Packet where are you (pwru) multi kprobe hack I learned

Published: 01 October 2022
on channel: BPFire

pwru can be slow when it attaches its BPF program to over a thousand kernel functions one kprobe at a time to trace packets through the kernel. The kernel's multi kprobe feature, supported since kernel 5.18, speeds up batch kprobe attachment, and the cilium/ebpf library added support for it in the recent 0.9.2 release. Since pwru uses cilium/ebpf, I thought I would try to improve pwru and at the same time learn how to use the cilium/ebpf multi kprobe API. With the help of the pwru maintainer, I learned four things:

1, multi kprobe requires the kernel config option CONFIG_FPROBE. Linux distros usually include this config, but I forgot to enable it on my custom kernel build.

2, I forgot to use the proper BPF hook point, kprobe.multi, which results in a wrong attach type error message. An strace of the bpf() system call with the BPF_PROG_LOAD operation shows the 'expected_attach_type' field, which tells you what attach type the loaded program expects.

3, make sure all kernel functions to be attached exist in /sys/kernel/debug/tracing/available_filter_functions

4, make sure no duplicate symbols are supplied to the kernel, otherwise the kernel returns ESRCH
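Lessons 1, 3 and 4 can be checked before the attach call is ever made. The Go program below is an added example written for this page, not code from pwru or from cilium/ebpf, and it uses only the standard library so it runs without the BPF toolchain: it checks a kernel config for CONFIG_FPROBE, parses available_filter_functions, drops symbols the kernel cannot attach to, and removes duplicates so the request never triggers the ESRCH case. The symbol list in main() is a constructed sample; the actual attach step would hand the filtered list to link.KprobeMulti from cilium/ebpf 0.9.2, which is left out here so the example stays self-contained.

```go
package main

import (
	"bufio"
	"compress/gzip"
	"fmt"
	"io"
	"os"
	"strings"
)

// availableFilterFunctions lists the symbols ftrace/fprobe can hook (lesson 3).
const availableFilterFunctions = "/sys/kernel/debug/tracing/available_filter_functions"

// AttachableSymbols parses the contents of available_filter_functions and
// returns, in the original request order, the requested symbols that are
// both attachable and unique, plus the requested symbols that were not found.
// Duplicates are dropped because the kernel rejects a multi-kprobe request
// that names the same symbol twice with ESRCH (lesson 4).
func AttachableSymbols(requested []string, available io.Reader) (attachable, missing []string, err error) {
	known := make(map[string]bool)
	sc := bufio.NewScanner(available)
	for sc.Scan() {
		// Lines look like "tcp_v4_rcv" or "nf_hook_slow [nf_tables]";
		// the first field is the symbol name.
		fields := strings.Fields(sc.Text())
		if len(fields) > 0 {
			known[fields[0]] = true
		}
	}
	if e := sc.Err(); e != nil {
		return nil, nil, e
	}
	seen := make(map[string]bool)
	for _, sym := range requested {
		if seen[sym] {
			continue // duplicate: keep only the first occurrence
		}
		seen[sym] = true
		if known[sym] {
			attachable = append(attachable, sym)
		} else {
			missing = append(missing, sym)
		}
	}
	return attachable, missing, nil
}

// HasFprobe reports whether a kernel config (the text of /proc/config.gz or
// /boot/config-<release>) enables CONFIG_FPROBE, which multi kprobe needs (lesson 1).
func HasFprobe(config io.Reader) (bool, error) {
	sc := bufio.NewScanner(config)
	for sc.Scan() {
		if strings.TrimSpace(sc.Text()) == "CONFIG_FPROBE=y" {
			return true, nil
		}
	}
	return false, sc.Err()
}

func main() {
	// /proc/config.gz is only present when CONFIG_IKCONFIG_PROC is set; it is
	// an assumption of this example that it exists on the machine.
	f, err := os.Open("/proc/config.gz")
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot open /proc/config.gz:", err)
		os.Exit(1)
	}
	defer f.Close()
	gz, err := gzip.NewReader(f)
	if err != nil {
		fmt.Fprintln(os.Stderr, "bad gzip:", err)
		os.Exit(1)
	}
	if ok, err := HasFprobe(gz); err != nil || !ok {
		fmt.Fprintln(os.Stderr, "CONFIG_FPROBE is not enabled; multi kprobe is unavailable")
		os.Exit(1)
	}

	avail, err := os.Open(availableFilterFunctions)
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot open", availableFilterFunctions, err)
		os.Exit(1)
	}
	defer avail.Close()

	// Constructed sample request: one duplicate and one symbol that does not exist.
	wanted := []string{"ip_rcv", "tcp_v4_rcv", "ip_rcv", "no_such_function"}
	attachable, missing, err := AttachableSymbols(wanted, avail)
	if err != nil {
		fmt.Fprintln(os.Stderr, "parse error:", err)
		os.Exit(1)
	}
	fmt.Println("attachable:", attachable)
	fmt.Println("missing:", missing)
	// attachable is now safe to pass as KprobeMultiOptions.Symbols to link.KprobeMulti.
}
```

The ordering matters: deduplicate the request and intersect it with available_filter_functions first, then attach, so a single bad or repeated symbol does not fail the whole batch at the kernel boundary.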

https://github.com/cilium/pwru
https://github.com/cilium/ebpf