Maybe you can use sk_local_storage? You can attach a piece of information to the socket during TCP_SYN_RECV and later on during TCP_ESTABLISHED to check that data, and you can delete that data

Hi, I am looking for tracking inbound connections on a system using tracepoints/kprobes. I was checking "trace_inet_sock_set_state", with which we can track the state changes during connection

It is possible. See the patch below: https://lore.kernel.org/bpf/20200819042759.51280-1-alexei.starovoitov@.../ I tried to load a BPF program and pin it in bpffs system. The system could be

Hi, Is it possible to load a BPF program at boot time? What I'm trying to achieve is to trace every single call to a certain function since the kernel starts, without missing anything. More

It's expected right now. BTF started out as purely debug information, but got elevated into pretty much a mandatory thing for modern BPF applications. We've talked about making .BTF emitted without

Interestingly enough adding just -g in my Makefile built the BPF programs and allowed the BTF section to be found and properly loaded. My BPF program was loaded and is running properly with my desired

[...] Ok, this is a very different issue than the kernel missing BTF. libbpf is complaining that your opensnoop.bpf.o itself is missing BTF. And right, BTF is required to parse map definitions

Hello, Here is the libbpf Logs at all levels for the open snoop program when using the pinned option for a map. This was tested on Linux Kernel v5.4 with libbpf 0.0.9, 0.1.0, and the current version.

Check example [0] for how to set custom logging callback and print all libbpf logs (including those at DEBUG level of verbosity). [0]

Hey Andrii, I tried using the same BPF program with the declarative pinning of maps with Libbpf v.0.0.9, v.0.1.0 and the current master branch under commit 7bc52e6. All of these had the same error

<mayfieldtristan@...> wrote: Which version of libbpf are you seeing this on? We've had bugs in libbpf where we'd attempt to load kernel BTF unnecessarily, but I believe we've fixed all those

[...] I don't see anything needing kernel BTF in there, so if libbpf still fails on not being able to load kernel BTF, that might be a bug in libbpf. Can you please double-check this with the latest

I wanted to chime in and mention that I've seen the BTF error before when trying to declare maps the way shown in

Hello! Sorry for the wait, I just started back at uni and things are a little bit crazy around here! Anyways, this is the source code for my version of open snoop. Which is what I have been testing

Your BPF code must be relying on CO-RE. I can check if you can show me your BPF source code. The pinning and map definition itself doesn't rely on CO-RE and thus doesn't need kernel BTF.

Interestingly enough I am using clang version 10.0.0! Even with that creating a structure from the examples like so: struct { __uint(type, BPF_MAP_TYPE_HASH); __uint(max_entries, 1);

It doesn't require kernel BTF for that. Only BPF program's BTF generated by Clang. So you'll need something like Clang 10 (or maybe Clang 9 will do as well), but no requirements for kernel BTF. >

These examples are exactly what I am looking for but it appears that they either require BTF activated in the kernel or require a 5.8 kernel. Unfortunately I am targeting the new Ubuntu 20.04 system

Libbpf supports declarative pinning of maps, that's how you easily get "map re-use" from BPF side. See [0] for example. But there is also bpf_map__pin() and bpf_map__reuse_fd() API on user-space side

It was my understanding that bpf_obj_get was intended to be used as a user space API. I am looking to "open" or obtain a reference to a map in the actual eBPF program that is loaded into the kernel