|
eBPF for Windows
|
This file contains eBPF definitions common to eBPF programs, core execution engine as well as eBPF API library. More...
#include "ebpf_windows.h"Go to the source code of this file.
Data Structures | |
| struct | _ebpf_map_definition_in_memory |
| eBPF Map Definition as it is stored in memory. More... | |
| struct | _ebpf_map_definition_in_file |
| eBPF Map Definition as it appears in the maps section of an ELF file. More... | |
| struct | bpf_link_info |
| eBPF link information. This structure can be retrieved by calling bpf_obj_get_info_by_fd on a link fd. More... | |
| struct | bpf_map_info |
| eBPF map information. This structure can be retrieved by calling bpf_obj_get_info_by_fd on a map fd. More... | |
| struct | bpf_prog_info |
| eBPF program information. This structure can be retrieved by calling bpf_obj_get_info_by_fd on a program fd. More... | |
Macros | |
| #define | MAX_TAIL_CALL_CNT 33 |
| #define | BPF_ENUM_TO_STRING(X) #X |
| #define | BPF_MAP_TYPE_PER_CPU(X) |
| #define | EBPF_ID_NONE 0 |
| #define | XDP_FLAGS_REPLACE 0x01 |
| #define | BPF_OBJ_NAME_LEN 64 |
| #define | BPF_ANY 0x0 |
| #define | BPF_NOEXIST 0x1 |
| #define | BPF_EXIST 0x2 |
| #define | EBPF_MAP_FLAG_INDEX_MASK 0xffffffffULL |
| #define | EBPF_MAP_FLAG_INDEX_SHIFT 0 |
| #define | EBPF_MAP_FLAG_CURRENT_CPU EBPF_MAP_FLAG_INDEX_MASK |
| #define | EBPF_MAP_FLAG_CTX_LENGTH_SHIFT 32 |
| #define | EBPF_MAP_FLAG_CTX_LENGTH_MAX (0xfffffULL) |
| #define | EBPF_MAP_FLAG_CTX_LENGTH_MASK (EBPF_MAP_FLAG_CTX_LENGTH_MAX << EBPF_MAP_FLAG_CTX_LENGTH_SHIFT) |
Typedefs | |
| typedef enum bpf_map_type | ebpf_map_type_t |
| typedef enum ebpf_map_option | ebpf_map_option_t |
| typedef enum ebpf_pin_type | ebpf_pin_type_t |
| Pinning type for eBPF objects. The values should match the LIBBPF_PIN_* pin types defined in libbpf. | |
| typedef uint32_t | ebpf_id_t |
| typedef struct _ebpf_map_definition_in_memory | ebpf_map_definition_in_memory_t |
| eBPF Map Definition as it is stored in memory. | |
| typedef struct _ebpf_map_definition_in_file | ebpf_map_definition_in_file_t |
| eBPF Map Definition as it appears in the maps section of an ELF file. | |
| typedef enum bpf_prog_type | bpf_prog_type_t |
| typedef enum bpf_attach_type | bpf_attach_type_t |
| typedef ebpf_extension_header_t | ebpf_native_module_header_t |
| Header of an eBPF native module data structure. Every eBPF native module data structure must start with this header. This however has an exception for some of the structs that mandatorily require a specific number of starting bytes to be zero. In such cases, the header must be placed after the required zero starting bytes. New fields can be added to the end of the data structure without breaking backward compatibility. The version field must be updated only if the new data structure is not backward compatible. | |
This file contains eBPF definitions common to eBPF programs, core execution engine as well as eBPF API library.
| #define BPF_ANY 0x0 |
| #define BPF_ENUM_TO_STRING | ( | X | ) | #X |
| #define BPF_EXIST 0x2 |
| #define BPF_MAP_TYPE_PER_CPU | ( | X | ) |
| #define BPF_NOEXIST 0x1 |
| #define BPF_OBJ_NAME_LEN 64 |
| #define EBPF_ID_NONE 0 |
| #define EBPF_MAP_FLAG_CTX_LENGTH_MASK (EBPF_MAP_FLAG_CTX_LENGTH_MAX << EBPF_MAP_FLAG_CTX_LENGTH_SHIFT) |
| #define EBPF_MAP_FLAG_CTX_LENGTH_MAX (0xfffffULL) |
| #define EBPF_MAP_FLAG_CTX_LENGTH_SHIFT 32 |
| #define EBPF_MAP_FLAG_CURRENT_CPU EBPF_MAP_FLAG_INDEX_MASK |
| #define EBPF_MAP_FLAG_INDEX_MASK 0xffffffffULL |
| #define EBPF_MAP_FLAG_INDEX_SHIFT 0 |
| #define MAX_TAIL_CALL_CNT 33 |
| #define XDP_FLAGS_REPLACE 0x01 |
| typedef enum bpf_attach_type bpf_attach_type_t |
| typedef enum bpf_prog_type bpf_prog_type_t |
| typedef uint32_t ebpf_id_t |
| typedef struct _ebpf_map_definition_in_file ebpf_map_definition_in_file_t |
eBPF Map Definition as it appears in the maps section of an ELF file.
| typedef struct _ebpf_map_definition_in_memory ebpf_map_definition_in_memory_t |
eBPF Map Definition as it is stored in memory.
| typedef enum ebpf_map_option ebpf_map_option_t |
| typedef enum bpf_map_type ebpf_map_type_t |
Header of an eBPF native module data structure. Every eBPF native module data structure must start with this header. This however has an exception for some of the structs that mandatorily require a specific number of starting bytes to be zero. In such cases, the header must be placed after the required zero starting bytes. New fields can be added to the end of the data structure without breaking backward compatibility. The version field must be updated only if the new data structure is not backward compatible.
| typedef enum ebpf_pin_type ebpf_pin_type_t |
Pinning type for eBPF objects. The values should match the LIBBPF_PIN_* pin types defined in libbpf.
| enum bpf_attach_type |
| Enumerator | |
|---|---|
| BPF_ATTACH_TYPE_UNSPEC | Unspecified attach type. |
| BPF_XDP | Attach type for handling incoming packets as early as possible. Program type: BPF_PROG_TYPE_XDP |
| BPF_ATTACH_TYPE_BIND | Attach type for handling socket bind() requests. Program type: BPF_PROG_TYPE_BIND |
| BPF_CGROUP_INET4_CONNECT | Attach type for handling IPv4 TCP connect() or UDP send to a unique remote address/port tuple. Program type: BPF_PROG_TYPE_CGROUP_SOCK_ADDR |
| BPF_CGROUP_INET6_CONNECT | Attach type for handling IPv6 TCP connect() or UDP send to a unique remote address/port tuple. Program type: BPF_PROG_TYPE_CGROUP_SOCK_ADDR |
| BPF_CGROUP_INET4_RECV_ACCEPT | Attach type for handling IPv4 TCP accept() or on receiving the first unicast UDP packet from a unique remote address/port tuple. Program type: BPF_PROG_TYPE_CGROUP_SOCK_ADDR |
| BPF_CGROUP_INET6_RECV_ACCEPT | Attach type for handling IPv6 TCP accept() or on receiving the first unicast UDP packet from a unique remote address/port tuple. Program type: BPF_PROG_TYPE_CGROUP_SOCK_ADDR |
| BPF_CGROUP_SOCK_OPS | Attach type for handling various socket event notifications. Program type: BPF_PROG_TYPE_SOCK_OPS |
| BPF_ATTACH_TYPE_SAMPLE | Attach type implemented by eBPF Sample Extension driver, used for testing. Program type: BPF_PROG_TYPE_SAMPLE |
| BPF_XDP_TEST | Attach type for handling incoming packets as early as possible. Program type: BPF_PROG_TYPE_XDP_TEST |
| BPF_ATTACH_TYPE_NETEVENT | Attach type for handling netevents. Program type: BPF_PROG_TYPE_NETEVENT |
| BPF_ATTACH_TYPE_PROCESS | Attach type for handling process creation/deletion events. Program type: BPF_PROG_TYPE_PROCESS |
| __MAX_BPF_ATTACH_TYPE | |
| enum bpf_link_type |
| Enumerator | |
|---|---|
| BPF_LINK_TYPE_UNSPEC | Unspecified link type. |
| BPF_LINK_TYPE_PLAIN | No union members are used in bpf_link_info. |
| BPF_LINK_TYPE_CGROUP | cgroup struct is present in bpf_link_info. |
| BPF_LINK_TYPE_XDP | xdp struct is present in bpf_link_info. |
| BPF_LINK_TYPE_MAX | |
| enum bpf_map_type |
| enum bpf_prog_type |
| Enumerator | |
|---|---|
| BPF_PROG_TYPE_UNSPEC | Unspecified program type. |
| BPF_PROG_TYPE_XDP | Program type for handling incoming packets as early as possible. eBPF program prototype: xdp_hook_t Attach type(s): BPF_XDP Helpers available: all helpers defined in bpf_helpers.h |
| BPF_PROG_TYPE_BIND | Program type for handling socket bind() requests. eBPF program prototype: bind_hook_t Attach type(s): BPF_ATTACH_TYPE_BIND Helpers available: all helpers defined in bpf_helpers.h |
| BPF_PROG_TYPE_CGROUP_SOCK_ADDR | Program type for handling various socket operations such as connect(), accept() etc. eBPF program prototype: sock_addr_hook_t Attach type(s): BPF_CGROUP_INET4_CONNECT BPF_CGROUP_INET6_CONNECT BPF_CGROUP_INET4_RECV_ACCEPT BPF_CGROUP_INET6_RECV_ACCEPT Helpers available: all helpers defined in bpf_helpers.h |
| BPF_PROG_TYPE_SOCK_OPS | Program type for handling various socket event notifications such as connection established etc. eBPF program prototype: sock_ops_hook_t Attach type(s): BPF_CGROUP_SOCK_OPS Helpers available: all helpers defined in bpf_helpers.h |
| BPF_PROG_TYPE_NETEVENT | Program type for handling netevents. The github microsoft/ntosebpfext repo has the implementation for this program type. eBPF program prototype: netevent_event_hook_t Attach type(s): BPF_ATTACH_TYPE_NETEVENT Helpers available: all helpers defined in bpf_helpers.h |
| BPF_PROG_TYPE_PROCESS | Program type for handling process creation/deletion events. The github microsoft/ntosebpfext repo has the implementation for this program type. eBPF program prototype: sock_ops_hook_t Attach type(s): BPF_ATTACH_TYPE_PROCESS Helpers available: all helpers defined in bpf_helpers.h |
| BPF_PROG_TYPE_XDP_TEST | Program type for handling incoming packets as early as possible. eBPF program prototype: xdp_hook_t Attach type(s): BPF_XDP_TEST Helpers available: all helpers defined in bpf_helpers.h |
| BPF_PROG_TYPE_SAMPLE | Program type for handling calls from the eBPF sample extension. Used for testing. eBPF program prototype: see the eBPF sample extension. Attach type(s): BPF_ATTACH_TYPE_SAMPLE |
| enum ebpf_helper_id_t |
| Enumerator | |
|---|---|
| BPF_FUNC_map_lookup_elem | |
| BPF_FUNC_map_update_elem | |
| BPF_FUNC_map_delete_elem | |
| BPF_FUNC_map_lookup_and_delete_elem | |
| BPF_FUNC_tail_call | |
| BPF_FUNC_get_prandom_u32 | |
| BPF_FUNC_ktime_get_boot_ns | |
| BPF_FUNC_get_smp_processor_id | |
| BPF_FUNC_ktime_get_ns | |
| BPF_FUNC_csum_diff | |
| BPF_FUNC_ringbuf_output | |
| BPF_FUNC_trace_printk2 | bpf_trace_printk2 (but use bpf_printk instead) |
| BPF_FUNC_trace_printk3 | bpf_trace_printk3 (but use bpf_printk instead) |
| BPF_FUNC_trace_printk4 | bpf_trace_printk4 (but use bpf_printk instead) |
| BPF_FUNC_trace_printk5 | bpf_trace_printk5 (but use bpf_printk instead) |
| BPF_FUNC_map_push_elem | |
| BPF_FUNC_map_pop_elem | |
| BPF_FUNC_map_peek_elem | |
| BPF_FUNC_get_current_pid_tgid | |
| BPF_FUNC_get_current_logon_id | |
| BPF_FUNC_is_current_admin | |
| BPF_FUNC_memcpy | |
| BPF_FUNC_memcmp | |
| BPF_FUNC_memset | |
| BPF_FUNC_memmove | |
| BPF_FUNC_get_socket_cookie | |
| BPF_FUNC_strncpy_s | |
| BPF_FUNC_strncat_s | |
| BPF_FUNC_strnlen_s | |
| BPF_FUNC_ktime_get_boot_ms | |
| BPF_FUNC_ktime_get_ms | |
| BPF_FUNC_perf_event_output | |
| enum ebpf_map_option |
| enum ebpf_pin_type |
1.9.8