1 vote
0 answers
44 views

I have two k8s pods that communicate using TLS. I am loading an eBPF TC code on the egress of the sender pod. This code adds 28 bytes to the optional space of the TCP headers after TCP options. If I ...
alepvn33
0 votes
1 answer
129 views

I am trying to implement a manual implementation of strstr in eBPF but cannot get past verifier. Before starting, I know there is an existing bpf_strstr() implementation, but it's on 6.17+ linux ...
Stefan Misu
1 vote
1 answer
36 views

I'm working on an LSM BPF program and running into an issue with bpf_task_storage_get. Here’s a minimal example that works: struct provenance_structure { __u8 to_trace; struct bpf_spin_lock ...
Polo • 147
1 vote
1 answer
80 views

Below is the code attached to sched_process_fork tracepoint for tracking process forks. // fork.bpf.c // clang -O2 -target bpf -c fork.bpf.c -o fork.bpf.o #include <linux/bpf.h> #include <...
user31736034
0 votes
0 answers
38 views

Is it possible to store a pointer to an MAP entry (PTR_TO_MAP) in another MAP and use it later, potentially in another eBPF program? If not, what kind of support is needed for this to work? I am ...
Farbod Shahinfar
2 votes
0 answers
322 views

I'm running Ubuntu 24.04 LTS with kernel 6.14.0-32-generic and trying to use bpftool for eBPF dev. After some struggling in setting up, I realized that the linux-tools-6.14.0-32-generic package is ...
zephyrus1
1 vote
1 answer
49 views

I have a bound check statement that is optimized by clang and as a result verifier doesn't accept the program. I would like to write it using embedded assembly. I am not sure how to do it. I know that ...
Farbod Shahinfar
-4 votes
1 answer
52 views

Can we attach a ebpf program after tcp reordering? What mechanism should we use any ready examples folks? We tried at tc level but see problems of packets not being ordered/assembled as expected! ...
user4737628
1 vote
1 answer
126 views

Can somebody help me with retrieving name of file using eBPF when file is creating? What I’ve done: We have 2 funcs (helper and Kfunc) for collecting filepath from struct path: bpf_d_path & ...
Mr hard
2 votes
0 answers
120 views

Wrote an eBPF code to count cache refs and miss of a target process. The program seems to work, albeit the counts don't match even closely to the perf stat output. I am assuming there is some issue ...
ultimate cause
2 votes
1 answer
81 views

I was attempting Experiment 2 specified on the site, which involves modifying the first parameter (the file path of the executed program) in the sys_enter_execv function. However, when I called ...
C JH • 23
0 votes
0 answers
47 views

I was trying to write a simple bpftrace script to check if (Tcl) functions call themselves recursively and I got unexpected results. To investigate, I simplified the script to: uprobe:/usr/lib64/...
Schelte Bron • 4,992
0 votes
0 answers
97 views

While testing my rust Aya xdp ebpf program I came across this error Error: the BPF_PROG_LOAD syscall failed. Verifier output: fd 10 is not pointing to valid bpf_map verification time 215 usec stack ...
ΠΑΝΟΣ ΚΩΣΤΟΠΟΥΛΟΣ
0 votes
1 answer
86 views

In kernel based UDP server, we do bind to a address/port. For ebpf as I understand it I can just do filter the port in ebpf program rather than call bind. However some of the existing udp clients are ...
user2426361
1 vote
1 answer
264 views

I am trying to understand how 'bpftool prog detach' works. To experiment, I created a simple ebpf program and below is output from 'bpftool prog show name sys_exit' at runtime 81: tracing name ...
cooldude
0 votes
0 answers
79 views

I am trying to learn eBPF with the project https://github.com/masmullin2000/libbpf-sample/. The simple program works perfectly fine but when I try to use the ringbuffer I get a segmentation fault when ...
Huchsle • 80
0 votes
0 answers
86 views

The BPF program in src/bpf/test.bpf.c is the following: #include <linux/bpf.h> #include <bpf/bpf_helpers.h> #define MAX_CPUS 32 // Size: 8 bytes struct flow_key_t { __u32 src_ip_be; ...
eof • 609
0 votes
1 answer
100 views

I have an XDP program, which contains the following maps: // The flow state of a single core struct { __uint(type, BPF_MAP_TYPE_LRU_HASH); __uint(max_entries, 512000); __type(key, struct ...
eof • 609
0 votes
1 answer
142 views

Here is the scene: When A iface uses bpf_redirect() to redirect data packets to B iface, will B's tc ingress be triggered?? When testing on my machine, I found that B's tc ingress bpf prog is not ...
light_rain
3 votes
1 answer
327 views

I'm writing a Linux Security Module (LSM) eBPF program using the hook lsm.s/inode_rename, and I want to capture the full path of the renamed file or directory. I'm using CO-RE and Cilium's toolchain. ...
KnightChaser
0 votes
1 answer
71 views

I have the following eBPF XDP program, which refuses to load: #include <linux/bpf.h> #include <bpf/bpf_helpers.h> #include <bpf/bpf_endian.h> #include <linux/if_ether.h> #...
eof • 609
1 vote
1 answer
179 views

I’m building an eBPF-based file-audit tool on Linux by attaching to various LSM hooks (file_open, file_read, file_write, file_permission, etc.) to log every file event in real time. With the sleepable ...
KnightChaser
2 votes
1 answer
169 views

I'm attempting to write a tracing eBPF program using the fentry attach type to hook into the open system call. Here's a minimal example: SEC("fentry/__x64_sys_open") int BPF_PROG(...
Polo • 147
0 votes
1 answer
275 views

I'm writing an eBPF program using the aya framework in Rust. I'm attaching a fentry hook to the filp_close function and trying to obtain the file path using bpf_d_path. Here's a simplified version of ...
goodpeanuts
0 votes
0 answers
48 views

I need to capture the call stack information of specific, different processes using eBPF. I'm currently using a combination of perf_event_open and bpf_program__attach_perf_event_opts to achieve this. ...
Yong Fu
1 vote
1 answer
144 views

I'm using bpf_dynptr_from_mem and the BPF verifier fails on the size argument (total_size) with R2 unbounded memory access, even though I check the size against the buffer limit (MAX_DATA_SIZE) ...
LogicDX342
1 vote
1 answer
54 views

To use global variables in eBPF, libbpf internally creates BPF maps. I found that global variables are copied into memory during the open phase, before creating the BPF maps. static int ...
sewonnam
0 votes
0 answers
107 views

I am working on a project that will enable TCP traffic tunneling to remote networks and I have a few questions about my approach and specifically about the use of eBPF to transparently intercept ...
lampwins • 920
0 votes
0 answers
35 views

I have the following stream parser and verdict ebpf program (BPF_PROG_TYPE_SK_SKB) using Aya which is intended as a noop: #[map] static HYDRO_SOCKET_MAP: SockMap = SockMap::with_max_entries(1024, 0); ...
rhalameddine
2 votes
1 answer
97 views

I'm working on a project with a #![no_std] context in which I'm trying to use the hexhex crate. It has std enabled by default but that can be disabled by disabling the default feature flags. So I have ...
BeowolfK
0 votes
0 answers
48 views

Is it possible for a process to probe dtrace/perf/etc USDTs for its own process (or even better, process group or uid) without needing elevated privileges or being able to trace processes with other ...
Craig Ringer
1 vote
2 answers
113 views

I'm trying to explore using BPF arena in XDP programs. I learned from this post that XDP programs aren't sleepable and, therefore, they cannot use the kfunc to allocate BPF arenas' pages. So, my ...
pedro_m • 71
0 votes
0 answers
62 views

I'm experimenting with eBPF, specifically using the BPF_PROG_TYPE_SOCKET_FILTER program type. From what I understand, this type is typically used with raw sockets. However, I'm wondering if it's ...
Tamir • 1
2 votes
0 answers
45 views

I noticed that when I attach a dummy XDP program (that simply returns XDP_PASS) to the NIC driver, the single-core TCP throughput drops from 28 Gbps to 24 Gbps. Upon inspecting the CPU function stack ...
munikarmanish
0 votes
0 answers
183 views

(sorry for posting here, couldn't create ticket on github/libbpf) libbpf failure on system with BTF disabled. Issue: we are doing negative testing for our product like disabling BTF INFO from kernel....
nullptr • 25
-1 votes
1 answer
106 views

I have a confusion about how the eBPF verifier behaves in my usecase. In general, I want to implement an eBPF program deployed from a python bcc module to look for my custom option 31 and remove it ...
Đức Anh Nguyễn Đỗ
1 vote
1 answer
200 views

I have Debian 12 which has 6.1 kernel. After fresh install I ran the following commands to get required source code to start building eBPF LSM program: apt update apt upgrade -y apt install -y build-...
u4963840 • 367
0 votes
1 answer
152 views

I am trying to insert my new option field into packets using ebpf but I do not know what is the correct way to shift the rest of the payload after the IP header to the right without using a CONSTANT ...
Đức Anh Nguyễn Đỗ
3 votes
0 answers
73 views

I am looking for ways to prevent file deletion using eBPF LSM hooks. I have previously looked into pure LSM solution without eBPF but I had to give up on that because that would have required me to ...
u4963840 • 367
-1 votes
1 answer
65 views

I found that when using bpf_program__attach_uprobe_opts, it can only set one PID. Unless set to -1, it indicates all processes. Is there a way to set multiple PIDs? Or can it only be achieved through ...
Sunjal • 9
2 votes
0 answers
102 views

Title pretty much sums it up. I'm trying to run this eBPF program but I keep getting the following error when running: libbpf: prog 'do_entry_point': BPF program load failed: Invalid argument libbpf: ...
Gary Watson
0 votes
1 answer
109 views

Recently, I've been trying to work with BPF_ARENA. My objective is to use it on XDP programs. However, the following error appears when I try to use bpf_arena_alloc_pages: program must be sleepable ...
pedro_m • 71
1 vote
0 answers
41 views

I followed guide on https://github.com/iovisor/bcc/blob/e70627709cd71394ac0f4b0fbe2fe2c94ece1c9d/docs/special_filtering.md#filtering-by-mount-namespace and got it working on VM. But running on a ...
phoxd • 1,652
0 votes
1 answer
54 views

I am currently writing a program for testing an experimental TCP option. For that, I activate two flags: BPF_SOCK_OPS_WRITE_HDR_OPT_CB_FLAG for setting the length of the option and writing it into ...
hugo rimlinger
2 votes
0 answers
80 views

My Linux system is WSL2 with kernel-5.15.133, and I wrote eBPF code to count calling of kmalloc in kernel with kprobe. The code failed with kprobe attach failed: Invalid argument. // ...
wangt13 • 1,307
0 votes
1 answer
86 views

I am trying to parse a simple gRPC payload in an eBPF program. The code below shows my eBPF program, which I am trying to attach at TC hook (ingress). SEC("classifier") int find_grpc(struct ...
Ashwin Kumar
0 votes
1 answer
189 views

I am trying to set a uprobe in the libart.so android library on an Android x86_64 emulator with Rust (aya[0]). All is well on Android-14 (Kernel 6.1), but not in Android-13 (Kernel 5.15). As far as I ...
Sergej Isbrecht
0 votes
0 answers
63 views

I try to understand how write linux ebpf tetragon block execution rule. Example 1. I want block execution of command "curl google.com" Next rule block curl with any domain, why? apiVersion: ...
Kriks_87 Kriks_87
0 votes
0 answers
73 views

Using a eBPF lsm program, I trace file opening events for a specific container. Events are filtered by cgroups. void handle_event(struct file *file, long ret, __u64 cgroup_id, void *ctx) { struct ...
polo • 39
1 vote
0 answers
104 views

I have the following program structure: src/main.bpf.c: #include "../vmlinux.h" #include <bpf/bpf_helpers.h> #include <bpf/bpf_tracing.h> #include <bpf/bpf_endian.h> #...
Mr. Pascal