Introduction
PROJECT Link and ReadMe: https://github.com/cilium/pwru/
Implementation
eBPF progs
Defined 5 eBPF prog with skb_buff args in different field
https://github.com/cilium/pwru/blob/v0.0.6/bpf/kprobe_pwru.c#L383-L416
The other functions are:
-
metadata related
https://github.com/cilium/pwru/blob/v0.0.6/bpf/kprobe_pwru.c#L24-L32
-
filter related
https://github.com/cilium/pwru/blob/v0.0.6/bpf/kprobe_pwru.c#L266
-
output related
https://github.com/cilium/pwru/blob/v0.0.6/bpf/kprobe_pwru.c#L344
Filter functions and args
-
Get the functions which can be kprobed from ‘/sys/kernel/debug/tracing/available_filter_functions’ (Only the function names, no args info)
-
Get the functions from kmod from
/sys/kernel/btf/<modules> -
Get the functions from vmlinux
-
Get the functions with args sk_buff and its index which can be kprobed
-
Link the functions to the bpf progs with kprobe
pwru usage
pwru uses kprobe to hook for more than 500 functions on the system if no function filter specified, which can be showed by bpftool perf list
It has performance impact , should not be used in production environment which has high traffic.