Tracing Network Packets in the Linux Kernel using eBPF
https://doi.org/10.15514/ISPRAS-2020-32(3)-6
Abstract
During the development and maintenance of complex network infrastructure for a large project, developers face many problems. Although plenty of tools and software exist to help troubleshoot such problems, their functionality is limited by the API that the Linux kernel provides. Usually, they are narrowly targeted at solving one problem and cannot show a system-wide view of the network stack, which could be helpful in finding the source of a malfunction. This situation could change with the appearance of a new type of tool powered by the Linux kernel's eBPF technology, which provides a flexible and powerful way to run userspace code inside the kernel. In this paper, an approach to tracing the path of network packets in the Linux kernel using eBPF is described.
About the Author
Mark Germanovitch KOVALEV
Russian Federation
Student of the Department of System Programming, Faculty of Mathematics and Mechanics
For citations:
KOVALEV M.G. Tracing Network Packets in the Linux Kernel using eBPF. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2020;32(3):71-77. https://doi.org/10.15514/ISPRAS-2020-32(3)-6