Questions tagged [bpf]

The Berkeley Packet Filter (BPF, or cBPF) was initially introduced to provide a raw interface to data link layers in a protocol-independent fashion, on BSD systems and then on Linux. More recently, it has been reworked on Linux to give birth to the extended BPF, or eBPF. The latter can be used for network processing at several levels, as well as for security applications, or even tracing and monitoring use cases. This tag is for all cBPF/eBPF questions.

The Berkeley Packet Filter was initially introduced to provide a raw interface to data link layers in a protocol-independent fashion, first on BSD systems in the early 90s, then on Linux a few years later. All packets on the network, even those destined for other hosts, would be accessible through this mechanism.

Since 2013, the older BPF subsystem (or cBPF, for classic BPF) has led to the creation of an extended BPF version, or eBPF, on Linux. eBPF has a different architecture. It is more efficient and more flexible, and it introduces new features (maps, tail calls, helper functions from the kernel, etc.). Programs can be attached to a variety of hooks in the kernel: for networking (sockets, as before, but also the TC (traffic control) interface, XDP, …), for security (cgroups) or for tracing and monitoring the kernel (kprobes, tracepoints, …).

449 questions
0 votes, 1 answer

How to drop skb_buff using eBPF/bcc?

I am running the bcc example /http_filter/http-parse-simple.c, in which a comment explains: /* eBPF program. Filter IP and TCP packets, having payload not empty and containing "HTTP", "GET", "POST" ... as first bytes of payload if the…
Vector
0 votes, 0 answers

EBPF probe for compiled inlined function

I'd like to create an eBPF program for Golang that records when a function is entered and returns. Some issues I have: A. Functions are inlined. B. Closures are anonymous. C. Reading Golang structs. Questions: A. In my case it's not possible to…
zino
0 votes, 1 answer

How can I look for uneven port numbers only using BPF?

How can I get a tcpdump that contains only uneven port numbers, using BPF?
M. T
0 votes, 1 answer

How do I target the MSS value in a TCP packet using BPF

I am learning BPF and converting some iptables rules to BPF bytecode. I am primarily using the nfbpf_compile application to do this, rather than trying to write C or Assembler. I am having a lot of luck, but the syntax of one rule is escaping me. I'd…
jdw
0 votes, 0 answers

Tcpdump dynamic filter based on length

I'm trying to capture all DHCP Discover packets that don't end with ff that should be the last byte of a correct BOOTP request. I can filter all DHCP Discover by using the correct offset ether[284:1] because it is at the beginning of the packet but…
0 votes, 1 answer

libseccomp patch for hash maps

Has this patch been merged or rejected? Or has the discussion just ended without evolving? Maybe the fact that seccomp filters can be rewritten as binary trees is enough not to add hash map support for…
Maicake
0 votes, 2 answers

Does BPF_PROG_RUN implement the fallback eBPF interpreter?

https://github.com/torvalds/linux/blob/33920f1ec5bf47c5c0a1d2113989bdd9dfb3fae9/include/linux/filter.h#L556-L571 Is this the implementation of the eBPF fallback interpreter?
Maicake
0 votes, 1 answer

net/core/filter.c and linux/bpf/verifier.c

If I understood well, initially the cBPF verifier and interpreter were both within net/core/filter.c; for example sk_run_filter here https://elixir.bootlin.com/linux/v3.2/source/net/core/filter.c#L112 just converts the cBPF instructions, applying them on…
Maicake
0 votes, 1 answer

Can't correctly access tracepoint context struct fields

GOAL: write to the trace_pipe only if openat is called with the O_RDONLY flag. I've built the struct looking at the format contained here /sys/kernel/debug/tracing/events/syscalls/sys_enter_open/format PROBLEM I think I'm not accessing the flags field …
Maicake
0 votes, 1 answer

tracepoint/syscalls/sys_enter doesn't trigger bpf_trace_printk

GOAL: print Hello every time a system call is executed. CODE: _kern.c #include #include "bpf_helpers.h" SEC("tracepoint/syscalls/sys_enter") int bpf_sys(struct syscalls_enter_open_args *ctx) { char fmt[] = "Hello\n"; …
Maicake
0 votes, 1 answer

Is there any difference between using SYS_syscallname and __NR_syscallname in seccomp?

What is the difference between using SYS_syscallname and __NR_syscallname in a seccomp filter? Which one should I use?
Maicake
0 votes, 1 answer

load seccomp_export_bpf generated code into the kernel

http://man7.org/linux/man-pages/man3/seccomp_export_bpf.3.html How can I load the generated code into the kernel? What are the possible use cases for this function?
Maicake
0 votes, 1 answer

How to use seccomp_release in libseccomp?

Should I release the filter also after seccomp_load() is called? Or only if some of the calls to seccomp_rule_add() fail? For example OPTION1 r = seccomp_rule_add(...) if r < 0 seccomp_release(...) r = seccomp_rule_add(...) if r < 0…
Maicake
0 votes, 1 answer

In libseccomp, what is scmp_filter_ctx? And what is it used for?

What does scmp_filter_ctx actually store, since it's defined as void? See the seccomp header file. In general, what is a context?
Maicake
0 votes, 0 answers

BPF filters in multithreaded application

I have a multi-threaded (2 threads) application which uses BPF filters, wherein each thread uses a PF_PACKET socket and tries to apply a BPF filter using SO_ATTACH_FILTER on the same incoming interface. But what I observe is that both the threads…
Madhu