bpf

package
v0.18.0 Latest Latest
Published: Aug 10, 2024 License: MIT Imports: 22 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func LoadBpf

func LoadBpf() (*ebpf.CollectionSpec, error)

LoadBpf returns the embedded CollectionSpec for Bpf.

func LoadBpfObjects

func LoadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error

LoadBpfObjects loads Bpf and converts it into a struct.

The following types are suitable as obj argument:

*BpfObjects
*BpfPrograms
*BpfMaps

See ebpf.CollectionSpec.LoadAndAssign documentation for details.

Types

type BPF

// BPF is the handle returned by NewBPF. Every field is unexported, so callers
// work with it only through its methods: Load, the Attach* family, the Pull*
// event channels, CountReport, UpdateFlowPidMapValues and Close.
type BPF struct {
	// contains filtered or unexported fields
}

func NewBPF

func NewBPF() (*BPF, error)

func (*BPF) AttachCgroups added in v0.6.0

func (b *BPF) AttachCgroups(cgroupPath string) error

func (*BPF) AttachKprobes

func (b *BPF) AttachKprobes() error

func (*BPF) AttachTcHooks

func (b *BPF) AttachTcHooks(ifindex int, egress, ingress bool) error

func (*BPF) AttachTracepoints

func (b *BPF) AttachTracepoints() error

func (*BPF) Close

func (b *BPF) Close()

func (*BPF) CountReport added in v0.7.0

func (b *BPF) CountReport() types.CountReport

func (*BPF) Load

func (b *BPF) Load(opts Options) error

func (*BPF) PullExecEvents added in v0.2.0

func (b *BPF) PullExecEvents(ctx context.Context, chanSize int) (<-chan BpfExecEventT, error)

func (*BPF) PullExitEvents added in v0.15.0

func (b *BPF) PullExitEvents(ctx context.Context, chanSize int) (<-chan BpfExitEventT, error)

func (*BPF) PullPacketEvents added in v0.2.0

func (b *BPF) PullPacketEvents(ctx context.Context, chanSize int, maxPacketSize int) (<-chan BpfPacketEventWithPayloadT, error)

func (*BPF) UpdateFlowPidMapValues added in v0.5.2

func (b *BPF) UpdateFlowPidMapValues(data map[*BpfFlowPidKeyT]BpfProcessMetaT) error

type BpfExecEventT

// BpfExecEventT is the element type of the channel returned by
// (*BPF).PullExecEvents.
//
// NOTE(review): Filename and Args are fixed-size arrays (512 and 4096 int8
// elements), so longer values cannot be carried in full. Presumably
// FilenameTruncated and ArgsTruncated are non-zero when that happened, and the
// buffers are C char data that may lack a terminating NUL once truncated;
// confirm against the eBPF C source. Consumers that log, match or alert on
// these fields should check the flags before treating a value as complete.
//
// NOTE(review): Args presumably holds the command line of the exec'd process.
// Command lines can contain credentials, so stored or forwarded events
// deserve the same handling as other sensitive telemetry.
type BpfExecEventT struct {
	// Process metadata plus the two truncation flags.
	Meta              BpfProcessMetaT
	FilenameTruncated uint8
	ArgsTruncated     uint8

	// ArgsSize is presumably the number of valid bytes in Args; bound it by
	// len(Args) before slicing (TODO confirm semantics).
	ArgsSize uint32
	Filename [512]int8
	Args     [4096]int8
	// contains filtered or unexported fields
}

type BpfExitEventT added in v0.15.0

// BpfExitEventT is the element type of the channel returned by
// (*BPF).PullExitEvents. It carries only a Pid, with no namespace or
// timestamp field.
// NOTE(review): the kernel can reuse PIDs, so a consumer that keeps
// per-process state presumably has to drop it promptly on this event.
type BpfExitEventT struct{ Pid uint32 }

type BpfFlowPidKeyT

// BpfFlowPidKeyT is the key type of the map accepted by
// (*BPF).UpdateFlowPidMapValues, whose values are BpfProcessMetaT.
//
// The key holds a source address and source port only.
// NOTE(review): Saddr is two uint64 words (128 bits), presumably wide enough
// for an IPv6 address with IPv4 stored in the same space. The byte order of
// Saddr and Sport is not visible here; confirm both against the eBPF C source
// before building keys by hand.
type BpfFlowPidKeyT struct {
	Saddr [2]uint64
	Sport uint16
	// contains filtered or unexported fields
}

type BpfGconfigT added in v0.16.0

// BpfGconfigT carries the filter settings. Its fields line up with the
// arguments of NewOptions: pid, comm, followForks, the three namespace ids and
// maxPayloadSize.
//
// NOTE(review): presumably this is the value stored in config_map and read by
// the eBPF programs; confirm against the C source.
type BpfGconfigT struct {
	// Process filters. FilterComm has room for 16 int8 elements, so a longer
	// command name cannot be represented in full. Presumably FilterCommEnable
	// switches the comm comparison on (TODO confirm).
	FilterPid         uint32
	FilterFollowForks uint8
	FilterComm        [16]int8
	FilterCommEnable  uint8

	// Namespace-id filters and the payload size cap.
	// NOTE(review): whether zero means "no filter" / "no cap" is not visible
	// here; confirm before relying on a zero value to capture everything.
	FilterMntnsId  uint32
	FilterNetnsId  uint32
	FilterPidnsId  uint32
	MaxPayloadSize uint32
	// contains filtered or unexported fields
}

type BpfMapSpecs

// BpfMapSpecs lists the map specifications of the collection before anything
// is loaded into the kernel. Each field is bound to a map by the name in its
// `ebpf` struct tag, and the field set matches BpfMaps one for one.
type BpfMapSpecs struct {
	ConfigMap           *ebpf.MapSpec `ebpf:"config_map"`
	ExecEventStack      *ebpf.MapSpec `ebpf:"exec_event_stack"`
	ExecEvents          *ebpf.MapSpec `ebpf:"exec_events"`
	ExitEvents          *ebpf.MapSpec `ebpf:"exit_events"`
	FilterByKernelCount *ebpf.MapSpec `ebpf:"filter_by_kernel_count"`
	FilterPidMap        *ebpf.MapSpec `ebpf:"filter_pid_map"`
	FlowPidMap          *ebpf.MapSpec `ebpf:"flow_pid_map"`
	NatFlowMap          *ebpf.MapSpec `ebpf:"nat_flow_map"`
	PacketEventStack    *ebpf.MapSpec `ebpf:"packet_event_stack"`
	PacketEvents        *ebpf.MapSpec `ebpf:"packet_events"`
	SockCookiePidMap    *ebpf.MapSpec `ebpf:"sock_cookie_pid_map"`
}

BpfMapSpecs contains maps before they are loaded into the kernel.

It can be passed to ebpf.CollectionSpec.Assign.

type BpfMaps

// BpfMaps holds the loaded maps of the collection. Each field is bound to a
// map by the name in its `ebpf` struct tag.
//
// The type has a Close method; call it when the maps are no longer needed so
// the handles held by the *ebpf.Map values are released.
// NOTE(review): flow_pid_map, sock_cookie_pid_map and filter_pid_map
// presumably drive packet-to-process attribution and filtering. A caller that
// writes to them (see (*BPF).UpdateFlowPidMapValues) changes what is
// attributed or captured, so keep write access inside the loader process.
type BpfMaps struct {
	ConfigMap           *ebpf.Map `ebpf:"config_map"`
	ExecEventStack      *ebpf.Map `ebpf:"exec_event_stack"`
	ExecEvents          *ebpf.Map `ebpf:"exec_events"`
	ExitEvents          *ebpf.Map `ebpf:"exit_events"`
	FilterByKernelCount *ebpf.Map `ebpf:"filter_by_kernel_count"`
	FilterPidMap        *ebpf.Map `ebpf:"filter_pid_map"`
	FlowPidMap          *ebpf.Map `ebpf:"flow_pid_map"`
	NatFlowMap          *ebpf.Map `ebpf:"nat_flow_map"`
	PacketEventStack    *ebpf.Map `ebpf:"packet_event_stack"`
	PacketEvents        *ebpf.Map `ebpf:"packet_events"`
	SockCookiePidMap    *ebpf.Map `ebpf:"sock_cookie_pid_map"`
}

BpfMaps contains all maps after they have been loaded into the kernel.

It can be passed to LoadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.

func (*BpfMaps) Close

func (m *BpfMaps) Close() error

type BpfNatFlowT added in v0.9.0

// BpfNatFlowT describes one flow as a source/destination address pair and a
// source/destination port pair.
//
// NOTE(review): presumably it is the key and/or value type of nat_flow_map,
// used to relate a flow to its NAT-translated form; confirm against the C
// source. Each address is two uint64 words (128 bits). The byte order of the
// addresses and ports is not visible here.
type BpfNatFlowT struct {
	Saddr [2]uint64
	Daddr [2]uint64
	Sport uint16
	Dport uint16
	// contains filtered or unexported fields
}

type BpfObjects

// BpfObjects groups every loaded program and map by embedding BpfPrograms and
// BpfMaps, so their fields are promoted onto this type. It has its own Close
// method and a FromLegacy method that takes a *BpfObjectsForLegacyKernel.
type BpfObjects struct {
	BpfPrograms
	BpfMaps
}

BpfObjects contains all objects after they have been loaded into the kernel.

It can be passed to LoadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.

func (*BpfObjects) Close

func (o *BpfObjects) Close() error

func (*BpfObjects) FromLegacy added in v0.17.0

func (b *BpfObjects) FromLegacy(o *BpfObjectsForLegacyKernel)

type BpfObjectsForLegacyKernel added in v0.17.0

// BpfObjectsForLegacyKernel is the object set used on older kernels. Compared
// with BpfPrograms it lists the same kprobe, raw tracepoint and tc programs
// but omits the two cgroup programs (cgroup__sock_create and
// cgroup__sock_release). The full BpfMaps set is embedded unchanged.
//
// NOTE(review): presumably this exists because the cgroup socket hooks cannot
// be loaded on those kernels, and (*BpfObjects).FromLegacy copies these fields
// into a BpfObjects; confirm in the source. On this path, anything the cgroup
// hooks would have populated (plausibly sock_cookie_pid_map) should be
// expected to be empty, which may reduce process attribution coverage.
type BpfObjectsForLegacyKernel struct {
	KprobeTcpSendmsg              *ebpf.Program `ebpf:"kprobe__tcp_sendmsg"`
	KprobeUdpSendmsg              *ebpf.Program `ebpf:"kprobe__udp_sendmsg"`
	KprobeUdpSendSkb              *ebpf.Program `ebpf:"kprobe__udp_send_skb"`
	KprobeNfNatManipPkt           *ebpf.Program `ebpf:"kprobe__nf_nat_manip_pkt"`
	KprobeNfNatPacket             *ebpf.Program `ebpf:"kprobe__nf_nat_packet"`
	KprobeSecuritySkClassifyFlow  *ebpf.Program `ebpf:"kprobe__security_sk_classify_flow"`
	RawTracepointSchedProcessExec *ebpf.Program `ebpf:"raw_tracepoint__sched_process_exec"`
	RawTracepointSchedProcessExit *ebpf.Program `ebpf:"raw_tracepoint__sched_process_exit"`
	RawTracepointSchedProcessFork *ebpf.Program `ebpf:"raw_tracepoint__sched_process_fork"`
	TcEgress                      *ebpf.Program `ebpf:"tc_egress"`
	TcIngress                     *ebpf.Program `ebpf:"tc_ingress"`

	BpfMaps
}

type BpfPacketEventMetaT added in v0.10.0

// BpfPacketEventMetaT is the fixed-size header of a packet event: a
// timestamp, a packet type, the interface index, two length fields and the
// metadata of the associated process.
//
// NOTE(review): PayloadLen and PacketSize are separate fields. Presumably
// PayloadLen is the number of bytes actually captured and PacketSize the
// original packet length, so the two differ when a payload cap applies
// (TODO confirm). Consumers should not assume they are equal, and should
// bound any slicing by the length of the buffer they actually hold.
type BpfPacketEventMetaT struct {
	// NOTE(review): clock source of Timestamp and the value set of PacketType
	// are not visible here; PacketType presumably separates ingress from
	// egress. Confirm before correlating with other logs.
	Timestamp  uint64
	PacketType uint8

	Ifindex    uint32
	PayloadLen uint64
	PacketSize uint64
	Process    BpfProcessMetaT
	// contains filtered or unexported fields
}

type BpfPacketEventT

// BpfPacketEventT wraps a BpfPacketEventMetaT in its single Meta field; it is
// embedded by BpfPacketEventWithPayloadT, which adds the captured bytes.
type BpfPacketEventT struct{ Meta BpfPacketEventMetaT }

type BpfPacketEventWithPayloadT added in v0.15.0

// BpfPacketEventWithPayloadT is the element type of the channel returned by
// (*BPF).PullPacketEvents: the packet event header (embedded BpfPacketEventT)
// plus the captured bytes.
//
// NOTE(review): Payload is a plain []byte of captured traffic. Its length
// presumably relates to Meta.PayloadLen and the maxPacketSize argument of
// PullPacketEvents, but use len(Payload) as the bound when parsing. Captured
// payloads can contain credentials or personal data, so handle stored events
// accordingly.
type BpfPacketEventWithPayloadT struct {
	BpfPacketEventT
	Payload []byte
}

type BpfProcessMetaT added in v0.10.0

// BpfProcessMetaT identifies a process by parent pid, pid, three namespace ids
// (pid, mount, net) and a cgroup name. It is embedded in exec and packet
// events and is the value type taken by (*BPF).UpdateFlowPidMapValues.
//
// NOTE(review): CgroupName is a fixed 128-element int8 array and this struct
// has no truncation flag for it, so a longer name presumably arrives cut
// short. Prefix-match or otherwise tolerate truncation when using it for
// container attribution. Whether Pid is relative to the host or to PidnsId is
// not visible here; confirm before joining against host-side process data.
type BpfProcessMetaT struct {
	Ppid       uint32
	Pid        uint32
	PidnsId    uint32
	MntnsId    uint32
	NetnsId    uint32
	CgroupName [128]int8
}

type BpfProgramSpecs

// BpfProgramSpecs lists the program specifications of the collection before
// anything is loaded into the kernel. Each field is bound to a program by the
// name in its `ebpf` struct tag, and the field set matches BpfPrograms one for
// one: two cgroup socket programs, six kprobes, three sched_process raw
// tracepoints and the tc egress/ingress pair.
type BpfProgramSpecs struct {
	CgroupSockCreate              *ebpf.ProgramSpec `ebpf:"cgroup__sock_create"`
	CgroupSockRelease             *ebpf.ProgramSpec `ebpf:"cgroup__sock_release"`
	KprobeNfNatManipPkt           *ebpf.ProgramSpec `ebpf:"kprobe__nf_nat_manip_pkt"`
	KprobeNfNatPacket             *ebpf.ProgramSpec `ebpf:"kprobe__nf_nat_packet"`
	KprobeSecuritySkClassifyFlow  *ebpf.ProgramSpec `ebpf:"kprobe__security_sk_classify_flow"`
	KprobeTcpSendmsg              *ebpf.ProgramSpec `ebpf:"kprobe__tcp_sendmsg"`
	KprobeUdpSendSkb              *ebpf.ProgramSpec `ebpf:"kprobe__udp_send_skb"`
	KprobeUdpSendmsg              *ebpf.ProgramSpec `ebpf:"kprobe__udp_sendmsg"`
	RawTracepointSchedProcessExec *ebpf.ProgramSpec `ebpf:"raw_tracepoint__sched_process_exec"`
	RawTracepointSchedProcessExit *ebpf.ProgramSpec `ebpf:"raw_tracepoint__sched_process_exit"`
	RawTracepointSchedProcessFork *ebpf.ProgramSpec `ebpf:"raw_tracepoint__sched_process_fork"`
	TcEgress                      *ebpf.ProgramSpec `ebpf:"tc_egress"`
	TcIngress                     *ebpf.ProgramSpec `ebpf:"tc_ingress"`
}

BpfProgramSpecs contains programs before they are loaded into the kernel.

It can be passed to ebpf.CollectionSpec.Assign.

type BpfPrograms

// BpfPrograms holds the loaded programs of the collection. Each field is bound
// to a program by the name in its `ebpf` struct tag. The names cover four hook
// families: cgroup socket create/release, kprobes on the TCP/UDP send and
// netfilter NAT paths, sched_process exec/exit/fork raw tracepoints, and tc
// egress/ingress classifiers.
//
// The type has a Close method; call it to release the program handles.
// NOTE(review): loading and attaching programs of these kinds normally needs
// elevated privileges (root, or CAP_BPF with the related capabilities on
// newer kernels). Run the loader with the smallest set the target kernel
// accepts, and treat the process as privileged for hardening and audit
// purposes.
type BpfPrograms struct {
	CgroupSockCreate              *ebpf.Program `ebpf:"cgroup__sock_create"`
	CgroupSockRelease             *ebpf.Program `ebpf:"cgroup__sock_release"`
	KprobeNfNatManipPkt           *ebpf.Program `ebpf:"kprobe__nf_nat_manip_pkt"`
	KprobeNfNatPacket             *ebpf.Program `ebpf:"kprobe__nf_nat_packet"`
	KprobeSecuritySkClassifyFlow  *ebpf.Program `ebpf:"kprobe__security_sk_classify_flow"`
	KprobeTcpSendmsg              *ebpf.Program `ebpf:"kprobe__tcp_sendmsg"`
	KprobeUdpSendSkb              *ebpf.Program `ebpf:"kprobe__udp_send_skb"`
	KprobeUdpSendmsg              *ebpf.Program `ebpf:"kprobe__udp_sendmsg"`
	RawTracepointSchedProcessExec *ebpf.Program `ebpf:"raw_tracepoint__sched_process_exec"`
	RawTracepointSchedProcessExit *ebpf.Program `ebpf:"raw_tracepoint__sched_process_exit"`
	RawTracepointSchedProcessFork *ebpf.Program `ebpf:"raw_tracepoint__sched_process_fork"`
	TcEgress                      *ebpf.Program `ebpf:"tc_egress"`
	TcIngress                     *ebpf.Program `ebpf:"tc_ingress"`
}

BpfPrograms contains all programs after they have been loaded into the kernel.

It can be passed to LoadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.

func (*BpfPrograms) Close

func (p *BpfPrograms) Close() error

type BpfSpecs

// BpfSpecs groups the pre-load specifications by embedding BpfProgramSpecs and
// BpfMapSpecs, so their fields are promoted onto this type. It is the
// specification-side counterpart of BpfObjects.
type BpfSpecs struct {
	BpfProgramSpecs
	BpfMapSpecs
}

BpfSpecs contains maps and programs before they are loaded into the kernel.

It can be passed to ebpf.CollectionSpec.Assign.

type Options

// Options is the argument of (*BPF).Load. NewOptions builds one from a pid, a
// comm string, a follow-forks flag, a pcap filter expression, three namespace
// ids and a maximum payload size. The namespace ids and payload size have no
// exported field here, so they presumably live in the unexported fields.
type Options struct {
	// Process selection. Comm has room for 16 int8 elements, so a longer
	// command name cannot be stored in full.
	// NOTE(review): how NewOptions shortens a longer comm string is not
	// visible here; confirm, since a shortened filter may match more
	// processes than intended.
	Pid  uint32
	Comm [16]int8

	// NOTE(review): PcapFilter is a free-form string. Where it is parsed and
	// validated is not visible on this page; callers that accept the
	// expression from users or configuration should confirm a malformed
	// filter is rejected with an error rather than silently ignored.
	FollowForks uint8
	PcapFilter  string

	// KernelTypes is a BTF spec; presumably it lets Load use externally
	// supplied kernel type information (TODO confirm).
	KernelTypes *btf.Spec
	// contains filtered or unexported fields
}

func NewOptions

func NewOptions(pid uint, comm string, followForks bool, pcapFilter string,
	mntnsId uint32, pidnsId uint32, netnsId uint32, maxPayloadSize uint32) Options
