sk_buff填充0 incume_skb tracepoint

发布于 2025-02-11 14:29:55 字数 1026 浏览 2 评论 0原文

这是一个（已删除）上一个问题的后续行动。我发现我要阅读的sk_buff填充了0 s。请注意，以下代码打印0两次，一次成功阅读，另一个时间为data_len的假定值。我在阅读结构上是错误的，还是在进入跟踪点时没有填写？

SEC("tracepoint/skb/consume_skb")
int handle_skb(struct sk_buff *skb)
{
    unsigned int data_len = 1;
    long ret;

    ret = bpf_probe_read_kernel(&data_len, sizeof(data_len), &(skb->data_len));
    if (ret < 0) {
        bpf_printk("Error on probe read.n \n");
    }
    bpf_printk("ret: %d \n", ret);

    bpf_printk("len: %u \n", data_len);

    return 0;
}

（尽管此代码完美地显示了我的问题，但我尝试了许多不同的配置，而没有任何结果更改）

我正在使用的加载程序： gist

任何帮助将不胜感激，谢谢！

编辑

我已经测试了与kfree_skb相似的东西，这里存在相同的问题。但是，当打印协议在跟踪点上可用时，我获得了1，也不能正确。

我现在认为这与设置中的某些内容而不是代码有关。

原文

This is sort of a follow up to a (deleted) previous question. I have discovered that the sk_buff I am trying to read is filled with 0s. Note that the following code prints 0 twice, once for the successful read, and another time for the supposed value of data_len. Am I going wrong about reading the struct, or is it just not filled on entry to the tracepoint?

SEC("tracepoint/skb/consume_skb")
int handle_skb(struct sk_buff *skb)
{
    unsigned int data_len = 1;
    long ret;

    ret = bpf_probe_read_kernel(&data_len, sizeof(data_len), &(skb->data_len));
    if (ret < 0) {
        bpf_printk("Error on probe read.n \n");
    }
    bpf_printk("ret: %d \n", ret);

    bpf_printk("len: %u \n", data_len);

    return 0;
}

(Although this code perfectly shows my problem, I have tried many different configurations without any change to the result)

The loader I am using: gist

Any help would be appreciated, thanks!

EDIT

I have tested something similar with kfree_skb, here the same problem persists. However when printing protocol available in the tracepoint I get 1 which also cannot be right.

I am now thinking this has to do with something in the setup instead of the code.

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

江湖正好 2025-02-18 14:29:55

我认为，您正在使用错误的参数格式来suble_skb跟踪点。不用使用单个sk_buff参数，请尝试以下报告：

$ cat /sys/kernel/debug/tracing/events/skb/consume_skb/format
name: consume_skb
ID: 1425
format:
        field:unsigned short common_type;               offset:0;       size:2; signed:0;
        field:unsigned char common_flags;               offset:2;       size:1; signed:0;
        field:unsigned char common_preempt_count;       offset:3;       size:1; signed:0;
        field:int common_pid;                           offset:4;       size:4; signed:1;
        field:void * skbaddr;                           offset:8;       size:8; signed:0;

print fmt: "skbaddr=%p", REC->skbaddr

以下代码显示合理的，非零的输出：

struct __attribute__((__packed__)) consume_skb_args {
        unsigned short common_type;
        unsigned char common_flags;
        unsigned char common_preempt_count;
        int common_pid;
        void *skbaddr;
};

SEC("tracepoint/skb/consume_skb")
int tp_consume_skb(struct consume_skb_args *ctx)
{
        char devname[IFNAMSIZ];

        struct sk_buff *skb = (struct sk_buff *) ctx->skbaddr;
        struct net_device *dev;
        unsigned int data_len;

        bpf_probe_read(&dev, sizeof(dev), &(skb->dev));
        bpf_probe_read(devname, IFNAMSIZ, &(dev->name));
        bpf_probe_read(&data_len, sizeof(data_len), &(skb->data_len));

        bpf_printk("skbaddr=%p dev=%s datalen=%d\n", skb, devname, data_len);

        return 0;
}

ouput：

<idle>-0       [004] ..s. 20482442.519133: 0: skbaddr=00000000d60bcc39 dev=enp2s0 datalen=1232
<idle>-0       [004] ..s. 20482442.519183: 0: skbaddr=000000004be4ad2d dev=enp2s0 datalen=64
<idle>-0       [004] ..s. 20482442.534944: 0: skbaddr=000000005dbe2a3e dev=enp2s0 datalen=64
<idle>-0       [004] .Ns. 20482442.535075: 0: skbaddr=0000000068722cfa dev=enp2s0 datalen=496

I think, you are using the wrong argument format for the consume_skb tracepoint. Instead of using a single sk_buff argument, try the format as reported here:

$ cat /sys/kernel/debug/tracing/events/skb/consume_skb/format
name: consume_skb
ID: 1425
format:
        field:unsigned short common_type;               offset:0;       size:2; signed:0;
        field:unsigned char common_flags;               offset:2;       size:1; signed:0;
        field:unsigned char common_preempt_count;       offset:3;       size:1; signed:0;
        field:int common_pid;                           offset:4;       size:4; signed:1;
        field:void * skbaddr;                           offset:8;       size:8; signed:0;

print fmt: "skbaddr=%p", REC->skbaddr

The following code shows reasonable, non-zero output for me:

struct __attribute__((__packed__)) consume_skb_args {
        unsigned short common_type;
        unsigned char common_flags;
        unsigned char common_preempt_count;
        int common_pid;
        void *skbaddr;
};

SEC("tracepoint/skb/consume_skb")
int tp_consume_skb(struct consume_skb_args *ctx)
{
        char devname[IFNAMSIZ];

        struct sk_buff *skb = (struct sk_buff *) ctx->skbaddr;
        struct net_device *dev;
        unsigned int data_len;

        bpf_probe_read(&dev, sizeof(dev), &(skb->dev));
        bpf_probe_read(devname, IFNAMSIZ, &(dev->name));
        bpf_probe_read(&data_len, sizeof(data_len), &(skb->data_len));

        bpf_printk("skbaddr=%p dev=%s datalen=%d\n", skb, devname, data_len);

        return 0;
}

Ouput:

<idle>-0       [004] ..s. 20482442.519133: 0: skbaddr=00000000d60bcc39 dev=enp2s0 datalen=1232
<idle>-0       [004] ..s. 20482442.519183: 0: skbaddr=000000004be4ad2d dev=enp2s0 datalen=64
<idle>-0       [004] ..s. 20482442.534944: 0: skbaddr=000000005dbe2a3e dev=enp2s0 datalen=64
<idle>-0       [004] .Ns. 20482442.535075: 0: skbaddr=0000000068722cfa dev=enp2s0 datalen=496

回复收藏 0 原文

像你 2025-02-18 14:29:55

我不确定为什么，但是我尝试了多种方法来访问skb无用的数据。

“解决方法”是使用kprobe，因为至少运输标头变得可以阅读：

SEC("kprobe/consume_skb")
int BPF_KPROBE(consume_skb, struct sk_buff *skb)
{
    char *head;
    __u16 mh, eth_proto;
    __u8 m0, m1, m2, m3, m4, m5;

    bpf_probe_read(&head, sizeof(skb->head), &(skb->head));
    bpf_probe_read(&mh, sizeof(__u16), &(skb->mac_header));

    char *eth_head = head + mh;

    bpf_probe_read(ð_proto, sizeof(u16), ð_head[12]);
    bpf_probe_read(&m0, sizeof(__u8), ð_head[6]);
    bpf_probe_read(&m1, sizeof(__u8), ð_head[7]);
    bpf_probe_read(&m2, sizeof(__u8), ð_head[8]);
    bpf_probe_read(&m3, sizeof(__u8), ð_head[9]);
    bpf_probe_read(&m4, sizeof(__u8), ð_head[10]);
    bpf_probe_read(&m5, sizeof(__u8), ð_head[11]);

    //eth_proto contains the ethernet protocol field
    //m0 to m5 contain the source MAC-address

    return 0;
}

I am not sure why, but I have tried multiple ways to access the data in skb to no avail.

A "workaround" is to use a kprobe, as then at least the transport header becomes readable as such:

SEC("kprobe/consume_skb")
int BPF_KPROBE(consume_skb, struct sk_buff *skb)
{
    char *head;
    __u16 mh, eth_proto;
    __u8 m0, m1, m2, m3, m4, m5;

    bpf_probe_read(&head, sizeof(skb->head), &(skb->head));
    bpf_probe_read(&mh, sizeof(__u16), &(skb->mac_header));

    char *eth_head = head + mh;

    bpf_probe_read(ð_proto, sizeof(u16), ð_head[12]);
    bpf_probe_read(&m0, sizeof(__u8), ð_head[6]);
    bpf_probe_read(&m1, sizeof(__u8), ð_head[7]);
    bpf_probe_read(&m2, sizeof(__u8), ð_head[8]);
    bpf_probe_read(&m3, sizeof(__u8), ð_head[9]);
    bpf_probe_read(&m4, sizeof(__u8), ð_head[10]);
    bpf_probe_read(&m5, sizeof(__u8), ð_head[11]);

    //eth_proto contains the ethernet protocol field
    //m0 to m5 contain the source MAC-address

    return 0;
}

回复收藏 0 原文

~没有更多了~