creating elf file

[ghost]

I am trying to create my own elf file using examples suggested in the examples. .c file as below

#include "bpf_helpers.h"

struct iphdr {
  __u8 ihl : 4;
  __u8 version : 4;
  __u8 tos;
  __u16 tot_len;
  __u16 id;
  __u16 frag_off;
  __u8 ttl;
  __u8 protocol;
  __u16 check;
  __u32 saddr;
  __u32 daddr;
};

struct Key {
  __u32 src_ip;               //source ip
  __u32 dst_ip;               //destination ip
  __u16 src_port;  //source port
  __u16 dst_port;  //destination port
};

struct Leaf {
  __u64 timestamp;            //timestamp in ns
};

// eBPF map to store IP proto counters (tcp, udp, etc)
BPF_MAP_DEF(sessions) = {
    .map_type = BPF_MAP_TYPE_HASH,
    .key_size = 96,
    .value_size = 64,
    .max_entries = 255,
};
BPF_MAP_ADD(sessions);

SEC("socket_filter")
int ip_filter(struct __sk_buff *skb) {
  struct Key key = {};
  struct Leaf zero = {0};
  
struct iphdr *ip = (struct iphdr *)skb_network_header(skb);
  

1. Getting following warning. Basically how to get iphdr from sk_buff ?

clang -I../../.. -O2 -target bpf -c ebpf_prog/xdp.c  -o ebpf_prog/xdp.elf -static
ebpf_prog/xdp.c:59:38: warning: implicit declaration of function 'skb_network_header' is invalid in C99
      [-Wimplicit-function-declaration]
  struct iphdr *ip = (struct iphdr *)skb_network_header(skb);
                                     ^
ebpf_prog/xdp.c:59:22: warning: cast to 'struct iphdr *' from smaller integer type 'int' [-Wint-to-pointer-cast]
  struct iphdr *ip = (struct iphdr *)skb_network_header(skb);

2. When i run the program using go, get following issue ?
   LoadElf() failed: loadPrograms() failed: Invalid BPF instruction (at 0): &{133 0 1 0 4294967295}

[belyalov]

Hi!

ebpf_prog/xdp.c:59:22: warning: cast to 'struct iphdr *' from smaller integer type 'int' [-Wint-to-pointer-cast]
  struct iphdr *ip = (struct iphdr *)skb_network_header(skb);

This is actually error, not warning - in eBPF there is no standard library present, so, you must define all functions somewhere. In particular, you may find a lot of functions defined in bpf_helpers.h - as you can see there is no skb_network_header defined yet.
If you google for definition you may find it [here].(https://elixir.bootlin.com/linux/v4.9/source/include/linux/skbuff.h#L2151)

So you can either:

• Copy implementation of needed functions into your project.
• Include needed linux kernel headers

[belyalov]

LoadElf() failed: loadPrograms() failed: Invalid BPF instruction (at 0): &{133 0 1 0 4294967295}

This is most likely because you haven't defined skb_network_header.

So I'd suggest you to firstly try to get rid of all warnings, defined all missed functions and then hopefully this will gone away.

[ghost]

Thanks for the reply.

Looked at bpf_helpers.h. It already defines sk_buff. This look different from sk_buff(https://elixir.bootlin.com/linux/v4.9/source/include/linux/skbuff.h#L633).

So, will copying help ?

Also, from the sk_buff defined, it has remote_ip4 and local_ip4. Is there a way to tell if it tx or rx ?

[belyalov]

BTW, you don't have to use bpf_helpers.h - this is mostly for examples.
You can include kernel headers from your project directly.

Regarding sk_buff

goebpf/bpf_helpers.h

Lines 116 to 120 in 10d6705

	struct __sk_buff {
	__u32 len;
	__u32 pkt_type;
	__u32 mark;
	__u32 queue_mapping;

This is minimal version taken from kernel 4.15

[belyalov]

BTW, what problem you're trying to solve with eBPF?
From the code you provided I see that you're trying to write socket_filter program, but, from compiler output I noticed that this is xdp?

ebpf_prog/xdp.c:59:22: warning: cast to 'struct iphdr *' from smaller integer type 'int' [-Wint-to-pointer-cast]
          ^^^^

[ghost]

1. As part of small project, trying to capture flow information. Started of with xdp but realized that it supports only RX and not TX but continued to use xdp.c that i modified.

2. What you are saying is instead of #include bpf_helpers.h, i can directly use #include <linux/skbuff.h> in my C file and use from there ?.

[belyalov]

1. Got it
2. Yep, something like that, but you also need to add path to kernel headers (usually they are in /usr/src/...

Meanwhile I'll try to improve socket_filter example, but, it will take time.

[ghost]

Meanwhile I'll try to improve socket_filter example, but, it will take time.

I can improve socket_filter with help. How about adding an example of capturing flow information src-ip, dst-ip, src-port, dst-port and protocol ?

[belyalov]

👍
Yeah, that's sounds totally fine to me,
Feel free to submit PR, we'd really appreciate it.

[ghost]

Sure will do. As a first step, will do the IP 5 tuple info. I need to know how to get sk_buff info ?. In the example, you have is _skb_buff defined in buffers.h. Will copying skbuff from linux/skbuff.h to bpf_helpers.h help ?

[belyalov]

@kkbrat9 sorry I'm on PTO now and have limit access to github.

It will help, but, original skbuff is too large and maybe you don't need all fields (so you may want to consider copy part of skbuff)

P.S recently #11 has been merged which could be used as example of how to bring kernel structures into bpf_helpers.h

[ghost]

@belyalov Sorry for late response. I was away to deal with some personal . Can work on this early next week onwards.

Did see the recent update to bpf_helpers.h, it has bpf_sock_tuple which has ip-address information. Can i use them directly inside the bpf code ?

[belyalov]

@kkbrat9 yeah, absolutely, if it fits your needs.. :)