Lines Matching +full:packet +full:- +full:verification +full:- +full:low +full:- +full:power
1 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
2 /* Copyright (c) 2011-2014 PLUMgrid, http://plumgrid.com
21 #define BPF_DW 0x18 /* double word (64-bit) */
23 #define BPF_ATOMIC 0xc0 /* atomic memory ops - op type in immediate */
24 #define BPF_XADD 0xc0 /* exclusive add - legacy name */
32 #define BPF_TO_LE 0x00 /* convert to little-endian */
33 #define BPF_TO_BE 0x08 /* convert to big-endian */
52 #define BPF_CMPXCHG (0xf0 | BPF_FETCH) /* atomic compare-and-write */
74 /* BPF has 10 general purpose 64-bit registers and stack frame. */
116 BPF_CGROUP_ITER_DESCENDANTS_PRE, /* walk descendants in pre-order. */
117 BPF_CGROUP_ITER_DESCENDANTS_POST, /* walk descendants in post-order. */
128 /* At most one of cgroup_fd and cgroup_id can be non-zero. If
144 /* BPF syscall commands, see bpf(2) man-page for more details. */
159 * map. The close-on-exec file descriptor flag (see **fcntl**\ (2))
166 * A new file descriptor (a nonnegative integer), or -1 if an
178 * Look up the value of a spin-locked map without
183 * Returns zero on success. On error, -1 is returned and *errno*
200 * Update a spin_lock-ed map element.
203 * Returns zero on success. On error, -1 is returned and *errno*
224 * Returns zero on success. On error, -1 is returned and *errno*
234 * Returns zero on success. On error, -1 is returned and *errno*
244 * * If *key* is the last element, returns -1 and *errno* is set
258 * The close-on-exec file descriptor flag (see **fcntl**\ (2)) is
262 * A new file descriptor (a nonnegative integer), or -1 if an
287 * Returns zero on success. On error, -1 is returned and *errno*
296 * A new file descriptor (a nonnegative integer), or -1 if an
342 * Returns zero on success. On error, -1 is returned and *errno*
352 * Returns zero on success. On error, -1 is returned and *errno*
360 * *ctx_out*, *data_out* (for example, packet data), result of the
384 * Returns zero on success. On error, -1 is returned and *errno*
399 * remain with ids higher than *start_id*, returns -1 and sets
403 * Returns zero on success. On error, or when no id remains, -1
412 * remain with ids higher than *start_id*, returns -1 and sets
416 * Returns zero on success. On error, or when no id remains, -1
425 * A new file descriptor (a nonnegative integer), or -1 if an
434 * A new file descriptor (a nonnegative integer), or -1 if an
452 * Returns zero on success. On error, -1 is returned and *errno*
498 * Returns zero on success. On error, -1 is returned and *errno*
516 * A new file descriptor (a nonnegative integer), or -1 if an
536 * output regarding the BTF verification process.
539 * A new file descriptor (a nonnegative integer), or -1 if an
548 * A new file descriptor (a nonnegative integer), or -1 if an
569 * Returns zero on success. On error, -1 is returned and *errno*
582 * Look up and delete the value of a spin-locked map
601 * Returns zero on success. On error, -1 is returned and *errno*
616 * Returns zero on success. On error, -1 is returned and *errno*
626 * remain with ids higher than *start_id*, returns -1 and sets
630 * Returns zero on success. On error, or when no id remains, -1
658 * Look up the value of a spin-locked map without
670 * Returns zero on success. On error, -1 is returned and *errno*
675 * iteration of a hash-based map type.
692 * Returns zero on success. On error, -1 is returned and *errno*
719 * Update spin_lock-ed map elements. This must be
728 * Returns zero on success. On error, -1 is returned and *errno*
762 * Look up the value of a spin-locked map without
774 * Returns zero on success. On error, -1 is returned and *errno*
784 * A new file descriptor (a nonnegative integer), or -1 if an
793 * Returns zero on success. On error, -1 is returned and *errno*
802 * A new file descriptor (a nonnegative integer), or -1 if an
811 * remain with ids higher than *start_id*, returns -1 and sets
815 * Returns zero on success. On error, or when no id remains, -1
830 * disabled system-wide when all outstanding file descriptors
834 * A new file descriptor (a nonnegative integer), or -1 if an
849 * A new file descriptor (a nonnegative integer), or -1 if an
858 * Returns zero on success. On error, -1 is returned and *errno*
873 * Returns zero on success. On error, -1 is returned and *errno*
879 * BPF-related functionality it allows:
880 * - a set of allowed bpf() syscall commands;
881 * - a set of allowed BPF map types to be created with
883 * - a set of allowed BPF program types and BPF program attach
903 * A new file descriptor (a nonnegative integer), or -1 if an
987 * both cgroup-attached and other progs and supports all functionality
1155 /* cgroup-bpf attach flags used in BPF_PROG_ATTACH command
1159 * BPF_F_ALLOW_OVERRIDE: If a sub-cgroup installs some bpf program,
1160 * the program in this cgroup yields to sub-cgroup program.
1162 * BPF_F_ALLOW_MULTI: If a sub-cgroup installs some bpf program,
1173 * The programs of sub-cgroup are executed first, then programs of
1183 * A cgroup with MULTI or OVERRIDE flag allows any attach flags in sub-cgroups.
1184 * A cgroup with NONE doesn't allow any programs in sub-cgroups.
1186 * cgrp1 (MULTI progs A, B) ->
1187 * cgrp2 (OVERRIDE prog C) ->
1188 * cgrp3 (MULTI prog D) ->
1189 * cgrp4 (OVERRIDE prog E) ->
1230 * Verifier does sub-register def/use analysis and identifies instructions whose
1231 * def only matters for low 32-bit, high 32-bit is never referenced later
1232 * through implicit zero extension. Therefore verifier notifies JIT back-ends
1233 * that it is safe to ignore clearing high 32-bit for these instructions. This
1234 * saves some back-ends a lot of code-gen. However such optimization is not
1235 * necessary on some arches, for example x86_64, arm64 etc, whose JIT back-ends
1241 * 32-bit for those instructions that have been identified as safe to ignore them.
1264 * program becomes device-bound but can access XDP metadata.
1286 * BPF_PROG_TYPE_NETFILTER to enable IP packet defragmentation.
1335 /* when bpf_call->src_reg == BPF_PSEUDO_CALL, bpf_call->imm == pc-relative
1339 /* when bpf_call->src_reg == BPF_PSEUDO_KFUNC_CALL,
1340 * bpf_call->imm == btf_id of a BTF_KIND_FUNC in the running kernel
1353 BPF_F_LOCK = 4, /* spin_lock-ed map_lookup/map_update */
1376 /* Zero-initialize hash function seed. This should only be used for testing. */
1386 /* Enable memory-mapping BPF map */
1474 __u32 btf_vmlinux_value_type_id;/* BTF type_id of a kernel-
1478 /* Any per-map-type extra fields
1480 * BPF_MAP_TYPE_BLOOM_FILTER - the lowest 4 bits indicate the
1484 * BPF_MAP_TYPE_ARENA - contains the address where user space
1550 __u32 attach_btf_id; /* in-kernel BTF type id to attach to */
1657 /* output: per-program attach_flags.
1725 /* black box user-provided value passed through
1741 /* black box user-provided value passed through
1832 * --filename include/uapi/linux/bpf.h > /tmp/bpf-helpers.rst
1833 * $ rst2man /tmp/bpf-helpers.rst > /tmp/bpf-helpers.7
1834 * $ man /tmp/bpf-helpers.7
1894 * This helper is a "printk()-like" facility for debugging. It
1912 * telnet-470 [001] .N.. 419421.045894: 0x00000001: <formatted msg>
1937 * helper will return **-EINVAL** (but print nothing) if it
1953 * Get a pseudo-random number.
1956 * pseudo-random internal state, and cannot be used to infer the
1961 * A random 32-bit unsigned value.
1974 * Store *len* bytes from address *from* into the packet
1977 * checksum for the packet after storing the bytes) and
1978 * **BPF_F_INVALIDATE_HASH** (set *skb*\ **->hash**, *skb*\
1979 * **->swhash** and *skb*\ **->l4hash** to 0).
1982 * packet buffer. Therefore, at load time, all checks on pointers
1985 * direct packet access.
1991 * Recompute the layer 3 (e.g. IP) checksum for the packet
1999 * indicates the location of the IP checksum within the packet.
2002 * which does not update the checksum in-place, but offers more
2007 * packet buffer. Therefore, at load time, all checks on pointers
2010 * direct packet access.
2017 * packet associated to *skb*. Computation is incremental, so the
2025 * location of the IP checksum within the packet. In addition to
2031 * the checksum is to be computed against a pseudo-header.
2034 * which does not update the checksum in-place, but offers more
2039 * packet buffer. Therefore, at load time, all checks on pointers
2042 * direct packet access.
2079 * Clone and redirect the packet associated to *skb* to another
2088 * duplicating the packet buffer, but this can be executed out of
2094 * packet buffer. Therefore, at load time, all checks on pointers
2097 * direct packet access.
2107 * A 64-bit integer containing the current tgid and pid, and
2109 * *current_task*\ **->tgid << 32 \|**
2110 * *current_task*\ **->pid**.
2116 * A 64-bit integer containing the current GID and UID, and
2125 * helper makes sure that the *buf* is NUL-terminated. On failure,
2138 * based on a user-provided identifier for all traffic coming from
2141 * *Documentation/admin-guide/cgroup-v1/net_cls.rst*.
2147 * run on cgroups, which is a cgroup-v2-only feature (a socket can
2159 * *vlan_proto* to the packet associated to *skb*, then update
2165 * packet buffer. Therefore, at load time, all checks on pointers
2168 * direct packet access.
2174 * Pop a VLAN header from the packet associated to *skb*.
2177 * packet buffer. Therefore, at load time, all checks on pointers
2180 * direct packet access.
2188 * filled with tunnel metadata for the packet associated to *skb*.
2199 * in *key*\ **->remote_ipv4** or *key*\ **->remote_ipv6**. Also,
2200 * this struct exposes the *key*\ **->tunnel_id**, which is
2217 * return TC_ACT_SHOT; // drop packet
2220 * return TC_ACT_SHOT; // drop packet
2222 * return TC_ACT_OK; // accept packet
2237 * Populate tunnel metadata for packet associated to *skb.* The
2250 * packet should not be fragmented.
2254 * sending the packet. This flag was added for GRE
2306 * Redirect the packet to another net device of index *ifindex*.
2308 * (), except that the packet is not cloned, which provides
2331 * identifier retrieved is a user-provided tag, similar to the
2337 * (see also **tc-bpf(8)**), or alternatively on conventional
2348 * The realm of the route for the packet associated to *skb*, or 0
2391 * * Only the packet payload, or
2399 * packet. It can be used to load *len* bytes from *offset* from
2400 * the packet associated to *skb*, into the buffer pointed by
2404 * by "direct packet access", enabling packet data to be
2405 * manipulated with *skb*\ **->data** and *skb*\ **->data_end**
2406 * pointing respectively to the first byte of packet data and to
2407 * the byte after the last byte of packet data. However, it
2409 * at once from a packet into the eBPF stack.
2436 * generating a variety of graphs (such as flame graphs or off-cpu
2469 * checksum, it can be used when removing data from a packet.
2484 * Retrieve tunnel options metadata for the packet associated to
2494 * and retrieving arbitrary TLVs (Type-Length-Value headers) from
2502 * Set tunnel options metadata for the packet associated to *skb*
2530 * packet buffer. Therefore, at load time, all checks on pointers
2533 * direct packet access.
2539 * Change the packet type for the packet associated to *skb*. This
2540 * comes down to setting *skb*\ **->pkt_type** to *type*, except
2542 * **->pkt_type** beside this helper. Using a helper here allows
2554 * Packet is for us.
2556 * Send packet to all.
2558 * Send packet to group.
2560 * Send packet to someone else.
2577 * Retrieve the hash of the packet, *skb*\ **->hash**. If it is
2580 * directly with *skb*\ **->hash**.
2582 * Calling **bpf_set_hash_invalid**\ (), changing a packet
2589 * The 32-bit hash.
2604 * security mechanism because of TOC-TOU (time-of-check to time-of-use) attacks, but rather to
2605 * debug, divert, and manipulate execution of semi-cooperative
2630 * Resize (trim or grow) the packet associated to *skb* to the
2635 * change the size of the packet, then the eBPF program rewrites
2645 * packet buffer. Therefore, at load time, all checks on pointers
2648 * direct packet access.
2654 * Pull in non-linear data in case the *skb* is non-linear and not
2661 * packet access.
2663 * For direct packet access, testing that offsets to access
2664 * are within packet boundaries (test on *skb*\ **->data_end**) is
2666 * data is in non-linear parts of the *skb*. On failure the
2667 * program can just bail out, or in the case of a non-linear
2671 * to pull in once the non-linear parts, then retesting and
2682 * packet buffer. Therefore, at load time, all checks on pointers
2685 * direct packet access.
2691 * Add the checksum *csum* into *skb*\ **->csum** in case the
2692 * driver has supplied a checksum for the entire packet into that
2696 * written into the packet through direct packet access.
2703 * Invalidate the current *skb*\ **->hash**. It can be used after
2704 * mangling on headers through direct packet access, in order to
2724 * Grows headroom of packet associated to *skb* and adjusts the
2736 * packet buffer. Therefore, at load time, all checks on pointers
2739 * direct packet access.
2745 * Adjust (move) *xdp_md*\ **->data** by *delta* bytes. Note that
2747 * can be used to prepare the packet for pushing or popping
2751 * packet buffer. Therefore, at load time, all checks on pointers
2754 * direct packet access.
2781 * An 8-byte long unique number on success, or 0 if the socket
2789 * An 8-byte long unique number.
2796 * An 8-byte long unique number.
2804 * An 8-byte long unique number or 0 if *sk* is NULL.
2812 * time-wait or a request socket instead), **overflowuid** value
2818 * Set the full hash for *skb* (set the field *skb*\ **->hash**)
2861 * Grow or shrink the room for data in the packet associated to
2909 * packet buffer. Therefore, at load time, all checks on pointers
2912 * direct packet access.
2918 * Redirect the packet to the endpoint referenced by *map* at
2931 * With BPF_F_BROADCAST the packet will be broadcast to all the
2943 * Redirect the packet to the socket referenced by *map* (of type
2973 * Adjust the address pointed by *xdp_md*\ **->data_meta** by
2975 * operation modifies the address stored in *xdp_md*\ **->data**,
2979 * The use of *xdp_md*\ **->data_meta** is optional and programs
2981 * packet is processed with XDP (e.g. as DoS filter), it is
2985 * this up for further post-processing. Since TC works with socket
2993 * packet buffer. Therefore, at load time, all checks on pointers
2996 * direct packet access.
3019 * **->enabled** and *buf*\ **->running**, respectively) are
3137 * **bpf_sock->bpf_sock_ops_cb_flags & ~BPF_SOCK_OPS_RTO_CB_FLAG)**
3143 * * When a packet is retransmitted.
3145 * * When a packet is sent.
3146 * * When a packet is received.
3148 * Code **-EINVAL** if the socket is not a full TCP socket;
3188 * *bytes* will be sent and the eBPF program will be re-run with
3196 * a non-zero value, this is not a problem because data is not
3211 * 1-byte long message segments. Obviously, this is bad for
3221 * For socket policies, pull in non-linear data from user space
3222 * for *msg* and set pointers *msg*\ **->data** and *msg*\
3223 * **->data_end** to *start* and *end* bytes offsets into *msg*,
3240 * packet buffer. Therefore, at load time, all checks on pointers
3243 * direct packet access.
3259 * domain (*addr*\ **->sa_family**) must be **AF_INET** (or
3261 * or **sin6_port**) which triggers IP_BIND_ADDRESS_NO_PORT-like
3263 * port as long as 4-tuple is unique. Passing non-zero port might
3270 * Adjust (move) *xdp_md*\ **->data_end** by *delta* bytes. It is
3271 * possible to both shrink and grow the packet tail.
3275 * packet buffer. Therefore, at load time, all checks on pointers
3278 * direct packet access.
3285 * **ip-xfrm(8)**) at *index* in XFRM "security path" for *skb*.
3322 * adjusted by adding (sh_addr - sh_offset), where
3338 * The non-negative copied *buf* length equal to or less than
3345 * from the packet associated to *skb*, into the buffer pointed
3355 * In general, "direct packet access" is the preferred method to
3356 * access packet data, however, this helper is in particular useful
3357 * in socket filters where *skb*\ **->data** does not always point
3358 * to the start of the mac header and where "direct packet access"
3366 * If lookup is successful and result shows packet is to be
3384 * Use the routing table ID present in *params*->tbid
3390 * Skip the neighbour table lookup. *params*->dmac
3391 * and *params*->smac will not be set as output. A common
3395 * Derive and set source IP addr in *params*->ipv{4,6}_src
3398 * case, *params*->dmac and *params*->smac are not set either.
3400 * Use the mark present in *params*->mark for the fib lookup.
3408 * * 0 on success (packet is forwarded, nexthop neighbor exists)
3410 * packet is not forwarded or needs assist from full stack
3413 * was exceeded and output params->mtu_result contains the MTU.
3464 * Encapsulate the packet associated to *skb* within a Layer 3
3474 * Only works if *skb* contains an IPv6 packet. Insert a
3492 * packet buffer. Therefore, at load time, all checks on pointers
3495 * direct packet access.
3501 * Store *len* bytes from address *from* into the packet
3507 * packet buffer. Therefore, at load time, all checks on pointers
3510 * direct packet access.
3517 * Segment Routing Header contained in the packet associated to
3523 * packet buffer. Therefore, at load time, all checks on pointers
3526 * direct packet access.
3533 * packet associated to *skb*. Each action takes a parameter
3538 * End.X action: Endpoint with Layer-3 cross-connect.
3552 * packet buffer. Therefore, at load time, all checks on pointers
3555 * direct packet access.
3612 * to the same 64-bit id.
3625 * A 64-bit integer containing the current cgroup id based
3677 * and if non-**NULL**, released via **bpf_sk_release**\ ().
3685 * **sizeof**\ (*tuple*\ **->ipv4**)
3687 * **sizeof**\ (*tuple*\ **->ipv6**)
3690 * If the *netns* is a negative signed 32-bit integer, then the
3694 * If *netns* is any other signed 32-bit value greater than or
3697 * range of 32-bit integers are reserved for future use.
3707 * result is from *reuse*\ **->socks**\ [] using the hash of the
3714 * and if non-**NULL**, released via **bpf_sk_release**\ ().
3722 * **sizeof**\ (*tuple*\ **->ipv4**)
3724 * **sizeof**\ (*tuple*\ **->ipv6**)
3727 * If the *netns* is a negative signed 32-bit integer, then the
3731 * If *netns* is any other signed 32-bit value greater than or
3734 * range of 32-bit integers are reserved for future use.
3744 * result is from *reuse*\ **->socks**\ [] using the hash of the
3750 * non-**NULL** pointer that was returned from
3840 * allowed inside a spinlock-ed region.
3858 * networking packet (it can only be inside of a map values).
3863 * * **bpf_spin_lock** is not allowed in inner maps of map-in-map.
3912 * and if non-**NULL**, released via **bpf_sk_release**\ ().
3924 * result is from *reuse*\ **->socks**\ [] using the hash of the
3948 * The buffer is always NUL terminated, unless it's zero-sized.
3956 * **-E2BIG** if the buffer wasn't big enough (*buf* will contain
3968 * The buffer is always NUL terminated, unless it's zero-sized.
3972 * **-E2BIG** if the buffer wasn't big enough (*buf* will contain
3975 * **-EINVAL** if current value was unavailable, e.g. because
3976 * sysctl is uninitialized and read returns -EIO for it.
3986 * The buffer is always NUL terminated, unless it's zero-sized.
3990 * **-E2BIG** if the buffer wasn't big enough (*buf* will contain
3993 * **-EINVAL** if sysctl is being read.
4008 * **-E2BIG** if the *buf_len* is too big.
4010 * **-EINVAL** if sysctl is being read.
4020 * optional '**-**' sign.
4031 * **-EINVAL** if no valid digits were found or unsupported base
4034 * **-ERANGE** if resulting value was out of range.
4054 * **-EINVAL** if no valid digits were found or unsupported base
4057 * **-ERANGE** if resulting value was out of range.
4061 * Get a bpf-local-storage from a *sk*.
4071 * the *map*. The *map* is used as the bpf-local-storage
4072 * "type". The bpf-local-storage "type" (i.e. the *map*) is
4073 * searched against all bpf-local-storages residing at *sk*.
4079 * used such that a new bpf-local-storage will be
4082 * the initial value of a bpf-local-storage. If *value* is
4083 * **NULL**, the new bpf-local-storage will be zero initialized.
4085 * A bpf-local-storage pointer is returned on success.
4088 * a new bpf-local-storage.
4092 * Delete a bpf-local-storage from a *sk*.
4096 * **-ENOENT** if the bpf-local-storage cannot be found.
4097 * **-EINVAL** if sk is not a fullsock (e.g. a request_sock).
4106 * **-EBUSY** if work queue under nmi is full.
4108 * **-EINVAL** if *sig* is invalid.
4110 * **-EPERM** if no permission to send the *sig*.
4112 * **-EAGAIN** if bpf program can try again.
4116 * Try to issue a SYN cookie for the packet with corresponding
4133 * **-EINVAL** SYN cookie cannot be issued due to error
4135 * **-ENOENT** SYN cookie should not be issued (no SYN flood)
4137 * **-EOPNOTSUPP** kernel configuration does not enable SYN cookies
4139 * **-EPROTONOSUPPORT** IP packet version is not 4 or 6
4158 * *ctx* is a pointer to in-kernel struct sk_buff.
4185 * string length is larger than *size*, just *size*-1 bytes are
4200 * ctx->di);
4215 * *current*\ **->mm->arg_start** and *current*\
4216 * **->mm->env_start**: using this helper and the return value,
4233 * Send out a tcp-ack. *tp* is the in-kernel struct **tcp_sock**.
4244 * **-EBUSY** if work queue under nmi is full.
4246 * **-EINVAL** if *sig* is invalid.
4248 * **-EPERM** if no permission to send the *sig*.
4250 * **-EAGAIN** if bpf program can try again.
4272 * **-EINVAL** if arguments invalid or **size** not a multiple
4275 * **-ENOENT** if architecture does not support branch records.
4284 * **-EINVAL** if dev and inum supplied don't match dev_t and inode number
4287 * **-ENOENT** if pidns does not exist for the current task.
4306 * *ctx* is a pointer to in-kernel struct xdp_buff.
4324 * An 8-byte long opaque number.
4351 * routing configuration to receive the packet towards the socket,
4363 * **-EINVAL** if specified *flags* are not supported.
4365 * **-ENOENT** if the socket is unavailable for assignment.
4367 * **-ENETUNREACH** if the socket is unreachable (wrong netns).
4369 * **-EOPNOTSUPP** if the operation is not supported, for example
4380 * with the packet description provided by the *ctx* object.
4385 * that are not v6-only can be selected for IPv4 packets.
4398 * load-balancing within reuseport group for the socket
4401 * On success *ctx->sk* will point to the selected socket.
4406 * * **-EAFNOSUPPORT** if socket family (*sk->family*) is
4407 * not compatible with packet family (*ctx->family*).
4409 * * **-EEXIST** if socket has been already selected,
4413 * * **-EINVAL** if unsupported flags were specified.
4415 * * **-EPROTOTYPE** if socket L4 protocol
4416 * (*sk->protocol*) doesn't match packet protocol
4417 * (*ctx->protocol*).
4419 * * **-ESOCKTNOSUPPORT** if socket is not in allowed
4439 * The *data_len* is the size of *data* in bytes - must be a multiple of 8.
4450 * **-EBUSY** if per-CPU memory copy buffer is busy, can try again
4453 * **-EINVAL** if arguments are invalid, or if *fmt* is invalid/unsupported.
4455 * **-E2BIG** if *fmt* contains too many format specifiers.
4457 * **-EOVERFLOW** if an overflow happened: The same object will be tried again.
4467 * **-EOVERFLOW** if an overflow happened: The same object will be tried again.
4473 * *sk* must be a non-**NULL** pointer to a socket, e.g. one
4511 * An adaptive notification is a notification sent whenever the user-space
4512 * process has caught up and consumed all available payloads. In case the user-space
4566 * power heuristics and for reporting, not to make 100% correct
4589 * * **BPF_CSUM_LEVEL_INC**: Increases skb->csum_level for skbs
4591 * * **BPF_CSUM_LEVEL_DEC**: Decreases skb->csum_level for skbs
4593 * * **BPF_CSUM_LEVEL_RESET**: Resets skb->csum_level to 0 and
4595 * * **BPF_CSUM_LEVEL_QUERY**: No-op, returns the current
4596 * skb->csum_level.
4599 * case of **BPF_CSUM_LEVEL_QUERY**, the current skb->csum_level
4600 * is returned or the error code -EACCES in case the skb is not
4637 * the current task; all other tasks will return -EOPNOTSUPP.
4665 * The non-negative copied *buf* length equal to or less than
4674 * *skops*\ **->skb_data**. The comment in **struct bpf_sock_ops**
4676 * *skops*\ **->op**.
4686 * the 2nd byte which is "kind-length" of a TCP
4687 * header option and the "kind-length" also
4688 * includes the first 2 bytes "kind" and "kind-length"
4697 * Note, kind-length must be 0 for regular option.
4699 * Searching for No-Op (0) and End-of-Option-List (1) are
4708 * saved_syn packet or the just-received syn packet.
4715 * **-EINVAL** if a parameter is invalid.
4717 * **-ENOMSG** if the option is not found.
4719 * **-ENOENT** if no syn packet is available when
4722 * **-ENOSPC** if there is not enough space. Only *len* number of
4725 * **-EFAULT** on failure to parse the header options in the
4726 * packet.
4728 * **-EPERM** if the helper cannot be used under the current
4729 * *skops*\ **->op**.
4737 * includes the kind, kind-length, and the actual
4738 * option data. The *len* must be at least kind-length
4739 * long. The kind-length does not have to be 4 byte
4741 * and setting the 4 bytes aligned value to th->doff.
4752 * **-EINVAL** If param is invalid.
4754 * **-ENOSPC** if there is not enough space in the header.
4757 * **-EEXIST** if the option already exists.
4759 * **-EFAULT** on failure to parse the existing header options.
4761 * **-EPERM** if the helper cannot be used under the current
4762 * *skops*\ **->op**.
4779 * **-EINVAL** if a parameter is invalid.
4781 * **-ENOSPC** if there is not enough space in the header.
4783 * **-EPERM** if the helper cannot be used under the current
4784 * *skops*\ **->op**.
4798 * the *map*. The *map* is used as the bpf-local-storage
4799 * "type". The bpf-local-storage "type" (i.e. the *map*) is
4820 * **-ENOENT** if the bpf_local_storage cannot be found.
4843 * Use BTF to store a string representation of *ptr*->ptr in *str*,
4844 * using *ptr*->type_id. This value should specify the type
4845 * that *ptr*->ptr points to. LLVM __builtin_btf_type_id(type, 1)
4848 * stored in the first *str_size* - 1 bytes of *str*. Safe copy of
4869 * show zero-valued struct/union members; they
4880 * *ptr*->ptr, using *ptr*->type_id as per bpf_snprintf_btf().
4896 * Redirect the packet to another net device of index *ifindex*
4946 * Redirect the packet to another net device of index *ifindex*.
4972 * the *map*. The *map* is used as the bpf-local-storage
4973 * "type". The bpf-local-storage "type" (i.e. the *map*) is
4994 * **-ENOENT** if the bpf_local_storage cannot be found.
5012 * **-EINVAL** if invalid *flags* are passed, zero otherwise.
5016 * Return a coarse-grained version of the time elapsed since
5031 * **-EOPNOTSUPP** if IMA is disabled or **-EINVAL** if
5044 * Check packet size against exceeding MTU of net device (based
5046 * with helpers that adjust/change the packet size.
5049 * size change. This allows checking the MTU prior to changing packet
5051 * actual packet size (resulting in negative packet size) will in
5055 * a negative packet size belongs in those helpers.
5063 * zero then the ctx packet size is used. When value *mtu_len* is
5066 * this value is L3 as this correlates to MTU and IP-header tot_len
5082 * If packet context contains extra packet segment buffers
5085 * possible for the skb packet to get re-segmented
5095 * MTU value in your BPF-code.
5112 * **map**, **callback_ctx** and other map-specific parameters.
5135 * The number of traversed map elements for success, **-EINVAL** for
5141 * based on a format string stored in a read-only map pointed by
5147 * array. The *data_len* is the size of *data* in bytes - must be
5162 * be zero-terminated except when **str_size** is 0.
5164 * Or **-EBUSY** if the per-CPU memory copy buffer is busy.
5194 * **-EBUSY** if *timer* is already initialized.
5195 * **-EINVAL** if invalid *flags* are passed.
5196 * **-EPERM** if *timer* is in a map that doesn't have any user references.
5206 * **-EINVAL** if *timer* was not initialized with bpf_timer_init() earlier.
5207 * **-EPERM** if *timer* is in a map that doesn't have any user references.
5223 * decremented. This is done to make sure that Ctrl-C of a user
5225 * bpffs the callback_fn can re-arm itself indefinitely.
5228 * The map can contain timers that invoke callback_fn-s from different
5243 * **-EINVAL** if *timer* was not initialized with bpf_timer_init() earlier
5252 * **-EINVAL** if *timer* was not initialized with bpf_timer_init() earlier.
5253 * **-EDEADLK** if callback_fn tried to call bpf_timer_cancel() on its
5276 * - kprobe/uprobe;
5277 * - tracepoint;
5278 * - perf_event.
5306 * **-EINVAL** if *flags* is not zero.
5308 * **-ENOENT** if architecture does not support branch records.
5333 * **-EINVAL** if *flags* is not zero.
5335 * **-EINVAL** if string *name* is not the same size as *name_sz*.
5337 * **-ENOENT** if symbol is not found.
5339 * **-EPERM** if caller does not have permission to obtain kernel address.
5356 * **-ENOENT** if *task->mm* is NULL, or no vma contains *addr*.
5357 * **-EBUSY** if failed to try lock mmap_lock.
5358 * **-EINVAL** for invalid **flags**.
5373 * is zero-indexed.
5381 * The number of loops performed, **-EINVAL** for invalid **flags**,
5382 * **-E2BIG** if **nr_loops** exceeds the maximum number of loops.
5387 * to be null-terminated and **s1_sz** is the maximum storage
5388 * size of **s1**. **s2** must be a read-only string.
5396 * Get **n**-th argument register (zero based) of the traced function (for tracing programs)
5401 * **-EINVAL** if n >= argument register count of traced function.
5410 * **-EOPNOTSUPP** for tracing programs other than BPF_TRACE_FEXIT or BPF_MODIFY_RETURN.
5439 * bpf_set_retval(-EPERM);
5442 * In this case, the BPF program's return value will use helper's -EPERM. This
5482 * Change the __sk_buff->tstamp_type to *tstamp_type*
5483 * and set *tstamp* to the __sk_buff->tstamp together.
5485 * If there is no need to change the __sk_buff->tstamp_type,
5486 * the tstamp value can be directly written to __sk_buff->tstamp
5497 * Only IPv4 and IPv6 skb->protocol are supported.
5500 * mono delivery time to __sk_buff->tstamp and then
5502 * changing the (rcv) timestamp in __sk_buff->tstamp at
5504 * to sch_fq@phy-dev.
5507 * **-EINVAL** for invalid input
5508 * **-EOPNOTSUPP** for unsupported protocol
5517 * **-EOPNOTSUPP** if the hash calculation failed or **-EINVAL** if
5553 * 0 on success, -E2BIG if the size exceeds DYNPTR_MAX_SIZE,
5554 * -EINVAL if flags is not 0.
5570 * through the dynptr interface. This is a no-op if the dynptr is
5581 * interface. This is a no-op if the dynptr is invalid/null.
5594 * 0 on success, -E2BIG if *offset* + *len* exceeds the length
5595 * of *src*'s data, -EINVAL if *src* is an invalid dynptr or if
5603 * *flags* must be 0 except for skb-type dynptrs.
5605 * For skb-type dynptrs:
5609 * underlying packet buffer.
5614 * 0 on success, -E2BIG if *offset* + *len* exceeds the length
5615 * of *dst*'s data, -EINVAL if *dst* is an invalid dynptr or if *dst*
5616 * is a read-only dynptr or if *flags* is not correct. For skb-type dynptrs,
5630 * read-only, if the dynptr is invalid, or if the offset and length
5635 * Try to issue a SYN cookie for the packet with corresponding
5651 * **-EINVAL** if *th_len* is invalid.
5655 * Try to issue a SYN cookie for the packet with corresponding
5671 * **-EINVAL** if *th_len* is invalid.
5673 * **-EPROTONOSUPPORT** if CONFIG_IPV6 is not builtin.
5688 * **-EACCES** if the SYN cookie is not valid.
5703 * **-EACCES** if the SYN cookie is not valid.
5705 * **-EPROTONOSUPPORT** if CONFIG_IPV6 is not builtin.
5709 * A nonsettable system-wide clock derived from wall-clock time but
5734 * buffer. If a user-space producer was epoll-waiting on this map,
5744 * **-EBUSY** if the ring buffer is contended, and another calling
5747 * **-EINVAL** if user-space is not properly tracking the ring
5752 * **-E2BIG** if user-space has tried to publish a sample which is
5767 * In reality, the local-storage value is embedded directly inside of the
5769 * **BPF_MAP_TYPE_CGRP_STORAGE** map. When the local-storage value is
5771 * O(n) iteration over all of the live local-storage values for that
5772 * *cgroup* object until the local-storage value for the *map* is found.
5792 * **-ENOENT** if the bpf_local_storage cannot be found.
6009 /* backwards-compatibility macros for users of __BPF_FUNC_MAPPER that don't
6093 BPF_F_CURRENT_NETNS = (-1L),
6215 * and try to deduce it by ingress, egress or skb->sk->sk_clockid.
6219 /* user accessible mirror of in-kernel sk_buff.
6283 /* user accessible mirror of in-kernel xfrm_state.
6298 * The values are binary compatible with their TC_ACT_* counter-part to
6308 /* 3-6 reserved */
6410 * their TC_ACT_* counter-parts. For compatibility in behavior, unknown
6414 TCX_NEXT = -1,
6429 * result in packet drops and a warning via bpf_warn_invalid_xdp_action().
6439 /* user accessible metadata for XDP packet hook
6447 __u32 ingress_ifindex; /* rxq->dev->ifindex */
6448 __u32 rx_queue_index; /* rxq->queue_index */
6450 __u32 egress_ifindex; /* txq->dev->ifindex */
6453 /* DEVMAP map-value layout
6455 * The struct data-layout of map-value is a configuration interface.
6466 /* CPUMAP map-value layout
6468 * The struct data-layout of map-value is a configuration interface.
6484 /* user accessible metadata for SK_MSG packet hook, new fields must
6512 * Total length of packet (starting from the tcp/udp header).
6513 * Note that the directly accessible bytes (data_end - data)
6525 __u32 hash; /* A hash of the packet 4 tuples */
6526 /* When reuse->migrating_sk is NULL, it is selecting a sk for the
6528 * the received SYN in the TCP case). reuse->sk is one of the sk
6529 * in the reuseport group. The bpf prog can use reuse->sk to learn
6532 * When reuse->migrating_sk is not NULL, reuse->sk is closed and
6533 * reuse->migrating_sk is the socket that needs to be migrated
6535 * sk that is fully established or a reqsk that is in-the-middle
6536 * of 3-way handshake.
6741 __u32 user_family; /* Allows 4-byte read, but no write. */
6742 __u32 user_ip4; /* Allows 1,2,4-byte read and 4-byte write.
6745 __u32 user_ip6[4]; /* Allows 1,2,4,8-byte read and 4,8-byte write.
6748 __u32 user_port; /* Allows 1,2,4-byte read and 4-byte write.
6751 __u32 family; /* Allows 4-byte read, but no write */
6752 __u32 type; /* Allows 4-byte read, but no write */
6753 __u32 protocol; /* Allows 4-byte read, but no write */
6754 __u32 msg_src_ip4; /* Allows 1,2,4-byte read and 4-byte write.
6757 __u32 msg_src_ip6[4]; /* Allows 1,2,4,8-byte read and 4,8-byte write.
6815 * BPF_SOCK_OPS_PARSE_HDR_OPT_CB: The packet received
6829 __u32 skb_len; /* The total length of a packet.
6853 * called under sock_ops->op == BPF_SOCK_OPS_PARSE_HDR_OPT_CB
6861 * mode and required the active side to resend the bpf-written
6862 * options. The active side can keep writing the bpf-options until
6863 * it received a valid packet from the server side to confirm
6864 * the earlier packet (and options) has been received. The later
6873 * sock_ops->op == BPF_SOCK_OPS_PARSE_HDR_OPT_CB.
6881 * outgoing packet. The bpf prog will first be called
6883 * sock_ops->op == BPF_SOCK_OPS_HDR_OPT_LEN_CB. Then
6885 * under sock_ops->op == BPF_SOCK_OPS_WRITE_HDR_OPT_CB.
6904 BPF_SOCK_OPS_TIMEOUT_INIT, /* Should return SYN-RTO value to use or
6905 * -1 if default value should be used
6908 * window (in packets) or -1 if default
6960 * sock_ops->skb_data:
6974 * sock_ops->skb_data:
6978 * sock_ops->skb_tcp_flags:
6989 * sock_ops->skb_data:
6994 * earlier bpf-progs.
6996 * sock_ops->skb_tcp_flags:
7009 * earlier bpf-progs.
7046 * syn packet from:
7048 * 1. the just-received SYN packet (only available when writing the
7050 * save the SYN packet for later use. It is also the only way
7052 * packet cannot be saved during syncookie.
7060 * SYN packet is obtained.
7062 * If the bpf-prog does not need the IP[46] header, the
7063 * bpf-prog can avoid parsing the IP header by using
7064 * TCP_BPF_SYN. Otherwise, the bpf-prog can get both
7068 * -ENOSPC: Not enough space in optval. Only optlen number of
7070 * -ENOENT: The SYN skb is not available now and the earlier SYN pkt
7143 BPF_FIB_LKUP_RET_NOT_FWDED, /* packet is not forwarded */
7157 /* set if lookup is to consider L4 data - e.g., FIB rules */
7164 __u16 tot_len; /* L3 length from network hdr (iph->tot_len) */
7217 /* 2 4-byte holes for input */
7246 BPF_MTU_CHK_RET_SEGS_TOOBIG, /* GSO re-segmentation needed to fwd */
7342 * Allows 1,2,4-byte read, but no write.
7345 * Allows 1,2,4-byte read and 4-byte write.
7369 __u64 cookie; /* Non-zero if socket was selected in PROG_TEST_RUN */
7387 * via the bpf_snprintf_btf() helper described above. A flags field -
7389 * (rather than its mode of display) - is included for future use.
7390 * Display flags - BTF_F_* - are passed to bpf_snprintf_btf separately.
7400 * - BTF_F_COMPACT: no formatting around type information
7401 * - BTF_F_NONAME: no struct/union member names/types
7402 * - BTF_F_PTR_RAW: show raw (unobfuscated) pointer values;
7404 * - BTF_F_ZERO: show zero-valued struct/union members; they
7422 BPF_CORE_FIELD_SIGNED = 3, /* field signedness (0 - unsigned, 1 - signed) */
7423 BPF_CORE_FIELD_LSHIFT_U64 = 4, /* bitfield-specific left bitshift */
7424 BPF_CORE_FIELD_RSHIFT_U64 = 5, /* bitfield-specific right bitshift */
7438 * CO-RE relocation captures the following data:
7439 * - insn_off - instruction offset (in bytes) within a BPF program that needs
7440 * its insn->imm field to be relocated with actual field info;
7441 * - type_id - BTF type ID of the "root" (containing) entity of a relocatable
7443 * - access_str_off - offset into corresponding .BTF string section. String
7445 * - for field-based relocations, string encodes an accessed field using
7449 * - for type-based relocations, string is expected to be just "0";
7450 * - for enum value-based relocations, string contains an index of enum
7452 * - kind - one of enum bpf_core_relo_kind;
7463 * int *x = &s->a; // encoded as "0:0" (a is field #0)
7464 * int *y = &s->b[5]; // encoded as "0:1:0:5" (anon struct is field #1,
7466 * int *z = &s[10]->b; // encoded as "10:1" (ptr is used as an array)
7472 * Clang built-in, passing expression that captures field address, e.g.:
7475 * __builtin_preserve_access_index(&src->a.b.c));
7480 * [0] https://llvm.org/docs/LangRef.html#getelementptr-instruction
7491 * - BPF_F_TIMER_ABS: Timeout passed is absolute time, by default it is
7493 * - BPF_F_TIMER_CPU_PIN: Timer will be pinned to the CPU of the caller.