Search code examples
clinuxlinux-kernelebpfbpf

In "xdp ebpf SEC("tracepoint/xdp/xdp_devmap_xmit")" what is xdp_devmap_xmit -- is this trace means trap handler code start for some kernel function


I have ebpf xdp program with a function with elf section

  SEC("tracepoint/xdp/xdp_devmap_xmit")
  1. I like to know in above is this a hook for which kernel function
  2. and what is tracepoint/xdp/xdp_devmap_xmit

So the questions are

does this above SEC elf section makes my ebpf program an XDP program?

so if its true then inside tracepoint/ in tracepoint/xdp/xdp_devmap_xmit what are the other options are available. I can see xdp is obviously available inside tracepoint/ as tracepoint/[xdp]/xdp_dexmap_xmit is obviously available and there are samples programs out there and | can anyone please explain a bit on this what else options in tracepoint/ are availble? and can I make custom tracepoint for my some function in kernel


Solution

  • What does the section name refer to?

    and what is tracepoint/xdp/xdp_devmap_xmit

    tracepoint/xdp/xdp_devmap_xmit is the name of the ELF section for this BPF program. The loader (here libbpf) will use this section name to know which BPF program type it is, and in this case, where to attach it.

    The section name for BPF programs of type tracepoint takes the format:

    tracepoint/<category>/<name>
    

    name is the name of the tracepoint itself. Tracepoints are organized in categories. You can list all tracepoint for a category with perf list '<category>:*'. For example, for XDP:

    $ sudo ./perf list 'xdp:*'
    
    List of pre-defined events (to be used in -e):
    
      xdp:mem_connect                                    [Tracepoint event]
      xdp:mem_disconnect                                 [Tracepoint event]
      xdp:mem_return_failed                              [Tracepoint event]
      xdp:xdp_bulk_tx                                    [Tracepoint event]
      xdp:xdp_cpumap_enqueue                             [Tracepoint event]
      xdp:xdp_cpumap_kthread                             [Tracepoint event]
      xdp:xdp_devmap_xmit                                [Tracepoint event]
      xdp:xdp_exception                                  [Tracepoint event]
      xdp:xdp_redirect                                   [Tracepoint event]
      xdp:xdp_redirect_err                               [Tracepoint event]
      xdp:xdp_redirect_map                               [Tracepoint event]
      xdp:xdp_redirect_map_err                           [Tracepoint event]
    

    What is this tracepoint?

    I like to know in above is this a hook for which kernel function

    You can get information on that tracepoint as follows:

    $ cat /sys/kernel/debug/tracing/events/xdp/xdp_devmap_xmit/format 
    name: xdp_devmap_xmit
    ID: 467
    format:
        field:unsigned short common_type;   offset:0;   size:2; signed:0;
        field:unsigned char common_flags;   offset:2;   size:1; signed:0;
        field:unsigned char common_preempt_count;   offset:3;   size:1; signed:0;
        field:int common_pid;   offset:4;   size:4; signed:1;
    
        field:int map_id;   offset:8;   size:4; signed:1;
        field:u32 act;  offset:12;  size:4; signed:0;
        field:u32 map_index;    offset:16;  size:4; signed:0;
        field:int drops;    offset:20;  size:4; signed:1;
        field:int sent; offset:24;  size:4; signed:1;
        field:int from_ifindex; offset:28;  size:4; signed:1;
        field:int to_ifindex;   offset:32;  size:4; signed:1;
        field:int err;  offset:36;  size:4; signed:1;
    
    print fmt: "ndo_xdp_xmit map_id=%d map_index=%d action=%s sent=%d drops=%d from_ifindex=%d to_ifindex=%d err=%d", REC->map_id, REC->map_index, __print_symbolic(REC->act, { 0, "ABORTED" }, { 1, "DROP" }, { 2, "PASS" }, { 3, "TX" }, { 4, "REDIRECT" }, { -1, ((void *)0) }), REC->sent, REC->drops, REC->from_ifindex, REC->to_ifindex, REC->err
    

    This particular tracepoint will trace executions of function ndo_xdp_xmit.

    What's the link to XDP?

    does this above SEC elf section makes my ebpf program an XDP program?

    No, this section name makes your BPF program a tracepoint program. It's a tracepoint program that will trace the execution of the receive hook for XDP.

    How can I trace kernel functions?

    can I make custom tracepoint for my some function in kernel

    Tracepoints are only defined for specific points in the kernel (such as the XDP receive hook above). To be able to trace most kernel functions, you might want to use kprobes BPF programs.