bpf

package
v0.24.0 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Oct 4, 2024 License: MIT Imports: 22 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func LoadBpf

func LoadBpf() (*ebpf.CollectionSpec, error)

LoadBpf returns the embedded CollectionSpec for Bpf.

func LoadBpfObjects

func LoadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error

LoadBpfObjects loads Bpf and converts it into a struct.

The following types are suitable as obj argument:

*BpfObjects
*BpfPrograms
*BpfMaps

See ebpf.CollectionSpec.LoadAndAssign documentation for details.

Types

type BPF

// BPF is an opaque handle: no exported fields are shown, so callers work with
// it only through NewBPF and the methods declared on *BPF (Load, Attach*,
// Pull*, Close, ...).
//
// NOTE(review): loading and attaching eBPF programs normally requires elevated
// privileges (root, or CAP_BPF plus related capabilities); this page does not
// state the exact requirement — confirm before deploying.
type BPF struct {
	// contains filtered or unexported fields
}

func NewBPF

func NewBPF() (*BPF, error)

func (*BPF) AttachCgroups added in v0.6.0

func (b *BPF) AttachCgroups(cgroupPath string) error

func (*BPF) AttachGoTLSUprobeHooks added in v0.23.0

func (b *BPF) AttachGoTLSUprobeHooks(exec *link.Executable, symbol string,
	funcAddr uint64, retOffset uint64, pid int) error

func (*BPF) AttachKprobes

func (b *BPF) AttachKprobes() error

func (*BPF) AttachTcHooks

func (b *BPF) AttachTcHooks(ifindex int, egress, ingress bool) error

func (*BPF) AttachTracepoints

func (b *BPF) AttachTracepoints() error

func (*BPF) Close

func (b *BPF) Close()

func (*BPF) CountReport added in v0.7.0

func (b *BPF) CountReport() types.CountReport

func (*BPF) Load

func (b *BPF) Load(opts Options) error

func (*BPF) PullExecEvents added in v0.2.0

func (b *BPF) PullExecEvents(ctx context.Context, chanSize int) (<-chan BpfExecEventT, error)

func (*BPF) PullExitEvents added in v0.15.0

func (b *BPF) PullExitEvents(ctx context.Context, chanSize int) (<-chan BpfExitEventT, error)

func (*BPF) PullGoKeyLogEvents added in v0.23.0

func (b *BPF) PullGoKeyLogEvents(ctx context.Context, chanSize int) (<-chan BpfGoKeylogEventT, error)

func (*BPF) PullPacketEvents added in v0.2.0

func (b *BPF) PullPacketEvents(ctx context.Context, chanSize int, maxPacketSize int) (<-chan BpfPacketEventWithPayloadT, error)

func (*BPF) UpdateFlowPidMapValues added in v0.5.2

func (b *BPF) UpdateFlowPidMapValues(data map[*BpfFlowPidKeyT]BpfProcessMetaT) error

type BpfExecEventT

// BpfExecEventT is the element type of the channel returned by
// (*BPF).PullExecEvents.
type BpfExecEventT struct {
	// Meta describes the process the event belongs to (see BpfProcessMetaT).
	// FilenameTruncated and ArgsTruncated are byte-sized flags; presumably
	// non-zero when the value did not fit its fixed buffer — confirm against
	// the BPF C source.
	// NOTE(review): anything that matches on Filename or Args (detections,
	// audit logs) should check these flags; a truncated command line can hide
	// the part that matters.
	Meta              BpfProcessMetaT
	FilenameTruncated uint8
	ArgsTruncated     uint8

	// ArgsSize is presumably the number of valid bytes in Args — TODO confirm.
	// NOTE(review): clamp it to len(Args) before slicing, since it is decoded
	// from a raw event record.
	// Filename and Args are fixed-size int8 buffers of 512 and 4096 bytes; the
	// separator and terminator conventions are not shown on this page.
	ArgsSize uint32
	Filename [512]int8
	Args     [4096]int8
	// contains filtered or unexported fields
}

type BpfExitEventT added in v0.15.0

// BpfExitEventT is the element type of the channel returned by
// (*BPF).PullExitEvents; Pid is its only field.
// NOTE(review): the page does not say whether Pid is the host or the
// in-namespace value — confirm before correlating with other events.
type BpfExitEventT struct{ Pid uint32 }

type BpfFlowPidKeyT

// BpfFlowPidKeyT is the key type of the map accepted by
// (*BPF).UpdateFlowPidMapValues (values are BpfProcessMetaT).
type BpfFlowPidKeyT struct {
	// Saddr is 2×uint64 = 128 bits, wide enough for an IPv6 address; how IPv4
	// addresses are encoded is not shown here — TODO confirm.
	// Sport: presumably the source port; byte order is not shown — confirm.
	Saddr [2]uint64
	Sport uint16
	// contains filtered or unexported fields
}

type BpfGconfigT added in v0.16.0

// BpfGconfigT holds the filter and capture settings in a fixed layout;
// presumably the value stored in config_map and filled from Options
// (WithFollowFork, WithComm, WithMaxPayloadSize) — confirm against the caller.
type BpfGconfigT struct {
	// HaveFilter, FilterFollowForks and FilterCommEnable are uint8 fields,
	// presumably used as 0/1 flags.
	// FilterComm is a 16-byte buffer. NOTE(review): 16 bytes matches the
	// kernel's TASK_COMM_LEN, so a longer process name presumably cannot be
	// matched in full — confirm how WithComm handles over-long input.
	HaveFilter        uint8
	FilterFollowForks uint8
	FilterComm        [16]int8
	FilterCommEnable  uint8

	// MaxPayloadSize: presumably the upper bound on captured payload bytes per
	// packet — TODO confirm units and whether 0 means "unlimited".
	MaxPayloadSize uint32
	// contains filtered or unexported fields
}

type BpfGoKeylogBufT added in v0.23.0

// BpfGoKeylogBufT holds six uint64 values named as pointers to the label,
// client random and secret and to their lengths.
// Presumably these are user-space addresses saved when the key-log function is
// entered and read back at its return (see the uprobe__go_builtin__tls__*
// programs), stored in go_keylog_buf_storage — TODO confirm.
type BpfGoKeylogBufT struct {
	LabelPtr     uint64
	LabelLenPtr  uint64
	RandomPtr    uint64
	RandomLenPtr uint64
	SecretPtr    uint64
	SecretLenPtr uint64
}

type BpfGoKeylogEventT added in v0.23.0

// BpfGoKeylogEventT is the element type of the channel returned by
// (*BPF).PullGoKeyLogEvents.
//
// The field names (Label, ClientRandom, Secret) match the three parts of a TLS
// key-log line, so the values are presumably live TLS session secrets taken
// from traced Go processes.
// NOTE(review): treat every instance as key material — keep it out of general
// application logs, restrict access to any file it is written to, and do not
// retain it longer than the capture it belongs to.
type BpfGoKeylogEventT struct {
	// Fixed-size buffers (32, 32 and 64 bytes). The *Len fields presumably give
	// the number of valid bytes in the matching buffer — TODO confirm; bound
	// each length by the buffer size before slicing.
	Label           [32]int8
	ClientRandom    [32]int8
	Secret          [64]int8
	LabelLen        uint8
	ClientRandomLen uint8
	SecretLen       uint8
}

type BpfMapSpecs

// BpfMapSpecs lists one *ebpf.MapSpec per map. Each field carries an
// `ebpf:"..."` struct tag naming the map it is bound to; the field set and tags
// are the same as in BpfMaps, with *ebpf.MapSpec in place of *ebpf.Map.
type BpfMapSpecs struct {
	ConfigMap           *ebpf.MapSpec `ebpf:"config_map"`
	ExecEventStack      *ebpf.MapSpec `ebpf:"exec_event_stack"`
	ExecEvents          *ebpf.MapSpec `ebpf:"exec_events"`
	ExitEvents          *ebpf.MapSpec `ebpf:"exit_events"`
	FilterByKernelCount *ebpf.MapSpec `ebpf:"filter_by_kernel_count"`
	FilterMntnsMap      *ebpf.MapSpec `ebpf:"filter_mntns_map"`
	FilterNetnsMap      *ebpf.MapSpec `ebpf:"filter_netns_map"`
	FilterPidMap        *ebpf.MapSpec `ebpf:"filter_pid_map"`
	FilterPidnsMap      *ebpf.MapSpec `ebpf:"filter_pidns_map"`
	FlowPidMap          *ebpf.MapSpec `ebpf:"flow_pid_map"`
	GoKeylogBufStorage  *ebpf.MapSpec `ebpf:"go_keylog_buf_storage"`
	GoKeylogEvents      *ebpf.MapSpec `ebpf:"go_keylog_events"`
	NatFlowMap          *ebpf.MapSpec `ebpf:"nat_flow_map"`
	PacketEventStack    *ebpf.MapSpec `ebpf:"packet_event_stack"`
	PacketEvents        *ebpf.MapSpec `ebpf:"packet_events"`
	SockCookiePidMap    *ebpf.MapSpec `ebpf:"sock_cookie_pid_map"`
}

BpfMapSpecs contains maps before they are loaded into the kernel.

It can be passed to ebpf.CollectionSpec.Assign.

type BpfMaps

// BpfMaps lists one *ebpf.Map per map. Each field carries an `ebpf:"..."`
// struct tag naming the map it is bound to.
//
// By name, the maps fall into three groups (inferred from the names only):
// event channels (exec_events, exit_events, packet_events, go_keylog_events),
// filters (filter_*_map, config_map) and flow/process lookup tables
// (flow_pid_map, nat_flow_map, sock_cookie_pid_map).
// NOTE(review): go_keylog_events presumably carries TLS secrets (see
// BpfGoKeylogEventT); limit which code paths read it.
type BpfMaps struct {
	ConfigMap           *ebpf.Map `ebpf:"config_map"`
	ExecEventStack      *ebpf.Map `ebpf:"exec_event_stack"`
	ExecEvents          *ebpf.Map `ebpf:"exec_events"`
	ExitEvents          *ebpf.Map `ebpf:"exit_events"`
	FilterByKernelCount *ebpf.Map `ebpf:"filter_by_kernel_count"`
	FilterMntnsMap      *ebpf.Map `ebpf:"filter_mntns_map"`
	FilterNetnsMap      *ebpf.Map `ebpf:"filter_netns_map"`
	FilterPidMap        *ebpf.Map `ebpf:"filter_pid_map"`
	FilterPidnsMap      *ebpf.Map `ebpf:"filter_pidns_map"`
	FlowPidMap          *ebpf.Map `ebpf:"flow_pid_map"`
	GoKeylogBufStorage  *ebpf.Map `ebpf:"go_keylog_buf_storage"`
	GoKeylogEvents      *ebpf.Map `ebpf:"go_keylog_events"`
	NatFlowMap          *ebpf.Map `ebpf:"nat_flow_map"`
	PacketEventStack    *ebpf.Map `ebpf:"packet_event_stack"`
	PacketEvents        *ebpf.Map `ebpf:"packet_events"`
	SockCookiePidMap    *ebpf.Map `ebpf:"sock_cookie_pid_map"`
}

BpfMaps contains all maps after they have been loaded into the kernel.

It can be passed to LoadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.

func (*BpfMaps) Close

func (m *BpfMaps) Close() error

type BpfNatFlowT added in v0.9.0

// BpfNatFlowT describes a flow by source and destination address and port;
// presumably the key and/or value type of nat_flow_map — TODO confirm.
type BpfNatFlowT struct {
	// Saddr and Daddr are 2×uint64 = 128 bits each, wide enough for IPv6; the
	// IPv4 encoding and the port byte order are not shown on this page.
	Saddr [2]uint64
	Daddr [2]uint64
	Sport uint16
	Dport uint16
	// contains filtered or unexported fields
}

type BpfObjects

// BpfObjects embeds BpfPrograms and BpfMaps, so every program and map field of
// those two structs is promoted onto BpfObjects.
type BpfObjects struct {
	BpfPrograms
	BpfMaps
}

BpfObjects contains all objects after they have been loaded into the kernel.

It can be passed to LoadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.

func (*BpfObjects) Close

func (o *BpfObjects) Close() error

func (*BpfObjects) FromLegacy added in v0.17.0

func (b *BpfObjects) FromLegacy(o *BpfObjectsForLegacyKernel)

type BpfObjectsForLegacyKernel added in v0.17.0

// BpfObjectsForLegacyKernel has the same program fields as BpfPrograms except
// CgroupSockCreate and CgroupSockRelease, which are absent here, and it embeds
// BpfMaps. (*BpfObjects).FromLegacy accepts a pointer to this type.
//
// NOTE(review): without the two cgroup socket programs, socket-to-process
// attribution presumably relies on the kprobes alone on such kernels — confirm
// whether that leaves any traffic unattributed.
type BpfObjectsForLegacyKernel struct {
	KprobeTcpSendmsg                 *ebpf.Program `ebpf:"kprobe__tcp_sendmsg"`
	KprobeUdpSendmsg                 *ebpf.Program `ebpf:"kprobe__udp_sendmsg"`
	KprobeUdpSendSkb                 *ebpf.Program `ebpf:"kprobe__udp_send_skb"`
	KprobeNfNatManipPkt              *ebpf.Program `ebpf:"kprobe__nf_nat_manip_pkt"`
	KprobeNfNatPacket                *ebpf.Program `ebpf:"kprobe__nf_nat_packet"`
	KprobeSecuritySkClassifyFlow     *ebpf.Program `ebpf:"kprobe__security_sk_classify_flow"`
	RawTracepointSchedProcessExec    *ebpf.Program `ebpf:"raw_tracepoint__sched_process_exec"`
	RawTracepointSchedProcessExit    *ebpf.Program `ebpf:"raw_tracepoint__sched_process_exit"`
	RawTracepointSchedProcessFork    *ebpf.Program `ebpf:"raw_tracepoint__sched_process_fork"`
	TcEgress                         *ebpf.Program `ebpf:"tc_egress"`
	TcIngress                        *ebpf.Program `ebpf:"tc_ingress"`
	UprobeGoBuiltinTlsWriteKeyLog    *ebpf.Program `ebpf:"uprobe__go_builtin__tls__write_key_log"`
	UprobeGoBuiltinTlsWriteKeyLogRet *ebpf.Program `ebpf:"uprobe__go_builtin__tls__write_key_log__ret"`

	BpfMaps
}

type BpfPacketEventMetaT added in v0.10.0

// BpfPacketEventMetaT is the fixed-size metadata of a packet event; it is the
// only field of BpfPacketEventT.
type BpfPacketEventMetaT struct {
	// Timestamp: clock source and units are not shown here — TODO confirm
	// before comparing with wall-clock time.
	// PacketType: presumably distinguishes ingress from egress (the TC hooks
	// attach to both) — confirm the values.
	Timestamp  uint64
	PacketType uint8

	// Ifindex is the interface index, the same notion AttachTcHooks takes.
	// PayloadLen and PacketSize: presumably captured length versus full packet
	// length, so PayloadLen < PacketSize would mean the capture was cut short
	// — TODO confirm.
	// Process identifies the process associated with the packet.
	Ifindex    uint32
	PayloadLen uint64
	PacketSize uint64
	Process    BpfProcessMetaT
	// contains filtered or unexported fields
}

type BpfPacketEventT

// BpfPacketEventT wraps the packet metadata; it is embedded in
// BpfPacketEventWithPayloadT, which adds the payload bytes.
type BpfPacketEventT struct{ Meta BpfPacketEventMetaT }

type BpfPacketEventWithPayloadT added in v0.15.0

// BpfPacketEventWithPayloadT is the element type of the channel returned by
// (*BPF).PullPacketEvents: the embedded metadata plus the captured bytes.
type BpfPacketEventWithPayloadT struct {
	BpfPacketEventT
	// Payload is the only variable-length field. Presumably it holds at most
	// Meta.PayloadLen bytes and is bounded by the maxPacketSize argument of
	// PullPacketEvents — TODO confirm; use len(Payload), not the metadata
	// fields, when indexing.
	Payload []byte
}

type BpfProcessMetaT added in v0.10.0

// BpfProcessMetaT identifies a process. It appears as BpfExecEventT.Meta and
// BpfPacketEventMetaT.Process, and is the value type of the map passed to
// (*BPF).UpdateFlowPidMapValues.
type BpfProcessMetaT struct {
	// Ppid and Pid: the page does not say whether these are host or
	// in-namespace values — confirm.
	// NOTE(review): PIDs are reused after exit; pair Pid with PidnsId and with
	// exit events when attributing traffic to a process.
	// PidnsId, MntnsId and NetnsId are presumably the namespace inode numbers,
	// the same values the WithPidNsIds / WithMntNsIds / WithNetNsIds filters
	// take — TODO confirm.
	// CgroupName is a fixed 128-byte buffer; longer names presumably get
	// truncated.
	Ppid       uint32
	Pid        uint32
	PidnsId    uint32
	MntnsId    uint32
	NetnsId    uint32
	CgroupName [128]int8
}

type BpfProgramSpecs

// BpfProgramSpecs lists one *ebpf.ProgramSpec per program. Each field carries
// an `ebpf:"..."` struct tag naming the program it is bound to; the field set
// and tags are the same as in BpfPrograms, with *ebpf.ProgramSpec in place of
// *ebpf.Program.
type BpfProgramSpecs struct {
	CgroupSockCreate                 *ebpf.ProgramSpec `ebpf:"cgroup__sock_create"`
	CgroupSockRelease                *ebpf.ProgramSpec `ebpf:"cgroup__sock_release"`
	KprobeNfNatManipPkt              *ebpf.ProgramSpec `ebpf:"kprobe__nf_nat_manip_pkt"`
	KprobeNfNatPacket                *ebpf.ProgramSpec `ebpf:"kprobe__nf_nat_packet"`
	KprobeSecuritySkClassifyFlow     *ebpf.ProgramSpec `ebpf:"kprobe__security_sk_classify_flow"`
	KprobeTcpSendmsg                 *ebpf.ProgramSpec `ebpf:"kprobe__tcp_sendmsg"`
	KprobeUdpSendSkb                 *ebpf.ProgramSpec `ebpf:"kprobe__udp_send_skb"`
	KprobeUdpSendmsg                 *ebpf.ProgramSpec `ebpf:"kprobe__udp_sendmsg"`
	RawTracepointSchedProcessExec    *ebpf.ProgramSpec `ebpf:"raw_tracepoint__sched_process_exec"`
	RawTracepointSchedProcessExit    *ebpf.ProgramSpec `ebpf:"raw_tracepoint__sched_process_exit"`
	RawTracepointSchedProcessFork    *ebpf.ProgramSpec `ebpf:"raw_tracepoint__sched_process_fork"`
	TcEgress                         *ebpf.ProgramSpec `ebpf:"tc_egress"`
	TcIngress                        *ebpf.ProgramSpec `ebpf:"tc_ingress"`
	UprobeGoBuiltinTlsWriteKeyLog    *ebpf.ProgramSpec `ebpf:"uprobe__go_builtin__tls__write_key_log"`
	UprobeGoBuiltinTlsWriteKeyLogRet *ebpf.ProgramSpec `ebpf:"uprobe__go_builtin__tls__write_key_log__ret"`
}

BpfProgramSpecs contains programs before they are loaded into the kernel.

It can be passed to ebpf.CollectionSpec.Assign.

type BpfPrograms

// BpfPrograms lists one *ebpf.Program per program. Each field carries an
// `ebpf:"..."` struct tag naming the program it is bound to.
//
// The tag prefixes suggest the hook kind (inferred from the names only):
// cgroup__ (socket create/release), kprobe__ (TCP/UDP send, NAT, flow
// classification), raw_tracepoint__ (process exec/exit/fork), tc_
// (ingress/egress) and uprobe__ (Go TLS key-log function entry and return).
// NOTE(review): the uprobe pair observes TLS key material of traced
// processes; attach it only where that is intended and authorised.
type BpfPrograms struct {
	CgroupSockCreate                 *ebpf.Program `ebpf:"cgroup__sock_create"`
	CgroupSockRelease                *ebpf.Program `ebpf:"cgroup__sock_release"`
	KprobeNfNatManipPkt              *ebpf.Program `ebpf:"kprobe__nf_nat_manip_pkt"`
	KprobeNfNatPacket                *ebpf.Program `ebpf:"kprobe__nf_nat_packet"`
	KprobeSecuritySkClassifyFlow     *ebpf.Program `ebpf:"kprobe__security_sk_classify_flow"`
	KprobeTcpSendmsg                 *ebpf.Program `ebpf:"kprobe__tcp_sendmsg"`
	KprobeUdpSendSkb                 *ebpf.Program `ebpf:"kprobe__udp_send_skb"`
	KprobeUdpSendmsg                 *ebpf.Program `ebpf:"kprobe__udp_sendmsg"`
	RawTracepointSchedProcessExec    *ebpf.Program `ebpf:"raw_tracepoint__sched_process_exec"`
	RawTracepointSchedProcessExit    *ebpf.Program `ebpf:"raw_tracepoint__sched_process_exit"`
	RawTracepointSchedProcessFork    *ebpf.Program `ebpf:"raw_tracepoint__sched_process_fork"`
	TcEgress                         *ebpf.Program `ebpf:"tc_egress"`
	TcIngress                        *ebpf.Program `ebpf:"tc_ingress"`
	UprobeGoBuiltinTlsWriteKeyLog    *ebpf.Program `ebpf:"uprobe__go_builtin__tls__write_key_log"`
	UprobeGoBuiltinTlsWriteKeyLogRet *ebpf.Program `ebpf:"uprobe__go_builtin__tls__write_key_log__ret"`
}

BpfPrograms contains all programs after they have been loaded into the kernel.

It can be passed to LoadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.

func (*BpfPrograms) Close

func (p *BpfPrograms) Close() error

type BpfSpecs

// BpfSpecs embeds BpfProgramSpecs and BpfMapSpecs, so every spec field of those
// two structs is promoted onto BpfSpecs.
type BpfSpecs struct {
	BpfProgramSpecs
	BpfMapSpecs
}

BpfSpecs contains maps and programs before they are loaded into the kernel.

It can be passed to ebpf.CollectionSpec.Assign.

type Options

// Options carries the settings passed to (*BPF).Load. No exported fields are
// shown; values are set through the With* methods on *Options, each of which
// returns *Options so calls can be chained.
//
// NOTE(review): the page does not say what Load captures when no filter
// (pids, comm, namespace ids, pcap filter) is set — presumably everything
// visible to the hooks; confirm and scope captures explicitly.
type Options struct {
	// contains filtered or unexported fields
}

func (*Options) WithComm added in v0.19.0

func (opts *Options) WithComm(comm string) *Options

func (*Options) WithFollowFork added in v0.19.0

func (opts *Options) WithFollowFork(v bool) *Options

func (*Options) WithKernelTypes added in v0.19.0

func (opts *Options) WithKernelTypes(spec *btf.Spec) *Options

func (*Options) WithMaxPayloadSize added in v0.19.0

func (opts *Options) WithMaxPayloadSize(n uint32) *Options

func (*Options) WithMntNsIds added in v0.19.0

func (opts *Options) WithMntNsIds(ids []uint32) *Options

func (*Options) WithNetNsIds added in v0.19.0

func (opts *Options) WithNetNsIds(ids []uint32) *Options

func (*Options) WithPcapFilter added in v0.19.0

func (opts *Options) WithPcapFilter(pcapFilter string) *Options

func (*Options) WithPidNsIds added in v0.19.0

func (opts *Options) WithPidNsIds(ids []uint32) *Options

func (*Options) WithPids added in v0.19.0

func (opts *Options) WithPids(pids []uint) *Options
