Questions tagged [ebpf]
eBPF is a technology with origins in the Linux kernel that can run sandboxed programs in an operating system kernel. It is used to safely and efficiently extend the capabilities of the kernel without requiring changes to kernel source code or loading kernel modules. For details, refer to https://ebpf.io.
39 questions
3 votes · 2 answers · 85 views
What would be the most reliable way to obtain PID, remote address and port combinations for all connections?
I tried tcp_connect, udp_sendmsg kprobes together on an eBPF program and it worked, but it missed a lot of connections. I couldn't really get any reliable results with other kprobes as well so I tried ...
2 votes · 1 answer · 67 views
How are network stack modifications tested?
I have the task to develop a modification (using eBPF) of the TCP stack of the Linux kernel, and I need to test its interoperability with non-modified kernels. Specifically, the eBPF program should be ...
1 vote · 0 answers · 44 views
What does the phrase "consider native interface" refer to when the nftables wiki says that xt_bpf match is unsupported
In this list of unsupported xtables features, xt_bpf is listed as one of the unsupported features. The comment says to "consider native interface". But what interface is being referred to ...
2 votes · 0 answers · 30 views
Task name shown as <...> in the output of EBPF program
I wrote a simple EBPF program which prints a message when the execve system call is invoked. I print the message using the bpf_trace_printk function. In the output, the task name for some processes is ...
0 votes · 1 answer · 72 views
eBPF `bpf_core_read` returns incorrect value
As @andy-dalton suggests, I changed the type of err and initialized it. But it still outputs the same results.
The modified code:
SEC("sockops")
int bpf_sockops_cb(struct bpf_sock_ops *skops) {
...
0 votes · 0 answers · 57 views
How does bpftrace implement its printf function?
The bpftrace language supports the function printf, which can write something to the terminal, but as far as I know eBPF running in kernel mode cannot call arbitrary kernel functions, so how is that ...
0 votes · 0 answers · 40 views
BPF program attached to `getname` won't get called when calling the `renameat2` syscall
I'm fiddling with a BPF program that needs to attach to the two "getname" functions that are being called from the renameat2 syscall, defined in linux/fs/namei.c as:
SYSCALL_DEFINE5(...
0 votes · 1 answer · 122 views
Newly added Android kernel bpf helpers are not detected
I'm trying to patch an Android kernel 4.9 to support probe_read_{user, kernel} and probe_read_{user, kernel} helpers. For the backporting I took an example from another patch that adds bpf_probe_read_str ...
2 votes · 1 answer · 294 views
eBPF in real-time systems [closed]
I've a question about real-time systems, in particular in LynxOS (LynxOS-178).
I would need information on the compatibility and presence of eBPF in these systems.
Can anyone help me?
I haven't found ...
0 votes · 0 answers · 101 views
Can I use systemd resource management to deny port only outside containers
On an up-to-date fedora 39, I have set up podman for rootless containers and I limit the ports a user may bind to by creating
/etc/systemd/system/user-1000.slice.d/user-resources.conf
with
[Slice]
...
1 vote · 0 answers · 291 views
eBPF vs verified Linux Kernel Modules
In what way is eBPF superior to a kernel module verified on the user-side?
I'm not disputing the value of verified code; both approaches would be fully statically verified.
Both approaches require ...
2 votes · 1 answer · 624 views
How to get argv[0] in bpftrace?
I have this rather simple script:
#!/usr/bin/bpftrace
tracepoint:syscalls:sys_enter_exec*
{
@start[pid] = nsecs;
printf("START;%-6d;", pid);
join(args->argv);
}
tracepoint:...
1 vote · 1 answer · 985 views
Redirect port using TC BPF
I want to use TC BPF to redirect incoming traffic from port 80 to port 8080.
Below is my own code, but I've also tried the example from man 8 tc-bpf (search for 8080) and I get the same result.
#...
1 vote · 1 answer · 872 views
Log all commands executed regardless of shell?
Suppose a user runs the following command:
zcat file.gz | grep something | gzip > grepped.gz
I'm looking for a kernel feature (a BPF filter perhaps?) that would note all of the execves, chain ...
1 vote · 1 answer · 175 views
DPROBES (DTRACE_PROBE) for measuring high latency stuff under 1µsec
Currently, I'm analyzing the performance of a high latency application but I'm not confident in my measurements at all. So far, I have used DPROBES for instrumentation and BCC/funclatency for ...