/plushcap/analysis/cloudflare/epbf_sockets_hop_distance

eBPF, Sockets, Hop Distance and manually writing eBPF assembly

What's this blog post about?

The author was tasked with extracting IP TTL values from TCP connections established by a userspace program to ensure that the connections are routed outside of their datacenter. They initially considered using raw sockets or the IP_RECVTTL socket option, but ultimately decided on attaching an eBPF filtering program to a socket. The BPF map abstraction allowed them to store data and share it with userspace code. By creating an "eBPF map" and writing an eBPF program, they were able to extract the TTL values of passing packets and analyze the recorded values from userspace. They also discussed the calling convention for eBPF programs, accessing packet payloads, a magical Layer 3 offset, and the return value of BPF programs. The author concluded by recommending keeping dependencies small when working with eBPF and noting that there is more to explore beyond network packets and socket programming.

Company
Cloudflare

Date published
March 29, 2018

Author(s)
Marek Majkowski

Word count
2315

Language
English

Hacker News points
8


By Matt Makai. 2021-2024.