跳过正文

Hanshal Mehta

https://hanshal101.github.io/hanshal101/blog/ebpf/a-comprehensive-guide-to-libbpf-functions/

https://docs.google.com/document/d/1ZgRbRbFUFqVlhRi7jPir8cwVJ1i7Gw_YY1rJ-TLNPSY/edit?tab=t.0#heading=h.3ly4m9gygkmz

|

Home
Blog
Experience
Open Source
Search

Home » Blogs »

Unlocking Linux Superpowers: A DEEP guide to eBPF The Complete eBPF Function Reference: A Comprehensive Guide to libbpf Functions 30th June 2025 ‎ Table of Contents

Motivation

The extended Berkeley Packet Filter (eBPF) has rapidly evolved from a low-level packet filtering mechanism to a powerful framework for building high-performance, programmable applications within the Linux kernel. As its ecosystem has grown, so too has the complexity of its supporting libraries. One of the famous and most reliable library developers uses is libbpf.

For developers diving into eBPF, libbpf serves as the essential user-space library to interact with BPF objects, manage maps and programs, handle kernel integration, and access advanced features like BTF (BPF Type Format). However, despite its critical role, libbpf’s documentation remains fragmented, and many of its functions are poorly understood or underutilized.

I am writting this post to change that.

In this comprehensive reference guide, you’ll find categorized, structured documentation of libbpf functions, complete with parameters, return types, use cases, and practical explanations. Whether you’re building observability tools, network filters, or system profilers, this guide is designed to help you quickly locate and understand the exact function you need.

For reference I have taken the following libraries into consideration: libbpf (C/C++) and libbpf-rs (Rust - I Code a lot here) the two most widely used APIs for managing eBPF programs, maps, links, and metadata.

On top of that I’ll be attaching a Google Doc at the end, just incase you wish to download this guide and modify according to your preferences.

  1. BTF (BPF Type Format) Functions Function Name Purpose Parameters Return Type When to Use Detailed Explanation bpf_btf_get_fd_by_id Get BTF file descriptor by ID __u32 id int When you need to access BTF object with known ID Returns file descriptor for BTF object with given ID. Useful for introspection tools to examine type information of loaded programs bpf_btf_get_fd_by_id_opts Get BTF file descriptor by ID with options __u32 id, const struct bpf_get_fd_by_id_opts *opts int When you need BTF access with specific options Extended version with options like token_fd for permission delegation bpf_btf_get_info_by_fd Get BTF information by file descriptor int btf_fd, struct bpf_btf_info *info, __u32 *info_len int When you need metadata about BTF object Populates BTF object information structure with metadata like name, BTF data size, etc. bpf_btf_get_next_id Get next BTF ID __u32 start_id, __u32 *next_id int For iterating through all BTF objects Used by introspection tools to enumerate all loaded BTF objects in the system bpf_btf_load Load BTF data into kernel const void *btf_data, size_t btf_size, struct bpf_btf_load_opts *opts int When loading BTF type information Loads BTF blob into kernel, returns BTF file descriptor for use with maps and programs btf__new Create new BTF object from raw data const void *data, __u32 size struct btf * When parsing BTF from ELF or raw bytes Creates BTF object instance from raw BTF section data, used during program loading btf__free Free BTF object struct btf *btf void When cleaning up BTF resources Frees all memory associated with BTF object, should be called for every btf__new() btf__load_into_kernel Load BTF into kernel struct btf *btf int When making BTF available to kernel Uploads BTF object to kernel, making it available for program verification and map creation btf__parse Parse BTF from file const char *path, struct btf_ext **btf_ext struct btf * When loading BTF from ELF file Parses BTF section from ELF file, commonly used with compiled BPF programs

  2. BPF Link Management Functions Function Name Purpose Parameters Return Type When to Use Detailed Explanation bpf_link__destroy Destroy BPF link struct bpf_link *link int When detaching and cleaning up program Detaches program from kernel hook and frees all associated resources bpf_link__detach Detach BPF link struct bpf_link *link int When you want to detach but keep link object Detaches program from hook point but preserves link object for potential reuse bpf_link__disconnect Disconnect BPF link struct bpf_link *link void When severing link connection Disconnects link from underlying kernel attachment without destroying the object bpf_link__fd Get link file descriptor const struct bpf_link *link int When you need raw FD for operations Returns underlying file descriptor for direct syscall operations bpf_link__open Open existing link from filesystem const char *path struct bpf_link * When loading pinned link Opens previously pinned link from BPF filesystem bpf_link__pin Pin link to filesystem struct bpf_link *link, const char *path int When persisting link beyond process lifetime Pins link to BPF filesystem, allowing it to persist after process exits bpf_link__pin_path Get pin path of link const struct bpf_link *link const char * When checking where link is pinned Returns filesystem path where link is pinned, NULL if not pinned bpf_link__unpin Unpin link from filesystem struct bpf_link *link int When removing persisted link Removes link from filesystem, decrementing reference count bpf_link__update_map Update map associated with link struct bpf_link *link, const struct bpf_map *map int When changing map for struct_ops Updates the map associated with struct_ops link to different map bpf_link__update_program Update program in link struct bpf_link *link, struct bpf_program *prog int When hot-swapping programs Atomically replaces program in existing link without recreating attachment bpf_link_create Create new BPF link int prog_fd, int target_fd, enum bpf_attach_type attach_type, const struct bpf_link_create_opts *opts int When you need low-level link control Low-level wrapper around BPF_LINK_CREATE syscall for precise control bpf_link_detach Detach link by FD int link_fd int When detaching using raw file descriptor Detaches link using its file descriptor directly bpf_link_get_fd_by_id Get link FD by ID __u32 id int When accessing link with known ID Returns file descriptor for link with specified ID bpf_link_get_fd_by_id_opts Get link FD by ID with options __u32 id, const struct bpf_get_fd_by_id_opts *opts int When accessing link with options Extended version with additional options like token_fd bpf_link_get_info_by_fd Get link information int link_fd, struct bpf_link_info *info, __u32 *info_len int When querying link metadata Retrieves link information including type, program ID, and attach information bpf_link_get_next_id Get next link ID __u32 start_id, __u32 *next_id int For enumerating all links Used by introspection tools to iterate through all links in system bpf_link_update Update existing link int link_fd, int new_prog_fd, const struct bpf_link_update_opts *opts int When replacing program in link Updates link to use different program, useful for program hot-swapping

  3. BPF Map Functions Function Name Purpose Parameters Return Type When to Use Detailed Explanation bpf_map__attach_struct_ops Attach struct_ops map const struct bpf_map *map struct bpf_link * When using struct_ops maps Attaches struct_ops map to kernel subsystem, enabling callback function registration bpf_map__autoattach Check if map auto-attaches const struct bpf_map *map bool When checking map attachment behavior Returns whether map will automatically attach during skeleton attach phase bpf_map__autocreate Check if map auto-creates const struct bpf_map *map bool When checking map creation behavior Returns whether map will be automatically created during object load bpf_map__btf_key_type_id Get BTF key type ID const struct bpf_map *map __u32 When working with typed maps Returns BTF type ID for map key, enabling type-aware operations bpf_map__btf_value_type_id Get BTF value type ID const struct bpf_map *map __u32 When working with typed maps Returns BTF type ID for map value, used for type verification bpf_map__delete_elem Delete map element const struct bpf_map *map, const void *key, size_t key_sz, __u64 flags int When removing key-value pairs High-level wrapper for deleting map elements with size validation bpf_map__fd Get map file descriptor const struct bpf_map *map int When you need raw FD for operations Returns underlying file descriptor for direct map operations bpf_map__get_next_key Get next key in map const struct bpf_map *map, const void *cur_key, void *next_key, size_t key_sz int When iterating through map keys Retrieves next key for map iteration, returns -ENOENT when reaching end bpf_map__get_pin_path Get map pin path const struct bpf_map *map const char * When checking map persistence Returns filesystem path where map is pinned, NULL if not pinned bpf_map__ifindex Get map network interface index const struct bpf_map *map __u32 When working with device maps Returns network interface index for device-specific maps bpf_map__initial_value Get map initial value const struct bpf_map *map, size_t *psize void * When accessing global data Returns pointer to initial data for global variable maps (bss, data, rodata) bpf_map__inner_map Get inner map template struct bpf_map *map struct bpf_map * When working with map-in-map Returns template map for map-in-map types (array of maps, hash of maps) bpf_map__is_internal Check if map is internal const struct bpf_map *map bool When filtering map types Returns true for internal maps created by libbpf (global vars, externs) bpf_map__is_pinned Check if map is pinned const struct bpf_map *map bool When checking map persistence Returns whether map is currently pinned to filesystem bpf_map__key_size Get map key size const struct bpf_map *map __u32 When validating key sizes Returns size in bytes of map keys bpf_map__lookup_and_delete_elem Lookup and delete atomically const struct bpf_map *map, const void *key, size_t key_sz, void *value, size_t value_sz, __u64 flags int When implementing queues/stacks Atomically retrieves and removes element, useful for FIFO/LIFO operations bpf_map__lookup_elem Lookup map element const struct bpf_map *map, const void *key, size_t key_sz, void *value, size_t value_sz, __u64 flags int When reading map values High-level wrapper for map lookups with size validation bpf_map__map_extra Get map extra parameters const struct bpf_map *map __u64 When accessing map-specific data Returns map-specific extra data (bloom filter hash count, etc.) bpf_map__map_flags Get map flags const struct bpf_map *map __u32 When checking map properties Returns map creation flags (NO_PREALLOC, NUMA_NODE, etc.) bpf_map__max_entries Get maximum entries const struct bpf_map *map __u32 When checking map capacity Returns maximum number of entries the map can hold bpf_map__name Get map name const struct bpf_map *map const char * When identifying maps Returns name of the map as defined in BPF program bpf_map__numa_node Get NUMA node const struct bpf_map *map __u32 When checking NUMA placement Returns NUMA node where map memory is allocated bpf_map__pin Pin map to filesystem struct bpf_map *map, const char *path int When persisting maps Pins map to BPF filesystem for persistence beyond process lifetime bpf_map__pin_path Get pin path const struct bpf_map *map const char * When checking pin location Returns filesystem path where map is pinned bpf_map__reuse_fd Reuse existing map FD struct bpf_map *map, int fd int When sharing maps between processes Makes map object use existing file descriptor instead of creating new map bpf_map__set_autoattach Set auto-attach behavior struct bpf_map *map, bool autoattach int When controlling attachment Sets whether map automatically attaches during skeleton attach phase bpf_map__set_autocreate Set auto-create behavior struct bpf_map *map, bool autocreate int When controlling creation Sets whether map is automatically created during object load bpf_map__set_ifindex Set network interface index struct bpf_map *map, __u32 ifindex int When binding to specific device Sets network interface for device-specific maps bpf_map__set_initial_value Set initial map value struct bpf_map *map, const void *data, size_t size int When initializing global data Sets initial data for global variable maps bpf_map__set_inner_map_fd Set inner map FD struct bpf_map *map, int fd int When configuring map-in-map Sets template map for map-in-map types bpf_map__set_key_size Set key size struct bpf_map *map, __u32 size int When configuring map before load Sets size of map keys, must be called before object load bpf_map__set_map_extra Set map extra parameters struct bpf_map *map, __u64 map_extra int When setting map-specific options Sets map-specific extra parameters bpf_map__set_map_flags Set map flags struct bpf_map *map, __u32 flags int When configuring map behavior Sets map creation flags before load bpf_map__set_max_entries Set maximum entries struct bpf_map *map, __u32 max_entries int When sizing maps Sets maximum number of entries, must be called before load bpf_map__set_numa_node Set NUMA node struct bpf_map *map, __u32 numa_node int When optimizing memory placement Sets NUMA node for map memory allocation bpf_map__set_pin_path Set pin path struct bpf_map *map, const char *path int When configuring persistence Sets filesystem path for map pinning bpf_map__set_type Set map type struct bpf_map *map, enum bpf_map_type type int When changing map type Changes map type, must be called before object load bpf_map__set_value_size Set value size struct bpf_map *map, __u32 size int When configuring value size Sets size of map values, can resize global data sections bpf_map__type Get map type const struct bpf_map *map enum bpf_map_type When checking map type Returns the type of the map (HASH, ARRAY, etc.) bpf_map__unpin Unpin map from filesystem struct bpf_map *map, const char *path int When removing persistence Removes map from filesystem, decrementing reference count bpf_map__update_elem Update map element const struct bpf_map *map, const void *key, size_t key_sz, const void *value, size_t value_sz, __u64 flags int When writing to maps High-level wrapper for map updates with size validation bpf_map__value_size Get value size const struct bpf_map *map __u32 When validating value sizes Returns size in bytes of map values bpf_map_create Create new map enum bpf_map_type map_type, const char *map_name, __u32 key_size, __u32 value_size, __u32 max_entries, const struct bpf_map_create_opts *opts int When creating maps programmatically Low-level map creation with precise control over all parameters

  4. BPF Object Functions Function Name Purpose Parameters Return Type When to Use Detailed Explanation bpf_object__attach_skeleton Attach skeleton programs struct bpf_object_skeleton *s int When using skeleton-based loading Attaches all programs in skeleton to their respective hook points bpf_object__btf Get object’s BTF const struct bpf_object *obj struct btf * When accessing type information Returns BTF object associated with BPF object for type introspection bpf_object__btf_fd Get BTF file descriptor const struct bpf_object *obj int When you need BTF FD Returns file descriptor of BTF object associated with BPF object bpf_object__close Close BPF object struct bpf_object *obj void When cleaning up Frees all resources associated with BPF object bpf_object__destroy_skeleton Destroy skeleton struct bpf_object_skeleton *s void When cleaning up skeleton Frees all skeleton resources including maps, programs, and links bpf_object__destroy_subskeleton Destroy subskeleton struct bpf_object_subskeleton *s void When cleaning up subskeleton Frees subskeleton resources for partial object access bpf_object__detach_skeleton Detach skeleton programs struct bpf_object_skeleton *s void When detaching all programs Detaches all programs in skeleton from their hook points bpf_object__find_map_by_name Find map by name const struct bpf_object *obj, const char *name struct bpf_map * When accessing specific maps Locates map within object by name, returns NULL if not found bpf_object__find_map_fd_by_name Find map FD by name const struct bpf_object *obj, const char *name int When you need map FD directly Returns file descriptor of named map, -1 if not found bpf_object__find_program_by_name Find program by name const struct bpf_object *obj, const char *name struct bpf_program * When accessing specific programs Locates program within object by name bpf_object__gen_loader Generate loader program struct bpf_object *obj, struct gen_loader_opts *opts int When creating loader programs Generates BPF program that can load the object at runtime bpf_object__kversion Get kernel version const struct bpf_object *obj unsigned int When checking version requirements Returns kernel version the object was compiled for bpf_object__load Load object into kernel struct bpf_object *obj int When loading all programs and maps Loads all programs and maps in object into kernel bpf_object__load_skeleton Load skeleton struct bpf_object_skeleton *s int When using skeleton loading Loads all skeleton components into kernel bpf_object__name Get object name const struct bpf_object *obj const char * When identifying objects Returns name of the BPF object bpf_object__next_map Get next map const struct bpf_object *obj, const struct bpf_map *map struct bpf_map * When iterating through maps Iterates through all maps in object, NULL to start bpf_object__next_program Get next program const struct bpf_object *obj, struct bpf_program *prog struct bpf_program * When iterating through programs Iterates through all programs in object, NULL to start bpf_object__open Open BPF object file const char *path struct bpf_object * When loading from ELF file Opens and parses BPF ELF object file bpf_object__open_file Open with options const char *path, const struct bpf_object_open_opts *opts struct bpf_object * When you need open options Extended open with options like BTF custom path bpf_object__open_mem Open from memory const void *obj_buf, size_t obj_buf_sz, const struct bpf_object_open_opts *opts struct bpf_object * When loading from memory buffer Opens BPF object from memory buffer instead of file bpf_object__open_skeleton Open skeleton struct bpf_object_skeleton *s, const struct bpf_object_open_opts *opts int When using skeleton loading Opens skeleton object with specified options bpf_object__open_subskeleton Open subskeleton struct bpf_object_subskeleton *s int When accessing partial object Opens subskeleton for accessing subset of object components bpf_object__pin Pin entire object struct bpf_object *object, const char *path int When persisting entire object Pins all maps and programs in object to filesystem directory bpf_object__pin_maps Pin all maps struct bpf_object *obj, const char *path int When persisting maps only Pins all maps in object to specified directory bpf_object__pin_programs Pin all programs struct bpf_object *obj, const char *path int When persisting programs Pins all programs in object to filesystem directory bpf_object__prev_map Get previous map const struct bpf_object *obj, const struct bpf_map *map struct bpf_map * When reverse-iterating maps Reverse iteration through maps in object bpf_object__prev_program Get previous program const struct bpf_object *obj, struct bpf_program *prog struct bpf_program * When reverse-iterating programs Reverse iteration through programs in object bpf_object__set_kversion Set kernel version struct bpf_object *obj, __u32 kern_version int When targeting specific kernel Sets target kernel version for compatibility bpf_object__token_fd Get token file descriptor const struct bpf_object *obj int When using delegation tokens Returns BPF token FD for permission delegation bpf_object__unpin Unpin entire object struct bpf_object *object, const char *path int When removing object persistence Unpins all object components from filesystem bpf_object__unpin_maps Unpin all maps struct bpf_object *obj, const char *path int When removing map persistence Unpins all maps from filesystem directory bpf_object__unpin_programs Unpin all programs struct bpf_object *obj, const char *path int When removing program persistence Unpins all programs from filesystem directory

  5. BPF Program Functions Function Name Purpose Parameters Return Type When to Use Detailed Explanation bpf_program__attach Generic program attachment const struct bpf_program *prog struct bpf_link * When using auto-detection Automatically detects program type and attaches appropriately bpf_program__attach_cgroup Attach to cgroup const struct bpf_program *prog, int cgroup_fd struct bpf_link * When filtering cgroup operations Attaches program to cgroup for network or process filtering bpf_program__attach_freplace Attach as function replacement const struct bpf_program *prog, int target_fd, const char *attach_func_name struct bpf_link * When replacing kernel functions Replaces existing BPF program function with new implementation bpf_program__attach_iter Attach to iterator const struct bpf_program *prog, const struct bpf_iter_attach_opts *opts struct bpf_link * When creating BPF iterators Attaches program to BPF iterator for custom data traversal bpf_program__attach_kprobe Attach to kernel probe const struct bpf_program *prog, bool retprobe, const char *func_name struct bpf_link * When tracing kernel functions Attaches to kernel function entry or exit for tracing bpf_program__attach_kprobe_multi_opts Attach to multiple kprobes const struct bpf_program *prog, const char *pattern, const struct bpf_kprobe_multi_opts *opts struct bpf_link * When tracing multiple functions Attaches to multiple kernel functions matching pattern bpf_program__attach_kprobe_opts Attach kprobe with options const struct bpf_program *prog, const char *func_name, const struct bpf_kprobe_opts *opts struct bpf_link * When you need kprobe options Extended kprobe attachment with custom options like offset, cookie bpf_program__attach_ksyscall Attach to system call const struct bpf_program *prog, const char *syscall_name, const struct bpf_ksyscall_opts *opts struct bpf_link * When tracing system calls Attaches to kernel system call handlers with arch-independence bpf_program__attach_lsm Attach to LSM hook const struct bpf_program *prog struct bpf_link * When implementing security policies Attaches to Linux Security Module hooks for security enforcement bpf_program__attach_netfilter Attach to netfilter const struct bpf_program *prog, const struct bpf_netfilter_opts *opts struct bpf_link * When filtering network packets Attaches to netfilter hooks for packet filtering bpf_program__attach_netkit Attach to netkit device const struct bpf_program *prog, int ifindex, const struct bpf_netkit_opts *opts struct bpf_link * When working with netkit devices Attaches program to netkit virtual network device bpf_program__attach_netns Attach to network namespace const struct bpf_program *prog, int netns_fd struct bpf_link * When filtering per-netns Attaches program to specific network namespace bpf_program__attach_perf_event Attach to perf event const struct bpf_program *prog, int pfd struct bpf_link * When monitoring performance Attaches to perf event for performance monitoring bpf_program__attach_perf_event_opts Attach to perf event with options const struct bpf_program *prog, int pfd, const struct bpf_perf_event_opts *opts struct bpf_link * When you need perf options Extended perf event attachment with custom options bpf_program__attach_raw_tracepoint Attach to raw tracepoint const struct bpf_program *prog, const char *tp_name struct bpf_link * When you need low-latency tracing Attaches to raw kernel tracepoints for minimal overhead bpf_program__attach_raw_tracepoint_opts Attach raw tracepoint with options const struct bpf_program *prog, const char *tp_name, struct bpf_raw_tracepoint_opts *opts struct bpf_link * When you need raw tracepoint options Extended raw tracepoint with additional options bpf_program__attach_sockmap Attach to socket map const struct bpf_program *prog, int map_fd struct bpf_link * When redirecting sockets Attaches program to socket map for socket redirection bpf_program__attach_tcx Attach to TC express const struct bpf_program *prog, int ifindex, const struct bpf_tcx_opts *opts struct bpf_link * When using TC express datapath Attaches to traffic control express path for high-performance packet processing bpf_program__attach_trace Attach tracing program const struct bpf_program *prog struct bpf_link * When tracing with fentry/fexit Attaches tracing programs like fentry, fexit, fmod_ret bpf_program__attach_trace_opts Attach trace with options const struct bpf_program *prog, const struct bpf_trace_opts *opts struct bpf_link * When you need trace options Extended tracing attachment with additional options bpf_program__attach_tracepoint Attach to tracepoint const struct bpf_program *prog, const char *tp_category, const char *tp_name struct bpf_link * When tracing specific events Attaches to kernel tracepoints for event monitoring bpf_program__attach_tracepoint_opts Attach tracepoint with options const struct bpf_program *prog, const char *tp_category, const char *tp_name, const struct bpf_tracepoint_opts *opts struct bpf_link * When you need tracepoint options Extended tracepoint attachment with custom options bpf_program__attach_uprobe Attach to user probe const struct bpf_program *prog, bool retprobe, pid_t pid, const char *binary_path, size_t func_offset struct bpf_link * When tracing userspace functions Attaches to userspace function for application tracing bpf_program__attach_uprobe_multi Attach to multiple uprobes const struct bpf_program *prog, pid_t pid, const char *binary_path, const char *func_pattern, const struct bpf_uprobe_multi_opts *opts struct bpf_link * When tracing multiple user functions Attaches to multiple userspace functions matching pattern bpf_program__attach_uprobe_opts Attach uprobe with options const struct bpf_program *prog, pid_t pid, const char *binary_path, size_t func_offset, const struct bpf_uprobe_opts *opts struct bpf_link * When you need uprobe options Extended uprobe attachment with custom options bpf_program__attach_usdt Attach to USDT probe const struct bpf_program *prog, pid_t pid, const char *binary_path, const char *usdt_provider, const char *usdt_name, const struct bpf_usdt_opts *opts struct bpf_link * When tracing USDT probes Attaches to User Statically Defined Tracepoints bpf_program__attach_xdp Attach to XDP const struct bpf_program *prog, int ifindex struct bpf_link * When processing packets at driver level Attaches XDP program to network interface for early packet processing bpf_program__autoattach Check auto-attach status const struct bpf_program *prog bool When checking attachment behavior Returns whether program will auto-attach during skeleton attach bpf_program__autoload Check auto-load status const struct bpf_program *prog bool When checking load behavior Returns whether program will be loaded automatically bpf_program__expected_attach_type Get expected attach type const struct bpf_program *prog enum bpf_attach_type When querying attach requirements Returns the expected attachment type for the program bpf_program__fd Get program file descriptor const struct bpf_program *prog int When you need raw FD Returns underlying file descriptor for direct operations bpf_program__flags Get program flags const struct bpf_program *prog __u32 When checking program properties Returns program load flags bpf_program__get_expected_attach_type Get expected attach type const struct bpf_program *prog enum bpf_attach_type When querying attachment requirements Alias for bpf_program__expected_attach_type bpf_program__get_type Get program type const struct bpf_program *prog enum bpf_prog_type When checking program type Returns the BPF program type bpf_program__insn_cnt Get instruction count const struct bpf_program *prog size_t When analyzing program size Returns number of BPF instructions in program bpf_program__insns Get program instructions const struct bpf_program *prog const struct bpf_insn * When analyzing program code Returns pointer to BPF instruction array bpf_program__log_buf Get program log buffer const struct bpf_program *prog, size_t *log_size const char * When debugging program loading Returns verifier log buffer for debugging bpf_program__log_level Get log level const struct bpf_program *prog __u32 When checking debug settings Returns current verifier log level bpf_program__name Get program name const struct bpf_program *prog const char * When identifying programs Returns name of the BPF program bpf_program__pin Pin program to filesystem struct bpf_program *prog, const char *path int When persisting programs Pins program to BPF filesystem for persistence bpf_program__section_name Get section name const struct bpf_program *prog const char * When checking program source Returns ELF section name where program was defined bpf_program__set_attach_target Set attach target struct bpf_program *prog, int attach_prog_fd, const char *attach_func_name int When setting BTF attach targets Sets target for BTF-aware programs (fentry, fexit, etc.) bpf_program__set_autoattach Set auto-attach behavior struct bpf_program *prog, bool autoattach void When controlling attachment Sets whether program auto-attaches during skeleton attach bpf_program__set_autoload Set auto-load behavior struct bpf_program *prog, bool autoload int When controlling loading Sets whether program loads automatically bpf_program__set_expected_attach_type Set expected attach type struct bpf_program *prog, enum bpf_attach_type type int When configuring attachment Sets expected attachment type for program bpf_program__set_flags Set program flags struct bpf_program *prog, __u32 flags int When configuring load behavior Sets program loading flags bpf_program__set_ifindex Set interface index struct bpf_program *prog, __u32 ifindex void When targeting specific interfaces Sets network interface index for device-specific programs bpf_program__set_insns Set program instructions struct bpf_program *prog, struct bpf_insn *new_insns, size_t new_insn_cnt int When modifying program code Replaces program instructions (advanced use only) bpf_program__set_log_buf Set log buffer struct bpf_program *prog, char *log_buf, size_t log_size int When capturing verifier output Sets buffer for verifier log messages bpf_program__set_log_level Set log level struct bpf_program *prog, __u32 log_level int When configuring debug output Sets verifier log verbosity level bpf_program__set_type Set program type struct bpf_program *prog, enum bpf_prog_type type int When changing program type Sets BPF program type, must be called before load bpf_program__type Get program type const struct bpf_program *prog enum bpf_prog_type When checking program type Returns the BPF program type bpf_program__unload Unload program struct bpf_program *prog void When removing from kernel Removes program from kernel, making it loadable again bpf_program__unpin Unpin program struct bpf_program *prog, const char *path int When removing persistence Removes program from filesystem

  6. Ring Buffer Functions Function Name Purpose Parameters Return Type When to Use Detailed Explanation ring_buffer__new Create ring buffer manager int map_fd, ring_buffer_sample_fn sample_cb, void *ctx, const struct ring_buffer_opts *opts struct ring_buffer * When setting up efficient data transfer Creates ring buffer manager for high-performance data streaming from kernel to userspace ring_buffer__free Free ring buffer struct ring_buffer *rb void When cleaning up Frees all resources associated with ring buffer manager ring_buffer__add Add ring buffer struct ring_buffer *rb, int map_fd, ring_buffer_sample_fn sample_cb, void *ctx int When managing multiple ring buffers Adds additional ring buffer to existing manager ring_buffer__poll Poll for data struct ring_buffer *rb, int timeout_ms int When waiting for data Polls ring buffer for new data with timeout ring_buffer__consume Consume available data struct ring_buffer *rb int When processing all available data Consumes all available data without blocking ring_buffer__consume_n Consume N records struct ring_buffer *rb, size_t n int When limiting processing Consumes up to N records from ring buffer ring_buffer__epoll_fd Get epoll file descriptor const struct ring_buffer *rb int When integrating with event loops Returns FD for epoll integration in event-driven applications ring_buffer__ring Get individual ring struct ring_buffer *rb, unsigned int idx struct ring * When accessing specific rings Returns specific ring buffer instance from manager user_ring_buffer__new Create user ring buffer int map_fd, const struct user_ring_buffer_opts *opts struct user_ring_buffer * When userspace needs to send data to kernel Creates ring buffer for userspace-to-kernel communication user_ring_buffer__reserve Reserve buffer space struct user_ring_buffer *rb, __u32 size void * When writing to ring buffer Reserves space in ring buffer for writing data user_ring_buffer__reserve_blocking Reserve with blocking struct user_ring_buffer *rb, __u32 size, int timeout_ms void * When blocking until space available Blocks until space becomes available in ring buffer user_ring_buffer__submit Submit reserved data struct user_ring_buffer *rb, void *sample void When finalizing data write Submits previously reserved data to ring buffer user_ring_buffer__discard Discard reserved data struct user_ring_buffer *rb, void *sample void When canceling write operation Discards previously reserved space without writing user_ring_buffer__free Free user ring buffer struct user_ring_buffer *rb void When cleaning up Frees user ring buffer resources

  7. Performance Buffer Functions Function Name Purpose Parameters Return Type When to Use Detailed Explanation perf_buffer__new Create performance buffer int map_fd, size_t page_cnt, perf_buffer_sample_fn sample_cb, perf_buffer_lost_fn lost_cb, void *ctx, const struct perf_buffer_opts *opts struct perf_buffer * When using perf events for data transfer Creates performance event buffer for kernel-to-userspace communication perf_buffer__new_raw Create raw performance buffer int map_fd, size_t page_cnt, struct perf_event_attr *attr, perf_buffer_event_fn event_cb, void *ctx, const struct perf_buffer_raw_opts *opts struct perf_buffer * When you need custom perf event attributes Creates perf buffer with custom performance event configuration perf_buffer__free Free performance buffer struct perf_buffer *pb void When cleaning up Frees all performance buffer resources perf_buffer__epoll_fd Get epoll file descriptor const struct perf_buffer *pb int When integrating with event loops Returns FD for epoll integration perf_buffer__poll Poll for events struct perf_buffer *pb, int timeout_ms int When waiting for perf events Polls performance buffer for new events perf_buffer__consume Consume all events struct perf_buffer *pb int When processing all available events Consumes all available events without blocking perf_buffer__consume_buffer Consume specific buffer struct perf_buffer *pb, size_t buf_idx int When processing specific CPU buffer Consumes events from specific per-CPU buffer perf_buffer__buffer_cnt Get buffer count const struct perf_buffer *pb size_t When checking buffer configuration Returns number of per-CPU buffers perf_buffer__buffer_fd Get buffer file descriptor const struct perf_buffer *pb, size_t buf_idx int When accessing specific buffer FD Returns FD for specific per-CPU buffer perf_buffer__buffer Get raw buffer data struct perf_buffer *pb, int buf_idx, void **buf, size_t *buf_size int When implementing custom event processing Returns raw mmap’d buffer for custom processing

  8. Utility Functions Function Name Purpose Parameters Return Type When to Use Detailed Explanation libbpf_get_error Extract error from pointer const void *ptr long When checking libbpf API errors Extracts error code from libbpf function pointers (deprecated in 1.0) libbpf_major_version Get major version void __u32 When checking libbpf version Returns major version number of libbpf library libbpf_minor_version Get minor version void __u32 When checking libbpf version Returns minor version number of libbpf library libbpf_version_string Get version string void const char * When displaying version info Returns human-readable version string libbpf_strerror Get error string int err, char *buf, size_t size int When formatting error messages Converts error code to human-readable string libbpf_set_print Set print callback libbpf_print_fn_t fn libbpf_print_fn_t When customizing debug output Sets custom function for libbpf debug/error messages libbpf_num_possible_cpus Get CPU count void int When sizing per-CPU data structures Returns number of possible CPUs for per-CPU map sizing libbpf_find_kernel_btf Find kernel BTF void struct btf * When accessing kernel type info Locates and loads kernel BTF for type information libbpf_find_vmlinux_btf_id Find kernel function BTF ID const char *name, enum bpf_attach_type attach_type int When working with kernel functions Finds BTF ID for kernel function by name libbpf_attach_type_by_name Get attach type by name const char *name, enum bpf_attach_type *attach_type int When parsing attach type strings Converts attach type name to enum value libbpf_prog_type_by_name Get program type by name const char *name, enum bpf_prog_type *prog_type, enum bpf_attach_type *expected_attach_type int When parsing program type strings Converts program type name to enum values libbpf_bpf_attach_type_str Get attach type string enum bpf_attach_type t const char * When displaying attach types Converts attach type enum to string representation libbpf_bpf_link_type_str Get link type string enum bpf_link_type t const char * When displaying link types Converts link type enum to string representation libbpf_bpf_map_type_str Get map type string enum bpf_map_type t const char * When displaying map types Converts map type enum to string representation libbpf_bpf_prog_type_str Get program type string enum bpf_prog_type t const char * When displaying program types Converts program type enum to string representation libbpf_probe_bpf_helper Probe helper availability enum bpf_prog_type prog_type, enum bpf_func_id helper_id, const void *opts int When checking feature support Tests if specific helper is available for program type libbpf_probe_bpf_map_type Probe map type support enum bpf_map_type map_type, const void *opts int When checking map support Tests if specific map type is supported by kernel libbpf_probe_bpf_prog_type Probe program type support enum bpf_prog_type prog_type, const void *opts int When checking program support Tests if specific program type is supported libbpf_set_memlock_rlim Set memory lock limit size_t memlock_bytes int When configuring memory limits Sets RLIMIT_MEMLOCK for BPF memory allocation libbpf_set_strict_mode Set strict mode enum libbpf_strict_mode mode int When enabling strict error handling Enables strict mode for cleaner error handling libbpf_register_prog_handler Register program handler const char *sec, enum bpf_prog_type prog_type, enum bpf_attach_type exp_attach_type, const struct libbpf_prog_handler_opts *opts int When extending libbpf Registers custom program section handler libbpf_unregister_prog_handler Unregister program handler int handler_id int When cleaning up handlers Removes previously registered program handler

  9. BPF Linker Functions Function Name Purpose Parameters Return Type When to Use Detailed Explanation bpf_linker__new Create new linker const char *filename, struct bpf_linker_opts *opts struct bpf_linker * When linking multiple BPF objects Creates linker for combining multiple BPF object files bpf_linker__add_file Add file to linker struct bpf_linker *linker, const char *filename, const struct bpf_linker_file_opts *opts int When adding object files Adds BPF object file to linker for combination bpf_linker__finalize Finalize linking struct bpf_linker *linker int When completing link process Finalizes linking process and generates output bpf_linker__free Free linker struct bpf_linker *linker void When cleaning up linker Frees all linker resources

  10. Low-Level BPF System Call Wrappers Function Name Purpose Parameters Return Type When to Use Detailed Explanation bpf_enable_stats Enable BPF statistics enum bpf_stats_type type int When enabling runtime statistics Enables BPF runtime statistics collection bpf_iter_create Create BPF iterator int link_fd int When creating custom iterators Creates iterator from BPF link for data traversal bpf_obj_get Get object from filesystem const char *pathname int When loading pinned objects Loads pinned BPF object from filesystem bpf_obj_get_info_by_fd Get object info by FD int bpf_fd, void *info, __u32 *info_len int When querying object metadata Generic object information retrieval bpf_obj_get_opts Get object with options const char *pathname, const struct bpf_obj_get_opts *opts int When loading with specific options Extended object loading with options bpf_obj_pin Pin object to filesystem int fd, const char *pathname int When persisting objects Pins BPF object to filesystem for persistence bpf_obj_pin_opts Pin object with options int fd, const char *pathname, const struct bpf_obj_pin_opts *opts int When pinning with options Extended pinning with additional options bpf_prog_attach Attach program int prog_fd, int attachable_fd, enum bpf_attach_type type, unsigned int flags int When attaching with raw FDs Low-level program attachment using file descriptors bpf_prog_attach_opts Attach program with options int prog_fd, int target, enum bpf_attach_type type, const struct bpf_prog_attach_opts *opts int When you need attach options Extended program attachment with additional options bpf_prog_bind_map Bind program to map int prog_fd, int map_fd, const struct bpf_prog_bind_opts *opts int When pre-binding programs to maps Associates program with map for optimization bpf_prog_detach Detach program int attachable_fd, enum bpf_attach_type type int When detaching by type Detaches program from attachment point by type bpf_prog_detach2 Detach specific program int prog_fd, int attachable_fd, enum bpf_attach_type type int When detaching specific program Detaches specific program by file descriptor bpf_prog_detach_opts Detach with options int prog_fd, int target, enum bpf_attach_type type, const struct bpf_prog_detach_opts *opts int When you need detach options Extended program detachment with options bpf_prog_get_fd_by_id Get program FD by ID __u32 id int When accessing program by ID Returns file descriptor for program with specified ID bpf_prog_get_fd_by_id_opts Get program FD with options __u32 id, const struct bpf_get_fd_by_id_opts *opts int When you need access options Extended FD retrieval with options bpf_prog_get_info_by_fd Get program info int prog_fd, struct bpf_prog_info *info, __u32 *info_len int When querying program metadata Retrieves detailed program information bpf_prog_get_next_id Get next program ID __u32 start_id, __u32 *next_id int When enumerating programs Iterates through all loaded programs bpf_prog_load Load program into kernel enum bpf_prog_type prog_type, const char *prog_name, const char *license, const struct bpf_insn *insns, size_t insn_cnt, struct bpf_prog_load_opts *opts int When loading with precise control Low-level program loading with full control over parameters bpf_prog_query Query attached programs int target_fd, enum bpf_attach_type type, __u32 query_flags, __u32 *attach_flags, __u32 *prog_ids, __u32 *prog_cnt int When listing attached programs Queries programs attached to specific target bpf_prog_query_opts Query with options int target, enum bpf_attach_type type, struct bpf_prog_query_opts *opts int When you need query options Extended program querying with options bpf_prog_test_run_opts Test program execution int prog_fd, struct bpf_test_run_opts *opts int When testing programs Runs program in test mode with provided input bpf_raw_tracepoint_open Open raw tracepoint const char *name, int prog_fd int When using raw tracepoints Opens raw tracepoint for minimal-overhead tracing bpf_raw_tracepoint_open_opts Open raw tracepoint with options int prog_fd, struct bpf_raw_tp_opts *opts int When you need raw tracepoint options Extended raw tracepoint opening bpf_task_fd_query Query task file descriptor int pid, int fd, __u32 flags, char *buf, __u32 *buf_len, __u32 *prog_id, __u32 *fd_type, __u64 *probe_offset, __u64 *probe_addr int When debugging attachments Queries information about BPF programs attached to task bpf_token_create Create BPF token int bpffs_fd, struct bpf_token_create_opts *opts int When delegating permissions Creates token for permission delegation to non-privileged processes

  11. Traffic Control Functions Function Name Purpose Parameters Return Type When to Use Detailed Explanation bpf_tc_attach Attach TC program const struct bpf_tc_hook *hook, struct bpf_tc_opts *opts int When attaching to traffic control Attaches BPF program to traffic control hook for packet processing bpf_tc_detach Detach TC program const struct bpf_tc_hook *hook, const struct bpf_tc_opts *opts int When removing TC attachment Detaches BPF program from traffic control hook bpf_tc_hook_create Create TC hook struct bpf_tc_hook *hook int When setting up TC infrastructure Creates traffic control hook for program attachment bpf_tc_hook_destroy Destroy TC hook struct bpf_tc_hook *hook int When cleaning up TC hooks Destroys traffic control hook bpf_tc_query Query TC programs const struct bpf_tc_hook *hook, struct bpf_tc_opts *opts int When listing TC programs Queries programs attached to traffic control hook

  12. XDP Functions Function Name Purpose Parameters Return Type When to Use Detailed Explanation bpf_xdp_attach Attach XDP program int ifindex, int prog_fd, __u32 flags, const struct bpf_xdp_attach_opts *opts int When attaching to network interface Attaches XDP program to network interface for early packet processing bpf_xdp_detach Detach XDP program int ifindex, __u32 flags, const struct bpf_xdp_attach_opts *opts int When removing XDP attachment Detaches XDP program from network interface bpf_xdp_query Query XDP programs int ifindex, int flags, struct bpf_xdp_query_opts *opts int When checking XDP status Queries XDP programs attached to interface bpf_xdp_query_id Query XDP program ID int ifindex, int flags, __u32 *prog_id int When getting attached program ID Returns ID of XDP program attached to interface Google Doc Link : https://docs.google.com/document/d/1ZgRbRbFUFqVlhRi7jPir8cwVJ1i7Gw_YY1rJ-TLNPSY/edit?usp=sharing

    Libbpf EBPF Linux Kernel

© 2025 Hanshal Mehta