Assume you get a new ebpf program type BPF_PROG_TYPE_SOCKET_FILTER, i want to get knowledge for this program type, for example:
There is no documents describing this information, should i read kernel source code? where should i start?
There is a great blog https://blogs.oracle.com/linux/post/bpf-a-tour-of-program-types , but i'm interesting at how to get this information by myself, because there are always new program type exists.
Unfortunately, there's no simple answer. There's an effort beginning in the BPF community to bring documentation and standardisation for eBPF, but it's not there yet. In the meantime, if you want to dig the info by yourself, this means one thing: reading kernel code.
- what do I do with this program type?
This is usually introduced in the commit description for the commit (or the patchset) that added the feature. You can usually find the relevant commit by git blame-ing the new type in the UAPI header, include/uapi/linux/bpf.h. It's also worth looking at the samples (samples/bpf/) or tests (tools/testing/selftests/bpf/) using the programs of a given type to see how and what they do with it.
- how do I attach my BPF program for this program type?
In many cases, libbpf or other libraries will handle this for you. Otherwise, looking at the tests and samples would tell.
- when does the attached program get run?
You need to look at the code. This is generally added in the commit that brought the new type as well. The name of the macro or function used to call the BPF programs has changed over time.
- what context is provided to my program?
Again, you can usually tell from the description of the feature and/or the examples.