|
| typedef ebpf_result_t(* | _ebpf_extension_dispatch_function) () |
| |
| typedef uint64_t | epoch_state_t[4] |
| |
| typedef struct _ebpf_extension_dispatch_table | ebpf_extension_dispatch_table_t |
| |
| typedef ebpf_result_t(* | ebpf_program_invoke_function_t) (const void *extension_client_binding_context, _Inout_ void *program_context, uint32_t *result) |
| | Invoke the eBPF program.
|
| |
| typedef ebpf_result_t(* | ebpf_program_batch_begin_invoke_function_t) (size_t state_size, _Out_writes_(state_size) void *state) |
| | Prepare the eBPF program for batch invocation.
|
| |
| typedef ebpf_result_t(* | ebpf_program_batch_invoke_function_t) (const void *extension_client_binding_context, _Inout_ void *program_context, uint32_t *result, const void *state) |
| | Invoke the eBPF program in batch mode.
|
| |
| typedef ebpf_result_t(* | ebpf_program_batch_end_invoke_function_t) (_Inout_ void *state) |
| | Clean up the eBPF program after batch invocation.
|
| |
| typedef enum _ebpf_link_dispatch_table_version | ebpf_link_dispatch_table_version_t |
| |
| typedef struct _ebpf_extension_program_dispatch_table | ebpf_extension_program_dispatch_table_t |
| |
| typedef struct _ebpf_extension_data | ebpf_extension_data_t |
| |
| typedef struct _ebpf_attach_provider_data | ebpf_attach_provider_data_t |
| |
| typedef struct _ebpf_execution_context_state | ebpf_execution_context_state_t |
| |
| typedef ebpf_result_t(* | ebpf_preprocess_map_create_t) (void *binding_context, uint32_t map_type, uint32_t key_size, uint32_t value_size, uint32_t max_entries, uint32_t *actual_value_size, void **map_context) |
| | Process map creation notification.
|
| |
| typedef void(* | ebpf_postprocess_map_delete_t) (void *binding_context, void *map_context) |
| | Process a map delete notification.
|
| |
| typedef ebpf_result_t(* | ebpf_postprocess_map_find_element_t) (void *binding_context, void *map_context, size_t key_size, _In_reads_opt_(key_size) const uint8_t *key, size_t in_value_size, _In_reads_(in_value_size) const uint8_t *in_value, size_t out_value_size, _Out_writes_opt_(out_value_size) uint8_t *out_value, uint32_t flags) |
| | Post-process a found element in a provider-backed map (called after the core lookup).
|
| |
| typedef ebpf_result_t(* | ebpf_preprocess_map_update_element_t) (void *binding_context, void *map_context, size_t key_size, _In_reads_opt_(key_size) const uint8_t *key, size_t in_value_size, _In_reads_(in_value_size) const uint8_t *in_value, size_t out_value_size, _Out_writes_opt_(out_value_size) uint8_t *out_value, uint32_t flags) |
| | Pre-process an element update in a provider-backed map (called before the core update).
|
| |
| typedef ebpf_result_t(* | ebpf_preprocess_map_delete_element_t) (void *binding_context, void *map_context, size_t key_size, _In_reads_opt_(key_size) const uint8_t *key, size_t value_size, _In_reads_(value_size) const uint8_t *value, uint32_t flags) |
| | Pre-process an element deletion from a provider-backed map (called before the core delete).
|
| |
| typedef void(* | ebpf_postprocess_map_delete_element_t) (void *binding_context, void *map_context, size_t key_size, _In_reads_opt_(key_size) const uint8_t *key, size_t value_size, _In_reads_(value_size) const uint8_t *value, uint32_t flags) |
| | Post-process an element deletion from a provider-backed map (called after the core delete).
|
| |
| typedef ebpf_result_t(* | ebpf_preprocess_map_associate_program_type_t) (void *binding_context, void *map_context, const ebpf_program_type_t *program_type) |
| | Associate a program type with the map, which allows the map to be used by programs of that type.
|
| |
| typedef struct _ebpf_base_map_provider_properties | ebpf_base_map_provider_properties_t |
| |
| typedef struct _ebpf_map_provider_dispatch_table | ebpf_base_map_provider_dispatch_table_t |
| |
| typedef uint32_t | tag |
| |
| typedef void(* | ebpf_epoch_free_t) (void *memory) |
| | Free memory under epoch control.
|
| |
| typedef void(* | ebpf_epoch_free_cache_aligned_t) (void *pointer) |
| | Free cache aligned memory under epoch control.
|
| |
| typedef void(* | ebpf_epoch_enter_t) (void *epoch_state) |
| | Enter an epoch-protected region.
|
| |
| typedef void(* | ebpf_epoch_exit_t) (void *epoch_state) |
| | Exit an epoch-protected region.
|
| |
| typedef ebpf_result_t(* | ebpf_map_find_element_t) (const void *map, const uint8_t *key, uint8_t **value) |
| | Find an element in an eBPF map (client/runtime helper version).
|
| |
| typedef struct _ebpf_map_client_dispatch_table | ebpf_base_map_client_dispatch_table_t |
| |
| typedef struct _ebpf_map_provider_data | ebpf_map_provider_data_t |
| | Custom map provider data.
|
| |
| typedef struct _ebpf_map_client_data | ebpf_map_client_data_t |
| | Custom map client data.
|
| |
Dispatch table implemented by the eBPF runtime to provide RCU / epoch operations.
Notes:
Functions epoch_enter and epoch_exit allow a thread to enter and exit an epoch-protected region, which is necessary when calling the epoch memory operations. These functions are re-entrant, but should always be called in pairs.
Below is the list of epoch memory related functions exposed by eBPF runtime:
epoch_allocate_with_tag: Allocate memory under epoch control with tag.
epoch_allocate_cache_aligned_with_tag: Allocate cache aligned memory under epoch control with tag.
epoch_free: Free memory under epoch control.
epoch_free_cache_aligned: Free cache aligned memory under epoch control.
Each of the above four functions MUST be called within an epoch-protected region (i.e., after ebpf_epoch_enter() and before ebpf_epoch_exit()). Failure to do so may lead to undefined behavior. Provider dispatch function invocations (defined in ebpf_base_map_provider_dispatch_table_t) and BPF helper function callbacks are already epoch-protected, so these APIs can be called directly in those contexts. If the provider intends to use these APIs outside the above-mentioned contexts, it must ensure that the calls are made within an epoch-protected region.
Similarly, find_element_function can only be invoked in an epoch-protected region, as explained above. Calling it from outside an epoch-protected region may lead to undefined behavior.
| typedef void(* ebpf_postprocess_map_delete_element_t) (void *binding_context, void *map_context, size_t key_size, _In_reads_opt_(key_size) const uint8_t *key, size_t value_size, _In_reads_(value_size) const uint8_t *value, uint32_t flags) |
Post-process an element deletion from a provider-backed map (called after the core delete).
This is the preferred callback for handling element deletions. It is invoked after the entry has been removed from the hash table and after the per-bucket lock has been released. A provider must register exactly one of preprocess_map_delete_element or postprocess_map_delete_element, not both.
This function can be called in three scenarios:
- Normal map element deletion.
- Deletion performed as part of an update operation (replacing an existing entry).
- Deletion performed as part of map cleanup.
When deletion is part of an update operation, EBPF_MAP_OPERATION_UPDATE is set in the flags parameter. When map cleanup is in progress, EBPF_MAP_OPERATION_MAP_CLEANUP is set in the flags parameter.
- Parameters
-
| [in] | binding_context | The binding context provided when the map provider was bound. |
| [in] | map_context | The eBPF map context. |
| [in] | key_size | The size of the key in bytes. |
| [in] | key | Pointer to the key that was deleted. |
| [in] | value_size | The size in bytes of the provider's stored value buffer. |
| [in] | value | Pointer to the provider's stored value buffer for the entry that was deleted. |
| [in] | flags | Delete flags. Possible values: EBPF_MAP_OPERATION_UPDATE - The delete is invoked as part of an update operation. EBPF_MAP_OPERATION_MAP_CLEANUP - The delete is invoked as part of a map cleanup operation. EBPF_MAP_OPERATION_HELPER - The delete is invoked from a BPF program. When this flag is not set, the function is called in the context of the original user mode process, so the provider may implicitly use the current process's handle table (e.g., to resolve file descriptors passed as map values). This guarantee is stated only for the case where the flag is not set; when it is set, the provider should not assume that the current process is the original caller, and should not resolve handles or file descriptors against it. |
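IRQL: When EBPF_MAP_OPERATION_HELPER is not set (user-mode caller), this function is called at PASSIVE_LEVEL. Currently, the eBPF runtime blocks map delete operations from BPF programs when updates_original_value is true, so this callback is not invoked at DISPATCH_LEVEL in that configuration. If updates_original_value is false, this callback may be invoked at up to DISPATCH_LEVEL when called from a BPF program. A provider that sets updates_original_value to false should therefore keep this callback safe to run at DISPATCH_LEVEL: no blocking waits and no access to pageable memory on the EBPF_MAP_OPERATION_HELPER path.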
| typedef ebpf_result_t(* ebpf_preprocess_map_create_t) (void *binding_context, uint32_t map_type, uint32_t key_size, uint32_t value_size, uint32_t max_entries, uint32_t *actual_value_size, void **map_context) |
Process map creation notification.
- Parameters
-
| [in] | binding_context | The binding context provided when the map provider was bound. |
| [in] | map_type | The type of map to create. |
| [in] | key_size | The size of the key in bytes. |
| [in] | value_size | The value size requested by the caller in bytes. |
| [in] | max_entries | The maximum number of entries in the map. |
| [out] | actual_value_size | The value size in bytes that will actually be stored in the map. |
| [out] | map_context | Provider-defined per-map context. The eBPF core will pass this back to subsequent map operations and will eventually pass it to ebpf_postprocess_map_delete_t. |
Note: When a map lookup happens from user mode, the value is copied into the buffer provided by the user, whereas when a map lookup happens from a BPF program, a pointer to the value is provided to the program, and the program can read or modify the value in place. A program holding such a pointer works on the stored value directly, with no copy step in which the provider could translate it.
Therefore, for maps where an extension intends to modify the actual value being stored in the map (updates_original_value set to true in ebpf_base_map_provider_properties_t), map CRUD operations from BPF programs are disallowed by the eBPF runtime.
- Return values
-
| EBPF_SUCCESS | The operation was successful. |
| EBPF_NO_MEMORY | Unable to allocate memory. |
| EBPF_INVALID_ARGUMENT | One or more parameters are incorrect. |
| typedef ebpf_result_t(* ebpf_preprocess_map_update_element_t) (void *binding_context, void *map_context, size_t key_size, _In_reads_opt_(key_size) const uint8_t *key, size_t in_value_size, _In_reads_(in_value_size) const uint8_t *in_value, size_t out_value_size, _Out_writes_opt_(out_value_size) uint8_t *out_value, uint32_t flags) |
Pre-process an element update in a provider-backed map (called before the core update).
If the provider does not update the original value, i.e., updates_original_value is set to false in ebpf_base_map_provider_properties_t, out_value will be NULL and out_value_size will be 0.
- Parameters
-
| [in] | binding_context | The binding context provided when the map provider was bound. |
| [in] | map_context | The eBPF map context. |
| [in] | key_size | The size of the key in bytes. |
| [in] | key | Pointer to the key being updated (may be NULL for helper-mode operations, depending on the base map implementation). |
| [in] | in_value_size | The size in bytes of the input value. |
| [in] | in_value | Pointer to the input value bytes. |
| [in] | out_value_size | The size in bytes of the destination (stored) value buffer. |
| [out] | out_value | Optional pointer to the destination (stored) value buffer to populate. |
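| [in] | flags | Update flags. Supported values: EBPF_MAP_OPERATION_HELPER - The update is invoked from a BPF program. When this flag is not set, the function is called in the context of the original user mode process, so the provider may implicitly use the current process's handle table (e.g., to resolve file descriptors passed as map values). This guarantee is stated only for the case where the flag is not set; when it is set, the provider should not assume that the current process is the original caller, and should not resolve handles or file descriptors against it. |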
- Note
- If this function succeeds but the subsequent core map update fails, the eBPF runtime will call ebpf_postprocess_map_delete_element_t with the EBPF_MAP_OPERATION_UPDATE flag to allow the provider to undo any state changes made during this call.
-
In a replace operation (updating an existing key), after the core update succeeds, ebpf_postprocess_map_delete_element_t will be called for the old value being replaced, also with the EBPF_MAP_OPERATION_UPDATE flag set.
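IRQL: When EBPF_MAP_OPERATION_HELPER is not set (user-mode caller), this function is called at PASSIVE_LEVEL. Currently, the eBPF runtime blocks map update operations from BPF programs when updates_original_value is true, so this callback is not invoked at DISPATCH_LEVEL in that configuration. If updates_original_value is false, this callback may be invoked at up to DISPATCH_LEVEL when called from a BPF program. A provider that sets updates_original_value to false should therefore keep this callback safe to run at DISPATCH_LEVEL: no blocking waits and no access to pageable memory on the EBPF_MAP_OPERATION_HELPER path.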
- Return values
-
| EBPF_SUCCESS | The operation was successful. |
| EBPF_OPERATION_NOT_SUPPORTED | The operation is not supported. |
| EBPF_INVALID_ARGUMENT | One or more parameters are incorrect. |
| EBPF_NO_MEMORY | Unable to allocate memory. |