bpftool-map - tool for inspection and simple manipulation of eBPF maps

Description

bpftoolmap{show|list}[MAP]
Show information about loaded maps. If MAP is specified show information only about given maps,
otherwise list all maps currently loaded on the system. In case of name, MAP may match several
maps which will all be shown.

Output will start with map ID followed by map type and zero or more named attributes (depending on
kernel version).

Since Linux 5.8 bpftool is able to discover information about processes that hold open file
descriptors (FDs) against BPF maps. On such kernels bpftool will automatically emit this
information as well.

bpftoolmapcreateFILEtypeTYPEkeyKEY_SIZEvalueVALUE_SIZEentriesMAX_ENTRIESnameNAME[flagsFLAGS][inner_mapMAP][offload_devNAME]
Create a new map with given parameters and pin it to bpffs as FILE.

FLAGS should be an integer which is the combination of desired flags, e.g. 1024 for BPF_F_MMAPABLE
(see bpf.h UAPI header for existing flags).

To create maps of type array-of-maps or hash-of-maps, the inner_map keyword must be used to pass
an inner map. The kernel needs it to collect metadata related to the inner maps that the new map
will work with.

Keyword offload_dev expects a network interface name, and is used to request hardware offload for
the map.

bpftoolmapdumpMAP
Dump all entries in a given MAP. In case of name, MAP may match several maps which will all be
dumped.

bpftoolmapupdateMAP[keyDATA][valueVALUE][UPDATE_FLAGS]
Update map entry for a given KEY.

UPDATE_FLAGS can be one of: any update existing entry or add if doesn't exit; exist update only if
entry already exists; noexist update only if entry doesn't exist.

If the hex keyword is provided in front of the bytes sequence, the bytes are parsed as hexadecimal
values, even if no "0x" prefix is added. If the keyword is not provided, then the bytes are parsed
as decimal values, unless a "0x" prefix (for hexadecimal) or a "0" prefix (for octal) is provided.

bpftoolmaplookupMAP[keyDATA]
Lookup key in the map.

bpftoolmapgetnextMAP[keyDATA]
Get next key. If key is not specified, get first key.

bpftoolmapdeleteMAPkeyDATA
Remove entry from the map.

bpftoolmappinMAPFILE
Pin map MAP as FILE.

Note: FILE must be located in bpffs mount. It must not contain a dot character ('.'), which is
reserved for future extensions of bpffs.

bpftoolmapevent_pipeMAP[cpuNindexM]
Read events from a BPF_MAP_TYPE_PERF_EVENT_ARRAY map.

Install perf rings into a perf event array map and dump output of any bpf_perf_event_output() call
in the kernel. By default read the number of CPUs on the system and install perf ring for each CPU
in the corresponding index in the array.

If cpu and index are specified, install perf ring for given cpu at index in the array (single
ring).

Note that installing a perf ring into an array will silently replace any existing ring. Any other
application will stop receiving events if it installed its rings earlier.

bpftoolmappeekMAP
Peek next value in the queue or stack.

bpftoolmappushMAPvalueVALUE
Push VALUE onto the stack.

bpftoolmappopMAP
Pop and print value from the stack.

bpftoolmapenqueueMAPvalueVALUE
Enqueue VALUE into the queue.

bpftoolmapdequeueMAP
Dequeue and print value from the queue.

bpftoolmapfreezeMAP
Freeze the map as read-only from user space. Entries from a frozen map can not longer be updated
or deleted with the bpf() system call. This operation is not reversible, and the map remains
immutable from user space until its destruction. However, read and write permissions for BPF
programs to the map remain unchanged.

bpftoolmaphelp
Print short help message.

Examples

#bpftoolmapshow

          10: hash  name some_map  flags 0x0
                key 4B  value 8B  max_entries 2048  memlock 167936B
                pids systemd(1)

       The following three commands are equivalent:

       #bpftoolmapupdateid10keyhex20c4b700valuehex0fffffab0102034c#bpftoolmapupdateid10key0x200xc40xb70x00value0x0f0xff0xff0xab0x010x020x030x4c#bpftoolmapupdateid10key321961830value1525525517112376#bpftoolmaplookupid10key0123

          key: 00 01 02 03 value: 00 01 02 03 04 05 06 07

       #bpftoolmapdumpid10

          key: 00 01 02 03  value: 00 01 02 03 04 05 06 07
          key: 0d 00 07 00  value: 02 00 00 00 01 02 03 04
          Found 2 elements

       #bpftoolmapgetnextid10key0123

          key:
          00 01 02 03
          next key:
          0d 00 07 00

       #mount-tbpfnone/sys/fs/bpf/#bpftoolmappinid10/sys/fs/bpf/map#bpftoolmapdelpinned/sys/fs/bpf/mapkey13000700

       Note  that  map update can also be used in order to change the program references hold by a program array
       map. This can be used, for example, to change the programs used for tail-call jumps at  runtime,  without
       having  to  reload  the  entry-point  program.  Below  is an example for this use case: we load a program
       defining a prog array map, and with a main function that contains a tail call to other programs that  can
       be used either to "process" packets or to "debug" processing. Note that the prog array map MUST be pinned
       into  the  BPF  virtual file system for the map update to work successfully, as kernel flushes prog array
       maps when they have no more references from user space (and the update would be lost as soon  as  bpftool
       exits).

       #bpftoolprogloadalltail_calls.o/sys/fs/bpf/footypexdp#bpftoolprog--bpffs

          545: xdp  name main_func  tag 674b4b5597193dc3  gpl
                  loaded_at 2018-12-12T15:02:58+0000  uid 0
                  xlated 240B  jited 257B  memlock 4096B  map_ids 294
                  pinned /sys/fs/bpf/foo/xdp
          546: xdp  name bpf_func_process  tag e369a529024751fc  gpl
                  loaded_at 2018-12-12T15:02:58+0000  uid 0
                  xlated 200B  jited 164B  memlock 4096B
                  pinned /sys/fs/bpf/foo/process
          547: xdp  name bpf_func_debug  tag 0b597868bc7f0976  gpl
                  loaded_at 2018-12-12T15:02:58+0000  uid 0
                  xlated 200B  jited 164B  memlock 4096B
                  pinned /sys/fs/bpf/foo/debug

       #bpftoolmap

          294: prog_array  name jmp_table  flags 0x0
                  key 4B  value 4B  max_entries 1  memlock 4096B
                  owner_prog_type xdp  owner jited

       #bpftoolmappinid294/sys/fs/bpf/bar#bpftoolmapdumppinned/sys/fs/bpf/bar

          Found 0 elements

       #bpftoolmapupdatepinned/sys/fs/bpf/barkey0000valuepinned/sys/fs/bpf/foo/debug#bpftoolmapdumppinned/sys/fs/bpf/bar

          key: 00 00 00 00  value: 22 02 00 00
          Found 1 element

Map Commands

bpftoolmap { show | list }   [MAP]
       bpftoolmapcreateFILEtypeTYPEkeyKEY_SIZEvalueVALUE_SIZEentriesMAX_ENTRIESnameNAME [flagsFLAGS] [inner_mapMAP]
         [offload_devNAME]
       bpftoolmapdumpMAPbpftoolmapupdateMAP [keyDATA] [valueVALUE] [UPDATE_FLAGS]
       bpftoolmaplookupMAP [keyDATA]
       bpftoolmapgetnextMAP [keyDATA]
       bpftoolmapdeleteMAPkeyDATAbpftoolmappinMAPFILEbpftoolmapevent_pipeMAP [cpuNindexM]
       bpftoolmappeekMAPbpftoolmappushMAPvalueVALUEbpftoolmappopMAPbpftoolmapenqueueMAPvalueVALUEbpftoolmapdequeueMAPbpftoolmapfreezeMAPbpftoolmaphelpMAP := { idMAP_ID | pinnedFILE | nameMAP_NAME }
       DATA := { [hex] BYTES }
       PROG := { idPROG_ID | pinnedFILE | tagPROG_TAG | namePROG_NAME }
       VALUE := { DATA | MAP | PROG }
       UPDATE_FLAGS := { any | exist | noexist }
       TYPE := { hash | array | prog_array | perf_event_array | percpu_hash
         | percpu_array | stack_trace | cgroup_array | lru_hash
         | lru_percpu_hash | lpm_trie | array_of_maps | hash_of_maps
         | devmap | devmap_hash | sockmap | cpumap | xskmap | sockhash
         | cgroup_storage | reuseport_sockarray | percpu_cgroup_storage
         | queue | stack | sk_storage | struct_ops | ringbuf | inode_storage
         | task_storage | bloom_filter | user_ringbuf | cgrp_storage | arena }

Name

       bpftool-map - tool for inspection and simple manipulation of eBPF maps

Options

-h, --help
              Print short help message (similar to bpftoolhelp).

       -V, --version
              Print bpftool's version number (similar to bpftoolversion), the number of the libbpf  version  in
              use, and optional features that were included when bpftool was compiled. Optional features include
              linking against LLVM or libbfd to provide the disassembler for JIT-ted programs (bpftoolprogdumpjited)  and  usage  of  BPF  skeletons  (some  features  like bpftoolprogprofile or showing pids
              associated to BPF objects may rely on it).

       -j, --json
              Generate JSON output. For commands that cannot produce JSON, this option has no effect.

       -p, --pretty
              Generate human-readable JSON output. Implies -j.

       -d, --debug
              Print all logs available, even debug-level information. This includes logs from libbpf as well  as
              from the verifier, when attempting to load programs.

       -f, --bpffs
              Show file names of pinned maps.

       -n, --nomount
              Do not automatically attempt to mount any virtual file system (such as tracefs or BPF virtual file
              system) when necessary.

Synopsis

bpftool [OPTIONS] mapCOMMANDOPTIONS := { { -j | --json } [{ -p | --pretty }] | { -d | --debug } | { -f | --bpffs } | { -n | --nomount
       } }

       COMMANDS := { show | list | create | dump | update | lookup | getnext | delete | pin | help }