BPF-HELPERS(7) Miscellaneous Information Manual BPF-HELPERS(7) -BPF - eBPF (eBPF) . BPF "" ( "cBPF") ( "") . . eBPF . eBPF . eBPF . eBPF . eBPF . . eBPF. ( ). void *bpf_map_lookup_elem(struct bpf_map *map, const void *key) map key. key NULL . long bpf_map_update_elem(struct bpf_map *map, const void *key, const void *value, u64 flags) key map value. flags : BPF_NOEXIST key . BPF_EXIST key . BPF_ANY key. BPF_NOEXIST BPF_MAP_TYPE_ARRAY BPF_MAP_TYPE_PERCPU_ARRAY ( ) . 0 . long bpf_map_delete_elem(struct bpf_map *map, const void *key) key map. 0 . long bpf_probe_read(void *dst, u32 size, const void *unsafe_ptr) size unsafe_ptr dst. bpf_probe_read_user() bpf_probe_read_kernel() . 0 . u64 bpf_ktime_get_ns(void) . . : clock_gettime(CLOCK_MONOTONIC) ktime . long bpf_trace_printk(const char *fmt, u32 fmt_size, ...) " printk()" . fmt ( fmt_size) /sys/kernel/tracing/trace TraceFS . u64 ( eBPF ). . /sys/kernel/tracing/trace /sys/kernel/tracing/trace_pipe . /sys/kernel/tracing/trace_options ( README ). : telnet-470 [001] .N.. 419421.045894: 0x00000001: : o telnet . o 470 (PID) . o 001 . o .N.. ( irqs hard/softirqs preempt_disabled ). N TIF_NEED_RESCHED PREEMPT_NEED_RESCHED . o 419421.045894 . o 0x00000001 BPF . o fmt. fmt printk(). %d %i %u %x %ld %li %lu %lx %lld %lli %llu %llx %p %s. ( ) -EINVAL ( ) . bpf_trace_printk() . ( ) " " ( trace_printk() ). perf. . u32 bpf_get_prandom_u32(void) . . . 32 . u32 bpf_get_smp_processor_id(void) SMP ( ). SMP . SMP . long bpf_skb_store_bytes(struct sk_buff *skb, u32 offset, const void *from, u32 len, u64 flags) len from skb offset. flags : BPF_F_RECOMPUTE_CSUM skb->csum . BPF_F_INVALIDATE_HASH skb->hash skb->swhash skb->l4hash 0. . . 0 . long bpf_l3_csum_replace(struct sk_buff *skb, u32 offset, u64 from, u64 to, u64 size) 3 ( IP) skb. (from) (to) (2 4) size. to from size 0. offset IP . bpf_csum_diff() 2 4 . . . 0 . long bpf_l4_csum_replace(struct sk_buff *skb, u32 offset, u64 from, u64 to, u64 flags) 4 ( TCP UDP ICMP) skb. (from) (to) (2 4) flags. to from flags 0. offset IP . ( bitwise OR) flags. BPF_F_MARK_MANGLED_0 ( BPF_F_MARK_ENFORCE ) CSUM_MANGLED_0 . BPF_F_PSEUDO_HDR . BPF_F_IPV6 IPv6. bpf_csum_diff() 2 4 . . . 0 . long bpf_tail_call(void *ctx, struct bpf_map *prog_array_map, u32 index) " " eBPF . ( ). eBPF . . index prog_array_map BPF_MAP_TYPE_PROG_ARRAY ctx . . . . ( index prog_array_map) . MAX_TAIL_CALL_CNT ( ) 33. 0 . long bpf_clone_redirect(struct sk_buff *skb, u32 ifindex, u64 flags) skb ifindex. (ingress) (egress) . BPF_F_INGRESS flags ( ). . bpf_redirect() bpf_clone_redirect() eBPF. bpf_redirect() eBPF. . . 0 . . . u64 bpf_get_current_pid_tgid(void) pid tgid . 64 tgid pid : current_task->tgid << 32 | current_task->pid. u64 bpf_get_current_uid_gid(void) uid gid . 64 GID UID : current_gid << 32 | current_uid. long bpf_get_current_comm(void *buf, u32 size_of_buf) comm buf size_of_buf. comm ( ) . size_of_buf . buf NUL. . 0 . u32 bpf_get_cgroup_classid(struct sk_buff *skb) classid net_cls cgroup skb. (egress) TC (ingress). net_cls cgroup cgroup . Documentation/admin-guide/cgroup-v1/net_cls.rst. cgroups: cgroups v1 cgroups v2. net_cls cgroup cgroup v1 . BPF cgroups cgroup-v2 ( cgroups ). CONFIG_CGROUP_NET_CLASSID "y" "m". classid 0 classid . long bpf_skb_vlan_push(struct sk_buff *skb, __be16 vlan_proto, u16 vlan_tci) vlan_tci ( VLAN) vlan_proto skb . vlan_proto ETH_P_8021Q ETH_P_8021AD ETH_P_8021Q. . . 0 . long bpf_skb_vlan_pop(struct sk_buff *skb) VLAN skb. . . 0 . long bpf_skb_get_tunnel_key(struct sk_buff *skb, struct bpf_tunnel_key *key, u32 size, u64 flags) (metadata). key struct bpf_tunnel_key size skb. flags BPF_F_TUNINFO_IPV6 IPv6 IPv4. struct bpf_tunnel_key . "" . IP (IPv4 IPv6 ) key->remote_ipv4 key->remote_ipv6. key->tunnel_id VNI ( ) bpf_skb_set_tunnel_key(). TC GRE IPv4 10.0.0.1: int ret; struct bpf_tunnel_key key = {}; ret = bpf_skb_get_tunnel_key(skb, &key, sizeof(key), 0); if (ret < 0) return TC_ACT_SHOT; // if (key.remote_ipv4 != 0x0a000001) return TC_ACT_SHOT; // return TC_ACT_OK; // " ": " " . VXLan Geneve GRE IP in IP (IPIP). 0 . long bpf_skb_set_tunnel_key(struct sk_buff *skb, struct bpf_tunnel_key *key, u32 size, u64 flags) skb. key size. flags : BPF_F_TUNINFO_IPV6 IPv6 IPv4. BPF_F_ZERO_CSUM_TX IPv4 (checksum) . BPF_F_DONT_FRAGMENT . BPF_F_SEQ_NUMBER . GRE . BPF_F_NO_TUNNEL_KEY . : struct bpf_tunnel_key key; ... bpf_skb_set_tunnel_key(skb, &key, sizeof(key), 0); bpf_clone_redirect(skb, vxlan_dev_ifindex, 0); bpf_skb_get_tunnel_key() . 0 . u64 bpf_perf_event_read(struct bpf_map *map, u64 flags) (perf event). map BPF_MAP_TYPE_PERF_EVENT_ARRAY. map . map . flags BPF_F_INDEX_MASK. flags BPF_F_CURRENT_CPU . 4.13 . bpf_perf_event_read_value() bpf_perf_event_read(). (ABI) ( ). bpf_perf_event_read_value() bpf_perf_event_read(). bpf_perf_event_read_value() . . long bpf_redirect(u32 ifindex, u64 flags) ifindex. bpf_clone_redirect() . XDP . BPF_F_INGRESS flags ( ). XDP . bpf_redirect_map() BPF . XDP XDP_REDIRECT XDP_ABORTED . TC_ACT_REDIRECT TC_ACT_SHOT . u32 bpf_get_route_realm(struct sk_buff *skb) (realm) tclassid skb. net_cls cgroup ( bpf_get_cgroup_classid()) ( ) . clsact TC ( tc-bpf(8)) qdiscs TC. clsact TC . netif_keep_dst() qdisc skb. CONFIG_IP_ROUTE_CLASSID. skb 0 . long bpf_perf_event_output(void *ctx, struct bpf_map *map, u64 flags, void *data, u64 size) data BPF map BPF_MAP_TYPE_PERF_EVENT_ARRAY. : PERF_SAMPLE_RAW sample_type PERF_TYPE_SOFTWARE type PERF_COUNT_SW_BPF_OUTPUT config. flags map BPF_F_INDEX_MASK. flags BPF_F_CURRENT_CPU . size eBPF data. ctx . perf_event_open() ( ) map. eBPF . samples/bpf/trace_output_user.c ( eBPF samples/bpf/trace_output.bpf.c). bpf_perf_event_output() bpf_trace_printk() eBPF. TC XDP . : o (structs) o o . 0 . long bpf_skb_load_bytes(const void *skb, u32 offset, void *to, u32 len) . len offset skb to. 4.7 " " skb->data skb->data_end . eBPF. 0 . long bpf_get_stackid(void *ctx, struct bpf_map *map, u64 flags) . ctx map BPF_MAP_TYPE_STACK_TRACE. flags ( 0 255) BPF_F_SKIP_FIELD_MASK. : BPF_F_USER_STACK . BPF_F_FAST_STACK_CMP (hash) . BPF_F_REUSE_STACKID stackid . 32 ( ) . ( flame graphs off-cpu graphs). bpf_probe_read() eBPF. bpf_get_stackid() PERF_MAX_STACK_DEPTH . sysctl ( ). : # sysctl kernel.perf_event_max_stack=< > . s64 bpf_csum_diff(__be32 *from, u32 from_size, __be32 *to, u32 to_size, __wsum seed) from from_size ( 4) to to_size ( ). seed ( ). : o from_size == 0 to_size > 0 seed . o from_size > 0 to_size == 0 seed . o from_size > 0 to_size > 0 seed 0 . from_size to_size . bpf_l3_csum_replace() bpf_l4_csum_replace() bpf_csum_diff(). . long bpf_skb_get_tunnel_opt(struct sk_buff *skb, void *opt, u32 size) skb opt size. " " ( bpf_skb_get_tunnel_key() ). Geneve ( bpf_skb_get_tunnel_opt()) TLVs ( --) eBPF. . . long bpf_skb_set_tunnel_opt(struct sk_buff *skb, void *opt, u32 size) skb opt size. bpf_skb_get_tunnel_opt() . 0 . long bpf_skb_change_proto(struct sk_buff *skb, __be16 proto, u64 flags) skb proto. IPv4 IPv6 IPv6 IPv4. . eBPF skb_store_bytes() bpf_l3_csum_replace() bpf_l4_csum_replace(). NAT64 eBPF. GSO (dodgy) GSO/GRO. GSO . flags . . . 0 . long bpf_skb_change_type(struct sk_buff *skb, u32 type) skb. skb->pkt_type type eBPF skb->pkt_type . . skb*s **PACKET_HOST* redirect(..., BPF_F_INGRESS) . type . : PACKET_HOST . PACKET_BROADCAST . PACKET_MULTICAST . PACKET_OTHERHOST . 0 . long bpf_skb_under_cgroup(struct sk_buff *skb, struct bpf_map *map, u32 index) skb cgroup2 map BPF_MAP_TYPE_CGROUP_ARRAY index. : o 0 skb cgroup2. o 1 skb cgroup2. o . u32 bpf_get_hash_recalc(struct sk_buff *skb) skb->hash. . skb->hash. ()bpf_set_hash_invalid ()bpf_skb_change_proto ()bpf_skb_store_bytes BPF_F_INVALIDATE_HASH ()bpf_get_hash_recalc. 32 . u64 bpf_get_current_task(void) . . long bpf_probe_write_user(void *dst, const void *src, u32 len) len src dst . dst . TOC-TOU . . eBPF (PID) . 0 . long bpf_current_task_under_cgroup(struct bpf_map *map, u32 index) cgroup2. cgroup2 map BPF_MAP_TYPE_CGROUP_ARRAY index. : o 1 cgroup2. o 0 cgroup2. o . long bpf_skb_change_tail(struct sk_buff *skb, u32 len, u64 flags) ( ) skb len . flags . eBPF ()bpf_skb_store_bytes ()bpf_l3_csum_replace ()bpf_l3_csum_replace . . : (linearize) (unclone) (offloads) skb . . . 0 . long bpf_skb_pull_data(struct sk_buff *skb, u32 len) skb len . len skb . len skb . . ( skb->data_end) skb. . ()bpf_skb_load_bytes . bpf_skb_pull_data . skb . (verifier) (prologue) ()bpf_skb_pull_data skb . . . 0 . s64 bpf_csum_update(struct sk_buff *skb, __wsum csum) csum skb->csum . . ()bpf_csum_diff . . void bpf_set_hash_invalid(struct sk_buff *skb) skb->hash . ()bpf_get_hash_recalc. void. long bpf_get_numa_node_id(void) NUMA . NUMA SO_ATTACH_REUSEPORT_EBPF ( socket(7)) eBPF ()bpf_get_smp_processor_id. NUMA . long bpf_skb_change_head(struct sk_buff *skb, u32 len, u64 flags) (headroom) skb MAC len . . skb 3 MAC 2. flags . . . 0 . long bpf_xdp_adjust_head(struct xdp_buff *xdp_md, int delta) () xdp_md->data delta . delta. . . . 0 . long bpf_probe_read_str(void *dst, u32 size, const void *unsafe_ptr) NUL unsafe_ptr dst. ()bpf_probe_read_kernel_str . ()bpf_probe_read_user_str ()bpf_probe_read_kernel_str . NUL . . u64 bpf_get_socket_cookie(struct sk_buff *skb) struct sk_buff skb ( ) . . . . 8 0 skb. u64 bpf_get_socket_cookie(struct bpf_sock_addr *ctx) ()bpf_get_socket_cookie skb struct bpf_sock_addr. 8 . u64 bpf_get_socket_cookie(struct bpf_sock_ops *ctx) ()bpf_get_socket_cookie skb struct bpf_sock_ops. 8 . u64 bpf_get_socket_cookie(struct sock *sk) ()bpf_get_socket_cookie sk BTF struct sock. . 8 0 sk (NULL). u32 bpf_get_socket_uid(struct sk_buff *skb) (UID) skb. (UID) skb. NULL ( ) overflowuid ( overflowuid UID ). long bpf_set_hash(struct sk_buff *skb, u32 hash) skb ( skb->hash) hash. 0 long bpf_setsockopt(void *bpf_socket, int level, int optname, void *optval, int optlen) ()setsockopt bpf_socket . (level) optname (2)setsockopt . optval optlen. bpf_socket : o struct bpf_sock_ops BPF_PROG_TYPE_SOCK_OPS. o struct bpf_sock_addr BPF_CGROUP_INET4_CONNECT BPF_CGROUP_INET6_CONNECT BPF_CGROUP_UNIX_CONNECT. ()setsockopt. (levels) : o SOL_SOCKET optname : SO_RCVBUF SO_SNDBUF SO_MAX_PACING_RATE SO_PRIORITY SO_RCVLOWAT SO_MARK SO_BINDTODEVICE SO_KEEPALIVE SO_REUSEADDR SO_REUSEPORT SO_BINDTOIFINDEX SO_TXREHASH. o IPPROTO_TCP optname : TCP_CONGESTION TCP_BPF_IW TCP_BPF_SNDCWND_CLAMP TCP_SAVE_SYN TCP_KEEPIDLE TCP_KEEPINTVL TCP_KEEPCNT TCP_SYNCNT TCP_USER_TIMEOUT TCP_NOTSENT_LOWAT TCP_NODELAY TCP_MAXSEG TCP_WINDOW_CLAMP TCP_THIN_LINEAR_TIMEOUTS TCP_BPF_DELACK_MAX TCP_BPF_RTO_MIN TCP_BPF_SOCK_OPS_CB_FLAGS. o IPPROTO_IP optname IP_TOS. o IPPROTO_IPV6 optname : IPV6_TCLASS IPV6_AUTOFLOWLABEL. 0 . long bpf_skb_adjust_room(struct sk_buff *skb, s32 len_diff, u32 mode, u64 flags) skb len_diff (mode) . (offloaded) skb CHECKSUM_NONE. : o BPF_F_ADJ_ROOM_NO_CSUM_RESET: skb CHECKSUM_NONE. : o BPF_ADJ_ROOM_MAC: MAC ( 2 3). o BPF_ADJ_ROOM_NET: ( 3 4). : o BPF_F_ADJ_ROOM_FIXED_GSO: gso_size. mss (datagrams). o BPF_F_ADJ_ROOM_ENCAP_L3_IPV4 BPF_F_ADJ_ROOM_ENCAP_L3_IPV6: . skb . o BPF_F_ADJ_ROOM_ENCAP_L4_GRE BPF_F_ADJ_ROOM_ENCAP_L4_UDP: ENCAP_L3 . o BPF_F_ADJ_ROOM_ENCAP_L2(len): ENCAP_L3/L4 len MAC . o BPF_F_ADJ_ROOM_ENCAP_L2_ETH: BPF_F_ADJ_ROOM_ENCAP_L2 2 . o BPF_F_ADJ_ROOM_DECAP_L3_IPV4 BPF_F_ADJ_ROOM_DECAP_L3_IPV6: IP IP . IP . . . 0 . long bpf_redirect_map(struct bpf_map *map, u64 key, u64 flags) map key. map ( ) ( XDP XDP ( ) ). flags . XDP XDP_TX . flags BPF_F_BROADCAST BPF_F_EXCLUDE_INGRESS . BPF_F_BROADCAST BPF_F_EXCLUDE_INGRESS (ingress) . ()bpf_redirect ifindex . XDP_REDIRECT flags . long bpf_sk_redirect_map(struct sk_buff *skb, struct bpf_map *map, u32 key, u64 flags) map ( BPF_MAP_TYPE_SOCKMAP) key. (ingress) (egress) . BPF_F_INGRESS flags ( ). . SK_PASS SK_DROP . long bpf_sock_map_update(struct bpf_sock_ops *skops, struct bpf_map *map, void *key, u64 flags) map . skops key. flags : BPF_NOEXIST key . BPF_EXIST key . BPF_ANY key. map eBPF ( ) . eBPF . 0 . long bpf_xdp_adjust_meta(struct xdp_buff *xdp_md, int delta) xdp_md->data_meta delta ( ). xdp_md->data . xdp_md->data_meta . XDP ( DoS) (meta data) eBPF (ingress) TC . TC (socket buffers) mark priority XDP. (scratch space) . . . 0 . long bpf_perf_event_read_value(struct bpf_map *map, u64 flags, struct bpf_perf_event_value *buf, u32 buf_size) (perf event counter) buf buf_size. map BPF_MAP_TYPE_PERF_EVENT_ARRAY. map . map (CPUs) . flags BPF_F_INDEX_MASK. flags BPF_F_CURRENT_CPU . bpf_perf_event_read() buf. : ( buf->enabled buf->running ) . bpf_perf_event_read_value() bpf_perf_event_read() ABI . (PMU) . PMU (multiplex) ( ) PMU. . . (normalize) . . normalized_counter = counter * t_enabled / t_running t_enabled t_running . . eBPF (CPU id) ( perf) eBPF. 0 . long bpf_perf_prog_read_value(struct bpf_perf_event_data *ctx, struct bpf_perf_event_value *buf, u32 buf_size) eBPF ctx buf buf_size. ( bpf_perf_event_read_value() ). 0 . long bpf_getsockopt(void *bpf_socket, int level, int optname, void *optval, int optlen) getsockopt() bpf_socket . (level) optname getsockopt(2) . opval optlen. bpf_socket : o struct bpf_sock_ops BPF_PROG_TYPE_SOCK_OPS. o struct bpf_sock_addr BPF_CGROUP_INET4_CONNECT BPF_CGROUP_INET6_CONNECT BPF_CGROUP_UNIX_CONNECT. getsockopt(). optname bpf_setsockopt(). TCP_BPF_* bpf_setsockopt() TCP_SAVED_SYN bpf_getsockopt() . 0 . long bpf_override_return(struct pt_regs *regs, u64 rc) kprobes rc. regs kprobe. PC ( ) . . . . CONFIG_BPF_KPROBE_OVERRIDE ALLOW_ERROR_INJECTION . 0 long bpf_sock_ops_cb_flags_set(struct bpf_sock_ops *bpf_sock, int argval) bpf_sock_ops_cb_flags TCP bpf_sock_ops argval. eBPF BPF_PROG_TYPE_SOCK_OPS TCP. . eBPF (callback) . argval : o BPF_SOCK_OPS_RTO_CB_FLAG ( ) o BPF_SOCK_OPS_RETRANS_CB_FLAG ( ) o BPF_SOCK_OPS_STATE_CB_FLAG ( TCP) o BPF_SOCK_OPS_RTT_CB_FLAG ( RTT) . RTO: bpf_sock_ops_cb_flags_set(bpf_sock, bpf_sock->bpf_sock_ops_cb_flags & ~BPF_SOCK_OPS_RTO_CB_FLAG) eBPF: o RTO. o . o . o . o . -EINVAL TCP ( 0 ). long bpf_msg_redirect_map(struct sk_msg_buff *msg, struct bpf_map *map, u32 key, u64 flags) . msg ( eBPF SK_PASS) map ( BPF_MAP_TYPE_SOCKMAP) key. (ingress) (egress) . BPF_F_INGRESS flags ( ). . SK_PASS SK_DROP . long bpf_msg_apply_bytes(struct sk_msg_buff *msg, u32 bytes) eBPF bytes ( ) msg. : o sendmsg() sendfile() eBPF . o eBPF bytes msg. eBPF . eBPF BPF bytes . bytes sendmsg() sendfile() bytes eBPF bytes + 1. bytes eBPF sendmsg() sendfile() bytes. bytes . 0 long bpf_msg_cork_bytes(struct sk_msg_buff *msg, u32 bytes) eBPF msg bytes ( ). sendmsg() sendfile(). sendmsg() 1 . . eBPF bytes eBPF bytes . 0 long bpf_msg_pull_data(struct sk_msg_buff *msg, u32 start, u32 end, u64 flags) msg msg->data msg->data_end start end msg . BPF_PROG_TYPE_SK_MSG msg (data, data_end) . sendmsg() (scatterlist) . sendpage ( sendfile()) (0, 0) ( ) eBPF. . ( ). . . flags . 0 . long bpf_bind(struct bpf_sock_addr *ctx, struct sockaddr *addr, int addr_len) ctx addr addr_len. IP cgroup IP IP . IPv4 IPv6 TCP UDP. (addr->sa_family) AF_INET ( AF_INET6). (sin_port sin6_port) IP_BIND_ADDRESS_NO_PORT (4-tuple) . . 0 . long bpf_xdp_adjust_tail(struct xdp_buff *xdp_md, int delta) () xdp_md->data_end delta . . delta . . . 0 . long bpf_skb_get_xfrm_state(struct sk_buff *skb, u32 index, struct bpf_xfrm_state *xfrm_state, u32 size, u64 flags) XFRM ( IP ip-xfrm(8)) index " " XFRM skb. struct bpf_xfrm_state xfrm_state size. flags . CONFIG_XFRM. 0 . long bpf_get_stack(void *ctx, void *buf, u32 size, u64 flags) bpf. ctx . (stacktrace) bpf buf size . flags ( 0 255) BPF_F_SKIP_FIELD_MASK. : BPF_F_USER_STACK . BPF_F_USER_BUILD_ID (build_id file_offset) ips BPF_F_USER_STACK . file_offset vma ip. . (sh_addr - sh_offset) sh_{addr,offset} file_offset st_value . bpf_get_stack() PERF_MAX_STACK_DEPTH . sysctl ( Java). : # sysctl kernel.perf_event_max_stack=< > buf size . long bpf_skb_load_bytes_relative(const void *skb, u32 offset, void *to, u32 len, u32 start_header) bpf_skb_load_bytes() len offset skb to. bpf_skb_load_bytes() start_header . start_header : BPF_HDR_START_MAC mac skb. BPF_HDR_START_NET skb. " " (direct packet access) skb->data mac " ". 0 . long bpf_fib_lookup(void *ctx, struct bpf_fib_lookup *params, int plen, u32 flags) FIB ( ) params. (neighbor tables) (nexthop). ( FIB ) ipv4_dst ipv6_dst smac mac dmac mac rt_metric (metric) (IPv4/IPv6 ) ifindex FIB. plen . flags : BPF_FIB_LOOKUP_DIRECT FIB. BPF_FIB_LOOKUP_TBID BPF_FIB_LOOKUP_DIRECT. params->tbid fib. BPF_FIB_LOOKUP_OUTPUT (egress) ( ingress). BPF_FIB_LOOKUP_SKIP_NEIGH . params->dmac params->smac . bpf_redirect_neigh() bpf_fib_lookup(). BPF_FIB_LOOKUP_SRC IP params->ipv{4,6}_src . BPF_FIB_LKUP_RET_NO_SRC_ADDR. params->dmac params->smac . BPF_FIB_LOOKUP_MARK (mark) params->mark fib. BPF_FIB_LOOKUP_DIRECT . ctx struct xdp_md XDP struct sk_buff tc cls_act. o < 0 o 0 ( ) o > 0 BPF_FIB_LKUP_RET_ BPF_FIB_LKUP_RET_FRAG_NEEDED MTU params->mtu_result MTU. long bpf_sock_hash_update(struct bpf_sock_ops *skops, struct bpf_map *map, void *key, u64 flags) (sockhash) map . skops key. flags : BPF_NOEXIST key . BPF_EXIST key . BPF_ANY key. map eBPF ( ) . eBPF . 0 . long bpf_msg_redirect_hash(struct sk_msg_buff *msg, struct bpf_map *map, void *key, u64 flags) . msg ( eBPF SK_PASS) map ( BPF_MAP_TYPE_SOCKHASH) key. (ingress) (egress) . BPF_F_INGRESS flags ( ). . SK_PASS SK_DROP . long bpf_sk_redirect_hash(struct sk_buff *skb, struct bpf_map *map, void *key, u64 flags) skb. sk_buff skb ( eBPF SK_PASS) map ( BPF_MAP_TYPE_SOCKHASH) key. (ingress) (egress) . BPF_F_INGRESS flags ( ). . SK_PASS SK_DROP . long bpf_lwt_push_encap(struct sk_buff *skb, u32 type, void *hdr, u32 len) skb . hdr len . type : BPF_LWT_ENCAP_SEG6 IPv6 (struct ipv6_sr_hdr). hdr SRH IPv6 . BPF_LWT_ENCAP_SEG6_INLINE skb IPv6. (struct ipv6_sr_hdr) IPv6. BPF_LWT_ENCAP_IP IP (GRE/GUE/IPIP/). IPv4 IPv6 LWT_BPF_MAX_HEADROOM . skb_is_gso(skb) GRE UDP/GUE. *BPF_LWT_ENCAP_SEG6 BPF BPF_PROG_TYPE_LWT_IN BPF_LWT_ENCAP_IP bpf BPF_PROG_TYPE_LWT_IN BPF_PROG_TYPE_LWT_XMIT. . . 0 . long bpf_lwt_seg6_store_bytes(struct sk_buff *skb, u32 offset, const void *from, u32 len) len from skb offset. TLVs IPv6 . . . 0 . long bpf_lwt_seg6_adjust_srh(struct sk_buff *skb, u32 offset, s32 delta) TLVs IPv6 Segment Routing skb offset delta . (segments). delta () (). . . 0 . long bpf_lwt_seg6_action(struct sk_buff *skb, u32 action, void *param, u32 param_len) IPv6 action skb. param param_len . action : SEG6_LOCAL_ACTION_END_X End.X: . param: struct in6_addr. SEG6_LOCAL_ACTION_END_T End.T: IPv6 . param: int. SEG6_LOCAL_ACTION_END_B6 End.B6: SRv6. param: struct ipv6_sr_hdr. SEG6_LOCAL_ACTION_END_B6_ENCAP End.B6.Encap: SRv6. param: struct ipv6_sr_hdr. . . 0 . long bpf_rc_repeat(void *ctx) (IR) . . NEC IR . ctx lirc . CONFIG_BPF_LIRC_MODE2 "y". 0 long bpf_rc_keydown(void *ctx, u32 protocol, u64 scancode, u32 toggle) scancode toggle protocol . (scancode) rc . . bpf_rc_keydown() bpf_rc_repeat(). (toggle bit) . ctx lirc . protocol ( enum rc_proto ). CONFIG_BPF_LIRC_MODE2 "y". 0 u64 bpf_skb_cgroup_id(struct sk_buff *skb) cgroup v2 skb. bpf_get_cgroup_classid() cgroup v1 . cgroup v2 f_handle 64 . TC CONFIG_SOCK_CGROUP_DATA. 0 . u64 bpf_get_current_cgroup_id(void) cgroup cgroup . 64 cgroup cgroup . void *bpf_get_local_storage(void *map, u64 flags) . map. flags 0 cgroup. BPF BPF . . BPF_ATOMIC . . long bpf_sk_select_reuseport(struct sk_reuseport_md *reuse, struct bpf_map *map, void *key, u64 flags) SO_REUSEPORT map BPF_MAP_TYPE_REUSEPORT_SOCKARRAY. . 0 . u64 bpf_skb_ancestor_cgroup_id(struct sk_buff *skb, int ancestor_level) cgroup v2 cgroup skb ancestor_level. cgroup ancestor_level . ancestor_level == cgroup skb bpf_skb_cgroup_id(). cgroup cgroup skb. bpf_skb_cgroup_id(). 0 . struct bpf_sock *bpf_sk_lookup_tcp(void *ctx, struct bpf_sock_tuple *tuple, u32 tuple_size, u64 netns, u64 flags) TCP tuple netns. NULL bpf_sk_release(). ctx skb ( ). . tuple_size : sizeof(tuple->ipv4) IPv4. sizeof(tuple->ipv6) IPv6. netns 32 ctx. TC skb. . netns 32 ctx. netns 32 . flags . CONFIG_NET. struct bpf_sock NULL . reuseport struct bpf_sock reuse->socks[] . struct bpf_sock *bpf_sk_lookup_udp(void *ctx, struct bpf_sock_tuple *tuple, u32 tuple_size, u64 netns, u64 flags) UDP tuple netns. NULL bpf_sk_release(). ctx skb ( ). . tuple_size : sizeof(tuple->ipv4) IPv4. sizeof(tuple->ipv6) IPv6. netns 32 ctx. TC skb. . netns 32 ctx. netns 32 . flags . CONFIG_NET. struct bpf_sock NULL . reuseport struct bpf_sock reuse->socks[] . long bpf_sk_release(void *sock) sock. sock NULL bpf_sk_lookup_xxx(). 0 . long bpf_map_push_elem(struct bpf_map *map, const void *value, u64 flags) value map. flags : BPF_EXIST / . 0 . long bpf_map_pop_elem(struct bpf_map *map, void *value) map. 0 . long bpf_map_peek_elem(struct bpf_map *map, void *value) map . 0 . long bpf_msg_push_data(struct sk_msg_buff *msg, u32 start, u32 len, u64 flags) len msg start. BPF_PROG_TYPE_SK_MSG msg msg. BPF . ( malloc) BPF BPF . 0 . long bpf_msg_pop_data(struct sk_msg_buff *msg, u32 start, u32 len, u64 flags) len msg start. ENOMEM . . start msg / pop . 0 . long bpf_rc_pointer_rel(void *ctx, s32 rel_x, s32 rel_y) . ctx lirc . CONFIG_BPF_LIRC_MODE2 "y". 0 long bpf_spin_lock(struct bpf_spin_lock *lock) (spinlock) lock . . () bpf_spin_unlock(lock). BPF : o bpf_spin_lock BPF_MAP_TYPE_HASH BPF_MAP_TYPE_ARRAY ( ). o BTF . o BPF (dead locks). o struct bpf_spin_lock . o ( BPF BPF ). o BPF_LD_ABS BPF_LD_IND . o BPF bpf_spin_unlock() . o BPF struct bpf_spin_lock bpf_spin_lock() bpf_spin_unlock(). struct bpf_spin_lock lock; . o bpf_spin_lock() BTF (struct) struct bpf_spin_lock anyname; . . o struct bpf_spin_lock lock 4 . o BPF_MAP_LOOKUP_ELEM bpf_spin_lock . o BPF_MAP_UPDATE_ELEM BPF bpf_spin_lock. o bpf_spin_lock ( ). o bpf_spin_lock (root) . o bpf_spin_lock() (Preemption) ( ). o bpf_spin_lock map-in-map. 0 long bpf_spin_unlock(struct bpf_spin_lock *lock) lock bpf_spin_lock(lock). 0 struct bpf_sock *bpf_sk_fullsock(struct bpf_sock *sk) struct bpf_sock bpf_sock . struct bpf_sock NULL . struct bpf_tcp_sock *bpf_tcp_sock(struct bpf_sock *sk) struct bpf_tcp_sock struct bpf_sock. struct bpf_tcp_sock NULL . long bpf_skb_ecn_set_ce(struct sk_buff *skb) ECN ( ) IP CE ( ) ECT ( ECN). . IPv6 IPv4. 1 CE ( ) 0 . struct bpf_sock *bpf_get_listener_sock(struct bpf_sock *sk) struct bpf_sock TCP_LISTEN. bpf_sk_release() . struct bpf_sock NULL . struct bpf_sock *bpf_skc_lookup_tcp(void *ctx, struct bpf_sock_tuple *tuple, u32 tuple_size, u64 netns, u64 flags) TCP tuple netns. NULL bpf_sk_release(). bpf_sk_lookup_tcp() (timewait) (request). bpf_sk_fullsock() bpf_tcp_sock() . CONFIG_NET. struct bpf_sock NULL . reuseport struct bpf_sock reuse->socks[] . long bpf_tcp_check_syncookie(void *sk, void *iph, u32 iph_len, struct tcphdr *th, u32 th_len) iph th SYN cookie ACK sk. iph IPv4 IPv6 iph_len sizeof(struct iphdr) sizeof(struct ipv6hdr). th TCP th_len TCP ( sizeof(struct tcphdr)). 0 iph th SYN cookie ACK . long bpf_sysctl_get_name(struct bpf_sysctl *ctx, char *buf, size_t buf_len, u64 flags) sysctl /proc/sys/ buf buf_len. NUL . flags ( "net/ipv4/tcp_mem"). BPF_F_SYSCTL_BASE_NAME ( "tcp_mem"). ( NUL ). -E2BIG ( buf ). long bpf_sysctl_get_current_value(struct bpf_sysctl *ctx, char *buf, size_t buf_len) sysctl /proc/sys ( ) buf buf_len. sys_read . NUL . ( NUL ). -E2BIG ( buf ). -EINVAL sysctl -EIO . long bpf_sysctl_get_new_value(struct bpf_sysctl *ctx, char *buf, size_t buf_len) sysctl ( ) buf buf_len. 0. NUL . ( NUL ). -E2BIG ( buf ). -EINVAL sysctl. long bpf_sysctl_set_new_value(struct bpf_sysctl *ctx, const char *buf, size_t buf_len) sysctl buf buf_len. buf sysctl. 0. sysctl . 0 . -E2BIG buf_len . -EINVAL sysctl. long bpf_strtol(const char *buf, size_t buf_len, u64 flags, long *res) buf buf_len res. ( isspace(3)) '-' . flags . 8 10 16 0 strtol(3) . . buf_len. -EINVAL . -ERANGE . long bpf_strtoul(const char *buf, size_t buf_len, u64 flags, unsigned long *res) buf buf_len res. ( isspace(3)). flags . 8 10 16 0 strtoul(3) . . buf_len. -EINVAL . -ERANGE . void *bpf_sk_storage_get(struct bpf_map *map, void *sk, void *value, u64 flags) bpf-local-storage sk. map sk key. bpf_map_lookup_elem(map, &sk) (full socket) BPF_MAP_TYPE_SK_STORAGE . sk map. map "" bpf. "" ( ) bpf sk. sk struct sock LSM. sk struct bpf_sock . flags (BPF_SK_STORAGE_GET_F_CREATE) bpf . value BPF_SK_STORAGE_GET_F_CREATE . value NULL . bpf . NULL bpf . long bpf_sk_storage_delete(struct bpf_map *map, void *sk) bpf sk. 0 . -ENOENT bpf. -EINVAL sk ( request_sock). long bpf_send_signal(u32 sig) sig . (threads) . 0 . -EBUSY nmi . -EINVAL sig . -EPERM sig. -EAGAIN bpf . s64 bpf_tcp_gen_syncookie(void *sk, void *iph, u32 iph_len, struct tcphdr *th, u32 th_len) SYN cookie IP/TCP iph th sk. iph IPv4 IPv6 iph_len sizeof(struct iphdr) sizeof(struct ipv6hdr). th TCP th_len TCP ( sizeof(struct tcphdr)). 32 SYN cookie 16 MSS 16 . : -EINVAL SYN cookie -ENOENT SYN cookie ( SYN flood) -EOPNOTSUPP SYN cookies -EPROTONOSUPPORT IP 4 6 long bpf_skb_output(void *ctx, struct bpf_map *map, u64 flags, void *data, u64 size) data BPF map BPF_MAP_TYPE_PERF_EVENT_ARRAY. : PERF_SAMPLE_RAW sample_type PERF_TYPE_SOFTWARE type PERF_COUNT_SW_BPF_OUTPUT config. flags map BPF_F_INDEX_MASK. flags BPF_F_CURRENT_CPU . size eBPF data. ctx struct sk_buff . bpf_perf_event_output() bpf raw_tracepoint. 0 . long bpf_probe_read_user(void *dst, u32 size, const void *unsafe_ptr) size unsafe_ptr dst. 0 . long bpf_probe_read_kernel(void *dst, u32 size, const void *unsafe_ptr) size unsafe_ptr dst. 0 . long bpf_probe_read_user_str(void *dst, u32 size, const void *unsafe_ptr) NUL unsafe_ptr dst. size NUL . size NUL. size size-1 NUL. NUL . . : SEC("kprobe/sys_open") void bpf_sys_open(struct pt_regs *ctx) { char buf[PATHLEN]; // PATHLEN 256 int res = bpf_probe_read_user_str(buf, sizeof(buf), ctx->di); // buf // bpf_perf_event_output() // res ( ) // . } bpf_probe_read_user() . current->mm->arg_start current->mm->env_start: . NUL . . long bpf_probe_read_kernel_str(void *dst, u32 size, const void *unsafe_ptr) NUL unsafe_ptr dst. bpf_probe_read_user_str(). NUL . . long bpf_tcp_send_ack(void *tp, u32 rcv_nxt) tcp-ack. tp tcp_sock . rcv_nxt ack_seq . 0 . long bpf_send_signal_thread(u32 sig) sig (thread) . 0 . -EBUSY nmi . -EINVAL sig . -EPERM sig. -EAGAIN bpf . u64 bpf_jiffies64(void) jiffies 64 jiffies 64 long bpf_read_branch_records(struct bpf_perf_event_data *ctx, void *buf, u32 size, u64 flags) eBPF perf (struct perf_branch_entry) ctx buf size . buf. . flags BPF_F_GET_BRANCH_RECORDS_SIZE . buf (NULL). -EINVAL size sizeof(struct perf_branch_entry). -ENOENT . long bpf_get_ns_current_pid_tgid(u64 dev, u64 ino, struct bpf_pidns_info *nsdata, u32 size) 0 pid tgid namespace nsdata. 0 : -EINVAL dev inum dev_t inode nsfs dev dev_t . -ENOENT pidns . long bpf_xdp_output(void *ctx, struct bpf_map *map, u64 flags, void *data, u64 size) data BPF map BPF_MAP_TYPE_PERF_EVENT_ARRAY. : PERF_SAMPLE_RAW sample_type PERF_TYPE_SOFTWARE type PERF_COUNT_SW_BPF_OUTPUT config. flags map BPF_F_INDEX_MASK. flags BPF_F_CURRENT_CPU . size eBPF data. ctx struct xdp_buff . bpf_perf_eventoutput() raw_tracepoint bpf. 0 . u64 bpf_get_netns_cookie(void *ctx) ( ) ctx. . ctx (NULL) . bpf_get_socket_cookie() . 8 . u64 bpf_get_current_ancestor_cgroup_id(int ancestor_level) cgroup v2 cgroup ancestor_level. cgroup ancestor_level . ancestor_level cgroup bpf_get_current_cgroup_id(). cgroups cgroup . bpf_get_current_cgroup_id(). 0 . long bpf_sk_assign(struct sk_buff *skb, void *sk, u64 flags) BPF. BPF_PROG_TYPE_SCHED_CLS BPF_PROG_TYPE_SCHED_ACT. sk skb. skb . skb bpf_redirect() bpf_clone_redirect() BPF . (ingress) TC. flags . 0 : -EINVAL flags . -ENOENT . -ENETUNREACH ( ). -EOPNOTSUPP TC. long bpf_sk_assign(struct bpf_sk_lookup *ctx, struct bpf_sock *sk, u64 flags) BPF. BPF_PROG_TYPE_SK_LOOKUP. sk . ctx. L4 (IPPROTO_TCP IPPROTO_UDP) . (AF_INET AF_INET6) IPv6 v6-only IPv4. TCP UDP . sk (NULL) . flags : o BPF_SK_LOOKUP_F_REPLACE BPF . o BPF_SK_LOOKUP_F_NO_REUSEPORT reuseport . ctx->sk . 0 . o -EAFNOSUPPORT (sk->family) (ctx->family). o -EEXIST BPF_SK_LOOKUP_F_REPLACE. o -EINVAL . o -EPROTOTYPE L4 (sk->protocol) (ctx->protocol). o -ESOCKTNOSUPPORT (TCP UDP ). u64 bpf_ktime_get_boot_ns(void) . . : clock_gettime(CLOCK_BOOTTIME) ktime . long bpf_seq_printf(struct seq_file *m, const char *fmt, u32 fmt_size, const void *data, u32 data_len) bpf_seq_printf() seq_printf() seq_file . m seq_file. fmt fmt_size . data data_len . data u64 . data. data_len data - 8. %s %p{i,I}{4,6} . . %s ip %p{i,I}{4,6} 0. bpf bpf_trace_printk() . 0 : -EBUSY 1 bpf. -EINVAL fmt / . -E2BIG fmt . -EOVERFLOW : . long bpf_seq_write(struct seq_file *m, const void *data, u32 len) bpf_seq_write() seq_write() seq_file . m seq_file. data len . 0 : -EOVERFLOW : . u64 bpf_sk_cgroup_id(void *sk) cgroup v2 sk. sk (non-NULL) bpf_sk_lookup_xxx() bpf_sk_fullsock() . bpf_skb_cgroup_id(). CONFIG_SOCK_CGROUP_DATA. 0 . u64 bpf_sk_ancestor_cgroup_id(void *sk, int ancestor_level) cgroup v2 cgroup sk ancestor_level. cgroup ancestor_level . ancestor_level cgroup sk bpf_sk_cgroup_id(). cgroups cgroup sk. bpf_sk_cgroup_id(). 0 . long bpf_ringbuf_output(void *ringbuf, void *data, u64 size, u64 flags) size data ringbuf. BPF_RB_NO_WAKEUP flags . BPF_RB_FORCE_WAKEUP flags . 0 flags . . . 0 . void *bpf_ringbuf_reserve(void *ringbuf, u64 size, u64 flags) size ringbuf. flags 0. size NULL. void bpf_ringbuf_submit(void *data, u64 flags) data. BPF_RB_NO_WAKEUP flags . BPF_RB_FORCE_WAKEUP flags . 0 flags . 'bpf_ringbuf_output()' . . . void bpf_ringbuf_discard(void *data, u64 flags) data. BPF_RB_NO_WAKEUP flags . BPF_RB_FORCE_WAKEUP flags . 0 flags . 'bpf_ringbuf_output()' . . . u64 bpf_ringbuf_query(void *ringbuf, u64 flags) . flags: o BPF_RB_AVAIL_DATA: . o BPF_RB_RING_SIZE: . o BPF_RB_CONS_POS: ( ). o BPF_RB_PROD_POS: () ( ). 100%. 0 flags. long bpf_csum_level(struct sk_buff *skb, u64 level) skb . : TCP UDP GRE SCTP FCOE. | ETH | IP | UDP | GUE | IP | TCP | | ETH | IP | TCP | bpf_skb_adjust_room() BPF_F_ADJ_ROOM_NO_CSUM_RESET bpf_csum_level() BPF_CSUM_LEVEL_DEC UDP. bpf_csum_level() BPF_CSUM_LEVEL_INC skb tc. : o BPF_CSUM_LEVEL_INC: skb->csum_level skbs CHECKSUM_UNNECESSARY. o BPF_CSUM_LEVEL_DEC: skb->csum_level skbs CHECKSUM_UNNECESSARY. o BPF_CSUM_LEVEL_RESET: skb->csum_level 0 CHECKSUM_NONE . o BPF_CSUM_LEVEL_QUERY: skb->csum_level . 0 . BPF_CSUM_LEVEL_QUERY skb->csum_level -EACCES skb CHECKSUM_UNNECESSARY. struct tcp6_sock *bpf_skc_to_tcp6_sock(void *sk) sk tcp6_sock. sk NULL. struct tcp_sock *bpf_skc_to_tcp_sock(void *sk) sk tcp_sock. sk NULL. struct tcp_timewait_sock *bpf_skc_to_tcp_timewait_sock(void *sk) sk tcp_timewait_sock. sk NULL. struct tcp_request_sock *bpf_skc_to_tcp_request_sock(void *sk) sk tcp_request_sock. sk NULL. struct udp6_sock *bpf_skc_to_udp6_sock(void *sk) sk udp6_sock. sk NULL. long bpf_get_task_stack(struct task_struct *task, void *buf, u32 size, u64 flags) bpf. : task -EOPNOTSUPP. task struct task_struct. (stacktrace) bpf buf size . flags ( 0 255) BPF_F_SKIP_FIELD_MASK. : BPF_F_USER_STACK . task . BPF_F_USER_BUILD_ID buildid+offset ips BPF_F_USER_STACK . bpf_get_task_stack() PERF_MAX_STACK_DEPTH . sysctl ( Java). : # sysctl kernel.perf_event_max_stack=< > buf size . long bpf_load_hdr_opt(struct bpf_sock_ops *skops, void *searchby_res, u32 len, u64 flags) . TCP bpf (BPF_PROG_TYPE_SOCK_OPS). flags 0 skops->skb_data. struct bpf_sock_ops skb_data skops->op . searchby_res . ( 253 254 RFC6994) "magic" 2 4 . magic "kind-length" TCP "kind-length" "kind" "kind-length" TCP . 254 magic 2 0xeB9F searchby_res [ 254, 4, 0xeB, 0x9F, 0, 0, .... 0 ]. (3) searchby_res [ 3, 0, 0, .... 0 ]. kind-length . No-Op (0) End-of-Option-List (1) . len . : o BPF_LOAD_HDR_OPT_TCP_SYN saved_syn syn . > 0 searchby_res. . : -EINVAL . -ENOMSG . -ENOENT syn BPF_LOAD_HDR_OPT_TCP_SYN. -ENOSPC . len . -EFAULT . -EPERM skops->op . long bpf_store_hdr_opt(struct bpf_sock_ops *skops, const void *from, u32 len, u64 flags) . from len TCP. from (kind) (kind-length) . len kind-length . kind-length 4 . (padding) 4 th->doff. skb . BPF_SOCK_OPS_WRITE_HDR_OPT_CB. 0 : -EINVAL . -ENOSPC . . -EEXIST . -EFAULT . -EPERM skops->op . long bpf_reserve_hdr_opt(struct bpf_sock_ops *skops, u32 len, u64 flags) len bpf. bpf_store_hdr_opt() BPF_SOCK_OPS_WRITE_HDR_OPT_CB. bpf_reserve_hdr_opt() . BPF_SOCK_OPS_HDR_OPT_LEN_CB. 0 : -EINVAL . -ENOSPC . -EPERM skops->op . void *bpf_inode_storage_get(struct bpf_map *map, void *inode, void *value, u64 flags) bpf_local_storage inode. map inode . bpf_map_lookup_elem(map, &inode) inode BPF_MAP_TYPE_INODE_STORAGE. inode map. map "" bpf-local-storage. "" bpf-local-storage ( map) bpf_local_storage inode. flags (BPF_LOCAL_STORAGE_GET_F_CREATE) bpf_local_storage . value BPF_LOCAL_STORAGE_GET_F_CREATE bpf_local_storage. value NULL bpf_local_storage . bpf_local_storage . NULL bpf_local_storage . int bpf_inode_storage_delete(struct bpf_map *map, void *inode) bpf_local_storage inode. 0 . -ENOENT bpf_local_storage. long bpf_d_path(const struct path *path, char *buf, u32 sz) struct path path BTF . buf sz NULL. NUL . . long bpf_copy_from_user(void *dst, u32 size, const void *user_ptr) size user_ptr dst. copy_from_user(). 0 . long bpf_snprintf_btf(char *str, u32 str_size, struct btf_ptr *ptr, u32 btf_ptr_size, u64 flags) BTF ptr->ptr str ptr->type_id. ptr->ptr. LLVM __builtin_btf_type_id(type, 1) BTF vmlinux. BTF str_size - 1 str. . . bpf_perf_event_output() (ring buffer). bpf_trace_printk() . flags BTF_F_COMPACT BTF_F_NONAME struct/union BTF_F_PTR_RAW ( ) printk %px. BTF_F_ZERO struct/union ( ) . long bpf_seq_printf_btf(struct seq_file *m, struct btf_ptr *ptr, u32 ptr_size, u64 flags) BTF seq_write ptr->ptr ptr->type_id bpf_snprintf_btf(). flags bpf_snprintf_btf. 0 . u64 bpf_skb_cgroup_classid(struct sk_buff *skb) bpf_get_cgroup_classid() . bpf_get_cgroup_classid() net_cls cgroup v1 skb . 0 . long bpf_redirect_neigh(u32 ifindex, struct bpf_redir_neigh *params, int plen, u64 flags) ifindex L2 . bpf_redirect() L2 L2 (nexthop). FIB skb params. plen params 0 params NULL. flags 0. tc BPF IPv4 IPv6. TC_ACT_REDIRECT TC_ACT_SHOT . void *bpf_per_cpu_ptr(const void *percpu_ptr, u32 cpu) ksym percpu_ptr cpu. ksym (extern) '__ksym'. ksym ( ) . ksym . cpu. bpf_per_cpu_ptr() per_cpu_ptr() bpf_per_cpu_ptr() NULL. cpu nr_cpu_ids. bpf_per_cpu_ptr() . cpu NULL cpu . void *bpf_this_cpu_ptr(const void *percpu_ptr) ksym percpu_ptr . 'ksym' bpf_per_cpu_ptr(). bpf_this_cpu_ptr() this_cpu_ptr() . bpf_per_cpu_ptr() NULL . . long bpf_redirect_peer(u32 ifindex, u64 flags) ifindex. bpf_redirect() (peer) ifindex (netns) (ingress) (backlog queue) . skb->mark skb->tstamp netns. flags 0. tc BPF (ingress hook) veth netkit. . TC_ACT_REDIRECT TC_ACT_SHOT . void *bpf_task_storage_get(struct bpf_map *map, struct task_struct *task, void *value, u64 flags) bpf_local_storage task. map task . bpf_map_lookup_elem(map, &task) task_struct BPF_MAP_TYPE_TASK_STORAGE. task map. map "" bpf-local-storage. "" bpf-local-storage ( map) bpf_local_storage task. flags (BPF_LOCAL_STORAGE_GET_F_CREATE) bpf_local_storage . value BPF_LOCAL_STORAGE_GET_F_CREATE bpf_local_storage. value NULL bpf_local_storage . bpf_local_storage . NULL bpf_local_storage . long bpf_task_storage_delete(struct bpf_map *map, struct task_struct *task) bpf_local_storage task. 0 . -ENOENT bpf_local_storage. struct task_struct *bpf_get_current_task_btf(void) BTF "". ARG_PTR_TO_BTF_ID task_struct. . long bpf_bprm_opts_set(struct linux_binprm *bprm, u64 flags) bprm: BPF_F_BPRM_SECUREEXEC (secureexec) AT_SECURE auxv glibc. . -EINVAL flags . u64 bpf_ktime_get_coarse_ns(void) . . : clock_gettime(CLOCK_MONOTONIC_COARSE) ktime . long bpf_ima_inode_hash(struct inode *inode, void *dst, u32 size) IMA inode ( ). size size dst hash_algo -EOPNOTSUPP IMA -EINVAL . struct socket *bpf_sock_from_file(struct file *file) . struct socket NULL . long bpf_check_mtu(void *ctx, u32 ifindex, u32 *mtu_len, s32 len_diff, u64 flags) (MTU) ( ifindex). / . len_diff . MTU (ctx) . len_diff ( ) MTU . BPF . ifindex MTU . . mtu_len BPF. mtu_len (ctx). mtu_len (L3) MTU . XDP TC (L2) L3 MTU IP-header tot_len L3 ( bpf_fib_lookup). MTU . MTU bpf_fib_lookup(). ctx struct xdp_md XDP struct sk_buff tc cls_act. flags : BPF_MTU_CHK_SEGS ctx struct sk_buff. ( GSO skb) MTU skb ( ). MTU MTU . len_diff. mtu_len MTU . MTU L3 XDP TC L2. MTU BPF . o 0 MTU mtu_len. o 0 ( mtu_len) MTU MTU mtu_len PMTU: o BPF_MTU_CHK_RET_FRAG_NEEDED o BPF_MTU_CHK_RET_SEGS_TOOBIG long bpf_for_each_map_elem(struct bpf_map *map, void *callback_fn, void *callback_ctx, u64 flags) map callback_fn map callback_ctx . callback_fn callback_ctx . flags . flags . : BPF_MAP_TYPE_HASH, BPF_MAP_TYPE_PERCPU_HASH, BPF_MAP_TYPE_LRU_HASH, BPF_MAP_TYPE_LRU_PERCPU_HASH, BPF_MAP_TYPE_ARRAY, BPF_MAP_TYPE_PERCPU_ARRAY long (*callback_fn)(struct bpf_map *map, const void *key, void *value, void *ctx); per_cpu map_value bpf_prog. callback_fn 0 . 1 . . -EINVAL flags . long bpf_snprintf(char *str, u32 str_size, const char *fmt, u64 *data, u32 data_len) str str_size fmt. fmt u64 data. data. data_len data - 8. %s %p{i,I}{4,6} . . %s ip %p{i,I}{4,6} 0. bpf bpf_trace_printk() . . str_size str str_size . -EBUSY per-CPU . long bpf_sys_bpf(u32 cmd, void *attr, u32 attr_size) bpf . . long bpf_btf_find_by_name_kind(char *name, int name_sz, u32 kind, int flags) BTF vmlinux BTF BTFs . btf_id btf_obj_fd 32 . long bpf_sys_close(u32 fd) FD . . long bpf_timer_init(struct bpf_timer *timer, struct bpf_map *map, u64 flags) . 4 flags clockid. CLOCK_MONOTONIC CLOCK_REALTIME CLOCK_BOOTTIME. flags . timer map. 0 . -EBUSY timer . -EINVAL flags . -EPERM . bpffs. . long bpf_timer_set_callback(struct bpf_timer *timer, void *callback_fn) callback_fn . 0 . -EINVAL timer bpf_timer_init() . -EPERM . bpffs. . long bpf_timer_start(struct bpf_timer *timer, u64 nsecs, u64 flags) N . (soft irq) bpf_timer_start() . . struct bpf_timer . bpf_timer_set_callback() (refcnt) BPF callback_fn . . Ctrl-C . bpffs callback_fn . bpf_map_update/delete_elem() sys_bpf . callback_fn . callback_fn / . bpf_timer_set_callback() callback_fn . flags : BPF_F_TIMER_ABS . BPF_F_TIMER_CPU_PIN . 0 . -EINVAL timer bpf_timer_init() flags . long bpf_timer_cancel(struct bpf_timer *timer) callback_fn . 0 . 1 . -EINVAL timer bpf_timer_init() . -EDEADLK callback_fn bpf_timer_cancel() (deadlock) . u64 bpf_get_func_ip(void *ctx) ( kprobe). kprobe uprobe uprobe . kprobe. kprobes ( ). uprobe return uprobe. u64 bpf_get_attach_cookie(void *ctx) bpf_cookie () . BPF . BPF ctx. : o kprobe/uprobe o tracepoint o perf_event. BPF/ 0 . long bpf_task_pt_regs(struct task_struct *task) struct pt_regs task. struct pt_regs. long bpf_get_branch_snapshot(void *entries, u32 size, u64 flags) Intel LBR. . . BPF BPF. struct perf_branch_entry entries. size entries . flags . buf. . -EINVAL flags . -ENOENT . long bpf_trace_vprintk(const char *fmt, u32 fmt_size, const void *data, u32 data_len) bpf_trace_printk() u64 . bpf_seq_printf(). . struct unix_sock *bpf_skc_to_unix_sock(void *sk) sk unix_sock. sk NULL. long bpf_kallsyms_lookup_name(const char *name, int name_sz, int flags, u64 *res) res. res 0 . . . -EINVAL flags . -EINVAL name name_sz. -ENOENT . -EPERM . long bpf_find_vma(struct task_struct *task, u64 addr, void *callback_fn, void *callback_ctx, u64 flags) vma task addr callback_fn task vma callback_ctx. callback_fn callback_ctx . flags . flags . long (*callback_fn)(struct task_struct *task, struct vm_area_struct *vma, void *callback_ctx); 0 . -ENOENT task->mm NULL vma addr. -EBUSY mmap_lock. -EINVAL flags . long bpf_loop(u32 nr_loops, void *callback_fn, void *callback_ctx, u64 flags) nr_loops callback_fn callback_ctx . callback_fn callback_ctx . flags . flags . nr_loops 1 << 23 ( 8 ) . long (*callback_fn)(u64 index, void *ctx); index . . callback_fn 0 . 1 . . -EINVAL flags -E2BIG nr_loops . long bpf_strncmp(const char *s1, u32 s1_sz, const char *s2) strncmp() s1 s2. s1 null s1_sz s1. s2 . s1_sz s1 s2. long bpf_get_func_arg(void *ctx, u32 n, u64 *value) n ( ) ( ) value. 0 . -EINVAL n >= . long bpf_get_func_ret(void *ctx, u64 *value) ( ) value. 0 . -EOPNOTSUPP BPF_TRACE_FEXIT BPF_MODIFY_RETURN. long bpf_get_func_arg_cnt(void *ctx) ( ) . . int bpf_get_retval(void) BPF . cgroup (hooks) BPF errno. BPF. int bpf_set_retval(int retval) BPF . cgroup (hooks) BPF errno. bpf_set_retval 'return 1': bpf_set_retval(-EPERM); return 1; BPF -EPERM. cgroup/bind{4,6} 'return 3'. 0 . u64 bpf_xdp_get_buff_len(struct xdp_buff *xdp_md) xdp ( ) xdp . long bpf_xdp_load_bytes(struct xdp_buff *xdp_md, u32 offset, void *buf, u32 len) xdp. len offset xdp_md buf. 0 . long bpf_xdp_store_bytes(struct xdp_buff *xdp_md, u32 offset, void *buf, u32 len) len buf xdp_md offset. 0 . long bpf_copy_from_user_task(void *dst, u32 size, const void *user_ptr, struct task_struct *tsk, u64 flags) size user_ptr tsk dst. flags . . 0 . dst. long bpf_skb_set_tstamp(struct sk_buff *skb, u64 tstamp, u32 tstamp_type) __sk_buff->tstamp_type tstamp_type tstamp __sk_buff->tstamp . __sk_buff->tstamp_type tstamp __sk_buff->tstamp . BPF_SKB_TSTAMP_DELIVERY_MONO bpf_redirect_*(). tstamp tstamp_type BPF_SKB_TSTAMP_DELIVERY_MONO. BPF_SKB_TSTAMP_UNSPEC tstamp_type tstamp . skb->protocol IPv4 IPv6 . (mono) __sk_buff->tstamp bpf_redirect_*() (egress) . () __sk_buff->tstamp bpf_redirect_*() . 0 . -EINVAL -EOPNOTSUPP . long bpf_ima_file_hash(struct file *file, void *dst, u32 size) (hash) IMA file. size size dst hash_algo -EOPNOTSUPP -EINVAL . void *bpf_kptr_xchg(void *dst, void *ptr) kptr dst ptr . dst kptr . ptr NULL . kptr ( NULL). NULL BPF . void *bpf_map_lookup_percpu_elem(struct bpf_map *map, const void *key, u32 cpu) percpu map key cpu. key cpu NULL cpu . struct mptcp_sock *bpf_skc_to_mptcp_sock(void *sk) (cast) sk mptcp_sock. sk NULL. long bpf_dynptr_from_mem(void *data, u64 size, u64 flags, struct bpf_dynptr *ptr) dynptr data. data . size DYNPTR_MAX_SIZE. flags . 0 -E2BIG DYNPTR_MAX_SIZE -EINVAL 0. long bpf_ringbuf_reserve_dynptr(void *ringbuf, u32 size, u64 flags, struct bpf_dynptr *ptr) size ringbuf dynptr. flags 0. bpf_ringbuf_submit_dynptr bpf_ringbuf_discard_dynptr ptr . (verifier). 0 . void bpf_ringbuf_submit_dynptr(struct bpf_dynptr *ptr, u64 flags) data dynptr. dynptr NULL. flags 'bpf_ringbuf_submit'. . . void bpf_ringbuf_discard_dynptr(struct bpf_dynptr *ptr, u64 flags) dynptr. dynptr NULL. flags 'bpf_ringbuf_discard'. . . long bpf_dynptr_read(void *dst, u64 len, const struct bpf_dynptr *src, u64 offset, u64 flags) len src dst offset src. flags . 0 -E2BIG offset + len src -EINVAL src dynptr flags 0. long bpf_dynptr_write(const struct bpf_dynptr *dst, u64 offset, void *src, u64 len, u64 flags) len src dst offset dst. flags 0 dynptrs skb. dynptrs skb: o dynptr bpf_dynptr_write(). skb . o flags bpf_skb_store_bytes(). 0 -E2BIG offset + len dst -EINVAL dst dynptr dst dynptr flags . dynptrs skb bpf_skb_store_bytes(). void *bpf_dynptr_data(const struct bpf_dynptr *ptr, u64 offset, u64 len) dynptr . len . dynptr. dynptrs skb xdp bpf_dynptr_data. bpf_dynptr_slice bpf_dynptr_slice_rdwr . dynptr NULL dynptr dynptr . s64 bpf_tcp_raw_gen_syncookie_ipv4(struct iphdr *iph, struct tcphdr *th, u32 th_len) SYN IPv4/TCP iph th . iph IPv4. th TCP th_len TCP ( sizeof(struct tcphdr)). 32 SYN cookie 16 MSS 16 . : -EINVAL th_len . s64 bpf_tcp_raw_gen_syncookie_ipv6(struct ipv6hdr *iph, struct tcphdr *th, u32 th_len) SYN IPv6/TCP iph th . iph IPv6. th TCP th_len TCP ( sizeof(struct tcphdr)). 32 SYN cookie 16 MSS 16 . : -EINVAL th_len . -EPROTONOSUPPORT CONFIG_IPV6 . long bpf_tcp_raw_check_syncookie_ipv4(struct iphdr *iph, struct tcphdr *th) iph th ACK SYN . iph IPv4. th TCP. 0 iph th ACK SYN. : -EACCES SYN . long bpf_tcp_raw_check_syncookie_ipv6(struct ipv6hdr *iph, struct tcphdr *th) iph th ACK SYN . iph IPv6. th TCP. 0 iph th ACK SYN. : -EACCES SYN . -EPROTONOSUPPORT CONFIG_IPV6 . u64 bpf_ktime_get_tai_ns(void) . (NTP) CLOCK_REALTIME. : clock_gettime(CLOCK_TAI) ktime . long bpf_user_ringbuf_drain(struct bpf_map *map, void *callback_fn, void *ctx, u64 flags) : long (*callback_fn)(const struct bpf_dynptr *dynptr, void *ctx); callback_fn 0 BPF_MAX_USER_RINGBUF_SAMPLES . 1 . (verifier). 0 . epoll . BPF_RB_NO_WAKEUP . BPF_RB_FORCE_WAKEUP . : -EBUSY . -EINVAL 8 8 . -E2BIG struct bpf_dynptr. void *bpf_cgrp_storage_get(struct bpf_map *map, struct cgroup *cgroup, void *value, u64 flags) bpf_local_storage cgroup. map cgroup key. bpf_map_lookup_elem(map, &cgroup) cgroup BPF_MAP_TYPE_CGRP_STORAGE. (local-storage) cgroup BPF_MAP_TYPE_CGRP_STORAGE. map cgroup O(n) cgroup map. flags (BPF_LOCAL_STORAGE_GET_F_CREATE) bpf_local_storage . value BPF_LOCAL_STORAGE_GET_F_CREATE bpf_local_storage. value NULL bpf_local_storage . bpf_local_storage . NULL bpf_local_storage . long bpf_cgrp_storage_delete(struct bpf_map *map, struct cgroup *cgroup) bpf_local_storage cgroup. 0 . -ENOENT bpf_local_storage. eBPF : o samples/bpf/ o tools/testing/selftests/bpf/ eBPF . ( "Dual BSD/GPL"). (GNU GPL). eBPF ( attr) bpf() C : char ____license[] __attribute__((section("license"), used)) = "GPL"; eBPF . BPF . eBPF . . . : o include/uapi/linux/bpf.h BPF . BPF . o net/core/filter.c . o kernel/trace/bpf_trace.c . o kernel/bpf/verifier.c eBPF . o kernel/bpf/ ( cgroups sockmaps ). o bpftool ( ). bpftool feature probe ( bpftool-feature(8) ). unprivileged . . struct bpf_func_proto : . default: switch ... case . GPL struct bpf_func_proto. check_map_func_compatibility() kernel/bpf/verifier.c. data data_end bpf_helper_changes_pkt_data() net/core/filter.c. bpf(2), bpftool(8), cgroups(7), ip(8), perf_event_open(2), sendmsg(2), socket(7), tc-bpf(8) 3 . . : . v7.0 27 2025 BPF-HELPERS(7)