1 .\" Man page generated from reStructuredText.
3 .TH BPF-HELPERS 7 "" "" ""
5 BPF-HELPERS \- list of eBPF helper functions
7 .nr rst2man-indent-level 0
11 level \\n[rst2man-indent-level]
12 level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
19 .\" .rstReportMargin pre:
21 . nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
22 . nr rst2man-indent-level +1
23 .\" .rstReportMargin post:
27 .\" indent \\n[an-margin]
28 .\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
29 .nr rst2man-indent-level -1
30 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
31 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
33 .\" Copyright (C) All BPF authors and contributors from 2014 to present.
35 .\" See git log include/uapi/linux/bpf.h in kernel tree for details.
39 .\" %%%LICENSE_START(VERBATIM)
41 .\" Permission is granted to make and distribute verbatim copies of this
43 .\" manual provided the copyright notice and this permission notice are
45 .\" preserved on all copies.
49 .\" Permission is granted to copy and distribute modified versions of this
51 .\" manual under the conditions for verbatim copying, provided that the
53 .\" entire resulting derived work is distributed under the terms of a
55 .\" permission notice identical to this one.
59 .\" Since the Linux kernel and libraries are constantly changing, this
61 .\" manual page may be incorrect or out-of-date. The author(s) assume no
63 .\" responsibility for errors or omissions, or for damages resulting from
65 .\" the use of the information contained herein. The author(s) may not
67 .\" have taken the same level of care in the production of this manual,
69 .\" which is licensed free of charge, as they might when working
75 .\" Formatted or processed versions of this manual, if unaccompanied by
77 .\" the source, must acknowledge the copyright and authors of this work.
83 .\" Please do not edit this file. It was generated from the documentation
85 .\" located in file include/uapi/linux/bpf.h of the Linux kernel sources
87 .\" (helpers description), and from scripts/bpf_helpers_doc.py in the same
89 .\" repository (header and footer).
93 The extended Berkeley Packet Filter (eBPF) subsystem consists in programs
94 written in a pseudo\-assembly language, then attached to one of the several
95 kernel hooks and run in reaction of specific events. This framework differs
96 from the older, "classic" BPF (or "cBPF") in several aspects, one of them being
97 the ability to call special functions (or "helpers") from within a program.
98 These functions are restricted to a white\-list of helpers defined in the
101 These helpers are used by eBPF programs to interact with the system, or with
102 the context in which they work. For instance, they can be used to print
103 debugging messages, to get the time since the system was booted, to interact
104 with eBPF maps, or to manipulate network packets. Since there are several eBPF
105 program types, and that they do not run in the same context, each program type
106 can only call a subset of those helpers.
108 Due to eBPF conventions, a helper can not have more than five arguments.
110 Internally, eBPF programs call directly into the compiled helper functions
111 without requiring any foreign\-function interface. As a result, calling helpers
112 introduces no overhead, thus offering excellent performance.
114 This document is an attempt to list and document the helpers available to eBPF
115 developers. They are sorted by chronological order (the oldest helpers in the
120 .B \fBvoid *bpf_map_lookup_elem(struct bpf_map *\fP\fImap\fP\fB, const void *\fP\fIkey\fP\fB)\fP
124 Perform a lookup in \fImap\fP for an entry associated to \fIkey\fP\&.
127 Map value associated to \fIkey\fP, or \fBNULL\fP if no entry was
131 .B \fBlong bpf_map_update_elem(struct bpf_map *\fP\fImap\fP\fB, const void *\fP\fIkey\fP\fB, const void *\fP\fIvalue\fP\fB, u64\fP \fIflags\fP\fB)\fP
135 Add or update the value of the entry associated to \fIkey\fP in
136 \fImap\fP with \fIvalue\fP\&. \fIflags\fP is one of:
140 The entry for \fIkey\fP must not exist in the map.
143 The entry for \fIkey\fP must already exist in the map.
146 No condition on the existence of the entry for \fIkey\fP\&.
149 Flag value \fBBPF_NOEXIST\fP cannot be used for maps of types
150 \fBBPF_MAP_TYPE_ARRAY\fP or \fBBPF_MAP_TYPE_PERCPU_ARRAY\fP (all
151 elements always exist), the helper would return an error.
154 0 on success, or a negative error in case of failure.
157 .B \fBlong bpf_map_delete_elem(struct bpf_map *\fP\fImap\fP\fB, const void *\fP\fIkey\fP\fB)\fP
161 Delete entry with \fIkey\fP from \fImap\fP\&.
164 0 on success, or a negative error in case of failure.
167 .B \fBlong bpf_probe_read(void *\fP\fIdst\fP\fB, u32\fP \fIsize\fP\fB, const void *\fP\fIunsafe_ptr\fP\fB)\fP
171 For tracing programs, safely attempt to read \fIsize\fP bytes from
172 kernel space address \fIunsafe_ptr\fP and store the data in \fIdst\fP\&.
174 Generally, use \fBbpf_probe_read_user\fP() or
175 \fBbpf_probe_read_kernel\fP() instead.
178 0 on success, or a negative error in case of failure.
181 .B \fBu64 bpf_ktime_get_ns(void)\fP
185 Return the time elapsed since system boot, in nanoseconds.
186 Does not include time the system was suspended.
187 See: \fBclock_gettime\fP(\fBCLOCK_MONOTONIC\fP)
190 Current \fIktime\fP\&.
193 .B \fBlong bpf_trace_printk(const char *\fP\fIfmt\fP\fB, u32\fP \fIfmt_size\fP\fB, ...)\fP
197 This helper is a "printk()\-like" facility for debugging. It
198 prints a message defined by format \fIfmt\fP (of size \fIfmt_size\fP)
199 to file \fI/sys/kernel/debug/tracing/trace\fP from DebugFS, if
200 available. It can take up to three additional \fBu64\fP
201 arguments (as an eBPF helpers, the total number of arguments is
204 Each time the helper is called, it appends a line to the trace.
205 Lines are discarded while \fI/sys/kernel/debug/tracing/trace\fP is
206 open, use \fI/sys/kernel/debug/tracing/trace_pipe\fP to avoid this.
207 The format of the trace is customizable, and the exact output
208 one will get depends on the options set in
209 \fI/sys/kernel/debug/tracing/trace_options\fP (see also the
210 \fIREADME\fP file under the same directory). However, it usually
211 defaults to something like:
217 telnet\-470 [001] .N.. 419421.045894: 0x00000001: <formatted msg>
228 \fBtelnet\fP is the name of the current task.
230 \fB470\fP is the PID of the current task.
232 \fB001\fP is the CPU number on which the task is
235 In \fB\&.N..\fP, each character refers to a set of
236 options (whether irqs are enabled, scheduling
237 options, whether hard/softirqs are running, level of
238 preempt_disabled respectively). \fBN\fP means that
239 \fBTIF_NEED_RESCHED\fP and \fBPREEMPT_NEED_RESCHED\fP
242 \fB419421.045894\fP is a timestamp.
244 \fB0x00000001\fP is a fake value used by BPF for the
245 instruction pointer register.
247 \fB<formatted msg>\fP is the message formatted with
253 The conversion specifiers supported by \fIfmt\fP are similar, but
254 more limited than for printk(). They are \fB%d\fP, \fB%i\fP,
255 \fB%u\fP, \fB%x\fP, \fB%ld\fP, \fB%li\fP, \fB%lu\fP, \fB%lx\fP, \fB%lld\fP,
256 \fB%lli\fP, \fB%llu\fP, \fB%llx\fP, \fB%p\fP, \fB%s\fP\&. No modifier (size
257 of field, padding with zeroes, etc.) is available, and the
258 helper will return \fB\-EINVAL\fP (but print nothing) if it
259 encounters an unknown specifier.
261 Also, note that \fBbpf_trace_printk\fP() is slow, and should
262 only be used for debugging purposes. For this reason, a notice
263 block (spanning several lines) is printed to kernel logs and
264 states that the helper should not be used "for production use"
265 the first time this helper is used (or more precisely, when
266 \fBtrace_printk\fP() buffers are allocated). For passing values
267 to user space, perf events should be preferred.
270 The number of bytes written to the buffer, or a negative error
274 .B \fBu32 bpf_get_prandom_u32(void)\fP
278 Get a pseudo\-random number.
280 From a security point of view, this helper uses its own
281 pseudo\-random internal state, and cannot be used to infer the
282 seed of other random functions in the kernel. However, it is
283 essential to note that the generator used by the helper is not
284 cryptographically secure.
287 A random 32\-bit unsigned value.
290 .B \fBu32 bpf_get_smp_processor_id(void)\fP
294 Get the SMP (symmetric multiprocessing) processor id. Note that
295 all programs run with preemption disabled, which means that the
296 SMP processor id is stable during all the execution of the
300 The SMP id of the processor running the program.
303 .B \fBlong bpf_skb_store_bytes(struct sk_buff *\fP\fIskb\fP\fB, u32\fP \fIoffset\fP\fB, const void *\fP\fIfrom\fP\fB, u32\fP \fIlen\fP\fB, u64\fP \fIflags\fP\fB)\fP
307 Store \fIlen\fP bytes from address \fIfrom\fP into the packet
308 associated to \fIskb\fP, at \fIoffset\fP\&. \fIflags\fP are a combination of
309 \fBBPF_F_RECOMPUTE_CSUM\fP (automatically recompute the
310 checksum for the packet after storing the bytes) and
311 \fBBPF_F_INVALIDATE_HASH\fP (set \fIskb\fP\fB\->hash\fP, \fIskb\fP\fB\->swhash\fP and \fIskb\fP\fB\->l4hash\fP to 0).
313 A call to this helper is susceptible to change the underlying
314 packet buffer. Therefore, at load time, all checks on pointers
315 previously done by the verifier are invalidated and must be
316 performed again, if the helper is used in combination with
317 direct packet access.
320 0 on success, or a negative error in case of failure.
323 .B \fBlong bpf_l3_csum_replace(struct sk_buff *\fP\fIskb\fP\fB, u32\fP \fIoffset\fP\fB, u64\fP \fIfrom\fP\fB, u64\fP \fIto\fP\fB, u64\fP \fIsize\fP\fB)\fP
327 Recompute the layer 3 (e.g. IP) checksum for the packet
328 associated to \fIskb\fP\&. Computation is incremental, so the helper
329 must know the former value of the header field that was
330 modified (\fIfrom\fP), the new value of this field (\fIto\fP), and the
331 number of bytes (2 or 4) for this field, stored in \fIsize\fP\&.
332 Alternatively, it is possible to store the difference between
333 the previous and the new values of the header field in \fIto\fP, by
334 setting \fIfrom\fP and \fIsize\fP to 0. For both methods, \fIoffset\fP
335 indicates the location of the IP checksum within the packet.
337 This helper works in combination with \fBbpf_csum_diff\fP(),
338 which does not update the checksum in\-place, but offers more
339 flexibility and can handle sizes larger than 2 or 4 for the
342 A call to this helper is susceptible to change the underlying
343 packet buffer. Therefore, at load time, all checks on pointers
344 previously done by the verifier are invalidated and must be
345 performed again, if the helper is used in combination with
346 direct packet access.
349 0 on success, or a negative error in case of failure.
352 .B \fBlong bpf_l4_csum_replace(struct sk_buff *\fP\fIskb\fP\fB, u32\fP \fIoffset\fP\fB, u64\fP \fIfrom\fP\fB, u64\fP \fIto\fP\fB, u64\fP \fIflags\fP\fB)\fP
356 Recompute the layer 4 (e.g. TCP, UDP, or ICMP) checksum for the
357 packet associated to \fIskb\fP\&. Computation is incremental, so the
358 helper must know the former value of the header field that was
359 modified (\fIfrom\fP), the new value of this field (\fIto\fP), and the
360 number of bytes (2 or 4) for this field, stored on the lowest
361 four bits of \fIflags\fP\&. Alternatively, it is possible to store
362 the difference between the previous and the new values of the
363 header field in \fIto\fP, by setting \fIfrom\fP and the four lowest
364 bits of \fIflags\fP to 0. For both methods, \fIoffset\fP indicates the
365 location of the IP checksum within the packet. In addition to
366 the size of the field, \fIflags\fP can be added (bitwise OR) actual
367 flags. With \fBBPF_F_MARK_MANGLED_0\fP, a null checksum is left
368 untouched (unless \fBBPF_F_MARK_ENFORCE\fP is added as well), and
369 for updates resulting in a null checksum the value is set to
370 \fBCSUM_MANGLED_0\fP instead. Flag \fBBPF_F_PSEUDO_HDR\fP indicates
371 the checksum is to be computed against a pseudo\-header.
373 This helper works in combination with \fBbpf_csum_diff\fP(),
374 which does not update the checksum in\-place, but offers more
375 flexibility and can handle sizes larger than 2 or 4 for the
378 A call to this helper is susceptible to change the underlying
379 packet buffer. Therefore, at load time, all checks on pointers
380 previously done by the verifier are invalidated and must be
381 performed again, if the helper is used in combination with
382 direct packet access.
385 0 on success, or a negative error in case of failure.
388 .B \fBlong bpf_tail_call(void *\fP\fIctx\fP\fB, struct bpf_map *\fP\fIprog_array_map\fP\fB, u32\fP \fIindex\fP\fB)\fP
392 This special helper is used to trigger a "tail call", or in
393 other words, to jump into another eBPF program. The same stack
394 frame is used (but values on stack and in registers for the
395 caller are not accessible to the callee). This mechanism allows
396 for program chaining, either for raising the maximum number of
397 available eBPF instructions, or to execute given programs in
398 conditional blocks. For security reasons, there is an upper
399 limit to the number of successive tail calls that can be
402 Upon call of this helper, the program attempts to jump into a
403 program referenced at index \fIindex\fP in \fIprog_array_map\fP, a
404 special map of type \fBBPF_MAP_TYPE_PROG_ARRAY\fP, and passes
405 \fIctx\fP, a pointer to the context.
407 If the call succeeds, the kernel immediately runs the first
408 instruction of the new program. This is not a function call,
409 and it never returns to the previous program. If the call
410 fails, then the helper has no effect, and the caller continues
411 to run its subsequent instructions. A call can fail if the
412 destination program for the jump does not exist (i.e. \fIindex\fP
413 is superior to the number of entries in \fIprog_array_map\fP), or
414 if the maximum number of tail calls has been reached for this
415 chain of programs. This limit is defined in the kernel by the
416 macro \fBMAX_TAIL_CALL_CNT\fP (not accessible to user space),
417 which is currently set to 32.
420 0 on success, or a negative error in case of failure.
423 .B \fBlong bpf_clone_redirect(struct sk_buff *\fP\fIskb\fP\fB, u32\fP \fIifindex\fP\fB, u64\fP \fIflags\fP\fB)\fP
427 Clone and redirect the packet associated to \fIskb\fP to another
428 net device of index \fIifindex\fP\&. Both ingress and egress
429 interfaces can be used for redirection. The \fBBPF_F_INGRESS\fP
430 value in \fIflags\fP is used to make the distinction (ingress path
431 is selected if the flag is present, egress path otherwise).
432 This is the only flag supported for now.
434 In comparison with \fBbpf_redirect\fP() helper,
435 \fBbpf_clone_redirect\fP() has the associated cost of
436 duplicating the packet buffer, but this can be executed out of
437 the eBPF program. Conversely, \fBbpf_redirect\fP() is more
438 efficient, but it is handled through an action code where the
439 redirection happens only after the eBPF program has returned.
441 A call to this helper is susceptible to change the underlying
442 packet buffer. Therefore, at load time, all checks on pointers
443 previously done by the verifier are invalidated and must be
444 performed again, if the helper is used in combination with
445 direct packet access.
448 0 on success, or a negative error in case of failure.
451 .B \fBu64 bpf_get_current_pid_tgid(void)\fP
455 A 64\-bit integer containing the current tgid and pid, and
457 \fIcurrent_task\fP\fB\->tgid << 32 |\fP
458 \fIcurrent_task\fP\fB\->pid\fP\&.
461 .B \fBu64 bpf_get_current_uid_gid(void)\fP
465 A 64\-bit integer containing the current GID and UID, and
466 created as such: \fIcurrent_gid\fP \fB<< 32 |\fP \fIcurrent_uid\fP\&.
469 .B \fBlong bpf_get_current_comm(void *\fP\fIbuf\fP\fB, u32\fP \fIsize_of_buf\fP\fB)\fP
473 Copy the \fBcomm\fP attribute of the current task into \fIbuf\fP of
474 \fIsize_of_buf\fP\&. The \fBcomm\fP attribute contains the name of
475 the executable (excluding the path) for the current task. The
476 \fIsize_of_buf\fP must be strictly positive. On success, the
477 helper makes sure that the \fIbuf\fP is NUL\-terminated. On failure,
478 it is filled with zeroes.
481 0 on success, or a negative error in case of failure.
484 .B \fBu32 bpf_get_cgroup_classid(struct sk_buff *\fP\fIskb\fP\fB)\fP
488 Retrieve the classid for the current task, i.e. for the net_cls
489 cgroup to which \fIskb\fP belongs.
491 This helper can be used on TC egress path, but not on ingress.
493 The net_cls cgroup provides an interface to tag network packets
494 based on a user\-provided identifier for all traffic coming from
495 the tasks belonging to the related cgroup. See also the related
496 kernel documentation, available from the Linux sources in file
497 \fIDocumentation/admin\-guide/cgroup\-v1/net_cls.rst\fP\&.
499 The Linux kernel has two versions for cgroups: there are
500 cgroups v1 and cgroups v2. Both are available to users, who can
501 use a mixture of them, but note that the net_cls cgroup is for
502 cgroup v1 only. This makes it incompatible with BPF programs
503 run on cgroups, which is a cgroup\-v2\-only feature (a socket can
504 only hold data for one version of cgroups at a time).
506 This helper is only available is the kernel was compiled with
507 the \fBCONFIG_CGROUP_NET_CLASSID\fP configuration option set to
508 "\fBy\fP" or to "\fBm\fP".
511 The classid, or 0 for the default unconfigured classid.
514 .B \fBlong bpf_skb_vlan_push(struct sk_buff *\fP\fIskb\fP\fB, __be16\fP \fIvlan_proto\fP\fB, u16\fP \fIvlan_tci\fP\fB)\fP
518 Push a \fIvlan_tci\fP (VLAN tag control information) of protocol
519 \fIvlan_proto\fP to the packet associated to \fIskb\fP, then update
520 the checksum. Note that if \fIvlan_proto\fP is different from
521 \fBETH_P_8021Q\fP and \fBETH_P_8021AD\fP, it is considered to
522 be \fBETH_P_8021Q\fP\&.
524 A call to this helper is susceptible to change the underlying
525 packet buffer. Therefore, at load time, all checks on pointers
526 previously done by the verifier are invalidated and must be
527 performed again, if the helper is used in combination with
528 direct packet access.
531 0 on success, or a negative error in case of failure.
534 .B \fBlong bpf_skb_vlan_pop(struct sk_buff *\fP\fIskb\fP\fB)\fP
538 Pop a VLAN header from the packet associated to \fIskb\fP\&.
540 A call to this helper is susceptible to change the underlying
541 packet buffer. Therefore, at load time, all checks on pointers
542 previously done by the verifier are invalidated and must be
543 performed again, if the helper is used in combination with
544 direct packet access.
547 0 on success, or a negative error in case of failure.
550 .B \fBlong bpf_skb_get_tunnel_key(struct sk_buff *\fP\fIskb\fP\fB, struct bpf_tunnel_key *\fP\fIkey\fP\fB, u32\fP \fIsize\fP\fB, u64\fP \fIflags\fP\fB)\fP
554 Get tunnel metadata. This helper takes a pointer \fIkey\fP to an
555 empty \fBstruct bpf_tunnel_key\fP of \fBsize\fP, that will be
556 filled with tunnel metadata for the packet associated to \fIskb\fP\&.
557 The \fIflags\fP can be set to \fBBPF_F_TUNINFO_IPV6\fP, which
558 indicates that the tunnel is based on IPv6 protocol instead of
561 The \fBstruct bpf_tunnel_key\fP is an object that generalizes the
562 principal parameters used by various tunneling protocols into a
563 single struct. This way, it can be used to easily make a
564 decision based on the contents of the encapsulation header,
565 "summarized" in this struct. In particular, it holds the IP
566 address of the remote end (IPv4 or IPv6, depending on the case)
567 in \fIkey\fP\fB\->remote_ipv4\fP or \fIkey\fP\fB\->remote_ipv6\fP\&. Also,
568 this struct exposes the \fIkey\fP\fB\->tunnel_id\fP, which is
569 generally mapped to a VNI (Virtual Network Identifier), making
570 it programmable together with the \fBbpf_skb_set_tunnel_key\fP() helper.
572 Let\(aqs imagine that the following code is part of a program
573 attached to the TC ingress interface, on one end of a GRE
574 tunnel, and is supposed to filter out all messages coming from
575 remote ends with IPv4 address other than 10.0.0.1:
582 struct bpf_tunnel_key key = {};
584 ret = bpf_skb_get_tunnel_key(skb, &key, sizeof(key), 0);
586 return TC_ACT_SHOT; // drop packet
588 if (key.remote_ipv4 != 0x0a000001)
589 return TC_ACT_SHOT; // drop packet
591 return TC_ACT_OK; // accept packet
597 This interface can also be used with all encapsulation devices
598 that can operate in "collect metadata" mode: instead of having
599 one network device per specific configuration, the "collect
600 metadata" mode only requires a single device where the
601 configuration can be extracted from this helper.
603 This can be used together with various tunnels such as VXLan,
604 Geneve, GRE, or IP in IP (IPIP).
607 0 on success, or a negative error in case of failure.
610 .B \fBlong bpf_skb_set_tunnel_key(struct sk_buff *\fP\fIskb\fP\fB, struct bpf_tunnel_key *\fP\fIkey\fP\fB, u32\fP \fIsize\fP\fB, u64\fP \fIflags\fP\fB)\fP
614 Populate tunnel metadata for packet associated to \fIskb.\fP The
615 tunnel metadata is set to the contents of \fIkey\fP, of \fIsize\fP\&. The
616 \fIflags\fP can be set to a combination of the following values:
619 .B \fBBPF_F_TUNINFO_IPV6\fP
620 Indicate that the tunnel is based on IPv6 protocol
623 .B \fBBPF_F_ZERO_CSUM_TX\fP
624 For IPv4 packets, add a flag to tunnel metadata
625 indicating that checksum computation should be skipped
626 and checksum set to zeroes.
628 .B \fBBPF_F_DONT_FRAGMENT\fP
629 Add a flag to tunnel metadata indicating that the
630 packet should not be fragmented.
632 .B \fBBPF_F_SEQ_NUMBER\fP
633 Add a flag to tunnel metadata indicating that a
634 sequence number should be added to tunnel header before
635 sending the packet. This flag was added for GRE
636 encapsulation, but might be used with other protocols
637 as well in the future.
640 Here is a typical usage on the transmit path:
646 struct bpf_tunnel_key key;
648 bpf_skb_set_tunnel_key(skb, &key, sizeof(key), 0);
649 bpf_clone_redirect(skb, vxlan_dev_ifindex, 0);
655 See also the description of the \fBbpf_skb_get_tunnel_key\fP()
656 helper for additional information.
659 0 on success, or a negative error in case of failure.
662 .B \fBu64 bpf_perf_event_read(struct bpf_map *\fP\fImap\fP\fB, u64\fP \fIflags\fP\fB)\fP
666 Read the value of a perf event counter. This helper relies on a
667 \fImap\fP of type \fBBPF_MAP_TYPE_PERF_EVENT_ARRAY\fP\&. The nature of
668 the perf event counter is selected when \fImap\fP is updated with
669 perf event file descriptors. The \fImap\fP is an array whose size
670 is the number of available CPUs, and each cell contains a value
671 relative to one CPU. The value to retrieve is indicated by
672 \fIflags\fP, that contains the index of the CPU to look up, masked
673 with \fBBPF_F_INDEX_MASK\fP\&. Alternatively, \fIflags\fP can be set to
674 \fBBPF_F_CURRENT_CPU\fP to indicate that the value for the
675 current CPU should be retrieved.
677 Note that before Linux 4.13, only hardware perf event can be
680 Also, be aware that the newer helper
681 \fBbpf_perf_event_read_value\fP() is recommended over
682 \fBbpf_perf_event_read\fP() in general. The latter has some ABI
683 quirks where error and counter value are used as a return code
684 (which is wrong to do since ranges may overlap). This issue is
685 fixed with \fBbpf_perf_event_read_value\fP(), which at the same
686 time provides more features over the \fBbpf_perf_event_read\fP() interface. Please refer to the description of
687 \fBbpf_perf_event_read_value\fP() for details.
690 The value of the perf event counter read from the map, or a
691 negative error code in case of failure.
694 .B \fBlong bpf_redirect(u32\fP \fIifindex\fP\fB, u64\fP \fIflags\fP\fB)\fP
698 Redirect the packet to another net device of index \fIifindex\fP\&.
699 This helper is somewhat similar to \fBbpf_clone_redirect\fP(), except that the packet is not cloned, which provides
700 increased performance.
702 Except for XDP, both ingress and egress interfaces can be used
703 for redirection. The \fBBPF_F_INGRESS\fP value in \fIflags\fP is used
704 to make the distinction (ingress path is selected if the flag
705 is present, egress path otherwise). Currently, XDP only
706 supports redirection to the egress interface, and accepts no
709 The same effect can also be attained with the more generic
710 \fBbpf_redirect_map\fP(), which uses a BPF map to store the
711 redirect target instead of providing it directly to the helper.
714 For XDP, the helper returns \fBXDP_REDIRECT\fP on success or
715 \fBXDP_ABORTED\fP on error. For other program types, the values
716 are \fBTC_ACT_REDIRECT\fP on success or \fBTC_ACT_SHOT\fP on
720 .B \fBu32 bpf_get_route_realm(struct sk_buff *\fP\fIskb\fP\fB)\fP
724 Retrieve the realm or the route, that is to say the
725 \fBtclassid\fP field of the destination for the \fIskb\fP\&. The
726 identifier retrieved is a user\-provided tag, similar to the
727 one used with the net_cls cgroup (see description for
728 \fBbpf_get_cgroup_classid\fP() helper), but here this tag is
729 held by a route (a destination entry), not by a task.
731 Retrieving this identifier works with the clsact TC egress hook
732 (see also \fBtc\-bpf(8)\fP), or alternatively on conventional
733 classful egress qdiscs, but not on TC ingress path. In case of
734 clsact TC egress hook, this has the advantage that, internally,
735 the destination entry has not been dropped yet in the transmit
736 path. Therefore, the destination entry does not need to be
737 artificially held via \fBnetif_keep_dst\fP() for a classful
738 qdisc until the \fIskb\fP is freed.
740 This helper is available only if the kernel was compiled with
741 \fBCONFIG_IP_ROUTE_CLASSID\fP configuration option.
744 The realm of the route for the packet associated to \fIskb\fP, or 0
748 .B \fBlong bpf_perf_event_output(void *\fP\fIctx\fP\fB, struct bpf_map *\fP\fImap\fP\fB, u64\fP \fIflags\fP\fB, void *\fP\fIdata\fP\fB, u64\fP \fIsize\fP\fB)\fP
752 Write raw \fIdata\fP blob into a special BPF perf event held by
753 \fImap\fP of type \fBBPF_MAP_TYPE_PERF_EVENT_ARRAY\fP\&. This perf
754 event must have the following attributes: \fBPERF_SAMPLE_RAW\fP
755 as \fBsample_type\fP, \fBPERF_TYPE_SOFTWARE\fP as \fBtype\fP, and
756 \fBPERF_COUNT_SW_BPF_OUTPUT\fP as \fBconfig\fP\&.
758 The \fIflags\fP are used to indicate the index in \fImap\fP for which
759 the value must be put, masked with \fBBPF_F_INDEX_MASK\fP\&.
760 Alternatively, \fIflags\fP can be set to \fBBPF_F_CURRENT_CPU\fP
761 to indicate that the index of the current CPU core should be
764 The value to write, of \fIsize\fP, is passed through eBPF stack and
765 pointed by \fIdata\fP\&.
767 The context of the program \fIctx\fP needs also be passed to the
770 On user space, a program willing to read the values needs to
771 call \fBperf_event_open\fP() on the perf event (either for
772 one or for all CPUs) and to store the file descriptor into the
773 \fImap\fP\&. This must be done before the eBPF program can send data
774 into it. An example is available in file
775 \fIsamples/bpf/trace_output_user.c\fP in the Linux kernel source
776 tree (the eBPF program counterpart is in
777 \fIsamples/bpf/trace_output_kern.c\fP).
779 \fBbpf_perf_event_output\fP() achieves better performance
780 than \fBbpf_trace_printk\fP() for sharing data with user
781 space, and is much better suitable for streaming data from eBPF
784 Note that this helper is not restricted to tracing use cases
785 and can be used with programs attached to TC or XDP as well,
786 where it allows for passing data to user space listeners. Data
792 Only the packet payload, or
794 A combination of both.
798 0 on success, or a negative error in case of failure.
801 .B \fBlong bpf_skb_load_bytes(const void *\fP\fIskb\fP\fB, u32\fP \fIoffset\fP\fB, void *\fP\fIto\fP\fB, u32\fP \fIlen\fP\fB)\fP
805 This helper was provided as an easy way to load data from a
806 packet. It can be used to load \fIlen\fP bytes from \fIoffset\fP from
807 the packet associated to \fIskb\fP, into the buffer pointed by
810 Since Linux 4.7, usage of this helper has mostly been replaced
811 by "direct packet access", enabling packet data to be
812 manipulated with \fIskb\fP\fB\->data\fP and \fIskb\fP\fB\->data_end\fP
813 pointing respectively to the first byte of packet data and to
814 the byte after the last byte of packet data. However, it
815 remains useful if one wishes to read large quantities of data
816 at once from a packet into the eBPF stack.
819 0 on success, or a negative error in case of failure.
822 .B \fBlong bpf_get_stackid(void *\fP\fIctx\fP\fB, struct bpf_map *\fP\fImap\fP\fB, u64\fP \fIflags\fP\fB)\fP
826 Walk a user or a kernel stack and return its id. To achieve
827 this, the helper needs \fIctx\fP, which is a pointer to the context
828 on which the tracing program is executed, and a pointer to a
829 \fImap\fP of type \fBBPF_MAP_TYPE_STACK_TRACE\fP\&.
831 The last argument, \fIflags\fP, holds the number of stack frames to
832 skip (from 0 to 255), masked with
833 \fBBPF_F_SKIP_FIELD_MASK\fP\&. The next bits can be used to set
834 a combination of the following flags:
837 .B \fBBPF_F_USER_STACK\fP
838 Collect a user space stack instead of a kernel stack.
840 .B \fBBPF_F_FAST_STACK_CMP\fP
841 Compare stacks by hash only.
843 .B \fBBPF_F_REUSE_STACKID\fP
844 If two different stacks hash into the same \fIstackid\fP,
848 The stack id retrieved is a 32 bit long integer handle which
849 can be further combined with other data (including other stack
850 ids) and used as a key into maps. This can be useful for
851 generating a variety of graphs (such as flame graphs or off\-cpu
854 For walking a stack, this helper is an improvement over
855 \fBbpf_probe_read\fP(), which can be used with unrolled loops
856 but is not efficient and consumes a lot of eBPF instructions.
857 Instead, \fBbpf_get_stackid\fP() can collect up to
858 \fBPERF_MAX_STACK_DEPTH\fP both kernel and user frames. Note that
859 this limit can be controlled with the \fBsysctl\fP program, and
860 that it should be manually increased in order to profile long
861 user stacks (such as stacks for Java programs). To do so, use:
867 # sysctl kernel.perf_event_max_stack=<new value>
874 The positive or null stack id on success, or a negative error
878 .B \fBs64 bpf_csum_diff(__be32 *\fP\fIfrom\fP\fB, u32\fP \fIfrom_size\fP\fB, __be32 *\fP\fIto\fP\fB, u32\fP \fIto_size\fP\fB, __wsum\fP \fIseed\fP\fB)\fP
882 Compute a checksum difference, from the raw buffer pointed by
883 \fIfrom\fP, of length \fIfrom_size\fP (that must be a multiple of 4),
884 towards the raw buffer pointed by \fIto\fP, of size \fIto_size\fP
885 (same remark). An optional \fIseed\fP can be added to the value
886 (this can be cascaded, the seed may come from a previous call
889 This is flexible enough to be used in several ways:
892 With \fIfrom_size\fP == 0, \fIto_size\fP > 0 and \fIseed\fP set to
893 checksum, it can be used when pushing new data.
895 With \fIfrom_size\fP > 0, \fIto_size\fP == 0 and \fIseed\fP set to
896 checksum, it can be used when removing data from a packet.
898 With \fIfrom_size\fP > 0, \fIto_size\fP > 0 and \fIseed\fP set to 0, it
899 can be used to compute a diff. Note that \fIfrom_size\fP and
900 \fIto_size\fP do not need to be equal.
903 This helper can be used in combination with
904 \fBbpf_l3_csum_replace\fP() and \fBbpf_l4_csum_replace\fP(), to
905 which one can feed in the difference computed with
906 \fBbpf_csum_diff\fP().
909 The checksum result, or a negative error code in case of
913 .B \fBlong bpf_skb_get_tunnel_opt(struct sk_buff *\fP\fIskb\fP\fB, void *\fP\fIopt\fP\fB, u32\fP \fIsize\fP\fB)\fP
917 Retrieve tunnel options metadata for the packet associated to
918 \fIskb\fP, and store the raw tunnel option data to the buffer \fIopt\fP
921 This helper can be used with encapsulation devices that can
922 operate in "collect metadata" mode (please refer to the related
923 note in the description of \fBbpf_skb_get_tunnel_key\fP() for
924 more details). A particular example where this can be used is
925 in combination with the Geneve encapsulation protocol, where it
926 allows for pushing (with \fBbpf_skb_get_tunnel_opt\fP() helper)
927 and retrieving arbitrary TLVs (Type\-Length\-Value headers) from
928 the eBPF program. This allows for full customization of these
932 The size of the option data retrieved.
935 .B \fBlong bpf_skb_set_tunnel_opt(struct sk_buff *\fP\fIskb\fP\fB, void *\fP\fIopt\fP\fB, u32\fP \fIsize\fP\fB)\fP
939 Set tunnel options metadata for the packet associated to \fIskb\fP
940 to the option data contained in the raw buffer \fIopt\fP of \fIsize\fP\&.
942 See also the description of the \fBbpf_skb_get_tunnel_opt\fP()
943 helper for additional information.
946 0 on success, or a negative error in case of failure.
949 .B \fBlong bpf_skb_change_proto(struct sk_buff *\fP\fIskb\fP\fB, __be16\fP \fIproto\fP\fB, u64\fP \fIflags\fP\fB)\fP
953 Change the protocol of the \fIskb\fP to \fIproto\fP\&. Currently
954 supported are transition from IPv4 to IPv6, and from IPv6 to
955 IPv4. The helper takes care of the groundwork for the
956 transition, including resizing the socket buffer. The eBPF
957 program is expected to fill the new headers, if any, via
958 \fBskb_store_bytes\fP() and to recompute the checksums with
959 \fBbpf_l3_csum_replace\fP() and \fBbpf_l4_csum_replace\fP(). The main case for this helper is to perform NAT64
960 operations out of an eBPF program.
962 Internally, the GSO type is marked as dodgy so that headers are
963 checked and segments are recalculated by the GSO/GRO engine.
964 The size for GSO target is adapted as well.
966 All values for \fIflags\fP are reserved for future usage, and must
969 A call to this helper is susceptible to change the underlying
970 packet buffer. Therefore, at load time, all checks on pointers
971 previously done by the verifier are invalidated and must be
972 performed again, if the helper is used in combination with
973 direct packet access.
976 0 on success, or a negative error in case of failure.
979 .B \fBlong bpf_skb_change_type(struct sk_buff *\fP\fIskb\fP\fB, u32\fP \fItype\fP\fB)\fP
983 Change the packet type for the packet associated to \fIskb\fP\&. This
984 comes down to setting \fIskb\fP\fB\->pkt_type\fP to \fItype\fP, except
985 the eBPF program does not have a write access to \fIskb\fP\fB\->pkt_type\fP beside this helper. Using a helper here allows
986 for graceful handling of errors.
988 The major use case is to change incoming \fIskb*s to
989 **PACKET_HOST*\fP in a programmatic way instead of having to
990 recirculate via \fBredirect\fP(..., \fBBPF_F_INGRESS\fP), for
993 Note that \fItype\fP only allows certain values. At this time, they
1000 .B \fBPACKET_BROADCAST\fP
1003 .B \fBPACKET_MULTICAST\fP
1004 Send packet to group.
1006 .B \fBPACKET_OTHERHOST\fP
1007 Send packet to someone else.
1011 0 on success, or a negative error in case of failure.
1014 .B \fBlong bpf_skb_under_cgroup(struct sk_buff *\fP\fIskb\fP\fB, struct bpf_map *\fP\fImap\fP\fB, u32\fP \fIindex\fP\fB)\fP
1018 Check whether \fIskb\fP is a descendant of the cgroup2 held by
1019 \fImap\fP of type \fBBPF_MAP_TYPE_CGROUP_ARRAY\fP, at \fIindex\fP\&.
1022 The return value depends on the result of the test, and can be:
1025 0, if the \fIskb\fP failed the cgroup2 descendant test.
1027 1, if the \fIskb\fP succeeded the cgroup2 descendant test.
1029 A negative error code, if an error occurred.
1033 .B \fBu32 bpf_get_hash_recalc(struct sk_buff *\fP\fIskb\fP\fB)\fP
1037 Retrieve the hash of the packet, \fIskb\fP\fB\->hash\fP\&. If it is
1038 not set, in particular if the hash was cleared due to mangling,
1039 recompute this hash. Later accesses to the hash can be done
1040 directly with \fIskb\fP\fB\->hash\fP\&.
1042 Calling \fBbpf_set_hash_invalid\fP(), changing a packet
1043 prototype with \fBbpf_skb_change_proto\fP(), or calling
1044 \fBbpf_skb_store_bytes\fP() with the
1045 \fBBPF_F_INVALIDATE_HASH\fP are actions susceptible to clear
1046 the hash and to trigger a new computation for the next call to
1047 \fBbpf_get_hash_recalc\fP().
1053 .B \fBu64 bpf_get_current_task(void)\fP
1057 A pointer to the current task struct.
1060 .B \fBlong bpf_probe_write_user(void *\fP\fIdst\fP\fB, const void *\fP\fIsrc\fP\fB, u32\fP \fIlen\fP\fB)\fP
1064 Attempt in a safe way to write \fIlen\fP bytes from the buffer
1065 \fIsrc\fP to \fIdst\fP in memory. It only works for threads that are in
1066 user context, and \fIdst\fP must be a valid user space address.
1068 This helper should not be used to implement any kind of
1069 security mechanism because of TOC\-TOU attacks, but rather to
1070 debug, divert, and manipulate execution of semi\-cooperative
1073 Keep in mind that this feature is meant for experiments, and it
1074 has a risk of crashing the system and running programs.
1075 Therefore, when an eBPF program using this helper is attached,
1076 a warning including PID and process name is printed to kernel
1080 0 on success, or a negative error in case of failure.
1083 .B \fBlong bpf_current_task_under_cgroup(struct bpf_map *\fP\fImap\fP\fB, u32\fP \fIindex\fP\fB)\fP
1087 Check whether the probe is being run is the context of a given
1088 subset of the cgroup2 hierarchy. The cgroup2 to test is held by
1089 \fImap\fP of type \fBBPF_MAP_TYPE_CGROUP_ARRAY\fP, at \fIindex\fP\&.
1092 The return value depends on the result of the test, and can be:
1095 0, if the \fIskb\fP task belongs to the cgroup2.
1097 1, if the \fIskb\fP task does not belong to the cgroup2.
1099 A negative error code, if an error occurred.
1103 .B \fBlong bpf_skb_change_tail(struct sk_buff *\fP\fIskb\fP\fB, u32\fP \fIlen\fP\fB, u64\fP \fIflags\fP\fB)\fP
1107 Resize (trim or grow) the packet associated to \fIskb\fP to the
1108 new \fIlen\fP\&. The \fIflags\fP are reserved for future usage, and must
1111 The basic idea is that the helper performs the needed work to
1112 change the size of the packet, then the eBPF program rewrites
1113 the rest via helpers like \fBbpf_skb_store_bytes\fP(),
1114 \fBbpf_l3_csum_replace\fP(), \fBbpf_l3_csum_replace\fP()
1115 and others. This helper is a slow path utility intended for
1116 replies with control messages. And because it is targeted for
1117 slow path, the helper itself can afford to be slow: it
1118 implicitly linearizes, unclones and drops offloads from the
1121 A call to this helper is susceptible to change the underlying
1122 packet buffer. Therefore, at load time, all checks on pointers
1123 previously done by the verifier are invalidated and must be
1124 performed again, if the helper is used in combination with
1125 direct packet access.
1128 0 on success, or a negative error in case of failure.
1131 .B \fBlong bpf_skb_pull_data(struct sk_buff *\fP\fIskb\fP\fB, u32\fP \fIlen\fP\fB)\fP
1135 Pull in non\-linear data in case the \fIskb\fP is non\-linear and not
1136 all of \fIlen\fP are part of the linear section. Make \fIlen\fP bytes
1137 from \fIskb\fP readable and writable. If a zero value is passed for
1138 \fIlen\fP, then the whole length of the \fIskb\fP is pulled.
1140 This helper is only needed for reading and writing with direct
1143 For direct packet access, testing that offsets to access
1144 are within packet boundaries (test on \fIskb\fP\fB\->data_end\fP) is
1145 susceptible to fail if offsets are invalid, or if the requested
1146 data is in non\-linear parts of the \fIskb\fP\&. On failure the
1147 program can just bail out, or in the case of a non\-linear
1148 buffer, use a helper to make the data available. The
1149 \fBbpf_skb_load_bytes\fP() helper is a first solution to access
1150 the data. Another one consists in using \fBbpf_skb_pull_data\fP
1151 to pull in once the non\-linear parts, then retesting and
1152 eventually access the data.
1154 At the same time, this also makes sure the \fIskb\fP is uncloned,
1155 which is a necessary condition for direct write. As this needs
1156 to be an invariant for the write part only, the verifier
1157 detects writes and adds a prologue that is calling
1158 \fBbpf_skb_pull_data()\fP to effectively unclone the \fIskb\fP from
1159 the very beginning in case it is indeed cloned.
1161 A call to this helper is susceptible to change the underlying
1162 packet buffer. Therefore, at load time, all checks on pointers
1163 previously done by the verifier are invalidated and must be
1164 performed again, if the helper is used in combination with
1165 direct packet access.
1168 0 on success, or a negative error in case of failure.
1171 .B \fBs64 bpf_csum_update(struct sk_buff *\fP\fIskb\fP\fB, __wsum\fP \fIcsum\fP\fB)\fP
1175 Add the checksum \fIcsum\fP into \fIskb\fP\fB\->csum\fP in case the
1176 driver has supplied a checksum for the entire packet into that
1177 field. Return an error otherwise. This helper is intended to be
1178 used in combination with \fBbpf_csum_diff\fP(), in particular
1179 when the checksum needs to be updated after data has been
1180 written into the packet through direct packet access.
1183 The checksum on success, or a negative error code in case of
1187 .B \fBvoid bpf_set_hash_invalid(struct sk_buff *\fP\fIskb\fP\fB)\fP
1191 Invalidate the current \fIskb\fP\fB\->hash\fP\&. It can be used after
1192 mangling on headers through direct packet access, in order to
1193 indicate that the hash is outdated and to trigger a
1194 recalculation the next time the kernel tries to access this
1195 hash or when the \fBbpf_get_hash_recalc\fP() helper is called.
1198 .B \fBlong bpf_get_numa_node_id(void)\fP
1202 Return the id of the current NUMA node. The primary use case
1203 for this helper is the selection of sockets for the local NUMA
1204 node, when the program is attached to sockets using the
1205 \fBSO_ATTACH_REUSEPORT_EBPF\fP option (see also \fBsocket(7)\fP),
1206 but the helper is also available to other eBPF program types,
1207 similarly to \fBbpf_get_smp_processor_id\fP().
1210 The id of current NUMA node.
1213 .B \fBlong bpf_skb_change_head(struct sk_buff *\fP\fIskb\fP\fB, u32\fP \fIlen\fP\fB, u64\fP \fIflags\fP\fB)\fP
1217 Grows headroom of packet associated to \fIskb\fP and adjusts the
1218 offset of the MAC header accordingly, adding \fIlen\fP bytes of
1219 space. It automatically extends and reallocates memory as
1222 This helper can be used on a layer 3 \fIskb\fP to push a MAC header
1223 for redirection into a layer 2 device.
1225 All values for \fIflags\fP are reserved for future usage, and must
1228 A call to this helper is susceptible to change the underlying
1229 packet buffer. Therefore, at load time, all checks on pointers
1230 previously done by the verifier are invalidated and must be
1231 performed again, if the helper is used in combination with
1232 direct packet access.
1235 0 on success, or a negative error in case of failure.
1238 .B \fBlong bpf_xdp_adjust_head(struct xdp_buff *\fP\fIxdp_md\fP\fB, int\fP \fIdelta\fP\fB)\fP
1242 Adjust (move) \fIxdp_md\fP\fB\->data\fP by \fIdelta\fP bytes. Note that
1243 it is possible to use a negative value for \fIdelta\fP\&. This helper
1244 can be used to prepare the packet for pushing or popping
1247 A call to this helper is susceptible to change the underlying
1248 packet buffer. Therefore, at load time, all checks on pointers
1249 previously done by the verifier are invalidated and must be
1250 performed again, if the helper is used in combination with
1251 direct packet access.
1254 0 on success, or a negative error in case of failure.
1257 .B \fBlong bpf_probe_read_str(void *\fP\fIdst\fP\fB, u32\fP \fIsize\fP\fB, const void *\fP\fIunsafe_ptr\fP\fB)\fP
1261 Copy a NUL terminated string from an unsafe kernel address
1262 \fIunsafe_ptr\fP to \fIdst\fP\&. See \fBbpf_probe_read_kernel_str\fP() for
1265 Generally, use \fBbpf_probe_read_user_str\fP() or
1266 \fBbpf_probe_read_kernel_str\fP() instead.
1269 On success, the strictly positive length of the string,
1270 including the trailing NUL character. On error, a negative
1274 .B \fBu64 bpf_get_socket_cookie(struct sk_buff *\fP\fIskb\fP\fB)\fP
1278 If the \fBstruct sk_buff\fP pointed by \fIskb\fP has a known socket,
1279 retrieve the cookie (generated by the kernel) of this socket.
1280 If no cookie has been set yet, generate a new cookie. Once
1281 generated, the socket cookie remains stable for the life of the
1282 socket. This helper can be useful for monitoring per socket
1283 networking traffic statistics as it provides a global socket
1284 identifier that can be assumed unique.
1287 A 8\-byte long non\-decreasing number on success, or 0 if the
1288 socket field is missing inside \fIskb\fP\&.
1291 .B \fBu64 bpf_get_socket_cookie(struct bpf_sock_addr *\fP\fIctx\fP\fB)\fP
1295 Equivalent to bpf_get_socket_cookie() helper that accepts
1296 \fIskb\fP, but gets socket from \fBstruct bpf_sock_addr\fP context.
1299 A 8\-byte long non\-decreasing number.
1302 .B \fBu64 bpf_get_socket_cookie(struct bpf_sock_ops *\fP\fIctx\fP\fB)\fP
1306 Equivalent to \fBbpf_get_socket_cookie\fP() helper that accepts
1307 \fIskb\fP, but gets socket from \fBstruct bpf_sock_ops\fP context.
1310 A 8\-byte long non\-decreasing number.
1313 .B \fBu32 bpf_get_socket_uid(struct sk_buff *\fP\fIskb\fP\fB)\fP
1317 The owner UID of the socket associated to \fIskb\fP\&. If the socket
1318 is \fBNULL\fP, or if it is not a full socket (i.e. if it is a
1319 time\-wait or a request socket instead), \fBoverflowuid\fP value
1320 is returned (note that \fBoverflowuid\fP might also be the actual
1321 UID value for the socket).
1324 .B \fBlong bpf_set_hash(struct sk_buff *\fP\fIskb\fP\fB, u32\fP \fIhash\fP\fB)\fP
1328 Set the full hash for \fIskb\fP (set the field \fIskb\fP\fB\->hash\fP)
1329 to value \fIhash\fP\&.
1335 .B \fBlong bpf_setsockopt(void *\fP\fIbpf_socket\fP\fB, int\fP \fIlevel\fP\fB, int\fP \fIoptname\fP\fB, void *\fP\fIoptval\fP\fB, int\fP \fIoptlen\fP\fB)\fP
1339 Emulate a call to \fBsetsockopt()\fP on the socket associated to
1340 \fIbpf_socket\fP, which must be a full socket. The \fIlevel\fP at
1341 which the option resides and the name \fIoptname\fP of the option
1342 must be specified, see \fBsetsockopt(2)\fP for more information.
1343 The option value of length \fIoptlen\fP is pointed by \fIoptval\fP\&.
1345 \fIbpf_socket\fP should be one of the following:
1348 \fBstruct bpf_sock_ops\fP for \fBBPF_PROG_TYPE_SOCK_OPS\fP\&.
1350 \fBstruct bpf_sock_addr\fP for \fBBPF_CGROUP_INET4_CONNECT\fP
1351 and \fBBPF_CGROUP_INET6_CONNECT\fP\&.
1354 This helper actually implements a subset of \fBsetsockopt()\fP\&.
1355 It supports the following \fIlevel\fPs:
1358 \fBSOL_SOCKET\fP, which supports the following \fIoptname\fPs:
1359 \fBSO_RCVBUF\fP, \fBSO_SNDBUF\fP, \fBSO_MAX_PACING_RATE\fP,
1360 \fBSO_PRIORITY\fP, \fBSO_RCVLOWAT\fP, \fBSO_MARK\fP,
1361 \fBSO_BINDTODEVICE\fP, \fBSO_KEEPALIVE\fP\&.
1363 \fBIPPROTO_TCP\fP, which supports the following \fIoptname\fPs:
1364 \fBTCP_CONGESTION\fP, \fBTCP_BPF_IW\fP,
1365 \fBTCP_BPF_SNDCWND_CLAMP\fP, \fBTCP_SAVE_SYN\fP,
1366 \fBTCP_KEEPIDLE\fP, \fBTCP_KEEPINTVL\fP, \fBTCP_KEEPCNT\fP,
1367 \fBTCP_SYNCNT\fP, \fBTCP_USER_TIMEOUT\fP\&.
1369 \fBIPPROTO_IP\fP, which supports \fIoptname\fP \fBIP_TOS\fP\&.
1371 \fBIPPROTO_IPV6\fP, which supports \fIoptname\fP \fBIPV6_TCLASS\fP\&.
1375 0 on success, or a negative error in case of failure.
1378 .B \fBlong bpf_skb_adjust_room(struct sk_buff *\fP\fIskb\fP\fB, s32\fP \fIlen_diff\fP\fB, u32\fP \fImode\fP\fB, u64\fP \fIflags\fP\fB)\fP
1382 Grow or shrink the room for data in the packet associated to
1383 \fIskb\fP by \fIlen_diff\fP, and according to the selected \fImode\fP\&.
1385 By default, the helper will reset any offloaded checksum
1386 indicator of the skb to CHECKSUM_NONE. This can be avoided
1387 by the following flag:
1390 \fBBPF_F_ADJ_ROOM_NO_CSUM_RESET\fP: Do not reset offloaded
1391 checksum data of the skb to CHECKSUM_NONE.
1394 There are two supported modes at this time:
1397 \fBBPF_ADJ_ROOM_MAC\fP: Adjust room at the mac layer
1398 (room space is added or removed below the layer 2 header).
1400 \fBBPF_ADJ_ROOM_NET\fP: Adjust room at the network layer
1401 (room space is added or removed below the layer 3 header).
1404 The following flags are supported at this time:
1407 \fBBPF_F_ADJ_ROOM_FIXED_GSO\fP: Do not adjust gso_size.
1408 Adjusting mss in this way is not allowed for datagrams.
1410 \fBBPF_F_ADJ_ROOM_ENCAP_L3_IPV4\fP,
1411 \fBBPF_F_ADJ_ROOM_ENCAP_L3_IPV6\fP:
1412 Any new space is reserved to hold a tunnel header.
1413 Configure skb offsets and other fields accordingly.
1415 \fBBPF_F_ADJ_ROOM_ENCAP_L4_GRE\fP,
1416 \fBBPF_F_ADJ_ROOM_ENCAP_L4_UDP\fP:
1417 Use with ENCAP_L3 flags to further specify the tunnel type.
1419 \fBBPF_F_ADJ_ROOM_ENCAP_L2\fP(\fIlen\fP):
1420 Use with ENCAP_L3/L4 flags to further specify the tunnel
1421 type; \fIlen\fP is the length of the inner MAC header.
1424 A call to this helper is susceptible to change the underlying
1425 packet buffer. Therefore, at load time, all checks on pointers
1426 previously done by the verifier are invalidated and must be
1427 performed again, if the helper is used in combination with
1428 direct packet access.
1431 0 on success, or a negative error in case of failure.
1434 .B \fBlong bpf_redirect_map(struct bpf_map *\fP\fImap\fP\fB, u32\fP \fIkey\fP\fB, u64\fP \fIflags\fP\fB)\fP
1438 Redirect the packet to the endpoint referenced by \fImap\fP at
1439 index \fIkey\fP\&. Depending on its type, this \fImap\fP can contain
1440 references to net devices (for forwarding packets through other
1441 ports), or to CPUs (for redirecting XDP frames to another CPU;
1442 but this is only implemented for native XDP (with driver
1443 support) as of this writing).
1445 The lower two bits of \fIflags\fP are used as the return code if
1446 the map lookup fails. This is so that the return value can be
1447 one of the XDP program return codes up to \fBXDP_TX\fP, as chosen
1448 by the caller. Any higher bits in the \fIflags\fP argument must be
1451 See also \fBbpf_redirect\fP(), which only supports redirecting
1452 to an ifindex, but doesn\(aqt require a map to do so.
1455 \fBXDP_REDIRECT\fP on success, or the value of the two lower bits
1456 of the \fIflags\fP argument on error.
1459 .B \fBlong bpf_sk_redirect_map(struct sk_buff *\fP\fIskb\fP\fB, struct bpf_map *\fP\fImap\fP\fB, u32\fP \fIkey\fP\fB, u64\fP \fIflags\fP\fB)\fP
1463 Redirect the packet to the socket referenced by \fImap\fP (of type
1464 \fBBPF_MAP_TYPE_SOCKMAP\fP) at index \fIkey\fP\&. Both ingress and
1465 egress interfaces can be used for redirection. The
1466 \fBBPF_F_INGRESS\fP value in \fIflags\fP is used to make the
1467 distinction (ingress path is selected if the flag is present,
1468 egress path otherwise). This is the only flag supported for now.
1471 \fBSK_PASS\fP on success, or \fBSK_DROP\fP on error.
1474 .B \fBlong bpf_sock_map_update(struct bpf_sock_ops *\fP\fIskops\fP\fB, struct bpf_map *\fP\fImap\fP\fB, void *\fP\fIkey\fP\fB, u64\fP \fIflags\fP\fB)\fP
1478 Add an entry to, or update a \fImap\fP referencing sockets. The
1479 \fIskops\fP is used as a new value for the entry associated to
1480 \fIkey\fP\&. \fIflags\fP is one of:
1483 .B \fBBPF_NOEXIST\fP
1484 The entry for \fIkey\fP must not exist in the map.
1487 The entry for \fIkey\fP must already exist in the map.
1490 No condition on the existence of the entry for \fIkey\fP\&.
1493 If the \fImap\fP has eBPF programs (parser and verdict), those will
1494 be inherited by the socket being added. If the socket is
1495 already attached to eBPF programs, this results in an error.
1498 0 on success, or a negative error in case of failure.
1501 .B \fBlong bpf_xdp_adjust_meta(struct xdp_buff *\fP\fIxdp_md\fP\fB, int\fP \fIdelta\fP\fB)\fP
1505 Adjust the address pointed by \fIxdp_md\fP\fB\->data_meta\fP by
1506 \fIdelta\fP (which can be positive or negative). Note that this
1507 operation modifies the address stored in \fIxdp_md\fP\fB\->data\fP,
1508 so the latter must be loaded only after the helper has been
1511 The use of \fIxdp_md\fP\fB\->data_meta\fP is optional and programs
1512 are not required to use it. The rationale is that when the
1513 packet is processed with XDP (e.g. as DoS filter), it is
1514 possible to push further meta data along with it before passing
1515 to the stack, and to give the guarantee that an ingress eBPF
1516 program attached as a TC classifier on the same device can pick
1517 this up for further post\-processing. Since TC works with socket
1518 buffers, it remains possible to set from XDP the \fBmark\fP or
1519 \fBpriority\fP pointers, or other pointers for the socket buffer.
1520 Having this scratch space generic and programmable allows for
1521 more flexibility as the user is free to store whatever meta
1524 A call to this helper is susceptible to change the underlying
1525 packet buffer. Therefore, at load time, all checks on pointers
1526 previously done by the verifier are invalidated and must be
1527 performed again, if the helper is used in combination with
1528 direct packet access.
1531 0 on success, or a negative error in case of failure.
1534 .B \fBlong bpf_perf_event_read_value(struct bpf_map *\fP\fImap\fP\fB, u64\fP \fIflags\fP\fB, struct bpf_perf_event_value *\fP\fIbuf\fP\fB, u32\fP \fIbuf_size\fP\fB)\fP
1538 Read the value of a perf event counter, and store it into \fIbuf\fP
1539 of size \fIbuf_size\fP\&. This helper relies on a \fImap\fP of type
1540 \fBBPF_MAP_TYPE_PERF_EVENT_ARRAY\fP\&. The nature of the perf event
1541 counter is selected when \fImap\fP is updated with perf event file
1542 descriptors. The \fImap\fP is an array whose size is the number of
1543 available CPUs, and each cell contains a value relative to one
1544 CPU. The value to retrieve is indicated by \fIflags\fP, that
1545 contains the index of the CPU to look up, masked with
1546 \fBBPF_F_INDEX_MASK\fP\&. Alternatively, \fIflags\fP can be set to
1547 \fBBPF_F_CURRENT_CPU\fP to indicate that the value for the
1548 current CPU should be retrieved.
1550 This helper behaves in a way close to
1551 \fBbpf_perf_event_read\fP() helper, save that instead of
1552 just returning the value observed, it fills the \fIbuf\fP
1553 structure. This allows for additional data to be retrieved: in
1554 particular, the enabled and running times (in \fIbuf\fP\fB\->enabled\fP and \fIbuf\fP\fB\->running\fP, respectively) are
1555 copied. In general, \fBbpf_perf_event_read_value\fP() is
1556 recommended over \fBbpf_perf_event_read\fP(), which has some
1557 ABI issues and provides fewer functionalities.
1559 These values are interesting, because hardware PMU (Performance
1560 Monitoring Unit) counters are limited resources. When there are
1561 more PMU based perf events opened than available counters,
1562 kernel will multiplex these events so each event gets certain
1563 percentage (but not all) of the PMU time. In case that
1564 multiplexing happens, the number of samples or counter value
1565 will not reflect the case compared to when no multiplexing
1566 occurs. This makes comparison between different runs difficult.
1567 Typically, the counter value should be normalized before
1568 comparing to other experiments. The usual normalization is done
1575 normalized_counter = counter * t_enabled / t_running
1581 Where t_enabled is the time enabled for event and t_running is
1582 the time running for event since last normalization. The
1583 enabled and running times are accumulated since the perf event
1584 open. To achieve scaling factor between two invocations of an
1585 eBPF program, users can use CPU id as the key (which is
1586 typical for perf array usage model) to remember the previous
1587 value and do the calculation inside the eBPF program.
1590 0 on success, or a negative error in case of failure.
1593 .B \fBlong bpf_perf_prog_read_value(struct bpf_perf_event_data *\fP\fIctx\fP\fB, struct bpf_perf_event_value *\fP\fIbuf\fP\fB, u32\fP \fIbuf_size\fP\fB)\fP
1597 For en eBPF program attached to a perf event, retrieve the
1598 value of the event counter associated to \fIctx\fP and store it in
1599 the structure pointed by \fIbuf\fP and of size \fIbuf_size\fP\&. Enabled
1600 and running times are also stored in the structure (see
1601 description of helper \fBbpf_perf_event_read_value\fP() for
1605 0 on success, or a negative error in case of failure.
1608 .B \fBlong bpf_getsockopt(void *\fP\fIbpf_socket\fP\fB, int\fP \fIlevel\fP\fB, int\fP \fIoptname\fP\fB, void *\fP\fIoptval\fP\fB, int\fP \fIoptlen\fP\fB)\fP
1612 Emulate a call to \fBgetsockopt()\fP on the socket associated to
1613 \fIbpf_socket\fP, which must be a full socket. The \fIlevel\fP at
1614 which the option resides and the name \fIoptname\fP of the option
1615 must be specified, see \fBgetsockopt(2)\fP for more information.
1616 The retrieved value is stored in the structure pointed by
1617 \fIopval\fP and of length \fIoptlen\fP\&.
1619 \fIbpf_socket\fP should be one of the following:
1622 \fBstruct bpf_sock_ops\fP for \fBBPF_PROG_TYPE_SOCK_OPS\fP\&.
1624 \fBstruct bpf_sock_addr\fP for \fBBPF_CGROUP_INET4_CONNECT\fP
1625 and \fBBPF_CGROUP_INET6_CONNECT\fP\&.
1628 This helper actually implements a subset of \fBgetsockopt()\fP\&.
1629 It supports the following \fIlevel\fPs:
1632 \fBIPPROTO_TCP\fP, which supports \fIoptname\fP
1633 \fBTCP_CONGESTION\fP\&.
1635 \fBIPPROTO_IP\fP, which supports \fIoptname\fP \fBIP_TOS\fP\&.
1637 \fBIPPROTO_IPV6\fP, which supports \fIoptname\fP \fBIPV6_TCLASS\fP\&.
1641 0 on success, or a negative error in case of failure.
1644 .B \fBlong bpf_override_return(struct pt_regs *\fP\fIregs\fP\fB, u64\fP \fIrc\fP\fB)\fP
1648 Used for error injection, this helper uses kprobes to override
1649 the return value of the probed function, and to set it to \fIrc\fP\&.
1650 The first argument is the context \fIregs\fP on which the kprobe
1653 This helper works by setting the PC (program counter)
1654 to an override function which is run in place of the original
1655 probed function. This means the probed function is not run at
1656 all. The replacement function just returns with the required
1659 This helper has security implications, and thus is subject to
1660 restrictions. It is only available if the kernel was compiled
1661 with the \fBCONFIG_BPF_KPROBE_OVERRIDE\fP configuration
1662 option, and in this case it only works on functions tagged with
1663 \fBALLOW_ERROR_INJECTION\fP in the kernel code.
1665 Also, the helper is only available for the architectures having
1666 the CONFIG_FUNCTION_ERROR_INJECTION option. As of this writing,
1667 x86 architecture is the only one to support this feature.
1673 .B \fBlong bpf_sock_ops_cb_flags_set(struct bpf_sock_ops *\fP\fIbpf_sock\fP\fB, int\fP \fIargval\fP\fB)\fP
1677 Attempt to set the value of the \fBbpf_sock_ops_cb_flags\fP field
1678 for the full TCP socket associated to \fIbpf_sock_ops\fP to
1681 The primary use of this field is to determine if there should
1682 be calls to eBPF programs of type
1683 \fBBPF_PROG_TYPE_SOCK_OPS\fP at various points in the TCP
1684 code. A program of the same type can change its value, per
1685 connection and as necessary, when the connection is
1686 established. This field is directly accessible for reading, but
1687 this helper must be used for updates in order to return an
1688 error if an eBPF program tries to set a callback that is not
1689 supported in the current kernel.
1691 \fIargval\fP is a flag array which can combine these flags:
1694 \fBBPF_SOCK_OPS_RTO_CB_FLAG\fP (retransmission time out)
1696 \fBBPF_SOCK_OPS_RETRANS_CB_FLAG\fP (retransmission)
1698 \fBBPF_SOCK_OPS_STATE_CB_FLAG\fP (TCP state change)
1700 \fBBPF_SOCK_OPS_RTT_CB_FLAG\fP (every RTT)
1703 Therefore, this function can be used to clear a callback flag by
1704 setting the appropriate bit to zero. e.g. to disable the RTO
1708 .B \fBbpf_sock_ops_cb_flags_set(bpf_sock,\fP
1709 \fBbpf_sock\->bpf_sock_ops_cb_flags & ~BPF_SOCK_OPS_RTO_CB_FLAG)\fP
1712 Here are some examples of where one could call such eBPF
1718 When a packet is retransmitted.
1720 When the connection terminates.
1722 When a packet is sent.
1724 When a packet is received.
1728 Code \fB\-EINVAL\fP if the socket is not a full TCP socket;
1729 otherwise, a positive number containing the bits that could not
1730 be set is returned (which comes down to 0 if all bits were set
1734 .B \fBlong bpf_msg_redirect_map(struct sk_msg_buff *\fP\fImsg\fP\fB, struct bpf_map *\fP\fImap\fP\fB, u32\fP \fIkey\fP\fB, u64\fP \fIflags\fP\fB)\fP
1738 This helper is used in programs implementing policies at the
1739 socket level. If the message \fImsg\fP is allowed to pass (i.e. if
1740 the verdict eBPF program returns \fBSK_PASS\fP), redirect it to
1741 the socket referenced by \fImap\fP (of type
1742 \fBBPF_MAP_TYPE_SOCKMAP\fP) at index \fIkey\fP\&. Both ingress and
1743 egress interfaces can be used for redirection. The
1744 \fBBPF_F_INGRESS\fP value in \fIflags\fP is used to make the
1745 distinction (ingress path is selected if the flag is present,
1746 egress path otherwise). This is the only flag supported for now.
1749 \fBSK_PASS\fP on success, or \fBSK_DROP\fP on error.
1752 .B \fBlong bpf_msg_apply_bytes(struct sk_msg_buff *\fP\fImsg\fP\fB, u32\fP \fIbytes\fP\fB)\fP
1756 For socket policies, apply the verdict of the eBPF program to
1757 the next \fIbytes\fP (number of bytes) of message \fImsg\fP\&.
1759 For example, this helper can be used in the following cases:
1762 A single \fBsendmsg\fP() or \fBsendfile\fP() system call
1763 contains multiple logical messages that the eBPF program is
1764 supposed to read and for which it should apply a verdict.
1766 An eBPF program only cares to read the first \fIbytes\fP of a
1767 \fImsg\fP\&. If the message has a large payload, then setting up
1768 and calling the eBPF program repeatedly for all bytes, even
1769 though the verdict is already known, would create unnecessary
1773 When called from within an eBPF program, the helper sets a
1774 counter internal to the BPF infrastructure, that is used to
1775 apply the last verdict to the next \fIbytes\fP\&. If \fIbytes\fP is
1776 smaller than the current data being processed from a
1777 \fBsendmsg\fP() or \fBsendfile\fP() system call, the first
1778 \fIbytes\fP will be sent and the eBPF program will be re\-run with
1779 the pointer for start of data pointing to byte number \fIbytes\fP
1780 \fB+ 1\fP\&. If \fIbytes\fP is larger than the current data being
1781 processed, then the eBPF verdict will be applied to multiple
1782 \fBsendmsg\fP() or \fBsendfile\fP() calls until \fIbytes\fP are
1785 Note that if a socket closes with the internal counter holding
1786 a non\-zero value, this is not a problem because data is not
1787 being buffered for \fIbytes\fP and is sent as it is received.
1793 .B \fBlong bpf_msg_cork_bytes(struct sk_msg_buff *\fP\fImsg\fP\fB, u32\fP \fIbytes\fP\fB)\fP
1797 For socket policies, prevent the execution of the verdict eBPF
1798 program for message \fImsg\fP until \fIbytes\fP (byte number) have been
1801 This can be used when one needs a specific number of bytes
1802 before a verdict can be assigned, even if the data spans
1803 multiple \fBsendmsg\fP() or \fBsendfile\fP() calls. The extreme
1804 case would be a user calling \fBsendmsg\fP() repeatedly with
1805 1\-byte long message segments. Obviously, this is bad for
1806 performance, but it is still valid. If the eBPF program needs
1807 \fIbytes\fP bytes to validate a header, this helper can be used to
1808 prevent the eBPF program to be called again until \fIbytes\fP have
1815 .B \fBlong bpf_msg_pull_data(struct sk_msg_buff *\fP\fImsg\fP\fB, u32\fP \fIstart\fP\fB, u32\fP \fIend\fP\fB, u64\fP \fIflags\fP\fB)\fP
1819 For socket policies, pull in non\-linear data from user space
1820 for \fImsg\fP and set pointers \fImsg\fP\fB\->data\fP and \fImsg\fP\fB\->data_end\fP to \fIstart\fP and \fIend\fP bytes offsets into \fImsg\fP,
1823 If a program of type \fBBPF_PROG_TYPE_SK_MSG\fP is run on a
1824 \fImsg\fP it can only parse data that the (\fBdata\fP, \fBdata_end\fP)
1825 pointers have already consumed. For \fBsendmsg\fP() hooks this
1826 is likely the first scatterlist element. But for calls relying
1827 on the \fBsendpage\fP handler (e.g. \fBsendfile\fP()) this will
1828 be the range (\fB0\fP, \fB0\fP) because the data is shared with
1829 user space and by default the objective is to avoid allowing
1830 user space to modify data while (or after) eBPF verdict is
1831 being decided. This helper can be used to pull in data and to
1832 set the start and end pointer to given values. Data will be
1833 copied if necessary (i.e. if data was not linear and if start
1834 and end pointers do not point to the same chunk).
1836 A call to this helper is susceptible to change the underlying
1837 packet buffer. Therefore, at load time, all checks on pointers
1838 previously done by the verifier are invalidated and must be
1839 performed again, if the helper is used in combination with
1840 direct packet access.
1842 All values for \fIflags\fP are reserved for future usage, and must
1846 0 on success, or a negative error in case of failure.
1849 .B \fBlong bpf_bind(struct bpf_sock_addr *\fP\fIctx\fP\fB, struct sockaddr *\fP\fIaddr\fP\fB, int\fP \fIaddr_len\fP\fB)\fP
1853 Bind the socket associated to \fIctx\fP to the address pointed by
1854 \fIaddr\fP, of length \fIaddr_len\fP\&. This allows for making outgoing
1855 connection from the desired IP address, which can be useful for
1856 example when all processes inside a cgroup should use one
1857 single IP address on a host that has multiple IP configured.
1859 This helper works for IPv4 and IPv6, TCP and UDP sockets. The
1860 domain (\fIaddr\fP\fB\->sa_family\fP) must be \fBAF_INET\fP (or
1861 \fBAF_INET6\fP). It\(aqs advised to pass zero port (\fBsin_port\fP
1862 or \fBsin6_port\fP) which triggers IP_BIND_ADDRESS_NO_PORT\-like
1863 behavior and lets the kernel efficiently pick up an unused
1864 port as long as 4\-tuple is unique. Passing non\-zero port might
1865 lead to degraded performance.
1868 0 on success, or a negative error in case of failure.
1871 .B \fBlong bpf_xdp_adjust_tail(struct xdp_buff *\fP\fIxdp_md\fP\fB, int\fP \fIdelta\fP\fB)\fP
1875 Adjust (move) \fIxdp_md\fP\fB\->data_end\fP by \fIdelta\fP bytes. It is
1876 possible to both shrink and grow the packet tail.
1877 Shrink done via \fIdelta\fP being a negative integer.
1879 A call to this helper is susceptible to change the underlying
1880 packet buffer. Therefore, at load time, all checks on pointers
1881 previously done by the verifier are invalidated and must be
1882 performed again, if the helper is used in combination with
1883 direct packet access.
1886 0 on success, or a negative error in case of failure.
1889 .B \fBlong bpf_skb_get_xfrm_state(struct sk_buff *\fP\fIskb\fP\fB, u32\fP \fIindex\fP\fB, struct bpf_xfrm_state *\fP\fIxfrm_state\fP\fB, u32\fP \fIsize\fP\fB, u64\fP \fIflags\fP\fB)\fP
1893 Retrieve the XFRM state (IP transform framework, see also
1894 \fBip\-xfrm(8)\fP) at \fIindex\fP in XFRM "security path" for \fIskb\fP\&.
1896 The retrieved value is stored in the \fBstruct bpf_xfrm_state\fP
1897 pointed by \fIxfrm_state\fP and of length \fIsize\fP\&.
1899 All values for \fIflags\fP are reserved for future usage, and must
1902 This helper is available only if the kernel was compiled with
1903 \fBCONFIG_XFRM\fP configuration option.
1906 0 on success, or a negative error in case of failure.
1909 .B \fBlong bpf_get_stack(void *\fP\fIctx\fP\fB, void *\fP\fIbuf\fP\fB, u32\fP \fIsize\fP\fB, u64\fP \fIflags\fP\fB)\fP
1913 Return a user or a kernel stack in bpf program provided buffer.
1914 To achieve this, the helper needs \fIctx\fP, which is a pointer
1915 to the context on which the tracing program is executed.
1916 To store the stacktrace, the bpf program provides \fIbuf\fP with
1917 a nonnegative \fIsize\fP\&.
1919 The last argument, \fIflags\fP, holds the number of stack frames to
1920 skip (from 0 to 255), masked with
1921 \fBBPF_F_SKIP_FIELD_MASK\fP\&. The next bits can be used to set
1922 the following flags:
1925 .B \fBBPF_F_USER_STACK\fP
1926 Collect a user space stack instead of a kernel stack.
1928 .B \fBBPF_F_USER_BUILD_ID\fP
1929 Collect buildid+offset instead of ips for user stack,
1930 only valid if \fBBPF_F_USER_STACK\fP is also specified.
1933 \fBbpf_get_stack\fP() can collect up to
1934 \fBPERF_MAX_STACK_DEPTH\fP both kernel and user frames, subject
1935 to sufficient large buffer size. Note that
1936 this limit can be controlled with the \fBsysctl\fP program, and
1937 that it should be manually increased in order to profile long
1938 user stacks (such as stacks for Java programs). To do so, use:
1944 # sysctl kernel.perf_event_max_stack=<new value>
1951 A non\-negative value equal to or less than \fIsize\fP on success,
1952 or a negative error in case of failure.
1955 .B \fBlong bpf_skb_load_bytes_relative(const void *\fP\fIskb\fP\fB, u32\fP \fIoffset\fP\fB, void *\fP\fIto\fP\fB, u32\fP \fIlen\fP\fB, u32\fP \fIstart_header\fP\fB)\fP
1959 This helper is similar to \fBbpf_skb_load_bytes\fP() in that
1960 it provides an easy way to load \fIlen\fP bytes from \fIoffset\fP
1961 from the packet associated to \fIskb\fP, into the buffer pointed
1962 by \fIto\fP\&. The difference to \fBbpf_skb_load_bytes\fP() is that
1963 a fifth argument \fIstart_header\fP exists in order to select a
1964 base offset to start from. \fIstart_header\fP can be one of:
1967 .B \fBBPF_HDR_START_MAC\fP
1968 Base offset to load data from is \fIskb\fP\(aqs mac header.
1970 .B \fBBPF_HDR_START_NET\fP
1971 Base offset to load data from is \fIskb\fP\(aqs network header.
1974 In general, "direct packet access" is the preferred method to
1975 access packet data, however, this helper is in particular useful
1976 in socket filters where \fIskb\fP\fB\->data\fP does not always point
1977 to the start of the mac header and where "direct packet access"
1981 0 on success, or a negative error in case of failure.
1984 .B \fBlong bpf_fib_lookup(void *\fP\fIctx\fP\fB, struct bpf_fib_lookup *\fP\fIparams\fP\fB, int\fP \fIplen\fP\fB, u32\fP \fIflags\fP\fB)\fP
1988 Do FIB lookup in kernel tables using parameters in \fIparams\fP\&.
1989 If lookup is successful and result shows packet is to be
1990 forwarded, the neighbor tables are searched for the nexthop.
1991 If successful (ie., FIB lookup shows forwarding and nexthop
1992 is resolved), the nexthop address is returned in ipv4_dst
1993 or ipv6_dst based on family, smac is set to mac address of
1994 egress device, dmac is set to nexthop mac address, rt_metric
1995 is set to metric from route (IPv4/IPv6 only), and ifindex
1996 is set to the device index of the nexthop from the FIB lookup.
1998 \fIplen\fP argument is the size of the passed in struct.
1999 \fIflags\fP argument can be a combination of one or more of the
2003 .B \fBBPF_FIB_LOOKUP_DIRECT\fP
2004 Do a direct table lookup vs full lookup using FIB
2007 .B \fBBPF_FIB_LOOKUP_OUTPUT\fP
2008 Perform lookup from an egress perspective (default is
2012 \fIctx\fP is either \fBstruct xdp_md\fP for XDP programs or
2013 \fBstruct sk_buff\fP tc cls_act programs.
2018 < 0 if any input argument is invalid
2020 0 on success (packet is forwarded, nexthop neighbor exists)
2022 > 0 one of \fBBPF_FIB_LKUP_RET_\fP codes explaining why the
2023 packet is not forwarded or needs assist from full stack
2027 .B \fBlong bpf_sock_hash_update(struct bpf_sock_ops *\fP\fIskops\fP\fB, struct bpf_map *\fP\fImap\fP\fB, void *\fP\fIkey\fP\fB, u64\fP \fIflags\fP\fB)\fP
2031 Add an entry to, or update a sockhash \fImap\fP referencing sockets.
2032 The \fIskops\fP is used as a new value for the entry associated to
2033 \fIkey\fP\&. \fIflags\fP is one of:
2036 .B \fBBPF_NOEXIST\fP
2037 The entry for \fIkey\fP must not exist in the map.
2040 The entry for \fIkey\fP must already exist in the map.
2043 No condition on the existence of the entry for \fIkey\fP\&.
2046 If the \fImap\fP has eBPF programs (parser and verdict), those will
2047 be inherited by the socket being added. If the socket is
2048 already attached to eBPF programs, this results in an error.
2051 0 on success, or a negative error in case of failure.
2054 .B \fBlong bpf_msg_redirect_hash(struct sk_msg_buff *\fP\fImsg\fP\fB, struct bpf_map *\fP\fImap\fP\fB, void *\fP\fIkey\fP\fB, u64\fP \fIflags\fP\fB)\fP
2058 This helper is used in programs implementing policies at the
2059 socket level. If the message \fImsg\fP is allowed to pass (i.e. if
2060 the verdict eBPF program returns \fBSK_PASS\fP), redirect it to
2061 the socket referenced by \fImap\fP (of type
2062 \fBBPF_MAP_TYPE_SOCKHASH\fP) using hash \fIkey\fP\&. Both ingress and
2063 egress interfaces can be used for redirection. The
2064 \fBBPF_F_INGRESS\fP value in \fIflags\fP is used to make the
2065 distinction (ingress path is selected if the flag is present,
2066 egress path otherwise). This is the only flag supported for now.
2069 \fBSK_PASS\fP on success, or \fBSK_DROP\fP on error.
2072 .B \fBlong bpf_sk_redirect_hash(struct sk_buff *\fP\fIskb\fP\fB, struct bpf_map *\fP\fImap\fP\fB, void *\fP\fIkey\fP\fB, u64\fP \fIflags\fP\fB)\fP
2076 This helper is used in programs implementing policies at the
2077 skb socket level. If the sk_buff \fIskb\fP is allowed to pass (i.e.
2078 if the verdict eBPF program returns \fBSK_PASS\fP), redirect it
2079 to the socket referenced by \fImap\fP (of type
2080 \fBBPF_MAP_TYPE_SOCKHASH\fP) using hash \fIkey\fP\&. Both ingress and
2081 egress interfaces can be used for redirection. The
2082 \fBBPF_F_INGRESS\fP value in \fIflags\fP is used to make the
2083 distinction (ingress path is selected if the flag is present,
2084 egress otherwise). This is the only flag supported for now.
2087 \fBSK_PASS\fP on success, or \fBSK_DROP\fP on error.
2090 .B \fBlong bpf_lwt_push_encap(struct sk_buff *\fP\fIskb\fP\fB, u32\fP \fItype\fP\fB, void *\fP\fIhdr\fP\fB, u32\fP \fIlen\fP\fB)\fP
2094 Encapsulate the packet associated to \fIskb\fP within a Layer 3
2095 protocol header. This header is provided in the buffer at
2096 address \fIhdr\fP, with \fIlen\fP its size in bytes. \fItype\fP indicates
2097 the protocol of the header and can be one of:
2100 .B \fBBPF_LWT_ENCAP_SEG6\fP
2101 IPv6 encapsulation with Segment Routing Header
2102 (\fBstruct ipv6_sr_hdr\fP). \fIhdr\fP only contains the SRH,
2103 the IPv6 header is computed by the kernel.
2105 .B \fBBPF_LWT_ENCAP_SEG6_INLINE\fP
2106 Only works if \fIskb\fP contains an IPv6 packet. Insert a
2107 Segment Routing Header (\fBstruct ipv6_sr_hdr\fP) inside
2110 .B \fBBPF_LWT_ENCAP_IP\fP
2111 IP encapsulation (GRE/GUE/IPIP/etc). The outer header
2112 must be IPv4 or IPv6, followed by zero or more
2113 additional headers, up to \fBLWT_BPF_MAX_HEADROOM\fP
2114 total bytes in all prepended headers. Please note that
2115 if \fBskb_is_gso\fP(\fIskb\fP) is true, no more than two
2116 headers can be prepended, and the inner header, if
2117 present, should be either GRE or UDP/GUE.
2120 \fBBPF_LWT_ENCAP_SEG6\fP* types can be called by BPF programs
2121 of type \fBBPF_PROG_TYPE_LWT_IN\fP; \fBBPF_LWT_ENCAP_IP\fP type can
2122 be called by bpf programs of types \fBBPF_PROG_TYPE_LWT_IN\fP and
2123 \fBBPF_PROG_TYPE_LWT_XMIT\fP\&.
2125 A call to this helper is susceptible to change the underlying
2126 packet buffer. Therefore, at load time, all checks on pointers
2127 previously done by the verifier are invalidated and must be
2128 performed again, if the helper is used in combination with
2129 direct packet access.
2132 0 on success, or a negative error in case of failure.
2135 .B \fBlong bpf_lwt_seg6_store_bytes(struct sk_buff *\fP\fIskb\fP\fB, u32\fP \fIoffset\fP\fB, const void *\fP\fIfrom\fP\fB, u32\fP \fIlen\fP\fB)\fP
2139 Store \fIlen\fP bytes from address \fIfrom\fP into the packet
2140 associated to \fIskb\fP, at \fIoffset\fP\&. Only the flags, tag and TLVs
2141 inside the outermost IPv6 Segment Routing Header can be
2142 modified through this helper.
2144 A call to this helper is susceptible to change the underlying
2145 packet buffer. Therefore, at load time, all checks on pointers
2146 previously done by the verifier are invalidated and must be
2147 performed again, if the helper is used in combination with
2148 direct packet access.
2151 0 on success, or a negative error in case of failure.
2154 .B \fBlong bpf_lwt_seg6_adjust_srh(struct sk_buff *\fP\fIskb\fP\fB, u32\fP \fIoffset\fP\fB, s32\fP \fIdelta\fP\fB)\fP
2158 Adjust the size allocated to TLVs in the outermost IPv6
2159 Segment Routing Header contained in the packet associated to
2160 \fIskb\fP, at position \fIoffset\fP by \fIdelta\fP bytes. Only offsets
2161 after the segments are accepted. \fIdelta\fP can be as well
2162 positive (growing) as negative (shrinking).
2164 A call to this helper is susceptible to change the underlying
2165 packet buffer. Therefore, at load time, all checks on pointers
2166 previously done by the verifier are invalidated and must be
2167 performed again, if the helper is used in combination with
2168 direct packet access.
2171 0 on success, or a negative error in case of failure.
2174 .B \fBlong bpf_lwt_seg6_action(struct sk_buff *\fP\fIskb\fP\fB, u32\fP \fIaction\fP\fB, void *\fP\fIparam\fP\fB, u32\fP \fIparam_len\fP\fB)\fP
2178 Apply an IPv6 Segment Routing action of type \fIaction\fP to the
2179 packet associated to \fIskb\fP\&. Each action takes a parameter
2180 contained at address \fIparam\fP, and of length \fIparam_len\fP bytes.
2181 \fIaction\fP can be one of:
2184 .B \fBSEG6_LOCAL_ACTION_END_X\fP
2185 End.X action: Endpoint with Layer\-3 cross\-connect.
2186 Type of \fIparam\fP: \fBstruct in6_addr\fP\&.
2188 .B \fBSEG6_LOCAL_ACTION_END_T\fP
2189 End.T action: Endpoint with specific IPv6 table lookup.
2190 Type of \fIparam\fP: \fBint\fP\&.
2192 .B \fBSEG6_LOCAL_ACTION_END_B6\fP
2193 End.B6 action: Endpoint bound to an SRv6 policy.
2194 Type of \fIparam\fP: \fBstruct ipv6_sr_hdr\fP\&.
2196 .B \fBSEG6_LOCAL_ACTION_END_B6_ENCAP\fP
2197 End.B6.Encap action: Endpoint bound to an SRv6
2198 encapsulation policy.
2199 Type of \fIparam\fP: \fBstruct ipv6_sr_hdr\fP\&.
2202 A call to this helper is susceptible to change the underlying
2203 packet buffer. Therefore, at load time, all checks on pointers
2204 previously done by the verifier are invalidated and must be
2205 performed again, if the helper is used in combination with
2206 direct packet access.
2209 0 on success, or a negative error in case of failure.
2212 .B \fBlong bpf_rc_repeat(void *\fP\fIctx\fP\fB)\fP
2216 This helper is used in programs implementing IR decoding, to
2217 report a successfully decoded repeat key message. This delays
2218 the generation of a key up event for previously generated
2221 Some IR protocols like NEC have a special IR message for
2222 repeating last button, for when a button is held down.
2224 The \fIctx\fP should point to the lirc sample as passed into
2227 This helper is only available is the kernel was compiled with
2228 the \fBCONFIG_BPF_LIRC_MODE2\fP configuration option set to
2235 .B \fBlong bpf_rc_keydown(void *\fP\fIctx\fP\fB, u32\fP \fIprotocol\fP\fB, u64\fP \fIscancode\fP\fB, u32\fP \fItoggle\fP\fB)\fP
2239 This helper is used in programs implementing IR decoding, to
2240 report a successfully decoded key press with \fIscancode\fP,
2241 \fItoggle\fP value in the given \fIprotocol\fP\&. The scancode will be
2242 translated to a keycode using the rc keymap, and reported as
2243 an input key down event. After a period a key up event is
2244 generated. This period can be extended by calling either
2245 \fBbpf_rc_keydown\fP() again with the same values, or calling
2246 \fBbpf_rc_repeat\fP().
2248 Some protocols include a toggle bit, in case the button was
2249 released and pressed again between consecutive scancodes.
2251 The \fIctx\fP should point to the lirc sample as passed into
2254 The \fIprotocol\fP is the decoded protocol number (see
2255 \fBenum rc_proto\fP for some predefined values).
2257 This helper is only available is the kernel was compiled with
2258 the \fBCONFIG_BPF_LIRC_MODE2\fP configuration option set to
2265 .B \fBu64 bpf_skb_cgroup_id(struct sk_buff *\fP\fIskb\fP\fB)\fP
2269 Return the cgroup v2 id of the socket associated with the \fIskb\fP\&.
2270 This is roughly similar to the \fBbpf_get_cgroup_classid\fP()
2271 helper for cgroup v1 by providing a tag resp. identifier that
2272 can be matched on or used for map lookups e.g. to implement
2273 policy. The cgroup v2 id of a given path in the hierarchy is
2274 exposed in user space through the f_handle API in order to get
2275 to the same 64\-bit id.
2277 This helper can be used on TC egress path, but not on ingress,
2278 and is available only if the kernel was compiled with the
2279 \fBCONFIG_SOCK_CGROUP_DATA\fP configuration option.
2282 The id is returned or 0 in case the id could not be retrieved.
2285 .B \fBu64 bpf_get_current_cgroup_id(void)\fP
2289 A 64\-bit integer containing the current cgroup id based
2290 on the cgroup within which the current task is running.
2293 .B \fBvoid *bpf_get_local_storage(void *\fP\fImap\fP\fB, u64\fP \fIflags\fP\fB)\fP
2297 Get the pointer to the local storage area.
2298 The type and the size of the local storage is defined
2299 by the \fImap\fP argument.
2300 The \fIflags\fP meaning is specific for each map type,
2301 and has to be 0 for cgroup local storage.
2303 Depending on the BPF program type, a local storage area
2304 can be shared between multiple instances of the BPF program,
2305 running simultaneously.
2307 A user should care about the synchronization by himself.
2308 For example, by using the \fBBPF_STX_XADD\fP instruction to alter
2312 A pointer to the local storage area.
2315 .B \fBlong bpf_sk_select_reuseport(struct sk_reuseport_md *\fP\fIreuse\fP\fB, struct bpf_map *\fP\fImap\fP\fB, void *\fP\fIkey\fP\fB, u64\fP \fIflags\fP\fB)\fP
2319 Select a \fBSO_REUSEPORT\fP socket from a
2320 \fBBPF_MAP_TYPE_REUSEPORT_ARRAY\fP \fImap\fP\&.
2321 It checks the selected socket is matching the incoming
2322 request in the socket buffer.
2325 0 on success, or a negative error in case of failure.
2328 .B \fBu64 bpf_skb_ancestor_cgroup_id(struct sk_buff *\fP\fIskb\fP\fB, int\fP \fIancestor_level\fP\fB)\fP
2332 Return id of cgroup v2 that is ancestor of cgroup associated
2333 with the \fIskb\fP at the \fIancestor_level\fP\&. The root cgroup is at
2334 \fIancestor_level\fP zero and each step down the hierarchy
2335 increments the level. If \fIancestor_level\fP == level of cgroup
2336 associated with \fIskb\fP, then return value will be same as that
2337 of \fBbpf_skb_cgroup_id\fP().
2339 The helper is useful to implement policies based on cgroups
2340 that are upper in hierarchy than immediate cgroup associated
2343 The format of returned id and helper limitations are same as in
2344 \fBbpf_skb_cgroup_id\fP().
2347 The id is returned or 0 in case the id could not be retrieved.
2350 .B \fBstruct bpf_sock *bpf_sk_lookup_tcp(void *\fP\fIctx\fP\fB, struct bpf_sock_tuple *\fP\fItuple\fP\fB, u32\fP \fItuple_size\fP\fB, u64\fP \fInetns\fP\fB, u64\fP \fIflags\fP\fB)\fP
2354 Look for TCP socket matching \fItuple\fP, optionally in a child
2355 network namespace \fInetns\fP\&. The return value must be checked,
2356 and if non\-\fBNULL\fP, released via \fBbpf_sk_release\fP().
2358 The \fIctx\fP should point to the context of the program, such as
2359 the skb or socket (depending on the hook in use). This is used
2360 to determine the base network namespace for the lookup.
2362 \fItuple_size\fP must be one of:
2365 .B \fBsizeof\fP(\fItuple\fP\fB\->ipv4\fP)
2366 Look for an IPv4 socket.
2368 .B \fBsizeof\fP(\fItuple\fP\fB\->ipv6\fP)
2369 Look for an IPv6 socket.
2372 If the \fInetns\fP is a negative signed 32\-bit integer, then the
2373 socket lookup table in the netns associated with the \fIctx\fP
2374 will be used. For the TC hooks, this is the netns of the device
2375 in the skb. For socket hooks, this is the netns of the socket.
2376 If \fInetns\fP is any other signed 32\-bit value greater than or
2377 equal to zero then it specifies the ID of the netns relative to
2378 the netns associated with the \fIctx\fP\&. \fInetns\fP values beyond the
2379 range of 32\-bit integers are reserved for future use.
2381 All values for \fIflags\fP are reserved for future usage, and must
2384 This helper is available only if the kernel was compiled with
2385 \fBCONFIG_NET\fP configuration option.
2388 Pointer to \fBstruct bpf_sock\fP, or \fBNULL\fP in case of failure.
2389 For sockets with reuseport option, the \fBstruct bpf_sock\fP
2390 result is from \fIreuse\fP\fB\->socks\fP[] using the hash of the
2394 .B \fBstruct bpf_sock *bpf_sk_lookup_udp(void *\fP\fIctx\fP\fB, struct bpf_sock_tuple *\fP\fItuple\fP\fB, u32\fP \fItuple_size\fP\fB, u64\fP \fInetns\fP\fB, u64\fP \fIflags\fP\fB)\fP
2398 Look for UDP socket matching \fItuple\fP, optionally in a child
2399 network namespace \fInetns\fP\&. The return value must be checked,
2400 and if non\-\fBNULL\fP, released via \fBbpf_sk_release\fP().
2402 The \fIctx\fP should point to the context of the program, such as
2403 the skb or socket (depending on the hook in use). This is used
2404 to determine the base network namespace for the lookup.
2406 \fItuple_size\fP must be one of:
2409 .B \fBsizeof\fP(\fItuple\fP\fB\->ipv4\fP)
2410 Look for an IPv4 socket.
2412 .B \fBsizeof\fP(\fItuple\fP\fB\->ipv6\fP)
2413 Look for an IPv6 socket.
2416 If the \fInetns\fP is a negative signed 32\-bit integer, then the
2417 socket lookup table in the netns associated with the \fIctx\fP
2418 will be used. For the TC hooks, this is the netns of the device
2419 in the skb. For socket hooks, this is the netns of the socket.
2420 If \fInetns\fP is any other signed 32\-bit value greater than or
2421 equal to zero then it specifies the ID of the netns relative to
2422 the netns associated with the \fIctx\fP\&. \fInetns\fP values beyond the
2423 range of 32\-bit integers are reserved for future use.
2425 All values for \fIflags\fP are reserved for future usage, and must
2428 This helper is available only if the kernel was compiled with
2429 \fBCONFIG_NET\fP configuration option.
2432 Pointer to \fBstruct bpf_sock\fP, or \fBNULL\fP in case of failure.
2433 For sockets with reuseport option, the \fBstruct bpf_sock\fP
2434 result is from \fIreuse\fP\fB\->socks\fP[] using the hash of the
2438 .B \fBlong bpf_sk_release(struct bpf_sock *\fP\fIsock\fP\fB)\fP
2442 Release the reference held by \fIsock\fP\&. \fIsock\fP must be a
2443 non\-\fBNULL\fP pointer that was returned from
2444 \fBbpf_sk_lookup_xxx\fP().
2447 0 on success, or a negative error in case of failure.
2450 .B \fBlong bpf_map_push_elem(struct bpf_map *\fP\fImap\fP\fB, const void *\fP\fIvalue\fP\fB, u64\fP \fIflags\fP\fB)\fP
2454 Push an element \fIvalue\fP in \fImap\fP\&. \fIflags\fP is one of:
2458 If the queue/stack is full, the oldest element is
2459 removed to make room for this.
2463 0 on success, or a negative error in case of failure.
2466 .B \fBlong bpf_map_pop_elem(struct bpf_map *\fP\fImap\fP\fB, void *\fP\fIvalue\fP\fB)\fP
2470 Pop an element from \fImap\fP\&.
2473 0 on success, or a negative error in case of failure.
2476 .B \fBlong bpf_map_peek_elem(struct bpf_map *\fP\fImap\fP\fB, void *\fP\fIvalue\fP\fB)\fP
2480 Get an element from \fImap\fP without removing it.
2483 0 on success, or a negative error in case of failure.
2486 .B \fBlong bpf_msg_push_data(struct sk_msg_buff *\fP\fImsg\fP\fB, u32\fP \fIstart\fP\fB, u32\fP \fIlen\fP\fB, u64\fP \fIflags\fP\fB)\fP
2490 For socket policies, insert \fIlen\fP bytes into \fImsg\fP at offset
2493 If a program of type \fBBPF_PROG_TYPE_SK_MSG\fP is run on a
2494 \fImsg\fP it may want to insert metadata or options into the \fImsg\fP\&.
2495 This can later be read and used by any of the lower layer BPF
2498 This helper may fail if under memory pressure (a malloc
2499 fails) in these cases BPF programs will get an appropriate
2500 error and BPF programs will need to handle them.
2503 0 on success, or a negative error in case of failure.
2506 .B \fBlong bpf_msg_pop_data(struct sk_msg_buff *\fP\fImsg\fP\fB, u32\fP \fIstart\fP\fB, u32\fP \fIlen\fP\fB, u64\fP \fIflags\fP\fB)\fP
2510 Will remove \fIlen\fP bytes from a \fImsg\fP starting at byte \fIstart\fP\&.
2511 This may result in \fBENOMEM\fP errors under certain situations if
2512 an allocation and copy are required due to a full ring buffer.
2513 However, the helper will try to avoid doing the allocation
2514 if possible. Other errors can occur if input parameters are
2515 invalid either due to \fIstart\fP byte not being valid part of \fImsg\fP
2516 payload and/or \fIpop\fP value being to large.
2519 0 on success, or a negative error in case of failure.
2522 .B \fBlong bpf_rc_pointer_rel(void *\fP\fIctx\fP\fB, s32\fP \fIrel_x\fP\fB, s32\fP \fIrel_y\fP\fB)\fP
2526 This helper is used in programs implementing IR decoding, to
2527 report a successfully decoded pointer movement.
2529 The \fIctx\fP should point to the lirc sample as passed into
2532 This helper is only available is the kernel was compiled with
2533 the \fBCONFIG_BPF_LIRC_MODE2\fP configuration option set to
2540 .B \fBlong bpf_spin_lock(struct bpf_spin_lock *\fP\fIlock\fP\fB)\fP
2544 Acquire a spinlock represented by the pointer \fIlock\fP, which is
2545 stored as part of a value of a map. Taking the lock allows to
2546 safely update the rest of the fields in that value. The
2547 spinlock can (and must) later be released with a call to
2548 \fBbpf_spin_unlock\fP(\fIlock\fP).
2550 Spinlocks in BPF programs come with a number of restrictions
2554 \fBbpf_spin_lock\fP objects are only allowed inside maps of
2555 types \fBBPF_MAP_TYPE_HASH\fP and \fBBPF_MAP_TYPE_ARRAY\fP (this
2556 list could be extended in the future).
2558 BTF description of the map is mandatory.
2560 The BPF program can take ONE lock at a time, since taking two
2561 or more could cause dead locks.
2563 Only one \fBstruct bpf_spin_lock\fP is allowed per map element.
2565 When the lock is taken, calls (either BPF to BPF or helpers)
2568 The \fBBPF_LD_ABS\fP and \fBBPF_LD_IND\fP instructions are not
2569 allowed inside a spinlock\-ed region.
2571 The BPF program MUST call \fBbpf_spin_unlock\fP() to release
2572 the lock, on all execution paths, before it returns.
2574 The BPF program can access \fBstruct bpf_spin_lock\fP only via
2575 the \fBbpf_spin_lock\fP() and \fBbpf_spin_unlock\fP()
2576 helpers. Loading or storing data into the \fBstruct
2577 bpf_spin_lock\fP \fIlock\fP\fB;\fP field of a map is not allowed.
2579 To use the \fBbpf_spin_lock\fP() helper, the BTF description
2580 of the map value must be a struct and have \fBstruct
2581 bpf_spin_lock\fP \fIanyname\fP\fB;\fP field at the top level.
2582 Nested lock inside another struct is not allowed.
2584 The \fBstruct bpf_spin_lock\fP \fIlock\fP field in a map value must
2585 be aligned on a multiple of 4 bytes in that value.
2587 Syscall with command \fBBPF_MAP_LOOKUP_ELEM\fP does not copy
2588 the \fBbpf_spin_lock\fP field to user space.
2590 Syscall with command \fBBPF_MAP_UPDATE_ELEM\fP, or update from
2591 a BPF program, do not update the \fBbpf_spin_lock\fP field.
2593 \fBbpf_spin_lock\fP cannot be on the stack or inside a
2594 networking packet (it can only be inside of a map values).
2596 \fBbpf_spin_lock\fP is available to root only.
2598 Tracing programs and socket filter programs cannot use
2599 \fBbpf_spin_lock\fP() due to insufficient preemption checks
2600 (but this may change in the future).
2602 \fBbpf_spin_lock\fP is not allowed in inner maps of map\-in\-map.
2609 .B \fBlong bpf_spin_unlock(struct bpf_spin_lock *\fP\fIlock\fP\fB)\fP
2613 Release the \fIlock\fP previously locked by a call to
2614 \fBbpf_spin_lock\fP(\fIlock\fP).
2620 .B \fBstruct bpf_sock *bpf_sk_fullsock(struct bpf_sock *\fP\fIsk\fP\fB)\fP
2624 This helper gets a \fBstruct bpf_sock\fP pointer such
2625 that all the fields in this \fBbpf_sock\fP can be accessed.
2628 A \fBstruct bpf_sock\fP pointer on success, or \fBNULL\fP in
2632 .B \fBstruct bpf_tcp_sock *bpf_tcp_sock(struct bpf_sock *\fP\fIsk\fP\fB)\fP
2636 This helper gets a \fBstruct bpf_tcp_sock\fP pointer from a
2637 \fBstruct bpf_sock\fP pointer.
2640 A \fBstruct bpf_tcp_sock\fP pointer on success, or \fBNULL\fP in
2644 .B \fBlong bpf_skb_ecn_set_ce(struct sk_buff *\fP\fIskb\fP\fB)\fP
2648 Set ECN (Explicit Congestion Notification) field of IP header
2649 to \fBCE\fP (Congestion Encountered) if current value is \fBECT\fP
2650 (ECN Capable Transport). Otherwise, do nothing. Works with IPv6
2654 1 if the \fBCE\fP flag is set (either by the current helper call
2655 or because it was already present), 0 if it is not set.
2658 .B \fBstruct bpf_sock *bpf_get_listener_sock(struct bpf_sock *\fP\fIsk\fP\fB)\fP
2662 Return a \fBstruct bpf_sock\fP pointer in \fBTCP_LISTEN\fP state.
2663 \fBbpf_sk_release\fP() is unnecessary and not allowed.
2666 A \fBstruct bpf_sock\fP pointer on success, or \fBNULL\fP in
2670 .B \fBstruct bpf_sock *bpf_skc_lookup_tcp(void *\fP\fIctx\fP\fB, struct bpf_sock_tuple *\fP\fItuple\fP\fB, u32\fP \fItuple_size\fP\fB, u64\fP \fInetns\fP\fB, u64\fP \fIflags\fP\fB)\fP
2674 Look for TCP socket matching \fItuple\fP, optionally in a child
2675 network namespace \fInetns\fP\&. The return value must be checked,
2676 and if non\-\fBNULL\fP, released via \fBbpf_sk_release\fP().
2678 This function is identical to \fBbpf_sk_lookup_tcp\fP(), except
2679 that it also returns timewait or request sockets. Use
2680 \fBbpf_sk_fullsock\fP() or \fBbpf_tcp_sock\fP() to access the
2683 This helper is available only if the kernel was compiled with
2684 \fBCONFIG_NET\fP configuration option.
2687 Pointer to \fBstruct bpf_sock\fP, or \fBNULL\fP in case of failure.
2688 For sockets with reuseport option, the \fBstruct bpf_sock\fP
2689 result is from \fIreuse\fP\fB\->socks\fP[] using the hash of the
2693 .B \fBlong bpf_tcp_check_syncookie(struct bpf_sock *\fP\fIsk\fP\fB, void *\fP\fIiph\fP\fB, u32\fP \fIiph_len\fP\fB, struct tcphdr *\fP\fIth\fP\fB, u32\fP \fIth_len\fP\fB)\fP
2697 Check whether \fIiph\fP and \fIth\fP contain a valid SYN cookie ACK for
2698 the listening socket in \fIsk\fP\&.
2700 \fIiph\fP points to the start of the IPv4 or IPv6 header, while
2701 \fIiph_len\fP contains \fBsizeof\fP(\fBstruct iphdr\fP) or
2702 \fBsizeof\fP(\fBstruct ip6hdr\fP).
2704 \fIth\fP points to the start of the TCP header, while \fIth_len\fP
2705 contains \fBsizeof\fP(\fBstruct tcphdr\fP).
2708 0 if \fIiph\fP and \fIth\fP are a valid SYN cookie ACK, or a negative
2712 .B \fBlong bpf_sysctl_get_name(struct bpf_sysctl *\fP\fIctx\fP\fB, char *\fP\fIbuf\fP\fB, size_t\fP \fIbuf_len\fP\fB, u64\fP \fIflags\fP\fB)\fP
2716 Get name of sysctl in /proc/sys/ and copy it into provided by
2717 program buffer \fIbuf\fP of size \fIbuf_len\fP\&.
2719 The buffer is always NUL terminated, unless it\(aqs zero\-sized.
2721 If \fIflags\fP is zero, full name (e.g. "net/ipv4/tcp_mem") is
2722 copied. Use \fBBPF_F_SYSCTL_BASE_NAME\fP flag to copy base name
2723 only (e.g. "tcp_mem").
2726 Number of character copied (not including the trailing NUL).
2728 \fB\-E2BIG\fP if the buffer wasn\(aqt big enough (\fIbuf\fP will contain
2729 truncated name in this case).
2732 .B \fBlong bpf_sysctl_get_current_value(struct bpf_sysctl *\fP\fIctx\fP\fB, char *\fP\fIbuf\fP\fB, size_t\fP \fIbuf_len\fP\fB)\fP
2736 Get current value of sysctl as it is presented in /proc/sys
2737 (incl. newline, etc), and copy it as a string into provided
2738 by program buffer \fIbuf\fP of size \fIbuf_len\fP\&.
2740 The whole value is copied, no matter what file position user
2741 space issued e.g. sys_read at.
2743 The buffer is always NUL terminated, unless it\(aqs zero\-sized.
2746 Number of character copied (not including the trailing NUL).
2748 \fB\-E2BIG\fP if the buffer wasn\(aqt big enough (\fIbuf\fP will contain
2749 truncated name in this case).
2751 \fB\-EINVAL\fP if current value was unavailable, e.g. because
2752 sysctl is uninitialized and read returns \-EIO for it.
2755 .B \fBlong bpf_sysctl_get_new_value(struct bpf_sysctl *\fP\fIctx\fP\fB, char *\fP\fIbuf\fP\fB, size_t\fP \fIbuf_len\fP\fB)\fP
2759 Get new value being written by user space to sysctl (before
2760 the actual write happens) and copy it as a string into
2761 provided by program buffer \fIbuf\fP of size \fIbuf_len\fP\&.
2763 User space may write new value at file position > 0.
2765 The buffer is always NUL terminated, unless it\(aqs zero\-sized.
2768 Number of character copied (not including the trailing NUL).
2770 \fB\-E2BIG\fP if the buffer wasn\(aqt big enough (\fIbuf\fP will contain
2771 truncated name in this case).
2773 \fB\-EINVAL\fP if sysctl is being read.
2776 .B \fBlong bpf_sysctl_set_new_value(struct bpf_sysctl *\fP\fIctx\fP\fB, const char *\fP\fIbuf\fP\fB, size_t\fP \fIbuf_len\fP\fB)\fP
2780 Override new value being written by user space to sysctl with
2781 value provided by program in buffer \fIbuf\fP of size \fIbuf_len\fP\&.
2783 \fIbuf\fP should contain a string in same form as provided by user
2784 space on sysctl write.
2786 User space may write new value at file position > 0. To override
2787 the whole sysctl value file position should be set to zero.
2792 \fB\-E2BIG\fP if the \fIbuf_len\fP is too big.
2794 \fB\-EINVAL\fP if sysctl is being read.
2797 .B \fBlong bpf_strtol(const char *\fP\fIbuf\fP\fB, size_t\fP \fIbuf_len\fP\fB, u64\fP \fIflags\fP\fB, long *\fP\fIres\fP\fB)\fP
2801 Convert the initial part of the string from buffer \fIbuf\fP of
2802 size \fIbuf_len\fP to a long integer according to the given base
2803 and save the result in \fIres\fP\&.
2805 The string may begin with an arbitrary amount of white space
2806 (as determined by \fBisspace\fP(3)) followed by a single
2807 optional \(aq\fB\-\fP\(aq sign.
2809 Five least significant bits of \fIflags\fP encode base, other bits
2810 are currently unused.
2812 Base must be either 8, 10, 16, or 0 to detect it automatically
2813 similar to user space \fBstrtol\fP(3).
2816 Number of characters consumed on success. Must be positive but
2817 no more than \fIbuf_len\fP\&.
2819 \fB\-EINVAL\fP if no valid digits were found or unsupported base
2822 \fB\-ERANGE\fP if resulting value was out of range.
2825 .B \fBlong bpf_strtoul(const char *\fP\fIbuf\fP\fB, size_t\fP \fIbuf_len\fP\fB, u64\fP \fIflags\fP\fB, unsigned long *\fP\fIres\fP\fB)\fP
2829 Convert the initial part of the string from buffer \fIbuf\fP of
2830 size \fIbuf_len\fP to an unsigned long integer according to the
2831 given base and save the result in \fIres\fP\&.
2833 The string may begin with an arbitrary amount of white space
2834 (as determined by \fBisspace\fP(3)).
2836 Five least significant bits of \fIflags\fP encode base, other bits
2837 are currently unused.
2839 Base must be either 8, 10, 16, or 0 to detect it automatically
2840 similar to user space \fBstrtoul\fP(3).
2843 Number of characters consumed on success. Must be positive but
2844 no more than \fIbuf_len\fP\&.
2846 \fB\-EINVAL\fP if no valid digits were found or unsupported base
2849 \fB\-ERANGE\fP if resulting value was out of range.
2852 .B \fBvoid *bpf_sk_storage_get(struct bpf_map *\fP\fImap\fP\fB, struct bpf_sock *\fP\fIsk\fP\fB, void *\fP\fIvalue\fP\fB, u64\fP \fIflags\fP\fB)\fP
2856 Get a bpf\-local\-storage from a \fIsk\fP\&.
2858 Logically, it could be thought of getting the value from
2859 a \fImap\fP with \fIsk\fP as the \fBkey\fP\&. From this
2860 perspective, the usage is not much different from
2861 \fBbpf_map_lookup_elem\fP(\fImap\fP, \fB&\fP\fIsk\fP) except this
2862 helper enforces the key must be a full socket and the map must
2863 be a \fBBPF_MAP_TYPE_SK_STORAGE\fP also.
2865 Underneath, the value is stored locally at \fIsk\fP instead of
2866 the \fImap\fP\&. The \fImap\fP is used as the bpf\-local\-storage
2867 "type". The bpf\-local\-storage "type" (i.e. the \fImap\fP) is
2868 searched against all bpf\-local\-storages residing at \fIsk\fP\&.
2870 An optional \fIflags\fP (\fBBPF_SK_STORAGE_GET_F_CREATE\fP) can be
2871 used such that a new bpf\-local\-storage will be
2872 created if one does not exist. \fIvalue\fP can be used
2873 together with \fBBPF_SK_STORAGE_GET_F_CREATE\fP to specify
2874 the initial value of a bpf\-local\-storage. If \fIvalue\fP is
2875 \fBNULL\fP, the new bpf\-local\-storage will be zero initialized.
2878 A bpf\-local\-storage pointer is returned on success.
2880 \fBNULL\fP if not found or there was an error in adding
2881 a new bpf\-local\-storage.
2884 .B \fBlong bpf_sk_storage_delete(struct bpf_map *\fP\fImap\fP\fB, struct bpf_sock *\fP\fIsk\fP\fB)\fP
2888 Delete a bpf\-local\-storage from a \fIsk\fP\&.
2893 \fB\-ENOENT\fP if the bpf\-local\-storage cannot be found.
2896 .B \fBlong bpf_send_signal(u32\fP \fIsig\fP\fB)\fP
2900 Send signal \fIsig\fP to the process of the current task.
2901 The signal may be delivered to any of this process\(aqs threads.
2904 0 on success or successfully queued.
2906 \fB\-EBUSY\fP if work queue under nmi is full.
2908 \fB\-EINVAL\fP if \fIsig\fP is invalid.
2910 \fB\-EPERM\fP if no permission to send the \fIsig\fP\&.
2912 \fB\-EAGAIN\fP if bpf program can try again.
2915 .B \fBs64 bpf_tcp_gen_syncookie(struct bpf_sock *\fP\fIsk\fP\fB, void *\fP\fIiph\fP\fB, u32\fP \fIiph_len\fP\fB, struct tcphdr *\fP\fIth\fP\fB, u32\fP \fIth_len\fP\fB)\fP
2919 Try to issue a SYN cookie for the packet with corresponding
2920 IP/TCP headers, \fIiph\fP and \fIth\fP, on the listening socket in \fIsk\fP\&.
2922 \fIiph\fP points to the start of the IPv4 or IPv6 header, while
2923 \fIiph_len\fP contains \fBsizeof\fP(\fBstruct iphdr\fP) or
2924 \fBsizeof\fP(\fBstruct ip6hdr\fP).
2926 \fIth\fP points to the start of the TCP header, while \fIth_len\fP
2927 contains the length of the TCP header.
2930 On success, lower 32 bits hold the generated SYN cookie in
2931 followed by 16 bits which hold the MSS value for that cookie,
2932 and the top 16 bits are unused.
2934 On failure, the returned value is one of the following:
2936 \fB\-EINVAL\fP SYN cookie cannot be issued due to error
2938 \fB\-ENOENT\fP SYN cookie should not be issued (no SYN flood)
2940 \fB\-EOPNOTSUPP\fP kernel configuration does not enable SYN cookies
2942 \fB\-EPROTONOSUPPORT\fP IP packet version is not 4 or 6
2945 .B \fBlong bpf_skb_output(void *\fP\fIctx\fP\fB, struct bpf_map *\fP\fImap\fP\fB, u64\fP \fIflags\fP\fB, void *\fP\fIdata\fP\fB, u64\fP \fIsize\fP\fB)\fP
2949 Write raw \fIdata\fP blob into a special BPF perf event held by
2950 \fImap\fP of type \fBBPF_MAP_TYPE_PERF_EVENT_ARRAY\fP\&. This perf
2951 event must have the following attributes: \fBPERF_SAMPLE_RAW\fP
2952 as \fBsample_type\fP, \fBPERF_TYPE_SOFTWARE\fP as \fBtype\fP, and
2953 \fBPERF_COUNT_SW_BPF_OUTPUT\fP as \fBconfig\fP\&.
2955 The \fIflags\fP are used to indicate the index in \fImap\fP for which
2956 the value must be put, masked with \fBBPF_F_INDEX_MASK\fP\&.
2957 Alternatively, \fIflags\fP can be set to \fBBPF_F_CURRENT_CPU\fP
2958 to indicate that the index of the current CPU core should be
2961 The value to write, of \fIsize\fP, is passed through eBPF stack and
2962 pointed by \fIdata\fP\&.
2964 \fIctx\fP is a pointer to in\-kernel struct sk_buff.
2966 This helper is similar to \fBbpf_perf_event_output\fP() but
2967 restricted to raw_tracepoint bpf programs.
2970 0 on success, or a negative error in case of failure.
2973 .B \fBlong bpf_probe_read_user(void *\fP\fIdst\fP\fB, u32\fP \fIsize\fP\fB, const void *\fP\fIunsafe_ptr\fP\fB)\fP
2977 Safely attempt to read \fIsize\fP bytes from user space address
2978 \fIunsafe_ptr\fP and store the data in \fIdst\fP\&.
2981 0 on success, or a negative error in case of failure.
2984 .B \fBlong bpf_probe_read_kernel(void *\fP\fIdst\fP\fB, u32\fP \fIsize\fP\fB, const void *\fP\fIunsafe_ptr\fP\fB)\fP
2988 Safely attempt to read \fIsize\fP bytes from kernel space address
2989 \fIunsafe_ptr\fP and store the data in \fIdst\fP\&.
2992 0 on success, or a negative error in case of failure.
2995 .B \fBlong bpf_probe_read_user_str(void *\fP\fIdst\fP\fB, u32\fP \fIsize\fP\fB, const void *\fP\fIunsafe_ptr\fP\fB)\fP
2999 Copy a NUL terminated string from an unsafe user address
3000 \fIunsafe_ptr\fP to \fIdst\fP\&. The \fIsize\fP should include the
3001 terminating NUL byte. In case the string length is smaller than
3002 \fIsize\fP, the target is not padded with further NUL bytes. If the
3003 string length is larger than \fIsize\fP, just \fIsize\fP\-1 bytes are
3004 copied and the last byte is set to NUL.
3006 On success, the length of the copied string is returned. This
3007 makes this helper useful in tracing programs for reading
3008 strings, and more importantly to get its length at runtime. See
3009 the following snippet:
3015 SEC("kprobe/sys_open")
3016 void bpf_sys_open(struct pt_regs *ctx)
3018 char buf[PATHLEN]; // PATHLEN is defined to 256
3019 int res = bpf_probe_read_user_str(buf, sizeof(buf),
3022 // Consume buf, for example push it to
3023 // user space via bpf_perf_event_output(); we
3024 // can use res (the string length) as event
3025 // size, after checking its boundaries.
3032 In comparison, using \fBbpf_probe_read_user\fP() helper here
3033 instead to read the string would require to estimate the length
3034 at compile time, and would often result in copying more memory
3037 Another useful use case is when parsing individual process
3038 arguments or individual environment variables navigating
3039 \fIcurrent\fP\fB\->mm\->arg_start\fP and \fIcurrent\fP\fB\->mm\->env_start\fP: using this helper and the return value,
3040 one can quickly iterate at the right offset of the memory area.
3043 On success, the strictly positive length of the string,
3044 including the trailing NUL character. On error, a negative
3048 .B \fBlong bpf_probe_read_kernel_str(void *\fP\fIdst\fP\fB, u32\fP \fIsize\fP\fB, const void *\fP\fIunsafe_ptr\fP\fB)\fP
3052 Copy a NUL terminated string from an unsafe kernel address \fIunsafe_ptr\fP
3053 to \fIdst\fP\&. Same semantics as with \fBbpf_probe_read_user_str\fP() apply.
3056 On success, the strictly positive length of the string, including
3057 the trailing NUL character. On error, a negative value.
3060 .B \fBlong bpf_tcp_send_ack(void *\fP\fItp\fP\fB, u32\fP \fIrcv_nxt\fP\fB)\fP
3064 Send out a tcp\-ack. \fItp\fP is the in\-kernel struct \fBtcp_sock\fP\&.
3065 \fIrcv_nxt\fP is the ack_seq to be sent out.
3068 0 on success, or a negative error in case of failure.
3071 .B \fBlong bpf_send_signal_thread(u32\fP \fIsig\fP\fB)\fP
3075 Send signal \fIsig\fP to the thread corresponding to the current task.
3078 0 on success or successfully queued.
3080 \fB\-EBUSY\fP if work queue under nmi is full.
3082 \fB\-EINVAL\fP if \fIsig\fP is invalid.
3084 \fB\-EPERM\fP if no permission to send the \fIsig\fP\&.
3086 \fB\-EAGAIN\fP if bpf program can try again.
3089 .B \fBu64 bpf_jiffies64(void)\fP
3093 Obtain the 64bit jiffies
3099 .B \fBlong bpf_read_branch_records(struct bpf_perf_event_data *\fP\fIctx\fP\fB, void *\fP\fIbuf\fP\fB, u32\fP \fIsize\fP\fB, u64\fP \fIflags\fP\fB)\fP
3103 For an eBPF program attached to a perf event, retrieve the
3104 branch records (\fBstruct perf_branch_entry\fP) associated to \fIctx\fP
3105 and store it in the buffer pointed by \fIbuf\fP up to size
3109 On success, number of bytes written to \fIbuf\fP\&. On error, a
3112 The \fIflags\fP can be set to \fBBPF_F_GET_BRANCH_RECORDS_SIZE\fP to
3113 instead return the number of bytes required to store all the
3114 branch entries. If this flag is set, \fIbuf\fP may be NULL.
3116 \fB\-EINVAL\fP if arguments invalid or \fBsize\fP not a multiple
3117 of \fBsizeof\fP(\fBstruct perf_branch_entry\fP).
3119 \fB\-ENOENT\fP if architecture does not support branch records.
3122 .B \fBlong bpf_get_ns_current_pid_tgid(u64\fP \fIdev\fP\fB, u64\fP \fIino\fP\fB, struct bpf_pidns_info *\fP\fInsdata\fP\fB, u32\fP \fIsize\fP\fB)\fP
3126 Returns 0 on success, values for \fIpid\fP and \fItgid\fP as seen from the current
3127 \fInamespace\fP will be returned in \fInsdata\fP\&.
3130 0 on success, or one of the following in case of failure:
3132 \fB\-EINVAL\fP if dev and inum supplied don\(aqt match dev_t and inode number
3133 with nsfs of current task, or if dev conversion to dev_t lost high bits.
3135 \fB\-ENOENT\fP if pidns does not exists for the current task.
3138 .B \fBlong bpf_xdp_output(void *\fP\fIctx\fP\fB, struct bpf_map *\fP\fImap\fP\fB, u64\fP \fIflags\fP\fB, void *\fP\fIdata\fP\fB, u64\fP \fIsize\fP\fB)\fP
3142 Write raw \fIdata\fP blob into a special BPF perf event held by
3143 \fImap\fP of type \fBBPF_MAP_TYPE_PERF_EVENT_ARRAY\fP\&. This perf
3144 event must have the following attributes: \fBPERF_SAMPLE_RAW\fP
3145 as \fBsample_type\fP, \fBPERF_TYPE_SOFTWARE\fP as \fBtype\fP, and
3146 \fBPERF_COUNT_SW_BPF_OUTPUT\fP as \fBconfig\fP\&.
3148 The \fIflags\fP are used to indicate the index in \fImap\fP for which
3149 the value must be put, masked with \fBBPF_F_INDEX_MASK\fP\&.
3150 Alternatively, \fIflags\fP can be set to \fBBPF_F_CURRENT_CPU\fP
3151 to indicate that the index of the current CPU core should be
3154 The value to write, of \fIsize\fP, is passed through eBPF stack and
3155 pointed by \fIdata\fP\&.
3157 \fIctx\fP is a pointer to in\-kernel struct xdp_buff.
3159 This helper is similar to \fBbpf_perf_eventoutput\fP() but
3160 restricted to raw_tracepoint bpf programs.
3163 0 on success, or a negative error in case of failure.
3166 .B \fBu64 bpf_get_netns_cookie(void *\fP\fIctx\fP\fB)\fP
3170 Retrieve the cookie (generated by the kernel) of the network
3171 namespace the input \fIctx\fP is associated with. The network
3172 namespace cookie remains stable for its lifetime and provides
3173 a global identifier that can be assumed unique. If \fIctx\fP is
3174 NULL, then the helper returns the cookie for the initial
3175 network namespace. The cookie itself is very similar to that
3176 of \fBbpf_get_socket_cookie\fP() helper, but for network
3177 namespaces instead of sockets.
3180 A 8\-byte long opaque number.
3183 .B \fBu64 bpf_get_current_ancestor_cgroup_id(int\fP \fIancestor_level\fP\fB)\fP
3187 Return id of cgroup v2 that is ancestor of the cgroup associated
3188 with the current task at the \fIancestor_level\fP\&. The root cgroup
3189 is at \fIancestor_level\fP zero and each step down the hierarchy
3190 increments the level. If \fIancestor_level\fP == level of cgroup
3191 associated with the current task, then return value will be the
3192 same as that of \fBbpf_get_current_cgroup_id\fP().
3194 The helper is useful to implement policies based on cgroups
3195 that are upper in hierarchy than immediate cgroup associated
3196 with the current task.
3198 The format of returned id and helper limitations are same as in
3199 \fBbpf_get_current_cgroup_id\fP().
3202 The id is returned or 0 in case the id could not be retrieved.
3205 .B \fBlong bpf_sk_assign(struct sk_buff *\fP\fIskb\fP\fB, struct bpf_sock *\fP\fIsk\fP\fB, u64\fP \fIflags\fP\fB)\fP
3209 Helper is overloaded depending on BPF program type. This
3210 description applies to \fBBPF_PROG_TYPE_SCHED_CLS\fP and
3211 \fBBPF_PROG_TYPE_SCHED_ACT\fP programs.
3213 Assign the \fIsk\fP to the \fIskb\fP\&. When combined with appropriate
3214 routing configuration to receive the packet towards the socket,
3215 will cause \fIskb\fP to be delivered to the specified socket.
3216 Subsequent redirection of \fIskb\fP via \fBbpf_redirect\fP(),
3217 \fBbpf_clone_redirect\fP() or other methods outside of BPF may
3218 interfere with successful delivery to the socket.
3220 This operation is only valid from TC ingress path.
3222 The \fIflags\fP argument must be zero.
3225 0 on success, or a negative error in case of failure:
3227 \fB\-EINVAL\fP if specified \fIflags\fP are not supported.
3229 \fB\-ENOENT\fP if the socket is unavailable for assignment.
3231 \fB\-ENETUNREACH\fP if the socket is unreachable (wrong netns).
3233 \fB\-EOPNOTSUPP\fP if the operation is not supported, for example
3234 a call from outside of TC ingress.
3236 \fB\-ESOCKTNOSUPPORT\fP if the socket type is not supported
3240 .B \fBlong bpf_sk_assign(struct bpf_sk_lookup *\fP\fIctx\fP\fB, struct bpf_sock *\fP\fIsk\fP\fB, u64\fP \fIflags\fP\fB)\fP
3244 Helper is overloaded depending on BPF program type. This
3245 description applies to \fBBPF_PROG_TYPE_SK_LOOKUP\fP programs.
3247 Select the \fIsk\fP as a result of a socket lookup.
3249 For the operation to succeed passed socket must be compatible
3250 with the packet description provided by the \fIctx\fP object.
3252 L4 protocol (\fBIPPROTO_TCP\fP or \fBIPPROTO_UDP\fP) must
3253 be an exact match. While IP family (\fBAF_INET\fP or
3254 \fBAF_INET6\fP) must be compatible, that is IPv6 sockets
3255 that are not v6\-only can be selected for IPv4 packets.
3257 Only TCP listeners and UDP unconnected sockets can be
3258 selected. \fIsk\fP can also be NULL to reset any previous
3261 \fIflags\fP argument can combination of following values:
3264 \fBBPF_SK_LOOKUP_F_REPLACE\fP to override the previous
3265 socket selection, potentially done by a BPF program
3268 \fBBPF_SK_LOOKUP_F_NO_REUSEPORT\fP to skip
3269 load\-balancing within reuseport group for the socket
3273 On success \fIctx\->sk\fP will point to the selected socket.
3276 0 on success, or a negative errno in case of failure.
3279 \fB\-EAFNOSUPPORT\fP if socket family (\fIsk\->family\fP) is
3280 not compatible with packet family (\fIctx\->family\fP).
3282 \fB\-EEXIST\fP if socket has been already selected,
3283 potentially by another program, and
3284 \fBBPF_SK_LOOKUP_F_REPLACE\fP flag was not specified.
3286 \fB\-EINVAL\fP if unsupported flags were specified.
3288 \fB\-EPROTOTYPE\fP if socket L4 protocol
3289 (\fIsk\->protocol\fP) doesn\(aqt match packet protocol
3290 (\fIctx\->protocol\fP).
3292 \fB\-ESOCKTNOSUPPORT\fP if socket is not in allowed
3293 state (TCP listening or UDP unconnected).
3297 .B \fBu64 bpf_ktime_get_boot_ns(void)\fP
3301 Return the time elapsed since system boot, in nanoseconds.
3302 Does include the time the system was suspended.
3303 See: \fBclock_gettime\fP(\fBCLOCK_BOOTTIME\fP)
3306 Current \fIktime\fP\&.
3309 .B \fBlong bpf_seq_printf(struct seq_file *\fP\fIm\fP\fB, const char *\fP\fIfmt\fP\fB, u32\fP \fIfmt_size\fP\fB, const void *\fP\fIdata\fP\fB, u32\fP \fIdata_len\fP\fB)\fP
3313 \fBbpf_seq_printf\fP() uses seq_file \fBseq_printf\fP() to print
3314 out the format string.
3315 The \fIm\fP represents the seq_file. The \fIfmt\fP and \fIfmt_size\fP are for
3316 the format string itself. The \fIdata\fP and \fIdata_len\fP are format string
3317 arguments. The \fIdata\fP are a \fBu64\fP array and corresponding format string
3318 values are stored in the array. For strings and pointers where pointees
3319 are accessed, only the pointer values are stored in the \fIdata\fP array.
3320 The \fIdata_len\fP is the size of \fIdata\fP in bytes.
3322 Formats \fB%s\fP, \fB%p{i,I}{4,6}\fP requires to read kernel memory.
3323 Reading kernel memory may fail due to either invalid address or
3324 valid address but requiring a major memory fault. If reading kernel memory
3325 fails, the string for \fB%s\fP will be an empty string, and the ip
3326 address for \fB%p{i,I}{4,6}\fP will be 0. Not returning error to
3327 bpf program is consistent with what \fBbpf_trace_printk\fP() does for now.
3330 0 on success, or a negative error in case of failure:
3332 \fB\-EBUSY\fP if per\-CPU memory copy buffer is busy, can try again
3333 by returning 1 from bpf program.
3335 \fB\-EINVAL\fP if arguments are invalid, or if \fIfmt\fP is invalid/unsupported.
3337 \fB\-E2BIG\fP if \fIfmt\fP contains too many format specifiers.
3339 \fB\-EOVERFLOW\fP if an overflow happened: The same object will be tried again.
3342 .B \fBlong bpf_seq_write(struct seq_file *\fP\fIm\fP\fB, const void *\fP\fIdata\fP\fB, u32\fP \fIlen\fP\fB)\fP
3346 \fBbpf_seq_write\fP() uses seq_file \fBseq_write\fP() to write the data.
3347 The \fIm\fP represents the seq_file. The \fIdata\fP and \fIlen\fP represent the
3348 data to write in bytes.
3351 0 on success, or a negative error in case of failure:
3353 \fB\-EOVERFLOW\fP if an overflow happened: The same object will be tried again.
3356 .B \fBu64 bpf_sk_cgroup_id(struct bpf_sock *\fP\fIsk\fP\fB)\fP
3360 Return the cgroup v2 id of the socket \fIsk\fP\&.
3362 \fIsk\fP must be a non\-\fBNULL\fP pointer to a full socket, e.g. one
3363 returned from \fBbpf_sk_lookup_xxx\fP(),
3364 \fBbpf_sk_fullsock\fP(), etc. The format of returned id is
3365 same as in \fBbpf_skb_cgroup_id\fP().
3367 This helper is available only if the kernel was compiled with
3368 the \fBCONFIG_SOCK_CGROUP_DATA\fP configuration option.
3371 The id is returned or 0 in case the id could not be retrieved.
3374 .B \fBu64 bpf_sk_ancestor_cgroup_id(struct bpf_sock *\fP\fIsk\fP\fB, int\fP \fIancestor_level\fP\fB)\fP
3378 Return id of cgroup v2 that is ancestor of cgroup associated
3379 with the \fIsk\fP at the \fIancestor_level\fP\&. The root cgroup is at
3380 \fIancestor_level\fP zero and each step down the hierarchy
3381 increments the level. If \fIancestor_level\fP == level of cgroup
3382 associated with \fIsk\fP, then return value will be same as that
3383 of \fBbpf_sk_cgroup_id\fP().
3385 The helper is useful to implement policies based on cgroups
3386 that are upper in hierarchy than immediate cgroup associated
3389 The format of returned id and helper limitations are same as in
3390 \fBbpf_sk_cgroup_id\fP().
3393 The id is returned or 0 in case the id could not be retrieved.
3396 .B \fBlong bpf_ringbuf_output(void *\fP\fIringbuf\fP\fB, void *\fP\fIdata\fP\fB, u64\fP \fIsize\fP\fB, u64\fP \fIflags\fP\fB)\fP
3400 Copy \fIsize\fP bytes from \fIdata\fP into a ring buffer \fIringbuf\fP\&.
3401 If \fBBPF_RB_NO_WAKEUP\fP is specified in \fIflags\fP, no notification
3402 of new data availability is sent.
3403 If \fBBPF_RB_FORCE_WAKEUP\fP is specified in \fIflags\fP, notification
3404 of new data availability is sent unconditionally.
3407 0 on success, or a negative error in case of failure.
3410 .B \fBvoid *bpf_ringbuf_reserve(void *\fP\fIringbuf\fP\fB, u64\fP \fIsize\fP\fB, u64\fP \fIflags\fP\fB)\fP
3414 Reserve \fIsize\fP bytes of payload in a ring buffer \fIringbuf\fP\&.
3417 Valid pointer with \fIsize\fP bytes of memory available; NULL,
3421 .B \fBvoid bpf_ringbuf_submit(void *\fP\fIdata\fP\fB, u64\fP \fIflags\fP\fB)\fP
3425 Submit reserved ring buffer sample, pointed to by \fIdata\fP\&.
3426 If \fBBPF_RB_NO_WAKEUP\fP is specified in \fIflags\fP, no notification
3427 of new data availability is sent.
3428 If \fBBPF_RB_FORCE_WAKEUP\fP is specified in \fIflags\fP, notification
3429 of new data availability is sent unconditionally.
3432 Nothing. Always succeeds.
3435 .B \fBvoid bpf_ringbuf_discard(void *\fP\fIdata\fP\fB, u64\fP \fIflags\fP\fB)\fP
3439 Discard reserved ring buffer sample, pointed to by \fIdata\fP\&.
3440 If \fBBPF_RB_NO_WAKEUP\fP is specified in \fIflags\fP, no notification
3441 of new data availability is sent.
3442 If \fBBPF_RB_FORCE_WAKEUP\fP is specified in \fIflags\fP, notification
3443 of new data availability is sent unconditionally.
3446 Nothing. Always succeeds.
3449 .B \fBu64 bpf_ringbuf_query(void *\fP\fIringbuf\fP\fB, u64\fP \fIflags\fP\fB)\fP
3453 Query various characteristics of provided ring buffer. What
3454 exactly is queries is determined by \fIflags\fP:
3457 \fBBPF_RB_AVAIL_DATA\fP: Amount of data not yet consumed.
3459 \fBBPF_RB_RING_SIZE\fP: The size of ring buffer.
3461 \fBBPF_RB_CONS_POS\fP: Consumer position (can wrap around).
3463 \fBBPF_RB_PROD_POS\fP: Producer(s) position (can wrap around).
3466 Data returned is just a momentary snapshot of actual values
3467 and could be inaccurate, so this facility should be used to
3468 power heuristics and for reporting, not to make 100% correct
3472 Requested value, or 0, if \fIflags\fP are not recognized.
3475 .B \fBlong bpf_csum_level(struct sk_buff *\fP\fIskb\fP\fB, u64\fP \fIlevel\fP\fB)\fP
3479 Change the skbs checksum level by one layer up or down, or
3480 reset it entirely to none in order to have the stack perform
3481 checksum validation. The level is applicable to the following
3482 protocols: TCP, UDP, GRE, SCTP, FCOE. For example, a decap of
3483 | ETH | IP | UDP | GUE | IP | TCP | into | ETH | IP | TCP |
3484 through \fBbpf_skb_adjust_room\fP() helper with passing in
3485 \fBBPF_F_ADJ_ROOM_NO_CSUM_RESET\fP flag would require one call
3486 to \fBbpf_csum_level\fP() with \fBBPF_CSUM_LEVEL_DEC\fP since
3487 the UDP header is removed. Similarly, an encap of the latter
3488 into the former could be accompanied by a helper call to
3489 \fBbpf_csum_level\fP() with \fBBPF_CSUM_LEVEL_INC\fP if the
3490 skb is still intended to be processed in higher layers of the
3491 stack instead of just egressing at tc.
3493 There are three supported level settings at this time:
3496 \fBBPF_CSUM_LEVEL_INC\fP: Increases skb\->csum_level for skbs
3497 with CHECKSUM_UNNECESSARY.
3499 \fBBPF_CSUM_LEVEL_DEC\fP: Decreases skb\->csum_level for skbs
3500 with CHECKSUM_UNNECESSARY.
3502 \fBBPF_CSUM_LEVEL_RESET\fP: Resets skb\->csum_level to 0 and
3503 sets CHECKSUM_NONE to force checksum validation by the stack.
3505 \fBBPF_CSUM_LEVEL_QUERY\fP: No\-op, returns the current
3510 0 on success, or a negative error in case of failure. In the
3511 case of \fBBPF_CSUM_LEVEL_QUERY\fP, the current skb\->csum_level
3512 is returned or the error code \-EACCES in case the skb is not
3513 subject to CHECKSUM_UNNECESSARY.
3516 .B \fBstruct tcp6_sock *bpf_skc_to_tcp6_sock(void *\fP\fIsk\fP\fB)\fP
3520 Dynamically cast a \fIsk\fP pointer to a \fItcp6_sock\fP pointer.
3523 \fIsk\fP if casting is valid, or NULL otherwise.
3526 .B \fBstruct tcp_sock *bpf_skc_to_tcp_sock(void *\fP\fIsk\fP\fB)\fP
3530 Dynamically cast a \fIsk\fP pointer to a \fItcp_sock\fP pointer.
3533 \fIsk\fP if casting is valid, or NULL otherwise.
3536 .B \fBstruct tcp_timewait_sock *bpf_skc_to_tcp_timewait_sock(void *\fP\fIsk\fP\fB)\fP
3540 Dynamically cast a \fIsk\fP pointer to a \fItcp_timewait_sock\fP pointer.
3543 \fIsk\fP if casting is valid, or NULL otherwise.
3546 .B \fBstruct tcp_request_sock *bpf_skc_to_tcp_request_sock(void *\fP\fIsk\fP\fB)\fP
3550 Dynamically cast a \fIsk\fP pointer to a \fItcp_request_sock\fP pointer.
3553 \fIsk\fP if casting is valid, or NULL otherwise.
3556 .B \fBstruct udp6_sock *bpf_skc_to_udp6_sock(void *\fP\fIsk\fP\fB)\fP
3560 Dynamically cast a \fIsk\fP pointer to a \fIudp6_sock\fP pointer.
3563 \fIsk\fP if casting is valid, or NULL otherwise.
3566 .B \fBlong bpf_get_task_stack(struct task_struct *\fP\fItask\fP\fB, void *\fP\fIbuf\fP\fB, u32\fP \fIsize\fP\fB, u64\fP \fIflags\fP\fB)\fP
3570 Return a user or a kernel stack in bpf program provided buffer.
3571 To achieve this, the helper needs \fItask\fP, which is a valid
3572 pointer to struct task_struct. To store the stacktrace, the
3573 bpf program provides \fIbuf\fP with a nonnegative \fIsize\fP\&.
3575 The last argument, \fIflags\fP, holds the number of stack frames to
3576 skip (from 0 to 255), masked with
3577 \fBBPF_F_SKIP_FIELD_MASK\fP\&. The next bits can be used to set
3578 the following flags:
3581 .B \fBBPF_F_USER_STACK\fP
3582 Collect a user space stack instead of a kernel stack.
3584 .B \fBBPF_F_USER_BUILD_ID\fP
3585 Collect buildid+offset instead of ips for user stack,
3586 only valid if \fBBPF_F_USER_STACK\fP is also specified.
3589 \fBbpf_get_task_stack\fP() can collect up to
3590 \fBPERF_MAX_STACK_DEPTH\fP both kernel and user frames, subject
3591 to sufficient large buffer size. Note that
3592 this limit can be controlled with the \fBsysctl\fP program, and
3593 that it should be manually increased in order to profile long
3594 user stacks (such as stacks for Java programs). To do so, use:
3600 # sysctl kernel.perf_event_max_stack=<new value>
3607 A non\-negative value equal to or less than \fIsize\fP on success,
3608 or a negative error in case of failure.
3613 Example usage for most of the eBPF helpers listed in this manual page are
3614 available within the Linux kernel sources, at the following locations:
3619 \fItools/testing/selftests/bpf/\fP
3623 eBPF programs can have an associated license, passed along with the bytecode
3624 instructions to the kernel when the programs are loaded. The format for that
3625 string is identical to the one in use for kernel modules (Dual licenses, such
3626 as "Dual BSD/GPL", may be used). Some helper functions are only accessible to
3627 programs that are compatible with the GNU Privacy License (GPL).
3629 In order to use such helpers, the eBPF program must be loaded with the correct
3630 license string passed (via \fBattr\fP) to the \fBbpf\fP() system call, and this
3631 generally translates into the C source code of the program containing a line
3632 similar to the following:
3638 char ____license[] __attribute__((section("license"), used)) = "GPL";
3645 This manual page is an effort to document the existing eBPF helper functions.
3646 But as of this writing, the BPF sub\-system is under heavy development. New eBPF
3647 program or map types are added, along with new helper functions. Some helpers
3648 are occasionally made available for additional program types. So in spite of
3649 the efforts of the community, this page might not be up\-to\-date. If you want to
3650 check by yourself what helper functions exist in your kernel, or what types of
3651 programs they can support, here are some files among the kernel tree that you
3652 may be interested in:
3655 \fIinclude/uapi/linux/bpf.h\fP is the main BPF header. It contains the full list
3656 of all helper functions, as well as many other BPF definitions including most
3657 of the flags, structs or constants used by the helpers.
3659 \fInet/core/filter.c\fP contains the definition of most network\-related helper
3660 functions, and the list of program types from which they can be used.
3662 \fIkernel/trace/bpf_trace.c\fP is the equivalent for most tracing program\-related
3665 \fIkernel/bpf/verifier.c\fP contains the functions used to check that valid types
3666 of eBPF maps are used with a given helper function.
3668 \fIkernel/bpf/\fP directory contains other files in which additional helpers are
3669 defined (for cgroups, sockmaps, etc.).
3671 The bpftool utility can be used to probe the availability of helper functions
3672 on the system (as well as supported program and map types, and a number of
3673 other parameters). To do so, run \fBbpftool feature probe\fP (see
3674 \fBbpftool\-feature\fP(8) for details). Add the \fBunprivileged\fP keyword to
3675 list features available to unprivileged users.
3678 Compatibility between helper functions and program types can generally be found
3679 in the files where helper functions are defined. Look for the \fBstruct
3680 bpf_func_proto\fP objects and for functions returning them: these functions
3681 contain a list of helpers that a given program type can call. Note that the
3682 \fBdefault:\fP label of the \fBswitch ... case\fP used to filter helpers can call
3683 other functions, themselves allowing access to additional helpers. The
3684 requirement for GPL license is also in those \fBstruct bpf_func_proto\fP\&.
3686 Compatibility between helper functions and map types can be found in the
3687 \fBcheck_map_func_compatibility\fP() function in file \fIkernel/bpf/verifier.c\fP\&.
3689 Helper functions that invalidate the checks on \fBdata\fP and \fBdata_end\fP
3690 pointers for network processing are listed in function
3691 \fBbpf_helper_changes_pkt_data\fP() in file \fInet/core/filter.c\fP\&.
3698 \fBperf_event_open\fP(2),
3702 .\" Generated by docutils manpage writer.