LDP
/
man-pages
mirror of https://github.com/mkerrisk/man-pages
0
1
Fork 0
Code Releases Activity

bpf.2: srcfix: wrap source lines at sentence breaks 

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
Michael Kerrisk 2015-05-24 12:00:38 +02:00
parent cc7ac21d25
commit 9a5215bfad
1 changed files with 45 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
man2/bpf.2
View File

@ -35,9 +35,10 @@ bpf - perform a command on an extended BPF map or program
.BR bpf()
syscall is a multiplexor for a range of different operations on extended
Berkeley Packet Filter which can be characterized as
"universal in-kernel virtual machine". The extended BPF (or eBPF) is similar to
the original BPF (or classic BPF) used to filter network packets. Both
statically analyze the programs before loading them into the kernel to
"universal in-kernel virtual machine".
The extended BPF (or eBPF) is similar to
the original BPF (or classic BPF) used to filter network packets.
Both statically analyze the programs before loading them into the kernel to
ensure that they cannot harm the running system.
.P
eBPF extends classic BPF in multiple ways including the ability to call
@ -54,15 +55,19 @@ BPF programs can access maps from inside the kernel in parallel.
It's up to the user process and BPF program to decide what they store
inside maps.
.P
BPF programs are similar to kernel modules. They are loaded by the user
BPF programs are similar to kernel modules.
They are loaded by the user
process and automatically unloaded when the process exits.
Each BPF program is a set of instructions that is safe to run until
its completion. The BPF verifier statically determines that the program
terminates and is safe to execute. During
verification the program takes hold of maps that it intends to use,
so selected maps cannot be removed until the program is unloaded. The program
can be attached to different events. These events can be packets, tracing
events and other types that may be added in the future. A new event triggers
its completion.
The BPF verifier statically determines that the program
terminates and is safe to execute.
During verification the program takes hold of maps that it intends to use,
so selected maps cannot be removed until the program is unloaded.
The program can be attached to different events.
These events can be packets, tracing
events and other types that may be added in the future.
A new event triggers
execution of the program which may store information about the event in the maps.
Beyond storing data the programs may call into in-kernel helper functions.
The same program can be attached to multiple events and different programs can
@ -149,7 +154,8 @@ Any map type has the following attributes:
. value size in bytes
The following wrapper functions demonstrate how this syscall can be used to
access the maps. The functions use the
access the maps.
The functions use the
.IR cmd
argument to invoke different operations.
.TP
@ -172,7 +178,8 @@ bpf() syscall creates a map of
.I map_type
type and given attributes
.I key_size, value_size, max_entries.
On success it returns a process-local file descriptor. On error, \-1 is returned and
On success it returns a process-local file descriptor.
On error, \-1 is returned and
.I errno
is set to EINVAL or EPERM or ENOMEM.
@ -216,7 +223,8 @@ enum bpf_map_type {
};
.fi
.I map_type
selects one of the available map implementations in the kernel. For all map_types
selects one of the available map implementations in the kernel.
For all map_types
programs access maps with the same bpf_map_lookup_elem()/bpf_map_update_elem()
helper functions.
.TP
@ -300,7 +308,8 @@ The call deletes an element in a map
.I fd
with a given
.I key.
Returns zero on success. If the element is not found it returns \-1 and sets
Returns zero on success.
If the element is not found it returns \-1 and sets
.I errno
to ENOENT.
.TP
@ -333,7 +342,8 @@ If
.I key
is the last element, it returns \-1 and sets
.I errno
to ENOENT. Other possible
to ENOENT.
Other possible
.I errno
values are ENOMEM, EFAULT, EPERM and EINVAL.
This method can be used to iterate over all elements in the map.
@ -404,10 +414,11 @@ bpf_map_update_elem(map_fd, void *key, void *value) // update key/value
bpf_map_delete_elem(map_fd, void *key) // delete key in a map_fd
.fi
and bpf_context is a pointer to 'struct sk_buff'. Programs cannot
access fields of 'sk_buff' directly.
and bpf_context is a pointer to 'struct sk_buff'.
Programs cannot access fields of 'sk_buff' directly.
More program types may be added in the future. Like
More program types may be added in the future.
Like
.B BPF_PROG_TYPE_KPROBE
and bpf_context for it may be defined as a pointer to 'struct pt_regs'.
@ -423,19 +434,22 @@ marked gpl_only.
.B log_buf
user supplied buffer that the in-kernel verifier is using to store the
verification log. This log is a multi-line string that can be checked by
verification log.
This log is a multi-line string that can be checked by
the program author in order to understand how the verifier came to
the conclusion that the BPF program is unsafe.
The format of the output can change at any time as the verifier evolves.
.B log_size
size of user buffer. If the size of the buffer is not large enough to store all
size of user buffer.
If the size of the buffer is not large enough to store all
verifier messages, \-1 is returned and
.I errno
is set to ENOSPC.
.B log_level
verbosity level of the verifier. A value of zero means that the verifier will
verbosity level of the verifier.
A value of zero means that the verifier will
not provide a log.
.TP
@ -445,13 +459,16 @@ will unload the BPF program.
The maps are accessible from programs and used to exchange data between
programs and between them and user space.
Programs process various events (like kprobe, packets) and
store their data into maps. User space fetches data from the maps.
store their data into maps.
User space fetches data from the maps.
Either the same or a different map may be used by user space as a configuration
space to alter program behavior on the fly.
.SS Events
.P
Once a program is loaded, it can be attached to an event. Various kernel
subsystems have different ways to do so. For example:
Once a program is loaded, it can be attached to an event.
Various kernel
subsystems have different ways to do so.
For example:
.nf
setsockopt(sock, SOL_SOCKET, SO_ATTACH_BPF, &prog_fd, sizeof(prog_fd));
@ -590,7 +607,8 @@ are not set to zero.
.B EINVAL
For
.BR BPF_PROG_LOAD,
indicates an attempt to load an invalid program. BPF programs can be deemed
indicates an attempt to load an invalid program.
BPF programs can be deemed
invalid due to unrecognized instructions, the use of reserved fields, jumps
out of range, infinite loops or calls of unknown functions.
.TP
@ -598,7 +616,8 @@ out of range, infinite loops or calls of unknown functions.
For
.BR BPF_PROG_LOAD,
even though all program instructions are valid, the program has been
rejected because it was deemed unsafe. This may be because it may have
rejected because it was deemed unsafe.
This may be because it may have
accessed a disallowed memory region or an uninitialized stack/register or
because the function contraints don't match the actual types or because
there was a misaligned memory access.