0

I'm trying, finally, to understand eBPF and maybe use it in an upcoming project. For sake of simplicity I started with reading bcc documentation.

In my project I'll need to send some data over network upon some kernel function calls. Can that be done without sending the data to userspace first?

I see that I can redirect skbs from one socket to another etc., and I see that I can submit custom data to user space. Is there a way to get the best of both worlds?

EDIT: I'm trying to log some file system events to another server that'll collect this data from multiple machines. Those machines can be fairly busy in some situations. It should be real time and with low latency. I'd love to avoid going through userspace to prevent copying the data back and forth and to reduce sw overhead as much as possible.

Thank you all!

David
  • 182
  • 1
  • 1
  • 8
  • 1
    Could you describe a bit more which kernel functions you are trying to trace and what data you want to send over the network? Also, why do you want to avoid going through userspace? – pchaigno Mar 09 '22 at 10:20
  • @pchaigno Thanks, added a comment in the question. – David Mar 09 '22 at 11:23

1 Answers1

1

It seems this question can be summarized to: is it possible to send data over the network from a BPF tracing program (kprobes, tracepoints, etc.)?

The answer to that question is no. As far as I know, there are currently no way to craft and send packets over the network from BPF programs. You can resend a received packet to the network with some helpers, but they are only available to networking BPF programs.

pchaigno
  • 11,313
  • 2
  • 29
  • 54