sfc-gh-gshe
commented
8 months ago Open sfc-gh-gshe opened 8 months ago
sfc-gh-gshe
commented
8 months ago 
kevsecurity
commented
8 months ago kevsecurity
commented
8 months ago apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: "dev-hard-start-xmit"
spec:
kprobes:
- call: "dev_hard_start_xmit"
syscall: false
args:
- index: 1
type: "net_device"
selectors:
- matchArgs:
- index: 1
operator: Equal
values:
- "lo"or if you do want to use a tracepoint, then you could use a tracepoint policy like this instead (based on a recent addition, again use latest CI image):
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: "net-dev-start-xmit"
spec:
tracepoints:
- subsystem: "net"
event: "net_dev_start_xmit"
args:
- index: 4
type: "data_loc"
- index: 6
type: "skb"
selectors:
- matchArgs:
- index: 4
operator: Equal
values:
- "lo"
Is there an existing issue for this?
Is your feature request related to a problem?
Yes.
I was wondering is there any ongoing plan to support
struct net_deviceas the available argument selector option? Then I may leverage net_dev_xmit tracepoint to filter the traffic by devices name(net_device->name) at ebpf level.It will kind of achieve the similar capability of what
tcpdump -iprovides.Describe the feature you would like
With such feature, we may further be able to achieve the similar functionality of tcpdump filtering by devices.
Describe your proposed solution
I find that we already have argTypeSkb and argTypeSock for filtering. So I am thinking about if we can add argTypeDev, MsgGenericKprobeDev, MsgGenericKprobeArgDev for
struct net_device.Code of Conduct