Questions tagged [bpf]

The Berkeley Packet Filter (BPF, or cBPF) was initially introduced to provide a raw interface to data link layers in a protocol independent fashion, on BSD systems and then on Linux. More recently, it has been reworked on Linux to give birth to the extended BPF, or eBPF. The latter can be used for network processing at several levels, as well as for security applications, or even tracing and monitoring use cases. This tag is for all cBPF/eBPF questions.

The Berkeley Packet Filter was initially introduced to provide a raw interface to data link layers in a protocol-independent fashion, first on BSD systems in the early 90s, then on Linux a few years later. All frames seen by the interface, including those addressed to other hosts when the interface runs in promiscuous mode, are accessible through this mechanism; a small filter program, compiled from an expression such as the ones tcpdump accepts, runs in the kernel on every packet so that only the packets it accepts are copied to user space.

Since 2013, the older BPF subsystem (or cBPF, for classic BPF) has led to the creation of an extended BPF version, or eBPF, on Linux. eBPF has a different architecture: it is more efficient, more flexible, and introduces new features (maps, tail calls, helper functions exposed by the kernel, etc.). Programs can be attached to a variety of hooks in the kernel, for networking (sockets, as before, but also the TC (traffic control) interface, XDP…), for security (cgroups) or for tracing and monitoring the kernel (kprobes, tracepoints, …). Every eBPF program is checked by an in-kernel verifier before it is loaded, and the verifier's rejections (bounds, context access, program size, loops) are a recurring theme in the questions below.

449 questions
6 votes, 1 answer

BPF expression to capture only arp-reply packets

Is there a BPF expression that would only capture arp-reply packets? Currently, I am using Pcap4J and the following BPF expression: arp and dst host host and ether dst mac where host is the IP address of my device and mac is the MAC address of my…
rolling_codes
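The question above asks for a filter that matches only ARP replies, and the first paragraph of the tag wiki describes BPF as a small in-kernel program run on each packet. Both are illustrated by the added example below, which is not part of the question, of any answer, or of libpcap/Pcap4J. The pcap expression `arp and arp[6:2] = 2` selects ARP replies: `arp[6:2]` is the 16-bit opcode field six bytes into the ARP header, and opcode 2 means reply. The questioner's existing `dst host` and `ether dst` clauses can be kept and this test appended with `and`. The instruction array is what `tcpdump -dd` emits for that expression; the tiny interpreter, the frame builder and the `filter_frame` helper are written here for the example (they model only the three opcodes the filter uses) and the frames are constructed sample data, not captures.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One classic BPF instruction: same layout as struct sock_filter in
 * <linux/filter.h> (opcode, true/false jump offsets, constant). */
struct cbpf_insn {
    uint16_t code;
    uint8_t  jt;
    uint8_t  jf;
    uint32_t k;
};

/* The three opcodes this filter needs (values from <linux/bpf_common.h>). */
#define OP_LDH_ABS 0x28  /* BPF_LD|BPF_H|BPF_ABS : A = be16 at pkt[k]       */
#define OP_JEQ_K   0x15  /* BPF_JMP|BPF_JEQ|BPF_K: pc += (A == k) ? jt : jf */
#define OP_RET_K   0x06  /* BPF_RET|BPF_K        : return k (0 = drop)      */

/* Output of `tcpdump -dd 'arp and arp[6:2] = 2'`: EtherType must be 0x0806
 * and the ARP opcode (2 bytes, 6 bytes into the ARP header, so frame offset
 * 14 + 6 = 20) must be 2, an ARP reply. Jump offsets are relative to the
 * next instruction. */
static const struct cbpf_insn arp_reply_filter[] = {
    { OP_LDH_ABS, 0, 0, 12     },  /* A = EtherType                    */
    { OP_JEQ_K,   0, 3, 0x0806 },  /* not ARP     -> insn 5 (drop)     */
    { OP_LDH_ABS, 0, 0, 20     },  /* A = ARP opcode                   */
    { OP_JEQ_K,   0, 1, 2      },  /* not a reply -> insn 5 (drop)     */
    { OP_RET_K,   0, 0, 262144 },  /* accept: copy up to snaplen bytes */
    { OP_RET_K,   0, 0, 0      },  /* drop                             */
};
#define ARP_REPLY_FILTER_LEN (sizeof arp_reply_filter / sizeof arp_reply_filter[0])

/* Minimal cBPF interpreter for the opcodes above (example code). Like the
 * kernel, a load that reaches past the end of the packet rejects the packet. */
uint32_t cbpf_run(const struct cbpf_insn *prog, size_t ninsn,
                  const uint8_t *pkt, size_t len)
{
    uint32_t A = 0;                        /* the accumulator */
    for (size_t pc = 0; pc < ninsn; pc++) {
        const struct cbpf_insn *in = &prog[pc];
        switch (in->code) {
        case OP_LDH_ABS:
            if ((size_t)in->k + 2 > len)
                return 0;                  /* out-of-bounds load: drop */
            A = ((uint32_t)pkt[in->k] << 8) | pkt[in->k + 1];
            break;
        case OP_JEQ_K:
            pc += (A == in->k) ? in->jt : in->jf;   /* loop's pc++ adds the +1 */
            break;
        case OP_RET_K:
            return in->k;
        default:
            return 0;                      /* opcode not modelled: drop */
        }
    }
    return 0;                              /* ran off the end: drop */
}

/* Constructed 42-byte Ethernet+ARP frame (sample data, not a real capture).
 * EtherType and opcode are parameters so the same builder yields non-ARP
 * frames and ARP requests for negative tests. */
size_t build_frame(uint8_t buf[42], uint16_t ethertype, uint16_t arp_opcode)
{
    static const uint8_t mac_a[6] = {0x52, 0x54, 0x00, 0x11, 0x22, 0x33};
    static const uint8_t mac_b[6] = {0x52, 0x54, 0x00, 0xaa, 0xbb, 0xcc};
    static const uint8_t ip_a[4]  = {192, 168, 1, 10};
    static const uint8_t ip_b[4]  = {192, 168, 1, 1};

    memset(buf, 0, 42);
    memcpy(buf + 0, mac_b, 6);                       /* dst MAC        */
    memcpy(buf + 6, mac_a, 6);                       /* src MAC        */
    buf[12] = ethertype >> 8;  buf[13] = ethertype & 0xff;
    buf[14] = 0x00; buf[15] = 0x01;                  /* HTYPE Ethernet */
    buf[16] = 0x08; buf[17] = 0x00;                  /* PTYPE IPv4     */
    buf[18] = 6;    buf[19] = 4;                     /* HLEN, PLEN     */
    buf[20] = arp_opcode >> 8; buf[21] = arp_opcode & 0xff;
    memcpy(buf + 22, mac_a, 6); memcpy(buf + 28, ip_a, 4);   /* sender */
    memcpy(buf + 32, mac_b, 6); memcpy(buf + 38, ip_b, 4);   /* target */
    return 42;
}

/* Run the filter over the first `len` bytes of a constructed frame. */
uint32_t filter_frame(uint16_t ethertype, uint16_t arp_opcode, size_t len)
{
    uint8_t frame[42];
    size_t full = build_frame(frame, ethertype, arp_opcode);
    if (len > full)
        len = full;
    return cbpf_run(arp_reply_filter, ARP_REPLY_FILTER_LEN, frame, len);
}

int main(void)
{
    printf("ARP reply   : %u\n", filter_frame(0x0806, 2, 42));   /* 262144 */
    printf("ARP request : %u\n", filter_frame(0x0806, 1, 42));   /* 0 */
    printf("IPv4 frame  : %u\n", filter_frame(0x0800, 2, 42));   /* 0 */
    printf("truncated   : %u\n", filter_frame(0x0806, 2, 20));   /* 0 */
    return 0;
}
```

The truncated-frame case is the one worth remembering: a cBPF load that would read beyond the packet does not fault, it makes the program return 0, so a filter written for a fixed header layout silently drops runts and anything shorter than the deepest offset it touches. To see the real program for any expression, run `tcpdump -d '<expr>'` (mnemonics with absolute targets) or `tcpdump -dd '<expr>'` (the array form used above).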
6 votes, 1 answer

How to use BPF to filter kernel function arguments?

How can I use the Berkeley Packet Filter (BPF) to filter function arguments in the kernel? The function could be any non-inline function, not only system calls. Also, it would be better if the pointers in function arguments could be dereferenced for…
WindChaser
5 votes, 2 answers

Test that an integer is different from two other integers in eBPF without branch opcodes

I'm writing an eBPF kprobe that checks task UIDs, namely that the only permitted UID changes between calls to execve are those allowed by setuid(), seteuid() and setreuid() calls. Since the probe checks all tasks, it uses an unrolled loop that…
patraulea
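The question above wants "x is neither a nor b" without conditional jumps, because every branch in a large unrolled kprobe is another path the verifier must explore. The added example below is not from the question or any answer; it shows the arithmetic form in plain C, using only operations that have one-to-one eBPF ALU64 equivalents (BPF_XOR, BPF_NEG/BPF_SUB, BPF_OR, BPF_RSH, BPF_AND). The function names and the `uid_change_suspicious` policy (a new UID must equal one of the task's previous real, effective or saved UIDs, which is the union of what the unprivileged setuid family permits) are assumptions made for the example, not details given by the question.

```c
#include <stdint.h>
#include <stdio.h>

/* 1 if v != 0 and 0 otherwise, computed with only sub/or/shift. In two's
 * complement, for any v != 0 either v or -v has the top bit set, so
 * (v | -v) >> 63 is exactly 1. No comparison is involved, so there is
 * nothing for clang to lower into a conditional jump. */
uint64_t nonzero64(uint64_t v)
{
    return (v | ((uint64_t)0 - v)) >> 63;
}

/* Branch-free "x != a && x != b": 1 if x differs from both, else 0. */
uint64_t differs_from_both(uint64_t x, uint64_t a, uint64_t b)
{
    return nonzero64(x ^ a) & nonzero64(x ^ b);
}

/* Branch-free select: cond must be 0 or 1; -cond is all-ones or all-zeros.
 * Useful for accumulating a verdict in the unrolled loop instead of an if. */
uint64_t select64(uint64_t cond, uint64_t if_true, uint64_t if_false)
{
    uint64_t mask = (uint64_t)0 - cond;
    return (if_true & mask) | (if_false & ~mask);
}

/* Generalisation to a UID check (assumed policy, see lead-in): an
 * unprivileged setuid()/seteuid()/setreuid() can only move a UID to one of
 * the task's current real, effective or saved UIDs, so a new UID that differs
 * from all three is flagged. Returns 1 = suspicious, 0 = allowed. Still
 * branch-free: three xor/nonzero terms combined with AND. Caveat: a task
 * holding CAP_SETUID may legitimately switch to any UID, which would need a
 * separate capability check. */
uint64_t uid_change_suspicious(uint32_t new_uid, uint32_t ruid,
                               uint32_t euid, uint32_t suid)
{
    return nonzero64((uint64_t)new_uid ^ ruid) &
           nonzero64((uint64_t)new_uid ^ euid) &
           nonzero64((uint64_t)new_uid ^ suid);
}

int main(void)
{
    printf("differs_from_both(5,3,7) = %llu\n",
           (unsigned long long)differs_from_both(5, 3, 7));        /* 1 */
    printf("differs_from_both(7,3,7) = %llu\n",
           (unsigned long long)differs_from_both(7, 3, 7));        /* 0 */
    printf("uid 1000 -> 1001 (r=1000,e=0,s=0): %llu\n",
           (unsigned long long)uid_change_suspicious(1001, 1000, 0, 0)); /* 1 */
    printf("uid 1000 -> 0    (r=1000,e=0,s=0): %llu\n",
           (unsigned long long)uid_change_suspicious(0, 1000, 0, 0));    /* 0 */
    return 0;
}
```

The eBPF instruction set has no set-on-condition instruction, so a plain `x != a` that is used as a value is usually materialised by clang as a conditional jump; the xor/neg/or/shift form gives the compiler nothing to branch on. After building, confirm with `llvm-objdump -d` on the object that the hot section contains no `jeq`/`jne` where you did not expect one, since the verifier's path count is what the question is really fighting.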
5 votes, 1 answer

eBPF - difference between loading, attaching, and linking?

I'm very confused by the eBPF terminology used in the bpf syscall and libbpf functions. Could someone break down where my understanding of loading/attaching a process using bpf is wrong? My understanding: I've been looking at code for cgroups…
wxz
5 votes, 1 answer

What does the variable attribute SEC mean?

Currently, I'm tracing a bpf program and found something I can't understand. There are several declarations like: struct bpf_map_def SEC("maps") map_parsing_context = { ... }; struct { ... } map_keys SEC(".maps"); My questions are: What did this…
Steven
5 votes, 0 answers

Maximum number of uprobes using bcc/bpf

I use bcc to trace a userspace program with uprobes. However, I cannot attach more than 500 uprobes. I am wondering whether there is a limit on how many uprobes can be attached at the same time, or a kernel config that I can change.
戴均維
5 votes, 1 answer

Getting BPF programs working with USDT probes (Dtrace) in Linux

So I'm following this link to attach a BPF program to user space probes in DTrace format (see section User Statically Defined Tracepoints). C program: #include int main() { DTRACE_PROBE("hello-usdt", "probe-main"); } The checks to…
mdaniel
5 votes, 1 answer

BPF verifier rejects code: "invalid bpf_context access"

I'm trying to write a simple socket filter eBPF program that can access the socket buffer data. #include #include #define SEC(NAME) __attribute__((section(NAME), used)) SEC("socket_filter") int myprog(struct…
Tom Hadlaw
5 votes, 1 answer

bpf_trace_printk format pointer

How is "%p" implemented in bpf_trace_printk? It seems very different from printf. #include int print_args(struct pt_regs *ctx) { void *ptr = (void*)PT_REGS_PARM1(ctx); bpf_trace_printk("args: %lx %p %ld\n", ptr, ptr,…
libo
5 votes, 1 answer

Bounded loops in eBPF: does the verifier now check whether the program is a DAG?

Since bounded loops are now allowed in eBPF programs (https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/commit/?id=2589726d12a1b12eaaa93c7f1ea64287e383c7a5), does the verifier still check in the first pass whether the program control flow is…
Maicake
5 votes, 3 answers

How to fix BPF device permissions on Mac OS to use tcpdump

I may have done something to change my device permissions because I am getting the error: "tcpdump: en0: You don't have permission to capture on that device". The TCP portion is irrelevant because I am having an issue using bpf devices. I attempted…
ZJam
4 votes, 0 answers

Concurrent modification of Linux BPF hashtab map, how to make it safe without resorting to BPF_F_NO_PREALLOC flag

A BPF map preallocates memory for items by default. BPF_F_NO_PREALLOC flag turns preallocation off. A preallocated map is faster. Sleepable programs could only work with preallocated maps until recently. When it comes to concurrency, there's a…
Nick Zavaritsky
4 votes, 1 answer

"invalid bpf_context access" when trying to read `regs` parameter

Depending on how the syscall is defined in /sys/kernel/btf/vmlinux, reading struct pt_regs *regs parameter for fentry/fexit traces causes invalid bpf_context access error: SEC("fentry/__x64_sys_recvfrom") int BPF_PROG(fentry_syscall, struct pt_regs…
Akihiro HARAI
4 votes, 1 answer

"Program too large" threshold greater than actual instruction count

I've written a couple of production BPF agents, but my approach is very iterative until I please the verifier and can move on. I've reached my limit again. Here's a program that works if I have one fewer && condition -- and breaks otherwise. The…
coxley
4 votes, 0 answers

How to share BPF maps between two kernel space BPF programs?

Before I present my question: I have read this previously asked question, Map sharing between different ebpf program types, which does not seem to answer it. Now, what I am doing is: I have two BPF programs, one for XDP and the other for TC (No…
Zarrar