Proposal - "readbuf" builtin or similar #268

Closed
dalehamel opened this issue Nov 25, 2018 · 2 comments
@dalehamel
Contributor

Some applications require examining kernel state that is not conveniently stored in struct form.

For instance, tcpdrop.py implements a mechanism to read from the socket buffer, using the struct members of the socket buffer to dynamically compute the offset within the buffer.

For use cases like this, it would be great to have a command, say something called "readbuf" with an API like:

$base = $skb->head
$offset = $skb->transport_header
$length = 1 // one byte
$tcpflags = readbuf($base, $length, $offset)

This should be possible. I have an idea of how it could be implemented, but I wonder if this is something that is within the scope of what is intended for bpftrace?

I think that this sort of functionality is needed to be able to implement functionality such as above in tcpdrop.py, as well as for analysis closer to the network edge, as in this tcpaccept-like SystemTap probe from Cloudflare.

It should be possible to do this reasonably efficiently/safely, by checking that the buffer doesn't overflow and having a maximum extraction size.

I tried to think of a better name than readbuf; memcpy seems misleading but is the closest C analogue to the functionality I'm looking for, the critical difference being that it should probably always return a 64 byte variable (with width masked out if size specified to less) rather than copying arbitrary bits of memory.

This could also be really useful for examining raw binary data in the kernel in general, by printing segments of 64 bytes in hex.

Thoughts? Worth implementing? Is there anything that might make this harder than I am expecting?
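The bounds check and size cap described in the post above, sketched as an added example (not code from the issue, its author, or bpftrace). `readbuf_model`, its explicit `buf_len` and `out` parameters, the 8-byte cap with a `uint64_t` result, and the big-endian byte order are all assumptions made for illustration; the sample packet is constructed, with the flags byte placed at offset 13 of the TCP header.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define READBUF_MAX 8  /* assumed maximum extraction size: one uint64_t */

/* Hypothetical userspace model of the proposed readbuf(): read `length`
 * bytes at `offset` from a buffer of `buf_len` bytes into a zeroed 64-bit
 * value. Returns 0 on success, -1 if the request is refused. */
int readbuf_model(const uint8_t *base, size_t buf_len,
                  size_t length, size_t offset, uint64_t *out)
{
    if (base == NULL || out == NULL)
        return -1;
    if (length == 0 || length > READBUF_MAX)
        return -1;                      /* enforce maximum extraction size */
    /* Written as a subtraction so offset + length cannot wrap around. */
    if (offset > buf_len || length > buf_len - offset)
        return -1;                      /* read would run past the buffer */

    uint64_t v = 0;
    /* Bytes are accumulated big-endian (network order); unused high bytes
     * stay zero, which gives the masked-width result for short reads. */
    for (size_t i = 0; i < length; i++)
        v = (v << 8) | base[offset + i];
    *out = v;
    return 0;
}

/* Constructed sample: 20 zero bytes standing in for an IP header, then a
 * 20-byte TCP header with SYN|ACK (0x12) in the flags byte at +13. */
int sample_tcp_flags(uint64_t *flags)
{
    uint8_t pkt[40] = {0};
    size_t transport_header = 20;       /* stand-in for skb->transport_header */
    pkt[transport_header + 13] = 0x12;
    return readbuf_model(pkt, sizeof(pkt), 1, transport_header + 13, flags);
}

int main(void)
{
    uint64_t flags = 0;
    if (sample_tcp_flags(&flags) == 0)
        printf("tcp flags: 0x%02llx\n", (unsigned long long)flags);
    return 0;
}
```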

@dalehamel
Contributor Author

Related - this is likely also the mechanism we'd want to use to read IPv6 addresses, as it looks like the underlying IPv6 address is stored in an array: https://elixir.bootlin.com/linux/v4.14/source/include/uapi/linux/in6.h#L38

Attempting to access it currently doesn't work, as it doesn't resolve to a normal integer type.

Not totally sure what we will want to do for accessing these IPv6 values, but it might fall in this same bucket.

@dalehamel
Contributor Author

I'm going to close this as #275 probably covers this use case.
