1.. SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause) 2 3================ 4bpftool-prog 5================ 6------------------------------------------------------------------------------- 7tool for inspection and simple manipulation of eBPF progs 8------------------------------------------------------------------------------- 9 10:Manual section: 8 11 12.. include:: substitutions.rst 13 14SYNOPSIS 15======== 16 17**bpftool** [*OPTIONS*] **prog** *COMMAND* 18 19*OPTIONS* := { |COMMON_OPTIONS| | 20{ **-f** | **--bpffs** } | { **-m** | **--mapcompat** } | { **-n** | **--nomount** } | 21{ **-L** | **--use-loader** } } 22 23*COMMANDS* := 24{ **show** | **list** | **dump xlated** | **dump jited** | **pin** | **load** | 25**loadall** | **help** } 26 27PROG COMMANDS 28============= 29 30| **bpftool** **prog** { **show** | **list** } [*PROG*] 31| **bpftool** **prog dump xlated** *PROG* [{ **file** *FILE* | [**opcodes**] [**linum**] [**visual**] }] 32| **bpftool** **prog dump jited** *PROG* [{ **file** *FILE* | [**opcodes**] [**linum**] }] 33| **bpftool** **prog pin** *PROG* *FILE* 34| **bpftool** **prog** { **load** | **loadall** } *OBJ* *PATH* [**type** *TYPE*] [**map** { **idx** *IDX* | **name** *NAME* } *MAP*] [{ **offload_dev** | **xdpmeta_dev** } *NAME*] [**pinmaps** *MAP_DIR*] [**autoattach**] [**kernel_btf** *BTF_FILE*] 35| **bpftool** **prog attach** *PROG* *ATTACH_TYPE* [*MAP*] 36| **bpftool** **prog detach** *PROG* *ATTACH_TYPE* [*MAP*] 37| **bpftool** **prog tracelog** 38| **bpftool** **prog tracelog** [ { **stdout** | **stderr** } *PROG* ] 39| **bpftool** **prog run** *PROG* **data_in** *FILE* [**data_out** *FILE* [**data_size_out** *L*]] [**ctx_in** *FILE* [**ctx_out** *FILE* [**ctx_size_out** *M*]]] [**repeat** *N*] 40| **bpftool** **prog profile** *PROG* [**duration** *DURATION*] *METRICs* 41| **bpftool** **prog help** 42| 43| *MAP* := { **id** *MAP_ID* | **pinned** *FILE* | **name** *MAP_NAME* } 44| *PROG* := { **id** *PROG_ID* | **pinned** *FILE* | **tag** *PROG_TAG* | **name** *PROG_NAME* } 45| *TYPE* := { 46| **socket** | **kprobe** | **kretprobe** | **classifier** | **action** | 47| **tracepoint** | **raw_tracepoint** | **xdp** | **perf_event** | **cgroup/skb** | 48| **cgroup/sock** | **cgroup/dev** | **lwt_in** | **lwt_out** | **lwt_xmit** | 49| **lwt_seg6local** | **sockops** | **sk_skb** | **sk_msg** | **lirc_mode2** | 50| **cgroup/bind4** | **cgroup/bind6** | **cgroup/post_bind4** | **cgroup/post_bind6** | 51| **cgroup/connect4** | **cgroup/connect6** | **cgroup/connect_unix** | 52| **cgroup/getpeername4** | **cgroup/getpeername6** | **cgroup/getpeername_unix** | 53| **cgroup/getsockname4** | **cgroup/getsockname6** | **cgroup/getsockname_unix** | 54| **cgroup/sendmsg4** | **cgroup/sendmsg6** | **cgroup/sendmsg_unix** | 55| **cgroup/recvmsg4** | **cgroup/recvmsg6** | **cgroup/recvmsg_unix** | **cgroup/sysctl** | 56| **cgroup/getsockopt** | **cgroup/setsockopt** | **cgroup/sock_release** | 57| **struct_ops** | **fentry** | **fexit** | **freplace** | **sk_lookup** 58| } 59| *ATTACH_TYPE* := { 60| **sk_msg_verdict** | **sk_skb_verdict** | **sk_skb_stream_verdict** | 61| **sk_skb_stream_parser** | **flow_dissector** 62| } 63| *METRICs* := { 64| **cycles** | **instructions** | **l1d_loads** | **llc_misses** | 65| **itlb_misses** | **dtlb_misses** 66| } 67 68 69DESCRIPTION 70=========== 71bpftool prog { show | list } [*PROG*] 72 Show information about loaded programs. If *PROG* is specified show 73 information only about given programs, otherwise list all programs 74 currently loaded on the system. In case of **tag** or **name**, *PROG* may 75 match several programs which will all be shown. 76 77 Output will start with program ID followed by program type and zero or more 78 named attributes (depending on kernel version). 79 80 Since Linux 5.1 the kernel can collect statistics on BPF programs (such as 81 the total time spent running the program, and the number of times it was 82 run). If available, bpftool shows such statistics. However, the kernel does 83 not collect them by defaults, as it slightly impacts performance on each 84 program run. Activation or deactivation of the feature is performed via the 85 **kernel.bpf_stats_enabled** sysctl knob. 86 87 Since Linux 5.8 bpftool is able to discover information about processes 88 that hold open file descriptors (FDs) against BPF programs. On such kernels 89 bpftool will automatically emit this information as well. 90 91bpftool prog dump xlated *PROG* [{ file *FILE* | [opcodes] [linum] [visual] }] 92 Dump eBPF instructions of the programs from the kernel. By default, eBPF 93 will be disassembled and printed to standard output in human-readable 94 format. In this case, **opcodes** controls if raw opcodes should be printed 95 as well. 96 97 In case of **tag** or **name**, *PROG* may match several programs which 98 will all be dumped. However, if **file** or **visual** is specified, 99 *PROG* must match a single program. 100 101 If **file** is specified, the binary image will instead be written to 102 *FILE*. 103 104 If **visual** is specified, control flow graph (CFG) will be built instead, 105 and eBPF instructions will be presented with CFG in DOT format, on standard 106 output. 107 108 If the programs have line_info available, the source line will be 109 displayed. If **linum** is specified, the filename, line number and line 110 column will also be displayed. 111 112bpftool prog dump jited *PROG* [{ file *FILE* | [opcodes] [linum] }] 113 Dump jited image (host machine code) of the program. 114 115 If *FILE* is specified image will be written to a file, otherwise it will 116 be disassembled and printed to stdout. *PROG* must match a single program 117 when **file** is specified. 118 119 **opcodes** controls if raw opcodes will be printed. 120 121 If the prog has line_info available, the source line will be displayed. If 122 **linum** is specified, the filename, line number and line column will also 123 be displayed. 124 125bpftool prog pin *PROG* *FILE* 126 Pin program *PROG* as *FILE*. 127 128 Note: *FILE* must be located in *bpffs* mount. It must not contain a dot 129 character ('.'), which is reserved for future extensions of *bpffs*. 130 131bpftool prog { load | loadall } *OBJ* *PATH* [type *TYPE*] [map { idx *IDX* | name *NAME* } *MAP*] [{ offload_dev | xdpmeta_dev } *NAME*] [pinmaps *MAP_DIR*] [autoattach] [kernel_btf *BTF_FILE*] 132 Load bpf program(s) from binary *OBJ* and pin as *PATH*. **bpftool prog 133 load** pins only the first program from the *OBJ* as *PATH*. **bpftool prog 134 loadall** pins all programs from the *OBJ* under *PATH* directory. **type** 135 is optional, if not specified program type will be inferred from section 136 names. By default bpftool will create new maps as declared in the ELF 137 object being loaded. **map** parameter allows for the reuse of existing 138 maps. It can be specified multiple times, each time for a different map. 139 *IDX* refers to index of the map to be replaced in the ELF file counting 140 from 0, while *NAME* allows to replace a map by name. *MAP* specifies the 141 map to use, referring to it by **id** or through a **pinned** file. If 142 **offload_dev** *NAME* is specified program will be loaded onto given 143 networking device (offload). If **xdpmeta_dev** *NAME* is specified program 144 will become device-bound without offloading, this facilitates access to XDP 145 metadata. Optional **pinmaps** argument can be provided to pin all maps 146 under *MAP_DIR* directory. 147 148 If **autoattach** is specified program will be attached before pin. In that 149 case, only the link (representing the program attached to its hook) is 150 pinned, not the program as such, so the path won't show in **bpftool prog 151 show -f**, only show in **bpftool link show -f**. Also, this only works 152 when bpftool (libbpf) is able to infer all necessary information from the 153 object file, in particular, it's not supported for all program types. If a 154 program does not support autoattach, bpftool falls back to regular pinning 155 for that program instead. 156 157 The **kernel_btf** option allows specifying an external BTF file to replace 158 the system's own vmlinux BTF file for CO-RE relocations. Note that any 159 other feature relying on BTF (such as fentry/fexit programs, struct_ops) 160 requires the BTF file for the actual kernel running on the host, often 161 exposed at /sys/kernel/btf/vmlinux. 162 163 Note: *PATH* must be located in *bpffs* mount. It must not contain a dot 164 character ('.'), which is reserved for future extensions of *bpffs*. 165 166bpftool prog attach *PROG* *ATTACH_TYPE* [*MAP*] 167 Attach bpf program *PROG* (with type specified by *ATTACH_TYPE*). Most 168 *ATTACH_TYPEs* require a *MAP* parameter, with the exception of 169 *flow_dissector* which is attached to current networking name space. 170 171bpftool prog detach *PROG* *ATTACH_TYPE* [*MAP*] 172 Detach bpf program *PROG* (with type specified by *ATTACH_TYPE*). Most 173 *ATTACH_TYPEs* require a *MAP* parameter, with the exception of 174 *flow_dissector* which is detached from the current networking name space. 175 176bpftool prog tracelog 177 Dump the trace pipe of the system to the console (stdout). Hit <Ctrl+C> to 178 stop printing. BPF programs can write to this trace pipe at runtime with 179 the **bpf_trace_printk**\ () helper. This should be used only for debugging 180 purposes. For streaming data from BPF programs to user space, one can use 181 perf events (see also **bpftool-map**\ (8)). 182 183bpftool prog tracelog { stdout | stderr } *PROG* 184 Dump the BPF stream of the program. BPF programs can write to these streams 185 at runtime with the **bpf_stream_vprintk**\ () kfunc. The kernel may write 186 error messages to the standard error stream. This facility should be used 187 only for debugging purposes. 188 189bpftool prog run *PROG* data_in *FILE* [data_out *FILE* [data_size_out *L*]] [ctx_in *FILE* [ctx_out *FILE* [ctx_size_out *M*]]] [repeat *N*] 190 Run BPF program *PROG* in the kernel testing infrastructure for BPF, 191 meaning that the program works on the data and context provided by the 192 user, and not on actual packets or monitored functions etc. Return value 193 and duration for the test run are printed out to the console. 194 195 Input data is read from the *FILE* passed with **data_in**. If this *FILE* 196 is "**-**", input data is read from standard input. Input context, if any, 197 is read from *FILE* passed with **ctx_in**. Again, "**-**" can be used to 198 read from standard input, but only if standard input is not already in use 199 for input data. If a *FILE* is passed with **data_out**, output data is 200 written to that file. Similarly, output context is written to the *FILE* 201 passed with **ctx_out**. For both output flows, "**-**" can be used to 202 print to the standard output (as plain text, or JSON if relevant option was 203 passed). If output keywords are omitted, output data and context are 204 discarded. Keywords **data_size_out** and **ctx_size_out** are used to pass 205 the size (in bytes) for the output buffers to the kernel, although the 206 default of 32 kB should be more than enough for most cases. 207 208 Keyword **repeat** is used to indicate the number of consecutive runs to 209 perform. Note that output data and context printed to files correspond to 210 the last of those runs. The duration printed out at the end of the runs is 211 an average over all runs performed by the command. 212 213 Not all program types support test run. Among those which do, not all of 214 them can take the **ctx_in**/**ctx_out** arguments. bpftool does not 215 perform checks on program types. 216 217bpftool prog profile *PROG* [duration *DURATION*] *METRICs* 218 Profile *METRICs* for bpf program *PROG* for *DURATION* seconds or until 219 user hits <Ctrl+C>. *DURATION* is optional. If *DURATION* is not specified, 220 the profiling will run up to **UINT_MAX** seconds. 221 222bpftool prog help 223 Print short help message. 224 225OPTIONS 226======= 227.. include:: common_options.rst 228 229-f, --bpffs 230 When showing BPF programs, show file names of pinned programs. 231 232-m, --mapcompat 233 Allow loading maps with unknown map definitions. 234 235-n, --nomount 236 Do not automatically attempt to mount any virtual file system (such as 237 tracefs or BPF virtual file system) when necessary. 238 239-L, --use-loader 240 Load program as a "loader" program. This is useful to debug the generation 241 of such programs. When this option is in use, bpftool attempts to load the 242 programs from the object file into the kernel, but does not pin them 243 (therefore, the *PATH* must not be provided). 244 245 When combined with the **-d**\ \|\ **--debug** option, additional debug 246 messages are generated, and the execution of the loader program will use 247 the **bpf_trace_printk**\ () helper to log each step of loading BTF, 248 creating the maps, and loading the programs (see **bpftool prog tracelog** 249 as a way to dump those messages). 250 251EXAMPLES 252======== 253**# bpftool prog show** 254 255:: 256 257 10: xdp name some_prog tag 005a3d2123620c8b gpl run_time_ns 81632 run_cnt 10 258 loaded_at 2017-09-29T20:11:00+0000 uid 0 259 xlated 528B jited 370B memlock 4096B map_ids 10 260 pids systemd(1) 261 262**# bpftool --json --pretty prog show** 263 264:: 265 266 [{ 267 "id": 10, 268 "type": "xdp", 269 "tag": "005a3d2123620c8b", 270 "gpl_compatible": true, 271 "run_time_ns": 81632, 272 "run_cnt": 10, 273 "loaded_at": 1506715860, 274 "uid": 0, 275 "bytes_xlated": 528, 276 "jited": true, 277 "bytes_jited": 370, 278 "bytes_memlock": 4096, 279 "map_ids": [10 280 ], 281 "pids": [{ 282 "pid": 1, 283 "comm": "systemd" 284 } 285 ] 286 } 287 ] 288 289| 290| **# bpftool prog dump xlated id 10 file /tmp/t** 291| **$ ls -l /tmp/t** 292 293:: 294 295 -rw------- 1 root root 560 Jul 22 01:42 /tmp/t 296 297**# bpftool prog dump jited tag 005a3d2123620c8b** 298 299:: 300 301 0: push %rbp 302 1: mov %rsp,%rbp 303 2: sub $0x228,%rsp 304 3: sub $0x28,%rbp 305 4: mov %rbx,0x0(%rbp) 306 307| 308| **# mount -t bpf none /sys/fs/bpf/** 309| **# bpftool prog pin id 10 /sys/fs/bpf/prog** 310| **# bpftool prog load ./my_prog.o /sys/fs/bpf/prog2** 311| **# ls -l /sys/fs/bpf/** 312 313:: 314 315 -rw------- 1 root root 0 Jul 22 01:43 prog 316 -rw------- 1 root root 0 Jul 22 01:44 prog2 317 318**# bpftool prog dump jited pinned /sys/fs/bpf/prog opcodes** 319 320:: 321 322 0: push %rbp 323 55 324 1: mov %rsp,%rbp 325 48 89 e5 326 4: sub $0x228,%rsp 327 48 81 ec 28 02 00 00 328 b: sub $0x28,%rbp 329 48 83 ed 28 330 f: mov %rbx,0x0(%rbp) 331 48 89 5d 00 332 333| 334| **# bpftool prog load xdp1_kern.o /sys/fs/bpf/xdp1 type xdp map name rxcnt id 7** 335| **# bpftool prog show pinned /sys/fs/bpf/xdp1** 336 337:: 338 339 9: xdp name xdp_prog1 tag 539ec6ce11b52f98 gpl 340 loaded_at 2018-06-25T16:17:31-0700 uid 0 341 xlated 488B jited 336B memlock 4096B map_ids 7 342 343**# rm /sys/fs/bpf/xdp1** 344 345| 346| **# bpftool prog profile id 337 duration 10 cycles instructions llc_misses** 347 348:: 349 350 51397 run_cnt 351 40176203 cycles (83.05%) 352 42518139 instructions # 1.06 insns per cycle (83.39%) 353 123 llc_misses # 2.89 LLC misses per million insns (83.15%) 354 355| 356| Output below is for the trace logs. 357| Run in separate terminals: 358| **# bpftool prog tracelog** 359| **# bpftool prog load -L -d file.o** 360 361:: 362 363 bpftool-620059 [004] d... 2634685.517903: bpf_trace_printk: btf_load size 665 r=5 364 bpftool-620059 [004] d... 2634685.517912: bpf_trace_printk: map_create sample_map idx 0 type 2 value_size 4 value_btf_id 0 r=6 365 bpftool-620059 [004] d... 2634685.517997: bpf_trace_printk: prog_load sample insn_cnt 13 r=7 366 bpftool-620059 [004] d... 2634685.517999: bpf_trace_printk: close(5) = 0 367