bpftool v7.4

Breaking change

• Kernel configuration options related to bpfilter (namely: CONFIG_BPFILTER and CONFIG_BPFILTER_UMH) are no longer checked with bpftool feature probe, following bpfilter's removal in recent kernels. (e725e62)

New features

The information displayed for BPF links (bpftool link list) keeps getting enriched:

• Display uprobe_multi links. (dd0b761)
• Display cookie for perf event link probes. (25df69b)
• Display cookie for kprobe_multi links. (4263cc0)

Other features:

• Generate shadow variables for struct_ops maps in program skeletons. Shadow types allow skeleton users to easily access the fields of struct_ops maps at runtime. An example program using shadow types is also added to the bpftool-gen manual page. (fc0ad76, 579d6b0)

• Mark orphaned programs as such when listing programs. Orphaned programs are programs removed in IRQ context, on their way to be unloaded from kernel memory, but possibly passing through audit hooks. Such programs would only be listed on recent kernels. (5b0a3a4)

• Recognize arena map types (a09e203) and global variables (73a2c7e), and support the addr_space_cast instruction in the disassembler for translated programs, used for working with arena maps (c305ebf).

Bug fixes

• In the mirror repository, fix the detection of clang-bpf-co-re (for skeletons support) for some clang versions. (515739f)
• Displaying PIDs for processes holding references to BPF links when listing links with bpftool link list on older kernels broke in v7.3.0, because the internal program pid_iter would fail to load. Fix the program to ensure that pid_iter loads and PIDs are displayed. (3214350)
• When loading the internal pid_iter program for displaying PIDs of processes holding file descriptors to BPF programs, we would suppress the logs from libbpf. Display them when running bpftool in debug mode (--debug). (0cb4aaf)

Other internal changes

• Silence build warning from calloc() appearing with recent versions of GCC (supporting -Wcalloc-transposed-args). (c4cc180)
• Use POSIX's version of basename() for more portability. (6e0d7d0)
• Improve bpftool's bootstrap build by skipping compilation for some unnecessary object files (3dc1ac6) and passing more relevant values in HOST_CFLAGS and HOST_LDFLAGS (c1adf4a). This also results in more accurate results when listing features with bpftool version for the boostrap bpftool binary.

Known bugs

• Command bpftool cgroup tree may be broken when running with kernels under v6.1. (#41)
• When loading multiple programs with bpftool prog loadall and passing a directory name for pinning them that is not located under an existing bpffs, bpftool attempts to mount a new bpffs on the parent of the directory rather than on the directory itself, possibly leading to a portion of the file arborescence to be unexpectedly hidden by the mount. (#100)

Full Changelog: v7.3.0...v7.4.0

bpftool v7.3

We now have a logo for bpftool!

Deprecation

• Keyword dev for specifying an interface name to use for program and map offload with bpftool prog load ... dev <ifname> and bpftool map create ... dev <ifname> is deprecated. Use offload_dev instead. (3270b21)
• When loading programs, the type can be inferred from the ELF section name containing the data. Libbpf v1.3.0, used in this release, considers the following SEC definitions legacy: SEC("tc"), SEC("action"), SEC("classifier"). Refer to the libbpf release notes for details.

New features

Libbpf v1.3.0 supports the following ELF section definitions for loading programs (refer to the libbpf release notes for details):

• SEC("netfilter")
• SEC("tc/egress")
• SEC("tc/ingress")
• SEC("tcx/egress")
• SEC("tcx/ingress")
• SEC("uprobe.multi")
• SEC("uprobe.multi.s")
• SEC("uretprobe.multi")
• SEC("uretprobe.multi.s")
• SEC("cgroup/connect_unix")
• SEC("cgroup/sendmsg_unix")
• SEC("cgroup/recvmsg_unix")
• SEC("cgroup/getpeername_unix")
• SEC("cgroup/getsockname_unix")

The objective for the dev keyword deprecation is to avoid confusion with a new interface-related keyword:

• Support passing an interface name with xdpmeta_dev <ifname> for resolving XDP hints kfuncs when loading programs with bpftool prog load. (3270b21)

The information displayed for BPF links (bpftool link list) has been enriched:

• Show map IDs along with struct_ops links. (d89768b)
• Show target_obj_id and target_btf_id along with tracing links information. (57fc1ef)
• Show details for multi-kprobes links. (b65dc7b)
• Show details for perf event links. (bd2f4d6, 7561b06)
• Show details for netfilter links. (103f441)
• Show details (interface, attach types) for tcx links. (b76b36e)
• Show details (interface) for XDP links. (9f6d353)
• Show details (interface, attach types) for netkit links. (0fcd8de)
• Show the count of missed kprobes for multi-kprobes links and perf event links. (aa4f5fb, 58046e2)

Several new networking program types also get their information displayed with bpftool net list:

• Print information on netfilter programs. (103f441)
• Print information on tcx programs. (4294230)
• Print information on netkit programs. (d712a3e)

Other features:

• Support the new cgroup UNIX socket attach points for attaching programs with bpftool prog attach. These attach points are: connect_unix, sendmsg_unix, recvmsg_unix, getpeername_unix, getsockname_unix. (087d22a)
• For struct_ops, support registering structs in the .struct_ops.link ELF section (in addition to .struct_ops), and also create a link for structs in that section. Accept an optional directory path when registering struct_ops (bpftool struct_ops register OBJ [LINK_DIR]), to indicate where to pin such links. (9d58b65, 6b24c3e)
• Dump inner map IDs instead of raw values when dumping maps of maps with bpftool map dump. (e552682)
• Display kernel module name when relevant for symbols printed as part of a program dump (bpftool prog dump xlated). (eb8a15a)
• Support LLVM's v4 instructions in the disassembler. (ad25b69)

Bug fixes

• Fix the long-standing bug (#17) what would prevent from building bpftool with features requiring the use of “skeletons” (feature-clang-bpf-co-re compilation option) with kernels older than 5.15 or without CONFIG_PERF_EVENTS set. (1f5829e, 0773871, fc96090, b00d0c5)
• On aarch64, when probing features (bpftool feature probe), fix the value of the global memory limit for JIT compiler for unprivileged users, which was previously reported as a negative value (expecting an int instead of a long). (b2489e0)
• When passing a directory to pin programs to bpftool prog loadall, avoid re-mounting accidentally the bpffs to the parent of that directory. (fb96eed)
• Fix a warning (-Wcast-qual) that might appear when compiling skeletons generated with bpftool gen. (24f4661)
• When generating skeletons, align on a 8-byte boundary the data retrieved from ELF files to avoid potential alignment issues and errors from libbpf. (e8b7df5, f12f538)
• When printing pointers in JSON, for example as part of a struct_ops dump with bpftool -j struct_ops dump, enquote the pointer address (or (nil) value) to avoid breaking JSON. (5978b98)
• Fix JSON for struct_ops dumps from an ID with bpftool -j struct_ops dump id <id> by wrapping the information for the structs in an array. (b9530de)
• Fix a subcommand name (prog instead of program) in bpftool.8 manual page. (fa46ebb)
• Fix the interactive help message for bpftool perf. (dc53c79)

Known bugs

• Command bpftool cgroup tree may be broken when running with kernels under v6.1 (#41).

Full Changelog: v7.2.0...v7.3.0

bpftool v7.2

Breaking change

• When trying to dump the control flow graph (CFG) for a BPF program (bpftool prog dump xlated <program> visual), return an error if the user passed one of the --json or --pretty options, instead of simply ignoring the option.

New features

• Support printing the C source code (inline annotations), if available, in the CFGs for programs. Also support line numbers and opcodes in the CFGs with the linum and opcodes keywords, just like for regular program dumps.
• In the Makefile's feature detection for the mirror repository, output the name, results, and stderr when probing features with V=1.

Bug fixes

• Fix linkage with statically built LLVM libraries for the disassembler for JIT-compiled BPF programs. Some flags and libraries were missing.
• With bpftool prog profile, profile online CPUs instead of “possible” CPUs, given that some of the latter may not be online and hence not available for profiling.
• In BPF-related feature probing, avoid marking kernel config option as not set if the kernel configuration file is not found.
• In the Makefile, add missing quotes to libbpf bootstrap submake variables, to fix use cases where $(HOSTCC) is set to /usr/bin/ccache /usr/bin/gcc, for example.
• Fix a bug in the JSON writer, which would produce an escaped line break instead of escaped backslash for a \ character.
• Fix another bug in the JSON writer, about an invalid JSON escape for \'.
• Fix bug for long instructions (such as loading a 64-bit long immediate into a register) not displayed properly in program CFG dumps.
• Fix documentation about line information display for program dumps: the document hinted that displaying the source line could be turn off, and that the file name would be printed “on top of” the source line, but these indications were not accurate.
• Ignore $(CFLAGS), use $(EXTRA_CFLAGS) in the Makefile's feature detection framework, thus mirroring the behavior of the kernel version. On top of that, fix feature detection for static builds.
• Fix the feature detection system to account for $(FEATURE_TESTS) defined in the main Makefile.

Other internal changes

• Add static build instructions for bpftool in the README.md of the mirror repository.
• Use bpf_{btf,link,map,prog}_get_info_by_fd() (wrappers around bpf_obj_get_info_by_fd()), to improve type safety in the code, and to help with the Memory Sanitizer.
• Always disable stack protection for building BPF programs used by bpftool. If present, as is the default on Gentoo for example, stack protection for the clang toolchain would produce errors when trying to compile the relevant object files, but stack protection is not relevant in the case of BPF programs and it is safe to turn it off.

CI

• Add a release workflow to build and ship static binaries for amd64 and arm64 (and SHA256 sums) on releases (the workflow creates a draft release when tags are pushed, and attaches the assets). Also use this workflow to ship a tarball containing all sources required to compile (bpftool, plus libbpf submodule). Add a script to update GitHub labels for some of these release assets.
• Add a workflow for static builds with both LLVM and libbfd disassemblers. The early version for the LLVM disassembler would include compiling the LLVM libraries and take around 80 minutes to complete, but later we switched to downloading libraries compatible with static linking from LLVM's CI, cutting down the duration for the workflow to about 2 minutes.
• Remove deprecated Ubuntu 18.04 GitHub runner from the CI in the matrix for the build workflow.
• In workflow definitions, add concurrency groups to cancel outdated runs.
• Add path filters to workflow definitions, to avoid running all workflows if some are not relevant for a given Pull Request.
• Add a CI workflow to make sure GitHub mirror commits have valid prefixes (mirror: or sync: or ci: only, so we can easily distinguish them from the commits coming from the kernel repository).
• Switch to the Hadolint linter for checking the Dockerfile, and improve the related workflow.

Known bugs

• Some features requiring the use of “skeletons” (feature-clang-bpf-co-re compilation option) require kernel 5.15 or more recent, with CONFIG_PERF_EVENTS set, to compile bpftool (#17).
• Command bpftool cgroup tree may be broken when running with kernels under v6.1 (#41).

Full Changelog: v7.1.0...v7.2.0

bpftool v7.2.0-snapshot.0

This is a snapshot release, before we reach v7.2.0.

This snapshot was created to validate the release workflow introduced in recent Pull Requests (#84, #85), and to publish statically-compiled binaries for users to pick up.

Changelog: v7.1.0...v7.2.0-snapshot.0

bpftool v7.1

New features

• Add support for disassembling JIT-compiled programs with the LLVM library (instead of libbfd), and switch to LLVM by default. Disassembling with libbfd is still supported as a fallback if the LLVM library is not present when building bpftool. This is to help with packaging, and in response to several API changes from libbfd that we've had to handle.
• Add an autoattach feature to bpftool prog (load|loadall), to tell bpftool to attach as BPF links some tracing programs immediately after loading them, using the information found in the ELF object file, provided this information is sufficient.
• Add support for cgroup local storage, and user ring buffer maps.
• Show parameters of BPF task iterators (tid, pid) when listing them.
• Support dumping more information for cgroup iterator links, such as the cgroup ID and the order for walking the cgroup hierarchy.
• Add boostrap feature to version output, to tell if the bpftool binary is a “bootstrap” version (limited in features, used as an intermediary build step for compiling BPF skeletons used by bpftool) or not.
• Set binary name in interactive help output to bpftool instead of argv[0], for more consistency accross installations (and with other tools like iproute2).
• Add a Dockerfile to the current repository to easily run bpftool from a Docker image.

Bug fixes

• When displaying a cgroup tree, with some programs from a sub-cgroup overriding those of a parent cgroup, remove attach flags for those effective sub-cgroup programs, given that these flags do not make sense in that case (they only do for the programs attached to the parent cgroup) .
• Fix a null pointer dereferencing when attempting to pin a BPF object without providing a file name.
• Fix a wrong type cast in the code in charge of dumping BTF objects.
• Fix some error messages that would produce unknown errors, when we do in fact know the nature of the error.
• Fix a typo in an error message of the disassembler for JIT-compiled programs.
• Fix display of libbfd-related features as detected by the Makefiles of the mirror repository, at build time.

Other internal changes

• Turn asserts in the disassembler for JIT-compiled programs into error handling, for consistency with the rest of the code.
• Enable verbose builds in CI.
• Add CI linters for the synchronisation script and the Dockerfile, clean up issues reported by the linters.
• Add a README.md file under scripts/ to explain how sync-kernel.sh works.

Known bugs

• Some features requiring the use of “skeletons” (feature-clang-bpf-co-re compilation option) require kernel 5.15 or more recent, with CONFIG_PERF_EVENTS set, to compile bpftool (#17).
• Command bpftool cgroup tree may be broken when running with kernels under v6.1 (#41).

Full Changelog: v7.0.0...v7.1.0.

bpftool v7.0

Note

Bpftool's version number is aligned on libbpf's version number (with an offset). The change of major version number for the current release reflects libbpf's bump (v1.0.0), but is not necessarily synonym of breaking changes in bpftool - although we do have one in this release.

Breaking change

• Given that bpftool now relies on libbpf to provide the string names for various BPF objects, the names of cgroup attach types as displayed with bpftool cgroup show may have changed. The former names were defined in bpftool here, now they come from libbpf, here.

New features

• Implement bpftool cgroup tree for BPF_LSM_CGROUP
• Use strings provided by libbpf for program types, map types, attach types, link types, instead of redefining them in bpftool, including for parsing these types from the command line
• Add bpftool feature list_builtins to list program, map, attach, or link types known to libbpf (but independent from what the system supports), to allow iterating on these types in scripts, and use this in bash completion
• Support passing longer strings for referencing programs by name on the command line, now that the kernel can use longer names with BTF
• Add support for BTF_KIND_ENUM64 in BTF
• Add support for BTF_KIND_RESTRICT for bpftool gen min_core_btf
• Support BPF_CORE_TYPE_MATCHES relocations, for bpftool gen min_core_btf
• Indicate that a pinned object is a BPF link (when relevant) instead of “unknown” when passing a pinned path to an incorrect object type on the command line

Bug fixes

• Fix compilation with libbfd 2.39 and newer, following a change of interface of the function used to initialise the context for the disassembler and which needs an additional printer for styled output
• Fix feature-libbfd-liberty-z detection in the mirror's Makefile
• Fix bootstrap for cross-compilation, by passing down the host ar to libbpf's Makefile
• Clean errno at the beginning of the program execution to clean up after the checks performed by libcap < 2.63 and avoid breaking the batch mode
• Check for NULL pointer in codegen_asserts() to avoid a NULL pointer dereference on skeleton generation
• Revert the switch to libbpf's API to lift the memlock rlimit restriction, as detection for cgroup-based memory accounting would fail in some corner cases, and implement instead a more thorough probe in bpftool to check whether we need to lift the rlimit
• Do not return value from void function in skeleton, which would produce a warning

Other internal changes

• Remove zlib feature test from Makefile
• Do not print the result of the disassembler-four-args feature test when building bpftool
• Replace the use of multiple sizeof() by ARRAY_SIZE() on the array of metrics in prog.c
• Remove outdated attach_type_name forward declaration in main.h
• Fix a typo in a comment, which would reference the wrong library (libpcap/libcap)
• CI: Build on several runners (Ubuntu 18.04, 20.04, 22.04)
• README.md: Fix a broken link

Known bugs

• Some features requiring the use of “skeletons” (feature-clang-bpf-co-re compilation option) require kernel 5.15 or more recent, with CONFIG_PERF_EVENTS set, to compile bpftool (#17).
• Map dumps with BTF information may print erroneous values for bool fields inside of a struct (#38).

Full Changelog: v6.8.0...v7.0.0

bpftool v6.8

New features

• Implement bpftool gen min_core_btf to generate the minimal BTF file necessary to load a program
• Add C++-specific skeleton wrappers
• Restore support for probing BPF features on hardware (such as Netronome SmartNICs)
• Add bpf_cookie to bpftool link output
• Add support for generating sub-skeletons for “incomplete” BPF object files
• Defaults to sysfs vmlinux when dumping BTF objects and no base BTF was specified
• Extend skeletons for LSM programs to create links
• Add name for trace_kprobe_multi attach type
• Add name for syscall program types
• Add names for xdp, perf_event, kprobe_multi link types
• Add distinction, for feature probes, between reversible or permanent disabling of bpf() syscall for unprivileged users
• Handle better the probing of BPF helpers for programs types that are not available
• Assert type sizes in BPF skeletons
• Expand autogeneration warnings in skeletons by mentioning bpftool

Bug fixes

• Fix error when looking up for keys in map with no associated BTF information
• Fix pretty-print dump for maps with no associated BTF information
• Fix formatting of bytes_memlock for JSON map listing
• Show process PIDs for BPF maps even if there is no associated BTF id or the map is frozen
• Add the description of missing commands in the top-level bpftool.8 man page
• Handle libbpf_probe_prog_type() and libbpf_probe_bpf_helper() errors correctly in feature probing

Other internal changes

• Switch to libbpf's API to lift the rlimit restriction, on legacy systems without memcg-based memory accounting for BPF
• Replace the use of libc's reallocarray() with the implementation from libbpf
• Remove redundant slashes in Makefile

Known bugs

• Some features requiring the use of “skeletons” (feature-clang-bpf-co-re compilation option) require kernel 5.15 or more recent, with CONFIG_PERF_EVENTS set, to compile bpftool (#17).

Full Changelog: v6.7.0...v6.8.0

bpftool v6.7

First tagged release in the mirror repository.

The history for the sources of bpftool so far can be found in Linux kernel's Git history.