pwru icon indicating copy to clipboard operation
pwru copied to clipboard
verified publisher icon cilium

Add --filter-trace-only-bpf

Open sachintiptur opened this issue 1 year ago • 5 comments

Add --filter-trace-only-bpf flag to trace only TC and XDP programs. Fixes [#394 ]

sachintiptur avatar Dec 16 '24 14:12 sachintiptur

I don't think this achieved the goal. Running pwru --filter-trace-only-bpf 'dst host 1.1.1.1' built from this PR also outputs tracing results from normal skb functions. Unless I misunderstand the original issue #394, the expected behavior is to attach bpf programs only, rather than normal skb funcitons.

Ah ok, sorry I think I misunderstood the issue, will re-look.

sachintiptur avatar Dec 18 '24 10:12 sachintiptur

From what I understood is that --filter-trace-xdp and --filter-trace-tc are tracing only respective bpf progs and hence i made the changes to enable both flags when --filter-trace-only-bpf is set . @brb @jschwinger233 can you let me know if my understanding is correct?

sachintiptur avatar Dec 18 '24 13:12 sachintiptur

@sachintiptur By default, pwru traces events from skb functions, such as ip_rcv. When setting --filter-trace-xdp, pwru also traces events from xdp bpf prog; when settings --filter-trace-tc, pwru also traces events from tc bpf prog.

Your PR that enables both flags makes pwru trace events from 1)skb functions + 2)xdp bpf + 3)tc bpf. The --filter-trace-only-bpf is supposed to trace 2)xdp bpf + 3)tc bpf only.

jschwinger233 avatar Dec 19 '24 07:12 jschwinger233

Thanks much for the explanation. So along with the PR changes, I added the below code and tested locally, no skb funcs are traced and also I don't see any bpf funcs too because I dont have any bpf programs to test. I hope this is expected.

if flags.FilterTraceOnlyBpf {
+               for i := 1; i <= 5; i++ {
+                       delete(bpfSpec.Programs, fmt.Sprintf("kprobe_skb_%d", i))
+                       delete(bpfSpec.Programs, fmt.Sprintf("kprobe_multi_skb_%d", i))
+               }
+               delete(bpfSpec.Programs, "kprobe_skb_by_stackid")
+       }

sachintiptur avatar Dec 20 '24 13:12 sachintiptur

Thanks much for the explanation. So along with the PR changes, I added the below code and tested locally, no skb funcs are traced and also I don't see any bpf funcs too because I dont have any bpf programs to test. I hope this is expected.

if flags.FilterTraceOnlyBpf {
+               for i := 1; i <= 5; i++ {
+                       delete(bpfSpec.Programs, fmt.Sprintf("kprobe_skb_%d", i))
+                       delete(bpfSpec.Programs, fmt.Sprintf("kprobe_multi_skb_%d", i))
+               }
+               delete(bpfSpec.Programs, "kprobe_skb_by_stackid")
+       }

Can someone review the PR for the changes?

sachintiptur avatar Feb 10 '25 13:02 sachintiptur