mirror of https://github.com/mkerrisk/man-pages
bpf.2: srcfix: wrap source lines at sentence breaks
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
parent
cc7ac21d25
commit
9a5215bfad
71
man2/bpf.2
71
man2/bpf.2
|
@ -35,9 +35,10 @@ bpf - perform a command on an extended BPF map or program
|
|||
.BR bpf()
|
||||
syscall is a multiplexor for a range of different operations on extended
|
||||
Berkeley Packet Filter which can be characterized as
|
||||
"universal in-kernel virtual machine". The extended BPF (or eBPF) is similar to
|
||||
the original BPF (or classic BPF) used to filter network packets. Both
|
||||
statically analyze the programs before loading them into the kernel to
|
||||
"universal in-kernel virtual machine".
|
||||
The extended BPF (or eBPF) is similar to
|
||||
the original BPF (or classic BPF) used to filter network packets.
|
||||
Both statically analyze the programs before loading them into the kernel to
|
||||
ensure that they cannot harm the running system.
|
||||
.P
|
||||
eBPF extends classic BPF in multiple ways including the ability to call
|
||||
|
@ -54,15 +55,19 @@ BPF programs can access maps from inside the kernel in parallel.
|
|||
It's up to the user process and BPF program to decide what they store
|
||||
inside maps.
|
||||
.P
|
||||
BPF programs are similar to kernel modules. They are loaded by the user
|
||||
BPF programs are similar to kernel modules.
|
||||
They are loaded by the user
|
||||
process and automatically unloaded when the process exits.
|
||||
Each BPF program is a set of instructions that is safe to run until
|
||||
its completion. The BPF verifier statically determines that the program
|
||||
terminates and is safe to execute. During
|
||||
verification the program takes hold of maps that it intends to use,
|
||||
so selected maps cannot be removed until the program is unloaded. The program
|
||||
can be attached to different events. These events can be packets, tracing
|
||||
events and other types that may be added in the future. A new event triggers
|
||||
its completion.
|
||||
The BPF verifier statically determines that the program
|
||||
terminates and is safe to execute.
|
||||
During verification the program takes hold of maps that it intends to use,
|
||||
so selected maps cannot be removed until the program is unloaded.
|
||||
The program can be attached to different events.
|
||||
These events can be packets, tracing
|
||||
events and other types that may be added in the future.
|
||||
A new event triggers
|
||||
execution of the program which may store information about the event in the maps.
|
||||
Beyond storing data the programs may call into in-kernel helper functions.
|
||||
The same program can be attached to multiple events and different programs can
|
||||
|
@ -149,7 +154,8 @@ Any map type has the following attributes:
|
|||
. value size in bytes
|
||||
|
||||
The following wrapper functions demonstrate how this syscall can be used to
|
||||
access the maps. The functions use the
|
||||
access the maps.
|
||||
The functions use the
|
||||
.IR cmd
|
||||
argument to invoke different operations.
|
||||
.TP
|
||||
|
@ -172,7 +178,8 @@ bpf() syscall creates a map of
|
|||
.I map_type
|
||||
type and given attributes
|
||||
.I key_size, value_size, max_entries.
|
||||
On success it returns a process-local file descriptor. On error, \-1 is returned and
|
||||
On success it returns a process-local file descriptor.
|
||||
On error, \-1 is returned and
|
||||
.I errno
|
||||
is set to EINVAL or EPERM or ENOMEM.
|
||||
|
||||
|
@ -216,7 +223,8 @@ enum bpf_map_type {
|
|||
};
|
||||
.fi
|
||||
.I map_type
|
||||
selects one of the available map implementations in the kernel. For all map_types
|
||||
selects one of the available map implementations in the kernel.
|
||||
For all map_types
|
||||
programs access maps with the same bpf_map_lookup_elem()/bpf_map_update_elem()
|
||||
helper functions.
|
||||
.TP
|
||||
|
@ -300,7 +308,8 @@ The call deletes an element in a map
|
|||
.I fd
|
||||
with a given
|
||||
.I key.
|
||||
Returns zero on success. If the element is not found it returns \-1 and sets
|
||||
Returns zero on success.
|
||||
If the element is not found it returns \-1 and sets
|
||||
.I errno
|
||||
to ENOENT.
|
||||
.TP
|
||||
|
@ -333,7 +342,8 @@ If
|
|||
.I key
|
||||
is the last element, it returns \-1 and sets
|
||||
.I errno
|
||||
to ENOENT. Other possible
|
||||
to ENOENT.
|
||||
Other possible
|
||||
.I errno
|
||||
values are ENOMEM, EFAULT, EPERM and EINVAL.
|
||||
This method can be used to iterate over all elements in the map.
|
||||
|
@ -404,10 +414,11 @@ bpf_map_update_elem(map_fd, void *key, void *value) // update key/value
|
|||
bpf_map_delete_elem(map_fd, void *key) // delete key in a map_fd
|
||||
.fi
|
||||
|
||||
and bpf_context is a pointer to 'struct sk_buff'. Programs cannot
|
||||
access fields of 'sk_buff' directly.
|
||||
and bpf_context is a pointer to 'struct sk_buff'.
|
||||
Programs cannot access fields of 'sk_buff' directly.
|
||||
|
||||
More program types may be added in the future. Like
|
||||
More program types may be added in the future.
|
||||
Like
|
||||
.B BPF_PROG_TYPE_KPROBE
|
||||
and bpf_context for it may be defined as a pointer to 'struct pt_regs'.
|
||||
|
||||
|
@ -423,19 +434,22 @@ marked gpl_only.
|
|||
|
||||
.B log_buf
|
||||
user supplied buffer that the in-kernel verifier is using to store the
|
||||
verification log. This log is a multi-line string that can be checked by
|
||||
verification log.
|
||||
This log is a multi-line string that can be checked by
|
||||
the program author in order to understand how the verifier came to
|
||||
the conclusion that the BPF program is unsafe.
|
||||
The format of the output can change at any time as the verifier evolves.
|
||||
|
||||
.B log_size
|
||||
size of user buffer. If the size of the buffer is not large enough to store all
|
||||
size of user buffer.
|
||||
If the size of the buffer is not large enough to store all
|
||||
verifier messages, \-1 is returned and
|
||||
.I errno
|
||||
is set to ENOSPC.
|
||||
|
||||
.B log_level
|
||||
verbosity level of the verifier. A value of zero means that the verifier will
|
||||
verbosity level of the verifier.
|
||||
A value of zero means that the verifier will
|
||||
not provide a log.
|
||||
|
||||
.TP
|
||||
|
@ -445,13 +459,16 @@ will unload the BPF program.
|
|||
The maps are accessible from programs and used to exchange data between
|
||||
programs and between them and user space.
|
||||
Programs process various events (like kprobe, packets) and
|
||||
store their data into maps. User space fetches data from the maps.
|
||||
store their data into maps.
|
||||
User space fetches data from the maps.
|
||||
Either the same or a different map may be used by user space as a configuration
|
||||
space to alter program behavior on the fly.
|
||||
.SS Events
|
||||
.P
|
||||
Once a program is loaded, it can be attached to an event. Various kernel
|
||||
subsystems have different ways to do so. For example:
|
||||
Once a program is loaded, it can be attached to an event.
|
||||
Various kernel
|
||||
subsystems have different ways to do so.
|
||||
For example:
|
||||
|
||||
.nf
|
||||
setsockopt(sock, SOL_SOCKET, SO_ATTACH_BPF, &prog_fd, sizeof(prog_fd));
|
||||
|
@ -590,7 +607,8 @@ are not set to zero.
|
|||
.B EINVAL
|
||||
For
|
||||
.BR BPF_PROG_LOAD,
|
||||
indicates an attempt to load an invalid program. BPF programs can be deemed
|
||||
indicates an attempt to load an invalid program.
|
||||
BPF programs can be deemed
|
||||
invalid due to unrecognized instructions, the use of reserved fields, jumps
|
||||
out of range, infinite loops or calls of unknown functions.
|
||||
.TP
|
||||
|
@ -598,7 +616,8 @@ out of range, infinite loops or calls of unknown functions.
|
|||
For
|
||||
.BR BPF_PROG_LOAD,
|
||||
even though all program instructions are valid, the program has been
|
||||
rejected because it was deemed unsafe. This may be because it may have
|
||||
rejected because it was deemed unsafe.
|
||||
This may be because it may have
|
||||
accessed a disallowed memory region or an uninitialized stack/register or
|
||||
because the function contraints don't match the actual types or because
|
||||
there was a misaligned memory access.
|
||||
|
|
Loading…
Reference in New Issue