Skip to content

pwru: Add --filter-skb-expr and --filter-xdp-expr#499

Merged
brb merged 2 commits intocilium:mainfrom
Asphaltt:feat/dynamic-skb-meta
Aug 15, 2025
Merged

pwru: Add --filter-skb-expr and --filter-xdp-expr#499
brb merged 2 commits intocilium:mainfrom
Asphaltt:feat/dynamic-skb-meta

Conversation

@Asphaltt
Copy link
Contributor

@Asphaltt Asphaltt commented Feb 4, 2025
edited
Loading

Fixes #11

I'm porting such feature from bpfsnoop's --filter-arg 'skb->dev->ifindex == 11'.

The following message is valid even though it was wrote for the original draft PR.

If we want to filter some info dynamically like 'skb->dev->ifindex == 11', it is better to compile the simple C expression to bpf instructions directly.

In order to achieve it, we can:

  1. Parse provided C expression to AST.
  2. Validate AST as expectation.
  3. Convert AST to offsets based on BTF info.
  4. Generate bpf_probe_read_kernel() based on converted offsets.
  5. Generate jmp insn for the compare op in the C expression.
  6. Replace the insns of stub function with the generated insns.

As a result, add --filter-skb-expr to filter skb dynamically, and add --filter-xdp-expr to filter xdp dynamically.

For examples, the jited insns of --filter-skb-expr 'skb->dev->ifindex == 11' is

; bpf/kprobe_pwru.c:233:0 filter_skb_expr(struct sk_buff *skb)
0xffffffffc018f2d4: 0f 1f 44 00 00      nopl    (%rax, %rax)
0xffffffffc018f2d9: 66 90               nop
0xffffffffc018f2db: 55                  pushq   %rbp
0xffffffffc018f2dc: 48 89 e5            movq    %rsp, %rbp
0xffffffffc018f2df: 48 81 ec 08 00 00 00        subq    $8, %rsp
0xffffffffc018f2e6: 48 89 fa            movq    %rdi, %rdx
0xffffffffc018f2e9: 48 83 c2 10         addq    $0x10, %rdx
0xffffffffc018f2ed: be 08 00 00 00      movl    $8, %esi
0xffffffffc018f2f2: 48 89 ef            movq    %rbp, %rdi
0xffffffffc018f2f5: 48 83 c7 f8         addq    $-8, %rdi
0xffffffffc018f2f9: e8 c2 e6 b1 f4      callq   0xffffffffb4cad9c0  ; bpf_probe_read_kernel+0x0 kernel/trace/bpf_trace.c:233
0xffffffffc018f2fe: 48 8b 55 f8         movq    -8(%rbp), %rdx
0xffffffffc018f302: 48 85 d2            testq   %rdx, %rdx
0xffffffffc018f305: 74 2f               je      0xffffffffc018f336  ; filter_skb_expr+0x62 bpf/kprobe_pwru.c:233 [bpf]
0xffffffffc018f307: 48 81 c2 e0 00 00 00        addq    $0xe0, %rdx
0xffffffffc018f30e: be 08 00 00 00      movl    $8, %esi
0xffffffffc018f313: 48 89 ef            movq    %rbp, %rdi
0xffffffffc018f316: 48 83 c7 f8         addq    $-8, %rdi
0xffffffffc018f31a: e8 a1 e6 b1 f4      callq   0xffffffffb4cad9c0  ; bpf_probe_read_kernel+0x0 kernel/trace/bpf_trace.c:233
0xffffffffc018f31f: 48 8b 55 f8         movq    -8(%rbp), %rdx
0xffffffffc018f323: 48 c1 e2 20         shlq    $0x20, %rdx
0xffffffffc018f327: 48 c1 ea 20         shrq    $0x20, %rdx
0xffffffffc018f32b: b8 01 00 00 00      movl    $1, %eax
0xffffffffc018f330: 48 83 fa 0b         cmpq    $0xb, %rdx
0xffffffffc018f334: 74 02               je      0xffffffffc018f338  ; filter_skb_expr+0x64 bpf/kprobe_pwru.c:233 [bpf]
0xffffffffc018f336: 31 c0               xorl    %eax, %eax
0xffffffffc018f338: c9                  leave
0xffffffffc018f339: c3                  retq
0xffffffffc018f33a: cc                  int3

The jited insns of --filter-xdp-expr 'xdp->rxq->dev->ifindex == 9' is

; bpf/kprobe_pwru.c:659:0 filter_xdp_expr(struct xdp_buff *xdp)
0xffffffffc018f168: 0f 1f 44 00 00      nopl    (%rax, %rax)
0xffffffffc018f16d: 66 90               nop
0xffffffffc018f16f: 55                  pushq   %rbp
0xffffffffc018f170: 48 89 e5            movq    %rsp, %rbp
0xffffffffc018f173: 48 81 ec 08 00 00 00        subq    $8, %rsp
0xffffffffc018f17a: 48 89 fa            movq    %rdi, %rdx
0xffffffffc018f17d: 48 83 c2 20         addq    $0x20, %rdx
0xffffffffc018f181: be 08 00 00 00      movl    $8, %esi
0xffffffffc018f186: 48 89 ef            movq    %rbp, %rdi
0xffffffffc018f189: 48 83 c7 f8         addq    $-8, %rdi
0xffffffffc018f18d: e8 2e e8 b1 f4      callq   0xffffffffb4cad9c0  ; bpf_probe_read_kernel+0x0 kernel/trace/bpf_trace.c:233
0xffffffffc018f192: 48 8b 55 f8         movq    -8(%rbp), %rdx
0xffffffffc018f196: 48 85 d2            testq   %rdx, %rdx
0xffffffffc018f199: 74 49               je      0xffffffffc018f1e4  ; filter_xdp_expr+0x7c bpf/kprobe_pwru.c:659 [bpf]
0xffffffffc018f19b: be 08 00 00 00      movl    $8, %esi
0xffffffffc018f1a0: 48 89 ef            movq    %rbp, %rdi
0xffffffffc018f1a3: 48 83 c7 f8         addq    $-8, %rdi
0xffffffffc018f1a7: e8 14 e8 b1 f4      callq   0xffffffffb4cad9c0  ; bpf_probe_read_kernel+0x0 kernel/trace/bpf_trace.c:233
0xffffffffc018f1ac: 48 8b 55 f8         movq    -8(%rbp), %rdx
0xffffffffc018f1b0: 48 85 d2            testq   %rdx, %rdx
0xffffffffc018f1b3: 74 2f               je      0xffffffffc018f1e4  ; filter_xdp_expr+0x7c bpf/kprobe_pwru.c:659 [bpf]
0xffffffffc018f1b5: 48 81 c2 e0 00 00 00        addq    $0xe0, %rdx
0xffffffffc018f1bc: be 08 00 00 00      movl    $8, %esi
0xffffffffc018f1c1: 48 89 ef            movq    %rbp, %rdi
0xffffffffc018f1c4: 48 83 c7 f8         addq    $-8, %rdi
0xffffffffc018f1c8: e8 f3 e7 b1 f4      callq   0xffffffffb4cad9c0  ; bpf_probe_read_kernel+0x0 kernel/trace/bpf_trace.c:233
0xffffffffc018f1cd: 48 8b 55 f8         movq    -8(%rbp), %rdx
0xffffffffc018f1d1: 48 c1 e2 20         shlq    $0x20, %rdx
0xffffffffc018f1d5: 48 c1 ea 20         shrq    $0x20, %rdx
0xffffffffc018f1d9: b8 01 00 00 00      movl    $1, %eax
0xffffffffc018f1de: 48 83 fa 09         cmpq    $9, %rdx
0xffffffffc018f1e2: 74 02               je      0xffffffffc018f1e6  ; filter_xdp_expr+0x7e bpf/kprobe_pwru.c:659 [bpf]
0xffffffffc018f1e4: 31 c0               xorl    %eax, %eax
0xffffffffc018f1e6: c9                  leave
0xffffffffc018f1e7: c3                  retq
0xffffffffc018f1e8: cc                  int3

@Asphaltt Asphaltt force-pushed the feat/dynamic-skb-meta branch 2 times, most recently from aa80c7c to ab85e03 Compare February 4, 2025 04:07
@jschwinger233
Copy link
Member

jschwinger233 commented Feb 5, 2025

I like it, it's also the on the roadmap, thank you.
I'll try to review it ... not later than the end of next week...

@jschwinger233
Copy link
Member

jschwinger233 commented Feb 5, 2025

if this goes stable, we can deprecate --filter-mark --filter-netns --filter-ifname in favor of --filter-skb-expr skb->dev->nd_net.net->ns.inum == 0xff000233.

@Asphaltt Asphaltt mentioned this pull request Feb 9, 2025
Closed
@Asphaltt Asphaltt force-pushed the feat/dynamic-skb-meta branch from ab85e03 to 050c492 Compare February 14, 2025 15:16
@brb
Copy link
Member

brb commented Apr 4, 2025

The RFC makes sense to me. Could we use BPF_PROG_TEST_RUN to test some of the filters?

if this goes stable, we can deprecate --filter-mark --filter-netns --filter-ifname in favor of --filter-skb-expr skb->dev->nd_net.net->ns.inum == 0xff000233.

How does the filter look like for --filter-ifname?

@Asphaltt
Copy link
Contributor Author

Asphaltt commented Apr 4, 2025

Could we use BPF_PROG_TEST_RUN to test some of the filters?

Sure. I will add some tests if I have time for it.

How does the filter look like for --filter-ifname?

--filter-name should be converted to --filter-ifindex like skb->dev->ifindex == 3.

Asphaltt added 2 commits April 13, 2025 21:11
@Asphaltt
bpf: Do not cache xdp to avoid verifier failure
5e36c54 
It's to avoid such verifier error:

```log
	; set_xdp_metadata(xdp, xdp_metadata);
	642: (bf) r1 = r10                    ; R1_w=fp0 R10=fp0
	; u64 xdp_metadata[4] = {};
	643: (07) r1 += -288                  ; R1_w=fp-288
	; __builtin_memcpy(event->skb_metadata, xdp_metadata, sizeof(xdp_metadata));
	644: (79) r2 = *(u64 *)(r10 -40)      ; R2_w=ptr_xdp_buff() R10=fp0 fp-40_w=ptr_xdp_buff()
	645: (bf) r3 = r2                     ; R2_w=ptr_xdp_buff() R3_w=ptr_xdp_buff()
	646: (77) r3 >>= 56
	R3 pointer arithmetic with >>= operator prohibited
```

It's because `xdp_metadata[0] = xdp` and `xdp` is not allowed to do `>>= 56`.

Signed-off-by: Leon Hwang <leon.hwang@linux.dev>
@Asphaltt
Add --filter-skb-expr and --filter-xdp-expr
6d4f324 
Like `--output-skb-metadata` and `--output-xdp-metadata`, implement
`--filter-skb-expr` and `--filter-xdp-expr` using
`github.com/leonhwangprojects/bice` library.

Because the limit of `bice` library, the expr must have three limited
parts, left part, operand and right part.

1. left part: limit like `--output-skb-metadata`.
2. operand: must be one of `=, ==, !=, <, <=, >, >=`, and '=' equals to
   '=='.
3. right part: a number or the enum value for the left part.

Signed-off-by: Leon Hwang <leon.hwang@linux.dev>
@Asphaltt Asphaltt force-pushed the feat/dynamic-skb-meta branch from 050c492 to 6d4f324 Compare April 13, 2025 13:26
@Asphaltt Asphaltt changed the title RFC: Add --filter-skb-expr and --filter-xdp-expr pwru: Add --filter-skb-expr and --filter-xdp-expr Apr 13, 2025
@Asphaltt Asphaltt marked this pull request as ready for review April 13, 2025 15:33
@Asphaltt Asphaltt requested a review from a team as a code owner April 13, 2025 15:33
@Asphaltt Asphaltt requested review from rgo3 and removed request for a team April 13, 2025 15:33
@brb brb self-requested a review April 17, 2025 06:59
@brb
Copy link
Member

brb commented Apr 17, 2025

I will review it next week once I am back from holidays.

brb
brb approved these changes Aug 15, 2025
View reviewed changes
Copy link
Member

@brb brb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@brb brb merged commit 66a3c5d into cilium:main Aug 15, 2025
8 checks passed
@brb brb mentioned this pull request Aug 15, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@brb brb brb approved these changes

@rgo3 rgo3 Awaiting requested review from rgo3 rgo3 is a code owner automatically assigned from cilium/pwru

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add skb metadata dynamic filters

3 participants

@Asphaltt @jschwinger233 @brb