ebpf-for-windows/docs/eBpfExtensions.md

# eBPF extensions

## Overview

The eBPF for Windows project is designed to permit anyone to add new hooks, program types or helper functions,
without the need to modify either the eBPF execution context or the eBPF verifier.  We use the term "eBPF extension"
to mean a driver or component that exposes new eBPF hooks or helper functions.
The eBPF for Windows project uses the
[Network Module Registrar (NMR)](https://docs.microsoft.com/en-us/windows-hardware/drivers/network/network-module-registrar2)
to decouple the eBPF extensions from the core eBPF for Windows framework.  In the NMR architecture,
[Network Programming Interface (NPI)](https://docs.microsoft.com/en-us/windows-hardware/drivers/network/network-programming-interface)
contracts are identified by a GUID.

## NPI Contract for eBPF Program Information

The eBPF program information NPI contract is used to provide information about an eBPF program type. Program types
are defined as the ABI contracts that eBPF programs are written to conform to.
This information is consumed by the eBPF verifier to ensure that any eBPF programs of a given type are safe to load
and execute. The ABI contract includes both a description of the &quot;context&quot; parameter passed to the eBPF
program as well as the list of specific helper functions that are available to such eBPF programs. eBPF extensions
should not unload until the last NMR client detaches, signifying that no eBPF programs are using helper functions
it provides.

## NPI Contract for Attach Type

Attach type NPI contracts are the mechanism that extensions use to invoke eBPF programs when events occur. The
eBPF extension registers as an NMR provider and supplies callback functions that are invoked when a NMR client
attaches or detaches. To invoke an eBPF program, the extension uses the NpiSpecificCharacteristics as well as the
supplied dispatch table. The first entry in the dispatch table is a pointer to the function that invokes the eBPF
program and has the signature:

```
ebpf_error_code_t (*invoke_hook)(void* bind_context, void* context, uint32_t* result);
```
Add proposal for FS filter hook (#196) * Add proposal for FS filter hook * Document ebpf ext model Signed-off-by: Alan Jowett <alanjo@microsoft.com> 2021-05-13 22:36:24 +03:00			`# eBPF extensions`

			`## Overview`

Improve clarify of eBPF extensions doc (#199) Signed-off-by: Dave Thaler <dthaler@ntdev.microsoft.com> 2021-05-18 22:53:56 +03:00			`The eBPF for Windows project is designed to permit anyone to add new hooks, program types or helper functions,`
			`without the need to modify either the eBPF execution context or the eBPF verifier. We use the term "eBPF extension"`
			`to mean a driver or component that exposes new eBPF hooks or helper functions.`
			`The eBPF for Windows project uses the`
			`[Network Module Registrar (NMR)](https://docs.microsoft.com/en-us/windows-hardware/drivers/network/network-module-registrar2)`
			`to decouple the eBPF extensions from the core eBPF for Windows framework. In the NMR architecture,`
			`[Network Programming Interface (NPI)](https://docs.microsoft.com/en-us/windows-hardware/drivers/network/network-programming-interface)`
			`contracts are identified by a GUID.`

			`## NPI Contract for eBPF Program Information`

			`The eBPF program information NPI contract is used to provide information about an eBPF program type. Program types`
			`are defined as the ABI contracts that eBPF programs are written to conform to.`
			`This information is consumed by the eBPF verifier to ensure that any eBPF programs of a given type are safe to load`
			`and execute. The ABI contract includes both a description of the "context" parameter passed to the eBPF`
			`program as well as the list of specific helper functions that are available to such eBPF programs. eBPF extensions`
			`should not unload until the last NMR client detaches, signifying that no eBPF programs are using helper functions`
			`it provides.`

			`## NPI Contract for Attach Type`

			`Attach type NPI contracts are the mechanism that extensions use to invoke eBPF programs when events occur. The`
			`eBPF extension registers as an NMR provider and supplies callback functions that are invoked when a NMR client`
			`attaches or detaches. To invoke an eBPF program, the extension uses the NpiSpecificCharacteristics as well as the`
			`supplied dispatch table. The first entry in the dispatch table is a pointer to the function that invokes the eBPF`
			`program and has the signature:`
Add proposal for FS filter hook (#196) * Add proposal for FS filter hook * Document ebpf ext model Signed-off-by: Alan Jowett <alanjo@microsoft.com> 2021-05-13 22:36:24 +03:00
			```
			`ebpf_error_code_t (invoke_hook)(void bind_context, void* context, uint32_t* result);`
Improve clarify of eBPF extensions doc (#199) Signed-off-by: Dave Thaler <dthaler@ntdev.microsoft.com> 2021-05-18 22:53:56 +03:00			```