Lines Matching +full:linux +full:- +full:kernel

1 .TH "BPF classifier and actions in tc" 8 "18 May 2015" "iproute2" "Linux"
3 BPF \- BPF programmable classifier and actions for ingress/egress
9 .B object-file
30 .B object-file
42 .B bytecode-file
55 .B bytecode-file
69 implementing small programs which can safely be loaded into the kernel
70 and thus executed in a tiny virtual machine from kernel space. An in-kernel
72 crashes nor leaks data from the kernel.
74 In Linux, it's generally considered that eBPF is the successor of cBPF.
75 The kernel internally transforms cBPF expressions into eBPF expressions and
77 or at setup time, they can be just-in-time compiled (JIT'ed) to run as
85 achieve a better run-time performance. It is designed to be JIT'ed with
101 highly efficient. It allows for non-linear classification and even merging
104 kernel without reloading a classifier, or it can gather statistics that
109 .SS object-file
150 forces the offload and disables running the eBPF program in the kernel.
151 If hardware offload is not possible and this flag was set kernel will
171 .B -1
175 allows for efficient, non-linear classification with only a single eBPF/cBPF
185 denotes the number of subsequent 4-tuples. One such 4-tuple consists of
198 that ships with the Linux kernel source tree under
203 .B bytecode-file
206 .SS bytecode-file
219 As prerequisites, the kernel needs to have the eBPF system call namely
225 kernel modules for the traffic control subsystem. To enable eBPF/eBPF JIT
235 .B clang -O2 -emit-llvm -c bpf.c -o - | llc -march=bpf -filetype=obj -o bpf.o
245         clang -O2 -emit-llvm -c $1 -o - | \\
246         llc -march=bpf -filetype=obj -o "`basename $1 .c`.o"
253 A minimal, stand-alone unit, which matches on all traffic with the
254 default classid (return code of -1) looks like:
259 #include <linux/bpf.h>
267         return -1;
282 and the license string syntax is the same as with Linux kernel modules.
283 The kernel reserves its right that some eBPF helper functions can be
285 from loading into the kernel when such a license mismatch occurs.
296 objdump -h bpf.o
300 4 action-mark   00000088  0000000000000000  0000000000000000  00000838  2**3
302 5 action-rand   00000098  0000000000000000  0000000000000000  000008c0  2**3
313 in the default ELF section is trivial (note that instead of "object-file"
372 object file within various sections. In that case, non-default section
380 .B                          action bpf obj bpf.o sec action-mark \e
382 .B                          action bpf obj bpf.o sec action-rand ok
411 this fd-owner shell, they can terminate and restart without losing eBPF
421 .B                          action bpf obj bpf.o sec action-mark \e
423 .B                          action bpf obj bpf.o sec action-rand ok
456 sh# ls -la /proc/self/fd
458     lrwx------. 1 root root 64 Apr 14 16:46 5 -> anon_inode:bpf-map
459     lrwx------. 1 root root 64 Apr 14 16:46 6 -> anon_inode:bpf-map
460     lrwx------. 1 root root 64 Apr 14 16:46 7 -> anon_inode:bpf-map
480 .B linux/bpf.h
482 This man page will only provide two minimal, stand-alone examples, have a
493 .B -1
498 non-linear matching
502 .B linux/pkt_cls.h
512 .B TC_ACT_UNSPEC (-1)
514 .B -1
543 #include <linux/bpf.h>
544 #include <linux/pkt_sched.h>
571                 __sync_fetch_and_add(&tu->packets, 1);
572                 __sync_fetch_and_add(&tu->bytes, skb->len);
578         uint32_t mark = skb->mark;
603 #include <linux/bpf.h>
604 #include <linux/filter.h>
605 #include <linux/in.h>
606 #include <linux/if_ether.h>
607 #include <linux/ip.h>
608 #include <linux/tcp.h>
641         off = skb->queue_mapping & 7;
642         set_tcp_dport(skb, nh_off - BPF_LL_OFF, __constant_htons(80),
644         return -1;
651         if (likely(skb->protocol == __constant_htons(ETH_P_IP)))
706 given use-case will be most efficient to run.
723 the kernel log, which can be read via
731 The Linux kernel source tree ships additionally under
735 that reads out the opcode image dump from the kernel log and dumps the
739 .B bpf_jit_disasm -o
742 Other than that, the Linux kernel also contains an extensive eBPF/cBPF
752 the kernel log that can be inspected with
757 Linux kernel and networking mailing lists.
773 but rather in a minimal assembler-like language or with the help of other
785 4-tuples of cBPF opcodes. As mentioned, such a 4-tuple consists of
796 from the program with immediate value of -1.
798 Thus, for egress classification, Willem de Bruijn implemented a minimal stand-alone
823                 if (dlt == -1)
827         ret = pcap_compile_nopcap(-1, dlt, &prog, argv[argc - 1],
835         for (i = 0; i < prog.bf_len - 1; ++ins, ++i)
836                 printf("%u %u %u %u,", ins->code,
837                        ins->jt, ins->jf, ins->k);
839                ins->code, ins->jt, ins->jf, ins->k);
853 .B bpftool EN10MB 'tcp[tcpflags] & tcp-syn != 0' > /var/bpf/tcp-syn
855 .B tc filter add dev em1 parent 1: bpf bytecode-file /var/bpf/tcp-syn flowid 1:1
861 .B tcpdump -iem1 -ddd 'tcp[tcpflags] & tcp-syn != 0' | tr '\\\\n' ',' > /var/bpf/tcp-syn
866 does not support all Linux' specific cBPF extensions in its compiler, the
867 Linux kernel also ships under
889 ret #-1
897 .B bpf_asm foobar > /var/bpf/tcp-syn
899 .B tc filter add dev em1 parent 1: bpf bytecode-file /var/bpf/tcp-syn flowid 1:1
902 For BPF classifiers, the Linux kernel provides additionally under
906 , which can be used to test a classifier against pcap files, single-step
916 in the Linux kernel source tree under
936 Please report corrections or improvements to the Linux kernel networking
938 .B <netdev@vger.kernel.org>