Skip to content

Instantly share code, notes, and snippets.

@aojea

aojea/README.md

Last active March 26, 2024 13:13
Show Gist options
  • Save aojea/25d9e2ba451b428a314df90ba2e3b339 to your computer and use it in GitHub Desktop.
Save aojea/25d9e2ba451b428a314df90ba2e3b339 to your computer and use it in GitHub Desktop.
Download ZIP
BPF cheatsheet
Raw
README.md

BPF Cheatsheet

Download binary

curl -s -L https://github.com/libbpf/bpftool/releases/download/v7.2.0/bpftool-v7.2.0-amd64.tar.gz | tar xvzf - -C /tmp chmod +x /tmp/bpftool

List network

 ./bpftool net list
xdp:

tc:
cilium_net(2) clsact/ingress bpf_host_cilium_net.o:[to-host] id 207210
cilium_host(3) clsact/ingress bpf_host.o:[to-host] id 207175
cilium_host(3) clsact/egress bpf_host.o:[from-host] id 207190
cilium_vxlan(4) clsact/ingress bpf_overlay.o:[from-overlay] id 206944
cilium_vxlan(4) clsact/egress bpf_overlay.o:[to-overlay] id 206962
lxc_health(6) clsact/ingress bpf_lxc.o:[from-container] id 207124
lxc2c32c43536a5(8) clsact/ingress bpf_lxc.o:[from-container] id 207284
eth0(31) clsact/ingress bpf_netdev_eth0.o:[from-netdev] id 207230
eth0(31) clsact/egress bpf_netdev_eth0.o:[to-netdev] id 207250

flow_dissector:

Dump eBPF

./bpftool prog dump xlated id 207284 linum
int handle_xgress(struct __sk_buff * ctx):
; int handle_xgress(struct __ctx_buff *ctx) [file:/var/lib/cilium/bpf/bpf_lxc.c line_num:1326 line_col:0]
   0: (bf) r6 = r1
   1: (af) r7 ^= r7
; WRITE_ONCE(ctx->cb[0], zero); [file:/var/lib/cilium/bpf/lib/overloadable_skb.h line_num:12 line_col:2]
   2: (63) *(u32 *)(r6 +48) = r7
; WRITE_ONCE(ctx->cb[1], zero); [file:/var/lib/cilium/bpf/lib/overloadable_skb.h line_num:13 line_col:2]
   3: (63) *(u32 *)(r6 +52) = r7
; WRITE_ONCE(ctx->cb[2], zero); [file:/var/lib/cilium/bpf/lib/overloadable_skb.h line_num:14 line_col:2]
   4: (63) *(u32 *)(r6 +56) = r7
; WRITE_ONCE(ctx->cb[3], zero); [file:/var/lib/cilium/bpf/lib/overloadable_skb.h line_num:15 line_col:2]
   5: (63) *(u32 *)(r6 +60) = r7
; WRITE_ONCE(ctx->cb[4], zero); [file:/var/lib/cilium/bpf/lib/overloadable_skb.h line_num:16 line_col:2]
   6: (63) *(u32 *)(r6 +64) = r7
; ctx->queue_mapping = 0; [file:/var/lib/cilium/bpf/lib/qm.h line_num:20 line_col:21]
   7: (b7) r11 = 490974009
   8: (a7) r11 ^= 490951878
   9: (3d) if r7 >= r11 goto pc+1

// somewhere inside your BPF prog
bpf_trace_printk("Timestamp: %lld", ts);
$ cat /sys/kernel/debug/tracing/trace_pipe
$ bpftool prog tracelog

https://nakryiko.com/posts/bpf-tips-printk/

References

https://qmonnet.github.io/whirl-offload/2021/09/23/bpftool-features-thread/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment