6. What's eBPF/BPF?
• extend BPF
• from filter to monitoring, traffic control, kernel tracing
• high level c language to inject the BPF pseudo code
• kernel space - user space can exchange info using BPF map structure
• compiled by llvm/clang, in-kernel verifier
• the traditional BPF is also called classic BPF(cBPF)
7. eBPF mechanism
• An eBPF program can be split into 2 parts
• user space BPF loader
• kernel space BPF elf program
• The BPF loader loads the BPF program into kernel space
• Then the BPF program is executed by the in-kernel BPF virtual machine
8. eBPF types
• eBPF supports many different features
• kernel tracing
• network monitoring
• traffic control
• eXpress Data Path
• increasing in each kernel version from v3.17
eBPF types listed in /include/uapi/linux/bpf.h in kernel version v5.8.9
9. eBPF maps
• In eBPF, there are several map structures
• Unlike cBPF, which uses recv(), eBPF exchanges information between the kernel space eBPF program and the user space BPF loader through these maps
• BPF_MAP_TYPE_ARRAY, BPF_MAP_TYPE_PERCPU_ARRAY
• BPF_MAP_TYPE_HASH, BPF_MAP_TYPE_PERCPU_HASH
• and others
eBPF maps listed in /include/uapi/linux/bpf.h in kernel version v5.8.9
14. in-kernel eBPF examples
• Many eBPF example programs are included in the Linux kernel source code under samples/bpf/
• and can be compiled by its own makefile
15. How to compile
• How to compile in-kernel eBPF source code? (Ubuntu 18.04)
• prerequisite
• verify your kernel version and download the kernel source code matching your kernel version
• install required packages
• cd to /usr/src/linux-source-5.0.0/linux-source-5.0.0/ and start to compile
16. Contents
• What's eBPF/BPF?
• How to build eBPF from in-kernel source
• Program an eBPF program by hand
• Quick demo
17. eBPF program analyzing
• Each eBPF program has a hook point and a type; the programmer defines the type in the eBPF loader
• The eBPF loader looks for SEC() to find the hook point function definition
• The hook point function's signature depends on which eBPF program type the loader uses
• e.g. in an XDP eBPF program, the parameter of the hook point function is a struct xdp_md pointer
19. eBPF program analyzing - using XDP
• Each XDP program should return an XDP_* value at the end of the XDP function definition
• XDP_DROP: drop the packet directly
• XDP_PASS: allow the packet to go through into the network stack
20. eBPF program analyzing - using XDP
• Our eBPF program looks like this so far.
• Now, let's start to add some code. First, we need to get the packet we receive
21. eBPF program analyzing - using XDP
• Next, we can add whatever we want to implement in this XDP program
• For this example, we filter and drop incoming UDP packets on port 55688
22. eBPF program analyzing
• We sometimes want to exchange data with the user space eBPF loader using a map structure
• In this example, we count each incoming UDP packet and store the count in the map structure
• The counter update is an atomic operation
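The XDP program the slides walk through, as an added example in plain C (not the deck's own code): the header structs, the XDP_* values and the one-entry map are spelled out inline so that the bounds-checked parsing, the port 55688 drop and the atomic counter can be compiled and exercised with gcc; the real kernel program reads data/data_end from struct xdp_md and replaces the udp_pkts array with bpf_map_lookup_elem() on a BPF_MAP_TYPE_ARRAY. The names xdp_filter_udp, udp_pkts_seen and run_frame are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
/* Header layouts spelled out so the file builds with plain gcc; the real XDP
 * program takes them from <linux/if_ether.h>, <linux/ip.h> and <linux/udp.h>. */
struct ethhdr { uint8_t h_dest[6], h_source[6]; uint16_t h_proto; };
struct iphdr  { uint8_t ver_ihl, tos; uint16_t tot_len, id, frag_off;
                uint8_t ttl, protocol; uint16_t check; uint32_t saddr, daddr; };
struct udphdr { uint16_t source, dest, len, check; };
enum { XDP_DROP = 1, XDP_PASS = 2 };   /* same values as in <linux/bpf.h> */
#define ETH_P_IP     0x0800
#define IPPROTO_UDP  17
#define FILTER_PORT  55688             /* the port the slides drop */

/* Stand-in for the one-entry BPF_MAP_TYPE_ARRAY of the slides; the kernel
 * program gets this pointer from bpf_map_lookup_elem() and must NULL-check it. */
static uint64_t udp_pkts[1];
static uint16_t be16(const void *p) { const uint8_t *b = p; return (uint16_t)(b[0] << 8 | b[1]); }

/* Hook-point logic. In the kernel, data/data_end come from struct xdp_md; each
 * "hdr + 1 > data_end" test is the bounds check the in-kernel verifier requires. */
int xdp_filter_udp(void *data, void *data_end)
{
    struct ethhdr *eth = data;
    if ((void *)(eth + 1) > data_end || be16(&eth->h_proto) != ETH_P_IP)
        return XDP_PASS;
    struct iphdr *ip = (struct iphdr *)(eth + 1);
    if ((void *)(ip + 1) > data_end || ip->protocol != IPPROTO_UDP)
        return XDP_PASS;
    struct udphdr *udp = (struct udphdr *)((uint8_t *)ip + (ip->ver_ihl & 0x0f) * 4);
    if ((void *)(udp + 1) > data_end)
        return XDP_PASS;
    __sync_fetch_and_add(&udp_pkts[0], 1);      /* atomic: map shared by all CPUs */
    return be16(&udp->dest) == FILTER_PORT ? XDP_DROP : XDP_PASS;
}
uint64_t udp_pkts_seen(void) { return udp_pkts[0]; }   /* what the loader reads */

/* Constructed frame (Ethernet + 20-byte IPv4 + UDP, no payload) pushed through
 * the filter; `cut` bytes are trimmed from the end to simulate truncation. */
int run_frame(uint8_t proto, uint16_t dport, size_t cut)
{
    uint8_t buf[64] = {0};
    struct ethhdr *eth = (struct ethhdr *)buf;
    struct iphdr *ip = (struct iphdr *)(eth + 1);
    struct udphdr *udp = (struct udphdr *)(ip + 1);
    buf[12] = 0x08; buf[13] = 0x00;             /* h_proto = ETH_P_IP, big-endian */
    ip->ver_ihl = 0x45; ip->protocol = proto;   /* IPv4, ihl = 5 words */
    ((uint8_t *)&udp->dest)[0] = dport >> 8; ((uint8_t *)&udp->dest)[1] = dport & 0xff;
    size_t len = sizeof *eth + sizeof *ip + sizeof *udp;
    return xdp_filter_udp(buf, buf + len - cut);
}
```

A truncated frame is passed through untouched and not counted, because the bounds check fails before any header field is read; that is exactly the behaviour the verifier enforces in the kernel.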
23. eBPF loader analyzing
• In eBPF loader, there are several steps to load eBPF program:
• find the eBPF ELF file and load it
• bpf_prog_load_xattr()
• find the hook point in eBPF program - the string in SEC()
• bpf_object__find_program_by_title()
• get the file descriptor of the hook point function named in SEC()
• bpf_program__fd()
• In XDP loader, we need to attach the XDP program to network interface
• bpf_set_link_xdp_fd()
24. eBPF loader analyzing
• If the map structure is used, we should:
• check whether the eBPF program has a map and find it if so
• bpf_map__next()
• bpf_map__fd()
• set the entries in the map to 0
• bpf_map_update_elem()
• Then we can fetch the value in the map in each entry
• bpf_map_lookup_elem()
25. Modify the makefile in kernel source
• This makefile uses kbuild system to compile.
• Define the compile executable file name
• hostprogs-y += get_pkts
• Define the object files loader needs
• get_pkts-objs := bpf_load.o get_pkts_user.o
• Add always variable to compile elf file
• always += get_pkts_kern.o
26. Contents
• What's eBPF/BPF?
• How to build eBPF from in-kernel source
• Program an eBPF program by hand
• Quick demo