ebpf: new way of compiling the modules

- Don't rename libbpf's bpf_map_def struct, and distribute the needed bpf headers. The bpf_map_def struct has been deprecated for quite some time now, and it was been removed on >= 6.2 anyway. We still need it, because we use gobpf. - Improved compilation behaviour: - We don't require the kernel sources anymore. We can just use the kernel headers from the distribution. - There's no need to copy the sources to the kernel tree, the modules can be compiled from the ebpf_prog/ dir. - Compiling against kernels 6.x seems to solve the problem we had with VPNs, where connections were not intercepted with modules compiled against 5.8, on kernels >= 5.19. The modules has been tested on kernels 4.17, 5.4, 5.10, 5.15, 6.1 and 6.2 (kernel connections included). Closes: #939
2025-03-04 08:34:40 +01:00 · 2023-05-17 01:20:53 +02:00 · 2023-05-17 01:20:53 +02:00 · ba64379348
commit ba64379348
parent 9d353102df
11 changed files with 6030 additions and 211 deletions
--- a/.github/workflows/build_ebpf_modules.yml
+++ b/.github/workflows/build_ebpf_modules.yml
@ -24,11 +24,11 @@ jobs:
  # The matrix configuration will execute the steps, once per dimension defined:
  # kernel 5.8 + tag 1.5.0
  # kernel 5.8 + tag master
-  # kernel 5.19 + tag 1.5.0, etc
+  # kernel 6.0 + tag 1.5.0, etc
  build:  
    strategy:
        matrix:
-          kernel: ["5.8", "5.19"]
+          kernel: ["5.8", "6.0"]
          tag: ["1.5.0", "master"]
    runs-on: ubuntu-20.04
--- a/ebpf_prog/Makefile
+++ b/ebpf_prog/Makefile
@ -1,159 +1,57 @@
-#taken from /samples/bpf/Makefile and removed all targets 
+# OpenSnitch - 2023
-
+#
-# SPDX-License-Identifier: GPL-2.0
+# On Debian based distros we need the following 2 directories.
-
+# Otherwise, just use the kernel headers from the kernel sources.
-BPF_SAMPLES_PATH ?= $(abspath $(srctree)/$(src))
+#
-TOOLS_PATH := $(BPF_SAMPLES_PATH)/../../tools
+KERNEL_DIR ?= /lib/modules/$(shell uname -r)/source
-
+KERNEL_HEADERS ?= /usr/src/linux-headers-$(shell uname -r)/
 # Libbpf dependencies
 LIBBPF = $(TOOLS_PATH)/lib/bpf/libbpf.a
 CGROUP_HELPERS := ../../tools/testing/selftests/bpf/cgroup_helpers.o
 TRACE_HELPERS := ../../tools/testing/selftests/bpf/trace_helpers.o
 always-y += opensnitch.o opensnitch-dns.o opensnitch-procs.o
 ifeq ($(ARCH), arm)
 # Strip all except -D__LINUX_ARM_ARCH__ option needed to handle linux
 # headers when arm instruction set identification is requested.
 ARM_ARCH_SELECTOR := $(filter -D__LINUX_ARM_ARCH__%, $(KBUILD_CFLAGS))
 BPF_EXTRA_CFLAGS := $(ARM_ARCH_SELECTOR)
 TPROGS_CFLAGS += $(ARM_ARCH_SELECTOR)
 endif
 TPROGS_CFLAGS += -Wall -O2
 TPROGS_CFLAGS += -Wmissing-prototypes
 TPROGS_CFLAGS += -Wstrict-prototypes
 TPROGS_CFLAGS += -I$(objtree)/usr/include
 TPROGS_CFLAGS += -I$(srctree)/tools/testing/selftests/bpf/
 TPROGS_CFLAGS += -I$(srctree)/tools/lib/
 TPROGS_CFLAGS += -I$(srctree)/tools/include
 TPROGS_CFLAGS += -I$(srctree)/tools/perf
 TPROGS_CFLAGS += -DHAVE_ATTR_TEST=0
 ifdef SYSROOT
 TPROGS_CFLAGS += --sysroot=$(SYSROOT)
 TPROGS_LDFLAGS := -L$(SYSROOT)/usr/lib
 endif
 TPROGCFLAGS_bpf_load.o += -Wno-unused-variable
 TPROGS_LDLIBS			+= $(LIBBPF) -lelf -lz
 TPROGLDLIBS_tracex4		+= -lrt
 TPROGLDLIBS_trace_output	+= -lrt
 TPROGLDLIBS_map_perf_test	+= -lrt
 TPROGLDLIBS_test_overhead	+= -lrt
 TPROGLDLIBS_xdpsock		+= -pthread
 # Allows pointing LLC/CLANG to a LLVM backend with bpf support, redefine on cmdline:
 #  make M=samples/bpf/ LLC=~/git/llvm/build/bin/llc CLANG=~/git/llvm/build/bin/clang
 LLC ?= llc
 CLANG ?= clang
-LLVM_OBJCOPY ?= llvm-objcopy
+LLC ?= llc
-BTF_PAHOLE ?= pahole
+LLVM_STRIP ?= llvm-strip -g
 ARCH ?= $(shell arch)
-# Detect that we're cross compiling and use the cross compiler
+# as in /usr/src/linux-headers-*/arch/
-ifdef CROSS_COMPILE
+# TODO: extract correctly the archs, and add more if needed.
-CLANG_ARCH_ARGS = --target=$(notdir $(CROSS_COMPILE:%-=%))
+ifeq ($(ARCH),x86_64)
 	ARCH := x86
 else ifeq ($(ARCH),i686)
 	ARCH := x86
 else ifeq ($(ARCH),armv7l)
 	ARCH := arm
 else ifeq ($(ARCH),aarch64)
 	ARCH := arm64
 endif
-# Don't evaluate probes and warnings if we need to run make recursively
+ifeq ($(ARCH),arm)
-ifneq ($(src),)
+	# on previous archs, it fails with "SMP not supported on pre-ARMv6"
-HDR_PROBE := $(shell printf "\#include <linux/types.h>\n struct list_head { int a; }; int main() { return 0; }" | \
+	EXTRA_FLAGS = "-D__LINUX_ARM_ARCH__=7"
 	$(CC) $(TPROGS_CFLAGS) $(TPROGS_LDFLAGS) -x c - \
 	-o /dev/null 2>/dev/null && echo okay)
 ifeq ($(HDR_PROBE),)
 $(warning WARNING: Detected possible issues with include path.)
 $(warning WARNING: Please install kernel headers locally (make headers_install).)
 endif
-BTF_LLC_PROBE := $(shell $(LLC) -march=bpf -mattr=help 2>&1 | grep dwarfris)
+BIN := opensnitch.o opensnitch-procs.o opensnitch-dns.o
-BTF_PAHOLE_PROBE := $(shell $(BTF_PAHOLE) --help 2>&1 | grep BTF)
+CLANG_FLAGS = -I. \
-BTF_OBJCOPY_PROBE := $(shell $(LLVM_OBJCOPY) --help 2>&1 | grep -i 'usage.*llvm')
+	-I$(KERNEL_HEADERS)/arch/x86/include/generated/ \
-BTF_LLVM_PROBE := $(shell echo "int main() { return 0; }" | \
+	-I$(KERNEL_HEADERS)/include \
-			  $(CLANG) -target bpf -O2 -g -c -x c - -o ./llvm_btf_verify.o; \
+	-include $(KERNEL_DIR)/include/linux/kconfig.h \
-			  readelf -S ./llvm_btf_verify.o | grep BTF; \
+	-I$(KERNEL_DIR)/include \
-			  /bin/rm -f ./llvm_btf_verify.o)
+	-I$(KERNEL_DIR)/include/uapi \
 	-I$(KERNEL_DIR)/include/generated/uapi \
 	-I$(KERNEL_DIR)/arch/$(ARCH)/include \
 	-I$(KERNEL_DIR)/arch/$(ARCH)/include/generated \
 	-I$(KERNEL_DIR)/arch/$(ARCH)/include/uapi \
 	-I$(KERNEL_DIR)/arch/$(ARCH)/include/generated/uapi \
 	-I$(KERNEL_DIR)/tools/testing/selftests/bpf/ \
 	-D__KERNEL__ -D__BPF_TRACING__ -Wno-unused-value -Wno-pointer-sign \
 	-D__TARGET_ARCH_$(ARCH) -Wno-compare-distinct-pointer-types \
 	$(EXTRA_FLAGS) \
 	-Wno-gnu-variable-sized-type-not-at-end \
 	-Wno-address-of-packed-member -Wno-tautological-compare \
 	-Wno-unknown-warning-option  \
 	-g -O2 -emit-llvm
-BPF_EXTRA_CFLAGS += -fno-stack-protector
+all: $(BIN)
 ifneq ($(BTF_LLVM_PROBE),)
 	BPF_EXTRA_CFLAGS += -g
 else
 ifneq ($(and $(BTF_LLC_PROBE),$(BTF_PAHOLE_PROBE),$(BTF_OBJCOPY_PROBE)),)
 	BPF_EXTRA_CFLAGS += -g
 	LLC_FLAGS += -mattr=dwarfris
 	DWARF2BTF = y
 endif
 endif
 endif
 # Trick to allow make to be run from this directory
 all:
 	$(MAKE) -C ../../ M=$(CURDIR) BPF_SAMPLES_PATH=$(CURDIR)
 %.o: %.c
 	$(CLANG) $(CLANG_FLAGS) -c $< -o - | \
 		$(LLC) -march=bpf -mcpu=$(CPU) -filetype=obj -o $@
 clean:
-	$(MAKE) -C ../../ M=$(CURDIR) clean
+	rm -f *.o
 	@find $(CURDIR) -type f -name '*~' -delete
 $(LIBBPF): FORCE
 # Fix up variables inherited from Kbuild that tools/ build system won't like
 	$(MAKE) -C $(dir $@) RM='rm -rf' EXTRA_CFLAGS="$(TPROGS_CFLAGS)" \
 		LDFLAGS=$(TPROGS_LDFLAGS) srctree=$(BPF_SAMPLES_PATH)/../../ O=
 $(obj)/syscall_nrs.h:	$(obj)/syscall_nrs.s FORCE
 	$(call filechk,offsets,__SYSCALL_NRS_H__)
 targets += syscall_nrs.s
 clean-files += syscall_nrs.h
 FORCE:
 # Verify LLVM compiler tools are available and bpf target is supported by llc
 .PHONY: verify_cmds verify_target_bpf $(CLANG) $(LLC)
 verify_cmds: $(CLANG) $(LLC)
 	@for TOOL in $^ ; do \
 		if ! (which -- "$${TOOL}" > /dev/null 2>&1); then \
 			echo "*** ERROR: Cannot find LLVM tool $${TOOL}" ;\
 			exit 1; \
 		else true; fi; \
 	done
 verify_target_bpf: verify_cmds
 	@if ! (${LLC} -march=bpf -mattr=help > /dev/null 2>&1); then \
 		echo "*** ERROR: LLVM (${LLC}) does not support 'bpf' target" ;\
 		echo "   NOTICE: LLVM version >= 3.7.1 required" ;\
 		exit 2; \
 	else true; fi
 $(BPF_SAMPLES_PATH)/*.c: verify_target_bpf $(LIBBPF)
 $(src)/*.c: verify_target_bpf $(LIBBPF)
 $(obj)/tracex5_kern.o: $(obj)/syscall_nrs.h
 $(obj)/hbm_out_kern.o: $(src)/hbm.h $(src)/hbm_kern.h
 $(obj)/hbm.o: $(src)/hbm.h
 $(obj)/hbm_edt_kern.o: $(src)/hbm.h $(src)/hbm_kern.h
 -include $(BPF_SAMPLES_PATH)/Makefile.target
 # asm/sysreg.h - inline assembly used by it is incompatible with llvm.
 # But, there is no easy way to fix it, so just exclude it since it is
 # useless for BPF samples.
 $(obj)/%.o: $(src)/%.c
 	@echo "  CLANG-bpf " $@
 	$(Q)$(CLANG) $(NOSTDINC_FLAGS) $(LINUXINCLUDE) $(BPF_EXTRA_CFLAGS) \
 		-I$(obj) -I$(srctree)/tools/testing/selftests/bpf/ \
 		-I$(srctree)/tools/lib/ \
 		-D__KERNEL__ -D__BPF_TRACING__ -Wno-unused-value -Wno-pointer-sign \
 		-D__TARGET_ARCH_$(SRCARCH) -Wno-compare-distinct-pointer-types \
 		-Wno-gnu-variable-sized-type-not-at-end \
 		-Wno-address-of-packed-member -Wno-tautological-compare \
 		-Wno-unknown-warning-option $(CLANG_ARCH_ARGS) \
 		-I$(srctree)/samples/bpf/ -include asm_goto_workaround.h \
 		-O2 -emit-llvm -c $< -o -| $(LLC) -march=bpf $(LLC_FLAGS) -filetype=obj -o $@
 ifeq ($(DWARF2BTF),y)
 	$(BTF_PAHOLE) -J $@
 endif
--- a/ebpf_prog/README
+++ b/ebpf_prog/README
@ -1,4 +1,4 @@
-Compilation requires getting kernel sources.
+Compilation requires getting kernel sources for now.
 There's a helper script to automate this process:
 https://github.com/evilsocket/opensnitch/blob/master/utils/packaging/build_modules.sh
@ -9,24 +9,36 @@ The basic steps to compile the modules are:
  cd opensnitch
  wget https://github.com/torvalds/linux/archive/v5.8.tar.gz
  tar -xf v5.8.tar.gz
-  patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch
+  cp ebpf_prog/opensnitch*.c ebpf_prog/common* ebpf_prog/Makefile linux-5.8/samples/bpf/
-  cp ebpf_prog/opensnitch*.c ebpf_prog/common.h ebpf_prog/Makefile linux-5.8/samples/bpf
+  cp -r ebpf_prog/bpf_headers/ linux-5.8/samples/bpf/
  cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min)
-  cd samples/bpf && make
+  cd samples/bpf && make KERNEL_DIR=../../linux-5.8/
-  objdump -h opensnitch.o #you should see many section, number 1 should be called kprobe/tcp_v4_connect
+  objdump -h opensnitch.o # you should see many sections, number 1 should be called kprobe/tcp_v4_connect
-  llvm-strip -g opensnitch.o #remove debug info
+  llvm-strip -g opensnitch*.o # remove debug info
-  sudo cp opensnitch*.o /etc/opensnitchd/
+  sudo cp opensnitch*.o /usr/lib/opensnitchd/ebpf/ # or /etc/opensnitchd for < v1.6.x
  cd ../../../daemon
-opensnitchd expects to find opensnitch.o in:
+Since v1.6.0, opensnitchd expects to find the opensnitch*.o modules under:
 /usr/local/lib/opensnitchd/ebpf/
 /usr/lib/opensnitchd/ebpf/
- /etc/opensnitchd/ # deprecated
+ /etc/opensnitchd/ # deprecated, only on < v1.5.x
 start opensnitchd with:
  opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf
 ---
 ### Compiling for Fedora (and others rpm based systems)
 You need to install the kernel-devel, clang and llvm packages.
 Then: `cd ebpf_prog/ ; make KERNEL_DIR=/usr/src/kernels/$(uname -r)/`
 (or just pass the kernel version you want)
 ### Notes
 The kernel where you intend to run it must have some options activated:
 $ grep BPF /boot/config-$(uname -r)
@ -42,11 +54,19 @@ For the opensnitch-procs.o module to work, this option must be enabled:
 $ grep FTRACE_SYSCALLS /boot/config-$(uname -r)
  CONFIG_FTRACE_SYSCALLS=y
-Also, in some distributions debugfs is not mounted automatically, so you need
+(https://github.com/iovisor/bcc/blob/master/docs/kernel_config.md)
-to do it manually:
+
 Also, in some distributions debugfs is not mounted automatically.
 Since v1.6.0 we try to mount it automatically. If you're running
 a lower version so you'll need to mount it manually:
 $ sudo mount -t debugfs none /sys/kernel/debug
 In order to make it permanent add it to /etc/fstab:
 debugfs    /sys/kernel/debug      debugfs  defaults  0 0
 opensnitch-procs.o and opensnitch-dns.o are only compatible with kernels >= 5.5,
 bpf_probe_read_user*() were added on that kernel on:
 https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md#helpers
--- a/ebpf_prog/bpf_headers/bpf_core_read.h
+++ b/ebpf_prog/bpf_headers/bpf_core_read.h
@ -0,0 +1,484 @@
 /* SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) */
 #ifndef __BPF_CORE_READ_H__
 #define __BPF_CORE_READ_H__
 /*
 * enum bpf_field_info_kind is passed as a second argument into
 * __builtin_preserve_field_info() built-in to get a specific aspect of
 * a field, captured as a first argument. __builtin_preserve_field_info(field,
 * info_kind) returns __u32 integer and produces BTF field relocation, which
 * is understood and processed by libbpf during BPF object loading. See
 * selftests/bpf for examples.
 */
 enum bpf_field_info_kind {
 	BPF_FIELD_BYTE_OFFSET = 0,	/* field byte offset */
 	BPF_FIELD_BYTE_SIZE = 1,
 	BPF_FIELD_EXISTS = 2,		/* field existence in target kernel */
 	BPF_FIELD_SIGNED = 3,
 	BPF_FIELD_LSHIFT_U64 = 4,
 	BPF_FIELD_RSHIFT_U64 = 5,
 };
 /* second argument to __builtin_btf_type_id() built-in */
 enum bpf_type_id_kind {
 	BPF_TYPE_ID_LOCAL = 0,		/* BTF type ID in local program */
 	BPF_TYPE_ID_TARGET = 1,		/* BTF type ID in target kernel */
 };
 /* second argument to __builtin_preserve_type_info() built-in */
 enum bpf_type_info_kind {
 	BPF_TYPE_EXISTS = 0,		/* type existence in target kernel */
 	BPF_TYPE_SIZE = 1,		/* type size in target kernel */
 	BPF_TYPE_MATCHES = 2,		/* type match in target kernel */
 };
 /* second argument to __builtin_preserve_enum_value() built-in */
 enum bpf_enum_value_kind {
 	BPF_ENUMVAL_EXISTS = 0,		/* enum value existence in kernel */
 	BPF_ENUMVAL_VALUE = 1,		/* enum value value relocation */
 };
 #define __CORE_RELO(src, field, info)					      \
 	__builtin_preserve_field_info((src)->field, BPF_FIELD_##info)
 #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
 #define __CORE_BITFIELD_PROBE_READ(dst, src, fld)			      \
 	bpf_probe_read_kernel(						      \
 			(void *)dst,				      \
 			__CORE_RELO(src, fld, BYTE_SIZE),		      \
 			(const void *)src + __CORE_RELO(src, fld, BYTE_OFFSET))
 #else
 /* semantics of LSHIFT_64 assumes loading values into low-ordered bytes, so
 * for big-endian we need to adjust destination pointer accordingly, based on
 * field byte size
 */
 #define __CORE_BITFIELD_PROBE_READ(dst, src, fld)			      \
 	bpf_probe_read_kernel(						      \
 			(void *)dst + (8 - __CORE_RELO(src, fld, BYTE_SIZE)), \
 			__CORE_RELO(src, fld, BYTE_SIZE),		      \
 			(const void *)src + __CORE_RELO(src, fld, BYTE_OFFSET))
 #endif
 /*
 * Extract bitfield, identified by s->field, and return its value as u64.
 * All this is done in relocatable manner, so bitfield changes such as
 * signedness, bit size, offset changes, this will be handled automatically.
 * This version of macro is using bpf_probe_read_kernel() to read underlying
 * integer storage. Macro functions as an expression and its return type is
 * bpf_probe_read_kernel()'s return value: 0, on success, <0 on error.
 */
 #define BPF_CORE_READ_BITFIELD_PROBED(s, field) ({			      \
 	unsigned long long val = 0;					      \
 									      \
 	__CORE_BITFIELD_PROBE_READ(&val, s, field);			      \
 	val <<= __CORE_RELO(s, field, LSHIFT_U64);			      \
 	if (__CORE_RELO(s, field, SIGNED))				      \
 		val = ((long long)val) >> __CORE_RELO(s, field, RSHIFT_U64);  \
 	else								      \
 		val = val >> __CORE_RELO(s, field, RSHIFT_U64);		      \
 	val;								      \
 })
 /*
 * Extract bitfield, identified by s->field, and return its value as u64.
 * This version of macro is using direct memory reads and should be used from
 * BPF program types that support such functionality (e.g., typed raw
 * tracepoints).
 */
 #define BPF_CORE_READ_BITFIELD(s, field) ({				      \
 	const void *p = (const void *)s + __CORE_RELO(s, field, BYTE_OFFSET); \
 	unsigned long long val;						      \
 									      \
 	/* This is a so-called barrier_var() operation that makes specified   \
 	 * variable "a black box" for optimizing compiler.		      \
 	 * It forces compiler to perform BYTE_OFFSET relocation on p and use  \
 	 * its calculated value in the switch below, instead of applying      \
 	 * the same relocation 4 times for each individual memory load.       \
 	 */								      \
 	asm volatile("" : "=r"(p) : "0"(p));				      \
 									      \
 	switch (__CORE_RELO(s, field, BYTE_SIZE)) {			      \
 	case 1: val = *(const unsigned char *)p; break;			      \
 	case 2: val = *(const unsigned short *)p; break;		      \
 	case 4: val = *(const unsigned int *)p; break;			      \
 	case 8: val = *(const unsigned long long *)p; break;		      \
 	}								      \
 	val <<= __CORE_RELO(s, field, LSHIFT_U64);			      \
 	if (__CORE_RELO(s, field, SIGNED))				      \
 		val = ((long long)val) >> __CORE_RELO(s, field, RSHIFT_U64);  \
 	else								      \
 		val = val >> __CORE_RELO(s, field, RSHIFT_U64);		      \
 	val;								      \
 })
 #define ___bpf_field_ref1(field)	(field)
 #define ___bpf_field_ref2(type, field)	(((typeof(type) *)0)->field)
 #define ___bpf_field_ref(args...)					    \
 	___bpf_apply(___bpf_field_ref, ___bpf_narg(args))(args)
 /*
 * Convenience macro to check that field actually exists in target kernel's.
 * Returns:
 *    1, if matching field is present in target kernel;
 *    0, if no matching field found.
 *
 * Supports two forms:
 *   - field reference through variable access:
 *     bpf_core_field_exists(p->my_field);
 *   - field reference through type and field names:
 *     bpf_core_field_exists(struct my_type, my_field).
 */
 #define bpf_core_field_exists(field...)					    \
 	__builtin_preserve_field_info(___bpf_field_ref(field), BPF_FIELD_EXISTS)
 /*
 * Convenience macro to get the byte size of a field. Works for integers,
 * struct/unions, pointers, arrays, and enums.
 *
 * Supports two forms:
 *   - field reference through variable access:
 *     bpf_core_field_size(p->my_field);
 *   - field reference through type and field names:
 *     bpf_core_field_size(struct my_type, my_field).
 */
 #define bpf_core_field_size(field...)					    \
 	__builtin_preserve_field_info(___bpf_field_ref(field), BPF_FIELD_BYTE_SIZE)
 /*
 * Convenience macro to get field's byte offset.
 *
 * Supports two forms:
 *   - field reference through variable access:
 *     bpf_core_field_offset(p->my_field);
 *   - field reference through type and field names:
 *     bpf_core_field_offset(struct my_type, my_field).
 */
 #define bpf_core_field_offset(field...)					    \
 	__builtin_preserve_field_info(___bpf_field_ref(field), BPF_FIELD_BYTE_OFFSET)
 /*
 * Convenience macro to get BTF type ID of a specified type, using a local BTF
 * information. Return 32-bit unsigned integer with type ID from program's own
 * BTF. Always succeeds.
 */
 #define bpf_core_type_id_local(type)					    \
 	__builtin_btf_type_id(*(typeof(type) *)0, BPF_TYPE_ID_LOCAL)
 /*
 * Convenience macro to get BTF type ID of a target kernel's type that matches
 * specified local type.
 * Returns:
 *    - valid 32-bit unsigned type ID in kernel BTF;
 *    - 0, if no matching type was found in a target kernel BTF.
 */
 #define bpf_core_type_id_kernel(type)					    \
 	__builtin_btf_type_id(*(typeof(type) *)0, BPF_TYPE_ID_TARGET)
 /*
 * Convenience macro to check that provided named type
 * (struct/union/enum/typedef) exists in a target kernel.
 * Returns:
 *    1, if such type is present in target kernel's BTF;
 *    0, if no matching type is found.
 */
 #define bpf_core_type_exists(type)					    \
 	__builtin_preserve_type_info(*(typeof(type) *)0, BPF_TYPE_EXISTS)
 /*
 * Convenience macro to check that provided named type
 * (struct/union/enum/typedef) "matches" that in a target kernel.
 * Returns:
 *    1, if the type matches in the target kernel's BTF;
 *    0, if the type does not match any in the target kernel
 */
 #define bpf_core_type_matches(type)					    \
 	__builtin_preserve_type_info(*(typeof(type) *)0, BPF_TYPE_MATCHES)
 /*
 * Convenience macro to get the byte size of a provided named type
 * (struct/union/enum/typedef) in a target kernel.
 * Returns:
 *    >= 0 size (in bytes), if type is present in target kernel's BTF;
 *    0, if no matching type is found.
 */
 #define bpf_core_type_size(type)					    \
 	__builtin_preserve_type_info(*(typeof(type) *)0, BPF_TYPE_SIZE)
 /*
 * Convenience macro to check that provided enumerator value is defined in
 * a target kernel.
 * Returns:
 *    1, if specified enum type and its enumerator value are present in target
 *    kernel's BTF;
 *    0, if no matching enum and/or enum value within that enum is found.
 */
 #define bpf_core_enum_value_exists(enum_type, enum_value)		    \
 	__builtin_preserve_enum_value(*(typeof(enum_type) *)enum_value, BPF_ENUMVAL_EXISTS)
 /*
 * Convenience macro to get the integer value of an enumerator value in
 * a target kernel.
 * Returns:
 *    64-bit value, if specified enum type and its enumerator value are
 *    present in target kernel's BTF;
 *    0, if no matching enum and/or enum value within that enum is found.
 */
 #define bpf_core_enum_value(enum_type, enum_value)			    \
 	__builtin_preserve_enum_value(*(typeof(enum_type) *)enum_value, BPF_ENUMVAL_VALUE)
 /*
 * bpf_core_read() abstracts away bpf_probe_read_kernel() call and captures
 * offset relocation for source address using __builtin_preserve_access_index()
 * built-in, provided by Clang.
 *
 * __builtin_preserve_access_index() takes as an argument an expression of
 * taking an address of a field within struct/union. It makes compiler emit
 * a relocation, which records BTF type ID describing root struct/union and an
 * accessor string which describes exact embedded field that was used to take
 * an address. See detailed description of this relocation format and
 * semantics in comments to struct bpf_field_reloc in libbpf_internal.h.
 *
 * This relocation allows libbpf to adjust BPF instruction to use correct
 * actual field offset, based on target kernel BTF type that matches original
 * (local) BTF, used to record relocation.
 */
 #define bpf_core_read(dst, sz, src)					    \
 	bpf_probe_read_kernel(dst, sz, (const void *)__builtin_preserve_access_index(src))
 /* NOTE: see comments for BPF_CORE_READ_USER() about the proper types use. */
 #define bpf_core_read_user(dst, sz, src)				    \
 	bpf_probe_read_user(dst, sz, (const void *)__builtin_preserve_access_index(src))
 /*
 * bpf_core_read_str() is a thin wrapper around bpf_probe_read_str()
 * additionally emitting BPF CO-RE field relocation for specified source
 * argument.
 */
 #define bpf_core_read_str(dst, sz, src)					    \
 	bpf_probe_read_kernel_str(dst, sz, (const void *)__builtin_preserve_access_index(src))
 /* NOTE: see comments for BPF_CORE_READ_USER() about the proper types use. */
 #define bpf_core_read_user_str(dst, sz, src)				    \
 	bpf_probe_read_user_str(dst, sz, (const void *)__builtin_preserve_access_index(src))
 #define ___concat(a, b) a ## b
 #define ___apply(fn, n) ___concat(fn, n)
 #define ___nth(_1, _2, _3, _4, _5, _6, _7, _8, _9, _10, __11, N, ...) N
 /*
 * return number of provided arguments; used for switch-based variadic macro
 * definitions (see ___last, ___arrow, etc below)
 */
 #define ___narg(...) ___nth(_, ##__VA_ARGS__, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0)
 /*
 * return 0 if no arguments are passed, N - otherwise; used for
 * recursively-defined macros to specify termination (0) case, and generic
 * (N) case (e.g., ___read_ptrs, ___core_read)
 */
 #define ___empty(...) ___nth(_, ##__VA_ARGS__, N, N, N, N, N, N, N, N, N, N, 0)
 #define ___last1(x) x
 #define ___last2(a, x) x
 #define ___last3(a, b, x) x
 #define ___last4(a, b, c, x) x
 #define ___last5(a, b, c, d, x) x
 #define ___last6(a, b, c, d, e, x) x
 #define ___last7(a, b, c, d, e, f, x) x
 #define ___last8(a, b, c, d, e, f, g, x) x
 #define ___last9(a, b, c, d, e, f, g, h, x) x
 #define ___last10(a, b, c, d, e, f, g, h, i, x) x
 #define ___last(...) ___apply(___last, ___narg(__VA_ARGS__))(__VA_ARGS__)
 #define ___nolast2(a, _) a
 #define ___nolast3(a, b, _) a, b
 #define ___nolast4(a, b, c, _) a, b, c
 #define ___nolast5(a, b, c, d, _) a, b, c, d
 #define ___nolast6(a, b, c, d, e, _) a, b, c, d, e
 #define ___nolast7(a, b, c, d, e, f, _) a, b, c, d, e, f
 #define ___nolast8(a, b, c, d, e, f, g, _) a, b, c, d, e, f, g
 #define ___nolast9(a, b, c, d, e, f, g, h, _) a, b, c, d, e, f, g, h
 #define ___nolast10(a, b, c, d, e, f, g, h, i, _) a, b, c, d, e, f, g, h, i
 #define ___nolast(...) ___apply(___nolast, ___narg(__VA_ARGS__))(__VA_ARGS__)
 #define ___arrow1(a) a
 #define ___arrow2(a, b) a->b
 #define ___arrow3(a, b, c) a->b->c
 #define ___arrow4(a, b, c, d) a->b->c->d
 #define ___arrow5(a, b, c, d, e) a->b->c->d->e
 #define ___arrow6(a, b, c, d, e, f) a->b->c->d->e->f
 #define ___arrow7(a, b, c, d, e, f, g) a->b->c->d->e->f->g
 #define ___arrow8(a, b, c, d, e, f, g, h) a->b->c->d->e->f->g->h
 #define ___arrow9(a, b, c, d, e, f, g, h, i) a->b->c->d->e->f->g->h->i
 #define ___arrow10(a, b, c, d, e, f, g, h, i, j) a->b->c->d->e->f->g->h->i->j
 #define ___arrow(...) ___apply(___arrow, ___narg(__VA_ARGS__))(__VA_ARGS__)
 #define ___type(...) typeof(___arrow(__VA_ARGS__))
 #define ___read(read_fn, dst, src_type, src, accessor)			    \
 	read_fn((void *)(dst), sizeof(*(dst)), &((src_type)(src))->accessor)
 /* "recursively" read a sequence of inner pointers using local __t var */
 #define ___rd_first(fn, src, a) ___read(fn, &__t, ___type(src), src, a);
 #define ___rd_last(fn, ...)						    \
 	___read(fn, &__t, ___type(___nolast(__VA_ARGS__)), __t, ___last(__VA_ARGS__));
 #define ___rd_p1(fn, ...) const void *__t; ___rd_first(fn, __VA_ARGS__)
 #define ___rd_p2(fn, ...) ___rd_p1(fn, ___nolast(__VA_ARGS__)) ___rd_last(fn, __VA_ARGS__)
 #define ___rd_p3(fn, ...) ___rd_p2(fn, ___nolast(__VA_ARGS__)) ___rd_last(fn, __VA_ARGS__)
 #define ___rd_p4(fn, ...) ___rd_p3(fn, ___nolast(__VA_ARGS__)) ___rd_last(fn, __VA_ARGS__)
 #define ___rd_p5(fn, ...) ___rd_p4(fn, ___nolast(__VA_ARGS__)) ___rd_last(fn, __VA_ARGS__)
 #define ___rd_p6(fn, ...) ___rd_p5(fn, ___nolast(__VA_ARGS__)) ___rd_last(fn, __VA_ARGS__)
 #define ___rd_p7(fn, ...) ___rd_p6(fn, ___nolast(__VA_ARGS__)) ___rd_last(fn, __VA_ARGS__)
 #define ___rd_p8(fn, ...) ___rd_p7(fn, ___nolast(__VA_ARGS__)) ___rd_last(fn, __VA_ARGS__)
 #define ___rd_p9(fn, ...) ___rd_p8(fn, ___nolast(__VA_ARGS__)) ___rd_last(fn, __VA_ARGS__)
 #define ___read_ptrs(fn, src, ...)					    \
 	___apply(___rd_p, ___narg(__VA_ARGS__))(fn, src, __VA_ARGS__)
 #define ___core_read0(fn, fn_ptr, dst, src, a)				    \
 	___read(fn, dst, ___type(src), src, a);
 #define ___core_readN(fn, fn_ptr, dst, src, ...)			    \
 	___read_ptrs(fn_ptr, src, ___nolast(__VA_ARGS__))		    \
 	___read(fn, dst, ___type(src, ___nolast(__VA_ARGS__)), __t,	    \
 		___last(__VA_ARGS__));
 #define ___core_read(fn, fn_ptr, dst, src, a, ...)			    \
 	___apply(___core_read, ___empty(__VA_ARGS__))(fn, fn_ptr, dst,	    \
 						      src, a, ##__VA_ARGS__)
 /*
 * BPF_CORE_READ_INTO() is a more performance-conscious variant of
 * BPF_CORE_READ(), in which final field is read into user-provided storage.
 * See BPF_CORE_READ() below for more details on general usage.
 */
 #define BPF_CORE_READ_INTO(dst, src, a, ...) ({				    \
 	___core_read(bpf_core_read, bpf_core_read,			    \
 		     dst, (src), a, ##__VA_ARGS__)			    \
 })
 /*
 * Variant of BPF_CORE_READ_INTO() for reading from user-space memory.
 *
 * NOTE: see comments for BPF_CORE_READ_USER() about the proper types use.
 */
 #define BPF_CORE_READ_USER_INTO(dst, src, a, ...) ({			    \
 	___core_read(bpf_core_read_user, bpf_core_read_user,		    \
 		     dst, (src), a, ##__VA_ARGS__)			    \
 })
 /* Non-CO-RE variant of BPF_CORE_READ_INTO() */
 #define BPF_PROBE_READ_INTO(dst, src, a, ...) ({			    \
 	___core_read(bpf_probe_read, bpf_probe_read,			    \
 		     dst, (src), a, ##__VA_ARGS__)			    \
 })
 /* Non-CO-RE variant of BPF_CORE_READ_USER_INTO().
 *
 * As no CO-RE relocations are emitted, source types can be arbitrary and are
 * not restricted to kernel types only.
 */
 #define BPF_PROBE_READ_USER_INTO(dst, src, a, ...) ({			    \
 	___core_read(bpf_probe_read_user, bpf_probe_read_user,		    \
 		     dst, (src), a, ##__VA_ARGS__)			    \
 })
 /*
 * BPF_CORE_READ_STR_INTO() does same "pointer chasing" as
 * BPF_CORE_READ() for intermediate pointers, but then executes (and returns
 * corresponding error code) bpf_core_read_str() for final string read.
 */
 #define BPF_CORE_READ_STR_INTO(dst, src, a, ...) ({			    \
 	___core_read(bpf_core_read_str, bpf_core_read,			    \
 		     dst, (src), a, ##__VA_ARGS__)			    \
 })
 /*
 * Variant of BPF_CORE_READ_STR_INTO() for reading from user-space memory.
 *
 * NOTE: see comments for BPF_CORE_READ_USER() about the proper types use.
 */
 #define BPF_CORE_READ_USER_STR_INTO(dst, src, a, ...) ({		    \
 	___core_read(bpf_core_read_user_str, bpf_core_read_user,	    \
 		     dst, (src), a, ##__VA_ARGS__)			    \
 })
 /* Non-CO-RE variant of BPF_CORE_READ_STR_INTO() */
 #define BPF_PROBE_READ_STR_INTO(dst, src, a, ...) ({			    \
 	___core_read(bpf_probe_read_str, bpf_probe_read,		    \
 		     dst, (src), a, ##__VA_ARGS__)			    \
 })
 /*
 * Non-CO-RE variant of BPF_CORE_READ_USER_STR_INTO().
 *
 * As no CO-RE relocations are emitted, source types can be arbitrary and are
 * not restricted to kernel types only.
 */
 #define BPF_PROBE_READ_USER_STR_INTO(dst, src, a, ...) ({		    \
 	___core_read(bpf_probe_read_user_str, bpf_probe_read_user,	    \
 		     dst, (src), a, ##__VA_ARGS__)			    \
 })
 /*
 * BPF_CORE_READ() is used to simplify BPF CO-RE relocatable read, especially
 * when there are few pointer chasing steps.
 * E.g., what in non-BPF world (or in BPF w/ BCC) would be something like:
 *	int x = s->a.b.c->d.e->f->g;
 * can be succinctly achieved using BPF_CORE_READ as:
 *	int x = BPF_CORE_READ(s, a.b.c, d.e, f, g);
 *
 * BPF_CORE_READ will decompose above statement into 4 bpf_core_read (BPF
 * CO-RE relocatable bpf_probe_read_kernel() wrapper) calls, logically
 * equivalent to:
 * 1. const void *__t = s->a.b.c;
 * 2. __t = __t->d.e;
 * 3. __t = __t->f;
 * 4. return __t->g;
 *
 * Equivalence is logical, because there is a heavy type casting/preservation
 * involved, as well as all the reads are happening through
 * bpf_probe_read_kernel() calls using __builtin_preserve_access_index() to
 * emit CO-RE relocations.
 *
 * N.B. Only up to 9 "field accessors" are supported, which should be more
 * than enough for any practical purpose.
 */
 #define BPF_CORE_READ(src, a, ...) ({					    \
 	___type((src), a, ##__VA_ARGS__) __r;				    \
 	BPF_CORE_READ_INTO(&__r, (src), a, ##__VA_ARGS__);		    \
 	__r;								    \
 })
 /*
 * Variant of BPF_CORE_READ() for reading from user-space memory.
 *
 * NOTE: all the source types involved are still *kernel types* and need to
 * exist in kernel (or kernel module) BTF, otherwise CO-RE relocation will
 * fail. Custom user types are not relocatable with CO-RE.
 * The typical situation in which BPF_CORE_READ_USER() might be used is to
 * read kernel UAPI types from the user-space memory passed in as a syscall
 * input argument.
 */
 #define BPF_CORE_READ_USER(src, a, ...) ({				    \
 	___type((src), a, ##__VA_ARGS__) __r;				    \
 	BPF_CORE_READ_USER_INTO(&__r, (src), a, ##__VA_ARGS__);		    \
 	__r;								    \
 })
 /* Non-CO-RE variant of BPF_CORE_READ() */
 #define BPF_PROBE_READ(src, a, ...) ({					    \
 	___type((src), a, ##__VA_ARGS__) __r;				    \
 	BPF_PROBE_READ_INTO(&__r, (src), a, ##__VA_ARGS__);		    \
 	__r;								    \
 })
 /*
 * Non-CO-RE variant of BPF_CORE_READ_USER().
 *
 * As no CO-RE relocations are emitted, source types can be arbitrary and are
 * not restricted to kernel types only.
 */
 #define BPF_PROBE_READ_USER(src, a, ...) ({				    \
 	___type((src), a, ##__VA_ARGS__) __r;				    \
 	BPF_PROBE_READ_USER_INTO(&__r, (src), a, ##__VA_ARGS__);	    \
 	__r;								    \
 })
 #endif
--- a/ebpf_prog/bpf_headers/bpf_helper_defs.h
+++ b/ebpf_prog/bpf_headers/bpf_helper_defs.h
--- a/ebpf_prog/bpf_headers/bpf_helpers.h
+++ b/ebpf_prog/bpf_headers/bpf_helpers.h
@ -0,0 +1,301 @@
 /* SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) */
 #ifndef __BPF_HELPERS__
 #define __BPF_HELPERS__
 /*
 * Note that bpf programs need to include either
 * vmlinux.h (auto-generated from BTF) or linux/types.h
 * in advance since bpf_helper_defs.h uses such types
 * as __u64.
 */
 #include "bpf_helper_defs.h"
 #define __uint(name, val) int (*name)[val]
 #define __type(name, val) typeof(val) *name
 #define __array(name, val) typeof(val) *name[]
 /*
 * Helper macro to place programs, maps, license in
 * different sections in elf_bpf file. Section names
 * are interpreted by libbpf depending on the context (BPF programs, BPF maps,
 * extern variables, etc).
 * To allow use of SEC() with externs (e.g., for extern .maps declarations),
 * make sure __attribute__((unused)) doesn't trigger compilation warning.
 */
 #if __GNUC__ && !__clang__
 /*
 * Pragma macros are broken on GCC
 * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=55578
 * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90400
 */
 #define SEC(name) __attribute__((section(name), used))
 #else
 #define SEC(name) \
 	_Pragma("GCC diagnostic push")					    \
 	_Pragma("GCC diagnostic ignored \"-Wignored-attributes\"")	    \
 	__attribute__((section(name), used))				    \
 	_Pragma("GCC diagnostic pop")					    \
 #endif
 /* Avoid 'linux/stddef.h' definition of '__always_inline'. */
 #undef __always_inline
 #define __always_inline inline __attribute__((always_inline))
 #ifndef __noinline
 #define __noinline __attribute__((noinline))
 #endif
 #ifndef __weak
 #define __weak __attribute__((weak))
 #endif
 /*
 * Use __hidden attribute to mark a non-static BPF subprogram effectively
 * static for BPF verifier's verification algorithm purposes, allowing more
 * extensive and permissive BPF verification process, taking into account
 * subprogram's caller context.
 */
 #define __hidden __attribute__((visibility("hidden")))
 /* When utilizing vmlinux.h with BPF CO-RE, user BPF programs can't include
 * any system-level headers (such as stddef.h, linux/version.h, etc), and
 * commonly-used macros like NULL and KERNEL_VERSION aren't available through
 * vmlinux.h. This just adds unnecessary hurdles and forces users to re-define
 * them on their own. So as a convenience, provide such definitions here.
 */
 #ifndef NULL
 #define NULL ((void *)0)
 #endif
 #ifndef KERNEL_VERSION
 #define KERNEL_VERSION(a, b, c) (((a) << 16) + ((b) << 8) + ((c) > 255 ? 255 : (c)))
 #endif
 /*
 * Helper macros to manipulate data structures
 */
 #ifndef offsetof
 #define offsetof(TYPE, MEMBER)	((unsigned long)&((TYPE *)0)->MEMBER)
 #endif
 #ifndef container_of
 #define container_of(ptr, type, member)				\
 	({							\
 		void *__mptr = (void *)(ptr);			\
 		((type *)(__mptr - offsetof(type, member)));	\
 	})
 #endif
 /*
 * Compiler (optimization) barrier.
 */
 #ifndef barrier
 #define barrier() asm volatile("" ::: "memory")
 #endif
 /* Variable-specific compiler (optimization) barrier. It's a no-op which makes
 * compiler believe that there is some black box modification of a given
 * variable and thus prevents compiler from making extra assumption about its
 * value and potential simplifications and optimizations on this variable.
 *
 * E.g., compiler might often delay or even omit 32-bit to 64-bit casting of
 * a variable, making some code patterns unverifiable. Putting barrier_var()
 * in place will ensure that cast is performed before the barrier_var()
 * invocation, because compiler has to pessimistically assume that embedded
 * asm section might perform some extra operations on that variable.
 *
 * This is a variable-specific variant of more global barrier().
 */
 #ifndef barrier_var
 #define barrier_var(var) asm volatile("" : "=r"(var) : "0"(var))
 #endif
 /*
 * Helper macro to throw a compilation error if __bpf_unreachable() gets
 * built into the resulting code. This works given BPF back end does not
 * implement __builtin_trap(). This is useful to assert that certain paths
 * of the program code are never used and hence eliminated by the compiler.
 *
 * For example, consider a switch statement that covers known cases used by
 * the program. __bpf_unreachable() can then reside in the default case. If
 * the program gets extended such that a case is not covered in the switch
 * statement, then it will throw a build error due to the default case not
 * being compiled out.
 */
 #ifndef __bpf_unreachable
 # define __bpf_unreachable()	__builtin_trap()
 #endif
 /*
 * Helper function to perform a tail call with a constant/immediate map slot.
 */
 #if __clang_major__ >= 8 && defined(__bpf__)
 static __always_inline void
 bpf_tail_call_static(void *ctx, const void *map, const __u32 slot)
 {
 	if (!__builtin_constant_p(slot))
 		__bpf_unreachable();
 	/*
 	 * Provide a hard guarantee that LLVM won't optimize setting r2 (map
 	 * pointer) and r3 (constant map index) from _different paths_ ending
 	 * up at the _same_ call insn as otherwise we won't be able to use the
 	 * jmpq/nopl retpoline-free patching by the x86-64 JIT in the kernel
 	 * given they mismatch. See also d2e4c1e6c294 ("bpf: Constant map key
 	 * tracking for prog array pokes") for details on verifier tracking.
 	 *
 	 * Note on clobber list: we need to stay in-line with BPF calling
 	 * convention, so even if we don't end up using r0, r4, r5, we need
 	 * to mark them as clobber so that LLVM doesn't end up using them
 	 * before / after the call.
 	 */
 	asm volatile("r1 = %[ctx]\n\t"
 		     "r2 = %[map]\n\t"
 		     "r3 = %[slot]\n\t"
 		     "call 12"
 		     :: [ctx]"r"(ctx), [map]"r"(map), [slot]"i"(slot)
 		     : "r0", "r1", "r2", "r3", "r4", "r5");
 }
 #endif
 /*
 * Helper structure used by eBPF C program
 * to describe BPF map attributes to libbpf loader
 */
 struct bpf_map_defold {
 	unsigned int type;
 	unsigned int key_size;
 	unsigned int value_size;
 	unsigned int max_entries;
 	unsigned int map_flags;
 } __attribute__((deprecated("use BTF-defined maps in .maps section")));
 enum libbpf_pin_type {
 	LIBBPF_PIN_NONE,
 	/* PIN_BY_NAME: pin maps by name (in /sys/fs/bpf by default) */
 	LIBBPF_PIN_BY_NAME,
 };
 enum libbpf_tristate {
 	TRI_NO = 0,
 	TRI_YES = 1,
 	TRI_MODULE = 2,
 };
 #define __kconfig __attribute__((section(".kconfig")))
 #define __ksym __attribute__((section(".ksyms")))
 #define __kptr __attribute__((btf_type_tag("kptr")))
 #define __kptr_ref __attribute__((btf_type_tag("kptr_ref")))
 #ifndef ___bpf_concat
 #define ___bpf_concat(a, b) a ## b
 #endif
 #ifndef ___bpf_apply
 #define ___bpf_apply(fn, n) ___bpf_concat(fn, n)
 #endif
 #ifndef ___bpf_nth
 #define ___bpf_nth(_, _1, _2, _3, _4, _5, _6, _7, _8, _9, _a, _b, _c, N, ...) N
 #endif
 #ifndef ___bpf_narg
 #define ___bpf_narg(...) \
 	___bpf_nth(_, ##__VA_ARGS__, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0)
 #endif
 #define ___bpf_fill0(arr, p, x) do {} while (0)
 #define ___bpf_fill1(arr, p, x) arr[p] = x
 #define ___bpf_fill2(arr, p, x, args...) arr[p] = x; ___bpf_fill1(arr, p + 1, args)
 #define ___bpf_fill3(arr, p, x, args...) arr[p] = x; ___bpf_fill2(arr, p + 1, args)
 #define ___bpf_fill4(arr, p, x, args...) arr[p] = x; ___bpf_fill3(arr, p + 1, args)
 #define ___bpf_fill5(arr, p, x, args...) arr[p] = x; ___bpf_fill4(arr, p + 1, args)
 #define ___bpf_fill6(arr, p, x, args...) arr[p] = x; ___bpf_fill5(arr, p + 1, args)
 #define ___bpf_fill7(arr, p, x, args...) arr[p] = x; ___bpf_fill6(arr, p + 1, args)
 #define ___bpf_fill8(arr, p, x, args...) arr[p] = x; ___bpf_fill7(arr, p + 1, args)
 #define ___bpf_fill9(arr, p, x, args...) arr[p] = x; ___bpf_fill8(arr, p + 1, args)
 #define ___bpf_fill10(arr, p, x, args...) arr[p] = x; ___bpf_fill9(arr, p + 1, args)
 #define ___bpf_fill11(arr, p, x, args...) arr[p] = x; ___bpf_fill10(arr, p + 1, args)
 #define ___bpf_fill12(arr, p, x, args...) arr[p] = x; ___bpf_fill11(arr, p + 1, args)
 #define ___bpf_fill(arr, args...) \
 	___bpf_apply(___bpf_fill, ___bpf_narg(args))(arr, 0, args)
 /*
 * BPF_SEQ_PRINTF to wrap bpf_seq_printf to-be-printed values
 * in a structure.
 */
 #define BPF_SEQ_PRINTF(seq, fmt, args...)			\
 ({								\
 	static const char ___fmt[] = fmt;			\
 	unsigned long long ___param[___bpf_narg(args)];		\
 								\
 	_Pragma("GCC diagnostic push")				\
 	_Pragma("GCC diagnostic ignored \"-Wint-conversion\"")	\
 	___bpf_fill(___param, args);				\
 	_Pragma("GCC diagnostic pop")				\
 								\
 	bpf_seq_printf(seq, ___fmt, sizeof(___fmt),		\
 		       ___param, sizeof(___param));		\
 })
 /*
 * BPF_SNPRINTF wraps the bpf_snprintf helper with variadic arguments instead of
 * an array of u64.
 */
 #define BPF_SNPRINTF(out, out_size, fmt, args...)		\
 ({								\
 	static const char ___fmt[] = fmt;			\
 	unsigned long long ___param[___bpf_narg(args)];		\
 								\
 	_Pragma("GCC diagnostic push")				\
 	_Pragma("GCC diagnostic ignored \"-Wint-conversion\"")	\
 	___bpf_fill(___param, args);				\
 	_Pragma("GCC diagnostic pop")				\
 								\
 	bpf_snprintf(out, out_size, ___fmt,			\
 		     ___param, sizeof(___param));		\
 })
 #ifdef BPF_NO_GLOBAL_DATA
 #define BPF_PRINTK_FMT_MOD
 #else
 #define BPF_PRINTK_FMT_MOD static const
 #endif
 #define __bpf_printk(fmt, ...)				\
 ({							\
 	BPF_PRINTK_FMT_MOD char ____fmt[] = fmt;	\
 	bpf_trace_printk(____fmt, sizeof(____fmt),	\
 			 ##__VA_ARGS__);		\
 })
 /*
 * __bpf_vprintk wraps the bpf_trace_vprintk helper with variadic arguments
 * instead of an array of u64.
 */
 #define __bpf_vprintk(fmt, args...)				\
 ({								\
 	static const char ___fmt[] = fmt;			\
 	unsigned long long ___param[___bpf_narg(args)];		\
 								\
 	_Pragma("GCC diagnostic push")				\
 	_Pragma("GCC diagnostic ignored \"-Wint-conversion\"")	\
 	___bpf_fill(___param, args);				\
 	_Pragma("GCC diagnostic pop")				\
 								\
 	bpf_trace_vprintk(___fmt, sizeof(___fmt),		\
 			  ___param, sizeof(___param));		\
 })
 /* Use __bpf_printk when bpf_printk call has 3 or fewer fmt args
 * Otherwise use __bpf_vprintk
 */
 #define ___bpf_pick_printk(...) \
 	___bpf_nth(_, ##__VA_ARGS__, __bpf_vprintk, __bpf_vprintk, __bpf_vprintk,	\
 		   __bpf_vprintk, __bpf_vprintk, __bpf_vprintk, __bpf_vprintk,		\
 		   __bpf_vprintk, __bpf_vprintk, __bpf_printk /*3*/, __bpf_printk /*2*/,\
 		   __bpf_printk /*1*/, __bpf_printk /*0*/)
 /* Helper macro to print out debug messages */
 #define bpf_printk(fmt, args...) ___bpf_pick_printk(args)(fmt, ##args)
 #endif
--- a/ebpf_prog/bpf_headers/bpf_tracing.h
+++ b/ebpf_prog/bpf_headers/bpf_tracing.h
@ -0,0 +1,563 @@
 /* SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) */
 #ifndef __BPF_TRACING_H__
 #define __BPF_TRACING_H__
 #include "bpf_helpers.h"
 /* Scan the ARCH passed in from ARCH env variable (see Makefile) */
 #if defined(__TARGET_ARCH_x86)
 	#define bpf_target_x86
 	#define bpf_target_defined
 #elif defined(__TARGET_ARCH_s390)
 	#define bpf_target_s390
 	#define bpf_target_defined
 #elif defined(__TARGET_ARCH_arm)
 	#define bpf_target_arm
 	#define bpf_target_defined
 #elif defined(__TARGET_ARCH_arm64)
 	#define bpf_target_arm64
 	#define bpf_target_defined
 #elif defined(__TARGET_ARCH_mips)
 	#define bpf_target_mips
 	#define bpf_target_defined
 #elif defined(__TARGET_ARCH_powerpc)
 	#define bpf_target_powerpc
 	#define bpf_target_defined
 #elif defined(__TARGET_ARCH_sparc)
 	#define bpf_target_sparc
 	#define bpf_target_defined
 #elif defined(__TARGET_ARCH_riscv)
 	#define bpf_target_riscv
 	#define bpf_target_defined
 #elif defined(__TARGET_ARCH_arc)
 	#define bpf_target_arc
 	#define bpf_target_defined
 #else
 /* Fall back to what the compiler says */
 #if defined(__x86_64__)
 	#define bpf_target_x86
 	#define bpf_target_defined
 #elif defined(__s390__)
 	#define bpf_target_s390
 	#define bpf_target_defined
 #elif defined(__arm__)
 	#define bpf_target_arm
 	#define bpf_target_defined
 #elif defined(__aarch64__)
 	#define bpf_target_arm64
 	#define bpf_target_defined
 #elif defined(__mips__)
 	#define bpf_target_mips
 	#define bpf_target_defined
 #elif defined(__powerpc__)
 	#define bpf_target_powerpc
 	#define bpf_target_defined
 #elif defined(__sparc__)
 	#define bpf_target_sparc
 	#define bpf_target_defined
 #elif defined(__riscv) && __riscv_xlen == 64
 	#define bpf_target_riscv
 	#define bpf_target_defined
 #elif defined(__arc__)
 	#define bpf_target_arc
 	#define bpf_target_defined
 #endif /* no compiler target */
 #endif
 #ifndef __BPF_TARGET_MISSING
 #define __BPF_TARGET_MISSING "GCC error \"Must specify a BPF target arch via __TARGET_ARCH_xxx\""
 #endif
 #if defined(bpf_target_x86)
 #if defined(__KERNEL__) || defined(__VMLINUX_H__)
 #define __PT_PARM1_REG di
 #define __PT_PARM2_REG si
 #define __PT_PARM3_REG dx
 #define __PT_PARM4_REG cx
 #define __PT_PARM5_REG r8
 #define __PT_RET_REG sp
 #define __PT_FP_REG bp
 #define __PT_RC_REG ax
 #define __PT_SP_REG sp
 #define __PT_IP_REG ip
 /* syscall uses r10 for PARM4 */
 #define PT_REGS_PARM4_SYSCALL(x) ((x)->r10)
 #define PT_REGS_PARM4_CORE_SYSCALL(x) BPF_CORE_READ(x, r10)
 #else
 #ifdef __i386__
 #define __PT_PARM1_REG eax
 #define __PT_PARM2_REG edx
 #define __PT_PARM3_REG ecx
 /* i386 kernel is built with -mregparm=3 */
 #define __PT_PARM4_REG __unsupported__
 #define __PT_PARM5_REG __unsupported__
 #define __PT_RET_REG esp
 #define __PT_FP_REG ebp
 #define __PT_RC_REG eax
 #define __PT_SP_REG esp
 #define __PT_IP_REG eip
 #else /* __i386__ */
 #define __PT_PARM1_REG rdi
 #define __PT_PARM2_REG rsi
 #define __PT_PARM3_REG rdx
 #define __PT_PARM4_REG rcx
 #define __PT_PARM5_REG r8
 #define __PT_RET_REG rsp
 #define __PT_FP_REG rbp
 #define __PT_RC_REG rax
 #define __PT_SP_REG rsp
 #define __PT_IP_REG rip
 /* syscall uses r10 for PARM4 */
 #define PT_REGS_PARM4_SYSCALL(x) ((x)->r10)
 #define PT_REGS_PARM4_CORE_SYSCALL(x) BPF_CORE_READ(x, r10)
 #endif /* __i386__ */
 #endif /* __KERNEL__ || __VMLINUX_H__ */
 #elif defined(bpf_target_s390)
 struct pt_regs___s390 {
 	unsigned long orig_gpr2;
 };
 /* s390 provides user_pt_regs instead of struct pt_regs to userspace */
 #define __PT_REGS_CAST(x) ((const user_pt_regs *)(x))
 #define __PT_PARM1_REG gprs[2]
 #define __PT_PARM2_REG gprs[3]
 #define __PT_PARM3_REG gprs[4]
 #define __PT_PARM4_REG gprs[5]
 #define __PT_PARM5_REG gprs[6]
 #define __PT_RET_REG grps[14]
 #define __PT_FP_REG gprs[11]	/* Works only with CONFIG_FRAME_POINTER */
 #define __PT_RC_REG gprs[2]
 #define __PT_SP_REG gprs[15]
 #define __PT_IP_REG psw.addr
 #define PT_REGS_PARM1_SYSCALL(x) PT_REGS_PARM1_CORE_SYSCALL(x)
 #define PT_REGS_PARM1_CORE_SYSCALL(x) BPF_CORE_READ((const struct pt_regs___s390 *)(x), orig_gpr2)
 #elif defined(bpf_target_arm)
 #define __PT_PARM1_REG uregs[0]
 #define __PT_PARM2_REG uregs[1]
 #define __PT_PARM3_REG uregs[2]
 #define __PT_PARM4_REG uregs[3]
 #define __PT_PARM5_REG uregs[4]
 #define __PT_RET_REG uregs[14]
 #define __PT_FP_REG uregs[11]	/* Works only with CONFIG_FRAME_POINTER */
 #define __PT_RC_REG uregs[0]
 #define __PT_SP_REG uregs[13]
 #define __PT_IP_REG uregs[12]
 #elif defined(bpf_target_arm64)
 struct pt_regs___arm64 {
 	unsigned long orig_x0;
 };
 /* arm64 provides struct user_pt_regs instead of struct pt_regs to userspace */
 #define __PT_REGS_CAST(x) ((const struct user_pt_regs *)(x))
 #define __PT_PARM1_REG regs[0]
 #define __PT_PARM2_REG regs[1]
 #define __PT_PARM3_REG regs[2]
 #define __PT_PARM4_REG regs[3]
 #define __PT_PARM5_REG regs[4]
 #define __PT_RET_REG regs[30]
 #define __PT_FP_REG regs[29]	/* Works only with CONFIG_FRAME_POINTER */
 #define __PT_RC_REG regs[0]
 #define __PT_SP_REG sp
 #define __PT_IP_REG pc
 #define PT_REGS_PARM1_SYSCALL(x) PT_REGS_PARM1_CORE_SYSCALL(x)
 #define PT_REGS_PARM1_CORE_SYSCALL(x) BPF_CORE_READ((const struct pt_regs___arm64 *)(x), orig_x0)
 #elif defined(bpf_target_mips)
 #define __PT_PARM1_REG regs[4]
 #define __PT_PARM2_REG regs[5]
 #define __PT_PARM3_REG regs[6]
 #define __PT_PARM4_REG regs[7]
 #define __PT_PARM5_REG regs[8]
 #define __PT_RET_REG regs[31]
 #define __PT_FP_REG regs[30]	/* Works only with CONFIG_FRAME_POINTER */
 #define __PT_RC_REG regs[2]
 #define __PT_SP_REG regs[29]
 #define __PT_IP_REG cp0_epc
 #elif defined(bpf_target_powerpc)
 #define __PT_PARM1_REG gpr[3]
 #define __PT_PARM2_REG gpr[4]
 #define __PT_PARM3_REG gpr[5]
 #define __PT_PARM4_REG gpr[6]
 #define __PT_PARM5_REG gpr[7]
 #define __PT_RET_REG regs[31]
 #define __PT_FP_REG __unsupported__
 #define __PT_RC_REG gpr[3]
 #define __PT_SP_REG sp
 #define __PT_IP_REG nip
 /* powerpc does not select ARCH_HAS_SYSCALL_WRAPPER. */
 #define PT_REGS_SYSCALL_REGS(ctx) ctx
 #elif defined(bpf_target_sparc)
 #define __PT_PARM1_REG u_regs[UREG_I0]
 #define __PT_PARM2_REG u_regs[UREG_I1]
 #define __PT_PARM3_REG u_regs[UREG_I2]
 #define __PT_PARM4_REG u_regs[UREG_I3]
 #define __PT_PARM5_REG u_regs[UREG_I4]
 #define __PT_RET_REG u_regs[UREG_I7]
 #define __PT_FP_REG __unsupported__
 #define __PT_RC_REG u_regs[UREG_I0]
 #define __PT_SP_REG u_regs[UREG_FP]
 /* Should this also be a bpf_target check for the sparc case? */
 #if defined(__arch64__)
 #define __PT_IP_REG tpc
 #else
 #define __PT_IP_REG pc
 #endif
 #elif defined(bpf_target_riscv)
 #define __PT_REGS_CAST(x) ((const struct user_regs_struct *)(x))
 #define __PT_PARM1_REG a0
 #define __PT_PARM2_REG a1
 #define __PT_PARM3_REG a2
 #define __PT_PARM4_REG a3
 #define __PT_PARM5_REG a4
 #define __PT_RET_REG ra
 #define __PT_FP_REG s0
 #define __PT_RC_REG a0
 #define __PT_SP_REG sp
 #define __PT_IP_REG pc
 /* riscv does not select ARCH_HAS_SYSCALL_WRAPPER. */
 #define PT_REGS_SYSCALL_REGS(ctx) ctx
 #elif defined(bpf_target_arc)
 /* arc provides struct user_pt_regs instead of struct pt_regs to userspace */
 #define __PT_REGS_CAST(x) ((const struct user_regs_struct *)(x))
 #define __PT_PARM1_REG scratch.r0
 #define __PT_PARM2_REG scratch.r1
 #define __PT_PARM3_REG scratch.r2
 #define __PT_PARM4_REG scratch.r3
 #define __PT_PARM5_REG scratch.r4
 #define __PT_RET_REG scratch.blink
 #define __PT_FP_REG __unsupported__
 #define __PT_RC_REG scratch.r0
 #define __PT_SP_REG scratch.sp
 #define __PT_IP_REG scratch.ret
 /* arc does not select ARCH_HAS_SYSCALL_WRAPPER. */
 #define PT_REGS_SYSCALL_REGS(ctx) ctx
 #endif
 #if defined(bpf_target_defined)
 struct pt_regs;
 /* allow some architecutres to override `struct pt_regs` */
 #ifndef __PT_REGS_CAST
 #define __PT_REGS_CAST(x) (x)
 #endif
 #define PT_REGS_PARM1(x) (__PT_REGS_CAST(x)->__PT_PARM1_REG)
 #define PT_REGS_PARM2(x) (__PT_REGS_CAST(x)->__PT_PARM2_REG)
 #define PT_REGS_PARM3(x) (__PT_REGS_CAST(x)->__PT_PARM3_REG)
 #define PT_REGS_PARM4(x) (__PT_REGS_CAST(x)->__PT_PARM4_REG)
 #define PT_REGS_PARM5(x) (__PT_REGS_CAST(x)->__PT_PARM5_REG)
 #define PT_REGS_RET(x) (__PT_REGS_CAST(x)->__PT_RET_REG)
 #define PT_REGS_FP(x) (__PT_REGS_CAST(x)->__PT_FP_REG)
 #define PT_REGS_RC(x) (__PT_REGS_CAST(x)->__PT_RC_REG)
 #define PT_REGS_SP(x) (__PT_REGS_CAST(x)->__PT_SP_REG)
 #define PT_REGS_IP(x) (__PT_REGS_CAST(x)->__PT_IP_REG)
 #define PT_REGS_PARM1_CORE(x) BPF_CORE_READ(__PT_REGS_CAST(x), __PT_PARM1_REG)
 #define PT_REGS_PARM2_CORE(x) BPF_CORE_READ(__PT_REGS_CAST(x), __PT_PARM2_REG)
 #define PT_REGS_PARM3_CORE(x) BPF_CORE_READ(__PT_REGS_CAST(x), __PT_PARM3_REG)
 #define PT_REGS_PARM4_CORE(x) BPF_CORE_READ(__PT_REGS_CAST(x), __PT_PARM4_REG)
 #define PT_REGS_PARM5_CORE(x) BPF_CORE_READ(__PT_REGS_CAST(x), __PT_PARM5_REG)
 #define PT_REGS_RET_CORE(x) BPF_CORE_READ(__PT_REGS_CAST(x), __PT_RET_REG)
 #define PT_REGS_FP_CORE(x) BPF_CORE_READ(__PT_REGS_CAST(x), __PT_FP_REG)
 #define PT_REGS_RC_CORE(x) BPF_CORE_READ(__PT_REGS_CAST(x), __PT_RC_REG)
 #define PT_REGS_SP_CORE(x) BPF_CORE_READ(__PT_REGS_CAST(x), __PT_SP_REG)
 #define PT_REGS_IP_CORE(x) BPF_CORE_READ(__PT_REGS_CAST(x), __PT_IP_REG)
 #if defined(bpf_target_powerpc)
 #define BPF_KPROBE_READ_RET_IP(ip, ctx)		({ (ip) = (ctx)->link; })
 #define BPF_KRETPROBE_READ_RET_IP		BPF_KPROBE_READ_RET_IP
 #elif defined(bpf_target_sparc)
 #define BPF_KPROBE_READ_RET_IP(ip, ctx)		({ (ip) = PT_REGS_RET(ctx); })
 #define BPF_KRETPROBE_READ_RET_IP		BPF_KPROBE_READ_RET_IP
 #else
 #define BPF_KPROBE_READ_RET_IP(ip, ctx)					    \
 	({ bpf_probe_read_kernel(&(ip), sizeof(ip), (void *)PT_REGS_RET(ctx)); })
 #define BPF_KRETPROBE_READ_RET_IP(ip, ctx)				    \
 	({ bpf_probe_read_kernel(&(ip), sizeof(ip), (void *)(PT_REGS_FP(ctx) + sizeof(ip))); })
 #endif
 #ifndef PT_REGS_PARM1_SYSCALL
 #define PT_REGS_PARM1_SYSCALL(x) PT_REGS_PARM1(x)
 #endif
 #define PT_REGS_PARM2_SYSCALL(x) PT_REGS_PARM2(x)
 #define PT_REGS_PARM3_SYSCALL(x) PT_REGS_PARM3(x)
 #ifndef PT_REGS_PARM4_SYSCALL
 #define PT_REGS_PARM4_SYSCALL(x) PT_REGS_PARM4(x)
 #endif
 #define PT_REGS_PARM5_SYSCALL(x) PT_REGS_PARM5(x)
 #ifndef PT_REGS_PARM1_CORE_SYSCALL
 #define PT_REGS_PARM1_CORE_SYSCALL(x) PT_REGS_PARM1_CORE(x)
 #endif
 #define PT_REGS_PARM2_CORE_SYSCALL(x) PT_REGS_PARM2_CORE(x)
 #define PT_REGS_PARM3_CORE_SYSCALL(x) PT_REGS_PARM3_CORE(x)
 #ifndef PT_REGS_PARM4_CORE_SYSCALL
 #define PT_REGS_PARM4_CORE_SYSCALL(x) PT_REGS_PARM4_CORE(x)
 #endif
 #define PT_REGS_PARM5_CORE_SYSCALL(x) PT_REGS_PARM5_CORE(x)
 #else /* defined(bpf_target_defined) */
 #define PT_REGS_PARM1(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
 #define PT_REGS_PARM2(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
 #define PT_REGS_PARM3(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
 #define PT_REGS_PARM4(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
 #define PT_REGS_PARM5(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
 #define PT_REGS_RET(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
 #define PT_REGS_FP(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
 #define PT_REGS_RC(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
 #define PT_REGS_SP(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
 #define PT_REGS_IP(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
 #define PT_REGS_PARM1_CORE(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
 #define PT_REGS_PARM2_CORE(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
 #define PT_REGS_PARM3_CORE(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
 #define PT_REGS_PARM4_CORE(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
 #define PT_REGS_PARM5_CORE(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
 #define PT_REGS_RET_CORE(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
 #define PT_REGS_FP_CORE(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
 #define PT_REGS_RC_CORE(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
 #define PT_REGS_SP_CORE(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
 #define PT_REGS_IP_CORE(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
 #define BPF_KPROBE_READ_RET_IP(ip, ctx) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
 #define BPF_KRETPROBE_READ_RET_IP(ip, ctx) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
 #define PT_REGS_PARM1_SYSCALL(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
 #define PT_REGS_PARM2_SYSCALL(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
 #define PT_REGS_PARM3_SYSCALL(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
 #define PT_REGS_PARM4_SYSCALL(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
 #define PT_REGS_PARM5_SYSCALL(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
 #define PT_REGS_PARM1_CORE_SYSCALL(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
 #define PT_REGS_PARM2_CORE_SYSCALL(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
 #define PT_REGS_PARM3_CORE_SYSCALL(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
 #define PT_REGS_PARM4_CORE_SYSCALL(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
 #define PT_REGS_PARM5_CORE_SYSCALL(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
 #endif /* defined(bpf_target_defined) */
 /*
 * When invoked from a syscall handler kprobe, returns a pointer to a
 * struct pt_regs containing syscall arguments and suitable for passing to
 * PT_REGS_PARMn_SYSCALL() and PT_REGS_PARMn_CORE_SYSCALL().
 */
 #ifndef PT_REGS_SYSCALL_REGS
 /* By default, assume that the arch selects ARCH_HAS_SYSCALL_WRAPPER. */
 #define PT_REGS_SYSCALL_REGS(ctx) ((struct pt_regs *)PT_REGS_PARM1(ctx))
 #endif
 #ifndef ___bpf_concat
 #define ___bpf_concat(a, b) a ## b
 #endif
 #ifndef ___bpf_apply
 #define ___bpf_apply(fn, n) ___bpf_concat(fn, n)
 #endif
 #ifndef ___bpf_nth
 #define ___bpf_nth(_, _1, _2, _3, _4, _5, _6, _7, _8, _9, _a, _b, _c, N, ...) N
 #endif
 #ifndef ___bpf_narg
 #define ___bpf_narg(...) ___bpf_nth(_, ##__VA_ARGS__, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0)
 #endif
 #define ___bpf_ctx_cast0()            ctx
 #define ___bpf_ctx_cast1(x)           ___bpf_ctx_cast0(), (void *)ctx[0]
 #define ___bpf_ctx_cast2(x, args...)  ___bpf_ctx_cast1(args), (void *)ctx[1]
 #define ___bpf_ctx_cast3(x, args...)  ___bpf_ctx_cast2(args), (void *)ctx[2]
 #define ___bpf_ctx_cast4(x, args...)  ___bpf_ctx_cast3(args), (void *)ctx[3]
 #define ___bpf_ctx_cast5(x, args...)  ___bpf_ctx_cast4(args), (void *)ctx[4]
 #define ___bpf_ctx_cast6(x, args...)  ___bpf_ctx_cast5(args), (void *)ctx[5]
 #define ___bpf_ctx_cast7(x, args...)  ___bpf_ctx_cast6(args), (void *)ctx[6]
 #define ___bpf_ctx_cast8(x, args...)  ___bpf_ctx_cast7(args), (void *)ctx[7]
 #define ___bpf_ctx_cast9(x, args...)  ___bpf_ctx_cast8(args), (void *)ctx[8]
 #define ___bpf_ctx_cast10(x, args...) ___bpf_ctx_cast9(args), (void *)ctx[9]
 #define ___bpf_ctx_cast11(x, args...) ___bpf_ctx_cast10(args), (void *)ctx[10]
 #define ___bpf_ctx_cast12(x, args...) ___bpf_ctx_cast11(args), (void *)ctx[11]
 #define ___bpf_ctx_cast(args...)      ___bpf_apply(___bpf_ctx_cast, ___bpf_narg(args))(args)
 /*
 * BPF_PROG is a convenience wrapper for generic tp_btf/fentry/fexit and
 * similar kinds of BPF programs, that accept input arguments as a single
 * pointer to untyped u64 array, where each u64 can actually be a typed
 * pointer or integer of different size. Instead of requring user to write
 * manual casts and work with array elements by index, BPF_PROG macro
 * allows user to declare a list of named and typed input arguments in the
 * same syntax as for normal C function. All the casting is hidden and
 * performed transparently, while user code can just assume working with
 * function arguments of specified type and name.
 *
 * Original raw context argument is preserved as well as 'ctx' argument.
 * This is useful when using BPF helpers that expect original context
 * as one of the parameters (e.g., for bpf_perf_event_output()).
 */
 #define BPF_PROG(name, args...)						    \
 name(unsigned long long *ctx);						    \
 static __attribute__((always_inline)) typeof(name(0))			    \
 ____##name(unsigned long long *ctx, ##args);				    \
 typeof(name(0)) name(unsigned long long *ctx)				    \
 {									    \
 	_Pragma("GCC diagnostic push")					    \
 	_Pragma("GCC diagnostic ignored \"-Wint-conversion\"")		    \
 	return ____##name(___bpf_ctx_cast(args));			    \
 	_Pragma("GCC diagnostic pop")					    \
 }									    \
 static __attribute__((always_inline)) typeof(name(0))			    \
 ____##name(unsigned long long *ctx, ##args)
 struct pt_regs;
 #define ___bpf_kprobe_args0()           ctx
 #define ___bpf_kprobe_args1(x)          ___bpf_kprobe_args0(), (void *)PT_REGS_PARM1(ctx)
 #define ___bpf_kprobe_args2(x, args...) ___bpf_kprobe_args1(args), (void *)PT_REGS_PARM2(ctx)
 #define ___bpf_kprobe_args3(x, args...) ___bpf_kprobe_args2(args), (void *)PT_REGS_PARM3(ctx)
 #define ___bpf_kprobe_args4(x, args...) ___bpf_kprobe_args3(args), (void *)PT_REGS_PARM4(ctx)
 #define ___bpf_kprobe_args5(x, args...) ___bpf_kprobe_args4(args), (void *)PT_REGS_PARM5(ctx)
 #define ___bpf_kprobe_args(args...)     ___bpf_apply(___bpf_kprobe_args, ___bpf_narg(args))(args)
 /*
 * BPF_KPROBE serves the same purpose for kprobes as BPF_PROG for
 * tp_btf/fentry/fexit BPF programs. It hides the underlying platform-specific
 * low-level way of getting kprobe input arguments from struct pt_regs, and
 * provides a familiar typed and named function arguments syntax and
 * semantics of accessing kprobe input paremeters.
 *
 * Original struct pt_regs* context is preserved as 'ctx' argument. This might
 * be necessary when using BPF helpers like bpf_perf_event_output().
 */
 #define BPF_KPROBE(name, args...)					    \
 name(struct pt_regs *ctx);						    \
 static __attribute__((always_inline)) typeof(name(0))			    \
 ____##name(struct pt_regs *ctx, ##args);				    \
 typeof(name(0)) name(struct pt_regs *ctx)				    \
 {									    \
 	_Pragma("GCC diagnostic push")					    \
 	_Pragma("GCC diagnostic ignored \"-Wint-conversion\"")		    \
 	return ____##name(___bpf_kprobe_args(args));			    \
 	_Pragma("GCC diagnostic pop")					    \
 }									    \
 static __attribute__((always_inline)) typeof(name(0))			    \
 ____##name(struct pt_regs *ctx, ##args)
 #define ___bpf_kretprobe_args0()       ctx
 #define ___bpf_kretprobe_args1(x)      ___bpf_kretprobe_args0(), (void *)PT_REGS_RC(ctx)
 #define ___bpf_kretprobe_args(args...) ___bpf_apply(___bpf_kretprobe_args, ___bpf_narg(args))(args)
 /*
 * BPF_KRETPROBE is similar to BPF_KPROBE, except, it only provides optional
 * return value (in addition to `struct pt_regs *ctx`), but no input
 * arguments, because they will be clobbered by the time probed function
 * returns.
 */
 #define BPF_KRETPROBE(name, args...)					    \
 name(struct pt_regs *ctx);						    \
 static __attribute__((always_inline)) typeof(name(0))			    \
 ____##name(struct pt_regs *ctx, ##args);				    \
 typeof(name(0)) name(struct pt_regs *ctx)				    \
 {									    \
 	_Pragma("GCC diagnostic push")					    \
 	_Pragma("GCC diagnostic ignored \"-Wint-conversion\"")		    \
 	return ____##name(___bpf_kretprobe_args(args));			    \
 	_Pragma("GCC diagnostic pop")					    \
 }									    \
 static __always_inline typeof(name(0)) ____##name(struct pt_regs *ctx, ##args)
 /* If kernel has CONFIG_ARCH_HAS_SYSCALL_WRAPPER, read pt_regs directly */
 #define ___bpf_syscall_args0()           ctx
 #define ___bpf_syscall_args1(x)          ___bpf_syscall_args0(), (void *)PT_REGS_PARM1_SYSCALL(regs)
 #define ___bpf_syscall_args2(x, args...) ___bpf_syscall_args1(args), (void *)PT_REGS_PARM2_SYSCALL(regs)
 #define ___bpf_syscall_args3(x, args...) ___bpf_syscall_args2(args), (void *)PT_REGS_PARM3_SYSCALL(regs)
 #define ___bpf_syscall_args4(x, args...) ___bpf_syscall_args3(args), (void *)PT_REGS_PARM4_SYSCALL(regs)
 #define ___bpf_syscall_args5(x, args...) ___bpf_syscall_args4(args), (void *)PT_REGS_PARM5_SYSCALL(regs)
 #define ___bpf_syscall_args(args...)     ___bpf_apply(___bpf_syscall_args, ___bpf_narg(args))(args)
 /* If kernel doesn't have CONFIG_ARCH_HAS_SYSCALL_WRAPPER, we have to BPF_CORE_READ from pt_regs */
 #define ___bpf_syswrap_args0()           ctx
 #define ___bpf_syswrap_args1(x)          ___bpf_syswrap_args0(), (void *)PT_REGS_PARM1_CORE_SYSCALL(regs)
 #define ___bpf_syswrap_args2(x, args...) ___bpf_syswrap_args1(args), (void *)PT_REGS_PARM2_CORE_SYSCALL(regs)
 #define ___bpf_syswrap_args3(x, args...) ___bpf_syswrap_args2(args), (void *)PT_REGS_PARM3_CORE_SYSCALL(regs)
 #define ___bpf_syswrap_args4(x, args...) ___bpf_syswrap_args3(args), (void *)PT_REGS_PARM4_CORE_SYSCALL(regs)
 #define ___bpf_syswrap_args5(x, args...) ___bpf_syswrap_args4(args), (void *)PT_REGS_PARM5_CORE_SYSCALL(regs)
 #define ___bpf_syswrap_args(args...)     ___bpf_apply(___bpf_syswrap_args, ___bpf_narg(args))(args)
 /*
 * BPF_KSYSCALL is a variant of BPF_KPROBE, which is intended for
 * tracing syscall functions, like __x64_sys_close. It hides the underlying
 * platform-specific low-level way of getting syscall input arguments from
 * struct pt_regs, and provides a familiar typed and named function arguments
 * syntax and semantics of accessing syscall input parameters.
 *
 * Original struct pt_regs * context is preserved as 'ctx' argument. This might
 * be necessary when using BPF helpers like bpf_perf_event_output().
 *
 * At the moment BPF_KSYSCALL does not transparently handle all the calling
 * convention quirks for the following syscalls:
 *
 * - mmap(): __ARCH_WANT_SYS_OLD_MMAP.
 * - clone(): CONFIG_CLONE_BACKWARDS, CONFIG_CLONE_BACKWARDS2 and
 *            CONFIG_CLONE_BACKWARDS3.
 * - socket-related syscalls: __ARCH_WANT_SYS_SOCKETCALL.
 * - compat syscalls.
 *
 * This may or may not change in the future. User needs to take extra measures
 * to handle such quirks explicitly, if necessary.
 *
 * This macro relies on BPF CO-RE support and virtual __kconfig externs.
 */
 #define BPF_KSYSCALL(name, args...)					    \
 name(struct pt_regs *ctx);						    \
 extern _Bool LINUX_HAS_SYSCALL_WRAPPER __kconfig;			    \
 static __attribute__((always_inline)) typeof(name(0))			    \
 ____##name(struct pt_regs *ctx, ##args);				    \
 typeof(name(0)) name(struct pt_regs *ctx)				    \
 {									    \
 	struct pt_regs *regs = LINUX_HAS_SYSCALL_WRAPPER		    \
 			       ? (struct pt_regs *)PT_REGS_PARM1(ctx)	    \
 			       : ctx;					    \
 	_Pragma("GCC diagnostic push")					    \
 	_Pragma("GCC diagnostic ignored \"-Wint-conversion\"")		    \
 	if (LINUX_HAS_SYSCALL_WRAPPER)					    \
 		return ____##name(___bpf_syswrap_args(args));		    \
 	else								    \
 		return ____##name(___bpf_syscall_args(args));		    \
 	_Pragma("GCC diagnostic pop")					    \
 }									    \
 static __attribute__((always_inline)) typeof(name(0))			    \
 ____##name(struct pt_regs *ctx, ##args)
 #define BPF_KPROBE_SYSCALL BPF_KSYSCALL
 #endif
--- a/ebpf_prog/common_defs.h
+++ b/ebpf_prog/common_defs.h
@ -4,9 +4,9 @@
 #include <linux/sched.h>
 #include <linux/ptrace.h>
 #include <uapi/linux/bpf.h>
-#include <bpf/bpf_helpers.h>
+#include "bpf_headers/bpf_helpers.h"
-#include <bpf/bpf_tracing.h> 
+#include "bpf_headers/bpf_tracing.h"
-#include <bpf/bpf_core_read.h> 
+//#include <bpf/bpf_core_read.h> 
 #define BUF_SIZE_MAP_NS 256
 #define MAPSIZE 12000
--- a/ebpf_prog/file.patch
+++ b/ebpf_prog/file.patch
@ -1,11 +0,0 @@
 --- linux-5.8/tools/lib/bpf/bpf_helpers.h	2020-08-03 00:21:45.000000000 +0300
 +++ linux-5.8/tools/lib/bpf/bpf_helpersnew.h	2021-02-23 18:45:21.789624834 +0300
@@ -54,7 +54,7 @@
  * Helper structure used by eBPF C program
  * to describe BPF map attributes to libbpf loader
  */
 -struct bpf_map_def {
 +struct bpf_map_defold {
 	unsigned int type;
 	unsigned int key_size;
 	unsigned int value_size;
--- a/ebpf_prog/opensnitch-dns.c
+++ b/ebpf_prog/opensnitch-dns.c
@ -8,31 +8,10 @@
 #include <net/sock.h>
 #include <uapi/linux/bpf.h>
 #include <uapi/linux/tcp.h>
-#include <bpf/bpf_helpers.h>
+#include "common_defs.h"
-#include <bpf/bpf_tracing.h>
+#include "bpf_headers/bpf_helpers.h"
 #include "bpf_headers/bpf_tracing.h"
 #define MAPSIZE 12000
 //-------------------------------map definitions
 // which github.com/iovisor/gobpf/elf expects
 #define BUF_SIZE_MAP_NS 256
 typedef struct bpf_map_def {
    unsigned int type;
    unsigned int key_size;
    unsigned int value_size;
    unsigned int max_entries;
    unsigned int map_flags;
    unsigned int pinning;
    char namespace[BUF_SIZE_MAP_NS];
 } bpf_map_def;
 enum bpf_pin_type {
    PIN_NONE = 0,
    PIN_OBJECT_NS,
    PIN_GLOBAL_NS,
    PIN_CUSTOM_NS,
 };
 //-----------------------------------
 #define MAX_ALIASES 5
--- a/utils/packaging/build_modules.sh
+++ b/utils/packaging/build_modules.sh
@ -34,12 +34,8 @@ tar -xf v${kernel_version}.tar.gz && echo "OK" || echo "ERROR"
 echo "[+] Patching kernel sources"
 if [ "${ARCH}" == "arm" -o "${ARCH}" == "arm64" ]; then
 	patch linux-${kernel_version}/arch/arm/include/asm/unified.h < ebpf_prog/arm-clang-asm-fix.patch
 else
 	patch linux-${kernel_version}/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch
 fi
 cp ebpf_prog/opensnitch*.c ebpf_prog/common.h ebpf_prog/common_defs.h ebpf_prog/Makefile linux-${kernel_version}/samples/bpf
 echo -n "[+] Preparing kernel sources... (1-2 minutes): "
 echo -n "."
 cd linux-${kernel_version} && yes "" | make oldconfig 1>/dev/null
@ -48,20 +44,27 @@ make prepare 1>/dev/null
 echo -n "."
 make headers_install 1>/dev/null
 echo " DONE"
 cd ../
 if [ -z $ARCH ]; then
    ARCH=x86
 fi
 echo "[+] Compiling eBPF modules..."
-cd samples/bpf && make 1>/dev/null
+cd ebpf_prog && make KERNEL_DIR=../linux-${kernel_version} KERNEL_HEADERS=../linux-${kernel_version} ARCH=${ARCH} >/dev/null
 # objdump -h opensnitch.o #you should see many section, number 1 should be called kprobe/tcp_v4_connect
-if [ ! -d ../../../ebpf_prog/modules/ ]; then
+if [ ! -d modules/ ]; then
-    mkdir ../../../ebpf_prog/modules/
+    mkdir modules/
 fi
-cp opensnitch*o ../../../ebpf_prog/modules/
+mv opensnitch*o modules/
-cd ../../../
+cd ../
-llvm-strip -g ebpf_prog/modules/opensnitch.o #remove debug info
+llvm-strip -g ebpf_prog/modules/opensnitch*.o #remove debug info
 if [ -f ebpf_prog/modules/opensnitch.o ]; then
    echo
    ls ebpf_prog/modules/*.o
    echo -e "\n * eBPF modules compiled. Now you can copy the *.o files to /etc/opensnitchd/ and restart the daemon\n"
 else
    echo -e "\n [WARN] opensnitch.o module not compiled\n"
 fi