eBPF for Windows: include/ebpf_structs.h File Reference

This file contains eBPF definitions common to eBPF programs, the core execution engine, and the eBPF API library.

Data Structures

struct  _ebpf_map_definition_in_memory
 eBPF Map Definition as it is stored in memory.
 
struct  _ebpf_map_definition_in_file
 eBPF Map Definition as it appears in the maps section of an ELF file.
 
struct  bpf_link_info
 eBPF link information. This structure can be retrieved by calling bpf_obj_get_info_by_fd on a link fd.
 
struct  bpf_map_info
 eBPF map information. This structure can be retrieved by calling bpf_obj_get_info_by_fd on a map fd.
 
struct  bpf_prog_info
 eBPF program information. This structure can be retrieved by calling bpf_obj_get_info_by_fd on a program fd.
 

Macros

#define MAX_TAIL_CALL_CNT   33
 
#define BPF_ENUM_TO_STRING(X)   #X
 
#define BPF_MAP_TYPE_PER_CPU(X)
 
#define EBPF_ID_NONE   0
 
#define XDP_FLAGS_REPLACE   0x01
 
#define BPF_OBJ_NAME_LEN   64
 
#define BPF_ANY   0x0
 
#define BPF_NOEXIST   0x1
 
#define BPF_EXIST   0x2
 
#define EBPF_MAP_FLAG_INDEX_MASK   0xffffffffULL
 
#define EBPF_MAP_FLAG_INDEX_SHIFT   0
 
#define EBPF_MAP_FLAG_CURRENT_CPU   EBPF_MAP_FLAG_INDEX_MASK
 
#define EBPF_MAP_FLAG_CTX_LENGTH_SHIFT   32
 
#define EBPF_MAP_FLAG_CTX_LENGTH_MAX   (0xfffffULL)
 
#define EBPF_MAP_FLAG_CTX_LENGTH_MASK   (EBPF_MAP_FLAG_CTX_LENGTH_MAX << EBPF_MAP_FLAG_CTX_LENGTH_SHIFT)
 

Typedefs

typedef enum bpf_map_type ebpf_map_type_t
 
typedef enum ebpf_map_option ebpf_map_option_t
 
typedef enum ebpf_pin_type ebpf_pin_type_t
 Pinning type for eBPF objects. The values should match the LIBBPF_PIN_* pin types defined in libbpf.
 
typedef uint32_t ebpf_id_t
 
typedef struct _ebpf_map_definition_in_memory ebpf_map_definition_in_memory_t
 eBPF Map Definition as it is stored in memory.
 
typedef struct _ebpf_map_definition_in_file ebpf_map_definition_in_file_t
 eBPF Map Definition as it appears in the maps section of an ELF file.
 
typedef enum bpf_prog_type bpf_prog_type_t
 
typedef enum bpf_attach_type bpf_attach_type_t
 
typedef ebpf_extension_header_t ebpf_native_module_header_t
 Header of an eBPF native module data structure. Every eBPF native module data structure must start with this header, except for structs that require a specific number of starting bytes to be zero; in those, the header must be placed after the required zero starting bytes. New fields can be added to the end of the data structure without breaking backward compatibility. The version field must be updated only if the new data structure is not backward compatible.
 

Enumerations

enum  bpf_map_type {
  BPF_MAP_TYPE_UNSPEC = 0 , BPF_MAP_TYPE_HASH = 1 , BPF_MAP_TYPE_ARRAY = 2 , BPF_MAP_TYPE_PROG_ARRAY ,
  BPF_MAP_TYPE_PERCPU_HASH = 4 , BPF_MAP_TYPE_PERCPU_ARRAY = 5 , BPF_MAP_TYPE_HASH_OF_MAPS = 6 , BPF_MAP_TYPE_ARRAY_OF_MAPS = 7 ,
  BPF_MAP_TYPE_LRU_HASH = 8 , BPF_MAP_TYPE_LPM_TRIE = 9 , BPF_MAP_TYPE_QUEUE = 10 , BPF_MAP_TYPE_LRU_PERCPU_HASH = 11 ,
  BPF_MAP_TYPE_STACK = 12 , BPF_MAP_TYPE_RINGBUF = 13 , BPF_MAP_TYPE_PERF_EVENT_ARRAY = 14
}
 
enum  ebpf_map_option { EBPF_ANY , EBPF_NOEXIST , EBPF_EXIST }
 
enum  ebpf_pin_type { LIBBPF_PIN_NONE = 0 , LIBBPF_PIN_BY_NAME }
 Pinning type for eBPF objects. The values should match the LIBBPF_PIN_* pin types defined in libbpf.
 
enum  ebpf_helper_id_t {
  BPF_FUNC_map_lookup_elem = 1 , BPF_FUNC_map_update_elem = 2 , BPF_FUNC_map_delete_elem = 3 , BPF_FUNC_map_lookup_and_delete_elem = 4 ,
  BPF_FUNC_tail_call = 5 , BPF_FUNC_get_prandom_u32 = 6 , BPF_FUNC_ktime_get_boot_ns = 7 , BPF_FUNC_get_smp_processor_id = 8 ,
  BPF_FUNC_ktime_get_ns = 9 , BPF_FUNC_csum_diff = 10 , BPF_FUNC_ringbuf_output = 11 , BPF_FUNC_trace_printk2 = 12 ,
  BPF_FUNC_trace_printk3 = 13 , BPF_FUNC_trace_printk4 = 14 , BPF_FUNC_trace_printk5 = 15 , BPF_FUNC_map_push_elem = 16 ,
  BPF_FUNC_map_pop_elem = 17 , BPF_FUNC_map_peek_elem = 18 , BPF_FUNC_get_current_pid_tgid = 19 , BPF_FUNC_get_current_logon_id = 20 ,
  BPF_FUNC_is_current_admin = 21 , BPF_FUNC_memcpy_s = 22 , BPF_FUNC_memcmp_s = 23 , BPF_FUNC_memset = 24 ,
  BPF_FUNC_memmove_s = 25 , BPF_FUNC_get_socket_cookie = 26 , BPF_FUNC_strncpy_s = 27 , BPF_FUNC_strncat_s = 28 ,
  BPF_FUNC_strnlen_s = 29 , BPF_FUNC_ktime_get_boot_ms = 30 , BPF_FUNC_ktime_get_ms = 31 , BPF_FUNC_perf_event_output = 32 ,
  BPF_FUNC_get_current_process_start_key = 33 , BPF_FUNC_get_current_thread_create_time = 34
}
 
enum  bpf_prog_type {
  BPF_PROG_TYPE_UNSPEC , BPF_PROG_TYPE_XDP , BPF_PROG_TYPE_BIND , BPF_PROG_TYPE_CGROUP_SOCK_ADDR ,
  BPF_PROG_TYPE_SOCK_OPS , BPF_PROG_TYPE_NETEVENT , BPF_PROG_TYPE_PROCESS , BPF_PROG_TYPE_SAMPLE = 999
}
 
enum  bpf_link_type {
  BPF_LINK_TYPE_UNSPEC , BPF_LINK_TYPE_PLAIN , BPF_LINK_TYPE_CGROUP , BPF_LINK_TYPE_XDP ,
  BPF_LINK_TYPE_MAX
}
 
enum  bpf_attach_type {
  BPF_ATTACH_TYPE_UNSPEC , BPF_XDP , BPF_ATTACH_TYPE_BIND , BPF_CGROUP_INET4_CONNECT ,
  BPF_CGROUP_INET6_CONNECT , BPF_CGROUP_INET4_RECV_ACCEPT , BPF_CGROUP_INET6_RECV_ACCEPT , BPF_CGROUP_SOCK_OPS ,
  BPF_ATTACH_TYPE_SAMPLE , BPF_ATTACH_TYPE_NETEVENT = 10 , BPF_ATTACH_TYPE_PROCESS = 11 , __MAX_BPF_ATTACH_TYPE
}
 

◆ BPF_ANY

◆ BPF_ENUM_TO_STRING

#define BPF_ENUM_TO_STRING(X)   #X

◆ BPF_EXIST

◆ BPF_MAP_TYPE_PER_CPU

#define BPF_MAP_TYPE_PER_CPU(X)

Value: the macro body refers to these map types:

BPF_MAP_TYPE_PERF_EVENT_ARRAY: Perf event array. Definition: ebpf_structs.h:34

BPF_MAP_TYPE_PERCPU_ARRAY: Per-CPU array. Definition: ebpf_structs.h:25

BPF_MAP_TYPE_LRU_PERCPU_HASH: Per-CPU least-recently-used hash table. Definition: ebpf_structs.h:31

BPF_MAP_TYPE_PERCPU_HASH: Per-CPU hash table. Definition: ebpf_structs.h:24

◆ BPF_NOEXIST

◆ BPF_OBJ_NAME_LEN

#define BPF_OBJ_NAME_LEN   64

◆ EBPF_ID_NONE

◆ EBPF_MAP_FLAG_CTX_LENGTH_MASK

◆ EBPF_MAP_FLAG_CTX_LENGTH_MAX

#define EBPF_MAP_FLAG_CTX_LENGTH_MAX   (0xfffffULL)

◆ EBPF_MAP_FLAG_CTX_LENGTH_SHIFT

#define EBPF_MAP_FLAG_CTX_LENGTH_SHIFT   32

◆ EBPF_MAP_FLAG_CURRENT_CPU

◆ EBPF_MAP_FLAG_INDEX_MASK

#define EBPF_MAP_FLAG_INDEX_MASK   0xffffffffULL

◆ EBPF_MAP_FLAG_INDEX_SHIFT

#define EBPF_MAP_FLAG_INDEX_SHIFT   0

◆ MAX_TAIL_CALL_CNT

#define MAX_TAIL_CALL_CNT   33

◆ XDP_FLAGS_REPLACE

#define XDP_FLAGS_REPLACE   0x01

◆ bpf_attach_type_t

◆ bpf_prog_type_t

◆ ebpf_id_t

◆ ebpf_map_definition_in_file_t

eBPF Map Definition as it appears in the maps section of an ELF file.

◆ ebpf_map_definition_in_memory_t

eBPF Map Definition as it is stored in memory.

◆ ebpf_map_option_t

◆ ebpf_map_type_t

◆ ebpf_native_module_header_t

Header of an eBPF native module data structure. Every eBPF native module data structure must start with this header, except for structs that require a specific number of starting bytes to be zero; in those, the header must be placed after the required zero starting bytes. New fields can be added to the end of the data structure without breaking backward compatibility. The version field must be updated only if the new data structure is not backward compatible.

◆ ebpf_pin_type_t

Pinning type for eBPF objects. The values should match the LIBBPF_PIN_* pin types defined in libbpf.

◆ bpf_attach_type

Enumerator
BPF_ATTACH_TYPE_UNSPEC 

Unspecified attach type.

BPF_XDP 

Attach type for handling incoming packets as early as possible.

Program type: BPF_PROG_TYPE_XDP

BPF_ATTACH_TYPE_BIND 

Attach type for handling socket bind() requests.

Program type: BPF_PROG_TYPE_BIND

BPF_CGROUP_INET4_CONNECT 

Attach type for handling IPv4 TCP connect() or UDP send to a unique remote address/port tuple.

Program type: BPF_PROG_TYPE_CGROUP_SOCK_ADDR

BPF_CGROUP_INET6_CONNECT 

Attach type for handling IPv6 TCP connect() or UDP send to a unique remote address/port tuple.

Program type: BPF_PROG_TYPE_CGROUP_SOCK_ADDR

BPF_CGROUP_INET4_RECV_ACCEPT 

Attach type for handling IPv4 TCP accept() or on receiving the first unicast UDP packet from a unique remote address/port tuple.

Program type: BPF_PROG_TYPE_CGROUP_SOCK_ADDR

BPF_CGROUP_INET6_RECV_ACCEPT 

Attach type for handling IPv6 TCP accept() or on receiving the first unicast UDP packet from a unique remote address/port tuple.

Program type: BPF_PROG_TYPE_CGROUP_SOCK_ADDR

BPF_CGROUP_SOCK_OPS 

Attach type for handling various socket event notifications.

Program type: BPF_PROG_TYPE_SOCK_OPS

BPF_ATTACH_TYPE_SAMPLE 

Attach type implemented by eBPF Sample Extension driver, used for testing.

Program type: BPF_PROG_TYPE_SAMPLE

BPF_ATTACH_TYPE_NETEVENT 

Attach type for handling netevents.

Program type: BPF_PROG_TYPE_NETEVENT

BPF_ATTACH_TYPE_PROCESS 

Attach type for handling process creation/deletion events.

Program type: BPF_PROG_TYPE_PROCESS

__MAX_BPF_ATTACH_TYPE 

◆ bpf_link_type

Enumerator
BPF_LINK_TYPE_UNSPEC 

Unspecified link type.

BPF_LINK_TYPE_PLAIN 

No union members are used in bpf_link_info.

BPF_LINK_TYPE_CGROUP 

cgroup struct is present in bpf_link_info.

BPF_LINK_TYPE_XDP 

xdp struct is present in bpf_link_info.

BPF_LINK_TYPE_MAX 

◆ bpf_map_type

Enumerator
BPF_MAP_TYPE_UNSPEC 

Unspecified map type.

BPF_MAP_TYPE_HASH 

Hash table.

BPF_MAP_TYPE_ARRAY 

Array, where the map key is the array index.

BPF_MAP_TYPE_PROG_ARRAY 

Array of program fds usable with bpf_tail_call, where the map key is the array index.

BPF_MAP_TYPE_PERCPU_HASH 

Per-CPU hash table.

BPF_MAP_TYPE_PERCPU_ARRAY 

Per-CPU array.

BPF_MAP_TYPE_HASH_OF_MAPS 

Hash table, where the map value is another map.

BPF_MAP_TYPE_ARRAY_OF_MAPS 

Array, where the map value is another map.

BPF_MAP_TYPE_LRU_HASH 

Least-recently-used hash table.

BPF_MAP_TYPE_LPM_TRIE 

Longest prefix match trie.

BPF_MAP_TYPE_QUEUE 

Queue.

BPF_MAP_TYPE_LRU_PERCPU_HASH 

Per-CPU least-recently-used hash table.

BPF_MAP_TYPE_STACK 

Stack.

BPF_MAP_TYPE_RINGBUF 

Ring buffer.

BPF_MAP_TYPE_PERF_EVENT_ARRAY 

Perf event array.

◆ bpf_prog_type

Enumerator
BPF_PROG_TYPE_UNSPEC 

Unspecified program type.

BPF_PROG_TYPE_XDP 

Program type for handling incoming packets as early as possible.

eBPF program prototype: xdp_hook_t

Attach type(s): BPF_XDP

Helpers available: all helpers defined in bpf_helpers.h

BPF_PROG_TYPE_BIND 

Program type for handling socket bind() requests.

eBPF program prototype: bind_hook_t

Attach type(s): BPF_ATTACH_TYPE_BIND

Helpers available: all helpers defined in bpf_helpers.h

BPF_PROG_TYPE_CGROUP_SOCK_ADDR 

Program type for handling various socket operations such as connect() and accept().

eBPF program prototype: sock_addr_hook_t

Attach type(s): BPF_CGROUP_INET4_CONNECT, BPF_CGROUP_INET6_CONNECT, BPF_CGROUP_INET4_RECV_ACCEPT, BPF_CGROUP_INET6_RECV_ACCEPT

Helpers available: all helpers defined in bpf_helpers.h

BPF_PROG_TYPE_SOCK_OPS 

Program type for handling various socket event notifications, such as connection established.

eBPF program prototype: sock_ops_hook_t

Attach type(s): BPF_CGROUP_SOCK_OPS

Helpers available: all helpers defined in bpf_helpers.h

BPF_PROG_TYPE_NETEVENT 

Program type for handling netevents. The GitHub repo microsoft/ntosebpfext has the implementation for this program type.

eBPF program prototype: netevent_event_hook_t

Attach type(s): BPF_ATTACH_TYPE_NETEVENT

Helpers available: all helpers defined in bpf_helpers.h

BPF_PROG_TYPE_PROCESS 

Program type for handling process creation/deletion events. The GitHub repo microsoft/ntosebpfext has the implementation for this program type.

eBPF program prototype: sock_ops_hook_t

Attach type(s): BPF_ATTACH_TYPE_PROCESS

Helpers available: all helpers defined in bpf_helpers.h

BPF_PROG_TYPE_SAMPLE 

Program type for handling calls from the eBPF sample extension. Used for testing.

eBPF program prototype: see the eBPF sample extension.

Attach type(s): BPF_ATTACH_TYPE_SAMPLE

◆ ebpf_helper_id_t

◆ ebpf_map_option

Enumerator
EBPF_ANY 

Create a new element or update an existing element.

EBPF_NOEXIST 

Create a new element only when it does not exist.

EBPF_EXIST 

Update an existing element.

◆ ebpf_pin_type

Pinning type for eBPF objects. The values should match the LIBBPF_PIN_* pin types defined in libbpf.

Enumerator
LIBBPF_PIN_NONE 

Object is not pinned.

LIBBPF_PIN_BY_NAME 

Pinning with a global namespace.