Lines Matching +full:programmable +full:- +full:security

1 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
2 /* Copyright (c) 2011-2014 PLUMgrid, http://plumgrid.com
21 #define BPF_DW 0x18 /* double word (64-bit) */
23 #define BPF_ATOMIC 0xc0 /* atomic memory ops - op type in immediate */
24 #define BPF_XADD 0xc0 /* exclusive add - legacy name */
32 #define BPF_TO_LE 0x00 /* convert to little-endian */
33 #define BPF_TO_BE 0x08 /* convert to big-endian */
52 #define BPF_CMPXCHG (0xf0 | BPF_FETCH) /* atomic compare-and-write */
74 /* BPF has 10 general purpose 64-bit registers and stack frame. */
116 BPF_CGROUP_ITER_DESCENDANTS_PRE, /* walk descendants in pre-order. */
117 BPF_CGROUP_ITER_DESCENDANTS_POST, /* walk descendants in post-order. */
128 /* At most one of cgroup_fd and cgroup_id can be non-zero. If
144 /* BPF syscall commands, see bpf(2) man-page for more details. */
159 * map. The close-on-exec file descriptor flag (see **fcntl**\ (2))
166 * A new file descriptor (a nonnegative integer), or -1 if an
178 * Look up the value of a spin-locked map without
183 * Returns zero on success. On error, -1 is returned and *errno*
200 * Update a spin_lock-ed map element.
203 * Returns zero on success. On error, -1 is returned and *errno*
224 * Returns zero on success. On error, -1 is returned and *errno*
234 * Returns zero on success. On error, -1 is returned and *errno*
244 * * If *key* is the last element, returns -1 and *errno* is set
258 * The close-on-exec file descriptor flag (see **fcntl**\ (2)) is
262 * A new file descriptor (a nonnegative integer), or -1 if an
287 * Returns zero on success. On error, -1 is returned and *errno*
296 * A new file descriptor (a nonnegative integer), or -1 if an
342 * Returns zero on success. On error, -1 is returned and *errno*
352 * Returns zero on success. On error, -1 is returned and *errno*
384 * Returns zero on success. On error, -1 is returned and *errno*
399 * remain with ids higher than *start_id*, returns -1 and sets
403 * Returns zero on success. On error, or when no id remains, -1
412 * remain with ids higher than *start_id*, returns -1 and sets
416 * Returns zero on success. On error, or when no id remains, -1
425 * A new file descriptor (a nonnegative integer), or -1 if an
434 * A new file descriptor (a nonnegative integer), or -1 if an
452 * Returns zero on success. On error, -1 is returned and *errno*
498 * Returns zero on success. On error, -1 is returned and *errno*
516 * A new file descriptor (a nonnegative integer), or -1 if an
539 * A new file descriptor (a nonnegative integer), or -1 if an
548 * A new file descriptor (a nonnegative integer), or -1 if an
569 * Returns zero on success. On error, -1 is returned and *errno*
582 * Look up and delete the value of a spin-locked map
601 * Returns zero on success. On error, -1 is returned and *errno*
616 * Returns zero on success. On error, -1 is returned and *errno*
626 * remain with ids higher than *start_id*, returns -1 and sets
630 * Returns zero on success. On error, or when no id remains, -1
658 * Look up the value of a spin-locked map without
670 * Returns zero on success. On error, -1 is returned and *errno*
675 * iteration of a hash-based map type.
692 * Returns zero on success. On error, -1 is returned and *errno*
719 * Update spin_lock-ed map elements. This must be
728 * Returns zero on success. On error, -1 is returned and *errno*
762 * Look up the value of a spin-locked map without
774 * Returns zero on success. On error, -1 is returned and *errno*
784 * A new file descriptor (a nonnegative integer), or -1 if an
793 * Returns zero on success. On error, -1 is returned and *errno*
802 * A new file descriptor (a nonnegative integer), or -1 if an
811 * remain with ids higher than *start_id*, returns -1 and sets
815 * Returns zero on success. On error, or when no id remains, -1
830 * disabled system-wide when all outstanding file descriptors
834 * A new file descriptor (a nonnegative integer), or -1 if an
849 * A new file descriptor (a nonnegative integer), or -1 if an
858 * Returns zero on success. On error, -1 is returned and *errno*
873 * Returns zero on success. On error, -1 is returned and *errno*
879 * BPF-related functionality it allows:
880 * - a set of allowed bpf() syscall commands;
881 * - a set of allowed BPF map types to be created with
883 * - a set of allowed BPF program types and BPF program attach
903 * A new file descriptor (a nonnegative integer), or -1 if an
987 * both cgroup-attached and other progs and supports all functionality
1158 /* cgroup-bpf attach flags used in BPF_PROG_ATTACH command
1162 * BPF_F_ALLOW_OVERRIDE: If a sub-cgroup installs some bpf program,
1163 * the program in this cgroup yields to sub-cgroup program.
1165 * BPF_F_ALLOW_MULTI: If a sub-cgroup installs some bpf program,
1176 * The programs of sub-cgroup are executed first, then programs of
1186 * A cgroup with MULTI or OVERRIDE flag allows any attach flags in sub-cgroups.
1187 * A cgroup with NONE doesn't allow any programs in sub-cgroups.
1189 * cgrp1 (MULTI progs A, B) ->
1190 * cgrp2 (OVERRIDE prog C) ->
1191 * cgrp3 (MULTI prog D) ->
1192 * cgrp4 (OVERRIDE prog E) ->
1233 * Verifier does sub-register def/use analysis and identifies instructions whose
1234 * def only matters for low 32-bit, high 32-bit is never referenced later
1235 * through implicit zero extension. Therefore verifier notifies JIT back-ends
1236 * that it is safe to ignore clearing high 32-bit for these instructions. This
1237 * saves some back-ends a lot of code-gen. However such optimization is not
1238 * necessary on some arches, for example x86_64, arm64 etc, whose JIT back-ends
1244 * 32-bit for those instructions who has been identified as safe to ignore them.
1267 * program becomes device-bound but can access XDP metadata.
1338 /* when bpf_call->src_reg == BPF_PSEUDO_CALL, bpf_call->imm == pc-relative
1342 /* when bpf_call->src_reg == BPF_PSEUDO_KFUNC_CALL,
1343 * bpf_call->imm == btf_id of a BTF_KIND_FUNC in the running kernel
1356 BPF_F_LOCK = 4, /* spin_lock-ed map_lookup/map_update */
1379 /* Zero-initialize hash function seed. This should only be used for testing. */
1389 /* Enable memory-mapping BPF map */
1479 __u32 btf_vmlinux_value_type_id;/* BTF type_id of a kernel-
1483 /* Any per-map-type extra fields
1485 * BPF_MAP_TYPE_BLOOM_FILTER - the lowest 4 bits indicate the
1489 * BPF_MAP_TYPE_ARENA - contains the address where user space
1555 __u32 attach_btf_id; /* in-kernel BTF type id to attach to */
1662 /* output: per-program attach_flags.
1730 /* black box user-provided value passed through
1746 /* black box user-provided value passed through
1837 * --filename include/uapi/linux/bpf.h > /tmp/bpf-helpers.rst
1838 * $ rst2man /tmp/bpf-helpers.rst > /tmp/bpf-helpers.7
1839 * $ man /tmp/bpf-helpers.7
1899 * This helper is a "printk()-like" facility for debugging. It
1917 * telnet-470 [001] .N.. 419421.045894: 0x00000001: <formatted msg>
1942 * helper will return **-EINVAL** (but print nothing) if it
1958 * Get a pseudo-random number.
1960 * From a security point of view, this helper uses its own
1961 * pseudo-random internal state, and cannot be used to infer the
1966 * A random 32-bit unsigned value.
1983 * **BPF_F_INVALIDATE_HASH** (set *skb*\ **->hash**, *skb*\
1984 * **->swhash** and *skb*\ **->l4hash** to 0).
2007 * which does not update the checksum in-place, but offers more
2036 * the checksum is to be computed against a pseudo-header.
2039 * which does not update the checksum in-place, but offers more
2059 * conditional blocks. For security reasons, there is an upper
2112 * A 64-bit integer containing the current tgid and pid, and
2114 * *current_task*\ **->tgid << 32 \|**
2115 * *current_task*\ **->pid**.
2121 * A 64-bit integer containing the current GID and UID, and
2130 * helper makes sure that the *buf* is NUL-terminated. On failure,
2143 * based on a user-provided identifier for all traffic coming from
2146 * *Documentation/admin-guide/cgroup-v1/net_cls.rst*.
2152 * run on cgroups, which is a cgroup-v2-only feature (a socket can
2204 * in *key*\ **->remote_ipv4** or *key*\ **->remote_ipv6**. Also,
2205 * this struct exposes the *key*\ **->tunnel_id**, which is
2207 * it programmable together with the **bpf_skb_set_tunnel_key**\
2336 * identifier retrieved is a user-provided tag, similar to the
2342 * (see also **tc-bpf(8)**), or alternatively on conventional
2410 * manipulated with *skb*\ **->data** and *skb*\ **->data_end**
2441 * generating a variety of graphs (such as flame graphs or off-cpu
2499 * and retrieving arbitrary TLVs (Type-Length-Value headers) from
2545 * comes down to setting *skb*\ **->pkt_type** to *type*, except
2547 * **->pkt_type** beside this helper. Using a helper here allows
2582 * Retrieve the hash of the packet, *skb*\ **->hash**. If it is
2585 * directly with *skb*\ **->hash**.
2594 * The 32-bit hash.
2609 * security mechanism because of TOC-TOU attacks, but rather to
2610 * debug, divert, and manipulate execution of semi-cooperative
2659 * Pull in non-linear data in case the *skb* is non-linear and not
2669 * are within packet boundaries (test on *skb*\ **->data_end**) is
2671 * data is in non-linear parts of the *skb*. On failure the
2672 * program can just bail out, or in the case of a non-linear
2676 * to pull in once the non-linear parts, then retesting and
2696 * Add the checksum *csum* into *skb*\ **->csum** in case the
2708 * Invalidate the current *skb*\ **->hash**. It can be used after
2750 * Adjust (move) *xdp_md*\ **->data** by *delta* bytes. Note that
2786 * A 8-byte long unique number on success, or 0 if the socket
2794 * A 8-byte long unique number.
2801 * A 8-byte long unique number.
2809 * A 8-byte long unique number or 0 if *sk* is NULL.
2817 * time-wait or a request socket instead), **overflowuid** value
2823 * Set the full hash for *skb* (set the field *skb*\ **->hash**)
2978 * Adjust the address pointed by *xdp_md*\ **->data_meta** by
2980 * operation modifies the address stored in *xdp_md*\ **->data**,
2984 * The use of *xdp_md*\ **->data_meta** is optional and programs
2990 * this up for further post-processing. Since TC works with socket
2993 * Having this scratch space generic and programmable allows for
3024 * **->enabled** and *buf*\ **->running**, respectively) are
3102 * This helper has security implications, and thus is subject to
3142 * **bpf_sock->bpf_sock_ops_cb_flags & ~BPF_SOCK_OPS_RTO_CB_FLAG)**
3153 * Code **-EINVAL** if the socket is not a full TCP socket;
3193 * *bytes* will be sent and the eBPF program will be re-run with
3201 * a non-zero value, this is not a problem because data is not
3216 * 1-byte long message segments. Obviously, this is bad for
3226 * For socket policies, pull in non-linear data from user space
3227 * for *msg* and set pointers *msg*\ **->data** and *msg*\
3228 * **->data_end** to *start* and *end* bytes offsets into *msg*,
3264 * domain (*addr*\ **->sa_family**) must be **AF_INET** (or
3266 * or **sin6_port**) which triggers IP_BIND_ADDRESS_NO_PORT-like
3268 * port as long as 4-tuple is unique. Passing non-zero port might
3275 * Adjust (move) *xdp_md*\ **->data_end** by *delta* bytes. It is
3290 * **ip-xfrm(8)**) at *index* in XFRM "security path" for *skb*.
3327 * adjusted by adding (sh_addr - sh_offset), where
3343 * The non-negative copied *buf* length equal to or less than
3362 * in socket filters where *skb*\ **->data** does not always point
3389 * Use the routing table ID present in *params*->tbid
3395 * Skip the neighbour table lookup. *params*->dmac
3396 * and *params*->smac will not be set as output. A common
3400 * Derive and set source IP addr in *params*->ipv{4,6}_src
3403 * case, *params*->dmac and *params*->smac are not set either.
3405 * Use the mark present in *params*->mark for the fib lookup.
3418 * was exceeded and output params->mtu_result contains the MTU.
3543 * End.X action: Endpoint with Layer-3 cross-connect.
3617 * to the same 64-bit id.
3630 * A 64-bit integer containing the current cgroup id based
3682 * and if non-**NULL**, released via **bpf_sk_release**\ ().
3690 * **sizeof**\ (*tuple*\ **->ipv4**)
3692 * **sizeof**\ (*tuple*\ **->ipv6**)
3695 * If the *netns* is a negative signed 32-bit integer, then the
3699 * If *netns* is any other signed 32-bit value greater than or
3702 * range of 32-bit integers are reserved for future use.
3712 * result is from *reuse*\ **->socks**\ [] using the hash of the
3719 * and if non-**NULL**, released via **bpf_sk_release**\ ().
3727 * **sizeof**\ (*tuple*\ **->ipv4**)
3729 * **sizeof**\ (*tuple*\ **->ipv6**)
3732 * If the *netns* is a negative signed 32-bit integer, then the
3736 * If *netns* is any other signed 32-bit value greater than or
3739 * range of 32-bit integers are reserved for future use.
3749 * result is from *reuse*\ **->socks**\ [] using the hash of the
3755 * non-**NULL** pointer that was returned from
3845 * allowed inside a spinlock-ed region.
3868 * * **bpf_spin_lock** is not allowed in inner maps of map-in-map.
3917 * and if non-**NULL**, released via **bpf_sk_release**\ ().
3929 * result is from *reuse*\ **->socks**\ [] using the hash of the
3953 * The buffer is always NUL terminated, unless it's zero-sized.
3961 * **-E2BIG** if the buffer wasn't big enough (*buf* will contain
3973 * The buffer is always NUL terminated, unless it's zero-sized.
3977 * **-E2BIG** if the buffer wasn't big enough (*buf* will contain
3980 * **-EINVAL** if current value was unavailable, e.g. because
3981 * sysctl is uninitialized and read returns -EIO for it.
3991 * The buffer is always NUL terminated, unless it's zero-sized.
3995 * **-E2BIG** if the buffer wasn't big enough (*buf* will contain
3998 * **-EINVAL** if sysctl is being read.
4013 * **-E2BIG** if the *buf_len* is too big.
4015 * **-EINVAL** if sysctl is being read.
4025 * optional '**-**' sign.
4036 * **-EINVAL** if no valid digits were found or unsupported base
4039 * **-ERANGE** if resulting value was out of range.
4059 * **-EINVAL** if no valid digits were found or unsupported base
4062 * **-ERANGE** if resulting value was out of range.
4066 * Get a bpf-local-storage from a *sk*.
4076 * the *map*. The *map* is used as the bpf-local-storage
4077 * "type". The bpf-local-storage "type" (i.e. the *map*) is
4078 * searched against all bpf-local-storages residing at *sk*.
4084 * used such that a new bpf-local-storage will be
4087 * the initial value of a bpf-local-storage. If *value* is
4088 * **NULL**, the new bpf-local-storage will be zero initialized.
4090 * A bpf-local-storage pointer is returned on success.
4093 * a new bpf-local-storage.
4097 * Delete a bpf-local-storage from a *sk*.
4101 * **-ENOENT** if the bpf-local-storage cannot be found.
4102 * **-EINVAL** if sk is not a fullsock (e.g. a request_sock).
4111 * **-EBUSY** if work queue under nmi is full.
4113 * **-EINVAL** if *sig* is invalid.
4115 * **-EPERM** if no permission to send the *sig*.
4117 * **-EAGAIN** if bpf program can try again.
4138 * **-EINVAL** SYN cookie cannot be issued due to error
4140 * **-ENOENT** SYN cookie should not be issued (no SYN flood)
4142 * **-EOPNOTSUPP** kernel configuration does not enable SYN cookies
4144 * **-EPROTONOSUPPORT** IP packet version is not 4 or 6
4163 * *ctx* is a pointer to in-kernel struct sk_buff.
4190 * string length is larger than *size*, just *size*-1 bytes are
4205 * ctx->di);
4220 * *current*\ **->mm->arg_start** and *current*\
4221 * **->mm->env_start**: using this helper and the return value,
4238 * Send out a tcp-ack. *tp* is the in-kernel struct **tcp_sock**.
4249 * **-EBUSY** if work queue under nmi is full.
4251 * **-EINVAL** if *sig* is invalid.
4253 * **-EPERM** if no permission to send the *sig*.
4255 * **-EAGAIN** if bpf program can try again.
4277 * **-EINVAL** if arguments invalid or **size** not a multiple
4280 * **-ENOENT** if architecture does not support branch records.
4289 * **-EINVAL** if dev and inum supplied don't match dev_t and inode number
4292 * **-ENOENT** if pidns does not exists for the current task.
4311 * *ctx* is a pointer to in-kernel struct xdp_buff.
4329 * A 8-byte long opaque number.
4368 * **-EINVAL** if specified *flags* are not supported.
4370 * **-ENOENT** if the socket is unavailable for assignment.
4372 * **-ENETUNREACH** if the socket is unreachable (wrong netns).
4374 * **-EOPNOTSUPP** if the operation is not supported, for example
4390 * that are not v6-only can be selected for IPv4 packets.
4403 * load-balancing within reuseport group for the socket
4406 * On success *ctx->sk* will point to the selected socket.
4411 * * **-EAFNOSUPPORT** if socket family (*sk->family*) is
4412 * not compatible with packet family (*ctx->family*).
4414 * * **-EEXIST** if socket has been already selected,
4418 * * **-EINVAL** if unsupported flags were specified.
4420 * * **-EPROTOTYPE** if socket L4 protocol
4421 * (*sk->protocol*) doesn't match packet protocol
4422 * (*ctx->protocol*).
4424 * * **-ESOCKTNOSUPPORT** if socket is not in allowed
4444 * The *data_len* is the size of *data* in bytes - must be a multiple of 8.
4455 * **-EBUSY** if per-CPU memory copy buffer is busy, can try again
4458 * **-EINVAL** if arguments are invalid, or if *fmt* is invalid/unsupported.
4460 * **-E2BIG** if *fmt* contains too many format specifiers.
4462 * **-EOVERFLOW** if an overflow happened: The same object will be tried again.
4472 * **-EOVERFLOW** if an overflow happened: The same object will be tried again.
4478 * *sk* must be a non-**NULL** pointer to a socket, e.g. one
4516 * An adaptive notification is a notification sent whenever the user-space
4517 * process has caught up and consumed all available payloads. In case the user-space
4594 * * **BPF_CSUM_LEVEL_INC**: Increases skb->csum_level for skbs
4596 * * **BPF_CSUM_LEVEL_DEC**: Decreases skb->csum_level for skbs
4598 * * **BPF_CSUM_LEVEL_RESET**: Resets skb->csum_level to 0 and
4600 * * **BPF_CSUM_LEVEL_QUERY**: No-op, returns the current
4601 * skb->csum_level.
4604 * case of **BPF_CSUM_LEVEL_QUERY**, the current skb->csum_level
4605 * is returned or the error code -EACCES in case the skb is not
4642 * the current task; all other tasks will return -EOPNOTSUPP.
4670 * The non-negative copied *buf* length equal to or less than
4679 * *skops*\ **->skb_data**. The comment in **struct bpf_sock_ops**
4681 * *skops*\ **->op**.
4691 * the 2nd byte which is "kind-length" of a TCP
4692 * header option and the "kind-length" also
4693 * includes the first 2 bytes "kind" and "kind-length"
4702 * Note, kind-length must be 0 for regular option.
4704 * Searching for No-Op (0) and End-of-Option-List (1) are
4713 * saved_syn packet or the just-received syn packet.
4720 * **-EINVAL** if a parameter is invalid.
4722 * **-ENOMSG** if the option is not found.
4724 * **-ENOENT** if no syn packet is available when
4727 * **-ENOSPC** if there is not enough space. Only *len* number of
4730 * **-EFAULT** on failure to parse the header options in the
4733 * **-EPERM** if the helper cannot be used under the current
4734 * *skops*\ **->op**.
4742 * includes the kind, kind-length, and the actual
4743 * option data. The *len* must be at least kind-length
4744 * long. The kind-length does not have to be 4 byte
4746 * and setting the 4 bytes aligned value to th->doff.
4757 * **-EINVAL** If param is invalid.
4759 * **-ENOSPC** if there is not enough space in the header.
4762 * **-EEXIST** if the option already exists.
4764 * **-EFAULT** on failure to parse the existing header options.
4766 * **-EPERM** if the helper cannot be used under the current
4767 * *skops*\ **->op**.
4784 * **-EINVAL** if a parameter is invalid.
4786 * **-ENOSPC** if there is not enough space in the header.
4788 * **-EPERM** if the helper cannot be used under the current
4789 * *skops*\ **->op**.
4803 * the *map*. The *map* is used as the bpf-local-storage
4804 * "type". The bpf-local-storage "type" (i.e. the *map*) is
4825 * **-ENOENT** if the bpf_local_storage cannot be found.
4848 * Use BTF to store a string representation of *ptr*->ptr in *str*,
4849 * using *ptr*->type_id. This value should specify the type
4850 * that *ptr*->ptr points to. LLVM __builtin_btf_type_id(type, 1)
4853 * stored in the first *str_size* - 1 bytes of *str*. Safe copy of
4874 * show zero-valued struct/union members; they
4885 * *ptr*->ptr, using *ptr*->type_id as per bpf_snprintf_btf().
4977 * the *map*. The *map* is used as the bpf-local-storage
4978 * "type". The bpf-local-storage "type" (i.e. the *map*) is
4999 * **-ENOENT** if the bpf_local_storage cannot be found.
5017 * **-EINVAL** if invalid *flags* are passed, zero otherwise.
5021 * Return a coarse-grained version of the time elapsed since
5036 * **-EOPNOTSUPP** if IMA is disabled or **-EINVAL** if
5071 * this value is L3 as this correlate to MTU and IP-header tot_len
5090 * possible for the skb packet to get re-segmented
5100 * MTU value in your BPF-code.
5117 * **map**, **callback_ctx** and other map-specific parameters.
5140 * The number of traversed map elements for success, **-EINVAL** for
5146 * based on a format string stored in a read-only map pointed by
5152 * array. The *data_len* is the size of *data* in bytes - must be
5167 * be zero-terminated except when **str_size** is 0.
5169 * Or **-EBUSY** if the per-CPU memory copy buffer is busy.
5199 * **-EBUSY** if *timer* is already initialized.
5200 * **-EINVAL** if invalid *flags* are passed.
5201 * **-EPERM** if *timer* is in a map that doesn't have any user references.
5211 * **-EINVAL** if *timer* was not initialized with bpf_timer_init() earlier.
5212 * **-EPERM** if *timer* is in a map that doesn't have any user references.
5228 * decremented. This is done to make sure that Ctrl-C of a user
5230 * bpffs the callback_fn can re-arm itself indefinitely.
5233 * The map can contain timers that invoke callback_fn-s from different
5248 * **-EINVAL** if *timer* was not initialized with bpf_timer_init() earlier
5257 * **-EINVAL** if *timer* was not initialized with bpf_timer_init() earlier.
5258 * **-EDEADLK** if callback_fn tried to call bpf_timer_cancel() on its
5281 * - kprobe/uprobe;
5282 * - tracepoint;
5283 * - perf_event.
5311 * **-EINVAL** if *flags* is not zero.
5313 * **-ENOENT** if architecture does not support branch records.
5338 * **-EINVAL** if *flags* is not zero.
5340 * **-EINVAL** if string *name* is not the same size as *name_sz*.
5342 * **-ENOENT** if symbol is not found.
5344 * **-EPERM** if caller does not have permission to obtain kernel address.
5361 * **-ENOENT** if *task->mm* is NULL, or no vma contains *addr*.
5362 * **-EBUSY** if failed to try lock mmap_lock.
5363 * **-EINVAL** for invalid **flags**.
5378 * is zero-indexed.
5386 * The number of loops performed, **-EINVAL** for invalid **flags**,
5387 * **-E2BIG** if **nr_loops** exceeds the maximum number of loops.
5392 * to be null-terminated and **s1_sz** is the maximum storage
5393 * size of **s1**. **s2** must be a read-only string.
5401 * Get **n**-th argument register (zero based) of the traced function (for tracing programs)
5406 * **-EINVAL** if n >= argument register count of traced function.
5415 * **-EOPNOTSUPP** for tracing programs other than BPF_TRACE_FEXIT or BPF_MODIFY_RETURN.
5444 * bpf_set_retval(-EPERM);
5447 * In this case, the BPF program's return value will use helper's -EPERM. This
5487 * Change the __sk_buff->tstamp_type to *tstamp_type*
5488 * and set *tstamp* to the __sk_buff->tstamp together.
5490 * If there is no need to change the __sk_buff->tstamp_type,
5491 * the tstamp value can be directly written to __sk_buff->tstamp
5502 * Only IPv4 and IPv6 skb->protocol are supported.
5505 * mono delivery time to __sk_buff->tstamp and then
5507 * changing the (rcv) timestamp in __sk_buff->tstamp at
5509 * to sch_fq@phy-dev.
5512 * **-EINVAL** for invalid input
5513 * **-EOPNOTSUPP** for unsupported protocol
5522 * **-EOPNOTSUPP** if the hash calculation failed or **-EINVAL** if
5559 * 0 on success, -E2BIG if the size exceeds DYNPTR_MAX_SIZE,
5560 * -EINVAL if flags is not 0.
5576 * through the dynptr interface. This is a no-op if the dynptr is
5587 * interface. This is a no-op if the dynptr is invalid/null.
5600 * 0 on success, -E2BIG if *offset* + *len* exceeds the length
5601 * of *src*'s data, -EINVAL if *src* is an invalid dynptr or if
5609 * *flags* must be 0 except for skb-type dynptrs.
5611 * For skb-type dynptrs:
5620 * 0 on success, -E2BIG if *offset* + *len* exceeds the length
5621 * of *dst*'s data, -EINVAL if *dst* is an invalid dynptr or if *dst*
5622 * is a read-only dynptr or if *flags* is not correct. For skb-type dynptrs,
5636 * read-only, if the dynptr is invalid, or if the offset and length
5657 * **-EINVAL** if *th_len* is invalid.
5677 * **-EINVAL** if *th_len* is invalid.
5679 * **-EPROTONOSUPPORT** if CONFIG_IPV6 is not builtin.
5694 * **-EACCES** if the SYN cookie is not valid.
5709 * **-EACCES** if the SYN cookie is not valid.
5711 * **-EPROTONOSUPPORT** if CONFIG_IPV6 is not builtin.
5715 * A nonsettable system-wide clock derived from wall-clock time but
5740 * buffer. If a user-space producer was epoll-waiting on this map,
5750 * **-EBUSY** if the ring buffer is contended, and another calling
5753 * **-EINVAL** if user-space is not properly tracking the ring
5758 * **-E2BIG** if user-space has tried to publish a sample which is
5773 * In reality, the local-storage value is embedded directly inside of the
5775 * **BPF_MAP_TYPE_CGRP_STORAGE** map. When the local-storage value is
5777 * O(n) iteration over all of the live local-storage values for that
5778 * *cgroup* object until the local-storage value for the *map* is found.
5798 * **-ENOENT** if the bpf_local_storage cannot be found.
6015 /* backwards-compatibility macros for users of __BPF_FUNC_MAPPER that don't
6094 BPF_F_CURRENT_NETNS = (-1L),
6213 /* The enum used in skb->tstamp_type. It specifies the clock type
6214 * of the time stored in the skb->tstamp.
6223 * the bpf prog can try to deduce it by ingress/egress/skb->sk->sk_clockid.
6227 /* user accessible mirror of in-kernel sk_buff.
6291 /* user accessible mirror of in-kernel xfrm_state.
6306 * The values are binary compatible with their TC_ACT_* counter-part to
6316 /* 3-6 reserved */
6418 * their TC_ACT_* counter-parts. For compatibility in behavior, unknown
6422 TCX_NEXT = -1,
6455 __u32 ingress_ifindex; /* rxq->dev->ifindex */
6456 __u32 rx_queue_index; /* rxq->queue_index */
6458 __u32 egress_ifindex; /* txq->dev->ifindex */
6461 /* DEVMAP map-value layout
6463 * The struct data-layout of map-value is a configuration interface.
6474 /* CPUMAP map-value layout
6476 * The struct data-layout of map-value is a configuration interface.
6521 * Note that the directly accessible bytes (data_end - data)
6534 /* When reuse->migrating_sk is NULL, it is selecting a sk for the
6536 * the received SYN in the TCP case). reuse->sk is one of the sk
6537 * in the reuseport group. The bpf prog can use reuse->sk to learn
6540 * When reuse->migrating_sk is not NULL, reuse->sk is closed and
6541 * reuse->migrating_sk is the socket that needs to be migrated
6543 * sk that is fully established or a reqsk that is in-the-middle
6544 * of 3-way handshake.
6749 __u32 user_family; /* Allows 4-byte read, but no write. */
6750 __u32 user_ip4; /* Allows 1,2,4-byte read and 4-byte write.
6753 __u32 user_ip6[4]; /* Allows 1,2,4,8-byte read and 4,8-byte write.
6756 __u32 user_port; /* Allows 1,2,4-byte read and 4-byte write.
6759 __u32 family; /* Allows 4-byte read, but no write */
6760 __u32 type; /* Allows 4-byte read, but no write */
6761 __u32 protocol; /* Allows 4-byte read, but no write */
6762 __u32 msg_src_ip4; /* Allows 1,2,4-byte read and 4-byte write.
6765 __u32 msg_src_ip6[4]; /* Allows 1,2,4,8-byte read and 4,8-byte write.
6861 * called under sock_ops->op == BPF_SOCK_OPS_PARSE_HDR_OPT_CB
6869 * mode and required the active side to resend the bpf-written
6870 * options. The active side can keep writing the bpf-options until
6881 * sock_ops->op == BPF_SOCK_OPS_PARSE_HDR_OPT_CB.
6891 * sock_ops->op == BPF_SOCK_OPS_HDR_OPT_LEN_CB. Then
6893 * under sock_ops->op == BPF_SOCK_OPS_WRITE_HDR_OPT_CB.
6912 BPF_SOCK_OPS_TIMEOUT_INIT, /* Should return SYN-RTO value to use or
6913 * -1 if default value should be used
6916 * window (in packets) or -1 if default
6968 * sock_ops->skb_data:
6982 * sock_ops->skb_data:
6986 * sock_ops->skb_tcp_flags:
6997 * sock_ops->skb_data:
7002 * earlier bpf-progs.
7004 * sock_ops->skb_tcp_flags:
7017 * earlier bpf-progs.
7056 * 1. the just-received SYN packet (only available when writing the
7070 * If the bpf-prog does not need the IP[46] header, the
7071 * bpf-prog can avoid parsing the IP header by using
7072 * TCP_BPF_SYN. Otherwise, the bpf-prog can get both
7076 * -ENOSPC: Not enough space in optval. Only optlen number of
7078 * -ENOENT: The SYN skb is not available now and the earlier SYN pkt
7166 /* set if lookup is to consider L4 data - e.g., FIB rules */
7173 __u16 tot_len; /* L3 length from network hdr (iph->tot_len) */
7226 /* 2 4-byte holes for input */
7255 BPF_MTU_CHK_RET_SEGS_TOOBIG, /* GSO re-segmentation needed to fwd */
7351 * Allows 1,2,4-byte read, but no write.
7354 * Allows 1,2,4-byte read an 4-byte write.
7378 __u64 cookie; /* Non-zero if socket was selected in PROG_TEST_RUN */
7396 * via the bpf_snprintf_btf() helper described above. A flags field -
7398 * (rather than its mode of display) - is included for future use.
7399 * Display flags - BTF_F_* - are passed to bpf_snprintf_btf separately.
7409 * - BTF_F_COMPACT: no formatting around type information
7410 * - BTF_F_NONAME: no struct/union member names/types
7411 * - BTF_F_PTR_RAW: show raw (unobfuscated) pointer values;
7413 * - BTF_F_ZERO: show zero-valued struct/union members; they
7431 BPF_CORE_FIELD_SIGNED = 3, /* field signedness (0 - unsigned, 1 - signed) */
7432 BPF_CORE_FIELD_LSHIFT_U64 = 4, /* bitfield-specific left bitshift */
7433 BPF_CORE_FIELD_RSHIFT_U64 = 5, /* bitfield-specific right bitshift */
7447 * CO-RE relocation captures the following data:
7448 * - insn_off - instruction offset (in bytes) within a BPF program that needs
7449 * its insn->imm field to be relocated with actual field info;
7450 * - type_id - BTF type ID of the "root" (containing) entity of a relocatable
7452 * - access_str_off - offset into corresponding .BTF string section. String
7454 * - for field-based relocations, string encodes an accessed field using
7458 * - for type-based relocations, strings is expected to be just "0";
7459 * - for enum value-based relocations, string contains an index of enum
7461 * - kind - one of enum bpf_core_relo_kind;
7472 * int *x = &s->a; // encoded as "0:0" (a is field #0)
7473 * int *y = &s->b[5]; // encoded as "0:1:0:5" (anon struct is field #1,
7475 * int *z = &s[10]->b; // encoded as "10:1" (ptr is used as an array)
7481 * Clang built-in, passing expression that captures field address, e.g.:
7484 * __builtin_preserve_access_index(&src->a.b.c));
7489 * [0] https://llvm.org/docs/LangRef.html#getelementptr-instruction
7500 * - BPF_F_TIMER_ABS: Timeout passed is absolute time, by default it is
7502 * - BPF_F_TIMER_CPU_PIN: Timer will be pinned to the CPU of the caller.
7519 * - BPF_F_PAD_ZEROS: Pad destination buffer with zeros. (See the respective