forked from Minki/linux
b896c4f95a
tracex1_kern.c - C program compiled into BPF. It attaches to kprobe:netif_receive_skb() When skb->dev->name == "lo", it prints sample debug message into trace_pipe via bpf_trace_printk() helper function. tracex1_user.c - corresponding user space component that: - loads BPF program via bpf() syscall - opens kprobes:netif_receive_skb event via perf_event_open() syscall - attaches the program to event via ioctl(event_fd, PERF_EVENT_IOC_SET_BPF, prog_fd); - prints from trace_pipe Note, this BPF program is non-portable. It must be recompiled with current kernel headers. kprobe is not a stable ABI and BPF+kprobe scripts may no longer be meaningful when kernel internals change. No matter in what way the kernel changes, neither the kprobe, nor the BPF program can ever crash or corrupt the kernel, assuming the kprobes, perf and BPF subsystem has no bugs. The verifier will detect that the program is using bpf_trace_printk() and the kernel will print 'this is a DEBUG kernel' warning banner, which means that bpf_trace_printk() should be used for debugging of the BPF program only. Usage: $ sudo tracex1 ping-19826 [000] d.s2 63103.382648: : skb ffff880466b1ca00 len 84 ping-19826 [000] d.s2 63103.382684: : skb ffff880466b1d300 len 84 ping-19826 [000] d.s2 63104.382533: : skb ffff880466b1ca00 len 84 ping-19826 [000] d.s2 63104.382594: : skb ffff880466b1d300 len 84 Signed-off-by: Alexei Starovoitov <ast@plumgrid.com> Cc: Arnaldo Carvalho de Melo <acme@infradead.org> Cc: Arnaldo Carvalho de Melo <acme@redhat.com> Cc: Daniel Borkmann <daniel@iogearbox.net> Cc: David S. Miller <davem@davemloft.net> Cc: Jiri Olsa <jolsa@redhat.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com> Cc: Namhyung Kim <namhyung@kernel.org> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Steven Rostedt <rostedt@goodmis.org> Link: http://lkml.kernel.org/r/1427312966-8434-7-git-send-email-ast@plumgrid.com Signed-off-by: Ingo Molnar <mingo@kernel.org>
102 lines
2.7 KiB
C
102 lines
2.7 KiB
C
/* eBPF example program:
|
|
* - creates arraymap in kernel with key 4 bytes and value 8 bytes
|
|
*
|
|
* - loads eBPF program:
|
|
* r0 = skb->data[ETH_HLEN + offsetof(struct iphdr, protocol)];
|
|
* *(u32*)(fp - 4) = r0;
|
|
* // assuming packet is IPv4, lookup ip->proto in a map
|
|
* value = bpf_map_lookup_elem(map_fd, fp - 4);
|
|
* if (value)
|
|
* (*(u64*)value) += 1;
|
|
*
|
|
* - attaches this program to eth0 raw socket
|
|
*
|
|
* - every second user space reads map[tcp], map[udp], map[icmp] to see
|
|
* how many packets of given protocol were seen on eth0
|
|
*/
|
|
#include <stdio.h>
|
|
#include <unistd.h>
|
|
#include <assert.h>
|
|
#include <linux/bpf.h>
|
|
#include <string.h>
|
|
#include <stdlib.h>
|
|
#include <errno.h>
|
|
#include <sys/socket.h>
|
|
#include <arpa/inet.h>
|
|
#include <linux/if_ether.h>
|
|
#include <linux/ip.h>
|
|
#include <stddef.h>
|
|
#include "libbpf.h"
|
|
|
|
static int test_sock(void)
|
|
{
|
|
int sock = -1, map_fd, prog_fd, i, key;
|
|
long long value = 0, tcp_cnt, udp_cnt, icmp_cnt;
|
|
|
|
map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(key), sizeof(value),
|
|
256);
|
|
if (map_fd < 0) {
|
|
printf("failed to create map '%s'\n", strerror(errno));
|
|
goto cleanup;
|
|
}
|
|
|
|
struct bpf_insn prog[] = {
|
|
BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
|
|
BPF_LD_ABS(BPF_B, ETH_HLEN + offsetof(struct iphdr, protocol) /* R0 = ip->proto */),
|
|
BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -4), /* *(u32 *)(fp - 4) = r0 */
|
|
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), /* r2 = fp - 4 */
|
|
BPF_LD_MAP_FD(BPF_REG_1, map_fd),
|
|
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
|
|
BPF_MOV64_IMM(BPF_REG_1, 1), /* r1 = 1 */
|
|
BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_0, BPF_REG_1, 0, 0), /* xadd r0 += r1 */
|
|
BPF_MOV64_IMM(BPF_REG_0, 0), /* r0 = 0 */
|
|
BPF_EXIT_INSN(),
|
|
};
|
|
|
|
prog_fd = bpf_prog_load(BPF_PROG_TYPE_SOCKET_FILTER, prog, sizeof(prog),
|
|
"GPL", 0);
|
|
if (prog_fd < 0) {
|
|
printf("failed to load prog '%s'\n", strerror(errno));
|
|
goto cleanup;
|
|
}
|
|
|
|
sock = open_raw_sock("lo");
|
|
|
|
if (setsockopt(sock, SOL_SOCKET, SO_ATTACH_BPF, &prog_fd,
|
|
sizeof(prog_fd)) < 0) {
|
|
printf("setsockopt %s\n", strerror(errno));
|
|
goto cleanup;
|
|
}
|
|
|
|
for (i = 0; i < 10; i++) {
|
|
key = IPPROTO_TCP;
|
|
assert(bpf_lookup_elem(map_fd, &key, &tcp_cnt) == 0);
|
|
|
|
key = IPPROTO_UDP;
|
|
assert(bpf_lookup_elem(map_fd, &key, &udp_cnt) == 0);
|
|
|
|
key = IPPROTO_ICMP;
|
|
assert(bpf_lookup_elem(map_fd, &key, &icmp_cnt) == 0);
|
|
|
|
printf("TCP %lld UDP %lld ICMP %lld packets\n",
|
|
tcp_cnt, udp_cnt, icmp_cnt);
|
|
sleep(1);
|
|
}
|
|
|
|
cleanup:
|
|
/* maps, programs, raw sockets will auto cleanup on process exit */
|
|
return 0;
|
|
}
|
|
|
|
int main(void)
|
|
{
|
|
FILE *f;
|
|
|
|
f = popen("ping -c5 localhost", "r");
|
|
(void)f;
|
|
|
|
return test_sock();
|
|
}
|