bice

package module
v0.1.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 28, 2025 License: Apache-2.0 Imports: 10 Imported by: 0

README

bice

bice is short for Bpf Instructions from simple C Expression.

Go Test CI Go Reference

It is a pure Go library that allows you to compile simple C expressions into BPF instructions directly.

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var ErrNotFound = errors.New("not found")

Functions

func IsMemberBitfield added in v0.1.1 

func IsMemberBitfield(member *btf.Member) bool

IsMemberBitfield reports whether the member is a bitfield attribute.

func SimpleCompile 

func SimpleCompile(expr string, typ btf.Type) (asm.Instructions, error)

SimpleCompile compiles simple C expressions to bpf instructions.

It can not handle complex expressions like function calls, pointer dereferences, or array accesses. Currently, it only supports struct member access and comparison operators.

For examples with ATT-like syntax:

  1. skb->dev->ifindex == 1 movq r1, r3 addq offsetof(skb->dev), r3 movq 8, r2 movq r10, r1 subq 8, r1 callq bpf_probe_read_kernel(r1, 8, r3) movq -8(r10), r3 testq %rdx, %rdx, goto __exit addq offsetof(dev->ifindex), r3 movq 8, r2 movq r10, r1 subq 8, r1 callq bpf_probe_read_kernel(r1, 8, r3) movq -8(r10), r3 movq 1, r0 cmpq 1, r3 je __return __exit: movq 0, r0 __return: retq

  2. skb->users.refs.counter != 0 movq r1, r3 addq offsetof(skb->users), r3 addq offsetof(users.refs), r3 addq offsetof(refs.counter), r3 movq 8, r2 movq r10, r1 subq 8, r1 callq bpf_probe_read_kernel(r1, 8, r3) movq -8(r10), r3 movq 1, r0 cmpq 0, r3 jne __return __exit: movq r4, r0 __return: retq

Only struct/union member access and comparison operators are supported. No function calls, pointer dereferences, array accesses, parentheses, bitwise operators, logical operators, or arithmetic operators are supported.

The left part of the expression must be struct/union member access, and the right part must be a constant number.

The operator must be one of the following: =, ==, !=, <, <=, >, >=. '=' is used for comparison too.

func SimpleInjectFilter 

func SimpleInjectFilter(opts InjectOptions) error

SimpleInjectFilter injects the simply compiled instructions into the given bpf program's stub function.

Types

type AccessOptions added in v0.1.1 

type AccessOptions struct {
	Insns     asm.Instructions
	Expr      string
	Type      btf.Type
	Src       asm.Register
	Dst       asm.Register
	LabelExit string
}

type AccessResult added in v0.1.1 

type AccessResult struct {
	Insns     asm.Instructions
	LastField btf.Type
	LabelUsed bool
}

func Access added in v0.1.1 

func Access(opts AccessOptions) (AccessResult, error)

type InjectOptions 

type InjectOptions struct {
	Prog     *ebpf.ProgramSpec
	StubFunc string
	Expr     string
	Type     btf.Type
}

Source Files

View all Source files

Directories

Path Synopsis
internal
assert
test

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.