bpf

I was looking at the different types of BPF program, and noticed that for different program types the context is being passed differently. Example: For program type BPF_PROG_TYPE_SOCK_OPS , an object of type struct bpf_sock_ops_kern is passed. However, the BPF program of this type takes a reference to struct bpf_sock_ops . Why is it done this way and where is the "translation" from bpf_sock_ops_kern to bpf_sock_ops ? For program type BPF_PROG_TYPE_CGROUP_SKB , an object of type struct sk_buff is passed (e.g., in __cgroup_bpf_run_filter_skb ), but the BPF program expects a minimized version,

I'm playing with gobpf and have got an issue with calculating a duration of traced user-space function. I use bpf_ktime_get_ns() to read time and then trying to calculate delta, but got enormous numbers, though traced function sleeps just 1 second. Here is the tested C-program, which has a function called "ameba". #include <stdio.h> #include <strings.h> #include <stdlib.h> #include <time.h> #include <unistd.h> char * ameba(char * s1, char * s2); int main(void) { time_t rawtime; struct tm * timeinfo; time(&rawtime); timeinfo = localtime(&rawtime); printf("enter: %s", asctime (timeinfo)); printf

After reading man bpf and a few other sources of documentation, I was under impression that a map can be only created by user process. However the following small program seems to magically create bpf map: struct bpf_map_def SEC("maps") my_map = { .type = BPF_MAP_TYPE_ARRAY, .key_size = sizeof(u32), .value_size = sizeof(long), .max_entries = 10, }; SEC("sockops") int my_prog(struct bpf_sock_ops *skops) { u32 key = 1; long *value; ... value = bpf_map_lookup_elem(&my_map, &key); ... return 1; } So I load the program with the kernel's tools/bpf/bpftool and also verify that program is loaded: $

To simulate some behavior I would like to attach a probe to a syscall and modify the return value when certain parameters are passed. Alternatively, it would also be enough to modify the parameters of the function before they are processes. Is this possible with BPF? I believe that attaching eBPF to kprobes/kretprobes gives you read access to function arguments and return values, but that you cannot tamper with them. I am NOT 100% sure; good places to ask for confirmation would be the IO Visor project mailing list or IRC channel (#iovisor at irc.oftc.net). As an alternative solution, I know

I'm trying to test classic BPF for packet filtering by attaching it to raw socket. I want to catch TCP packets with first byte of source port == 8 (tcpdump 'tcp[1:1] = 0x50'), but I see no incoming packets on the socket. Without filter my code works OK. Here is the code example: #include<stdio.h> //for printf #include<string.h> //memset #include<sys/socket.h> //for socket ofcourse #include<stdlib.h> //for exit(0); #include<errno.h> //For errno - the error number #include<netinet/tcp.h> //Provides declarations for tcp header #include<netinet/ip.h> //Provides declarations for ip header #include