1 .\" Man page generated from reStructuredText.
4 .nr rst2man-indent-level 0
8 level \\n[rst2man-indent-level]
9 level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
16 .\" .rstReportMargin pre:
18 . nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
19 . nr rst2man-indent-level +1
20 .\" .rstReportMargin post:
24 .\" indent \\n[an-margin]
25 .\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
26 .nr rst2man-indent-level -1
27 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
28 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
30 .TH "BPF-HELPERS" 7 "2024-01-23" "Linux v6.9"
32 BPF-HELPERS \- list of eBPF helper functions
33 .\" Copyright (C) All BPF authors and contributors from 2014 to present.
35 .\" See git log include/uapi/linux/bpf.h in kernel tree for details.
39 .\" SPDX-License-Identifier: Linux-man-pages-copyleft
43 .\" Please do not edit this file. It was generated from the documentation
45 .\" located in file include/uapi/linux/bpf.h of the Linux kernel sources
47 .\" (helpers description), and from scripts/bpf_doc.py in the same
49 .\" repository (header and footer).
53 The extended Berkeley Packet Filter (eBPF) subsystem consists in programs
54 written in a pseudo\-assembly language, then attached to one of the several
55 kernel hooks and run in reaction of specific events. This framework differs
56 from the older, \(dqclassic\(dq BPF (or \(dqcBPF\(dq) in several aspects, one of them being
57 the ability to call special functions (or \(dqhelpers\(dq) from within a program.
58 These functions are restricted to a white\-list of helpers defined in the
61 These helpers are used by eBPF programs to interact with the system, or with
62 the context in which they work. For instance, they can be used to print
63 debugging messages, to get the time since the system was booted, to interact
64 with eBPF maps, or to manipulate network packets. Since there are several eBPF
65 program types, and that they do not run in the same context, each program type
66 can only call a subset of those helpers.
68 Due to eBPF conventions, a helper can not have more than five arguments.
70 Internally, eBPF programs call directly into the compiled helper functions
71 without requiring any foreign\-function interface. As a result, calling helpers
72 introduces no overhead, thus offering excellent performance.
74 This document is an attempt to list and document the helpers available to eBPF
75 developers. They are sorted by chronological order (the oldest helpers in the
80 .B \fBvoid *bpf_map_lookup_elem(struct bpf_map *\fP\fImap\fP\fB, const void *\fP\fIkey\fP\fB)\fP
84 Perform a lookup in \fImap\fP for an entry associated to \fIkey\fP\&.
87 Map value associated to \fIkey\fP, or \fBNULL\fP if no entry was
91 .B \fBlong bpf_map_update_elem(struct bpf_map *\fP\fImap\fP\fB, const void *\fP\fIkey\fP\fB, const void *\fP\fIvalue\fP\fB, u64\fP \fIflags\fP\fB)\fP
95 Add or update the value of the entry associated to \fIkey\fP in
96 \fImap\fP with \fIvalue\fP\&. \fIflags\fP is one of:
100 The entry for \fIkey\fP must not exist in the map.
103 The entry for \fIkey\fP must already exist in the map.
106 No condition on the existence of the entry for \fIkey\fP\&.
109 Flag value \fBBPF_NOEXIST\fP cannot be used for maps of types
110 \fBBPF_MAP_TYPE_ARRAY\fP or \fBBPF_MAP_TYPE_PERCPU_ARRAY\fP (all
111 elements always exist), the helper would return an error.
114 0 on success, or a negative error in case of failure.
117 .B \fBlong bpf_map_delete_elem(struct bpf_map *\fP\fImap\fP\fB, const void *\fP\fIkey\fP\fB)\fP
121 Delete entry with \fIkey\fP from \fImap\fP\&.
124 0 on success, or a negative error in case of failure.
127 .B \fBlong bpf_probe_read(void *\fP\fIdst\fP\fB, u32\fP \fIsize\fP\fB, const void *\fP\fIunsafe_ptr\fP\fB)\fP
131 For tracing programs, safely attempt to read \fIsize\fP bytes from
132 kernel space address \fIunsafe_ptr\fP and store the data in \fIdst\fP\&.
134 Generally, use \fBbpf_probe_read_user\fP() or
135 \fBbpf_probe_read_kernel\fP() instead.
138 0 on success, or a negative error in case of failure.
141 .B \fBu64 bpf_ktime_get_ns(void)\fP
145 Return the time elapsed since system boot, in nanoseconds.
146 Does not include time the system was suspended.
147 See: \fBclock_gettime\fP(\fBCLOCK_MONOTONIC\fP)
150 Current \fIktime\fP\&.
153 .B \fBlong bpf_trace_printk(const char *\fP\fIfmt\fP\fB, u32\fP \fIfmt_size\fP\fB, ...)\fP
157 This helper is a \(dqprintk()\-like\(dq facility for debugging. It
158 prints a message defined by format \fIfmt\fP (of size \fIfmt_size\fP)
159 to file \fI/sys/kernel/tracing/trace\fP from TraceFS, if
160 available. It can take up to three additional \fBu64\fP
161 arguments (as an eBPF helpers, the total number of arguments is
164 Each time the helper is called, it appends a line to the trace.
165 Lines are discarded while \fI/sys/kernel/tracing/trace\fP is
166 open, use \fI/sys/kernel/tracing/trace_pipe\fP to avoid this.
167 The format of the trace is customizable, and the exact output
168 one will get depends on the options set in
169 \fI/sys/kernel/tracing/trace_options\fP (see also the
170 \fIREADME\fP file under the same directory). However, it usually
171 defaults to something like:
176 telnet\-470 [001] .N.. 419421.045894: 0x00000001: <formatted msg>
186 \fBtelnet\fP is the name of the current task.
188 \fB470\fP is the PID of the current task.
190 \fB001\fP is the CPU number on which the task is
193 In \fB\&.N..\fP, each character refers to a set of
194 options (whether irqs are enabled, scheduling
195 options, whether hard/softirqs are running, level of
196 preempt_disabled respectively). \fBN\fP means that
197 \fBTIF_NEED_RESCHED\fP and \fBPREEMPT_NEED_RESCHED\fP
200 \fB419421.045894\fP is a timestamp.
202 \fB0x00000001\fP is a fake value used by BPF for the
203 instruction pointer register.
205 \fB<formatted msg>\fP is the message formatted with
211 The conversion specifiers supported by \fIfmt\fP are similar, but
212 more limited than for printk(). They are \fB%d\fP, \fB%i\fP,
213 \fB%u\fP, \fB%x\fP, \fB%ld\fP, \fB%li\fP, \fB%lu\fP, \fB%lx\fP, \fB%lld\fP,
214 \fB%lli\fP, \fB%llu\fP, \fB%llx\fP, \fB%p\fP, \fB%s\fP\&. No modifier (size
215 of field, padding with zeroes, etc.) is available, and the
216 helper will return \fB\-EINVAL\fP (but print nothing) if it
217 encounters an unknown specifier.
219 Also, note that \fBbpf_trace_printk\fP() is slow, and should
220 only be used for debugging purposes. For this reason, a notice
221 block (spanning several lines) is printed to kernel logs and
222 states that the helper should not be used \(dqfor production use\(dq
223 the first time this helper is used (or more precisely, when
224 \fBtrace_printk\fP() buffers are allocated). For passing values
225 to user space, perf events should be preferred.
228 The number of bytes written to the buffer, or a negative error
232 .B \fBu32 bpf_get_prandom_u32(void)\fP
236 Get a pseudo\-random number.
238 From a security point of view, this helper uses its own
239 pseudo\-random internal state, and cannot be used to infer the
240 seed of other random functions in the kernel. However, it is
241 essential to note that the generator used by the helper is not
242 cryptographically secure.
245 A random 32\-bit unsigned value.
248 .B \fBu32 bpf_get_smp_processor_id(void)\fP
252 Get the SMP (symmetric multiprocessing) processor id. Note that
253 all programs run with migration disabled, which means that the
254 SMP processor id is stable during all the execution of the
258 The SMP id of the processor running the program.
261 .B \fBlong bpf_skb_store_bytes(struct sk_buff *\fP\fIskb\fP\fB, u32\fP \fIoffset\fP\fB, const void *\fP\fIfrom\fP\fB, u32\fP \fIlen\fP\fB, u64\fP \fIflags\fP\fB)\fP
265 Store \fIlen\fP bytes from address \fIfrom\fP into the packet
266 associated to \fIskb\fP, at \fIoffset\fP\&. \fIflags\fP are a combination of
267 \fBBPF_F_RECOMPUTE_CSUM\fP (automatically recompute the
268 checksum for the packet after storing the bytes) and
269 \fBBPF_F_INVALIDATE_HASH\fP (set \fIskb\fP\fB\->hash\fP, \fIskb\fP\fB\->swhash\fP and \fIskb\fP\fB\->l4hash\fP to 0).
271 A call to this helper is susceptible to change the underlying
272 packet buffer. Therefore, at load time, all checks on pointers
273 previously done by the verifier are invalidated and must be
274 performed again, if the helper is used in combination with
275 direct packet access.
278 0 on success, or a negative error in case of failure.
281 .B \fBlong bpf_l3_csum_replace(struct sk_buff *\fP\fIskb\fP\fB, u32\fP \fIoffset\fP\fB, u64\fP \fIfrom\fP\fB, u64\fP \fIto\fP\fB, u64\fP \fIsize\fP\fB)\fP
285 Recompute the layer 3 (e.g. IP) checksum for the packet
286 associated to \fIskb\fP\&. Computation is incremental, so the helper
287 must know the former value of the header field that was
288 modified (\fIfrom\fP), the new value of this field (\fIto\fP), and the
289 number of bytes (2 or 4) for this field, stored in \fIsize\fP\&.
290 Alternatively, it is possible to store the difference between
291 the previous and the new values of the header field in \fIto\fP, by
292 setting \fIfrom\fP and \fIsize\fP to 0. For both methods, \fIoffset\fP
293 indicates the location of the IP checksum within the packet.
295 This helper works in combination with \fBbpf_csum_diff\fP(),
296 which does not update the checksum in\-place, but offers more
297 flexibility and can handle sizes larger than 2 or 4 for the
300 A call to this helper is susceptible to change the underlying
301 packet buffer. Therefore, at load time, all checks on pointers
302 previously done by the verifier are invalidated and must be
303 performed again, if the helper is used in combination with
304 direct packet access.
307 0 on success, or a negative error in case of failure.
310 .B \fBlong bpf_l4_csum_replace(struct sk_buff *\fP\fIskb\fP\fB, u32\fP \fIoffset\fP\fB, u64\fP \fIfrom\fP\fB, u64\fP \fIto\fP\fB, u64\fP \fIflags\fP\fB)\fP
314 Recompute the layer 4 (e.g. TCP, UDP or ICMP) checksum for the
315 packet associated to \fIskb\fP\&. Computation is incremental, so the
316 helper must know the former value of the header field that was
317 modified (\fIfrom\fP), the new value of this field (\fIto\fP), and the
318 number of bytes (2 or 4) for this field, stored on the lowest
319 four bits of \fIflags\fP\&. Alternatively, it is possible to store
320 the difference between the previous and the new values of the
321 header field in \fIto\fP, by setting \fIfrom\fP and the four lowest
322 bits of \fIflags\fP to 0. For both methods, \fIoffset\fP indicates the
323 location of the IP checksum within the packet. In addition to
324 the size of the field, \fIflags\fP can be added (bitwise OR) actual
325 flags. With \fBBPF_F_MARK_MANGLED_0\fP, a null checksum is left
326 untouched (unless \fBBPF_F_MARK_ENFORCE\fP is added as well), and
327 for updates resulting in a null checksum the value is set to
328 \fBCSUM_MANGLED_0\fP instead. Flag \fBBPF_F_PSEUDO_HDR\fP indicates
329 the checksum is to be computed against a pseudo\-header.
331 This helper works in combination with \fBbpf_csum_diff\fP(),
332 which does not update the checksum in\-place, but offers more
333 flexibility and can handle sizes larger than 2 or 4 for the
336 A call to this helper is susceptible to change the underlying
337 packet buffer. Therefore, at load time, all checks on pointers
338 previously done by the verifier are invalidated and must be
339 performed again, if the helper is used in combination with
340 direct packet access.
343 0 on success, or a negative error in case of failure.
346 .B \fBlong bpf_tail_call(void *\fP\fIctx\fP\fB, struct bpf_map *\fP\fIprog_array_map\fP\fB, u32\fP \fIindex\fP\fB)\fP
350 This special helper is used to trigger a \(dqtail call\(dq, or in
351 other words, to jump into another eBPF program. The same stack
352 frame is used (but values on stack and in registers for the
353 caller are not accessible to the callee). This mechanism allows
354 for program chaining, either for raising the maximum number of
355 available eBPF instructions, or to execute given programs in
356 conditional blocks. For security reasons, there is an upper
357 limit to the number of successive tail calls that can be
360 Upon call of this helper, the program attempts to jump into a
361 program referenced at index \fIindex\fP in \fIprog_array_map\fP, a
362 special map of type \fBBPF_MAP_TYPE_PROG_ARRAY\fP, and passes
363 \fIctx\fP, a pointer to the context.
365 If the call succeeds, the kernel immediately runs the first
366 instruction of the new program. This is not a function call,
367 and it never returns to the previous program. If the call
368 fails, then the helper has no effect, and the caller continues
369 to run its subsequent instructions. A call can fail if the
370 destination program for the jump does not exist (i.e. \fIindex\fP
371 is superior to the number of entries in \fIprog_array_map\fP), or
372 if the maximum number of tail calls has been reached for this
373 chain of programs. This limit is defined in the kernel by the
374 macro \fBMAX_TAIL_CALL_CNT\fP (not accessible to user space),
375 which is currently set to 33.
378 0 on success, or a negative error in case of failure.
381 .B \fBlong bpf_clone_redirect(struct sk_buff *\fP\fIskb\fP\fB, u32\fP \fIifindex\fP\fB, u64\fP \fIflags\fP\fB)\fP
385 Clone and redirect the packet associated to \fIskb\fP to another
386 net device of index \fIifindex\fP\&. Both ingress and egress
387 interfaces can be used for redirection. The \fBBPF_F_INGRESS\fP
388 value in \fIflags\fP is used to make the distinction (ingress path
389 is selected if the flag is present, egress path otherwise).
390 This is the only flag supported for now.
392 In comparison with \fBbpf_redirect\fP() helper,
393 \fBbpf_clone_redirect\fP() has the associated cost of
394 duplicating the packet buffer, but this can be executed out of
395 the eBPF program. Conversely, \fBbpf_redirect\fP() is more
396 efficient, but it is handled through an action code where the
397 redirection happens only after the eBPF program has returned.
399 A call to this helper is susceptible to change the underlying
400 packet buffer. Therefore, at load time, all checks on pointers
401 previously done by the verifier are invalidated and must be
402 performed again, if the helper is used in combination with
403 direct packet access.
406 0 on success, or a negative error in case of failure. Positive
407 error indicates a potential drop or congestion in the target
408 device. The particular positive error codes are not defined.
411 .B \fBu64 bpf_get_current_pid_tgid(void)\fP
415 Get the current pid and tgid.
418 A 64\-bit integer containing the current tgid and pid, and
420 \fIcurrent_task\fP\fB\->tgid << 32 |\fP
421 \fIcurrent_task\fP\fB\->pid\fP\&.
424 .B \fBu64 bpf_get_current_uid_gid(void)\fP
428 Get the current uid and gid.
431 A 64\-bit integer containing the current GID and UID, and
432 created as such: \fIcurrent_gid\fP \fB<< 32 |\fP \fIcurrent_uid\fP\&.
435 .B \fBlong bpf_get_current_comm(void *\fP\fIbuf\fP\fB, u32\fP \fIsize_of_buf\fP\fB)\fP
439 Copy the \fBcomm\fP attribute of the current task into \fIbuf\fP of
440 \fIsize_of_buf\fP\&. The \fBcomm\fP attribute contains the name of
441 the executable (excluding the path) for the current task. The
442 \fIsize_of_buf\fP must be strictly positive. On success, the
443 helper makes sure that the \fIbuf\fP is NUL\-terminated. On failure,
444 it is filled with zeroes.
447 0 on success, or a negative error in case of failure.
450 .B \fBu32 bpf_get_cgroup_classid(struct sk_buff *\fP\fIskb\fP\fB)\fP
454 Retrieve the classid for the current task, i.e. for the net_cls
455 cgroup to which \fIskb\fP belongs.
457 This helper can be used on TC egress path, but not on ingress.
459 The net_cls cgroup provides an interface to tag network packets
460 based on a user\-provided identifier for all traffic coming from
461 the tasks belonging to the related cgroup. See also the related
462 kernel documentation, available from the Linux sources in file
463 \fIDocumentation/admin\-guide/cgroup\-v1/net_cls.rst\fP\&.
465 The Linux kernel has two versions for cgroups: there are
466 cgroups v1 and cgroups v2. Both are available to users, who can
467 use a mixture of them, but note that the net_cls cgroup is for
468 cgroup v1 only. This makes it incompatible with BPF programs
469 run on cgroups, which is a cgroup\-v2\-only feature (a socket can
470 only hold data for one version of cgroups at a time).
472 This helper is only available is the kernel was compiled with
473 the \fBCONFIG_CGROUP_NET_CLASSID\fP configuration option set to
474 \(dq\fBy\fP\(dq or to \(dq\fBm\fP\(dq.
477 The classid, or 0 for the default unconfigured classid.
480 .B \fBlong bpf_skb_vlan_push(struct sk_buff *\fP\fIskb\fP\fB, __be16\fP \fIvlan_proto\fP\fB, u16\fP \fIvlan_tci\fP\fB)\fP
484 Push a \fIvlan_tci\fP (VLAN tag control information) of protocol
485 \fIvlan_proto\fP to the packet associated to \fIskb\fP, then update
486 the checksum. Note that if \fIvlan_proto\fP is different from
487 \fBETH_P_8021Q\fP and \fBETH_P_8021AD\fP, it is considered to
488 be \fBETH_P_8021Q\fP\&.
490 A call to this helper is susceptible to change the underlying
491 packet buffer. Therefore, at load time, all checks on pointers
492 previously done by the verifier are invalidated and must be
493 performed again, if the helper is used in combination with
494 direct packet access.
497 0 on success, or a negative error in case of failure.
500 .B \fBlong bpf_skb_vlan_pop(struct sk_buff *\fP\fIskb\fP\fB)\fP
504 Pop a VLAN header from the packet associated to \fIskb\fP\&.
506 A call to this helper is susceptible to change the underlying
507 packet buffer. Therefore, at load time, all checks on pointers
508 previously done by the verifier are invalidated and must be
509 performed again, if the helper is used in combination with
510 direct packet access.
513 0 on success, or a negative error in case of failure.
516 .B \fBlong bpf_skb_get_tunnel_key(struct sk_buff *\fP\fIskb\fP\fB, struct bpf_tunnel_key *\fP\fIkey\fP\fB, u32\fP \fIsize\fP\fB, u64\fP \fIflags\fP\fB)\fP
520 Get tunnel metadata. This helper takes a pointer \fIkey\fP to an
521 empty \fBstruct bpf_tunnel_key\fP of \fBsize\fP, that will be
522 filled with tunnel metadata for the packet associated to \fIskb\fP\&.
523 The \fIflags\fP can be set to \fBBPF_F_TUNINFO_IPV6\fP, which
524 indicates that the tunnel is based on IPv6 protocol instead of
527 The \fBstruct bpf_tunnel_key\fP is an object that generalizes the
528 principal parameters used by various tunneling protocols into a
529 single struct. This way, it can be used to easily make a
530 decision based on the contents of the encapsulation header,
531 \(dqsummarized\(dq in this struct. In particular, it holds the IP
532 address of the remote end (IPv4 or IPv6, depending on the case)
533 in \fIkey\fP\fB\->remote_ipv4\fP or \fIkey\fP\fB\->remote_ipv6\fP\&. Also,
534 this struct exposes the \fIkey\fP\fB\->tunnel_id\fP, which is
535 generally mapped to a VNI (Virtual Network Identifier), making
536 it programmable together with the \fBbpf_skb_set_tunnel_key\fP() helper.
538 Let\(aqs imagine that the following code is part of a program
539 attached to the TC ingress interface, on one end of a GRE
540 tunnel, and is supposed to filter out all messages coming from
541 remote ends with IPv4 address other than 10.0.0.1:
547 struct bpf_tunnel_key key = {};
549 ret = bpf_skb_get_tunnel_key(skb, &key, sizeof(key), 0);
551 return TC_ACT_SHOT; // drop packet
553 if (key.remote_ipv4 != 0x0a000001)
554 return TC_ACT_SHOT; // drop packet
556 return TC_ACT_OK; // accept packet
561 This interface can also be used with all encapsulation devices
562 that can operate in \(dqcollect metadata\(dq mode: instead of having
563 one network device per specific configuration, the \(dqcollect
564 metadata\(dq mode only requires a single device where the
565 configuration can be extracted from this helper.
567 This can be used together with various tunnels such as VXLan,
568 Geneve, GRE or IP in IP (IPIP).
571 0 on success, or a negative error in case of failure.
574 .B \fBlong bpf_skb_set_tunnel_key(struct sk_buff *\fP\fIskb\fP\fB, struct bpf_tunnel_key *\fP\fIkey\fP\fB, u32\fP \fIsize\fP\fB, u64\fP \fIflags\fP\fB)\fP
578 Populate tunnel metadata for packet associated to \fIskb.\fP The
579 tunnel metadata is set to the contents of \fIkey\fP, of \fIsize\fP\&. The
580 \fIflags\fP can be set to a combination of the following values:
583 .B \fBBPF_F_TUNINFO_IPV6\fP
584 Indicate that the tunnel is based on IPv6 protocol
587 .B \fBBPF_F_ZERO_CSUM_TX\fP
588 For IPv4 packets, add a flag to tunnel metadata
589 indicating that checksum computation should be skipped
590 and checksum set to zeroes.
592 .B \fBBPF_F_DONT_FRAGMENT\fP
593 Add a flag to tunnel metadata indicating that the
594 packet should not be fragmented.
596 .B \fBBPF_F_SEQ_NUMBER\fP
597 Add a flag to tunnel metadata indicating that a
598 sequence number should be added to tunnel header before
599 sending the packet. This flag was added for GRE
600 encapsulation, but might be used with other protocols
601 as well in the future.
603 .B \fBBPF_F_NO_TUNNEL_KEY\fP
604 Add a flag to tunnel metadata indicating that no tunnel
605 key should be set in the resulting tunnel header.
608 Here is a typical usage on the transmit path:
613 struct bpf_tunnel_key key;
615 bpf_skb_set_tunnel_key(skb, &key, sizeof(key), 0);
616 bpf_clone_redirect(skb, vxlan_dev_ifindex, 0);
621 See also the description of the \fBbpf_skb_get_tunnel_key\fP()
622 helper for additional information.
625 0 on success, or a negative error in case of failure.
628 .B \fBu64 bpf_perf_event_read(struct bpf_map *\fP\fImap\fP\fB, u64\fP \fIflags\fP\fB)\fP
632 Read the value of a perf event counter. This helper relies on a
633 \fImap\fP of type \fBBPF_MAP_TYPE_PERF_EVENT_ARRAY\fP\&. The nature of
634 the perf event counter is selected when \fImap\fP is updated with
635 perf event file descriptors. The \fImap\fP is an array whose size
636 is the number of available CPUs, and each cell contains a value
637 relative to one CPU. The value to retrieve is indicated by
638 \fIflags\fP, that contains the index of the CPU to look up, masked
639 with \fBBPF_F_INDEX_MASK\fP\&. Alternatively, \fIflags\fP can be set to
640 \fBBPF_F_CURRENT_CPU\fP to indicate that the value for the
641 current CPU should be retrieved.
643 Note that before Linux 4.13, only hardware perf event can be
646 Also, be aware that the newer helper
647 \fBbpf_perf_event_read_value\fP() is recommended over
648 \fBbpf_perf_event_read\fP() in general. The latter has some ABI
649 quirks where error and counter value are used as a return code
650 (which is wrong to do since ranges may overlap). This issue is
651 fixed with \fBbpf_perf_event_read_value\fP(), which at the same
652 time provides more features over the \fBbpf_perf_event_read\fP() interface. Please refer to the description of
653 \fBbpf_perf_event_read_value\fP() for details.
656 The value of the perf event counter read from the map, or a
657 negative error code in case of failure.
660 .B \fBlong bpf_redirect(u32\fP \fIifindex\fP\fB, u64\fP \fIflags\fP\fB)\fP
664 Redirect the packet to another net device of index \fIifindex\fP\&.
665 This helper is somewhat similar to \fBbpf_clone_redirect\fP(), except that the packet is not cloned, which provides
666 increased performance.
668 Except for XDP, both ingress and egress interfaces can be used
669 for redirection. The \fBBPF_F_INGRESS\fP value in \fIflags\fP is used
670 to make the distinction (ingress path is selected if the flag
671 is present, egress path otherwise). Currently, XDP only
672 supports redirection to the egress interface, and accepts no
675 The same effect can also be attained with the more generic
676 \fBbpf_redirect_map\fP(), which uses a BPF map to store the
677 redirect target instead of providing it directly to the helper.
680 For XDP, the helper returns \fBXDP_REDIRECT\fP on success or
681 \fBXDP_ABORTED\fP on error. For other program types, the values
682 are \fBTC_ACT_REDIRECT\fP on success or \fBTC_ACT_SHOT\fP on
686 .B \fBu32 bpf_get_route_realm(struct sk_buff *\fP\fIskb\fP\fB)\fP
690 Retrieve the realm or the route, that is to say the
691 \fBtclassid\fP field of the destination for the \fIskb\fP\&. The
692 identifier retrieved is a user\-provided tag, similar to the
693 one used with the net_cls cgroup (see description for
694 \fBbpf_get_cgroup_classid\fP() helper), but here this tag is
695 held by a route (a destination entry), not by a task.
697 Retrieving this identifier works with the clsact TC egress hook
698 (see also \fBtc\-bpf(8)\fP), or alternatively on conventional
699 classful egress qdiscs, but not on TC ingress path. In case of
700 clsact TC egress hook, this has the advantage that, internally,
701 the destination entry has not been dropped yet in the transmit
702 path. Therefore, the destination entry does not need to be
703 artificially held via \fBnetif_keep_dst\fP() for a classful
704 qdisc until the \fIskb\fP is freed.
706 This helper is available only if the kernel was compiled with
707 \fBCONFIG_IP_ROUTE_CLASSID\fP configuration option.
710 The realm of the route for the packet associated to \fIskb\fP, or 0
714 .B \fBlong bpf_perf_event_output(void *\fP\fIctx\fP\fB, struct bpf_map *\fP\fImap\fP\fB, u64\fP \fIflags\fP\fB, void *\fP\fIdata\fP\fB, u64\fP \fIsize\fP\fB)\fP
718 Write raw \fIdata\fP blob into a special BPF perf event held by
719 \fImap\fP of type \fBBPF_MAP_TYPE_PERF_EVENT_ARRAY\fP\&. This perf
720 event must have the following attributes: \fBPERF_SAMPLE_RAW\fP
721 as \fBsample_type\fP, \fBPERF_TYPE_SOFTWARE\fP as \fBtype\fP, and
722 \fBPERF_COUNT_SW_BPF_OUTPUT\fP as \fBconfig\fP\&.
724 The \fIflags\fP are used to indicate the index in \fImap\fP for which
725 the value must be put, masked with \fBBPF_F_INDEX_MASK\fP\&.
726 Alternatively, \fIflags\fP can be set to \fBBPF_F_CURRENT_CPU\fP
727 to indicate that the index of the current CPU core should be
730 The value to write, of \fIsize\fP, is passed through eBPF stack and
731 pointed by \fIdata\fP\&.
733 The context of the program \fIctx\fP needs also be passed to the
736 On user space, a program willing to read the values needs to
737 call \fBperf_event_open\fP() on the perf event (either for
738 one or for all CPUs) and to store the file descriptor into the
739 \fImap\fP\&. This must be done before the eBPF program can send data
740 into it. An example is available in file
741 \fIsamples/bpf/trace_output_user.c\fP in the Linux kernel source
742 tree (the eBPF program counterpart is in
743 \fIsamples/bpf/trace_output_kern.c\fP).
745 \fBbpf_perf_event_output\fP() achieves better performance
746 than \fBbpf_trace_printk\fP() for sharing data with user
747 space, and is much better suitable for streaming data from eBPF
750 Note that this helper is not restricted to tracing use cases
751 and can be used with programs attached to TC or XDP as well,
752 where it allows for passing data to user space listeners. Data
758 Only the packet payload, or
760 A combination of both.
764 0 on success, or a negative error in case of failure.
767 .B \fBlong bpf_skb_load_bytes(const void *\fP\fIskb\fP\fB, u32\fP \fIoffset\fP\fB, void *\fP\fIto\fP\fB, u32\fP \fIlen\fP\fB)\fP
771 This helper was provided as an easy way to load data from a
772 packet. It can be used to load \fIlen\fP bytes from \fIoffset\fP from
773 the packet associated to \fIskb\fP, into the buffer pointed by
776 Since Linux 4.7, usage of this helper has mostly been replaced
777 by \(dqdirect packet access\(dq, enabling packet data to be
778 manipulated with \fIskb\fP\fB\->data\fP and \fIskb\fP\fB\->data_end\fP
779 pointing respectively to the first byte of packet data and to
780 the byte after the last byte of packet data. However, it
781 remains useful if one wishes to read large quantities of data
782 at once from a packet into the eBPF stack.
785 0 on success, or a negative error in case of failure.
788 .B \fBlong bpf_get_stackid(void *\fP\fIctx\fP\fB, struct bpf_map *\fP\fImap\fP\fB, u64\fP \fIflags\fP\fB)\fP
792 Walk a user or a kernel stack and return its id. To achieve
793 this, the helper needs \fIctx\fP, which is a pointer to the context
794 on which the tracing program is executed, and a pointer to a
795 \fImap\fP of type \fBBPF_MAP_TYPE_STACK_TRACE\fP\&.
797 The last argument, \fIflags\fP, holds the number of stack frames to
798 skip (from 0 to 255), masked with
799 \fBBPF_F_SKIP_FIELD_MASK\fP\&. The next bits can be used to set
800 a combination of the following flags:
803 .B \fBBPF_F_USER_STACK\fP
804 Collect a user space stack instead of a kernel stack.
806 .B \fBBPF_F_FAST_STACK_CMP\fP
807 Compare stacks by hash only.
809 .B \fBBPF_F_REUSE_STACKID\fP
810 If two different stacks hash into the same \fIstackid\fP,
814 The stack id retrieved is a 32 bit long integer handle which
815 can be further combined with other data (including other stack
816 ids) and used as a key into maps. This can be useful for
817 generating a variety of graphs (such as flame graphs or off\-cpu
820 For walking a stack, this helper is an improvement over
821 \fBbpf_probe_read\fP(), which can be used with unrolled loops
822 but is not efficient and consumes a lot of eBPF instructions.
823 Instead, \fBbpf_get_stackid\fP() can collect up to
824 \fBPERF_MAX_STACK_DEPTH\fP both kernel and user frames. Note that
825 this limit can be controlled with the \fBsysctl\fP program, and
826 that it should be manually increased in order to profile long
827 user stacks (such as stacks for Java programs). To do so, use:
832 # sysctl kernel.perf_event_max_stack=<new value>
838 The positive or null stack id on success, or a negative error
842 .B \fBs64 bpf_csum_diff(__be32 *\fP\fIfrom\fP\fB, u32\fP \fIfrom_size\fP\fB, __be32 *\fP\fIto\fP\fB, u32\fP \fIto_size\fP\fB, __wsum\fP \fIseed\fP\fB)\fP
846 Compute a checksum difference, from the raw buffer pointed by
847 \fIfrom\fP, of length \fIfrom_size\fP (that must be a multiple of 4),
848 towards the raw buffer pointed by \fIto\fP, of size \fIto_size\fP
849 (same remark). An optional \fIseed\fP can be added to the value
850 (this can be cascaded, the seed may come from a previous call
853 This is flexible enough to be used in several ways:
856 With \fIfrom_size\fP == 0, \fIto_size\fP > 0 and \fIseed\fP set to
857 checksum, it can be used when pushing new data.
859 With \fIfrom_size\fP > 0, \fIto_size\fP == 0 and \fIseed\fP set to
860 checksum, it can be used when removing data from a packet.
862 With \fIfrom_size\fP > 0, \fIto_size\fP > 0 and \fIseed\fP set to 0, it
863 can be used to compute a diff. Note that \fIfrom_size\fP and
864 \fIto_size\fP do not need to be equal.
867 This helper can be used in combination with
868 \fBbpf_l3_csum_replace\fP() and \fBbpf_l4_csum_replace\fP(), to
869 which one can feed in the difference computed with
870 \fBbpf_csum_diff\fP().
873 The checksum result, or a negative error code in case of
877 .B \fBlong bpf_skb_get_tunnel_opt(struct sk_buff *\fP\fIskb\fP\fB, void *\fP\fIopt\fP\fB, u32\fP \fIsize\fP\fB)\fP
881 Retrieve tunnel options metadata for the packet associated to
882 \fIskb\fP, and store the raw tunnel option data to the buffer \fIopt\fP
885 This helper can be used with encapsulation devices that can
886 operate in \(dqcollect metadata\(dq mode (please refer to the related
887 note in the description of \fBbpf_skb_get_tunnel_key\fP() for
888 more details). A particular example where this can be used is
889 in combination with the Geneve encapsulation protocol, where it
890 allows for pushing (with \fBbpf_skb_get_tunnel_opt\fP() helper)
891 and retrieving arbitrary TLVs (Type\-Length\-Value headers) from
892 the eBPF program. This allows for full customization of these
896 The size of the option data retrieved.
899 .B \fBlong bpf_skb_set_tunnel_opt(struct sk_buff *\fP\fIskb\fP\fB, void *\fP\fIopt\fP\fB, u32\fP \fIsize\fP\fB)\fP
903 Set tunnel options metadata for the packet associated to \fIskb\fP
904 to the option data contained in the raw buffer \fIopt\fP of \fIsize\fP\&.
906 See also the description of the \fBbpf_skb_get_tunnel_opt\fP()
907 helper for additional information.
910 0 on success, or a negative error in case of failure.
913 .B \fBlong bpf_skb_change_proto(struct sk_buff *\fP\fIskb\fP\fB, __be16\fP \fIproto\fP\fB, u64\fP \fIflags\fP\fB)\fP
917 Change the protocol of the \fIskb\fP to \fIproto\fP\&. Currently
918 supported are transition from IPv4 to IPv6, and from IPv6 to
919 IPv4. The helper takes care of the groundwork for the
920 transition, including resizing the socket buffer. The eBPF
921 program is expected to fill the new headers, if any, via
922 \fBskb_store_bytes\fP() and to recompute the checksums with
923 \fBbpf_l3_csum_replace\fP() and \fBbpf_l4_csum_replace\fP(). The main case for this helper is to perform NAT64
924 operations out of an eBPF program.
926 Internally, the GSO type is marked as dodgy so that headers are
927 checked and segments are recalculated by the GSO/GRO engine.
928 The size for GSO target is adapted as well.
930 All values for \fIflags\fP are reserved for future usage, and must
933 A call to this helper is susceptible to change the underlying
934 packet buffer. Therefore, at load time, all checks on pointers
935 previously done by the verifier are invalidated and must be
936 performed again, if the helper is used in combination with
937 direct packet access.
940 0 on success, or a negative error in case of failure.
943 .B \fBlong bpf_skb_change_type(struct sk_buff *\fP\fIskb\fP\fB, u32\fP \fItype\fP\fB)\fP
947 Change the packet type for the packet associated to \fIskb\fP\&. This
948 comes down to setting \fIskb\fP\fB\->pkt_type\fP to \fItype\fP, except
949 the eBPF program does not have a write access to \fIskb\fP\fB\->pkt_type\fP beside this helper. Using a helper here allows
950 for graceful handling of errors.
952 The major use case is to change incoming \fIskb*s to
953 **PACKET_HOST*\fP in a programmatic way instead of having to
954 recirculate via \fBredirect\fP(..., \fBBPF_F_INGRESS\fP), for
957 Note that \fItype\fP only allows certain values. At this time, they
964 .B \fBPACKET_BROADCAST\fP
967 .B \fBPACKET_MULTICAST\fP
968 Send packet to group.
970 .B \fBPACKET_OTHERHOST\fP
971 Send packet to someone else.
975 0 on success, or a negative error in case of failure.
978 .B \fBlong bpf_skb_under_cgroup(struct sk_buff *\fP\fIskb\fP\fB, struct bpf_map *\fP\fImap\fP\fB, u32\fP \fIindex\fP\fB)\fP
982 Check whether \fIskb\fP is a descendant of the cgroup2 held by
983 \fImap\fP of type \fBBPF_MAP_TYPE_CGROUP_ARRAY\fP, at \fIindex\fP\&.
986 The return value depends on the result of the test, and can be:
989 0, if the \fIskb\fP failed the cgroup2 descendant test.
991 1, if the \fIskb\fP succeeded the cgroup2 descendant test.
993 A negative error code, if an error occurred.
997 .B \fBu32 bpf_get_hash_recalc(struct sk_buff *\fP\fIskb\fP\fB)\fP
1001 Retrieve the hash of the packet, \fIskb\fP\fB\->hash\fP\&. If it is
1002 not set, in particular if the hash was cleared due to mangling,
1003 recompute this hash. Later accesses to the hash can be done
1004 directly with \fIskb\fP\fB\->hash\fP\&.
1006 Calling \fBbpf_set_hash_invalid\fP(), changing a packet
1007 prototype with \fBbpf_skb_change_proto\fP(), or calling
1008 \fBbpf_skb_store_bytes\fP() with the
1009 \fBBPF_F_INVALIDATE_HASH\fP are actions susceptible to clear
1010 the hash and to trigger a new computation for the next call to
1011 \fBbpf_get_hash_recalc\fP().
1017 .B \fBu64 bpf_get_current_task(void)\fP
1021 Get the current task.
1024 A pointer to the current task struct.
1027 .B \fBlong bpf_probe_write_user(void *\fP\fIdst\fP\fB, const void *\fP\fIsrc\fP\fB, u32\fP \fIlen\fP\fB)\fP
1031 Attempt in a safe way to write \fIlen\fP bytes from the buffer
1032 \fIsrc\fP to \fIdst\fP in memory. It only works for threads that are in
1033 user context, and \fIdst\fP must be a valid user space address.
1035 This helper should not be used to implement any kind of
1036 security mechanism because of TOC\-TOU attacks, but rather to
1037 debug, divert, and manipulate execution of semi\-cooperative
1040 Keep in mind that this feature is meant for experiments, and it
1041 has a risk of crashing the system and running programs.
1042 Therefore, when an eBPF program using this helper is attached,
1043 a warning including PID and process name is printed to kernel
1047 0 on success, or a negative error in case of failure.
1050 .B \fBlong bpf_current_task_under_cgroup(struct bpf_map *\fP\fImap\fP\fB, u32\fP \fIindex\fP\fB)\fP
1054 Check whether the probe is being run is the context of a given
1055 subset of the cgroup2 hierarchy. The cgroup2 to test is held by
1056 \fImap\fP of type \fBBPF_MAP_TYPE_CGROUP_ARRAY\fP, at \fIindex\fP\&.
1059 The return value depends on the result of the test, and can be:
1062 1, if current task belongs to the cgroup2.
1064 0, if current task does not belong to the cgroup2.
1066 A negative error code, if an error occurred.
1070 .B \fBlong bpf_skb_change_tail(struct sk_buff *\fP\fIskb\fP\fB, u32\fP \fIlen\fP\fB, u64\fP \fIflags\fP\fB)\fP
1074 Resize (trim or grow) the packet associated to \fIskb\fP to the
1075 new \fIlen\fP\&. The \fIflags\fP are reserved for future usage, and must
1078 The basic idea is that the helper performs the needed work to
1079 change the size of the packet, then the eBPF program rewrites
1080 the rest via helpers like \fBbpf_skb_store_bytes\fP(),
1081 \fBbpf_l3_csum_replace\fP(), \fBbpf_l3_csum_replace\fP()
1082 and others. This helper is a slow path utility intended for
1083 replies with control messages. And because it is targeted for
1084 slow path, the helper itself can afford to be slow: it
1085 implicitly linearizes, unclones and drops offloads from the
1088 A call to this helper is susceptible to change the underlying
1089 packet buffer. Therefore, at load time, all checks on pointers
1090 previously done by the verifier are invalidated and must be
1091 performed again, if the helper is used in combination with
1092 direct packet access.
1095 0 on success, or a negative error in case of failure.
1098 .B \fBlong bpf_skb_pull_data(struct sk_buff *\fP\fIskb\fP\fB, u32\fP \fIlen\fP\fB)\fP
1102 Pull in non\-linear data in case the \fIskb\fP is non\-linear and not
1103 all of \fIlen\fP are part of the linear section. Make \fIlen\fP bytes
1104 from \fIskb\fP readable and writable. If a zero value is passed for
1105 \fIlen\fP, then all bytes in the linear part of \fIskb\fP will be made
1106 readable and writable.
1108 This helper is only needed for reading and writing with direct
1111 For direct packet access, testing that offsets to access
1112 are within packet boundaries (test on \fIskb\fP\fB\->data_end\fP) is
1113 susceptible to fail if offsets are invalid, or if the requested
1114 data is in non\-linear parts of the \fIskb\fP\&. On failure the
1115 program can just bail out, or in the case of a non\-linear
1116 buffer, use a helper to make the data available. The
1117 \fBbpf_skb_load_bytes\fP() helper is a first solution to access
1118 the data. Another one consists in using \fBbpf_skb_pull_data\fP
1119 to pull in once the non\-linear parts, then retesting and
1120 eventually access the data.
1122 At the same time, this also makes sure the \fIskb\fP is uncloned,
1123 which is a necessary condition for direct write. As this needs
1124 to be an invariant for the write part only, the verifier
1125 detects writes and adds a prologue that is calling
1126 \fBbpf_skb_pull_data()\fP to effectively unclone the \fIskb\fP from
1127 the very beginning in case it is indeed cloned.
1129 A call to this helper is susceptible to change the underlying
1130 packet buffer. Therefore, at load time, all checks on pointers
1131 previously done by the verifier are invalidated and must be
1132 performed again, if the helper is used in combination with
1133 direct packet access.
1136 0 on success, or a negative error in case of failure.
1139 .B \fBs64 bpf_csum_update(struct sk_buff *\fP\fIskb\fP\fB, __wsum\fP \fIcsum\fP\fB)\fP
1143 Add the checksum \fIcsum\fP into \fIskb\fP\fB\->csum\fP in case the
1144 driver has supplied a checksum for the entire packet into that
1145 field. Return an error otherwise. This helper is intended to be
1146 used in combination with \fBbpf_csum_diff\fP(), in particular
1147 when the checksum needs to be updated after data has been
1148 written into the packet through direct packet access.
1151 The checksum on success, or a negative error code in case of
1155 .B \fBvoid bpf_set_hash_invalid(struct sk_buff *\fP\fIskb\fP\fB)\fP
1159 Invalidate the current \fIskb\fP\fB\->hash\fP\&. It can be used after
1160 mangling on headers through direct packet access, in order to
1161 indicate that the hash is outdated and to trigger a
1162 recalculation the next time the kernel tries to access this
1163 hash or when the \fBbpf_get_hash_recalc\fP() helper is called.
1169 .B \fBlong bpf_get_numa_node_id(void)\fP
1173 Return the id of the current NUMA node. The primary use case
1174 for this helper is the selection of sockets for the local NUMA
1175 node, when the program is attached to sockets using the
1176 \fBSO_ATTACH_REUSEPORT_EBPF\fP option (see also \fBsocket(7)\fP),
1177 but the helper is also available to other eBPF program types,
1178 similarly to \fBbpf_get_smp_processor_id\fP().
1181 The id of current NUMA node.
1184 .B \fBlong bpf_skb_change_head(struct sk_buff *\fP\fIskb\fP\fB, u32\fP \fIlen\fP\fB, u64\fP \fIflags\fP\fB)\fP
1188 Grows headroom of packet associated to \fIskb\fP and adjusts the
1189 offset of the MAC header accordingly, adding \fIlen\fP bytes of
1190 space. It automatically extends and reallocates memory as
1193 This helper can be used on a layer 3 \fIskb\fP to push a MAC header
1194 for redirection into a layer 2 device.
1196 All values for \fIflags\fP are reserved for future usage, and must
1199 A call to this helper is susceptible to change the underlying
1200 packet buffer. Therefore, at load time, all checks on pointers
1201 previously done by the verifier are invalidated and must be
1202 performed again, if the helper is used in combination with
1203 direct packet access.
1206 0 on success, or a negative error in case of failure.
1209 .B \fBlong bpf_xdp_adjust_head(struct xdp_buff *\fP\fIxdp_md\fP\fB, int\fP \fIdelta\fP\fB)\fP
1213 Adjust (move) \fIxdp_md\fP\fB\->data\fP by \fIdelta\fP bytes. Note that
1214 it is possible to use a negative value for \fIdelta\fP\&. This helper
1215 can be used to prepare the packet for pushing or popping
1218 A call to this helper is susceptible to change the underlying
1219 packet buffer. Therefore, at load time, all checks on pointers
1220 previously done by the verifier are invalidated and must be
1221 performed again, if the helper is used in combination with
1222 direct packet access.
1225 0 on success, or a negative error in case of failure.
1228 .B \fBlong bpf_probe_read_str(void *\fP\fIdst\fP\fB, u32\fP \fIsize\fP\fB, const void *\fP\fIunsafe_ptr\fP\fB)\fP
1232 Copy a NUL terminated string from an unsafe kernel address
1233 \fIunsafe_ptr\fP to \fIdst\fP\&. See \fBbpf_probe_read_kernel_str\fP() for
1236 Generally, use \fBbpf_probe_read_user_str\fP() or
1237 \fBbpf_probe_read_kernel_str\fP() instead.
1240 On success, the strictly positive length of the string,
1241 including the trailing NUL character. On error, a negative
1245 .B \fBu64 bpf_get_socket_cookie(struct sk_buff *\fP\fIskb\fP\fB)\fP
1249 If the \fBstruct sk_buff\fP pointed by \fIskb\fP has a known socket,
1250 retrieve the cookie (generated by the kernel) of this socket.
1251 If no cookie has been set yet, generate a new cookie. Once
1252 generated, the socket cookie remains stable for the life of the
1253 socket. This helper can be useful for monitoring per socket
1254 networking traffic statistics as it provides a global socket
1255 identifier that can be assumed unique.
1258 A 8\-byte long unique number on success, or 0 if the socket
1259 field is missing inside \fIskb\fP\&.
1262 .B \fBu64 bpf_get_socket_cookie(struct bpf_sock_addr *\fP\fIctx\fP\fB)\fP
1266 Equivalent to bpf_get_socket_cookie() helper that accepts
1267 \fIskb\fP, but gets socket from \fBstruct bpf_sock_addr\fP context.
1270 A 8\-byte long unique number.
1273 .B \fBu64 bpf_get_socket_cookie(struct bpf_sock_ops *\fP\fIctx\fP\fB)\fP
1277 Equivalent to \fBbpf_get_socket_cookie\fP() helper that accepts
1278 \fIskb\fP, but gets socket from \fBstruct bpf_sock_ops\fP context.
1281 A 8\-byte long unique number.
1284 .B \fBu64 bpf_get_socket_cookie(struct sock *\fP\fIsk\fP\fB)\fP
1288 Equivalent to \fBbpf_get_socket_cookie\fP() helper that accepts
1289 \fIsk\fP, but gets socket from a BTF \fBstruct sock\fP\&. This helper
1290 also works for sleepable programs.
1293 A 8\-byte long unique number or 0 if \fIsk\fP is NULL.
1296 .B \fBu32 bpf_get_socket_uid(struct sk_buff *\fP\fIskb\fP\fB)\fP
1300 Get the owner UID of the socked associated to \fIskb\fP\&.
1303 The owner UID of the socket associated to \fIskb\fP\&. If the socket
1304 is \fBNULL\fP, or if it is not a full socket (i.e. if it is a
1305 time\-wait or a request socket instead), \fBoverflowuid\fP value
1306 is returned (note that \fBoverflowuid\fP might also be the actual
1307 UID value for the socket).
1310 .B \fBlong bpf_set_hash(struct sk_buff *\fP\fIskb\fP\fB, u32\fP \fIhash\fP\fB)\fP
1314 Set the full hash for \fIskb\fP (set the field \fIskb\fP\fB\->hash\fP)
1315 to value \fIhash\fP\&.
1321 .B \fBlong bpf_setsockopt(void *\fP\fIbpf_socket\fP\fB, int\fP \fIlevel\fP\fB, int\fP \fIoptname\fP\fB, void *\fP\fIoptval\fP\fB, int\fP \fIoptlen\fP\fB)\fP
1325 Emulate a call to \fBsetsockopt()\fP on the socket associated to
1326 \fIbpf_socket\fP, which must be a full socket. The \fIlevel\fP at
1327 which the option resides and the name \fIoptname\fP of the option
1328 must be specified, see \fBsetsockopt(2)\fP for more information.
1329 The option value of length \fIoptlen\fP is pointed by \fIoptval\fP\&.
1331 \fIbpf_socket\fP should be one of the following:
1334 \fBstruct bpf_sock_ops\fP for \fBBPF_PROG_TYPE_SOCK_OPS\fP\&.
1336 \fBstruct bpf_sock_addr\fP for \fBBPF_CGROUP_INET4_CONNECT\fP,
1337 \fBBPF_CGROUP_INET6_CONNECT\fP and \fBBPF_CGROUP_UNIX_CONNECT\fP\&.
1340 This helper actually implements a subset of \fBsetsockopt()\fP\&.
1341 It supports the following \fIlevel\fPs:
1344 \fBSOL_SOCKET\fP, which supports the following \fIoptname\fPs:
1345 \fBSO_RCVBUF\fP, \fBSO_SNDBUF\fP, \fBSO_MAX_PACING_RATE\fP,
1346 \fBSO_PRIORITY\fP, \fBSO_RCVLOWAT\fP, \fBSO_MARK\fP,
1347 \fBSO_BINDTODEVICE\fP, \fBSO_KEEPALIVE\fP, \fBSO_REUSEADDR\fP,
1348 \fBSO_REUSEPORT\fP, \fBSO_BINDTOIFINDEX\fP, \fBSO_TXREHASH\fP\&.
1350 \fBIPPROTO_TCP\fP, which supports the following \fIoptname\fPs:
1351 \fBTCP_CONGESTION\fP, \fBTCP_BPF_IW\fP,
1352 \fBTCP_BPF_SNDCWND_CLAMP\fP, \fBTCP_SAVE_SYN\fP,
1353 \fBTCP_KEEPIDLE\fP, \fBTCP_KEEPINTVL\fP, \fBTCP_KEEPCNT\fP,
1354 \fBTCP_SYNCNT\fP, \fBTCP_USER_TIMEOUT\fP, \fBTCP_NOTSENT_LOWAT\fP,
1355 \fBTCP_NODELAY\fP, \fBTCP_MAXSEG\fP, \fBTCP_WINDOW_CLAMP\fP,
1356 \fBTCP_THIN_LINEAR_TIMEOUTS\fP, \fBTCP_BPF_DELACK_MAX\fP,
1357 \fBTCP_BPF_RTO_MIN\fP\&.
1359 \fBIPPROTO_IP\fP, which supports \fIoptname\fP \fBIP_TOS\fP\&.
1361 \fBIPPROTO_IPV6\fP, which supports the following \fIoptname\fPs:
1362 \fBIPV6_TCLASS\fP, \fBIPV6_AUTOFLOWLABEL\fP\&.
1366 0 on success, or a negative error in case of failure.
1369 .B \fBlong bpf_skb_adjust_room(struct sk_buff *\fP\fIskb\fP\fB, s32\fP \fIlen_diff\fP\fB, u32\fP \fImode\fP\fB, u64\fP \fIflags\fP\fB)\fP
1373 Grow or shrink the room for data in the packet associated to
1374 \fIskb\fP by \fIlen_diff\fP, and according to the selected \fImode\fP\&.
1376 By default, the helper will reset any offloaded checksum
1377 indicator of the skb to CHECKSUM_NONE. This can be avoided
1378 by the following flag:
1381 \fBBPF_F_ADJ_ROOM_NO_CSUM_RESET\fP: Do not reset offloaded
1382 checksum data of the skb to CHECKSUM_NONE.
1385 There are two supported modes at this time:
1388 \fBBPF_ADJ_ROOM_MAC\fP: Adjust room at the mac layer
1389 (room space is added or removed between the layer 2 and
1392 \fBBPF_ADJ_ROOM_NET\fP: Adjust room at the network layer
1393 (room space is added or removed between the layer 3 and
1397 The following flags are supported at this time:
1400 \fBBPF_F_ADJ_ROOM_FIXED_GSO\fP: Do not adjust gso_size.
1401 Adjusting mss in this way is not allowed for datagrams.
1403 \fBBPF_F_ADJ_ROOM_ENCAP_L3_IPV4\fP,
1404 \fBBPF_F_ADJ_ROOM_ENCAP_L3_IPV6\fP:
1405 Any new space is reserved to hold a tunnel header.
1406 Configure skb offsets and other fields accordingly.
1408 \fBBPF_F_ADJ_ROOM_ENCAP_L4_GRE\fP,
1409 \fBBPF_F_ADJ_ROOM_ENCAP_L4_UDP\fP:
1410 Use with ENCAP_L3 flags to further specify the tunnel type.
1412 \fBBPF_F_ADJ_ROOM_ENCAP_L2\fP(\fIlen\fP):
1413 Use with ENCAP_L3/L4 flags to further specify the tunnel
1414 type; \fIlen\fP is the length of the inner MAC header.
1416 \fBBPF_F_ADJ_ROOM_ENCAP_L2_ETH\fP:
1417 Use with BPF_F_ADJ_ROOM_ENCAP_L2 flag to further specify the
1418 L2 type as Ethernet.
1420 \fBBPF_F_ADJ_ROOM_DECAP_L3_IPV4\fP,
1421 \fBBPF_F_ADJ_ROOM_DECAP_L3_IPV6\fP:
1422 Indicate the new IP header version after decapsulating the outer
1423 IP header. Used when the inner and outer IP versions are different.
1426 A call to this helper is susceptible to change the underlying
1427 packet buffer. Therefore, at load time, all checks on pointers
1428 previously done by the verifier are invalidated and must be
1429 performed again, if the helper is used in combination with
1430 direct packet access.
1433 0 on success, or a negative error in case of failure.
1436 .B \fBlong bpf_redirect_map(struct bpf_map *\fP\fImap\fP\fB, u64\fP \fIkey\fP\fB, u64\fP \fIflags\fP\fB)\fP
1440 Redirect the packet to the endpoint referenced by \fImap\fP at
1441 index \fIkey\fP\&. Depending on its type, this \fImap\fP can contain
1442 references to net devices (for forwarding packets through other
1443 ports), or to CPUs (for redirecting XDP frames to another CPU;
1444 but this is only implemented for native XDP (with driver
1445 support) as of this writing).
1447 The lower two bits of \fIflags\fP are used as the return code if
1448 the map lookup fails. This is so that the return value can be
1449 one of the XDP program return codes up to \fBXDP_TX\fP, as chosen
1450 by the caller. The higher bits of \fIflags\fP can be set to
1451 BPF_F_BROADCAST or BPF_F_EXCLUDE_INGRESS as defined below.
1453 With BPF_F_BROADCAST the packet will be broadcasted to all the
1454 interfaces in the map, with BPF_F_EXCLUDE_INGRESS the ingress
1455 interface will be excluded when do broadcasting.
1457 See also \fBbpf_redirect\fP(), which only supports redirecting
1458 to an ifindex, but doesn\(aqt require a map to do so.
1461 \fBXDP_REDIRECT\fP on success, or the value of the two lower bits
1462 of the \fIflags\fP argument on error.
1465 .B \fBlong bpf_sk_redirect_map(struct sk_buff *\fP\fIskb\fP\fB, struct bpf_map *\fP\fImap\fP\fB, u32\fP \fIkey\fP\fB, u64\fP \fIflags\fP\fB)\fP
1469 Redirect the packet to the socket referenced by \fImap\fP (of type
1470 \fBBPF_MAP_TYPE_SOCKMAP\fP) at index \fIkey\fP\&. Both ingress and
1471 egress interfaces can be used for redirection. The
1472 \fBBPF_F_INGRESS\fP value in \fIflags\fP is used to make the
1473 distinction (ingress path is selected if the flag is present,
1474 egress path otherwise). This is the only flag supported for now.
1477 \fBSK_PASS\fP on success, or \fBSK_DROP\fP on error.
1480 .B \fBlong bpf_sock_map_update(struct bpf_sock_ops *\fP\fIskops\fP\fB, struct bpf_map *\fP\fImap\fP\fB, void *\fP\fIkey\fP\fB, u64\fP \fIflags\fP\fB)\fP
1484 Add an entry to, or update a \fImap\fP referencing sockets. The
1485 \fIskops\fP is used as a new value for the entry associated to
1486 \fIkey\fP\&. \fIflags\fP is one of:
1489 .B \fBBPF_NOEXIST\fP
1490 The entry for \fIkey\fP must not exist in the map.
1493 The entry for \fIkey\fP must already exist in the map.
1496 No condition on the existence of the entry for \fIkey\fP\&.
1499 If the \fImap\fP has eBPF programs (parser and verdict), those will
1500 be inherited by the socket being added. If the socket is
1501 already attached to eBPF programs, this results in an error.
1504 0 on success, or a negative error in case of failure.
1507 .B \fBlong bpf_xdp_adjust_meta(struct xdp_buff *\fP\fIxdp_md\fP\fB, int\fP \fIdelta\fP\fB)\fP
1511 Adjust the address pointed by \fIxdp_md\fP\fB\->data_meta\fP by
1512 \fIdelta\fP (which can be positive or negative). Note that this
1513 operation modifies the address stored in \fIxdp_md\fP\fB\->data\fP,
1514 so the latter must be loaded only after the helper has been
1517 The use of \fIxdp_md\fP\fB\->data_meta\fP is optional and programs
1518 are not required to use it. The rationale is that when the
1519 packet is processed with XDP (e.g. as DoS filter), it is
1520 possible to push further meta data along with it before passing
1521 to the stack, and to give the guarantee that an ingress eBPF
1522 program attached as a TC classifier on the same device can pick
1523 this up for further post\-processing. Since TC works with socket
1524 buffers, it remains possible to set from XDP the \fBmark\fP or
1525 \fBpriority\fP pointers, or other pointers for the socket buffer.
1526 Having this scratch space generic and programmable allows for
1527 more flexibility as the user is free to store whatever meta
1530 A call to this helper is susceptible to change the underlying
1531 packet buffer. Therefore, at load time, all checks on pointers
1532 previously done by the verifier are invalidated and must be
1533 performed again, if the helper is used in combination with
1534 direct packet access.
1537 0 on success, or a negative error in case of failure.
1540 .B \fBlong bpf_perf_event_read_value(struct bpf_map *\fP\fImap\fP\fB, u64\fP \fIflags\fP\fB, struct bpf_perf_event_value *\fP\fIbuf\fP\fB, u32\fP \fIbuf_size\fP\fB)\fP
1544 Read the value of a perf event counter, and store it into \fIbuf\fP
1545 of size \fIbuf_size\fP\&. This helper relies on a \fImap\fP of type
1546 \fBBPF_MAP_TYPE_PERF_EVENT_ARRAY\fP\&. The nature of the perf event
1547 counter is selected when \fImap\fP is updated with perf event file
1548 descriptors. The \fImap\fP is an array whose size is the number of
1549 available CPUs, and each cell contains a value relative to one
1550 CPU. The value to retrieve is indicated by \fIflags\fP, that
1551 contains the index of the CPU to look up, masked with
1552 \fBBPF_F_INDEX_MASK\fP\&. Alternatively, \fIflags\fP can be set to
1553 \fBBPF_F_CURRENT_CPU\fP to indicate that the value for the
1554 current CPU should be retrieved.
1556 This helper behaves in a way close to
1557 \fBbpf_perf_event_read\fP() helper, save that instead of
1558 just returning the value observed, it fills the \fIbuf\fP
1559 structure. This allows for additional data to be retrieved: in
1560 particular, the enabled and running times (in \fIbuf\fP\fB\->enabled\fP and \fIbuf\fP\fB\->running\fP, respectively) are
1561 copied. In general, \fBbpf_perf_event_read_value\fP() is
1562 recommended over \fBbpf_perf_event_read\fP(), which has some
1563 ABI issues and provides fewer functionalities.
1565 These values are interesting, because hardware PMU (Performance
1566 Monitoring Unit) counters are limited resources. When there are
1567 more PMU based perf events opened than available counters,
1568 kernel will multiplex these events so each event gets certain
1569 percentage (but not all) of the PMU time. In case that
1570 multiplexing happens, the number of samples or counter value
1571 will not reflect the case compared to when no multiplexing
1572 occurs. This makes comparison between different runs difficult.
1573 Typically, the counter value should be normalized before
1574 comparing to other experiments. The usual normalization is done
1580 normalized_counter = counter * t_enabled / t_running
1585 Where t_enabled is the time enabled for event and t_running is
1586 the time running for event since last normalization. The
1587 enabled and running times are accumulated since the perf event
1588 open. To achieve scaling factor between two invocations of an
1589 eBPF program, users can use CPU id as the key (which is
1590 typical for perf array usage model) to remember the previous
1591 value and do the calculation inside the eBPF program.
1594 0 on success, or a negative error in case of failure.
1597 .B \fBlong bpf_perf_prog_read_value(struct bpf_perf_event_data *\fP\fIctx\fP\fB, struct bpf_perf_event_value *\fP\fIbuf\fP\fB, u32\fP \fIbuf_size\fP\fB)\fP
1601 For an eBPF program attached to a perf event, retrieve the
1602 value of the event counter associated to \fIctx\fP and store it in
1603 the structure pointed by \fIbuf\fP and of size \fIbuf_size\fP\&. Enabled
1604 and running times are also stored in the structure (see
1605 description of helper \fBbpf_perf_event_read_value\fP() for
1609 0 on success, or a negative error in case of failure.
1612 .B \fBlong bpf_getsockopt(void *\fP\fIbpf_socket\fP\fB, int\fP \fIlevel\fP\fB, int\fP \fIoptname\fP\fB, void *\fP\fIoptval\fP\fB, int\fP \fIoptlen\fP\fB)\fP
1616 Emulate a call to \fBgetsockopt()\fP on the socket associated to
1617 \fIbpf_socket\fP, which must be a full socket. The \fIlevel\fP at
1618 which the option resides and the name \fIoptname\fP of the option
1619 must be specified, see \fBgetsockopt(2)\fP for more information.
1620 The retrieved value is stored in the structure pointed by
1621 \fIopval\fP and of length \fIoptlen\fP\&.
1623 \fIbpf_socket\fP should be one of the following:
1626 \fBstruct bpf_sock_ops\fP for \fBBPF_PROG_TYPE_SOCK_OPS\fP\&.
1628 \fBstruct bpf_sock_addr\fP for \fBBPF_CGROUP_INET4_CONNECT\fP,
1629 \fBBPF_CGROUP_INET6_CONNECT\fP and \fBBPF_CGROUP_UNIX_CONNECT\fP\&.
1632 This helper actually implements a subset of \fBgetsockopt()\fP\&.
1633 It supports the same set of \fIoptname\fPs that is supported by
1634 the \fBbpf_setsockopt\fP() helper. The exceptions are
1635 \fBTCP_BPF_*\fP is \fBbpf_setsockopt\fP() only and
1636 \fBTCP_SAVED_SYN\fP is \fBbpf_getsockopt\fP() only.
1639 0 on success, or a negative error in case of failure.
1642 .B \fBlong bpf_override_return(struct pt_regs *\fP\fIregs\fP\fB, u64\fP \fIrc\fP\fB)\fP
1646 Used for error injection, this helper uses kprobes to override
1647 the return value of the probed function, and to set it to \fIrc\fP\&.
1648 The first argument is the context \fIregs\fP on which the kprobe
1651 This helper works by setting the PC (program counter)
1652 to an override function which is run in place of the original
1653 probed function. This means the probed function is not run at
1654 all. The replacement function just returns with the required
1657 This helper has security implications, and thus is subject to
1658 restrictions. It is only available if the kernel was compiled
1659 with the \fBCONFIG_BPF_KPROBE_OVERRIDE\fP configuration
1660 option, and in this case it only works on functions tagged with
1661 \fBALLOW_ERROR_INJECTION\fP in the kernel code.
1663 Also, the helper is only available for the architectures having
1664 the CONFIG_FUNCTION_ERROR_INJECTION option. As of this writing,
1665 x86 architecture is the only one to support this feature.
1671 .B \fBlong bpf_sock_ops_cb_flags_set(struct bpf_sock_ops *\fP\fIbpf_sock\fP\fB, int\fP \fIargval\fP\fB)\fP
1675 Attempt to set the value of the \fBbpf_sock_ops_cb_flags\fP field
1676 for the full TCP socket associated to \fIbpf_sock_ops\fP to
1679 The primary use of this field is to determine if there should
1680 be calls to eBPF programs of type
1681 \fBBPF_PROG_TYPE_SOCK_OPS\fP at various points in the TCP
1682 code. A program of the same type can change its value, per
1683 connection and as necessary, when the connection is
1684 established. This field is directly accessible for reading, but
1685 this helper must be used for updates in order to return an
1686 error if an eBPF program tries to set a callback that is not
1687 supported in the current kernel.
1689 \fIargval\fP is a flag array which can combine these flags:
1692 \fBBPF_SOCK_OPS_RTO_CB_FLAG\fP (retransmission time out)
1694 \fBBPF_SOCK_OPS_RETRANS_CB_FLAG\fP (retransmission)
1696 \fBBPF_SOCK_OPS_STATE_CB_FLAG\fP (TCP state change)
1698 \fBBPF_SOCK_OPS_RTT_CB_FLAG\fP (every RTT)
1701 Therefore, this function can be used to clear a callback flag by
1702 setting the appropriate bit to zero. e.g. to disable the RTO
1706 .B \fBbpf_sock_ops_cb_flags_set(bpf_sock,\fP
1707 \fBbpf_sock\->bpf_sock_ops_cb_flags & ~BPF_SOCK_OPS_RTO_CB_FLAG)\fP
1710 Here are some examples of where one could call such eBPF
1716 When a packet is retransmitted.
1718 When the connection terminates.
1720 When a packet is sent.
1722 When a packet is received.
1726 Code \fB\-EINVAL\fP if the socket is not a full TCP socket;
1727 otherwise, a positive number containing the bits that could not
1728 be set is returned (which comes down to 0 if all bits were set
1732 .B \fBlong bpf_msg_redirect_map(struct sk_msg_buff *\fP\fImsg\fP\fB, struct bpf_map *\fP\fImap\fP\fB, u32\fP \fIkey\fP\fB, u64\fP \fIflags\fP\fB)\fP
1736 This helper is used in programs implementing policies at the
1737 socket level. If the message \fImsg\fP is allowed to pass (i.e. if
1738 the verdict eBPF program returns \fBSK_PASS\fP), redirect it to
1739 the socket referenced by \fImap\fP (of type
1740 \fBBPF_MAP_TYPE_SOCKMAP\fP) at index \fIkey\fP\&. Both ingress and
1741 egress interfaces can be used for redirection. The
1742 \fBBPF_F_INGRESS\fP value in \fIflags\fP is used to make the
1743 distinction (ingress path is selected if the flag is present,
1744 egress path otherwise). This is the only flag supported for now.
1747 \fBSK_PASS\fP on success, or \fBSK_DROP\fP on error.
1750 .B \fBlong bpf_msg_apply_bytes(struct sk_msg_buff *\fP\fImsg\fP\fB, u32\fP \fIbytes\fP\fB)\fP
1754 For socket policies, apply the verdict of the eBPF program to
1755 the next \fIbytes\fP (number of bytes) of message \fImsg\fP\&.
1757 For example, this helper can be used in the following cases:
1760 A single \fBsendmsg\fP() or \fBsendfile\fP() system call
1761 contains multiple logical messages that the eBPF program is
1762 supposed to read and for which it should apply a verdict.
1764 An eBPF program only cares to read the first \fIbytes\fP of a
1765 \fImsg\fP\&. If the message has a large payload, then setting up
1766 and calling the eBPF program repeatedly for all bytes, even
1767 though the verdict is already known, would create unnecessary
1771 When called from within an eBPF program, the helper sets a
1772 counter internal to the BPF infrastructure, that is used to
1773 apply the last verdict to the next \fIbytes\fP\&. If \fIbytes\fP is
1774 smaller than the current data being processed from a
1775 \fBsendmsg\fP() or \fBsendfile\fP() system call, the first
1776 \fIbytes\fP will be sent and the eBPF program will be re\-run with
1777 the pointer for start of data pointing to byte number \fIbytes\fP
1778 \fB+ 1\fP\&. If \fIbytes\fP is larger than the current data being
1779 processed, then the eBPF verdict will be applied to multiple
1780 \fBsendmsg\fP() or \fBsendfile\fP() calls until \fIbytes\fP are
1783 Note that if a socket closes with the internal counter holding
1784 a non\-zero value, this is not a problem because data is not
1785 being buffered for \fIbytes\fP and is sent as it is received.
1791 .B \fBlong bpf_msg_cork_bytes(struct sk_msg_buff *\fP\fImsg\fP\fB, u32\fP \fIbytes\fP\fB)\fP
1795 For socket policies, prevent the execution of the verdict eBPF
1796 program for message \fImsg\fP until \fIbytes\fP (byte number) have been
1799 This can be used when one needs a specific number of bytes
1800 before a verdict can be assigned, even if the data spans
1801 multiple \fBsendmsg\fP() or \fBsendfile\fP() calls. The extreme
1802 case would be a user calling \fBsendmsg\fP() repeatedly with
1803 1\-byte long message segments. Obviously, this is bad for
1804 performance, but it is still valid. If the eBPF program needs
1805 \fIbytes\fP bytes to validate a header, this helper can be used to
1806 prevent the eBPF program to be called again until \fIbytes\fP have
1813 .B \fBlong bpf_msg_pull_data(struct sk_msg_buff *\fP\fImsg\fP\fB, u32\fP \fIstart\fP\fB, u32\fP \fIend\fP\fB, u64\fP \fIflags\fP\fB)\fP
1817 For socket policies, pull in non\-linear data from user space
1818 for \fImsg\fP and set pointers \fImsg\fP\fB\->data\fP and \fImsg\fP\fB\->data_end\fP to \fIstart\fP and \fIend\fP bytes offsets into \fImsg\fP,
1821 If a program of type \fBBPF_PROG_TYPE_SK_MSG\fP is run on a
1822 \fImsg\fP it can only parse data that the (\fBdata\fP, \fBdata_end\fP)
1823 pointers have already consumed. For \fBsendmsg\fP() hooks this
1824 is likely the first scatterlist element. But for calls relying
1825 on the \fBsendpage\fP handler (e.g. \fBsendfile\fP()) this will
1826 be the range (\fB0\fP, \fB0\fP) because the data is shared with
1827 user space and by default the objective is to avoid allowing
1828 user space to modify data while (or after) eBPF verdict is
1829 being decided. This helper can be used to pull in data and to
1830 set the start and end pointer to given values. Data will be
1831 copied if necessary (i.e. if data was not linear and if start
1832 and end pointers do not point to the same chunk).
1834 A call to this helper is susceptible to change the underlying
1835 packet buffer. Therefore, at load time, all checks on pointers
1836 previously done by the verifier are invalidated and must be
1837 performed again, if the helper is used in combination with
1838 direct packet access.
1840 All values for \fIflags\fP are reserved for future usage, and must
1844 0 on success, or a negative error in case of failure.
1847 .B \fBlong bpf_bind(struct bpf_sock_addr *\fP\fIctx\fP\fB, struct sockaddr *\fP\fIaddr\fP\fB, int\fP \fIaddr_len\fP\fB)\fP
1851 Bind the socket associated to \fIctx\fP to the address pointed by
1852 \fIaddr\fP, of length \fIaddr_len\fP\&. This allows for making outgoing
1853 connection from the desired IP address, which can be useful for
1854 example when all processes inside a cgroup should use one
1855 single IP address on a host that has multiple IP configured.
1857 This helper works for IPv4 and IPv6, TCP and UDP sockets. The
1858 domain (\fIaddr\fP\fB\->sa_family\fP) must be \fBAF_INET\fP (or
1859 \fBAF_INET6\fP). It\(aqs advised to pass zero port (\fBsin_port\fP
1860 or \fBsin6_port\fP) which triggers IP_BIND_ADDRESS_NO_PORT\-like
1861 behavior and lets the kernel efficiently pick up an unused
1862 port as long as 4\-tuple is unique. Passing non\-zero port might
1863 lead to degraded performance.
1866 0 on success, or a negative error in case of failure.
1869 .B \fBlong bpf_xdp_adjust_tail(struct xdp_buff *\fP\fIxdp_md\fP\fB, int\fP \fIdelta\fP\fB)\fP
1873 Adjust (move) \fIxdp_md\fP\fB\->data_end\fP by \fIdelta\fP bytes. It is
1874 possible to both shrink and grow the packet tail.
1875 Shrink done via \fIdelta\fP being a negative integer.
1877 A call to this helper is susceptible to change the underlying
1878 packet buffer. Therefore, at load time, all checks on pointers
1879 previously done by the verifier are invalidated and must be
1880 performed again, if the helper is used in combination with
1881 direct packet access.
1884 0 on success, or a negative error in case of failure.
1887 .B \fBlong bpf_skb_get_xfrm_state(struct sk_buff *\fP\fIskb\fP\fB, u32\fP \fIindex\fP\fB, struct bpf_xfrm_state *\fP\fIxfrm_state\fP\fB, u32\fP \fIsize\fP\fB, u64\fP \fIflags\fP\fB)\fP
1891 Retrieve the XFRM state (IP transform framework, see also
1892 \fBip\-xfrm(8)\fP) at \fIindex\fP in XFRM \(dqsecurity path\(dq for \fIskb\fP\&.
1894 The retrieved value is stored in the \fBstruct bpf_xfrm_state\fP
1895 pointed by \fIxfrm_state\fP and of length \fIsize\fP\&.
1897 All values for \fIflags\fP are reserved for future usage, and must
1900 This helper is available only if the kernel was compiled with
1901 \fBCONFIG_XFRM\fP configuration option.
1904 0 on success, or a negative error in case of failure.
1907 .B \fBlong bpf_get_stack(void *\fP\fIctx\fP\fB, void *\fP\fIbuf\fP\fB, u32\fP \fIsize\fP\fB, u64\fP \fIflags\fP\fB)\fP
1911 Return a user or a kernel stack in bpf program provided buffer.
1912 To achieve this, the helper needs \fIctx\fP, which is a pointer
1913 to the context on which the tracing program is executed.
1914 To store the stacktrace, the bpf program provides \fIbuf\fP with
1915 a nonnegative \fIsize\fP\&.
1917 The last argument, \fIflags\fP, holds the number of stack frames to
1918 skip (from 0 to 255), masked with
1919 \fBBPF_F_SKIP_FIELD_MASK\fP\&. The next bits can be used to set
1920 the following flags:
1923 .B \fBBPF_F_USER_STACK\fP
1924 Collect a user space stack instead of a kernel stack.
1926 .B \fBBPF_F_USER_BUILD_ID\fP
1927 Collect (build_id, file_offset) instead of ips for user
1928 stack, only valid if \fBBPF_F_USER_STACK\fP is also
1931 \fIfile_offset\fP is an offset relative to the beginning
1932 of the executable or shared object file backing the vma
1933 which the \fIip\fP falls in. It is \fInot\fP an offset relative
1934 to that object\(aqs base address. Accordingly, it must be
1935 adjusted by adding (sh_addr \- sh_offset), where
1936 sh_{addr,offset} correspond to the executable section
1937 containing \fIfile_offset\fP in the object, for comparisons
1938 to symbols\(aq st_value to be valid.
1941 \fBbpf_get_stack\fP() can collect up to
1942 \fBPERF_MAX_STACK_DEPTH\fP both kernel and user frames, subject
1943 to sufficient large buffer size. Note that
1944 this limit can be controlled with the \fBsysctl\fP program, and
1945 that it should be manually increased in order to profile long
1946 user stacks (such as stacks for Java programs). To do so, use:
1951 # sysctl kernel.perf_event_max_stack=<new value>
1957 The non\-negative copied \fIbuf\fP length equal to or less than
1958 \fIsize\fP on success, or a negative error in case of failure.
1961 .B \fBlong bpf_skb_load_bytes_relative(const void *\fP\fIskb\fP\fB, u32\fP \fIoffset\fP\fB, void *\fP\fIto\fP\fB, u32\fP \fIlen\fP\fB, u32\fP \fIstart_header\fP\fB)\fP
1965 This helper is similar to \fBbpf_skb_load_bytes\fP() in that
1966 it provides an easy way to load \fIlen\fP bytes from \fIoffset\fP
1967 from the packet associated to \fIskb\fP, into the buffer pointed
1968 by \fIto\fP\&. The difference to \fBbpf_skb_load_bytes\fP() is that
1969 a fifth argument \fIstart_header\fP exists in order to select a
1970 base offset to start from. \fIstart_header\fP can be one of:
1973 .B \fBBPF_HDR_START_MAC\fP
1974 Base offset to load data from is \fIskb\fP\(aqs mac header.
1976 .B \fBBPF_HDR_START_NET\fP
1977 Base offset to load data from is \fIskb\fP\(aqs network header.
1980 In general, \(dqdirect packet access\(dq is the preferred method to
1981 access packet data, however, this helper is in particular useful
1982 in socket filters where \fIskb\fP\fB\->data\fP does not always point
1983 to the start of the mac header and where \(dqdirect packet access\(dq
1987 0 on success, or a negative error in case of failure.
1990 .B \fBlong bpf_fib_lookup(void *\fP\fIctx\fP\fB, struct bpf_fib_lookup *\fP\fIparams\fP\fB, int\fP \fIplen\fP\fB, u32\fP \fIflags\fP\fB)\fP
1994 Do FIB lookup in kernel tables using parameters in \fIparams\fP\&.
1995 If lookup is successful and result shows packet is to be
1996 forwarded, the neighbor tables are searched for the nexthop.
1997 If successful (ie., FIB lookup shows forwarding and nexthop
1998 is resolved), the nexthop address is returned in ipv4_dst
1999 or ipv6_dst based on family, smac is set to mac address of
2000 egress device, dmac is set to nexthop mac address, rt_metric
2001 is set to metric from route (IPv4/IPv6 only), and ifindex
2002 is set to the device index of the nexthop from the FIB lookup.
2004 \fIplen\fP argument is the size of the passed in struct.
2005 \fIflags\fP argument can be a combination of one or more of the
2009 .B \fBBPF_FIB_LOOKUP_DIRECT\fP
2010 Do a direct table lookup vs full lookup using FIB
2013 .B \fBBPF_FIB_LOOKUP_TBID\fP
2014 Used with BPF_FIB_LOOKUP_DIRECT.
2015 Use the routing table ID present in \fIparams\fP\->tbid
2018 .B \fBBPF_FIB_LOOKUP_OUTPUT\fP
2019 Perform lookup from an egress perspective (default is
2022 .B \fBBPF_FIB_LOOKUP_SKIP_NEIGH\fP
2023 Skip the neighbour table lookup. \fIparams\fP\->dmac
2024 and \fIparams\fP\->smac will not be set as output. A common
2025 use case is to call \fBbpf_redirect_neigh\fP() after
2026 doing \fBbpf_fib_lookup\fP().
2028 .B \fBBPF_FIB_LOOKUP_SRC\fP
2029 Derive and set source IP addr in \fIparams\fP\->ipv{4,6}_src
2030 for the nexthop. If the src addr cannot be derived,
2031 \fBBPF_FIB_LKUP_RET_NO_SRC_ADDR\fP is returned. In this
2032 case, \fIparams\fP\->dmac and \fIparams\fP\->smac are not set either.
2035 \fIctx\fP is either \fBstruct xdp_md\fP for XDP programs or
2036 \fBstruct sk_buff\fP tc cls_act programs.
2041 < 0 if any input argument is invalid
2043 0 on success (packet is forwarded, nexthop neighbor exists)
2045 > 0 one of \fBBPF_FIB_LKUP_RET_\fP codes explaining why the
2046 packet is not forwarded or needs assist from full stack
2049 If lookup fails with BPF_FIB_LKUP_RET_FRAG_NEEDED, then the MTU
2050 was exceeded and output params\->mtu_result contains the MTU.
2053 .B \fBlong bpf_sock_hash_update(struct bpf_sock_ops *\fP\fIskops\fP\fB, struct bpf_map *\fP\fImap\fP\fB, void *\fP\fIkey\fP\fB, u64\fP \fIflags\fP\fB)\fP
2057 Add an entry to, or update a sockhash \fImap\fP referencing sockets.
2058 The \fIskops\fP is used as a new value for the entry associated to
2059 \fIkey\fP\&. \fIflags\fP is one of:
2062 .B \fBBPF_NOEXIST\fP
2063 The entry for \fIkey\fP must not exist in the map.
2066 The entry for \fIkey\fP must already exist in the map.
2069 No condition on the existence of the entry for \fIkey\fP\&.
2072 If the \fImap\fP has eBPF programs (parser and verdict), those will
2073 be inherited by the socket being added. If the socket is
2074 already attached to eBPF programs, this results in an error.
2077 0 on success, or a negative error in case of failure.
2080 .B \fBlong bpf_msg_redirect_hash(struct sk_msg_buff *\fP\fImsg\fP\fB, struct bpf_map *\fP\fImap\fP\fB, void *\fP\fIkey\fP\fB, u64\fP \fIflags\fP\fB)\fP
2084 This helper is used in programs implementing policies at the
2085 socket level. If the message \fImsg\fP is allowed to pass (i.e. if
2086 the verdict eBPF program returns \fBSK_PASS\fP), redirect it to
2087 the socket referenced by \fImap\fP (of type
2088 \fBBPF_MAP_TYPE_SOCKHASH\fP) using hash \fIkey\fP\&. Both ingress and
2089 egress interfaces can be used for redirection. The
2090 \fBBPF_F_INGRESS\fP value in \fIflags\fP is used to make the
2091 distinction (ingress path is selected if the flag is present,
2092 egress path otherwise). This is the only flag supported for now.
2095 \fBSK_PASS\fP on success, or \fBSK_DROP\fP on error.
2098 .B \fBlong bpf_sk_redirect_hash(struct sk_buff *\fP\fIskb\fP\fB, struct bpf_map *\fP\fImap\fP\fB, void *\fP\fIkey\fP\fB, u64\fP \fIflags\fP\fB)\fP
2102 This helper is used in programs implementing policies at the
2103 skb socket level. If the sk_buff \fIskb\fP is allowed to pass (i.e.
2104 if the verdict eBPF program returns \fBSK_PASS\fP), redirect it
2105 to the socket referenced by \fImap\fP (of type
2106 \fBBPF_MAP_TYPE_SOCKHASH\fP) using hash \fIkey\fP\&. Both ingress and
2107 egress interfaces can be used for redirection. The
2108 \fBBPF_F_INGRESS\fP value in \fIflags\fP is used to make the
2109 distinction (ingress path is selected if the flag is present,
2110 egress otherwise). This is the only flag supported for now.
2113 \fBSK_PASS\fP on success, or \fBSK_DROP\fP on error.
2116 .B \fBlong bpf_lwt_push_encap(struct sk_buff *\fP\fIskb\fP\fB, u32\fP \fItype\fP\fB, void *\fP\fIhdr\fP\fB, u32\fP \fIlen\fP\fB)\fP
2120 Encapsulate the packet associated to \fIskb\fP within a Layer 3
2121 protocol header. This header is provided in the buffer at
2122 address \fIhdr\fP, with \fIlen\fP its size in bytes. \fItype\fP indicates
2123 the protocol of the header and can be one of:
2126 .B \fBBPF_LWT_ENCAP_SEG6\fP
2127 IPv6 encapsulation with Segment Routing Header
2128 (\fBstruct ipv6_sr_hdr\fP). \fIhdr\fP only contains the SRH,
2129 the IPv6 header is computed by the kernel.
2131 .B \fBBPF_LWT_ENCAP_SEG6_INLINE\fP
2132 Only works if \fIskb\fP contains an IPv6 packet. Insert a
2133 Segment Routing Header (\fBstruct ipv6_sr_hdr\fP) inside
2136 .B \fBBPF_LWT_ENCAP_IP\fP
2137 IP encapsulation (GRE/GUE/IPIP/etc). The outer header
2138 must be IPv4 or IPv6, followed by zero or more
2139 additional headers, up to \fBLWT_BPF_MAX_HEADROOM\fP
2140 total bytes in all prepended headers. Please note that
2141 if \fBskb_is_gso\fP(\fIskb\fP) is true, no more than two
2142 headers can be prepended, and the inner header, if
2143 present, should be either GRE or UDP/GUE.
2146 \fBBPF_LWT_ENCAP_SEG6\fP* types can be called by BPF programs
2147 of type \fBBPF_PROG_TYPE_LWT_IN\fP; \fBBPF_LWT_ENCAP_IP\fP type can
2148 be called by bpf programs of types \fBBPF_PROG_TYPE_LWT_IN\fP and
2149 \fBBPF_PROG_TYPE_LWT_XMIT\fP\&.
2151 A call to this helper is susceptible to change the underlying
2152 packet buffer. Therefore, at load time, all checks on pointers
2153 previously done by the verifier are invalidated and must be
2154 performed again, if the helper is used in combination with
2155 direct packet access.
2158 0 on success, or a negative error in case of failure.
2161 .B \fBlong bpf_lwt_seg6_store_bytes(struct sk_buff *\fP\fIskb\fP\fB, u32\fP \fIoffset\fP\fB, const void *\fP\fIfrom\fP\fB, u32\fP \fIlen\fP\fB)\fP
2165 Store \fIlen\fP bytes from address \fIfrom\fP into the packet
2166 associated to \fIskb\fP, at \fIoffset\fP\&. Only the flags, tag and TLVs
2167 inside the outermost IPv6 Segment Routing Header can be
2168 modified through this helper.
2170 A call to this helper is susceptible to change the underlying
2171 packet buffer. Therefore, at load time, all checks on pointers
2172 previously done by the verifier are invalidated and must be
2173 performed again, if the helper is used in combination with
2174 direct packet access.
2177 0 on success, or a negative error in case of failure.
2180 .B \fBlong bpf_lwt_seg6_adjust_srh(struct sk_buff *\fP\fIskb\fP\fB, u32\fP \fIoffset\fP\fB, s32\fP \fIdelta\fP\fB)\fP
2184 Adjust the size allocated to TLVs in the outermost IPv6
2185 Segment Routing Header contained in the packet associated to
2186 \fIskb\fP, at position \fIoffset\fP by \fIdelta\fP bytes. Only offsets
2187 after the segments are accepted. \fIdelta\fP can be as well
2188 positive (growing) as negative (shrinking).
2190 A call to this helper is susceptible to change the underlying
2191 packet buffer. Therefore, at load time, all checks on pointers
2192 previously done by the verifier are invalidated and must be
2193 performed again, if the helper is used in combination with
2194 direct packet access.
2197 0 on success, or a negative error in case of failure.
2200 .B \fBlong bpf_lwt_seg6_action(struct sk_buff *\fP\fIskb\fP\fB, u32\fP \fIaction\fP\fB, void *\fP\fIparam\fP\fB, u32\fP \fIparam_len\fP\fB)\fP
2204 Apply an IPv6 Segment Routing action of type \fIaction\fP to the
2205 packet associated to \fIskb\fP\&. Each action takes a parameter
2206 contained at address \fIparam\fP, and of length \fIparam_len\fP bytes.
2207 \fIaction\fP can be one of:
2210 .B \fBSEG6_LOCAL_ACTION_END_X\fP
2211 End.X action: Endpoint with Layer\-3 cross\-connect.
2212 Type of \fIparam\fP: \fBstruct in6_addr\fP\&.
2214 .B \fBSEG6_LOCAL_ACTION_END_T\fP
2215 End.T action: Endpoint with specific IPv6 table lookup.
2216 Type of \fIparam\fP: \fBint\fP\&.
2218 .B \fBSEG6_LOCAL_ACTION_END_B6\fP
2219 End.B6 action: Endpoint bound to an SRv6 policy.
2220 Type of \fIparam\fP: \fBstruct ipv6_sr_hdr\fP\&.
2222 .B \fBSEG6_LOCAL_ACTION_END_B6_ENCAP\fP
2223 End.B6.Encap action: Endpoint bound to an SRv6
2224 encapsulation policy.
2225 Type of \fIparam\fP: \fBstruct ipv6_sr_hdr\fP\&.
2228 A call to this helper is susceptible to change the underlying
2229 packet buffer. Therefore, at load time, all checks on pointers
2230 previously done by the verifier are invalidated and must be
2231 performed again, if the helper is used in combination with
2232 direct packet access.
2235 0 on success, or a negative error in case of failure.
2238 .B \fBlong bpf_rc_repeat(void *\fP\fIctx\fP\fB)\fP
2242 This helper is used in programs implementing IR decoding, to
2243 report a successfully decoded repeat key message. This delays
2244 the generation of a key up event for previously generated
2247 Some IR protocols like NEC have a special IR message for
2248 repeating last button, for when a button is held down.
2250 The \fIctx\fP should point to the lirc sample as passed into
2253 This helper is only available is the kernel was compiled with
2254 the \fBCONFIG_BPF_LIRC_MODE2\fP configuration option set to
2261 .B \fBlong bpf_rc_keydown(void *\fP\fIctx\fP\fB, u32\fP \fIprotocol\fP\fB, u64\fP \fIscancode\fP\fB, u32\fP \fItoggle\fP\fB)\fP
2265 This helper is used in programs implementing IR decoding, to
2266 report a successfully decoded key press with \fIscancode\fP,
2267 \fItoggle\fP value in the given \fIprotocol\fP\&. The scancode will be
2268 translated to a keycode using the rc keymap, and reported as
2269 an input key down event. After a period a key up event is
2270 generated. This period can be extended by calling either
2271 \fBbpf_rc_keydown\fP() again with the same values, or calling
2272 \fBbpf_rc_repeat\fP().
2274 Some protocols include a toggle bit, in case the button was
2275 released and pressed again between consecutive scancodes.
2277 The \fIctx\fP should point to the lirc sample as passed into
2280 The \fIprotocol\fP is the decoded protocol number (see
2281 \fBenum rc_proto\fP for some predefined values).
2283 This helper is only available is the kernel was compiled with
2284 the \fBCONFIG_BPF_LIRC_MODE2\fP configuration option set to
2291 .B \fBu64 bpf_skb_cgroup_id(struct sk_buff *\fP\fIskb\fP\fB)\fP
2295 Return the cgroup v2 id of the socket associated with the \fIskb\fP\&.
2296 This is roughly similar to the \fBbpf_get_cgroup_classid\fP()
2297 helper for cgroup v1 by providing a tag resp. identifier that
2298 can be matched on or used for map lookups e.g. to implement
2299 policy. The cgroup v2 id of a given path in the hierarchy is
2300 exposed in user space through the f_handle API in order to get
2301 to the same 64\-bit id.
2303 This helper can be used on TC egress path, but not on ingress,
2304 and is available only if the kernel was compiled with the
2305 \fBCONFIG_SOCK_CGROUP_DATA\fP configuration option.
2308 The id is returned or 0 in case the id could not be retrieved.
2311 .B \fBu64 bpf_get_current_cgroup_id(void)\fP
2315 Get the current cgroup id based on the cgroup within which
2316 the current task is running.
2319 A 64\-bit integer containing the current cgroup id based
2320 on the cgroup within which the current task is running.
2323 .B \fBvoid *bpf_get_local_storage(void *\fP\fImap\fP\fB, u64\fP \fIflags\fP\fB)\fP
2327 Get the pointer to the local storage area.
2328 The type and the size of the local storage is defined
2329 by the \fImap\fP argument.
2330 The \fIflags\fP meaning is specific for each map type,
2331 and has to be 0 for cgroup local storage.
2333 Depending on the BPF program type, a local storage area
2334 can be shared between multiple instances of the BPF program,
2335 running simultaneously.
2337 A user should care about the synchronization by himself.
2338 For example, by using the \fBBPF_ATOMIC\fP instructions to alter
2342 A pointer to the local storage area.
2345 .B \fBlong bpf_sk_select_reuseport(struct sk_reuseport_md *\fP\fIreuse\fP\fB, struct bpf_map *\fP\fImap\fP\fB, void *\fP\fIkey\fP\fB, u64\fP \fIflags\fP\fB)\fP
2349 Select a \fBSO_REUSEPORT\fP socket from a
2350 \fBBPF_MAP_TYPE_REUSEPORT_SOCKARRAY\fP \fImap\fP\&.
2351 It checks the selected socket is matching the incoming
2352 request in the socket buffer.
2355 0 on success, or a negative error in case of failure.
2358 .B \fBu64 bpf_skb_ancestor_cgroup_id(struct sk_buff *\fP\fIskb\fP\fB, int\fP \fIancestor_level\fP\fB)\fP
2362 Return id of cgroup v2 that is ancestor of cgroup associated
2363 with the \fIskb\fP at the \fIancestor_level\fP\&. The root cgroup is at
2364 \fIancestor_level\fP zero and each step down the hierarchy
2365 increments the level. If \fIancestor_level\fP == level of cgroup
2366 associated with \fIskb\fP, then return value will be same as that
2367 of \fBbpf_skb_cgroup_id\fP().
2369 The helper is useful to implement policies based on cgroups
2370 that are upper in hierarchy than immediate cgroup associated
2373 The format of returned id and helper limitations are same as in
2374 \fBbpf_skb_cgroup_id\fP().
2377 The id is returned or 0 in case the id could not be retrieved.
2380 .B \fBstruct bpf_sock *bpf_sk_lookup_tcp(void *\fP\fIctx\fP\fB, struct bpf_sock_tuple *\fP\fItuple\fP\fB, u32\fP \fItuple_size\fP\fB, u64\fP \fInetns\fP\fB, u64\fP \fIflags\fP\fB)\fP
2384 Look for TCP socket matching \fItuple\fP, optionally in a child
2385 network namespace \fInetns\fP\&. The return value must be checked,
2386 and if non\-\fBNULL\fP, released via \fBbpf_sk_release\fP().
2388 The \fIctx\fP should point to the context of the program, such as
2389 the skb or socket (depending on the hook in use). This is used
2390 to determine the base network namespace for the lookup.
2392 \fItuple_size\fP must be one of:
2395 .B \fBsizeof\fP(\fItuple\fP\fB\->ipv4\fP)
2396 Look for an IPv4 socket.
2398 .B \fBsizeof\fP(\fItuple\fP\fB\->ipv6\fP)
2399 Look for an IPv6 socket.
2402 If the \fInetns\fP is a negative signed 32\-bit integer, then the
2403 socket lookup table in the netns associated with the \fIctx\fP
2404 will be used. For the TC hooks, this is the netns of the device
2405 in the skb. For socket hooks, this is the netns of the socket.
2406 If \fInetns\fP is any other signed 32\-bit value greater than or
2407 equal to zero then it specifies the ID of the netns relative to
2408 the netns associated with the \fIctx\fP\&. \fInetns\fP values beyond the
2409 range of 32\-bit integers are reserved for future use.
2411 All values for \fIflags\fP are reserved for future usage, and must
2414 This helper is available only if the kernel was compiled with
2415 \fBCONFIG_NET\fP configuration option.
2418 Pointer to \fBstruct bpf_sock\fP, or \fBNULL\fP in case of failure.
2419 For sockets with reuseport option, the \fBstruct bpf_sock\fP
2420 result is from \fIreuse\fP\fB\->socks\fP[] using the hash of the
2424 .B \fBstruct bpf_sock *bpf_sk_lookup_udp(void *\fP\fIctx\fP\fB, struct bpf_sock_tuple *\fP\fItuple\fP\fB, u32\fP \fItuple_size\fP\fB, u64\fP \fInetns\fP\fB, u64\fP \fIflags\fP\fB)\fP
2428 Look for UDP socket matching \fItuple\fP, optionally in a child
2429 network namespace \fInetns\fP\&. The return value must be checked,
2430 and if non\-\fBNULL\fP, released via \fBbpf_sk_release\fP().
2432 The \fIctx\fP should point to the context of the program, such as
2433 the skb or socket (depending on the hook in use). This is used
2434 to determine the base network namespace for the lookup.
2436 \fItuple_size\fP must be one of:
2439 .B \fBsizeof\fP(\fItuple\fP\fB\->ipv4\fP)
2440 Look for an IPv4 socket.
2442 .B \fBsizeof\fP(\fItuple\fP\fB\->ipv6\fP)
2443 Look for an IPv6 socket.
2446 If the \fInetns\fP is a negative signed 32\-bit integer, then the
2447 socket lookup table in the netns associated with the \fIctx\fP
2448 will be used. For the TC hooks, this is the netns of the device
2449 in the skb. For socket hooks, this is the netns of the socket.
2450 If \fInetns\fP is any other signed 32\-bit value greater than or
2451 equal to zero then it specifies the ID of the netns relative to
2452 the netns associated with the \fIctx\fP\&. \fInetns\fP values beyond the
2453 range of 32\-bit integers are reserved for future use.
2455 All values for \fIflags\fP are reserved for future usage, and must
2458 This helper is available only if the kernel was compiled with
2459 \fBCONFIG_NET\fP configuration option.
2462 Pointer to \fBstruct bpf_sock\fP, or \fBNULL\fP in case of failure.
2463 For sockets with reuseport option, the \fBstruct bpf_sock\fP
2464 result is from \fIreuse\fP\fB\->socks\fP[] using the hash of the
2468 .B \fBlong bpf_sk_release(void *\fP\fIsock\fP\fB)\fP
2472 Release the reference held by \fIsock\fP\&. \fIsock\fP must be a
2473 non\-\fBNULL\fP pointer that was returned from
2474 \fBbpf_sk_lookup_xxx\fP().
2477 0 on success, or a negative error in case of failure.
2480 .B \fBlong bpf_map_push_elem(struct bpf_map *\fP\fImap\fP\fB, const void *\fP\fIvalue\fP\fB, u64\fP \fIflags\fP\fB)\fP
2484 Push an element \fIvalue\fP in \fImap\fP\&. \fIflags\fP is one of:
2488 If the queue/stack is full, the oldest element is
2489 removed to make room for this.
2493 0 on success, or a negative error in case of failure.
2496 .B \fBlong bpf_map_pop_elem(struct bpf_map *\fP\fImap\fP\fB, void *\fP\fIvalue\fP\fB)\fP
2500 Pop an element from \fImap\fP\&.
2503 0 on success, or a negative error in case of failure.
2506 .B \fBlong bpf_map_peek_elem(struct bpf_map *\fP\fImap\fP\fB, void *\fP\fIvalue\fP\fB)\fP
2510 Get an element from \fImap\fP without removing it.
2513 0 on success, or a negative error in case of failure.
2516 .B \fBlong bpf_msg_push_data(struct sk_msg_buff *\fP\fImsg\fP\fB, u32\fP \fIstart\fP\fB, u32\fP \fIlen\fP\fB, u64\fP \fIflags\fP\fB)\fP
2520 For socket policies, insert \fIlen\fP bytes into \fImsg\fP at offset
2523 If a program of type \fBBPF_PROG_TYPE_SK_MSG\fP is run on a
2524 \fImsg\fP it may want to insert metadata or options into the \fImsg\fP\&.
2525 This can later be read and used by any of the lower layer BPF
2528 This helper may fail if under memory pressure (a malloc
2529 fails) in these cases BPF programs will get an appropriate
2530 error and BPF programs will need to handle them.
2533 0 on success, or a negative error in case of failure.
2536 .B \fBlong bpf_msg_pop_data(struct sk_msg_buff *\fP\fImsg\fP\fB, u32\fP \fIstart\fP\fB, u32\fP \fIlen\fP\fB, u64\fP \fIflags\fP\fB)\fP
2540 Will remove \fIlen\fP bytes from a \fImsg\fP starting at byte \fIstart\fP\&.
2541 This may result in \fBENOMEM\fP errors under certain situations if
2542 an allocation and copy are required due to a full ring buffer.
2543 However, the helper will try to avoid doing the allocation
2544 if possible. Other errors can occur if input parameters are
2545 invalid either due to \fIstart\fP byte not being valid part of \fImsg\fP
2546 payload and/or \fIpop\fP value being to large.
2549 0 on success, or a negative error in case of failure.
2552 .B \fBlong bpf_rc_pointer_rel(void *\fP\fIctx\fP\fB, s32\fP \fIrel_x\fP\fB, s32\fP \fIrel_y\fP\fB)\fP
2556 This helper is used in programs implementing IR decoding, to
2557 report a successfully decoded pointer movement.
2559 The \fIctx\fP should point to the lirc sample as passed into
2562 This helper is only available is the kernel was compiled with
2563 the \fBCONFIG_BPF_LIRC_MODE2\fP configuration option set to
2570 .B \fBlong bpf_spin_lock(struct bpf_spin_lock *\fP\fIlock\fP\fB)\fP
2574 Acquire a spinlock represented by the pointer \fIlock\fP, which is
2575 stored as part of a value of a map. Taking the lock allows to
2576 safely update the rest of the fields in that value. The
2577 spinlock can (and must) later be released with a call to
2578 \fBbpf_spin_unlock\fP(\fIlock\fP).
2580 Spinlocks in BPF programs come with a number of restrictions
2584 \fBbpf_spin_lock\fP objects are only allowed inside maps of
2585 types \fBBPF_MAP_TYPE_HASH\fP and \fBBPF_MAP_TYPE_ARRAY\fP (this
2586 list could be extended in the future).
2588 BTF description of the map is mandatory.
2590 The BPF program can take ONE lock at a time, since taking two
2591 or more could cause dead locks.
2593 Only one \fBstruct bpf_spin_lock\fP is allowed per map element.
2595 When the lock is taken, calls (either BPF to BPF or helpers)
2598 The \fBBPF_LD_ABS\fP and \fBBPF_LD_IND\fP instructions are not
2599 allowed inside a spinlock\-ed region.
2601 The BPF program MUST call \fBbpf_spin_unlock\fP() to release
2602 the lock, on all execution paths, before it returns.
2604 The BPF program can access \fBstruct bpf_spin_lock\fP only via
2605 the \fBbpf_spin_lock\fP() and \fBbpf_spin_unlock\fP()
2606 helpers. Loading or storing data into the \fBstruct
2607 bpf_spin_lock\fP \fIlock\fP\fB;\fP field of a map is not allowed.
2609 To use the \fBbpf_spin_lock\fP() helper, the BTF description
2610 of the map value must be a struct and have \fBstruct
2611 bpf_spin_lock\fP \fIanyname\fP\fB;\fP field at the top level.
2612 Nested lock inside another struct is not allowed.
2614 The \fBstruct bpf_spin_lock\fP \fIlock\fP field in a map value must
2615 be aligned on a multiple of 4 bytes in that value.
2617 Syscall with command \fBBPF_MAP_LOOKUP_ELEM\fP does not copy
2618 the \fBbpf_spin_lock\fP field to user space.
2620 Syscall with command \fBBPF_MAP_UPDATE_ELEM\fP, or update from
2621 a BPF program, do not update the \fBbpf_spin_lock\fP field.
2623 \fBbpf_spin_lock\fP cannot be on the stack or inside a
2624 networking packet (it can only be inside of a map values).
2626 \fBbpf_spin_lock\fP is available to root only.
2628 Tracing programs and socket filter programs cannot use
2629 \fBbpf_spin_lock\fP() due to insufficient preemption checks
2630 (but this may change in the future).
2632 \fBbpf_spin_lock\fP is not allowed in inner maps of map\-in\-map.
2639 .B \fBlong bpf_spin_unlock(struct bpf_spin_lock *\fP\fIlock\fP\fB)\fP
2643 Release the \fIlock\fP previously locked by a call to
2644 \fBbpf_spin_lock\fP(\fIlock\fP).
2650 .B \fBstruct bpf_sock *bpf_sk_fullsock(struct bpf_sock *\fP\fIsk\fP\fB)\fP
2654 This helper gets a \fBstruct bpf_sock\fP pointer such
2655 that all the fields in this \fBbpf_sock\fP can be accessed.
2658 A \fBstruct bpf_sock\fP pointer on success, or \fBNULL\fP in
2662 .B \fBstruct bpf_tcp_sock *bpf_tcp_sock(struct bpf_sock *\fP\fIsk\fP\fB)\fP
2666 This helper gets a \fBstruct bpf_tcp_sock\fP pointer from a
2667 \fBstruct bpf_sock\fP pointer.
2670 A \fBstruct bpf_tcp_sock\fP pointer on success, or \fBNULL\fP in
2674 .B \fBlong bpf_skb_ecn_set_ce(struct sk_buff *\fP\fIskb\fP\fB)\fP
2678 Set ECN (Explicit Congestion Notification) field of IP header
2679 to \fBCE\fP (Congestion Encountered) if current value is \fBECT\fP
2680 (ECN Capable Transport). Otherwise, do nothing. Works with IPv6
2684 1 if the \fBCE\fP flag is set (either by the current helper call
2685 or because it was already present), 0 if it is not set.
2688 .B \fBstruct bpf_sock *bpf_get_listener_sock(struct bpf_sock *\fP\fIsk\fP\fB)\fP
2692 Return a \fBstruct bpf_sock\fP pointer in \fBTCP_LISTEN\fP state.
2693 \fBbpf_sk_release\fP() is unnecessary and not allowed.
2696 A \fBstruct bpf_sock\fP pointer on success, or \fBNULL\fP in
2700 .B \fBstruct bpf_sock *bpf_skc_lookup_tcp(void *\fP\fIctx\fP\fB, struct bpf_sock_tuple *\fP\fItuple\fP\fB, u32\fP \fItuple_size\fP\fB, u64\fP \fInetns\fP\fB, u64\fP \fIflags\fP\fB)\fP
2704 Look for TCP socket matching \fItuple\fP, optionally in a child
2705 network namespace \fInetns\fP\&. The return value must be checked,
2706 and if non\-\fBNULL\fP, released via \fBbpf_sk_release\fP().
2708 This function is identical to \fBbpf_sk_lookup_tcp\fP(), except
2709 that it also returns timewait or request sockets. Use
2710 \fBbpf_sk_fullsock\fP() or \fBbpf_tcp_sock\fP() to access the
2713 This helper is available only if the kernel was compiled with
2714 \fBCONFIG_NET\fP configuration option.
2717 Pointer to \fBstruct bpf_sock\fP, or \fBNULL\fP in case of failure.
2718 For sockets with reuseport option, the \fBstruct bpf_sock\fP
2719 result is from \fIreuse\fP\fB\->socks\fP[] using the hash of the
2723 .B \fBlong bpf_tcp_check_syncookie(void *\fP\fIsk\fP\fB, void *\fP\fIiph\fP\fB, u32\fP \fIiph_len\fP\fB, struct tcphdr *\fP\fIth\fP\fB, u32\fP \fIth_len\fP\fB)\fP
2727 Check whether \fIiph\fP and \fIth\fP contain a valid SYN cookie ACK for
2728 the listening socket in \fIsk\fP\&.
2730 \fIiph\fP points to the start of the IPv4 or IPv6 header, while
2731 \fIiph_len\fP contains \fBsizeof\fP(\fBstruct iphdr\fP) or
2732 \fBsizeof\fP(\fBstruct ipv6hdr\fP).
2734 \fIth\fP points to the start of the TCP header, while \fIth_len\fP
2735 contains the length of the TCP header (at least
2736 \fBsizeof\fP(\fBstruct tcphdr\fP)).
2739 0 if \fIiph\fP and \fIth\fP are a valid SYN cookie ACK, or a negative
2743 .B \fBlong bpf_sysctl_get_name(struct bpf_sysctl *\fP\fIctx\fP\fB, char *\fP\fIbuf\fP\fB, size_t\fP \fIbuf_len\fP\fB, u64\fP \fIflags\fP\fB)\fP
2747 Get name of sysctl in /proc/sys/ and copy it into provided by
2748 program buffer \fIbuf\fP of size \fIbuf_len\fP\&.
2750 The buffer is always NUL terminated, unless it\(aqs zero\-sized.
2752 If \fIflags\fP is zero, full name (e.g. \(dqnet/ipv4/tcp_mem\(dq) is
2753 copied. Use \fBBPF_F_SYSCTL_BASE_NAME\fP flag to copy base name
2754 only (e.g. \(dqtcp_mem\(dq).
2757 Number of character copied (not including the trailing NUL).
2759 \fB\-E2BIG\fP if the buffer wasn\(aqt big enough (\fIbuf\fP will contain
2760 truncated name in this case).
2763 .B \fBlong bpf_sysctl_get_current_value(struct bpf_sysctl *\fP\fIctx\fP\fB, char *\fP\fIbuf\fP\fB, size_t\fP \fIbuf_len\fP\fB)\fP
2767 Get current value of sysctl as it is presented in /proc/sys
2768 (incl. newline, etc), and copy it as a string into provided
2769 by program buffer \fIbuf\fP of size \fIbuf_len\fP\&.
2771 The whole value is copied, no matter what file position user
2772 space issued e.g. sys_read at.
2774 The buffer is always NUL terminated, unless it\(aqs zero\-sized.
2777 Number of character copied (not including the trailing NUL).
2779 \fB\-E2BIG\fP if the buffer wasn\(aqt big enough (\fIbuf\fP will contain
2780 truncated name in this case).
2782 \fB\-EINVAL\fP if current value was unavailable, e.g. because
2783 sysctl is uninitialized and read returns \-EIO for it.
2786 .B \fBlong bpf_sysctl_get_new_value(struct bpf_sysctl *\fP\fIctx\fP\fB, char *\fP\fIbuf\fP\fB, size_t\fP \fIbuf_len\fP\fB)\fP
2790 Get new value being written by user space to sysctl (before
2791 the actual write happens) and copy it as a string into
2792 provided by program buffer \fIbuf\fP of size \fIbuf_len\fP\&.
2794 User space may write new value at file position > 0.
2796 The buffer is always NUL terminated, unless it\(aqs zero\-sized.
2799 Number of character copied (not including the trailing NUL).
2801 \fB\-E2BIG\fP if the buffer wasn\(aqt big enough (\fIbuf\fP will contain
2802 truncated name in this case).
2804 \fB\-EINVAL\fP if sysctl is being read.
2807 .B \fBlong bpf_sysctl_set_new_value(struct bpf_sysctl *\fP\fIctx\fP\fB, const char *\fP\fIbuf\fP\fB, size_t\fP \fIbuf_len\fP\fB)\fP
2811 Override new value being written by user space to sysctl with
2812 value provided by program in buffer \fIbuf\fP of size \fIbuf_len\fP\&.
2814 \fIbuf\fP should contain a string in same form as provided by user
2815 space on sysctl write.
2817 User space may write new value at file position > 0. To override
2818 the whole sysctl value file position should be set to zero.
2823 \fB\-E2BIG\fP if the \fIbuf_len\fP is too big.
2825 \fB\-EINVAL\fP if sysctl is being read.
2828 .B \fBlong bpf_strtol(const char *\fP\fIbuf\fP\fB, size_t\fP \fIbuf_len\fP\fB, u64\fP \fIflags\fP\fB, long *\fP\fIres\fP\fB)\fP
2832 Convert the initial part of the string from buffer \fIbuf\fP of
2833 size \fIbuf_len\fP to a long integer according to the given base
2834 and save the result in \fIres\fP\&.
2836 The string may begin with an arbitrary amount of white space
2837 (as determined by \fBisspace\fP(3)) followed by a single
2838 optional \(aq\fB\-\fP\(aq sign.
2840 Five least significant bits of \fIflags\fP encode base, other bits
2841 are currently unused.
2843 Base must be either 8, 10, 16 or 0 to detect it automatically
2844 similar to user space \fBstrtol\fP(3).
2847 Number of characters consumed on success. Must be positive but
2848 no more than \fIbuf_len\fP\&.
2850 \fB\-EINVAL\fP if no valid digits were found or unsupported base
2853 \fB\-ERANGE\fP if resulting value was out of range.
2856 .B \fBlong bpf_strtoul(const char *\fP\fIbuf\fP\fB, size_t\fP \fIbuf_len\fP\fB, u64\fP \fIflags\fP\fB, unsigned long *\fP\fIres\fP\fB)\fP
2860 Convert the initial part of the string from buffer \fIbuf\fP of
2861 size \fIbuf_len\fP to an unsigned long integer according to the
2862 given base and save the result in \fIres\fP\&.
2864 The string may begin with an arbitrary amount of white space
2865 (as determined by \fBisspace\fP(3)).
2867 Five least significant bits of \fIflags\fP encode base, other bits
2868 are currently unused.
2870 Base must be either 8, 10, 16 or 0 to detect it automatically
2871 similar to user space \fBstrtoul\fP(3).
2874 Number of characters consumed on success. Must be positive but
2875 no more than \fIbuf_len\fP\&.
2877 \fB\-EINVAL\fP if no valid digits were found or unsupported base
2880 \fB\-ERANGE\fP if resulting value was out of range.
2883 .B \fBvoid *bpf_sk_storage_get(struct bpf_map *\fP\fImap\fP\fB, void *\fP\fIsk\fP\fB, void *\fP\fIvalue\fP\fB, u64\fP \fIflags\fP\fB)\fP
2887 Get a bpf\-local\-storage from a \fIsk\fP\&.
2889 Logically, it could be thought of getting the value from
2890 a \fImap\fP with \fIsk\fP as the \fBkey\fP\&. From this
2891 perspective, the usage is not much different from
2892 \fBbpf_map_lookup_elem\fP(\fImap\fP, \fB&\fP\fIsk\fP) except this
2893 helper enforces the key must be a full socket and the map must
2894 be a \fBBPF_MAP_TYPE_SK_STORAGE\fP also.
2896 Underneath, the value is stored locally at \fIsk\fP instead of
2897 the \fImap\fP\&. The \fImap\fP is used as the bpf\-local\-storage
2898 \(dqtype\(dq. The bpf\-local\-storage \(dqtype\(dq (i.e. the \fImap\fP) is
2899 searched against all bpf\-local\-storages residing at \fIsk\fP\&.
2901 \fIsk\fP is a kernel \fBstruct sock\fP pointer for LSM program.
2902 \fIsk\fP is a \fBstruct bpf_sock\fP pointer for other program types.
2904 An optional \fIflags\fP (\fBBPF_SK_STORAGE_GET_F_CREATE\fP) can be
2905 used such that a new bpf\-local\-storage will be
2906 created if one does not exist. \fIvalue\fP can be used
2907 together with \fBBPF_SK_STORAGE_GET_F_CREATE\fP to specify
2908 the initial value of a bpf\-local\-storage. If \fIvalue\fP is
2909 \fBNULL\fP, the new bpf\-local\-storage will be zero initialized.
2912 A bpf\-local\-storage pointer is returned on success.
2914 \fBNULL\fP if not found or there was an error in adding
2915 a new bpf\-local\-storage.
2918 .B \fBlong bpf_sk_storage_delete(struct bpf_map *\fP\fImap\fP\fB, void *\fP\fIsk\fP\fB)\fP
2922 Delete a bpf\-local\-storage from a \fIsk\fP\&.
2927 \fB\-ENOENT\fP if the bpf\-local\-storage cannot be found.
2928 \fB\-EINVAL\fP if sk is not a fullsock (e.g. a request_sock).
2931 .B \fBlong bpf_send_signal(u32\fP \fIsig\fP\fB)\fP
2935 Send signal \fIsig\fP to the process of the current task.
2936 The signal may be delivered to any of this process\(aqs threads.
2939 0 on success or successfully queued.
2941 \fB\-EBUSY\fP if work queue under nmi is full.
2943 \fB\-EINVAL\fP if \fIsig\fP is invalid.
2945 \fB\-EPERM\fP if no permission to send the \fIsig\fP\&.
2947 \fB\-EAGAIN\fP if bpf program can try again.
2950 .B \fBs64 bpf_tcp_gen_syncookie(void *\fP\fIsk\fP\fB, void *\fP\fIiph\fP\fB, u32\fP \fIiph_len\fP\fB, struct tcphdr *\fP\fIth\fP\fB, u32\fP \fIth_len\fP\fB)\fP
2954 Try to issue a SYN cookie for the packet with corresponding
2955 IP/TCP headers, \fIiph\fP and \fIth\fP, on the listening socket in \fIsk\fP\&.
2957 \fIiph\fP points to the start of the IPv4 or IPv6 header, while
2958 \fIiph_len\fP contains \fBsizeof\fP(\fBstruct iphdr\fP) or
2959 \fBsizeof\fP(\fBstruct ipv6hdr\fP).
2961 \fIth\fP points to the start of the TCP header, while \fIth_len\fP
2962 contains the length of the TCP header with options (at least
2963 \fBsizeof\fP(\fBstruct tcphdr\fP)).
2966 On success, lower 32 bits hold the generated SYN cookie in
2967 followed by 16 bits which hold the MSS value for that cookie,
2968 and the top 16 bits are unused.
2970 On failure, the returned value is one of the following:
2972 \fB\-EINVAL\fP SYN cookie cannot be issued due to error
2974 \fB\-ENOENT\fP SYN cookie should not be issued (no SYN flood)
2976 \fB\-EOPNOTSUPP\fP kernel configuration does not enable SYN cookies
2978 \fB\-EPROTONOSUPPORT\fP IP packet version is not 4 or 6
2981 .B \fBlong bpf_skb_output(void *\fP\fIctx\fP\fB, struct bpf_map *\fP\fImap\fP\fB, u64\fP \fIflags\fP\fB, void *\fP\fIdata\fP\fB, u64\fP \fIsize\fP\fB)\fP
2985 Write raw \fIdata\fP blob into a special BPF perf event held by
2986 \fImap\fP of type \fBBPF_MAP_TYPE_PERF_EVENT_ARRAY\fP\&. This perf
2987 event must have the following attributes: \fBPERF_SAMPLE_RAW\fP
2988 as \fBsample_type\fP, \fBPERF_TYPE_SOFTWARE\fP as \fBtype\fP, and
2989 \fBPERF_COUNT_SW_BPF_OUTPUT\fP as \fBconfig\fP\&.
2991 The \fIflags\fP are used to indicate the index in \fImap\fP for which
2992 the value must be put, masked with \fBBPF_F_INDEX_MASK\fP\&.
2993 Alternatively, \fIflags\fP can be set to \fBBPF_F_CURRENT_CPU\fP
2994 to indicate that the index of the current CPU core should be
2997 The value to write, of \fIsize\fP, is passed through eBPF stack and
2998 pointed by \fIdata\fP\&.
3000 \fIctx\fP is a pointer to in\-kernel struct sk_buff.
3002 This helper is similar to \fBbpf_perf_event_output\fP() but
3003 restricted to raw_tracepoint bpf programs.
3006 0 on success, or a negative error in case of failure.
3009 .B \fBlong bpf_probe_read_user(void *\fP\fIdst\fP\fB, u32\fP \fIsize\fP\fB, const void *\fP\fIunsafe_ptr\fP\fB)\fP
3013 Safely attempt to read \fIsize\fP bytes from user space address
3014 \fIunsafe_ptr\fP and store the data in \fIdst\fP\&.
3017 0 on success, or a negative error in case of failure.
3020 .B \fBlong bpf_probe_read_kernel(void *\fP\fIdst\fP\fB, u32\fP \fIsize\fP\fB, const void *\fP\fIunsafe_ptr\fP\fB)\fP
3024 Safely attempt to read \fIsize\fP bytes from kernel space address
3025 \fIunsafe_ptr\fP and store the data in \fIdst\fP\&.
3028 0 on success, or a negative error in case of failure.
3031 .B \fBlong bpf_probe_read_user_str(void *\fP\fIdst\fP\fB, u32\fP \fIsize\fP\fB, const void *\fP\fIunsafe_ptr\fP\fB)\fP
3035 Copy a NUL terminated string from an unsafe user address
3036 \fIunsafe_ptr\fP to \fIdst\fP\&. The \fIsize\fP should include the
3037 terminating NUL byte. In case the string length is smaller than
3038 \fIsize\fP, the target is not padded with further NUL bytes. If the
3039 string length is larger than \fIsize\fP, just \fIsize\fP\-1 bytes are
3040 copied and the last byte is set to NUL.
3042 On success, returns the number of bytes that were written,
3043 including the terminal NUL. This makes this helper useful in
3044 tracing programs for reading strings, and more importantly to
3045 get its length at runtime. See the following snippet:
3050 SEC(\(dqkprobe/sys_open\(dq)
3051 void bpf_sys_open(struct pt_regs *ctx)
3053 char buf[PATHLEN]; // PATHLEN is defined to 256
3054 int res = bpf_probe_read_user_str(buf, sizeof(buf),
3057 // Consume buf, for example push it to
3058 // userspace via bpf_perf_event_output(); we
3059 // can use res (the string length) as event
3060 // size, after checking its boundaries.
3066 In comparison, using \fBbpf_probe_read_user\fP() helper here
3067 instead to read the string would require to estimate the length
3068 at compile time, and would often result in copying more memory
3071 Another useful use case is when parsing individual process
3072 arguments or individual environment variables navigating
3073 \fIcurrent\fP\fB\->mm\->arg_start\fP and \fIcurrent\fP\fB\->mm\->env_start\fP: using this helper and the return value,
3074 one can quickly iterate at the right offset of the memory area.
3077 On success, the strictly positive length of the output string,
3078 including the trailing NUL character. On error, a negative
3082 .B \fBlong bpf_probe_read_kernel_str(void *\fP\fIdst\fP\fB, u32\fP \fIsize\fP\fB, const void *\fP\fIunsafe_ptr\fP\fB)\fP
3086 Copy a NUL terminated string from an unsafe kernel address \fIunsafe_ptr\fP
3087 to \fIdst\fP\&. Same semantics as with \fBbpf_probe_read_user_str\fP() apply.
3090 On success, the strictly positive length of the string, including
3091 the trailing NUL character. On error, a negative value.
3094 .B \fBlong bpf_tcp_send_ack(void *\fP\fItp\fP\fB, u32\fP \fIrcv_nxt\fP\fB)\fP
3098 Send out a tcp\-ack. \fItp\fP is the in\-kernel struct \fBtcp_sock\fP\&.
3099 \fIrcv_nxt\fP is the ack_seq to be sent out.
3102 0 on success, or a negative error in case of failure.
3105 .B \fBlong bpf_send_signal_thread(u32\fP \fIsig\fP\fB)\fP
3109 Send signal \fIsig\fP to the thread corresponding to the current task.
3112 0 on success or successfully queued.
3114 \fB\-EBUSY\fP if work queue under nmi is full.
3116 \fB\-EINVAL\fP if \fIsig\fP is invalid.
3118 \fB\-EPERM\fP if no permission to send the \fIsig\fP\&.
3120 \fB\-EAGAIN\fP if bpf program can try again.
3123 .B \fBu64 bpf_jiffies64(void)\fP
3127 Obtain the 64bit jiffies
3133 .B \fBlong bpf_read_branch_records(struct bpf_perf_event_data *\fP\fIctx\fP\fB, void *\fP\fIbuf\fP\fB, u32\fP \fIsize\fP\fB, u64\fP \fIflags\fP\fB)\fP
3137 For an eBPF program attached to a perf event, retrieve the
3138 branch records (\fBstruct perf_branch_entry\fP) associated to \fIctx\fP
3139 and store it in the buffer pointed by \fIbuf\fP up to size
3143 On success, number of bytes written to \fIbuf\fP\&. On error, a
3146 The \fIflags\fP can be set to \fBBPF_F_GET_BRANCH_RECORDS_SIZE\fP to
3147 instead return the number of bytes required to store all the
3148 branch entries. If this flag is set, \fIbuf\fP may be NULL.
3150 \fB\-EINVAL\fP if arguments invalid or \fBsize\fP not a multiple
3151 of \fBsizeof\fP(\fBstruct perf_branch_entry\fP).
3153 \fB\-ENOENT\fP if architecture does not support branch records.
3156 .B \fBlong bpf_get_ns_current_pid_tgid(u64\fP \fIdev\fP\fB, u64\fP \fIino\fP\fB, struct bpf_pidns_info *\fP\fInsdata\fP\fB, u32\fP \fIsize\fP\fB)\fP
3160 Returns 0 on success, values for \fIpid\fP and \fItgid\fP as seen from the current
3161 \fInamespace\fP will be returned in \fInsdata\fP\&.
3164 0 on success, or one of the following in case of failure:
3166 \fB\-EINVAL\fP if dev and inum supplied don\(aqt match dev_t and inode number
3167 with nsfs of current task, or if dev conversion to dev_t lost high bits.
3169 \fB\-ENOENT\fP if pidns does not exists for the current task.
3172 .B \fBlong bpf_xdp_output(void *\fP\fIctx\fP\fB, struct bpf_map *\fP\fImap\fP\fB, u64\fP \fIflags\fP\fB, void *\fP\fIdata\fP\fB, u64\fP \fIsize\fP\fB)\fP
3176 Write raw \fIdata\fP blob into a special BPF perf event held by
3177 \fImap\fP of type \fBBPF_MAP_TYPE_PERF_EVENT_ARRAY\fP\&. This perf
3178 event must have the following attributes: \fBPERF_SAMPLE_RAW\fP
3179 as \fBsample_type\fP, \fBPERF_TYPE_SOFTWARE\fP as \fBtype\fP, and
3180 \fBPERF_COUNT_SW_BPF_OUTPUT\fP as \fBconfig\fP\&.
3182 The \fIflags\fP are used to indicate the index in \fImap\fP for which
3183 the value must be put, masked with \fBBPF_F_INDEX_MASK\fP\&.
3184 Alternatively, \fIflags\fP can be set to \fBBPF_F_CURRENT_CPU\fP
3185 to indicate that the index of the current CPU core should be
3188 The value to write, of \fIsize\fP, is passed through eBPF stack and
3189 pointed by \fIdata\fP\&.
3191 \fIctx\fP is a pointer to in\-kernel struct xdp_buff.
3193 This helper is similar to \fBbpf_perf_eventoutput\fP() but
3194 restricted to raw_tracepoint bpf programs.
3197 0 on success, or a negative error in case of failure.
3200 .B \fBu64 bpf_get_netns_cookie(void *\fP\fIctx\fP\fB)\fP
3204 Retrieve the cookie (generated by the kernel) of the network
3205 namespace the input \fIctx\fP is associated with. The network
3206 namespace cookie remains stable for its lifetime and provides
3207 a global identifier that can be assumed unique. If \fIctx\fP is
3208 NULL, then the helper returns the cookie for the initial
3209 network namespace. The cookie itself is very similar to that
3210 of \fBbpf_get_socket_cookie\fP() helper, but for network
3211 namespaces instead of sockets.
3214 A 8\-byte long opaque number.
3217 .B \fBu64 bpf_get_current_ancestor_cgroup_id(int\fP \fIancestor_level\fP\fB)\fP
3221 Return id of cgroup v2 that is ancestor of the cgroup associated
3222 with the current task at the \fIancestor_level\fP\&. The root cgroup
3223 is at \fIancestor_level\fP zero and each step down the hierarchy
3224 increments the level. If \fIancestor_level\fP == level of cgroup
3225 associated with the current task, then return value will be the
3226 same as that of \fBbpf_get_current_cgroup_id\fP().
3228 The helper is useful to implement policies based on cgroups
3229 that are upper in hierarchy than immediate cgroup associated
3230 with the current task.
3232 The format of returned id and helper limitations are same as in
3233 \fBbpf_get_current_cgroup_id\fP().
3236 The id is returned or 0 in case the id could not be retrieved.
3239 .B \fBlong bpf_sk_assign(struct sk_buff *\fP\fIskb\fP\fB, void *\fP\fIsk\fP\fB, u64\fP \fIflags\fP\fB)\fP
3243 Helper is overloaded depending on BPF program type. This
3244 description applies to \fBBPF_PROG_TYPE_SCHED_CLS\fP and
3245 \fBBPF_PROG_TYPE_SCHED_ACT\fP programs.
3247 Assign the \fIsk\fP to the \fIskb\fP\&. When combined with appropriate
3248 routing configuration to receive the packet towards the socket,
3249 will cause \fIskb\fP to be delivered to the specified socket.
3250 Subsequent redirection of \fIskb\fP via \fBbpf_redirect\fP(),
3251 \fBbpf_clone_redirect\fP() or other methods outside of BPF may
3252 interfere with successful delivery to the socket.
3254 This operation is only valid from TC ingress path.
3256 The \fIflags\fP argument must be zero.
3259 0 on success, or a negative error in case of failure:
3261 \fB\-EINVAL\fP if specified \fIflags\fP are not supported.
3263 \fB\-ENOENT\fP if the socket is unavailable for assignment.
3265 \fB\-ENETUNREACH\fP if the socket is unreachable (wrong netns).
3267 \fB\-EOPNOTSUPP\fP if the operation is not supported, for example
3268 a call from outside of TC ingress.
3271 .B \fBlong bpf_sk_assign(struct bpf_sk_lookup *\fP\fIctx\fP\fB, struct bpf_sock *\fP\fIsk\fP\fB, u64\fP \fIflags\fP\fB)\fP
3275 Helper is overloaded depending on BPF program type. This
3276 description applies to \fBBPF_PROG_TYPE_SK_LOOKUP\fP programs.
3278 Select the \fIsk\fP as a result of a socket lookup.
3280 For the operation to succeed passed socket must be compatible
3281 with the packet description provided by the \fIctx\fP object.
3283 L4 protocol (\fBIPPROTO_TCP\fP or \fBIPPROTO_UDP\fP) must
3284 be an exact match. While IP family (\fBAF_INET\fP or
3285 \fBAF_INET6\fP) must be compatible, that is IPv6 sockets
3286 that are not v6\-only can be selected for IPv4 packets.
3288 Only TCP listeners and UDP unconnected sockets can be
3289 selected. \fIsk\fP can also be NULL to reset any previous
3292 \fIflags\fP argument can combination of following values:
3295 \fBBPF_SK_LOOKUP_F_REPLACE\fP to override the previous
3296 socket selection, potentially done by a BPF program
3299 \fBBPF_SK_LOOKUP_F_NO_REUSEPORT\fP to skip
3300 load\-balancing within reuseport group for the socket
3304 On success \fIctx\->sk\fP will point to the selected socket.
3307 0 on success, or a negative errno in case of failure.
3310 \fB\-EAFNOSUPPORT\fP if socket family (\fIsk\->family\fP) is
3311 not compatible with packet family (\fIctx\->family\fP).
3313 \fB\-EEXIST\fP if socket has been already selected,
3314 potentially by another program, and
3315 \fBBPF_SK_LOOKUP_F_REPLACE\fP flag was not specified.
3317 \fB\-EINVAL\fP if unsupported flags were specified.
3319 \fB\-EPROTOTYPE\fP if socket L4 protocol
3320 (\fIsk\->protocol\fP) doesn\(aqt match packet protocol
3321 (\fIctx\->protocol\fP).
3323 \fB\-ESOCKTNOSUPPORT\fP if socket is not in allowed
3324 state (TCP listening or UDP unconnected).
3328 .B \fBu64 bpf_ktime_get_boot_ns(void)\fP
3332 Return the time elapsed since system boot, in nanoseconds.
3333 Does include the time the system was suspended.
3334 See: \fBclock_gettime\fP(\fBCLOCK_BOOTTIME\fP)
3337 Current \fIktime\fP\&.
3340 .B \fBlong bpf_seq_printf(struct seq_file *\fP\fIm\fP\fB, const char *\fP\fIfmt\fP\fB, u32\fP \fIfmt_size\fP\fB, const void *\fP\fIdata\fP\fB, u32\fP \fIdata_len\fP\fB)\fP
3344 \fBbpf_seq_printf\fP() uses seq_file \fBseq_printf\fP() to print
3345 out the format string.
3346 The \fIm\fP represents the seq_file. The \fIfmt\fP and \fIfmt_size\fP are for
3347 the format string itself. The \fIdata\fP and \fIdata_len\fP are format string
3348 arguments. The \fIdata\fP are a \fBu64\fP array and corresponding format string
3349 values are stored in the array. For strings and pointers where pointees
3350 are accessed, only the pointer values are stored in the \fIdata\fP array.
3351 The \fIdata_len\fP is the size of \fIdata\fP in bytes \- must be a multiple of 8.
3353 Formats \fB%s\fP, \fB%p{i,I}{4,6}\fP requires to read kernel memory.
3354 Reading kernel memory may fail due to either invalid address or
3355 valid address but requiring a major memory fault. If reading kernel memory
3356 fails, the string for \fB%s\fP will be an empty string, and the ip
3357 address for \fB%p{i,I}{4,6}\fP will be 0. Not returning error to
3358 bpf program is consistent with what \fBbpf_trace_printk\fP() does for now.
3361 0 on success, or a negative error in case of failure:
3363 \fB\-EBUSY\fP if per\-CPU memory copy buffer is busy, can try again
3364 by returning 1 from bpf program.
3366 \fB\-EINVAL\fP if arguments are invalid, or if \fIfmt\fP is invalid/unsupported.
3368 \fB\-E2BIG\fP if \fIfmt\fP contains too many format specifiers.
3370 \fB\-EOVERFLOW\fP if an overflow happened: The same object will be tried again.
3373 .B \fBlong bpf_seq_write(struct seq_file *\fP\fIm\fP\fB, const void *\fP\fIdata\fP\fB, u32\fP \fIlen\fP\fB)\fP
3377 \fBbpf_seq_write\fP() uses seq_file \fBseq_write\fP() to write the data.
3378 The \fIm\fP represents the seq_file. The \fIdata\fP and \fIlen\fP represent the
3379 data to write in bytes.
3382 0 on success, or a negative error in case of failure:
3384 \fB\-EOVERFLOW\fP if an overflow happened: The same object will be tried again.
3387 .B \fBu64 bpf_sk_cgroup_id(void *\fP\fIsk\fP\fB)\fP
3391 Return the cgroup v2 id of the socket \fIsk\fP\&.
3393 \fIsk\fP must be a non\-\fBNULL\fP pointer to a socket, e.g. one
3394 returned from \fBbpf_sk_lookup_xxx\fP(),
3395 \fBbpf_sk_fullsock\fP(), etc. The format of returned id is
3396 same as in \fBbpf_skb_cgroup_id\fP().
3398 This helper is available only if the kernel was compiled with
3399 the \fBCONFIG_SOCK_CGROUP_DATA\fP configuration option.
3402 The id is returned or 0 in case the id could not be retrieved.
3405 .B \fBu64 bpf_sk_ancestor_cgroup_id(void *\fP\fIsk\fP\fB, int\fP \fIancestor_level\fP\fB)\fP
3409 Return id of cgroup v2 that is ancestor of cgroup associated
3410 with the \fIsk\fP at the \fIancestor_level\fP\&. The root cgroup is at
3411 \fIancestor_level\fP zero and each step down the hierarchy
3412 increments the level. If \fIancestor_level\fP == level of cgroup
3413 associated with \fIsk\fP, then return value will be same as that
3414 of \fBbpf_sk_cgroup_id\fP().
3416 The helper is useful to implement policies based on cgroups
3417 that are upper in hierarchy than immediate cgroup associated
3420 The format of returned id and helper limitations are same as in
3421 \fBbpf_sk_cgroup_id\fP().
3424 The id is returned or 0 in case the id could not be retrieved.
3427 .B \fBlong bpf_ringbuf_output(void *\fP\fIringbuf\fP\fB, void *\fP\fIdata\fP\fB, u64\fP \fIsize\fP\fB, u64\fP \fIflags\fP\fB)\fP
3431 Copy \fIsize\fP bytes from \fIdata\fP into a ring buffer \fIringbuf\fP\&.
3432 If \fBBPF_RB_NO_WAKEUP\fP is specified in \fIflags\fP, no notification
3433 of new data availability is sent.
3434 If \fBBPF_RB_FORCE_WAKEUP\fP is specified in \fIflags\fP, notification
3435 of new data availability is sent unconditionally.
3436 If \fB0\fP is specified in \fIflags\fP, an adaptive notification
3437 of new data availability is sent.
3439 An adaptive notification is a notification sent whenever the user\-space
3440 process has caught up and consumed all available payloads. In case the user\-space
3441 process is still processing a previous payload, then no notification is needed
3442 as it will process the newly added payload automatically.
3445 0 on success, or a negative error in case of failure.
3448 .B \fBvoid *bpf_ringbuf_reserve(void *\fP\fIringbuf\fP\fB, u64\fP \fIsize\fP\fB, u64\fP \fIflags\fP\fB)\fP
3452 Reserve \fIsize\fP bytes of payload in a ring buffer \fIringbuf\fP\&.
3453 \fIflags\fP must be 0.
3456 Valid pointer with \fIsize\fP bytes of memory available; NULL,
3460 .B \fBvoid bpf_ringbuf_submit(void *\fP\fIdata\fP\fB, u64\fP \fIflags\fP\fB)\fP
3464 Submit reserved ring buffer sample, pointed to by \fIdata\fP\&.
3465 If \fBBPF_RB_NO_WAKEUP\fP is specified in \fIflags\fP, no notification
3466 of new data availability is sent.
3467 If \fBBPF_RB_FORCE_WAKEUP\fP is specified in \fIflags\fP, notification
3468 of new data availability is sent unconditionally.
3469 If \fB0\fP is specified in \fIflags\fP, an adaptive notification
3470 of new data availability is sent.
3472 See \(aqbpf_ringbuf_output()\(aq for the definition of adaptive notification.
3475 Nothing. Always succeeds.
3478 .B \fBvoid bpf_ringbuf_discard(void *\fP\fIdata\fP\fB, u64\fP \fIflags\fP\fB)\fP
3482 Discard reserved ring buffer sample, pointed to by \fIdata\fP\&.
3483 If \fBBPF_RB_NO_WAKEUP\fP is specified in \fIflags\fP, no notification
3484 of new data availability is sent.
3485 If \fBBPF_RB_FORCE_WAKEUP\fP is specified in \fIflags\fP, notification
3486 of new data availability is sent unconditionally.
3487 If \fB0\fP is specified in \fIflags\fP, an adaptive notification
3488 of new data availability is sent.
3490 See \(aqbpf_ringbuf_output()\(aq for the definition of adaptive notification.
3493 Nothing. Always succeeds.
3496 .B \fBu64 bpf_ringbuf_query(void *\fP\fIringbuf\fP\fB, u64\fP \fIflags\fP\fB)\fP
3500 Query various characteristics of provided ring buffer. What
3501 exactly is queries is determined by \fIflags\fP:
3504 \fBBPF_RB_AVAIL_DATA\fP: Amount of data not yet consumed.
3506 \fBBPF_RB_RING_SIZE\fP: The size of ring buffer.
3508 \fBBPF_RB_CONS_POS\fP: Consumer position (can wrap around).
3510 \fBBPF_RB_PROD_POS\fP: Producer(s) position (can wrap around).
3513 Data returned is just a momentary snapshot of actual values
3514 and could be inaccurate, so this facility should be used to
3515 power heuristics and for reporting, not to make 100% correct
3519 Requested value, or 0, if \fIflags\fP are not recognized.
3522 .B \fBlong bpf_csum_level(struct sk_buff *\fP\fIskb\fP\fB, u64\fP \fIlevel\fP\fB)\fP
3526 Change the skbs checksum level by one layer up or down, or
3527 reset it entirely to none in order to have the stack perform
3528 checksum validation. The level is applicable to the following
3529 protocols: TCP, UDP, GRE, SCTP, FCOE. For example, a decap of
3530 | ETH | IP | UDP | GUE | IP | TCP | into | ETH | IP | TCP |
3531 through \fBbpf_skb_adjust_room\fP() helper with passing in
3532 \fBBPF_F_ADJ_ROOM_NO_CSUM_RESET\fP flag would require one call
3533 to \fBbpf_csum_level\fP() with \fBBPF_CSUM_LEVEL_DEC\fP since
3534 the UDP header is removed. Similarly, an encap of the latter
3535 into the former could be accompanied by a helper call to
3536 \fBbpf_csum_level\fP() with \fBBPF_CSUM_LEVEL_INC\fP if the
3537 skb is still intended to be processed in higher layers of the
3538 stack instead of just egressing at tc.
3540 There are three supported level settings at this time:
3543 \fBBPF_CSUM_LEVEL_INC\fP: Increases skb\->csum_level for skbs
3544 with CHECKSUM_UNNECESSARY.
3546 \fBBPF_CSUM_LEVEL_DEC\fP: Decreases skb\->csum_level for skbs
3547 with CHECKSUM_UNNECESSARY.
3549 \fBBPF_CSUM_LEVEL_RESET\fP: Resets skb\->csum_level to 0 and
3550 sets CHECKSUM_NONE to force checksum validation by the stack.
3552 \fBBPF_CSUM_LEVEL_QUERY\fP: No\-op, returns the current
3557 0 on success, or a negative error in case of failure. In the
3558 case of \fBBPF_CSUM_LEVEL_QUERY\fP, the current skb\->csum_level
3559 is returned or the error code \-EACCES in case the skb is not
3560 subject to CHECKSUM_UNNECESSARY.
3563 .B \fBstruct tcp6_sock *bpf_skc_to_tcp6_sock(void *\fP\fIsk\fP\fB)\fP
3567 Dynamically cast a \fIsk\fP pointer to a \fItcp6_sock\fP pointer.
3570 \fIsk\fP if casting is valid, or \fBNULL\fP otherwise.
3573 .B \fBstruct tcp_sock *bpf_skc_to_tcp_sock(void *\fP\fIsk\fP\fB)\fP
3577 Dynamically cast a \fIsk\fP pointer to a \fItcp_sock\fP pointer.
3580 \fIsk\fP if casting is valid, or \fBNULL\fP otherwise.
3583 .B \fBstruct tcp_timewait_sock *bpf_skc_to_tcp_timewait_sock(void *\fP\fIsk\fP\fB)\fP
3587 Dynamically cast a \fIsk\fP pointer to a \fItcp_timewait_sock\fP pointer.
3590 \fIsk\fP if casting is valid, or \fBNULL\fP otherwise.
3593 .B \fBstruct tcp_request_sock *bpf_skc_to_tcp_request_sock(void *\fP\fIsk\fP\fB)\fP
3597 Dynamically cast a \fIsk\fP pointer to a \fItcp_request_sock\fP pointer.
3600 \fIsk\fP if casting is valid, or \fBNULL\fP otherwise.
3603 .B \fBstruct udp6_sock *bpf_skc_to_udp6_sock(void *\fP\fIsk\fP\fB)\fP
3607 Dynamically cast a \fIsk\fP pointer to a \fIudp6_sock\fP pointer.
3610 \fIsk\fP if casting is valid, or \fBNULL\fP otherwise.
3613 .B \fBlong bpf_get_task_stack(struct task_struct *\fP\fItask\fP\fB, void *\fP\fIbuf\fP\fB, u32\fP \fIsize\fP\fB, u64\fP \fIflags\fP\fB)\fP
3617 Return a user or a kernel stack in bpf program provided buffer.
3618 Note: the user stack will only be populated if the \fItask\fP is
3619 the current task; all other tasks will return \-EOPNOTSUPP.
3620 To achieve this, the helper needs \fItask\fP, which is a valid
3621 pointer to \fBstruct task_struct\fP\&. To store the stacktrace, the
3622 bpf program provides \fIbuf\fP with a nonnegative \fIsize\fP\&.
3624 The last argument, \fIflags\fP, holds the number of stack frames to
3625 skip (from 0 to 255), masked with
3626 \fBBPF_F_SKIP_FIELD_MASK\fP\&. The next bits can be used to set
3627 the following flags:
3630 .B \fBBPF_F_USER_STACK\fP
3631 Collect a user space stack instead of a kernel stack.
3632 The \fItask\fP must be the current task.
3634 .B \fBBPF_F_USER_BUILD_ID\fP
3635 Collect buildid+offset instead of ips for user stack,
3636 only valid if \fBBPF_F_USER_STACK\fP is also specified.
3639 \fBbpf_get_task_stack\fP() can collect up to
3640 \fBPERF_MAX_STACK_DEPTH\fP both kernel and user frames, subject
3641 to sufficient large buffer size. Note that
3642 this limit can be controlled with the \fBsysctl\fP program, and
3643 that it should be manually increased in order to profile long
3644 user stacks (such as stacks for Java programs). To do so, use:
3649 # sysctl kernel.perf_event_max_stack=<new value>
3655 The non\-negative copied \fIbuf\fP length equal to or less than
3656 \fIsize\fP on success, or a negative error in case of failure.
3659 .B \fBlong bpf_load_hdr_opt(struct bpf_sock_ops *\fP\fIskops\fP\fB, void *\fP\fIsearchby_res\fP\fB, u32\fP \fIlen\fP\fB, u64\fP \fIflags\fP\fB)\fP
3663 Load header option. Support reading a particular TCP header
3664 option for bpf program (\fBBPF_PROG_TYPE_SOCK_OPS\fP).
3666 If \fIflags\fP is 0, it will search the option from the
3667 \fIskops\fP\fB\->skb_data\fP\&. The comment in \fBstruct bpf_sock_ops\fP
3668 has details on what skb_data contains under different
3669 \fIskops\fP\fB\->op\fP\&.
3671 The first byte of the \fIsearchby_res\fP specifies the
3672 kind that it wants to search.
3674 If the searching kind is an experimental kind
3675 (i.e. 253 or 254 according to RFC6994). It also
3676 needs to specify the \(dqmagic\(dq which is either
3677 2 bytes or 4 bytes. It then also needs to
3678 specify the size of the magic by using
3679 the 2nd byte which is \(dqkind\-length\(dq of a TCP
3680 header option and the \(dqkind\-length\(dq also
3681 includes the first 2 bytes \(dqkind\(dq and \(dqkind\-length\(dq
3682 itself as a normal TCP header option also does.
3684 For example, to search experimental kind 254 with
3685 2 byte magic 0xeB9F, the searchby_res should be
3686 [ 254, 4, 0xeB, 0x9F, 0, 0, .... 0 ].
3688 To search for the standard window scale option (3),
3689 the \fIsearchby_res\fP should be [ 3, 0, 0, .... 0 ].
3690 Note, kind\-length must be 0 for regular option.
3692 Searching for No\-Op (0) and End\-of\-Option\-List (1) are
3695 \fIlen\fP must be at least 2 bytes which is the minimal size
3701 \fBBPF_LOAD_HDR_OPT_TCP_SYN\fP to search from the
3702 saved_syn packet or the just\-received syn packet.
3706 > 0 when found, the header option is copied to \fIsearchby_res\fP\&.
3707 The return value is the total length copied. On failure, a
3708 negative error code is returned:
3710 \fB\-EINVAL\fP if a parameter is invalid.
3712 \fB\-ENOMSG\fP if the option is not found.
3714 \fB\-ENOENT\fP if no syn packet is available when
3715 \fBBPF_LOAD_HDR_OPT_TCP_SYN\fP is used.
3717 \fB\-ENOSPC\fP if there is not enough space. Only \fIlen\fP number of
3720 \fB\-EFAULT\fP on failure to parse the header options in the
3723 \fB\-EPERM\fP if the helper cannot be used under the current
3724 \fIskops\fP\fB\->op\fP\&.
3727 .B \fBlong bpf_store_hdr_opt(struct bpf_sock_ops *\fP\fIskops\fP\fB, const void *\fP\fIfrom\fP\fB, u32\fP \fIlen\fP\fB, u64\fP \fIflags\fP\fB)\fP
3731 Store header option. The data will be copied
3732 from buffer \fIfrom\fP with length \fIlen\fP to the TCP header.
3734 The buffer \fIfrom\fP should have the whole option that
3735 includes the kind, kind\-length, and the actual
3736 option data. The \fIlen\fP must be at least kind\-length
3737 long. The kind\-length does not have to be 4 byte
3738 aligned. The kernel will take care of the padding
3739 and setting the 4 bytes aligned value to th\->doff.
3741 This helper will check for duplicated option
3742 by searching the same option in the outgoing skb.
3744 This helper can only be called during
3745 \fBBPF_SOCK_OPS_WRITE_HDR_OPT_CB\fP\&.
3748 0 on success, or negative error in case of failure:
3750 \fB\-EINVAL\fP If param is invalid.
3752 \fB\-ENOSPC\fP if there is not enough space in the header.
3753 Nothing has been written
3755 \fB\-EEXIST\fP if the option already exists.
3757 \fB\-EFAULT\fP on failure to parse the existing header options.
3759 \fB\-EPERM\fP if the helper cannot be used under the current
3760 \fIskops\fP\fB\->op\fP\&.
3763 .B \fBlong bpf_reserve_hdr_opt(struct bpf_sock_ops *\fP\fIskops\fP\fB, u32\fP \fIlen\fP\fB, u64\fP \fIflags\fP\fB)\fP
3767 Reserve \fIlen\fP bytes for the bpf header option. The
3768 space will be used by \fBbpf_store_hdr_opt\fP() later in
3769 \fBBPF_SOCK_OPS_WRITE_HDR_OPT_CB\fP\&.
3771 If \fBbpf_reserve_hdr_opt\fP() is called multiple times,
3772 the total number of bytes will be reserved.
3774 This helper can only be called during
3775 \fBBPF_SOCK_OPS_HDR_OPT_LEN_CB\fP\&.
3778 0 on success, or negative error in case of failure:
3780 \fB\-EINVAL\fP if a parameter is invalid.
3782 \fB\-ENOSPC\fP if there is not enough space in the header.
3784 \fB\-EPERM\fP if the helper cannot be used under the current
3785 \fIskops\fP\fB\->op\fP\&.
3788 .B \fBvoid *bpf_inode_storage_get(struct bpf_map *\fP\fImap\fP\fB, void *\fP\fIinode\fP\fB, void *\fP\fIvalue\fP\fB, u64\fP \fIflags\fP\fB)\fP
3792 Get a bpf_local_storage from an \fIinode\fP\&.
3794 Logically, it could be thought of as getting the value from
3795 a \fImap\fP with \fIinode\fP as the \fBkey\fP\&. From this
3796 perspective, the usage is not much different from
3797 \fBbpf_map_lookup_elem\fP(\fImap\fP, \fB&\fP\fIinode\fP) except this
3798 helper enforces the key must be an inode and the map must also
3799 be a \fBBPF_MAP_TYPE_INODE_STORAGE\fP\&.
3801 Underneath, the value is stored locally at \fIinode\fP instead of
3802 the \fImap\fP\&. The \fImap\fP is used as the bpf\-local\-storage
3803 \(dqtype\(dq. The bpf\-local\-storage \(dqtype\(dq (i.e. the \fImap\fP) is
3804 searched against all bpf_local_storage residing at \fIinode\fP\&.
3806 An optional \fIflags\fP (\fBBPF_LOCAL_STORAGE_GET_F_CREATE\fP) can be
3807 used such that a new bpf_local_storage will be
3808 created if one does not exist. \fIvalue\fP can be used
3809 together with \fBBPF_LOCAL_STORAGE_GET_F_CREATE\fP to specify
3810 the initial value of a bpf_local_storage. If \fIvalue\fP is
3811 \fBNULL\fP, the new bpf_local_storage will be zero initialized.
3814 A bpf_local_storage pointer is returned on success.
3816 \fBNULL\fP if not found or there was an error in adding
3817 a new bpf_local_storage.
3820 .B \fBint bpf_inode_storage_delete(struct bpf_map *\fP\fImap\fP\fB, void *\fP\fIinode\fP\fB)\fP
3824 Delete a bpf_local_storage from an \fIinode\fP\&.
3829 \fB\-ENOENT\fP if the bpf_local_storage cannot be found.
3832 .B \fBlong bpf_d_path(struct path *\fP\fIpath\fP\fB, char *\fP\fIbuf\fP\fB, u32\fP \fIsz\fP\fB)\fP
3836 Return full path for given \fBstruct path\fP object, which
3837 needs to be the kernel BTF \fIpath\fP object. The path is
3838 returned in the provided buffer \fIbuf\fP of size \fIsz\fP and
3842 On success, the strictly positive length of the string,
3843 including the trailing NUL character. On error, a negative
3847 .B \fBlong bpf_copy_from_user(void *\fP\fIdst\fP\fB, u32\fP \fIsize\fP\fB, const void *\fP\fIuser_ptr\fP\fB)\fP
3851 Read \fIsize\fP bytes from user space address \fIuser_ptr\fP and store
3852 the data in \fIdst\fP\&. This is a wrapper of \fBcopy_from_user\fP().
3855 0 on success, or a negative error in case of failure.
3858 .B \fBlong bpf_snprintf_btf(char *\fP\fIstr\fP\fB, u32\fP \fIstr_size\fP\fB, struct btf_ptr *\fP\fIptr\fP\fB, u32\fP \fIbtf_ptr_size\fP\fB, u64\fP \fIflags\fP\fB)\fP
3862 Use BTF to store a string representation of \fIptr\fP\->ptr in \fIstr\fP,
3863 using \fIptr\fP\->type_id. This value should specify the type
3864 that \fIptr\fP\->ptr points to. LLVM __builtin_btf_type_id(type, 1)
3865 can be used to look up vmlinux BTF type ids. Traversing the
3866 data structure using BTF, the type information and values are
3867 stored in the first \fIstr_size\fP \- 1 bytes of \fIstr\fP\&. Safe copy of
3868 the pointer data is carried out to avoid kernel crashes during
3869 operation. Smaller types can use string space on the stack;
3870 larger programs can use map data to store the string
3873 The string can be subsequently shared with userspace via
3874 bpf_perf_event_output() or ring buffer interfaces.
3875 bpf_trace_printk() is to be avoided as it places too small
3876 a limit on string size to be useful.
3878 \fIflags\fP is a combination of
3881 .B \fBBTF_F_COMPACT\fP
3882 no formatting around type information
3884 .B \fBBTF_F_NONAME\fP
3885 no struct/union member names/types
3887 .B \fBBTF_F_PTR_RAW\fP
3888 show raw (unobfuscated) pointer values;
3889 equivalent to printk specifier %px.
3892 show zero\-valued struct/union members; they
3893 are not displayed by default
3897 The number of bytes that were written (or would have been
3898 written if output had to be truncated due to string size),
3899 or a negative error in cases of failure.
3902 .B \fBlong bpf_seq_printf_btf(struct seq_file *\fP\fIm\fP\fB, struct btf_ptr *\fP\fIptr\fP\fB, u32\fP \fIptr_size\fP\fB, u64\fP \fIflags\fP\fB)\fP
3906 Use BTF to write to seq_write a string representation of
3907 \fIptr\fP\->ptr, using \fIptr\fP\->type_id as per bpf_snprintf_btf().
3908 \fIflags\fP are identical to those used for bpf_snprintf_btf.
3911 0 on success or a negative error in case of failure.
3914 .B \fBu64 bpf_skb_cgroup_classid(struct sk_buff *\fP\fIskb\fP\fB)\fP
3918 See \fBbpf_get_cgroup_classid\fP() for the main description.
3919 This helper differs from \fBbpf_get_cgroup_classid\fP() in that
3920 the cgroup v1 net_cls class is retrieved only from the \fIskb\fP\(aqs
3921 associated socket instead of the current process.
3924 The id is returned or 0 in case the id could not be retrieved.
3927 .B \fBlong bpf_redirect_neigh(u32\fP \fIifindex\fP\fB, struct bpf_redir_neigh *\fP\fIparams\fP\fB, int\fP \fIplen\fP\fB, u64\fP \fIflags\fP\fB)\fP
3931 Redirect the packet to another net device of index \fIifindex\fP
3932 and fill in L2 addresses from neighboring subsystem. This helper
3933 is somewhat similar to \fBbpf_redirect\fP(), except that it
3934 populates L2 addresses as well, meaning, internally, the helper
3935 relies on the neighbor lookup for the L2 address of the nexthop.
3937 The helper will perform a FIB lookup based on the skb\(aqs
3938 networking header to get the address of the next hop, unless
3939 this is supplied by the caller in the \fIparams\fP argument. The
3940 \fIplen\fP argument indicates the len of \fIparams\fP and should be set
3941 to 0 if \fIparams\fP is NULL.
3943 The \fIflags\fP argument is reserved and must be 0. The helper is
3944 currently only supported for tc BPF program types, and enabled
3945 for IPv4 and IPv6 protocols.
3948 The helper returns \fBTC_ACT_REDIRECT\fP on success or
3949 \fBTC_ACT_SHOT\fP on error.
3952 .B \fBvoid *bpf_per_cpu_ptr(const void *\fP\fIpercpu_ptr\fP\fB, u32\fP \fIcpu\fP\fB)\fP
3956 Take a pointer to a percpu ksym, \fIpercpu_ptr\fP, and return a
3957 pointer to the percpu kernel variable on \fIcpu\fP\&. A ksym is an
3958 extern variable decorated with \(aq__ksym\(aq. For ksym, there is a
3959 global var (either static or global) defined of the same name
3960 in the kernel. The ksym is percpu if the global var is percpu.
3961 The returned pointer points to the global percpu var on \fIcpu\fP\&.
3963 bpf_per_cpu_ptr() has the same semantic as per_cpu_ptr() in the
3964 kernel, except that bpf_per_cpu_ptr() may return NULL. This
3965 happens if \fIcpu\fP is larger than nr_cpu_ids. The caller of
3966 bpf_per_cpu_ptr() must check the returned value.
3969 A pointer pointing to the kernel percpu variable on \fIcpu\fP, or
3970 NULL, if \fIcpu\fP is invalid.
3973 .B \fBvoid *bpf_this_cpu_ptr(const void *\fP\fIpercpu_ptr\fP\fB)\fP
3977 Take a pointer to a percpu ksym, \fIpercpu_ptr\fP, and return a
3978 pointer to the percpu kernel variable on this cpu. See the
3979 description of \(aqksym\(aq in \fBbpf_per_cpu_ptr\fP().
3981 bpf_this_cpu_ptr() has the same semantic as this_cpu_ptr() in
3982 the kernel. Different from \fBbpf_per_cpu_ptr\fP(), it would
3986 A pointer pointing to the kernel percpu variable on this cpu.
3989 .B \fBlong bpf_redirect_peer(u32\fP \fIifindex\fP\fB, u64\fP \fIflags\fP\fB)\fP
3993 Redirect the packet to another net device of index \fIifindex\fP\&.
3994 This helper is somewhat similar to \fBbpf_redirect\fP(), except
3995 that the redirection happens to the \fIifindex\fP\(aq peer device and
3996 the netns switch takes place from ingress to ingress without
3997 going through the CPU\(aqs backlog queue.
3999 The \fIflags\fP argument is reserved and must be 0. The helper is
4000 currently only supported for tc BPF program types at the
4001 ingress hook and for veth and netkit target device types. The
4002 peer device must reside in a different network namespace.
4005 The helper returns \fBTC_ACT_REDIRECT\fP on success or
4006 \fBTC_ACT_SHOT\fP on error.
4009 .B \fBvoid *bpf_task_storage_get(struct bpf_map *\fP\fImap\fP\fB, struct task_struct *\fP\fItask\fP\fB, void *\fP\fIvalue\fP\fB, u64\fP \fIflags\fP\fB)\fP
4013 Get a bpf_local_storage from the \fItask\fP\&.
4015 Logically, it could be thought of as getting the value from
4016 a \fImap\fP with \fItask\fP as the \fBkey\fP\&. From this
4017 perspective, the usage is not much different from
4018 \fBbpf_map_lookup_elem\fP(\fImap\fP, \fB&\fP\fItask\fP) except this
4019 helper enforces the key must be a task_struct and the map must also
4020 be a \fBBPF_MAP_TYPE_TASK_STORAGE\fP\&.
4022 Underneath, the value is stored locally at \fItask\fP instead of
4023 the \fImap\fP\&. The \fImap\fP is used as the bpf\-local\-storage
4024 \(dqtype\(dq. The bpf\-local\-storage \(dqtype\(dq (i.e. the \fImap\fP) is
4025 searched against all bpf_local_storage residing at \fItask\fP\&.
4027 An optional \fIflags\fP (\fBBPF_LOCAL_STORAGE_GET_F_CREATE\fP) can be
4028 used such that a new bpf_local_storage will be
4029 created if one does not exist. \fIvalue\fP can be used
4030 together with \fBBPF_LOCAL_STORAGE_GET_F_CREATE\fP to specify
4031 the initial value of a bpf_local_storage. If \fIvalue\fP is
4032 \fBNULL\fP, the new bpf_local_storage will be zero initialized.
4035 A bpf_local_storage pointer is returned on success.
4037 \fBNULL\fP if not found or there was an error in adding
4038 a new bpf_local_storage.
4041 .B \fBlong bpf_task_storage_delete(struct bpf_map *\fP\fImap\fP\fB, struct task_struct *\fP\fItask\fP\fB)\fP
4045 Delete a bpf_local_storage from a \fItask\fP\&.
4050 \fB\-ENOENT\fP if the bpf_local_storage cannot be found.
4053 .B \fBstruct task_struct *bpf_get_current_task_btf(void)\fP
4057 Return a BTF pointer to the \(dqcurrent\(dq task.
4058 This pointer can also be used in helpers that accept an
4059 \fIARG_PTR_TO_BTF_ID\fP of type \fItask_struct\fP\&.
4062 Pointer to the current task.
4065 .B \fBlong bpf_bprm_opts_set(struct linux_binprm *\fP\fIbprm\fP\fB, u64\fP \fIflags\fP\fB)\fP
4069 Set or clear certain options on \fIbprm\fP:
4071 \fBBPF_F_BPRM_SECUREEXEC\fP Set the secureexec bit
4072 which sets the \fBAT_SECURE\fP auxv for glibc. The bit
4073 is cleared if the flag is not specified.
4076 \fB\-EINVAL\fP if invalid \fIflags\fP are passed, zero otherwise.
4079 .B \fBu64 bpf_ktime_get_coarse_ns(void)\fP
4083 Return a coarse\-grained version of the time elapsed since
4084 system boot, in nanoseconds. Does not include time the system
4087 See: \fBclock_gettime\fP(\fBCLOCK_MONOTONIC_COARSE\fP)
4090 Current \fIktime\fP\&.
4093 .B \fBlong bpf_ima_inode_hash(struct inode *\fP\fIinode\fP\fB, void *\fP\fIdst\fP\fB, u32\fP \fIsize\fP\fB)\fP
4097 Returns the stored IMA hash of the \fIinode\fP (if it\(aqs available).
4098 If the hash is larger than \fIsize\fP, then only \fIsize\fP
4099 bytes will be copied to \fIdst\fP
4102 The \fBhash_algo\fP is returned on success,
4103 \fB\-EOPNOTSUP\fP if IMA is disabled or \fB\-EINVAL\fP if
4104 invalid arguments are passed.
4107 .B \fBstruct socket *bpf_sock_from_file(struct file *\fP\fIfile\fP\fB)\fP
4111 If the given file represents a socket, returns the associated
4115 A pointer to a struct socket on success or NULL if the file is
4119 .B \fBlong bpf_check_mtu(void *\fP\fIctx\fP\fB, u32\fP \fIifindex\fP\fB, u32 *\fP\fImtu_len\fP\fB, s32\fP \fIlen_diff\fP\fB, u64\fP \fIflags\fP\fB)\fP
4123 Check packet size against exceeding MTU of net device (based
4124 on \fIifindex\fP). This helper will likely be used in combination
4125 with helpers that adjust/change the packet size.
4127 The argument \fIlen_diff\fP can be used for querying with a planned
4128 size change. This allows to check MTU prior to changing packet
4129 ctx. Providing a \fIlen_diff\fP adjustment that is larger than the
4130 actual packet size (resulting in negative packet size) will in
4131 principle not exceed the MTU, which is why it is not considered
4132 a failure. Other BPF helpers are needed for performing the
4133 planned size change; therefore the responsibility for catching
4134 a negative packet size belongs in those helpers.
4136 Specifying \fIifindex\fP zero means the MTU check is performed
4137 against the current net device. This is practical if this isn\(aqt
4138 used prior to redirect.
4140 On input \fImtu_len\fP must be a valid pointer, else verifier will
4141 reject BPF program. If the value \fImtu_len\fP is initialized to
4142 zero then the ctx packet size is use. When value \fImtu_len\fP is
4143 provided as input this specify the L3 length that the MTU check
4144 is done against. Remember XDP and TC length operate at L2, but
4145 this value is L3 as this correlate to MTU and IP\-header tot_len
4146 values which are L3 (similar behavior as bpf_fib_lookup).
4148 The Linux kernel route table can configure MTUs on a more
4149 specific per route level, which is not provided by this helper.
4150 For route level MTU checks use the \fBbpf_fib_lookup\fP()
4153 \fIctx\fP is either \fBstruct xdp_md\fP for XDP programs or
4154 \fBstruct sk_buff\fP for tc cls_act programs.
4156 The \fIflags\fP argument can be a combination of one or more of the
4160 .B \fBBPF_MTU_CHK_SEGS\fP
4161 This flag will only works for \fIctx\fP \fBstruct sk_buff\fP\&.
4162 If packet context contains extra packet segment buffers
4163 (often knows as GSO skb), then MTU check is harder to
4164 check at this point, because in transmit path it is
4165 possible for the skb packet to get re\-segmented
4166 (depending on net device features). This could still be
4167 a MTU violation, so this flag enables performing MTU
4168 check against segments, with a different violation
4169 return code to tell it apart. Check cannot use len_diff.
4172 On return \fImtu_len\fP pointer contains the MTU value of the net
4173 device. Remember the net device configured MTU is the L3 size,
4174 which is returned here and XDP and TC length operate at L2.
4175 Helper take this into account for you, but remember when using
4176 MTU value in your BPF\-code.
4181 0 on success, and populate MTU value in \fImtu_len\fP pointer.
4183 < 0 if any input argument is invalid (\fImtu_len\fP not updated)
4186 MTU violations return positive values, but also populate MTU
4187 value in \fImtu_len\fP pointer, as this can be needed for
4188 implementing PMTU handing:
4191 \fBBPF_MTU_CHK_RET_FRAG_NEEDED\fP
4193 \fBBPF_MTU_CHK_RET_SEGS_TOOBIG\fP
4197 .B \fBlong bpf_for_each_map_elem(struct bpf_map *\fP\fImap\fP\fB, void *\fP\fIcallback_fn\fP\fB, void *\fP\fIcallback_ctx\fP\fB, u64\fP \fIflags\fP\fB)\fP
4201 For each element in \fBmap\fP, call \fBcallback_fn\fP function with
4202 \fBmap\fP, \fBcallback_ctx\fP and other map\-specific parameters.
4203 The \fBcallback_fn\fP should be a static function and
4204 the \fBcallback_ctx\fP should be a pointer to the stack.
4205 The \fBflags\fP is used to control certain aspects of the helper.
4206 Currently, the \fBflags\fP must be 0.
4208 The following are a list of supported map types and their
4209 respective expected callback signatures:
4211 BPF_MAP_TYPE_HASH, BPF_MAP_TYPE_PERCPU_HASH,
4212 BPF_MAP_TYPE_LRU_HASH, BPF_MAP_TYPE_LRU_PERCPU_HASH,
4213 BPF_MAP_TYPE_ARRAY, BPF_MAP_TYPE_PERCPU_ARRAY
4215 long (*callback_fn)(struct bpf_map *map, const void *key, void *value, void *ctx);
4217 For per_cpu maps, the map_value is the value on the cpu where the
4218 bpf_prog is running.
4220 If \fBcallback_fn\fP return 0, the helper will continue to the next
4221 element. If return value is 1, the helper will skip the rest of
4222 elements and return. Other return values are not used now.
4225 The number of traversed map elements for success, \fB\-EINVAL\fP for
4226 invalid \fBflags\fP\&.
4229 .B \fBlong bpf_snprintf(char *\fP\fIstr\fP\fB, u32\fP \fIstr_size\fP\fB, const char *\fP\fIfmt\fP\fB, u64 *\fP\fIdata\fP\fB, u32\fP \fIdata_len\fP\fB)\fP
4233 Outputs a string into the \fBstr\fP buffer of size \fBstr_size\fP
4234 based on a format string stored in a read\-only map pointed by
4237 Each format specifier in \fBfmt\fP corresponds to one u64 element
4238 in the \fBdata\fP array. For strings and pointers where pointees
4239 are accessed, only the pointer values are stored in the \fIdata\fP
4240 array. The \fIdata_len\fP is the size of \fIdata\fP in bytes \- must be
4243 Formats \fB%s\fP and \fB%p{i,I}{4,6}\fP require to read kernel
4244 memory. Reading kernel memory may fail due to either invalid
4245 address or valid address but requiring a major memory fault. If
4246 reading kernel memory fails, the string for \fB%s\fP will be an
4247 empty string, and the ip address for \fB%p{i,I}{4,6}\fP will be 0.
4248 Not returning error to bpf program is consistent with what
4249 \fBbpf_trace_printk\fP() does for now.
4252 The strictly positive length of the formatted string, including
4253 the trailing zero character. If the return value is greater than
4254 \fBstr_size\fP, \fBstr\fP contains a truncated string, guaranteed to
4255 be zero\-terminated except when \fBstr_size\fP is 0.
4257 Or \fB\-EBUSY\fP if the per\-CPU memory copy buffer is busy.
4260 .B \fBlong bpf_sys_bpf(u32\fP \fIcmd\fP\fB, void *\fP\fIattr\fP\fB, u32\fP \fIattr_size\fP\fB)\fP
4264 Execute bpf syscall with given arguments.
4270 .B \fBlong bpf_btf_find_by_name_kind(char *\fP\fIname\fP\fB, int\fP \fIname_sz\fP\fB, u32\fP \fIkind\fP\fB, int\fP \fIflags\fP\fB)\fP
4274 Find BTF type with given name and kind in vmlinux BTF or in module\(aqs BTFs.
4277 Returns btf_id and btf_obj_fd in lower and upper 32 bits.
4280 .B \fBlong bpf_sys_close(u32\fP \fIfd\fP\fB)\fP
4284 Execute close syscall for given FD.
4290 .B \fBlong bpf_timer_init(struct bpf_timer *\fP\fItimer\fP\fB, struct bpf_map *\fP\fImap\fP\fB, u64\fP \fIflags\fP\fB)\fP
4294 Initialize the timer.
4295 First 4 bits of \fIflags\fP specify clockid.
4296 Only CLOCK_MONOTONIC, CLOCK_REALTIME, CLOCK_BOOTTIME are allowed.
4297 All other bits of \fIflags\fP are reserved.
4298 The verifier will reject the program if \fItimer\fP is not from
4299 the same \fImap\fP\&.
4303 \fB\-EBUSY\fP if \fItimer\fP is already initialized.
4304 \fB\-EINVAL\fP if invalid \fIflags\fP are passed.
4305 \fB\-EPERM\fP if \fItimer\fP is in a map that doesn\(aqt have any user references.
4306 The user space should either hold a file descriptor to a map with timers
4307 or pin such map in bpffs. When map is unpinned or file descriptor is
4308 closed all timers in the map will be cancelled and freed.
4311 .B \fBlong bpf_timer_set_callback(struct bpf_timer *\fP\fItimer\fP\fB, void *\fP\fIcallback_fn\fP\fB)\fP
4315 Configure the timer to call \fIcallback_fn\fP static function.
4319 \fB\-EINVAL\fP if \fItimer\fP was not initialized with bpf_timer_init() earlier.
4320 \fB\-EPERM\fP if \fItimer\fP is in a map that doesn\(aqt have any user references.
4321 The user space should either hold a file descriptor to a map with timers
4322 or pin such map in bpffs. When map is unpinned or file descriptor is
4323 closed all timers in the map will be cancelled and freed.
4326 .B \fBlong bpf_timer_start(struct bpf_timer *\fP\fItimer\fP\fB, u64\fP \fInsecs\fP\fB, u64\fP \fIflags\fP\fB)\fP
4330 Set timer expiration N nanoseconds from the current time. The
4331 configured callback will be invoked in soft irq context on some cpu
4332 and will not repeat unless another bpf_timer_start() is made.
4333 In such case the next invocation can migrate to a different cpu.
4334 Since struct bpf_timer is a field inside map element the map
4335 owns the timer. The bpf_timer_set_callback() will increment refcnt
4336 of BPF program to make sure that callback_fn code stays valid.
4337 When user space reference to a map reaches zero all timers
4338 in a map are cancelled and corresponding program\(aqs refcnts are
4339 decremented. This is done to make sure that Ctrl\-C of a user
4340 process doesn\(aqt leave any timers running. If map is pinned in
4341 bpffs the callback_fn can re\-arm itself indefinitely.
4342 bpf_map_update/delete_elem() helpers and user space sys_bpf commands
4343 cancel and free the timer in the given map element.
4344 The map can contain timers that invoke callback_fn\-s from different
4345 programs. The same callback_fn can serve different timers from
4346 different maps if key/value layout matches across maps.
4347 Every bpf_timer_set_callback() can have different callback_fn.
4349 \fIflags\fP can be one of:
4352 .B \fBBPF_F_TIMER_ABS\fP
4353 Start the timer in absolute expire value instead of the
4354 default relative one.
4356 .B \fBBPF_F_TIMER_CPU_PIN\fP
4357 Timer will be pinned to the CPU of the caller.
4362 \fB\-EINVAL\fP if \fItimer\fP was not initialized with bpf_timer_init() earlier
4363 or invalid \fIflags\fP are passed.
4366 .B \fBlong bpf_timer_cancel(struct bpf_timer *\fP\fItimer\fP\fB)\fP
4370 Cancel the timer and wait for callback_fn to finish if it was running.
4373 0 if the timer was not active.
4374 1 if the timer was active.
4375 \fB\-EINVAL\fP if \fItimer\fP was not initialized with bpf_timer_init() earlier.
4376 \fB\-EDEADLK\fP if callback_fn tried to call bpf_timer_cancel() on its
4377 own timer which would have led to a deadlock otherwise.
4380 .B \fBu64 bpf_get_func_ip(void *\fP\fIctx\fP\fB)\fP
4384 Get address of the traced function (for tracing and kprobe programs).
4386 When called for kprobe program attached as uprobe it returns
4387 probe address for both entry and return uprobe.
4390 Address of the traced function for kprobe.
4391 0 for kprobes placed within the function (not at the entry).
4392 Address of the probe for uprobe and return uprobe.
4395 .B \fBu64 bpf_get_attach_cookie(void *\fP\fIctx\fP\fB)\fP
4399 Get bpf_cookie value provided (optionally) during the program
4400 attachment. It might be different for each individual
4401 attachment, even if BPF program itself is the same.
4402 Expects BPF program context \fIctx\fP as a first argument.
4405 .B Supported for the following program types:
4417 Value specified by user at BPF link creation/attachment time
4418 or 0, if it was not specified.
4421 .B \fBlong bpf_task_pt_regs(struct task_struct *\fP\fItask\fP\fB)\fP
4425 Get the struct pt_regs associated with \fBtask\fP\&.
4428 A pointer to struct pt_regs.
4431 .B \fBlong bpf_get_branch_snapshot(void *\fP\fIentries\fP\fB, u32\fP \fIsize\fP\fB, u64\fP \fIflags\fP\fB)\fP
4435 Get branch trace from hardware engines like Intel LBR. The
4436 hardware engine is stopped shortly after the helper is
4437 called. Therefore, the user need to filter branch entries
4438 based on the actual use case. To capture branch trace
4439 before the trigger point of the BPF program, the helper
4440 should be called at the beginning of the BPF program.
4442 The data is stored as struct perf_branch_entry into output
4443 buffer \fIentries\fP\&. \fIsize\fP is the size of \fIentries\fP in bytes.
4444 \fIflags\fP is reserved for now and must be zero.
4447 On success, number of bytes written to \fIbuf\fP\&. On error, a
4450 \fB\-EINVAL\fP if \fIflags\fP is not zero.
4452 \fB\-ENOENT\fP if architecture does not support branch records.
4455 .B \fBlong bpf_trace_vprintk(const char *\fP\fIfmt\fP\fB, u32\fP \fIfmt_size\fP\fB, const void *\fP\fIdata\fP\fB, u32\fP \fIdata_len\fP\fB)\fP
4459 Behaves like \fBbpf_trace_printk\fP() helper, but takes an array of u64
4460 to format and can handle more format args as a result.
4462 Arguments are to be used as in \fBbpf_seq_printf\fP() helper.
4465 The number of bytes written to the buffer, or a negative error
4469 .B \fBstruct unix_sock *bpf_skc_to_unix_sock(void *\fP\fIsk\fP\fB)\fP
4473 Dynamically cast a \fIsk\fP pointer to a \fIunix_sock\fP pointer.
4476 \fIsk\fP if casting is valid, or \fBNULL\fP otherwise.
4479 .B \fBlong bpf_kallsyms_lookup_name(const char *\fP\fIname\fP\fB, int\fP \fIname_sz\fP\fB, int\fP \fIflags\fP\fB, u64 *\fP\fIres\fP\fB)\fP
4483 Get the address of a kernel symbol, returned in \fIres\fP\&. \fIres\fP is
4484 set to 0 if the symbol is not found.
4487 On success, zero. On error, a negative value.
4489 \fB\-EINVAL\fP if \fIflags\fP is not zero.
4491 \fB\-EINVAL\fP if string \fIname\fP is not the same size as \fIname_sz\fP\&.
4493 \fB\-ENOENT\fP if symbol is not found.
4495 \fB\-EPERM\fP if caller does not have permission to obtain kernel address.
4498 .B \fBlong bpf_find_vma(struct task_struct *\fP\fItask\fP\fB, u64\fP \fIaddr\fP\fB, void *\fP\fIcallback_fn\fP\fB, void *\fP\fIcallback_ctx\fP\fB, u64\fP \fIflags\fP\fB)\fP
4502 Find vma of \fItask\fP that contains \fIaddr\fP, call \fIcallback_fn\fP
4503 function with \fItask\fP, \fIvma\fP, and \fIcallback_ctx\fP\&.
4504 The \fIcallback_fn\fP should be a static function and
4505 the \fIcallback_ctx\fP should be a pointer to the stack.
4506 The \fIflags\fP is used to control certain aspects of the helper.
4507 Currently, the \fIflags\fP must be 0.
4509 The expected callback signature is
4511 long (*callback_fn)(struct task_struct *task, struct vm_area_struct *vma, void *callback_ctx);
4515 \fB\-ENOENT\fP if \fItask\->mm\fP is NULL, or no vma contains \fIaddr\fP\&.
4516 \fB\-EBUSY\fP if failed to try lock mmap_lock.
4517 \fB\-EINVAL\fP for invalid \fBflags\fP\&.
4520 .B \fBlong bpf_loop(u32\fP \fInr_loops\fP\fB, void *\fP\fIcallback_fn\fP\fB, void *\fP\fIcallback_ctx\fP\fB, u64\fP \fIflags\fP\fB)\fP
4524 For \fBnr_loops\fP, call \fBcallback_fn\fP function
4525 with \fBcallback_ctx\fP as the context parameter.
4526 The \fBcallback_fn\fP should be a static function and
4527 the \fBcallback_ctx\fP should be a pointer to the stack.
4528 The \fBflags\fP is used to control certain aspects of the helper.
4529 Currently, the \fBflags\fP must be 0. Currently, nr_loops is
4530 limited to 1 << 23 (~8 million) loops.
4532 long (*callback_fn)(u32 index, void *ctx);
4534 where \fBindex\fP is the current index in the loop. The index
4537 If \fBcallback_fn\fP returns 0, the helper will continue to the next
4538 loop. If return value is 1, the helper will skip the rest of
4539 the loops and return. Other return values are not used now,
4540 and will be rejected by the verifier.
4543 The number of loops performed, \fB\-EINVAL\fP for invalid \fBflags\fP,
4544 \fB\-E2BIG\fP if \fBnr_loops\fP exceeds the maximum number of loops.
4547 .B \fBlong bpf_strncmp(const char *\fP\fIs1\fP\fB, u32\fP \fIs1_sz\fP\fB, const char *\fP\fIs2\fP\fB)\fP
4551 Do strncmp() between \fBs1\fP and \fBs2\fP\&. \fBs1\fP doesn\(aqt need
4552 to be null\-terminated and \fBs1_sz\fP is the maximum storage
4553 size of \fBs1\fP\&. \fBs2\fP must be a read\-only string.
4556 An integer less than, equal to, or greater than zero
4557 if the first \fBs1_sz\fP bytes of \fBs1\fP is found to be
4558 less than, to match, or be greater than \fBs2\fP\&.
4561 .B \fBlong bpf_get_func_arg(void *\fP\fIctx\fP\fB, u32\fP \fIn\fP\fB, u64 *\fP\fIvalue\fP\fB)\fP
4565 Get \fBn\fP\-th argument register (zero based) of the traced function (for tracing programs)
4566 returned in \fBvalue\fP\&.
4570 \fB\-EINVAL\fP if n >= argument register count of traced function.
4573 .B \fBlong bpf_get_func_ret(void *\fP\fIctx\fP\fB, u64 *\fP\fIvalue\fP\fB)\fP
4577 Get return value of the traced function (for tracing programs)
4582 \fB\-EOPNOTSUPP\fP for tracing programs other than BPF_TRACE_FEXIT or BPF_MODIFY_RETURN.
4585 .B \fBlong bpf_get_func_arg_cnt(void *\fP\fIctx\fP\fB)\fP
4589 Get number of registers of the traced function (for tracing programs) where
4590 function arguments are stored in these registers.
4593 The number of argument registers of the traced function.
4596 .B \fBint bpf_get_retval(void)\fP
4600 Get the BPF program\(aqs return value that will be returned to the upper layers.
4602 This helper is currently supported by cgroup programs and only by the hooks
4603 where BPF program\(aqs return value is returned to the userspace via errno.
4606 The BPF program\(aqs return value.
4609 .B \fBint bpf_set_retval(int\fP \fIretval\fP\fB)\fP
4613 Set the BPF program\(aqs return value that will be returned to the upper layers.
4615 This helper is currently supported by cgroup programs and only by the hooks
4616 where BPF program\(aqs return value is returned to the userspace via errno.
4618 Note that there is the following corner case where the program exports an error
4619 via bpf_set_retval but signals success via \(aqreturn 1\(aq:
4622 bpf_set_retval(\-EPERM);
4627 In this case, the BPF program\(aqs return value will use helper\(aqs \-EPERM. This
4628 still holds true for cgroup/bind{4,6} which supports extra \(aqreturn 3\(aq success case.
4631 0 on success, or a negative error in case of failure.
4634 .B \fBu64 bpf_xdp_get_buff_len(struct xdp_buff *\fP\fIxdp_md\fP\fB)\fP
4638 Get the total size of a given xdp buff (linear and paged area)
4641 The total size of a given xdp buffer.
4644 .B \fBlong bpf_xdp_load_bytes(struct xdp_buff *\fP\fIxdp_md\fP\fB, u32\fP \fIoffset\fP\fB, void *\fP\fIbuf\fP\fB, u32\fP \fIlen\fP\fB)\fP
4648 This helper is provided as an easy way to load data from a
4649 xdp buffer. It can be used to load \fIlen\fP bytes from \fIoffset\fP from
4650 the frame associated to \fIxdp_md\fP, into the buffer pointed by
4654 0 on success, or a negative error in case of failure.
4657 .B \fBlong bpf_xdp_store_bytes(struct xdp_buff *\fP\fIxdp_md\fP\fB, u32\fP \fIoffset\fP\fB, void *\fP\fIbuf\fP\fB, u32\fP \fIlen\fP\fB)\fP
4661 Store \fIlen\fP bytes from buffer \fIbuf\fP into the frame
4662 associated to \fIxdp_md\fP, at \fIoffset\fP\&.
4665 0 on success, or a negative error in case of failure.
4668 .B \fBlong bpf_copy_from_user_task(void *\fP\fIdst\fP\fB, u32\fP \fIsize\fP\fB, const void *\fP\fIuser_ptr\fP\fB, struct task_struct *\fP\fItsk\fP\fB, u64\fP \fIflags\fP\fB)\fP
4672 Read \fIsize\fP bytes from user space address \fIuser_ptr\fP in \fItsk\fP\(aqs
4673 address space, and stores the data in \fIdst\fP\&. \fIflags\fP is not
4674 used yet and is provided for future extensibility. This helper
4675 can only be used by sleepable programs.
4678 0 on success, or a negative error in case of failure. On error
4679 \fIdst\fP buffer is zeroed out.
4682 .B \fBlong bpf_skb_set_tstamp(struct sk_buff *\fP\fIskb\fP\fB, u64\fP \fItstamp\fP\fB, u32\fP \fItstamp_type\fP\fB)\fP
4686 Change the __sk_buff\->tstamp_type to \fItstamp_type\fP
4687 and set \fItstamp\fP to the __sk_buff\->tstamp together.
4689 If there is no need to change the __sk_buff\->tstamp_type,
4690 the tstamp value can be directly written to __sk_buff\->tstamp
4693 BPF_SKB_TSTAMP_DELIVERY_MONO is the only tstamp that
4694 will be kept during bpf_redirect_*(). A non zero
4695 \fItstamp\fP must be used with the BPF_SKB_TSTAMP_DELIVERY_MONO
4696 \fItstamp_type\fP\&.
4698 A BPF_SKB_TSTAMP_UNSPEC \fItstamp_type\fP can only be used
4699 with a zero \fItstamp\fP\&.
4701 Only IPv4 and IPv6 skb\->protocol are supported.
4703 This function is most useful when it needs to set a
4704 mono delivery time to __sk_buff\->tstamp and then
4705 bpf_redirect_*() to the egress of an iface. For example,
4706 changing the (rcv) timestamp in __sk_buff\->tstamp at
4707 ingress to a mono delivery time and then bpf_redirect_*()
4708 to \fI\%sch_fq@phy\-dev\fP\&.
4712 \fB\-EINVAL\fP for invalid input
4713 \fB\-EOPNOTSUPP\fP for unsupported protocol
4716 .B \fBlong bpf_ima_file_hash(struct file *\fP\fIfile\fP\fB, void *\fP\fIdst\fP\fB, u32\fP \fIsize\fP\fB)\fP
4720 Returns a calculated IMA hash of the \fIfile\fP\&.
4721 If the hash is larger than \fIsize\fP, then only \fIsize\fP
4722 bytes will be copied to \fIdst\fP
4725 The \fBhash_algo\fP is returned on success,
4726 \fB\-EOPNOTSUP\fP if the hash calculation failed or \fB\-EINVAL\fP if
4727 invalid arguments are passed.
4730 .B \fBvoid *bpf_kptr_xchg(void *\fP\fImap_value\fP\fB, void *\fP\fIptr\fP\fB)\fP
4734 Exchange kptr at pointer \fImap_value\fP with \fIptr\fP, and return the
4735 old value. \fIptr\fP can be NULL, otherwise it must be a referenced
4736 pointer which will be released when this helper is called.
4739 The old value of kptr (which can be NULL). The returned pointer
4740 if not NULL, is a reference which must be released using its
4741 corresponding release function, or moved into a BPF map before
4745 .B \fBvoid *bpf_map_lookup_percpu_elem(struct bpf_map *\fP\fImap\fP\fB, const void *\fP\fIkey\fP\fB, u32\fP \fIcpu\fP\fB)\fP
4749 Perform a lookup in \fIpercpu map\fP for an entry associated to
4750 \fIkey\fP on \fIcpu\fP\&.
4753 Map value associated to \fIkey\fP on \fIcpu\fP, or \fBNULL\fP if no entry
4754 was found or \fIcpu\fP is invalid.
4757 .B \fBstruct mptcp_sock *bpf_skc_to_mptcp_sock(void *\fP\fIsk\fP\fB)\fP
4761 Dynamically cast a \fIsk\fP pointer to a \fImptcp_sock\fP pointer.
4764 \fIsk\fP if casting is valid, or \fBNULL\fP otherwise.
4767 .B \fBlong bpf_dynptr_from_mem(void *\fP\fIdata\fP\fB, u32\fP \fIsize\fP\fB, u64\fP \fIflags\fP\fB, struct bpf_dynptr *\fP\fIptr\fP\fB)\fP
4771 Get a dynptr to local memory \fIdata\fP\&.
4773 \fIdata\fP must be a ptr to a map value.
4774 The maximum \fIsize\fP supported is DYNPTR_MAX_SIZE.
4775 \fIflags\fP is currently unused.
4778 0 on success, \-E2BIG if the size exceeds DYNPTR_MAX_SIZE,
4779 \-EINVAL if flags is not 0.
4782 .B \fBlong bpf_ringbuf_reserve_dynptr(void *\fP\fIringbuf\fP\fB, u32\fP \fIsize\fP\fB, u64\fP \fIflags\fP\fB, struct bpf_dynptr *\fP\fIptr\fP\fB)\fP
4786 Reserve \fIsize\fP bytes of payload in a ring buffer \fIringbuf\fP
4787 through the dynptr interface. \fIflags\fP must be 0.
4789 Please note that a corresponding bpf_ringbuf_submit_dynptr or
4790 bpf_ringbuf_discard_dynptr must be called on \fIptr\fP, even if the
4791 reservation fails. This is enforced by the verifier.
4794 0 on success, or a negative error in case of failure.
4797 .B \fBvoid bpf_ringbuf_submit_dynptr(struct bpf_dynptr *\fP\fIptr\fP\fB, u64\fP \fIflags\fP\fB)\fP
4801 Submit reserved ring buffer sample, pointed to by \fIdata\fP,
4802 through the dynptr interface. This is a no\-op if the dynptr is
4805 For more information on \fIflags\fP, please see
4806 \(aqbpf_ringbuf_submit\(aq.
4809 Nothing. Always succeeds.
4812 .B \fBvoid bpf_ringbuf_discard_dynptr(struct bpf_dynptr *\fP\fIptr\fP\fB, u64\fP \fIflags\fP\fB)\fP
4816 Discard reserved ring buffer sample through the dynptr
4817 interface. This is a no\-op if the dynptr is invalid/null.
4819 For more information on \fIflags\fP, please see
4820 \(aqbpf_ringbuf_discard\(aq.
4823 Nothing. Always succeeds.
4826 .B \fBlong bpf_dynptr_read(void *\fP\fIdst\fP\fB, u32\fP \fIlen\fP\fB, const struct bpf_dynptr *\fP\fIsrc\fP\fB, u32\fP \fIoffset\fP\fB, u64\fP \fIflags\fP\fB)\fP
4830 Read \fIlen\fP bytes from \fIsrc\fP into \fIdst\fP, starting from \fIoffset\fP
4832 \fIflags\fP is currently unused.
4835 0 on success, \-E2BIG if \fIoffset\fP + \fIlen\fP exceeds the length
4836 of \fIsrc\fP\(aqs data, \-EINVAL if \fIsrc\fP is an invalid dynptr or if
4837 \fIflags\fP is not 0.
4840 .B \fBlong bpf_dynptr_write(const struct bpf_dynptr *\fP\fIdst\fP\fB, u32\fP \fIoffset\fP\fB, void *\fP\fIsrc\fP\fB, u32\fP \fIlen\fP\fB, u64\fP \fIflags\fP\fB)\fP
4844 Write \fIlen\fP bytes from \fIsrc\fP into \fIdst\fP, starting from \fIoffset\fP
4847 \fIflags\fP must be 0 except for skb\-type dynptrs.
4850 .B For skb\-type dynptrs:
4853 All data slices of the dynptr are automatically
4854 invalidated after \fBbpf_dynptr_write\fP(). This is
4855 because writing may pull the skb and change the
4856 underlying packet buffer.
4858 For \fIflags\fP, please see the flags accepted by
4859 \fBbpf_skb_store_bytes\fP().
4864 0 on success, \-E2BIG if \fIoffset\fP + \fIlen\fP exceeds the length
4865 of \fIdst\fP\(aqs data, \-EINVAL if \fIdst\fP is an invalid dynptr or if \fIdst\fP
4866 is a read\-only dynptr or if \fIflags\fP is not correct. For skb\-type dynptrs,
4867 other errors correspond to errors returned by \fBbpf_skb_store_bytes\fP().
4870 .B \fBvoid *bpf_dynptr_data(const struct bpf_dynptr *\fP\fIptr\fP\fB, u32\fP \fIoffset\fP\fB, u32\fP \fIlen\fP\fB)\fP
4874 Get a pointer to the underlying dynptr data.
4876 \fIlen\fP must be a statically known value. The returned data slice
4877 is invalidated whenever the dynptr is invalidated.
4879 skb and xdp type dynptrs may not use bpf_dynptr_data. They should
4880 instead use bpf_dynptr_slice and bpf_dynptr_slice_rdwr.
4883 Pointer to the underlying dynptr data, NULL if the dynptr is
4884 read\-only, if the dynptr is invalid, or if the offset and length
4888 .B \fBs64 bpf_tcp_raw_gen_syncookie_ipv4(struct iphdr *\fP\fIiph\fP\fB, struct tcphdr *\fP\fIth\fP\fB, u32\fP \fIth_len\fP\fB)\fP
4892 Try to issue a SYN cookie for the packet with corresponding
4893 IPv4/TCP headers, \fIiph\fP and \fIth\fP, without depending on a
4896 \fIiph\fP points to the IPv4 header.
4898 \fIth\fP points to the start of the TCP header, while \fIth_len\fP
4899 contains the length of the TCP header (at least
4900 \fBsizeof\fP(\fBstruct tcphdr\fP)).
4903 On success, lower 32 bits hold the generated SYN cookie in
4904 followed by 16 bits which hold the MSS value for that cookie,
4905 and the top 16 bits are unused.
4907 On failure, the returned value is one of the following:
4909 \fB\-EINVAL\fP if \fIth_len\fP is invalid.
4912 .B \fBs64 bpf_tcp_raw_gen_syncookie_ipv6(struct ipv6hdr *\fP\fIiph\fP\fB, struct tcphdr *\fP\fIth\fP\fB, u32\fP \fIth_len\fP\fB)\fP
4916 Try to issue a SYN cookie for the packet with corresponding
4917 IPv6/TCP headers, \fIiph\fP and \fIth\fP, without depending on a
4920 \fIiph\fP points to the IPv6 header.
4922 \fIth\fP points to the start of the TCP header, while \fIth_len\fP
4923 contains the length of the TCP header (at least
4924 \fBsizeof\fP(\fBstruct tcphdr\fP)).
4927 On success, lower 32 bits hold the generated SYN cookie in
4928 followed by 16 bits which hold the MSS value for that cookie,
4929 and the top 16 bits are unused.
4931 On failure, the returned value is one of the following:
4933 \fB\-EINVAL\fP if \fIth_len\fP is invalid.
4935 \fB\-EPROTONOSUPPORT\fP if CONFIG_IPV6 is not builtin.
4938 .B \fBlong bpf_tcp_raw_check_syncookie_ipv4(struct iphdr *\fP\fIiph\fP\fB, struct tcphdr *\fP\fIth\fP\fB)\fP
4942 Check whether \fIiph\fP and \fIth\fP contain a valid SYN cookie ACK
4943 without depending on a listening socket.
4945 \fIiph\fP points to the IPv4 header.
4947 \fIth\fP points to the TCP header.
4950 0 if \fIiph\fP and \fIth\fP are a valid SYN cookie ACK.
4952 On failure, the returned value is one of the following:
4954 \fB\-EACCES\fP if the SYN cookie is not valid.
4957 .B \fBlong bpf_tcp_raw_check_syncookie_ipv6(struct ipv6hdr *\fP\fIiph\fP\fB, struct tcphdr *\fP\fIth\fP\fB)\fP
4961 Check whether \fIiph\fP and \fIth\fP contain a valid SYN cookie ACK
4962 without depending on a listening socket.
4964 \fIiph\fP points to the IPv6 header.
4966 \fIth\fP points to the TCP header.
4969 0 if \fIiph\fP and \fIth\fP are a valid SYN cookie ACK.
4971 On failure, the returned value is one of the following:
4973 \fB\-EACCES\fP if the SYN cookie is not valid.
4975 \fB\-EPROTONOSUPPORT\fP if CONFIG_IPV6 is not builtin.
4978 .B \fBu64 bpf_ktime_get_tai_ns(void)\fP
4982 A nonsettable system\-wide clock derived from wall\-clock time but
4983 ignoring leap seconds. This clock does not experience
4984 discontinuities and backwards jumps caused by NTP inserting leap
4985 seconds as CLOCK_REALTIME does.
4987 See: \fBclock_gettime\fP(\fBCLOCK_TAI\fP)
4990 Current \fIktime\fP\&.
4993 .B \fBlong bpf_user_ringbuf_drain(struct bpf_map *\fP\fImap\fP\fB, void *\fP\fIcallback_fn\fP\fB, void *\fP\fIctx\fP\fB, u64\fP \fIflags\fP\fB)\fP
4997 Drain samples from the specified user ring buffer, and invoke
4998 the provided callback for each such sample:
5000 long (*callback_fn)(const struct bpf_dynptr *dynptr, void *ctx);
5002 If \fBcallback_fn\fP returns 0, the helper will continue to try
5003 and drain the next sample, up to a maximum of
5004 BPF_MAX_USER_RINGBUF_SAMPLES samples. If the return value is 1,
5005 the helper will skip the rest of the samples and return. Other
5006 return values are not used now, and will be rejected by the
5010 The number of drained samples if no error was encountered while
5011 draining samples, or 0 if no samples were present in the ring
5012 buffer. If a user\-space producer was epoll\-waiting on this map,
5013 and at least one sample was drained, they will receive an event
5014 notification notifying them of available space in the ring
5015 buffer. If the BPF_RB_NO_WAKEUP flag is passed to this
5016 function, no wakeup notification will be sent. If the
5017 BPF_RB_FORCE_WAKEUP flag is passed, a wakeup notification will
5018 be sent even if no sample was drained.
5020 On failure, the returned value is one of the following:
5022 \fB\-EBUSY\fP if the ring buffer is contended, and another calling
5023 context was concurrently draining the ring buffer.
5025 \fB\-EINVAL\fP if user\-space is not properly tracking the ring
5026 buffer due to the producer position not being aligned to 8
5027 bytes, a sample not being aligned to 8 bytes, or the producer
5028 position not matching the advertised length of a sample.
5030 \fB\-E2BIG\fP if user\-space has tried to publish a sample which is
5031 larger than the size of the ring buffer, or which cannot fit
5032 within a struct bpf_dynptr.
5035 .B \fBvoid *bpf_cgrp_storage_get(struct bpf_map *\fP\fImap\fP\fB, struct cgroup *\fP\fIcgroup\fP\fB, void *\fP\fIvalue\fP\fB, u64\fP \fIflags\fP\fB)\fP
5039 Get a bpf_local_storage from the \fIcgroup\fP\&.
5041 Logically, it could be thought of as getting the value from
5042 a \fImap\fP with \fIcgroup\fP as the \fBkey\fP\&. From this
5043 perspective, the usage is not much different from
5044 \fBbpf_map_lookup_elem\fP(\fImap\fP, \fB&\fP\fIcgroup\fP) except this
5045 helper enforces the key must be a cgroup struct and the map must also
5046 be a \fBBPF_MAP_TYPE_CGRP_STORAGE\fP\&.
5048 In reality, the local\-storage value is embedded directly inside of the
5049 \fIcgroup\fP object itself, rather than being located in the
5050 \fBBPF_MAP_TYPE_CGRP_STORAGE\fP map. When the local\-storage value is
5051 queried for some \fImap\fP on a \fIcgroup\fP object, the kernel will perform an
5052 O(n) iteration over all of the live local\-storage values for that
5053 \fIcgroup\fP object until the local\-storage value for the \fImap\fP is found.
5055 An optional \fIflags\fP (\fBBPF_LOCAL_STORAGE_GET_F_CREATE\fP) can be
5056 used such that a new bpf_local_storage will be
5057 created if one does not exist. \fIvalue\fP can be used
5058 together with \fBBPF_LOCAL_STORAGE_GET_F_CREATE\fP to specify
5059 the initial value of a bpf_local_storage. If \fIvalue\fP is
5060 \fBNULL\fP, the new bpf_local_storage will be zero initialized.
5063 A bpf_local_storage pointer is returned on success.
5065 \fBNULL\fP if not found or there was an error in adding
5066 a new bpf_local_storage.
5069 .B \fBlong bpf_cgrp_storage_delete(struct bpf_map *\fP\fImap\fP\fB, struct cgroup *\fP\fIcgroup\fP\fB)\fP
5073 Delete a bpf_local_storage from a \fIcgroup\fP\&.
5078 \fB\-ENOENT\fP if the bpf_local_storage cannot be found.
5083 Example usage for most of the eBPF helpers listed in this manual page are
5084 available within the Linux kernel sources, at the following locations:
5089 \fItools/testing/selftests/bpf/\fP
5093 eBPF programs can have an associated license, passed along with the bytecode
5094 instructions to the kernel when the programs are loaded. The format for that
5095 string is identical to the one in use for kernel modules (Dual licenses, such
5096 as \(dqDual BSD/GPL\(dq, may be used). Some helper functions are only accessible to
5097 programs that are compatible with the GNU General Public License (GNU GPL).
5099 In order to use such helpers, the eBPF program must be loaded with the correct
5100 license string passed (via \fBattr\fP) to the \fBbpf\fP() system call, and this
5101 generally translates into the C source code of the program containing a line
5102 similar to the following:
5107 char ____license[] __attribute__((section(\(dqlicense\(dq), used)) = \(dqGPL\(dq;
5113 This manual page is an effort to document the existing eBPF helper functions.
5114 But as of this writing, the BPF sub\-system is under heavy development. New eBPF
5115 program or map types are added, along with new helper functions. Some helpers
5116 are occasionally made available for additional program types. So in spite of
5117 the efforts of the community, this page might not be up\-to\-date. If you want to
5118 check by yourself what helper functions exist in your kernel, or what types of
5119 programs they can support, here are some files among the kernel tree that you
5120 may be interested in:
5123 \fIinclude/uapi/linux/bpf.h\fP is the main BPF header. It contains the full list
5124 of all helper functions, as well as many other BPF definitions including most
5125 of the flags, structs or constants used by the helpers.
5127 \fInet/core/filter.c\fP contains the definition of most network\-related helper
5128 functions, and the list of program types from which they can be used.
5130 \fIkernel/trace/bpf_trace.c\fP is the equivalent for most tracing program\-related
5133 \fIkernel/bpf/verifier.c\fP contains the functions used to check that valid types
5134 of eBPF maps are used with a given helper function.
5136 \fIkernel/bpf/\fP directory contains other files in which additional helpers are
5137 defined (for cgroups, sockmaps, etc.).
5139 The bpftool utility can be used to probe the availability of helper functions
5140 on the system (as well as supported program and map types, and a number of
5141 other parameters). To do so, run \fBbpftool feature probe\fP (see
5142 \fBbpftool\-feature\fP(8) for details). Add the \fBunprivileged\fP keyword to
5143 list features available to unprivileged users.
5146 Compatibility between helper functions and program types can generally be found
5147 in the files where helper functions are defined. Look for the \fBstruct
5148 bpf_func_proto\fP objects and for functions returning them: these functions
5149 contain a list of helpers that a given program type can call. Note that the
5150 \fBdefault:\fP label of the \fBswitch ... case\fP used to filter helpers can call
5151 other functions, themselves allowing access to additional helpers. The
5152 requirement for GPL license is also in those \fBstruct bpf_func_proto\fP\&.
5154 Compatibility between helper functions and map types can be found in the
5155 \fBcheck_map_func_compatibility\fP() function in file \fIkernel/bpf/verifier.c\fP\&.
5157 Helper functions that invalidate the checks on \fBdata\fP and \fBdata_end\fP
5158 pointers for network processing are listed in function
5159 \fBbpf_helper_changes_pkt_data\fP() in file \fInet/core/filter.c\fP\&.
5166 \fBperf_event_open\fP(2),
5170 .\" Generated by docutils manpage writer.