cilium/ebpfPublic

NotificationsYou must be signed in to change notification settings
Fork730
Star6.7k

ebpf-go is a pure-Go library to read, modify and load eBPF programs and attach them to various hooks in the Linux kernel.

License

MIT license

6.7k stars 730 forks Branches Tags Activity

Star

Notifications

You must be signed in to change notification settings

Branches Tags

Folders and files

Name		Name	Last commit message	Last commit date
Latest commit History 1,969 Commits
.github		.github
asm		asm
btf		btf
cmd/bpf2go		cmd/bpf2go
docs		docs
examples		examples
features		features
internal		internal
link		link
perf		perf
pin		pin
ringbuf		ringbuf
rlimit		rlimit
testdata		testdata
.clang-format		.clang-format
.gitattributes		.gitattributes
.gitignore		.gitignore
.golangci.yaml		.golangci.yaml
.vimto.toml		.vimto.toml
CODEOWNERS		CODEOWNERS
CODE_OF_CONDUCT.md		CODE_OF_CONDUCT.md
CONTRIBUTING.md		CONTRIBUTING.md
LICENSE		LICENSE
MAINTAINERS.md		MAINTAINERS.md
Makefile		Makefile
README.md		README.md
attachtype_string.go		attachtype_string.go
collection.go		collection.go
collection_other.go		collection_other.go
collection_test.go		collection_test.go
collection_windows.go		collection_windows.go
collection_windows_test.go		collection_windows_test.go
cpu.go		cpu.go
cpu_other.go		cpu_other.go
cpu_test.go		cpu_test.go
cpu_windows.go		cpu_windows.go
doc.go		doc.go
elf_reader.go		elf_reader.go
elf_reader_test.go		elf_reader_test.go
elf_sections.go		elf_sections.go
example_sock_elf_test.go		example_sock_elf_test.go
example_sock_extract_dist_test.go		example_sock_extract_dist_test.go
fuzz_test.go		fuzz_test.go
go.mod		go.mod
go.sum		go.sum
helpers_test.go		helpers_test.go
info.go		info.go
info_test.go		info_test.go
linker.go		linker.go
linker_test.go		linker_test.go
map.go		map.go
map_test.go		map_test.go
marshaler_example_test.go		marshaler_example_test.go
marshalers.go		marshalers.go
marshalers_test.go		marshalers_test.go
memory.go		memory.go
memory_test.go		memory_test.go
netlify.toml		netlify.toml
prog.go		prog.go
prog_linux_test.go		prog_linux_test.go
prog_test.go		prog_test.go
syscalls.go		syscalls.go
syscalls_test.go		syscalls_test.go
types.go		types.go
types_string.go		types_string.go
variable.go		variable.go
variable_test.go		variable_test.go

Repository files navigation

eBPF

ebpf-go is a pure Go library that provides utilities for loading, compiling, anddebugging eBPF programs. It has minimal external dependencies and is intended tobe used in long running processes.

Seeebpf.io for complementary projects from the wider eBPFecosystem.

Getting Started

Please take a look at ourGetting Started guide.

Contributions are highly encouraged, as they highlight certain use cases ofeBPF and the library, and help shape the future of the project.

Getting Help

The community actively monitors ourGitHub Discussions page.Please search for existing threads before starting a new one. Refrain fromopening issues on the bug tracker if you're just starting out or if you're notsure if something is a bug in the library code.

Alternatively,join the#ebpf-go channel on Slack if youhave other questions regarding the project. Note that this channel is ephemeraland has its history erased past a certain point, which is less helpful forothers running into the same problem later.

Packages

This library includes the following packages:

asm contains a basicassembler, allowing you to write eBPF assembly instructions directlywithin your Go code. (You don't need to use this if you prefer to write your eBPF program in C.)
cmd/bpf2go allowscompiling and embedding eBPF programs written in C within Go code. As well ascompiling the C code, it auto-generates Go code for loading and manipulatingthe eBPF program and map objects.
link allows attaching eBPFto various hooks
perf allows reading from aPERF_EVENT_ARRAY
ringbuf allows reading from aBPF_MAP_TYPE_RINGBUF map
features implements the equivalentofbpftool feature probe for discovering BPF-related kernel features using native Go.
rlimit provides a convenient API to lifttheRLIMIT_MEMLOCK constraint on kernels before 5.11.
btf allows reading the BPF Type Format.
pin provides APIs for working with pinned objects on bpffs.