From: Alan Maguire <alan.maguire@oracle.com>
To: ast@kernel.org, daniel@iogearbox.net, kafai@fb.com, songliubraving@fb.com, yhs@fb.com, davem@davemloft.net, jakub.kicinski@netronome.com, hawk@kernel.org, john.fastabend@gmail.com, rostedt@goodmis.org, mingo@redhat.com, quentin.monnet@netronome.com, rdna@fb.com, joe@wand.net.nz, acme@redhat.com, jolsa@kernel.org, alexey.budankov@linux.intel.com, gregkh@linuxfoundation.org, namhyung@kernel.org, sdf@google.com, f.fainelli@gmail.com, shuah@kernel.org, peter@lekensteyn.nl, ivan@cloudflare.com, andriin@fb.com, bhole_prashant_q7@lab.ntt.co.jp, david.calavera@gmail.com, danieltimlee@gmail.com, ctakshak@fb.com, netdev@vger.kernel.org, bpf@vger.kernel.org, linux-kselftest@vger.kernel.org
Cc: Alan Maguire <alan.maguire@oracle.com>
Subject: [RFC bpf-next 0/7] bpf: packet capture helpers, bpftool support
Date: Sat, 7 Sep 2019 22:40:37 +0100
Message-ID: <1567892444-16344-1-git-send-email-alan.maguire@oracle.com>

Packet capture is useful from a general debugging standpoint, and is useful in particular in debugging BPF programs that do packet processing.

For general debugging, being able to initiate arbitrary packet capture from kprobes and tracepoints is highly valuable; e.g. what do the packets that reach kfree_skb() - representing error codepaths - look like? Arbitrary packet capture is distinct from the traditional concept of pre-defined hooks, and gives much more flexibility in probing system behaviour.

For packet-processing BPF programs, packet capture can be useful for doing things such as debugging checksum errors.

The intent of this RFC patchset is to initiate discussion on if and how to work packet capture-specific capabilities into BPF. It is possible - and indeed projects like xdpcap [1] have demonstrated how - to carry out packet capture in BPF today via perf events, but the aim here is to simplify both the in-BPF capture and the userspace collection.
The suggested approach is to add a new bpf helper - bpf_pcap() - to simplify packet capture within BPF programs, and to enhance bpftool to add a "pcap" subcommand to aid in retrieving packets. The helper is for the most part a wrapper around perf event sending, using data relevant for packet capture as metadata.

The end result is being able to capture packet data in the following manner. For example if we add an iptables drop rule, we can observe TCP SYN segments being freed at kfree_skb:

$ iptables -A INPUT -p tcp --dport 6666 -j DROP
$ bpftool pcap trace kprobe:kfree_skb proto ip data_out /tmp/cap &
$ nc 127.0.0.1 6666
Ncat: Connection timed out.
$ fg
^C
$ tshark -r /tmp/cap
Running as user "root" and group "root". This could be dangerous.
...
    3 7 127.0.0.1 -> 127.0.0.1 TCP 60 54732 > ircu [SYN] Seq=0 Win=65495 Len=0 MSS=65495 SACK_PERM=1 TSval=696475539 TSecr=0 WS=128
...

Tracepoints are also supported, and by default data is sent to stdout, so we can pipe to tcpdump:

$ bpftool pcap trace tracepoint:net_dev_xmit:arg1 proto eth | tcpdump -r -
reading from file -, link-type EN10MB (Ethernet)
00:16:49.150880 IP 10.11.12.13 > 10.11.12.14: ICMP echo reply, id 10519, seq 1, length 64
...

Patch 1 adds support for bpf_pcap() in skb and XDP programs. In those cases, the argument is the relevant context (struct __sk_buff or xdp metadata) from which we capture.

Patch 2 extends the helper to allow it to work for tracing programs, and in that case the data argument is a pointer to an skb, derived from raw tracepoint or kprobe arguments.

Patch 3 syncs uapi and tools headers for the new helper, flags and associated pcap header type.

Patch 4 adds a feature test for libpcap which will be used in the next patch.

Patch 5 adds a "pcap" subcommand to bpftool to collect packet data from BPF-driven perf event maps in existing programs.
Also supplied are simple tracepoint and kprobe programs which can be used to attach to a kprobe or raw tracepoint to retrieve arguments and capture the associated skb.

Patch 6 adds documentation for the new pcap subcommand.

Patch 7 tests the pcap subcommand for tracing, skb and xdp programs.

Alan Maguire (7):
  bpf: add bpf_pcap() helper to simplify packet capture
  bpf: extend bpf_pcap support to tracing programs
  bpf: sync tools/include/uapi/linux/bpf.h for pcap support
  bpf: add libpcap feature test
  bpf: add pcap support to bpftool
  bpf: add documentation for bpftool pcap subcommand
  bpf: add tests for bpftool packet capture

 include/linux/bpf.h                                |  20 +
 include/uapi/linux/bpf.h                           |  92 +++-
 kernel/bpf/verifier.c                              |   4 +-
 kernel/trace/bpf_trace.c                           | 214 +++++++++
 net/core/filter.c                                  |  67 +++
 tools/bpf/bpftool/Documentation/bpftool-btf.rst    |   1 +
 tools/bpf/bpftool/Documentation/bpftool-cgroup.rst |   1 +
 .../bpf/bpftool/Documentation/bpftool-feature.rst  |   1 +
 tools/bpf/bpftool/Documentation/bpftool-map.rst    |   1 +
 tools/bpf/bpftool/Documentation/bpftool-net.rst    |   1 +
 tools/bpf/bpftool/Documentation/bpftool-pcap.rst   | 119 +++++
 tools/bpf/bpftool/Documentation/bpftool-perf.rst   |   1 +
 tools/bpf/bpftool/Documentation/bpftool-prog.rst   |   1 +
 tools/bpf/bpftool/Documentation/bpftool.rst        |   1 +
 tools/bpf/bpftool/Makefile                         |  39 +-
 tools/bpf/bpftool/main.c                           |   3 +-
 tools/bpf/bpftool/main.h                           |   1 +
 tools/bpf/bpftool/pcap.c                           | 496 +++++++++++++++++++++
 tools/bpf/bpftool/progs/bpftool_pcap_kprobe.c      |  80 ++++
 tools/bpf/bpftool/progs/bpftool_pcap_tracepoint.c  |  68 +++
 tools/build/Makefile.feature                       |   2 +
 tools/build/feature/Makefile                       |   4 +
 tools/build/feature/test-libpcap.c                 |  26 ++
 tools/include/uapi/linux/bpf.h                     |  92 +++-
 tools/testing/selftests/bpf/Makefile               |   3 +-
 tools/testing/selftests/bpf/bpf_helpers.h          |  11 +
 .../testing/selftests/bpf/progs/bpftool_pcap_tc.c  |  41 ++
 .../testing/selftests/bpf/progs/bpftool_pcap_xdp.c |  39 ++
 tools/testing/selftests/bpf/test_bpftool_pcap.sh   | 132 ++++++
 29 files changed, 1549 insertions(+), 12 deletions(-)
 create mode 100644 tools/bpf/bpftool/Documentation/bpftool-pcap.rst
 create mode 100644 tools/bpf/bpftool/pcap.c
 create mode 100644 tools/bpf/bpftool/progs/bpftool_pcap_kprobe.c
 create mode 100644 tools/bpf/bpftool/progs/bpftool_pcap_tracepoint.c
 create mode 100644 tools/build/feature/test-libpcap.c
 create mode 100644 tools/testing/selftests/bpf/progs/bpftool_pcap_tc.c
 create mode 100644 tools/testing/selftests/bpf/progs/bpftool_pcap_xdp.c
 create mode 100755 tools/testing/selftests/bpf/test_bpftool_pcap.sh

--
1.8.3.1
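The cover letter describes the helper as a wrapper around perf event sending with capture metadata, which leaves a userspace half that a collector like the proposed bpftool pcap subcommand has to get right: pull each record out of the perf ring, check it, and emit it in a form tshark or tcpdump will read. The following is an added example, not code from the patchset and not Alan Maguire's; it is written against plain libc so it runs without a kernel, libbpf or libpcap. The record layout (struct cap_record), the SNAPLEN limit, the wall-clock offset and the sample frame are assumptions constructed for illustration and do not reproduce the RFC's uapi header type; the pcap magic, header layouts and link-type values are the standard libpcap savefile ones.

```c
/* Added example (not part of the RFC): the collector side of perf-event based
 * packet capture, writing a libpcap savefile that tcpdump/tshark can read. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PCAP_MAGIC_USEC   0xa1b2c3d4u /* microsecond timestamps, native byte order */
#define LINKTYPE_ETHERNET 1           /* what "proto eth" would select */
#define LINKTYPE_RAW      101         /* raw IP, no link-layer header ("proto ip") */
#define SNAPLEN           64          /* assumed per-packet capture limit */

struct pcap_file_hdr {
	uint32_t magic;
	uint16_t version_major, version_minor;
	int32_t  thiszone;
	uint32_t sigfigs, snaplen, linktype;
};

struct pcap_pkt_hdr {
	uint32_t ts_sec, ts_usec, caplen, len;
};

/* Hypothetical record a capture program pushes through a perf event map:
 * metadata followed by up to SNAPLEN bytes of packet data (not the RFC's layout). */
struct cap_record {
	uint64_t ktime_ns;   /* from bpf_ktime_get_ns(): monotonic, not wall clock */
	uint32_t ifindex;
	uint32_t linktype;
	uint32_t len;        /* original packet length */
	uint32_t caplen;     /* bytes actually present in data[] */
	uint8_t  data[SNAPLEN];
};

int pcap_write_file_hdr(FILE *f, uint32_t linktype, uint32_t snaplen)
{
	struct pcap_file_hdr h = { PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype };

	return fwrite(&h, sizeof(h), 1, f) == 1 ? 0 : -1;
}

/* Append one record. A pcap file has exactly one link type, so a record tagged
 * differently is refused rather than written as-is; lengths are checked against
 * each other and against snaplen. wall_offset_ns rebases the monotonic stamp to
 * the epoch so the trace shows real times instead of time since boot. */
int pcap_write_record(FILE *f, const struct cap_record *r, uint32_t file_linktype,
		      uint32_t snaplen, uint64_t wall_offset_ns)
{
	struct pcap_pkt_hdr h;
	uint64_t ts_ns;

	if (r->linktype != file_linktype)
		return -1;
	if (r->caplen > r->len || r->caplen > snaplen || r->caplen > SNAPLEN)
		return -1;
	ts_ns = r->ktime_ns + wall_offset_ns;
	h.ts_sec = (uint32_t)(ts_ns / 1000000000ull);
	h.ts_usec = (uint32_t)((ts_ns % 1000000000ull) / 1000);
	h.caplen = r->caplen;
	h.len = r->len;
	if (fwrite(&h, sizeof(h), 1, f) != 1)
		return -1;
	if (r->caplen && fwrite(r->data, r->caplen, 1, f) != 1)
		return -1;
	return 0;
}

/* Read a savefile back the way a reader would: returns the record count, or -1
 * if the magic is unknown or a record is inconsistent or truncated. */
int pcap_count_records(const char *path, uint32_t *linktype_out)
{
	struct pcap_file_hdr fh;
	struct pcap_pkt_hdr ph;
	FILE *f = fopen(path, "rb");
	int n = 0;

	if (!f)
		return -1;
	if (fread(&fh, sizeof(fh), 1, f) != 1 || fh.magic != PCAP_MAGIC_USEC) {
		fclose(f);
		return -1;
	}
	if (linktype_out)
		*linktype_out = fh.linktype;
	while (fread(&ph, sizeof(ph), 1, f) == 1) {
		uint8_t *buf;

		if (ph.caplen > fh.snaplen || ph.caplen > ph.len) {
			n = -1;
			break;
		}
		buf = malloc(ph.caplen ? ph.caplen : 1);
		if (!buf || fread(buf, 1, ph.caplen, f) != ph.caplen) {
			free(buf);
			n = -1;
			break;
		}
		free(buf);
		n++;
	}
	fclose(f);
	return n;
}

/* Constructed sample: Ethernet + IPv4 header only, checksums not computed. */
static const uint8_t sample_frame[34] = {
	0x02, 0x00, 0x00, 0x00, 0x00, 0x02, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01, 0x08, 0x00,
	0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
	0x0a, 0x0b, 0x0c, 0x0d, 0x0a, 0x0b, 0x0c, 0x0e
};

/* Writes an Ethernet capture: one whole frame, one frame snapped to SNAPLEN,
 * then a record tagged LINKTYPE_RAW which must be refused. Returns the number
 * of records accepted (2). The epoch offset is an assumed value. */
int write_sample_capture(const char *path)
{
	struct cap_record r;
	FILE *f = fopen(path, "wb");
	uint64_t wall = 1567892437000000000ull;
	int accepted = 0;

	if (!f)
		return -1;
	if (pcap_write_file_hdr(f, LINKTYPE_ETHERNET, SNAPLEN) < 0) {
		fclose(f);
		return -1;
	}
	memset(&r, 0, sizeof(r));
	memcpy(r.data, sample_frame, sizeof(sample_frame));
	r.ifindex = 1;
	r.linktype = LINKTYPE_ETHERNET;
	r.ktime_ns = 1000;
	r.len = r.caplen = sizeof(sample_frame);
	if (pcap_write_record(f, &r, LINKTYPE_ETHERNET, SNAPLEN, wall) == 0)
		accepted++;
	r.ktime_ns = 2000;
	r.len = 1500;            /* original packet larger than what was captured */
	r.caplen = SNAPLEN;
	if (pcap_write_record(f, &r, LINKTYPE_ETHERNET, SNAPLEN, wall) == 0)
		accepted++;
	r.ktime_ns = 3000;
	r.linktype = LINKTYPE_RAW; /* mismatched link type: refused */
	if (pcap_write_record(f, &r, LINKTYPE_ETHERNET, SNAPLEN, wall) == 0)
		accepted++;
	fclose(f);
	return accepted;
}
```

The two refusals are the ones that matter once such a collector is attached to arbitrary kprobes rather than a fixed hook: a savefile carries one link type, so a tool told "proto ip" has to drop or re-tag anything that arrives with a link-layer header instead of writing it under the wrong type, and a record whose caplen exceeds its len or the snaplen is a sign of a malformed or hostile producer and should not be trusted to size a read.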
Thread overview: 12+ messages

2019-09-07 21:40 Alan Maguire [this message]
2019-09-07 21:40 ` [RFC bpf-next 1/7] bpf: add bpf_pcap() helper to simplify packet capture  Alan Maguire
2019-09-08 22:02   ` Yonghong Song
2019-09-07 21:40 ` [RFC bpf-next 2/7] bpf: extend bpf_pcap support to tracing programs  Alan Maguire
2019-09-08 22:18   ` Yonghong Song
2019-09-09 22:25     ` Alan Maguire
2019-09-10  7:43       ` Yonghong Song
2019-09-07 21:40 ` [RFC bpf-next 3/7] bpf: sync tools/include/uapi/linux/bpf.h for pcap support  Alan Maguire
2019-09-07 21:40 ` [RFC bpf-next 4/7] bpf: add libpcap feature test  Alan Maguire
2019-09-07 21:40 ` [RFC bpf-next 5/7] bpf: add pcap support to bpftool  Alan Maguire
2019-09-07 21:40 ` [RFC bpf-next 6/7] bpf: add documentation for bpftool pcap subcommand  Alan Maguire
2019-09-07 21:40 ` [RFC bpf-next 7/7] bpf: add tests for bpftool packet capture  Alan Maguire