asm

package
v0.16.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 23, 2024 License: MIT Imports: 12 Imported by: 111

Documentation

Overview

Package asm is an assembler for eBPF bytecode.

Index

Examples

Constants

View Source
const (
	PseudoMapFD     = R1 // BPF_PSEUDO_MAP_FD
	PseudoMapValue  = R2 // BPF_PSEUDO_MAP_VALUE
	PseudoCall      = R1 // BPF_PSEUDO_CALL
	PseudoFunc      = R4 // BPF_PSEUDO_FUNC
	PseudoKfuncCall = R2 // BPF_PSEUDO_KFUNC_CALL
)

Pseudo registers used by 64bit loads and jumps

View Source
const InstructionSize = 8

InstructionSize is the size of a BPF instruction in bytes

Variables

View Source
var ErrUnreferencedSymbol = errors.New("unreferenced symbol")
View Source
var ErrUnsatisfiedMapReference = errors.New("unsatisfied map reference")
View Source
var ErrUnsatisfiedProgramReference = errors.New("unsatisfied program reference")

Functions

func IsUnreferencedSymbol deprecated

func IsUnreferencedSymbol(err error) bool

IsUnreferencedSymbol returns true if err was caused by an unreferenced symbol.

Deprecated: use errors.Is(err, asm.ErrUnreferencedSymbol).

Types

type ALUOp

type ALUOp uint16

ALUOp are ALU / ALU64 operations

msb              lsb
+-------+----+-+---+
|  EXT  | OP |s|cls|
+-------+----+-+---+
const (
	// InvalidALUOp is returned by getters when invoked
	// on non ALU OpCodes
	InvalidALUOp ALUOp = 0xffff
	// Add - addition
	Add ALUOp = 0x0000
	// Sub - subtraction
	Sub ALUOp = 0x0010
	// Mul - multiplication
	Mul ALUOp = 0x0020
	// Div - division
	Div ALUOp = 0x0030
	// SDiv - signed division
	SDiv ALUOp = Div + 0x0100
	// Or - bitwise or
	Or ALUOp = 0x0040
	// And - bitwise and
	And ALUOp = 0x0050
	// LSh - bitwise shift left
	LSh ALUOp = 0x0060
	// RSh - bitwise shift right
	RSh ALUOp = 0x0070
	// Neg - sign/unsign signing bit
	Neg ALUOp = 0x0080
	// Mod - modulo
	Mod ALUOp = 0x0090
	// SMod - signed modulo
	SMod ALUOp = Mod + 0x0100
	// Xor - bitwise xor
	Xor ALUOp = 0x00a0
	// Mov - move value from one place to another
	Mov ALUOp = 0x00b0
	// MovSX8 - move lower 8 bits, sign extended upper bits of target
	MovSX8 ALUOp = Mov + 0x0100
	// MovSX16 - move lower 16 bits, sign extended upper bits of target
	MovSX16 ALUOp = Mov + 0x0200
	// MovSX32 - move lower 32 bits, sign extended upper bits of target
	MovSX32 ALUOp = Mov + 0x0300
	// ArSh - arithmetic shift
	ArSh ALUOp = 0x00c0
	// Swap - endian conversions
	Swap ALUOp = 0x00d0
)

func (ALUOp) Imm

func (op ALUOp) Imm(dst Register, value int32) Instruction

Imm emits `dst (op) value`.

func (ALUOp) Imm32

func (op ALUOp) Imm32(dst Register, value int32) Instruction

Imm32 emits `dst (op) value`, zeroing the upper 32 bit of dst.

func (ALUOp) Op

func (op ALUOp) Op(source Source) OpCode

Op returns the OpCode for an ALU operation with a given source.

func (ALUOp) Op32

func (op ALUOp) Op32(source Source) OpCode

Op32 returns the OpCode for a 32-bit ALU operation with a given source.

func (ALUOp) Reg

func (op ALUOp) Reg(dst, src Register) Instruction

Reg emits `dst (op) src`.

func (ALUOp) Reg32

func (op ALUOp) Reg32(dst, src Register) Instruction

Reg32 emits `dst (op) src`, zeroing the upper 32 bit of dst.

func (ALUOp) String

func (i ALUOp) String() string

type BuiltinFunc

type BuiltinFunc int32

BuiltinFunc is a built-in eBPF function.

const (
	FnUnspec BuiltinFunc = iota
	FnMapLookupElem
	FnMapUpdateElem
	FnMapDeleteElem
	FnProbeRead
	FnKtimeGetNs
	FnTracePrintk
	FnGetPrandomU32
	FnGetSmpProcessorId
	FnSkbStoreBytes
	FnL3CsumReplace
	FnL4CsumReplace
	FnTailCall
	FnCloneRedirect
	FnGetCurrentPidTgid
	FnGetCurrentUidGid
	FnGetCurrentComm
	FnGetCgroupClassid
	FnSkbVlanPush
	FnSkbVlanPop
	FnSkbGetTunnelKey
	FnSkbSetTunnelKey
	FnPerfEventRead
	FnRedirect
	FnGetRouteRealm
	FnPerfEventOutput
	FnSkbLoadBytes
	FnGetStackid
	FnCsumDiff
	FnSkbGetTunnelOpt
	FnSkbSetTunnelOpt
	FnSkbChangeProto
	FnSkbChangeType
	FnSkbUnderCgroup
	FnGetHashRecalc
	FnGetCurrentTask
	FnProbeWriteUser
	FnCurrentTaskUnderCgroup
	FnSkbChangeTail
	FnSkbPullData
	FnCsumUpdate
	FnSetHashInvalid
	FnGetNumaNodeId
	FnSkbChangeHead
	FnXdpAdjustHead
	FnProbeReadStr
	FnGetSocketCookie
	FnGetSocketUid
	FnSetHash
	FnSetsockopt
	FnSkbAdjustRoom
	FnRedirectMap
	FnSkRedirectMap
	FnSockMapUpdate
	FnXdpAdjustMeta
	FnPerfEventReadValue
	FnPerfProgReadValue
	FnGetsockopt
	FnOverrideReturn
	FnSockOpsCbFlagsSet
	FnMsgRedirectMap
	FnMsgApplyBytes
	FnMsgCorkBytes
	FnMsgPullData
	FnBind
	FnXdpAdjustTail
	FnSkbGetXfrmState
	FnGetStack
	FnSkbLoadBytesRelative
	FnFibLookup
	FnSockHashUpdate
	FnMsgRedirectHash
	FnSkRedirectHash
	FnLwtPushEncap
	FnLwtSeg6StoreBytes
	FnLwtSeg6AdjustSrh
	FnLwtSeg6Action
	FnRcRepeat
	FnRcKeydown
	FnSkbCgroupId
	FnGetCurrentCgroupId
	FnGetLocalStorage
	FnSkSelectReuseport
	FnSkbAncestorCgroupId
	FnSkLookupTcp
	FnSkLookupUdp
	FnSkRelease
	FnMapPushElem
	FnMapPopElem
	FnMapPeekElem
	FnMsgPushData
	FnMsgPopData
	FnRcPointerRel
	FnSpinLock
	FnSpinUnlock
	FnSkFullsock
	FnTcpSock
	FnSkbEcnSetCe
	FnGetListenerSock
	FnSkcLookupTcp
	FnTcpCheckSyncookie
	FnSysctlGetName
	FnSysctlGetCurrentValue
	FnSysctlGetNewValue
	FnSysctlSetNewValue
	FnStrtol
	FnStrtoul
	FnSkStorageGet
	FnSkStorageDelete
	FnSendSignal
	FnTcpGenSyncookie
	FnSkbOutput
	FnProbeReadUser
	FnProbeReadKernel
	FnProbeReadUserStr
	FnProbeReadKernelStr
	FnTcpSendAck
	FnSendSignalThread
	FnJiffies64
	FnReadBranchRecords
	FnGetNsCurrentPidTgid
	FnXdpOutput
	FnGetNetnsCookie
	FnGetCurrentAncestorCgroupId
	FnSkAssign
	FnKtimeGetBootNs
	FnSeqPrintf
	FnSeqWrite
	FnSkCgroupId
	FnSkAncestorCgroupId
	FnRingbufOutput
	FnRingbufReserve
	FnRingbufSubmit
	FnRingbufDiscard
	FnRingbufQuery
	FnCsumLevel
	FnSkcToTcp6Sock
	FnSkcToTcpSock
	FnSkcToTcpTimewaitSock
	FnSkcToTcpRequestSock
	FnSkcToUdp6Sock
	FnGetTaskStack
	FnLoadHdrOpt
	FnStoreHdrOpt
	FnReserveHdrOpt
	FnInodeStorageGet
	FnInodeStorageDelete
	FnDPath
	FnCopyFromUser
	FnSnprintfBtf
	FnSeqPrintfBtf
	FnSkbCgroupClassid
	FnRedirectNeigh
	FnPerCpuPtr
	FnThisCpuPtr
	FnRedirectPeer
	FnTaskStorageGet
	FnTaskStorageDelete
	FnGetCurrentTaskBtf
	FnBprmOptsSet
	FnKtimeGetCoarseNs
	FnImaInodeHash
	FnSockFromFile
	FnCheckMtu
	FnForEachMapElem
	FnSnprintf
	FnSysBpf
	FnBtfFindByNameKind
	FnSysClose
	FnTimerInit
	FnTimerSetCallback
	FnTimerStart
	FnTimerCancel
	FnGetFuncIp
	FnGetAttachCookie
	FnTaskPtRegs
	FnGetBranchSnapshot
	FnTraceVprintk
	FnSkcToUnixSock
	FnKallsymsLookupName
	FnFindVma
	FnLoop
	FnStrncmp
	FnGetFuncArg
	FnGetFuncRet
	FnGetFuncArgCnt
	FnGetRetval
	FnSetRetval
	FnXdpGetBuffLen
	FnXdpLoadBytes
	FnXdpStoreBytes
	FnCopyFromUserTask
	FnSkbSetTstamp
	FnImaFileHash
	FnKptrXchg
	FnMapLookupPercpuElem
	FnSkcToMptcpSock
	FnDynptrFromMem
	FnRingbufReserveDynptr
	FnRingbufSubmitDynptr
	FnRingbufDiscardDynptr
	FnDynptrRead
	FnDynptrWrite
	FnDynptrData
	FnTcpRawGenSyncookieIpv4
	FnTcpRawGenSyncookieIpv6
	FnTcpRawCheckSyncookieIpv4
	FnTcpRawCheckSyncookieIpv6
	FnKtimeGetTaiNs
	FnUserRingbufDrain
	FnCgrpStorageGet
	FnCgrpStorageDelete
)

eBPF built-in functions

You can regenerate this list using the following gawk script:

/FN\(.+\),/ {
  match($1, /\(([a-z_0-9]+),/, r)
  split(r[1], p, "_")
  printf "Fn"
  for (i in p) {
    printf "%s%s", toupper(substr(p[i], 1, 1)), substr(p[i], 2)
  }
  print ""
}

The script expects include/uapi/linux/bpf.h as it's input.

func (BuiltinFunc) Call

func (fn BuiltinFunc) Call() Instruction

Call emits a function call.

func (BuiltinFunc) Max added in v0.9.0

func (_ BuiltinFunc) Max() BuiltinFunc

func (BuiltinFunc) String

func (i BuiltinFunc) String() string

type Class

type Class uint8

Class of operations

msb      lsb
+---+--+---+
|  ??  |CLS|
+---+--+---+
const (
	// LdClass loads immediate values into registers.
	// Also used for non-standard load operations from cBPF.
	LdClass Class = 0x00
	// LdXClass loads memory into registers.
	LdXClass Class = 0x01
	// StClass stores immediate values to memory.
	StClass Class = 0x02
	// StXClass stores registers to memory.
	StXClass Class = 0x03
	// ALUClass describes arithmetic operators.
	ALUClass Class = 0x04
	// JumpClass describes jump operators.
	JumpClass Class = 0x05
	// Jump32Class describes jump operators with 32-bit comparisons.
	// Requires kernel 5.1.
	Jump32Class Class = 0x06
	// ALU64Class describes arithmetic operators in 64-bit mode.
	ALU64Class Class = 0x07
)

func (Class) IsALU added in v0.8.0

func (cls Class) IsALU() bool

IsALU checks if this is either ALUClass or ALU64Class.

func (Class) IsJump added in v0.8.0

func (cls Class) IsJump() bool

IsJump checks if this is either JumpClass or Jump32Class.

func (Class) IsLoad added in v0.8.0

func (cls Class) IsLoad() bool

IsLoad checks if this is either LdClass or LdXClass.

func (Class) IsStore added in v0.8.0

func (cls Class) IsStore() bool

IsStore checks if this is either StClass or StXClass.

func (Class) String

func (i Class) String() string

type Comment added in v0.9.0

type Comment string

A Comment can be passed to Instruction.WithSource to add a comment to an instruction.

func (Comment) String added in v0.9.0

func (s Comment) String() string

type Endianness

type Endianness uint8

The Endianness of a byte swap instruction.

const (
	InvalidEndian Endianness = 0xff
	// Convert to little endian
	LE Endianness = 0x00
	// Convert to big endian
	BE Endianness = 0x08
)

Endian flags

func (Endianness) String

func (i Endianness) String() string

type FDer added in v0.9.0

type FDer interface {
	FD() int
}

FDer represents a resource tied to an underlying file descriptor. Used as a stand-in for e.g. ebpf.Map since that type cannot be imported here and FD() is the only method we rely on.

type Instruction

type Instruction struct {
	OpCode   OpCode
	Dst      Register
	Src      Register
	Offset   int16
	Constant int64

	// Metadata contains optional metadata about this instruction.
	Metadata Metadata
}

Instruction is a single eBPF instruction.

func BSwap added in v0.12.3

func BSwap(dst Register, size Size) Instruction

BSwap unconditionally reverses the order of bytes in a register.

func HostTo

func HostTo(endian Endianness, dst Register, size Size) Instruction

HostTo converts from host to another endianness.

func LoadAbs

func LoadAbs(offset int32, size Size) Instruction

LoadAbs emits `r0 = ntoh(*(size *)(((sk_buff *)R6)->data + offset))`.

func LoadImm

func LoadImm(dst Register, value int64, size Size) Instruction

LoadImm emits `dst = (size)value`.

As of kernel 4.20, only DWord size is accepted.

func LoadInd

func LoadInd(dst, src Register, offset int32, size Size) Instruction

LoadInd emits `dst = ntoh(*(size *)(((sk_buff *)R6)->data + src + offset))`.

func LoadMapPtr

func LoadMapPtr(dst Register, fd int) Instruction

LoadMapPtr stores a pointer to a map in dst.

func LoadMapValue

func LoadMapValue(dst Register, fd int, offset uint32) Instruction

LoadMapValue stores a pointer to the value at a certain offset of a map.

func LoadMem

func LoadMem(dst, src Register, offset int16, size Size) Instruction

LoadMem emits `dst = *(size *)(src + offset)`.

func LoadMemSX added in v0.12.3

func LoadMemSX(dst, src Register, offset int16, size Size) Instruction

LoadMemSX emits `dst = *(size *)(src + offset)` but sign extends dst.

func LongJump added in v0.12.3

func LongJump(label string) Instruction

LongJump returns a jump always instruction with a range of [-2^31, 2^31 - 1].

func Return

func Return() Instruction

Return emits an exit instruction.

Requires a return value in R0.

func StoreImm

func StoreImm(dst Register, offset int16, value int64, size Size) Instruction

StoreImm emits `*(size *)(dst + offset) = value`.

func StoreMem

func StoreMem(dst Register, offset int16, src Register, size Size) Instruction

StoreMem emits `*(size *)(dst + offset) = src`

func StoreXAdd

func StoreXAdd(dst, src Register, size Size) Instruction

StoreXAdd atomically adds src to *dst.

func (*Instruction) AssociateMap added in v0.9.0

func (ins *Instruction) AssociateMap(m FDer) error

AssociateMap associates a Map with this Instruction.

Implicitly clears the Instruction's Reference field.

Returns an error if the Instruction is not a map load.

func (Instruction) Format

func (ins Instruction) Format(f fmt.State, c rune)

Format implements fmt.Formatter.

func (*Instruction) IsBuiltinCall added in v0.7.0

func (ins *Instruction) IsBuiltinCall() bool

IsBuiltinCall returns true if the instruction is a built-in call, i.e. BPF helper call.

func (*Instruction) IsConstantLoad added in v0.6.0

func (ins *Instruction) IsConstantLoad(size Size) bool

IsConstantLoad returns true if the instruction loads a constant of the given size.

func (*Instruction) IsFunctionCall

func (ins *Instruction) IsFunctionCall() bool

IsFunctionCall returns true if the instruction calls another BPF function.

This is not the same thing as a BPF helper call.

func (*Instruction) IsFunctionReference added in v0.8.0

func (ins *Instruction) IsFunctionReference() bool

IsFunctionReference returns true if the instruction references another BPF function, either by invoking a Call jump operation or by loading a function pointer.

func (*Instruction) IsKfuncCall added in v0.11.0

func (ins *Instruction) IsKfuncCall() bool

IsKfuncCall returns true if the instruction calls a kfunc.

This is not the same thing as a BPF helper call.

func (*Instruction) IsLoadFromMap added in v0.6.0

func (ins *Instruction) IsLoadFromMap() bool

IsLoadFromMap returns true if the instruction loads from a map.

This covers both loading the map pointer and direct map value loads.

func (*Instruction) IsLoadOfFunctionPointer added in v0.8.0

func (ins *Instruction) IsLoadOfFunctionPointer() bool

IsLoadOfFunctionPointer returns true if the instruction loads a function pointer.

func (Instruction) Map added in v0.9.0

func (ins Instruction) Map() FDer

Map returns the Map referenced by ins, if any. An Instruction will contain a Map if e.g. it references an existing, pinned map that was opened during ELF loading.

func (*Instruction) MapPtr deprecated added in v0.6.0

func (ins *Instruction) MapPtr() int

MapPtr returns the map fd for this instruction.

The result is undefined if the instruction is not a load from a map, see IsLoadFromMap.

Deprecated: use Map() instead.

func (Instruction) Marshal

func (ins Instruction) Marshal(w io.Writer, bo binary.ByteOrder) (uint64, error)

Marshal encodes a BPF instruction.

func (Instruction) Reference

func (ins Instruction) Reference() string

Reference returns the Symbol or map name referenced by ins, if any.

func (*Instruction) RewriteMapOffset

func (ins *Instruction) RewriteMapOffset(offset uint32) error

RewriteMapOffset changes the offset of a direct load from a map.

Returns an error if the instruction is not a direct load.

func (*Instruction) RewriteMapPtr deprecated

func (ins *Instruction) RewriteMapPtr(fd int) error

RewriteMapPtr changes an instruction to use a new map fd.

Returns an error if the instruction doesn't load a map.

Deprecated: use AssociateMap instead. If you cannot provide a Map, wrap an fd in a type implementing FDer.

func (Instruction) Size added in v0.8.0

func (ins Instruction) Size() uint64

Size returns the amount of bytes ins would occupy in binary form.

func (Instruction) Source added in v0.9.0

func (ins Instruction) Source() fmt.Stringer

Source returns source information about the Instruction. The field is present when the compiler emits BTF line info about the Instruction and usually contains the line of source code responsible for it.

func (Instruction) Sym deprecated

func (ins Instruction) Sym(name string) Instruction

Sym creates a symbol.

Deprecated: use WithSymbol instead.

func (Instruction) Symbol

func (ins Instruction) Symbol() string

Symbol returns the value ins has been marked with using WithSymbol, otherwise returns an empty string. A symbol is often an Instruction at the start of a function body.

func (*Instruction) Unmarshal

func (ins *Instruction) Unmarshal(r io.Reader, bo binary.ByteOrder) (uint64, error)

Unmarshal decodes a BPF instruction.

func (Instruction) WithMetadata added in v0.10.0

func (ins Instruction) WithMetadata(meta Metadata) Instruction

WithMetadata sets the given Metadata on the Instruction. e.g. to copy Metadata from another Instruction when replacing it.

func (Instruction) WithReference added in v0.9.0

func (ins Instruction) WithReference(ref string) Instruction

WithReference makes ins reference another Symbol or map by name.

func (Instruction) WithSource added in v0.9.0

func (ins Instruction) WithSource(src fmt.Stringer) Instruction

WithSource adds source information about the Instruction.

func (Instruction) WithSymbol added in v0.9.0

func (ins Instruction) WithSymbol(name string) Instruction

WithSymbol marks the Instruction as a Symbol, which other Instructions can point to using corresponding calls to WithReference.

type InstructionIterator

type InstructionIterator struct {

	// The instruction in question.
	Ins *Instruction
	// The index of the instruction in the original instruction slice.
	Index int
	// The offset of the instruction in raw BPF instructions. This accounts
	// for double-wide instructions.
	Offset RawInstructionOffset
	// contains filtered or unexported fields
}

InstructionIterator iterates over a BPF program.

func (*InstructionIterator) Next

func (iter *InstructionIterator) Next() bool

Next returns true as long as there are any instructions remaining.

type Instructions

type Instructions []Instruction

Instructions is an eBPF program.

func (Instructions) AssociateMap added in v0.9.0

func (insns Instructions) AssociateMap(symbol string, m FDer) error

AssociateMap updates all Instructions that Reference the given symbol to point to an existing Map m instead.

Returns ErrUnreferencedSymbol error if no references to symbol are found in insns. If symbol is anything else than the symbol name of map (e.g. a bpf2bpf subprogram), an error is returned.

func (Instructions) Format

func (insns Instructions) Format(f fmt.State, c rune)

Format implements fmt.Formatter.

You can control indentation of symbols by specifying a width. Setting a precision controls the indentation of instructions. The default character is a tab, which can be overridden by specifying the ' ' space flag.

Example

You can use format flags to change the way an eBPF program is stringified.

insns := Instructions{
	FnMapLookupElem.Call().WithSymbol("my_func").WithSource(Comment("bpf_map_lookup_elem()")),
	LoadImm(R0, 42, DWord).WithSource(Comment("abc = 42")),
	Return(),
}

fmt.Println("Default format:")
fmt.Printf("%v\n", insns)

fmt.Println("Don't indent instructions:")
fmt.Printf("%.0v\n", insns)

fmt.Println("Indent using spaces:")
fmt.Printf("% v\n", insns)

fmt.Println("Control symbol indentation:")
fmt.Printf("%2v\n", insns)
Output:

Default format:
my_func:
	 ; bpf_map_lookup_elem()
	0: Call FnMapLookupElem
	 ; abc = 42
	1: LdImmDW dst: r0 imm: 42
	3: Exit

Don't indent instructions:
my_func:
 ; bpf_map_lookup_elem()
0: Call FnMapLookupElem
 ; abc = 42
1: LdImmDW dst: r0 imm: 42
3: Exit

Indent using spaces:
my_func:
  ; bpf_map_lookup_elem()
 0: Call FnMapLookupElem
  ; abc = 42
 1: LdImmDW dst: r0 imm: 42
 3: Exit

Control symbol indentation:
		my_func:
	 ; bpf_map_lookup_elem()
	0: Call FnMapLookupElem
	 ; abc = 42
	1: LdImmDW dst: r0 imm: 42
	3: Exit

func (Instructions) FunctionReferences added in v0.8.0

func (insns Instructions) FunctionReferences() []string

FunctionReferences returns a set of symbol names these Instructions make bpf-to-bpf calls to.

func (Instructions) Iterate

func (insns Instructions) Iterate() *InstructionIterator

Iterate allows iterating a BPF program while keeping track of various offsets.

Modifying the instruction slice will lead to undefined behaviour.

func (Instructions) Marshal

func (insns Instructions) Marshal(w io.Writer, bo binary.ByteOrder) error

Marshal encodes a BPF program into the kernel format.

insns may be modified if there are unresolved jumps or bpf2bpf calls.

Returns ErrUnsatisfiedProgramReference if there is a Reference Instruction without a matching Symbol Instruction within insns.

func (Instructions) Name added in v0.8.0

func (insns Instructions) Name() string

Name returns the name of the function insns belongs to, if any.

func (Instructions) ReferenceOffsets

func (insns Instructions) ReferenceOffsets() map[string][]int

ReferenceOffsets returns the set of references and their offset in the instructions.

func (Instructions) RewriteMapPtr deprecated

func (insns Instructions) RewriteMapPtr(symbol string, fd int) error

RewriteMapPtr rewrites all loads of a specific map pointer to a new fd.

Returns ErrUnreferencedSymbol if the symbol isn't used.

Deprecated: use AssociateMap instead.

func (Instructions) Size added in v0.8.0

func (insns Instructions) Size() uint64

Size returns the amount of bytes insns would occupy in binary form.

func (Instructions) String

func (insns Instructions) String() string

func (Instructions) SymbolOffsets

func (insns Instructions) SymbolOffsets() (map[string]int, error)

SymbolOffsets returns the set of symbols and their offset in the instructions.

func (Instructions) Tag added in v0.4.0

func (insns Instructions) Tag(bo binary.ByteOrder) (string, error)

Tag calculates the kernel tag for a series of instructions.

It mirrors bpf_prog_calc_tag in the kernel and so can be compared to ProgramInfo.Tag to figure out whether a loaded program matches certain instructions.

func (*Instructions) Unmarshal added in v0.8.0

func (insns *Instructions) Unmarshal(r io.Reader, bo binary.ByteOrder) error

Unmarshal unmarshals an Instructions from a binary instruction stream. All instructions in insns are replaced by instructions decoded from r.

type JumpOp

type JumpOp uint8

JumpOp affect control flow.

msb      lsb
+----+-+---+
|OP  |s|cls|
+----+-+---+
const (
	// InvalidJumpOp is returned by getters when invoked
	// on non branch OpCodes
	InvalidJumpOp JumpOp = 0xff
	// Ja jumps by offset unconditionally
	Ja JumpOp = 0x00
	// JEq jumps by offset if r == imm
	JEq JumpOp = 0x10
	// JGT jumps by offset if r > imm
	JGT JumpOp = 0x20
	// JGE jumps by offset if r >= imm
	JGE JumpOp = 0x30
	// JSet jumps by offset if r & imm
	JSet JumpOp = 0x40
	// JNE jumps by offset if r != imm
	JNE JumpOp = 0x50
	// JSGT jumps by offset if signed r > signed imm
	JSGT JumpOp = 0x60
	// JSGE jumps by offset if signed r >= signed imm
	JSGE JumpOp = 0x70
	// Call builtin or user defined function from imm
	Call JumpOp = 0x80
	// Exit ends execution, with value in r0
	Exit JumpOp = 0x90
	// JLT jumps by offset if r < imm
	JLT JumpOp = 0xa0
	// JLE jumps by offset if r <= imm
	JLE JumpOp = 0xb0
	// JSLT jumps by offset if signed r < signed imm
	JSLT JumpOp = 0xc0
	// JSLE jumps by offset if signed r <= signed imm
	JSLE JumpOp = 0xd0
)

func (JumpOp) Imm

func (op JumpOp) Imm(dst Register, value int32, label string) Instruction

Imm compares 64 bit dst to 64 bit value (sign extended), and adjusts PC by offset if the condition is fulfilled.

func (JumpOp) Imm32 added in v0.8.0

func (op JumpOp) Imm32(dst Register, value int32, label string) Instruction

Imm32 compares 32 bit dst to 32 bit value, and adjusts PC by offset if the condition is fulfilled. Requires kernel 5.1.

func (JumpOp) Label

func (op JumpOp) Label(label string) Instruction

Label adjusts PC to the address of the label.

func (JumpOp) Op

func (op JumpOp) Op(source Source) OpCode

Op returns the OpCode for a given jump source.

func (JumpOp) Reg

func (op JumpOp) Reg(dst, src Register, label string) Instruction

Reg compares 64 bit dst to 64 bit src, and adjusts PC by offset if the condition is fulfilled.

func (JumpOp) Reg32 added in v0.8.0

func (op JumpOp) Reg32(dst, src Register, label string) Instruction

Reg32 compares 32 bit dst to 32 bit src, and adjusts PC by offset if the condition is fulfilled. Requires kernel 5.1.

func (JumpOp) String

func (i JumpOp) String() string

type Metadata added in v0.9.0

type Metadata struct {
	// contains filtered or unexported fields
}

Metadata contains metadata about an instruction.

func (*Metadata) Get added in v0.9.0

func (m *Metadata) Get(key interface{}) interface{}

Get the value of a key.

Returns nil if no value with the given key is present.

func (*Metadata) Set added in v0.9.0

func (m *Metadata) Set(key, value interface{})

Set a key to a value.

If value is nil, the key is removed. Avoids modifying old metadata by copying if necessary.

type Mode

type Mode uint8

Mode for load and store operations

msb      lsb
+---+--+---+
|MDE|sz|cls|
+---+--+---+
const (
	// InvalidMode is returned by getters when invoked
	// on non load / store OpCodes
	InvalidMode Mode = 0xff
	// ImmMode - immediate value
	ImmMode Mode = 0x00
	// AbsMode - immediate value + offset
	AbsMode Mode = 0x20
	// IndMode - indirect (imm+src)
	IndMode Mode = 0x40
	// MemMode - load from memory
	MemMode Mode = 0x60
	// MemSXMode - load from memory, sign extension
	MemSXMode Mode = 0x80
	// XAddMode - add atomically across processors.
	XAddMode Mode = 0xc0
)

func (Mode) String

func (i Mode) String() string

type OpCode

type OpCode uint16

OpCode represents a single operation. It is not a 1:1 mapping to real eBPF opcodes.

The encoding varies based on a 3-bit Class:

7 6 5 4 3 2 1 0 7 6 5 4 3 2 1 0
           ???           | CLS

For ALUClass and ALUCLass32:

7 6 5 4 3 2 1 0 7 6 5 4 3 2 1 0
           OPC         |S| CLS

For LdClass, LdXclass, StClass and StXClass:

7 6 5 4 3 2 1 0 7 6 5 4 3 2 1 0
        0      | MDE |SIZ| CLS

For JumpClass, Jump32Class:

7 6 5 4 3 2 1 0 7 6 5 4 3 2 1 0
        0      |  OPC  |S| CLS
const InvalidOpCode OpCode = 0xffff

InvalidOpCode is returned by setters on OpCode

func LoadAbsOp

func LoadAbsOp(size Size) OpCode

LoadAbsOp returns the OpCode for loading a value of given size from an sk_buff.

func LoadImmOp

func LoadImmOp(size Size) OpCode

LoadImmOp returns the OpCode to load an immediate of given size.

As of kernel 4.20, only DWord size is accepted.

func LoadIndOp

func LoadIndOp(size Size) OpCode

LoadIndOp returns the OpCode for loading a value of given size from an sk_buff.

func LoadMemOp

func LoadMemOp(size Size) OpCode

LoadMemOp returns the OpCode to load a value of given size from memory.

func LoadMemSXOp added in v0.12.3

func LoadMemSXOp(size Size) OpCode

LoadMemSXOp returns the OpCode to load a value of given size from memory sign extended.

func StoreImmOp

func StoreImmOp(size Size) OpCode

StoreImmOp returns the OpCode for storing an immediate of given size in memory.

func StoreMemOp

func StoreMemOp(size Size) OpCode

StoreMemOp returns the OpCode for storing a register of given size in memory.

func StoreXAddOp

func StoreXAddOp(size Size) OpCode

StoreXAddOp returns the OpCode to atomically add a register to a value in memory.

func (OpCode) ALUOp

func (op OpCode) ALUOp() ALUOp

ALUOp returns the ALUOp.

func (OpCode) Class

func (op OpCode) Class() Class

Class returns the class of operation.

func (OpCode) Endianness

func (op OpCode) Endianness() Endianness

Endianness returns the Endianness for a byte swap instruction.

func (OpCode) IsDWordLoad added in v0.6.0

func (op OpCode) IsDWordLoad() bool

func (OpCode) JumpOp

func (op OpCode) JumpOp() JumpOp

JumpOp returns the JumpOp. Returns InvalidJumpOp if it doesn't encode a jump.

func (OpCode) Mode

func (op OpCode) Mode() Mode

Mode returns the mode for load and store operations.

func (OpCode) SetALUOp

func (op OpCode) SetALUOp(alu ALUOp) OpCode

SetALUOp sets the ALUOp on ALU operations.

Returns InvalidOpCode if op is of the wrong class.

func (OpCode) SetJumpOp

func (op OpCode) SetJumpOp(jump JumpOp) OpCode

SetJumpOp sets the JumpOp on jump operations.

Returns InvalidOpCode if op is of the wrong class.

func (OpCode) SetMode

func (op OpCode) SetMode(mode Mode) OpCode

SetMode sets the mode on load and store operations.

Returns InvalidOpCode if op is of the wrong class.

func (OpCode) SetSize

func (op OpCode) SetSize(size Size) OpCode

SetSize sets the size on load and store operations.

Returns InvalidOpCode if op is of the wrong class.

func (OpCode) SetSource

func (op OpCode) SetSource(source Source) OpCode

SetSource sets the source on jump and ALU operations.

Returns InvalidOpCode if op is of the wrong class.

func (OpCode) Size

func (op OpCode) Size() Size

Size returns the size for load and store operations.

func (OpCode) Source

func (op OpCode) Source() Source

Source returns the source for branch and ALU operations.

func (OpCode) String

func (op OpCode) String() string

type RawInstructionOffset

type RawInstructionOffset uint64

RawInstructionOffset is an offset in units of raw BPF instructions.

func (RawInstructionOffset) Bytes

func (rio RawInstructionOffset) Bytes() uint64

Bytes returns the offset of an instruction in bytes.

type Register

type Register uint8

Register is the source or destination of most operations.

const (
	R1 Register = R0 + 1 + iota
	R2
	R3
	R4
	R5
)

Registers for function arguments.

const (
	R6 Register = R5 + 1 + iota
	R7
	R8
	R9
)

Callee saved registers preserved by function calls.

const (
	R10 Register = R9 + 1
	RFP          = R10
)

Read-only frame pointer to access stack.

const R0 Register = 0

R0 contains return values.

func (Register) String

func (r Register) String() string

type Size

type Size uint8

Size of load and store operations

msb      lsb
+---+--+---+
|mde|SZ|cls|
+---+--+---+
const (
	// InvalidSize is returned by getters when invoked
	// on non load / store OpCodes
	InvalidSize Size = 0xff
	// DWord - double word; 64 bits
	DWord Size = 0x18
	// Word - word; 32 bits
	Word Size = 0x00
	// Half - half-word; 16 bits
	Half Size = 0x08
	// Byte - byte; 8 bits
	Byte Size = 0x10
)

func (Size) Sizeof

func (s Size) Sizeof() int

Sizeof returns the size in bytes.

func (Size) String

func (i Size) String() string

type Source

type Source uint16

Source of ALU / ALU64 / Branch operations

msb              lsb
+------------+-+---+
|     op     |S|cls|
+------------+-+---+
const (
	// InvalidSource is returned by getters when invoked
	// on non ALU / branch OpCodes.
	InvalidSource Source = 0xffff
	// ImmSource src is from constant
	ImmSource Source = 0x0000
	// RegSource src is from register
	RegSource Source = 0x0008
)

Source bitmask

func (Source) String

func (i Source) String() string

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL