eBPF program types.
eBPF programs are loaded inside the kernel and attached to one or more hook points. Whenever the hook points are reached, the programs are executed.
Loading and attaching programs
When you call Bpf::load_file or Bpf::load, all the programs included in the object code are parsed and relocated. Programs are not loaded automatically though, since often you will need to do some application-specific setup before you can actually load them.
In order to load and attach a program, you need to retrieve it using Bpf::program_mut, then call the load() and attach() methods, for example:
use aya::{Bpf, programs::KProbe};
use std::convert::TryInto;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // parse and relocate every program in the object file (nothing is loaded yet)
    let mut bpf = Bpf::load_file("ebpf_programs.o")?;
    // intercept_wakeups is the name of the program we want to load
    let program: &mut KProbe = bpf.program_mut("intercept_wakeups").unwrap().try_into()?;
    // load the program into the kernel
    program.load()?;
    // intercept_wakeups will be called every time try_to_wake_up() is called
    // inside the kernel
    program.attach("try_to_wake_up", 0)?;
    Ok(())
}
The signature of the attach() method varies depending on what kind of program you’re trying to attach.
Re-exports
pub use perf_event::PerfEvent;
pub use perf_event::PerfEventScope;
pub use perf_event::PerfTypeId;
pub use perf_event::SamplePolicy;
pub use tc::SchedClassifier;
pub use tc::TcAttachType;
pub use tc::TcError;
Modules
Perf event programs.
Network traffic control programs.
Structs
Marks a function as a BTF-enabled raw tracepoint eBPF program that can be attached at a pre-defined kernel trace point.
A program used to inspect or filter network activity for a given cgroup.
A program used to extend existing BPF programs.
A program that can be attached to the entry point of (almost) any kernel function.
A program that can be attached to the exit point of (almost) any kernel function.
A kernel probe.
The return type of program.attach(...).
A program used to decode IR into key events for a lirc device.
A program that attaches to Linux LSM hooks. Used to implement security policy and audit logging.
Provides information about a loaded program, like name, id and statistics.
A program that can be attached at a pre-defined kernel trace point, but also has access to kernel internal arguments of trace points, which differentiates it from traditional tracepoint eBPF programs.
A program used to intercept messages sent with sendmsg()/sendfile().
A program used to intercept ingress socket buffers.
A program used to work with sockets.
A program used to inspect and filter incoming packets on a socket.
A program that can be attached at a pre-defined kernel trace point.
A user space probe.
An XDP program.
Flags passed to Xdp::attach().
Enums
Defines where to attach a CgroupSkb program.
The type returned when loading or attaching an Extension fails.
The type returned when attaching a KProbe fails.
Kind of probe program
eBPF program type.
Error type returned when working with programs.
The type returned when attaching a SocketFilter fails.
The type returned when attaching a TracePoint fails.
The type returned when attaching a UProbe fails.