Re: Notification when an eBPF map is modified


Raffaele Sommese
 

Il giorno lun 6 ago 2018 alle ore 19:40 Y Song <ys114321@...> ha scritto:

On Mon, Aug 6, 2018 at 10:17 AM, Raffaele Sommese <raffysommy@...> wrote:
bpf tracepoints have been removed from recent linux so the you need to
use kprobe to trace update/delete.

typical map_update_elem and map_delete_elem first argument is
'struct bpf_map *map', you can get name and id from there:
Hello again :)
It seems that there is 2 function that can be traced inside the
kernel, one is map_update_elem, and it is the syscall, the other one
is the BPF helper.
I have successful attach my ebpf code to the first one, but it doesn't
have as parameter struct bpf_map *map (it have a union bpf_attr).
If I attach my program to the bpf_map_update_elem (that I think is the
function name of BPF helper), I don't receive any event.
I'm using the last version of bcc and of kernel.
I try also with kprobe program of perf kernel suite with the same results.
I was looking for this helper BPF_CALL_4 (bpf_map_update_elem, struct
bpf_map *, map, void *, key, void *, value, u64, flags)
Please directly use the map lookup function for the specific map.
For example, for hashmap, the verifier is smart enough to
change the byte code to call the underlying hashmap map lookup function.
Thank you, right now I will try only to implement a solution for hashmap.
I have detected a strange behavior for lookup I can receive the event
when the map was looked, but for the updates, I don't receive
anything.
I have checked the kernel and there was the map_gen_lookup.
The strange thing is that if I use kprobe tool I can see the event on
htab_map_update_elem.
Here is my test code: (I have tried with lookup and it works)
https://gist.github.com/raffysommy/1dabe5bf9487d974f3acd1f7a32ed01c
https://gist.github.com/raffysommy/587f61c14d3e157f86da1aadd07442b1
Thanks again,
Raffaele

--
________________________________
Raffaele Sommese
Mail:raffysommy@...
About me:https://about.me/r4ffy
Gpg Key:http://www.r4ffy.info/Openpgp.asc
GPG key ID: 0x830b1428cf91db2a on http://pgp.mit.edu:11371/

Join iovisor-dev@lists.iovisor.org to automatically receive all group messages.