In "xdp ebpf SEC("tracepoint/xdp/xdp_devmap_xmit")" what is xdp_devmap_xmit -- is this trace means trap handler code start for some kernel function

Solution 1:

What does the section name refer to?

and what is tracepoint/xdp/xdp_devmap_xmit

tracepoint/xdp/xdp_devmap_xmit is the name of the ELF section for this BPF program. The loader (here libbpf) will use this section name to know which BPF program type it is, and in this case, where to attach it.

The section name for BPF programs of type tracepoint takes the format:

tracepoint/<category>/<name>

name is the name of the tracepoint itself. Tracepoints are organized in categories. You can list all tracepoints for a category with perf list '<category>:*'. For example, for XDP:

$ sudo ./perf list 'xdp:*'

List of pre-defined events (to be used in -e):

  xdp:mem_connect                                    [Tracepoint event]
  xdp:mem_disconnect                                 [Tracepoint event]
  xdp:mem_return_failed                              [Tracepoint event]
  xdp:xdp_bulk_tx                                    [Tracepoint event]
  xdp:xdp_cpumap_enqueue                             [Tracepoint event]
  xdp:xdp_cpumap_kthread                             [Tracepoint event]
  xdp:xdp_devmap_xmit                                [Tracepoint event]
  xdp:xdp_exception                                  [Tracepoint event]
  xdp:xdp_redirect                                   [Tracepoint event]
  xdp:xdp_redirect_err                               [Tracepoint event]
  xdp:xdp_redirect_map                               [Tracepoint event]
  xdp:xdp_redirect_map_err                           [Tracepoint event]

What is this tracepoint?

I like to know in above is this a hook for which kernel function

You can get information on that tracepoint as follows:

$ cat /sys/kernel/debug/tracing/events/xdp/xdp_devmap_xmit/format 
name: xdp_devmap_xmit
ID: 467
format:
    field:unsigned short common_type;   offset:0;   size:2; signed:0;
    field:unsigned char common_flags;   offset:2;   size:1; signed:0;
    field:unsigned char common_preempt_count;   offset:3;   size:1; signed:0;
    field:int common_pid;   offset:4;   size:4; signed:1;

    field:int map_id;   offset:8;   size:4; signed:1;
    field:u32 act;  offset:12;  size:4; signed:0;
    field:u32 map_index;    offset:16;  size:4; signed:0;
    field:int drops;    offset:20;  size:4; signed:1;
    field:int sent; offset:24;  size:4; signed:1;
    field:int from_ifindex; offset:28;  size:4; signed:1;
    field:int to_ifindex;   offset:32;  size:4; signed:1;
    field:int err;  offset:36;  size:4; signed:1;

print fmt: "ndo_xdp_xmit map_id=%d map_index=%d action=%s sent=%d drops=%d from_ifindex=%d to_ifindex=%d err=%d", REC->map_id, REC->map_index, __print_symbolic(REC->act, { 0, "ABORTED" }, { 1, "DROP" }, { 2, "PASS" }, { 3, "TX" }, { 4, "REDIRECT" }, { -1, ((void *)0) }), REC->sent, REC->drops, REC->from_ifindex, REC->to_ifindex, REC->err

This particular tracepoint will trace executions of function ndo_xdp_xmit.

What's the link to XDP?

does this above SEC elf section makes my ebpf program an XDP program?

No, this section name makes your BPF program a tracepoint program. It's a tracepoint program that will trace the execution of the receive hook for XDP.

How can I trace kernel functions?

can I make custom tracepoint for my some function in kernel

Tracepoints are only defined for specific points in the kernel (such as the XDP receive hook above). To be able to trace most kernel functions, you might want to use kprobes BPF programs.
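
Added example (not part of the original answer): the format output above also describes the layout of the context that a tracepoint BPF program attached to this event receives. This Python script parses those field lines and emits a matching C struct, checking for holes and overlaps; the struct name devmap_xmit_ctx and the helper names are hypothetical, and it handles only fixed-size fields like the ones shown.

```python
import re

# Field lines copied from the format output quoted above (kernel-specific).
FORMAT = """\
name: xdp_devmap_xmit
ID: 467
format:
    field:unsigned short common_type;   offset:0;   size:2; signed:0;
    field:unsigned char common_flags;   offset:2;   size:1; signed:0;
    field:unsigned char common_preempt_count;   offset:3;   size:1; signed:0;
    field:int common_pid;   offset:4;   size:4; signed:1;
    field:int map_id;   offset:8;   size:4; signed:1;
    field:u32 act;  offset:12;  size:4; signed:0;
    field:u32 map_index;    offset:16;  size:4; signed:0;
    field:int drops;    offset:20;  size:4; signed:1;
    field:int sent; offset:24;  size:4; signed:1;
    field:int from_ifindex; offset:28;  size:4; signed:1;
    field:int to_ifindex;   offset:32;  size:4; signed:1;
    field:int err;  offset:36;  size:4; signed:1;
"""

FIELD_RE = re.compile(r"field:([^;]+);\s*offset:(\d+);\s*size:(\d+);")

def parse_fields(text):
    """Return (ctype, name, offset, size) tuples sorted by offset."""
    out = []
    for m in FIELD_RE.finditer(text):
        ctype, name = m[1].strip().rsplit(None, 1)
        out.append((ctype, name, int(m[2]), int(m[3])))
    return sorted(out, key=lambda f: f[2])

def ctx_struct(text, struct_name="devmap_xmit_ctx"):  # hypothetical struct name
    """Emit a C struct for the program's ctx argument, checking the layout."""
    lines, pos = [f"struct {struct_name} {{"], 0
    for ctype, name, off, size in parse_fields(text):
        if off < pos:
            raise ValueError(f"{name} overlaps the previous field")
        if off > pos:  # make any hole explicit so later offsets stay right
            lines.append(f"    char __hole_{pos}[{off - pos}];")
        if name.startswith("common_"):
            # common header: the verifier rejects reads of these first bytes
            lines.append(f"    char __{name}[{size}];")
        else:
            lines.append(f"    {ctype} {name};  /* offset {off}, size {size} */")
        pos = off + size
    return "\n".join(lines + ["};"])

if __name__ == "__main__":
    print(ctx_struct(FORMAT))
```

On a live system, pass the contents of the format file for the event you attach to instead of the embedded copy, since offsets can change between kernel versions.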