ebpf

package
v0.0.0-...-c73473a Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 10, 2026 License: Apache-2.0 Imports: 25 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	DirectionRequest  = "request"
	DirectionResponse = "response"
)
View Source 
const (
	// DirectionUnset is a convenience value to specify an unset/removed direction field
	DirectionUnset = 0xFF
	// DirectionIngress and DirectionEgress values according to field 61 in https://www.iana.org/assignments/ipfix/ipfix.xhtml
	DirectionIngress = 0
	DirectionEgress  = 1

	// InitiatorSrc and InitiatorDst values set accordingly to flows_common.h definition
	InitiatorSrc = 1
	InitiatorDst = 2

	InterfaceUnset = 0xFFFFFFFF
)

Variables

This section is empty.

Functions

func LoadNet 

func LoadNet() (*ebpf.CollectionSpec, error)

LoadNet returns the embedded CollectionSpec for Net.

func LoadNetObjects 

func LoadNetObjects(obj interface{}, opts *ebpf.CollectionOptions) error

LoadNetObjects loads Net and converts it into a struct.

The following types are suitable as obj argument: 

*NetObjects
*NetPrograms
*NetMaps

See ebpf.CollectionSpec.LoadAndAssign documentation for details.

func LoadNetSk 

func LoadNetSk() (*ebpf.CollectionSpec, error)

LoadNetSk returns the embedded CollectionSpec for NetSk.

func LoadNetSkObjects 

func LoadNetSkObjects(obj interface{}, opts *ebpf.CollectionOptions) error

LoadNetSkObjects loads NetSk and converts it into a struct.

The following types are suitable as obj argument: 

*NetSkObjects
*NetSkPrograms
*NetSkMaps

See ebpf.CollectionSpec.LoadAndAssign documentation for details.

func RecordGetters 

func RecordGetters(name attr.Name) (attributes.Getter[*Record, attribute.KeyValue], bool)

RecordGetters returns the attributes.Getter function that returns the string value of a given attribute name.

func RecordStringGetters 

func RecordStringGetters(name attr.Name) (attributes.Getter[*Record, string], bool)

Types

type FlowFetcher 

type FlowFetcher struct {
	// contains filtered or unexported fields
}

FlowFetcher reads and forwards the Flows from the Traffic Control hooks in the eBPF kernel space. It provides access both to flows that are aggregated in the kernel space (via PerfCPU hashmap) and to flows that are forwarded by the kernel via ringbuffer because could not be aggregated in the map

func NewFlowFetcher 

func NewFlowFetcher(
	sampling, cacheMaxSize int,
	ingress, egress bool,
	ifaceManager *tcmanager.InterfaceManager,
	tcBackend config.TCBackend,
) (*FlowFetcher, error)

func (*FlowFetcher) Close 

func (m *FlowFetcher) Close() error

Close the eBPF fetcher from the system. We don't need an "Close(iface)" method because the filters and qdiscs are automatically removed when the interface is down

func (*FlowFetcher) LookupAndDeleteMap 

func (m *FlowFetcher) LookupAndDeleteMap() map[NetFlowId][]NetFlowMetrics

LookupAndDeleteMap reads all the entries from the eBPF map and removes them from it. It returns a map where the key For synchronization purposes, we get/delete a whole snapshot of the flows map. This way we avoid missing packets that could be updated on the ebpf side while we process/aggregate them here Changing this method invocation by BatchLookupAndDelete could improve performance TODO: detect whether BatchLookupAndDelete is supported (Kernel>=5.6) and use it selectively Supported Lookup/Delete operations by kernel: https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md Race conditions here causes that some flows are lost in high-load scenarios

func (*FlowFetcher) ReadRingBuf 

func (m *FlowFetcher) ReadRingBuf() (ringbuf.Record, error)

type IPAddr 

type IPAddr [net.IPv6len]uint8

IPAddr encodes v4 and v6 IPs with a fixed length. IPv4 addresses are encoded as IPv6 addresses with prefix ::ffff/96 as described in https://datatracker.ietf.org/doc/html/rfc4038#section-4.2 (same behavior as Go's net.IP type)

func (*IPAddr) IP 

func (ia *IPAddr) IP() net.IP

IP returns the net.IP equivalent object

func (*IPAddr) IntEncodeV4 

func (ia *IPAddr) IntEncodeV4() uint32

IntEncodeV4 encodes an IPv4 address as an integer (in network encoding, big endian). It assumes that the passed IP is already IPv4. Otherwise it would just encode the last 4 bytes of an IPv6 address

func (*IPAddr) MarshalJSON 

func (ia *IPAddr) MarshalJSON() ([]byte, error)

type NetConnInitiatorKey 

type NetConnInitiatorKey struct {
	LowIp struct {
		In6U struct {
			U6Addr8 [16]uint8
			// contains filtered or unexported fields
		}
		// contains filtered or unexported fields
	}
	HighIp struct {
		In6U struct {
			U6Addr8 [16]uint8
			// contains filtered or unexported fields
		}
		// contains filtered or unexported fields
	}
	LowIpPort  uint16
	HighIpPort uint16
	// contains filtered or unexported fields
}

type NetFlowId 

type NetFlowId NetFlowIdT

func (*NetFlowId) DstIP 

func (fi *NetFlowId) DstIP() *IPAddr

DstIP is never null. Returned as pointer for efficiency.

func (*NetFlowId) SrcIP 

func (fi *NetFlowId) SrcIP() *IPAddr

SrcIP is never null. Returned as pointer for efficiency.

type NetFlowIdT 

type NetFlowIdT struct {
	SrcIp struct {
		In6U struct {
			U6Addr8 [16]uint8
			// contains filtered or unexported fields
		}
		// contains filtered or unexported fields
	}
	DstIp struct {
		In6U struct {
			U6Addr8 [16]uint8
			// contains filtered or unexported fields
		}
		// contains filtered or unexported fields
	}
	IfIndex           uint32
	EthProtocol       uint16
	SrcPort           uint16
	DstPort           uint16
	TransportProtocol uint8
	Pad               [1]uint8
	// contains filtered or unexported fields
}

type NetFlowMetrics 

type NetFlowMetrics NetFlowMetricsT

func (*NetFlowMetrics) Accumulate 

func (fm *NetFlowMetrics) Accumulate(src *NetFlowMetrics)

type NetFlowMetricsT 

type NetFlowMetricsT struct {
	Bytes           uint64
	StartMonoTimeNs uint64
	EndMonoTimeNs   uint64
	Packets         uint32
	Flags           uint16
	IfaceDirection  uint8
	Initiator       uint8
	Errno           uint8
	Pad             [7]uint8
	// contains filtered or unexported fields
}

type NetFlowRecordT 

type NetFlowRecordT struct {
	Metrics NetFlowMetrics
	Id      NetFlowId
	Pad     [4]uint8
	// contains filtered or unexported fields
}

func ReadFrom 

func ReadFrom(reader io.Reader) (NetFlowRecordT, error)

ReadFrom reads a Record from a binary source, in LittleEndian order

type NetMapSpecs 

type NetMapSpecs struct {
	AggregatedFlows *ebpf.MapSpec `ebpf:"aggregated_flows"`
	ConnInitiators  *ebpf.MapSpec `ebpf:"conn_initiators"`
	DebugEvents     *ebpf.MapSpec `ebpf:"debug_events"`
	DirectFlows     *ebpf.MapSpec `ebpf:"direct_flows"`
	FlowDirections  *ebpf.MapSpec `ebpf:"flow_directions"`
}

NetMapSpecs contains maps before they are loaded into the kernel.

It can be passed ebpf.CollectionSpec.Assign.

type NetMaps 

type NetMaps struct {
	AggregatedFlows *ebpf.Map `ebpf:"aggregated_flows"`
	ConnInitiators  *ebpf.Map `ebpf:"conn_initiators"`
	DebugEvents     *ebpf.Map `ebpf:"debug_events"`
	DirectFlows     *ebpf.Map `ebpf:"direct_flows"`
	FlowDirections  *ebpf.Map `ebpf:"flow_directions"`
}

NetMaps contains all maps after they have been loaded into the kernel.

It can be passed to LoadNetObjects or ebpf.CollectionSpec.LoadAndAssign.

func (*NetMaps) Close 

func (m *NetMaps) Close() error

type NetObjects 

type NetObjects struct {
	NetPrograms
	NetMaps
	NetVariables
}

NetObjects contains all objects after they have been loaded into the kernel.

It can be passed to LoadNetObjects or ebpf.CollectionSpec.LoadAndAssign.

func (*NetObjects) Close 

func (o *NetObjects) Close() error

type NetProgramSpecs 

type NetProgramSpecs struct {
	ObiEgressFlowParse  *ebpf.ProgramSpec `ebpf:"obi_egress_flow_parse"`
	ObiIngressFlowParse *ebpf.ProgramSpec `ebpf:"obi_ingress_flow_parse"`
}

NetProgramSpecs contains programs before they are loaded into the kernel.

It can be passed ebpf.CollectionSpec.Assign.

type NetPrograms 

type NetPrograms struct {
	ObiEgressFlowParse  *ebpf.Program `ebpf:"obi_egress_flow_parse"`
	ObiIngressFlowParse *ebpf.Program `ebpf:"obi_ingress_flow_parse"`
}

NetPrograms contains all programs after they have been loaded into the kernel.

It can be passed to LoadNetObjects or ebpf.CollectionSpec.LoadAndAssign.

func (*NetPrograms) Close 

func (p *NetPrograms) Close() error

type NetSkConnInitiatorKey 

type NetSkConnInitiatorKey struct {
	LowIp struct {
		In6U struct {
			U6Addr8 [16]uint8
			// contains filtered or unexported fields
		}
		// contains filtered or unexported fields
	}
	HighIp struct {
		In6U struct {
			U6Addr8 [16]uint8
			// contains filtered or unexported fields
		}
		// contains filtered or unexported fields
	}
	LowIpPort  uint16
	HighIpPort uint16
	// contains filtered or unexported fields
}

type NetSkFlowId 

type NetSkFlowId NetSkFlowIdT

type NetSkFlowIdT 

type NetSkFlowIdT struct {
	SrcIp struct {
		In6U struct {
			U6Addr8 [16]uint8
			// contains filtered or unexported fields
		}
		// contains filtered or unexported fields
	}
	DstIp struct {
		In6U struct {
			U6Addr8 [16]uint8
			// contains filtered or unexported fields
		}
		// contains filtered or unexported fields
	}
	IfIndex           uint32
	EthProtocol       uint16
	SrcPort           uint16
	DstPort           uint16
	TransportProtocol uint8
	Pad               [1]uint8
	// contains filtered or unexported fields
}

type NetSkFlowMetrics 

type NetSkFlowMetrics NetSkFlowMetricsT

type NetSkFlowMetricsT 

type NetSkFlowMetricsT struct {
	Bytes           uint64
	StartMonoTimeNs uint64
	EndMonoTimeNs   uint64
	Packets         uint32
	Flags           uint16
	IfaceDirection  uint8
	Initiator       uint8
	Errno           uint8
	Pad             [7]uint8
	// contains filtered or unexported fields
}

type NetSkFlowRecordT 

type NetSkFlowRecordT struct {
	Metrics NetSkFlowMetrics
	Id      NetSkFlowId
	Pad     [4]uint8
	// contains filtered or unexported fields
}

type NetSkMapSpecs 

type NetSkMapSpecs struct {
	AggregatedFlows *ebpf.MapSpec `ebpf:"aggregated_flows"`
	ConnInitiators  *ebpf.MapSpec `ebpf:"conn_initiators"`
	DebugEvents     *ebpf.MapSpec `ebpf:"debug_events"`
	DirectFlows     *ebpf.MapSpec `ebpf:"direct_flows"`
	FlowDirections  *ebpf.MapSpec `ebpf:"flow_directions"`
}

NetSkMapSpecs contains maps before they are loaded into the kernel.

It can be passed ebpf.CollectionSpec.Assign.

type NetSkMaps 

type NetSkMaps struct {
	AggregatedFlows *ebpf.Map `ebpf:"aggregated_flows"`
	ConnInitiators  *ebpf.Map `ebpf:"conn_initiators"`
	DebugEvents     *ebpf.Map `ebpf:"debug_events"`
	DirectFlows     *ebpf.Map `ebpf:"direct_flows"`
	FlowDirections  *ebpf.Map `ebpf:"flow_directions"`
}

NetSkMaps contains all maps after they have been loaded into the kernel.

It can be passed to LoadNetSkObjects or ebpf.CollectionSpec.LoadAndAssign.

func (*NetSkMaps) Close 

func (m *NetSkMaps) Close() error

type NetSkObjects 

type NetSkObjects struct {
	NetSkPrograms
	NetSkMaps
	NetSkVariables
}

NetSkObjects contains all objects after they have been loaded into the kernel.

It can be passed to LoadNetSkObjects or ebpf.CollectionSpec.LoadAndAssign.

func (*NetSkObjects) Close 

func (o *NetSkObjects) Close() error

type NetSkProgramSpecs 

type NetSkProgramSpecs struct {
	ObiSocketFilter *ebpf.ProgramSpec `ebpf:"obi_socket__filter"`
}

NetSkProgramSpecs contains programs before they are loaded into the kernel.

It can be passed ebpf.CollectionSpec.Assign.

type NetSkPrograms 

type NetSkPrograms struct {
	ObiSocketFilter *ebpf.Program `ebpf:"obi_socket__filter"`
}

NetSkPrograms contains all programs after they have been loaded into the kernel.

It can be passed to LoadNetSkObjects or ebpf.CollectionSpec.LoadAndAssign.

func (*NetSkPrograms) Close 

func (p *NetSkPrograms) Close() error

type NetSkSpecs 

type NetSkSpecs struct {
	NetSkProgramSpecs
	NetSkMapSpecs
	NetSkVariableSpecs
}

NetSkSpecs contains maps and programs before they are loaded into the kernel.

It can be passed ebpf.CollectionSpec.Assign.

type NetSkVariableSpecs 

type NetSkVariableSpecs struct {
	G_bpfDebug              *ebpf.VariableSpec `ebpf:"g_bpf_debug"`
	G_bpfHeaderPropagation  *ebpf.VariableSpec `ebpf:"g_bpf_header_propagation"`
	G_bpfTraceparentEnabled *ebpf.VariableSpec `ebpf:"g_bpf_traceparent_enabled"`
	Ip4in6                  *ebpf.VariableSpec `ebpf:"ip4in6"`
	Sampling                *ebpf.VariableSpec `ebpf:"sampling"`
	TraceMessages           *ebpf.VariableSpec `ebpf:"trace_messages"`
	UnusedFlowId            *ebpf.VariableSpec `ebpf:"unused_flow_id"`
	UnusedFlowMetrics       *ebpf.VariableSpec `ebpf:"unused_flow_metrics"`
	UnusedFlowRecord        *ebpf.VariableSpec `ebpf:"unused_flow_record"`
}

NetSkVariableSpecs contains global variables before they are loaded into the kernel.

It can be passed ebpf.CollectionSpec.Assign.

type NetSkVariables 

type NetSkVariables struct {
	G_bpfDebug              *ebpf.Variable `ebpf:"g_bpf_debug"`
	G_bpfHeaderPropagation  *ebpf.Variable `ebpf:"g_bpf_header_propagation"`
	G_bpfTraceparentEnabled *ebpf.Variable `ebpf:"g_bpf_traceparent_enabled"`
	Ip4in6                  *ebpf.Variable `ebpf:"ip4in6"`
	Sampling                *ebpf.Variable `ebpf:"sampling"`
	TraceMessages           *ebpf.Variable `ebpf:"trace_messages"`
	UnusedFlowId            *ebpf.Variable `ebpf:"unused_flow_id"`
	UnusedFlowMetrics       *ebpf.Variable `ebpf:"unused_flow_metrics"`
	UnusedFlowRecord        *ebpf.Variable `ebpf:"unused_flow_record"`
}

NetSkVariables contains all global variables after they have been loaded into the kernel.

It can be passed to LoadNetSkObjects or ebpf.CollectionSpec.LoadAndAssign.

type NetSpecs 

type NetSpecs struct {
	NetProgramSpecs
	NetMapSpecs
	NetVariableSpecs
}

NetSpecs contains maps and programs before they are loaded into the kernel.

It can be passed ebpf.CollectionSpec.Assign.

type NetVariableSpecs 

type NetVariableSpecs struct {
	G_bpfDebug              *ebpf.VariableSpec `ebpf:"g_bpf_debug"`
	G_bpfHeaderPropagation  *ebpf.VariableSpec `ebpf:"g_bpf_header_propagation"`
	G_bpfTraceparentEnabled *ebpf.VariableSpec `ebpf:"g_bpf_traceparent_enabled"`
	Ip4in6                  *ebpf.VariableSpec `ebpf:"ip4in6"`
	Sampling                *ebpf.VariableSpec `ebpf:"sampling"`
	TraceMessages           *ebpf.VariableSpec `ebpf:"trace_messages"`
	UnusedFlowId            *ebpf.VariableSpec `ebpf:"unused_flow_id"`
	UnusedFlowMetrics       *ebpf.VariableSpec `ebpf:"unused_flow_metrics"`
	UnusedFlowRecord        *ebpf.VariableSpec `ebpf:"unused_flow_record"`
}

NetVariableSpecs contains global variables before they are loaded into the kernel.

It can be passed ebpf.CollectionSpec.Assign.

type NetVariables 

type NetVariables struct {
	G_bpfDebug              *ebpf.Variable `ebpf:"g_bpf_debug"`
	G_bpfHeaderPropagation  *ebpf.Variable `ebpf:"g_bpf_header_propagation"`
	G_bpfTraceparentEnabled *ebpf.Variable `ebpf:"g_bpf_traceparent_enabled"`
	Ip4in6                  *ebpf.Variable `ebpf:"ip4in6"`
	Sampling                *ebpf.Variable `ebpf:"sampling"`
	TraceMessages           *ebpf.Variable `ebpf:"trace_messages"`
	UnusedFlowId            *ebpf.Variable `ebpf:"unused_flow_id"`
	UnusedFlowMetrics       *ebpf.Variable `ebpf:"unused_flow_metrics"`
	UnusedFlowRecord        *ebpf.Variable `ebpf:"unused_flow_record"`
}

NetVariables contains all global variables after they have been loaded into the kernel.

It can be passed to LoadNetObjects or ebpf.CollectionSpec.LoadAndAssign.

type Record 

type Record struct {
	NetFlowRecordT

	// Attrs of the flow record: source/destination, Interface, Beyla IP, etc...
	Attrs RecordAttrs
}

Record contains accumulated metrics from a flow, with extra metadata that is added from the user space REMINDER: any attribute here must be also added to the functions RecordGetters and getDefinitions in pkg/internal/export/metric/definitions.go

func NewRecord 

func NewRecord(
	key NetFlowId,
	metrics NetFlowMetrics,
) *Record

type RecordAttrs 

type RecordAttrs struct {
	// SrcName and DstName might be set from several sources along the processing/decoration pipeline:
	// - K8s entity
	// - Host name
	// - IP
	SrcName string
	DstName string

	// SrcZone and DstZone represent the Cloud availability zones of the source and destination
	SrcZone string
	DstZone string

	Interface string
	// OBIIP provides information about the source of the flow (the Agent that traced it)
	OBIIP    string
	Metadata map[attr.Name]string
}

type SockFlowFetcher 

type SockFlowFetcher struct {
	// contains filtered or unexported fields
}

SockFlowFetcher reads and forwards the Flows from the eBPF kernel space with a socket filter implementation. It provides access both to flows that are aggregated in the kernel space (via PerfCPU hashmap) and to flows that are forwarded by the kernel via ringbuffer because could not be aggregated in the map

func NewSockFlowFetcher 

func NewSockFlowFetcher(
	sampling, cacheMaxSize int,
) (*SockFlowFetcher, error)

func (*SockFlowFetcher) Close 

func (m *SockFlowFetcher) Close() error

Close any resources that are taken up by the socket filter, the filter itself and some maps.

func (*SockFlowFetcher) LookupAndDeleteMap 

func (m *SockFlowFetcher) LookupAndDeleteMap() map[NetFlowId][]NetFlowMetrics

LookupAndDeleteMap reads all the entries from the eBPF map and removes them from it. It returns a map where the key For synchronization purposes, we get/delete a whole snapshot of the flows map. This way we avoid missing packets that could be updated on the ebpf side while we process/aggregate them here Changing this method invocation by BatchLookupAndDelete could improve performance TODO: detect whether BatchLookupAndDelete is supported (Kernel>=5.6) and use it selectively Supported Lookup/Delete operations by kernel: https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md Race conditions here causes that some flows are lost in high-load scenarios

func (*SockFlowFetcher) ReadRingBuf 

func (m *SockFlowFetcher) ReadRingBuf() (ringbuf.Record, error)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.