Program types (Linux)

eBPF programs can be used for large and ever growing variety of different purposes. Different types of eBPF programs exist to accommodate these different use-cases. The Linux kernel may restrict or allow certain features depending on the program type, not all types of programs can do the same things because of where they are executed in the kernel. The verifier will enforce such restrictions.

Network program types

These program types are triggered by network events

Light weight tunnel program types

These program types are used to implement custom light weight tunneling protocols

cGroup program types

These program types are triggered by events of cGroups to which the program is attached

Tracing program types

These program types are triggered by tracing events from the kernel or userspace

Misc

These program types have unique purposes and do not fit neatly in any of the larger categories

BPF_PROG_TYPE_LIRC_MODE2
BPF_PROG_TYPE_LSM
BPF_PROG_TYPE_EXT
BPF_PROG_TYPE_STRUCT_OPS
BPF_PROG_TYPE_SYSCALL

ELF sections

The concept of a program type only exists at the kernel/syscall level. There is no standardized way of marking which program type a particular program within an ELF is. The industry standard that most loaders follow the example set out by LibBPF which is to patterns in the ELF section names to convey the program type.

Index of section names

Docs could be improved

This part of the docs is incomplete, contributions are very welcome