Questions tagged [bpf]

The Berkeley Packet Filter (BPF, or cBPF) was initially introduced to provide a raw interface to data link layers in a protocol independent fashion, on BSD systems and then on Linux. More recently, it has been reworked on Linux to give birth to the extended BPF, or eBPF. The latter can be used for network processing at several levels, as well as for security applications, or even tracing and monitoring use cases. This tag is for all cBPF/eBPF questions.

The Berkeley Packet Filter was initially introduced to provide a raw interface to data link layers in a protocol independent fashion, first on BSD systems in the early 90s, then on Linux a few years later. All packets on the network, even those destined for other hosts, would be accessible through this mechanism.

Since 2013, the older BPF subsystem (or cBPF, for classic BPF) has led to the creation to an extended BPF version, or eBPF, on Linux. eBPF has a different architecture. It is more efficient, more flexible, introduces new features (maps, tail calls, helper functions from kernel, etc.). And programs can be attached to a variety of hooks in the kernel, for networking (sockets, as before, but also TC (traffic control) interface, XDP…), for security (cgroups) or for tracing and monitoring the kernel (kprobes, tracepoints, …).

449 questions

votes

4 answers

Can eBPF modify the return value or parameters of a syscall?

To simulate some behavior I would like to attach a probe to a syscall and modify the return value when certain parameters are passed. Alternatively, it would also be enough to modify the parameters of the function before they are processes. Is this…

asked Mar 24 '17 at 15:46

Georg Schölly

124,188
49
220
267

votes

2 answers

who creates map in BPF

After reading man bpf and a few other sources of documentation, I was under impression that a map can be only created by user process. However the following small program seems to magically create bpf map: struct bpf_map_def SEC("maps") my_map = { …

linux-kernel bpf ebpf

asked Jan 02 '18 at 20:05

Mark

6,052
8
61
129

votes

2 answers

How can I get the bpf_helpers.h header file for my Linux kernel?

I am developing an eBPF program on an Ubuntu machine: $ uname -a Linux ubuntu-bionic 4.18.0-16-generic #17~18.04.1-Ubuntu SMP Tue Feb 12 13:35:51 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux To do this I need both bpf.h for a number of definitions as…

linux linux-kernel header-files bpf ebpf

asked Mar 30 '19 at 22:28

dippynark

2,743
20
58

votes

4 answers

Is it possible to intercept unencrypted HTTPS request body of local programs?

Is it possible to write a single general EBPF program that can read the unencrypted HTTPS request and response bodies of all user space programs? As I understand it, EBPF works with packets for layers 2, 3 and 4 of the network. HTTPS payloads are…

linux https network-programming bpf ebpf

asked Jan 02 '20 at 21:40

zino

1,222
2
17
47

votes

1 answer

Map sharing between different ebpf program types

Is it possible to share ebpf maps between different program types. I need to share a map between a tc-bpf program and a cgroup bpf program. This should be possible if the map is pinned to file system that act as global namespace. But, I haven't got…

linux-kernel elf bpf ebpf iproute

asked Oct 18 '19 at 17:28

user1727270

votes

1 answer

Why is having an userspace version of eBPF interesting?

I've seen that userspace version of ebpf (runtime, assembler, dissasembler) are being developped (uBPF, rbpf). Why is having an userspace version of eBPF interesting ? Do those alternatives focus on the same goal than the eBPF program types…

linux-kernel bpf ebpf

asked Jan 26 '21 at 16:12

Hugo REYMOND

votes

2 answers

How to use seccomp filter with ebpf?

I'm looking for an example of eBPF to write a seccomp filter, but I can't find none. Could someone tell me if is possible to use eBPF to write seccomp filter?

c bpf ebpf seccomp

asked Aug 29 '19 at 14:59

Maicake

1,046
10
34

votes

2 answers

Are loops allowed in Linux's BPF programs?

I am thinking of a solution of replicating packets in the kernel and forward to 5 hosts (unicast). Planning to utilize eBPF/XDP for it. I am trying to loop for 5 times, and inside the loop I am planning to clone the packet, modify the DST IP…

llvm-clang bpf ebpf

asked May 13 '19 at 07:15

Fernando

votes

0 answers

How do I allow bpf syscalls in docker on Centos 7 with SELinux on?

I'm running a docker container that monitors other containers in a Centos 7 server. Since SELinux is enabled by default, it blocks my monitoring process when it calls any bpf operation with this info: type=AVC msg=audit: avc: denied { map_create…

docker centos kernel selinux bpf

asked May 14 '20 at 16:30

patraulea

votes

1 answer

Output from bpf_printk()

While running some examples from samples/bpf I noticed that bpf_printk output is prepended with some extra information, e.g. : telnet-470 [001] .N.. 419421.045894: 0x00000001: BPF command: 2 BPF command: 2 is actual string passed to bpf_printk in…

linux-kernel llvm-clang bpf ebpf

asked Dec 20 '17 at 20:54

Mark

6,052
8
61
129

votes

1 answer

How do you compute the performance impact of a eBPF probe?

eBPF has become a prominent tool to easily and quickly monitor processes. However, I was not able to find how would one compute the impact of the probe itself on the performance. I'm sure if I hook every syscall and push some information in a map,…

performance monitoring bpf ebpf

asked Feb 10 '21 at 08:29

Dominus

votes

1 answer

How to flush raw AF_PACKET socket to get correct filtered packets

sock = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, &f, sizeof (f)) With this simple BPF/LPF attach code, when I try to receive packet on the socket, will get some wrong packets that doesn't match…

linux sockets ethernet raw-sockets bpf

asked Oct 24 '20 at 19:00

Rider

votes

1 answer

implicit declaration of function ‘bpf’

I have been studying BPF recently, but it is not proceeding because of a very basic problem. I included linux/bpf.h as described in man bpf(2), but GCC can not find bpf function. This code is just for the test to make sure that GCC can find bpf…

bpf ebpf

asked Feb 22 '19 at 07:27

R00T3D

votes

1 answer

BPF: owner of a map

This is follow-up to who creates map in BPF since my new question is not directly relevant that thread. So, it seems to me that there has to be a single point where a BPF map is created, either it is a bpf program or a user program that loads bpf…

linux-kernel bpf

asked Jan 05 '18 at 22:12

Mark

6,052
8
61
129

votes

1 answer

how to build BPF program out of the kernel tree

The kernel provides a number of examples in samples/bpf. I am interested in building one of examples outside of the tree, just like we build a kernel module, where Makefile can be simple enough. Is it possible to do the same with bpf? I tried it by…

linux-kernel jit llvm-clang bpf

asked Dec 19 '17 at 21:04

Mark

6,052
8
61
129

2 3

…

29 30 Next