Skip to content

dropbox/goebpf

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

70 Commits
.github
.github
 
 
examples
examples
 
 
goebpf_mock
goebpf_mock
 
 
itest
itest
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
bpf.h
bpf.h
 
 
bpf_helpers.h
bpf_helpers.h
 
 
doc.go
doc.go
 
 
ebpf.go
ebpf.go
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
loader.go
loader.go
 
 
loader_test.go
loader_test.go
 
 
map.go
map.go
 
 
map_test.go
map_test.go
 
 
mmap_ring_buffer.go
mmap_ring_buffer.go
 
 
mmap_ring_buffer_test.go
mmap_ring_buffer_test.go
 
 
perf_events.go
perf_events.go
 
 
perf_events_handler.go
perf_events_handler.go
 
 
perf_events_handler_test.go
perf_events_handler_test.go
 
 
perf_events_poller.go
perf_events_poller.go
 
 
program_base.go
program_base.go
 
 
program_kprobe.go
program_kprobe.go
 
 
program_socket_filter.go
program_socket_filter.go
 
 
program_tc.go
program_tc.go
 
 
program_xdp.go
program_xdp.go
 
 
utils.go
utils.go
 
 
utils_test.go
utils_test.go
 
 

Repository files navigation

Go eBPF

Build Status Go Report Card Documentation

A nice and convenient way to work with eBPF programs / perf events from Go.

Requirements

  • Go 1.11+
  • Linux Kernel 4.15+

Supported eBPF features

  • eBPF programs
    • SocketFilter
    • XDP
    • Kprobe / Kretprobe
    • tc-cls (tc-act is partially implemented, currently)
  • Perf Events

Support for other program types / features can be added in future. Meanwhile your contributions are warmly welcomed.. :)

Installation

# Main library
go get github.com/dropbox/goebpf

# Mock version (if needed)
go get github.com/dropbox/goebpf/goebpf_mock

Quick start

Consider very simple example of Read / Load / Attach

    // In order to be simple this examples does not handle errors
    bpf := goebpf.NewDefaultEbpfSystem()
    // Read clang compiled binary
    bpf.LoadElf("test.elf")
    // Load XDP program into kernel (name matches function name in C)
    xdp := bpf.GetProgramByName("xdp_test")
    xdp.Load()
    // Attach to interface
    xdp.Attach("eth0")
    defer xdp.Detach()
    // Work with maps
    test := bpf.GetMapByName("test")
    value, _ := test.LookupInt(0)
    fmt.Printf("Value at index 0 of map 'test': %d\n", value)

Like it? Check our examples

Perf Events

Currently library has support for one, most popular use case of perf_events: where eBPF map key maps to cpu_id. So eBPF and go parts actually bind cpu_id to map index. It maybe as simple as:

    // Define special, perf_events map where key maps to CPU_ID
    BPF_MAP_DEF(perfmap) = {
        .map_type = BPF_MAP_TYPE_PERF_EVENT_ARRAY,
        .max_entries = 128,     // Max supported CPUs
    };
    BPF_MAP_ADD(perfmap);

    // ...

    // Emit perf event with "data" to map "perfmap" where index is current CPU_ID
    bpf_perf_event_output(ctx, &perfmap, BPF_F_CURRENT_CPU, &data, sizeof(data));

And the go part:

    perf, err := goebpf.NewPerfEvents("perfmap")
    // 4096 is ring buffer size
    perfEvents, err := perf.StartForAllProcessesAndCPUs(4096)
    defer perf.Stop()

    for {
        select {
            case data := <-perfEvents:
                fmt.Println(data)
        }
    }

Looks simple? Check our full XDP dump example

Kprobes

Library currently has support for kprobes and kretprobes. It can be as simple as:

    // kprobe handler function
    SEC("kprobe/guess_execve")
    int execve_entry(struct pt_regs *ctx) {
      // ...
      buf_perf_output(ctx);
      return 0;
    }

And the go part:

	// Cleanup old probes
	err := goebpf.CleanupProbes()

	// Attach all probe programs
	for _, prog := range bpf.GetPrograms() {
		err := prog.Attach(nil)
	}

	// Create perf events
	eventsMap := p.bpf.GetMapByName("events")
	p.pe, err = goebpf.NewPerfEvents(eventsMap)
	events, err := p.pe.StartForAllProcessesAndCPUs(4096)
	defer events.Stop()

	for {
		select {
		case data := <-events:
			fmt.Println(data) // kProbe event
		}
	}

Simple? Check exec dump example

Good readings

About

Library to work with eBPF programs from Go

Topics

cats go golang golang-library ebpf xdp bpf cats-effect perfevents xdpdump

Resources

Readme

License

View license
Activity
Custom properties

Stars

1.2k stars

Watchers

32 watching

Forks

85 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 12

Languages