Description

Perform a lookup in map for an entry associated to key.

Return

Map value associated to key, or NULL if no entry was found.

Description

Add or update the value of the entry associated to key in map with value. flags is one of:

Return

0 on success, or a negative error in case of failure.

Description

Delete entry with key from map.

Return

0 on success, or a negative error in case of failure.

Description

For tracing programs, safely attempt to read size bytes from address src and store the data in dst.

Return

0 on success, or a negative error in case of failure.

Description

Return the time elapsed since system boot, in nanoseconds.

Return

Current ktime.

Description

This helper is a "printk()-like" facility for debugging. It prints a message defined by format fmt (of size fmt_size) to file /sys/kernel/debug/tracing/trace from DebugFS, if available. It can take up to three additional u64 arguments (as an eBPF helpers, the total number of arguments is limited to five).

Each time the helper is called, it appends a line to the trace. Lines are discarded while /sys/kernel/debug/tracing/trace is open, use /sys/kernel/debug/tracing/trace_pipe to avoid this. The format of the trace is customizable, and the exact output one will get depends on the options set in /sys/kernel/debug/tracing/trace_options (see also the README file under the same directory). However, it usually defaults to something like:

telnet-470   [001] .N.. 419421.045894: 0x00000001: <formatted msg>

Return

The number of bytes written to the buffer, or a negative error in case of failure.

Description

Get a pseudo-random number.

From a security point of view, this helper uses its own pseudo-random internal state, and cannot be used to infer the seed of other random functions in the kernel. However, it is essential to note that the generator used by the helper is not cryptographically secure.

Return

A random 32-bit unsigned value.

Description

Get the SMP (symmetric multiprocessing) processor id. Note that all programs run with preemption disabled, which means that the SMP processor id is stable during all the execution of the program.

Return

The SMP id of the processor running the program.

Description

Store len bytes from address from into the packet associated to skb, at offset. flags are a combination of BPF_F_RECOMPUTE_CSUM (automatically recompute the checksum for the packet after storing the bytes) and BPF_F_INVALIDATE_HASH (set skb ->hash, skb->swhash and skb->l4hash to 0).

A call to this helper is susceptible to change the underlying packet buffer. Therefore, at load time, all checks on pointers previously done by the verifier are invalidated and must be performed again, if the helper is used in combination with direct packet access.

Return

0 on success, or a negative error in case of failure.

Description

Recompute the layer 3 (e.g. IP) checksum for the packet associated to skb. Computation is incremental, so the helper must know the former value of the header field that was modified ( from), the new value of this field ( to), and the number of bytes (2 or 4) for this field, stored in size. Alternatively, it is possible to store the difference between the previous and the new values of the header field in to, by setting from and size to 0. For both methods, offset indicates the location of the IP checksum within the packet.

This helper works in combination with bpf_csum_diff(), which does not update the checksum in-place, but offers more flexibility and can handle sizes larger than 2 or 4 for the checksum to update.

A call to this helper is susceptible to change the underlying packet buffer. Therefore, at load time, all checks on pointers previously done by the verifier are invalidated and must be performed again, if the helper is used in combination with direct packet access.

Return

0 on success, or a negative error in case of failure.

Description

Recompute the layer 4 (e.g. TCP, UDP or ICMP) checksum for the packet associated to skb. Computation is incremental, so the helper must know the former value of the header field that was modified ( from), the new value of this field ( to), and the number of bytes (2 or 4) for this field, stored on the lowest four bits of flags. Alternatively, it is possible to store the difference between the previous and the new values of the header field in to, by setting from and the four lowest bits of flags to 0. For both methods, offset indicates the location of the IP checksum within the packet. In addition to the size of the field, flags can be added (bitwise OR) actual flags. With BPF_F_MARK_MANGLED_0, a null checksum is left untouched (unless BPF_F_MARK_ENFORCE is added as well), and for updates resulting in a null checksum the value is set to CSUM_MANGLED_0 instead. Flag BPF_F_PSEUDO_HDR indicates the checksum is to be computed against a pseudo-header.

This helper works in combination with bpf_csum_diff(), which does not update the checksum in-place, but offers more flexibility and can handle sizes larger than 2 or 4 for the checksum to update.

A call to this helper is susceptible to change the underlying packet buffer. Therefore, at load time, all checks on pointers previously done by the verifier are invalidated and must be performed again, if the helper is used in combination with direct packet access.

Return

0 on success, or a negative error in case of failure.

Description

This special helper is used to trigger a "tail call", or in other words, to jump into another eBPF program. The same stack frame is used (but values on stack and in registers for the caller are not accessible to the callee). This mechanism allows for program chaining, either for raising the maximum number of available eBPF instructions, or to execute given programs in conditional blocks. For security reasons, there is an upper limit to the number of successive tail calls that can be performed.

Upon call of this helper, the program attempts to jump into a program referenced at index index in prog_array_map, a special map of type BPF_MAP_TYPE_PROG_ARRAY, and passes ctx, a pointer to the context.

If the call succeeds, the kernel immediately runs the first instruction of the new program. This is not a function call, and it never returns to the previous program. If the call fails, then the helper has no effect, and the caller continues to run its subsequent instructions. A call can fail if the destination program for the jump does not exist (i.e. index is superior to the number of entries in prog_array_map), or if the maximum number of tail calls has been reached for this chain of programs. This limit is defined in the kernel by the macro MAX_TAIL_CALL_CNT (not accessible to user space), which is currently set to 32.

Return

0 on success, or a negative error in case of failure.

Description

Clone and redirect the packet associated to skb to another net device of index ifindex. Both ingress and egress interfaces can be used for redirection. The BPF_F_INGRESS value in flags is used to make the distinction (ingress path is selected if the flag is present, egress path otherwise). This is the only flag supported for now.

In comparison with bpf_redirect() helper, bpf_clone_redirect() has the associated cost of duplicating the packet buffer, but this can be executed out of the eBPF program. Conversely, bpf_redirect() is more efficient, but it is handled through an action code where the redirection happens only after the eBPF program has returned.

A call to this helper is susceptible to change the underlying packet buffer. Therefore, at load time, all checks on pointers previously done by the verifier are invalidated and must be performed again, if the helper is used in combination with direct packet access.

Return

0 on success, or a negative error in case of failure.

Return

A 64-bit integer containing the current tgid and pid, and created as such: current_task->tgid << 32 | current_task->pid.

Return

A 64-bit integer containing the current GID and UID, and created as such: current_gid << 32 | current_uid.

Description

Copy the comm attribute of the current task into buf of size_of_buf. The comm attribute contains the name of the executable (excluding the path) for the current task. The size_of_buf must be strictly positive. On success, the helper makes sure that the buf is NUL-terminated. On failure, it is filled with zeroes.

Return

0 on success, or a negative error in case of failure.

Description

Retrieve the classid for the current task, i.e. for the net_cls cgroup to which skb belongs.

This helper can be used on TC egress path, but not on ingress.

The net_cls cgroup provides an interface to tag network packets based on a user-provided identifier for all traffic coming from the tasks belonging to the related cgroup. See also the related kernel documentation, available from the Linux sources in file Documentation/admin-guide/cgroup-v1/net_cls.rst.

The Linux kernel has two versions for cgroups: there are cgroups v1 and cgroups v2. Both are available to users, who can use a mixture of them, but note that the net_cls cgroup is for cgroup v1 only. This makes it incompatible with BPF programs run on cgroups, which is a cgroup-v2-only feature (a socket can only hold data for one version of cgroups at a time).

This helper is only available is the kernel was compiled with the CONFIG_CGROUP_NET_CLASSID configuration option set to " y" or to " m".

Return

The classid, or 0 for the default unconfigured classid.

Description

Push a vlan_tci (VLAN tag control information) of protocol vlan_proto to the packet associated to skb, then update the checksum. Note that if vlan_proto is different from ETH_P_8021Q and ETH_P_8021AD, it is considered to be ETH_P_8021Q.

A call to this helper is susceptible to change the underlying packet buffer. Therefore, at load time, all checks on pointers previously done by the verifier are invalidated and must be performed again, if the helper is used in combination with direct packet access.

Return

0 on success, or a negative error in case of failure.

Description

Pop a VLAN header from the packet associated to skb.

A call to this helper is susceptible to change the underlying packet buffer. Therefore, at load time, all checks on pointers previously done by the verifier are invalidated and must be performed again, if the helper is used in combination with direct packet access.

Return

0 on success, or a negative error in case of failure.

Description

Get tunnel metadata. This helper takes a pointer key to an empty struct bpf_tunnel_key of size, that will be filled with tunnel metadata for the packet associated to skb. The flags can be set to BPF_F_TUNINFO_IPV6, which indicates that the tunnel is based on IPv6 protocol instead of IPv4.

The struct bpf_tunnel_key is an object that generalizes the principal parameters used by various tunneling protocols into a single struct. This way, it can be used to easily make a decision based on the contents of the encapsulation header, "summarized" in this struct. In particular, it holds the IP address of the remote end (IPv4 or IPv6, depending on the case) in key->remote_ipv4 or key->remote_ipv6. Also, this struct exposes the key ->tunnel_id, which is generally mapped to a VNI (Virtual Network Identifier), making it programmable together with the bpf_skb_set_tunnel_key() helper.

Let's imagine that the following code is part of a program attached to the TC ingress interface, on one end of a GRE tunnel, and is supposed to filter out all messages coming from remote ends with IPv4 address other than 10.0.0.1:

int ret;
struct bpf_tunnel_key key = {};

ret = bpf_skb_get_tunnel_key(skb, &key, sizeof(key), 0);
if (ret < 0)
        return TC_ACT_SHOT;     // drop packet

if (key.remote_ipv4 != 0x0a000001)
        return TC_ACT_SHOT;     // drop packet

return TC_ACT_OK;               // accept packet

Return

0 on success, or a negative error in case of failure.

Description

Populate tunnel metadata for packet associated to skb. The tunnel metadata is set to the contents of key, of size. The flags can be set to a combination of the following values:

struct bpf_tunnel_key key;
     populate key ...
bpf_skb_set_tunnel_key(skb, &key, sizeof(key), 0);
bpf_clone_redirect(skb, vxlan_dev_ifindex, 0);

Return

0 on success, or a negative error in case of failure.

Description

Read the value of a perf event counter. This helper relies on a map of type BPF_MAP_TYPE_PERF_EVENT_ARRAY. The nature of the perf event counter is selected when map is updated with perf event file descriptors. The map is an array whose size is the number of available CPUs, and each cell contains a value relative to one CPU. The value to retrieve is indicated by flags, that contains the index of the CPU to look up, masked with BPF_F_INDEX_MASK. Alternatively, flags can be set to BPF_F_CURRENT_CPU to indicate that the value for the current CPU should be retrieved.

Note that before Linux 4.13, only hardware perf event can be retrieved.

Also, be aware that the newer helper bpf_perf_event_read_value() is recommended over bpf_perf_event_read() in general. The latter has some ABI quirks where error and counter value are used as a return code (which is wrong to do since ranges may overlap). This issue is fixed with bpf_perf_event_read_value(), which at the same time provides more features over the bpf_perf_event_read() interface. Please refer to the description of bpf_perf_event_read_value() for details.

Return

The value of the perf event counter read from the map, or a negative error code in case of failure.

Description

Redirect the packet to another net device of index ifindex. This helper is somewhat similar to bpf_clone_redirect(), except that the packet is not cloned, which provides increased performance.

Except for XDP, both ingress and egress interfaces can be used for redirection. The BPF_F_INGRESS value in flags is used to make the distinction (ingress path is selected if the flag is present, egress path otherwise). Currently, XDP only supports redirection to the egress interface, and accepts no flag at all.

The same effect can be attained with the more generic bpf_redirect_map(), which requires specific maps to be used but offers better performance.

Return

For XDP, the helper returns XDP_REDIRECT on success or XDP_ABORTED on error. For other program types, the values are TC_ACT_REDIRECT on success or TC_ACT_SHOT on error.

Description

Retrieve the realm or the route, that is to say the tclassid field of the destination for the skb. The indentifier retrieved is a user-provided tag, similar to the one used with the net_cls cgroup (see description for bpf_get_cgroup_classid() helper), but here this tag is held by a route (a destination entry), not by a task.

Retrieving this identifier works with the clsact TC egress hook (see also tc-bpf(8)), or alternatively on conventional classful egress qdiscs, but not on TC ingress path. In case of clsact TC egress hook, this has the advantage that, internally, the destination entry has not been dropped yet in the transmit path. Therefore, the destination entry does not need to be artificially held via netif_keep_dst() for a classful qdisc until the skb is freed.

This helper is available only if the kernel was compiled with CONFIG_IP_ROUTE_CLASSID configuration option.

Return

The realm of the route for the packet associated to skb, or 0 if none was found.

Description

Write raw data blob into a special BPF perf event held by map of type BPF_MAP_TYPE_PERF_EVENT_ARRAY. This perf event must have the following attributes: PERF_SAMPLE_RAW as sample_type, PERF_TYPE_SOFTWARE as type, and PERF_COUNT_SW_BPF_OUTPUT as config.

The flags are used to indicate the index in map for which the value must be put, masked with BPF_F_INDEX_MASK. Alternatively, flags can be set to BPF_F_CURRENT_CPU to indicate that the index of the current CPU core should be used.

The value to write, of size, is passed through eBPF stack and pointed by data.

The context of the program ctx needs also be passed to the helper.

On user space, a program willing to read the values needs to call perf_event_open() on the perf event (either for one or for all CPUs) and to store the file descriptor into the map. This must be done before the eBPF program can send data into it. An example is available in file samples/bpf/trace_output_user.c in the Linux kernel source tree (the eBPF program counterpart is in samples/bpf/trace_output_kern.c).

bpf_perf_event_output() achieves better performance than bpf_trace_printk() for sharing data with user space, and is much better suitable for streaming data from eBPF programs.

Note that this helper is not restricted to tracing use cases and can be used with programs attached to TC or XDP as well, where it allows for passing data to user space listeners. Data can be:

Return

0 on success, or a negative error in case of failure.

Description

This helper was provided as an easy way to load data from a packet. It can be used to load len bytes from offset from the packet associated to skb, into the buffer pointed by to.

Since Linux 4.7, usage of this helper has mostly been replaced by "direct packet access", enabling packet data to be manipulated with skb->data and skb->data_end pointing respectively to the first byte of packet data and to the byte after the last byte of packet data. However, it remains useful if one wishes to read large quantities of data at once from a packet into the eBPF stack.

Return

0 on success, or a negative error in case of failure.

Description

Walk a user or a kernel stack and return its id. To achieve this, the helper needs ctx, which is a pointer to the context on which the tracing program is executed, and a pointer to a map of type BPF_MAP_TYPE_STACK_TRACE.

The last argument, flags, holds the number of stack frames to skip (from 0 to 255), masked with BPF_F_SKIP_FIELD_MASK. The next bits can be used to set a combination of the following flags:

# sysctl kernel.perf_event_max_stack=<new value>

Return

The positive or null stack id on success, or a negative error in case of failure.

Description

Compute a checksum difference, from the raw buffer pointed by from, of length from_size (that must be a multiple of 4), towards the raw buffer pointed by to, of size to_size (same remark). An optional seed can be added to the value (this can be cascaded, the seed may come from a previous call to the helper).

This is flexible enough to be used in several ways:

Return

The checksum result, or a negative error code in case of failure.

Description

Retrieve tunnel options metadata for the packet associated to skb, and store the raw tunnel option data to the buffer opt of size.

This helper can be used with encapsulation devices that can operate in "collect metadata" mode (please refer to the related note in the description of bpf_skb_get_tunnel_key() for more details). A particular example where this can be used is in combination with the Geneve encapsulation protocol, where it allows for pushing (with bpf_skb_get_tunnel_opt() helper) and retrieving arbitrary TLVs (Type-Length-Value headers) from the eBPF program. This allows for full customization of these headers.

Return

The size of the option data retrieved.

Description

Set tunnel options metadata for the packet associated to skb to the option data contained in the raw buffer opt of size.

See also the description of the bpf_skb_get_tunnel_opt() helper for additional information.

Return

0 on success, or a negative error in case of failure.

Description

Change the protocol of the skb to proto. Currently supported are transition from IPv4 to IPv6, and from IPv6 to IPv4. The helper takes care of the groundwork for the transition, including resizing the socket buffer. The eBPF program is expected to fill the new headers, if any, via skb_store_bytes() and to recompute the checksums with bpf_l3_csum_replace() and bpf_l4_csum_replace(). The main case for this helper is to perform NAT64 operations out of an eBPF program.

Internally, the GSO type is marked as dodgy so that headers are checked and segments are recalculated by the GSO/GRO engine. The size for GSO target is adapted as well.

All values for flags are reserved for future usage, and must be left at zero.

A call to this helper is susceptible to change the underlying packet buffer. Therefore, at load time, all checks on pointers previously done by the verifier are invalidated and must be performed again, if the helper is used in combination with direct packet access.

Return

0 on success, or a negative error in case of failure.

Description

Change the packet type for the packet associated to skb. This comes down to setting skb->pkt_type to type, except the eBPF program does not have a write access to skb->pkt_type beside this helper. Using a helper here allows for graceful handling of errors.

The major use case is to change incoming skb*s to **PACKET_HOST* in a programmatic way instead of having to recirculate via redirect(..., BPF_F_INGRESS), for example.

Note that type only allows certain values. At this time, they are:

Return

0 on success, or a negative error in case of failure.

Description

Check whether skb is a descendant of the cgroup2 held by map of type BPF_MAP_TYPE_CGROUP_ARRAY, at index.

Return

The return value depends on the result of the test, and can be:

Description

Retrieve the hash of the packet, skb->hash. If it is not set, in particular if the hash was cleared due to mangling, recompute this hash. Later accesses to the hash can be done directly with skb->hash.

Calling bpf_set_hash_invalid(), changing a packet prototype with bpf_skb_change_proto(), or calling bpf_skb_store_bytes() with the BPF_F_INVALIDATE_HASH are actions susceptible to clear the hash and to trigger a new computation for the next call to bpf_get_hash_recalc().

Return

The 32-bit hash.

Return

A pointer to the current task struct.

Description

Attempt in a safe way to write len bytes from the buffer src to dst in memory. It only works for threads that are in user context, and dst must be a valid user space address.

This helper should not be used to implement any kind of security mechanism because of TOC-TOU attacks, but rather to debug, divert, and manipulate execution of semi-cooperative processes.

Keep in mind that this feature is meant for experiments, and it has a risk of crashing the system and running programs. Therefore, when an eBPF program using this helper is attached, a warning including PID and process name is printed to kernel logs.

Return

0 on success, or a negative error in case of failure.

Description

Check whether the probe is being run is the context of a given subset of the cgroup2 hierarchy. The cgroup2 to test is held by map of type BPF_MAP_TYPE_CGROUP_ARRAY, at index.

Return

The return value depends on the result of the test, and can be:

Description

Resize (trim or grow) the packet associated to skb to the new len. The flags are reserved for future usage, and must be left at zero.

The basic idea is that the helper performs the needed work to change the size of the packet, then the eBPF program rewrites the rest via helpers like bpf_skb_store_bytes(), bpf_l3_csum_replace(), bpf_l3_csum_replace() and others. This helper is a slow path utility intended for replies with control messages. And because it is targeted for slow path, the helper itself can afford to be slow: it implicitly linearizes, unclones and drops offloads from the skb.

A call to this helper is susceptible to change the underlying packet buffer. Therefore, at load time, all checks on pointers previously done by the verifier are invalidated and must be performed again, if the helper is used in combination with direct packet access.

Return

0 on success, or a negative error in case of failure.

Description

Pull in non-linear data in case the skb is non-linear and not all of len are part of the linear section. Make len bytes from skb readable and writable. If a zero value is passed for len, then the whole length of the skb is pulled.

This helper is only needed for reading and writing with direct packet access.

For direct packet access, testing that offsets to access are within packet boundaries (test on skb->data_end) is susceptible to fail if offsets are invalid, or if the requested data is in non-linear parts of the skb. On failure the program can just bail out, or in the case of a non-linear buffer, use a helper to make the data available. The bpf_skb_load_bytes() helper is a first solution to access the data. Another one consists in using bpf_skb_pull_data to pull in once the non-linear parts, then retesting and eventually access the data.

At the same time, this also makes sure the skb is uncloned, which is a necessary condition for direct write. As this needs to be an invariant for the write part only, the verifier detects writes and adds a prologue that is calling bpf_skb_pull_data() to effectively unclone the skb from the very beginning in case it is indeed cloned.

A call to this helper is susceptible to change the underlying packet buffer. Therefore, at load time, all checks on pointers previously done by the verifier are invalidated and must be performed again, if the helper is used in combination with direct packet access.

Return

0 on success, or a negative error in case of failure.

Description

Add the checksum csum into skb->csum in case the driver has supplied a checksum for the entire packet into that field. Return an error otherwise. This helper is intended to be used in combination with bpf_csum_diff(), in particular when the checksum needs to be updated after data has been written into the packet through direct packet access.

Return

The checksum on success, or a negative error code in case of failure.

Description

Invalidate the current skb->hash. It can be used after mangling on headers through direct packet access, in order to indicate that the hash is outdated and to trigger a recalculation the next time the kernel tries to access this hash or when the bpf_get_hash_recalc() helper is called.

Description

Return the id of the current NUMA node. The primary use case for this helper is the selection of sockets for the local NUMA node, when the program is attached to sockets using the SO_ATTACH_REUSEPORT_EBPF option (see also socket(7)), but the helper is also available to other eBPF program types, similarly to bpf_get_smp_processor_id().

Return

The id of current NUMA node.

Description

Grows headroom of packet associated to skb and adjusts the offset of the MAC header accordingly, adding len bytes of space. It automatically extends and reallocates memory as required.

This helper can be used on a layer 3 skb to push a MAC header for redirection into a layer 2 device.

All values for flags are reserved for future usage, and must be left at zero.

A call to this helper is susceptible to change the underlying packet buffer. Therefore, at load time, all checks on pointers previously done by the verifier are invalidated and must be performed again, if the helper is used in combination with direct packet access.

Return

0 on success, or a negative error in case of failure.

Description

Adjust (move) xdp_md->data by delta bytes. Note that it is possible to use a negative value for delta. This helper can be used to prepare the packet for pushing or popping headers.

A call to this helper is susceptible to change the underlying packet buffer. Therefore, at load time, all checks on pointers previously done by the verifier are invalidated and must be performed again, if the helper is used in combination with direct packet access.

Return

0 on success, or a negative error in case of failure.

Description

Copy a NUL terminated string from an unsafe address unsafe_ptr to dst. The size should include the terminating NUL byte. In case the string length is smaller than size, the target is not padded with further NUL bytes. If the string length is larger than size, just size-1 bytes are copied and the last byte is set to NUL.

On success, the length of the copied string is returned. This makes this helper useful in tracing programs for reading strings, and more importantly to get its length at runtime. See the following snippet:

SEC("kprobe/sys_open")
void bpf_sys_open(struct pt_regs *ctx)
{
        char buf[PATHLEN]; // PATHLEN is defined to 256
        int res = bpf_probe_read_str(buf, sizeof(buf),
                                     ctx->di);

        // Consume buf, for example push it to
        // userspace via bpf_perf_event_output(); we
        // can use res (the string length) as event
        // size, after checking its boundaries.
}

Return

On success, the strictly positive length of the string, including the trailing NUL character. On error, a negative value.

Description

If the struct sk_buff pointed by skb has a known socket, retrieve the cookie (generated by the kernel) of this socket. If no cookie has been set yet, generate a new cookie. Once generated, the socket cookie remains stable for the life of the socket. This helper can be useful for monitoring per socket networking traffic statistics as it provides a global socket identifier that can be assumed unique.

Return

A 8-byte long non-decreasing number on success, or 0 if the socket field is missing inside skb.

Description

Equivalent to bpf_get_socket_cookie() helper that accepts skb, but gets socket from struct bpf_sock_addr context.

Return

A 8-byte long non-decreasing number.

Description

Equivalent to bpf_get_socket_cookie() helper that accepts skb, but gets socket from struct bpf_sock_ops context.

Return

A 8-byte long non-decreasing number.

Return

The owner UID of the socket associated to skb. If the socket is NULL, or if it is not a full socket (i.e. if it is a time-wait or a request socket instead), overflowuid value is returned (note that overflowuid might also be the actual UID value for the socket).

Description

Set the full hash for skb (set the field skb->hash) to value hash.

Return

0

Description

Emulate a call to setsockopt() on the socket associated to bpf_socket, which must be a full socket. The level at which the option resides and the name optname of the option must be specified, see setsockopt(2) for more information. The option value of length optlen is pointed by optval.

This helper actually implements a subset of setsockopt(). It supports the following levels:

Return

0 on success, or a negative error in case of failure.

Description

Grow or shrink the room for data in the packet associated to skb by len_diff, and according to the selected mode.

There are two supported modes at this time:

Return

0 on success, or a negative error in case of failure.

Description

Redirect the packet to the endpoint referenced by map at index key. Depending on its type, this map can contain references to net devices (for forwarding packets through other ports), or to CPUs (for redirecting XDP frames to another CPU; but this is only implemented for native XDP (with driver support) as of this writing).

The lower two bits of flags are used as the return code if the map lookup fails. This is so that the return value can be one of the XDP program return codes up to XDP_TX, as chosen by the caller. Any higher bits in the flags argument must be unset.

When used to redirect packets to net devices, this helper provides a high performance increase over bpf_redirect(). This is due to various implementation details of the underlying mechanisms, one of which is the fact that bpf_redirect_map() tries to send packet as a "bulk" to the device.

Return

XDP_REDIRECT on success, or XDP_ABORTED on error.

Description

Redirect the packet to the socket referenced by map (of type BPF_MAP_TYPE_SOCKMAP) at index key. Both ingress and egress interfaces can be used for redirection. The BPF_F_INGRESS value in flags is used to make the distinction (ingress path is selected if the flag is present, egress path otherwise). This is the only flag supported for now.

Return

SK_PASS on success, or SK_DROP on error.

Description

Add an entry to, or update a map referencing sockets. The skops is used as a new value for the entry associated to key. flags is one of:

Return

0 on success, or a negative error in case of failure.

Description

Adjust the address pointed by xdp_md->data_meta by delta (which can be positive or negative). Note that this operation modifies the address stored in xdp_md->data, so the latter must be loaded only after the helper has been called.

The use of xdp_md->data_meta is optional and programs are not required to use it. The rationale is that when the packet is processed with XDP (e.g. as DoS filter), it is possible to push further meta data along with it before passing to the stack, and to give the guarantee that an ingress eBPF program attached as a TC classifier on the same device can pick this up for further post-processing. Since TC works with socket buffers, it remains possible to set from XDP the mark or priority pointers, or other pointers for the socket buffer. Having this scratch space generic and programmable allows for more flexibility as the user is free to store whatever meta data they need.

A call to this helper is susceptible to change the underlying packet buffer. Therefore, at load time, all checks on pointers previously done by the verifier are invalidated and must be performed again, if the helper is used in combination with direct packet access.

Return

0 on success, or a negative error in case of failure.

Description

Read the value of a perf event counter, and store it into buf of size buf_size. This helper relies on a map of type BPF_MAP_TYPE_PERF_EVENT_ARRAY. The nature of the perf event counter is selected when map is updated with perf event file descriptors. The map is an array whose size is the number of available CPUs, and each cell contains a value relative to one CPU. The value to retrieve is indicated by flags, that contains the index of the CPU to look up, masked with BPF_F_INDEX_MASK. Alternatively, flags can be set to BPF_F_CURRENT_CPU to indicate that the value for the current CPU should be retrieved.

This helper behaves in a way close to bpf_perf_event_read() helper, save that instead of just returning the value observed, it fills the buf structure. This allows for additional data to be retrieved: in particular, the enabled and running times (in buf->enabled and buf->running, respectively) are copied. In general, bpf_perf_event_read_value() is recommended over bpf_perf_event_read(), which has some ABI issues and provides fewer functionalities.

These values are interesting, because hardware PMU (Performance Monitoring Unit) counters are limited resources. When there are more PMU based perf events opened than available counters, kernel will multiplex these events so each event gets certain percentage (but not all) of the PMU time. In case that multiplexing happens, the number of samples or counter value will not reflect the case compared to when no multiplexing occurs. This makes comparison between different runs difficult. Typically, the counter value should be normalized before comparing to other experiments. The usual normalization is done as follows.

normalized_counter = counter * t_enabled / t_running

Return

0 on success, or a negative error in case of failure.

Description

For en eBPF program attached to a perf event, retrieve the value of the event counter associated to ctx and store it in the structure pointed by buf and of size buf_size. Enabled and running times are also stored in the structure (see description of helper bpf_perf_event_read_value() for more details).

Return

0 on success, or a negative error in case of failure.

Description

Emulate a call to getsockopt() on the socket associated to bpf_socket, which must be a full socket. The level at which the option resides and the name optname of the option must be specified, see getsockopt(2) for more information. The retrieved value is stored in the structure pointed by opval and of length optlen.

This helper actually implements a subset of getsockopt(). It supports the following levels:

Return

0 on success, or a negative error in case of failure.

Description

Used for error injection, this helper uses kprobes to override the return value of the probed function, and to set it to rc. The first argument is the context regs on which the kprobe works.

This helper works by setting setting the PC (program counter) to an override function which is run in place of the original probed function. This means the probed function is not run at all. The replacement function just returns with the required value.

This helper has security implications, and thus is subject to restrictions. It is only available if the kernel was compiled with the CONFIG_BPF_KPROBE_OVERRIDE configuration option, and in this case it only works on functions tagged with ALLOW_ERROR_INJECTION in the kernel code.

Also, the helper is only available for the architectures having the CONFIG_FUNCTION_ERROR_INJECTION option. As of this writing, x86 architecture is the only one to support this feature.

Return

0

Description

Attempt to set the value of the bpf_sock_ops_cb_flags field for the full TCP socket associated to bpf_sock_ops to argval.

The primary use of this field is to determine if there should be calls to eBPF programs of type BPF_PROG_TYPE_SOCK_OPS at various points in the TCP code. A program of the same type can change its value, per connection and as necessary, when the connection is established. This field is directly accessible for reading, but this helper must be used for updates in order to return an error if an eBPF program tries to set a callback that is not supported in the current kernel.

argval is a flag array which can combine these flags:

Return

Code -EINVAL if the socket is not a full TCP socket; otherwise, a positive number containing the bits that could not be set is returned (which comes down to 0 if all bits were set as required).

Description

This helper is used in programs implementing policies at the socket level. If the message msg is allowed to pass (i.e. if the verdict eBPF program returns SK_PASS), redirect it to the socket referenced by map (of type BPF_MAP_TYPE_SOCKMAP) at index key. Both ingress and egress interfaces can be used for redirection. The BPF_F_INGRESS value in flags is used to make the distinction (ingress path is selected if the flag is present, egress path otherwise). This is the only flag supported for now.

Return

SK_PASS on success, or SK_DROP on error.

Description

For socket policies, apply the verdict of the eBPF program to the next bytes (number of bytes) of message msg.

For example, this helper can be used in the following cases:

Return

0

Description

For socket policies, prevent the execution of the verdict eBPF program for message msg until bytes (byte number) have been accumulated.

This can be used when one needs a specific number of bytes before a verdict can be assigned, even if the data spans multiple sendmsg() or sendfile() calls. The extreme case would be a user calling sendmsg() repeatedly with 1-byte long message segments. Obviously, this is bad for performance, but it is still valid. If the eBPF program needs bytes bytes to validate a header, this helper can be used to prevent the eBPF program to be called again until bytes have been accumulated.

Return

0

Description

For socket policies, pull in non-linear data from user space for msg and set pointers msg->data and msg->data_end to start and end bytes offsets into msg, respectively.

If a program of type BPF_PROG_TYPE_SK_MSG is run on a msg it can only parse data that the ( data, data_end) pointers have already consumed. For sendmsg() hooks this is likely the first scatterlist element. But for calls relying on the sendpage handler (e.g. sendfile()) this will be the range ( 0, 0) because the data is shared with user space and by default the objective is to avoid allowing user space to modify data while (or after) eBPF verdict is being decided. This helper can be used to pull in data and to set the start and end pointer to given values. Data will be copied if necessary (i.e. if data was not linear and if start and end pointers do not point to the same chunk).

A call to this helper is susceptible to change the underlying packet buffer. Therefore, at load time, all checks on pointers previously done by the verifier are invalidated and must be performed again, if the helper is used in combination with direct packet access.

All values for flags are reserved for future usage, and must be left at zero.

Return

0 on success, or a negative error in case of failure.

Description

Bind the socket associated to ctx to the address pointed by addr, of length addr_len. This allows for making outgoing connection from the desired IP address, which can be useful for example when all processes inside a cgroup should use one single IP address on a host that has multiple IP configured.

This helper works for IPv4 and IPv6, TCP and UDP sockets. The domain ( addr ->sa_family) must be AF_INET (or AF_INET6). Looking for a free port to bind to can be expensive, therefore binding to port is not permitted by the helper: addr->sin_port (or sin6_port, respectively) must be set to zero.

Return

0 on success, or a negative error in case of failure.

Description

Adjust (move) xdp_md->data_end by delta bytes. It is only possible to shrink the packet as of this writing, therefore delta must be a negative integer.

A call to this helper is susceptible to change the underlying packet buffer. Therefore, at load time, all checks on pointers previously done by the verifier are invalidated and must be performed again, if the helper is used in combination with direct packet access.

Return

0 on success, or a negative error in case of failure.

Description

Retrieve the XFRM state (IP transform framework, see also ip-xfrm(8)) at index in XFRM "security path" for skb.

The retrieved value is stored in the struct bpf_xfrm_state pointed by xfrm_state and of length size.

All values for flags are reserved for future usage, and must be left at zero.

This helper is available only if the kernel was compiled with CONFIG_XFRM configuration option.

Return

0 on success, or a negative error in case of failure.

Description

Return a user or a kernel stack in bpf program provided buffer. To achieve this, the helper needs ctx, which is a pointer to the context on which the tracing program is executed. To store the stacktrace, the bpf program provides buf with a nonnegative size.

The last argument, flags, holds the number of stack frames to skip (from 0 to 255), masked with BPF_F_SKIP_FIELD_MASK. The next bits can be used to set the following flags:

# sysctl kernel.perf_event_max_stack=<new value>

Return

A non-negative value equal to or less than size on success, or a negative error in case of failure.

Description

This helper is similar to bpf_skb_load_bytes() in that it provides an easy way to load len bytes from offset from the packet associated to skb, into the buffer pointed by to. The difference to bpf_skb_load_bytes() is that a fifth argument start_header exists in order to select a base offset to start from. start_header can be one of:

Return

0 on success, or a negative error in case of failure.

Description

Do FIB lookup in kernel tables using parameters in params. If lookup is successful and result shows packet is to be forwarded, the neighbor tables are searched for the nexthop. If successful (ie., FIB lookup shows forwarding and nexthop is resolved), the nexthop address is returned in ipv4_dst or ipv6_dst based on family, smac is set to mac address of egress device, dmac is set to nexthop mac address, rt_metric is set to metric from route (IPv4/IPv6 only), and ifindex is set to the device index of the nexthop from the FIB lookup.

plen argument is the size of the passed in struct. flags argument can be a combination of one or more of the following values:

Return

Description

Add an entry to, or update a sockhash map referencing sockets. The skops is used as a new value for the entry associated to key. flags is one of:

Return

0 on success, or a negative error in case of failure.

Description

This helper is used in programs implementing policies at the socket level. If the message msg is allowed to pass (i.e. if the verdict eBPF program returns SK_PASS), redirect it to the socket referenced by map (of type BPF_MAP_TYPE_SOCKHASH) using hash key. Both ingress and egress interfaces can be used for redirection. The BPF_F_INGRESS value in flags is used to make the distinction (ingress path is selected if the flag is present, egress path otherwise). This is the only flag supported for now.

Return

SK_PASS on success, or SK_DROP on error.

Description

This helper is used in programs implementing policies at the skb socket level. If the sk_buff skb is allowed to pass (i.e. if the verdeict eBPF program returns SK_PASS), redirect it to the socket referenced by map (of type BPF_MAP_TYPE_SOCKHASH) using hash key. Both ingress and egress interfaces can be used for redirection. The BPF_F_INGRESS value in flags is used to make the distinction (ingress path is selected if the flag is present, egress otherwise). This is the only flag supported for now.

Return

SK_PASS on success, or SK_DROP on error.

Description

Encapsulate the packet associated to skb within a Layer 3 protocol header. This header is provided in the buffer at address hdr, with len its size in bytes. type indicates the protocol of the header and can be one of:

Return

0 on success, or a negative error in case of failure.

Description

Store len bytes from address from into the packet associated to skb, at offset. Only the flags, tag and TLVs inside the outermost IPv6 Segment Routing Header can be modified through this helper.

A call to this helper is susceptible to change the underlying packet buffer. Therefore, at load time, all checks on pointers previously done by the verifier are invalidated and must be performed again, if the helper is used in combination with direct packet access.

Return

0 on success, or a negative error in case of failure.

Description

Adjust the size allocated to TLVs in the outermost IPv6 Segment Routing Header contained in the packet associated to skb, at position offset by delta bytes. Only offsets after the segments are accepted. delta can be as well positive (growing) as negative (shrinking).

A call to this helper is susceptible to change the underlying packet buffer. Therefore, at load time, all checks on pointers previously done by the verifier are invalidated and must be performed again, if the helper is used in combination with direct packet access.

Return

0 on success, or a negative error in case of failure.

Description

Apply an IPv6 Segment Routing action of type action to the packet associated to skb. Each action takes a parameter contained at address param, and of length param_len bytes. action can be one of:

Return

0 on success, or a negative error in case of failure.

Description

This helper is used in programs implementing IR decoding, to report a successfully decoded repeat key message. This delays the generation of a key up event for previously generated key down event.

Some IR protocols like NEC have a special IR message for repeating last button, for when a button is held down.

The ctx should point to the lirc sample as passed into the program.

This helper is only available is the kernel was compiled with the CONFIG_BPF_LIRC_MODE2 configuration option set to " y".

Return

0

Description

This helper is used in programs implementing IR decoding, to report a successfully decoded key press with scancode, toggle value in the given protocol. The scancode will be translated to a keycode using the rc keymap, and reported as an input key down event. After a period a key up event is generated. This period can be extended by calling either bpf_rc_keydown() again with the same values, or calling bpf_rc_repeat().

Some protocols include a toggle bit, in case the button was released and pressed again between consecutive scancodes.

The ctx should point to the lirc sample as passed into the program.

The protocol is the decoded protocol number (see enum rc_proto for some predefined values).

This helper is only available is the kernel was compiled with the CONFIG_BPF_LIRC_MODE2 configuration option set to " y".

Return

0

Description

Return the cgroup v2 id of the socket associated with the skb. This is roughly similar to the bpf_get_cgroup_classid() helper for cgroup v1 by providing a tag resp. identifier that can be matched on or used for map lookups e.g. to implement policy. The cgroup v2 id of a given path in the hierarchy is exposed in user space through the f_handle API in order to get to the same 64-bit id.

This helper can be used on TC egress path, but not on ingress, and is available only if the kernel was compiled with the CONFIG_SOCK_CGROUP_DATA configuration option.

Return

The id is returned or 0 in case the id could not be retrieved.

Return

A 64-bit integer containing the current cgroup id based on the cgroup within which the current task is running.

Description

Get the pointer to the local storage area. The type and the size of the local storage is defined by the map argument. The flags meaning is specific for each map type, and has to be 0 for cgroup local storage.

Depending on the BPF program type, a local storage area can be shared between multiple instances of the BPF program, running simultaneously.

A user should care about the synchronization by himself. For example, by using the BPF_STX_XADD instruction to alter the shared data.

Return

A pointer to the local storage area.

Description

Select a SO_REUSEPORT socket from a BPF_MAP_TYPE_REUSEPORT_ARRAY map. It checks the selected socket is matching the incoming request in the socket buffer.

Return

0 on success, or a negative error in case of failure.

Description

Return id of cgroup v2 that is ancestor of cgroup associated with the skb at the ancestor_level. The root cgroup is at ancestor_level zero and each step down the hierarchy increments the level. If ancestor_level == level of cgroup associated with skb, then return value will be same as that of bpf_skb_cgroup_id().

The helper is useful to implement policies based on cgroups that are upper in hierarchy than immediate cgroup associated with skb.

The format of returned id and helper limitations are same as in bpf_skb_cgroup_id().

Return

The id is returned or 0 in case the id could not be retrieved.

Description

Look for TCP socket matching tuple, optionally in a child network namespace netns. The return value must be checked, and if non- NULL, released via bpf_sk_release().

The ctx should point to the context of the program, such as the skb or socket (depending on the hook in use). This is used to determine the base network namespace for the lookup.

tuple_size must be one of:

Return

Pointer to struct bpf_sock, or NULL in case of failure. For sockets with reuseport option, the struct bpf_sock result is from reuse->socks[] using the hash of the tuple.

Description

Look for UDP socket matching tuple, optionally in a child network namespace netns. The return value must be checked, and if non- NULL, released via bpf_sk_release().

The ctx should point to the context of the program, such as the skb or socket (depending on the hook in use). This is used to determine the base network namespace for the lookup.

tuple_size must be one of:

Return

Pointer to struct bpf_sock, or NULL in case of failure. For sockets with reuseport option, the struct bpf_sock result is from reuse->socks[] using the hash of the tuple.

Description

Release the reference held by sock. sock must be a non- NULL pointer that was returned from bpf_sk_lookup_xxx().

Return

0 on success, or a negative error in case of failure.

Description

Push an element value in map. flags is one of:

Return

0 on success, or a negative error in case of failure.

Description

Pop an element from map.

Return

0 on success, or a negative error in case of failure.

Description

Get an element from map without removing it.

Return

0 on success, or a negative error in case of failure.

Description

For socket policies, insert len bytes into msg at offset start.

If a program of type BPF_PROG_TYPE_SK_MSG is run on a msg it may want to insert metadata or options into the msg. This can later be read and used by any of the lower layer BPF hooks.

This helper may fail if under memory pressure (a malloc fails) in these cases BPF programs will get an appropriate error and BPF programs will need to handle them.

Return

0 on success, or a negative error in case of failure.

Description

Will remove pop bytes from a msg starting at byte start. This may result in ENOMEM errors under certain situations if an allocation and copy are required due to a full ring buffer. However, the helper will try to avoid doing the allocation if possible. Other errors can occur if input parameters are invalid either due to start byte not being valid part of msg payload and/or pop value being to large.

Return

0 on success, or a negative error in case of failure.

Description

This helper is used in programs implementing IR decoding, to report a successfully decoded pointer movement.

The ctx should point to the lirc sample as passed into the program.

This helper is only available is the kernel was compiled with the CONFIG_BPF_LIRC_MODE2 configuration option set to " y".

Return

0

Description

Acquire a spinlock represented by the pointer lock, which is stored as part of a value of a map. Taking the lock allows to safely update the rest of the fields in that value. The spinlock can (and must) later be released with a call to bpf_spin_unlock(lock).

Spinlocks in BPF programs come with a number of restrictions and constraints:

Return

0

Description

Release the lock previously locked by a call to bpf_spin_lock( lock).

Return

0

Description

This helper gets a struct bpf_sock pointer such that all the fields in this bpf_sock can be accessed.

Return

A struct bpf_sock pointer on success, or NULL in case of failure.

Description

This helper gets a struct bpf_tcp_sock pointer from a struct bpf_sock pointer.

Return

A struct bpf_tcp_sock pointer on success, or NULL in case of failure.

Description

Set ECN (Explicit Congestion Notification) field of IP header to CE (Congestion Encountered) if current value is ECT (ECN Capable Transport). Otherwise, do nothing. Works with IPv6 and IPv4.

Return

1 if the CE flag is set (either by the current helper call or because it was already present), 0 if it is not set.

Description

Return a struct bpf_sock pointer in TCP_LISTEN state. bpf_sk_release() is unnecessary and not allowed.

Return

A struct bpf_sock pointer on success, or NULL in case of failure.

Description

Look for TCP socket matching tuple, optionally in a child network namespace netns. The return value must be checked, and if non- NULL, released via bpf_sk_release().

This function is identical to bpf_sk_lookup_tcp(), except that it also returns timewait or request sockets. Use bpf_sk_fullsock() or bpf_tcp_sock() to access the full structure.

This helper is available only if the kernel was compiled with CONFIG_NET configuration option.

Return

Pointer to struct bpf_sock, or NULL in case of failure. For sockets with reuseport option, the struct bpf_sock result is from reuse->socks[] using the hash of the tuple.

Description

Check whether iph and th contain a valid SYN cookie ACK for the listening socket in sk.

iph points to the start of the IPv4 or IPv6 header, while iph_len contains sizeof(struct iphdr) or sizeof( struct ip6hdr).

th points to the start of the TCP header, while th_len contains sizeof(struct tcphdr).

Return

0 if iph and th are a valid SYN cookie ACK, or a negative error otherwise.

Description

Get name of sysctl in /proc/sys/ and copy it into provided by program buffer buf of size buf_len.

The buffer is always NUL terminated, unless it's zero-sized.

If flags is zero, full name (e.g. "net/ipv4/tcp_mem") is copied. Use BPF_F_SYSCTL_BASE_NAME flag to copy base name only (e.g. "tcp_mem").

Return

Number of character copied (not including the trailing NUL).

-E2BIG if the buffer wasn't big enough (buf will contain truncated name in this case).

Description

Get current value of sysctl as it is presented in /proc/sys (incl. newline, etc), and copy it as a string into provided by program buffer buf of size buf_len.

The whole value is copied, no matter what file position user space issued e.g. sys_read at.

The buffer is always NUL terminated, unless it's zero-sized.

Return

Number of character copied (not including the trailing NUL).

-E2BIG if the buffer wasn't big enough (buf will contain truncated name in this case).

-EINVAL if current value was unavailable, e.g. because sysctl is uninitialized and read returns -EIO for it.

Description

Get new value being written by user space to sysctl (before the actual write happens) and copy it as a string into provided by program buffer buf of size buf_len.

User space may write new value at file position > 0.

The buffer is always NUL terminated, unless it's zero-sized.

Return

Number of character copied (not including the trailing NUL).

-E2BIG if the buffer wasn't big enough (buf will contain truncated name in this case).

-EINVAL if sysctl is being read.

Description

Override new value being written by user space to sysctl with value provided by program in buffer buf of size buf_len.

buf should contain a string in same form as provided by user space on sysctl write.

User space may write new value at file position > 0. To override the whole sysctl value file position should be set to zero.

Return

0 on success.

-E2BIG if the buf_len is too big.

-EINVAL if sysctl is being read.

Description

Convert the initial part of the string from buffer buf of size buf_len to a long integer according to the given base and save the result in res.

The string may begin with an arbitrary amount of white space (as determined by isspace(3)) followed by a single optional ' -' sign.

Five least significant bits of flags encode base, other bits are currently unused.

Base must be either 8, 10, 16 or 0 to detect it automatically similar to user space strtol(3).

Return

Number of characters consumed on success. Must be positive but no more than buf_len.

-EINVAL if no valid digits were found or unsupported base was provided.

-ERANGE if resulting value was out of range.

Description

Convert the initial part of the string from buffer buf of size buf_len to an unsigned long integer according to the given base and save the result in res.

The string may begin with an arbitrary amount of white space (as determined by isspace(3)).

Five least significant bits of flags encode base, other bits are currently unused.

Base must be either 8, 10, 16 or 0 to detect it automatically similar to user space strtoul(3).

Return

Number of characters consumed on success. Must be positive but no more than buf_len.

-EINVAL if no valid digits were found or unsupported base was provided.

-ERANGE if resulting value was out of range.

Description

Get a bpf-local-storage from a sk.

Logically, it could be thought of getting the value from a map with sk as the key. From this perspective, the usage is not much different from bpf_map_lookup_elem(map, &sk) except this helper enforces the key must be a full socket and the map must be a BPF_MAP_TYPE_SK_STORAGE also.

Underneath, the value is stored locally at sk instead of the map. The map is used as the bpf-local-storage "type". The bpf-local-storage "type" (i.e. the map) is searched against all bpf-local-storages residing at sk.

An optional flags (BPF_SK_STORAGE_GET_F_CREATE) can be used such that a new bpf-local-storage will be created if one does not exist. value can be used together with BPF_SK_STORAGE_GET_F_CREATE to specify the initial value of a bpf-local-storage. If value is NULL, the new bpf-local-storage will be zero initialized.

Return

A bpf-local-storage pointer is returned on success.

NULL if not found or there was an error in adding a new bpf-local-storage.

Description

Delete a bpf-local-storage from a sk.

Return

0 on success.

-ENOENT if the bpf-local-storage cannot be found.

Description

Send signal sig to the current task.

Return

0 on success or successfully queued.

-EBUSY if work queue under nmi is full.

-EINVAL if sig is invalid.

-EPERM if no permission to send the sig.

-EAGAIN if bpf program can try again.

Description

Try to issue a SYN cookie for the packet with corresponding IP/TCP headers, iph and th, on the listening socket in sk.

iph points to the start of the IPv4 or IPv6 header, while iph_len contains sizeof(struct iphdr) or sizeof( struct ip6hdr).

th points to the start of the TCP header, while th_len contains the length of the TCP header.

Return

On success, lower 32 bits hold the generated SYN cookie in followed by 16 bits which hold the MSS value for that cookie, and the top 16 bits are unused.

On failure, the returned value is one of the following:

-EINVAL SYN cookie cannot be issued due to error

-ENOENT SYN cookie should not be issued (no SYN flood)

-EOPNOTSUPP kernel configuration does not enable SYN cookies

-EPROTONOSUPPORT IP packet version is not 4 or 6

char ____license[] __attribute__((section("license"), used)) = "GPL";