Track network interfaces with cilium ebpf-go

Question

I'm trying to write a go program that write something in the terminal each time a new network interface is created. To do that I'm using the Go library Cilium ebpf-go (https://github.com/cilium/ebpf). I'm new to ebpf so I need a help. For the moment what I understood is that I have to use a kprobe or fentry program, since I have to attach the ebpf program to a function which not have a defined tracepoint to use. I looked in the linux kernel and I'm pretty sure that I should attach the program to dev_alloc_name or rtnl_create_link but please let me know if I'm wrong. Also, since it's the first time I write something using this library as first thing I tried to take examples from the repository and modify them. I tried with the kprobe one (https://github.com/cilium/ebpf/tree/main/examples/kprobe) and the fentry one (https://github.com/cilium/ebpf/tree/main/examples/fentry) but I'm facing some difficulties to understand how they work.

Answer 1

Did you consider just using LinkSubscribe from the Golang netlink library, as follows?

ctx, cancel := context.WithCancel(context.Background())
updates := make(chan netlink.LinkUpdate)

if err := netlink.LinkSubscribe(updates, ctx.Done()); err != nil {
    log.WithError(err).Fatal("Failed to subscribe for link changes")
}

See how Cilium uses it for a more complete examples: pkg/datapath/loader/netlink.go#L480.