dropbox / Goebpf

Licence: other
Library to work with eBPF programs from Go

Projects that are alternatives of or similar to Goebpf

go-tc
traffic control in pure go - it allows to read and alter queues, filters and classes
Stars: ✭ 245 (-63.21%)
Mutual labels:  ebpf, bpf
Bpftrace
High-level tracing language for Linux eBPF
Stars: ✭ 4,526 (+579.58%)
Mutual labels:  bpf, ebpf
XDP-Firewall
An XDP firewall that is capable of filtering specific packets based off of filtering rules specified in a config file. IPv6 is supported!
Stars: ✭ 129 (-80.63%)
Mutual labels:  ebpf, bpf
KubeArmor
Cloud-native Runtime Security Enforcement System
Stars: ✭ 434 (-34.83%)
Mutual labels:  ebpf, bpf
oxdpus
A toy tool that leverages the super powers of XDP to bring in-kernel IP filtering
Stars: ✭ 59 (-91.14%)
Mutual labels:  ebpf, bpf
ebpfpub
ebpfpub is a generic function tracing library for Linux that supports tracepoints, kprobes and uprobes.
Stars: ✭ 86 (-87.09%)
Mutual labels:  ebpf, bpf
el7-bpf-specs
RPM specs for building bpf related tools on CentOS 7
Stars: ✭ 38 (-94.29%)
Mutual labels:  ebpf, bpf
libbpf-sys
Rust bindings to libbpf from the Linux kernel
Stars: ✭ 103 (-84.53%)
Mutual labels:  ebpf, bpf
pwru
Packet, where are you? -- Linux kernel networking debugger
Stars: ✭ 694 (+4.2%)
Mutual labels:  ebpf, bpf
bpflock
bpflock - eBPF driven security for locking and auditing Linux machines
Stars: ✭ 54 (-91.89%)
Mutual labels:  ebpf, bpf
ebpf
eBPF package for Go
Stars: ✭ 25 (-96.25%)
Mutual labels:  ebpf, bpf
Bpfd
Framework for running BPF programs with rules on Linux as a daemon. Container aware.
Stars: ✭ 396 (-40.54%)
Mutual labels:  bpf, ebpf
ebpfault
A BPF-based syscall fault injector
Stars: ✭ 65 (-90.24%)
Mutual labels:  ebpf, bpf
p2pflow
Ethereum p2p traffic analysis with eBPF
Stars: ✭ 24 (-96.4%)
Mutual labels:  ebpf, bpf
portablebpf
You came here so you could have a base code to serve you as an example on how to develop a BPF application, compatible to BCC and/or LIBBPF, specially LIBBPF, having the userland part made in C or PYTHON.
Stars: ✭ 32 (-95.2%)
Mutual labels:  ebpf, bpf
aya
Aya is an eBPF library for the Rust programming language, built with a focus on developer experience and operability.
Stars: ✭ 950 (+42.64%)
Mutual labels:  ebpf, bpf
Xdp Project
XDP project collaboration through a git-repo
Stars: ✭ 127 (-80.93%)
Mutual labels:  bpf, ebpf
Polycube
eBPF/XDP-based software framework for fast network services running in the Linux kernel.
Stars: ✭ 217 (-67.42%)
Mutual labels:  bpf, ebpf
packiffer
lightweight cross-platform networking toolkit
Stars: ✭ 52 (-92.19%)
Mutual labels:  ebpf, bpf
libebpf
Experimental userspace eBPF library
Stars: ✭ 14 (-97.9%)
Mutual labels:  ebpf, bpf

Go eBPF

A nice and convenient way to work with eBPF programs / perf events from Go.

Requirements

  • Go 1.10+
  • Linux Kernel 4.15+

Supported eBPF features

  • eBPF programs
    • SocketFilter
    • XDP
    • Kprobe / Kretprobe
  • Perf Events

Support for other program types / features can be added in the future. Meanwhile, your contributions are warmly welcomed. :)

Installation

# Main library
go get github.com/dropbox/goebpf

# Mock version (if needed)
go get github.com/dropbox/goebpf/goebpf_mock

Quick start

Consider a very simple example of Read / Load / Attach:

    // To keep it simple, this example does not handle errors
    bpf := goebpf.NewDefaultEbpfSystem()
    // Read clang compiled binary
    bpf.LoadElf("test.elf")
    // Load XDP program into kernel (name matches function name in C)
    xdp := bpf.GetProgramByName("xdp_test")
    xdp.Load()
    // Attach to interface
    xdp.Attach("eth0")
    defer xdp.Detach()
    // Work with maps
    test := bpf.GetMapByName("test")
    value, _ := test.LookupInt(0)
    fmt.Printf("Value at index 0 of map 'test': %d\n", value)

Like it? Check our examples

Perf Events

The library currently supports one use case of perf_events, the most popular one, in which the eBPF map key maps to cpu_id. The eBPF and Go parts therefore bind cpu_id to the map index. It may be as simple as:

    // Define special, perf_events map where key maps to CPU_ID
    BPF_MAP_DEF(perfmap) = {
        .map_type = BPF_MAP_TYPE_PERF_EVENT_ARRAY,
        .max_entries = 128,     // Max supported CPUs
    };
    BPF_MAP_ADD(perfmap);

    // ...

    // Emit perf event with "data" to map "perfmap" where index is current CPU_ID
    bpf_perf_event_output(ctx, &perfmap, BPF_F_CURRENT_CPU, &data, sizeof(data));

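And the Go part:

    // Error handling is omitted for brevity
    // Look up the perf_events map declared in the eBPF program
    perfmap := bpf.GetMapByName("perfmap")
    perf, err := goebpf.NewPerfEvents(perfmap)
    // 4096 is ring buffer size
    perfEvents, err := perf.StartForAllProcessesAndCPUs(4096)
    defer perf.Stop()

    for {
        select {
            case data := <-perfEvents:
                fmt.Println(data)
        }
    }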

Simple? Check full XDP dump example
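
The loop above prints each event as raw bytes; a consumer normally checks the length and decodes the payload into a struct that mirrors the C `data`. The following is an added example, not code from goebpf: `flowEvent`, its 12-byte layout and the byte-order choices are assumptions made for illustration, and each channel item is assumed to be one raw sample as a byte slice.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// flowEvent mirrors a hypothetical C struct passed to bpf_perf_event_output():
//   struct flow_event { __u32 src_ip; __u32 dst_ip; __u16 src_port; __u16 dst_port; };
// Field order and sizes must match the eBPF side exactly (12 bytes, no padding).
type flowEvent struct {
	SrcIP, DstIP     net.IP
	SrcPort, DstPort uint16
}

const flowEventSize = 12

var errShortEvent = errors.New("perf event shorter than struct flow_event")

// decodeFlowEvent validates the length of one raw perf sample and decodes it.
// Assumptions: IPs were copied straight from the IPv4 header (network byte
// order); ports were converted to host order (little-endian) by the eBPF program.
func decodeFlowEvent(raw []byte) (flowEvent, error) {
	if len(raw) < flowEventSize {
		return flowEvent{}, fmt.Errorf("%w: got %d bytes", errShortEvent, len(raw))
	}
	// Bytes past flowEventSize are ignored: perf samples can carry alignment padding.
	return flowEvent{
		SrcIP:   net.IP(append([]byte(nil), raw[0:4]...)),
		DstIP:   net.IP(append([]byte(nil), raw[4:8]...)),
		SrcPort: binary.LittleEndian.Uint16(raw[8:10]),
		DstPort: binary.LittleEndian.Uint16(raw[10:12]),
	}, nil
}

func main() {
	// Constructed sample: 10.0.0.1:51000 -> 192.168.1.10:443 plus 4 padding bytes
	sample := []byte{10, 0, 0, 1, 192, 168, 1, 10, 0x38, 0xc7, 0xbb, 0x01, 0, 0, 0, 0}
	for _, raw := range [][]byte{sample, sample[:7]} {
		ev, err := decodeFlowEvent(raw)
		if err != nil {
			fmt.Println("dropped:", err)
			continue
		}
		fmt.Printf("%s:%d -> %s:%d\n", ev.SrcIP, ev.SrcPort, ev.DstIP, ev.DstPort)
	}
}
```

In the receive loop, `decodeFlowEvent(data)` would replace `fmt.Println(data)`, with short samples counted and dropped rather than decoded.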

Kprobes

The library currently supports kprobes and kretprobes. It can be as simple as:

    // kprobe handler function
    SEC("kprobe/guess_execve")
    int execve_entry(struct pt_regs *ctx) {
      // ...
      buf_perf_output(ctx);
      return 0;
    }

And the Go part:

    // Error handling is omitted for brevity
    // Cleanup old probes
    err := goebpf.CleanupProbes()

    // Attach all probe programs
    for _, prog := range p.bpf.GetPrograms() {
        err = prog.Attach(nil)
    }

    // Create perf events
    eventsMap := p.bpf.GetMapByName("events")
    p.pe, err = goebpf.NewPerfEvents(eventsMap)
    events, err := p.pe.StartForAllProcessesAndCPUs(4096)
    // Stop the perf events reader (events is only the receive channel)
    defer p.pe.Stop()

    for {
        select {
        case data := <-events:
            fmt.Println(data) // kProbe event
        }
    }

Simple? Check exec dump example

Good readings
