draft

Signed-off-by: gray <[email protected]>

Author: jschwinger233

Diff for: bpf/kprobe_pwru.c

@@ -82,6 +82,7 @@ struct event_t {
 	u64 ts;
 	u64 print_skb_id;
 	u64 print_shinfo_id;
+	//u64 print_bpf_map_id;
 	struct skb_meta meta;
 	struct tuple tuple;
 	s64 print_stack_id;
@@ -143,7 +144,8 @@ struct config {
 	u8 output_shinfo: 1;
 	u8 output_stack: 1;
 	u8 output_caller: 1;
-	u8 output_unused: 2;
+	u8 output_bpf_map: 1;
+	u8 output_unused: 1;
 	u8 is_set: 1;
 	u8 track_skb: 1;
 	u8 track_skb_by_stackid: 1;
@@ -394,6 +396,21 @@ set_shinfo_btf(struct sk_buff *skb, u64 *event_id) {
 #endif
 }
 
+static __always_inline void
+set_bpf_map(struct pt_regs *ctx, u64 cookie, u64 *event_id) {
+	if (cookie == 1)
+		bpf_printk("bpf_map_lookup/delete");
+	else if (cookie == 2)
+		bpf_printk("bpf_map_update");
+
+	struct bpf_map *map = (struct bpf_map *)PT_REGS_PARM1(ctx);
+
+	char name[16];
+	BPF_CORE_READ_STR_INTO(&name, map, name);
+	bpf_printk(" name=%s key_size=%ld value_size=%ld\n", &name, BPF_CORE_READ(map, key_size), BPF_CORE_READ(map, value_size));
+	// TODO@gray: print/collect key and value hex
+}
+
 static __always_inline u64
 get_stackid(struct pt_regs *ctx) {
 	u64 caller_fp;
@@ -509,6 +526,13 @@ kprobe_skb(struct sk_buff *skb, struct pt_regs *ctx, bool has_get_func_ip, u64 *
 	if (CFG.output_caller)
 		bpf_probe_read_kernel(&event.caller_addr, sizeof(event.caller_addr), (void *)PT_REGS_SP(ctx));
 
+	if (CFG.output_bpf_map) {
+		// TODO@gray: kernel>=5.15
+		__u64 cookie = bpf_get_attach_cookie(ctx);
+		if (cookie)
+			set_bpf_map(ctx, cookie, NULL);
+	}
+
 	bpf_map_push_elem(&events, &event, BPF_EXIST);
 
 	return BPF_OK;

Diff for: internal/pwru/config.go

@@ -22,6 +22,7 @@ const (
 	OutputShinfoMask
 	OutputStackMask
 	OutputCallerMask
+	OutputBpfMapMask
 )
 
 const (
@@ -66,6 +67,9 @@ func GetConfig(flags *Flags) (cfg FilterCfg, err error) {
 	if flags.OutputCaller {
 		cfg.OutputFlags |= OutputCallerMask
 	}
+	if flags.OutputBpfMap {
+		cfg.OutputFlags |= OutputBpfMapMask
+	}
 	if flags.FilterTrackSkb {
 		cfg.FilterFlags |= TrackSkbMask
 	}

Diff for: internal/pwru/kprobe.go

@@ -16,6 +16,7 @@ import (
 
 	"github.com/cheggaaa/pb/v3"
 	"github.com/cilium/ebpf"
+	"github.com/cilium/ebpf/btf"
 	"github.com/cilium/ebpf/link"
 	"golang.org/x/sync/errgroup"
 )
@@ -246,7 +247,7 @@ func NewKprober(ctx context.Context, funcs Funcs, coll *ebpf.Collection, a2n Add
 	return &k
 }
 
-func NewNonSkbFuncsKprober(nonSkbFuncs []string, funcs Funcs, coll *ebpf.Collection) *kprober {
+func NewNonSkbFuncsKprober(nonSkbFuncs []string, funcs Funcs, bpfMapFuncs map[string]*btf.FuncProto, coll *ebpf.Collection) *kprober {
 	slices.Sort(nonSkbFuncs)
 	nonSkbFuncs = slices.Compact(nonSkbFuncs)
 
@@ -263,7 +264,18 @@ func NewNonSkbFuncsKprober(nonSkbFuncs []string, funcs Funcs, coll *ebpf.Collect
 			continue
 		}
 
-		kp, err := link.Kprobe(fn, coll.Programs["kprobe_skb_by_stackid"], nil)
+		var cookie uint64
+		if proto, ok := bpfMapFuncs[fn]; ok {
+			cookie = 1
+			for _, p := range proto.Params {
+				if p.Name == "value" {
+					cookie = 2
+				}
+			}
+		}
+
+		opts := &link.KprobeOptions{Cookie: cookie}
+		kp, err := link.Kprobe(fn, coll.Programs["kprobe_skb_by_stackid"], opts)
 		if err != nil {
 			if errors.Is(err, os.ErrNotExist) {
 				continue

Diff for: internal/pwru/types.go

@@ -45,6 +45,7 @@ type Flags struct {
 	OutputShinfo     bool
 	OutputStack      bool
 	OutputCaller     bool
+	OutputBpfMap     bool
 	OutputLimitLines uint64
 	OutputFile       string
 	OutputJson       bool
@@ -81,6 +82,7 @@ func (f *Flags) SetFlags() {
 	flag.BoolVar(&f.OutputShinfo, "output-skb-shared-info", false, "print skb shared info")
 	flag.BoolVar(&f.OutputStack, "output-stack", false, "print stack")
 	flag.BoolVar(&f.OutputCaller, "output-caller", false, "print caller function name")
+	flag.BoolVar(&f.OutputBpfMap, "output-bpf-map", false, "print bpf helper arguments related to bpf maps")
 	flag.Uint64Var(&f.OutputLimitLines, "output-limit-lines", 0, "exit the program after the number of events has been received/printed")
 
 	flag.StringVar(&f.OutputFile, "output-file", "", "write traces to file")

Diff for: internal/pwru/utils.go

@@ -42,8 +42,9 @@ func getAvailableFilterFunctions() (map[string]struct{}, error) {
 	return availableFuncs, nil
 }
 
-func GetFuncs(pattern string, spec *btf.Spec, kmods []string, kprobeMulti bool) (Funcs, error) {
+func GetFuncs(pattern string, spec *btf.Spec, kmods []string, kprobeMulti, bpfMap bool) (Funcs, map[string]*btf.FuncProto, error) {
 	funcs := Funcs{}
+	bpfMapFuncs := make(map[string]*btf.FuncProto)
 
 	type iterator struct {
 		kmod string
@@ -52,7 +53,7 @@ func GetFuncs(pattern string, spec *btf.Spec, kmods []string, kprobeMulti bool)
 
 	reg, err := regexp.Compile(pattern)
 	if err != nil {
-		return nil, fmt.Errorf("failed to compile regular expression %v", err)
+		return nil, nil, fmt.Errorf("failed to compile regular expression %v", err)
 	}
 
 	var availableFuncs map[string]struct{}
@@ -68,13 +69,13 @@ func GetFuncs(pattern string, spec *btf.Spec, kmods []string, kprobeMulti bool)
 		path := filepath.Join("/sys/kernel/btf", module)
 		f, err := os.Open(path)
 		if err != nil {
-			return nil, fmt.Errorf("failed to open %s: %v", path, err)
+			return nil, nil, fmt.Errorf("failed to open %s: %v", path, err)
 		}
 		defer f.Close()
 
 		modSpec, err := btf.LoadSplitSpecFromReader(f, spec)
 		if err != nil {
-			return nil, fmt.Errorf("failed to load %s btf: %v", module, err)
+			return nil, nil, fmt.Errorf("failed to load %s btf: %v", module, err)
 		}
 		iters = append(iters, iterator{module, modSpec.Iterate()})
 	}
@@ -108,6 +109,9 @@ func GetFuncs(pattern string, spec *btf.Spec, kmods []string, kprobeMulti bool)
 			for _, p := range fnProto.Params {
 				if ptr, ok := p.Type.(*btf.Pointer); ok {
 					if strct, ok := ptr.Target.(*btf.Struct); ok {
+						if bpfMap && strct.Name == "bpf_map" {
+							bpfMapFuncs[fnName] = fnProto
+						}
 						if strct.Name == "sk_buff" && i <= 5 {
 							name := fnName
 							if kprobeMulti && it.kmod != "" {
@@ -123,7 +127,7 @@ func GetFuncs(pattern string, spec *btf.Spec, kmods []string, kprobeMulti bool)
 		}
 	}
 
-	return funcs, nil
+	return funcs, bpfMapFuncs, nil
 }
 
 func GetFuncsByPos(funcs Funcs) map[int][]string {

Diff for: main.go

@@ -94,7 +94,7 @@ func main() {
 		useKprobeMulti = true
 	}
 
-	funcs, err := pwru.GetFuncs(flags.FilterFunc, btfSpec, flags.KMods, useKprobeMulti)
+	funcs, bpfMapFuncs, err := pwru.GetFuncs(flags.FilterFunc, btfSpec, flags.KMods, useKprobeMulti, flags.OutputBpfMap)
 	if err != nil {
 		log.Fatalf("Failed to get skb-accepting functions: %s", err)
 	}
@@ -250,7 +250,7 @@ func main() {
 	}
 
 	if nonSkbFuncs := flags.FilterNonSkbFuncs; len(nonSkbFuncs) != 0 {
-		k := pwru.NewNonSkbFuncsKprober(nonSkbFuncs, funcs, coll)
+		k := pwru.NewNonSkbFuncsKprober(nonSkbFuncs, funcs, bpfMapFuncs, coll)
 		defer k.DetachKprobes()
 	}