Re: Describing howto read the eBPF generated ELF binary


Jesper Dangaard Brouer
 

On Tue, 07 Mar 2017 12:40:03 +0100
Daniel Borkmann <daniel@...> wrote:

On 03/07/2017 12:07 PM, Jesper Dangaard Brouer via iovisor-dev wrote:
On Mon, 6 Mar 2017 16:14:06 -0800
Alexei Starovoitov via iovisor-dev <iovisor-dev@...> wrote:
[...]
that's practically impossible to know in advance, since hardening and
start address randomization will play a role.
Or use sysctl net.core.bpf_jit_enable=2
at load time which gives raw x86 hex.
The sysctl adjusting sounds interesting:

sysctl net.core.bpf_jit_enable=2

What is below "proglen=335" the JIT'ed asm-code size?
It's in bpf_jit_dump(): proglen is the len of opcode sequence generated
and flen is the number of bpf insns. You can use tools/net/bpf_jit_disasm.c
to disassemble that output. bpf_jit_disasm -o will dump the related opcodes
as well.
Thanks for input, added:
https://github.com/netoptimizer/prototype-kernel/commit/0b31532f42cd8

flen=55 proglen=335 pass=4 image=ffffffffa0006820 from=xdp_ddos01_blac pid=13333
JIT code: 00000000: 55 48 89 e5 48 81 ec 28 02 00 00 48 89 9d d8 fd
JIT code: 00000010: ff ff 4c 89 ad e0 fd ff ff 4c 89 b5 e8 fd ff ff
JIT code: 00000020: 4c 89 bd f0 fd ff ff 31 c0 48 89 85 f8 fd ff ff
JIT code: 00000030: bb 02 00 00 00 48 8b 77 08 48 8b 7f 00 48 89 fa
JIT code: 00000040: 48 83 c2 0e 48 39 f2 0f 87 e1 00 00 00 48 0f b6
JIT code: 00000050: 4f 0c 48 0f b6 57 0d 48 c1 e2 08 48 09 ca 48 89
JIT code: 00000060: d1 48 81 e1 ff 00 00 00 41 b8 06 00 00 00 49 39
JIT code: 00000070: c8 0f 87 b7 00 00 00 48 81 fa 88 a8 00 00 74 0e
JIT code: 00000080: b9 0e 00 00 00 48 81 fa 81 00 00 00 75 1a 48 89
JIT code: 00000090: fa 48 83 c2 12 48 39 f2 0f 87 90 00 00 00 b9 12
JIT code: 000000a0: 00 00 00 48 0f b7 57 10 bb 02 00 00 00 48 81 e2
JIT code: 000000b0: ff ff 00 00 48 83 fa 08 75 49 48 01 cf 31 db 48
JIT code: 000000c0: 89 fa 48 83 c2 14 48 39 f2 77 38 8b 7f 0c 89 7d
JIT code: 000000d0: fc 48 89 ee 48 83 c6 fc 48 bf 00 9c 24 5f 07 88
JIT code: 000000e0: ff ff e8 29 cd 13 e1 bb 02 00 00 00 48 83 f8 00
JIT code: 000000f0: 74 11 48 8b 78 00 48 83 c7 01 48 89 78 00 bb 01
JIT code: 00000100: 00 00 00 89 5d f8 48 89 ee 48 83 c6 f8 48 bf c0
JIT code: 00000110: 76 12 13 04 88 ff ff e8 f4 cc 13 e1 48 83 f8 00
JIT code: 00000120: 74 0c 48 8b 78 00 48 83 c7 01 48 89 78 00 48 89
JIT code: 00000130: d8 48 8b 9d d8 fd ff ff 4c 8b ad e0 fd ff ff 4c
JIT code: 00000140: 8b b5 e8 fd ff ff 4c 8b bd f0 fd ff ff c9 c3

$ echo $((0x140))
320
$ echo $((0x140 + 15))
335

Using same example code, thus BPF instructions-size was 440 bytes, so
the JIT'ed code size does get smaller.


--
Best regards,
Jesper Dangaard Brouer
MSc.CS, Principal Kernel Engineer at Red Hat
LinkedIn: http://www.linkedin.com/in/brouer

Join iovisor-dev@lists.iovisor.org to automatically receive all group messages.