Collect bpf helper arguments related to bpf map by jschwinger233 · Pull Request #453 · cilium/pwru

jschwinger233 · 2024-11-08T10:03:56Z

This PR adds --output-bpfmap flag to collect and print bpfmap ID, name, key(hex) and value(hex).

#  pwru --output-caller --filter-track-skb --filter-track-bpf-helpers --output-bpfmap 'src port 19233 and tcp[tcpflags]=tcp-syn'
2025/01/05 19:28:56 Attaching kprobes (via kprobe-multi)...
1641 / 1641 [-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% ? p/s
2025/01/05 19:28:56 Attached (ignored 0)
2025/01/05 19:28:56 Listening for events..
2025/01/05 19:28:56 Failed to retrieve all ifaces from all network namespaces: open /proc/272927/ns/net: no such file or directory. Some iface names might be not shown.
SKB                CPU PROCESS          NETNS      MARK/x        IFACE       PROTO  MTU   LEN   TUPLE FUNC CALLER
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533888 0               0         0x0000 1373  60    10.244.3.249:19233->10.244.2.187:8080(tcp) ip_local_out __ip_queue_xmit
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533888 0               0         0x0000 1373  60    10.244.3.249:19233->10.244.2.187:8080(tcp) __ip_local_out ip_local_out
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533888 0               0         0x0800 1373  60    10.244.3.249:19233->10.244.2.187:8080(tcp) ip_output      ip_local_out
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533888 0            eth0:11      0x0800 1373  60    10.244.3.249:19233->10.244.2.187:8080(tcp) nf_hook_slow   ip_output
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533888 0            eth0:11      0x0800 1373  60    10.244.3.249:19233->10.244.2.187:8080(tcp) apparmor_ip_postroute nf_hook_slow
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533888 0            eth0:11      0x0800 1373  60    10.244.3.249:19233->10.244.2.187:8080(tcp) ip_finish_output      ip_output
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533888 0            eth0:11      0x0800 1373  60    10.244.3.249:19233->10.244.2.187:8080(tcp) __ip_finish_output    ip_finish_output
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533888 0            eth0:11      0x0800 1373  60    10.244.3.249:19233->10.244.2.187:8080(tcp) ip_finish_output2     __ip_finish_output
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533888 0            eth0:11      0x0800 1373  60    10.244.3.249:19233->10.244.2.187:8080(tcp) neigh_resolve_output  ip_finish_output2
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533888 0            eth0:11      0x0800 1373  60    10.244.3.249:19233->10.244.2.187:8080(tcp) __neigh_event_send    neigh_resolve_output
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533888 0            eth0:11      0x0800 1373  60    10.244.3.249:19233->10.244.2.187:8080(tcp) eth_header            neigh_resolve_output
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533888 0            eth0:11      0x0800 1373  60    10.244.3.249:19233->10.244.2.187:8080(tcp) skb_push              eth_header
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533888 0            eth0:11      0x0800 1373  74    10.244.3.249:19233->10.244.2.187:8080(tcp) __dev_queue_xmit      neigh_resolve_output
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533888 0            eth0:11      0x0800 1500  74    10.244.3.249:19233->10.244.2.187:8080(tcp) netdev_core_pick_tx   __dev_queue_xmit
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533888 0            eth0:11      0x0800 1500  74    10.244.3.249:19233->10.244.2.187:8080(tcp) validate_xmit_skb     __dev_queue_xmit
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533888 0            eth0:11      0x0800 1500  74    10.244.3.249:19233->10.244.2.187:8080(tcp) netif_skb_features    validate_xmit_skb
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533888 0            eth0:11      0x0800 1500  74    10.244.3.249:19233->10.244.2.187:8080(tcp) passthru_features_check netif_skb_features
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533888 0            eth0:11      0x0800 1500  74    10.244.3.249:19233->10.244.2.187:8080(tcp) skb_network_protocol    netif_skb_features
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533888 0            eth0:11      0x0800 1500  74    10.244.3.249:19233->10.244.2.187:8080(tcp) skb_csum_hwoffload_help validate_xmit_skb
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533888 0            eth0:11      0x0800 1500  74    10.244.3.249:19233->10.244.2.187:8080(tcp) validate_xmit_xfrm      validate_xmit_skb
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533888 0            eth0:11      0x0800 1500  74    10.244.3.249:19233->10.244.2.187:8080(tcp) dev_hard_start_xmit     __dev_queue_xmit
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533888 0            eth0:11      0x0800 1500  74    10.244.3.249:19233->10.244.2.187:8080(tcp) skb_clone_tx_timestamp  veth_xmit[veth]
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533888 0            eth0:11      0x0800 1500  74    10.244.3.249:19233->10.244.2.187:8080(tcp) __dev_forward_skb       veth_xmit[veth]
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533888 0            eth0:11      0x0800 1500  74    10.244.3.249:19233->10.244.2.187:8080(tcp) __dev_forward_skb2      __dev_forward_skb
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533888 0            eth0:11      0x0800 1500  74    10.244.3.249:19233->10.244.2.187:8080(tcp) skb_scrub_packet        __dev_forward_skb2
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533888 0            eth0:11      0x0800 1500  74    10.244.3.249:19233->10.244.2.187:8080(tcp) eth_type_trans          __dev_forward_skb2
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533203 0        ~0e72e3a7e883:12 0x0800 1500  60    10.244.3.249:19233->10.244.2.187:8080(tcp) __netif_rx              veth_xmit[veth]
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533203 0        ~0e72e3a7e883:12 0x0800 1500  60    10.244.3.249:19233->10.244.2.187:8080(tcp) netif_rx_internal       __netif_rx
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533203 0        ~0e72e3a7e883:12 0x0800 1500  60    10.244.3.249:19233->10.244.2.187:8080(tcp) enqueue_to_backlog      netif_rx_internal
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533203 0        ~0e72e3a7e883:12 0x0800 1500  60    10.244.3.249:19233->10.244.2.187:8080(tcp) __netif_receive_skb     process_backlog
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533203 0        ~0e72e3a7e883:12 0x0800 1500  60    10.244.3.249:19233->10.244.2.187:8080(tcp) __netif_receive_skb_one_core __netif_receive_skb
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533203 0        ~0e72e3a7e883:12 0x0800 1500  74    10.244.3.249:19233->10.244.2.187:8080(tcp) bpf_skb_event_output         bpf_prog_a5a51cee1ed29ce6_cil_from_container[
bpf]
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533203 0        ~0e72e3a7e883:12 0x0800 1500  74    10.244.3.249:19233->10.244.2.187:8080(tcp) bpf_skb_pull_data            bpf_prog_e78b6847176ca467_tail_handle_ipv4[bp
f]
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533203 0        ~0e72e3a7e883:12 0x0800 1500  74    10.244.3.249:19233->10.244.2.187:8080(tcp) skb_ensure_writable          bpf_skb_pull_data
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533203 0        ~0e72e3a7e883:12 0x0800 1500  74    10.244.3.249:19233->10.244.2.187:8080(tcp) bpf_skb_load_bytes           bpf_prog_e78b6847176ca467_tail_handle_ipv4[bp
f]
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533203 0        ~0e72e3a7e883:12 0x0800 1500  74    10.244.3.249:19233->10.244.2.187:8080(tcp) __htab_map_lookup_elem       arch_rethook_trampoline
map_id: 422
map_name: cilium_lb4_serv
key(12):
00000000  0a f4 02 bb 1f 90 00 00  00 00 00 00              |............|
value(12):
00000000  00 00 00 00 00 00 00 00  00 00 00 00              |............|

0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533203 0        ~0e72e3a7e883:12 0x0800 1500  74    10.244.3.249:19233->10.244.2.187:8080(tcp) bpf_skb_load_bytes           bpf_prog_81acdf07efeda1c9_tail_ipv4_ct_egress
[bpf]
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533203 0        ~0e72e3a7e883:12 0x0800 1500  74    10.244.3.249:19233->10.244.2.187:8080(tcp) bpf_skb_load_bytes           bpf_prog_81acdf07efeda1c9_tail_ipv4_ct_egress
[bpf]
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533203 0        ~0e72e3a7e883:12 0x0800 1500  74    10.244.3.249:19233->10.244.2.187:8080(tcp) bpf_skb_event_output         bpf_prog_81acdf07efeda1c9_tail_ipv4_ct_egress
[bpf]
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533203 0        ~0e72e3a7e883:12 0x0800 1500  74    10.244.3.249:19233->10.244.2.187:8080(tcp) bpf_skb_event_output         bpf_prog_81acdf07efeda1c9_tail_ipv4_ct_egress
[bpf]
0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533203 0        ~0e72e3a7e883:12 0x0800 1500  74    10.244.3.249:19233->10.244.2.187:8080(tcp) bpf_map_lookup_elem          arch_rethook_trampoline
map_id: 436
map_name: cilium_ct4_glob
key(14):
00000000  0a f4 02 bb 0a f4 03 f9  4b 21 1f 90 06 01        |........K!....|
value(56):
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00                           |........|

0xffff90d46abbe0e8 3   ~in/curl:1200370 4026533203 0        ~0e72e3a7e883:12 0x0800 1500  74    10.244.3.249:19233->10.244.2.187:8080(tcp) bpf_map_lookup_elem          arch_rethook_trampoline
map_id: 436
map_name: cilium_ct4_glob
key(14):
00000000  0a f4 03 f9 0a f4 02 bb  1f 90 4b 21 06 00        |..........K!..|
value(56):
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  5b 3b 00 00 00 00 00 00  00 00 02 00 b9 04 00 00  |[;..............|
00000030  1f 3b 00 00 00 00 00 00                           |.;......|

Fixes: #448

jschwinger233 · 2024-11-08T10:14:11Z

I hope this helps me understand how Cilium CT works. Even after 18 months since onboarding, CT is still a mystery to me.

brb · 2024-11-11T16:58:30Z

👍 the idea

jschwinger233 · 2025-01-05T11:43:56Z

I labelled this "don't merge' because it's on the top of #477 which is pending.

brb · 2025-01-15T10:51:23Z

#477 has been merged. Could your rebase? Thanks

bpf/kprobe_pwru.c

This patch doesn't introduce any functional change but defines corresponding new fields and struct in both bpf and userspace programs. Signed-off-by: gray <[email protected]>

No functional changes. Signed-off-by: gray <[email protected]>

This patch collects bpfmap id, name, key, value at bpf_map_update_elem. Signed-off-by: gray <[email protected]>

This patch collects bpfmap id, name, key, value at bpf_map_delete_elem. Signed-off-by: gray <[email protected]>

We can only get the map value at return hook (kretprobe), that's why event instance has to be stashed in a PERCPU array (event_stash) temporarily at entry hook (kprobe) and retrieved at return hook (kretprobe), where we can read bpfmap value from %rax (x64). kretprobe_bpf_map_lookup_elem also needs to be excluded from pcap injection. Signed-off-by: gray <[email protected]>

We search BTF to find bpfmap funcs by first parameter of type "struct bpf_map *". Function name suffix determine which bpf program is attached to: - *_lookup_elem: {kprobe,kretprobe}_bpf_map_lookup_elem - *_update_elem: kprobe_bpf_map_lookup_elem - *_delete_elem: kprobe_bpf_map_delete_elem Signed-off-by: gray <[email protected]>

Signed-off-by: gray <[email protected]>

By adding 1 to bpf_get_smp_processor_id(), we can safely rely on "if event.PrintBpfmapId > 0" to decide whether there is bpfmap data to read. Signed-off-by: gray <[email protected]>

This reverts commit bc140a8. To avoid verifier error "R2 =<< 56": ; event->skb_addr = skb_addr; @ kprobe_pwru.c:658 1827: (79) r1 = *(u64 *)(r10 -56) ; frame1: R1_w=ptr_sk_buff() R10=fp0 fp-56=ptr_sk_buff() 1828: (bf) r2 = r1 ; frame1: R1_w=ptr_sk_buff() R2_w=ptr_sk_buff() 1829: (77) r2 >>= 56 Signed-off-by: Martynas Pumputis <[email protected]>

It is EOL. Signed-off-by: Martynas Pumputis <[email protected]>

Signed-off-by: Martynas Pumputis <[email protected]>

brb

🍕

jschwinger233 force-pushed the gray/bpf-map-args branch from 4e3f4c3 to e6de8f9 Compare December 2, 2024 09:46

jschwinger233 force-pushed the gray/bpf-map-args branch 4 times, most recently from 8fb88e5 to 8cb08f5 Compare January 5, 2025 11:30

jschwinger233 marked this pull request as ready for review January 5, 2025 11:39

jschwinger233 requested a review from a team as a code owner January 5, 2025 11:39

jschwinger233 changed the title ~~[Draft] Collect bpf helper arguments related to bpf map~~ Collect bpf helper arguments related to bpf map Jan 5, 2025

jschwinger233 added the dont-merge label Jan 5, 2025

jschwinger233 force-pushed the gray/bpf-map-args branch from 8cb08f5 to e93d1fa Compare January 17, 2025 09:32

jschwinger233 removed the dont-merge label Jan 22, 2025

jschwinger233 force-pushed the gray/bpf-map-args branch from e93d1fa to 2a387f0 Compare February 5, 2025 08:48

jschwinger233 marked this pull request as draft February 5, 2025 09:55

jspaleta reviewed Feb 5, 2025

View reviewed changes

bpf/kprobe_pwru.c Show resolved Hide resolved

jschwinger233 added 8 commits December 22, 2025 16:40

Define print_bpfmap_{id,value,map} in bpf and userspace

6abde64

This patch doesn't introduce any functional change but defines corresponding new fields and struct in both bpf and userspace programs. Signed-off-by: gray <[email protected]>

bpf: Move some common statements in handle_everything()

bc140a8

No functional changes. Signed-off-by: gray <[email protected]>

Add kprobe/bpf_map_update_elem

b1a9055

This patch collects bpfmap id, name, key, value at bpf_map_update_elem. Signed-off-by: gray <[email protected]>

Add kprobe/bpf_map_delete_elem

ba8c5e1

This patch collects bpfmap id, name, key, value at bpf_map_delete_elem. Signed-off-by: gray <[email protected]>

Add --output-bpfmap

9a321ae

Signed-off-by: gray <[email protected]>

Let print_bpfmap_id be non-zero

ca335cb

By adding 1 to bpf_get_smp_processor_id(), we can safely rely on "if event.PrintBpfmapId > 0" to decide whether there is bpfmap data to read. Signed-off-by: gray <[email protected]>

brb force-pushed the gray/bpf-map-args branch from 2a387f0 to ca335cb Compare December 22, 2025 16:03

brb temporarily deployed to false December 22, 2025 16:03 — with GitHub Actions Inactive

brb temporarily deployed to false December 29, 2025 14:50 — with GitHub Actions Inactive

brb marked this pull request as ready for review December 29, 2025 14:50

gh/workflows: Remove 5.4 kernel

e7a52ab

It is EOL. Signed-off-by: Martynas Pumputis <[email protected]>

brb marked this pull request as draft December 29, 2025 15:48

brb temporarily deployed to false December 29, 2025 15:56 — with GitHub Actions Inactive

Do not load k(ret)probe_bpf_map_* if --output-bpfmap=false

9e00bb8

Signed-off-by: Martynas Pumputis <[email protected]>

brb force-pushed the gray/bpf-map-args branch from 4aa3b07 to 9e00bb8 Compare December 30, 2025 09:43

brb temporarily deployed to false December 30, 2025 09:43 — with GitHub Actions Inactive

brb marked this pull request as ready for review December 30, 2025 10:12

brb approved these changes Dec 30, 2025

View reviewed changes

brb merged commit e42170b into cilium:main Dec 30, 2025
10 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Comments

Collect bpf helper arguments related to bpf map#453

Collect bpf helper arguments related to bpf map#453
brb merged 11 commits intocilium:mainfrom
jschwinger233:gray/bpf-map-args

jschwinger233 commented Nov 8, 2024 •

edited

Loading

Uh oh!

jschwinger233 commented Nov 8, 2024

Uh oh!

brb commented Nov 11, 2024

Uh oh!

jschwinger233 commented Jan 5, 2025

Uh oh!

brb commented Jan 15, 2025

Uh oh!

Uh oh!

brb left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Uh oh!

Comments

Conversation

jschwinger233 commented Nov 8, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

jschwinger233 commented Nov 8, 2024

Uh oh!

brb commented Nov 11, 2024

Uh oh!

jschwinger233 commented Jan 5, 2025

Uh oh!

brb commented Jan 15, 2025

Uh oh!

Uh oh!

brb left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

jschwinger233 commented Nov 8, 2024 •

edited

Loading