ebpf-for-windows/ebpf__extension_8h_source.html

// Copyright (c) eBPF for Windows contributors

// SPDX-License-Identifier: MIT

#pragma once


#include "ebpf_result.h"

#include "ebpf_structs.h"

#include "ebpf_windows.h"


#define EBPF_MAP_OPERATION_HELPER                                                                                      \

    0x01                               /* Called by a BPF program. When this flag is not set, the provider function is \


                                        * called in the context of the original user mode process, so the provider may \

                                        * implicitly use the current process's handle table (e.g., to resolve file     \

                                        * descriptors passed as map values). */

#define EBPF_MAP_OPERATION_UPDATE 0x02 /* Update operation. */

#define EBPF_MAP_OPERATION_MAP_CLEANUP 0x04 /* Map cleanup operation. */


typedef ebpf_result_t (*_ebpf_extension_dispatch_function)();


typedef uint64_t epoch_state_t[4];


typedef struct _ebpf_extension_dispatch_table

{

    uint16_t version;


    uint16_t count;

    _Field_size_(count) _ebpf_extension_dispatch_function function[1];

} ebpf_extension_dispatch_table_t;


typedef ebpf_result_t (*ebpf_program_invoke_function_t)(

    _In_ const void* extension_client_binding_context, _Inout_ void* program_context, _Out_ uint32_t* result);


typedef ebpf_result_t (*ebpf_program_batch_begin_invoke_function_t)(

    size_t state_size, _Out_writes_(state_size) void* state);


typedef ebpf_result_t (*ebpf_program_batch_invoke_function_t)(

    _In_ const void* extension_client_binding_context,

    _Inout_ void* program_context,

    _Out_ uint32_t* result,

    _In_ const void* state);


typedef ebpf_result_t (*ebpf_program_batch_end_invoke_function_t)(_Inout_ void* state);


typedef enum _ebpf_link_dispatch_table_version

{

    EBPF_LINK_DISPATCH_TABLE_VERSION_1 = 1,

    EBPF_LINK_DISPATCH_TABLE_VERSION_CURRENT =

        EBPF_LINK_DISPATCH_TABLE_VERSION_1,

} ebpf_link_dispatch_table_version_t;


#define EBPF_LINK_DISPATCH_TABLE_FUNCTION_COUNT_1 4


#define EBPF_LINK_DISPATCH_TABLE_FUNCTION_COUNT_CURRENT \

    EBPF_LINK_DISPATCH_TABLE_FUNCTION_COUNT_1


typedef struct _ebpf_extension_program_dispatch_table

{

    uint16_t version;

    uint16_t count;

    ebpf_program_invoke_function_t ebpf_program_invoke_function;

    ebpf_program_batch_begin_invoke_function_t ebpf_program_batch_begin_invoke_function;


    ebpf_program_batch_invoke_function_t ebpf_program_batch_invoke_function;


    ebpf_program_batch_end_invoke_function_t ebpf_program_batch_end_invoke_function;

} ebpf_extension_program_dispatch_table_t;


typedef struct _ebpf_extension_data

{

    ebpf_extension_header_t header;

    const void* data;


    size_t data_size;


    uint64_t prog_attach_flags;

} ebpf_extension_data_t;


typedef struct _ebpf_attach_provider_data

{

    ebpf_extension_header_t header;

    ebpf_program_type_t supported_program_type;


    bpf_attach_type_t bpf_attach_type;

    enum bpf_link_type link_type;

} ebpf_attach_provider_data_t;


/***

 * The state of the execution context when the eBPF program was invoked.


 * This is used to cache state that won't change during the execution of

 * the eBPF program and is expensive to query.

 */

typedef struct _ebpf_execution_context_state

{

    epoch_state_t epoch_state;

    union

    {

        uint64_t thread;

        uint32_t cpu;

    } id;

    uint8_t current_irql;

    struct

    {

        const void* next_program;


        uint32_t count;

    } tail_call_state;

} ebpf_execution_context_state_t;


#define EBPF_CONTEXT_HEADER uint64_t context_header[8]

#define EBPF_CONTEXT_HEADER_SIZE (sizeof(uint64_t) * 8)


typedef ebpf_result_t (*ebpf_process_map_create_t)(

    _In_ void* binding_context,

    uint32_t map_type,

    uint32_t key_size,

    uint32_t value_size,

    uint32_t max_entries,

    _Out_ uint32_t* actual_value_size,

    _Outptr_ void** map_context);


typedef void (*ebpf_process_map_delete_t)(_In_ void* binding_context, _In_ _Post_invalid_ void* map_context);


typedef ebpf_result_t (*ebpf_postprocess_map_find_element_t)(

    _In_ void* binding_context,

    _In_ void* map_context,

    size_t key_size,

    _In_reads_opt_(key_size) const uint8_t* key,

    size_t in_value_size,

    _In_reads_(in_value_size) const uint8_t* in_value,

    size_t out_value_size,

    _Out_writes_opt_(out_value_size) uint8_t* out_value,

    uint32_t flags);


typedef ebpf_result_t (*ebpf_preprocess_map_update_element_t)(

    _In_ void* binding_context,

    _In_ void* map_context,

    size_t key_size,

    _In_reads_opt_(key_size) const uint8_t* key,

    size_t in_value_size,

    _In_reads_(in_value_size) const uint8_t* in_value,

    size_t out_value_size,

    _Out_writes_opt_(out_value_size) uint8_t* out_value,

    uint32_t flags);


typedef ebpf_result_t (*ebpf_preprocess_map_delete_element_t)(

    _In_ void* binding_context,

    _In_ void* map_context,

    size_t key_size,

    _In_reads_opt_(key_size) const uint8_t* key,

    size_t value_size,

    _In_reads_(value_size) const uint8_t* value,

    uint32_t flags);


typedef ebpf_result_t (*ebpf_map_associate_program_type_t)(

    _In_ void* binding_context, _In_ void* map_context, _In_ const ebpf_program_type_t* program_type);


typedef struct _ebpf_base_map_provider_properties

{

    ebpf_extension_header_t header;


    bool updates_original_value; // Whether the provider updates the original value during map operations, which

                                 // controls whether BPF programs can perform map CRUD operations.

} ebpf_base_map_provider_properties_t;


typedef struct _ebpf_map_provider_dispatch_table

{

    ebpf_extension_header_t header;

    _Notnull_ ebpf_process_map_create_t process_map_create;

    _Notnull_ ebpf_process_map_delete_t process_map_delete;

    _Notnull_ ebpf_map_associate_program_type_t associate_program_function;

    ebpf_postprocess_map_find_element_t postprocess_map_find_element;

    ebpf_preprocess_map_update_element_t preprocess_map_update_element;

    ebpf_preprocess_map_delete_element_t preprocess_map_delete_element;

} ebpf_base_map_provider_dispatch_table_t;


typedef _Ret_writes_maybenull_(size) void* (*ebpf_epoch_allocate_with_tag_t)(size_t size, uint32_t tag);


typedef _Ret_writes_maybenull_(size) void* (*ebpf_epoch_allocate_cache_aligned_with_tag_t)(size_t size, uint32_t tag);


typedef void (*ebpf_epoch_free_t)(_In_opt_ _Post_invalid_ void* memory);


typedef void (*ebpf_epoch_free_cache_aligned_t)(_In_opt_ _Post_invalid_ void* pointer);


typedef void (*ebpf_epoch_enter_t)(_Out_ void* epoch_state);


typedef void (*ebpf_epoch_exit_t)(_In_ void* epoch_state);


typedef ebpf_result_t (*ebpf_map_find_element_t)(

    _In_ const void* map, _In_ const uint8_t* key, _Outptr_ uint8_t** value);


typedef struct _ebpf_map_client_dispatch_table

{

    ebpf_extension_header_t header;

    ebpf_map_find_element_t find_element_function;

    ebpf_epoch_enter_t epoch_enter;

    ebpf_epoch_exit_t epoch_exit;

    ebpf_epoch_allocate_with_tag_t epoch_allocate_with_tag;

    ebpf_epoch_allocate_cache_aligned_with_tag_t epoch_allocate_cache_aligned_with_tag;

    ebpf_epoch_free_t epoch_free;

    ebpf_epoch_free_cache_aligned_t epoch_free_cache_aligned;

} ebpf_base_map_client_dispatch_table_t;


typedef struct _ebpf_map_provider_data

{

    ebpf_extension_header_t header;

    uint32_t map_type;

    uint32_t base_map_type;

    ebpf_base_map_provider_properties_t* base_properties;

    ebpf_base_map_provider_dispatch_table_t* base_provider_table;

} ebpf_map_provider_data_t;


typedef struct _ebpf_map_client_data

{

    ebpf_extension_header_t header;

    uint64_t map_context_offset;

    ebpf_base_map_client_dispatch_table_t* base_client_table;

} ebpf_map_client_data_t;


#define MAP_CONTEXT(map_pointer, offset) ((void**)(((uint8_t*)(map_pointer)) + (offset)))

ebpf_base_map_provider_properties_t
struct _ebpf_base_map_provider_properties ebpf_base_map_provider_properties_t

ebpf_program_batch_begin_invoke_function_t
ebpf_result_t(* ebpf_program_batch_begin_invoke_function_t)(size_t state_size, _Out_writes_(state_size) void *state)
Prepare the eBPF program for batch invocation.
Definition ebpf_extension.h:51

ebpf_attach_provider_data_t
struct _ebpf_attach_provider_data ebpf_attach_provider_data_t

ebpf_process_map_create_t
ebpf_result_t(* ebpf_process_map_create_t)(void *binding_context, uint32_t map_type, uint32_t key_size, uint32_t value_size, uint32_t max_entries, uint32_t *actual_value_size, void **map_context)
Process map creation notification.
Definition ebpf_extension.h:164

ebpf_map_find_element_t
ebpf_result_t(* ebpf_map_find_element_t)(const void *map, const uint8_t *key, uint8_t **value)
Find an element in an eBPF map (client/runtime helper version).
Definition ebpf_extension.h:386

ebpf_base_map_provider_dispatch_table_t
struct _ebpf_map_provider_dispatch_table ebpf_base_map_provider_dispatch_table_t

ebpf_extension_dispatch_table_t
struct _ebpf_extension_dispatch_table ebpf_extension_dispatch_table_t

ebpf_epoch_exit_t
void(* ebpf_epoch_exit_t)(void *epoch_state)
Exit an epoch-protected region.
Definition ebpf_extension.h:373

ebpf_epoch_free_t
void(* ebpf_epoch_free_t)(void *memory)
Free memory under epoch control.
Definition ebpf_extension.h:355

ebpf_map_client_data_t
struct _ebpf_map_client_data ebpf_map_client_data_t
Custom map client data.

ebpf_extension_data_t
struct _ebpf_extension_data ebpf_extension_data_t

ebpf_extension_program_dispatch_table_t
struct _ebpf_extension_program_dispatch_table ebpf_extension_program_dispatch_table_t

ebpf_link_dispatch_table_version_t
enum _ebpf_link_dispatch_table_version ebpf_link_dispatch_table_version_t

_ebpf_extension_dispatch_function
ebpf_result_t(* _ebpf_extension_dispatch_function)()
Definition ebpf_extension.h:14

_Ret_writes_maybenull_
typedef _Ret_writes_maybenull_(size) void *(*ebpf_epoch_allocate_with_tag_t)(size_t size
Allocate memory under epoch control.

ebpf_base_map_client_dispatch_table_t
struct _ebpf_map_client_dispatch_table ebpf_base_map_client_dispatch_table_t

ebpf_program_batch_invoke_function_t
ebpf_result_t(* ebpf_program_batch_invoke_function_t)(const void *extension_client_binding_context, _Inout_ void *program_context, uint32_t *result, const void *state)
Invoke the eBPF program in batch mode.
Definition ebpf_extension.h:65

tag
uint32_t tag
Definition ebpf_extension.h:339

ebpf_map_provider_data_t
struct _ebpf_map_provider_data ebpf_map_provider_data_t
Custom map provider data.

ebpf_preprocess_map_update_element_t
ebpf_result_t(* ebpf_preprocess_map_update_element_t)(void *binding_context, void *map_context, size_t key_size, _In_reads_opt_(key_size) const uint8_t *key, size_t in_value_size, _In_reads_(in_value_size) const uint8_t *in_value, size_t out_value_size, _Out_writes_opt_(out_value_size) uint8_t *out_value, uint32_t flags)
Pre-process an element update in a provider-backed map (called before the core update).
Definition ebpf_extension.h:248

ebpf_preprocess_map_delete_element_t
ebpf_result_t(* ebpf_preprocess_map_delete_element_t)(void *binding_context, void *map_context, size_t key_size, _In_reads_opt_(key_size) const uint8_t *key, size_t value_size, _In_reads_(value_size) const uint8_t *value, uint32_t flags)
Pre-process an element deletion from a provider-backed map (called before the core delete).
Definition ebpf_extension.h:287

ebpf_process_map_delete_t
void(* ebpf_process_map_delete_t)(void *binding_context, void *map_context)
Process a map delete notification.
Definition ebpf_extension.h:179

ebpf_execution_context_state_t
struct _ebpf_execution_context_state ebpf_execution_context_state_t

ebpf_epoch_enter_t
void(* ebpf_epoch_enter_t)(void *epoch_state)
Enter an epoch-protected region.
Definition ebpf_extension.h:367

ebpf_postprocess_map_find_element_t
ebpf_result_t(* ebpf_postprocess_map_find_element_t)(void *binding_context, void *map_context, size_t key_size, _In_reads_opt_(key_size) const uint8_t *key, size_t in_value_size, _In_reads_(in_value_size) const uint8_t *in_value, size_t out_value_size, _Out_writes_opt_(out_value_size) uint8_t *out_value, uint32_t flags)
Post-process a found element in a provider-backed map (called after the core lookup).
Definition ebpf_extension.h:205

ebpf_program_batch_end_invoke_function_t
ebpf_result_t(* ebpf_program_batch_end_invoke_function_t)(_Inout_ void *state)
Clean up the eBPF program after batch invocation.
Definition ebpf_extension.h:78

epoch_state_t
uint64_t epoch_state_t[4]
Definition ebpf_extension.h:16

ebpf_map_associate_program_type_t
ebpf_result_t(* ebpf_map_associate_program_type_t)(void *binding_context, void *map_context, const ebpf_program_type_t *program_type)
Associate a program type with the map, which allows the map to be used by programs of that type.
Definition ebpf_extension.h:306

ebpf_program_invoke_function_t
ebpf_result_t(* ebpf_program_invoke_function_t)(const void *extension_client_binding_context, _Inout_ void *program_context, uint32_t *result)
Invoke the eBPF program.
Definition ebpf_extension.h:37

_ebpf_link_dispatch_table_version
_ebpf_link_dispatch_table_version
Definition ebpf_extension.h:81

EBPF_LINK_DISPATCH_TABLE_VERSION_1
@ EBPF_LINK_DISPATCH_TABLE_VERSION_1
Initial version of the dispatch table.
Definition ebpf_extension.h:82

EBPF_LINK_DISPATCH_TABLE_VERSION_CURRENT
@ EBPF_LINK_DISPATCH_TABLE_VERSION_CURRENT
Current version of the dispatch table.
Definition ebpf_extension.h:83

ebpf_epoch_free_cache_aligned_t
void(* ebpf_epoch_free_cache_aligned_t)(void *pointer)
Free memory under epoch control.
Definition ebpf_extension.h:361

ebpf_result.h

ebpf_result_t
enum ebpf_result ebpf_result_t

ebpf_structs.h
This file contains eBPF definitions common to eBPF programs, core execution engine as well as eBPF AP...

bpf_link_type
bpf_link_type
Definition ebpf_structs.h:272

bpf_attach_type_t
enum bpf_attach_type bpf_attach_type_t
Definition ebpf_structs.h:353

ebpf_windows.h

ebpf_program_type_t
GUID ebpf_program_type_t
Definition ebpf_windows.h:61

_ebpf_attach_provider_data
Definition ebpf_extension.h:110

_ebpf_attach_provider_data::header
ebpf_extension_header_t header
Definition ebpf_extension.h:111

_ebpf_attach_provider_data::supported_program_type
ebpf_program_type_t supported_program_type
Definition ebpf_extension.h:112

_ebpf_attach_provider_data::bpf_attach_type
bpf_attach_type_t bpf_attach_type
Definition ebpf_extension.h:113

_ebpf_attach_provider_data::link_type
enum bpf_link_type link_type
Definition ebpf_extension.h:114

_ebpf_base_map_provider_properties
Definition ebpf_extension.h:310

_ebpf_base_map_provider_properties::updates_original_value
bool updates_original_value
Definition ebpf_extension.h:312

_ebpf_base_map_provider_properties::header
ebpf_extension_header_t header
Definition ebpf_extension.h:311

_ebpf_execution_context_state
Definition ebpf_extension.h:123

_ebpf_execution_context_state::id
union _ebpf_execution_context_state::@6 id

_ebpf_execution_context_state::tail_call_state
struct _ebpf_execution_context_state::@7 tail_call_state

_ebpf_execution_context_state::current_irql
uint8_t current_irql
Definition ebpf_extension.h:130

_ebpf_execution_context_state::count
uint32_t count
Definition ebpf_extension.h:134

_ebpf_execution_context_state::epoch_state
epoch_state_t epoch_state
Definition ebpf_extension.h:124

_ebpf_execution_context_state::thread
uint64_t thread
Definition ebpf_extension.h:127

_ebpf_execution_context_state::next_program
const void * next_program
Definition ebpf_extension.h:133

_ebpf_execution_context_state::cpu
uint32_t cpu
Definition ebpf_extension.h:128

_ebpf_extension_data
Definition ebpf_extension.h:102

_ebpf_extension_data::prog_attach_flags
uint64_t prog_attach_flags
Definition ebpf_extension.h:106

_ebpf_extension_data::header
ebpf_extension_header_t header
Definition ebpf_extension.h:103

_ebpf_extension_data::data
const void * data
Definition ebpf_extension.h:104

_ebpf_extension_data::data_size
size_t data_size
Definition ebpf_extension.h:105

_ebpf_extension_dispatch_table
Definition ebpf_extension.h:19

_ebpf_extension_dispatch_table::version
uint16_t version
Version of the dispatch table.
Definition ebpf_extension.h:20

_ebpf_extension_dispatch_table::count
uint16_t count
Number of entries in the dispatch table.
Definition ebpf_extension.h:21

_ebpf_extension_dispatch_table::_Field_size_
_Field_size_(count) _ebpf_extension_dispatch_function function[1]

_ebpf_extension_header
Header of an eBPF extension data structure. Every eBPF extension data structure must start with this ...
Definition ebpf_windows.h:196

_ebpf_extension_program_dispatch_table
Definition ebpf_extension.h:92

_ebpf_extension_program_dispatch_table::ebpf_program_invoke_function
ebpf_program_invoke_function_t ebpf_program_invoke_function
Definition ebpf_extension.h:95

_ebpf_extension_program_dispatch_table::ebpf_program_batch_begin_invoke_function
ebpf_program_batch_begin_invoke_function_t ebpf_program_batch_begin_invoke_function
Definition ebpf_extension.h:96

_ebpf_extension_program_dispatch_table::ebpf_program_batch_end_invoke_function
ebpf_program_batch_end_invoke_function_t ebpf_program_batch_end_invoke_function
Definition ebpf_extension.h:98

_ebpf_extension_program_dispatch_table::version
uint16_t version
Version of the dispatch table.
Definition ebpf_extension.h:93

_ebpf_extension_program_dispatch_table::ebpf_program_batch_invoke_function
ebpf_program_batch_invoke_function_t ebpf_program_batch_invoke_function
Definition ebpf_extension.h:97

_ebpf_extension_program_dispatch_table::count
uint16_t count
Number of entries in the dispatch table.
Definition ebpf_extension.h:94

_ebpf_map_client_data
Custom map client data.
Definition ebpf_extension.h:442

_ebpf_map_client_data::base_client_table
ebpf_base_map_client_dispatch_table_t * base_client_table
Pointer to base map client dispatch table.
Definition ebpf_extension.h:445

_ebpf_map_client_data::map_context_offset
uint64_t map_context_offset
Offset within the map structure where the provider context data is stored.
Definition ebpf_extension.h:444

_ebpf_map_client_data::header
ebpf_extension_header_t header
Standard extension header containing version and size information.
Definition ebpf_extension.h:443

_ebpf_map_client_dispatch_table
Definition ebpf_extension.h:415

_ebpf_map_client_dispatch_table::epoch_free_cache_aligned
ebpf_epoch_free_cache_aligned_t epoch_free_cache_aligned
Definition ebpf_extension.h:423

_ebpf_map_client_dispatch_table::epoch_allocate_cache_aligned_with_tag
ebpf_epoch_allocate_cache_aligned_with_tag_t epoch_allocate_cache_aligned_with_tag
Definition ebpf_extension.h:421

_ebpf_map_client_dispatch_table::epoch_exit
ebpf_epoch_exit_t epoch_exit
Definition ebpf_extension.h:419

_ebpf_map_client_dispatch_table::epoch_enter
ebpf_epoch_enter_t epoch_enter
Definition ebpf_extension.h:418

_ebpf_map_client_dispatch_table::epoch_allocate_with_tag
ebpf_epoch_allocate_with_tag_t epoch_allocate_with_tag
Definition ebpf_extension.h:420

_ebpf_map_client_dispatch_table::epoch_free
ebpf_epoch_free_t epoch_free
Definition ebpf_extension.h:422

_ebpf_map_client_dispatch_table::header
ebpf_extension_header_t header
Definition ebpf_extension.h:416

_ebpf_map_client_dispatch_table::find_element_function
ebpf_map_find_element_t find_element_function
Definition ebpf_extension.h:417

_ebpf_map_provider_data
Custom map provider data.
Definition ebpf_extension.h:430

_ebpf_map_provider_data::header
ebpf_extension_header_t header
Definition ebpf_extension.h:431

_ebpf_map_provider_data::base_provider_table
ebpf_base_map_provider_dispatch_table_t * base_provider_table
Pointer to base map provider dispatch table.
Definition ebpf_extension.h:435

_ebpf_map_provider_data::map_type
uint32_t map_type
Custom map type implemented by the provider.
Definition ebpf_extension.h:432

_ebpf_map_provider_data::base_map_type
uint32_t base_map_type
Base map type used to implement the custom map.
Definition ebpf_extension.h:433

_ebpf_map_provider_data::base_properties
ebpf_base_map_provider_properties_t * base_properties
Base map provider properties.
Definition ebpf_extension.h:434

_ebpf_map_provider_dispatch_table
Definition ebpf_extension.h:321

_ebpf_map_provider_dispatch_table::associate_program_function
_Notnull_ ebpf_map_associate_program_type_t associate_program_function
Definition ebpf_extension.h:325

_ebpf_map_provider_dispatch_table::process_map_delete
_Notnull_ ebpf_process_map_delete_t process_map_delete
Definition ebpf_extension.h:324

_ebpf_map_provider_dispatch_table::preprocess_map_update_element
ebpf_preprocess_map_update_element_t preprocess_map_update_element
Definition ebpf_extension.h:327

_ebpf_map_provider_dispatch_table::process_map_create
_Notnull_ ebpf_process_map_create_t process_map_create
Definition ebpf_extension.h:323

_ebpf_map_provider_dispatch_table::preprocess_map_delete_element
ebpf_preprocess_map_delete_element_t preprocess_map_delete_element
Definition ebpf_extension.h:328

_ebpf_map_provider_dispatch_table::postprocess_map_find_element
ebpf_postprocess_map_find_element_t postprocess_map_find_element
Definition ebpf_extension.h:326

_ebpf_map_provider_dispatch_table::header
ebpf_extension_header_t header
Definition ebpf_extension.h:322