search

microsoft / ebpf-for-windows

eBPF implementation that runs on top of Windows
MIT License
2.85k stars 217 forks source link

ioctl: allow common operations without allocations #3726

Open lmb opened 1 month ago

lmb commented 1 month ago

Describe the feature you'd like supported

Operations like looking up a map value via EBPF_OPERATION_MAP_FIND_ELEMENT are currently forced to allocate a buffer because of the way that the request structure is defined:

https://github.com/microsoft/ebpf-for-windows/blob/2448139787f618901fa64b614d30a27aabb06cae/libs/execution_context/ebpf_protocol.h#L145-L151

The key is appended to the request buffer. This means that the caller has to allocate memory and perform copying. This is especially bad for batch operations where the amount if memory to be allocated and copied is larger:

https://github.com/microsoft/ebpf-for-windows/blob/2448139787f618901fa64b614d30a27aabb06cae/libs/execution_context/ebpf_protocol.h#L481-L489

It would be nice if common performance critical map operations could be implemented without allocations.

Proposed solution

This could be achieved by making map keys and values pointers, like it is done for struct bpf_prog_info:

https://github.com/microsoft/ebpf-for-windows/blob/2448139787f618901fa64b614d30a27aabb06cae/include/ebpf_structs.h#L397

Additional context

No response

jrfastab commented 1 month ago

I'll take a look at performance here once we get Tetragon up and running so we cant est.