Program types (Linux)
eBPF programs can be used for a wide variety of purposes that are constantly expanding. To accommodate these different use cases, the kernel provides various types of eBPF programs. Since different types of programs execute in different locations within the kernel, the Linux kernel restricts or allows certain functionalities based on the program type: not all types of programs can perform the same operations. These restrictions are enforced by the eBPF verifier.
Network Program Types
These program types are triggered by network events.
- BPF_PROG_TYPE_SOCKET_FILTER
- BPF_PROG_TYPE_SCHED_CLS
- BPF_PROG_TYPE_SCHED_ACT
- BPF_PROG_TYPE_XDP
- BPF_PROG_TYPE_SOCK_OPS
- BPF_PROG_TYPE_SK_SKB
- BPF_PROG_TYPE_SK_MSG
- BPF_PROG_TYPE_SK_LOOKUP
- BPF_PROG_TYPE_SK_REUSEPORT
- BPF_PROG_TYPE_FLOW_DISSECTOR
- BPF_PROG_TYPE_NETFILTER
Lightweight Tunnel Program Types
These program types are used to implement custom lightweight tunnel protocols.
- BPF_PROG_TYPE_LWT_IN
- BPF_PROG_TYPE_LWT_OUT
- BPF_PROG_TYPE_LWT_XMIT
- BPF_PROG_TYPE_LWT_SEG6LOCAL
cGroup Program Types
These program types are triggered by events attached to cGroups.
- BPF_PROG_TYPE_CGROUP_SKB
- BPF_PROG_TYPE_CGROUP_SOCK
- BPF_PROG_TYPE_CGROUP_DEVICE
- BPF_PROG_TYPE_CGROUP_SOCK_ADDR
- BPF_PROG_TYPE_CGROUP_SOCKOPT
- BPF_PROG_TYPE_CGROUP_SYSCTL
Tracing Program Types
These program types are triggered by tracing events from the kernel or user space.
- BPF_PROG_TYPE_KPROBE
- BPF_PROG_TYPE_TRACEPOINT
- BPF_PROG_TYPE_PERF_EVENT
- BPF_PROG_TYPE_RAW_TRACEPOINT
- BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE
- BPF_PROG_TYPE_TRACING
Other Types
These program types have unique purposes that do not neatly fit into any of the above categories.
- BPF_PROG_TYPE_LIRC_MODE2
- BPF_PROG_TYPE_LSM
- BPF_PROG_TYPE_EXT
- BPF_PROG_TYPE_STRUCT_OPS
- BPF_PROG_TYPE_SYSCALL
LIRC: Linux Infrared Remote Control
ELF Sections
The concept of “program type” only exists at the kernel/system call level. Currently, there is no standardized way to mark a specific program in an ELF file as belonging to a certain program type. The industry standard followed by most loaders is to borrow from Libbpf’s approach, which implicitly indicates the program type through the naming pattern in the ELF section names.
Section names supported by Libbpf consist of one or more parts separated by ‘/’. The first part identifies the type of program contained in that section. Subsequent parts (referred to as extras in the Libbpf documentation) can specify the **attach type** or indicate specific events to attach to, where applicable. If extra information exists, it provides details on how to automatically attach the program.
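The naming convention described above, as an added example (not code from Libbpf or from this page): a simplified Python model of how a loader resolves a section name to a program type, useful for inventorying which hooks a BPF object targets before it is loaded. `SEC_DEFS` holds a few rows from the Section Name Index on this page; `classify`, `inventory` and the sample section names are illustrative assumptions.

```python
import re

# (section name, program type, attach type, accepts "/<extra>"). Rows taken
# from the Section Name Index on this page; None means no attach type listed.
SEC_DEFS = [
    ("cgroup/connect4", "BPF_PROG_TYPE_CGROUP_SOCK_ADDR", "BPF_CGROUP_INET4_CONNECT", False),
    ("kprobe", "BPF_PROG_TYPE_KPROBE", None, True),
    ("lsm", "BPF_PROG_TYPE_LSM", "BPF_LSM_MAC", True),
    ("lsm.s", "BPF_PROG_TYPE_LSM", "BPF_LSM_MAC", True),
    ("fentry", "BPF_PROG_TYPE_TRACING", "BPF_TRACE_FENTRY", True),
    ("tc", "BPF_PROG_TYPE_SCHED_CLS", None, False),
    ("tc/ingress", "BPF_PROG_TYPE_SCHED_CLS", "BPF_TCX_INGRESS", False),
    ("xdp", "BPF_PROG_TYPE_XDP", "BPF_XDP", False),
]

# kprobe extras: <function>[+<offset>], character set per the page's footnotes.
KPROBE_EXTRA = re.compile(r"([A-Za-z0-9_]+)(?:\+([0-9]+))?")


def classify(section):
    """Map an ELF section name to its program type, or None if unrecognised."""
    for name, prog_type, attach_type, takes_extra in SEC_DEFS:
        if section == name:
            extra = None                      # exact match, no auto-attach target
        elif takes_extra and section.startswith(name + "/"):
            extra = section[len(name) + 1:]   # everything after "<name>/"
        else:
            continue
        info = {"prog_type": prog_type, "attach_type": attach_type, "target": extra}
        if name == "kprobe" and extra is not None:
            m = KPROBE_EXTRA.fullmatch(extra)
            if m is None:
                raise ValueError(f"invalid kprobe target: {extra!r}")
            info["target"], info["offset"] = m.group(1), int(m.group(2) or 0)
        return info
    return None


def inventory(sections):
    """Group section names by program type; unknown names go under None."""
    found = {}
    for sec in sections:
        info = classify(sec)
        found.setdefault(info["prog_type"] if info else None, []).append(sec)
    return found


# Constructed section list, as a section-header dump of a BPF object might show.
SAMPLE = ["kprobe/do_unlinkat+8", "lsm/file_open", "tc/ingress", "xdp", ".maps", "license"]
```

Sections that map to `None` (such as `.maps` and `license`) hold data rather than programs; a name like `tc/foo` also maps to `None` because `tc` does not accept extras in this model.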
Section Name Index
| Program Type | Attach Type | ELF Section Name |
|---|---|---|
| BPF_PROG_TYPE_CGROUP_DEVICE | BPF_CGROUP_DEVICE | cgroup/dev |
| BPF_PROG_TYPE_CGROUP_SKB | | cgroup/skb |
| BPF_PROG_TYPE_CGROUP_SKB | BPF_CGROUP_INET_EGRESS | cgroup_skb/egress |
| BPF_PROG_TYPE_CGROUP_SKB | BPF_CGROUP_INET_INGRESS | cgroup_skb/ingress |
| BPF_PROG_TYPE_CGROUP_SOCKOPT | BPF_CGROUP_GETSOCKOPT | cgroup/getsockopt |
| BPF_PROG_TYPE_CGROUP_SOCKOPT | BPF_CGROUP_SETSOCKOPT | cgroup/setsockopt |
| BPF_PROG_TYPE_CGROUP_SOCK_ADDR | BPF_CGROUP_INET4_BIND | cgroup/bind4 |
| BPF_PROG_TYPE_CGROUP_SOCK_ADDR | BPF_CGROUP_INET4_CONNECT | cgroup/connect4 |
| BPF_PROG_TYPE_CGROUP_SOCK_ADDR | BPF_CGROUP_INET4_GETPEERNAME | cgroup/getpeername4 |
| BPF_PROG_TYPE_CGROUP_SOCK_ADDR | BPF_CGROUP_INET4_GETSOCKNAME | cgroup/getsockname4 |
| BPF_PROG_TYPE_CGROUP_SOCK_ADDR | BPF_CGROUP_INET6_BIND | cgroup/bind6 |
| BPF_PROG_TYPE_CGROUP_SOCK_ADDR | BPF_CGROUP_INET6_CONNECT | cgroup/connect6 |
| BPF_PROG_TYPE_CGROUP_SOCK_ADDR | BPF_CGROUP_INET6_GETPEERNAME | cgroup/getpeername6 |
| BPF_PROG_TYPE_CGROUP_SOCK_ADDR | BPF_CGROUP_INET6_GETSOCKNAME | cgroup/getsockname6 |
| BPF_PROG_TYPE_CGROUP_SOCK_ADDR | BPF_CGROUP_UDP4_RECVMSG | cgroup/recvmsg4 |
| BPF_PROG_TYPE_CGROUP_SOCK_ADDR | BPF_CGROUP_UDP4_SENDMSG | cgroup/sendmsg4 |
| BPF_PROG_TYPE_CGROUP_SOCK_ADDR | BPF_CGROUP_UDP6_RECVMSG | cgroup/recvmsg6 |
| BPF_PROG_TYPE_CGROUP_SOCK_ADDR | BPF_CGROUP_UDP6_SENDMSG | cgroup/sendmsg6 |
| BPF_PROG_TYPE_CGROUP_SOCK_ADDR | BPF_CGROUP_UNIX_CONNECT | cgroup/connect_unix |
| BPF_PROG_TYPE_CGROUP_SOCK_ADDR | BPF_CGROUP_UNIX_SENDMSG | cgroup/sendmsg_unix |
| BPF_PROG_TYPE_CGROUP_SOCK_ADDR | BPF_CGROUP_UNIX_RECVMSG | cgroup/recvmsg_unix |
| BPF_PROG_TYPE_CGROUP_SOCK_ADDR | BPF_CGROUP_UNIX_GETPEERNAME | cgroup/getpeername_unix |
| BPF_PROG_TYPE_CGROUP_SOCK_ADDR | BPF_CGROUP_UNIX_GETSOCKNAME | cgroup/getsockname_unix |
| BPF_PROG_TYPE_CGROUP_SOCK | BPF_CGROUP_INET4_POST_BIND | cgroup/post_bind4 |
| BPF_PROG_TYPE_CGROUP_SOCK | BPF_CGROUP_INET6_POST_BIND | cgroup/post_bind6 |
| BPF_PROG_TYPE_CGROUP_SOCK | BPF_CGROUP_INET_SOCK_CREATE | cgroup/sock_create |
| BPF_PROG_TYPE_CGROUP_SOCK | BPF_CGROUP_INET_SOCK_CREATE | cgroup/sock |
| BPF_PROG_TYPE_CGROUP_SOCK | BPF_CGROUP_INET_SOCK_RELEASE | cgroup/sock_release |
| BPF_PROG_TYPE_CGROUP_SYSCTL | BPF_CGROUP_SYSCTL | cgroup/sysctl |
| BPF_PROG_TYPE_EXT | | freplace or freplace/¹ |
| BPF_PROG_TYPE_FLOW_DISSECTOR | BPF_FLOW_DISSECTOR | flow_dissector |
| BPF_PROG_TYPE_KPROBE | | kprobe or kprobe/or kprobe/+² |
| BPF_PROG_TYPE_KPROBE | | kretprobe or kprobe/or kprobe/+² |
| BPF_PROG_TYPE_KPROBE | | ksyscall or ksyscall/³ |
| BPF_PROG_TYPE_KPROBE | | kretsyscall or ksyscall/³ |
| BPF_PROG_TYPE_KPROBE | | uprobe or uprobe/:or uprobe:/:+⁴ |
| BPF_PROG_TYPE_KPROBE | | uprobe.s or uprobe.s/:or uprobe.s:/:+⁴ |
| BPF_PROG_TYPE_KPROBE | | uretprobe or uretprobe/:or uretprobe:/:+⁴ |
| BPF_PROG_TYPE_KPROBE | | uretprobe.s or uretprobe.s/:or uretprobe.s:/:+⁴ |
| BPF_PROG_TYPE_KPROBE | | usdt or usdt/::⁵ |
| BPF_PROG_TYPE_KPROBE | BPF_TRACE_KPROBE_MULTI | kprobe.multi or kprobe.multi/⁶ |
| BPF_PROG_TYPE_KPROBE | BPF_TRACE_KPROBE_MULTI | kretprobe.multi or kretprobe.multi/⁶ |
| BPF_PROG_TYPE_LIRC_MODE2 | BPF_LIRC_MODE2 | lirc_mode2 |
| BPF_PROG_TYPE_LSM | BPF_LSM_CGROUP | lsm_cgroup |
| BPF_PROG_TYPE_LSM | BPF_LSM_MAC | lsm or lsm/⁷ |
| BPF_PROG_TYPE_LSM | BPF_LSM_MAC | lsm.s or lsm.s/⁷ |
| BPF_PROG_TYPE_LWT_IN | | lwt_in |
| BPF_PROG_TYPE_LWT_OUT | | lwt_out |
| BPF_PROG_TYPE_LWT_SEG6LOCAL | | lwt_seg6local |
| BPF_PROG_TYPE_LWT_XMIT | | lwt_xmit |
| BPF_PROG_TYPE_NETFILTER | | netfilter |
| BPF_PROG_TYPE_PERF_EVENT | | perf_event |
| BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE | | raw_tp.w or raw_tp.w/⁸ |
| BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE | | raw_tracepoint.w or raw_tracepoint.w/ |
| BPF_PROG_TYPE_RAW_TRACEPOINT | | raw_tp or raw_tp.w/⁸ |
| BPF_PROG_TYPE_RAW_TRACEPOINT | | raw_tracepoint or raw_tracepoint/ |
| BPF_PROG_TYPE_SCHED_ACT | | action⁹ |
| BPF_PROG_TYPE_SCHED_CLS | | classifier⁹ |
| BPF_PROG_TYPE_SCHED_CLS | | tc⁹ |
| BPF_PROG_TYPE_SCHED_CLS | BPF_NETKIT_PRIMARY | netkit/primary |
| BPF_PROG_TYPE_SCHED_CLS | BPF_NETKIT_PEER | netkit/peer |
| BPF_PROG_TYPE_SCHED_CLS | BPF_TCX_INGRESS | tc/ingress |
| BPF_PROG_TYPE_SCHED_CLS | BPF_TCX_EGRESS | tc/egress |
| BPF_PROG_TYPE_SCHED_CLS | BPF_TCX_INGRESS | tcx/ingress |
| BPF_PROG_TYPE_SCHED_CLS | BPF_TCX_EGRESS | tcx/egress |
| BPF_PROG_TYPE_SK_LOOKUP | BPF_SK_LOOKUP | sk_lookup |
| BPF_PROG_TYPE_SK_MSG | BPF_SK_MSG_VERDICT | sk_msg |
| BPF_PROG_TYPE_SK_REUSEPORT | BPF_SK_REUSEPORT_SELECT_OR_MIGRATE | sk_reuseport/migrate |
| BPF_PROG_TYPE_SK_REUSEPORT | BPF_SK_REUSEPORT_SELECT | sk_reuseport |
| BPF_PROG_TYPE_SK_SKB | | sk_skb |
| BPF_PROG_TYPE_SK_SKB | BPF_SK_SKB_STREAM_PARSER | sk_skb/stream_parser |
| BPF_PROG_TYPE_SK_SKB | BPF_SK_SKB_STREAM_VERDICT | sk_skb/stream_verdict |
| BPF_PROG_TYPE_SOCKET_FILTER | | socket |
| BPF_PROG_TYPE_SOCK_OPS | BPF_CGROUP_SOCK_OPS | sockops |
| BPF_PROG_TYPE_STRUCT_OPS | | struct_ops or struct_ops/¹⁰ |
| BPF_PROG_TYPE_STRUCT_OPS | | struct_ops.s or struct_ops.s/¹⁰ |
| BPF_PROG_TYPE_SYSCALL | | syscall |
| BPF_PROG_TYPE_TRACEPOINT | | tp or tp//¹¹ |
| BPF_PROG_TYPE_TRACEPOINT | | tracepoint or tracepoint//¹¹ |
| BPF_PROG_TYPE_TRACING | BPF_MODIFY_RETURN | fmod_ret or fmod_ret/¹ |
| BPF_PROG_TYPE_TRACING | BPF_MODIFY_RETURN | fmod_ret.s or fmod_ret.s/¹ |
| BPF_PROG_TYPE_TRACING | BPF_TRACE_FENTRY | fentry or fentry/¹ |
| BPF_PROG_TYPE_TRACING | BPF_TRACE_FENTRY | fentry.s or fentry.s/¹ |
| BPF_PROG_TYPE_TRACING | BPF_TRACE_FEXIT | fexit or fexit/¹ |
| BPF_PROG_TYPE_TRACING | BPF_TRACE_FEXIT | fexit.s or fexit.s/¹ |
| BPF_PROG_TYPE_TRACING | BPF_TRACE_ITER | iter or iter/¹² |
| BPF_PROG_TYPE_TRACING | BPF_TRACE_ITER | iter.s or iter.s/¹² |
| BPF_PROG_TYPE_TRACING | BPF_TRACE_RAW_TP | tp_btf or tp_btf/¹ |
| BPF_PROG_TYPE_XDP | BPF_XDP_CPUMAP | xdp.frags/cpumap |
| BPF_PROG_TYPE_XDP | BPF_XDP_CPUMAP | xdp/cpumap |
| BPF_PROG_TYPE_XDP | BPF_XDP_DEVMAP | xdp.frags/devmap |
| BPF_PROG_TYPE_XDP | BPF_XDP_DEVMAP | xdp/devmap |
| BPF_PROG_TYPE_XDP | BPF_XDP | xdp.frags |
| BPF_PROG_TYPE_XDP | BPF_XDP | xdp |
The above table is sourced from the “Program Types and ELF Sections” page in the Linux kernel documentation (Copyright (c) 2022 Donald Hunter. All rights reserved).
https://docs.kernel.org/bpf/libbpf/program_types.html
https://docs.kernel.org/index.html
1. `<function>` is the symbol name of the function. This may be architecture-specific, such as `__x64_sys_getpid` for the `getpid` system call on the x86_64 architecture. Valid characters for `<function>` are `a-zA-Z0-9_`.
2. `<offset>` is the address offset relative to the symbol name. It must be a valid non-negative integer.
3. `<syscall>` is the name of the system call, such as `getpid`. It is not architecture-specific.
4. `<path>` is the path of the executable or library.
5. `<path>` is the path of the executable or library providing the USDT probe, `<provider>` is the USDT provider, and `<name>` is the name of the USDT probe.
6. `<pattern>` is used to match kernel function names, which may be architecture-specific. `<pattern>` supports `*` and `?` wildcards. Valid characters for `<pattern>` are `a-zA-Z0-9_.*?`.
7. `<hook>` is the name of the LSM (Linux Security Module) hook. For details, refer to the program type `BPF_PROG_TYPE_LSM`.
8. `<tracepoint>` is the name of the tracing event. For details, refer to the program types `BPF_PROG_TYPE_TRACEPOINT` and `BPF_PROG_TYPE_RAW_TRACEPOINT`.
9. The `tc`, `classifier`, and `action` attach types are deprecated; please use `tcx/*`.
10. `<name>` is the value of the `.name` member of the structure defined in the `.struct_ops` section. For details, refer to the program type `BPF_PROG_TYPE_STRUCT_OPS`.
11. `<category>` is the name of the subsystem, and `<name>` is the event name according to the event tracing convention.
12. `<struct_name>` is the name of the tracing program iterator. For details, refer to the “Iterator” section in the program type `BPF_PROG_TYPE_TRACING`.
Last updated: March 29, 2025
Created on: January 25, 2023
Src
https://docs.ebpf.io/linux/program-type/