bpf

package
v0.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 28, 2024 License: MIT Imports: 18 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func LoadBpf 

func LoadBpf() (*ebpf.CollectionSpec, error)

LoadBpf returns the embedded CollectionSpec for Bpf.

func LoadBpfObjects 

func LoadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error

LoadBpfObjects loads Bpf and converts it into a struct.

The following types are suitable as obj argument: 

*BpfObjects
*BpfPrograms
*BpfMaps

See ebpf.CollectionSpec.LoadAndAssign documentation for details.

Types

type BPF 

type BPF struct {
	// contains filtered or unexported fields
}

func NewBPF 

func NewBPF() (*BPF, error)

func (*BPF) AttachKprobes 

func (b *BPF) AttachKprobes() error

func (*BPF) AttachTcHooks 

func (b *BPF) AttachTcHooks(ifindex int, egress, ingress bool) error

func (*BPF) AttachTracepoints 

func (b *BPF) AttachTracepoints() error

func (*BPF) Close 

func (b *BPF) Close()

func (*BPF) Load 

func (b *BPF) Load(opts Options) error

func (*BPF) PullExecEvents added in v0.2.0 

func (b *BPF) PullExecEvents(ctx context.Context) (<-chan BpfExecEventT, error)

func (*BPF) PullPacketEvents added in v0.2.0 

func (b *BPF) PullPacketEvents(ctx context.Context) (<-chan BpfPacketEventT, error)

type BpfExecEventT 

type BpfExecEventT struct {
	Pid               uint32
	FilenameTruncated uint8
	ArgsTruncated     uint8

	ArgsSize uint32
	Filename [512]int8
	Args     [4096]int8
	// contains filtered or unexported fields
}

type BpfFlowPidKeyT 

type BpfFlowPidKeyT struct {
	Saddr [4]uint32
	Sport uint16
	// contains filtered or unexported fields
}

type BpfFlowPidValueT 

type BpfFlowPidValueT struct {
	Pid     uint32
	Comm    [16]int8
	TtyName [64]int8
}

type BpfMapSpecs 

type BpfMapSpecs struct {
	ExecEventStack   *ebpf.MapSpec `ebpf:"exec_event_stack"`
	ExecEvents       *ebpf.MapSpec `ebpf:"exec_events"`
	FilterPidMap     *ebpf.MapSpec `ebpf:"filter_pid_map"`
	FlowPidMap       *ebpf.MapSpec `ebpf:"flow_pid_map"`
	PacketEventStack *ebpf.MapSpec `ebpf:"packet_event_stack"`
	PacketEvents     *ebpf.MapSpec `ebpf:"packet_events"`
}

BpfMapSpecs contains maps before they are loaded into the kernel.

It can be passed ebpf.CollectionSpec.Assign.

type BpfMaps 

type BpfMaps struct {
	ExecEventStack   *ebpf.Map `ebpf:"exec_event_stack"`
	ExecEvents       *ebpf.Map `ebpf:"exec_events"`
	FilterPidMap     *ebpf.Map `ebpf:"filter_pid_map"`
	FlowPidMap       *ebpf.Map `ebpf:"flow_pid_map"`
	PacketEventStack *ebpf.Map `ebpf:"packet_event_stack"`
	PacketEvents     *ebpf.Map `ebpf:"packet_events"`
}

BpfMaps contains all maps after they have been loaded into the kernel.

It can be passed to LoadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.

func (*BpfMaps) Close 

func (m *BpfMaps) Close() error

type BpfObjects 

type BpfObjects struct {
	BpfPrograms
	BpfMaps
}

BpfObjects contains all objects after they have been loaded into the kernel.

It can be passed to LoadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.

func (*BpfObjects) Close 

func (o *BpfObjects) Close() error

type BpfPacketEventT 

type BpfPacketEventT struct {
	Meta struct {
		Timestamp  uint64
		PacketType uint8

		Ifindex uint32
		Pid     uint32

		PayloadLen uint64
		PacketSize uint64
		Comm       [16]int8
		// contains filtered or unexported fields
	}
	Payload [1500]uint8
	// contains filtered or unexported fields
}

type BpfProgramSpecs 

type BpfProgramSpecs struct {
	KprobeSecuritySkClassifyFlow    *ebpf.ProgramSpec `ebpf:"kprobe__security_sk_classify_flow"`
	TcEgress                        *ebpf.ProgramSpec `ebpf:"tc_egress"`
	TcIngress                       *ebpf.ProgramSpec `ebpf:"tc_ingress"`
	TracepointSchedSchedProcessExec *ebpf.ProgramSpec `ebpf:"tracepoint__sched__sched_process_exec"`
	TracepointSyscallsSysExitClone  *ebpf.ProgramSpec `ebpf:"tracepoint__syscalls__sys_exit_clone"`
	TracepointSyscallsSysExitClone3 *ebpf.ProgramSpec `ebpf:"tracepoint__syscalls__sys_exit_clone3"`
	TracepointSyscallsSysExitFork   *ebpf.ProgramSpec `ebpf:"tracepoint__syscalls__sys_exit_fork"`
	TracepointSyscallsSysExitVfork  *ebpf.ProgramSpec `ebpf:"tracepoint__syscalls__sys_exit_vfork"`
}

BpfSpecs contains programs before they are loaded into the kernel.

It can be passed ebpf.CollectionSpec.Assign.

type BpfPrograms 

type BpfPrograms struct {
	KprobeSecuritySkClassifyFlow    *ebpf.Program `ebpf:"kprobe__security_sk_classify_flow"`
	TcEgress                        *ebpf.Program `ebpf:"tc_egress"`
	TcIngress                       *ebpf.Program `ebpf:"tc_ingress"`
	TracepointSchedSchedProcessExec *ebpf.Program `ebpf:"tracepoint__sched__sched_process_exec"`
	TracepointSyscallsSysExitClone  *ebpf.Program `ebpf:"tracepoint__syscalls__sys_exit_clone"`
	TracepointSyscallsSysExitClone3 *ebpf.Program `ebpf:"tracepoint__syscalls__sys_exit_clone3"`
	TracepointSyscallsSysExitFork   *ebpf.Program `ebpf:"tracepoint__syscalls__sys_exit_fork"`
	TracepointSyscallsSysExitVfork  *ebpf.Program `ebpf:"tracepoint__syscalls__sys_exit_vfork"`
}

BpfPrograms contains all programs after they have been loaded into the kernel.

It can be passed to LoadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.

func (*BpfPrograms) Close 

func (p *BpfPrograms) Close() error

type BpfSpecs 

type BpfSpecs struct {
	BpfProgramSpecs
	BpfMapSpecs
}

BpfSpecs contains maps and programs before they are loaded into the kernel.

It can be passed ebpf.CollectionSpec.Assign.

type Options 

type Options struct {
	Pid         uint32
	Comm        [16]int8
	FollowForks uint8
	PcapFilter  string
}

func NewOptions 

func NewOptions(pid uint, comm string, followForks bool, pcapFilter string) Options

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.