Questions tagged [bpf]

The Berkeley Packet Filter (BPF, or cBPF) was initially introduced to provide a raw interface to data link layers in a protocol independent fashion, on BSD systems and then on Linux. More recently, it has been reworked on Linux to give birth to the extended BPF, or eBPF. The latter can be used for network processing at several levels, as well as for security applications, or even tracing and monitoring use cases. This tag is for all cBPF/eBPF questions.

The Berkeley Packet Filter was initially introduced to provide a raw interface to data link layers in a protocol independent fashion, first on BSD systems in the early 90s, then on Linux a few years later. All packets on the network, even those destined for other hosts, would be accessible through this mechanism.

Since 2013, the older BPF subsystem (or cBPF, for classic BPF) has led to the creation of an extended BPF version, or eBPF, on Linux. eBPF has a different architecture: it is more efficient, more flexible, and introduces new features (maps, tail calls, helper functions from the kernel, etc.). Programs can be attached to a variety of hooks in the kernel, for networking (sockets, as before, but also the TC (traffic control) interface, XDP…), for security (cgroups) or for tracing and monitoring the kernel (kprobes, tracepoints, …).

449 questions

eBPF: insert a new inner map to `BPF_MAP_TYPE_HASH_OF_MAPS`?

I am trying to implement LSM BPF programs and I want to use BPF_MAP_TYPE_HASH_OF_MAPS to store information for each super block as the sb_alloc_security LSM hook is triggered. For example, I want to define the map as: struct bpf_map_def SEC("SBMap")…
vanbastelaer

Get interface statistics using Berkeley packet filter in Linux?

Is there any way to get interface statistics using bpf? More specifically, I'm looking for getting virtual interface stats using bpf. I know it can be done using an iptables chain but I want to do it specifically with bpf. Thanks. Update: I am able to get…

How to load symbol files to BCC profiler

With bcc tools' profile, I am getting mostly "[unknown]" in the profile output on my C program. This is, of course, expected because the program symbols are not loaded. However, I am not sure how to properly load the symbols so that the "profile" program…
hc6

TCPDUMP BPF Primitives and Port Exclusion

I am trying to create a filter in tcpdump that will allow me to examine tcp traffic on ports above 1024. I came up with: sudo tcpdump tcp portrange 1025-65535 but I'm not sure if there is a better way to create the filter. For example, I tried…

bpf_get_current_pid_tgid() returns a 'not found' error in socket_filter type of bpf program in Linux 04.04.15

I have a bpf program of the socket_filter type. I am trying to get the PID of the process involved in the current packet. Then it will go into a bpf map for user space to use. However, this call does not work; the function is not found. Ubuntu 18.04…

How to use a structure in bpftrace scripting

I have written a func.bt file to use a structure in my kprobe routine. /* func.bt */ struct FUNC_PARAMS { unsigned int client; void * params; unsigned int paramsSize; unsigned int status; }; /* This script provides a reasonable…

Why does BPF verifier error with null key when using BPF_MAP_TYPE_QUEUE?

I'm trying to load a BPF program with a queue map. It seems I get an error related to the null key. libbpf: -- BEGIN DUMP LOG --- libbpf: 0: (b7) r1 = 123 1: (63) *(u32 *)(r10 -4) = r1 2: (bf) r3 = r10 3: (07) r3 += -4 4: (18) r1 =…
steepestascent

How to write a seccomp BPF program to filter the system call instruction pointer

Is it possible to write a seccomp-BPF program to filter on the system call instruction pointer? For example, to kill the process where there is a system call instruction executed not from the libc.
xiaogw

I am trying to kprobe the function of tcp_synack_timer in a custom BPF program, like the book BPF Performance Tools

I want to use the aforementioned function because I want to use the struct request_sock_queue and struct listen_sock . Is there a way to use them (perhaps a different function)? First I tried to make a BPF program which uses…

process name (comm) as key for BPF map

I've been trying to design a tool wherein I can do per-process tracing, but this implies that I need a key for each process so that I can store key-value map pairings for each process. I instinctually don't like using structs or strings as keys, and…
byrnesj1

python interaction with BPF maps

I'm wondering if there is an easy way to initialize BPF maps from Python userspace. For my project, I'll have a scary-looking NxN 2d array of floats for each process. For simplicity's sake, let's assume N is constant across processes (say 5). To…
byrnesj1

BPF cgroup device controller program problem with map

I want to pass data between the user/kernel side with BPF_PROG_TYPE_CGROUP_DEVICE. I have defined the map as: struct bpf_map_def SEC("maps") my_map = { .type = BPF_MAP_TYPE_ARRAY, .key_size = sizeof(int), .value_size = sizeof(int), …

AF_XDP: Relationship between `FRAME_SIZE` and actual size of packet

My AF-XDP userspace program is based on this tutorial: https://github.com/xdp-project/xdp-tutorial/tree/master/advanced03-AF_XDP I am currently trying to parse ~360.000 RTP-packets per second (checking for continuous sequence numbers) but I lose…
binaryBigInt

AF_XDP: No packets from multicast although steered on RX-Queue 0

I am still playing with the AF_XDP socket and my program is still largely based on: https://github.com/xdp-project/xdp-tutorial/tree/master/advanced03-AF_XDP I now want to receive multiple multicast streams (which works fine the way I register the…
binaryBigInt

AF_XDP not working on Kernel `4.18.0-25-generic`

I am currently trying to get the AF_XDP-Tutorial running from here: https://github.com/xdp-project/xdp-tutorial/tree/master/advanced03-AF_XDP I was able to compile it but if I try to put the xdp-code into the kernel via: sudo ./af_xdp_user --dev…
binaryBigInt