ebpf-go is a pure-Go library to read, modify and load eBPF programs and attach them to various hooks in the Linux kernel.
bpf_core_type_matches is now supportedPrograms can now use bpf_core_type_matches() for a stricter compatibility check. See https://github.com/cilium/ebpf/pull/1366.
The library now tries to return a more informative error when loading a program fails due to a failed CO-RE relocation or a missing kfunc. See https://github.com/cilium/ebpf/pull/1402.
asm.Comment in an instruction's Source() are now passed to the kernel in the form of BTF line info. See https://github.com/cilium/ebpf/pull/1417.
A perf Reader can now be configured to be woken up after a specific number of events / samples have been submitted. See https://github.com/cilium/ebpf/pull/1404.
program: fix loading a program which targets a function in a kernel module when CONFIG_DEBUG_INFO_BTF_MODULES is disabled, see #1440.Copy: the transform argument was removed. Use the new btf.As function instead.Transformer: removed. See above.bpf_core_type_matches() by @dylandreimerink in https://github.com/cilium/ebpf/pull/1366
Full Changelog: https://github.com/cilium/ebpf/compare/v0.14.0...v0.15.0
It's now possible to use CO-RE relocations against types defined in kernel modules. See https://github.com/cilium/ebpf/pull/1300 by @brycekahle.
The link package now allows attaching to netkit interfaces. See https://github.com/cilium/ebpf/pull/1257 by @hemanthmalla
The new link.Iterator type allows enumerating all BPF links active. See https://github.com/cilium/ebpf/pull/1392 by @mpastyl.
ringbuf: fixed a bug which can lead to corrupt data on arm64, see https://github.com/cilium/ebpf/pull/1375
ProgramOptions is not comparable anymore due to KernelModuleTypes.CORERelocate had its singature change once again.Full Changelog: https://github.com/cilium/ebpf/compare/v0.13.2...v0.14.0
Full Changelog: https://github.com/cilium/ebpf/compare/v0.13.1...v0.13.2
Full Changelog: https://github.com/cilium/ebpf/compare/v0.13.0...v0.13.1
Obtaining the kernel's BTF used to be very slow and is now very fast. See https://github.com/cilium/ebpf/pull/1235 by @lmb.
It's now possible to attach TC programs using the new bpf_link based TCX API. See https://github.com/cilium/ebpf/pull/1163 by @lmb.
These are the user-space equivalents to KprobeMulti and Kretprobe multi and allow attaching to a large number of symbols quickly. See https://github.com/cilium/ebpf/pull/1269 by @olsajiri.
There is now support to attach Netfilter programs using bpf_links. See https://github.com/cilium/ebpf/pull/1313 by @mehrdadrad.
The list of recognised ELF section names is now automatically generated from libbpf and should be more accurate and easier to keep up to date. See https://github.com/cilium/ebpf/pull/1209 by @lmb.
It's now possible to cut down on allocations by pre-allocating per-CPU values. See https://github.com/cilium/ebpf/pull/1220 by @alxn.
Batch operations like Map.BatchLookup now support per-CPU values. Note that this is not particularly optimised, please check whether it is faster based on your use case. See https://github.com/cilium/ebpf/pull/1192 by @alxn.
This release requires at least Go 1.21.
(*Map).BatchLookup, (*Map).BatchLookupAndDelete: now take a MapBatchCursor.
The previous implementation did not properly account for differences between
map types and was unsafe.Spec.TypeID.*Builder instead of allocating it.
Simply pass NewBuilder().Both of these are considered somewhat internal API of the library.
HaveBoundedLoops: changed from var to funcHaveLargeInstructions: changed from var to funcHaveV2ISA: changed from var to funcHaveV3ISA: changed from var to funcQueryOptions.Path: removed. Instead, pass an fd to the directory via QueryOptions.Target.QueryPrograms: now returns QueryResult to be able to extend the API.RawAttachProgramOptions.Replace: removed. Instead, pass ReplaceProgram() to RawAttachProgramOptions.Anchor.Full Changelog: https://github.com/cilium/ebpf/compare/v0.12.3...v0.13.0
This is a small release to fix an incompatibility with golang.org/x/sys/[email protected]. There is a variety of performance improvements as well.
readTypes and inflateRawTypes by @dylandreimerink in https://github.com/cilium/ebpf/pull/1211
Full Changelog: https://github.com/cilium/ebpf/compare/v0.12.2...v0.12.3
This release fixes unmarshaling from a map operation into a []byte, see #1180. This is a regression in v0.12.0.
We now also properly return an error when the value to unmarshal into is too small, see #1181. This behaviour has existed for a long time.
Full Changelog: https://github.com/cilium/ebpf/compare/v0.12.1...v0.12.2
A recent change to ProgramInfo.Instructions failed to take a difference between kernel and ELF wire format into account. This meant that retrieving the instructions of a program from the kernel failed with a error.
See #1168, fixed by #1169.
The code to determine the kernel version from vdso has been broken on 32-bit platforms. Note that 32-bit arches are not officially supported to the fix is best effort.
See #1133, fixed by #1144.
Full Changelog: https://github.com/cilium/ebpf/compare/v0.12.0...v0.12.1
This release requires at least Go 1.20. It is mainly a bugfix release without any expected breaking changes. Map operations have also been made faster on the Go side.
.rodata maps.rodata maps were frozen after programs referring to them were loaded, preventing the verifier from eliminating dead code based on the contents of the .rodata maps. Upgrade if you're running into odd verifier errors that don't occur on libbpf.
See https://github.com/cilium/ebpf/pull/1159.
The library leaked file descriptors when trying to use non-existent kfuncs.
See https://github.com/cilium/ebpf/pull/1145.
Signed enums with negative values were incorrectly formatted, leading to invalid output from bpf2go.
See https://github.com/cilium/ebpf/pull/1155.
Keys and values used in map operations were indiscriminately passed through the encoding/binary package. There is now a fast path which skips this step when the in-memory layout of a type is equivalent to the output produced by binary.Write. The result is less allocations and CPU usage.
The optimization doesn't apply to per-CPU maps.
See https://github.com/cilium/ebpf/pull/1062.
Full Changelog: https://github.com/cilium/ebpf/compare/v0.11.0...v0.12.0
This release requires at least Go 1.19.
github.com/cilium/ebpf/btf:
Handle.Spec() now takes a base *Spec argument.
nil is accepted if the Handle is for vmlinux. If Handle is for a (split BTF) kernel module, pass the result of LoadKernelSpec().NewHandle() now takes a *Builder instead of a *Spec.
Loading BTF into the kernel now goes via a new Builder type. See the 'Additions' section below.github.com/cilium/ebpf/link:
The kernel erroneously rejects Datasec where a Typedef, Volatile, Const, Restrict or typeTag follows a Pointer, Struct, Union or Array. There is now a workaround in place, see https://github.com/cilium/ebpf/pull/954.
The marshaling code in the library now uses sync.Pool to re-use bytes.Buffer, which makes common map operations cheaper, see https://github.com/cilium/ebpf/pull/1053.
The CO-RE code now does much less copying of BTF types, which makes CO-RE relocation a lot faster, especially against large types such as sk_buff. See https://github.com/cilium/ebpf/pull/1084.
__ksym (kfunc) supportIt's now possible to use new-style BPF helpers aka kfunc with the library. Going forward, all new BPF 'helper' functionality in the kernel will be exposed as kfuncs, and new helpers won't be added. See https://github.com/cilium/ebpf/pull/966 and https://github.com/cilium/ebpf/pull/996.
__kconfig supportTracing programs often need to vary their behaviour based on kernel configuration, such as CONFIG_HZ. Such references to __kconfig variables are now automatically populated from a variety of sources such as /proc/config.gz. Note that if you run your application implementing ebpf-go in a container, it will need access to the host's /boot on some distributions that don't ship /proc/config(.gz). (notably, Debian-based distros)
As a special mention, the LINUX_HAS_SYSCALL_WRAPPER kconfig is also supported. This allows writing portable kprobes using the BPF_KSYSCALL macro from bpf_tracing.h.
See https://github.com/cilium/ebpf/pull/951, https://github.com/cilium/ebpf/pull/960 and https://github.com/cilium/ebpf/pull/995.
The perf reader now allows creating "overwritable" perf buffers, which always contain the most recent events in case the buffer ever gets full. This is in contrast to regular perf buffers which drop recent events if there is no more space. This is useful to implement "flight recorder" type functionality for events sourced from BPF.
See https://github.com/cilium/ebpf/pull/953.
btf.BuilderConstructing custom BTF type blobs is now possible through the new btf.Builder type. Call btf.NewBuilder() to obtain one, Builder.Add(t btf.Type) to add any types you need, followed by btf.NewHandle(b btf.Builder) to load the types into the kernel. Builder also has a Marshal() method for serializing the type collection into the canonical BTF format so it can be stored for later use.
+build Go build tags by @ti-mo in https://github.com/cilium/ebpf/pull/888
platformPrefix list with libbpf values by @paulcacheux in https://github.com/cilium/ebpf/pull/982
LINUX_HAS_SYSCALL_WRAPPER kconfig by @paulcacheux in https://github.com/cilium/ebpf/pull/995
container-all make invocation by @paulcacheux in https://github.com/cilium/ebpf/pull/1021
Full Changelog: https://github.com/cilium/ebpf/compare/v0.10.0...v0.11.0