Prototype for creating Linux kernel eBPF applications using C#.
While the Linux kernel's eBPF virtual machine does not natively support the MSIL bytecode generated by the C# compiler, we can transpile the MSIL bytecode into C and then use native toolchains to compile that C into a valid Linux eBPF application that runs inside the kernel.
This project provides a .NET API for common eBPF functions. C# applications written against these APIs can use the .NET-to-C transpiler to convert them into C code. Once in C, native Linux eBPF compilers can be used to generate the resulting eBPF application.
Since Linux eBPF programs do not allow dynamic memory allocations, reference types cannot be used when writing eBPF programs in C#. Therefore, any custom types you wish to utilize must be structs instead of classes.
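An added example, not code from this project: a reflection check that reports the first reference-type field found in a type at any depth, which is the property the constraint above requires of custom types. The type names (`Endpoint`, `ConnEvent`, `BadEvent`, `HeapEvent`) and the `EbpfTypeCheck` helper are hypothetical and do not use the DotnetEbpf.Core API.

```csharp
#nullable enable
using System;
using System.Reflection;

// Constructed sample types (hypothetical, not taken from the project).
public struct Endpoint { public uint Addr; public ushort Port; }

public struct ConnEvent            // value types only, including the nested struct
{
    public int Pid;
    public ulong TimestampNs;
    public Endpoint Source;
}

public struct BadEvent             // a struct, but it carries a reference
{
    public int Pid;
    public byte[] Payload;         // arrays are reference types in .NET
}

public class HeapEvent { public int Pid; }   // a class is a reference type

public static class EbpfTypeCheck
{
    private const BindingFlags Flags =
        BindingFlags.Instance | BindingFlags.Public | BindingFlags.NonPublic;

    // Returns the path of the first reference-typed member, or null if the
    // type is a struct built only from value types.
    public static string? FindReference(Type type, string path)
    {
        if (type.IsPointer) return null;                 // unmanaged pointer, not a heap reference
        if (!type.IsValueType) return $"{path} ({type.Name})";
        if (type.IsPrimitive || type.IsEnum) return null;
        foreach (FieldInfo field in type.GetFields(Flags))
        {
            string? hit = FindReference(field.FieldType, path + "." + field.Name);
            if (hit != null) return hit;
        }
        return null;
    }

    public static void Main()
    {
        foreach (Type t in new[] { typeof(ConnEvent), typeof(BadEvent), typeof(HeapEvent) })
            Console.WriteLine($"{t.Name}: {FindReference(t, t.Name) ?? "no reference types"}");
    }
}
```

Running a check like this over custom types before transpiling catches the less obvious case where a struct is declared correctly but one of its fields is a string, array or class.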
After cloning the repository, it is important to do a git submodule update --recursive --init to ensure all dependencies have been downloaded from their respective repositories.
The DotnetEbpf.Core C# Project contains the common APIs which allow access to eBPF functions.
A few examples from the libbpf-bootstrap repository have been ported over:
The minimal example is the smallest practical eBPF application.
It demonstrates how to attach a tracepoint handler, using the printk() function to log values, and read values passed in from the user space application.
The user space application which installs the eBPF application into the kernel is built from the minimal.c source file.
To build and run the example:
cd examples
make minimal
sudo ./minimal
# In another shell
sudo cat /sys/kernel/debug/tracing/trace_pipe
The uprobe example shows how to attach uprobe and uretprobe traces to log arguments provided when a user space application calls specific functions, as well as to log what values are returned from those function calls.
The user space application which installs the eBPF application into the kernel is built from the uprobe.c source file.
To build and run the example:
cd examples
make uprobe
sudo ./uprobe
# In another shell
sudo cat /sys/kernel/debug/tracing/trace_pipe
The profile example shows how to implement a basic profiler. It attaches to perf events and periodically samples these events on each processor. It uses the Rust blazesym library to show addresses, symbols, file names, and line numbers of stack traces.
The user space application which installs the eBPF application into the kernel is built from the profile.c source file.
To build and run the example:
cd examples
make profile
sudo ./profile