* How to get system localtime/wall time from eBPF?
@ 2023-03-20 15:33 Vincent Li
2023-03-20 17:15 ` Jesper Dangaard Brouer
0 siblings, 1 reply; 8+ messages in thread
From: Vincent Li @ 2023-03-20 15:33 UTC (permalink / raw)
To: xdp-newbies
Hi,
if I have a XDP based firewall to block ip access based on system
localtime/wall time, is it still impossible like what mentioned here
https://github.com/xdp-project/xdp-tutorial/issues/204#issuecomment-819419800?
If so, is there any way to workaround this?
Thanks!
Vincent
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: How to get system localtime/wall time from eBPF?
2023-03-20 15:33 How to get system localtime/wall time from eBPF? Vincent Li
@ 2023-03-20 17:15 ` Jesper Dangaard Brouer
2023-03-20 21:57 ` Vincent Li
0 siblings, 1 reply; 8+ messages in thread
From: Jesper Dangaard Brouer @ 2023-03-20 17:15 UTC (permalink / raw)
To: Vincent Li, xdp-newbies; +Cc: brouer
On 20/03/2023 16.33, Vincent Li wrote:
>
> if I have a XDP based firewall to block ip access based on system
> localtime/wall time, is it still impossible like what mentioned here
> https://github.com/xdp-project/xdp-tutorial/issues/204#issuecomment-819419800?
> If so, is there any way to workaround this?
You could use the BPF-helper named: bpf_ktime_get_tai_ns()
See man clock_gettime(2). It is the same as CLOCK_TAI, which is
(currently) offset with 37 sec to CLOCK_REALTIME which is wall-clock.
Perhaps kernel should be extended with a bpf_ktime_get_wall_ns() ?
--Jesper
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: How to get system localtime/wall time from eBPF?
2023-03-20 17:15 ` Jesper Dangaard Brouer
@ 2023-03-20 21:57 ` Vincent Li
2023-03-21 17:27 ` Vincent Li
0 siblings, 1 reply; 8+ messages in thread
From: Vincent Li @ 2023-03-20 21:57 UTC (permalink / raw)
To: Jesper Dangaard Brouer; +Cc: xdp-newbies, brouer
On Mon, Mar 20, 2023 at 10:15 AM Jesper Dangaard Brouer
<jbrouer@redhat.com> wrote:
>
>
> On 20/03/2023 16.33, Vincent Li wrote:
> >
> > if I have a XDP based firewall to block ip access based on system
> > localtime/wall time, is it still impossible like what mentioned here
> > https://github.com/xdp-project/xdp-tutorial/issues/204#issuecomment-819419800?
> > If so, is there any way to workaround this?
>
> You could use the BPF-helper named: bpf_ktime_get_tai_ns()
>
> See man clock_gettime(2). It is the same as CLOCK_TAI, which is
> (currently) offset with 37 sec to CLOCK_REALTIME which is wall-clock.
>
> Perhaps kernel should be extended with a bpf_ktime_get_wall_ns() ?
>
I guess it would be useful, I have a scenario that only allow ip
access between 07:00AM - 10:30PM for middle school kids everyday. now
I use cron job to run an user space program to add/delete IP from eBPF
map pinned by the XDP firewall program :)
> --Jesper
>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: How to get system localtime/wall time from eBPF?
2023-03-20 21:57 ` Vincent Li
@ 2023-03-21 17:27 ` Vincent Li
2023-03-21 17:37 ` Vincent Li
2023-03-21 17:43 ` Toke Høiland-Jørgensen
0 siblings, 2 replies; 8+ messages in thread
From: Vincent Li @ 2023-03-21 17:27 UTC (permalink / raw)
To: Jesper Dangaard Brouer; +Cc: xdp-newbies, brouer
On Mon, Mar 20, 2023 at 2:57 PM Vincent Li <vincent.mc.li@gmail.com> wrote:
>
> On Mon, Mar 20, 2023 at 10:15 AM Jesper Dangaard Brouer
> <jbrouer@redhat.com> wrote:
> >
> >
> > On 20/03/2023 16.33, Vincent Li wrote:
> > >
> > > if I have a XDP based firewall to block ip access based on system
> > > localtime/wall time, is it still impossible like what mentioned here
> > > https://github.com/xdp-project/xdp-tutorial/issues/204#issuecomment-819419800?
> > > If so, is there any way to workaround this?
> >
> > You could use the BPF-helper named: bpf_ktime_get_tai_ns()
> >
> > See man clock_gettime(2). It is the same as CLOCK_TAI, which is
> > (currently) offset with 37 sec to CLOCK_REALTIME which is wall-clock.
> >
sorry a follow-up question, the bpf_ktime_get_tai_ns will return time
as nano seconds, right?
I do not need the nanoseconds precision, I only need HH:MM like hours
and minutes of the day, for example 10:30 = 10 * 60 + 30 is good
enough,
any trick get that from bpf_ktime_get_tai_ns()
> > Perhaps kernel should be extended with a bpf_ktime_get_wall_ns() ?
> >
> I guess it would be useful, I have a scenario that only allow ip
> access between 07:00AM - 10:30PM for middle school kids everyday. now
> I use cron job to run an user space program to add/delete IP from eBPF
> map pinned by the XDP firewall program :)
>
> > --Jesper
> >
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: How to get system localtime/wall time from eBPF?
2023-03-21 17:27 ` Vincent Li
@ 2023-03-21 17:37 ` Vincent Li
2023-03-21 17:43 ` Toke Høiland-Jørgensen
1 sibling, 0 replies; 8+ messages in thread
From: Vincent Li @ 2023-03-21 17:37 UTC (permalink / raw)
To: Jesper Dangaard Brouer; +Cc: xdp-newbies, brouer
On Tue, Mar 21, 2023 at 10:27 AM Vincent Li <vincent.mc.li@gmail.com> wrote:
>
> On Mon, Mar 20, 2023 at 2:57 PM Vincent Li <vincent.mc.li@gmail.com> wrote:
> >
> > On Mon, Mar 20, 2023 at 10:15 AM Jesper Dangaard Brouer
> > <jbrouer@redhat.com> wrote:
> > >
> > >
> > > On 20/03/2023 16.33, Vincent Li wrote:
> > > >
> > > > if I have a XDP based firewall to block ip access based on system
> > > > localtime/wall time, is it still impossible like what mentioned here
> > > > https://github.com/xdp-project/xdp-tutorial/issues/204#issuecomment-819419800?
> > > > If so, is there any way to workaround this?
> > >
> > > You could use the BPF-helper named: bpf_ktime_get_tai_ns()
> > >
> > > See man clock_gettime(2). It is the same as CLOCK_TAI, which is
> > > (currently) offset with 37 sec to CLOCK_REALTIME which is wall-clock.
> > >
>
> sorry a follow-up question, the bpf_ktime_get_tai_ns will return time
> as nano seconds, right?
> I do not need the nanoseconds precision, I only need HH:MM like hours
> and minutes of the day, for example 10:30 = 10 * 60 + 30 is good
> enough,
> any trick get that from bpf_ktime_get_tai_ns()
>
so I guess I just do bpf_ktime_get_tai_ns() / 60000000000 to convert
to minutes ?
> > > Perhaps kernel should be extended with a bpf_ktime_get_wall_ns() ?
> > >
> > I guess it would be useful, I have a scenario that only allow ip
> > access between 07:00AM - 10:30PM for middle school kids everyday. now
> > I use cron job to run an user space program to add/delete IP from eBPF
> > map pinned by the XDP firewall program :)
> >
> > > --Jesper
> > >
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: How to get system localtime/wall time from eBPF?
2023-03-21 17:27 ` Vincent Li
2023-03-21 17:37 ` Vincent Li
@ 2023-03-21 17:43 ` Toke Høiland-Jørgensen
2023-03-21 17:55 ` Vincent Li
1 sibling, 1 reply; 8+ messages in thread
From: Toke Høiland-Jørgensen @ 2023-03-21 17:43 UTC (permalink / raw)
To: Vincent Li, Jesper Dangaard Brouer; +Cc: xdp-newbies, brouer
Vincent Li <vincent.mc.li@gmail.com> writes:
> On Mon, Mar 20, 2023 at 2:57 PM Vincent Li <vincent.mc.li@gmail.com> wrote:
>>
>> On Mon, Mar 20, 2023 at 10:15 AM Jesper Dangaard Brouer
>> <jbrouer@redhat.com> wrote:
>> >
>> >
>> > On 20/03/2023 16.33, Vincent Li wrote:
>> > >
>> > > if I have a XDP based firewall to block ip access based on system
>> > > localtime/wall time, is it still impossible like what mentioned here
>> > > https://github.com/xdp-project/xdp-tutorial/issues/204#issuecomment-819419800?
>> > > If so, is there any way to workaround this?
>> >
>> > You could use the BPF-helper named: bpf_ktime_get_tai_ns()
>> >
>> > See man clock_gettime(2). It is the same as CLOCK_TAI, which is
>> > (currently) offset with 37 sec to CLOCK_REALTIME which is wall-clock.
>> >
>
> sorry a follow-up question, the bpf_ktime_get_tai_ns will return time
> as nano seconds, right?
> I do not need the nanoseconds precision, I only need HH:MM like hours
> and minutes of the day, for example 10:30 = 10 * 60 + 30 is good
> enough,
> any trick get that from bpf_ktime_get_tai_ns()
Populate the time at latest midnight from userspace when installing the
program and calculate offsets from that?
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: How to get system localtime/wall time from eBPF?
2023-03-21 17:43 ` Toke Høiland-Jørgensen
@ 2023-03-21 17:55 ` Vincent Li
2023-03-21 18:04 ` Fingerhut, John Andy
0 siblings, 1 reply; 8+ messages in thread
From: Vincent Li @ 2023-03-21 17:55 UTC (permalink / raw)
To: Toke Høiland-Jørgensen
Cc: Jesper Dangaard Brouer, xdp-newbies, brouer
On Tue, Mar 21, 2023 at 10:43 AM Toke Høiland-Jørgensen <toke@redhat.com> wrote:
>
> Vincent Li <vincent.mc.li@gmail.com> writes:
>
> > On Mon, Mar 20, 2023 at 2:57 PM Vincent Li <vincent.mc.li@gmail.com> wrote:
> >>
> >> On Mon, Mar 20, 2023 at 10:15 AM Jesper Dangaard Brouer
> >> <jbrouer@redhat.com> wrote:
> >> >
> >> >
> >> > On 20/03/2023 16.33, Vincent Li wrote:
> >> > >
> >> > > if I have a XDP based firewall to block ip access based on system
> >> > > localtime/wall time, is it still impossible like what mentioned here
> >> > > https://github.com/xdp-project/xdp-tutorial/issues/204#issuecomment-819419800?
> >> > > If so, is there any way to workaround this?
> >> >
> >> > You could use the BPF-helper named: bpf_ktime_get_tai_ns()
> >> >
> >> > See man clock_gettime(2). It is the same as CLOCK_TAI, which is
> >> > (currently) offset with 37 sec to CLOCK_REALTIME which is wall-clock.
> >> >
> >
> > sorry a follow-up question, the bpf_ktime_get_tai_ns will return time
> > as nano seconds, right?
> > I do not need the nanoseconds precision, I only need HH:MM like hours
> > and minutes of the day, for example 10:30 = 10 * 60 + 30 is good
> > enough,
> > any trick get that from bpf_ktime_get_tai_ns()
>
> Populate the time at latest midnight from userspace when installing the
> program and calculate offsets from that?
>
Yes, I populated the map with 10 * 60 + 30 from user space, the
remaining question is how to get minutes of the day from
bpf_ktime_get_tai_ns(), I guess that is what you mean to calculate the
offsets from kernel bpf code?
^ permalink raw reply [flat|nested] 8+ messages in thread
* RE: How to get system localtime/wall time from eBPF?
2023-03-21 17:55 ` Vincent Li
@ 2023-03-21 18:04 ` Fingerhut, John Andy
0 siblings, 0 replies; 8+ messages in thread
From: Fingerhut, John Andy @ 2023-03-21 18:04 UTC (permalink / raw)
To: Vincent Li, Toke Høiland-Jørgensen
Cc: Jesper Dangaard Brouer, xdp-newbies@vger.kernel.org,
Brouer, Jesper
I may have misunderstood the goal of getting the time in the questioner's particular use case, but if it is a time-based decision of allowing/denying traffic for fairly long blocks of time, you could have a user-space program populating an ebpf table with the current "allow/deny" setting for now, and have the user space program update that when it changes.
Populating the delta between the time that is currently readable from the ebpf code, vs. one that cannot, from a user-space program, as suggested by another person, is another workable approach with no kernel enhancements required. Update that delta as often as you think you need to, e.g. even doing it once per minute is low CPU overhead.
Andy
-----Original Message-----
From: Vincent Li <vincent.mc.li@gmail.com>
Sent: Tuesday, March 21, 2023 1:55 PM
To: Toke Høiland-Jørgensen <toke@redhat.com>
Cc: Jesper Dangaard Brouer <jbrouer@redhat.com>; xdp-newbies@vger.kernel.org; Brouer, Jesper <brouer@redhat.com>
Subject: Re: How to get system localtime/wall time from eBPF?
On Tue, Mar 21, 2023 at 10:43 AM Toke Høiland-Jørgensen <toke@redhat.com> wrote:
>
> Vincent Li <vincent.mc.li@gmail.com> writes:
>
> > On Mon, Mar 20, 2023 at 2:57 PM Vincent Li <vincent.mc.li@gmail.com> wrote:
> >>
> >> On Mon, Mar 20, 2023 at 10:15 AM Jesper Dangaard Brouer
> >> <jbrouer@redhat.com> wrote:
> >> >
> >> >
> >> > On 20/03/2023 16.33, Vincent Li wrote:
> >> > >
> >> > > if I have a XDP based firewall to block ip access based on
> >> > > system localtime/wall time, is it still impossible like what
> >> > > mentioned here https://github.com/xdp-project/xdp-tutorial/issues/204#issuecomment-819419800?
> >> > > If so, is there any way to workaround this?
> >> >
> >> > You could use the BPF-helper named: bpf_ktime_get_tai_ns()
> >> >
> >> > See man clock_gettime(2). It is the same as CLOCK_TAI, which is
> >> > (currently) offset with 37 sec to CLOCK_REALTIME which is wall-clock.
> >> >
> >
> > sorry a follow-up question, the bpf_ktime_get_tai_ns will return
> > time as nano seconds, right?
> > I do not need the nanoseconds precision, I only need HH:MM like
> > hours and minutes of the day, for example 10:30 = 10 * 60 + 30 is
> > good enough, any trick get that from bpf_ktime_get_tai_ns()
>
> Populate the time at latest midnight from userspace when installing
> the program and calculate offsets from that?
>
Yes, I populated the map with 10 * 60 + 30 from user space, the remaining question is how to get minutes of the day from bpf_ktime_get_tai_ns(), I guess that is what you mean to calculate the offsets from kernel bpf code?
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2023-03-21 18:05 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-03-20 15:33 How to get system localtime/wall time from eBPF? Vincent Li
2023-03-20 17:15 ` Jesper Dangaard Brouer
2023-03-20 21:57 ` Vincent Li
2023-03-21 17:27 ` Vincent Li
2023-03-21 17:37 ` Vincent Li
2023-03-21 17:43 ` Toke Høiland-Jørgensen
2023-03-21 17:55 ` Vincent Li
2023-03-21 18:04 ` Fingerhut, John Andy
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.