Skip to content

Switch host isolation eBPF probes to use skeleton headers#233

Merged
stanek-michal merged 3 commits intomainfrom
pr11704-modern-skeleton-ebpf
Mar 12, 2026
Merged

Switch host isolation eBPF probes to use skeleton headers#233
stanek-michal merged 3 commits intomainfrom
pr11704-modern-skeleton-ebpf

Conversation

@stanek-michal
Copy link
Copy Markdown
Contributor

@stanek-michal stanek-michal commented Mar 10, 2026

Two main changes:

  1. Switch to skeleton headers to be the same as our Events probes
    upside: no need to ship per-arch.o objects, no need to rely on fixed path with the objects
  2. change TCA_BPF_NAME for TcFilter so it can be easily identified when enumerating tc probes on the host

@stanek-michal
Migrate to using skeleton headers for TcFilter and KprobeConnectHook
55b951c 
Skeleton headers are already used by other non-HostIsolation related
probes. Migrate the two host isolation probes so that we do not have to
ship eBPF binaries separately and rely on the binaries being at a fixed
path.

Note that the eBPF maps used by the probes are still pinned at our bpf
sysfs path.

Another change in this patch is adding a prefix "el-endpo_" to
TCA_BPF_NAME of the tc filter. This will help us identify our own tc
filter on the system without having to store state (after restart, etc).
@stanek-michal
Parameterize TcLoaderDemo interface
62528f4 
Require the network interface name to be provided on the command line
@stanek-michal stanek-michal requested a review from a team as a code owner March 10, 2026 11:49
nicholasberlin
nicholasberlin reviewed Mar 10, 2026
View reviewed changes
nicholasberlin
nicholasberlin approved these changes Mar 10, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@nicholasberlin nicholasberlin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, there are formatting issues though.

Here's what my bot thinks. None of the suggested changes look necessary to me, as it suggests.

PR Review: #233 — Switch host isolation eBPF probes to use skeleton headers

Author: stanek-michal
Branch: pr11704-modern-skeleton-ebpf -> main
Commits: 2 | Files changed: 7 | +108 -120
URL: #233

Summary

This PR migrates the Host Isolation eBPF probes (KprobeConnectHook and TcFilter) from runtime .o file loading to compile-time skeleton headers, aligning them with the Events probes. It also parameterizes the TcLoaderDemo interface name (previously hardcoded to ens33) and changes the TCA_BPF_NAME to a structured format (el-endpo_<name>:[<id>]) for easier identification when enumerating tc probes. The changes are clean and well-structured.

Findings

Significant

  1. Skeleton retry loop does not reset ctx between attempts (KprobeConnectHookDemo.c)

    In main(), the retry loop calls try_load_ebpf_kprobe(load_method, &ctx) repeatedly. On failure, try_load_ebpf_kprobe destroys the local skeleton and does not write to *ctx_out, so ctx in main stays at its initialized NULL — this is correct. However, the pattern is subtle and relies on an implicit contract that the function never modifies *ctx_out on failure. A defensive *ctx_out = NULL on the error path inside try_load_ebpf_kprobe would make this contract explicit and guard against future regressions.

  2. bpf_obj_get_info_by_fd sets rv = 0 on success path, masking intent (TcLoader.c:489)

    After rv = bpf_obj_get_info_by_fd(fd, &info, &info_len), rv is 0 on success. This is fine functionally, but later at line 518 rv = 0 is set again redundantly. The dual assignment isn't a bug, but it makes the success flow slightly harder to follow — the original pattern of initializing rv = -1 and only setting rv = 0 at the single exit point was cleaner. Consider assigning the bpf_obj_get_info_by_fd result to a separate variable (or just checking < 0 with an inline expression) to preserve the single-exit-point rv = 0 pattern used elsewhere in this file.

Minor

  1. TCA_BPF_NAME buffer sizing is safe but tight for future changes (TcLoader.c:498)

    The format "el-endpo_%s:[%u]" with info.name (max 15 chars from BPF_OBJ_NAME_LEN) and info.id (max ~10 digits) fits comfortably in the 128-byte buffer (~38 bytes worst case). The truncation check is correctly in place. No action needed — just noting this is well-handled.

  2. Docs update correctly reflects the new CLI (hostisolation.md)

    The documentation now shows <iface> as a required argument and updates the unload command accordingly. Looks good.

Verdict

APPROVE — The migration to skeleton headers is straightforward, the removed ebpf_open_object_file and ebpf_load_and_attach_kprobe helpers are cleanly replaced by skeleton APIs, and the TcLoaderDemo interface parameterization is a nice usability improvement. The findings above are minor polish suggestions, not blockers.

@stanek-michal stanek-michal mentioned this pull request Mar 12, 2026
Closed
@stanek-michal stanek-michal merged commit 38d1327 into main Mar 12, 2026
26 checks passed
@stanek-michal stanek-michal deleted the pr11704-modern-skeleton-ebpf branch March 12, 2026 18:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nicholasberlin nicholasberlin nicholasberlin approved these changes

@nfritts nfritts nfritts approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@stanek-michal @nicholasberlin @nfritts