github.com/inspektor-gadget/inspektor-gadget@v0.28.1/docs/reference/program-types.md

---
title: 'eBPF Program Types'
weight: 50
description: 'Reference documentation for different eBPF programs supported by Inspektor Gadget'
---

Inspektor Gadget automatically loads and attaches the eBPF programs contained in a gadget. This
document describes the different types that are supported and specific details about them.
The section name specifies the type of the program and the target it should be attached to.

### Kprobes / Kretprobes

The section name must use the `kprobe/<function_name>` or `kretprobe/<function_name>` formats.
`<function_name>` is the kernel function that the kprobe will be attached to.

### Tracepoints

The section name must use the `tracepoint/<tracepoint_name>` format. `<tracepoint_name>` is one of the
available tracepoints under `/sys/kernel/debug/tracing/events`.

### Socket Filter

The section name must start with `socket`. Socket programs are attached to all network namespaces
matching the filter configuration when running the gadget.

### Tracing

Currently we support some iterators and fentry/fexit programs.

#### Iterators

The section name must use the `iter/<iter_type>` format. `<iter_type>` is one of `task`, `tcp` or `udp`. `tcp`
and `udp` iterators are invoked in the different network namespaces matching the filter configuration
when running the gadget.

#### Fentry / Fexit

The section name must use the `fentry/<function_name>` or `fexit/<function_name>` formats. As in kprobes,
`<function_name>` is the kernel function that the program will be attached to.

### Raw Tracepoints

TODO!

### SchedCLS

The section name must use the `classifier/<ingress|egress>/<program_name>` format. SchedCLS programs
are attached to the peer of the networking interface of the containers on the host according to the
filtering configuration.

Inspektor Gadget supports running multiple gadgets that use SchedCLS programs at the same time.
Programs must return `TC_ACT_UNSPEC` in order to allow the packet to be processed by other gadgets.
The order of execution of the programs is not deterministic; this is something we could revisit later
on.

### Uprobes / Uretprobes

The section name must use the `<prog_type>/<file_path>:<symbol>` format.
`<prog_type>` must be either `uprobe` or `uretprobe`.
`<file_path>` is the absolute path of an executable or a library that the uprobe will be attached to.
For common libraries, `<file_path>` can also be the library's name, such as `libc`.
`<symbol>` is a debugging symbol that can be found in the file mentioned above.

### User-Level Statically Defined Tracing (USDT)

The section name must use the `usdt/<file_path>:<providerName>:<probeName>` format.
`<file_path>` can be either an absolute path or a library name, same as the field in Uprobe.
`<providerName>` and `<probeName>` are two fields that jointly identify a USDT trace point.

### Tracing with Linux Security Modules (LSM)

The section name must use the `lsm/<hook>` format.
The hook points can be found in [`<include/linux/lsm_hook_defs.h>`](https://elixir.bootlin.com/linux/latest/source/include/linux/lsm_hook_defs.h).
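
The section-name formats above can be checked mechanically, for example when reviewing which kernel or user-space targets a gadget's object file would attach to before loading it. The following Go function is an added example, not Inspektor Gadget's own loader code. `ParseSection` and the sample section names are hypothetical, and it assumes that tracepoint names may contain `/` and that uprobe and USDT fields contain no `:`.

```go
package main

import (
	"fmt"
	"strings"
)

// ParseSection checks an eBPF ELF section name against the formats listed in
// this document. Illustrative only: it does not mirror Inspektor Gadget's loader.
func ParseSection(sec string) (string, []string, error) {
	bad := func(why string) (string, []string, error) {
		return "", nil, fmt.Errorf("section %q: %s", sec, why)
	}
	typ, rest, _ := strings.Cut(sec, "/")
	switch typ {
	case "kprobe", "kretprobe", "fentry", "fexit", "lsm", "tracepoint":
		if rest == "" {
			return bad("missing target name")
		}
		return typ, []string{rest}, nil
	case "iter":
		if rest != "task" && rest != "tcp" && rest != "udp" {
			return bad("iterator type must be task, tcp or udp")
		}
		return typ, []string{rest}, nil
	case "classifier":
		dir, name, _ := strings.Cut(rest, "/")
		if name == "" || (dir != "ingress" && dir != "egress") {
			return bad("want classifier/<ingress|egress>/<program_name>")
		}
		return typ, []string{dir, name}, nil
	case "uprobe", "uretprobe", "usdt":
		f := strings.Split(rest, ":")
		want := map[string]int{"uprobe": 2, "uretprobe": 2, "usdt": 3}[typ]
		// "::" in the padded string means an empty first, middle or last field.
		if len(f) != want || strings.Contains(":"+rest+":", "::") {
			return bad("wrong or empty ':'-separated fields")
		}
		return typ, f, nil
	}
	if strings.HasPrefix(sec, "socket") {
		return "socket", nil, nil
	}
	return bad("unsupported program type")
}

func main() { // constructed section names, not taken from a real gadget
	for _, s := range []string{"classifier/egress/drop", "fentry/", "usdt/libc:p"} {
		fmt.Println(ParseSection(s))
	}
}
```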