Chapter 7. eBPF Program and Attachment Types
In the preceding chapters you saw lots of examples of eBPF programs, and you probably spotted the fact that they are attached to different types of events. Some of the examples I’ve shown attach to kprobes, but in other examples I’ve demonstrated XDP programs that handle a newly arrived network packet. These are just two of the many attachment points within the kernel. In this chapter we’ll take a deeper look at different program types and how they can be attached to different events.
Note
You can build and run the examples from this chapter using the code and instructions at github.com/lizrice/learning-ebpf. The code for this chapter is in the chapter7 directory.
At the time of this writing, some of the examples are not supported on ARM processors. Check out the README file in the chapter7 directory for more details and advice.
There are currently around 30 program types enumerated in uapi/linux/bpf.h, and more than 40 attachment types. The attachment type defines more specifically where the program gets attached; for lots of program types, the attachment type can be inferred from the program type, but some program types can be attached to multiple different points in the kernel, so an attachment type has to be specified as well.
As you know, this book isn’t intended to be a reference manual, so I won’t cover every single eBPF program type. There’s a good chance that new types will have been added by the time you read this book anyway! ...
Get Learning eBPF now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
