examples: fentry - add comments to illustrate difference with tcprtt #615

Merged
merged 1 commit into from Mar 30, 2022

Binary file modified examples/fentry/bpf_bpfeb.o
Binary file not shown.
Binary file modified examples/fentry/bpf_bpfel.o
Binary file not shown.
35 changes: 29 additions & 6 deletions examples/fentry/fentry.c
Expand Up @@ -8,8 +8,25 @@
#define AF_INET 2
#define TASK_COMM_LEN 16

char LICENSE[] SEC("license") = "Dual MIT/GPL";
char __license[] SEC("license") = "Dual MIT/GPL";

/**
* This example copies parts of struct sock_common and struct sock from
* the Linux kernel, but doesn't cause any CO-RE information to be emitted
* into the ELF object. This requires the struct layout (up until the fields
* that are being accessed) to match the kernel's, and the example will break
* or misbehave when this is no longer the case.
*
* Also note that BTF-enabled programs like fentry, fexit, fmod_ret, tp_btf,
* lsm, etc. declared using the BPF_PROG macro can read kernel memory without
* needing to call bpf_probe_read*().
Collaborator

shouldn't this be BPF_CORE_READ*()?

Collaborator Author

BPF_CORE_READ and friends emit a CO-RE relocation and call bpf_probe_read_*() behind the scenes, but that's not what is meant here specifically. This comment is just about the memory accesses in the kernel, not the CO-RE part.

*/

/**
* struct sock_common reflects the start of the kernel's struct sock_common.
* It only contains the fields up until skc_family that are accessed in the
* program, with padding to match the kernel's declaration.
*/
struct sock_common {
union {
struct {
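Review bot: In the new header comment, the sentence "BTF-enabled programs ... can read kernel memory without needing to call bpf_probe_read*()" follows directly after the paragraph about CO-RE information, so it reads as a continuation of the CO-RE point, which is what prompted the BPF_CORE_READ*() question in the thread. Suggest saying in the comment itself that this sentence is about memory access from the program and is separate from CO-RE relocations, and naming the tcprtt example from the PR title as the one to compare against, since the comment never mentions it. The change from LICENSE to __license in the same hunk is not explained by the comment or the title; a short note on why would help.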
Expand All @@ -18,8 +35,8 @@ struct sock_common {
};
};
union {
unsigned int skc_hash;
__u16 skc_u16hashes[2];
// Padding out union skc_hash.
__u32 _;
};
union {
struct {
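Review bot: The padding member `__u32 _;` keeps skc_family at the right offset only as long as it has the same size as the union members it replaces (unsigned int skc_hash and __u16 skc_u16hashes[2], 4 bytes each), and nothing in the file checks that. Suggest stating the size in the comment, for example "Padding out union skc_hash (4 bytes).", and giving the member a descriptive name instead of `_`. The `//` comment also differs from the `/** */` style used for the other comments added in this PR.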
Expand All @@ -30,6 +47,9 @@ struct sock_common {
short unsigned int skc_family;
};

/**
* struct sock reflects the start of the kernel's struct sock.
*/
struct sock {
struct sock_common __sk_common;
};
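Review bot: The new comment on struct sock does not say how much of the kernel struct is mirrored, unlike the struct sock_common comment, which names the last field it covers. Since only __sk_common is declared here, suggest saying so, for example "It only contains the leading __sk_common member.", so readers know that accessing any later field means extending the declaration.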
Expand All @@ -39,16 +59,19 @@ struct {
__uint(max_entries, 1 << 24);
} events SEC(".maps");

// Force emitting struct event into the ELF.
const struct event *unused __attribute__((unused));

/**
* The sample submitted to userspace over a ring buffer.
* Emit struct event's type info into the ELF's BTF so bpf2go
* can generate a Go type from it.
*/
struct event {
u8 comm[16];
__u16 sport;
__be16 dport;
__be32 saddr;
__be32 daddr;
};
struct event *unused __attribute__((unused));

SEC("fentry/tcp_connect")
int BPF_PROG(tcp_connect, struct sock *sk) {
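Review bot: The doc comment above struct event attributes the BTF emission to the struct ("Emit struct event's type info into the ELF's BTF so bpf2go can generate a Go type from it"), but what forces the emission is the `unused` pointer, and the `struct event *unused __attribute__((unused));` line after the struct has no comment next to it. Suggest keeping the first sentence on the struct and moving the second to a one-line comment directly above the `unused` declaration. Also, comm is sized with a literal 16 although TASK_COMM_LEN is defined at the top of the file.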