### AttachFreplace Examples (Go)

Source: https://pkg.go.dev/github.com/cilium/ebpf/link

Illustrative examples of using the AttachFreplace function. These examples demonstrate how to provide the target program and name either directly or by relying on program load time settings.

```go
AttachFreplace(dispatcher, "function", replacement)
AttachFreplace(nil, "", replacement)
```

--------------------------------

### Run eBPF Examples

Source: https://pkg.go.dev/github.com/cilium/ebpf/examples%40v0.10.0

Instructions for executing the compiled eBPF example binaries. Requires root privileges via sudo as eBPF programs interact with kernel internals.

```bash
cd ebpf/examples/
go run -exec sudo [./kprobe, ./uretprobe, ./ringbuffer, ...]
```

--------------------------------

### Run eBPF Examples with Go

Source: https://pkg.go.dev/github.com/cilium/ebpf/examples

This command demonstrates how to run the eBPF examples using the `go run` command with `sudo` privileges. It allows executing various eBPF programs like kprobe, uretprobe, and ringbuffer.

```bash
cd ebpf/examples/
go run -exec sudo [./kprobe, ./uretprobe, ./ringbuffer, ...]
```

--------------------------------

### Kprobe Example with Per-CPU Array Map

Source: https://pkg.go.dev/github.com/cilium/ebpf/examples

This example showcases the use of a `BPF_MAP_TYPE_PERCPU_ARRAY` map with kprobes. Per-CPU maps are efficient for collecting data that is specific to each CPU core, reducing contention and improving performance.

```go
// Example for kprobe using a per-CPU array map
// ... (actual code would be here)
```

--------------------------------

### Recompile eBPF Examples with Make

Source: https://pkg.go.dev/github.com/cilium/ebpf/examples

This command shows how to recompile the eBPF examples using the `make` utility. It navigates to the parent directory and executes the make command, which is typically used for building C/C++ code and related assets.

```bash
make -C ..
```

--------------------------------

### Kprobe Example using bpf2go

Source: https://pkg.go.dev/github.com/cilium/ebpf/examples

This example demonstrates attaching an eBPF program to the entry or exit of an arbitrary kernel symbol (function) using kprobes and the bpf2go tool. bpf2go simplifies the process of compiling eBPF programs written in C and loading them into the kernel from Go.

```go
// Example for kprobe using bpf2go
// ... (actual code would be here)
```

--------------------------------

### Uretprobe Example using bpf2go

Source: https://pkg.go.dev/github.com/cilium/ebpf/examples

This example demonstrates using uretprobes with bpf2go. Uretprobes are used to trace the return of functions in userspace programs. bpf2go simplifies the integration of eBPF programs written in C into Go applications.

```go
// Example for uretprobe using bpf2go
// ... (actual code would be here)
```

--------------------------------

### Tracepoint Example using bpf2go

Source: https://pkg.go.dev/github.com/cilium/ebpf/examples

This example shows how to attach an eBPF program to kernel tracepoints using bpf2go. Tracepoints are predefined points in the kernel code that can be used for debugging and performance analysis.

```go
// Example for tracepoint using bpf2go
// ... (actual code would be here)
```

--------------------------------

### Retrieve Full Verifier Log Example (Go)

Source: https://pkg.go.dev/github.com/cilium/ebpf

An example demonstrating how to retrieve the full verifier log when loading a program fails. This is crucial for diagnosing issues during program loading.

```go
// Example (RetrieveFullLog)
// Print the full verifier log when loading a program fails.
```

--------------------------------

### Recompile eBPF Examples

Source: https://pkg.go.dev/github.com/cilium/ebpf/examples%40v0.10.0

Command to trigger the build process for the examples. This utilizes the project's Makefile to invoke go generate for BPF object compilation.

```bash
make -C ../
```

--------------------------------

### Kprobe Example with Pinned Map

Source: https://pkg.go.dev/github.com/cilium/ebpf/examples

This kprobe example demonstrates reusing a pinned map. It assumes the eBPF File System (BPF FS) is mounted at `/sys/fs/bpf`. Pinned maps allow persistent storage and retrieval of eBPF maps across reboots or program reloads.

```go
// Example for kprobe using a pinned map
// ... (actual code would be here)
```

--------------------------------

### Tracepoint Example using Go Assembler

Source: https://pkg.go.dev/github.com/cilium/ebpf/examples

This example demonstrates attaching an eBPF program to a tracepoint using the `ebpf.NewProgram` API and Go's eBPF assembler. This approach allows writing eBPF programs directly in Go, offering a more integrated development experience.

```go
// Example for tracepoint using Go eBPF assembler
// ... (actual code would be here)
```

--------------------------------

### TCP Connect Example with Fentry

Source: https://pkg.go.dev/github.com/cilium/ebpf/examples

This example uses the fentry mechanism (available in Linux kernel 5.5+) to trace outgoing IPv4 TCP connections. Fentry provides a more performant and user-friendly alternative to kprobes for tracing kernel function entry points.

```go
// Example for tracing TCP connections using fentry
// ... (actual code would be here)
```

--------------------------------

### eBPF Examples: kprobepin, map_in_map, ringbuffer, tcprtt, tcprtt_sockops, tracepoint_in_c, tracepoint_in_go, uretprobe

Source: https://pkg.go.dev/github.com/cilium/ebpf/rlimit?tab=importedby

This snippet covers various eBPF examples including kprobe pinning, map-in-map, ring buffers, TCP RTT measurement, tracepoints in C and Go, and uretprobes. These examples showcase fundamental eBPF programming techniques.

```go
package main

import (
	"log"

	"github.com/cilium/ebpf"
	"github.com/cilium/ebpf/link"
	"github.com/cilium/ebpf/rlimit"
)

// $GOFILE is a collection of eBPF examples.
// This file is generated by go generate.

func main() {
	// Name to identify the eBPF object file.
	const progObjName = "kprobe_prog"

	// Remove the memlock rlimit before loading anything, so that kernels which
	// account BPF memory against RLIMIT_MEMLOCK can create maps and programs.
	if err := rlimit.RemoveMemlock(); err != nil {
		log.Fatal(err)
	}

	// Load the eBPF program. loadMyEbpfProgram is not defined on this page;
	// it stands for the loader that fills objs from the compiled object file.
	objs := make(map[string]*ebpf.Program)
	if err := loadMyEbpfProgram(objs, progObjName); err != nil {
		log.Fatalf("loading eBPF object file: %v", err)
	}
	// A map cannot be passed to close(); close each loaded program instead.
	defer func() {
		for _, p := range objs {
			p.Close()
		}
	}()
	prog := objs[progObjName]

	// Attach the eBPF program to the kernel. sys_enter_openat is a tracepoint
	// in the "syscalls" group, so open a tracepoint link to it.
	tp, err := link.Tracepoint("syscalls", "sys_enter_openat", prog, nil)
	if err != nil {
		log.Fatalf("opening tracepoint: %v", err)
	}
	defer tp.Close()
}
```

--------------------------------

### VerifierLog Formatting Examples (Go)

Source: https://pkg.go.dev/github.com/cilium/ebpf

Demonstrates various formatting flags for VerifierLog, showing how to display specific parts of the verifier output. This is useful for debugging and understanding verifier rejections.

```text
With %s: catastrophe: no space left on device: third (2 line(s) omitted)
All log lines: catastrophe: no space left on device:
	first
	second
	third
First line: catastrophe: no space left on device:
	first
	(2 line(s) omitted)
Last two lines: catastrophe: no space left on device:
	(1 line(s) omitted)
	second
	third
```

--------------------------------

### Ring Buffer Example

Source: https://pkg.go.dev/github.com/cilium/ebpf/examples

This example utilizes a `BPF_MAP_TYPE_RINGBUF` map for communication between the eBPF program and userspace. Ring buffers are a modern and efficient mechanism for sending events from the kernel to userspace applications.

```go
// Example for using a ring buffer map
// ... (actual code would be here)
```

--------------------------------

### XDP Example for Packet Counting

Source: https://pkg.go.dev/github.com/cilium/ebpf/examples

This example demonstrates attaching an eBPF program to a network interface using XDP (eXpress Data Path) to process incoming packets. It specifically prints packet counts categorized by IPv4 source address.

```go
// Example for XDP to count packets by IPv4 source address
// ... (actual code would be here)
```

--------------------------------

### Install and Configure bpf2go

Source: https://pkg.go.dev/github.com/cilium/ebpf/cmd/bpf2go%40v0.21.0

Instructions for adding bpf2go as a tool dependency and invoking it via go generate to compile C files into Go-compatible eBPF bytecode.

```bash
go get -tool github.com/cilium/ebpf/cmd/bpf2go
```

```go
//go:generate go tool bpf2go foo path/to/src.c -- -I/path/to/include
```

--------------------------------

### Cgroup SKB Example

Source: https://pkg.go.dev/github.com/cilium/ebpf/examples

This program demonstrates attaching an eBPF program to a control group (cgroup) to count packets egressing the current cgroup. This is useful for network monitoring and traffic control at the cgroup level.

```go
// Example for cgroup_skb to count egressing packets
// ... (actual code would be here)
```

--------------------------------

### Get System Name (Go)

Source: https://pkg.go.dev/github.com/cilium/ebpf/internal/unix

Retrieves system information, such as the operating system name and version, into a `Utsname` structure.

```go
func Uname(buf *Utsname) (err error)
```

--------------------------------

### Filesystem and Cgroup Helpers

Source: https://pkg.go.dev/github.com/cilium/ebpf/internal/testutils%40v0.16.0

Utilities for interacting with the BPF filesystem, creating temporary cgroups, and performing file globbing. These functions simplify setup and cleanup tasks during testing.

```go
func CreateCgroup(tb testing.TB) *os.File
func GetCgroupIno(t *testing.T, cgroup *os.File) uint64
func Glob(tb testing.TB, pattern string, excludes ...string) []string
func TempBPFFS(tb testing.TB) string
func Files(t *testing.T, files []string, fn func(*testing.T, string))
```

--------------------------------

### Go: Get Windows GUID from eBPF Attach Type

Source: https://pkg.go.dev/github.com/cilium/ebpf/internal/efw

Converts a uint32 representation of an eBPF attach type to its corresponding Windows GUID. This is the inverse operation of EbpfGetBpfAttachType and is used when the eBPF runtime expects a GUID for attach types.

```go
func EbpfGetEbpfAttachType(attachType uint32) (windows.GUID, error)
```

--------------------------------

### Go: Get eBPF Attach Type from GUID

Source: https://pkg.go.dev/github.com/cilium/ebpf/internal/efw

Converts a Windows GUID representing an eBPF attach type to its corresponding uint32 representation. This is necessary for interacting with the eBPF runtime on Windows, which uses specific GUIDs for different attachment points.

```go
func EbpfGetBpfAttachType(attachType windows.GUID) (uint32, error)
```

--------------------------------

### Go: Get eBPF Program Type from GUID

Source: https://pkg.go.dev/github.com/cilium/ebpf/internal/efw

Converts a Windows GUID representing an eBPF program type to its corresponding uint32 representation. This function is used to correctly identify the type of an eBPF program when interacting with the Windows eBPF subsystem.

```go
func EbpfGetBpfProgramType(programType windows.GUID) (uint32, error)
```

--------------------------------

### BPF Map Get Next ID Attributes

Source: https://pkg.go.dev/github.com/cilium/ebpf/internal/sys?tab=versions

Defines the structure `MapGetNextIdAttr` used to iterate through BPF map IDs. Starting with a given map ID, it returns the ID of the next available map.

```go
type MapGetNextIdAttr struct {
	Id     uint32
	NextId uint32
}
```

--------------------------------

### Go: Get Next Pinned eBPF Object Path

Source: https://pkg.go.dev/github.com/cilium/ebpf/internal/efw

Retrieves the path of the next pinned eBPF object of a specified type, starting from a given path. This function is useful for iterating through pinned eBPF objects in the system.

```go
func EbpfGetNextPinnedObjectPath(startPath string, objectType ObjectType) (string, ObjectType, error)
```

--------------------------------

### Map in Map Example

Source: https://pkg.go.dev/github.com/cilium/ebpf/examples

This example illustrates the concept and usage of maps within maps in eBPF.
This feature allows for more complex data structures and efficient lookups by nesting maps.

```go
// Example demonstrating maps within maps
// ... (actual code would be here)
```

--------------------------------

### Load and Manage BPF Links

Source: https://pkg.go.dev/github.com/cilium/ebpf/link

Utilities for loading existing BPF links from the filesystem or creating them from raw file descriptors and IDs.

```go
func LoadPinnedLink(fileName string, opts *ebpf.LoadPinOptions) (Link, error)
func NewFromFD(fd int) (Link, error)
func NewFromID(id ID) (Link, error)
```

--------------------------------

### Raw Attach Program (Go)

Source: https://pkg.go.dev/github.com/cilium/ebpf/link

Provides a low-level wrapper around the BPF_PROG_ATTACH command of the bpf() syscall. Use one of the higher-level abstractions in this package when possible.

```go
func RawAttachProgram(opts RawAttachProgramOptions) error
```

--------------------------------

### Map Initialization and Loading

Source: https://pkg.go.dev/github.com/cilium/ebpf

Methods for instantiating eBPF maps from various sources including pinned files, existing file descriptors, or map specifications.

```go
func LoadPinnedMap(fileName string, opts *LoadPinOptions) (*Map, error)
func NewMap(spec *MapSpec) (*Map, error)
func NewMapFromFD(fd int) (*Map, error)
func NewMapFromID(id MapID) (*Map, error)
func NewMapWithOptions(spec *MapSpec, opts MapOptions) (*Map, error)
```

--------------------------------

### Handle BPF Line Information

Source: https://pkg.go.dev/github.com/cilium/ebpf/internal/btf

Structures for mapping BPF instructions back to source code lines, with methods to marshal the information into binary format for kernel consumption.
```go
type LineInfo struct {
	InsnOff     uint32
	FileNameOff uint32
	LineOff     uint32
	LineCol     uint32
}

func (li LineInfo) Marshal(w io.Writer, offset uint64) error

type LineInfos []LineInfo

func (li LineInfos) Marshal(w io.Writer, off uint64) error
```

--------------------------------

### KprobeOptions Structure (Go)

Source: https://pkg.go.dev/github.com/cilium/ebpf/link

Defines options for loading Kprobes. It includes fields for cookie, offset, maximum active kretprobes, and a tracefs prefix. Note the warning about RetprobeMaxActive using an outdated kernel API.

```go
type KprobeOptions struct {
	// Arbitrary value that can be fetched from an eBPF program
	// via `bpf_get_attach_cookie()`.
	//
	// Needs kernel 5.15+.
	Cookie uint64
	// Offset of the kprobe relative to the traced symbol.
	// Can be used to insert kprobes at arbitrary offsets in kernel functions,
	// e.g. in places where functions have been inlined.
	Offset uint64
	// Increase the maximum number of concurrent invocations of a kretprobe.
	// Required when tracing some long running functions in the kernel.
	//
	// Warning: this setting forces the use of an outdated kernel API and is
	// not portable across kernel versions. On supported kernels, consider using
	// fexit programs instead, as they don't have this MaxActive limitation.
	RetprobeMaxActive int
	// Prefix used for the event name if the kprobe must be attached using tracefs.
	// The group name will be formatted as `<prefix>_<randomstr>`.
	// The default empty string is equivalent to "ebpf" as the prefix.
	TraceFSPrefix string
}
```

--------------------------------

### Get Translated Instructions of a BPF Program

Source: https://pkg.go.dev/github.com/cilium/ebpf

Instructions returns the kernel-verified and rewritten instruction stream of a BPF program. These instructions are primarily for inspection and troubleshooting, not for reloading. Map accesses are represented by kernel map IDs.
Availability of metadata like line and function information depends on CAP_SYS_ADMIN privileges and kernel version. Requires CAP_BPF for plain instructions and CAP_SYS_ADMIN for instructions with metadata. Available from kernel 4.13.

```go
func (pi *ProgramInfo) Instructions() (asm.Instructions, error)
```

--------------------------------

### TCP Close Example with CO-RE Helpers

Source: https://pkg.go.dev/github.com/cilium/ebpf/examples

This example logs the Round-Trip Time (RTT) of IPv4 TCP connections when they close, utilizing eBPF CO-RE (Compile Once - Run Everywhere) helpers. CO-RE enhances the portability of eBPF programs across different kernel versions.

```go
// Example for logging TCP connection RTT using CO-RE helpers
// ... (actual code would be here)
```

--------------------------------

### BPF Program Loading and Map Creation (Go)

Source: https://pkg.go.dev/github.com/cilium/ebpf/internal%40v0.3.0?tab=versions

Demonstrates how to load BPF programs and create BPF maps using the cilium/ebpf library. It utilizes BPFProgLoadAttr and BPFMapCreateAttr structs for configuration. Requires appropriate kernel privileges.
```go
package main

import (
	"fmt"

	"github.com/cilium/ebpf"
	"github.com/cilium/ebpf/asm"
)

// BPFProgLoadAttr and BPFMapCreateAttr belong to the module's internal
// package, which Go does not let code outside the module import. This
// example uses the public ebpf.ProgramSpec and ebpf.MapSpec instead.
func main() {
	// Load a minimal socket filter program that returns 0.
	prog, err := ebpf.NewProgram(&ebpf.ProgramSpec{
		Type: ebpf.SocketFilter,
		Instructions: asm.Instructions{
			asm.LoadImm(asm.R0, 0, asm.DWord),
			asm.Return(),
		},
		License: "GPL",
	})
	if err != nil {
		fmt.Printf("Error loading BPF program: %v\n", err)
		return
	}
	defer prog.Close()

	// Create a hash map with 4-byte keys and 8-byte values.
	m, err := ebpf.NewMap(&ebpf.MapSpec{
		Type:       ebpf.Hash,
		KeySize:    4,
		ValueSize:  8,
		MaxEntries: 1024,
	})
	if err != nil {
		fmt.Printf("Error creating BPF map: %v\n", err)
		return
	}
	defer m.Close()

	fmt.Println("BPF program loaded and map created successfully.")
}
```

--------------------------------

### Configure bpf2go compilation flags using environment variables

Source: https://pkg.go.dev/github.com/cilium/ebpf/cmd/bpf2go%40v0.17.0

This example demonstrates how to set compilation flags for `bpf2go` using the `BPF2GO_FLAGS` environment variable. This allows for project-wide configuration of C flags, such as optimization levels and warning settings. The flags are passed to the underlying C compiler during the `go generate` process. This method is useful for managing build configurations consistently across a project.

```bash
# ${CFLAGS} is expanded by the shell; inside a Makefile recipe write $(CFLAGS).
BPF2GO_FLAGS="-O2 -g -Wall -Werror ${CFLAGS}" go generate "./..."
```

--------------------------------

### BPF Header Start Offset Constants

Source: https://pkg.go.dev/github.com/cilium/ebpf/internal/sys?tab=versions

Defines constants for specifying the starting offset of headers within BPF programs. These are used in conjunction with functions that operate on packet headers.
```go
const BPF_HDR_START_MAC uint32 = 0
const BPF_HDR_START_NET uint32 = 1
```

--------------------------------

### Select Platform-Appropriate Version String in Go

Source: https://pkg.go.dev/github.com/cilium/ebpf/internal/platform

Selects the platform-appropriate version string from a slice of strings. Versions are expected in formats like `linux:6.1` or `windows:0.20.0`. It returns an empty string and nil if no matching version is found, or an error if the input slice is empty.

```go
func SelectVersion(versions []string) (string, error)
```

--------------------------------

### Manage eBPF Program Compatibility and Copying

Source: https://pkg.go.dev/github.com/cilium/ebpf

Methods to verify program compatibility against kernel tags and create deep copies of program specifications.

```go
func (ps *ProgramSpec) Compatible(info *ProgramInfo) error
func (ps *ProgramSpec) Copy() *ProgramSpec
```

--------------------------------

### GET /programs/{id}/info

Source: https://pkg.go.dev/github.com/cilium/ebpf

Retrieves detailed information and metadata about a loaded eBPF program.

```APIDOC
## GET /programs/{id}/info

### Description
Fetches metadata including BTF ID, load time, and memory usage for the specified program.

### Method
GET

### Endpoint
/programs/{id}/info

### Parameters
#### Path Parameters
- **id** (string) - Required - The unique identifier of the program.

### Response
#### Success Response (200)
- **info** (ProgramInfo) - Object containing program metadata.

#### Response Example
{
  "id": 123,
  "load_time": "10ms",
  "memlock": 4096
}
```

--------------------------------

### GET /handle/new

Source: https://pkg.go.dev/github.com/cilium/ebpf/btf?tab=versions

Creates a new eBPF handle from a loaded specification or an existing ID.

```APIDOC
## GET /handle/new

### Description
Initializes a new handle for an eBPF program, allowing for interaction with the eBPF subsystem.

### Method
GET

### Endpoint
/handle/new

### Parameters
#### Query Parameters
- **id** (uint32) - Optional - The existing eBPF ID to wrap.

### Response
#### Success Response (200)
- **handle** (object) - The initialized eBPF handle.

#### Response Example
{
  "fd": 3,
  "spec_id": 1024
}
```