The next bpf() creates the output perf buffer map: bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_PERF_EVENT_ARRAY, , key_size=4, value_size=4, max_entries=4, ... map_name="output", ...}, 128) = 4 You can probably guess from the command name BPF_MAP_CREATE that this call cr...
or a sufficient level of capabilities (CAP_BPFandCAP_PERFMON). Also note that despite all the safety guarantees of BPF technology and careful implementation, kernel tracing is inherently tricky and potentially disruptive to production workloads, so it's always recommended to test whatever you are tr...
// Invoke eBPF program with connection deleted socket event. sock_ops_context = &local_flow_context->context; sock_ops_context = &local_flow_context->context.context; sock_ops_context->op = BPF_SOCK_OPS_CONNECTION_DELETED_CB; if (net_ebpf_extension_hook_invoke_program(attached_client, sock...
(v5.16+) it's possible to capture such LBRs from a BPF program in ad-hoc fashion, which is utilized byretsnoopin the LBR mode. Some non-Intel CPUs have a similar capabilities, which are abstracted away by the kernel's perf subsystem, so you don't necessarily need Intel CPUs to take...