Mark

Reputation: 6464

eBPF: default bpf programs/maps?

I'm facing a strange behaviour of bpf with the latest net-next kernel. With all the BPF kernel options enabled (including CONFIG_BPF_JIT_ALWAYS_ON) and without any bpf programs loaded, bpftool reports the following:

# ./bpftool prog show
2: cgroup_skb  tag 7be49e3934a125ba
        loaded_at Feb 05/10:17  uid 0
        xlated 296B  jited 229B  memlock 4096B  map_ids 2,3
3: cgroup_skb  tag 2a142ef67aaad174
        loaded_at Feb 05/10:17  uid 0
        xlated 296B  jited 229B  memlock 4096B  map_ids 2,3
4: cgroup_skb  tag 7be49e3934a125ba
        loaded_at Feb 05/10:17  uid 0
        xlated 296B  jited 229B  memlock 4096B  map_ids 4,5
5: cgroup_skb  tag 2a142ef67aaad174
        loaded_at Feb 05/10:17  uid 0
        xlated 296B  jited 229B  memlock 4096B  map_ids 4,5
6: cgroup_skb  tag 7be49e3934a125ba
        loaded_at Feb 05/10:17  uid 0
        xlated 296B  jited 229B  memlock 4096B  map_ids 6,7
7: cgroup_skb  tag 2a142ef67aaad174
        loaded_at Feb 05/10:17  uid 0
        xlated 296B  jited 229B  memlock 4096B  map_ids 6,7
#
# ./bpftool map show
2: lpm_trie  flags 0x1
        key 8B  value 8B  max_entries 1  memlock 4096B
3: lpm_trie  flags 0x1
        key 20B  value 8B  max_entries 1  memlock 4096B
4: lpm_trie  flags 0x1
        key 8B  value 8B  max_entries 1  memlock 4096B
5: lpm_trie  flags 0x1
        key 20B  value 8B  max_entries 1  memlock 4096B
6: lpm_trie  flags 0x1
        key 8B  value 8B  max_entries 1  memlock 4096B
7: lpm_trie  flags 0x1
        key 20B  value 8B  max_entries 1  memlock 4096B
#

This is what the program contains:

# ./bpftool prog dump xlated id 2
   0: (bf) r6 = r1
   1: (69) r7 = *(u16 *)(r6 +192)
   2: (b4) (u32) r8 = (u32) 0
   3: (55) if r7 != 0x8 goto pc+14
   4: (bf) r1 = r6
   5: (b4) (u32) r2 = (u32) 16
   6: (bf) r3 = r10
   7: (07) r3 += -4
   8: (b4) (u32) r4 = (u32) 4
   9: (85) call bpf_skb_load_bytes#6169312
  10: (18) r1 = map[id:2]
  12: (bf) r2 = r10
  13: (07) r2 += -8
  14: (62) *(u32 *)(r2 +0) = 32
  15: (85) call bpf_map_lookup_elem#73712
  16: (15) if r0 == 0x0 goto pc+1
  17: (44) (u32) r8 |= (u32) 2
  18: (55) if r7 != 0xdd86 goto pc+14
  19: (bf) r1 = r6
  20: (b4) (u32) r2 = (u32) 24
  21: (bf) r3 = r10
  22: (07) r3 += -16
  23: (b4) (u32) r4 = (u32) 16
  24: (85) call bpf_skb_load_bytes#6169312
  25: (18) r1 = map[id:3]
  27: (bf) r2 = r10
  28: (07) r2 += -20
  29: (62) *(u32 *)(r2 +0) = 128
  30: (85) call bpf_map_lookup_elem#73712
  31: (15) if r0 == 0x0 goto pc+1
  32: (44) (u32) r8 |= (u32) 2
  33: (b7) r0 = 1
  34: (55) if r8 != 0x2 goto pc+1
  35: (b7) r0 = 0
  36: (95) exit
#

The funny thing is that I have not loaded any eBPF program explicitly. I wonder if there's now a default eBPF blob in the kernel that shows up?

This happens right after the machine has booted. The only difference between this system and another (running the same kernel and options, and where I don't see this issue with multiple cgroup_skb programs) is the presence of the /sys/fs/cgroup/unified cgroup2 FS. I don't know if this is related to my issue, but I don't know how to disable /sys/fs/cgroup/unified; un-mounting is not allowed.

Upvotes: 2

Views: 980

Answers (1)

Mark

Reputation: 6464

As Qeole was suspecting, this is coming from systemd; in particular, systemd v235 introduced an IP access control eBPF feature with two config options exposed, IPAddressDeny and IPAddressAllow. (I don't know if it is possible to disable it at compile time.)

Upvotes: 2
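As an added example (not code from the question, the answer or systemd), here is a small Python parser for bpftool's text output that inventories loaded programs and flags cgroup_skb programs with the map layout shown in the question: one lpm_trie keyed by 8 bytes (IPv4 prefix) and one keyed by 20 bytes (IPv6 prefix). The sample input is copied from the question plus one constructed program (id 8) that must not match; the fingerprint is a heuristic inferred from that output, not anything systemd documents.

```python
# Heuristic inventory of bpftool output; the 8B/20B lpm_trie pair is the
# shape seen in the question, assumed here to mark an IP access control filter.
import re

# Constructed sample: the question's output plus one assumed program (id 8)
# that references only a single map and therefore must not be flagged.
PROG_SHOW = """\
2: cgroup_skb  tag 7be49e3934a125ba
        loaded_at Feb 05/10:17  uid 0
        xlated 296B  jited 229B  memlock 4096B  map_ids 2,3
3: cgroup_skb  tag 2a142ef67aaad174
        loaded_at Feb 05/10:17  uid 0
        xlated 296B  jited 229B  memlock 4096B  map_ids 2,3
8: cgroup_skb  tag 0000000000000000
        loaded_at Feb 05/10:20  uid 0
        xlated 64B  jited 48B  memlock 4096B  map_ids 2
"""
MAP_SHOW = """\
2: lpm_trie  flags 0x1
        key 8B  value 8B  max_entries 1  memlock 4096B
3: lpm_trie  flags 0x1
        key 20B  value 8B  max_entries 1  memlock 4096B
"""

def parse_bpftool(text):
    """Turn 'bpftool prog/map show' text into {id: {field: value}}."""
    objs, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\d+): (\S+)", line)  # "id: type" starts an object
        if m:
            cur = objs[int(m.group(1))] = {"type": m.group(2)}
            line = line[m.end():]
        # fields are separated by two or more spaces, so a value with a single
        # space inside it ("loaded_at Feb 05/10:17") survives intact
        for field in re.split(r"\s{2,}", line.strip()):
            if field:
                key, _, value = field.partition(" ")
                cur[key] = value
    return objs

def ip_acl_candidates(prog_text, map_text):
    """Ids of cgroup_skb programs whose two maps are lpm_tries keyed 8B/20B."""
    progs, maps = parse_bpftool(prog_text), parse_bpftool(map_text)
    hits = []
    for pid, prog in progs.items():
        if prog["type"] != "cgroup_skb":
            continue
        ids = [int(i) for i in prog.get("map_ids", "").split(",") if i]
        keys = {maps[i]["key"] for i in ids
                if maps.get(i, {}).get("type") == "lpm_trie"}
        if len(ids) == 2 and keys == {"8B", "20B"}:
            hits.append(pid)
    return hits
```

On a live system the same functions can be fed the output of `bpftool prog show` and `bpftool map show` to list which cgroup_skb programs look like these filters before attributing them to systemd.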
