ebpf_extension.h

Go to the documentation of this file.

// Copyright (c) eBPF for Windows contributors
// SPDX-License-Identifier: MIT
#pragma once
 
#include "ebpf_result.h"
#include "ebpf_structs.h"
#include "ebpf_windows.h"
 
#define EBPF_MAP_OPERATION_HELPER 0x01      /* Called by a BPF program. */
#define EBPF_MAP_OPERATION_UPDATE 0x02      /* Update operation. */
#define EBPF_MAP_OPERATION_MAP_CLEANUP 0x04 /* Map cleanup operation. */
 
typedef ebpf_result_t (*_ebpf_extension_dispatch_function)();
 
typedef uint64_t epoch_state_t[4];
 
typedef struct _ebpf_extension_dispatch_table
{
    uint16_t version; 
    uint16_t count;   
    _Field_size_(count) _ebpf_extension_dispatch_function function[1];
} ebpf_extension_dispatch_table_t;
 
typedef ebpf_result_t (*ebpf_program_invoke_function_t)(
    _In_ const void* extension_client_binding_context, _Inout_ void* program_context, _Out_ uint32_t* result);
 
typedef ebpf_result_t (*ebpf_program_batch_begin_invoke_function_t)(
    size_t state_size, _Out_writes_(state_size) void* state);
 
typedef ebpf_result_t (*ebpf_program_batch_invoke_function_t)(
    _In_ const void* extension_client_binding_context,
    _Inout_ void* program_context,
    _Out_ uint32_t* result,
    _In_ const void* state);
 
typedef ebpf_result_t (*ebpf_program_batch_end_invoke_function_t)(_Inout_ void* state);
 
typedef enum _ebpf_link_dispatch_table_version
{
    EBPF_LINK_DISPATCH_TABLE_VERSION_1 = 1, 
    EBPF_LINK_DISPATCH_TABLE_VERSION_CURRENT =
        EBPF_LINK_DISPATCH_TABLE_VERSION_1, 
} ebpf_link_dispatch_table_version_t;
 
#define EBPF_LINK_DISPATCH_TABLE_FUNCTION_COUNT_1 4
#define EBPF_LINK_DISPATCH_TABLE_FUNCTION_COUNT_CURRENT \
    EBPF_LINK_DISPATCH_TABLE_FUNCTION_COUNT_1 
 
typedef struct _ebpf_extension_program_dispatch_table
{
    uint16_t version; 
    uint16_t count;   
    ebpf_program_invoke_function_t ebpf_program_invoke_function;
    ebpf_program_batch_begin_invoke_function_t ebpf_program_batch_begin_invoke_function;
    ebpf_program_batch_invoke_function_t ebpf_program_batch_invoke_function;
    ebpf_program_batch_end_invoke_function_t ebpf_program_batch_end_invoke_function;
} ebpf_extension_program_dispatch_table_t;
 
typedef struct _ebpf_extension_data
{
    ebpf_extension_header_t header;
    const void* data;
    size_t data_size;
    uint64_t prog_attach_flags;
} ebpf_extension_data_t;
 
typedef struct _ebpf_attach_provider_data
{
    ebpf_extension_header_t header;
    ebpf_program_type_t supported_program_type;
    bpf_attach_type_t bpf_attach_type;
    enum bpf_link_type link_type;
} ebpf_attach_provider_data_t;
 
/***
 * The state of the execution context when the eBPF program was invoked.
 * This is used to cache state that won't change during the execution of
 * the eBPF program and is expensive to query.
 */
typedef struct _ebpf_execution_context_state
{
    epoch_state_t epoch_state;
    union
    {
        uint64_t thread;
        uint32_t cpu;
    } id;
    uint8_t current_irql;
    struct
    {
        const void* next_program;
        uint32_t count;
    } tail_call_state;
} ebpf_execution_context_state_t;
 
#define EBPF_CONTEXT_HEADER uint64_t context_header[8]
#define EBPF_CONTEXT_HEADER_SIZE (sizeof(uint64_t) * 8)
 
typedef ebpf_result_t (*ebpf_process_map_create_t)(
    _In_ void* binding_context,
    uint32_t map_type,
    uint32_t key_size,
    uint32_t value_size,
    uint32_t max_entries,
    _Out_ uint32_t* actual_value_size,
    _Outptr_ void** map_context);
 
typedef void (*ebpf_process_map_delete_t)(_In_ void* binding_context, _In_ _Post_invalid_ void* map_context);
 
typedef ebpf_result_t (*ebpf_process_map_find_element_t)(
    _In_ void* binding_context,
    _In_ void* map_context,
    size_t key_size,
    _In_reads_opt_(key_size) const uint8_t* key,
    size_t in_value_size,
    _In_reads_(in_value_size) const uint8_t* in_value,
    size_t out_value_size,
    _Out_writes_opt_(out_value_size) uint8_t* out_value,
    uint32_t flags);
 
typedef ebpf_result_t (*ebpf_process_map_add_element_t)(
    _In_ void* binding_context,
    _In_ void* map_context,
    size_t key_size,
    _In_reads_opt_(key_size) const uint8_t* key,
    size_t in_value_size,
    _In_reads_(in_value_size) const uint8_t* in_value,
    size_t out_value_size,
    _Out_writes_opt_(out_value_size) uint8_t* out_value,
    uint32_t flags);
 
typedef ebpf_result_t (*ebpf_process_map_delete_element_t)(
    _In_ void* binding_context,
    _In_ void* map_context,
    size_t key_size,
    _In_reads_opt_(key_size) const uint8_t* key,
    size_t value_size,
    _In_reads_(value_size) const uint8_t* value,
    uint32_t flags);
 
typedef ebpf_result_t (*ebpf_map_associate_program_type_t)(
    _In_ void* binding_context, _In_ void* map_context, _In_ const ebpf_program_type_t* program_type);
 
typedef struct _ebpf_base_map_provider_properties
{
    ebpf_extension_header_t header;
    bool updates_original_value; // Whether the provider updates the original value during map operations, which
                                 // controls whether BPF programs can perform map CRUD operations.
} ebpf_base_map_provider_properties_t;
 
typedef struct _ebpf_map_provider_dispatch_table
{
    ebpf_extension_header_t header;
    _Notnull_ ebpf_process_map_create_t process_map_create;
    _Notnull_ ebpf_process_map_delete_t process_map_delete;
    _Notnull_ ebpf_map_associate_program_type_t associate_program_function;
    ebpf_process_map_find_element_t process_map_find_element;
    ebpf_process_map_add_element_t process_map_add_element;
    ebpf_process_map_delete_element_t process_map_delete_element;
} ebpf_base_map_provider_dispatch_table_t;
 
typedef _Ret_writes_maybenull_(size) void* (*ebpf_epoch_allocate_with_tag_t)(size_t size, uint32_t tag);
 
typedef _Ret_writes_maybenull_(size) void* (*ebpf_epoch_allocate_cache_aligned_with_tag_t)(size_t size, uint32_t tag);
 
typedef void (*ebpf_epoch_free_t)(_In_opt_ _Post_invalid_ void* memory);
 
typedef void (*ebpf_epoch_free_cache_aligned_t)(_In_opt_ _Post_invalid_ void* pointer);
 
typedef void (*ebpf_epoch_enter_t)(_Out_ void* epoch_state);
 
typedef void (*ebpf_epoch_exit_t)(_In_ void* epoch_state);
 
typedef ebpf_result_t (*ebpf_map_find_element_t)(
    _In_ const void* map, _In_ const uint8_t* key, _Outptr_ uint8_t** value);
 
typedef struct _ebpf_map_client_dispatch_table
{
    ebpf_extension_header_t header;
    ebpf_map_find_element_t find_element_function;
    ebpf_epoch_enter_t epoch_enter;
    ebpf_epoch_exit_t epoch_exit;
    ebpf_epoch_allocate_with_tag_t epoch_allocate_with_tag;
    ebpf_epoch_allocate_cache_aligned_with_tag_t epoch_allocate_cache_aligned_with_tag;
    ebpf_epoch_free_t epoch_free;
    ebpf_epoch_free_cache_aligned_t epoch_free_cache_aligned;
} ebpf_base_map_client_dispatch_table_t;
 
typedef struct _ebpf_map_provider_data
{
    ebpf_extension_header_t header;
    uint32_t map_type;                                            
    uint32_t base_map_type;                                       
    ebpf_base_map_provider_properties_t* base_properties;         
    ebpf_base_map_provider_dispatch_table_t* base_provider_table; 
} ebpf_map_provider_data_t;
 
typedef struct _ebpf_map_client_data
{
    ebpf_extension_header_t header; 
    uint64_t map_context_offset;    
    ebpf_base_map_client_dispatch_table_t* base_client_table; 
} ebpf_map_client_data_t;
 
#define MAP_CONTEXT(map_pointer, offset) ((void**)(((uint8_t*)(map_pointer)) + (offset)))