03f4723ed7
this socket filter example does:
- creates arraymap in kernel with key 4 bytes and value 8 bytes
- loads eBPF program which assumes that packet is IPv4 and loads one byte of
IP->proto from the packet and uses it as a key in a map
r0 = skb->data[ETH_HLEN + offsetof(struct iphdr, protocol)];
*(u32*)(fp - 4) = r0;
value = bpf_map_lookup_elem(map_fd, fp - 4);
if (value)
(*(u64*)value) += 1;
- attaches this program to raw socket
- every second user space reads map[IPPROTO_TCP], map[IPPROTO_UDP], map[IPPROTO_ICMP]
to see how many packets of given protocol were seen on loopback interface
Usage:
$sudo samples/bpf/sock_example
TCP 0 UDP 0 ICMP 0 packets
TCP 187600 UDP 0 ICMP 4 packets
TCP 376504 UDP 0 ICMP 8 packets
TCP 563116 UDP 0 ICMP 12 packets
TCP 753144 UDP 0 ICMP 16 packets
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
123 lines
2.7 KiB
C
123 lines
2.7 KiB
C
/* eBPF mini library */
|
|
#include <stdlib.h>
|
|
#include <stdio.h>
|
|
#include <linux/unistd.h>
|
|
#include <unistd.h>
|
|
#include <string.h>
|
|
#include <linux/netlink.h>
|
|
#include <linux/bpf.h>
|
|
#include <errno.h>
|
|
#include <net/ethernet.h>
|
|
#include <net/if.h>
|
|
#include <linux/if_packet.h>
|
|
#include <arpa/inet.h>
|
|
#include "libbpf.h"
|
|
|
|
static __u64 ptr_to_u64(void *ptr)
|
|
{
|
|
return (__u64) (unsigned long) ptr;
|
|
}
|
|
|
|
int bpf_create_map(enum bpf_map_type map_type, int key_size, int value_size,
|
|
int max_entries)
|
|
{
|
|
union bpf_attr attr = {
|
|
.map_type = map_type,
|
|
.key_size = key_size,
|
|
.value_size = value_size,
|
|
.max_entries = max_entries
|
|
};
|
|
|
|
return syscall(__NR_bpf, BPF_MAP_CREATE, &attr, sizeof(attr));
|
|
}
|
|
|
|
int bpf_update_elem(int fd, void *key, void *value, unsigned long long flags)
|
|
{
|
|
union bpf_attr attr = {
|
|
.map_fd = fd,
|
|
.key = ptr_to_u64(key),
|
|
.value = ptr_to_u64(value),
|
|
.flags = flags,
|
|
};
|
|
|
|
return syscall(__NR_bpf, BPF_MAP_UPDATE_ELEM, &attr, sizeof(attr));
|
|
}
|
|
|
|
int bpf_lookup_elem(int fd, void *key, void *value)
|
|
{
|
|
union bpf_attr attr = {
|
|
.map_fd = fd,
|
|
.key = ptr_to_u64(key),
|
|
.value = ptr_to_u64(value),
|
|
};
|
|
|
|
return syscall(__NR_bpf, BPF_MAP_LOOKUP_ELEM, &attr, sizeof(attr));
|
|
}
|
|
|
|
int bpf_delete_elem(int fd, void *key)
|
|
{
|
|
union bpf_attr attr = {
|
|
.map_fd = fd,
|
|
.key = ptr_to_u64(key),
|
|
};
|
|
|
|
return syscall(__NR_bpf, BPF_MAP_DELETE_ELEM, &attr, sizeof(attr));
|
|
}
|
|
|
|
int bpf_get_next_key(int fd, void *key, void *next_key)
|
|
{
|
|
union bpf_attr attr = {
|
|
.map_fd = fd,
|
|
.key = ptr_to_u64(key),
|
|
.next_key = ptr_to_u64(next_key),
|
|
};
|
|
|
|
return syscall(__NR_bpf, BPF_MAP_GET_NEXT_KEY, &attr, sizeof(attr));
|
|
}
|
|
|
|
#define ROUND_UP(x, n) (((x) + (n) - 1u) & ~((n) - 1u))
|
|
|
|
char bpf_log_buf[LOG_BUF_SIZE];
|
|
|
|
int bpf_prog_load(enum bpf_prog_type prog_type,
|
|
const struct bpf_insn *insns, int prog_len,
|
|
const char *license)
|
|
{
|
|
union bpf_attr attr = {
|
|
.prog_type = prog_type,
|
|
.insns = ptr_to_u64((void *) insns),
|
|
.insn_cnt = prog_len / sizeof(struct bpf_insn),
|
|
.license = ptr_to_u64((void *) license),
|
|
.log_buf = ptr_to_u64(bpf_log_buf),
|
|
.log_size = LOG_BUF_SIZE,
|
|
.log_level = 1,
|
|
};
|
|
|
|
bpf_log_buf[0] = 0;
|
|
|
|
return syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof(attr));
|
|
}
|
|
|
|
int open_raw_sock(const char *name)
|
|
{
|
|
struct sockaddr_ll sll;
|
|
int sock;
|
|
|
|
sock = socket(PF_PACKET, SOCK_RAW | SOCK_NONBLOCK | SOCK_CLOEXEC, htons(ETH_P_ALL));
|
|
if (sock < 0) {
|
|
printf("cannot create raw socket\n");
|
|
return -1;
|
|
}
|
|
|
|
memset(&sll, 0, sizeof(sll));
|
|
sll.sll_family = AF_PACKET;
|
|
sll.sll_ifindex = if_nametoindex(name);
|
|
sll.sll_protocol = htons(ETH_P_ALL);
|
|
if (bind(sock, (struct sockaddr *)&sll, sizeof(sll)) < 0) {
|
|
printf("bind to %s: %s\n", name, strerror(errno));
|
|
close(sock);
|
|
return -1;
|
|
}
|
|
|
|
return sock;
|
|
}
|