I'm using Archlinux

Linux sherlockholo-pc 5.14.14-arch1-1 #1 SMP PREEMPT Wed, 20 Oct 2021 21:35:18 +0000 x86_64 GNU/Linux

I try this codes

#![no_std]
#![no_main]

use redbpf_probes::tc::prelude::*;
// use redbpf_probes::xdp::prelude::*;

program!(0xFFFFFFFE, "GPL");

#[tc_action]
fn test(skb: SkBuff) -> TcActionResult {
    Ok(TcAction::Ok)
}

and build with cargo bpf build

When I try to load it by sudo tc filter add ingress bpf da obj target/bpf/programs/learn_bpf/learn_bpf.elf sec tc_action/test

it reports

Error fetching program/map! Unable to load program

also I try to use cargo-bpf, sudo -E cargo bpf load -i lo target/bpf/programs/learn_bpf/learn_bpf.elf, it just stuck without any output.

How should I do to load the bpf tc program?

#![no_std]
#![no_main]

use core::mem::{size_of, transmute};

use cty::c_void;
use redbpf_macros::map;
use redbpf_probes::tc::prelude::*;

program!(0xFFFFFFFE, "GPL");

#[map(link_section = "redirect_map")]
static mut REDIRECT_MAP: TcHashMap<__be16, u16> =
    TcHashMap::with_max_entries(1024, TcMapPinning::GlobalNamespace);

#[tc_action]
fn test(skb: SkBuff) -> TcActionResult {
    let mut n: __be16 = 1;
    n = n.to_be();

    unsafe {
        REDIRECT_MAP.set(&n, &1);
    }

    Ok(TcAction::Ok)
}

when compile this codes and load by tc, it reports

Prog section 'tc_action/test' rejected: Permission denied (13)!
 - Type:         3
 - Instructions: 12 (0 over limit)
 - License:      GPL

Verifier analysis:

0: (b7) r1 = 256
1: (6b) *(u16 *)(r10 -2) = r1
2: (bf) r2 = r10
3: (07) r2 += -2
4: (18) r1 = 0x0
6: (18) r3 = 0x0
8: (b7) r4 = 0
9: (85) call bpf_map_update_elem#2
R1 type=inv expected=map_ptr
processed 8 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0

Error fetching program/map!
Unable to load program

it seems when uses the bpf_map_update_elem, the pointer is incorrect? but I don't know what's wrong in https://github.com/foniod/redbpf/blob/a9b98c2f9dfa1481a93d46560b0e11deec800865/redbpf-probes/src/tc/maps.rs#L172

Hello,

I first followed the tutorial to get started with redbpf which worked very nicely. I then used the tutorial template and changed it to hook into the kernel function __dev_queue_xmit to read properties of network packets being transmitted. Compilation works without errors but the program panicks when trying to load the probe program. In the probe program, I use the struct SkBuff from redbpf_probes::socket::SkBuff, which internally calls bpf_skb_load_bytes. When running it, it panicks with the error "unknown func bpf_skb_load_bytes":

     Running `target/debug/redbpf-tutorial`
Nov 14 16:52:30.587 ERROR redbpf: error loading BPF program `__dev_queue_xmit' with bpf_load_program_xattr. ret=-1 os error=Invalid argument (os error 22): 0: (bf) r6 = r1
1: (b7) r8 = 0
2: (63) *(u32 *)(r10 -24) = r8
last_idx 2 first_idx 0
regs=100 stack=0 before 1: (b7) r8 = 0
3: (7b) *(u64 *)(r10 -32) = r8
4: (7b) *(u64 *)(r10 -40) = r8
5: (7b) *(u64 *)(r10 -48) = r8
6: (7b) *(u64 *)(r10 -56) = r8
7: (7b) *(u64 *)(r10 -64) = r8
8: (7b) *(u64 *)(r10 -72) = r8
9: (7b) *(u64 *)(r10 -80) = r8
10: (7b) *(u64 *)(r10 -88) = r8
11: (7b) *(u64 *)(r10 -96) = r8
12: (7b) *(u64 *)(r10 -104) = r8
13: (7b) *(u64 *)(r10 -112) = r8
14: (7b) *(u64 *)(r10 -120) = r8
15: (7b) *(u64 *)(r10 -128) = r8
16: (7b) *(u64 *)(r10 -136) = r8
17: (7b) *(u64 *)(r10 -144) = r8
18: (79) r7 = *(u64 *)(r6 +112)
19: (85) call bpf_ktime_get_ns#5
20: (7b) *(u64 *)(r10 -160) = r0
21: (85) call bpf_get_current_pid_tgid#14
22: (7b) *(u64 *)(r10 -152) = r0
23: (7b) *(u64 *)(r10 -8) = r8
24: (7b) *(u64 *)(r10 -16) = r8
25: (bf) r1 = r10
26: (07) r1 += -16
27: (b7) r2 = 16
28: (85) call bpf_get_current_comm#16
last_idx 28 first_idx 22
regs=4 stack=0 before 27: (b7) r2 = 16
29: (79) r1 = *(u64 *)(r10 -8)
30: (7b) *(u64 *)(r10 -128) = r1
31: (79) r1 = *(u64 *)(r10 -16)
32: (7b) *(u64 *)(r10 -136) = r1
33: (bf) r3 = r10
34: (07) r3 += -16
35: (bf) r1 = r7
36: (b7) r2 = 0
37: (b7) r4 = 4
38: (85) call bpf_skb_load_bytes#26
unknown func bpf_skb_load_bytes#26
processed 39 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1

thread 'main' panicked at 'error on Loader::load: LoadError("__dev_queue_xmit", BPF)', src/main.rs:22:49
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace`

I am not quite sure what the issue is here, I'd really appreciate any help!

This is my system info:

rustc 1.56.1
llvm 13.0.0-3
Kernel: Linux 5.10.78-1-lts

I tried to set up a development env in Docker with RedBPF, using:

FROM amazonlinux:2
RUN curl https://sh.rustup.rs -sSf | \
        sh -s -- -y --default-toolchain stable && \
        PATH="/root/.cargo/bin:$PATH" rustup install stable
RUN yum -y install clang-10.0.0 \
    llvm-10.0.0 \
    llvm-libs-10.0.0 \
    llvm-devel-10.0.0 \
    llvm-static-10.0.0 \
    kernel \
    kernel-devel \
    elfutils-libelf-devel \
    ca-certificates 
RUN PATH="/root/.cargo/bin:$PATH" cargo install cargo-bpf
ENV PATH $PATH:/root/.cargo/bin
WORKDIR /tmp

When I do a docker build this fails with:

...
error: No suitable version of LLVM was found system-wide or pointed
       to by LLVM_SYS_100_PREFIX.

       Consider using `llvmenv` to compile an appropriate copy of LLVM, and
       refer to the llvm-sys documentation for more information.

       llvm-sys: https://crates.io/crates/llvm-sys
       llvmenv: https://crates.io/crates/llvmenv
   --> /root/.cargo/registry/src/github.com-1ecc6299db9ec823/llvm-sys-100.2.0/src/lib.rs:483:1
    |
483 | / std::compile_error!(concat!(
484 | |       "No suitable version of LLVM was found system-wide or pointed
485 | |        to by LLVM_SYS_", env!("CARGO_PKG_VERSION_MAJOR"), "_PREFIX.
486 | |
...   |
490 | |        llvm-sys: https://crates.io/crates/llvm-sys
491 | |        llvmenv: https://crates.io/crates/llvmenv"));
    | |____________________________________________________^

error: aborting due to previous error

error: could not compile `llvm-sys`.

To learn more, run the command again with --verbose.
warning: build failed, waiting for other jobs to finish...
error: failed to compile `cargo-bpf v1.1.2`, intermediate artifacts can be found at `/tmp/cargo-installKGJVzw`

Any idea what I'm doing wrong? I thought I got all the deps? 8-}

Great project, BTW!

Running a program based on https://github.com/foniod/redbpf/blob/main/examples/example-probes/src/tcp_lifetime/main.rs with code:

// This program can be executed by
// # cargo run --example tcp-lifetime [interface]
#![no_std]
#![no_main]
use core::mem::{self, MaybeUninit};
use memoffset::offset_of;

use redbpf_probes::socket_filter::prelude::*;

use monitor::usage::{SocketAddr,message};

#[map(link_section = "maps/perf_events")]
static mut perf_events: PerfMap<message> = PerfMap::with_max_entries(1024);
#[map(link_section = "maps/usage")]
static mut usage: HashMap<u32, u32> = HashMap::with_max_entries(4096);

#[map(link_section = "maps/time")]
static mut time: HashMap<u32, u64> = HashMap::with_max_entries(4096);

program!(0xFFFFFFFE, "GPL");
#[socket_filter]
fn measure_tcp_lifetime(skb: SkBuff) -> SkBuffResult {
    let eth_len = mem::size_of::<ethhdr>();
    let eth_proto = skb.load::<__be16>(offset_of!(ethhdr, h_proto))? as u32;
    if eth_proto != ETH_P_IP {
        return Ok(SkBuffAction::Ignore);
    }

    let ip_proto = skb.load::<__u8>(eth_len + offset_of!(iphdr, protocol))? as u32;
    if ip_proto != IPPROTO_TCP {
        return Ok(SkBuffAction::Ignore);
    }

    Ok(SkBuffAction::Ignore)
}
´´´

Gives a segmentation fault, however, used to work about a month ago don't know if it started to happen due to rust updates or redBPF updates.
Thanks in Advance.

Centos7 3.10.0-1062.4.1.el7.x86_64 rust 1.39 clang version 9.0.0 (tags/RELEASE_900/final)

cargo bpf build block_http Compiling redbpf-probes v0.9.6 error[E0588]: packed type cannot transitively contain a [repr(align)] type --> /home/alphapo/rust/hello-bpf/target/release/build/redbpf-probes-fcf682ba7259472e/out/gen_helpers.rs:977:1 | 977 | / pub struct desc_struct { 978 | | pub __bindgen_anon_1: desc_struct__bindgen_ty_1, 979 | | } | |_^

error[E0587]: type has conflicting packed and align representation hints --> /home/alphapo/rust/hello-bpf/target/release/build/redbpf-probes-fcf682ba7259472e/out/gen_helpers.rs:5432:1 | 5432 | / pub struct xsave_struct { 5433 | | pub i387: i387_fxsave_struct, 5434 | | pub xsave_hdr: xsave_hdr_struct, 5435 | | pub ymmh: ymmh_struct, ... | 5439 | | pub __bindgen_padding_0: [u8; 48usize], 5440 | | } | |_^

error: aborting due to 2 previous errors

error: could not compile redbpf-probes.

To learn more, run the command again with --verbose. error: failed to compile the `block_http' program

Hi, again I am running a Kubernetes deployment with multiple pods (17), where one of them injects rust programs in the rest of them, these rust programs run eBPF stuff specifically a part where they load an eBPF program, however, 6 of them load the eBPF program without an issue and the rest of them give the following error:

"thread 'async-std/runtime' panicked at 'called Result::unwrap() on an Err value: IO(Os { code: 1, kind: PermissionDenied, message: "Operation not permitted" })', redbpf/redbpf/src/load/loader.rs:51:67"

After looking into the code I saw this was the line: let map = PerfMap::bind(m, -1, *cpuid, 16, -1, 0).unwrap();

Bind is described here: https://github.com/foniod/redbpf/blob/c7f4b6811a2527ed033ec42aa34fe1d8cb4d97d4/redbpf/src/perf.rs#L274 The map section of the eBPF program (same for all Pods) loaded looks like this:

#[map(link_section = "maps")]
static mut perf_events: PerfMap<message> = PerfMap::with_max_entries(1024);
#[map(link_section = "maps")]
static mut usage: HashMap<u32, u32> = HashMap::with_max_entries(4096);

#[map(link_section = "maps")]
static mut time: HashMap<u32, u64> = HashMap::with_max_entries(4096);

As a side note, this works completely fine in Docker, working in Docker, and the fact that 6 of them work makes this extremely confusing for me. Does anyone have any idea why this might happen or a way to continue debugging? Thanks in advance.

I come up with this PR when I ran into the build failure of #131. Because I tried building RedBPF only under my Pop OS, I could not recognize the build failures derived from other distros.

And also by Dockerfile-alpine-20210212 this PR suggests the solution of #130.

Hello everyone, I am running a program similar to this https://github.com/foniod/redbpf/blob/main/examples/example-userspace/examples/tcp-lifetime.rs I have a quick question, when are these socket filters removed? Or is there a certain way to remove them? (Didn't know where I could ask this, without creating an issue sorry if it is not supposed to be here) Thanks in advance.

Hello,

As I am doing a tc program the creation of the map is not shared between user space and kernel space because we launch it with tc commands such as:

tc qdisc add dev lo clsact

sudo tc filter add dev lo ingress \
  bpf da obj target/bpf/programs/limit/limit.elf sec tc_action/limit

So in order to share the file descriptor of the map created by this we need to do a global map in order to put it a global namespace so I can get it in other ebpf programs.

To do that I see that I can modify the 'pinning' in the map options :

/* This example has a pinning of PIN_OBJECT_NS, so it's private and
* thus shared among various program sections within the object.
*
* A setting of PIN_GLOBAL_NS would place it into a global namespace,
* so that it can be shared among different object files. A setting
* of PIN_NONE (= 0) means no sharing, so each tc invocation a new map
* instance is being created.
*/

https://git.kernel.org/pub/scm/network/iproute2/iproute2-next.git/tree/examples/bpf/bpf_shared.c

I saw in the documentation the implementation of Hash table map the High level API for BPF_MAP_TYPE_HASH maps

impl<K, V> HashMap<K, V> {
    /// Creates a map with the specified maximum number of elements.
    pub const fn with_max_entries(max_entries: u32) -> Self {
        Self {
            def: bpf_map_def {
                type_: bpf_map_type_BPF_MAP_TYPE_HASH,
                key_size: mem::size_of::<K>() as u32,
                value_size: mem::size_of::<V>() as u32,
                max_entries,
                map_flags: 0,
            },
            _k: PhantomData,
            _v: PhantomData,
        }
    }

And in C they have the pinning options :

struct bpf_elf_map {
    u32 type;
    u32 size_key;
    u32 size_value;
    u32 max_elem;
    u32 flags;
    u32 id;
    __u32 pinning;
};

Is it possible to choose the pinning value or there is pinning default value ? Can I retrieve the map fd with other solutions for the tc_action program ?

Thank you

I was reading the post at https://blog.redsift.com/labs/writing-bpf-code-in-rust/ and started playing around with it. While debugging I glanced at the source code for Data::read here:

https://github.com/redsift/redbpf/blob/master/redbpf-probes/src/xdp.rs#L236

    pub fn read<T>(&self) -> Option<T> {
        unsafe {
            let len = mem::size_of::<T>();
            if self.base.add(len) as *const u8 > (*self.ctx).data_end as *const u8 {
                return None;
            }
            Some((self.base as *const T).read_unaligned())
        }
    }

This function is not sound for all values of T and should at least be marked unsafe. Right beneath that is the MapData type which appears to be equally unsound and at the very least should have the payload method marked unsafe.

These are just the first pieces of code I glanced at when trying to figure out what the http trace example in the blog post is doing, it is far from an exhaustive scan of the redbpf code base.

Would you welcome changes that mark those API's unsafe?

Hi, I am trying to load this BPF program, however, I get the error: thread 'tokio-runtime-worker' panicked at 'error loading BPF program: LoadError("measure_tcp_lifetime", BPF)', In RedBPF as far as I am aware tracks to this block https://github.com/foniod/redbpf/blob/55331987dc31a26feb192e4a668bf9bfc336e1e0/redbpf/src/lib.rs#L727 This is the code in the program

#![no_std]
#![no_main]
use core::mem::{self, MaybeUninit};
use memoffset::offset_of;

use redbpf_probes::socket_filter::prelude::*;

use monitor::usage::{SocketAddr,message};

//map to hold perf_events
#[map(link_section = "maps")]
static mut perf_events: PerfMap<message> = PerfMap::with_max_entries(512);

//map to hold the bytes sent
#[map(link_section = "maps")]
static mut usage: HashMap<u32, u128> = HashMap::with_max_entries(4096);

//map to hold time that has passed
#[map(link_section = "maps")]
static mut time: HashMap<u32, u64> = HashMap::with_max_entries(4096);

program!(0xFFFFFFFE, "GPL");
#[socket_filter]
fn measure_tcp_lifetime(skb: SkBuff) -> SkBuffResult {
    let eth_len = mem::size_of::<ethhdr>();
    let eth_proto = skb.load::<__be16>(offset_of!(ethhdr, h_proto))? as u32;
    if eth_proto != ETH_P_IP {
        return Ok(SkBuffAction::Ignore);
    }

    let ip_proto = skb.load::<__u8>(eth_len + offset_of!(iphdr, protocol))? as u32;
    if ip_proto != IPPROTO_TCP {
        return Ok(SkBuffAction::Ignore);
    }

    let mut ip_hdr = unsafe { MaybeUninit::<iphdr>::zeroed().assume_init() };
    ip_hdr._bitfield_1 = __BindgenBitfieldUnit::new([skb.load::<u8>(eth_len)?]);
    if ip_hdr.version() != 4 {
        return Ok(SkBuffAction::Ignore);
    }
    //Retrieve IPs from skbuff
    let ihl = ip_hdr.ihl() as usize;
    let dst = SocketAddr::new(
        skb.load::<__be32>(eth_len + offset_of!(iphdr, daddr))?,
        skb.load::<__be16>(eth_len + ihl * 4 + offset_of!(tcphdr, dest))?,
    );
    //We send new values every 25 milli seconds for a given ip, via perf_events
    unsafe{
        //retrieve size of packet
        let len:u128 = ((*skb.skb).len).into();
        let currenttime = bpf_ktime_get_ns();
        match time.get(&dst.addr){
            None=>{
                time.set(&dst.addr,&currenttime);
            },
            Some(oldtime)=>{
                if currenttime-oldtime > 25000000{
                //if currenttime-oldtime > 0{
                    match usage.get(&dst.addr){
                        None => usage.set(&dst.addr,&len),
                        Some(value) =>{
                            let newvalue:u128 = value + len;
                            usage.set(&dst.addr,&newvalue);
                            perf_events.insert(skb.skb as *mut __sk_buff,&message {dst:dst.addr,bytes:newvalue,}, );
                            time.set(&dst.addr,&currenttime);
                        }
                    }   
                }else{
                    match usage.get(&dst.addr){
                        None => usage.set(&dst.addr,&len),
                        Some(value) =>{
                            let newvalue:u128 = value + len;
                            usage.set(&dst.addr,&newvalue);
                        }
                    }
                }
            }
        }
    }

    Ok(SkBuffAction::Ignore)
}

I previously managed to get this program correctly loaded when I used u32 instead of u128, however, I need to change it now. Is there anything related to u128 that the kernel does not allow? Thank you in advance.

I got a strange error while testing the tutorial, related to the assert that checks for the alignment in the read_array function of the zero crate used by redbpf:

pub fn read_array<T: Pod>(input: &[u8]) -> &[T] {
    let t_size = mem::size_of::<T>();
    assert!(t_size > 0, "Can't read arrays of zero-sized types");
    assert!(input.len() % t_size == 0);
    let addr = input.as_ptr() as usize;
    assert!(addr & (mem::align_of::<T>() - 1) == 0); // We speak of this assert that checks the alignment

    unsafe { read_array_unsafe(input) }
}

The error happens randomly, for example while commenting out the code that attach the probe to do_sys_openat2.

I think redbpf was not affected until recently, as they pushed it a few days ago to crate.io (as explained here).

A quick fix would be to call read_array_unsafe instead of read_array (same with all read occurrences, if any).

But I'm not sure I understand why this assert fails.

BPF probes want the offset of a symbol in the object file. In shared object and executable files, at least, the current logic seems to return the virtual address of the symbol as opposed to the offset in the object file.

The st_value for a goblin::elf:sym::Sym with st_info of STT_FUNC (2) refers to the virtual memory address. In order to compute the offset, one needs to find the offset by translating it to be relative to the address of the section containing the symbol and then adding the offset of the section in the file.

The offending code is:

https://github.com/foniod/redbpf/blob/55331987dc31a26feb192e4a668bf9bfc336e1e0/redbpf/src/lib.rs#L965

In some cases, the address of the symbol is its offset, but certainly not in all cases.

See: https://github.com/iovisor/bpftrace/issues/1763#issuecomment-1238935968

I'm trying to run this program, which is compiled with clang:

#include <linux/bpf.h>
#define SEC(NAME) __attribute__((section(NAME), used))

SEC("tracepoint/syscalls/sys_enter_execve")
int bpf_prog(void *ctx) {
  char msg[] = "Hello, BPF World!\n";
  bpf_trace_printk(msg, sizeof(msg));

  return 0;
}

char _license[] SEC("license") = "GFPL";

On version = "2.3.0" it seems to work, but tracepoints_mut() is not present and I think I need that to make the program do something. Loader::load() returns an Ok.

On master it complains about this: ParseError(Reloc).

I'm new to this so any advice is welcomed. Perhaps I should not load programs compiled from c with clang with this library.

Hello,

Thank you for your great work, this library is awesome. I am wondering whether you plan to do a minor release with tracepoints implemented because v2.3.0 does not ?

Cheers,