netstacklat: Add script to fill in filter maps externally

simosund · simosund · commit 6a63c20ba484 · 2025-07-02T15:18:28.000+02:00
Many of the options to filter for a subset of values (--pids,
--interfaces, and --cgroups) rely on filling BPF maps with the values
to include. When running together with the provided netstacklat user
space process, the user space process handles filling these maps with
the values passed on the command line. However, when using the
netstacklat eBPF programs with some external loader, like the
ebpf-exporter, these maps have to be filled by the user in some other
manner.

To make it easier to use netstacklat with external eBPF loaders,
provide the fill_filter_maps.sh script. Rely on bpftool to fill the
BPF maps (based on the map names as defined in the netstacklat.bpf.c
file). in the script. Make the script support all the current filters
that make use of maps, i.e. PIDs (pid), network interfaces (iface) and
cgroups (cgroup).

The pid option only supports integers. The iface option support either
interface names or their ifindex. The cgroup option accepts either the
cgroup ID (their inode number) or the full path to the cgroup.

Examples:
$ ./fill_filter_maps.sh pid 1234 98765
$ ./fill_filter_maps.sh iface veth0 lo 123
$ ./fill_filter_maps.sh cgroup /sys/fs/cgroup/system.slice/prometheus.service/ 12345

Note that for the values in the filter map to actually be used by the
netstacklat eBPF programs, the corresponding
filter_{pid,ifindex,cgroup} value must be true (by default they're all
false). The netstacklat user space process normally takes care of
enabling these as needed, but if used with an external loader the
easiest way to enable these is probably to just change them in
user_config at the start of netstacklat.bpf.c (and recompile).

Also note that this script can also be used together with the
netstacklat user space loader to add additional values to filter for
after the starting the program. However, the netstacklat user space
loader automatically minimizes the size of the filter maps since
commit "netstacklat: Dynamically configure map sizes". So unless the
initial filter values provided as netstacklat CLI arguments resulted
in sufficiently large filter maps, the fill_filter_maps.sh script may
not be able to successfully add the desired values.

Finally, note that as bpftool expects you to feed it the individual
bytes of the keys, the order of the bytes will be dependant on the
endianess of the machine. Currently only support little-endian
machines, big-endian support can be added later if needed.

Signed-off-by: Simon Sundberg &lt;simon.sundberg@kau.se&gt;
diff --git a/netstacklat/fill_filter_maps.sh b/netstacklat/fill_filter_maps.sh
@@ -0,0 +1,131 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+declare -rA bpf_maps=(
+    [pid]="netstack_pidfil"
+    [iface]="netstack_ifinde"
+    [cgroup]="netstack_cgroup"
+)
+
+declare -rA key_converters=(
+    [pid]=pid_to_bpftool
+    [iface]=iface_to_bpftool
+    [cgroup]=cgroup_to_bpftool
+)
+
+print_usage()
+{
+    echo "usage: $0 TYPE val1 [val2 val3 val4...]"
+    echo "TYPE: { $(echo "${!bpf_maps[@]}" | tr ' ' '\|') }"
+}
+
+pid_to_bpftool()
+{
+    local val="$1"
+
+    uint_to_bpftool_u32 "$val"
+}
+
+# Supports ifname or ifindex
+iface_to_bpftool()
+{
+    local val="$1"
+
+    if ! is_uint "$val"; then
+	val="$(ifname_to_idx "$val")"
+    fi
+
+    uint_to_bpftool_u32 "$val"
+}
+
+# Supports full cgroup path or direct cgroup id (inode)
+cgroup_to_bpftool()
+{
+    local val="$1"
+
+    if ! is_uint "$val"; then
+	val="$(cgroup_path_to_id "$val")"
+    fi
+
+    uint_to_bpftool_u64 "$val"
+}
+
+is_uint()
+{
+    local val="$1"
+
+    [[ "$val" == +([0-9]) ]]
+}
+
+ifname_to_idx()
+{
+    local ifname="$1"
+    local ifindex=0
+
+    ifindex="$(ip address show "$ifname" | grep "[0-9]*: ${ifname}:")"
+    ifindex="${ifindex%%:*}"
+
+    if [[ -z "$ifindex" ]]; then
+	return 1
+    fi
+
+    echo "$ifindex"
+}
+
+cgroup_path_to_id()
+{
+    local cpath="$1"
+
+    stat -L -c '%i' "$(realpath "$cpath")"
+}
+
+# When providing keys/values to bpftool map update, it basically wants one
+# argument for each byte in the key/value. So if you have a u32 key (as in any
+# array map) and you want to update key 1234, then you will have to provide
+# key 0xd2 0x04 0x00 0x00 (1234 in hex split up as the 4 bytes in a u32 in
+# little-endian order). These helpers assume you're on a little endian machine.
+uint_to_bpftool_u32()
+{
+    local val="$1"
+
+    printf "0x%02x 0x%02x 0x%02x 0x%02x\n" \
+	   $((val & 0xff)) $(((val >> 8) & 0xff)) $(((val >> 16) & 0xff)) $(((val >> 24) & 0xff))
+}
+
+uint_to_bpftool_u64()
+{
+    printf "0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x\n" \
+	   $((val & 0xff)) $(((val >> 8) & 0xff)) $(((val >> 16) & 0xff)) $(((val >> 24) & 0xff)) \
+	   $(((val >> 32) & 0xff)) $(((val >> 40) & 0xff)) $(((val >> 48) & 0xff)) $(((val >> 56) & 0xff))
+}
+
+# All the filter maps use a u8 as the value, so just set that single byte to 1
+add_to_filter_map()
+{
+    local map="$1"
+    local key="$2"
+
+    bpftool map update name "$map" key $key value 1
+}
+
+if (( $# < 2 )); then
+    print_usage
+    exit 1
+fi
+
+type=$1
+if [[ -z "${bpf_maps[$type]}" ]]; then
+    echo "Error: unrecognized type $type, must be one of: ${!bpf_maps[*]}"
+    exit 1
+fi
+
+map=${bpf_maps[$type]}
+converter=${key_converters[$type]}
+
+for val in "${@:2}"; do
+    key=$($converter "$val")
+    if ! add_to_filter_map "$map" "$key"; then
+	echo "Error adding $val ($key) to map $map"
+	exit 1
+    fi
+done
