Program type BPF_PROG_TYPE_LWT_XMIT

v4.10

Extension programs can be used to dynamically extend another BPF program.

Usage

This program type can be attached to route, the program will be called when transmitting to said route. For example

ip route add 192.168.253.2/32 encap bpf out obj {elf file}.o section {prog section} dev veth0

The initial use cases listed for this program type are:

• Collect statistics and generate sampling data for a subset of traffic based on the destination utilized by the packet thus allowing to extend the existing realms.
• Apply additional per route/destination filters to prohibit certain outgoing or incoming packets based on BPF filters. In particular, this allows to maintain per destination custom state across multiple packets in BPF maps and apply filters based on statistics and behaviour observed over time.
• Attachment of L2 headers at transmit where resolving the L2 address is not required.

LWT xmit programs are called after the IP header has been assembled and thus it can safely modify the packet. The program can also prepend a L2 header to the packet using the bpf_skb_change_head helper function.

Context

Socket SKB programs are called by the kernel with a __sk_buff context.

This program type isn't allowed to read from and write to all fields of the context since doing so might break assumptions in the kernel or because data isn't available at the point where the program is hooked into the kernel.

Context fields

Field	Read	Write
len
pkt_type
mark
queue_mapping
protocol
vlan_present
vlan_tci
vlan_proto
priority
ingress_ifindex
ifindex
tc_index
cb
hash
tc_classid
data
data_end
napi_id
family
remote_ip4
local_ip4
remote_ip6
local_ip6
remote_port
local_port
data_meta
flow_keys
tstamp
wire_len
gso_segs
sk
gso_size
tstamp_type
hwtstamp

Attachment

This program type can only be attached via netlink or commands such as ip from (iproute2) which use netlink under the hood:

ip route add 192.168.253.2/32 encap bpf xmit obj {elf file}.o section {prog section} dev veth0

Example

Docs could be improved

This part of the docs is incomplete, contributions are very welcome

Helper functions

Not all helper functions are available in all program types. These are the helper calls available for LWT programs:

Supported helper functions

• bpf_cgrp_storage_delete
• bpf_cgrp_storage_get
• bpf_clone_redirect
• bpf_csum_diff
• bpf_csum_level
• bpf_csum_update
• bpf_dynptr_data
• bpf_dynptr_from_mem
• bpf_dynptr_read
• bpf_dynptr_write
• bpf_for_each_map_elem
• bpf_get_cgroup_classid
• bpf_get_current_ancestor_cgroup_id v6.4
• bpf_get_current_cgroup_id v6.4
• bpf_get_current_pid_tgid v6.10
• bpf_get_current_task
• bpf_get_current_task_btf
• bpf_get_hash_recalc
• bpf_get_ns_current_pid_tgid v6.10
• bpf_get_numa_node_id
• bpf_get_prandom_u32
• bpf_get_route_realm
• bpf_get_smp_processor_id
• bpf_jiffies64
• bpf_kptr_xchg
• bpf_ktime_get_boot_ns
• bpf_ktime_get_ns
• bpf_ktime_get_tai_ns
• bpf_l3_csum_replace
• bpf_l4_csum_replace
• bpf_loop
• bpf_lwt_push_encap
• bpf_map_delete_elem
• bpf_map_lookup_elem
• bpf_map_lookup_percpu_elem
• bpf_map_peek_elem
• bpf_map_pop_elem
• bpf_map_push_elem
• bpf_map_update_elem
• bpf_per_cpu_ptr
• bpf_perf_event_output
• bpf_probe_read_kernel
• bpf_probe_read_kernel_str
• bpf_probe_read_user
• bpf_probe_read_user_str
• bpf_redirect
• bpf_ringbuf_discard
• bpf_ringbuf_discard_dynptr
• bpf_ringbuf_output
• bpf_ringbuf_query
• bpf_ringbuf_reserve
• bpf_ringbuf_reserve_dynptr
• bpf_ringbuf_submit
• bpf_ringbuf_submit_dynptr
• bpf_set_hash_invalid
• bpf_skb_change_head
• bpf_skb_change_tail
• bpf_skb_get_tunnel_key
• bpf_skb_get_tunnel_opt
• bpf_skb_load_bytes
• bpf_skb_pull_data
• bpf_skb_set_tunnel_key
• bpf_skb_set_tunnel_opt
• bpf_skb_store_bytes
• bpf_skb_under_cgroup
• bpf_snprintf
• bpf_snprintf_btf
• bpf_spin_lock
• bpf_spin_unlock
• bpf_strncmp
• bpf_tail_call
• bpf_task_pt_regs
• bpf_this_cpu_ptr
• bpf_timer_cancel
• bpf_timer_init
• bpf_timer_set_callback
• bpf_timer_start
• bpf_trace_printk
• bpf_trace_vprintk
• bpf_user_ringbuf_drain

KFuncs

Supported kfuncs

• __bpf_trap
• bpf_arena_alloc_pages
• bpf_arena_free_pages
• bpf_arena_reserve_pages
• bpf_cast_to_kern_ctx
• bpf_cgroup_read_xattr
• bpf_copy_from_user_dynptr
• bpf_copy_from_user_str
• bpf_copy_from_user_str_dynptr
• bpf_copy_from_user_task_dynptr
• bpf_copy_from_user_task_str
• bpf_copy_from_user_task_str_dynptr
• bpf_dynptr_adjust
• bpf_dynptr_clone
• bpf_dynptr_copy
• bpf_dynptr_from_skb
• bpf_dynptr_is_null
• bpf_dynptr_is_rdonly
• bpf_dynptr_memset
• bpf_dynptr_size
• bpf_dynptr_slice
• bpf_dynptr_slice_rdwr
• bpf_get_kmem_cache
• bpf_iter_bits_destroy
• bpf_iter_bits_new
• bpf_iter_bits_next
• bpf_iter_css_destroy
• bpf_iter_css_new
• bpf_iter_css_next
• bpf_iter_css_task_destroy
• bpf_iter_css_task_new
• bpf_iter_css_task_next
• bpf_iter_dmabuf_destroy
• bpf_iter_dmabuf_new
• bpf_iter_dmabuf_next
• bpf_iter_kmem_cache_destroy
• bpf_iter_kmem_cache_new
• bpf_iter_kmem_cache_next
• bpf_iter_num_destroy
• bpf_iter_num_new
• bpf_iter_num_next
• bpf_iter_task_destroy
• bpf_iter_task_new
• bpf_iter_task_next
• bpf_iter_task_vma_destroy
• bpf_iter_task_vma_new
• bpf_iter_task_vma_next
• bpf_local_irq_restore
• bpf_local_irq_save
• bpf_map_sum_elem_count
• bpf_preempt_disable
• bpf_preempt_enable
• bpf_probe_read_kernel_dynptr
• bpf_probe_read_kernel_str_dynptr
• bpf_probe_read_user_dynptr
• bpf_probe_read_user_str_dynptr
• bpf_rcu_read_lock
• bpf_rcu_read_unlock
• bpf_rdonly_cast
• bpf_res_spin_lock
• bpf_res_spin_lock_irqsave
• bpf_res_spin_unlock
• bpf_res_spin_unlock_irqrestore
• bpf_strchr
• bpf_strchrnul
• bpf_strcmp
• bpf_strcspn
• bpf_stream_vprintk
• bpf_strlen
• bpf_strnchr
• bpf_strnlen
• bpf_strnstr
• bpf_strrchr
• bpf_strspn
• bpf_strstr
• bpf_wq_init
• bpf_wq_set_callback_impl
• bpf_wq_start