eBPF for Windows
eBPF is a well-known technology for providing programmability and agility, especially for extending an OS kernel, for use cases such as DoS protection and observability. This project is a work in progress that allows the existing eBPF toolchains and APIs familiar from the Linux ecosystem to be used on top of Windows. That is, this project takes existing eBPF projects as submodules and adds the layer in between to make them run on top of Windows.
For more info, see the Architectural Overview.
A number of hooks are currently exposed to eBPF programs; a program that attaches to one of them includes ebpf_nethooks.h. Refer to the list of bpf_prog_type values for details of each hook.
eBPF programs can also call helper APIs to do additional processing. There are two types of helpers:
The documentation for each program type lists which helper header files can be used with that program type. Similarly, the documentation for each bpf_prog_type value gives the API prototype the program must implement, and the list of attach types supported when attaching an eBPF program of that type. Most program types have only a single attach type, but some support multiple places to which the same type of program can be attached.
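As an added example, and not code from the eBPF for Windows project or its samples, here is a small program for the bind hook declared in ebpf_nethooks.h, written against the convention described above: the SEC("bind") section name selects the bind program type and its attach type, and the entry point implements that type's prototype (a bind_md_t context in, a bind_action_t decision out). The bind_md_t layout, its field names and the BIND_* constants in the fallback branch are the author's recollection of ebpf_nethooks.h and should be treated as assumptions, as should the allow-listed ports and the PID used in the host-side wrapper; when the real SDK headers are on the include path they are used instead, and the program is then compiled with clang for the bpf target.

```c
/* bind_policy.c: an example eBPF-for-Windows program for the "bind" hook.
 *
 * Added example, not code from the eBPF for Windows project. The bind_md_t,
 * bind_operation_t and bind_action_t definitions in the host-build fallback
 * below mirror the author's reading of ebpf_nethooks.h and are an assumption;
 * when the real SDK headers are present they are used instead.
 */
#ifdef __has_include
#if __has_include("ebpf_nethooks.h")
#define HAVE_EBPF_FOR_WINDOWS_HEADERS 1
#endif
#endif

#ifdef HAVE_EBPF_FOR_WINDOWS_HEADERS
#include "bpf_helpers.h"   /* SEC() and the helper prototypes */
#include "ebpf_nethooks.h" /* hook context types for the bind program type */
#else
/* Host-build stand-ins (assumption: same field order and values as ebpf_nethooks.h). */
#include <stdint.h>
#define SEC(name)

typedef enum _bind_operation {
    BIND_OPERATION_BIND,      /* entry to bind() */
    BIND_OPERATION_POST_BIND, /* after port allocation */
    BIND_OPERATION_UNBIND,    /* port release */
} bind_operation_t;

typedef struct _bind_md {
    uint8_t* app_id_start;         /* start of the application ID */
    uint8_t* app_id_end;           /* end of the application ID */
    uint64_t process_id;           /* PID of the caller */
    uint8_t socket_address[16];    /* address passed to bind() */
    uint8_t socket_address_length; /* bytes valid in socket_address */
    bind_operation_t operation;    /* which phase of bind this is */
    uint8_t protocol;              /* IP protocol number, e.g. 6 for TCP */
} bind_md_t;

typedef enum _bind_action {
    BIND_PERMIT,   /* allow the bind */
    BIND_REDIRECT, /* rewrite the endpoint */
    BIND_DENY      /* fail the bind */
} bind_action_t;
#endif

#define PROTO_TCP 6 /* IPPROTO_TCP, defined locally to keep OS headers out of BPF code */

/* Program of type BPF_PROG_TYPE_BIND: the "bind" section name selects that
 * program type and its attach type when the object is loaded. Policy
 * (constructed for this example): deny TCP binds to ports below 1024 unless
 * the port is 80 or 443. */
SEC("bind")
bind_action_t
BindPolicy(bind_md_t* ctx)
{
    /* Only the initial bind is a policy decision; post-bind and unbind are bookkeeping. */
    if (ctx->operation != BIND_OPERATION_BIND)
        return BIND_PERMIT;
    if (ctx->protocol != PROTO_TCP)
        return BIND_PERMIT;
    /* Assumption: a sockaddr_in stores the port in bytes 2-3, network byte order. */
    if (ctx->socket_address_length < 4)
        return BIND_PERMIT;
    uint16_t port = (uint16_t)((ctx->socket_address[2] << 8) | ctx->socket_address[3]);

    /* Port 0 asks the stack for an ephemeral port, which is never privileged. */
    if (port == 0 || port >= 1024)
        return BIND_PERMIT;
    /* Allow-listed web ports; everything else below 1024 is refused. */
    if (port == 80 || port == 443)
        return BIND_PERMIT;
    return BIND_DENY;
}

#ifndef __bpf__
/* Host-only wrapper, not part of the BPF program: builds a constructed
 * bind_md_t for a bind() of the given port and protocol and runs the policy. */
bind_action_t
evaluate_bind(bind_operation_t operation, uint8_t protocol, uint16_t port)
{
    bind_md_t ctx = {0};
    ctx.process_id = 4242;          /* constructed PID */
    ctx.socket_address[0] = 2;      /* AF_INET, low byte of the 16-bit family field */
    ctx.socket_address[2] = (uint8_t)(port >> 8);
    ctx.socket_address[3] = (uint8_t)(port & 0xff);
    ctx.socket_address_length = 16; /* sizeof(sockaddr_in) */
    ctx.operation = operation;
    ctx.protocol = protocol;
    return BindPolicy(&ctx);
}
#endif
```

Building for the host (for example with gcc) exercises only the decision logic through evaluate_bind; the policy itself runs in the kernel only after the object is loaded and attached through the bind attach type. The shape is what a verifier wants to see: no loops, every read from ctx lands on a fixed-size field, and a decision is returned on every path.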
User-mode applications have access to three types of APIs: