Access bpf maps data in batch / copy bpf_map data and clear it in one syscall

[codekaust]

I am developing a network telemetry system in which I need to read all the data from ebpf table, make a copy in userspace and clear the table. Currently, I am doing like:

arr = []
for k in bpf_map:
     arr.append([k,bpf_map[k]])
     del bpf_map[k]

On profiling, I have found that the next() function takes the maximum amount of time for the program., i.e. iterating through keys and values takes the maximum amount of time.

To the best of my knowledge, ebpf and bcc provides methods to only iterate over map and nothing for this purpose.

Is there any way to copy the bpf_map data and then clear it in a whole batch from user space? If not bcc, is it possible if one uses native ebpf?

[willfindlay]

There is a way to do this with the BPF system call. BPF_MAP_LOOKUP_BATCH, BPF_MAP_LOOKUP_AND_DELETE_BATCH, BPF_MAP_UPDATE_BATCH, BPF_MAP_DELETE_BATCH might be supported, depending on your kernel version. I don't think we currently support this in bcc, but adding support wouldn't be too difficult.