From b48135deac642302fe25a1770dbfc89c5406a9cf Mon Sep 17 00:00:00 2001
From: mozillazg
Date: Sun, 20 Aug 2023 09:46:13 +0000
Subject: [PATCH 01/20] update docs
---
README.md | 238 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 238 insertions(+)
diff --git a/README.md b/README.md
index 02ef647..aa76cbf 100644
--- a/README.md
+++ b/README.md
@@ -12,3 +12,241 @@ https://mozillazg.com/tag/libbpf.html
 ```
 $ vagrant up
 ```
+
+## Program Types
+
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| Program Type | Attach Type | ELF Section Name | Examples | Sleepable |
++=========================================+======================================+=========================+===========+===========+
+| `BPF_PROG_TYPE_CGROUP_DEVICE` | `BPF_CGROUP_DEVICE` | `cgroup/dev` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| `BPF_PROG_TYPE_CGROUP_SKB` | | `cgroup/skb` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | `BPF_CGROUP_INET_EGRESS` | `cgroup_skb/egress` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | `BPF_CGROUP_INET_INGRESS` | `cgroup_skb/ingress` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| `BPF_PROG_TYPE_CGROUP_SOCKOPT` | `BPF_CGROUP_GETSOCKOPT` | `cgroup/getsockopt` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | `BPF_CGROUP_SETSOCKOPT` | `cgroup/setsockopt` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| `BPF_PROG_TYPE_CGROUP_SOCK_ADDR` | `BPF_CGROUP_INET4_BIND` | `cgroup/bind4` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | `BPF_CGROUP_INET4_CONNECT` | `cgroup/connect4` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | `BPF_CGROUP_INET4_GETPEERNAME` | `cgroup/getpeername4` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | `BPF_CGROUP_INET4_GETSOCKNAME` | `cgroup/getsockname4` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | `BPF_CGROUP_INET6_BIND` | `cgroup/bind6` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | `BPF_CGROUP_INET6_CONNECT` | `cgroup/connect6` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | `BPF_CGROUP_INET6_GETPEERNAME` | `cgroup/getpeername6` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | `BPF_CGROUP_INET6_GETSOCKNAME` | `cgroup/getsockname6` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | `BPF_CGROUP_UDP4_RECVMSG` | `cgroup/recvmsg4` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | `BPF_CGROUP_UDP4_SENDMSG` | `cgroup/sendmsg4` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | `BPF_CGROUP_UDP6_RECVMSG` | `cgroup/recvmsg6` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | `BPF_CGROUP_UDP6_SENDMSG` | `cgroup/sendmsg6` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| `BPF_PROG_TYPE_CGROUP_SOCK` | `BPF_CGROUP_INET4_POST_BIND` | `cgroup/post_bind4` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | `BPF_CGROUP_INET6_POST_BIND` | `cgroup/post_bind6` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | `BPF_CGROUP_INET_SOCK_CREATE` | `cgroup/sock_create` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | | `cgroup/sock` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | `BPF_CGROUP_INET_SOCK_RELEASE` | `cgroup/sock_release` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| `BPF_PROG_TYPE_CGROUP_SYSCTL` | `BPF_CGROUP_SYSCTL` | `cgroup/sysctl` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| `BPF_PROG_TYPE_EXT` | | `freplace+`[^1] | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| `BPF_PROG_TYPE_FLOW_DISSECTOR` | `BPF_FLOW_DISSECTOR` | `flow_dissector` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| `BPF_PROG_TYPE_KPROBE` | | `kprobe+`[^2] | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | | `kretprobe+`[^3] | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | | `ksyscall+`[^4] | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | | > `kretsyscall+`[^5] | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | | `uprobe+`[^6] | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | | `uprobe.s+`[^7] | | Yes |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | | `uretprobe+`[^8] | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | | `uretprobe.s+`[^9] | | Yes |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | | `usdt+`[^10] | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | `BPF_TRACE_KPROBE_MULTI` | `kprobe.multi+`[^11] | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | | `kretprobe.multi+`[^12] | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| `BPF_PROG_TYPE_LIRC_MODE2` | `BPF_LIRC_MODE2` | `lirc_mode2` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| `BPF_PROG_TYPE_LSM` | `BPF_LSM_CGROUP` | `lsm_cgroup+` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | `BPF_LSM_MAC` | `lsm+`[^13] | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | | `lsm.s+`[^14] | | Yes |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| `BPF_PROG_TYPE_LWT_IN` | | `lwt_in` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| `BPF_PROG_TYPE_LWT_OUT` | | `lwt_out` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| `BPF_PROG_TYPE_LWT_SEG6LOCAL` | | `lwt_seg6local` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| `BPF_PROG_TYPE_LWT_XMIT` | | `lwt_xmit` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| `BPF_PROG_TYPE_PERF_EVENT` | | `perf_event` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| `BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE` | | `raw_tp.w+`[^15] | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | | `raw_tracepoint.w+` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| `BPF_PROG_TYPE_RAW_TRACEPOINT` | | `raw_tp+`[^16] |[e12] [e13]| |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | | `raw_tracepoint+` |[e12] [e13]| |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| `BPF_PROG_TYPE_SCHED_ACT` | | `action` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| `BPF_PROG_TYPE_SCHED_CLS` | | `classifier` |[e21] [e25]| |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | | `tc` |[e21] [e25]| |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| `BPF_PROG_TYPE_SK_LOOKUP` | `BPF_SK_LOOKUP` | `sk_lookup` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| `BPF_PROG_TYPE_SK_MSG` | `BPF_SK_MSG_VERDICT` | `sk_msg` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| `BPF_PROG_TYPE_SK_REUSEPORT` | `BPF_SK_REUSEPORT_SELECT_OR_MIGRATE` | `sk_reuseport/migrate` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | `BPF_SK_REUSEPORT_SELECT` | `sk_reuseport` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| `BPF_PROG_TYPE_SK_SKB` | | `sk_skb` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | `BPF_SK_SKB_STREAM_PARSER` | `sk_skb/stream_parser` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | `BPF_SK_SKB_STREAM_VERDICT` | `sk_skb/stream_verdict` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| `BPF_PROG_TYPE_SOCKET_FILTER` | | `socket` |[e18] [e19] | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| `BPF_PROG_TYPE_SOCK_OPS` | `BPF_CGROUP_SOCK_OPS` | `sockops` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| `BPF_PROG_TYPE_STRUCT_OPS` | | `struct_ops+` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| `BPF_PROG_TYPE_SYSCALL` | | `syscall` | | Yes |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| `BPF_PROG_TYPE_TRACEPOINT` | | `tp+`[^17] | [e04] [e07] [e14]| |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | | `tracepoint+`[^18] | [e04] [e07] [e14] | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| `BPF_PROG_TYPE_TRACING` | `BPF_MODIFY_RETURN` | `fmod_ret+`[^19] | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | | `fmod_ret.s+`[^20] | | Yes |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | `BPF_TRACE_FENTRY` | `fentry+`[^21] | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | | `fentry.s+`[^22] | | Yes |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | `BPF_TRACE_FEXIT` | `fexit+`[^23] | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | | `fexit.s+`[^24] | | Yes |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | `BPF_TRACE_ITER` | `iter+`[^25] | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | | `iter.s+`[^26] | | Yes |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | `BPF_TRACE_RAW_TP` | `tp_btf+`[^27] |[e16] [e17]| |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| `BPF_PROG_TYPE_XDP` | `BPF_XDP_CPUMAP` | `xdp.frags/cpumap` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | | `xdp/cpumap` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | `BPF_XDP_DEVMAP` | `xdp.frags/devmap` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | | `xdp/devmap` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | `BPF_XDP` | `xdp.frags` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+| | | `xdp` | | |
++-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
+
+**Footnotes**
+
+[^1]: The `fentry` attach format is `fentry[.s]/`.
+
+[^2]: The `kprobe` attach format is `kprobe/[+]`. Valid characters for `function` are `a-zA-Z0-9_.` and `offset` must be a valid non-negative integer.
+
+[^3]: The `kprobe` attach format is `kprobe/[+]`. Valid characters for `function` are `a-zA-Z0-9_.` and `offset` must be a valid non-negative integer.
+
+[^4]: The `ksyscall` attach format is `ksyscall/`.
+
+[^5]: The `ksyscall` attach format is `ksyscall/`.
+
+[^6]: The `uprobe` attach format is `uprobe[.s]/:[+]`.
+
+[^7]: The `uprobe` attach format is `uprobe[.s]/:[+]`.
+
+[^8]: The `uprobe` attach format is `uprobe[.s]/:[+]`.
+
+[^9]: The `uprobe` attach format is `uprobe[.s]/:[+]`.
+
+[^10]: The `usdt` attach format is `usdt/::`.
+
+[^11]: The `kprobe.multi` attach format is `kprobe.multi/` where `pattern` supports `*` and `?` wildcards. Valid characters for pattern are `a-zA-Z0-9_.*?`.
+
+[^12]: The `kprobe.multi` attach format is `kprobe.multi/` where `pattern` supports `*` and `?` wildcards. Valid characters for pattern are `a-zA-Z0-9_.*?`.
+
+[^13]: The `lsm` attachment format is `lsm[.s]/`.
+
+[^14]: The `lsm` attachment format is `lsm[.s]/`.
+
+[^15]: The `raw_tp` attach format is `raw_tracepoint[.w]/`.
+
+[^16]: The `raw_tp` attach format is `raw_tracepoint[.w]/`.
+
+[^17]: The `tracepoint` attach format is `tracepoint//`.
+
+[^18]: The `tracepoint` attach format is `tracepoint//`.
+
+[^19]: The `fentry` attach format is `fentry[.s]/`.
+
+[^20]: The `fentry` attach format is `fentry[.s]/`.
+
+[^21]: The `fentry` attach format is `fentry[.s]/`.
+
+[^22]: The `fentry` attach format is `fentry[.s]/`.
+
+[^23]: The `fentry` attach format is `fentry[.s]/`.
+
+[^24]: The `fentry` attach format is `fentry[.s]/`.
+
+[^25]: The `iter` attach format is `iter[.s]/`.
+
+[^26]: The `iter` attach format is `iter[.s]/`.
+
+[^27]: The `fentry` attach format is `fentry[.s]/`.
+
+[e04]: https://github.com/mozillazg/hello-libbpfgo/tree/master/04-tracepoint
+[e07]: https://github.com/mozillazg/hello-libbpfgo/tree/master/07-tracepoint-args
+[e12]: https://github.com/mozillazg/hello-libbpfgo/tree/master/12-raw-tracepoint-args
+[e13]: https://github.com/mozillazg/hello-libbpfgo/tree/master/13-raw-tracepoint-args-sched_switch
+[e14]: https://github.com/mozillazg/hello-libbpfgo/tree/master/14-tracepoint-args-sched_switch
+[e16]: https://github.com/mozillazg/hello-libbpfgo/tree/master/16-btf-raw-tracepoint-args
+[e17]: https://github.com/mozillazg/hello-libbpfgo/tree/master/17-btf-raw-tracepoint-args-sched_switch
+[e18]: https://github.com/mozillazg/hello-libbpfgo/tree/master/18-socket-filter-capture-icmp-traffic-kernel-parse
+[e19]: https://github.com/mozillazg/hello-libbpfgo/tree/master/19-socket-filter-capture-icmp-traffic-userspace-parse
+[e20]: https://github.com/mozillazg/hello-libbpfgo/tree/master/20-socket-filter-capture-icmp-traffic-kernel-parse-without-llvm-load
+[e21]: https://github.com/mozillazg/hello-libbpfgo/tree/master/21-tc-parse-packet-with-bpf_skb_load_bytes
+[e25]: https://github.com/mozillazg/hello-libbpfgo/tree/master/25-tc-parse-packet-with-direct-memory-access
+
From 465135ed48e48d805d6f2ac085e149b70ed74e53 Mon Sep 17 00:00:00 2001
From: mozillazg
Date: Sun, 20 Aug 2023 10:12:10 +0000
Subject: [PATCH 02/20] update README
---
README.md | 252 -----------------------------------------------------
README.rst | 225 +++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 225 insertions(+), 252 deletions(-)
delete mode 100644 README.md
create mode 100644 README.rst
diff --git a/README.md b/README.md
deleted file mode 100644
index aa76cbf..0000000
--- a/README.md
+++ /dev/null
@@ -1,252 +0,0 @@
-# hello-libbpfgo
-
-[![Build examples](https://github.com/mozillazg/hello-libbpfgo/actions/workflows/build.yml/badge.svg?branch=master)](https://github.com/mozillazg/hello-libbpfgo/actions/workflows/build.yml)
-
-Examples for libbpf and libbpfgo.
-
-https://mozillazg.com/tag/libbpf.html
-
-
-## setup develop env
-
-```
-$ vagrant up
-```
-
-## Program Types
-
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| Program Type | Attach Type | ELF Section Name | Examples | Sleepable |
-+=========================================+======================================+=========================+===========+===========+
-| `BPF_PROG_TYPE_CGROUP_DEVICE` | `BPF_CGROUP_DEVICE` | `cgroup/dev` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| `BPF_PROG_TYPE_CGROUP_SKB` | | `cgroup/skb` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | `BPF_CGROUP_INET_EGRESS` | `cgroup_skb/egress` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | `BPF_CGROUP_INET_INGRESS` | `cgroup_skb/ingress` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| `BPF_PROG_TYPE_CGROUP_SOCKOPT` | `BPF_CGROUP_GETSOCKOPT` | `cgroup/getsockopt` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | `BPF_CGROUP_SETSOCKOPT` | `cgroup/setsockopt` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| `BPF_PROG_TYPE_CGROUP_SOCK_ADDR` | `BPF_CGROUP_INET4_BIND` | `cgroup/bind4` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | `BPF_CGROUP_INET4_CONNECT` | `cgroup/connect4` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | `BPF_CGROUP_INET4_GETPEERNAME` | `cgroup/getpeername4` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | `BPF_CGROUP_INET4_GETSOCKNAME` | `cgroup/getsockname4` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | `BPF_CGROUP_INET6_BIND` | `cgroup/bind6` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | `BPF_CGROUP_INET6_CONNECT` | `cgroup/connect6` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | `BPF_CGROUP_INET6_GETPEERNAME` | `cgroup/getpeername6` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | `BPF_CGROUP_INET6_GETSOCKNAME` | `cgroup/getsockname6` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | `BPF_CGROUP_UDP4_RECVMSG` | `cgroup/recvmsg4` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | `BPF_CGROUP_UDP4_SENDMSG` | `cgroup/sendmsg4` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | `BPF_CGROUP_UDP6_RECVMSG` | `cgroup/recvmsg6` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | `BPF_CGROUP_UDP6_SENDMSG` | `cgroup/sendmsg6` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| `BPF_PROG_TYPE_CGROUP_SOCK` | `BPF_CGROUP_INET4_POST_BIND` | `cgroup/post_bind4` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | `BPF_CGROUP_INET6_POST_BIND` | `cgroup/post_bind6` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | `BPF_CGROUP_INET_SOCK_CREATE` | `cgroup/sock_create` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | | `cgroup/sock` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | `BPF_CGROUP_INET_SOCK_RELEASE` | `cgroup/sock_release` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| `BPF_PROG_TYPE_CGROUP_SYSCTL` | `BPF_CGROUP_SYSCTL` | `cgroup/sysctl` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| `BPF_PROG_TYPE_EXT` | | `freplace+`[^1] | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| `BPF_PROG_TYPE_FLOW_DISSECTOR` | `BPF_FLOW_DISSECTOR` | `flow_dissector` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| `BPF_PROG_TYPE_KPROBE` | | `kprobe+`[^2] | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | | `kretprobe+`[^3] | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | | `ksyscall+`[^4] | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | | > `kretsyscall+`[^5] | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | | `uprobe+`[^6] | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | | `uprobe.s+`[^7] | | Yes |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | | `uretprobe+`[^8] | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | | `uretprobe.s+`[^9] | | Yes |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | | `usdt+`[^10] | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | `BPF_TRACE_KPROBE_MULTI` | `kprobe.multi+`[^11] | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | | `kretprobe.multi+`[^12] | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| `BPF_PROG_TYPE_LIRC_MODE2` | `BPF_LIRC_MODE2` | `lirc_mode2` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| `BPF_PROG_TYPE_LSM` | `BPF_LSM_CGROUP` | `lsm_cgroup+` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | `BPF_LSM_MAC` | `lsm+`[^13] | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | | `lsm.s+`[^14] | | Yes |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| `BPF_PROG_TYPE_LWT_IN` | | `lwt_in` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| `BPF_PROG_TYPE_LWT_OUT` | | `lwt_out` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| `BPF_PROG_TYPE_LWT_SEG6LOCAL` | | `lwt_seg6local` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| `BPF_PROG_TYPE_LWT_XMIT` | | `lwt_xmit` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| `BPF_PROG_TYPE_PERF_EVENT` | | `perf_event` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| `BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE` | | `raw_tp.w+`[^15] | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | | `raw_tracepoint.w+` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| `BPF_PROG_TYPE_RAW_TRACEPOINT` | | `raw_tp+`[^16] |[e12] [e13]| |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | | `raw_tracepoint+` |[e12] [e13]| |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| `BPF_PROG_TYPE_SCHED_ACT` | | `action` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| `BPF_PROG_TYPE_SCHED_CLS` | | `classifier` |[e21] [e25]| |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | | `tc` |[e21] [e25]| |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| `BPF_PROG_TYPE_SK_LOOKUP` | `BPF_SK_LOOKUP` | `sk_lookup` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| `BPF_PROG_TYPE_SK_MSG` | `BPF_SK_MSG_VERDICT` | `sk_msg` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| `BPF_PROG_TYPE_SK_REUSEPORT` | `BPF_SK_REUSEPORT_SELECT_OR_MIGRATE` | `sk_reuseport/migrate` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | `BPF_SK_REUSEPORT_SELECT` | `sk_reuseport` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| `BPF_PROG_TYPE_SK_SKB` | | `sk_skb` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | `BPF_SK_SKB_STREAM_PARSER` | `sk_skb/stream_parser` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | `BPF_SK_SKB_STREAM_VERDICT` | `sk_skb/stream_verdict` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| `BPF_PROG_TYPE_SOCKET_FILTER` | | `socket` |[e18] [e19] | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| `BPF_PROG_TYPE_SOCK_OPS` | `BPF_CGROUP_SOCK_OPS` | `sockops` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| `BPF_PROG_TYPE_STRUCT_OPS` | | `struct_ops+` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| `BPF_PROG_TYPE_SYSCALL` | | `syscall` | | Yes |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| `BPF_PROG_TYPE_TRACEPOINT` | | `tp+`[^17] | [e04] [e07] [e14]| |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | | `tracepoint+`[^18] | [e04] [e07] [e14] | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| `BPF_PROG_TYPE_TRACING` | `BPF_MODIFY_RETURN` | `fmod_ret+`[^19] | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | | `fmod_ret.s+`[^20] | | Yes |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | `BPF_TRACE_FENTRY` | `fentry+`[^21] | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | | `fentry.s+`[^22] | | Yes |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | `BPF_TRACE_FEXIT` | `fexit+`[^23] | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | | `fexit.s+`[^24] | | Yes |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | `BPF_TRACE_ITER` | `iter+`[^25] | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | | `iter.s+`[^26] | | Yes |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | `BPF_TRACE_RAW_TP` | `tp_btf+`[^27] |[e16] [e17]| |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| `BPF_PROG_TYPE_XDP` | `BPF_XDP_CPUMAP` | `xdp.frags/cpumap` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | | `xdp/cpumap` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | `BPF_XDP_DEVMAP` | `xdp.frags/devmap` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | | `xdp/devmap` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | `BPF_XDP` | `xdp.frags` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-| | | `xdp` | | |
-+-----------------------------------------+--------------------------------------+-------------------------+-----------+-----------+
-
-**Footnotes**
-
-[^1]: The `fentry` attach format is `fentry[.s]/`.
-
-[^2]: The `kprobe` attach format is `kprobe/[+]`. Valid characters for `function` are `a-zA-Z0-9_.` and `offset` must be a valid non-negative integer.
-
-[^3]: The `kprobe` attach format is `kprobe/[+]`. Valid characters for `function` are `a-zA-Z0-9_.` and `offset` must be a valid non-negative integer.
-
-[^4]: The `ksyscall` attach format is `ksyscall/`.
-
-[^5]: The `ksyscall` attach format is `ksyscall/`.
-
-[^6]: The `uprobe` attach format is `uprobe[.s]/:[+]`.
-
-[^7]: The `uprobe` attach format is `uprobe[.s]/:[+]`.
-
-[^8]: The `uprobe` attach format is `uprobe[.s]/:[+]`.
-
-[^9]: The `uprobe` attach format is `uprobe[.s]/:[+]`.
-
-[^10]: The `usdt` attach format is `usdt/::`.
-
-[^11]: The `kprobe.multi` attach format is `kprobe.multi/` where `pattern` supports `*` and `?` wildcards. Valid characters for pattern are `a-zA-Z0-9_.*?`.
-
-[^12]: The `kprobe.multi` attach format is `kprobe.multi/` where `pattern` supports `*` and `?` wildcards. Valid characters for pattern are `a-zA-Z0-9_.*?`.
-
-[^13]: The `lsm` attachment format is `lsm[.s]/`.
-
-[^14]: The `lsm` attachment format is `lsm[.s]/`.
-
-[^15]: The `raw_tp` attach format is `raw_tracepoint[.w]/`.
-
-[^16]: The `raw_tp` attach format is `raw_tracepoint[.w]/`.
-
-[^17]: The `tracepoint` attach format is `tracepoint//`.
-
-[^18]: The `tracepoint` attach format is `tracepoint//`.
-
-[^19]: The `fentry` attach format is `fentry[.s]/`.
-
-[^20]: The `fentry` attach format is `fentry[.s]/`.
-
-[^21]: The `fentry` attach format is `fentry[.s]/`.
-
-[^22]: The `fentry` attach format is `fentry[.s]/`.
-
-[^23]: The `fentry` attach format is `fentry[.s]/`.
-
-[^24]: The `fentry` attach format is `fentry[.s]/`.
-
-[^25]: The `iter` attach format is `iter[.s]/`.
-
-[^26]: The `iter` attach format is `iter[.s]/`.
-
-[^27]: The `fentry` attach format is `fentry[.s]/`.
-
-[e04]: https://github.com/mozillazg/hello-libbpfgo/tree/master/04-tracepoint
-[e07]: https://github.com/mozillazg/hello-libbpfgo/tree/master/07-tracepoint-args
-[e12]: https://github.com/mozillazg/hello-libbpfgo/tree/master/12-raw-tracepoint-args
-[e13]: https://github.com/mozillazg/hello-libbpfgo/tree/master/13-raw-tracepoint-args-sched_switch
-[e14]: https://github.com/mozillazg/hello-libbpfgo/tree/master/14-tracepoint-args-sched_switch
-[e16]: https://github.com/mozillazg/hello-libbpfgo/tree/master/16-btf-raw-tracepoint-args
-[e17]: https://github.com/mozillazg/hello-libbpfgo/tree/master/17-btf-raw-tracepoint-args-sched_switch
-[e18]: https://github.com/mozillazg/hello-libbpfgo/tree/master/18-socket-filter-capture-icmp-traffic-kernel-parse
-[e19]: https://github.com/mozillazg/hello-libbpfgo/tree/master/19-socket-filter-capture-icmp-traffic-userspace-parse
-[e20]: https://github.com/mozillazg/hello-libbpfgo/tree/master/20-socket-filter-capture-icmp-traffic-kernel-parse-without-llvm-load
-[e21]: https://github.com/mozillazg/hello-libbpfgo/tree/master/21-tc-parse-packet-with-bpf_skb_load_bytes
-[e25]: https://github.com/mozillazg/hello-libbpfgo/tree/master/25-tc-parse-packet-with-direct-memory-access
-
diff --git a/README.rst b/README.rst
new file mode 100644
index 0000000..541a2b1
--- /dev/null
+++ b/README.rst
@@ -0,0 +1,225 @@ +hello-libbpfgo +================== + +|Build examples| + + +Examples for libbpf, `aquasecurity/libbpfgo `__ and `cilium/ebpf `__. + +https://mozillazg.com/tag/libbpf.html + + +setup develop env +-------------------- + +.. code-block:: shell + + $ vagrant up + + +Program Types +------------------ + + + ++-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ +| Program Type | Attach Type | ELF Section Name | Examples | Sleepable | ++===========================================+========================================+==================================+===========+===========+ +| ``BPF_PROG_TYPE_CGROUP_DEVICE`` | ``BPF_CGROUP_DEVICE`` | ``cgroup/dev`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ +| ``BPF_PROG_TYPE_CGROUP_SKB`` | | ``cgroup/skb`` | | | ++ +----------------------------------------+----------------------------------+-----------+-----------+ +| | ``BPF_CGROUP_INET_EGRESS`` | ``cgroup_skb/egress`` | | | ++ +----------------------------------------+----------------------------------+-----------+-----------+ +| | ``BPF_CGROUP_INET_INGRESS`` | ``cgroup_skb/ingress`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ +| ``BPF_PROG_TYPE_CGROUP_SOCKOPT`` | ``BPF_CGROUP_GETSOCKOPT`` | ``cgroup/getsockopt`` | | | ++ +----------------------------------------+----------------------------------+-----------+-----------+ +| | ``BPF_CGROUP_SETSOCKOPT`` | ``cgroup/setsockopt`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ +| ``BPF_PROG_TYPE_CGROUP_SOCK_ADDR`` | ``BPF_CGROUP_INET4_BIND`` | ``cgroup/bind4`` | | | ++ 
+----------------------------------------+----------------------------------+-----------+-----------+ +| | ``BPF_CGROUP_INET4_CONNECT`` | ``cgroup/connect4`` | | | ++ +----------------------------------------+----------------------------------+-----------+-----------+ +| | ``BPF_CGROUP_INET4_GETPEERNAME`` | ``cgroup/getpeername4`` | | | ++ +----------------------------------------+----------------------------------+-----------+-----------+ +| | ``BPF_CGROUP_INET4_GETSOCKNAME`` | ``cgroup/getsockname4`` | | | ++ +----------------------------------------+----------------------------------+-----------+-----------+ +| | ``BPF_CGROUP_INET6_BIND`` | ``cgroup/bind6`` | | | ++ +----------------------------------------+----------------------------------+-----------+-----------+ +| | ``BPF_CGROUP_INET6_CONNECT`` | ``cgroup/connect6`` | | | ++ +----------------------------------------+----------------------------------+-----------+-----------+ +| | ``BPF_CGROUP_INET6_GETPEERNAME`` | ``cgroup/getpeername6`` | | | ++ +----------------------------------------+----------------------------------+-----------+-----------+ +| | ``BPF_CGROUP_INET6_GETSOCKNAME`` | ``cgroup/getsockname6`` | | | ++ +----------------------------------------+----------------------------------+-----------+-----------+ +| | ``BPF_CGROUP_UDP4_RECVMSG`` | ``cgroup/recvmsg4`` | | | ++ +----------------------------------------+----------------------------------+-----------+-----------+ +| | ``BPF_CGROUP_UDP4_SENDMSG`` | ``cgroup/sendmsg4`` | | | ++ +----------------------------------------+----------------------------------+-----------+-----------+ +| | ``BPF_CGROUP_UDP6_RECVMSG`` | ``cgroup/recvmsg6`` | | | ++ +----------------------------------------+----------------------------------+-----------+-----------+ +| | ``BPF_CGROUP_UDP6_SENDMSG`` | ``cgroup/sendmsg6`` | | | 
++-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ +| ``BPF_PROG_TYPE_CGROUP_SOCK`` | ``BPF_CGROUP_INET4_POST_BIND`` | ``cgroup/post_bind4`` | | | ++ +----------------------------------------+----------------------------------+-----------+-----------+ +| | ``BPF_CGROUP_INET6_POST_BIND`` | ``cgroup/post_bind6`` | | | ++ +----------------------------------------+----------------------------------+-----------+-----------+ +| | ``BPF_CGROUP_INET_SOCK_CREATE`` | ``cgroup/sock_create`` | | | ++ + +----------------------------------+-----------+-----------+ +| | | ``cgroup/sock`` | | | ++ +----------------------------------------+----------------------------------+-----------+-----------+ +| | ``BPF_CGROUP_INET_SOCK_RELEASE`` | ``cgroup/sock_release`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ +| ``BPF_PROG_TYPE_CGROUP_SYSCTL`` | ``BPF_CGROUP_SYSCTL`` | ``cgroup/sysctl`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ +| ``BPF_PROG_TYPE_EXT`` | | ``freplace+`` [#fentry]_ | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ +| ``BPF_PROG_TYPE_FLOW_DISSECTOR`` | ``BPF_FLOW_DISSECTOR`` | ``flow_dissector`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ +| ``BPF_PROG_TYPE_KPROBE`` | | ``kprobe+`` [#kprobe]_ | | | ++ + +----------------------------------+-----------+-----------+ +| | | ``kretprobe+`` [#kprobe]_ | | | ++ + +----------------------------------+-----------+-----------+ +| | | ``ksyscall+`` [#ksyscall]_ | | | ++ + 
+----------------------------------+-----------+-----------+ +| | | ``kretsyscall+`` [#ksyscall]_ | | | ++ + +----------------------------------+-----------+-----------+ +| | | ``uprobe+`` [#uprobe]_ | | | ++ + +----------------------------------+-----------+-----------+ +| | | ``uprobe.s+`` [#uprobe]_ | | Yes | ++ + +----------------------------------+-----------+-----------+ +| | | ``uretprobe+`` [#uprobe]_ | | | ++ + +----------------------------------+-----------+-----------+ +| | | ``uretprobe.s+`` [#uprobe]_ | | Yes | ++ + +----------------------------------+-----------+-----------+ +| | | ``usdt+`` [#usdt]_ | | | ++ +----------------------------------------+----------------------------------+-----------+-----------+ +| | ``BPF_TRACE_KPROBE_MULTI`` | ``kprobe.multi+`` [#kpmulti]_ | | | ++ + +----------------------------------+-----------+-----------+ +| | | ``kretprobe.multi+`` [#kpmulti]_ | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ +| ``BPF_PROG_TYPE_LIRC_MODE2`` | ``BPF_LIRC_MODE2`` | ``lirc_mode2`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ +| ``BPF_PROG_TYPE_LSM`` | ``BPF_LSM_CGROUP`` | ``lsm_cgroup+`` | | | ++ +----------------------------------------+----------------------------------+-----------+-----------+ +| | ``BPF_LSM_MAC`` | ``lsm+`` [#lsm]_ | | | ++ + +----------------------------------+-----------+-----------+ +| | | ``lsm.s+`` [#lsm]_ | | Yes | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ +| ``BPF_PROG_TYPE_LWT_IN`` | | ``lwt_in`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ +| ``BPF_PROG_TYPE_LWT_OUT`` | | ``lwt_out`` | | 
| ++-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ +| ``BPF_PROG_TYPE_LWT_SEG6LOCAL`` | | ``lwt_seg6local`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ +| ``BPF_PROG_TYPE_LWT_XMIT`` | | ``lwt_xmit`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ +| ``BPF_PROG_TYPE_PERF_EVENT`` | | ``perf_event`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ +| ``BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE`` | | ``raw_tp.w+`` [#rawtp]_ | | | ++ + +----------------------------------+-----------+-----------+ +| | | ``raw_tracepoint.w+`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ +| ``BPF_PROG_TYPE_RAW_TRACEPOINT`` | | ``raw_tp+`` [#rawtp]_ |`e12`_ `e13`_ | | ++ + +----------------------------------+ +-----------+ +| | | ``raw_tracepoint+`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ +| ``BPF_PROG_TYPE_SCHED_ACT`` | | ``action`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ +| ``BPF_PROG_TYPE_SCHED_CLS`` | | ``classifier`` |`e21`_ `e25`_ | | ++ + +----------------------------------+ +-----------+ +| | | ``tc`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ +| ``BPF_PROG_TYPE_SK_LOOKUP`` | ``BPF_SK_LOOKUP`` | ``sk_lookup`` | | | 
++-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ +| ``BPF_PROG_TYPE_SK_MSG`` | ``BPF_SK_MSG_VERDICT`` | ``sk_msg`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ +| ``BPF_PROG_TYPE_SK_REUSEPORT`` | ``BPF_SK_REUSEPORT_SELECT_OR_MIGRATE`` | ``sk_reuseport/migrate`` | | | ++ +----------------------------------------+----------------------------------+-----------+-----------+ +| | ``BPF_SK_REUSEPORT_SELECT`` | ``sk_reuseport`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ +| ``BPF_PROG_TYPE_SK_SKB`` | | ``sk_skb`` | | | ++ +----------------------------------------+----------------------------------+-----------+-----------+ +| | ``BPF_SK_SKB_STREAM_PARSER`` | ``sk_skb/stream_parser`` | | | ++ +----------------------------------------+----------------------------------+-----------+-----------+ +| | ``BPF_SK_SKB_STREAM_VERDICT`` | ``sk_skb/stream_verdict`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ +| ``BPF_PROG_TYPE_SOCKET_FILTER`` | | ``socket`` |`e18`_ `e19`_ `e20`_ | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ +| ``BPF_PROG_TYPE_SOCK_OPS`` | ``BPF_CGROUP_SOCK_OPS`` | ``sockops`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ +| ``BPF_PROG_TYPE_STRUCT_OPS`` | | ``struct_ops+`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ +| 
``BPF_PROG_TYPE_SYSCALL`` | | ``syscall`` | | Yes | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ +| ``BPF_PROG_TYPE_TRACEPOINT`` | | ``tp+`` [#tp]_ |`e04`_ `e07`_ `e14`_ | | ++ + +----------------------------------+ +-----------+ +| | | ``tracepoint+`` [#tp]_ | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ +| ``BPF_PROG_TYPE_TRACING`` | ``BPF_MODIFY_RETURN`` | ``fmod_ret+`` [#fentry]_ | | | ++ + +----------------------------------+-----------+-----------+ +| | | ``fmod_ret.s+`` [#fentry]_ | | Yes | ++ +----------------------------------------+----------------------------------+-----------+-----------+ +| | ``BPF_TRACE_FENTRY`` | ``fentry+`` [#fentry]_ | | | ++ + +----------------------------------+-----------+-----------+ +| | | ``fentry.s+`` [#fentry]_ | | Yes | ++ +----------------------------------------+----------------------------------+-----------+-----------+ +| | ``BPF_TRACE_FEXIT`` | ``fexit+`` [#fentry]_ | | | ++ + +----------------------------------+-----------+-----------+ +| | | ``fexit.s+`` [#fentry]_ | | Yes | ++ +----------------------------------------+----------------------------------+-----------+-----------+ +| | ``BPF_TRACE_ITER`` | ``iter+`` [#iter]_ | | | ++ + +----------------------------------+-----------+-----------+ +| | | ``iter.s+`` [#iter]_ | | Yes | ++ +----------------------------------------+----------------------------------+-----------+-----------+ +| | ``BPF_TRACE_RAW_TP`` | ``tp_btf+`` [#fentry]_ |`e16`_ `e17`_ | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ +| ``BPF_PROG_TYPE_XDP`` | ``BPF_XDP_CPUMAP`` | ``xdp.frags/cpumap`` | | | ++ + +----------------------------------+-----------+-----------+ +| | | ``xdp/cpumap`` | | | 
++ +----------------------------------------+----------------------------------+-----------+-----------+ +| | ``BPF_XDP_DEVMAP`` | ``xdp.frags/devmap`` | | | ++ + +----------------------------------+-----------+-----------+ +| | | ``xdp/devmap`` | | | ++ +----------------------------------------+----------------------------------+-----------+-----------+ +| | ``BPF_XDP`` | ``xdp.frags`` | | | ++ + +----------------------------------+-----------+-----------+ +| | | ``xdp`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ + + +.. rubric:: Footnotes + +.. [#fentry] The ``fentry`` attach format is ``fentry[.s]/``. +.. [#kprobe] The ``kprobe`` attach format is ``kprobe/[+]``. Valid + characters for ``function`` are ``a-zA-Z0-9_.`` and ``offset`` must be a valid + non-negative integer. +.. [#ksyscall] The ``ksyscall`` attach format is ``ksyscall/``. +.. [#uprobe] The ``uprobe`` attach format is ``uprobe[.s]/:[+]``. +.. [#usdt] The ``usdt`` attach format is ``usdt/::``. +.. [#kpmulti] The ``kprobe.multi`` attach format is ``kprobe.multi/`` where ``pattern`` + supports ``*`` and ``?`` wildcards. Valid characters for pattern are + ``a-zA-Z0-9_.*?``. +.. [#lsm] The ``lsm`` attachment format is ``lsm[.s]/``. +.. [#rawtp] The ``raw_tp`` attach format is ``raw_tracepoint[.w]/``. +.. [#tp] The ``tracepoint`` attach format is ``tracepoint//``. +.. [#iter] The ``iter`` attach format is ``iter[.s]/``. + + +.. |Build examples| image:: https://github.com/mozillazg/hello-libbpfgo/actions/workflows/build.yml/badge.svg?branch=master + :target: https://github.com/mozillazg/hello-libbpfgo/actions/workflows/build.yml + +.. _e04: https://github.com/mozillazg/hello-libbpfgo/tree/master/04-tracepoint +.. _e07: https://github.com/mozillazg/hello-libbpfgo/tree/master/07-tracepoint-args +.. _e12: https://github.com/mozillazg/hello-libbpfgo/tree/master/12-raw-tracepoint-args +.. 
_e13: https://github.com/mozillazg/hello-libbpfgo/tree/master/13-raw-tracepoint-args-sched_switch +.. _e14: https://github.com/mozillazg/hello-libbpfgo/tree/master/14-tracepoint-args-sched_switch +.. _e16: https://github.com/mozillazg/hello-libbpfgo/tree/master/16-btf-raw-tracepoint-args +.. _e17: https://github.com/mozillazg/hello-libbpfgo/tree/master/17-btf-raw-tracepoint-args-sched_switch +.. _e18: https://github.com/mozillazg/hello-libbpfgo/tree/master/18-socket-filter-capture-icmp-traffic-kernel-parse +.. _e19: https://github.com/mozillazg/hello-libbpfgo/tree/master/19-socket-filter-capture-icmp-traffic-userspace-parse +.. _e20: https://github.com/mozillazg/hello-libbpfgo/tree/master/20-socket-filter-capture-icmp-traffic-kernel-parse-without-llvm-load +.. _e21: https://github.com/mozillazg/hello-libbpfgo/tree/master/21-tc-parse-packet-with-bpf_skb_load_bytes +.. _e25: https://github.com/mozillazg/hello-libbpfgo/tree/master/25-tc-parse-packet-with-direct-memory-access + From 93cb4b33748a251d98655e8a240d81e8615d4cc8 Mon Sep 17 00:00:00 2001 From: mozillazg Date: Sun, 20 Aug 2023 10:28:48 +0000 Subject: [PATCH 03/20] fix table --- README.rst | 358 ++++++++++++++++++++++++++--------------------------- 1 file changed, 178 insertions(+), 180 deletions(-) diff --git a/README.rst b/README.rst index 541a2b1..b1653df 100644 --- a/README.rst +++ b/README.rst 
@@ -22,174 +22,172 @@ Program Types -+-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ -| Program Type | Attach Type | ELF Section Name | Examples | Sleepable | -+===========================================+========================================+==================================+===========+===========+ -| ``BPF_PROG_TYPE_CGROUP_DEVICE`` | ``BPF_CGROUP_DEVICE`` | ``cgroup/dev`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ -| ``BPF_PROG_TYPE_CGROUP_SKB`` | | ``cgroup/skb`` | | | -+ +----------------------------------------+----------------------------------+-----------+-----------+ -| | ``BPF_CGROUP_INET_EGRESS`` | ``cgroup_skb/egress`` | | | -+ +----------------------------------------+----------------------------------+-----------+-----------+ -| | ``BPF_CGROUP_INET_INGRESS`` | ``cgroup_skb/ingress`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ -| ``BPF_PROG_TYPE_CGROUP_SOCKOPT`` | ``BPF_CGROUP_GETSOCKOPT`` | ``cgroup/getsockopt`` | | | -+ +----------------------------------------+----------------------------------+-----------+-----------+ -| | ``BPF_CGROUP_SETSOCKOPT`` | ``cgroup/setsockopt`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ -| ``BPF_PROG_TYPE_CGROUP_SOCK_ADDR`` | ``BPF_CGROUP_INET4_BIND`` | ``cgroup/bind4`` | | | -+ +----------------------------------------+----------------------------------+-----------+-----------+ -| | ``BPF_CGROUP_INET4_CONNECT`` | ``cgroup/connect4`` | | | -+ +----------------------------------------+----------------------------------+-----------+-----------+ -| | ``BPF_CGROUP_INET4_GETPEERNAME`` | 
``cgroup/getpeername4`` | | | -+ +----------------------------------------+----------------------------------+-----------+-----------+ -| | ``BPF_CGROUP_INET4_GETSOCKNAME`` | ``cgroup/getsockname4`` | | | -+ +----------------------------------------+----------------------------------+-----------+-----------+ -| | ``BPF_CGROUP_INET6_BIND`` | ``cgroup/bind6`` | | | -+ +----------------------------------------+----------------------------------+-----------+-----------+ -| | ``BPF_CGROUP_INET6_CONNECT`` | ``cgroup/connect6`` | | | -+ +----------------------------------------+----------------------------------+-----------+-----------+ -| | ``BPF_CGROUP_INET6_GETPEERNAME`` | ``cgroup/getpeername6`` | | | -+ +----------------------------------------+----------------------------------+-----------+-----------+ -| | ``BPF_CGROUP_INET6_GETSOCKNAME`` | ``cgroup/getsockname6`` | | | -+ +----------------------------------------+----------------------------------+-----------+-----------+ -| | ``BPF_CGROUP_UDP4_RECVMSG`` | ``cgroup/recvmsg4`` | | | -+ +----------------------------------------+----------------------------------+-----------+-----------+ -| | ``BPF_CGROUP_UDP4_SENDMSG`` | ``cgroup/sendmsg4`` | | | -+ +----------------------------------------+----------------------------------+-----------+-----------+ -| | ``BPF_CGROUP_UDP6_RECVMSG`` | ``cgroup/recvmsg6`` | | | -+ +----------------------------------------+----------------------------------+-----------+-----------+ -| | ``BPF_CGROUP_UDP6_SENDMSG`` | ``cgroup/sendmsg6`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ -| ``BPF_PROG_TYPE_CGROUP_SOCK`` | ``BPF_CGROUP_INET4_POST_BIND`` | ``cgroup/post_bind4`` | | | -+ +----------------------------------------+----------------------------------+-----------+-----------+ -| | ``BPF_CGROUP_INET6_POST_BIND`` | ``cgroup/post_bind6`` | | | -+ 
+----------------------------------------+----------------------------------+-----------+-----------+ -| | ``BPF_CGROUP_INET_SOCK_CREATE`` | ``cgroup/sock_create`` | | | -+ + +----------------------------------+-----------+-----------+ -| | | ``cgroup/sock`` | | | -+ +----------------------------------------+----------------------------------+-----------+-----------+ -| | ``BPF_CGROUP_INET_SOCK_RELEASE`` | ``cgroup/sock_release`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ -| ``BPF_PROG_TYPE_CGROUP_SYSCTL`` | ``BPF_CGROUP_SYSCTL`` | ``cgroup/sysctl`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ -| ``BPF_PROG_TYPE_EXT`` | | ``freplace+`` [#fentry]_ | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ -| ``BPF_PROG_TYPE_FLOW_DISSECTOR`` | ``BPF_FLOW_DISSECTOR`` | ``flow_dissector`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ -| ``BPF_PROG_TYPE_KPROBE`` | | ``kprobe+`` [#kprobe]_ | | | -+ + +----------------------------------+-----------+-----------+ -| | | ``kretprobe+`` [#kprobe]_ | | | -+ + +----------------------------------+-----------+-----------+ -| | | ``ksyscall+`` [#ksyscall]_ | | | -+ + +----------------------------------+-----------+-----------+ -| | | ``kretsyscall+`` [#ksyscall]_ | | | -+ + +----------------------------------+-----------+-----------+ -| | | ``uprobe+`` [#uprobe]_ | | | -+ + +----------------------------------+-----------+-----------+ -| | | ``uprobe.s+`` [#uprobe]_ | | Yes | -+ + +----------------------------------+-----------+-----------+ -| | | ``uretprobe+`` [#uprobe]_ | | | -+ + 
+----------------------------------+-----------+-----------+ -| | | ``uretprobe.s+`` [#uprobe]_ | | Yes | -+ + +----------------------------------+-----------+-----------+ -| | | ``usdt+`` [#usdt]_ | | | -+ +----------------------------------------+----------------------------------+-----------+-----------+ -| | ``BPF_TRACE_KPROBE_MULTI`` | ``kprobe.multi+`` [#kpmulti]_ | | | -+ + +----------------------------------+-----------+-----------+ -| | | ``kretprobe.multi+`` [#kpmulti]_ | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ -| ``BPF_PROG_TYPE_LIRC_MODE2`` | ``BPF_LIRC_MODE2`` | ``lirc_mode2`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ -| ``BPF_PROG_TYPE_LSM`` | ``BPF_LSM_CGROUP`` | ``lsm_cgroup+`` | | | -+ +----------------------------------------+----------------------------------+-----------+-----------+ -| | ``BPF_LSM_MAC`` | ``lsm+`` [#lsm]_ | | | -+ + +----------------------------------+-----------+-----------+ -| | | ``lsm.s+`` [#lsm]_ | | Yes | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ -| ``BPF_PROG_TYPE_LWT_IN`` | | ``lwt_in`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ -| ``BPF_PROG_TYPE_LWT_OUT`` | | ``lwt_out`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ -| ``BPF_PROG_TYPE_LWT_SEG6LOCAL`` | | ``lwt_seg6local`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ -| ``BPF_PROG_TYPE_LWT_XMIT`` | | ``lwt_xmit`` | | | 
-+-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ -| ``BPF_PROG_TYPE_PERF_EVENT`` | | ``perf_event`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ -| ``BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE`` | | ``raw_tp.w+`` [#rawtp]_ | | | -+ + +----------------------------------+-----------+-----------+ -| | | ``raw_tracepoint.w+`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ -| ``BPF_PROG_TYPE_RAW_TRACEPOINT`` | | ``raw_tp+`` [#rawtp]_ |`e12`_ `e13`_ | | -+ + +----------------------------------+ +-----------+ -| | | ``raw_tracepoint+`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ -| ``BPF_PROG_TYPE_SCHED_ACT`` | | ``action`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ -| ``BPF_PROG_TYPE_SCHED_CLS`` | | ``classifier`` |`e21`_ `e25`_ | | -+ + +----------------------------------+ +-----------+ -| | | ``tc`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ -| ``BPF_PROG_TYPE_SK_LOOKUP`` | ``BPF_SK_LOOKUP`` | ``sk_lookup`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ -| ``BPF_PROG_TYPE_SK_MSG`` | ``BPF_SK_MSG_VERDICT`` | ``sk_msg`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ -| ``BPF_PROG_TYPE_SK_REUSEPORT`` | ``BPF_SK_REUSEPORT_SELECT_OR_MIGRATE`` 
| ``sk_reuseport/migrate`` | | | -+ +----------------------------------------+----------------------------------+-----------+-----------+ -| | ``BPF_SK_REUSEPORT_SELECT`` | ``sk_reuseport`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ -| ``BPF_PROG_TYPE_SK_SKB`` | | ``sk_skb`` | | | -+ +----------------------------------------+----------------------------------+-----------+-----------+ -| | ``BPF_SK_SKB_STREAM_PARSER`` | ``sk_skb/stream_parser`` | | | -+ +----------------------------------------+----------------------------------+-----------+-----------+ -| | ``BPF_SK_SKB_STREAM_VERDICT`` | ``sk_skb/stream_verdict`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ -| ``BPF_PROG_TYPE_SOCKET_FILTER`` | | ``socket`` |`e18`_ `e19`_ `e20`_ | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ -| ``BPF_PROG_TYPE_SOCK_OPS`` | ``BPF_CGROUP_SOCK_OPS`` | ``sockops`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ -| ``BPF_PROG_TYPE_STRUCT_OPS`` | | ``struct_ops+`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ -| ``BPF_PROG_TYPE_SYSCALL`` | | ``syscall`` | | Yes | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ -| ``BPF_PROG_TYPE_TRACEPOINT`` | | ``tp+`` [#tp]_ |`e04`_ `e07`_ `e14`_ | | -+ + +----------------------------------+ +-----------+ -| | | ``tracepoint+`` [#tp]_ | | | 
-+-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ -| ``BPF_PROG_TYPE_TRACING`` | ``BPF_MODIFY_RETURN`` | ``fmod_ret+`` [#fentry]_ | | | -+ + +----------------------------------+-----------+-----------+ -| | | ``fmod_ret.s+`` [#fentry]_ | | Yes | -+ +----------------------------------------+----------------------------------+-----------+-----------+ -| | ``BPF_TRACE_FENTRY`` | ``fentry+`` [#fentry]_ | | | -+ + +----------------------------------+-----------+-----------+ -| | | ``fentry.s+`` [#fentry]_ | | Yes | -+ +----------------------------------------+----------------------------------+-----------+-----------+ -| | ``BPF_TRACE_FEXIT`` | ``fexit+`` [#fentry]_ | | | -+ + +----------------------------------+-----------+-----------+ -| | | ``fexit.s+`` [#fentry]_ | | Yes | -+ +----------------------------------------+----------------------------------+-----------+-----------+ -| | ``BPF_TRACE_ITER`` | ``iter+`` [#iter]_ | | | -+ + +----------------------------------+-----------+-----------+ -| | | ``iter.s+`` [#iter]_ | | Yes | -+ +----------------------------------------+----------------------------------+-----------+-----------+ -| | ``BPF_TRACE_RAW_TP`` | ``tp_btf+`` [#fentry]_ |`e16`_ `e17`_ | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ -| ``BPF_PROG_TYPE_XDP`` | ``BPF_XDP_CPUMAP`` | ``xdp.frags/cpumap`` | | | -+ + +----------------------------------+-----------+-----------+ -| | | ``xdp/cpumap`` | | | -+ +----------------------------------------+----------------------------------+-----------+-----------+ -| | ``BPF_XDP_DEVMAP`` | ``xdp.frags/devmap`` | | | -+ + +----------------------------------+-----------+-----------+ -| | | ``xdp/devmap`` | | | -+ +----------------------------------------+----------------------------------+-----------+-----------+ -| | 
``BPF_XDP`` | ``xdp.frags`` | | | -+ + +----------------------------------+-----------+-----------+ -| | | ``xdp`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------+-----------+ - - -.. rubric:: Footnotes ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ +| Program Type | Attach Type | ELF Section Name | Examples | Sleepable | ++===========================================+========================================+==================================+=======================+===========+ +| ``BPF_PROG_TYPE_CGROUP_DEVICE`` | ``BPF_CGROUP_DEVICE`` | ``cgroup/dev`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ +| ``BPF_PROG_TYPE_CGROUP_SKB`` | | ``cgroup/skb`` | | | ++ +----------------------------------------+----------------------------------+-----------------------+-----------+ +| | ``BPF_CGROUP_INET_EGRESS`` | ``cgroup_skb/egress`` | | | ++ +----------------------------------------+----------------------------------+-----------------------+-----------+ +| | ``BPF_CGROUP_INET_INGRESS`` | ``cgroup_skb/ingress`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ +| ``BPF_PROG_TYPE_CGROUP_SOCKOPT`` | ``BPF_CGROUP_GETSOCKOPT`` | ``cgroup/getsockopt`` | | | ++ +----------------------------------------+----------------------------------+-----------------------+-----------+ +| | ``BPF_CGROUP_SETSOCKOPT`` | ``cgroup/setsockopt`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ +| ``BPF_PROG_TYPE_CGROUP_SOCK_ADDR`` | 
``BPF_CGROUP_INET4_BIND`` | ``cgroup/bind4`` | | | ++ +----------------------------------------+----------------------------------+-----------------------+-----------+ +| | ``BPF_CGROUP_INET4_CONNECT`` | ``cgroup/connect4`` | | | ++ +----------------------------------------+----------------------------------+-----------------------+-----------+ +| | ``BPF_CGROUP_INET4_GETPEERNAME`` | ``cgroup/getpeername4`` | | | ++ +----------------------------------------+----------------------------------+-----------------------+-----------+ +| | ``BPF_CGROUP_INET4_GETSOCKNAME`` | ``cgroup/getsockname4`` | | | ++ +----------------------------------------+----------------------------------+-----------------------+-----------+ +| | ``BPF_CGROUP_INET6_BIND`` | ``cgroup/bind6`` | | | ++ +----------------------------------------+----------------------------------+-----------------------+-----------+ +| | ``BPF_CGROUP_INET6_CONNECT`` | ``cgroup/connect6`` | | | ++ +----------------------------------------+----------------------------------+-----------------------+-----------+ +| | ``BPF_CGROUP_INET6_GETPEERNAME`` | ``cgroup/getpeername6`` | | | ++ +----------------------------------------+----------------------------------+-----------------------+-----------+ +| | ``BPF_CGROUP_INET6_GETSOCKNAME`` | ``cgroup/getsockname6`` | | | ++ +----------------------------------------+----------------------------------+-----------------------+-----------+ +| | ``BPF_CGROUP_UDP4_RECVMSG`` | ``cgroup/recvmsg4`` | | | ++ +----------------------------------------+----------------------------------+-----------------------+-----------+ +| | ``BPF_CGROUP_UDP4_SENDMSG`` | ``cgroup/sendmsg4`` | | | ++ +----------------------------------------+----------------------------------+-----------------------+-----------+ +| | ``BPF_CGROUP_UDP6_RECVMSG`` | ``cgroup/recvmsg6`` | | | ++ +----------------------------------------+----------------------------------+-----------------------+-----------+ +| | 
``BPF_CGROUP_UDP6_SENDMSG`` | ``cgroup/sendmsg6`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ +| ``BPF_PROG_TYPE_CGROUP_SOCK`` | ``BPF_CGROUP_INET4_POST_BIND`` | ``cgroup/post_bind4`` | | | ++ +----------------------------------------+----------------------------------+-----------------------+-----------+ +| | ``BPF_CGROUP_INET6_POST_BIND`` | ``cgroup/post_bind6`` | | | ++ +----------------------------------------+----------------------------------+-----------------------+-----------+ +| | ``BPF_CGROUP_INET_SOCK_CREATE`` | ``cgroup/sock_create`` | | | ++ + +----------------------------------+-----------------------+-----------+ +| | | ``cgroup/sock`` | | | ++ +----------------------------------------+----------------------------------+-----------------------+-----------+ +| | ``BPF_CGROUP_INET_SOCK_RELEASE`` | ``cgroup/sock_release`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ +| ``BPF_PROG_TYPE_CGROUP_SYSCTL`` | ``BPF_CGROUP_SYSCTL`` | ``cgroup/sysctl`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ +| ``BPF_PROG_TYPE_EXT`` | | ``freplace+`` [#fentry]_ | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ +| ``BPF_PROG_TYPE_FLOW_DISSECTOR`` | ``BPF_FLOW_DISSECTOR`` | ``flow_dissector`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ +| ``BPF_PROG_TYPE_KPROBE`` | | ``kprobe+`` [#kprobe]_ | | | ++ + +----------------------------------+-----------------------+-----------+ +| | | 
``kretprobe+`` [#kprobe]_ | | | ++ + +----------------------------------+-----------------------+-----------+ +| | | ``ksyscall+`` [#ksyscall]_ | | | ++ + +----------------------------------+-----------------------+-----------+ +| | | ``kretsyscall+`` [#ksyscall]_ | | | ++ + +----------------------------------+-----------------------+-----------+ +| | | ``uprobe+`` [#uprobe]_ | | | ++ + +----------------------------------+-----------------------+-----------+ +| | | ``uprobe.s+`` [#uprobe]_ | | Yes | ++ + +----------------------------------+-----------------------+-----------+ +| | | ``uretprobe+`` [#uprobe]_ | | | ++ + +----------------------------------+-----------------------+-----------+ +| | | ``uretprobe.s+`` [#uprobe]_ | | Yes | ++ + +----------------------------------+-----------------------+-----------+ +| | | ``usdt+`` [#usdt]_ | | | ++ +----------------------------------------+----------------------------------+-----------------------+-----------+ +| | ``BPF_TRACE_KPROBE_MULTI`` | ``kprobe.multi+`` [#kpmulti]_ | | | ++ + +----------------------------------+-----------------------+-----------+ +| | | ``kretprobe.multi+`` [#kpmulti]_ | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ +| ``BPF_PROG_TYPE_LIRC_MODE2`` | ``BPF_LIRC_MODE2`` | ``lirc_mode2`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ +| ``BPF_PROG_TYPE_LSM`` | ``BPF_LSM_CGROUP`` | ``lsm_cgroup+`` | | | ++ +----------------------------------------+----------------------------------+-----------------------+-----------+ +| | ``BPF_LSM_MAC`` | ``lsm+`` [#lsm]_ | | | ++ + +----------------------------------+-----------------------+-----------+ +| | | ``lsm.s+`` [#lsm]_ | | Yes | 
++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ +| ``BPF_PROG_TYPE_LWT_IN`` | | ``lwt_in`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ +| ``BPF_PROG_TYPE_LWT_OUT`` | | ``lwt_out`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ +| ``BPF_PROG_TYPE_LWT_SEG6LOCAL`` | | ``lwt_seg6local`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ +| ``BPF_PROG_TYPE_LWT_XMIT`` | | ``lwt_xmit`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ +| ``BPF_PROG_TYPE_PERF_EVENT`` | | ``perf_event`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ +| ``BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE`` | | ``raw_tp.w+`` [#rawtp]_ | | | ++ + +----------------------------------+-----------------------+-----------+ +| | | ``raw_tracepoint.w+`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ +| ``BPF_PROG_TYPE_RAW_TRACEPOINT`` | | ``raw_tp+`` [#rawtp]_ |`12`_ `13`_ | | ++ + +----------------------------------+ +-----------+ +| | | ``raw_tracepoint+`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ +| ``BPF_PROG_TYPE_SCHED_ACT`` | | ``action`` | | | 
++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ +| ``BPF_PROG_TYPE_SCHED_CLS`` | | ``classifier`` |`21`_ `25`_ | | ++ + +----------------------------------+ +-----------+ +| | | ``tc`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ +| ``BPF_PROG_TYPE_SK_LOOKUP`` | ``BPF_SK_LOOKUP`` | ``sk_lookup`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ +| ``BPF_PROG_TYPE_SK_MSG`` | ``BPF_SK_MSG_VERDICT`` | ``sk_msg`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ +| ``BPF_PROG_TYPE_SK_REUSEPORT`` | ``BPF_SK_REUSEPORT_SELECT_OR_MIGRATE`` | ``sk_reuseport/migrate`` | | | ++ +----------------------------------------+----------------------------------+-----------------------+-----------+ +| | ``BPF_SK_REUSEPORT_SELECT`` | ``sk_reuseport`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ +| ``BPF_PROG_TYPE_SK_SKB`` | | ``sk_skb`` | | | ++ +----------------------------------------+----------------------------------+-----------------------+-----------+ +| | ``BPF_SK_SKB_STREAM_PARSER`` | ``sk_skb/stream_parser`` | | | ++ +----------------------------------------+----------------------------------+-----------------------+-----------+ +| | ``BPF_SK_SKB_STREAM_VERDICT`` | ``sk_skb/stream_verdict`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ +| ``BPF_PROG_TYPE_SOCKET_FILTER`` | | ``socket`` 
|`18`_ `19`_ `20`_ | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ +| ``BPF_PROG_TYPE_SOCK_OPS`` | ``BPF_CGROUP_SOCK_OPS`` | ``sockops`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ +| ``BPF_PROG_TYPE_STRUCT_OPS`` | | ``struct_ops+`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ +| ``BPF_PROG_TYPE_SYSCALL`` | | ``syscall`` | | Yes | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ +| ``BPF_PROG_TYPE_TRACEPOINT`` | | ``tp+`` [#tp]_ |`04`_ `07`_ `14`_ | | ++ + +----------------------------------+ +-----------+ +| | | ``tracepoint+`` [#tp]_ | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ +| ``BPF_PROG_TYPE_TRACING`` | ``BPF_MODIFY_RETURN`` | ``fmod_ret+`` [#fentry]_ | | | ++ + +----------------------------------+-----------------------+-----------+ +| | | ``fmod_ret.s+`` [#fentry]_ | | Yes | ++ +----------------------------------------+----------------------------------+-----------------------+-----------+ +| | ``BPF_TRACE_FENTRY`` | ``fentry+`` [#fentry]_ | | | ++ + +----------------------------------+-----------------------+-----------+ +| | | ``fentry.s+`` [#fentry]_ | | Yes | ++ +----------------------------------------+----------------------------------+-----------------------+-----------+ +| | ``BPF_TRACE_FEXIT`` | ``fexit+`` [#fentry]_ | | | ++ + +----------------------------------+-----------------------+-----------+ +| | | ``fexit.s+`` [#fentry]_ | | Yes | ++ 
+----------------------------------------+----------------------------------+-----------------------+-----------+ +| | ``BPF_TRACE_ITER`` | ``iter+`` [#iter]_ | | | ++ + +----------------------------------+-----------------------+-----------+ +| | | ``iter.s+`` [#iter]_ | | Yes | ++ +----------------------------------------+----------------------------------+-----------------------+-----------+ +| | ``BPF_TRACE_RAW_TP`` | ``tp_btf+`` [#fentry]_ |`16`_ `17`_ | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ +| ``BPF_PROG_TYPE_XDP`` | ``BPF_XDP_CPUMAP`` | ``xdp.frags/cpumap`` | | | ++ + +----------------------------------+-----------------------+-----------+ +| | | ``xdp/cpumap`` | | | ++ +----------------------------------------+----------------------------------+-----------------------+-----------+ +| | ``BPF_XDP_DEVMAP`` | ``xdp.frags/devmap`` | | | ++ + +----------------------------------+-----------------------+-----------+ +| | | ``xdp/devmap`` | | | ++ +----------------------------------------+----------------------------------+-----------------------+-----------+ +| | ``BPF_XDP`` | ``xdp.frags`` | | | ++ + +----------------------------------+-----------------------+-----------+ +| | | ``xdp`` | | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ + .. [#fentry] The ``fentry`` attach format is ``fentry[.s]/``. .. [#kprobe] The ``kprobe`` attach format is ``kprobe/[+]``. Valid 
@@ -210,16 +208,16 @@ Program Types .. |Build examples| image:: https://github.com/mozillazg/hello-libbpfgo/actions/workflows/build.yml/badge.svg?branch=master :target: https://github.com/mozillazg/hello-libbpfgo/actions/workflows/build.yml -.. _e04: https://github.com/mozillazg/hello-libbpfgo/tree/master/04-tracepoint -.. _e07: https://github.com/mozillazg/hello-libbpfgo/tree/master/07-tracepoint-args -.. _e12: https://github.com/mozillazg/hello-libbpfgo/tree/master/12-raw-tracepoint-args -.. _e13: https://github.com/mozillazg/hello-libbpfgo/tree/master/13-raw-tracepoint-args-sched_switch -.. _e14: https://github.com/mozillazg/hello-libbpfgo/tree/master/14-tracepoint-args-sched_switch -.. _e16: https://github.com/mozillazg/hello-libbpfgo/tree/master/16-btf-raw-tracepoint-args -.. _e17: https://github.com/mozillazg/hello-libbpfgo/tree/master/17-btf-raw-tracepoint-args-sched_switch -.. _e18: https://github.com/mozillazg/hello-libbpfgo/tree/master/18-socket-filter-capture-icmp-traffic-kernel-parse -.. _e19: https://github.com/mozillazg/hello-libbpfgo/tree/master/19-socket-filter-capture-icmp-traffic-userspace-parse -.. _e20: https://github.com/mozillazg/hello-libbpfgo/tree/master/20-socket-filter-capture-icmp-traffic-kernel-parse-without-llvm-load -.. _e21: https://github.com/mozillazg/hello-libbpfgo/tree/master/21-tc-parse-packet-with-bpf_skb_load_bytes -.. _e25: https://github.com/mozillazg/hello-libbpfgo/tree/master/25-tc-parse-packet-with-direct-memory-access +.. _04: https://github.com/mozillazg/hello-libbpfgo/tree/master/04-tracepoint +.. _07: https://github.com/mozillazg/hello-libbpfgo/tree/master/07-tracepoint-args +.. _12: https://github.com/mozillazg/hello-libbpfgo/tree/master/12-raw-tracepoint-args +.. _13: https://github.com/mozillazg/hello-libbpfgo/tree/master/13-raw-tracepoint-args-sched_switch +.. _14: https://github.com/mozillazg/hello-libbpfgo/tree/master/14-tracepoint-args-sched_switch +.. 
_16: https://github.com/mozillazg/hello-libbpfgo/tree/master/16-btf-raw-tracepoint-args +.. _17: https://github.com/mozillazg/hello-libbpfgo/tree/master/17-btf-raw-tracepoint-args-sched_switch +.. _18: https://github.com/mozillazg/hello-libbpfgo/tree/master/18-socket-filter-capture-icmp-traffic-kernel-parse +.. _19: https://github.com/mozillazg/hello-libbpfgo/tree/master/19-socket-filter-capture-icmp-traffic-userspace-parse +.. _20: https://github.com/mozillazg/hello-libbpfgo/tree/master/20-socket-filter-capture-icmp-traffic-kernel-parse-without-llvm-load +.. _21: https://github.com/mozillazg/hello-libbpfgo/tree/master/21-tc-parse-packet-with-bpf_skb_load_bytes +.. _25: https://github.com/mozillazg/hello-libbpfgo/tree/master/25-tc-parse-packet-with-direct-memory-access From ecd7b56b6c87524786e29421ec6a3358ff959def Mon Sep 17 00:00:00 2001 
From: mozillazg Date: Mon, 21 Aug 2023 15:24:37 +0000 Subject: [PATCH 04/20] add 26-lsm-path_chmod --- 26-lsm-path_chmod/Makefile | 1 + 26-lsm-path_chmod/README.md | 20 ++++ 26-lsm-path_chmod/cilium-ebpf/Makefile | 1 + 26-lsm-path_chmod/cilium-ebpf/README.md | 20 ++++ 26-lsm-path_chmod/cilium-ebpf/bpf_bpfeb.go | 115 +++++++++++++++++++++ 26-lsm-path_chmod/cilium-ebpf/bpf_bpfeb.o | Bin 0 -> 4784 bytes 26-lsm-path_chmod/cilium-ebpf/bpf_bpfel.go | 115 +++++++++++++++++++++ 26-lsm-path_chmod/cilium-ebpf/bpf_bpfel.o | Bin 0 -> 4784 bytes 26-lsm-path_chmod/cilium-ebpf/main.go | 36 +++++++ 26-lsm-path_chmod/main.bpf.c | 21 ++++ 26-lsm-path_chmod/main.go | 34 ++++++ 11 files changed, 363 insertions(+) create mode 120000 26-lsm-path_chmod/Makefile create mode 100644 26-lsm-path_chmod/README.md create mode 120000 26-lsm-path_chmod/cilium-ebpf/Makefile create mode 100644 26-lsm-path_chmod/cilium-ebpf/README.md create mode 100644 26-lsm-path_chmod/cilium-ebpf/bpf_bpfeb.go create mode 100644 26-lsm-path_chmod/cilium-ebpf/bpf_bpfeb.o create mode 100644 26-lsm-path_chmod/cilium-ebpf/bpf_bpfel.go create mode 100644 26-lsm-path_chmod/cilium-ebpf/bpf_bpfel.o create mode 100644 26-lsm-path_chmod/cilium-ebpf/main.go create mode 100644 26-lsm-path_chmod/main.bpf.c create mode 100644 26-lsm-path_chmod/main.go diff --git a/26-lsm-path_chmod/Makefile b/26-lsm-path_chmod/Makefile new file mode 120000 index 0000000..d981720 --- /dev/null +++ b/26-lsm-path_chmod/Makefile @@ -0,0 +1 @@ +../common/Makefile \ No newline at end of file diff --git a/26-lsm-path_chmod/README.md b/26-lsm-path_chmod/README.md new file mode 100644 index 0000000..c5fe283 --- /dev/null +++ b/26-lsm-path_chmod/README.md @@ -0,0 +1,20 @@ + + +## Usage + +build: + +``` +$ make +``` + +run: + +``` +$ make run + +touch /tmp/a.txt +chmod 600 /tmp/a.txt + +$ make cat +``` diff --git a/26-lsm-path_chmod/cilium-ebpf/Makefile b/26-lsm-path_chmod/cilium-ebpf/Makefile new file mode 120000 index 0000000..97ab7f0 --- /dev/null 
+++ b/26-lsm-path_chmod/cilium-ebpf/Makefile
@@ -0,0 +1 @@
+../../common/cilium-ebpf.Makefile
\ No newline at end of file
diff --git a/26-lsm-path_chmod/cilium-ebpf/README.md b/26-lsm-path_chmod/cilium-ebpf/README.md
new file mode 100644
index 0000000..c5fe283
--- /dev/null
+++ b/26-lsm-path_chmod/cilium-ebpf/README.md
@@ -0,0 +1,20 @@
+
+
+## Usage
+
+build:
+
+```
+$ make
+```
+
+run:
+
+```
+$ make run
+
+touch /tmp/a.txt
+chmod 600 /tmp/a.txt
+
+$ make cat
+```
diff --git a/26-lsm-path_chmod/cilium-ebpf/bpf_bpfeb.go b/26-lsm-path_chmod/cilium-ebpf/bpf_bpfeb.go
new file mode 100644
index 0000000..ff60f45
--- /dev/null
+++ b/26-lsm-path_chmod/cilium-ebpf/bpf_bpfeb.go
@@ -0,0 +1,115 @@ +// Code generated by bpf2go; DO NOT EDIT. +//go:build arm64be || armbe || mips || mips64 || mips64p32 || ppc64 || s390 || s390x || sparc || sparc64 + +package main + +import ( + "bytes" + _ "embed" + "fmt" + "io" + + "github.com/cilium/ebpf" +) + +// loadBpf returns the embedded CollectionSpec for bpf. +func loadBpf() (*ebpf.CollectionSpec, error) { + reader := bytes.NewReader(_BpfBytes) + spec, err := ebpf.LoadCollectionSpecFromReader(reader) + if err != nil { + return nil, fmt.Errorf("can't load bpf: %w", err) + } + + return spec, err +} + +// loadBpfObjects loads bpf and converts it into a struct. +// +// The following types are suitable as obj argument: +// +// *bpfObjects +// *bpfPrograms +// *bpfMaps +// +// See ebpf.CollectionSpec.LoadAndAssign documentation for details. +func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error { + spec, err := loadBpf() + if err != nil { + return err + } + + return spec.LoadAndAssign(obj, opts) +} + +// bpfSpecs contains maps and programs before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfSpecs struct { + bpfProgramSpecs + bpfMapSpecs +} + +// bpfSpecs contains programs before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfProgramSpecs struct { + LsmPathChmod *ebpf.ProgramSpec `ebpf:"lsm_path_chmod"` +} + +// bpfMapSpecs contains maps before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfMapSpecs struct { +} + +// bpfObjects contains all objects after they have been loaded into the kernel. +// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. +type bpfObjects struct { + bpfPrograms + bpfMaps +} + +func (o *bpfObjects) Close() error { + return _BpfClose( + &o.bpfPrograms, + &o.bpfMaps, + ) +} + +// bpfMaps contains all maps after they have been loaded into the kernel. 
+// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. +type bpfMaps struct { +} + +func (m *bpfMaps) Close() error { + return _BpfClose() +} + +// bpfPrograms contains all programs after they have been loaded into the kernel. +// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. +type bpfPrograms struct { + LsmPathChmod *ebpf.Program `ebpf:"lsm_path_chmod"` +} + +func (p *bpfPrograms) Close() error { + return _BpfClose( + p.LsmPathChmod, + ) +} + +func _BpfClose(closers ...io.Closer) error { + for _, closer := range closers { + if err := closer.Close(); err != nil { + return err + } + } + return nil +} + +// Do not access this directly. +// +//go:embed bpf_bpfeb.o +var _BpfBytes []byte 
diff --git a/26-lsm-path_chmod/cilium-ebpf/bpf_bpfeb.o b/26-lsm-path_chmod/cilium-ebpf/bpf_bpfeb.o new file mode 100644 index 0000000000000000000000000000000000000000..d1abb7140b01c692a0cf1b3744bacc7cfa6e3eb3 GIT binary patch literal 4784 zcmbtXO^h5@5q{m{tP^|v6Y_%t0UGCrUB}GYi7}2%$as@=9O00~1VlK{?w#rNG~3fN z+dq!Yk60lh5h0`?K;i^Z#K8xIIDjmH#4Zw?Ad(M3;>Lm^1SAIzNPqw>-&e2RY)=zQ zNR(8szN%MM@2}pQo-Zt%JLCJF8Ix!J23#|YdjR&0MC)j~$4svu6>P5U7kTqO)z{x< z?K@%L+S=N@7TEsht$9`bgDWSuHfb8iecC$gydZJc*YC8t#_xCWSB{&T*|R?BzuE8) z)W0}j=Vz0l)qJ!N|AjY3zUupx-fV?Kc7MLPCzS0e%U5 z3z&2j%<%&7_rZI?9q^C9oWlnAr(n!ovi}13Zs0Y@SHSN8-hliy_+6MS@o&Ko>T+HK zJ_g)@{1f;+u_VVfKLFgAuk66z6rwHjphTuwC|Id*nj}~-LfIZ zz{fj+Nwb?`9uiwX@;;xOW|}I}h%Y!|?Mi zZ^yF7yhU2$eID{IaECfp!u&cFa~o}l{UVw>1)|YB@bSI^^>%CbUQ`^w{tZoV2k^HP zV-4Q76~7huWyPpL@2c(>O&zeCw_H6QKIrZ6TUS2{3Fl-%PqA^u2?$^FPH=#jS2PCG z7X5bs<9KUB3))`0$2!0q$MkN8YHR;1YzM8~V@_4SB4^iLF z>9gLr79l1B0Q;YUJZ!CgtQaZ$f#!KH@JKQD-_;3IR8Z$=1O5^kV$`eug8Cl;{;Fa; zyZ+a?IUtVBx_0&O5V6+7xtjgM@OW8cn5I+fBXnoWF@FdZcb4S;7|lt6#{ZeF6+Uve z9#;D=A&EQGIU$h5D?SD5b)EYnJM|nm*6*P{LL2a((a4ZBnysIx-&xp@vh{O5N*eQoO6L1j&CWU|G5*z^7Nc$bp@!e6 z;lFR=9o`s^qOxxWS!sH4R_0es0+<$qkoHi17OBqF)b?DvJvWGwti3c^Zg&|GOh(KU zWnOj5fI-0_wzI)!&5@HwO#td;(I5^U3Fa5igpWOaejz-+aQg8XdL0hzBp^dN&7Ly7 za5;@G7LY}}inbpWeTY$%W4ZuzgGjPr&q}MO!|qBRFQaETLQ^cEDHCyBE_zWJLGSjH zw8zeBsh8v&qB2!hBp0)|7jPReVs}_&Wmt@oj2Xi>v5mdPzlQ_Ur`ihE`hXT2o5XsQ!j%?UM!&Rj-GYO15h*@3Be+dNpr%FIFc&3W*!Toeg8C8OnWS>;)9Eqn|MacqA0yMAkZ zv-Wnr+l>x9*<$1f|3z?a`qSrO42LIuf~e2qo3xo{Q@yT2GMApn6nBKWp2igW>pA(U zQqR?C=!*^gLPH-l^tFc0@$30tYUn>`=o=0FdP9Gsq5o@A_okgb?e8}2lFw{AkJI-2 zGiTaVZg7LzX?kf8M!jB+SAY9HO?pcvm?nM#alOlE$+U|r1Ce?I-JqDx|4lqgJ}NppaPB=v2fw9cOjKOLRksB>>tyeDgtCg)GQ z*3fBF^6)uL+VyWM$89}+H>`Di?1X=nhpgh^ukZxb{ZsTb*6n=voK?g+XYILtcl&n$ zwvT|D`vVhc&u^@hmx!;Y8^^`(hwXFV8^!-o;{!;>^Hn3&<7vM^{9fm`2_O2ozckLy m@gEp&os)B0gEC2b-S~}jo!IXlVw(M$X7B3?o}bLS9seJZ06(z+ literal 0 HcmV?d00001 
diff --git a/26-lsm-path_chmod/cilium-ebpf/bpf_bpfel.go b/26-lsm-path_chmod/cilium-ebpf/bpf_bpfel.go new file mode 100644 index 0000000..865f5c9 --- /dev/null +++ b/26-lsm-path_chmod/cilium-ebpf/bpf_bpfel.go 
@@ -0,0 +1,115 @@ +// Code generated by bpf2go; DO NOT EDIT. +//go:build 386 || amd64 || amd64p32 || arm || arm64 || loong64 || mips64le || mips64p32le || mipsle || ppc64le || riscv64 + +package main + +import ( + "bytes" + _ "embed" + "fmt" + "io" + + "github.com/cilium/ebpf" +) + +// loadBpf returns the embedded CollectionSpec for bpf. +func loadBpf() (*ebpf.CollectionSpec, error) { + reader := bytes.NewReader(_BpfBytes) + spec, err := ebpf.LoadCollectionSpecFromReader(reader) + if err != nil { + return nil, fmt.Errorf("can't load bpf: %w", err) + } + + return spec, err +} + +// loadBpfObjects loads bpf and converts it into a struct. +// +// The following types are suitable as obj argument: +// +// *bpfObjects +// *bpfPrograms +// *bpfMaps +// +// See ebpf.CollectionSpec.LoadAndAssign documentation for details. +func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error { + spec, err := loadBpf() + if err != nil { + return err + } + + return spec.LoadAndAssign(obj, opts) +} + +// bpfSpecs contains maps and programs before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfSpecs struct { + bpfProgramSpecs + bpfMapSpecs +} + +// bpfSpecs contains programs before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfProgramSpecs struct { + LsmPathChmod *ebpf.ProgramSpec `ebpf:"lsm_path_chmod"` +} + +// bpfMapSpecs contains maps before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfMapSpecs struct { +} + +// bpfObjects contains all objects after they have been loaded into the kernel. +// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. +type bpfObjects struct { + bpfPrograms + bpfMaps +} + +func (o *bpfObjects) Close() error { + return _BpfClose( + &o.bpfPrograms, + &o.bpfMaps, + ) +} + +// bpfMaps contains all maps after they have been loaded into the kernel. 
+// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. +type bpfMaps struct { +} + +func (m *bpfMaps) Close() error { + return _BpfClose() +} + +// bpfPrograms contains all programs after they have been loaded into the kernel. +// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. +type bpfPrograms struct { + LsmPathChmod *ebpf.Program `ebpf:"lsm_path_chmod"` +} + +func (p *bpfPrograms) Close() error { + return _BpfClose( + p.LsmPathChmod, + ) +} + +func _BpfClose(closers ...io.Closer) error { + for _, closer := range closers { + if err := closer.Close(); err != nil { + return err + } + } + return nil +} + +// Do not access this directly. +// +//go:embed bpf_bpfel.o +var _BpfBytes []byte 
diff --git a/26-lsm-path_chmod/cilium-ebpf/bpf_bpfel.o b/26-lsm-path_chmod/cilium-ebpf/bpf_bpfel.o new file mode 100644 index 0000000000000000000000000000000000000000..256e42c514eb28459770da11b445353ca1b9a066 GIT binary patch literal 4784 zcmbVPTWl0n7(Tmgr9u(#iik3zVvDc^L_`o-3Pp)kD=HBm9HzTdcGB6|?OeEciH(s& zV@xn=;*%g6!-FwCXh<}%HPI(E;XxDMti~7-9(*uSqNaY|ng493L-oNwd(Qv;-}(P@ zzsx?fF}NMg{>(yp7CcpS$_-V^pB7h zqrI%KzKcPOS5lUKXi}X@P4$}SO0C|gS~o@N?!f_d>})|TmV&S0&9tap2&IasQ%@dr zJ3Gq?+oX6dG+oPLLlqy$;B+`Tem>*aU#3N=Pl2%(s4JkscXdFsPPEfL0eu{a1EQQn zVwr{X9?~U9Wuy<0SkDB~CrG+(RQ5UWQlv59ub{6*ngIR=dKobW^d0m%Bo63DsP#x? z;4{#-A&mk53cUeoLI!<1FdIA%wGn9yn0t*_VF2@h?<5br02pG%sg|a8=RA;WfbnZ* z-}?Z%=n1)3eC7j_H$Hm+%v{*O=)PW$I-)N3j^Pc#R{@_8%sqHA#Rb+` zMiMD5F$i1W8sKs9qcVL2EZ#Tmr&o)<*CAO*Ur7w-oA&px@zec>sX1zj8T%PHu#ZNr zHvrm<{Wth57ydjj_ql~M1q|uD0ohzQ!_;d{@u}G|PJE$9?{>_}v4{%07b) zt*@}VVN+P&ml=MSX4Cku)A%{0e#+o;8T>~E>&q8!udbr$#5Gk9VpVm6I6SO8KtHP6 z^u7-=*S&KUUQ-vRMQF3T>!d4c|oI^ z>eTidm66aLMoFWIEE+-&dni`TX6PPJqnIM4JI@i>z8fe#G=k*T zb;`DxCmYriA@>`>eoJRFy4W%*H7A7Yw%xn8?X@4;^;p0C@ZQ0G+eTnI6T1I;IGR!^ z%#KV3sY1G{&^g!|w>C8Egq2#0#z03+1?qs~D<^K$y$Wbuxf|-1+^TB2LDdWPt7Icb zvr%Z<(6QtBDp|XMg~(fDifWAzn~@`Laa@d7CYT;hK(WD4$+i7 z;)a3i+gQWy75ZcVt+FET3AZt#?$Zui^%gt4d)*Z)szvhX_004V~C)1QCuXk4Kb%!Di(0 z9vF`5+}rsH(;vTQur8cCje_qV&8xZtPiit^Ev;cneq;lpA>rp{vBmJKw`g48#k=!D@;8W zJTPhmiGpy=En^{sZS&*Vl#`oXI73({-&7E=_36oqzs=23ZJY? zGxbc8gmAPJt_E8_D&Hqu3EC$!-z%)ke5L^E+R6kX?B$>_plR>R+0C3ima~uM?BhB6 z{hU3Kvrp&jb259razc4fV#FRV&@L%zh#!+-< z&W>R-o^zTNizFnwziA6isD+=73olT6qNplNe~ak^c@QZ-N94bi_=Pkeygk{Di8uUH z;AV^eS>i2}Qy7nb)fdE*pDn&qzOyG$PN5(7SiXJ!EovK>;w3zW)RLbiKEJN{`Kux# R@54&YO8k*ljVZ{-{{z88Kt=!n literal 0 HcmV?d00001 diff --git a/26-lsm-path_chmod/cilium-ebpf/main.go b/26-lsm-path_chmod/cilium-ebpf/main.go new file mode 100644 index 0000000..417213a --- /dev/null +++ b/26-lsm-path_chmod/cilium-ebpf/main.go 
@@ -0,0 +1,36 @@
+package main
+
+import (
+ "log"
+ "time"
+
+ "github.com/cilium/ebpf/link"
+ "github.com/cilium/ebpf/rlimit"
+)
+
+// $BPF_CLANG and $BPF_CFLAGS are set by the Makefile
+//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../main.bpf.c -- -I../ -I../output
+
+func main() {
+ if err := rlimit.RemoveMemlock(); err != nil {
+ log.Fatal(err)
+ }
+
+ objs := bpfObjects{}
+ if err := loadBpfObjects(&objs, nil); err != nil {
+ log.Fatal(err)
+ }
+ defer objs.Close()
+
+ tp, err := link.AttachLSM(link.LSMOptions{
+ Program: objs.LsmPathChmod,
+ })
+ if err != nil {
+ log.Println(err)
+ return
+ }
+ defer tp.Close()
+
+ log.Println("Waiting for events...")
+ time.Sleep(time.Minute * 1024)
+}
diff --git a/26-lsm-path_chmod/main.bpf.c b/26-lsm-path_chmod/main.bpf.c
new file mode 100644
index 0000000..f53b49c
--- /dev/null
+++ b/26-lsm-path_chmod/main.bpf.c
@@ -0,0 +1,21 @@
+#include "vmlinux.h"
+
+#include
+#include
+#include
+
+
+SEC("lsm/path_chmod")
+int lsm_path_chmod(struct path *path) {
+ char path_str[32];
+ struct qstr dname;
+
+ dname = BPF_CORE_READ(path, dentry, d_name);
+ bpf_probe_read_kernel_str(&path_str, sizeof(path_str), dname.name);
+
+ bpf_printk("chmod %s", path_str);
+
+ return 0;
+}
+
+char _license[] SEC("license") = "GPL";
diff --git a/26-lsm-path_chmod/main.go b/26-lsm-path_chmod/main.go
new file mode 100644
index 0000000..7640889
--- /dev/null
+++ b/26-lsm-path_chmod/main.go
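Review bot: When `link.AttachLSM` fails in cilium-ebpf/main.go, the code logs the error and returns, so the process exits with status 0 and a supervisor or CI job cannot tell that the `lsm/path_chmod` hook was never attached. The two earlier error paths already use `log.Fatal`; the attach path should match, for example `log.Fatalf("attach lsm/path_chmod: %v", err)` (the deferred `objs.Close()` is skipped, but the descriptors are released at process exit). A host without BPF LSM enabled is the likely way to reach this branch, which is when a non-zero exit matters most. The libbpfgo variant in 26-lsm-path_chmod/main.go uses the same `log.Println(err)` plus `return` pattern on its load, lookup and attach paths.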
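Review bot: The return value of `bpf_probe_read_kernel_str` in `lsm_path_chmod` is ignored, so a failed read is printed as an empty name and cannot be told apart from a real one in the trace output. Capturing it and bailing out keeps the log honest: `long n = bpf_probe_read_kernel_str(path_str, sizeof(path_str), dname.name);` followed by `if (n < 0) return 0;`. It would also help to add a comment above `path_str` such as `/* final path component only, truncated to 31 bytes plus NUL */`, because `d_name` is not the full path and two files with the same name in different directories produce identical lines.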
@@ -0,0 +1,34 @@
+package main
+
+import (
+ "log"
+ "time"
+
+ bpf "github.com/aquasecurity/libbpfgo"
+)
+
+func main() {
+ bpfModule, err := bpf.NewModuleFromFile("main.bpf.o")
+ if err != nil {
+ panic(err)
+ }
+ defer bpfModule.Close()
+
+ if err := bpfModule.BPFLoadObject(); err != nil {
+ log.Println(err)
+ return
+ }
+ prog, err := bpfModule.GetProgram("lsm_path_chmod")
+ if err != nil {
+ log.Println(err)
+ return
+ }
+
+ if _, err := prog.AttachLSM(); err != nil {
+ log.Println(err)
+ return
+ }
+
+ log.Println("waiting for events")
+ time.Sleep(time.Minute * 1024)
+}
From c2fec7a6f94d6c9a70bae2306af5b119b43cb63f Mon Sep 17 00:00:00 2001 From: mozillazg Date: Tue, 22 Aug 2023 00:42:43 +0000 Subject: [PATCH 05/20] 26: update docs --- 26-lsm-path_chmod/README.md | 6 ++++++ 26-lsm-path_chmod/cilium-ebpf/README.md | 6 ++++++ 2 files changed, 12 insertions(+)
diff --git a/26-lsm-path_chmod/README.md b/26-lsm-path_chmod/README.md
index c5fe283..284dc80 100644
--- a/26-lsm-path_chmod/README.md
+++ b/26-lsm-path_chmod/README.md
@@ -1,5 +1,11 @@ +## Ensure that BPF LSM is enabled + +... + + + ## Usage build:
diff --git a/26-lsm-path_chmod/cilium-ebpf/README.md b/26-lsm-path_chmod/cilium-ebpf/README.md
index c5fe283..284dc80 100644
--- a/26-lsm-path_chmod/cilium-ebpf/README.md
+++ b/26-lsm-path_chmod/cilium-ebpf/README.md
@@ -1,5 +1,11 @@ +## Ensure that BPF LSM is enabled + +... + + + ## Usage build:
From 2f6f95f148026fb106646dd3f0f3cd8ef264faca Mon Sep 17 00:00:00 2001 From: mozillazg Date: Wed, 23 Aug 2023 01:25:26 +0000 Subject: [PATCH 06/20] 26: fix the path is empth --- 26-lsm-path_chmod/cilium-ebpf/bpf_bpfeb.o | Bin 4784 -> 4832 bytes 26-lsm-path_chmod/cilium-ebpf/bpf_bpfel.o | Bin 4784 -> 4832 bytes 26-lsm-path_chmod/main.bpf.c | 2 +- 3 files changed, 1 insertion(+), 1 deletion(-)
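Review bot: `time.Sleep(time.Minute * 1024)` at the end of main keeps the hook attached for roughly 17 hours, after which main returns and the process exits without any log line, so the chmod monitoring stops silently. Blocking on a signal makes the lifetime explicit: `sig := make(chan os.Signal, 1)`, `signal.Notify(sig, os.Interrupt, syscall.SIGTERM)`, `<-sig`, with `os`, `os/signal` and `syscall` added to the import block, and a `log.Println("detaching")` before returning. cilium-ebpf/main.go in the same commit ends with the same sleep. The link returned by `prog.AttachLSM()` is also discarded with `_`; keeping it in a variable would let the program detach explicitly on shutdown.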
diff --git a/26-lsm-path_chmod/cilium-ebpf/bpf_bpfeb.o b/26-lsm-path_chmod/cilium-ebpf/bpf_bpfeb.o index d1abb7140b01c692a0cf1b3744bacc7cfa6e3eb3..cec19d1d0919ae4a6c50d83e091adf67617d0aef 100644 GIT binary patch literal 4832 zcmb_fO^h5@5q{lcuN}P3nj{1h3^XP`>tJT>#291aFl%SmL~`(INkj~XcJEB@PUD`Q z+3p_4izQfzAi)ixpd1h)ASAdT`GPDYkXIl?E)kZJ13wa4DYxVhi%TLDY5Bf-^=5k- z3>QkOS6|hus`pp#P0u&y&d>Y4XGY|icYrH~Q4he>%c8Zk-D@Uq1cG<39TjP&9<%c1 z16J*oEU8jauQ;@6Iw-R!CP zZ`S++^)L3@@oX}*n(wZg$E`{ICT^(54^*C8IB(kBUcVDORG7DZEc>$G_D#HQ40*=~ zsQcDP;py&if-Rc&+6~#@4<+I>jVA478D5s8hfgOtP zq7Pyjw*meG_N3-1Nkb$`9@!>*;_y#)Mz za0~4Al>6i`{JbA+$Fj%VE3NT<3i%;$i#k@q{5lnLA8m;JIhqd&M5B4&<6Va;H3a-C z#R2fIHNpMBzg3Jic)wSSTJrv=nB%#5%GJ}wei%Nl>ONA4yEq&3G-G&rO7Jy2mjE$; z(-=%s^tS;<@z#bGw7pjE9jJOYr0e6-qS;=n&!G=myT8kJF~7f8*YOG9{W=!MCOv3{ zjKw)H9dkcq?fxU%{yu8Zu%1BvY0dcv@YCBq(m5?H8qA+tz?@%(Jml<$L7{)S@izuPOO_!iU|+JIT7#Hd04CG|f7 z{6ocfKK-9?b3hy$eilGHPOSBCo|q1xF9KcH7^Z2_sC|U)Y&qudpyIxg{8!MN6lnZE z>003cg{|h8>i@N5Nc*Un+{kzV6fj)W;9P2jJ)3gDy?gD}gk_tVmX}xDzBA+&85L|v&}5QnT7dqVe!Jb>G5=jgQCob?J{7V;8C`Rf@>xK zb+V`z2d5?S?1ja-aB*(-$!U5V4(wo%A)OALGM#WajaCZCB3?z?jfyVBAj&Z<0J=dW zS-)eY)zg0aavm?Er$0bbETJhAaa}GtQ5ivRcayZk&f!ug$vMQ(jBOM~Z1;y*85V;i zW5%#F|7IImM!k7FL&_t1&rUO&&cz zTA(Omjq-MPWX6hCT>^6@N=;Pudr2E+Ngn4iQrt0vIO`a1Qk*F4aFF+x;xNZh;pI5b;xxozO+U;E zB|>Q@Uyu9CQnEB0LcQ`Rn_9Cha+?Q>xIBH(eSIE0EVn^IPT`xB2bm`AI4ff8NEnXa zpe9Yrz0x%EzErGpwRZ%C9p_P*^s@r@kkwxdVL`3&P_HZ(J(g~Lo7@L*pf3tPY{ z-vZ;qO&&o0P`O76@4EaL(Z&x@(js_Cf7kh7I-S0O>JUPFl-d6xzAyQa_nhhwLYL51 z`>$HPfgi*Ze9XV2{SZRmLkoZD=Xk$ReGTtEb*`g2pMB6dclV}G0ON;Kh(Bn2r12vz z#If%IyMAlEQ+pq_2v77F@h6T$`D0d9V6XeL=QO@q-RxW#{pK;1dY(;n;Hnv;r!>J` zp{~D36YQ^!#ZQ=Ou2xN7sOgt#`kw@R(5Qo+@;zX<#Pir=in67H_({4{g%wL0|z^{b9Ylk+F$t#W#` zMreMJ4j{QV7E0^f&Gqo4SruBv~%_D4?mn7pJ4 z>z_60_QCDne%PJ`*VhLVY42?-<%Q*!o7*23zYn%`@EzjsMwd{4mhpT6N!57T?-U=< x8N_+e&(&8oex|>5Ue0|T4&yY%`H^aMF}B~`|IjZ%_-CMhzs+~m;KXSE{{_`)L8Jfx literal 4784 zcmbtXO^h5@5q{m{tP^|v6Y_%t0UGCrUB}GYi7}2%$as@=9O00~1VlK{?w#rNG~3fN 
z+dq!Yk60lh5h0`?K;i^Z#K8xIIDjmH#4Zw?Ad(M3;>Lm^1SAIzNPqw>-&e2RY)=zQ zNR(8szN%MM@2}pQo-Zt%JLCJF8Ix!J23#|YdjR&0MC)j~$4svu6>P5U7kTqO)z{x< z?K@%L+S=N@7TEsht$9`bgDWSuHfb8iecC$gydZJc*YC8t#_xCWSB{&T*|R?BzuE8) z)W0}j=Vz0l)qJ!N|AjY3zUupx-fV?Kc7MLPCzS0e%U5 z3z&2j%<%&7_rZI?9q^C9oWlnAr(n!ovi}13Zs0Y@SHSN8-hliy_+6MS@o&Ko>T+HK zJ_g)@{1f;+u_VVfKLFgAuk66z6rwHjphTuwC|Id*nj}~-LfIZ zz{fj+Nwb?`9uiwX@;;xOW|}I}h%Y!|?Mi zZ^yF7yhU2$eID{IaECfp!u&cFa~o}l{UVw>1)|YB@bSI^^>%CbUQ`^w{tZoV2k^HP zV-4Q76~7huWyPpL@2c(>O&zeCw_H6QKIrZ6TUS2{3Fl-%PqA^u2?$^FPH=#jS2PCG z7X5bs<9KUB3))`0$2!0q$MkN8YHR;1YzM8~V@_4SB4^iLF z>9gLr79l1B0Q;YUJZ!CgtQaZ$f#!KH@JKQD-_;3IR8Z$=1O5^kV$`eug8Cl;{;Fa; zyZ+a?IUtVBx_0&O5V6+7xtjgM@OW8cn5I+fBXnoWF@FdZcb4S;7|lt6#{ZeF6+Uve z9#;D=A&EQGIU$h5D?SD5b)EYnJM|nm*6*P{LL2a((a4ZBnysIx-&xp@vh{O5N*eQoO6L1j&CWU|G5*z^7Nc$bp@!e6 z;lFR=9o`s^qOxxWS!sH4R_0es0+<$qkoHi17OBqF)b?DvJvWGwti3c^Zg&|GOh(KU zWnOj5fI-0_wzI)!&5@HwO#td;(I5^U3Fa5igpWOaejz-+aQg8XdL0hzBp^dN&7Ly7 za5;@G7LY}}inbpWeTY$%W4ZuzgGjPr&q}MO!|qBRFQaETLQ^cEDHCyBE_zWJLGSjH zw8zeBsh8v&qB2!hBp0)|7jPReVs}_&Wmt@oj2Xi>v5mdPzlQ_Ur`ihE`hXT2o5XsQ!j%?UM!&Rj-GYO15h*@3Be+dNpr%FIFc&3W*!Toeg8C8OnWS>;)9Eqn|MacqA0yMAkZ zv-Wnr+l>x9*<$1f|3z?a`qSrO42LIuf~e2qo3xo{Q@yT2GMApn6nBKWp2igW>pA(U zQqR?C=!*^gLPH-l^tFc0@$30tYUn>`=o=0FdP9Gsq5o@A_okgb?e8}2lFw{AkJI-2 zGiTaVZg7LzX?kf8M!jB+SAY9HO?pcvm?nM#alOlE$+U|r1Ce?I-JqDx|4lqgJ}NppaPB=v2fw9cOjKOLRksB>>tyeDgtCg)GQ z*3fBF^6)uL+VyWM$89}+H>`Di?1X=nhpgh^ukZxb{ZsTb*6n=voK?g+XYILtcl&n$ zwvT|D`vVhc&u^@hmx!;Y8^^`(hwXFV8^!-o;{!;>^Hn3&<7vM^{9fm`2_O2ozckLy m@gEp&os)B0gEC2b-S~}jo!IXlVw(M$X7B3?o}bLS9seJZ06(z+ 
diff --git a/26-lsm-path_chmod/cilium-ebpf/bpf_bpfel.o b/26-lsm-path_chmod/cilium-ebpf/bpf_bpfel.o index 256e42c514eb28459770da11b445353ca1b9a066..e9e92a6bb3f809e5b73b2f98b4b561162e882f93 100644 GIT binary patch literal 4832 zcmbVPU2Ggz6+XMMYbUkiG$jy9DbqAfo#Jeg)`ZXySSNKtrIc8v6$Bn86Fz!F7*x2gj50im{lpf5;yK@k!t76{Roib(LlkAy7oRvw6WDMFRZ_uYH$W-^WP zz|r1&zw@1Q?*Gs1H|NitX*L?-q#^IgZOySFZ%p0BZ3EjfDHC$NDKZXy?Lljwdd!wL z-n8WyD%;%J+H!v12EB@O9lVEf?Z=y2C}c|GZ~T;+$k=@%HxYLuusY*+0lN6LkgbYT z{n<{{--Dh0InrLVR~6Q`9mI{$vh+ifa^0%(eJ#%}oRhHI>vz1zb9w!r4cV)PKf#-6 z&xjHtP1NZoufguM)r7Vu>Bd<0<6+A;$a$cU$WLrT`8g!iGs3~1MjAt+oJFeE3AK5i z1}jYthCYZJ*+BU_q#a0wX*Uu(@-7PYaUJ;IC_j$0 z0sLQ-pCD!jp+5yI==65rS->{%PT)@guLJJ^J_fu2O!+i34Eho9#{t)Y4=9#Vkt4vL zB@a9c3~_TLb54LI&!y6PUd7xeDOs;$>hrzpnywo++;ZKY+4L z#Y(fX=bQBVVI`I>x@YA_;6DnzO%j6oNA30$`H-dLXYl!mV)YrJ&o%ISl>dcd5Be{G zA>$uL_G`r)!*3OHFa2II+H=x;$RP~*W5DlNA9KWApFlUCzwKvMhrW*>c}RcL7~P-p zFX;H0{=#g0SW?_r--ClY8{{8lrUD-m%LB4cxiON!9?~Q*Wc)E?dx24vSzD6(nW=yu zWz3`Sd0e?CD*m&;2b4bv3>kj{+4B`2lGDsoFnCkvm*I2Jktjb|!7asK(>kA2-Sx8r zp8aw{m97c086|VYT!X7LqHl+geM2$lp90m4{aXNsEhVoi<{o@a{f_|uK=D!FH!W_k zaC;iC`7|<>9p@YZ|3%esV9%Ws>0pNM1ybb(}h4Ker{LEd&v-BC|{{oV@ ztvZUPizhyT?C!!&G{cP52r`12^+RID^z zT~M3!d#DyWr;gL$PXV`8N6~B}Q)!-7fF|5^BaD3=aS(UDU^ZgdX90PpxHo=c{dUd+ zJ14*$^ieS$yu%s8`~2q`^96Ny8#-dmlsu;#{ccwHGs?5gKil{*QtwvqtqOj>g3Up2 zPfpTLS3HxIX&$enQOAqZLc-#TuuSrvKM0DhZ(c{LhbtGO;8 z{^I=Hv(xmL@oZx#eL5XHAsv4?3088Hd9;eW8{}OSgCIk<0O*DyPWv5OT0QB9m$GOX zmi_=)zJ#oZjq7sW35o!E*o~78jpb4&&e%jLcT5yo4EtqT`1v4CS)*Ub2e=_K1lFsJ z(lC;466b}#l=!B9X>_HK!61t+%POWvOy@ZwKZ#N?LnA1keoB0wd3kJ>2>GyMVK>OY z%`Gm@UGTs3+*jxQ7cMN!`@Xm#n~s`(8%iv!4napF8C@j{UK$S2D25HPusftNqE%Oc zTn-WmiheH+L7U2>%(N7BWDupDI9-wQIJxD=^!t~}f!i)wSn5)kbqIqb zSqiY8rn==a4Y9pv&E~|$_6J#iDe^Nk|@2HN# z$ScU{Px~nBZ>hdUy=})qJNw7}@bP2c?Hy_VA@Jd(AlzKiht$ZncOyAF;5~#h*Qk6n z@EUirjgQ-1WLw4GnfbguFzlawYG~s#u)9*vCP@fKOyLT#R6LUnEeWK5z<3>gzR~E8>LqH=Kf!`n8(AQPXeM^v#<7eodcnTN6C% zf4HVk+~1T|!JD>~MM>+_3ujtX?sdSDRG{4I^&MFqldJhtQF9ls9lZt=1c28d^J8_(Oi9?yF37Vl~N 
ttx7!iSUuj{p69muFs-YrDRxa+t-den^Vfx2-G`A6YW#O?HN(6f|34AfF}NMg{>(yp7CcpS$_-V^pB7h zqrI%KzKcPOS5lUKXi}X@P4$}SO0C|gS~o@N?!f_d>})|TmV&S0&9tap2&IasQ%@dr zJ3Gq?+oX6dG+oPLLlqy$;B+`Tem>*aU#3N=Pl2%(s4JkscXdFsPPEfL0eu{a1EQQn zVwr{X9?~U9Wuy<0SkDB~CrG+(RQ5UWQlv59ub{6*ngIR=dKobW^d0m%Bo63DsP#x? z;4{#-A&mk53cUeoLI!<1FdIA%wGn9yn0t*_VF2@h?<5br02pG%sg|a8=RA;WfbnZ* z-}?Z%=n1)3eC7j_H$Hm+%v{*O=)PW$I-)N3j^Pc#R{@_8%sqHA#Rb+` zMiMD5F$i1W8sKs9qcVL2EZ#Tmr&o)<*CAO*Ur7w-oA&px@zec>sX1zj8T%PHu#ZNr zHvrm<{Wth57ydjj_ql~M1q|uD0ohzQ!_;d{@u}G|PJE$9?{>_}v4{%07b) zt*@}VVN+P&ml=MSX4Cku)A%{0e#+o;8T>~E>&q8!udbr$#5Gk9VpVm6I6SO8KtHP6 z^u7-=*S&KUUQ-vRMQF3T>!d4c|oI^ z>eTidm66aLMoFWIEE+-&dni`TX6PPJqnIM4JI@i>z8fe#G=k*T zb;`DxCmYriA@>`>eoJRFy4W%*H7A7Yw%xn8?X@4;^;p0C@ZQ0G+eTnI6T1I;IGR!^ z%#KV3sY1G{&^g!|w>C8Egq2#0#z03+1?qs~D<^K$y$Wbuxf|-1+^TB2LDdWPt7Icb zvr%Z<(6QtBDp|XMg~(fDifWAzn~@`Laa@d7CYT;hK(WD4$+i7 z;)a3i+gQWy75ZcVt+FET3AZt#?$Zui^%gt4d)*Z)szvhX_004V~C)1QCuXk4Kb%!Di(0 z9vF`5+}rsH(;vTQur8cCje_qV&8xZtPiit^Ev;cneq;lpA>rp{vBmJKw`g48#k=!D@;8W zJTPhmiGpy=En^{sZS&*Vl#`oXI73({-&7E=_36oqzs=23ZJY? zGxbc8gmAPJt_E8_D&Hqu3EC$!-z%)ke5L^E+R6kX?B$>_plR>R+0C3ima~uM?BhB6 z{hU3Kvrp&jb259razc4fV#FRV&@L%zh#!+-< z&W>R-o^zTNizFnwziA6isD+=73olT6qNplNe~ak^c@QZ-N94bi_=Pkeygk{Di8uUH z;AV^eS>i2}Qy7nb)fdE*pDn&qzOyG$PN5(7SiXJ!EovK>;w3zW)RLbiKEJN{`Kux# R@54&YO8k*ljVZ{-{{z88Kt=!n diff --git a/26-lsm-path_chmod/main.bpf.c b/26-lsm-path_chmod/main.bpf.c index f53b49c..8841c80 100644 --- a/26-lsm-path_chmod/main.bpf.c +++ b/26-lsm-path_chmod/main.bpf.c @@ -6,7 +6,7 @@ SEC("lsm/path_chmod") -int lsm_path_chmod(struct path *path) { +int BPF_PROG(lsm_path_chmod, struct path *path) { char path_str[32]; struct qstr dname; From b69530c32cd55fdc3afa13353e8f1654d41c0a54 Mon Sep 17 00:00:00 2001 From: mozillazg Date: Tue, 29 Aug 2023 15:25:02 +0000 Subject: [PATCH 07/20] update docs --- README.rst | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/README.rst b/README.rst index b1653df..c1b31bf 100644 
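Review bot: The new `BPF_PROG(lsm_path_chmod, struct path *path)` signature names only the first hook argument, so the handler still cannot record the requested mode and never sees the verdict of an earlier BPF LSM program on the same hook. The path_chmod hook also takes a `umode_t mode`, and BPF LSM programs receive a trailing `int ret`; consider `int BPF_PROG(lsm_path_chmod, const struct path *path, umode_t mode, int ret)` and returning `ret` rather than a constant 0 so that a previous denial is passed through. The function body continues past the end of this hunk, so the `return` statement that would change is not visible here.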
--- a/README.rst +++ b/README.rst @@ -103,7 +103,7 @@ Program Types +-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ | ``BPF_PROG_TYPE_LSM`` | ``BPF_LSM_CGROUP`` | ``lsm_cgroup+`` | | | + +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_LSM_MAC`` | ``lsm+`` [#lsm]_ | | | +| | ``BPF_LSM_MAC`` | ``lsm+`` [#lsm]_ |`26`_ | | + + +----------------------------------+-----------------------+-----------+ | | | ``lsm.s+`` [#lsm]_ | | Yes | +-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ 
@@ -208,16 +208,18 @@ Program Types .. |Build examples| image:: https://github.com/mozillazg/hello-libbpfgo/actions/workflows/build.yml/badge.svg?branch=master :target: https://github.com/mozillazg/hello-libbpfgo/actions/workflows/build.yml -.. _04: https://github.com/mozillazg/hello-libbpfgo/tree/master/04-tracepoint -.. _07: https://github.com/mozillazg/hello-libbpfgo/tree/master/07-tracepoint-args -.. _12: https://github.com/mozillazg/hello-libbpfgo/tree/master/12-raw-tracepoint-args -.. _13: https://github.com/mozillazg/hello-libbpfgo/tree/master/13-raw-tracepoint-args-sched_switch -.. _14: https://github.com/mozillazg/hello-libbpfgo/tree/master/14-tracepoint-args-sched_switch -.. _16: https://github.com/mozillazg/hello-libbpfgo/tree/master/16-btf-raw-tracepoint-args -.. _17: https://github.com/mozillazg/hello-libbpfgo/tree/master/17-btf-raw-tracepoint-args-sched_switch -.. _18: https://github.com/mozillazg/hello-libbpfgo/tree/master/18-socket-filter-capture-icmp-traffic-kernel-parse -.. _19: https://github.com/mozillazg/hello-libbpfgo/tree/master/19-socket-filter-capture-icmp-traffic-userspace-parse -.. _20: https://github.com/mozillazg/hello-libbpfgo/tree/master/20-socket-filter-capture-icmp-traffic-kernel-parse-without-llvm-load -.. _21: https://github.com/mozillazg/hello-libbpfgo/tree/master/21-tc-parse-packet-with-bpf_skb_load_bytes -.. _25: https://github.com/mozillazg/hello-libbpfgo/tree/master/25-tc-parse-packet-with-direct-memory-access +.. _04: 04-tracepoint +.. _07: 07-tracepoint-args +.. _12: 12-raw-tracepoint-args +.. _13: 13-raw-tracepoint-args-sched_switch +.. _14: 14-tracepoint-args-sched_switch +.. _16: 16-btf-raw-tracepoint-args +.. _17: 17-btf-raw-tracepoint-args-sched_switch +.. _18: 18-socket-filter-capture-icmp-traffic-kernel-parse +.. _19: 19-socket-filter-capture-icmp-traffic-userspace-parse +.. _20: 20-socket-filter-capture-icmp-traffic-kernel-parse-without-llvm-load +.. _21: 21-tc-parse-packet-with-bpf_skb_load_bytes +.. 
_25: 25-tc-parse-packet-with-direct-memory-access +.. _26: 26-lsm-path_chmod + From 691030b64fa1a4942abd8be2a519e30cfcbb0164 Mon Sep 17 00:00:00 2001 From: mozillazg Date: Fri, 8 Sep 2023 01:26:58 +0000 Subject: [PATCH 08/20] add 27-attach-tracepoint-with-syscall --- 27-attach-tracepoint-with-syscall/.gitignore | 2 + 27-attach-tracepoint-with-syscall/Makefile | 128 ++++++++++ 27-attach-tracepoint-with-syscall/README.md | 15 ++ 27-attach-tracepoint-with-syscall/bpf_insn.h | 234 +++++++++++++++++++ 27-attach-tracepoint-with-syscall/main.bpf.c | 16 ++ 27-attach-tracepoint-with-syscall/main.c | 153 ++++++++++++ 6 files changed, 548 insertions(+) create mode 100644 27-attach-tracepoint-with-syscall/.gitignore create mode 100644 27-attach-tracepoint-with-syscall/Makefile create mode 100644 27-attach-tracepoint-with-syscall/README.md create mode 100644 27-attach-tracepoint-with-syscall/bpf_insn.h create mode 100644 27-attach-tracepoint-with-syscall/main.bpf.c create mode 100644 27-attach-tracepoint-with-syscall/main.c diff --git a/27-attach-tracepoint-with-syscall/.gitignore b/27-attach-tracepoint-with-syscall/.gitignore new file mode 100644 index 0000000..b74312c --- /dev/null +++ b/27-attach-tracepoint-with-syscall/.gitignore @@ -0,0 +1,2 @@ +test.c +test diff --git a/27-attach-tracepoint-with-syscall/Makefile b/27-attach-tracepoint-with-syscall/Makefile new file mode 100644 index 0000000..53b6951 --- /dev/null +++ b/27-attach-tracepoint-with-syscall/Makefile 
@@ -0,0 +1,128 @@ +OUTPUT = ./output +LIBBPF = ../libbpf + +LIBBPF_SRC = $(abspath $(LIBBPF)/src) +LIBBPF_OBJ = $(abspath $(OUTPUT)/libbpf.a) + +CC = gcc +CLANG = clang + +ARCH := $(shell uname -m) +ARCH := $(subst x86_64,amd64,$(ARCH)) +GOARCH := $(ARCH) + +BPFTOOL = $(shell which bpftool || /bin/false) +BTFFILE = /sys/kernel/btf/vmlinux +DBGVMLINUX = /usr/lib/debug/boot/vmlinux-$(shell uname -r) +GIT = $(shell which git || /bin/false) +VMLINUXH = vmlinux.h + +# libbpf + +LIBBPF_OBJDIR = $(abspath ./$(OUTPUT)/libbpf) +LIBBPF_DESTDIR = $(abspath ./$(OUTPUT)) + +CFLAGS = -ggdb -gdwarf -O2 -Wall -fpie -Wno-unused-variable -Wno-unused-function +LDFLAGS = + +BPF_CFLAGS_STATIC = "-I$(abspath $(OUTPUT))" +BPF_LDFLAGS_STATIC = "-lelf -lz $(LIBBPF_OBJ)" + +CGO_CFLAGS_STATIC = "-I$(abspath $(OUTPUT))" +CGO_LDFLAGS_STATIC = "-lelf -lz $(LIBBPF_OBJ)" +CGO_EXTLDFLAGS_STATIC = '-w -extldflags "-static"' + +CGO_CFGLAGS_DYN = "-I. -I/usr/include/" +CGO_LDFLAGS_DYN = "-lelf -lz -lbpf" +CGO_EXTLDFLAGS_DYN = '-w' + +## program + +.PHONY: $(PROGRAM) +.PHONY: $(PROGRAM).bpf.c + +PROGRAM = main + +all: + $(MAKE) -C . $(PROGRAM) + +# vmlinux header file + +.PHONY: vmlinuxh +vmlinuxh: $(VMLINUXH) + +$(VMLINUXH): $(OUTPUT) +ifeq ($(wildcard $(BPFTOOL)),) + @echo "ERROR: could not find bpftool" + @exit 1 +endif + @if [ -f $(DBGVMLINUX) ]; then \ + echo "INFO: found dbg kernel, generating $(VMLINUXH) from $(DBGVMLINUX)"; \ + $(BPFTOOL) btf dump file $(DBGVMLINUX) format c > $(VMLINUXH); \ + fi + @if [ ! -f $(BTFFILE) ] && [ ! -f $(DBGVMLINUX) ]; then \ + echo "ERROR: kernel does not seem to support BTF"; \ + exit 1; \ + fi + @if [ ! 
-f $(VMLINUXH) ]; then \ + echo "INFO: generating $(VMLINUXH) from $(BTFFILE)"; \ + $(BPFTOOL) btf dump file $(BTFFILE) format c > $(VMLINUXH); \ + fi + +# static libbpf generation for the git submodule + +.PHONY: libbpf +libbpf: $(LIBBPF_OBJ) + +$(LIBBPF_OBJ): $(LIBBPF_SRC) $(wildcard $(LIBBPF_SRC)/*.[ch]) | $(OUTPUT)/libbpf + CC="$(CC)" CFLAGS="$(CFLAGS)" LD_FLAGS="$(LDFLAGS)" \ + $(MAKE) -C $(LIBBPF_SRC) \ + BUILD_STATIC_ONLY=1 \ + OBJDIR=$(LIBBPF_OBJDIR) \ + DESTDIR=$(LIBBPF_DESTDIR) \ + INCLUDEDIR= LIBDIR= UAPIDIR= prefix= libdir= install + $(MAKE) -C $(LIBBPF_SRC) UAPIDIR=$(LIBBPF_DESTDIR) install_uapi_headers + +$(LIBBPF_SRC): +ifeq ($(wildcard $@), ) + echo "INFO: updating submodule 'libbpf'" + $(GIT) submodule update --init --recursive +endif + +# output dir + +$(OUTPUT): + mkdir -p $(OUTPUT) + +$(OUTPUT)/libbpf: + mkdir -p $(OUTPUT)/libbpf + +## program bpf dependency + +$(PROGRAM).bpf.o: $(PROGRAM).bpf.c | vmlinuxh + $(CLANG) $(CFLAGS) -target bpf -D__TARGET_ARCH_x86 -I. -I$(OUTPUT) -c $< -o $@ + +## GO example + +.PHONY: $(PROGRAM) + +$(PROGRAM): libbpf | $(PROGRAM).bpf.o + gcc ./main.c -o main + +.PHONE: run +run: + sudo ./main + +.PHONE: cat +cat: + sudo cat /sys/kernel/debug/tracing/trace_pipe + +## clean + +.PHONY: clean +clean: + $(MAKE) -C $(LIBBPF_SRC) clean + rm -rf $(OUTPUT) + rm -rf $(VMLINUXH) + rm -rf $(PROGRAM) $(PROGRAM)-*static $(PROGRAM)-*dynamic + rm -rf $(PROGRAM).bpf.o $(PROGRAM).o diff --git a/27-attach-tracepoint-with-syscall/README.md b/27-attach-tracepoint-with-syscall/README.md new file mode 100644 index 0000000..1adac9e --- /dev/null +++ b/27-attach-tracepoint-with-syscall/README.md @@ -0,0 +1,15 @@ + + +## Usage + +build: + +``` +$ make +``` + +run: + +``` +$ make run +``` diff --git a/27-attach-tracepoint-with-syscall/bpf_insn.h b/27-attach-tracepoint-with-syscall/bpf_insn.h new file mode 100644 index 0000000..cbd8f7d --- /dev/null +++ b/27-attach-tracepoint-with-syscall/bpf_insn.h 
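Review bot: `.PHONE: run` and `.PHONE: cat` near the end of this Makefile are misspelled, so neither target is actually declared phony and a file named `run` or `cat` in the directory would keep `make run` or `make cat` from executing; they should read `.PHONY: run` and `.PHONY: cat`. The same two lines appear in 27-attach-tracepoint-with-syscall/cilium-ebpf/Makefile later in this series. Separately, the `$(PROGRAM)` recipe calls `gcc ./main.c -o main` directly and bypasses the `$(CC)` and `$(CFLAGS)` variables defined at the top, so `-Wall` never applies to main.c; `$(CC) $(CFLAGS) ./main.c -o $(PROGRAM)` would pick them up.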
@@ -0,0 +1,234 @@ +/* copy from https://github.com/torvalds/linux/blob/master/samples/bpf/bpf_insn.h */ +/* SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause) */ +/* eBPF instruction mini library */ +#ifndef __BPF_INSN_H +#define __BPF_INSN_H + +struct bpf_insn; + +/* ALU ops on registers, bpf_add|sub|...: dst_reg += src_reg */ + +#define BPF_ALU64_REG(OP, DST, SRC) \ + ((struct bpf_insn) { \ + .code = BPF_ALU64 | BPF_OP(OP) | BPF_X, \ + .dst_reg = DST, \ + .src_reg = SRC, \ + .off = 0, \ + .imm = 0 }) + +#define BPF_ALU32_REG(OP, DST, SRC) \ + ((struct bpf_insn) { \ + .code = BPF_ALU | BPF_OP(OP) | BPF_X, \ + .dst_reg = DST, \ + .src_reg = SRC, \ + .off = 0, \ + .imm = 0 }) + +/* ALU ops on immediates, bpf_add|sub|...: dst_reg += imm32 */ + +#define BPF_ALU64_IMM(OP, DST, IMM) \ + ((struct bpf_insn) { \ + .code = BPF_ALU64 | BPF_OP(OP) | BPF_K, \ + .dst_reg = DST, \ + .src_reg = 0, \ + .off = 0, \ + .imm = IMM }) + +#define BPF_ALU32_IMM(OP, DST, IMM) \ + ((struct bpf_insn) { \ + .code = BPF_ALU | BPF_OP(OP) | BPF_K, \ + .dst_reg = DST, \ + .src_reg = 0, \ + .off = 0, \ + .imm = IMM }) + +/* Short form of mov, dst_reg = src_reg */ + +#define BPF_MOV64_REG(DST, SRC) \ + ((struct bpf_insn) { \ + .code = BPF_ALU64 | BPF_MOV | BPF_X, \ + .dst_reg = DST, \ + .src_reg = SRC, \ + .off = 0, \ + .imm = 0 }) + +#define BPF_MOV32_REG(DST, SRC) \ + ((struct bpf_insn) { \ + .code = BPF_ALU | BPF_MOV | BPF_X, \ + .dst_reg = DST, \ + .src_reg = SRC, \ + .off = 0, \ + .imm = 0 }) + +/* Short form of mov, dst_reg = imm32 */ + +#define BPF_MOV64_IMM(DST, IMM) \ + ((struct bpf_insn) { \ + .code = BPF_ALU64 | BPF_MOV | BPF_K, \ + .dst_reg = DST, \ + .src_reg = 0, \ + .off = 0, \ + .imm = IMM }) + +#define BPF_MOV32_IMM(DST, IMM) \ + ((struct bpf_insn) { \ + .code = BPF_ALU | BPF_MOV | BPF_K, \ + .dst_reg = DST, \ + .src_reg = 0, \ + .off = 0, \ + .imm = IMM }) + +/* BPF_LD_IMM64 macro encodes single 'load 64-bit immediate' insn */ +#define BPF_LD_IMM64(DST, IMM) \ + 
BPF_LD_IMM64_RAW(DST, 0, IMM) + +#define BPF_LD_IMM64_RAW(DST, SRC, IMM) \ + ((struct bpf_insn) { \ + .code = BPF_LD | BPF_DW | BPF_IMM, \ + .dst_reg = DST, \ + .src_reg = SRC, \ + .off = 0, \ + .imm = (__u32) (IMM) }), \ + ((struct bpf_insn) { \ + .code = 0, /* zero is reserved opcode */ \ + .dst_reg = 0, \ + .src_reg = 0, \ + .off = 0, \ + .imm = ((__u64) (IMM)) >> 32 }) + +#ifndef BPF_PSEUDO_MAP_FD +# define BPF_PSEUDO_MAP_FD 1 +#endif + +/* pseudo BPF_LD_IMM64 insn used to refer to process-local map_fd */ +#define BPF_LD_MAP_FD(DST, MAP_FD) \ + BPF_LD_IMM64_RAW(DST, BPF_PSEUDO_MAP_FD, MAP_FD) + + +/* Direct packet access, R0 = *(uint *) (skb->data + imm32) */ + +#define BPF_LD_ABS(SIZE, IMM) \ + ((struct bpf_insn) { \ + .code = BPF_LD | BPF_SIZE(SIZE) | BPF_ABS, \ + .dst_reg = 0, \ + .src_reg = 0, \ + .off = 0, \ + .imm = IMM }) + +/* Memory load, dst_reg = *(uint *) (src_reg + off16) */ + +#define BPF_LDX_MEM(SIZE, DST, SRC, OFF) \ + ((struct bpf_insn) { \ + .code = BPF_LDX | BPF_SIZE(SIZE) | BPF_MEM, \ + .dst_reg = DST, \ + .src_reg = SRC, \ + .off = OFF, \ + .imm = 0 }) + +/* Memory store, *(uint *) (dst_reg + off16) = src_reg */ + +#define BPF_STX_MEM(SIZE, DST, SRC, OFF) \ + ((struct bpf_insn) { \ + .code = BPF_STX | BPF_SIZE(SIZE) | BPF_MEM, \ + .dst_reg = DST, \ + .src_reg = SRC, \ + .off = OFF, \ + .imm = 0 }) + +/* + * Atomic operations: + * + * BPF_ADD *(uint *) (dst_reg + off16) += src_reg + * BPF_AND *(uint *) (dst_reg + off16) &= src_reg + * BPF_OR *(uint *) (dst_reg + off16) |= src_reg + * BPF_XOR *(uint *) (dst_reg + off16) ^= src_reg + * BPF_ADD | BPF_FETCH src_reg = atomic_fetch_add(dst_reg + off16, src_reg); + * BPF_AND | BPF_FETCH src_reg = atomic_fetch_and(dst_reg + off16, src_reg); + * BPF_OR | BPF_FETCH src_reg = atomic_fetch_or(dst_reg + off16, src_reg); + * BPF_XOR | BPF_FETCH src_reg = atomic_fetch_xor(dst_reg + off16, src_reg); + * BPF_XCHG src_reg = atomic_xchg(dst_reg + off16, src_reg) + * BPF_CMPXCHG r0 = atomic_cmpxchg(dst_reg + 
off16, r0, src_reg) + */ + +#define BPF_ATOMIC_OP(SIZE, OP, DST, SRC, OFF) \ + ((struct bpf_insn) { \ + .code = BPF_STX | BPF_SIZE(SIZE) | BPF_ATOMIC, \ + .dst_reg = DST, \ + .src_reg = SRC, \ + .off = OFF, \ + .imm = OP }) + +/* Legacy alias */ +#define BPF_STX_XADD(SIZE, DST, SRC, OFF) BPF_ATOMIC_OP(SIZE, BPF_ADD, DST, SRC, OFF) + +/* Memory store, *(uint *) (dst_reg + off16) = imm32 */ + +#define BPF_ST_MEM(SIZE, DST, OFF, IMM) \ + ((struct bpf_insn) { \ + .code = BPF_ST | BPF_SIZE(SIZE) | BPF_MEM, \ + .dst_reg = DST, \ + .src_reg = 0, \ + .off = OFF, \ + .imm = IMM }) + +/* Conditional jumps against registers, if (dst_reg 'op' src_reg) goto pc + off16 */ + +#define BPF_JMP_REG(OP, DST, SRC, OFF) \ + ((struct bpf_insn) { \ + .code = BPF_JMP | BPF_OP(OP) | BPF_X, \ + .dst_reg = DST, \ + .src_reg = SRC, \ + .off = OFF, \ + .imm = 0 }) + +/* Like BPF_JMP_REG, but with 32-bit wide operands for comparison. */ + +#define BPF_JMP32_REG(OP, DST, SRC, OFF) \ + ((struct bpf_insn) { \ + .code = BPF_JMP32 | BPF_OP(OP) | BPF_X, \ + .dst_reg = DST, \ + .src_reg = SRC, \ + .off = OFF, \ + .imm = 0 }) + +/* Conditional jumps against immediates, if (dst_reg 'op' imm32) goto pc + off16 */ + +#define BPF_JMP_IMM(OP, DST, IMM, OFF) \ + ((struct bpf_insn) { \ + .code = BPF_JMP | BPF_OP(OP) | BPF_K, \ + .dst_reg = DST, \ + .src_reg = 0, \ + .off = OFF, \ + .imm = IMM }) + +/* Like BPF_JMP_IMM, but with 32-bit wide operands for comparison. 
*/ + +#define BPF_JMP32_IMM(OP, DST, IMM, OFF) \ + ((struct bpf_insn) { \ + .code = BPF_JMP32 | BPF_OP(OP) | BPF_K, \ + .dst_reg = DST, \ + .src_reg = 0, \ + .off = OFF, \ + .imm = IMM }) + +/* Raw code statement block */ + +#define BPF_RAW_INSN(CODE, DST, SRC, OFF, IMM) \ + ((struct bpf_insn) { \ + .code = CODE, \ + .dst_reg = DST, \ + .src_reg = SRC, \ + .off = OFF, \ + .imm = IMM }) + +/* Program exit */ + +#define BPF_EXIT_INSN() \ + ((struct bpf_insn) { \ + .code = BPF_JMP | BPF_EXIT, \ + .dst_reg = 0, \ + .src_reg = 0, \ + .off = 0, \ + .imm = 0 }) + +#endif diff --git a/27-attach-tracepoint-with-syscall/main.bpf.c b/27-attach-tracepoint-with-syscall/main.bpf.c new file mode 100644 index 0000000..ed920d5 --- /dev/null +++ b/27-attach-tracepoint-with-syscall/main.bpf.c @@ -0,0 +1,16 @@ +#include "vmlinux.h" + +#include +#include +#include + + +SEC("tracepoint/syscalls/sys_enter_openat") +int tracepoint_openat(struct trace_event_raw_sys_enter *ctx) { + char fmt[] = "hello world:\n"; + bpf_trace_printk(fmt, sizeof(fmt)); + + return 0; +} + +char _license[] SEC("license") = "GPL"; diff --git a/27-attach-tracepoint-with-syscall/main.c b/27-attach-tracepoint-with-syscall/main.c new file mode 100644 index 0000000..5dd407c --- /dev/null +++ b/27-attach-tracepoint-with-syscall/main.c 
@@ -0,0 +1,153 @@
+#define _GNU_SOURCE
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include "./bpf_insn.h"
+
+
+#define ptr_to_u64(x) ((uint64_t)x)
+#define LOG_BUF_SIZE 0x1000
+
+char bpf_log_buf[LOG_BUF_SIZE];
+
+
+int bpf(enum bpf_cmd cmd, union bpf_attr *attr, unsigned int size) {
+ return syscall(__NR_bpf, cmd, attr, size);
+}
+
+int bpf_prog_load(enum bpf_prog_type type, const struct bpf_insn* insns, int insn_cnt, const char* license) {
+ union bpf_attr attr = {
+ .prog_type = type,
+ .insns = ptr_to_u64(insns),
+ .insn_cnt = insn_cnt,
+ .license = ptr_to_u64(license),
+ .log_buf = ptr_to_u64(bpf_log_buf),
+ .log_size = LOG_BUF_SIZE,
+ .log_level = 2,
+ };
+
+ return bpf(BPF_PROG_LOAD, &attr, sizeof(attr));
+}
+
+static int perf_event_open(struct perf_event_attr *evt_attr, pid_t pid, int cpu, int group_fd, unsigned long flags) {
+ int ret = syscall(__NR_perf_event_open, evt_attr, pid, cpu, group_fd, flags);
+ return ret;
+}
+
+static int create_link(int prog_fd, int target_fd) {
+ union bpf_attr attr;
+ memset(&attr, 0, sizeof(attr));
+
+ attr.link_create.prog_fd = prog_fd;
+ attr.link_create.target_fd = target_fd;
+ attr.link_create.attach_type = BPF_PERF_EVENT;
+ attr.link_create.flags = 0;
+
+ return bpf(BPF_LINK_CREATE, &attr, sizeof(attr));
+}
+
+int open_perf_event(int prog_fd, int event_id) {
+ struct perf_event_attr attr = {};
+ memset(&attr, 0, sizeof(attr));
+
+ attr.type = PERF_TYPE_TRACEPOINT;
+ attr.sample_type = PERF_SAMPLE_RAW;
+ attr.sample_period = 1;
+ attr.wakeup_events = 1;
+ attr.config = event_id;
+
+ return perf_event_open(&attr, -1, 0, -1, PERF_FLAG_FD_CLOEXEC);
+}
+
+int attach_tracepoint(int prog_fd, int perf_fd) {
+ // attach via link
+ int link_fd = create_link(prog_fd, perf_fd);
+ if (link_fd < 0) {
+ perror("create link error");
+ return -1;
+ }
+
+ // ioctl(perf_fd, PERF_EVENT_IOC_RESET, 0);
+ ioctl(perf_fd, PERF_EVENT_IOC_ENABLE, 0);
+ // attach without link
+ //
if(ioctl(perf_fd, PERF_EVENT_IOC_SET_BPF, prog_fd) < 0) {
+ // perror("ioctl event set bpf error");
+ // return -1;
+ // }
+
+ return link_fd;
+}
+
+
+// got via
+// * `llvm-objdump-12 -S main.bpf.o`
+// or
+// 1. `bpftool prog load ./main.bpf.o /sys/fs/bpf/hello`
+// 2. `bpftool prog dump xlated id XX`
+struct bpf_insn bpf_prog[] = {
+ BPF_MOV64_IMM(BPF_REG_1, 10), // r1 = 10
+
+ // char fmt[] = "hello world:\n";
+ BPF_STX_MEM(BPF_H, BPF_REG_10, BPF_REG_1, -4), // *(u16 *)(r10 - 4) = r1
+ BPF_MOV64_IMM(BPF_REG_1, 979659890), // r1 = 979659890
+ BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_1, -8), // *(u32 *)(r10 - 8) = r1
+ BPF_LD_IMM64(BPF_REG_1, 0x6f77206f6c6c6568), // r1 = 0x6f77206f6c6c6568
+ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -16), // *(u64 *)(r10 - 16) = r1
+ BPF_MOV64_REG(BPF_REG_1, 10), // r1 = 10
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -16), // r1 += -16
+
+ // bpf_trace_printk(fmt, sizeof(fmt));
+ BPF_MOV64_IMM(BPF_REG_2, 14), // r2 = 14
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_trace_printk), // call bpf_trace_printk#-66304
+
+ // return 0;
+ BPF_MOV64_IMM(BPF_REG_0, 0), // r0 = 0
+ BPF_EXIT_INSN(), // exit
+};
+
+int main(void){
+ int prog_fd, perf_fd, link_fd;
+
+ // load
+ prog_fd = bpf_prog_load(BPF_PROG_TYPE_TRACEPOINT, bpf_prog, sizeof(bpf_prog)/sizeof(bpf_prog[0]), "GPL");
+ printf("%s\n", bpf_log_buf);
+ if (prog_fd < 0) {
+ perror("bpf load prog failed");
+ exit(-1);
+ }
+
+ // open perf event
+ // from /sys/kernel/debug/tracing/events/syscalls/sys_enter_execve/id
+ int exec_id = 721;
+ perf_fd = open_perf_event(prog_fd, exec_id);
+ if (perf_fd < 0) {
+ perror("perf event open error");
+ exit(-1);
+ }
+
+ // attach
+ link_fd = attach_tracepoint(prog_fd, perf_fd);
+ if (link_fd < 0) {
+ perror("bpf attach prog failed");
+ exit(-1);
+ }
+
+
+ printf("you can get the message via `sudo cat /sys/kernel/debug/tracing/trace_pipe`\n");
+
+ // hold on
+ getchar();
+
+ close(prog_fd);
+ close(perf_fd);
+ close(link_fd);
+
+ return 0;
+}
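Review bot: `int exec_id = 721;` in main() hard-codes a tracepoint id taken from the author's kernel; these ids differ between kernels and configurations, so on another host 721 may name a different event or none, and the program then attaches to whatever that id happens to be. The comment cites sys_enter_execve while main.bpf.c in this commit is declared for sys_enter_openat, so the intended event should be confirmed as well. Reading the id at start-up from the tracefs file named in the comment removes the guess; a helper along the lines below would replace the constant. The return value of `ioctl(perf_fd, PERF_EVENT_IOC_ENABLE, 0)` in attach_tracepoint is also unchecked, and the `prog_fd` parameter of open_perf_event is unused.

```c
/* Read a tracepoint id from tracefs; returns -1 on failure. */
static int read_tracepoint_id(const char *path) {
    int id = -1;
    FILE *f = fopen(path, "r");

    if (!f)
        return -1;
    if (fscanf(f, "%d", &id) != 1)
        id = -1;
    fclose(f);
    return id;
}

// … unchanged: program load in main() …
    int exec_id = read_tracepoint_id(
        "/sys/kernel/debug/tracing/events/syscalls/sys_enter_execve/id");
    if (exec_id < 0) {
        perror("read tracepoint id");
        exit(-1);
    }
    perf_fd = open_perf_event(prog_fd, exec_id);
// … unchanged: attach, wait and close …
```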
From 3e0de84af7dcd2252d1681cedf607de83e415189 Mon Sep 17 00:00:00 2001 From: mozillazg Date: Fri, 8 Sep 2023 15:09:40 +0000 Subject: [PATCH 09/20] 27: improve comment --- 27-attach-tracepoint-with-syscall/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/27-attach-tracepoint-with-syscall/main.c b/27-attach-tracepoint-with-syscall/main.c index 5dd407c..54fba23 100644 --- a/27-attach-tracepoint-with-syscall/main.c +++ b/27-attach-tracepoint-with-syscall/main.c @@ -107,7 +107,7 @@ struct bpf_insn bpf_prog[] = { BPF_MOV64_IMM(BPF_REG_2, 14), // r2 = 14 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_trace_printk), // call bpf_trace_printk#-66304 - // return 0; + // return 0; BPF_MOV64_IMM(BPF_REG_0, 0), // r0 = 0 BPF_EXIT_INSN(), // exit }; From 9773a55aff1ca74710bbfc1917c7549870fdf20e Mon Sep 17 00:00:00 2001 From: mozillazg Date: Tue, 26 Sep 2023 03:39:23 +0000 Subject: [PATCH 10/20] 27: add cilium/ebpf example --- 27-attach-tracepoint-with-syscall/README.md | 3 + .../cilium-ebpf/Makefile | 120 ++++++++++++++++++ .../cilium-ebpf/README.md | 15 +++ .../cilium-ebpf/main.go | 68 ++++++++++ 27-attach-tracepoint-with-syscall/main.bpf.c | 4 +- 5 files changed, 208 insertions(+), 2 deletions(-) create mode 100644 27-attach-tracepoint-with-syscall/cilium-ebpf/Makefile create mode 100644 27-attach-tracepoint-with-syscall/cilium-ebpf/README.md create mode 100644 27-attach-tracepoint-with-syscall/cilium-ebpf/main.go diff --git a/27-attach-tracepoint-with-syscall/README.md b/27-attach-tracepoint-with-syscall/README.md index 1adac9e..ad92a09 100644 --- a/27-attach-tracepoint-with-syscall/README.md +++ b/27-attach-tracepoint-with-syscall/README.md @@ -1,5 +1,8 @@ +Tracepoint using eBPF assembler and syscall without C eBPF codes. + + ## Usage build: diff --git a/27-attach-tracepoint-with-syscall/cilium-ebpf/Makefile b/27-attach-tracepoint-with-syscall/cilium-ebpf/Makefile new file mode 100644 index 0000000..e8c27d4 --- /dev/null 
+++ b/27-attach-tracepoint-with-syscall/cilium-ebpf/Makefile
@@ -0,0 +1,120 @@
+OUTPUT = ../output
+LIBBPF = ../../libbpf
+
+LIBBPF_SRC = $(abspath $(LIBBPF)/src)
+LIBBPF_OBJ = $(abspath $(OUTPUT)/libbpf.a)
+
+CC = gcc
+CLANG = clang
+
+ARCH := $(shell uname -m)
+ARCH := $(subst x86_64,amd64,$(ARCH))
+GOARCH := $(ARCH)
+
+BPFTOOL = $(shell which bpftool || /bin/false)
+BTFFILE = /sys/kernel/btf/vmlinux
+DBGVMLINUX = /usr/lib/debug/boot/vmlinux-$(shell uname -r)
+GIT = $(shell which git || /bin/false)
+VMLINUXH = $(abspath ../vmlinux.h)
+
+# libbpf
+
+LIBBPF_OBJDIR = $(abspath ./$(OUTPUT)/libbpf)
+LIBBPF_DESTDIR = $(abspath ./$(OUTPUT))
+
+CFLAGS = -ggdb -gdwarf -O2 -Wall -fpie -Wno-unused-variable -Wno-unused-function
+LDFLAGS =
+
+## program
+
+.PHONY: $(PROGRAM)
+.PHONY: $(PROGRAM).bpf.c
+
+PROGRAM = main
+
+all:
+ $(MAKE) -C . $(PROGRAM)
+
+# vmlinux header file
+
+.PHONY: vmlinuxh
+vmlinuxh: $(VMLINUXH)
+
+$(VMLINUXH): $(OUTPUT)
+ifeq ($(wildcard $(BPFTOOL)),)
+ @echo "ERROR: could not find bpftool"
+ @exit 1
+endif
+ @if [ -f $(DBGVMLINUX) ]; then \
+ echo "INFO: found dbg kernel, generating $(VMLINUXH) from $(DBGVMLINUX)"; \
+ $(BPFTOOL) btf dump file $(DBGVMLINUX) format c > $(VMLINUXH); \
+ fi
+ @if [ ! -f $(BTFFILE) ] && [ ! -f $(DBGVMLINUX) ]; then \
+ echo "ERROR: kernel does not seem to support BTF"; \
+ exit 1; \
+ fi
+ @if [ ! -f $(VMLINUXH) ]; then \
+ echo "INFO: generating $(VMLINUXH) from $(BTFFILE)"; \
+ $(BPFTOOL) btf dump file $(BTFFILE) format c > $(VMLINUXH); \
+ fi
+
+# static libbpf generation for the git submodule
+
+.PHONY: libbpf
+libbpf: $(LIBBPF_OBJ)
+
+$(LIBBPF_OBJ): $(LIBBPF_SRC) $(wildcard $(LIBBPF_SRC)/*.[ch]) | $(OUTPUT)/libbpf
+ CC="$(CC)" CFLAGS="$(CFLAGS)" LD_FLAGS="$(LDFLAGS)" \
+ $(MAKE) -C $(LIBBPF_SRC) \
+ BUILD_STATIC_ONLY=1 \
+ OBJDIR=$(LIBBPF_OBJDIR) \
+ DESTDIR=$(LIBBPF_DESTDIR) \
+ INCLUDEDIR= LIBDIR= UAPIDIR= prefix= libdir= install
+ $(MAKE) -C $(LIBBPF_SRC) UAPIDIR=$(LIBBPF_DESTDIR) install_uapi_headers
+
+$(LIBBPF_SRC):
+ifeq ($(wildcard $@), )
+ echo "INFO: updating submodule 'libbpf'"
+ $(GIT) submodule update --init --recursive
+endif
+
+# output dir
+
+$(OUTPUT):
+ mkdir -p $(OUTPUT)
+
+$(OUTPUT)/libbpf:
+ mkdir -p $(OUTPUT)/libbpf
+
+## program bpf dependency
+
+
+BPF_CFLAGS = -target bpf -D__TARGET_ARCH_x86
+
+generate: libbpf ../$(PROGRAM).bpf.c | vmlinuxh
+ BPF_CLANG="$(CLANG)" BPF_CFLAGS="$(BPF_CFLAGS)" go generate -x ./...
+
+## GO example
+
+.PHONY: $(PROGRAM)
+
+$(PROGRAM):
+ go build -o main ./...
+
+.PHONE: run
+run:
+ sudo ./main
+
+.PHONE: cat
+cat:
+ sudo cat /sys/kernel/debug/tracing/trace_pipe
+
+## clean
+
+.PHONY: clean
+clean:
+ $(MAKE) -C $(LIBBPF_SRC) clean
+ rm -rf $(OUTPUT)
+ rm -rf $(VMLINUXH)
+ rm -rf $(PROGRAM) $(PROGRAM)-*static $(PROGRAM)-*dynamic
+ rm -rf $(PROGRAM).bpf.o $(PROGRAM).o
diff --git a/27-attach-tracepoint-with-syscall/cilium-ebpf/README.md b/27-attach-tracepoint-with-syscall/cilium-ebpf/README.md
new file mode 100644
index 0000000..1adac9e
--- /dev/null
+++ b/27-attach-tracepoint-with-syscall/cilium-ebpf/README.md
@@ -0,0 +1,15 @@
+
+
+## Usage
+
+build:
+
+```
+$ make
+```
+
+run:
+
+```
+$ make run
+```
diff --git a/27-attach-tracepoint-with-syscall/cilium-ebpf/main.go b/27-attach-tracepoint-with-syscall/cilium-ebpf/main.go
new file mode 100644
index 0000000..03b82c5
--- /dev/null
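Review bot: The `run` and `cat` targets near the end of the new Makefile are declared with `.PHONE:`, which make treats as an ordinary target name, so neither is actually phony and a file named `run` or `cat` in this directory would make the target look up to date and skip its recipe. Change both to `.PHONY: run` and `.PHONY: cat`. The first `.PHONY: $(PROGRAM)` line also sits above `PROGRAM = main`, so it expands to nothing when it is read; the later declaration under `## GO example` is the one that takes effect. `generate` has no phony declaration at all, and adding `.PHONY: generate` would keep it consistent with the other command-style targets.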
+++ b/27-attach-tracepoint-with-syscall/cilium-ebpf/main.go
@@ -0,0 +1,68 @@
+package main
+
+import (
+ "errors"
+ "log"
+ "time"
+
+ "github.com/cilium/ebpf"
+ "github.com/cilium/ebpf/asm"
+ "github.com/cilium/ebpf/link"
+ "github.com/cilium/ebpf/rlimit"
+)
+
+func main() {
+ if err := rlimit.RemoveMemlock(); err != nil {
+ log.Fatal(err)
+ }
+
+ var progSpec = &ebpf.ProgramSpec{
+ Name: "hello_world",
+ Type: ebpf.TracePoint,
+ License: "GPL",
+ }
+ progSpec.Instructions = asm.Instructions{
+ asm.Mov.Imm(asm.R1, 10),
+
+ // char fmt[] = "hello world:\n";
+ asm.StoreMem(asm.R10, -4, asm.R1, asm.Half),
+ asm.Mov.Imm(asm.R1, 979659890),
+ asm.StoreMem(asm.R10, -8, asm.R1, asm.Word),
+ asm.LoadImm(asm.R1, 0x6f77206f6c6c6568, asm.DWord),
+ asm.StoreMem(asm.R10, -16, asm.R1, asm.DWord),
+ asm.Mov.Reg(asm.R1, 10),
+ asm.ALUOp.Imm(asm.Add, asm.R1, -16),
+
+ // bpf_trace_printk(fmt, sizeof(fmt));
+ asm.Mov.Imm(asm.R2, 14),
+ asm.FnTracePrintk.Call(),
+
+ // return 0;
+ asm.Mov.Imm(asm.R0, 0),
+ asm.Return(),
+ }
+
+ prog, err := ebpf.NewProgram(progSpec)
+ if err != nil {
+ var ve *ebpf.VerifierError
+ if errors.As(err, &ve) {
+ // Using %+v will print the whole verifier error, not just the last
+ // few lines.
+ log.Printf("Verifier error: %+v\n", ve)
+ }
+ log.Printf("creating ebpf program: %+v", err)
+ return
+ }
+ defer prog.Close()
+
+ tp, err := link.Tracepoint("syscalls", "sys_enter_execve", prog, nil)
+ if err != nil {
+ log.Printf("opening tracepoint: %+v", err)
+ return
+ }
+ defer tp.Close()
+
+ log.Println("you can get the message via `sudo cat /sys/kernel/debug/tracing/trace_pipe`")
+ time.Sleep(time.Minute)
+
+}
diff --git a/27-attach-tracepoint-with-syscall/main.bpf.c b/27-attach-tracepoint-with-syscall/main.bpf.c
index ed920d5..4f5db70 100644
--- a/27-attach-tracepoint-with-syscall/main.bpf.c
+++ b/27-attach-tracepoint-with-syscall/main.bpf.c
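Review bot: Both failure paths in the new `main` (`ebpf.NewProgram` and `link.Tracepoint`) log with `log.Printf` and then `return`, so the process exits with status 0 even though nothing was loaded or attached, and a verifier failure is printed twice. Moving the body into a `run() error` helper and calling `log.Fatal(err)` from `main` keeps the deferred `Close` calls and gives callers a non-zero exit. `asm.Mov.Reg(asm.R1, 10)` appears to rely on the untyped constant 10 converting to the frame-pointer register; `asm.Mov.Reg(asm.R1, asm.R10)` says so explicitly and matches the `asm.R10` used in the stores above it. A short comment noting that 979659890 and 0x6f77206f6c6c6568 are the little-endian bytes of "rld:" and "hello wo" would make the 14-byte stack layout checkable against the `asm.Mov.Imm(asm.R2, 14)` length.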
@@ -5,8 +5,8 @@ #include -SEC("tracepoint/syscalls/sys_enter_openat") -int tracepoint_openat(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_execve") +int tracepoint_execve(struct trace_event_raw_sys_enter *ctx) { char fmt[] = "hello world:\n"; bpf_trace_printk(fmt, sizeof(fmt)); From 08e0b899c164c1c05a7724953c2ead8888a55e20 Mon Sep 17 00:00:00 2001 From: mozillazg Date: Tue, 26 Sep 2023 03:39:30 +0000 Subject: [PATCH 11/20] update docs --- README.rst | 70 +++++++++++++++++++++--------------------------------- 1 file changed, 27 insertions(+), 43 deletions(-) diff --git a/README.rst b/README.rst index c1b31bf..8a20942 100644 --- a/README.rst +++ b/README.rst 
@@ -73,39 +73,39 @@ Program Types +-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ | ``BPF_PROG_TYPE_CGROUP_SYSCTL`` | ``BPF_CGROUP_SYSCTL`` | ``cgroup/sysctl`` | | | +-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_EXT`` | | ``freplace+`` [#fentry]_ | | | +| ``BPF_PROG_TYPE_EXT`` | | ``freplace+`` | | | +-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ | ``BPF_PROG_TYPE_FLOW_DISSECTOR`` | ``BPF_FLOW_DISSECTOR`` | ``flow_dissector`` | | | +-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_KPROBE`` | | ``kprobe+`` [#kprobe]_ | | | +| ``BPF_PROG_TYPE_KPROBE`` | | ``kprobe+`` | | | + + +----------------------------------+-----------------------+-----------+ -| | | ``kretprobe+`` [#kprobe]_ | | | +| | | ``kretprobe+`` | | | + + +----------------------------------+-----------------------+-----------+ -| | | ``ksyscall+`` [#ksyscall]_ | | | +| | | ``ksyscall+`` | | | + + +----------------------------------+-----------------------+-----------+ -| | | ``kretsyscall+`` [#ksyscall]_ | | | +| | | ``kretsyscall+`` | | | + + +----------------------------------+-----------------------+-----------+ -| | | ``uprobe+`` [#uprobe]_ | | | +| | | ``uprobe+`` | | | + + +----------------------------------+-----------------------+-----------+ -| | | ``uprobe.s+`` [#uprobe]_ | | Yes | +| | | ``uprobe.s+`` | | Yes | + + +----------------------------------+-----------------------+-----------+ -| | | ``uretprobe+`` [#uprobe]_ | | | +| | | ``uretprobe+`` | | | + + 
+----------------------------------+-----------------------+-----------+ -| | | ``uretprobe.s+`` [#uprobe]_ | | Yes | +| | | ``uretprobe.s+`` | | Yes | + + +----------------------------------+-----------------------+-----------+ -| | | ``usdt+`` [#usdt]_ | | | +| | | ``usdt+`` | | | + +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_TRACE_KPROBE_MULTI`` | ``kprobe.multi+`` [#kpmulti]_ | | | +| | ``BPF_TRACE_KPROBE_MULTI`` | ``kprobe.multi+`` | | | + + +----------------------------------+-----------------------+-----------+ -| | | ``kretprobe.multi+`` [#kpmulti]_ | | | +| | | ``kretprobe.multi+`` | | | +-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ | ``BPF_PROG_TYPE_LIRC_MODE2`` | ``BPF_LIRC_MODE2`` | ``lirc_mode2`` | | | +-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ | ``BPF_PROG_TYPE_LSM`` | ``BPF_LSM_CGROUP`` | ``lsm_cgroup+`` | | | + +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_LSM_MAC`` | ``lsm+`` [#lsm]_ |`26`_ | | +| | ``BPF_LSM_MAC`` | ``lsm+`` |`26`_ | | + + +----------------------------------+-----------------------+-----------+ -| | | ``lsm.s+`` [#lsm]_ | | Yes | +| | | ``lsm.s+`` | | Yes | +-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ | ``BPF_PROG_TYPE_LWT_IN`` | | ``lwt_in`` | | | +-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ 
@@ -117,11 +117,11 @@ Program Types +-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ | ``BPF_PROG_TYPE_PERF_EVENT`` | | ``perf_event`` | | | +-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE`` | | ``raw_tp.w+`` [#rawtp]_ | | | +| ``BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE`` | | ``raw_tp.w+`` | | | + + +----------------------------------+-----------------------+-----------+ | | | ``raw_tracepoint.w+`` | | | +-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_RAW_TRACEPOINT`` | | ``raw_tp+`` [#rawtp]_ |`12`_ `13`_ | | +| ``BPF_PROG_TYPE_RAW_TRACEPOINT`` | | ``raw_tp+`` |`12`_ `13`_ | | + + +----------------------------------+ +-----------+ | | | ``raw_tracepoint+`` | | | +-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ 
@@ -153,27 +153,27 @@ Program Types +-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ | ``BPF_PROG_TYPE_SYSCALL`` | | ``syscall`` | | Yes | +-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_TRACEPOINT`` | | ``tp+`` [#tp]_ |`04`_ `07`_ `14`_ | | +| ``BPF_PROG_TYPE_TRACEPOINT`` | | ``tp+`` |`04`_ `07`_ `14`_ | | + + +----------------------------------+ +-----------+ -| | | ``tracepoint+`` [#tp]_ | | | +| | | ``tracepoint+`` | | | +-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_TRACING`` | ``BPF_MODIFY_RETURN`` | ``fmod_ret+`` [#fentry]_ | | | +| ``BPF_PROG_TYPE_TRACING`` | ``BPF_MODIFY_RETURN`` | ``fmod_ret+`` | | | + + +----------------------------------+-----------------------+-----------+ -| | | ``fmod_ret.s+`` [#fentry]_ | | Yes | +| | | ``fmod_ret.s+`` | | Yes | + +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_TRACE_FENTRY`` | ``fentry+`` [#fentry]_ | | | +| | ``BPF_TRACE_FENTRY`` | ``fentry+`` | | | + + +----------------------------------+-----------------------+-----------+ -| | | ``fentry.s+`` [#fentry]_ | | Yes | +| | | ``fentry.s+`` | | Yes | + +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_TRACE_FEXIT`` | ``fexit+`` [#fentry]_ | | | +| | ``BPF_TRACE_FEXIT`` | ``fexit+`` | | | + + +----------------------------------+-----------------------+-----------+ -| | | ``fexit.s+`` [#fentry]_ | | Yes | +| | | ``fexit.s+`` | | Yes | + +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | 
``BPF_TRACE_ITER`` | ``iter+`` [#iter]_ | | | +| | ``BPF_TRACE_ITER`` | ``iter+`` | | | + + +----------------------------------+-----------------------+-----------+ -| | | ``iter.s+`` [#iter]_ | | Yes | +| | | ``iter.s+`` | | Yes | + +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_TRACE_RAW_TP`` | ``tp_btf+`` [#fentry]_ |`16`_ `17`_ | | +| | ``BPF_TRACE_RAW_TP`` | ``tp_btf+`` |`16`_ `17`_ | | +-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ | ``BPF_PROG_TYPE_XDP`` | ``BPF_XDP_CPUMAP`` | ``xdp.frags/cpumap`` | | | + + +----------------------------------+-----------------------+-----------+ 
@@ -189,22 +189,6 @@ Program Types +-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -.. [#fentry] The ``fentry`` attach format is ``fentry[.s]/``. -.. [#kprobe] The ``kprobe`` attach format is ``kprobe/[+]``. Valid - characters for ``function`` are ``a-zA-Z0-9_.`` and ``offset`` must be a valid - non-negative integer. -.. [#ksyscall] The ``ksyscall`` attach format is ``ksyscall/``. -.. [#uprobe] The ``uprobe`` attach format is ``uprobe[.s]/:[+]``. -.. [#usdt] The ``usdt`` attach format is ``usdt/::``. -.. [#kpmulti] The ``kprobe.multi`` attach format is ``kprobe.multi/`` where ``pattern`` - supports ``*`` and ``?`` wildcards. Valid characters for pattern are - ``a-zA-Z0-9_.*?``. -.. [#lsm] The ``lsm`` attachment format is ``lsm[.s]/``. -.. [#rawtp] The ``raw_tp`` attach format is ``raw_tracepoint[.w]/``. -.. [#tp] The ``tracepoint`` attach format is ``tracepoint//``. -.. [#iter] The ``iter`` attach format is ``iter[.s]/``. - - .. |Build examples| image:: https://github.com/mozillazg/hello-libbpfgo/actions/workflows/build.yml/badge.svg?branch=master :target: https://github.com/mozillazg/hello-libbpfgo/actions/workflows/build.yml From 64750723e7cd16be1b600a56a0957cb2c20f0469 Mon Sep 17 00:00:00 2001 From: mozillazg Date: Sun, 19 Nov 2023 09:10:24 +0000 Subject: [PATCH 12/20] 21: improve code with bpf_skb_pull_data --- 21-tc-parse-packet-with-bpf_skb_load_bytes/main.bpf.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/21-tc-parse-packet-with-bpf_skb_load_bytes/main.bpf.c b/21-tc-parse-packet-with-bpf_skb_load_bytes/main.bpf.c index b5e27c9..bc896ee 100644 --- a/21-tc-parse-packet-with-bpf_skb_load_bytes/main.bpf.c +++ b/21-tc-parse-packet-with-bpf_skb_load_bytes/main.bpf.c 
@@ -9,8 +9,8 @@ #define ETH_HLEN 14 /* Total octets in header. */ #define TC_ACT_UNSPEC -1 -#define TC_ACT_SHOT 2 -#define TC_ACT_SHOT 2 +#define TC_ACT_OK 0 +#define TC_ACT_SHOT 2 #define DATA_LEN 1024 struct payload_t { @@ -26,6 +26,8 @@ struct { SEC("tc") int handle_ingress(struct __sk_buff *skb) { + bpf_skb_pull_data(skb, 0); + u16 h_proto; if (bpf_skb_load_bytes(skb, offsetof(struct ethhdr, h_proto), &h_proto, sizeof(h_proto)) < 0) From 0857c17642c08f49561ff9cb981ae7c30b95e7ef Mon Sep 17 00:00:00 2001 From: mozillazg Date: Sun, 19 Nov 2023 12:57:36 +0000 Subject: [PATCH 13/20] 25: send data to userspace via bpf_perf_event_output --- .../README.md | 1 - .../cilium-ebpf/README.md | 1 - .../cilium-ebpf/bpf_bpfeb.go | 8 +-- .../cilium-ebpf/bpf_bpfeb.o | Bin 6120 -> 4712 bytes .../cilium-ebpf/bpf_bpfel.go | 8 +-- .../cilium-ebpf/bpf_bpfel.o | Bin 6128 -> 4712 bytes .../cilium-ebpf/main.go | 45 ++++++++++++- .../main.bpf.c | 63 ++++++++++-------- .../main.go | 42 +++++++++++- go.mod | 1 + go.sum | 9 +++ 11 files changed, 133 insertions(+), 45 deletions(-) diff --git a/25-tc-parse-packet-with-direct-memory-access/README.md b/25-tc-parse-packet-with-direct-memory-access/README.md index 633e033..ca081ef 100644 --- a/25-tc-parse-packet-with-direct-memory-access/README.md +++ b/25-tc-parse-packet-with-direct-memory-access/README.md @@ -18,5 +18,4 @@ $ printf 'HTTP/1.1 200 OK\nContent-Length: 0\n\n' |nc -l 9090 & $ curl http://127.0.0.1:9090 -$ make cat ``` diff --git a/25-tc-parse-packet-with-direct-memory-access/cilium-ebpf/README.md b/25-tc-parse-packet-with-direct-memory-access/cilium-ebpf/README.md index 633e033..ca081ef 100644 --- a/25-tc-parse-packet-with-direct-memory-access/cilium-ebpf/README.md +++ b/25-tc-parse-packet-with-direct-memory-access/cilium-ebpf/README.md @@ -18,5 +18,4 @@ $ printf 'HTTP/1.1 200 OK\nContent-Length: 0\n\n' |nc -l 9090 & $ curl http://127.0.0.1:9090 -$ make cat ``` 
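Review bot: The added `bpf_skb_pull_data(skb, 0);` at the top of `handle_ingress` discards the helper's return value, so a failed pull goes unnoticed and the program carries on as if the data had been linearised. Check it and leave early with the verdict the other exits in this function use, for example `if (bpf_skb_pull_data(skb, 0) < 0) return TC_ACT_OK;`. The helper documentation describes the pull as needed for direct packet access, while this example reads through `bpf_skb_load_bytes`, so a one-line comment saying why the pull is wanted here would help readers. The body of `handle_ingress` continues outside this hunk, so any direct `data`/`data_end` use further down is not visible from here.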
diff --git a/25-tc-parse-packet-with-direct-memory-access/cilium-ebpf/bpf_bpfeb.go b/25-tc-parse-packet-with-direct-memory-access/cilium-ebpf/bpf_bpfeb.go index e4afdec..f9b07fe 100644 --- a/25-tc-parse-packet-with-direct-memory-access/cilium-ebpf/bpf_bpfeb.go +++ b/25-tc-parse-packet-with-direct-memory-access/cilium-ebpf/bpf_bpfeb.go @@ -12,8 +12,6 @@ import ( "github.com/cilium/ebpf" ) -type bpfPayloadT struct{ Data [1024]int8 } - // loadBpf returns the embedded CollectionSpec for bpf. func loadBpf() (*ebpf.CollectionSpec, error) { reader := bytes.NewReader(_BpfBytes) @@ -62,7 +60,7 @@ type bpfProgramSpecs struct { // // It can be passed ebpf.CollectionSpec.Assign. type bpfMapSpecs struct { - TmpMap *ebpf.MapSpec `ebpf:"tmp_map"` + Events *ebpf.MapSpec `ebpf:"events"` } // bpfObjects contains all objects after they have been loaded into the kernel. @@ -84,12 +82,12 @@ func (o *bpfObjects) Close() error { // // It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. type bpfMaps struct { - TmpMap *ebpf.Map `ebpf:"tmp_map"` + Events *ebpf.Map `ebpf:"events"` } func (m *bpfMaps) Close() error { return _BpfClose( - m.TmpMap, + m.Events, ) } 
diff --git a/25-tc-parse-packet-with-direct-memory-access/cilium-ebpf/bpf_bpfeb.o b/25-tc-parse-packet-with-direct-memory-access/cilium-ebpf/bpf_bpfeb.o index c37469e7b54dc48710b4a016d23078aed54633ab..deaf5cbe98ff05342021e89058f1d8c05d9220e3 100644 GIT binary patch literal 4712 zcmb_fO^h5z6@D|bo5l9}2M8of0#s~Bc7i<~|73~(ma&cF1Qxt0KoQr5DP zT_Ojb$2gk0b(3J6K&`h_y&)^35 zV+N1FkLrYB5=NKJ;cbvlAeI9E3EFwI9cZMBXv7MQnILYUJ!fzeyk+nR+%tF+eBIzJ z@aGM_4gS>>>*;>eUdmJ zH^FZkyaoOjgKvYskz%G&{)0A+v?`1@W$-32YY^j3Q2$YLys)Z)YldREt7 z;4R=2z_8J2KWDH4Cn4@+12!KArp*X=i5mji34B#&34tIhD)lT0w7u3d@ZI$E;iwFO zkfkoTDS>hQJqrDb8E+r(ni-F(23p?#YY^W-9jTnM$H=f~x1bvHTrkG>lvRE;wr%^C|z(U+~Fh>yux<#FIFe$C(p zZ03MxFsCN)DTCX<=#v?&wFmrBgI(aK4gMT3?`+!iftg!kob}3*!2{q=8|(vr#^3+I#rXRlb#K6CYgwRC0if@Mjv9y-!@)~(q6yd$f&H*`|y ztU7)Y!zb=r%fn7bJja)?pIF*sU`Ksf89J~Y*kS1UT?wNg30i?CtDfy!VdTUJkP1o5 z&9tzAr5i+UvMz9gS!}r-*Ka%5B;!fTN)@eT>Dh5lplEq^9J_64+lj3|mgBd@w?o&0 zwqp-mZ(Sm15G0P}hR4MVTDGUrSUERV&SjQi5G6*dA){LZ2SX%rVh=)Db0f#%(z|hB z#ZEU)0h47}!(&Hf=*Mo?ciM^>?s&nPg={i!!#PgE?<)Pd!z}Jg+~?B#wujlKS->Kt ze)7ni)DG8bhX=On*OtRhttASy8n|usxSk!Bt~R8yU0^eUnqn$LPqG0YPMw|l#s z(w1&V&1Ny((CW1#^&!QY2s*QI5)E64azkjVYF=dnRn-^9zNycl`K$`mBWKhzi;I^p zEnTvf&M(4L9X_o5AW=yx6dg+39*V_@VmI(531YNFr<(g2*z2BdC@gBn&SM20P$cmYX>%GVP>I)liC__;AYmcHs4EWKT5A!?#BT>{R9RsXaRbJg!5B;@ z_6Oma7VN6kO9DThJyAbVuU50fP*S=I>nH2l9VMhjinMApfo)-!90n-zn>5=jKy-xX@o%Z|QWQf1x1r=;(O6cJ7c`;#^Cl7CBz++|pAu z3g+Q1JTB>>t$E(+z|vQu+s&P5_~Z4d;i6CMW$^WZ<|eExoI6*yp1`>OFJe+mJ&b?T zWU(6=DDYg(2>(mGm48-$Sr{CbG4c0f=AW-Us#(vZjHi-5ZW)x10Nu;KZmjb2r7E*0 zUM|Sg87du5!A|^Ezk~Arynga>&T!W!QlaGKl!STvPeIPrWZrUm%SapG(`Z?KvivbG z7twfS-i3BA8s$E4{`}0w$^5DREZV*No9H7cH2UYROGx?})%tt+kF=GP>frRxelzFC puLo}~=ye(6)J1>yTsK0t?yN7LzfVG0>^F9Mer$lBIT}9p|1Z?GMKAyW literal 6120 zcmb_gU2Ggz6+XNEY1*bCAqk{~(wn3SyJ@^xr>UEtrroA(XeFbVG$rZ}jK{lUd+_eg zWM&-4lomr1Q64G0Xi9pwJD)GiyJOUDP*?t!~>{w)oW<>lqK>BIJsyH)DCr;O!h zPUYf=j_*w+*71)D=zN3>|8A)X=Y zmux<@KgD@&*%1ro`424^H*i}Ai9>h3{rs!TSBV$z;1ly>9P?jIf>)e#uO3@^-;tr^IN)Q9V`p>pfF72|NQKH2>C 
zjB+;Fnr#?0Ht>5CT|>(gzys(F^v|NR&KJ<1M86IF61rmpqx^uapXThN;8TceAb){= z3Z46An?)x!=r1a6K)$4S9P(R=7a+f{_yXi>iZ4N4RJ;WFs}$QMys6kg{$6nd@{fwg zA^(cL5ldcx{5v|2CmkPVqP-+h*t&pnnz^zq0;Iz!Si*AAl&$C^nF6w?p56 zJ^`l90%X2kp|iz7=MU23*lc9(6SY-(0rF$ivFZ5^LH`X~c=#y;zd~a)su~0cp85Y6 z^bYFS)W1fIBBBjcrPm-gK>h>;P95@B4$k700gT+0Su>xq3zPD^V$kx}h|w```5dG{ z$2pW=Q4C%_uNb*6e-D`U4RqER@#E0{0CGF}7&_bC=;P4;NcVUb@atR{8U^S3nT~A* zenas#;NPkpx5~A=wPI)ULcOZecRpwBpR6D)DyJ-nbGZNpw|GtmDxr{AS|_z(8k#9GDRh9362i8#)~$B#e!wDaT>&phUw zczWzH$C254_d?I-Y&Z6&x?aoBRKGP&A}u#@r8(_JlFWym%y{#1+HKEz(s9o?UN?z+ zFP5YeIvqDeq)T}q_(JJ)2QxZl&5;TLhoNl{aCycxp zu~L#W{Y(oRSo%TaC-VX~n8l7i>33V+8OdbQbW%lgLZ;n#TA*mQ-8lAJcJ)|gOS*38 zJ5Wrz9lt#9?wWT!!2}MZ7eO_EjAbwGnlsGJ{*@xM73Vk;9@dT#JbSr{r+F4Awb>5TZmSi=5>w!``J@->xqk5e z-X7Am4?UPwo!NTWJTW$Q{Md|qq992%3L_CPziZBP$i8DfY zE(fRTOeaA%t{kWzs8_4mg2;?5x%$Ba*Slj{bNH~StG&@5F6O$|8uzjmxpPkTtL6#f z_*bUP@}nnIHAAMdvO;Xt>@xeP{h+gFh23W-dxtVe`rr}UO*9AUweX-?Z++%Xg zv1?ylZ3Yc*FoPchGLZ(;>dbbWm|Y5W-*^u>?I4($4IQuTbt*gc6}H>#^jp=H1#MNg zs@)(nh8mjioXB%q_)SM$uU*-xHt7#;cb248+UoB7E_4E$ugOmG>=&@AZEAn;x$cg5 zTeo8M&s1RCiw}&bt7kbRFNo9jn_f5eq=rq#k}<|wc@vSv0qRx%ioh4e zHr!bFr7is${R;3`(DA`8{Sq?!3Vjk7Um~mHZ4s^X8}zqC&g=l8JvjfQP52d~E&077 zXZhEP$#LF7D=7y`+kPE?A0JANkEguvo47dhc8;$$<5|w}Q2AwC*g1YC$9el($Z^`g zto%KZ-)#jypYr|*k;}Ycd^g7rfWMxzKMsz0IKQ>8f?rX70q{=nt2vJOm^N$wCy^!c z^(lwiwi0q;$KMh83)WN8{SOS|f=~NKIzI4-$h*9pPAmVm$Ti$DOS*myCna6~z)vwX z?JuhRKcuvli{bn{&+Kx5oR!{C?=_I**OX%|f<2Z0t$ZA^g4~}|9x8uR`OA>7@B5c> ztc~{lyjgvCn}$g_HRGyRT3=7Uq62zpgT0on(%}vyo3I6qlZ}-w165&Syzg%C{2Yw}A1mjmB@@Ua3PFYvIy7Yh7*fnO-_iv@nEz^@eeQh~F=bNegveDj=d zxjZkNclm+B_-KJYm+@O}y;*9BcP5cqa>;lrbSzOG?l$)-k*Ob=6TOZWZjD?DYtV+Wd77U=r{7`yle)YK3RR_{rSbZk^e=E wp_S`+&?o!4<^6|)KYpyusOQlh!nUX6ulqRSmI%gGdxHJKmk$9lSd; zo|&~{euPyOi5DO|1c@h%6rc}KMeqosv-nJNag$PoV#9+ z((=HO&z$d^d(OFc&OP_e`b+0#Ul<-55=%q!PubM0Rb=9UOmSJC+jk-A1p$r5$5N*>|Q*sxC;3p z#cPmS?mf(7eF2Ae;&B4(AlFYI&w^QJ(s?kk1Lp1#SHYJQ*C6YP*C0EJ*CAIGZ$Q4H z_%7sE6>|~aRO|qMPjMCab;UJc)_WIt4ftnjcTku+imSlCR$K%At>QJ{Hx;h~-&MQ; 
z{1?S{f!|ilV*Uqs4D0~!zO2Uk|6%R5Wd|>yiX1wsVhL0QrfbtD)hi zAeMB#2Z2{~KKfU|Bpd%VfPJ~iK8M*~Bn<6FDdiggJ0NdB;%|&c@aq`ByS&QNeFOM? zkf4!oDaJZSzN47)eixWM&Gr0Hu>*WdaRvCN>R$z}gPHS1@GoHh03>^r^cc7X{w3_7 zosZ!0Mvl!*#`%7)V?0BDQv814KdT=F*Yfs&A5?*A>Pmco57571{9q2v6Y2=(;Lh+| zlI~ON0FMEKcG~myzx*G8KYGU0@^N6+iS(pmuJbT3=W@Vh#Z}-bV7_AwYdWR40bEtw z#+H3daRB_H;?DxlDqaMhQ;f4dG_SY|{AtA@@KwbTa1EI2jKOw))_{30(|#R1oj0r9 z6SR&Yc!)d!<}mqe?ziV4Fr8+hLz*uRzX2rXyf|P#WUP7ol{}s;D(wL*L70i_K7aAz z^OxOEzI5fBJAZlZoa;)q8vC;7uexdQIbW8&PS4MwzwC!uikNiKUFbEN((yxy7c!pTx^d#CNRTU8J+M~zz%z)FAX~+vT5wC z|C(5t)!p1sUy!z!wgrZI$4k?oAq_9{%)|A=hJ;=mxUe?8ZqQkk#P3F#?*{QR(uwL` z$DqD(s&AaKo^h09YBiAA-L8)*vNZF$v8)7%@AB1KY2>DUE6o9m<+{D&$D|jgK`Znd z4lCU3L@O?;$-4EXxQMXjn8y~kbWzepzFOGmV6}M_@RCwF`Sg^OkCw|vyIv5M7vg5Q zE)Hlp3L4H~vpT%CbH&B#o7Jwjy#%HO9|gk*p8X1^ zZEh+Wx7UT)Yc!HnQVO&UpNzuBRZe~cCFeUy8ugO8FAYDm>;9|rG7 zE>aEbfFsqpR{FoLI^cUz%M1>iB^CX)@he}TY3O^+*C-#r8yMmi?Ul_r$JNf?Bl`yO zys7rrRPwEuBew6Z`d0>YW}O6E;;O1vfuufH&}#*qWwAv6HLE~Uzh2PS3;L~szERMB zSJ3Yk^tTFnzqeuM{EzAO(vA9LK|fv4XAAn(g1+niQ7LEswM@#1-zm?`zfh*4AMV1( zB|o&~PG`C6nkzAA4V-AihSIzwt3mV@y zD0oI4ALTzr15}LX|B6K$-9OF&P^U0hP~}tbVgD6rV=TAWb3&Chvh}ldIS-rtJ)cM9 z&pExfA5@Pag67*i82)DTM(jBQFH2|mv^@0>k5 zpj`N7zxkf${rP_0@137LUpq8>xU-`}GUMx#YQXXnT_U%DzR^(c@}1>E_J7VtGk&E@RKQj z195`2W%JRWCeE{DQ!M3mH|#tdH*}|Kj0)V!&`ayCr}O`q8j)_;uVa3W$BbQyty(x9 z^STxd=GOkdmzwW-<(!<4Yx(TRu>9z~4m%bD@58`s>o`Fwok)9DPaW8nm=+b9?AcJy zki}HMu6`+l3vHiBSr60ppkf@q=yBW@vjnz5G^C-6`5XdHD@Wurzz|#Y7y~X=?0W72 zO0dDvUtIovq1QF8JM3$%XCM8xt|i+=h0a0GiXnvEk&C{bI>5m?!_gG1MFOh z%LJOixEIm${Iy)9sTel-s^Sv*mlcnq|Bm7r^gmEMi~e=RbLcN9zJmTYin)ll6dT|_ zDlP%Pt9TUnZ@{b2W`M7%-k{FjS6l*SzPaX6;2Vl(fSGjaXMuYa&jBx2d#PKvsD4KE zP-E6~?Hqbuy-=^y3c?q&KFrK$`0KkLIDi57z$?sM6Zn(pAzjmovCgiqE9Sgsfem^-J6}~yeqJ%} zrSGeM379p;F+Yd)L+Cf6A3>u$j5dn)Q|KW*58?9j6leFG{7P->VS7{Y2H@YTA3Lt) z9ktPq0&4S0yondcpP~Fz3hfoNi+f@%ZC3r?6&vttz!3W^A-J3W08SqHwYl5{Y#0RD zrc_N3wx@GvmfK8iIxrMLq8Ma7divS$_hz%M9%5qL~-6?j}R9{3$EDy{=J z6gPk)#R2dsV1s!>wCsFlfX}G@Jg^EhBH43~^?NNX?qvnw4zv%!(ep87&xE}}`*)ju 
z3zZPYFX97RA6YBfu=tHc9Ov<4#~y#idHTq+hn(Zjj2v;46+>5j z*Eoq(+{Bggq#H>x9ePsrrsb4dYkE?5Pdi>CiF_}Xq#inTH^fMB)fsD!k4w#KNLWoA z8&r3rs+??kO^;ro-TFA6Gbq~2o;>4|oGUZ2}!(C6rffIWZaSHq|doo@NrW_RxPmjyYGs}fhag+`@@rKP*YW@K<^$D>l*UMy~}yMCiM7LFIoVj!mizhbs4b|n9tIW-w`69Fx=Qv{? z)(#7~Pw=G79xPIP~e(9@4cB9LTE9tlw{rjEo#Rdi=2f1@`p=GtkUTUm?TDJQ$Dd4f3p`6;vf=m{0ffa#xKA+~C^m|fJ~ z>FilykJ`z2Xl6^>Ol>u$!=Zj|8+hOC#nwK?R@25DyY_|EW*~Ti8QcuWL^_yOXSUCJ-&S@Bq|_QSa~J}^dI zILkgcBTmgPdyUwWA~qRI#yHmelZY%1P_O(i!q}Ha`nAWemfzx)a~bU`zA4vUF!I?L-`%>J7}9ur~c#}c(oUj)R%lG_}W*}w^zn{!TUAd4us1d z(t}2RQ~4fX{>S$(oCReRtsm_yazP2v$lp?a4w(M`RL{F813A7e#~;h_;T(TH$CupGE5*b+ zok%hAYQ=-c4;M*t-+Af7I{T0=)@rBfj{UarC)%Fq7yuuHMZDb-cMSb>-S#@J3?Do= z=*Z21jpd|ykG0?tLr`jX=O{8>HZ_nXCW3`!X-ucN-C^B>MF zAn(in6Z1O8e^Y-XtF_e~^?BbD(B)j{CO4MbuJzpEZ)DtKmcO;B+5X 0 { + log.Printf("lost %d events", record.LostSamples) + continue + } + parseEvent(record.RawSample) + } log.Println("bye bye") } diff --git a/25-tc-parse-packet-with-direct-memory-access/main.bpf.c b/25-tc-parse-packet-with-direct-memory-access/main.bpf.c index ddc088a..86eb69a 100644 --- a/25-tc-parse-packet-with-direct-memory-access/main.bpf.c +++ b/25-tc-parse-packet-with-direct-memory-access/main.bpf.c @@ -9,20 +9,17 @@ #define ETH_HLEN 14 /* Total octets in header. */ #define TC_ACT_UNSPEC -1 -#define TC_ACT_SHOT 2 -#define TC_ACT_SHOT 2 +#define TC_ACT_OK 0 +#define TC_ACT_SHOT 2 -#define DATA_LEN 1024 -struct payload_t { - char data[DATA_LEN]; +struct event_t { }; struct { - __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY); - __type(key, u32); - __type(value, struct payload_t); - __uint(max_entries, 1); -} tmp_map SEC(".maps"); + __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY); + __uint(key_size, sizeof(u32)); + __uint(value_size, sizeof(u32)); +} events SEC(".maps"); SEC("tc") int handle_ingress(struct __sk_buff *skb) { 
@@ -31,39 +28,47 @@ int handle_ingress(struct __sk_buff *skb) { struct iphdr *ip_hdr = data + ETH_HLEN; if ((void *)ip_hdr + sizeof(struct iphdr) > data_end) { - return TC_ACT_UNSPEC; + return TC_ACT_OK; } if (ip_hdr->protocol != IPPROTO_TCP) { // not tcp - return TC_ACT_UNSPEC; + return TC_ACT_OK; } struct tcphdr *tcp_hdr = (void *)ip_hdr + sizeof(struct iphdr); if ((void *)tcp_hdr + sizeof(struct tcphdr) > data_end) { - return TC_ACT_UNSPEC; + return TC_ACT_OK; } if (tcp_hdr->dest != bpf_htons(9090)) // not 9090 port - return TC_ACT_UNSPEC; - if (tcp_hdr->psh == 0) // no payload - return TC_ACT_UNSPEC; + return TC_ACT_OK; + // if (tcp_hdr->psh == 0) // no payload + // return TC_ACT_OK; + + struct event_t event = {}; + + u64 flags = BPF_F_CURRENT_CPU; + u64 save_size = (u64)(skb->len); + flags |= save_size << 32; + bpf_perf_event_output(skb, &events, flags, &event, sizeof(event)); // parse tcp payload - char *raw_payload = (void *)tcp_hdr + tcp_hdr->doff * 4;; - unsigned raw_payload_size = bpf_htons(ip_hdr->tot_len) - (tcp_hdr->doff * 4) - sizeof(struct iphdr); - if ((void *)raw_payload + raw_payload_size > data_end) { - return TC_ACT_UNSPEC; - } + // char *raw_payload = (void *)tcp_hdr + tcp_hdr->doff * 4;; + // unsigned raw_payload_size = bpf_htons(ip_hdr->tot_len) - (tcp_hdr->doff * 4) - sizeof(struct iphdr); + // if ((void *)raw_payload + raw_payload_size > data_end) { + // return TC_ACT_OK; + // } - u32 id = 0; - struct payload_t *payload = bpf_map_lookup_elem(&tmp_map, &id); - if (!payload) - return TC_ACT_UNSPEC; + // u32 id = 0; + // struct payload_t *payload = bpf_map_lookup_elem(&tmp_map, &id); + // if (!payload) + // return TC_ACT_OK; - bpf_probe_read_kernel(&payload->data, sizeof(payload->data), raw_payload); + // __builtin_memset(payload->data, 0, sizeof(payload->data)); + // bpf_probe_read_kernel(&payload->data, sizeof(payload->data), raw_payload); - char fmt[] = "payload:\n%s"; - bpf_trace_printk(fmt, sizeof(fmt), payload->data); + // char fmt[] = 
"payload:\n%s"; + // bpf_trace_printk(fmt, sizeof(fmt), payload->data); - return TC_ACT_UNSPEC; + return TC_ACT_OK; } char _license[] SEC("license") = "GPL"; diff --git a/25-tc-parse-packet-with-direct-memory-access/main.go b/25-tc-parse-packet-with-direct-memory-access/main.go index 56aae2a..2942d76 100644 --- a/25-tc-parse-packet-with-direct-memory-access/main.go +++ b/25-tc-parse-packet-with-direct-memory-access/main.go @@ -7,8 +7,22 @@ import ( "syscall" bpf "github.com/aquasecurity/libbpfgo" + "github.com/google/gopacket" + "github.com/google/gopacket/layers" ) +func parseEvent(data []byte) { + // Decode a packet + packet := gopacket.NewPacket(data, layers.LayerTypeEthernet, gopacket.Default) + // Get the TCP layer from this packet + if tcpLayer := packet.Layer(layers.LayerTypeTCP); tcpLayer != nil { + log.Println("This is a TCP packet!") + // Get actual TCP data from this layer + tcp, _ := tcpLayer.(*layers.TCP) + log.Printf("From src port %d to dst port %d", tcp.SrcPort, tcp.DstPort) + } +} + func main() { bpfModule, err := bpf.NewModuleFromFile("main.bpf.o") if err != nil { @@ -28,6 +42,7 @@ func main() { hook.SetAttachPoint(bpf.BPFTcIngress) err = hook.Create() if err != nil { + log.Println(err) if errno, ok := err.(syscall.Errno); ok && errno != syscall.EEXIST { log.Fatalf("tc hook create: %v", err) } 
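Review bot: `save_size` is set to `skb->len` with no upper bound, and the PSH check is now commented out, so every segment addressed to port 9090 is copied in full into the perf buffer, payload included. The userspace reader added in this commit only logs TCP ports, so bounding the capture to the headers it needs reduces both lost events and the amount of payload data leaving the kernel; clamp it before the shift with `if (save_size > CAP_LEN) save_size = CAP_LEN;`, where `CAP_LEN` is a new constant you would define. The return value of `bpf_perf_event_output` is also dropped, so a full ring is invisible on the kernel side. The commented-out payload-parsing block after the call is dead code and is better deleted than kept as comments. `handle_ingress` begins above this hunk.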
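Review bot: `parseEvent` decodes bytes that came straight off the wire but never looks at decode failures, so a truncated or malformed frame is silently ignored. Checking `packet.ErrorLayer()` after `gopacket.NewPacket` and logging its error makes those cases visible. The assertion `tcp, _ := tcpLayer.(*layers.TCP)` throws away the `ok` result and then dereferences `tcp`; `if tcp, ok := tcpLayer.(*layers.TCP); ok { ... }` removes the nil-dereference path at no cost. A doc comment on `parseEvent` stating that `data` is expected to start at the Ethernet header would record the assumption behind `layers.LayerTypeEthernet`.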
@@ -46,12 +61,33 @@ func main() { log.Fatal(err) } + eventsChannel := make(chan []byte) + lostChannel := make(chan uint64) + pb, err := bpfModule.InitPerfBuf("events", eventsChannel, lostChannel, 1024) + if err != nil { + return + } ctx, stop := signal.NotifyContext( context.Background(), syscall.SIGINT, syscall.SIGTERM, ) - defer stop() + pb.Start() + defer func() { + pb.Stop() + pb.Close() + stop() + }() log.Println("...") - <-ctx.Done() - log.Println("bye bye") +loop: + for { + select { + case data := <-eventsChannel: + parseEvent(data) + case n := <-lostChannel: + log.Printf("lost %d events", n) + case <-ctx.Done(): + break loop + } + } + log.Println("bye bye~") } diff --git a/go.mod b/go.mod index 0eec76e..7116114 100644 --- a/go.mod +++ b/go.mod @@ -12,6 +12,7 @@ require ( require ( github.com/google/go-cmp v0.5.9 // indirect + github.com/google/gopacket v1.1.19 // indirect github.com/josharian/native v1.1.0 // indirect github.com/mdlayher/netlink v1.6.0 // indirect github.com/mdlayher/socket v0.1.1 // indirect diff --git a/go.sum b/go.sum index 17d1443..a607dd4 100644 --- a/go.sum +++ b/go.sum @@ -23,6 +23,8 @@ github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE= github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8= +github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo= github.com/josharian/native v0.0.0-20200817173448-b6b71def0850/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w= github.com/josharian/native v1.0.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w= github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA= 
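Review bot: When `InitPerfBuf` fails the new code does a bare `return`, so the program exits with status 0 and prints nothing, while the setup errors visible around it use `log.Fatal`/`log.Fatalf`. Replace it with `log.Fatalf("init perf buffer: %v", err)` so a missing or mistyped `events` map is reported. The deferred cleanup is also registered only after `signal.NotifyContext` and `pb.Start()`, which is fine as written but worth a short comment explaining the stop order (`pb.Stop()`, `pb.Close()`, then `stop()`). `main` begins outside this hunk.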
@@ -67,11 +69,15 @@ github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTE github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8= github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 h1:Jvc7gsqn21cJHCmAWx0LiimpP18LZmUxkT5Mp7EZ1mI= golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc= +golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191007182048-72f939374954/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 
@@ -86,6 +92,7 @@ golang.org/x/net v0.0.0-20210928044308-7d9f5e0b762b/go.mod h1:9nx3DQGgdP8bBQD5qx golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c h1:5KslGYwFpkhGh+Q16bwMP3cOontH8FOep7tGV86Y7SQ= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= @@ -121,6 +128,8 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= From cbb1354699e6568b2c6acd8ab00a527237329cd9 Mon Sep 17 00:00:00 2001 
From: mozillazg Date: Sun, 26 Nov 2023 05:42:08 +0000 Subject: [PATCH 14/20] 28: add 28-kprobe-hello --- 28-kprobe-hello/Makefile | 1 + 28-kprobe-hello/README.md | 15 + 28-kprobe-hello/cilium-ebpf/Makefile | 1 + 28-kprobe-hello/cilium-ebpf/README.md | 15 + 28-kprobe-hello/cilium-ebpf/bpf_bpfeb.go | 131 +++++++++ 28-kprobe-hello/cilium-ebpf/bpf_bpfeb.o | Bin 0 -> 6352 bytes 28-kprobe-hello/cilium-ebpf/bpf_bpfel.go | 131 +++++++++ 28-kprobe-hello/cilium-ebpf/bpf_bpfel.o | Bin 0 -> 6352 bytes 28-kprobe-hello/cilium-ebpf/main.go | 75 +++++ 28-kprobe-hello/common.h | 5 + 28-kprobe-hello/main.bpf.c | 67 +++++ 28-kprobe-hello/main.go | 91 +++++++ README.rst | 331 ++++++++++++----------- 13 files changed, 698 insertions(+), 165 deletions(-) create mode 120000 28-kprobe-hello/Makefile create mode 100644 28-kprobe-hello/README.md create mode 120000 28-kprobe-hello/cilium-ebpf/Makefile create mode 100644 28-kprobe-hello/cilium-ebpf/README.md create mode 100644 28-kprobe-hello/cilium-ebpf/bpf_bpfeb.go create mode 100644 28-kprobe-hello/cilium-ebpf/bpf_bpfeb.o create mode 100644 28-kprobe-hello/cilium-ebpf/bpf_bpfel.go create mode 100644 28-kprobe-hello/cilium-ebpf/bpf_bpfel.o create mode 100644 28-kprobe-hello/cilium-ebpf/main.go create mode 100644 28-kprobe-hello/common.h create mode 100644 28-kprobe-hello/main.bpf.c create mode 100644 28-kprobe-hello/main.go diff --git a/28-kprobe-hello/Makefile b/28-kprobe-hello/Makefile new file mode 120000 index 0000000..d981720 --- /dev/null +++ b/28-kprobe-hello/Makefile @@ -0,0 +1 @@ +../common/Makefile \ No newline at end of file diff --git a/28-kprobe-hello/README.md b/28-kprobe-hello/README.md new file mode 100644 index 0000000..1adac9e --- /dev/null +++ b/28-kprobe-hello/README.md @@ -0,0 +1,15 @@ + + +## Usage + +build: + +``` +$ make +``` + +run: + +``` +$ make run +``` diff --git a/28-kprobe-hello/cilium-ebpf/Makefile b/28-kprobe-hello/cilium-ebpf/Makefile new file mode 120000 index 0000000..97ab7f0 --- /dev/null 
+++ b/28-kprobe-hello/cilium-ebpf/Makefile @@ -0,0 +1 @@ +../../common/cilium-ebpf.Makefile \ No newline at end of file diff --git a/28-kprobe-hello/cilium-ebpf/README.md b/28-kprobe-hello/cilium-ebpf/README.md new file mode 100644 index 0000000..1adac9e --- /dev/null +++ b/28-kprobe-hello/cilium-ebpf/README.md @@ -0,0 +1,15 @@ + + +## Usage + +build: + +``` +$ make +``` + +run: + +``` +$ make run +``` diff --git a/28-kprobe-hello/cilium-ebpf/bpf_bpfeb.go b/28-kprobe-hello/cilium-ebpf/bpf_bpfeb.go new file mode 100644 index 0000000..f834d05 --- /dev/null +++ b/28-kprobe-hello/cilium-ebpf/bpf_bpfeb.go 
@@ -0,0 +1,131 @@ +// Code generated by bpf2go; DO NOT EDIT. +//go:build arm64be || armbe || mips || mips64 || mips64p32 || ppc64 || s390 || s390x || sparc || sparc64 + +package main + +import ( + "bytes" + _ "embed" + "fmt" + "io" + + "github.com/cilium/ebpf" +) + +type bpfEvent struct { + Pid uint64 + Ret int64 + Filename [256]int8 +} + +// loadBpf returns the embedded CollectionSpec for bpf. +func loadBpf() (*ebpf.CollectionSpec, error) { + reader := bytes.NewReader(_BpfBytes) + spec, err := ebpf.LoadCollectionSpecFromReader(reader) + if err != nil { + return nil, fmt.Errorf("can't load bpf: %w", err) + } + + return spec, err +} + +// loadBpfObjects loads bpf and converts it into a struct. +// +// The following types are suitable as obj argument: +// +// *bpfObjects +// *bpfPrograms +// *bpfMaps +// +// See ebpf.CollectionSpec.LoadAndAssign documentation for details. +func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error { + spec, err := loadBpf() + if err != nil { + return err + } + + return spec.LoadAndAssign(obj, opts) +} + +// bpfSpecs contains maps and programs before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfSpecs struct { + bpfProgramSpecs + bpfMapSpecs +} + +// bpfSpecs contains programs before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfProgramSpecs struct { + KprobeDoSysOpenat2 *ebpf.ProgramSpec `ebpf:"kprobe__do_sys_openat2"` + KretprobeDoSysOpenat2 *ebpf.ProgramSpec `ebpf:"kretprobe__do_sys_openat2"` +} + +// bpfMapSpecs contains maps before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfMapSpecs struct { + Events *ebpf.MapSpec `ebpf:"events"` + TmpMap *ebpf.MapSpec `ebpf:"tmp_map"` +} + +// bpfObjects contains all objects after they have been loaded into the kernel. +// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. 
+type bpfObjects struct { + bpfPrograms + bpfMaps +} + +func (o *bpfObjects) Close() error { + return _BpfClose( + &o.bpfPrograms, + &o.bpfMaps, + ) +} + +// bpfMaps contains all maps after they have been loaded into the kernel. +// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. +type bpfMaps struct { + Events *ebpf.Map `ebpf:"events"` + TmpMap *ebpf.Map `ebpf:"tmp_map"` +} + +func (m *bpfMaps) Close() error { + return _BpfClose( + m.Events, + m.TmpMap, + ) +} + +// bpfPrograms contains all programs after they have been loaded into the kernel. +// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. +type bpfPrograms struct { + KprobeDoSysOpenat2 *ebpf.Program `ebpf:"kprobe__do_sys_openat2"` + KretprobeDoSysOpenat2 *ebpf.Program `ebpf:"kretprobe__do_sys_openat2"` +} + +func (p *bpfPrograms) Close() error { + return _BpfClose( + p.KprobeDoSysOpenat2, + p.KretprobeDoSysOpenat2, + ) +} + +func _BpfClose(closers ...io.Closer) error { + for _, closer := range closers { + if err := closer.Close(); err != nil { + return err + } + } + return nil +} + +// Do not access this directly. +// +//go:embed bpf_bpfeb.o +var _BpfBytes []byte 
diff --git a/28-kprobe-hello/cilium-ebpf/bpf_bpfeb.o b/28-kprobe-hello/cilium-ebpf/bpf_bpfeb.o new file mode 100644 index 0000000000000000000000000000000000000000..b8d2430d3dfa22b9072499f8c7cac4091e650379 GIT binary patch literal 6352 zcmb`LZD?Fs8ONVHlWyb7HtE`~-SuT}Marafr_&eL+OBolHQf}d9nyYi7vW|ybCV32 zncU1voNRY-)G8JBLxmL!3L9}@3%(T`+t7tJm>w+JtzIj=(#hAgh##P(SPB`GI}L&b`J|>^*KadCoewTHYIfB z2kQ?w2fC_yUv)+Gp6XrIW!0|g9o1W^H&vHZZ>U~Zy{6h$ZK+18GpZA+msE4AW2#xz zW2za|l&Y_~M|D_rP?ZJqUVFg$4So>qC@ihL#g64KGZ6V#mey9;(RG^{(sk@S$+<+^ z(fa!O+RANTaIo`?sBLF{@%Y*b=k&*~lZp3iT&=U;)Z6Y$dvA4)D`R$Oe|3+{!sPMu zc2;~($D6n@Qku3I8qh`x0FS} zZDmpLHDyuob!AcT4P{aAlCmiHrm`sbma-`Lj>_1#5#o0E7*W?LV7^3&V ze@cBBhK}U}$WNm)H02G$KMMOGjMFjL5G)IO7Pb@ChK*`FkHSBz{to!(b*!9~g-u$9 zGMANk?our_e(oE?FcEO@k9-*avb7p5z~2VT!oCLE4r{}{341@R3wwnJg7g?n>Lmne zH%qKP&gMQo!uc8_Z_h(99EAkoFdiq5X%~zWkBPrRS=g)EH}8GCZ|>uJsLx}#3Hu@J zqcBcyz}U~iex!aI`ZM*r&|er|n*5deS?I6TZ$p2hei!;%VJ2Ur#$pswCEp6rQmqu$X*OJ> zg?zagQlklmAvb}Y%E(TIPoKo-d8hby)Z3@==iE&~ zpm_~22yxBc1;J#qRBn{2K_#pdqD2hg>607VCcztMcX1?dT!PPMHqKLzzh(CO^>LK( z_ujG(AKy5M;WHh{I|%z6nJX%nG2?9e63$K!XPEFSL`C-f7~{_1rIb53*7*~ji7}TQ zi!sMzoZOyG-h`I_hp2_~(`z~0R<`50ZaCo+y@Z3r!#Ud5URTRQqN`lKqWl`J1YlVU z{qA$U1j@fpNW5-5Z_M*1<|%7rneRrvDTim0&O3>-{FhulX3CSFC%VITteo;iqGjf` z^0$co#JuFRr}Ic+FmLjmqO0+imt%}$kMGw!-sJCzR(L-5V$9_$%5UO0=6Nd*;C)#I z^Jy7hx8$JVfzw0}xZGEsC6BMBy>|w_mj&Z4FR9axw~EreJI%eY7YN6PO(5QBKbb-Pu2?+BaTq5CLULQ^=Se$d+?M5M;U{9u{l&{C9F81r zJAB>YC5L%@@%Fn8-*tG!;njYYWr?*Xe|N;$cj7Y+kAY+J=Wk0N&p3>4OJDglhi^E1 z)8RV~FFSnC;rk9h=;y?s!+RV~Ieg6FF^4ZXJmc_HaBO`O__mn!*fBh`^D#;{!d8RQ zwXmE%eeq11K`)r*6v7cGx6X9Ayif`9#bOOt*w|5pt4hW<4)<@r$F@HA&wnf1{_XgX#cA7wh^eoxh^^1Szm=`(Uzg~O@2Fxgo*CzM zAKMt{wpR@da!fqM_b-Qnt>%AAD`lWOe;a4VKa4!SQ`qstji*QN8%q2*o(n(TKc73c z-E4o{&K1Ln2`Kl^eQ}ESKQgy|PS(9GMe)b3tdiX~TNoej7&7_Wyh$3qp_%ufT*r>v H_P^(U9U592 literal 0 HcmV?d00001 diff --git a/28-kprobe-hello/cilium-ebpf/bpf_bpfel.go b/28-kprobe-hello/cilium-ebpf/bpf_bpfel.go new file mode 100644 index 0000000..c87c501 --- /dev/null 
+++ b/28-kprobe-hello/cilium-ebpf/bpf_bpfel.go 
@@ -0,0 +1,131 @@ +// Code generated by bpf2go; DO NOT EDIT. +//go:build 386 || amd64 || amd64p32 || arm || arm64 || loong64 || mips64le || mips64p32le || mipsle || ppc64le || riscv64 + +package main + +import ( + "bytes" + _ "embed" + "fmt" + "io" + + "github.com/cilium/ebpf" +) + +type bpfEvent struct { + Pid uint64 + Ret int64 + Filename [256]int8 +} + +// loadBpf returns the embedded CollectionSpec for bpf. +func loadBpf() (*ebpf.CollectionSpec, error) { + reader := bytes.NewReader(_BpfBytes) + spec, err := ebpf.LoadCollectionSpecFromReader(reader) + if err != nil { + return nil, fmt.Errorf("can't load bpf: %w", err) + } + + return spec, err +} + +// loadBpfObjects loads bpf and converts it into a struct. +// +// The following types are suitable as obj argument: +// +// *bpfObjects +// *bpfPrograms +// *bpfMaps +// +// See ebpf.CollectionSpec.LoadAndAssign documentation for details. +func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error { + spec, err := loadBpf() + if err != nil { + return err + } + + return spec.LoadAndAssign(obj, opts) +} + +// bpfSpecs contains maps and programs before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfSpecs struct { + bpfProgramSpecs + bpfMapSpecs +} + +// bpfSpecs contains programs before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfProgramSpecs struct { + KprobeDoSysOpenat2 *ebpf.ProgramSpec `ebpf:"kprobe__do_sys_openat2"` + KretprobeDoSysOpenat2 *ebpf.ProgramSpec `ebpf:"kretprobe__do_sys_openat2"` +} + +// bpfMapSpecs contains maps before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfMapSpecs struct { + Events *ebpf.MapSpec `ebpf:"events"` + TmpMap *ebpf.MapSpec `ebpf:"tmp_map"` +} + +// bpfObjects contains all objects after they have been loaded into the kernel. +// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. 
+type bpfObjects struct { + bpfPrograms + bpfMaps +} + +func (o *bpfObjects) Close() error { + return _BpfClose( + &o.bpfPrograms, + &o.bpfMaps, + ) +} + +// bpfMaps contains all maps after they have been loaded into the kernel. +// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. +type bpfMaps struct { + Events *ebpf.Map `ebpf:"events"` + TmpMap *ebpf.Map `ebpf:"tmp_map"` +} + +func (m *bpfMaps) Close() error { + return _BpfClose( + m.Events, + m.TmpMap, + ) +} + +// bpfPrograms contains all programs after they have been loaded into the kernel. +// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. +type bpfPrograms struct { + KprobeDoSysOpenat2 *ebpf.Program `ebpf:"kprobe__do_sys_openat2"` + KretprobeDoSysOpenat2 *ebpf.Program `ebpf:"kretprobe__do_sys_openat2"` +} + +func (p *bpfPrograms) Close() error { + return _BpfClose( + p.KprobeDoSysOpenat2, + p.KretprobeDoSysOpenat2, + ) +} + +func _BpfClose(closers ...io.Closer) error { + for _, closer := range closers { + if err := closer.Close(); err != nil { + return err + } + } + return nil +} + +// Do not access this directly. +// +//go:embed bpf_bpfel.o +var _BpfBytes []byte 
diff --git a/28-kprobe-hello/cilium-ebpf/bpf_bpfel.o b/28-kprobe-hello/cilium-ebpf/bpf_bpfel.o new file mode 100644 index 0000000000000000000000000000000000000000..b6644e4dbeb27a9ad9315f1e2e321ceb60025b6a GIT binary patch literal 6352 zcmbtYU1(g#6&}fQtoT=U>{xOCu1hd0No(3tyAMSww8WGa429x{P*li+X%i5AsUJez@0&TZ zx|(cEN)I~sJKvczzh~~;S$%8Z%&E?f4&|gn{YR}b=T)j_*Q%X2W?pSWF6@#=w%X9C%O%z8hz^){fLchTPBHR0=&S^@7x zY+7!1DU*NJM-_Eb3V$fL*lUf|`Mq!Eo$lv-jKgo2@$72x5nF%PBhMMbkK=rM5O@>g zqp;q0po<&Gl-jl7oI$SJ5Ug!7p7c7b$U2yHV`T{2G3)mFip|q*mSP>X0X4tdVxoJD zF~8elqHPEByDcU6MbK}MdX{?koh*4=x*T_7r99w z+=mqIn+wp7v%k4z{r3f~|4E)5I-_3uSBL7ATDQ!?^WM_W znDun5##x3Cc@4?e)KM81qB^@_K4EG1qrlIIElWezxe1Rf6peK8y*&zhGnCQ~-3HA= zpN4LSE~x+8yjS4;^32JIca2FT@ZiX8b)c%o2$gc2@u&)9C_d zVRJq5&~HO|q%1(c2i*u=g1!ueY~6u}s|T|)_4!+~UY}sJl}W*@IYF@~<|z-!P?LMcCm(#}JFCiVjG7h*2~e{f*dp z*uNEf0rv02UV{C57moq|!NtRV%f-X~lZ%J_7Z;CN-*NG<|LWpl|INk2{=17ulK$c1 zVZYS{Vl)T}NyBh{$X!V10-rkA>^HNrTWtgHCY=b%TS zN1%t*cukGZ!8!!ZsrZX3?pOGd6y{WMPSs1QSW+`_X)=VbR8xhznkZ{DQ?IFdeeD2M zp)seXYw^r@6o$o_u%6VznHuKQI4tgio;Q0in>|?3rD}G(HjynTtX|N*flR#-Hw%qG zW)bX1Uwy&63LsKs<{3o6mxKA-OTjTyWY#%ol#1|X4CzBp;bhbZ3(YvjqS;hTmWr7^ zTP4aO4&fgi7aTtx965YU<-UX^vv(%#X;HEAbO%666Z~BtI-i z7@DjpM_rzonQqqFjamj-ng}v`QOBj2S>?LLrRwB(6BuFHW+N;bU!i(y!S+X3s9d^{ zh)p0MPki7JI!f&n~rd^K$* zc$K;=u7>ob(&y$PaB=C=RqyD8Jd}TaUvFe?~ry=UXUqJOJnU_yip0fP;My_E#7%YRkxQoPrb zzYOgy;;c;ZP2d^fi@+`Tu;)@d1KywFo4`kfqc;hjwA^hY{x`m%)`F+e+_%wJ&S4V5luu2{e z-eumC`fh(+gpd9oq3*|#b@p@pq0n{iwwo$BZ|wDETq(DD0c1z2ofR3=Uih~w-VCh- zf@8oPsrGX+)}8P(J^)gff65o2+s#{LsJ#ckT#|kWyo+XRv2uJU#W@PDFU6JrL^zh$ z)W4D9jK7`Y-QWkH6vnfSr%52>+`_IuS3U+G#qpY@ExzFKOCG=K@f#jr^7tK(FME8& z<7N`@x$*UIQYjvIoaaiqd@#j1f1WF@oP5gTJXg}?7d?L2<2+Z=@wYsF+v9gVe$V6g zJ>JbhLR|iOJ)ZG+zsCnX&htOr-jv5Lq&SCiCBo)J7L%O;~mmt!TfKN^K|u{pZ_Op*MCm-jXO7`nO1$re*mLh{|nN8 zP6GM=0-m3K|NM@ye?JFf42HP+maW!zydOrp`j@1>zut^Z%Ls_?WBDsmf5Z(~D*5dV z!QXEFH`>gfajrSH{``MTyZ-O-pDmC#BoCI^bHv$1enZ;zzbyTaNqw$A`||tmgKyoL o2Qz>LXiM_4|796ket)ckDDj49VlT@Cd0(Nh9@ozG-%BUtzoJG&#sB~S literal 0 
HcmV?d00001 diff --git a/28-kprobe-hello/cilium-ebpf/main.go b/28-kprobe-hello/cilium-ebpf/main.go new file mode 100644 index 0000000..428c36c --- /dev/null +++ b/28-kprobe-hello/cilium-ebpf/main.go @@ -0,0 +1,75 @@ +package main + +import ( + "bytes" + "encoding/binary" + "errors" + "log" + + "github.com/cilium/ebpf/link" + "github.com/cilium/ebpf/ringbuf" + "github.com/cilium/ebpf/rlimit" + "golang.org/x/sys/unix" +) + +// $BPF_CLANG and $BPF_CFLAGS are set by the Makefile +//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../main.bpf.c -- -I../ -I../output + +type Event struct { + Pid uint64 + Ret int64 + FileName [256]byte +} + +func main() { + if err := rlimit.RemoveMemlock(); err != nil { + log.Fatal(err) + } + + objs := bpfObjects{} + if err := loadBpfObjects(&objs, nil); err != nil { + log.Fatal(err) + } + defer objs.Close() + + kp, err := link.Kprobe("do_sys_openat2", objs.KprobeDoSysOpenat2, nil) + if err != nil { + log.Println(err) + return + } + defer kp.Close() + krp, err := link.Kretprobe("do_sys_openat2", objs.KretprobeDoSysOpenat2, nil) + if err != nil { + log.Println(err) + return + } + defer krp.Close() + + reader, err := ringbuf.NewReader(objs.Events) + if err != nil { + log.Println(err) + return + } + defer reader.Close() + + log.Println("Waiting for events...") + + for { + record, err := reader.Read() + if err != nil { + if errors.Is(err, ringbuf.ErrClosed) { + log.Println("Received signal, exiting...") + return + } + log.Printf("reading from reader: %s", err) + continue + } + var event Event + if err := binary.Read(bytes.NewBuffer(record.RawSample), binary.LittleEndian, &event); err != nil { + log.Printf("parse event: %s", err) + continue + } + log.Printf("pid %d, file: %s, ret: %d", event.Pid, unix.ByteSliceToString(event.FileName[:]), event.Ret) + + } +} diff --git a/28-kprobe-hello/common.h b/28-kprobe-hello/common.h new file mode 100644 index 0000000..fbc150b --- /dev/null 
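Review bot: The filename printed by `log.Printf("pid %d, file: %s, ret: %d", ...)` in the read loop is copied from the traced process's memory by the kprobe, so any local process chooses those bytes, and `%s` writes embedded newlines and control characters straight into the log. Quote it instead: `log.Printf("pid %d, file: %q, ret: %d", event.Pid, unix.ByteSliceToString(event.FileName[:]), event.Ret)`. The same format string is used in the event loop of 28-kprobe-hello/main.go. Separately, nothing in this file closes `reader` while the loop is running, so the `ringbuf.ErrClosed` branch and its "Received signal, exiting..." message look unreachable.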
+++ b/28-kprobe-hello/common.h @@ -0,0 +1,5 @@ +struct event { + u64 pid; + long long ret; + char filename[256]; +}; diff --git a/28-kprobe-hello/main.bpf.c b/28-kprobe-hello/main.bpf.c new file mode 100644 index 0000000..c89792b --- /dev/null +++ b/28-kprobe-hello/main.bpf.c @@ -0,0 +1,67 @@ +#include "vmlinux.h" + +#include "common.h" +#include +#include +#include + +/* BPF ringbuf map */ +struct { + __uint(type, BPF_MAP_TYPE_RINGBUF); + __uint(max_entries, 256 * 1024 /* 256 KB */); +} events SEC(".maps"); + +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __uint(max_entries, 10240); + __type(key, pid_t); + __type(value, struct event); +} tmp_map SEC(".maps"); + +SEC("kprobe/do_sys_openat2") +int kprobe__do_sys_openat2(struct pt_regs *ctx) { + struct event e = {0} ; + + pid_t tid = (pid_t)bpf_get_current_pid_tgid(); + + e.pid = bpf_get_current_pid_tgid() >> 32; + + char *fn_ptr; + fn_ptr = (char *)PT_REGS_PARM2_CORE(ctx); + bpf_core_read_user_str(&e.filename, sizeof(e.filename), fn_ptr); + + bpf_map_update_elem(&tmp_map, &tid, &e, BPF_NOEXIST); + + return 0; +} + +SEC("kretprobe/do_sys_openat2") +int kretprobe__do_sys_openat2(struct pt_regs *ctx) { + struct event *e; + + pid_t tid = (pid_t)bpf_get_current_pid_tgid(); + + struct event *tmp; + tmp = bpf_map_lookup_elem(&tmp_map, &tid); + if (!tmp) { + return 0; + } + + e = bpf_ringbuf_reserve(&events, sizeof(*e), 0); + if (!e) { + return 0; + } + + e->ret = (long)PT_REGS_RC_CORE(ctx); + e->pid = tmp->pid; + __builtin_memcpy(&e->filename, tmp->filename, sizeof(e->filename)); + + + bpf_ringbuf_submit(e, 0); + + bpf_map_delete_elem(&tmp_map, &tid); + + return 0; +} + +char _license[] SEC("license") = "GPL"; diff --git a/28-kprobe-hello/main.go b/28-kprobe-hello/main.go new file mode 100644 index 0000000..4839ecd --- /dev/null +++ b/28-kprobe-hello/main.go 
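Review bot: A stale `tmp_map` entry can make the kretprobe report the wrong filename: when `bpf_ringbuf_reserve` fails in `kretprobe__do_sys_openat2` the function returns without calling `bpf_map_delete_elem`, and the next `bpf_map_update_elem(&tmp_map, &tid, &e, BPF_NOEXIST)` in `kprobe__do_sys_openat2` for that thread then fails with its result ignored. The following return event pairs the old filename and pid with the new return value, which is misleading in an audit trail. Delete the entry on the early-return path, `if (!e) { bpf_map_delete_elem(&tmp_map, &tid); return 0; }`, and store with `BPF_ANY` so a leftover entry is overwritten. The result of `bpf_core_read_user_str` is also unchecked, so a failed read appears to be emitted as an empty filename.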
@@ -0,0 +1,91 @@ +package main + +import ( + "bytes" + "encoding/binary" + "fmt" + "log" + + bpf "github.com/aquasecurity/libbpfgo" + "golang.org/x/sys/unix" +) + +type Event struct { + Pid uint64 + Ret int64 + FileName [256]byte +} + +func goString(s []byte) string { + return string(bytes.Split(s, []byte("\x00"))[0]) +} + +func resizeMap(module *bpf.Module, name string, size uint32) error { + m, err := module.GetMap(name) + if err != nil { + return err + } + + if err = m.Resize(size); err != nil { + return err + } + + if actual := m.GetMaxEntries(); actual != size { + return fmt.Errorf("map resize failed, expected %v, actual %v", size, actual) + } + + return nil +} + +func main() { + bpfModule, err := bpf.NewModuleFromFile("main.bpf.o") + if err != nil { + panic(err) + } + defer bpfModule.Close() + if err := resizeMap(bpfModule, "events", 8192); err != nil { + panic(err) + } + + if err := bpfModule.BPFLoadObject(); err != nil { + panic(err) + } + prog1, err := bpfModule.GetProgram("kprobe__do_sys_openat2") + if err != nil { + panic(err) + } + if _, err := prog1.AttachKprobe("do_sys_openat2"); err != nil { + panic(err) + } + prog2, err := bpfModule.GetProgram("kretprobe__do_sys_openat2") + if err != nil { + panic(err) + } + if _, err := prog2.AttachKretprobe("do_sys_openat2"); err != nil { + panic(err) + } + + eventsChannel := make(chan []byte) + pb, err := bpfModule.InitRingBuf("events", eventsChannel) + if err != nil { + panic(err) + } + + pb.Start() + defer func() { + pb.Stop() + pb.Close() + }() + + for { + select { + case data := <-eventsChannel: + var event Event + if err := binary.Read(bytes.NewBuffer(data), binary.LittleEndian, &event); err != nil { + log.Printf("parse event: %s", err) + continue + } + log.Printf("pid %d, file: %s, ret: %d", event.Pid, unix.ByteSliceToString(event.FileName[:]), event.Ret) + } + } +} diff --git a/README.rst b/README.rst index 8a20942..8a923ad 100644 --- a/README.rst +++ b/README.rst 
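Review bot: The event loop `for { select { case data := <-eventsChannel: ... } }` at the end of main has no exit path, so the deferred `pb.Stop()`/`pb.Close()` and `bpfModule.Close()` never run and the program ends only by being killed. Add a cancellation case driven by `signal.NotifyContext`, as the perf-buffer example earlier on this page does; this needs the `context`, `os/signal` and `syscall` imports. The `goString` helper added here is not called anywhere in the file, since the loop uses `unix.ByteSliceToString`, and can be dropped.

```go
	ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
	defer stop()

	for {
		select {
		case data := <-eventsChannel:
			// … unchanged: decode the event and log it …
		case <-ctx.Done():
			// Returning lets the deferred pb.Stop/pb.Close and bpfModule.Close run.
			return
		}
	}
```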
@@ -22,171 +22,171 @@ Program Types -+-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| Program Type | Attach Type | ELF Section Name | Examples | Sleepable | -+===========================================+========================================+==================================+=======================+===========+ -| ``BPF_PROG_TYPE_CGROUP_DEVICE`` | ``BPF_CGROUP_DEVICE`` | ``cgroup/dev`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_CGROUP_SKB`` | | ``cgroup/skb`` | | | -+ +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_CGROUP_INET_EGRESS`` | ``cgroup_skb/egress`` | | | -+ +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_CGROUP_INET_INGRESS`` | ``cgroup_skb/ingress`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_CGROUP_SOCKOPT`` | ``BPF_CGROUP_GETSOCKOPT`` | ``cgroup/getsockopt`` | | | -+ +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_CGROUP_SETSOCKOPT`` | ``cgroup/setsockopt`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_CGROUP_SOCK_ADDR`` | ``BPF_CGROUP_INET4_BIND`` | ``cgroup/bind4`` | | | -+ +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_CGROUP_INET4_CONNECT`` | ``cgroup/connect4`` | | | -+ 
+----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_CGROUP_INET4_GETPEERNAME`` | ``cgroup/getpeername4`` | | | -+ +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_CGROUP_INET4_GETSOCKNAME`` | ``cgroup/getsockname4`` | | | -+ +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_CGROUP_INET6_BIND`` | ``cgroup/bind6`` | | | -+ +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_CGROUP_INET6_CONNECT`` | ``cgroup/connect6`` | | | -+ +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_CGROUP_INET6_GETPEERNAME`` | ``cgroup/getpeername6`` | | | -+ +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_CGROUP_INET6_GETSOCKNAME`` | ``cgroup/getsockname6`` | | | -+ +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_CGROUP_UDP4_RECVMSG`` | ``cgroup/recvmsg4`` | | | -+ +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_CGROUP_UDP4_SENDMSG`` | ``cgroup/sendmsg4`` | | | -+ +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_CGROUP_UDP6_RECVMSG`` | ``cgroup/recvmsg6`` | | | -+ +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_CGROUP_UDP6_SENDMSG`` | ``cgroup/sendmsg6`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| 
``BPF_PROG_TYPE_CGROUP_SOCK`` | ``BPF_CGROUP_INET4_POST_BIND`` | ``cgroup/post_bind4`` | | | -+ +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_CGROUP_INET6_POST_BIND`` | ``cgroup/post_bind6`` | | | -+ +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_CGROUP_INET_SOCK_CREATE`` | ``cgroup/sock_create`` | | | -+ + +----------------------------------+-----------------------+-----------+ -| | | ``cgroup/sock`` | | | -+ +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_CGROUP_INET_SOCK_RELEASE`` | ``cgroup/sock_release`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_CGROUP_SYSCTL`` | ``BPF_CGROUP_SYSCTL`` | ``cgroup/sysctl`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_EXT`` | | ``freplace+`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_FLOW_DISSECTOR`` | ``BPF_FLOW_DISSECTOR`` | ``flow_dissector`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_KPROBE`` | | ``kprobe+`` | | | -+ + +----------------------------------+-----------------------+-----------+ -| | | ``kretprobe+`` | | | -+ + +----------------------------------+-----------------------+-----------+ -| | | ``ksyscall+`` | | | -+ + +----------------------------------+-----------------------+-----------+ -| | | ``kretsyscall+`` | | | -+ + 
+----------------------------------+-----------------------+-----------+ -| | | ``uprobe+`` | | | -+ + +----------------------------------+-----------------------+-----------+ -| | | ``uprobe.s+`` | | Yes | -+ + +----------------------------------+-----------------------+-----------+ -| | | ``uretprobe+`` | | | -+ + +----------------------------------+-----------------------+-----------+ -| | | ``uretprobe.s+`` | | Yes | -+ + +----------------------------------+-----------------------+-----------+ -| | | ``usdt+`` | | | -+ +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_TRACE_KPROBE_MULTI`` | ``kprobe.multi+`` | | | -+ + +----------------------------------+-----------------------+-----------+ -| | | ``kretprobe.multi+`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_LIRC_MODE2`` | ``BPF_LIRC_MODE2`` | ``lirc_mode2`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_LSM`` | ``BPF_LSM_CGROUP`` | ``lsm_cgroup+`` | | | -+ +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_LSM_MAC`` | ``lsm+`` |`26`_ | | -+ + +----------------------------------+-----------------------+-----------+ -| | | ``lsm.s+`` | | Yes | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_LWT_IN`` | | ``lwt_in`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_LWT_OUT`` | | ``lwt_out`` | | | 
-+-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_LWT_SEG6LOCAL`` | | ``lwt_seg6local`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_LWT_XMIT`` | | ``lwt_xmit`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_PERF_EVENT`` | | ``perf_event`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE`` | | ``raw_tp.w+`` | | | -+ + +----------------------------------+-----------------------+-----------+ -| | | ``raw_tracepoint.w+`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_RAW_TRACEPOINT`` | | ``raw_tp+`` |`12`_ `13`_ | | -+ + +----------------------------------+ +-----------+ -| | | ``raw_tracepoint+`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_SCHED_ACT`` | | ``action`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_SCHED_CLS`` | | ``classifier`` |`21`_ `25`_ | | -+ + +----------------------------------+ +-----------+ -| | | ``tc`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| 
``BPF_PROG_TYPE_SK_LOOKUP`` | ``BPF_SK_LOOKUP`` | ``sk_lookup`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_SK_MSG`` | ``BPF_SK_MSG_VERDICT`` | ``sk_msg`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_SK_REUSEPORT`` | ``BPF_SK_REUSEPORT_SELECT_OR_MIGRATE`` | ``sk_reuseport/migrate`` | | | -+ +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_SK_REUSEPORT_SELECT`` | ``sk_reuseport`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_SK_SKB`` | | ``sk_skb`` | | | -+ +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_SK_SKB_STREAM_PARSER`` | ``sk_skb/stream_parser`` | | | -+ +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_SK_SKB_STREAM_VERDICT`` | ``sk_skb/stream_verdict`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_SOCKET_FILTER`` | | ``socket`` |`18`_ `19`_ `20`_ | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_SOCK_OPS`` | ``BPF_CGROUP_SOCK_OPS`` | ``sockops`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_STRUCT_OPS`` | | ``struct_ops+`` 
| | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_SYSCALL`` | | ``syscall`` | | Yes | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_TRACEPOINT`` | | ``tp+`` |`04`_ `07`_ `14`_ | | -+ + +----------------------------------+ +-----------+ -| | | ``tracepoint+`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_TRACING`` | ``BPF_MODIFY_RETURN`` | ``fmod_ret+`` | | | -+ + +----------------------------------+-----------------------+-----------+ -| | | ``fmod_ret.s+`` | | Yes | -+ +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_TRACE_FENTRY`` | ``fentry+`` | | | -+ + +----------------------------------+-----------------------+-----------+ -| | | ``fentry.s+`` | | Yes | -+ +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_TRACE_FEXIT`` | ``fexit+`` | | | -+ + +----------------------------------+-----------------------+-----------+ -| | | ``fexit.s+`` | | Yes | -+ +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_TRACE_ITER`` | ``iter+`` | | | -+ + +----------------------------------+-----------------------+-----------+ -| | | ``iter.s+`` | | Yes | -+ +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_TRACE_RAW_TP`` | ``tp_btf+`` |`16`_ `17`_ | | 
-+-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ -| ``BPF_PROG_TYPE_XDP`` | ``BPF_XDP_CPUMAP`` | ``xdp.frags/cpumap`` | | | -+ + +----------------------------------+-----------------------+-----------+ -| | | ``xdp/cpumap`` | | | -+ +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_XDP_DEVMAP`` | ``xdp.frags/devmap`` | | | -+ + +----------------------------------+-----------------------+-----------+ -| | | ``xdp/devmap`` | | | -+ +----------------------------------------+----------------------------------+-----------------------+-----------+ -| | ``BPF_XDP`` | ``xdp.frags`` | | | -+ + +----------------------------------+-----------------------+-----------+ -| | | ``xdp`` | | | -+-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+-----------+ ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ +| Program Type | Attach Type | ELF Section Name | Examples | ++===========================================+========================================+==================================+=======================+ +| ``BPF_PROG_TYPE_CGROUP_DEVICE`` | ``BPF_CGROUP_DEVICE`` | ``cgroup/dev`` | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ +| ``BPF_PROG_TYPE_CGROUP_SKB`` | | ``cgroup/skb`` | | ++ +----------------------------------------+----------------------------------+-----------------------+ +| | ``BPF_CGROUP_INET_EGRESS`` | ``cgroup_skb/egress`` | | ++ +----------------------------------------+----------------------------------+-----------------------+ +| | ``BPF_CGROUP_INET_INGRESS`` | ``cgroup_skb/ingress`` | | 
++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ +| ``BPF_PROG_TYPE_CGROUP_SOCKOPT`` | ``BPF_CGROUP_GETSOCKOPT`` | ``cgroup/getsockopt`` | | ++ +----------------------------------------+----------------------------------+-----------------------+ +| | ``BPF_CGROUP_SETSOCKOPT`` | ``cgroup/setsockopt`` | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ +| ``BPF_PROG_TYPE_CGROUP_SOCK_ADDR`` | ``BPF_CGROUP_INET4_BIND`` | ``cgroup/bind4`` | | ++ +----------------------------------------+----------------------------------+-----------------------+ +| | ``BPF_CGROUP_INET4_CONNECT`` | ``cgroup/connect4`` | | ++ +----------------------------------------+----------------------------------+-----------------------+ +| | ``BPF_CGROUP_INET4_GETPEERNAME`` | ``cgroup/getpeername4`` | | ++ +----------------------------------------+----------------------------------+-----------------------+ +| | ``BPF_CGROUP_INET4_GETSOCKNAME`` | ``cgroup/getsockname4`` | | ++ +----------------------------------------+----------------------------------+-----------------------+ +| | ``BPF_CGROUP_INET6_BIND`` | ``cgroup/bind6`` | | ++ +----------------------------------------+----------------------------------+-----------------------+ +| | ``BPF_CGROUP_INET6_CONNECT`` | ``cgroup/connect6`` | | ++ +----------------------------------------+----------------------------------+-----------------------+ +| | ``BPF_CGROUP_INET6_GETPEERNAME`` | ``cgroup/getpeername6`` | | ++ +----------------------------------------+----------------------------------+-----------------------+ +| | ``BPF_CGROUP_INET6_GETSOCKNAME`` | ``cgroup/getsockname6`` | | ++ +----------------------------------------+----------------------------------+-----------------------+ +| | ``BPF_CGROUP_UDP4_RECVMSG`` | ``cgroup/recvmsg4`` | | ++ 
+----------------------------------------+----------------------------------+-----------------------+ +| | ``BPF_CGROUP_UDP4_SENDMSG`` | ``cgroup/sendmsg4`` | | ++ +----------------------------------------+----------------------------------+-----------------------+ +| | ``BPF_CGROUP_UDP6_RECVMSG`` | ``cgroup/recvmsg6`` | | ++ +----------------------------------------+----------------------------------+-----------------------+ +| | ``BPF_CGROUP_UDP6_SENDMSG`` | ``cgroup/sendmsg6`` | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ +| ``BPF_PROG_TYPE_CGROUP_SOCK`` | ``BPF_CGROUP_INET4_POST_BIND`` | ``cgroup/post_bind4`` | | ++ +----------------------------------------+----------------------------------+-----------------------+ +| | ``BPF_CGROUP_INET6_POST_BIND`` | ``cgroup/post_bind6`` | | ++ +----------------------------------------+----------------------------------+-----------------------+ +| | ``BPF_CGROUP_INET_SOCK_CREATE`` | ``cgroup/sock_create`` | | ++ + +----------------------------------+-----------------------+ +| | | ``cgroup/sock`` | | ++ +----------------------------------------+----------------------------------+-----------------------+ +| | ``BPF_CGROUP_INET_SOCK_RELEASE`` | ``cgroup/sock_release`` | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ +| ``BPF_PROG_TYPE_CGROUP_SYSCTL`` | ``BPF_CGROUP_SYSCTL`` | ``cgroup/sysctl`` | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ +| ``BPF_PROG_TYPE_EXT`` | | ``freplace+`` | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ +| ``BPF_PROG_TYPE_FLOW_DISSECTOR`` | ``BPF_FLOW_DISSECTOR`` | ``flow_dissector`` | | 
++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ +| ``BPF_PROG_TYPE_KPROBE`` | | ``kprobe+`` |`28`_ | ++ + +----------------------------------+-----------------------+ +| | | ``kretprobe+`` | | ++ + +----------------------------------+-----------------------+ +| | | ``ksyscall+`` | | ++ + +----------------------------------+-----------------------+ +| | | ``kretsyscall+`` | | ++ + +----------------------------------+-----------------------+ +| | | ``uprobe+`` | | ++ + +----------------------------------+-----------------------+ +| | | ``uprobe.s+`` | | ++ + +----------------------------------+-----------------------+ +| | | ``uretprobe+`` | | ++ + +----------------------------------+-----------------------+ +| | | ``uretprobe.s+`` | | ++ + +----------------------------------+-----------------------+ +| | | ``usdt+`` | | ++ +----------------------------------------+----------------------------------+-----------------------+ +| | ``BPF_TRACE_KPROBE_MULTI`` | ``kprobe.multi+`` | | ++ + +----------------------------------+-----------------------+ +| | | ``kretprobe.multi+`` | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ +| ``BPF_PROG_TYPE_LIRC_MODE2`` | ``BPF_LIRC_MODE2`` | ``lirc_mode2`` | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ +| ``BPF_PROG_TYPE_LSM`` | ``BPF_LSM_CGROUP`` | ``lsm_cgroup+`` | | ++ +----------------------------------------+----------------------------------+-----------------------+ +| | ``BPF_LSM_MAC`` | ``lsm+`` |`26`_ | ++ + +----------------------------------+-----------------------+ +| | | ``lsm.s+`` | | 
++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ +| ``BPF_PROG_TYPE_LWT_IN`` | | ``lwt_in`` | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ +| ``BPF_PROG_TYPE_LWT_OUT`` | | ``lwt_out`` | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ +| ``BPF_PROG_TYPE_LWT_SEG6LOCAL`` | | ``lwt_seg6local`` | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ +| ``BPF_PROG_TYPE_LWT_XMIT`` | | ``lwt_xmit`` | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ +| ``BPF_PROG_TYPE_PERF_EVENT`` | | ``perf_event`` | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ +| ``BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE`` | | ``raw_tp.w+`` | | ++ + +----------------------------------+-----------------------+ +| | | ``raw_tracepoint.w+`` | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ +| ``BPF_PROG_TYPE_RAW_TRACEPOINT`` | | ``raw_tp+`` |`12`_ `13`_ | ++ + +----------------------------------+ + +| | | ``raw_tracepoint+`` | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ +| ``BPF_PROG_TYPE_SCHED_ACT`` | | ``action`` | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ +| ``BPF_PROG_TYPE_SCHED_CLS`` | | ``classifier`` 
|`21`_ `25`_ | ++ + +----------------------------------+ + +| | | ``tc`` | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ +| ``BPF_PROG_TYPE_SK_LOOKUP`` | ``BPF_SK_LOOKUP`` | ``sk_lookup`` | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ +| ``BPF_PROG_TYPE_SK_MSG`` | ``BPF_SK_MSG_VERDICT`` | ``sk_msg`` | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ +| ``BPF_PROG_TYPE_SK_REUSEPORT`` | ``BPF_SK_REUSEPORT_SELECT_OR_MIGRATE`` | ``sk_reuseport/migrate`` | | ++ +----------------------------------------+----------------------------------+-----------------------+ +| | ``BPF_SK_REUSEPORT_SELECT`` | ``sk_reuseport`` | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ +| ``BPF_PROG_TYPE_SK_SKB`` | | ``sk_skb`` | | ++ +----------------------------------------+----------------------------------+-----------------------+ +| | ``BPF_SK_SKB_STREAM_PARSER`` | ``sk_skb/stream_parser`` | | ++ +----------------------------------------+----------------------------------+-----------------------+ +| | ``BPF_SK_SKB_STREAM_VERDICT`` | ``sk_skb/stream_verdict`` | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ +| ``BPF_PROG_TYPE_SOCKET_FILTER`` | | ``socket`` |`18`_ `19`_ `20`_ | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ +| ``BPF_PROG_TYPE_SOCK_OPS`` | ``BPF_CGROUP_SOCK_OPS`` | ``sockops`` | | 
++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ +| ``BPF_PROG_TYPE_STRUCT_OPS`` | | ``struct_ops+`` | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ +| ``BPF_PROG_TYPE_SYSCALL`` | | ``syscall`` | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ +| ``BPF_PROG_TYPE_TRACEPOINT`` | | ``tp+`` |`04`_ `07`_ `14`_ | ++ + +----------------------------------+ + +| | | ``tracepoint+`` | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ +| ``BPF_PROG_TYPE_TRACING`` | ``BPF_MODIFY_RETURN`` | ``fmod_ret+`` | | ++ + +----------------------------------+-----------------------+ +| | | ``fmod_ret.s+`` | | ++ +----------------------------------------+----------------------------------+-----------------------+ +| | ``BPF_TRACE_FENTRY`` | ``fentry+`` | | ++ + +----------------------------------+-----------------------+ +| | | ``fentry.s+`` | | ++ +----------------------------------------+----------------------------------+-----------------------+ +| | ``BPF_TRACE_FEXIT`` | ``fexit+`` | | ++ + +----------------------------------+-----------------------+ +| | | ``fexit.s+`` | | ++ +----------------------------------------+----------------------------------+-----------------------+ +| | ``BPF_TRACE_ITER`` | ``iter+`` | | ++ + +----------------------------------+-----------------------+ +| | | ``iter.s+`` | | ++ +----------------------------------------+----------------------------------+-----------------------+ +| | ``BPF_TRACE_RAW_TP`` | ``tp_btf+`` |`16`_ `17`_ | 
++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ +| ``BPF_PROG_TYPE_XDP`` | ``BPF_XDP_CPUMAP`` | ``xdp.frags/cpumap`` | | ++ + +----------------------------------+-----------------------+ +| | | ``xdp/cpumap`` | | ++ +----------------------------------------+----------------------------------+-----------------------+ +| | ``BPF_XDP_DEVMAP`` | ``xdp.frags/devmap`` | | ++ + +----------------------------------+-----------------------+ +| | | ``xdp/devmap`` | | ++ +----------------------------------------+----------------------------------+-----------------------+ +| | ``BPF_XDP`` | ``xdp.frags`` | | ++ + +----------------------------------+-----------------------+ +| | | ``xdp`` | | ++-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ .. |Build examples| image:: https://github.com/mozillazg/hello-libbpfgo/actions/workflows/build.yml/badge.svg?branch=master @@ -205,5 +205,6 @@ Program Types .. _21: 21-tc-parse-packet-with-bpf_skb_load_bytes .. _25: 25-tc-parse-packet-with-direct-memory-access .. _26: 26-lsm-path_chmod +.. _28: 28-kprobe-hello From 78915e173eadf9b768580cfe19a9a1eda5dc0d1b Mon Sep 17 00:00:00 2001 
From: mozillazg Date: Sun, 26 Nov 2023 06:17:22 +0000 Subject: [PATCH 15/20] 29: add 29-kprobe-hello-with-macro --- 29-kprobe-hello-with-macro/Makefile | 1 + 29-kprobe-hello-with-macro/README.md | 15 ++ .../cilium-ebpf/Makefile | 1 + .../cilium-ebpf/README.md | 15 ++ .../cilium-ebpf/bpf_bpfeb.go | 131 ++++++++++++++++++ .../cilium-ebpf/bpf_bpfeb.o | Bin 0 -> 5976 bytes .../cilium-ebpf/bpf_bpfel.go | 131 ++++++++++++++++++ .../cilium-ebpf/bpf_bpfel.o | Bin 0 -> 5976 bytes .../cilium-ebpf/main.go | 75 ++++++++++ 29-kprobe-hello-with-macro/common.h | 5 + 29-kprobe-hello-with-macro/main.bpf.c | 65 +++++++++ 29-kprobe-hello-with-macro/main.go | 91 ++++++++++++ 12 files changed, 530 insertions(+) create mode 120000 29-kprobe-hello-with-macro/Makefile create mode 100644 29-kprobe-hello-with-macro/README.md create mode 120000 29-kprobe-hello-with-macro/cilium-ebpf/Makefile create mode 100644 29-kprobe-hello-with-macro/cilium-ebpf/README.md create mode 100644 29-kprobe-hello-with-macro/cilium-ebpf/bpf_bpfeb.go create mode 100644 29-kprobe-hello-with-macro/cilium-ebpf/bpf_bpfeb.o create mode 100644 29-kprobe-hello-with-macro/cilium-ebpf/bpf_bpfel.go create mode 100644 29-kprobe-hello-with-macro/cilium-ebpf/bpf_bpfel.o create mode 100644 29-kprobe-hello-with-macro/cilium-ebpf/main.go create mode 100644 29-kprobe-hello-with-macro/common.h create mode 100644 29-kprobe-hello-with-macro/main.bpf.c create mode 100644 29-kprobe-hello-with-macro/main.go diff --git a/29-kprobe-hello-with-macro/Makefile b/29-kprobe-hello-with-macro/Makefile new file mode 120000 index 0000000..d981720 --- /dev/null +++ b/29-kprobe-hello-with-macro/Makefile @@ -0,0 +1 @@ +../common/Makefile \ No newline at end of file diff --git a/29-kprobe-hello-with-macro/README.md b/29-kprobe-hello-with-macro/README.md new file mode 100644 index 0000000..1adac9e --- /dev/null +++ b/29-kprobe-hello-with-macro/README.md @@ -0,0 +1,15 @@ + + +## Usage + +build: + +``` +$ make +``` + +run: + +``` +$ make run +``` 
diff --git a/29-kprobe-hello-with-macro/cilium-ebpf/Makefile b/29-kprobe-hello-with-macro/cilium-ebpf/Makefile
new file mode 120000
index 0000000..97ab7f0
--- /dev/null
+++ b/29-kprobe-hello-with-macro/cilium-ebpf/Makefile
@@ -0,0 +1 @@
+../../common/cilium-ebpf.Makefile
\ No newline at end of file
diff --git a/29-kprobe-hello-with-macro/cilium-ebpf/README.md b/29-kprobe-hello-with-macro/cilium-ebpf/README.md
new file mode 100644
index 0000000..1adac9e
--- /dev/null
+++ b/29-kprobe-hello-with-macro/cilium-ebpf/README.md
@@ -0,0 +1,15 @@
+
+
+## Usage
+
+build:
+
+```
+$ make
+```
+
+run:
+
+```
+$ make run
+```
diff --git a/29-kprobe-hello-with-macro/cilium-ebpf/bpf_bpfeb.go b/29-kprobe-hello-with-macro/cilium-ebpf/bpf_bpfeb.go
new file mode 100644
index 0000000..f834d05
--- /dev/null
+++ b/29-kprobe-hello-with-macro/cilium-ebpf/bpf_bpfeb.go
@@ -0,0 +1,131 @@ +// Code generated by bpf2go; DO NOT EDIT. +//go:build arm64be || armbe || mips || mips64 || mips64p32 || ppc64 || s390 || s390x || sparc || sparc64 + +package main + +import ( + "bytes" + _ "embed" + "fmt" + "io" + + "github.com/cilium/ebpf" +) + +type bpfEvent struct { + Pid uint64 + Ret int64 + Filename [256]int8 +} + +// loadBpf returns the embedded CollectionSpec for bpf. +func loadBpf() (*ebpf.CollectionSpec, error) { + reader := bytes.NewReader(_BpfBytes) + spec, err := ebpf.LoadCollectionSpecFromReader(reader) + if err != nil { + return nil, fmt.Errorf("can't load bpf: %w", err) + } + + return spec, err +} + +// loadBpfObjects loads bpf and converts it into a struct. +// +// The following types are suitable as obj argument: +// +// *bpfObjects +// *bpfPrograms +// *bpfMaps +// +// See ebpf.CollectionSpec.LoadAndAssign documentation for details. +func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error { + spec, err := loadBpf() + if err != nil { + return err + } + + return spec.LoadAndAssign(obj, opts) +} + +// bpfSpecs contains maps and programs before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfSpecs struct { + bpfProgramSpecs + bpfMapSpecs +} + +// bpfSpecs contains programs before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfProgramSpecs struct { + KprobeDoSysOpenat2 *ebpf.ProgramSpec `ebpf:"kprobe__do_sys_openat2"` + KretprobeDoSysOpenat2 *ebpf.ProgramSpec `ebpf:"kretprobe__do_sys_openat2"` +} + +// bpfMapSpecs contains maps before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfMapSpecs struct { + Events *ebpf.MapSpec `ebpf:"events"` + TmpMap *ebpf.MapSpec `ebpf:"tmp_map"` +} + +// bpfObjects contains all objects after they have been loaded into the kernel. +// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. 
+type bpfObjects struct { + bpfPrograms + bpfMaps +} + +func (o *bpfObjects) Close() error { + return _BpfClose( + &o.bpfPrograms, + &o.bpfMaps, + ) +} + +// bpfMaps contains all maps after they have been loaded into the kernel. +// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. +type bpfMaps struct { + Events *ebpf.Map `ebpf:"events"` + TmpMap *ebpf.Map `ebpf:"tmp_map"` +} + +func (m *bpfMaps) Close() error { + return _BpfClose( + m.Events, + m.TmpMap, + ) +} + +// bpfPrograms contains all programs after they have been loaded into the kernel. +// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. +type bpfPrograms struct { + KprobeDoSysOpenat2 *ebpf.Program `ebpf:"kprobe__do_sys_openat2"` + KretprobeDoSysOpenat2 *ebpf.Program `ebpf:"kretprobe__do_sys_openat2"` +} + +func (p *bpfPrograms) Close() error { + return _BpfClose( + p.KprobeDoSysOpenat2, + p.KretprobeDoSysOpenat2, + ) +} + +func _BpfClose(closers ...io.Closer) error { + for _, closer := range closers { + if err := closer.Close(); err != nil { + return err + } + } + return nil +} + +// Do not access this directly. +// +//go:embed bpf_bpfeb.o +var _BpfBytes []byte 
diff --git a/29-kprobe-hello-with-macro/cilium-ebpf/bpf_bpfeb.o b/29-kprobe-hello-with-macro/cilium-ebpf/bpf_bpfeb.o new file mode 100644 index 0000000000000000000000000000000000000000..a1745d3a8fb1a25dad12ef34e664f8e133db28f7 GIT binary patch literal 5976 zcmb_geQ0D?6+ds1HS0%r)9r`x`>m8^vSeqoAGT?=VH(XgrNJGy`6DaJ%Vg#yd1Stv zd9%)JDh^m71(g*o1pLE@6$6Sc3MPV*DHIGsVZkCnL{{*RpcV3;K}zE9oO|x%z4bI-l!&ATuA<hw&I%NUBwl}WktyW@$V>KRBS0W6f25zic^Y{iW$W*#kAs( z;-F$u(N*kI>{UFe$bfzC?l69pJEBv$<=wYfvHXinh}?zc-ECIZ-_Jc!52Eeu?a`{s z%%Szi89Vc;>*o#caoKP8t@WprBTMk@KFP+|xL-|+?&!LSRiQ+$C^o-98CGpxx#hjL znIBwd@9lV8^>@~%*qi8)Df$d!+)ww>yNdj{>AbHzLi9ZIg&vY~Yd*>hT%R~_*$KEH zxH)gfAh@gkg5ah;jzMr)5%UGXO+6ih;Ax#N2tKA<5Imz?5PVX(Ao!GWLGU@{g5VY9 zg5VA1g5WLXg5ZnF1;Otq7X)8YE(pG?To8Okxghvm<$~aA$_2sO$_2qUlna92Q!WU; zsaz2JzH&kEE#-pX+sXyOca#e@A2o$ua14Tdzs<+bp`Bm^U{C$Tz18u^Jg>T zCeZ)b|LwbyU!R%QwMN9!EzfR3jR4&Rb;H|ba~F4}v0FFf1CSGDx58a;(irbx{m>kq zg$7_ZK9To9Gz5JZ`UyxHa{d%Lv>u3zYutCS@lf1@KJPi&C&^};ABVpr1tK~P{R!1& z8C~l^*smd1Eaz~peBfsw+%gdSS^F#RBr+Qs(Ksvccb&8N87Rs zQ-d@caFA@`WOpIB)tm$#Ft&XNa>RJzWgY(rj~}ih*RT7k*5WK&5UcxXJcL>fQ-9dG zZd_w-E_^--A6}Q+M-3oWPzuTOp1E=3nVa4V&wX~(o4A=7^*joj6`zXPhUb^UYT(z% zzXh#El_2l&jCsFW@(Z4!GR8wx^+TEo3VtbD^r`;%Rd{k=FV%wClAm`A<cYI)lCynNZKHEUkEg51N)YQ7k= z4nBn>QWsOHi^XhEN=;X0QaL_CcO-Modp>jH`p9VV=zs$*yX9x{18%Nds)a7^+C6X2 zs^4887p)dn>$%XC19g4(X?J1pOYX;INRHYKgFLKBA^lk2oApC4SFcu49aD|jAfN0v zQ~VVC;C{THJ3Q=Oxoo`ID_5@iIQDGbtJnOhhjfzX{FKddz^w(h{qjt5-_$?g+EHDU z!=Qd%y^_y{zULSGV)C38b-+D`4WRc2>zhZ8Q8%k%ZhQ3>nLf*Ch?7IW-$t`G0F8kAp&l8cFV_! 
z$#11|TIYS7(qJ@*-wAPH82KO$dac=oVN*0LB&soc-gG@Egh9zG`o&zOiA639+mjz~ z#d)9FGVQzcN2+7Y;v}Cc~tG_+98Zr2y%X@=2Hr%RwK(uzYSb{w>$=f zIB!CBpkIaHZgOIGc7pE<`(ARPfvCW*;=u^#v7rcO|Fm)&KVx_Td52ivsTfY$oJAeKPV^#=uNZFgmAxTn zZk%W0HKK3xJ`m65y^Op&`@%k!`5t!7I5g9eI{%+UKj!fk?2i6*G1*uAll?_jXM#}<4ekaK=eoCo3I>r-4^pTGY(H_iMHY0$Zea) zHx2LX7iVyw?)YYKF6!K9{b5i1%Gi(ZaVO&6;RYktKGbf)qIS-!({AGdip6oTFFK14 zH`GU(){g5zQ}B<)Pi(>daKv9Gq2qZ^z}{mGirohJxsh1*xlhJ;2At>WIG=CSzw1>U z*LYobb=>j|@RJbbGyt7rS^f#={Jmf~uNNJkit$Q}w_^NGj4#JH=NFCNj`4djem};y z4{|w{NIZTIMEAqL`vZI^#>ZlOGREg(yb1$n;~O!)8RJ_qzH^ZC`zX4< z#AD!*^GI~+d#d-$gQqDK`i+oMRlkrLnYfl>qMvi-6^`3OKDknb!mXm0&F8E5T#LNt z@fi?irzury76mmBjgO36@~-^5yZh)XoipiN`0;C924!A+1e^Rnv@~MGe)l%&nKxA9 z`b3*NaB5)Pa``(o;+T%;QPuv=*!DBXf0!@tq3C?Bw{1Ux!tZo$Y3Vy%@1&}|K>icK z?$gd^JO5YLG3(1cjbVAO0XxmkXTvuk$E`o7GX{aYzI|WX`MmxR#IA4igNa-BeS!V= zlG2VpbN+ktxcOT;f!B{VyFS|{Aa;J#2l|OVV>rocL|e3e84Mh^|0SJd_iz2|`n-R> zzmHk}0emBHON<-r^wIVCUa)b~9S>1@Hw>3Q1^N7WEpE~E`^$Uda_%h|igssoey47B aFq-cejIw|o+{e=`)i;4W$L4L<@B0_V$QE4y literal 0 HcmV?d00001 diff --git a/29-kprobe-hello-with-macro/cilium-ebpf/bpf_bpfel.go b/29-kprobe-hello-with-macro/cilium-ebpf/bpf_bpfel.go new file mode 100644 index 0000000..c87c501 --- /dev/null +++ b/29-kprobe-hello-with-macro/cilium-ebpf/bpf_bpfel.go 
@@ -0,0 +1,131 @@ +// Code generated by bpf2go; DO NOT EDIT. +//go:build 386 || amd64 || amd64p32 || arm || arm64 || loong64 || mips64le || mips64p32le || mipsle || ppc64le || riscv64 + +package main + +import ( + "bytes" + _ "embed" + "fmt" + "io" + + "github.com/cilium/ebpf" +) + +type bpfEvent struct { + Pid uint64 + Ret int64 + Filename [256]int8 +} + +// loadBpf returns the embedded CollectionSpec for bpf. +func loadBpf() (*ebpf.CollectionSpec, error) { + reader := bytes.NewReader(_BpfBytes) + spec, err := ebpf.LoadCollectionSpecFromReader(reader) + if err != nil { + return nil, fmt.Errorf("can't load bpf: %w", err) + } + + return spec, err +} + +// loadBpfObjects loads bpf and converts it into a struct. +// +// The following types are suitable as obj argument: +// +// *bpfObjects +// *bpfPrograms +// *bpfMaps +// +// See ebpf.CollectionSpec.LoadAndAssign documentation for details. +func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error { + spec, err := loadBpf() + if err != nil { + return err + } + + return spec.LoadAndAssign(obj, opts) +} + +// bpfSpecs contains maps and programs before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfSpecs struct { + bpfProgramSpecs + bpfMapSpecs +} + +// bpfSpecs contains programs before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfProgramSpecs struct { + KprobeDoSysOpenat2 *ebpf.ProgramSpec `ebpf:"kprobe__do_sys_openat2"` + KretprobeDoSysOpenat2 *ebpf.ProgramSpec `ebpf:"kretprobe__do_sys_openat2"` +} + +// bpfMapSpecs contains maps before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfMapSpecs struct { + Events *ebpf.MapSpec `ebpf:"events"` + TmpMap *ebpf.MapSpec `ebpf:"tmp_map"` +} + +// bpfObjects contains all objects after they have been loaded into the kernel. +// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. 
+type bpfObjects struct { + bpfPrograms + bpfMaps +} + +func (o *bpfObjects) Close() error { + return _BpfClose( + &o.bpfPrograms, + &o.bpfMaps, + ) +} + +// bpfMaps contains all maps after they have been loaded into the kernel. +// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. +type bpfMaps struct { + Events *ebpf.Map `ebpf:"events"` + TmpMap *ebpf.Map `ebpf:"tmp_map"` +} + +func (m *bpfMaps) Close() error { + return _BpfClose( + m.Events, + m.TmpMap, + ) +} + +// bpfPrograms contains all programs after they have been loaded into the kernel. +// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. +type bpfPrograms struct { + KprobeDoSysOpenat2 *ebpf.Program `ebpf:"kprobe__do_sys_openat2"` + KretprobeDoSysOpenat2 *ebpf.Program `ebpf:"kretprobe__do_sys_openat2"` +} + +func (p *bpfPrograms) Close() error { + return _BpfClose( + p.KprobeDoSysOpenat2, + p.KretprobeDoSysOpenat2, + ) +} + +func _BpfClose(closers ...io.Closer) error { + for _, closer := range closers { + if err := closer.Close(); err != nil { + return err + } + } + return nil +} + +// Do not access this directly. +// +//go:embed bpf_bpfel.o +var _BpfBytes []byte 
diff --git a/29-kprobe-hello-with-macro/cilium-ebpf/bpf_bpfel.o b/29-kprobe-hello-with-macro/cilium-ebpf/bpf_bpfel.o new file mode 100644 index 0000000000000000000000000000000000000000..c745db09afb9502fa86907f8ceffe0345c724d00 GIT binary patch literal 5976 zcmbtYZ)jv!6+g))-E_0v&8FQp-TLRPlx4DHXS2IeQ*FaEnl)vEJ8ttKE6UrOnU`e9 z{A1?LI=53XV1+HHtf&z1gR84FplDDq5tO7*FbIVOiv$r_!4E-O$Tx$O#^1U3+?kix zX;nPryx;lVbMC$8o_pV)$yX+(E_ZfxkdqGjC$*SsC0c&CWv7gpqT`6vk1iOtCY>6m z_V&4{VLAXV& z%EB#bRTpkit0mzUwYnwTqE@$sThwYlNHnBAq;!q}svFUXv2Lh|}lxC!pO>h>Nof zA#w{bKhVeaG-Gu2!TC5;=AsY5=J8U{vrx#f!?-v<%+4d+YURMV(U_wyB0hJb>FDI= z*9A*^jsrg~wrmZv&J(y?hGL>FzTdgp{ZN)P^dvL|orXRJU4niQ3hCijiZUkkJOZ4z zc1I5|1%2Tl?|4Z#uLCh|IcANIqK)hAT48s2pj^8Lp)6dxUT6yXGV~$n67(BTuJb1J z+fc|c-g`Fz%ue3N??JJit`*>2=m(%IuRz&OL4P9l67c6@ZvuZQHV^tMu~V>rE%p-Z z--^8n`&Ad;N%WeFhy6Pj5Bv8n9`@@l9@V(#;$i>6#l!xii--Le7mq^y)y2d9n~R72 zcNY))Efh#z&_xA8NuxTuyyklSrNH?#FR9` z7wpApTo6mofTJ59Mc#iSyl=e6EFSbzh(WB0`3N^c%rLoPNWTBe=U6;$01ieV)eR4KR#t4ifu*5@9JL8TbveM^mxT~rA|n#<*bqACPb``8E~ z`C2PhbMwU@>*Y(ud2^wbm03^~S`0MZRQXy!VWI37@VY36ekGW%Qsu%&p(D^s(2F!% zrrA2I3(#SzJVljJ!rLTMr)-_7Im+g!RLRZzXv>u;Q>D4Q!Z6h`RjUURp-fn(#d4)I z8~A><uNRVHOPZh!%8g^dZwUW;639thQI86(zr~iy)c(WYr>F0 z%w$?6X%VW}bU~ z8a)?ra^7PnoTtrZ47ZAZZDLyL@8aWoI%H2D+^*WlN~*&N=S!u7!ueOpa&d=6>0cv(LK*h|x(yZ3m096`}4iYqnI5&oTFb=M=XXnQ3rePvu+GgLM zt>yAzuILwnLZ+-S$+)vvcU->J+H4^gCa@PSIk$IN>{|Q1!!Uk6 zmkEm1fRdl=9J>_JCh^Rwx3*!VNT@148$d1ttXt9foAz`ch@ zV1F9gJ!5^$zYgvH0ug^(Gk*m-ki~N@!h69J!v6$(C{HvT;R*232=4_?33ubCh4&!G z?vSV~+$4+3E#X($|020V6v+r{DzX*Qx4dgBUZ-PI(O>{fLkAg1?|1tdC ze+I|A-2W}+JNV`kjxZye!h5^m-zC}>?$*mSi0(UoGn~hGEYbbv_TQlIf09G?mH4i( zL+*<*;<;|@Zj)1_*?dFwN5)x~d`=_i1WqdF%;K3V(G6gKWc(e;^AWUjyc5@tzX?we ze}P&-X^ilhVPW9!)dUlW<7rC`=iXdf7U%yF_JD=QWB+P|^LSek&RGpXSva1@c$x`> zIS=jTbN(A>V{yD}X_GI-`0W_K6XUBfz8T~9V*GxL@5Z=U1lnAF{0v}m>*0Go%K09T z^2r#ViSdOPugAFCKR4fU%)b)j>oL9+eEw#^SJ`X@pKFolJU#6}UPg&%*d8>i_P_n4Lcf0q=x%Pn$Xpx5Qc+17zpd(T9hxW=rJ->Al& zGS_!s_?$%L7a;G~-<=oNr}bp9Ek6VB@3xes&Ff5`H3iK7*m#|;zia3JbG4h_oiq1b 
za|65nj(-bAyZIMnf?)~d-^lzta{b->qiEy#<9l#l3Kg#x$3}(U5$*c#NJlrn>*MBk zd|LWD?r?yUg**}K5YH!#n0D)5mIb=`dHo#ch7-5>ogH5j!f1qlbVH`({ErVcqV3SsehIJyZOWFMe +#include +#include + +/* BPF ringbuf map */ +struct { + __uint(type, BPF_MAP_TYPE_RINGBUF); + __uint(max_entries, 256 * 1024 /* 256 KB */); +} events SEC(".maps"); + +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __uint(max_entries, 10240); + __type(key, pid_t); + __type(value, struct event); +} tmp_map SEC(".maps"); + +SEC("kprobe/do_sys_openat2") +int BPF_KPROBE(kprobe__do_sys_openat2, int dfd, const char *filename) { + struct event e = {0} ; + + pid_t tid = (pid_t)bpf_get_current_pid_tgid(); + + e.pid = bpf_get_current_pid_tgid() >> 32; + + bpf_core_read_user_str(&e.filename, sizeof(e.filename), filename); + + bpf_map_update_elem(&tmp_map, &tid, &e, BPF_NOEXIST); + + return 0; +} + +SEC("kretprobe/do_sys_openat2") +int BPF_KRETPROBE(kretprobe__do_sys_openat2, long ret) { + struct event *e; + + pid_t tid = (pid_t)bpf_get_current_pid_tgid(); + + struct event *tmp; + tmp = bpf_map_lookup_elem(&tmp_map, &tid); + if (!tmp) { + return 0; + } + + e = bpf_ringbuf_reserve(&events, sizeof(*e), 0); + if (!e) { + return 0; + } + + e->ret = ret; + e->pid = tmp->pid; + __builtin_memcpy(&e->filename, tmp->filename, sizeof(e->filename)); + + + bpf_ringbuf_submit(e, 0); + + bpf_map_delete_elem(&tmp_map, &tid); + + return 0; +} + +char _license[] SEC("license") = "GPL"; diff --git a/29-kprobe-hello-with-macro/main.go b/29-kprobe-hello-with-macro/main.go new file mode 100644 index 0000000..4839ecd --- /dev/null +++ b/29-kprobe-hello-with-macro/main.go 
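Review bot: In `main.bpf.c`, `kretprobe__do_sys_openat2` returns at `if (!e) { return 0; }` when `bpf_ringbuf_reserve` fails, without removing the `tmp_map` entry for the current thread. Because the kprobe stores with `BPF_NOEXIST`, the next open on the same thread cannot overwrite that entry, so its return value would be reported together with the earlier filename, which makes the trace unreliable as an audit record. Delete the entry on that path, `if (!e) { bpf_map_delete_elem(&tmp_map, &tid); return 0; }`, and consider `BPF_ANY` in the kprobe so an entry left behind by a missed return probe is replaced. The result of `bpf_core_read_user_str` is also unchecked, so a failed read still produces an event with an empty filename.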
@@ -0,0 +1,91 @@
+package main
+
+import (
+ "bytes"
+ "encoding/binary"
+ "fmt"
+ "log"
+
+ bpf "github.com/aquasecurity/libbpfgo"
+ "golang.org/x/sys/unix"
+)
+
+type Event struct {
+ Pid uint64
+ Ret int64
+ FileName [256]byte
+}
+
+func goString(s []byte) string {
+ return string(bytes.Split(s, []byte("\x00"))[0])
+}
+
+func resizeMap(module *bpf.Module, name string, size uint32) error {
+ m, err := module.GetMap(name)
+ if err != nil {
+ return err
+ }
+
+ if err = m.Resize(size); err != nil {
+ return err
+ }
+
+ if actual := m.GetMaxEntries(); actual != size {
+ return fmt.Errorf("map resize failed, expected %v, actual %v", size, actual)
+ }
+
+ return nil
+}
+
+func main() {
+ bpfModule, err := bpf.NewModuleFromFile("main.bpf.o")
+ if err != nil {
+ panic(err)
+ }
+ defer bpfModule.Close()
+ if err := resizeMap(bpfModule, "events", 8192); err != nil {
+ panic(err)
+ }
+
+ if err := bpfModule.BPFLoadObject(); err != nil {
+ panic(err)
+ }
+ prog1, err := bpfModule.GetProgram("kprobe__do_sys_openat2")
+ if err != nil {
+ panic(err)
+ }
+ if _, err := prog1.AttachKprobe("do_sys_openat2"); err != nil {
+ panic(err)
+ }
+ prog2, err := bpfModule.GetProgram("kretprobe__do_sys_openat2")
+ if err != nil {
+ panic(err)
+ }
+ if _, err := prog2.AttachKretprobe("do_sys_openat2"); err != nil {
+ panic(err)
+ }
+
+ eventsChannel := make(chan []byte)
+ pb, err := bpfModule.InitRingBuf("events", eventsChannel)
+ if err != nil {
+ panic(err)
+ }
+
+ pb.Start()
+ defer func() {
+ pb.Stop()
+ pb.Close()
+ }()
+
+ for {
+ select {
+ case data := <-eventsChannel:
+ var event Event
+ if err := binary.Read(bytes.NewBuffer(data), binary.LittleEndian, &event); err != nil {
+ log.Printf("parse event: %s", err)
+ continue
+ }
+ log.Printf("pid %d, file: %s, ret: %d", event.Pid, unix.ByteSliceToString(event.FileName[:]), event.Ret)
+ }
+ }
+}
From d5f74b5b2743b25f2fb355c760712cd2bb402fd6 Mon Sep 17 00:00:00 2001
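Review bot: The final `log.Printf` in `main` prints the traced path with `%s`, and that path is chosen by whichever process called open, so a filename containing newlines or terminal escape sequences can forge or garble lines in this monitor's log. Quoting it closes that: `log.Printf("pid %d, file: %q, ret: %d", event.Pid, unix.ByteSliceToString(event.FileName[:]), event.Ret)`. The same line appears in the `main.go` copies added for 30-ksyscall-hello, 31-ksyscall-hello-with-macro and 32-fentry-hello. `goString` is also left unused now that `unix.ByteSliceToString` does the conversion, so it could be dropped.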
From: mozillazg Date: Sun, 26 Nov 2023 08:14:11 +0000 Subject: [PATCH 16/20] 30: add 30-ksyscall-hello --- 30-ksyscall-hello/Makefile | 1 + 30-ksyscall-hello/README.md | 15 ++++++ 30-ksyscall-hello/common.h | 5 ++ 30-ksyscall-hello/main.bpf.c | 68 +++++++++++++++++++++++++++ 30-ksyscall-hello/main.go | 91 ++++++++++++++++++++++++++++++++++++ 5 files changed, 180 insertions(+) create mode 120000 30-ksyscall-hello/Makefile create mode 100644 30-ksyscall-hello/README.md create mode 100644 30-ksyscall-hello/common.h create mode 100644 30-ksyscall-hello/main.bpf.c create mode 100644 30-ksyscall-hello/main.go diff --git a/30-ksyscall-hello/Makefile b/30-ksyscall-hello/Makefile new file mode 120000 index 0000000..d981720 --- /dev/null +++ b/30-ksyscall-hello/Makefile @@ -0,0 +1 @@ +../common/Makefile \ No newline at end of file diff --git a/30-ksyscall-hello/README.md b/30-ksyscall-hello/README.md new file mode 100644 index 0000000..1adac9e --- /dev/null +++ b/30-ksyscall-hello/README.md @@ -0,0 +1,15 @@ + + +## Usage + +build: + +``` +$ make +``` + +run: + +``` +$ make run +``` diff --git a/30-ksyscall-hello/common.h b/30-ksyscall-hello/common.h new file mode 100644 index 0000000..fbc150b --- /dev/null +++ b/30-ksyscall-hello/common.h @@ -0,0 +1,5 @@ +struct event { + u64 pid; + long long ret; + char filename[256]; +}; diff --git a/30-ksyscall-hello/main.bpf.c b/30-ksyscall-hello/main.bpf.c new file mode 100644 index 0000000..417f991 --- /dev/null +++ b/30-ksyscall-hello/main.bpf.c 
@@ -0,0 +1,68 @@
+#include "vmlinux.h"
+
+#include "common.h"
+#include
+#include
+#include
+
+/* BPF ringbuf map */
+struct {
+ __uint(type, BPF_MAP_TYPE_RINGBUF);
+ __uint(max_entries, 256 * 1024 /* 256 KB */);
+} events SEC(".maps");
+
+struct {
+ __uint(type, BPF_MAP_TYPE_HASH);
+ __uint(max_entries, 10240);
+ __type(key, pid_t);
+ __type(value, struct event);
+} tmp_map SEC(".maps");
+
+SEC("ksyscall/openat")
+int ksyscall__openat(struct pt_regs *ctx) {
+ struct event e = {0} ;
+
+ pid_t tid = (pid_t)bpf_get_current_pid_tgid();
+
+ e.pid = bpf_get_current_pid_tgid() >> 32;
+
+ struct pt_regs *regs = (struct pt_regs *)PT_REGS_PARM1_CORE(ctx);
+ char *fn_ptr;
+ fn_ptr = (char *)PT_REGS_PARM2_CORE(regs);
+ bpf_core_read_user_str(&e.filename, sizeof(e.filename), fn_ptr);
+
+ bpf_map_update_elem(&tmp_map, &tid, &e, BPF_NOEXIST);
+
+ return 0;
+}
+
+SEC("kretsyscall/openat")
+int kretsyscall__openat(struct pt_regs *ctx) {
+ struct event *e;
+
+ pid_t tid = (pid_t)bpf_get_current_pid_tgid();
+
+ struct event *tmp;
+ tmp = bpf_map_lookup_elem(&tmp_map, &tid);
+ if (!tmp) {
+ return 0;
+ }
+
+ e = bpf_ringbuf_reserve(&events, sizeof(*e), 0);
+ if (!e) {
+ return 0;
+ }
+
+ e->ret = (long)PT_REGS_RC_CORE(ctx);
+ e->pid = tmp->pid;
+ __builtin_memcpy(&e->filename, tmp->filename, sizeof(e->filename));
+
+
+ bpf_ringbuf_submit(e, 0);
+
+ bpf_map_delete_elem(&tmp_map, &tid);
+
+ return 0;
+}
+
+char _license[] SEC("license") = "GPL";
diff --git a/30-ksyscall-hello/main.go b/30-ksyscall-hello/main.go
new file mode 100644
index 0000000..dd4cf06
--- /dev/null
+++ b/30-ksyscall-hello/main.go
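Review bot: In `kretsyscall__openat`, the early return after a failed `bpf_ringbuf_reserve` skips `bpf_map_delete_elem`, so the thread's `tmp_map` entry is left behind; because `ksyscall__openat` inserts with `BPF_NOEXIST` and ignores the result, the next openat from that thread cannot replace it and its event is reported with the previous filename. For a tool that records file opens this pairs a return code with the wrong path exactly when the ring buffer is under pressure. Deleting on the failure path, `if (!e) { bpf_map_delete_elem(&tmp_map, &tid); return 0; }`, and storing with `BPF_ANY` in the entry program would avoid it. The same pattern is in `31-ksyscall-hello-with-macro/main.bpf.c`, and appears to be in the kprobe and fentry variants whose hunks are only partly visible here.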
@@ -0,0 +1,91 @@
+package main
+
+import (
+ "bytes"
+ "encoding/binary"
+ "fmt"
+ "log"
+
+ bpf "github.com/aquasecurity/libbpfgo"
+ "golang.org/x/sys/unix"
+)
+
+type Event struct {
+ Pid uint64
+ Ret int64
+ FileName [256]byte
+}
+
+func goString(s []byte) string {
+ return string(bytes.Split(s, []byte("\x00"))[0])
+}
+
+func resizeMap(module *bpf.Module, name string, size uint32) error {
+ m, err := module.GetMap(name)
+ if err != nil {
+ return err
+ }
+
+ if err = m.Resize(size); err != nil {
+ return err
+ }
+
+ if actual := m.GetMaxEntries(); actual != size {
+ return fmt.Errorf("map resize failed, expected %v, actual %v", size, actual)
+ }
+
+ return nil
+}
+
+func main() {
+ bpfModule, err := bpf.NewModuleFromFile("main.bpf.o")
+ if err != nil {
+ panic(err)
+ }
+ defer bpfModule.Close()
+ if err := resizeMap(bpfModule, "events", 8192); err != nil {
+ panic(err)
+ }
+
+ if err := bpfModule.BPFLoadObject(); err != nil {
+ panic(err)
+ }
+ prog1, err := bpfModule.GetProgram("ksyscall__openat")
+ if err != nil {
+ panic(err)
+ }
+ if _, err := prog1.AttachGeneric(); err != nil {
+ panic(err)
+ }
+ prog2, err := bpfModule.GetProgram("kretsyscall__openat")
+ if err != nil {
+ panic(err)
+ }
+ if _, err := prog2.AttachGeneric(); err != nil {
+ panic(err)
+ }
+
+ eventsChannel := make(chan []byte)
+ pb, err := bpfModule.InitRingBuf("events", eventsChannel)
+ if err != nil {
+ panic(err)
+ }
+
+ pb.Start()
+ defer func() {
+ pb.Stop()
+ pb.Close()
+ }()
+
+ for {
+ select {
+ case data := <-eventsChannel:
+ var event Event
+ if err := binary.Read(bytes.NewBuffer(data), binary.LittleEndian, &event); err != nil {
+ log.Printf("parse event: %s", err)
+ continue
+ }
+ log.Printf("pid %d, file: %s, ret: %d", event.Pid, unix.ByteSliceToString(event.FileName[:]), event.Ret)
+ }
+ }
+}
From 138878bd8f7095457404e7e1efc9ca99618929ed Mon Sep 17 00:00:00 2001
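Review bot: `resizeMap(bpfModule, "events", 8192)` in `main` shrinks the ring buffer that `main.bpf.c` declares with `256 * 1024` bytes down to 8 KiB, which at 272 bytes per `struct event` plus the record header holds roughly 29 records. Under a burst of opens `bpf_ringbuf_reserve` will fail and those events are dropped without any trace in user space. If the small size is intentional for the demo, a comment saying so would help, e.g. `// deliberately small ring buffer; events are dropped when it fills`; otherwise drop the resize call or pass a larger power-of-two size. The identical call is in the other `main.go` copies in this series.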
From: mozillazg Date: Sun, 26 Nov 2023 08:21:47 +0000 Subject: [PATCH 17/20] 31: add 31-ksyscall-hello-with-macro --- 31-ksyscall-hello-with-macro/Makefile | 1 + 31-ksyscall-hello-with-macro/README.md | 15 ++++ 31-ksyscall-hello-with-macro/common.h | 5 ++ 31-ksyscall-hello-with-macro/main.bpf.c | 65 ++++++++++++++++++ 31-ksyscall-hello-with-macro/main.go | 91 +++++++++++++++++++++++++ README.rst | 11 +-- 6 files changed, 184 insertions(+), 4 deletions(-) create mode 120000 31-ksyscall-hello-with-macro/Makefile create mode 100644 31-ksyscall-hello-with-macro/README.md create mode 100644 31-ksyscall-hello-with-macro/common.h create mode 100644 31-ksyscall-hello-with-macro/main.bpf.c create mode 100644 31-ksyscall-hello-with-macro/main.go diff --git a/31-ksyscall-hello-with-macro/Makefile b/31-ksyscall-hello-with-macro/Makefile new file mode 120000 index 0000000..d981720 --- /dev/null +++ b/31-ksyscall-hello-with-macro/Makefile @@ -0,0 +1 @@ +../common/Makefile \ No newline at end of file diff --git a/31-ksyscall-hello-with-macro/README.md b/31-ksyscall-hello-with-macro/README.md new file mode 100644 index 0000000..1adac9e --- /dev/null +++ b/31-ksyscall-hello-with-macro/README.md @@ -0,0 +1,15 @@ + + +## Usage + +build: + +``` +$ make +``` + +run: + +``` +$ make run +``` diff --git a/31-ksyscall-hello-with-macro/common.h b/31-ksyscall-hello-with-macro/common.h new file mode 100644 index 0000000..fbc150b --- /dev/null +++ b/31-ksyscall-hello-with-macro/common.h @@ -0,0 +1,5 @@ +struct event { + u64 pid; + long long ret; + char filename[256]; +}; diff --git a/31-ksyscall-hello-with-macro/main.bpf.c b/31-ksyscall-hello-with-macro/main.bpf.c new file mode 100644 index 0000000..bdfd689 --- /dev/null +++ b/31-ksyscall-hello-with-macro/main.bpf.c 
@@ -0,0 +1,65 @@
+#include "vmlinux.h"
+
+#include "common.h"
+#include
+#include
+#include
+
+/* BPF ringbuf map */
+struct {
+ __uint(type, BPF_MAP_TYPE_RINGBUF);
+ __uint(max_entries, 256 * 1024 /* 256 KB */);
+} events SEC(".maps");
+
+struct {
+ __uint(type, BPF_MAP_TYPE_HASH);
+ __uint(max_entries, 10240);
+ __type(key, pid_t);
+ __type(value, struct event);
+} tmp_map SEC(".maps");
+
+SEC("ksyscall/openat")
+int BPF_KSYSCALL(ksyscall__openat, int dfd, const char *filename) {
+ struct event e = {0} ;
+
+ pid_t tid = (pid_t)bpf_get_current_pid_tgid();
+
+ e.pid = bpf_get_current_pid_tgid() >> 32;
+
+ bpf_core_read_user_str(&e.filename, sizeof(e.filename), filename);
+
+ bpf_map_update_elem(&tmp_map, &tid, &e, BPF_NOEXIST);
+
+ return 0;
+}
+
+SEC("kretsyscall/openat")
+int BPF_KRETPROBE(kretsyscall__openat, long ret) {
+ struct event *e;
+
+ pid_t tid = (pid_t)bpf_get_current_pid_tgid();
+
+ struct event *tmp;
+ tmp = bpf_map_lookup_elem(&tmp_map, &tid);
+ if (!tmp) {
+ return 0;
+ }
+
+ e = bpf_ringbuf_reserve(&events, sizeof(*e), 0);
+ if (!e) {
+ return 0;
+ }
+
+ e->ret = ret;
+ e->pid = tmp->pid;
+ __builtin_memcpy(&e->filename, tmp->filename, sizeof(e->filename));
+
+
+ bpf_ringbuf_submit(e, 0);
+
+ bpf_map_delete_elem(&tmp_map, &tid);
+
+ return 0;
+}
+
+char _license[] SEC("license") = "GPL";
diff --git a/31-ksyscall-hello-with-macro/main.go b/31-ksyscall-hello-with-macro/main.go
new file mode 100644
index 0000000..dd4cf06
--- /dev/null
+++ b/31-ksyscall-hello-with-macro/main.go
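Review bot: `ksyscall__openat` discards the result of `bpf_core_read_user_str`, so a failed read of the user pointer and a path longer than the 256-byte `filename` buffer both produce an event that looks complete. Anyone relying on this output to see which files were opened gets an empty or truncated name with no marker. Consider keeping the return value and skipping or flagging the record, e.g. `long n = bpf_core_read_user_str(&e.filename, sizeof(e.filename), filename);` followed by `if (n < 0) return 0;`, and document the 255-byte limit next to `struct event` in `common.h`.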
@@ -0,0 +1,91 @@
+package main
+
+import (
+ "bytes"
+ "encoding/binary"
+ "fmt"
+ "log"
+
+ bpf "github.com/aquasecurity/libbpfgo"
+ "golang.org/x/sys/unix"
+)
+
+type Event struct {
+ Pid uint64
+ Ret int64
+ FileName [256]byte
+}
+
+func goString(s []byte) string {
+ return string(bytes.Split(s, []byte("\x00"))[0])
+}
+
+func resizeMap(module *bpf.Module, name string, size uint32) error {
+ m, err := module.GetMap(name)
+ if err != nil {
+ return err
+ }
+
+ if err = m.Resize(size); err != nil {
+ return err
+ }
+
+ if actual := m.GetMaxEntries(); actual != size {
+ return fmt.Errorf("map resize failed, expected %v, actual %v", size, actual)
+ }
+
+ return nil
+}
+
+func main() {
+ bpfModule, err := bpf.NewModuleFromFile("main.bpf.o")
+ if err != nil {
+ panic(err)
+ }
+ defer bpfModule.Close()
+ if err := resizeMap(bpfModule, "events", 8192); err != nil {
+ panic(err)
+ }
+
+ if err := bpfModule.BPFLoadObject(); err != nil {
+ panic(err)
+ }
+ prog1, err := bpfModule.GetProgram("ksyscall__openat")
+ if err != nil {
+ panic(err)
+ }
+ if _, err := prog1.AttachGeneric(); err != nil {
+ panic(err)
+ }
+ prog2, err := bpfModule.GetProgram("kretsyscall__openat")
+ if err != nil {
+ panic(err)
+ }
+ if _, err := prog2.AttachGeneric(); err != nil {
+ panic(err)
+ }
+
+ eventsChannel := make(chan []byte)
+ pb, err := bpfModule.InitRingBuf("events", eventsChannel)
+ if err != nil {
+ panic(err)
+ }
+
+ pb.Start()
+ defer func() {
+ pb.Stop()
+ pb.Close()
+ }()
+
+ for {
+ select {
+ case data := <-eventsChannel:
+ var event Event
+ if err := binary.Read(bytes.NewBuffer(data), binary.LittleEndian, &event); err != nil {
+ log.Printf("parse event: %s", err)
+ continue
+ }
+ log.Printf("pid %d, file: %s, ret: %d", event.Pid, unix.ByteSliceToString(event.FileName[:]), event.Ret)
+ }
+ }
+}
diff --git a/README.rst b/README.rst
index 8a923ad..3e7bb4b 100644
--- a/README.rst
+++ b/README.rst
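Review bot: The `for { select { ... } }` loop at the end of `main` has a single case and no exit, so the deferred `pb.Stop()`, `pb.Close()` and `bpfModule.Close()` never run and the program can only be stopped by killing it. A `select` with one case is also just a channel receive. Handling a signal gives the defers a chance to run: `sig := make(chan os.Signal, 1)` and `signal.Notify(sig, os.Interrupt)` before the loop, then `case <-sig: return` inside it (this needs `os` and `os/signal` in the import block). The other `main.go` files in this series share the loop.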
@@ -77,13 +77,13 @@ Program Types +-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ | ``BPF_PROG_TYPE_FLOW_DISSECTOR`` | ``BPF_FLOW_DISSECTOR`` | ``flow_dissector`` | | +-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ -| ``BPF_PROG_TYPE_KPROBE`` | | ``kprobe+`` |`28`_ | +| ``BPF_PROG_TYPE_KPROBE`` | | ``kprobe+`` |`28`_ `29`_ | + + +----------------------------------+-----------------------+ -| | | ``kretprobe+`` | | +| | | ``kretprobe+`` |`28`_ `29`_ | + + +----------------------------------+-----------------------+ -| | | ``ksyscall+`` | | +| | | ``ksyscall+`` |`30`_ `31`_ | + + +----------------------------------+-----------------------+ -| | | ``kretsyscall+`` | | +| | | ``kretsyscall+`` |`30`_ `31`_ | + + +----------------------------------+-----------------------+ | | | ``uprobe+`` | | + + +----------------------------------+-----------------------+ @@ -206,5 +206,8 @@ Program Types .. _25: 25-tc-parse-packet-with-direct-memory-access .. _26: 26-lsm-path_chmod .. _28: 28-kprobe-hello +.. _29: 29-kprobe-hello-with-macro +.. _30: 30-ksyscall-hello +.. _31: 31-ksyscall-hello-with-macro From fe03454de173f7faba88faad39eac538a73124e9 Mon Sep 17 00:00:00 2001 
From: mozillazg Date: Thu, 30 Nov 2023 14:41:01 +0000 Subject: [PATCH 18/20] 32: add 32-fentry-hello --- 32-fentry-hello/Makefile | 1 + 32-fentry-hello/README.md | 15 +++ 32-fentry-hello/cilium-ebpf/Makefile | 1 + 32-fentry-hello/cilium-ebpf/README.md | 15 +++ 32-fentry-hello/cilium-ebpf/bpf_bpfeb.go | 131 +++++++++++++++++++++++ 32-fentry-hello/cilium-ebpf/bpf_bpfeb.o | Bin 0 -> 5552 bytes 32-fentry-hello/cilium-ebpf/bpf_bpfel.go | 131 +++++++++++++++++++++++ 32-fentry-hello/cilium-ebpf/bpf_bpfel.o | Bin 0 -> 5552 bytes 32-fentry-hello/cilium-ebpf/main.go | 82 ++++++++++++++ 32-fentry-hello/common.h | 5 + 32-fentry-hello/main.bpf.c | 66 ++++++++++++ 32-fentry-hello/main.go | 91 ++++++++++++++++ README.rst | 5 +- 13 files changed, 541 insertions(+), 2 deletions(-) create mode 120000 32-fentry-hello/Makefile create mode 100644 32-fentry-hello/README.md create mode 120000 32-fentry-hello/cilium-ebpf/Makefile create mode 100644 32-fentry-hello/cilium-ebpf/README.md create mode 100644 32-fentry-hello/cilium-ebpf/bpf_bpfeb.go create mode 100644 32-fentry-hello/cilium-ebpf/bpf_bpfeb.o create mode 100644 32-fentry-hello/cilium-ebpf/bpf_bpfel.go create mode 100644 32-fentry-hello/cilium-ebpf/bpf_bpfel.o create mode 100644 32-fentry-hello/cilium-ebpf/main.go create mode 100644 32-fentry-hello/common.h create mode 100644 32-fentry-hello/main.bpf.c create mode 100644 32-fentry-hello/main.go diff --git a/32-fentry-hello/Makefile b/32-fentry-hello/Makefile new file mode 120000 index 0000000..d981720 --- /dev/null +++ b/32-fentry-hello/Makefile @@ -0,0 +1 @@ +../common/Makefile \ No newline at end of file diff --git a/32-fentry-hello/README.md b/32-fentry-hello/README.md new file mode 100644 index 0000000..1adac9e --- /dev/null +++ b/32-fentry-hello/README.md @@ -0,0 +1,15 @@ + + +## Usage + +build: + +``` +$ make +``` + +run: + +``` +$ make run +``` 
diff --git a/32-fentry-hello/cilium-ebpf/Makefile b/32-fentry-hello/cilium-ebpf/Makefile new file mode 120000 index 0000000..97ab7f0 --- /dev/null +++ b/32-fentry-hello/cilium-ebpf/Makefile @@ -0,0 +1 @@ +../../common/cilium-ebpf.Makefile \ No newline at end of file diff --git a/32-fentry-hello/cilium-ebpf/README.md b/32-fentry-hello/cilium-ebpf/README.md new file mode 100644 index 0000000..1adac9e --- /dev/null +++ b/32-fentry-hello/cilium-ebpf/README.md @@ -0,0 +1,15 @@ + + +## Usage + +build: + +``` +$ make +``` + +run: + +``` +$ make run +``` diff --git a/32-fentry-hello/cilium-ebpf/bpf_bpfeb.go b/32-fentry-hello/cilium-ebpf/bpf_bpfeb.go new file mode 100644 index 0000000..e5e5437 --- /dev/null +++ b/32-fentry-hello/cilium-ebpf/bpf_bpfeb.go 
@@ -0,0 +1,131 @@ +// Code generated by bpf2go; DO NOT EDIT. +//go:build arm64be || armbe || mips || mips64 || mips64p32 || ppc64 || s390 || s390x || sparc || sparc64 + +package main + +import ( + "bytes" + _ "embed" + "fmt" + "io" + + "github.com/cilium/ebpf" +) + +type bpfEvent struct { + Pid uint64 + Ret int64 + Filename [256]int8 +} + +// loadBpf returns the embedded CollectionSpec for bpf. +func loadBpf() (*ebpf.CollectionSpec, error) { + reader := bytes.NewReader(_BpfBytes) + spec, err := ebpf.LoadCollectionSpecFromReader(reader) + if err != nil { + return nil, fmt.Errorf("can't load bpf: %w", err) + } + + return spec, err +} + +// loadBpfObjects loads bpf and converts it into a struct. +// +// The following types are suitable as obj argument: +// +// *bpfObjects +// *bpfPrograms +// *bpfMaps +// +// See ebpf.CollectionSpec.LoadAndAssign documentation for details. +func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error { + spec, err := loadBpf() + if err != nil { + return err + } + + return spec.LoadAndAssign(obj, opts) +} + +// bpfSpecs contains maps and programs before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfSpecs struct { + bpfProgramSpecs + bpfMapSpecs +} + +// bpfSpecs contains programs before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfProgramSpecs struct { + FentryDoSysOpenat2 *ebpf.ProgramSpec `ebpf:"fentry__do_sys_openat2"` + FexitDoSysOpenat2 *ebpf.ProgramSpec `ebpf:"fexit__do_sys_openat2"` +} + +// bpfMapSpecs contains maps before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfMapSpecs struct { + Events *ebpf.MapSpec `ebpf:"events"` + TmpMap *ebpf.MapSpec `ebpf:"tmp_map"` +} + +// bpfObjects contains all objects after they have been loaded into the kernel. +// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. 
+type bpfObjects struct { + bpfPrograms + bpfMaps +} + +func (o *bpfObjects) Close() error { + return _BpfClose( + &o.bpfPrograms, + &o.bpfMaps, + ) +} + +// bpfMaps contains all maps after they have been loaded into the kernel. +// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. +type bpfMaps struct { + Events *ebpf.Map `ebpf:"events"` + TmpMap *ebpf.Map `ebpf:"tmp_map"` +} + +func (m *bpfMaps) Close() error { + return _BpfClose( + m.Events, + m.TmpMap, + ) +} + +// bpfPrograms contains all programs after they have been loaded into the kernel. +// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. +type bpfPrograms struct { + FentryDoSysOpenat2 *ebpf.Program `ebpf:"fentry__do_sys_openat2"` + FexitDoSysOpenat2 *ebpf.Program `ebpf:"fexit__do_sys_openat2"` +} + +func (p *bpfPrograms) Close() error { + return _BpfClose( + p.FentryDoSysOpenat2, + p.FexitDoSysOpenat2, + ) +} + +func _BpfClose(closers ...io.Closer) error { + for _, closer := range closers { + if err := closer.Close(); err != nil { + return err + } + } + return nil +} + +// Do not access this directly. +// +//go:embed bpf_bpfeb.o +var _BpfBytes []byte 
diff --git a/32-fentry-hello/cilium-ebpf/bpf_bpfeb.o b/32-fentry-hello/cilium-ebpf/bpf_bpfeb.o new file mode 100644 index 0000000000000000000000000000000000000000..0c8ce926c8f9e38c43eb4e8a4828e5d3a882efae GIT binary patch literal 5552 zcmb`LOK4rk8OOhKCC6%$>X9a?`aXeTu7rH8ByFO;#Erp^P?Ox+TF9m4=<41h>Eiq9 zeb`b&si0|5p#_&x5Ofh00yT8wMX0=!7Abg9iWjA5(S;UW26BOM<} z^g##D{O33G&3xa?oIB^pKfG||VkQ&FK?>v_s3#f@dQchKQ_5R8Ai+{m`bZmt+9u1t z*?+_uRBfTV#yh6lrVmW-n{JujGreni$8_Cv&GfeEs_Ba9qG{7~!F0xS+O%ML*)(rD zVLEP_H4RONO$SZ;Oet9R<44pVvk>Votv`OqisxGdk#Kqa@g6IipJ6F-8nf;1@5@F= z3S{$D>cP0y=BVS-A?+SN-29p`q6F^^Yc#Hn+o@v*7rYR z*OPwsKT6MQ_QB?io9Ou&`8I25J6p%#2I6C~aX)%qsJL&8>@n6j8(x4#;V|^u_}1c zSQWfttO{N=Rt4WSRt2vatAf{!Rl#?RRl#?SRl)a+Rl!@vs^I&^s^AC4s^D#7Rq&3n zDtOme6})Gx3Vvj)y7YoO=;gpExX<-F-5ez0`3+V4bMwxB_+0j+pYuzFD{i9yvi$qI z8sD%RmRT2J?$xI?;~IM)whHNmb;xEmTB2Dm@@J7xxz#F%V6i!#V*SV%jzWUaj63pa zWSc_1fch!qJo0Ei3Z&D>+HdoIoQ+53ebVNc<888R_VIE0m-K){22g*^>gvXP4Wa!a zVuibav2w$oMP@1><0r4NPC-9~yn_5ao9C0L7p?vr>hrcpHsz7u_6#MzW6XWmVTm>J zY!HUCKn4FKMCRUo44H|0_cU@I`KQRAKwd%qIWlA4LjI-gDbHRf%b)6uo}+>g(5|Yj1q#LNs-~a3PAMv(${GR$PqYdZ$&1+Y;YItu4(;IpT;LajPCz zBZu0@E@{ObnX6Reda)Ku_th`Ml4ZBvuFTita#(HD=e3Z-T4|x!k{j`o+$>hRv2<$9 zs8(!Bsk10^^u82DM|qb=i5k3U*W6ICmvxZaK>hh1xnClPy}`Fr9^xG#`{KO^gV8O;0i_sITE`5dkw zeye%r-N`$MHu~;>{t@}FBGY^yu@4+fh-vjNcdOz<v)gvj?ghmmk_It|AWX~_Fp#sP~?5ScP!2x-18rh7hQkPS4HlVSBx)-Y(Ing zs_}JfE#Hr~6U_cKn`_%lIU9>-!um@`5xYy9m@1JDC zUNh-4z_|iN(Z3OrTtNH5w-fee3!LcB{LK1oKHY2fd%lZ0*I+DTsMD9{Z=lZixM%uH z_Rplanc|fc-%jy*iWyIG{;d>0NbydJ_nu_kw#0n;n@+4pf5SqEg zb#m3}&016}ms|KuN?gi#rFV+6l4~#3RBa-;a{l~F(JLo^9Ub$U)hOIYQ2HIs`1F;Y z?!aRH4=Im1Qom(E)NZTS{ceUK7$&-(XI!Zx3%C#(MV!?s@_|C{l8za+==9DU-q zKJQ(oyp{(=Kc5e#L1ccC`*r&9Z2ukd3I6@NRPQU89V9=V4ZlS`$^Wj67>Ck7?;0jQ zp8hA0y?-AcZIF6*R1WVO!vlLV|4un+eA2%kOZEO)pF;NI$%%Ao*uhhON;I;XJih|? zg!K>Dc>TW{uHV~v|6D)cu_yR{+Tzdnd0?t3>7Vz#pEvKieK~O1)q));{nHmy(*H6+u@o{_q!~X&?k@zG4 literal 0 HcmV?d00001 
diff --git a/32-fentry-hello/cilium-ebpf/bpf_bpfel.go b/32-fentry-hello/cilium-ebpf/bpf_bpfel.go new file mode 100644 index 0000000..6252211 --- /dev/null +++ b/32-fentry-hello/cilium-ebpf/bpf_bpfel.go 
@@ -0,0 +1,131 @@ +// Code generated by bpf2go; DO NOT EDIT. +//go:build 386 || amd64 || amd64p32 || arm || arm64 || loong64 || mips64le || mips64p32le || mipsle || ppc64le || riscv64 + +package main + +import ( + "bytes" + _ "embed" + "fmt" + "io" + + "github.com/cilium/ebpf" +) + +type bpfEvent struct { + Pid uint64 + Ret int64 + Filename [256]int8 +} + +// loadBpf returns the embedded CollectionSpec for bpf. +func loadBpf() (*ebpf.CollectionSpec, error) { + reader := bytes.NewReader(_BpfBytes) + spec, err := ebpf.LoadCollectionSpecFromReader(reader) + if err != nil { + return nil, fmt.Errorf("can't load bpf: %w", err) + } + + return spec, err +} + +// loadBpfObjects loads bpf and converts it into a struct. +// +// The following types are suitable as obj argument: +// +// *bpfObjects +// *bpfPrograms +// *bpfMaps +// +// See ebpf.CollectionSpec.LoadAndAssign documentation for details. +func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error { + spec, err := loadBpf() + if err != nil { + return err + } + + return spec.LoadAndAssign(obj, opts) +} + +// bpfSpecs contains maps and programs before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfSpecs struct { + bpfProgramSpecs + bpfMapSpecs +} + +// bpfSpecs contains programs before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfProgramSpecs struct { + FentryDoSysOpenat2 *ebpf.ProgramSpec `ebpf:"fentry__do_sys_openat2"` + FexitDoSysOpenat2 *ebpf.ProgramSpec `ebpf:"fexit__do_sys_openat2"` +} + +// bpfMapSpecs contains maps before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfMapSpecs struct { + Events *ebpf.MapSpec `ebpf:"events"` + TmpMap *ebpf.MapSpec `ebpf:"tmp_map"` +} + +// bpfObjects contains all objects after they have been loaded into the kernel. +// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. 
+type bpfObjects struct { + bpfPrograms + bpfMaps +} + +func (o *bpfObjects) Close() error { + return _BpfClose( + &o.bpfPrograms, + &o.bpfMaps, + ) +} + +// bpfMaps contains all maps after they have been loaded into the kernel. +// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. +type bpfMaps struct { + Events *ebpf.Map `ebpf:"events"` + TmpMap *ebpf.Map `ebpf:"tmp_map"` +} + +func (m *bpfMaps) Close() error { + return _BpfClose( + m.Events, + m.TmpMap, + ) +} + +// bpfPrograms contains all programs after they have been loaded into the kernel. +// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. +type bpfPrograms struct { + FentryDoSysOpenat2 *ebpf.Program `ebpf:"fentry__do_sys_openat2"` + FexitDoSysOpenat2 *ebpf.Program `ebpf:"fexit__do_sys_openat2"` +} + +func (p *bpfPrograms) Close() error { + return _BpfClose( + p.FentryDoSysOpenat2, + p.FexitDoSysOpenat2, + ) +} + +func _BpfClose(closers ...io.Closer) error { + for _, closer := range closers { + if err := closer.Close(); err != nil { + return err + } + } + return nil +} + +// Do not access this directly. +// +//go:embed bpf_bpfel.o +var _BpfBytes []byte 
diff --git a/32-fentry-hello/cilium-ebpf/bpf_bpfel.o b/32-fentry-hello/cilium-ebpf/bpf_bpfel.o new file mode 100644 index 0000000000000000000000000000000000000000..16082cf4212ac238c1732d450e786b05dc4ed03c GIT binary patch literal 5552 zcmbtYO=w)#6~2g>1yUl8a#i@ zys>pNlnR;_7g}&B1w$8cn?eoUXb~#yq(uu}l;TAxT6CdB7lL@9MIeHPsNZ+*xzf|~ zr1a;&x!?WHJ@=k-f8Kp><_A}k8S?R zI3FXQ^tkkAsP*UEK&PMkuC1i~IFAe*SCJou{eB2NtzIWporXI%Mq8>n8HYx@N+;vc zXqRUvpX!L||helr#?$GGGaEC@u33q68LAXPsXM{U6dRDkYqZfrc zG`b<&q0vji9U8qX+@aC;ggZ3)zHo;|KM?NF=!e1`8vRJPL!(!OJ2ZMtxI?2iggZ3) zv2ce*KN0TG=uP1cjouRO(CBU94vpRs?$GF6;SRCi_M~FJEgC%_+~K-qI5#}B5T2WN zp#RCaSY*?gu?;RJuJxF4Qx4rbK!fOH%EjIoPL)O^WH${yAtr6yp6H zgNr;urTRm00SFsB^qL^gI+Yd=!OmN457jtxgV&oAep-9_iTG{f1uN zUoSa2a1!`+sdH{3y?iZPg(6TNpLeeIh%^>}r=fZ1H1q}NGW2^;$iVX`w5_Uv&j1%( zy=MTJhrWH7_q-#V^MH?^j-BHf*tp)_ih5rF%C$QNrEu*Ap?T;}peLZq(4RrM&KuBQ zKq152dmjMRUgk%E?F8rlE9hD1yUsSmeWs+_zY1sAhQ8pMSsu!lIqzAE8vYXMj5z=! zx^c-lPb>Z$kOa_S_`uitkW)C8D%WBahOgeZ@#?Mc=4)?W38!xru7shAO(RlOy%a{Z zxLJ-`D!PMOOEt=+kUefk&016m9kp$2Qq3q<^W{oZ)740|zxEY)vTWB{<%L>Q3M%#5 zf-TfRt+=S0>ULz*9bIWhDy}xdDz3$1yrkwC-GpJO9=1#?tT!-l{IZxYrmVS(x!lF7 zF4uB%jrm-WQwuH^u7-shZ(PfEA89RQg+OB ziE{9R`=|Q_las+KFFS8~73<9?Y(}~iwp&p%L^|1XQ7(~t`R%AapFJ>*jR(F}f^rzF zb=Yo{bR30IC8}o6$p(xE=P&`3(YRg4@4Rtk=CzyC=s6!PmE$g(0&99tQhU&)-~Y4) z zued;Vp%mUTe}D>ApGW<5cXy%Y?oQr8^zrYGKcoJ4X#b46Kglm)fRVS9;`bo=P2gw= zcUFQAf@g*Q7KLrYh$;yWCzp?#8 zr8b58`Fg)@c*MP`o@qMbzi1LIw`{%Nj-N2AS&)&$IBQr(%8SrbICXvx0vaKAp(Ba$ zw~;S}?_c_R@%{Ksa!Tl?W+h<{;c;0YypD(BQ{S<$g;wve>k>XEMd@IFwQru1gHlH7# zXNsQ>pWh_sbD88*DL#|piz&X8;(q^pya%cFM=8FR;*V2&GsU-4d^g1h68p>QaAxGx zNtKJErC8;fQ6+bI`f83uKBL@yi>uy#>f|bwJJnE^N=a?`@9*uuhpk(D ze}4RZCBy9Z_xyLLbc??&@h8NQl=nPbC07;7V?+W#-{Trz^B{%N9`{ed +#include +#include + +/* BPF ringbuf map */ +struct { + __uint(type, BPF_MAP_TYPE_RINGBUF); + __uint(max_entries, 256 * 1024 /* 256 KB */); +} events SEC(".maps"); + +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __uint(max_entries, 10240); + __type(key, pid_t); + __type(value, struct 
event); +} tmp_map SEC(".maps"); + +SEC("fentry/do_sys_openat2") +int BPF_PROG(fentry__do_sys_openat2, int dfd, const char *filename, struct open_how *how) { + struct event e = {0} ; + + pid_t tid = (pid_t)bpf_get_current_pid_tgid(); + + e.pid = bpf_get_current_pid_tgid() >> 32; + + bpf_core_read_user_str(&e.filename, sizeof(e.filename), filename); + + + bpf_map_update_elem(&tmp_map, &tid, &e, BPF_NOEXIST); + + return 0; +} + +SEC("fexit/do_sys_openat2") +int BPF_PROG(fexit__do_sys_openat2, int dfd, const char *filename, struct open_how *how, long ret) { + struct event *e; + + pid_t tid = (pid_t)bpf_get_current_pid_tgid(); + + struct event *tmp; + tmp = bpf_map_lookup_elem(&tmp_map, &tid); + if (!tmp) { + return 0; + } + + e = bpf_ringbuf_reserve(&events, sizeof(*e), 0); + if (!e) { + return 0; + } + + e->ret = ret; + e->pid = tmp->pid; + + __builtin_memcpy(&e->filename, tmp->filename, sizeof(e->filename)); + + bpf_ringbuf_submit(e, 0); + + bpf_map_delete_elem(&tmp_map, &tid); + + return 0; +} + +char _license[] SEC("license") = "GPL"; diff --git a/32-fentry-hello/main.go b/32-fentry-hello/main.go new file mode 100644 index 0000000..9272b69 --- /dev/null +++ b/32-fentry-hello/main.go 
@@ -0,0 +1,91 @@
+package main
+
+import (
+ "bytes"
+ "encoding/binary"
+ "fmt"
+ "log"
+
+ bpf "github.com/aquasecurity/libbpfgo"
+ "golang.org/x/sys/unix"
+)
+
+type Event struct {
+ Pid uint64
+ Ret int64
+ FileName [256]byte
+}
+
+func goString(s []byte) string {
+ return string(bytes.Split(s, []byte("\x00"))[0])
+}
+
+func resizeMap(module *bpf.Module, name string, size uint32) error {
+ m, err := module.GetMap(name)
+ if err != nil {
+ return err
+ }
+
+ if err = m.Resize(size); err != nil {
+ return err
+ }
+
+ if actual := m.GetMaxEntries(); actual != size {
+ return fmt.Errorf("map resize failed, expected %v, actual %v", size, actual)
+ }
+
+ return nil
+}
+
+func main() {
+ bpfModule, err := bpf.NewModuleFromFile("main.bpf.o")
+ if err != nil {
+ panic(err)
+ }
+ defer bpfModule.Close()
+ if err := resizeMap(bpfModule, "events", 8192); err != nil {
+ panic(err)
+ }
+
+ if err := bpfModule.BPFLoadObject(); err != nil {
+ panic(err)
+ }
+ prog1, err := bpfModule.GetProgram("fentry__do_sys_openat2")
+ if err != nil {
+ panic(err)
+ }
+ if _, err := prog1.AttachGeneric(); err != nil {
+ panic(err)
+ }
+ prog2, err := bpfModule.GetProgram("fexit__do_sys_openat2")
+ if err != nil {
+ panic(err)
+ }
+ if _, err := prog2.AttachGeneric(); err != nil {
+ panic(err)
+ }
+
+ eventsChannel := make(chan []byte)
+ pb, err := bpfModule.InitRingBuf("events", eventsChannel)
+ if err != nil {
+ panic(err)
+ }
+
+ pb.Start()
+ defer func() {
+ pb.Stop()
+ pb.Close()
+ }()
+
+ for {
+ select {
+ case data := <-eventsChannel:
+ var event Event
+ if err := binary.Read(bytes.NewBuffer(data), binary.LittleEndian, &event); err != nil {
+ log.Printf("parse event: %s", err)
+ continue
+ }
+ log.Printf("pid %d, file: %s, ret: %d", event.Pid, unix.ByteSliceToString(event.FileName[:]), event.Ret)
+ }
+ }
+}
diff --git a/README.rst b/README.rst
index 3e7bb4b..5e305e3 100644
--- a/README.rst
+++ b/README.rst
@@ -161,11 +161,11 @@ Program Types + + +----------------------------------+-----------------------+ | | | ``fmod_ret.s+`` | | + +----------------------------------------+----------------------------------+-----------------------+ -| | ``BPF_TRACE_FENTRY`` | ``fentry+`` | | +| | ``BPF_TRACE_FENTRY`` | ``fentry+`` |`32`_ | + + +----------------------------------+-----------------------+ | | | ``fentry.s+`` | | + +----------------------------------------+----------------------------------+-----------------------+ -| | ``BPF_TRACE_FEXIT`` | ``fexit+`` | | +| | ``BPF_TRACE_FEXIT`` | ``fexit+`` |`32`_ | + + +----------------------------------+-----------------------+ | | | ``fexit.s+`` | | + +----------------------------------------+----------------------------------+-----------------------+ @@ -209,5 +209,6 @@ Program Types .. _29: 29-kprobe-hello-with-macro .. _30: 30-ksyscall-hello .. _31: 31-ksyscall-hello-with-macro +.. _32: 32-fentry-hello From c296efdfcd8bc148171b0d34aec19e82b71b6ed4 Mon Sep 17 00:00:00 2001 
From: mozillazg Date: Fri, 1 Dec 2023 03:54:56 +0000 Subject: [PATCH 19/20] 33: add 33-xdp-hello --- 33-xdp-hello/Makefile | 1 + 33-xdp-hello/README.md | 21 +++++ 33-xdp-hello/cilium-ebpf/Makefile | 1 + 33-xdp-hello/cilium-ebpf/README.md | 21 +++++ 33-xdp-hello/cilium-ebpf/bpf_bpfeb.go | 119 ++++++++++++++++++++++++++ 33-xdp-hello/cilium-ebpf/bpf_bpfeb.o | Bin 0 -> 4032 bytes 33-xdp-hello/cilium-ebpf/bpf_bpfel.go | 119 ++++++++++++++++++++++++++ 33-xdp-hello/cilium-ebpf/bpf_bpfel.o | Bin 0 -> 4032 bytes 33-xdp-hello/cilium-ebpf/main.go | 96 +++++++++++++++++++++ 33-xdp-hello/main.bpf.c | 54 ++++++++++++ 33-xdp-hello/main.go | 76 ++++++++++++++++ 11 files changed, 508 insertions(+) create mode 120000 33-xdp-hello/Makefile create mode 100644 33-xdp-hello/README.md create mode 120000 33-xdp-hello/cilium-ebpf/Makefile create mode 100644 33-xdp-hello/cilium-ebpf/README.md create mode 100644 33-xdp-hello/cilium-ebpf/bpf_bpfeb.go create mode 100644 33-xdp-hello/cilium-ebpf/bpf_bpfeb.o create mode 100644 33-xdp-hello/cilium-ebpf/bpf_bpfel.go create mode 100644 33-xdp-hello/cilium-ebpf/bpf_bpfel.o create mode 100644 33-xdp-hello/cilium-ebpf/main.go create mode 100644 33-xdp-hello/main.bpf.c create mode 100644 33-xdp-hello/main.go diff --git a/33-xdp-hello/Makefile b/33-xdp-hello/Makefile new file mode 120000 index 0000000..d981720 --- /dev/null +++ b/33-xdp-hello/Makefile @@ -0,0 +1 @@ +../common/Makefile \ No newline at end of file diff --git a/33-xdp-hello/README.md b/33-xdp-hello/README.md new file mode 100644 index 0000000..ca081ef --- /dev/null +++ b/33-xdp-hello/README.md @@ -0,0 +1,21 @@ + + + +## Usage + +build: + +``` +$ make +``` + +run: + +``` +$ make run + +$ printf 'HTTP/1.1 200 OK\nContent-Length: 0\n\n' |nc -l 9090 & + +$ curl http://127.0.0.1:9090 + +``` diff --git a/33-xdp-hello/cilium-ebpf/Makefile b/33-xdp-hello/cilium-ebpf/Makefile new file mode 120000 index 0000000..97ab7f0 --- /dev/null +++ b/33-xdp-hello/cilium-ebpf/Makefile 
@@ -0,0 +1 @@ +../../common/cilium-ebpf.Makefile \ No newline at end of file diff --git a/33-xdp-hello/cilium-ebpf/README.md b/33-xdp-hello/cilium-ebpf/README.md new file mode 100644 index 0000000..ca081ef --- /dev/null +++ b/33-xdp-hello/cilium-ebpf/README.md @@ -0,0 +1,21 @@ + + + +## Usage + +build: + +``` +$ make +``` + +run: + +``` +$ make run + +$ printf 'HTTP/1.1 200 OK\nContent-Length: 0\n\n' |nc -l 9090 & + +$ curl http://127.0.0.1:9090 + +``` diff --git a/33-xdp-hello/cilium-ebpf/bpf_bpfeb.go b/33-xdp-hello/cilium-ebpf/bpf_bpfeb.go new file mode 100644 index 0000000..4ff97b8 --- /dev/null +++ b/33-xdp-hello/cilium-ebpf/bpf_bpfeb.go 
@@ -0,0 +1,119 @@ +// Code generated by bpf2go; DO NOT EDIT. +//go:build arm64be || armbe || mips || mips64 || mips64p32 || ppc64 || s390 || s390x || sparc || sparc64 + +package main + +import ( + "bytes" + _ "embed" + "fmt" + "io" + + "github.com/cilium/ebpf" +) + +// loadBpf returns the embedded CollectionSpec for bpf. +func loadBpf() (*ebpf.CollectionSpec, error) { + reader := bytes.NewReader(_BpfBytes) + spec, err := ebpf.LoadCollectionSpecFromReader(reader) + if err != nil { + return nil, fmt.Errorf("can't load bpf: %w", err) + } + + return spec, err +} + +// loadBpfObjects loads bpf and converts it into a struct. +// +// The following types are suitable as obj argument: +// +// *bpfObjects +// *bpfPrograms +// *bpfMaps +// +// See ebpf.CollectionSpec.LoadAndAssign documentation for details. +func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error { + spec, err := loadBpf() + if err != nil { + return err + } + + return spec.LoadAndAssign(obj, opts) +} + +// bpfSpecs contains maps and programs before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfSpecs struct { + bpfProgramSpecs + bpfMapSpecs +} + +// bpfSpecs contains programs before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfProgramSpecs struct { + HandleXdp *ebpf.ProgramSpec `ebpf:"handle_xdp"` +} + +// bpfMapSpecs contains maps before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfMapSpecs struct { + Events *ebpf.MapSpec `ebpf:"events"` +} + +// bpfObjects contains all objects after they have been loaded into the kernel. +// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. +type bpfObjects struct { + bpfPrograms + bpfMaps +} + +func (o *bpfObjects) Close() error { + return _BpfClose( + &o.bpfPrograms, + &o.bpfMaps, + ) +} + +// bpfMaps contains all maps after they have been loaded into the kernel. 
+// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. +type bpfMaps struct { + Events *ebpf.Map `ebpf:"events"` +} + +func (m *bpfMaps) Close() error { + return _BpfClose( + m.Events, + ) +} + +// bpfPrograms contains all programs after they have been loaded into the kernel. +// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. +type bpfPrograms struct { + HandleXdp *ebpf.Program `ebpf:"handle_xdp"` +} + +func (p *bpfPrograms) Close() error { + return _BpfClose( + p.HandleXdp, + ) +} + +func _BpfClose(closers ...io.Closer) error { + for _, closer := range closers { + if err := closer.Close(); err != nil { + return err + } + } + return nil +} + +// Do not access this directly. +// +//go:embed bpf_bpfeb.o +var _BpfBytes []byte 
diff --git a/33-xdp-hello/cilium-ebpf/bpf_bpfeb.o b/33-xdp-hello/cilium-ebpf/bpf_bpfeb.o new file mode 100644 index 0000000000000000000000000000000000000000..43d505b9ecb20fe151e34e2feeb37062d1666986 GIT binary patch literal 4032 zcmb_fON6c#4BU}54yO-x|n!sV=7xghS0F)=RGg$bVX>b;(tLc+$I+;`8t@4ox) zeZT5{V`%u9d_E^V%E@2ADMPOZpl@1h71J(}Ty4F~qgGp^ZE|HWkqawYJ~*&P?jriS zs`W)z@>Gsf zRI8N8bx>jzIbiy)JeOFQ54!)RUz$u_@^)fe{dFSqAEllC13z0GmR~RGWm=VV7cPrv zexJH2vjCVgi#ZQcv5!VWbmRJw=UYEu1*Va%jK3Oey5)X@E0B*FJPo-)FC^j^o6X@i z=vxtM0VHEpz>C17AuzE5?>D#t`J%z2kS&9!A&(n;3GyrhgBF9&Wpl@-(Zu>b1}_AE z(wEqQ`$?%^{7 z+dW`SD9rfeeuUxf#G3obU=Oy(Fo7!~1}=^%XhEO$XfzhHK$1Zm6~-XPyw}zVL3! zexK=|C!QaR!q}=R9ZJt^Ze3Sr&+3t0!;>9Lp{z+n1tG?`V&jBza9AF zMMN6dWqY?HN;xy?<|DRiPp_%^ZAh=Ks$LUCDwW`7ii-FmFN4y;ABOWApf>UGgZ z@mg(}bi>FCe2Iey96N2-7q21Bur}@l&8Eb0TRLG72lb#W^_E*diaqIWnO%{3s}{mE z=C0q&9<;s1idsR)EsVMoFxMK5Fp`J@+rpNku(;)IPw8UP39H9VIXiXUsA_0rud{b} zX#Z^CiO0Y$o1R*;Q|+r(4;~mf;Ee34qE5ALo$`ZN#r2MWu@Djk-LURT!;NBz++$L! zA9W~kB-TrV72{Y)bi$Vq9-XK~59x;E;$m3+cqqqlPJ-h!Ih{D{Z3E(S{jr}2%~Ws- zoK_t8QUBKR)^f3ElcAL-iybS``)A{a}js6>+z%{^?M9<^hnc`c!H>K0RW%SQQF5o-Cca8D#)Y;GX zl={yi-#iRFo#+KTT~|5(g_Mr(qpl79Jt77d){1=3@B56=@n+9(4VHshJKsbS>%FW| zf~o&u^nOTwo_{fV3z9ile`CH;;QdWK!M*+lkhL=}OGPY%wOiXYfR$K4){rL7KM4DR zv=P|WgW5GV`(60V=%&B$9dyRD{#Yk{HmqLB=+%rqn$bHMeLAC`&*+yjI`d_&cK)jw zeI}z{%jmz))pgmac={fsb(Qhokkcsn1iX-JYCq^yBM|r>-_$+qgC+rRc&K+hva_MDlpef-@= z!f%v0q!-j!h^?MIf0a3-W)-`yw3NZO8h?$BDdK&!v<8501gWCiUbFa;fy*KLz_w01 zo_7A0vGd!0m`FK=hQ#}oCOe+CJ>Z*--(m)(>!r#16FV85HbXg{L(sy*iR`uMc(1^E zv--a@BNQa-=l=+j&7bx2y-erBenYqMHzz1}Dv`Z5JwIdKZ2p;KM6LqK`K@1i{!PL4 nVZH9taF|Pd%#W1WmpS9(E6h1Ajv;w7oKSdM02xte}>F_K68NnjN1{x?v6!SWrdDD3^eKWlGrauU= zQ6y?uV8jF#3JVflupn`PCMK|O;gXdr7lfTLCdP%jFv0J;@80(H@#DgioOi$PoOACz z_jm5R*FUhQxv5F4G|68w%dAyodf_b2YnYcsh%78?(X6mE_TN|)m-AtM4zPE_g2B@$*Fhm2Y{$j|Hn-uk z1&X=VZRLTv4wQZ;y}4?T3MeG?|PA2 zh{}q1#0mxI&^Ck?J($xa&V0Z$wJ4)AG%j{$#Va25Eh!DGPZ4EBM~8(agv0L;AVP`f_U zz?Y2u9B@OQ5V30#&x$@0@p-W4=0qIV@f7MX=mT(+TvmObu;dx~IAMR9MhM#w&yU1$ 
zUOss6<6x+}-rDJS$!xH4X-HryDxouS0V3*Qg%Q#SM#V+7;zS@5*eA6Knw)wR%q#=i=lo+m(KJ)RE^sPQ%@4b` zGLjy?uXtr685Q8%_&k9s~n89hq3V0n+-DcYMsC#SH&T+OOibp6nk>{y{5ie)&G z{9RQ%n-JdD)PJCzIM@Ryd4GNl<$0&@X~O%2Hhu6>UW49*W{$@3dw}a;l{|){XxCHZtFXtULDY7@g+rbf{>wg9R(hKpu#`ehD!4abUcfePDi?@{F z9k`RaZi*m8`^gu8a~!O1g_zm{f9ntUO))&=od(hg&N})&L)iws3Z)QJ{~&>ML;0fm z#Y|oWxC?6I0Us#y_##P3N%MI+r=%+bvNREY+c>$FOYCb0n0-@rL6^+j*t28dxG7AR zUGP993Jd@!and^pAHDL$Rz=TiJ~irai`e>YS9TPc1!#eYw6 zJqXxrdprXa%TRWZ!~eVaoa|P5y^&AW4bhL%D}E&IcH;>%K!SlhT8Y;O1$|N#?9h=GDpmC zXKdtDypQKdeh!-@ocE;UKps~Ab}|^4XE7-&K={_nCyl_D`LKp`#)ZD)I8IyN+WD4Y z|LHlf`@)_t)67hL%XdGZ{$@4`Nsrf)0{rW#|0#Bx#>HgW~{rbOU`p=vC?4NPz{x`rjZ{RMTwK5HzkxsM!((95+ YM-HI|eirVLPSgK6<6*tz`rCE=7gOllNB{r; literal 0 HcmV?d00001 diff --git a/33-xdp-hello/cilium-ebpf/main.go b/33-xdp-hello/cilium-ebpf/main.go new file mode 100644 index 0000000..0f0b57b --- /dev/null +++ b/33-xdp-hello/cilium-ebpf/main.go 
@@ -0,0 +1,96 @@
+package main
+
+import (
+ "context"
+ "errors"
+ "log"
+ "net"
+ "os/signal"
+ "syscall"
+
+ "github.com/cilium/ebpf/link"
+ "github.com/cilium/ebpf/perf"
+ "github.com/cilium/ebpf/rlimit"
+ "github.com/google/gopacket"
+ "github.com/google/gopacket/layers"
+)
+
+// $BPF_CLANG and $BPF_CFLAGS are set by the Makefile
+//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../main.bpf.c -- -I../ -I../output
+
+func parseEvent(data []byte) {
+ // Decode a packet
+ packet := gopacket.NewPacket(data, layers.LayerTypeEthernet, gopacket.Default)
+ // Get the TCP layer from this packet
+ if tcpLayer := packet.Layer(layers.LayerTypeTCP); tcpLayer != nil {
+ log.Println("This is a TCP packet!")
+ // Get actual TCP data from this layer
+ tcp, _ := tcpLayer.(*layers.TCP)
+ log.Printf("From src port %d to dst port %d", tcp.SrcPort, tcp.DstPort)
+ }
+}
+
+func main() {
+ if err := rlimit.RemoveMemlock(); err != nil {
+ log.Fatal(err)
+ }
+
+ objs := bpfObjects{}
+ if err := loadBpfObjects(&objs, nil); err != nil {
+ log.Fatal(err)
+ }
+ defer objs.Close()
+
+ xdpIface := "lo"
+ devID, err := net.InterfaceByName(xdpIface)
+ if err != nil {
+ log.Println(err)
+ return
+ }
+
+ l, err := link.AttachXDP(link.XDPOptions{
+ Program: objs.HandleXdp,
+ Interface: devID.Index,
+ })
+ if err != nil {
+ log.Fatalf("could not attach XDP program: %s", err)
+ }
+ defer l.Close()
+
+ reader, err := perf.NewReader(objs.Events, 4096)
+ if err != nil {
+ log.Println(err)
+ return
+ }
+ defer reader.Close()
+
+ ctx, stop := signal.NotifyContext(
+ context.Background(), syscall.SIGINT, syscall.SIGTERM,
+ )
+ defer stop()
+
+ log.Println("...")
+loop:
+ for {
+ select {
+ case <-ctx.Done():
+ break loop
+ default:
+ }
+ record, err := reader.Read()
+ if err != nil {
+ if errors.Is(err, perf.ErrClosed) {
+ log.Println("Received signal, exiting...")
+ return
+ }
+ log.Printf("reading from reader: %s", err)
+ continue
+ }
+ if record.LostSamples
> 0 {
+ log.Printf("lost %d events", record.LostSamples)
+ continue
+ }
+ parseEvent(record.RawSample)
+ }
+ log.Println("bye bye")
+}
diff --git a/33-xdp-hello/main.bpf.c b/33-xdp-hello/main.bpf.c
new file mode 100644
index 0000000..95d4171
--- /dev/null
+++ b/33-xdp-hello/main.bpf.c
@@ -0,0 +1,54 @@
+#include "vmlinux.h"
+
+#include
+#include
+#include
+#include
+
+#define ETH_P_IP 0x0800 /* Internet Protocol packet */ // ipv4
+#define ETH_HLEN 14 /* Total octets in header. */
+
+
+struct event_t {
+};
+
+struct {
+ __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
+ __uint(key_size, sizeof(u32));
+ __uint(value_size, sizeof(u32));
+} events SEC(".maps");
+
+SEC("xdp")
+int handle_xdp(struct xdp_md *ctx) {
+ void *data_end = (void *)(long)ctx->data_end;
+ void *data = (void *)(long)ctx->data;
+
+ struct iphdr *ip_hdr = data + ETH_HLEN;
+ if ((void *)ip_hdr + sizeof(struct iphdr) > data_end) {
+ return XDP_PASS;
+ }
+ if (ip_hdr->protocol != IPPROTO_TCP) { // not tcp
+ return XDP_PASS;
+ }
+
+ struct tcphdr *tcp_hdr = (void *)ip_hdr + sizeof(struct iphdr);
+ if ((void *)tcp_hdr + sizeof(struct tcphdr) > data_end) {
+ return XDP_PASS;
+ }
+ if (tcp_hdr->dest != bpf_htons(9090)) // not 9090 port
+ return XDP_PASS;
+ // if (tcp_hdr->psh == 0) // no payload
+ // return XDP_PASS;
+
+ struct event_t event = {};
+
+ u64 flags = BPF_F_CURRENT_CPU;
+ u64 save_size = (u64)(data_end - data);
+ // save_size = min(save_size, 1024);
+ flags |= save_size << 32;
+ bpf_perf_event_output(ctx, &events, flags, &event, sizeof(event));
+
+ return XDP_PASS;
+}
+
+char _license[] SEC("license") = "GPL";
diff --git a/33-xdp-hello/main.go b/33-xdp-hello/main.go
new file mode 100644
index 0000000..0d87e33
--- /dev/null
+++ b/33-xdp-hello/main.go
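Review bot: The read loop in `main()` of 33-xdp-hello/cilium-ebpf/main.go only notices SIGINT/SIGTERM between reads, because `reader.Read()` blocks and nothing closes the reader when `ctx` is cancelled. The `perf.ErrClosed` branch is therefore never reached on a signal, and the process keeps the XDP program attached to `lo` until the next matching packet arrives. Closing the reader from the signal path fixes it: add `go func() { <-ctx.Done(); reader.Close() }()` right after `signal.NotifyContext`. Separately, `tcp, _ := tcpLayer.(*layers.TCP)` in `parseEvent` discards the assertion result and would dereference nil if it ever failed; `if tcp, ok := tcpLayer.(*layers.TCP); ok { ... }` is safer for bytes taken straight off the wire, and the same line appears in 33-xdp-hello/main.go.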
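Review bot: `handle_xdp` in 33-xdp-hello/main.bpf.c parses every frame as Ethernet followed by an option-less IPv4 header. It never checks the EtherType (the `ETH_P_IP` define is unused) and it places the TCP header at a fixed `sizeof(struct iphdr)` past the IP header. Non-IPv4 frames and IPv4 packets that carry options are then tested against the wrong bytes, so the protocol and port filter can match or miss on unrelated data. I would check `eth->h_proto` first and derive the TCP offset from `ip_hdr->ihl`, rejecting values below the minimum header size, as sketched below. The full-frame copy to user space is also uncapped because the `min(save_size, 1024)` line is commented out, which looks worth restoring.

```c
    struct ethhdr *eth = data;
    if ((void *)(eth + 1) > data_end) {
        return XDP_PASS;
    }
    if (eth->h_proto != bpf_htons(ETH_P_IP)) { // not ipv4
        return XDP_PASS;
    }

    struct iphdr *ip_hdr = (void *)(eth + 1);
    // … unchanged: iphdr bounds check and IPPROTO_TCP test …

    u32 ip_len = ip_hdr->ihl * 4; // header length in bytes, options included
    if (ip_len < sizeof(struct iphdr)) {
        return XDP_PASS;
    }

    struct tcphdr *tcp_hdr = (void *)ip_hdr + ip_len;
    // … unchanged: tcphdr bounds check, port filter, perf event output …
```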
@@ -0,0 +1,76 @@
+package main
+
+import (
+ "context"
+ "log"
+ "os/signal"
+ "syscall"
+
+ bpf "github.com/aquasecurity/libbpfgo"
+ "github.com/google/gopacket"
+ "github.com/google/gopacket/layers"
+)
+
+func parseEvent(data []byte) {
+ // Decode a packet
+ packet := gopacket.NewPacket(data, layers.LayerTypeEthernet, gopacket.Default)
+ // Get the TCP layer from this packet
+ if tcpLayer := packet.Layer(layers.LayerTypeTCP); tcpLayer != nil {
+ log.Println("This is a TCP packet!")
+ // Get actual TCP data from this layer
+ tcp, _ := tcpLayer.(*layers.TCP)
+ log.Printf("From src port %d to dst port %d", tcp.SrcPort, tcp.DstPort)
+ }
+}
+
+func main() {
+ bpfModule, err := bpf.NewModuleFromFile("main.bpf.o")
+ if err != nil {
+ panic(err)
+ }
+ defer bpfModule.Close()
+
+ if err := bpfModule.BPFLoadObject(); err != nil {
+ panic(err)
+ }
+
+ xdpProg, err := bpfModule.GetProgram("handle_xdp")
+ if xdpProg == nil {
+ log.Fatal(err)
+ }
+ link, err := xdpProg.AttachXDP("lo")
+ if err != nil {
+ log.Fatal(err)
+ }
+ defer link.Destroy()
+
+ eventsChannel := make(chan []byte)
+ lostChannel := make(chan uint64)
+ pb, err := bpfModule.InitPerfBuf("events", eventsChannel, lostChannel, 1024)
+ if err != nil {
+ return
+ }
+ ctx, stop := signal.NotifyContext(
+ context.Background(), syscall.SIGINT, syscall.SIGTERM,
+ )
+ pb.Start()
+ defer func() {
+ pb.Stop()
+ pb.Close()
+ stop()
+ }()
+
+ log.Println("...")
+loop:
+ for {
+ select {
+ case data := <-eventsChannel:
+ parseEvent(data)
+ case n := <-lostChannel:
+ log.Printf("lost %d events", n)
+ case <-ctx.Done():
+ break loop
+ }
+ }
+ log.Println("bye bye~")
+}
From af1a344ab6098633cf2681f619f46cfc064b400e Mon Sep 17 00:00:00 2001
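Review bot: The `InitPerfBuf` error path in `main()` of 33-xdp-hello/main.go is a bare `return`, so a failure to set up the perf buffer exits silently with status 0 after the XDP program has already been attached to `lo`. Every other failure in this function is reported. Logging before returning keeps the deferred `link.Destroy()` and `bpfModule.Close()` running while leaving a trace of what went wrong: `if err != nil { log.Printf("init perf buffer: %v", err); return }`.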
From: mozillazg Date: Fri, 1 Dec 2023 03:56:35 +0000 Subject: [PATCH 20/20] 34: add 34-iter-task-hello --- 34-iter-task-hello/Makefile | 1 + 34-iter-task-hello/README.md | 15 +++ 34-iter-task-hello/cilium-ebpf/Makefile | 1 + 34-iter-task-hello/cilium-ebpf/README.md | 15 +++ 34-iter-task-hello/cilium-ebpf/bpf_bpfeb.go | 115 ++++++++++++++++++++ 34-iter-task-hello/cilium-ebpf/bpf_bpfeb.o | Bin 0 -> 29688 bytes 34-iter-task-hello/cilium-ebpf/bpf_bpfel.go | 115 ++++++++++++++++++++ 34-iter-task-hello/cilium-ebpf/bpf_bpfel.o | Bin 0 -> 29688 bytes 34-iter-task-hello/cilium-ebpf/main.go | 61 +++++++++++ 34-iter-task-hello/common.h | 5 + 34-iter-task-hello/main.bpf.c | 22 ++++ 34-iter-task-hello/main.go | 40 +++++++ README.rst | 9 +- 13 files changed, 396 insertions(+), 3 deletions(-) create mode 120000 34-iter-task-hello/Makefile create mode 100644 34-iter-task-hello/README.md create mode 120000 34-iter-task-hello/cilium-ebpf/Makefile create mode 100644 34-iter-task-hello/cilium-ebpf/README.md create mode 100644 34-iter-task-hello/cilium-ebpf/bpf_bpfeb.go create mode 100644 34-iter-task-hello/cilium-ebpf/bpf_bpfeb.o create mode 100644 34-iter-task-hello/cilium-ebpf/bpf_bpfel.go create mode 100644 34-iter-task-hello/cilium-ebpf/bpf_bpfel.o create mode 100644 34-iter-task-hello/cilium-ebpf/main.go create mode 100644 34-iter-task-hello/common.h create mode 100644 34-iter-task-hello/main.bpf.c create mode 100644 34-iter-task-hello/main.go diff --git a/34-iter-task-hello/Makefile b/34-iter-task-hello/Makefile new file mode 120000 index 0000000..d981720 --- /dev/null +++ b/34-iter-task-hello/Makefile @@ -0,0 +1 @@ +../common/Makefile \ No newline at end of file diff --git a/34-iter-task-hello/README.md b/34-iter-task-hello/README.md new file mode 100644 index 0000000..1adac9e --- /dev/null +++ b/34-iter-task-hello/README.md @@ -0,0 +1,15 @@ + + +## Usage + +build: + +``` +$ make +``` + +run: + +``` +$ make run +``` 
diff --git a/34-iter-task-hello/cilium-ebpf/Makefile b/34-iter-task-hello/cilium-ebpf/Makefile new file mode 120000 index 0000000..97ab7f0 --- /dev/null +++ b/34-iter-task-hello/cilium-ebpf/Makefile @@ -0,0 +1 @@ +../../common/cilium-ebpf.Makefile \ No newline at end of file diff --git a/34-iter-task-hello/cilium-ebpf/README.md b/34-iter-task-hello/cilium-ebpf/README.md new file mode 100644 index 0000000..1adac9e --- /dev/null +++ b/34-iter-task-hello/cilium-ebpf/README.md @@ -0,0 +1,15 @@ + + +## Usage + +build: + +``` +$ make +``` + +run: + +``` +$ make run +``` diff --git a/34-iter-task-hello/cilium-ebpf/bpf_bpfeb.go b/34-iter-task-hello/cilium-ebpf/bpf_bpfeb.go new file mode 100644 index 0000000..4f6e951 --- /dev/null +++ b/34-iter-task-hello/cilium-ebpf/bpf_bpfeb.go 
@@ -0,0 +1,115 @@ +// Code generated by bpf2go; DO NOT EDIT. +//go:build arm64be || armbe || mips || mips64 || mips64p32 || ppc64 || s390 || s390x || sparc || sparc64 + +package main + +import ( + "bytes" + _ "embed" + "fmt" + "io" + + "github.com/cilium/ebpf" +) + +// loadBpf returns the embedded CollectionSpec for bpf. +func loadBpf() (*ebpf.CollectionSpec, error) { + reader := bytes.NewReader(_BpfBytes) + spec, err := ebpf.LoadCollectionSpecFromReader(reader) + if err != nil { + return nil, fmt.Errorf("can't load bpf: %w", err) + } + + return spec, err +} + +// loadBpfObjects loads bpf and converts it into a struct. +// +// The following types are suitable as obj argument: +// +// *bpfObjects +// *bpfPrograms +// *bpfMaps +// +// See ebpf.CollectionSpec.LoadAndAssign documentation for details. +func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error { + spec, err := loadBpf() + if err != nil { + return err + } + + return spec.LoadAndAssign(obj, opts) +} + +// bpfSpecs contains maps and programs before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfSpecs struct { + bpfProgramSpecs + bpfMapSpecs +} + +// bpfSpecs contains programs before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfProgramSpecs struct { + IterTask *ebpf.ProgramSpec `ebpf:"iter__task"` +} + +// bpfMapSpecs contains maps before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfMapSpecs struct { +} + +// bpfObjects contains all objects after they have been loaded into the kernel. +// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. +type bpfObjects struct { + bpfPrograms + bpfMaps +} + +func (o *bpfObjects) Close() error { + return _BpfClose( + &o.bpfPrograms, + &o.bpfMaps, + ) +} + +// bpfMaps contains all maps after they have been loaded into the kernel. 
+// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. +type bpfMaps struct { +} + +func (m *bpfMaps) Close() error { + return _BpfClose() +} + +// bpfPrograms contains all programs after they have been loaded into the kernel. +// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. +type bpfPrograms struct { + IterTask *ebpf.Program `ebpf:"iter__task"` +} + +func (p *bpfPrograms) Close() error { + return _BpfClose( + p.IterTask, + ) +} + +func _BpfClose(closers ...io.Closer) error { + for _, closer := range closers { + if err := closer.Close(); err != nil { + return err + } + } + return nil +} + +// Do not access this directly. +// +//go:embed bpf_bpfeb.o +var _BpfBytes []byte 
diff --git a/34-iter-task-hello/cilium-ebpf/bpf_bpfeb.o b/34-iter-task-hello/cilium-ebpf/bpf_bpfeb.o new file mode 100644 index 0000000000000000000000000000000000000000..2e40e4df474631f5651c054ec6cac686cc4a3017 GIT binary patch literal 29688 zcmcJYdAuA|nfFiMY$RlZ>=`6=!h9l0jv3a2fYyW&*y5Gos_Dqc}S9et*w7)m;htdH;FeW2(;g zJoVIBpR-n9e9hKvXAKPGT+ij)Z{Uoe_XKEu%0f}N&v3bY%iLiK&C9#_^7kE~d*6R( zgF=UY>NA_=J2z{K_xEj@`W;d6gsF-A5z}+|F9iR(d!PHU@Y8{3!9NZ8kSJ0XZglP!&aD~34AR~ zJgS=9&4KgqZGj{Bj=+QPU4dixgMs(MpM*(wLIOVmFZWHG`!c-JH(~B;@Oocexo^N5 z=m|0Us&~pfU;G42J{LsrPhsL*Ao>5m$QC5zTlKx!H|4;hz&sns!!L7A<}jc-+-liy z1E<2ovphn+CGa4u-a^@z$M7rQv*83T!8}`mH*gKNbKwZS4yKK^h;M6ZoIt3y>dxpMq%{vg!t&<+c`%sJp4~MQ{So_42J^6=&j>8}Iq)vz2~2!$*oxyOsEp+8y#2^4ffHEvAo&4UWrSr$6W+v)wm3h6 zDVyr>{1|?>IOopa539W5yWuYez6btp;Ctbp2TrhwiGe>0s~z?3Be3-am^z!dHpm}^ zPY(P!SnVbK&%-L0_zUn=fggjf4*U;r7bgGP@Fw2CZ4{1Rm1UoE+a3H;YE`J?&VMDlGM!zw%aJ0zDqqq8G|HFk&-_!*e`y-4!kz^{g5Mw%Rq z&c$NY2~6|3Nox1kz>=?m@pmQg37#*(o3w=+HhD<|EAbg{3||^Jfv@l^(WD`6uXXOy z2v)mO-peEpb#WOyB~1A2TlAt~8HaLb8=iL8-@h5*7{;+dpyvg6@ zhJHB@KLLLfj^KZT{|Zjv|AuL!3Or@1=V81l^SP16a0D-dZ-58kW8qK1F}wkO3!K2G z!;@KgM6l}TZ{Qfd1SSt7349eyyrXzic5{0ej^GabX*h=W!G8-U@J;aFIakG-Lfg8} zz!7{eoWLLhO8f+LtZFx~+#g(=sbL3kZZ{Ci?pZ7SXmqh~q^T!N|dy?9f{xe?di2!3tg7``)b z0zU{-HZ|>3?80G}`(pTW@OR(@{u)f2*Wyk6A-C_s5&W!|UxznsI=AmJ^dX;i1WbKi z7sHET-n}k?mH+QMcRilDf2PYv$Ttz9?cbfiXTbmJ+`jyl6UV);Ex490Ar8tNgGDoG;GApf+OTVfEU3r{O^JH z!+(HD>%9r<{E40syTj*lqh9t$@G|&+!!dj!OuGB`!!Ltrul)&pC5-;vc!yuj?I}2d z_rX7cWB4^N`gbSrErAcf?}eYXVa*->0hsvj!8`oZ+~^zkL@@U2ehkO(Kf}*3^d+!t zZ-EVc?(qMHdH23N%U<47-@h+{sRQ>@IEI(NKZ6r^1&q%7@TMQfZ6+MSr^3|v`(pS^ z$#d>~34C7Q&%!SkpW)v32s{d7Z};O(?{Fgz_s8(7;s1aW`0X${@5h_2O8U7CzpSgN z^a+F)vQ~T{K5Zd4{Q+*`2>t{VY~8usjq0vzo%{mX%=>m&pIe&Gi$iAe$S(`L48Bqs z#wj}T*DL=Du?j(v-ilt0$gvM;&ycOE9Jm>3yVYDVd=vg!bRw?XVDgbmkgH9x6D2X@ zJ%JJVo;*A_sli;vMb!o)3_-d!J7le_*No3%0Kfw-c~8_oP|$Uk*G^NYxX4bA*|;5_p0pfiQ=23U1&<$(Va zR$ayLZv!Wo3vrnZ;F&!v!_OmE9>v5nOXCdoE}QAq$$I4Z8@)XqAWroQ>R4_T?^rz~ 
z@adja##v_vj^K*|$M9u=6PWsS8+|IXuJ-bQh_p4HP~L$UowhjV2KK{*jqirv9GH5Y zB^#E`z3>C@iM*S@AN4#@%;jE+?cvY*yea~>2~NkM6X35Z=eWc0Bf{UKex)jY68|JF z+^na$olHK(zv6a^udi9MZ|WcyQ&j`-i{S)T9OB1d`mFI+Va9*s@4&Kky^{}Vh5DVX zv4^x|PqR-6`KHdiGTy0T3{ja;zmR(ox-XsVRfu->g z;7(xr&g^~ml7H94$|z24AL7cr1HGGW^y8}1d>fDE9WDho`<-GsGQrt*i;0gpYxVSue+QLOLvp*5iCQg?p{0{&&D(UR+aSQ!%_EUi)!?J(rBpd@N+o7tC zP@3Whx#kLS46EM739Rx3`#fT^mk&h9w+D{l%L6BH(K97=N9+z9!5Wi^b3zQ?890F- z@~omAfjvlPVg!e>OpM{52YC{PKXfJ`I#PXB9KkCC$FOWg@&rD|GnU|vECr6>@xU?s z22xjL(ym9U&CcR77uxuG1p+I+FbC<3=E!&QlHB>a1s%!n_Hn9QM}C0YHa(Y9%><|M zX$x13&POPbUgw1){{~<6i#zhu+*D3;JXC~SlSlCBPjW~89XGM^|M|eP;jaW<2!A`| za|iqb6&9!Y2l0fdA>KUCoW#BkuNAd(t*FbBD?ha%jnK|m$$n@@< zWq}j?P)E7Fqz9cCO3yM$yK-_uAuKOMScqUa}i-DbJRv5pK~q@93e-~ zUBVT^R|QVsVR*G~<~cQ(cV*vmu7fZ3smysTd>I@ee=Cg6Kn$zzz5-6*yI}G=LHuF( zmEK(;c z+T0>HsnPax8~7pVx#O_{BeA;r*@qC*Z92aa~AS1Jyjn6w04}E;9tXqoBJ5IHdmfY zuEP~EPaKc0IAe4kKMcUN;B@RjH22@hu*yihbDuR0zbqs1c`_SIo_dgv{yf^u4ju63 zE#js&Gw1V}yIg_5Y9B?c&XPxe75-i>+`M(%l%)t(KE;DDYYl7D7~UK>!B69SBl7d4 zjJp=z5!k$t?v2O`q^ls~rmdCFvNzm3t;t@+6)EiX{rsRx2u}Il!bKFRPOjW%<#o~! 
z5A_Odk)D}KBRw-!{PScZH*m#pH{|nm@Qu8y#>Jbb`RPV3+`K!3&g25GVCBU+phD#LbugX08aHi;n7n_~)<0e+w6G{tLsq zsr;58mu;-!iliUjCI7Z|m)x8(8QjhITeuKS`Xu^#bSm$jjejc_ZvHlIw{yktPJGIe z6JOEKgV~ST2{&K%^LDO?OO+~TaRt6j0t%^erH*&!ZzDebsUOUzZ)<*#o8RSj16KsU z2LByggYfI{*K)=1Exef8i`t~u<{?eZXXzMU5qo)#abW(vAtO0_Yim_PaChKu;i8^< z@9g892SR%2&;KZo-lOMoAzsQm|KXs+yYnCAk@9LT=-3z=Sap`Z%lOk{`frb|-hw{$ zJ3l=?xnDY&{Cu0>`z4dhl;uc*DhtJ&|9$iom2B@v_#tn0M*lv-G4h{SWjOai_!ogc z#PQWYV8xf_nYF@#IYIsr$wPkdtPlRBWaumoIuFA6z}VB|Cs0&YsjCGW@x!A9C&OyX zJaXmzV_Xqen(m(=*Pfq$rZb4IK8#zSxlVbE;AY?$rp@icQi31iakTS-I3)T>_{~H} zJz2a`dq_7qI%<$FP@j063EhG_gFaDMU-)Y;@5TQqg+tp}Uk!XkMsDknAb(Rv&U&l& z?ll=M_Sro`p6~bh&oR#}c!>N=;W>SIf%=2S6x@QZauY}Jw*trT4+1Cflb%(~1wRcO z!M_b0V>WiEK=^Z9XpBi=p!gmhJ(sVPn}`I6}S@Up&Ya%9VRnhHuZX+9=f-=iOyw zR?hlRNcUz50>6{vn)j*{-Ys4OE4Y?-H{oCJ<+g5C-NoT7Og5WPce1THzS+_^-M=GK z1Bd2O$o)h&pQgT(q@24m!`jQH`5GksQ^|TIOG0Tnwx_E(gxTwZI$T4$Ql`2$ubbWB3OA)3_4&7B3$V-{DziwD`Wj5&S^l z7=AEt0zXU~FY;Bp_;X%9F+whT=A3L|41YK9YvE^L>UH9Nm@y%Dx^;86_`fJSRjWE# zlEXiS3%7)Dx-MNZQ;Z-_H9aPtXzgj|EXVK?ZMH=AbPVlr9K2AB{CIeA(5Ft8EDQ1z z;Z=c8g4YB-89p{JOmK3O4X7^f!{P^C;t|;1~0JEf;RdIo!lC ze2Hgr=f88TrY6OCrExfe3-BQCHn*Ck!zfhJmUHy z{7d|pv9}3-4NlPcB+R%s3D3@Z{|kK>2L%;4r9kM z&86SqHV>Bkhk*y-p9hY^=Q-)@hi4-v{)Gw5n30=hS#n3oR>|uk$xnvSUmU?(VDh|p z5WWz7Dr9jCUjb9tCDLi2L!3(_=aQW)Nnpm(9Pungl+KAuBjj&KPN9}c=N&wxT{V0i z^)BQT>L}^l1=D_t?(>TJ%t->u}V6#Xhaz&UGeBVzis_J{>k|NgTD>` z5BMeg=kWKUhdY|GXJ>&RE4;P(f<1Wp293R|5}uFK$m4)V+4rvtwn#!f9iuV6aB9*kcJ zYrs&QTmdf)d?max@Kx~oz?37O*2y3o1$hysE-aoQn0yv+6AcF4>9K#=jd3PYe<8s*Uzyais!st)H z%YTy_Iuj!JhZ4Ypc)xO1Yfg&GJ~BjTZ4~WZrMrP0{3(# zB0m#3@yIP>Y)RR4cy93w;-~S9X1J5#xX%Z@`^LU}*`H0FObJj!R9mhxjSDgzN~@bBTD$YqWQC7+G{4ft!l)bs~}{AT>Lyl)R2 z;VU!J;hp90BpTH@Zuz^pDV_wr4;}s~&&waeSN-6Ye}a;rT4$+fID4chb+E;q}fiVst7zmmTfr zO5@fXlQMnz&~&tx={Vu%tqAA#IV(@dpXLzhX8NO#mm(eIU(9L!mF9yn zb%oAw7x*HtxXZsTjTQGIlRZT6`{BH^x?1rdzVeYUTq;}3xCpM0O)4D0596=kih~_W zo*;kJ>nOJ?zJP2MIf>BuI0AGAV#c?31WwTTnr9Vf#rM%)P0=FwDR>PW!~YR<68Kr< 
z*Z?JRD@nu{os}A2iGPyhsv~ja{Cp~okrTJc6Zj<0lks|W^|}nd2A!7?n+k$yuDlGt zH}8<{a_PziTanHc1j8J(vJB__wQ_gh4d}G`aoYK9HqMpknY+=CpNbQ7GgT`1&0=04 zxbikJFb95*n2chtEAJOiVc`e=rFbHPKTLaRouJ>ft^9n@r#@Dy{%2DA)alCaiZSXJ z;HzAr>=SP#NIG&WpX4Uab7gdF|B~wbh(|pgMM8bOmUsUn#7UoAsj(uIeI@G%v)M?R zLEpyQz=e$b&oextbvSVzjtrZ%{=Qz%Y34JCQ*%j#ulYiKJf`@HQhhUl8P9U)Q!8#2 z#m-?9xd_hVpF&Qgv(C$9pQ}#bMm!T^nD~v8{urTFTD6@;KuH^U>VJ!fMM zq2OCy3FbCQBfNK9hDm#sz6&X{4^V%qvoJ5M8bwb2C12IV4{@&Q1dfpJ4IIPQ2TowZ z(ziO0{fi^yZwMU2HwRAOw|Z6%SG_H81m7MwhTj=Df$#Ke^(Q+e{s|HC{effn-oOd{ z`%%xTs#PBf9FeEch7)5<`;|eSpz{&WR`(y}EhR*Kulg+SoDAbueK~LhYYtRiW3IHG zYZ=A{dh#2@iZHle;&0(n=F)em@5TDwIGJfRW?nsuM`{b)s;9WAEh6~W1Hh#=TZu`HG zpVb<}#Ci0K_=+cjcL$E)YXc|nt6|Q}EN^cNOklOzU2?Lx`tHEw&usFgKL4v9phfsc zmfh-4P_78Tt=7D;Iq)O!d4azGZwvf5yd&_pDZADn)br{e;%i*Nt$v!DI1m3Ma0F|v zkbDqUdx>NCH-Y!VzYCne&ym)dgb%PpC!f-vFo>URcg3-VYc8LF45_-CP*-c{D=M$t8p_e*i^wE(tlt>?|F(xUSCJ0+m@r5lN`XgV^%u#T za5pgH>zdaDj^P^ulTTakpO1cm{7uMdYgM&x6v{>%Yi>g_0Z9bE7ujYWen?sK8L#gm>Y<2Y+NO^OM!xb#=x-++b7k8|y0XK`hsZTPNp6nJq%O!+?S5f` zcZayIle>tZ-kru$;`Et%=yE&FGPDEGQ7LbYxidOwHdxG!|(3%lzaO;{zwGm|F2mC@JU_#0GJJBM7eCzRDevm@vFB#^vJ7YH^Vq91@=RSF_PdPy zb$y>)8U9g*f6?cOxAuA6K!#`cd1159 z>+*e`vaiqUGWEIcq`rLG^ggdUtIxSd`n>Ma3|BJT&hYgaeshNJ$nXa;{P7HD>SSG} zPS#~?a^0_c`a{j(LbX$A6$+hVd$${_bc)WX)YOVcUs+2Coio+;B^Y*Uy>)re7h2dJY*|tZX3*}0wxUbM@yIQf`Dd?SwYgJ0TSLn7Y<$g?x zgP2>_xMr)`Q0kp(sbE}hw8n}x&#jL6t!ihVYnMh912MNLu4{E%x#miZR;5sHlq;S} zjmGY3;6|y`Z4zyx9$vMk8fi7UP1hxwv1XyAS~Ij9Q07*pGS=)6W2ZV?t+d*1$ZDaW z`fWC9)zUs!Z>bpVLa|nB?5UJh9qj^@Mde{#y^z6}nOb$EW%(#HEA?`$o~qZ5C7LwT~NaHLk7H)!K!z%2>HlEACT#FjicvSt{dL{BYS7 zJB=~S+PA1uDq_$>wFW({N$2g1s0XX#6-vc=k*-DKVfn=tue;!tMys_l0@tn%)no=f zKQ*(B&`Ha|4;?i0ZzaJ+v)5_nAoTVh0@iWHRo{hjqfVvK0G3{%!@DKYz@U}Bg*AXS z3VYD5VCZJ=kcQ-9JtNF!*-Y5Hjs4yB@} z%GA352-s z8VnJB=pCbonw5N`R4F*qR<%(qIdytpQN>cJQ_zS+FWkszMQD616Hp`WZ8FNzNqYl# zHedt1hHQEOa#}^>Xra|$aIg^`dAn8|I^==%rnW1M_yU(|*e^CYrdwmE%N%GGp@u1v z!HkHCq+2jH`I<^Yerz3Pz}rhB(c)u5=LPnHMot<~BTRvXMl&1s${7WVobrUJtEy?W zGOlTE*k(;X*0O*o7OTr 
zs>IeuMs5tq>A^nF<-(p(hHjOpCHrBdueXWAa?GH5khs)swN!7aFgj!}SgtfXqx7Tn z!LaWadfQj64>!hXiY|$4Yl zk@Z}nMvH|=P@%lOK9yi$l!33eJWza^Xc*mDPxy(rt2WpAv`b^NNMQ~+I8-Q(kGS1q z#U|$5qSw<_zIu9VBjteZh&lS+k_lTChB=fT&&2R;wG zX+7qPp$fH4_Ua|3lG?^HqZf;>!fy1#{M;M9&Gb?2blV3n=Uw-NOO$XcHcQ>A_ zjBxK|q&?bTUGCRjYHn)U)@<0NkH{}xEHN#`)GT`8(B40u4g(sl3eS6t3HH`w>Q3q( zrQx==6Jz@d^zClFZcExd70k2aWMRrjA%ufht&gXY){xI%p#b@n7fn}V@F(1|NPt>p zm}+4aT^MC{&@eh43Tr87&(m$P#$YY2G0c)A^ZooNzygU{2mJ8rr@QKq*H%2e+$&(( zJ)pz8O5HkE*;V$8VeEdr)6vpT)vcPgR#XmH^s_r-5m0W7sHz!;C1xaIWYhl3G&LuO zcv$m?c%ZZmKvwW&mXVBY%piVNfQI%cT&}R&^eJ1Zv%2Y6P?qApYNb}Di-2|QDz%pJ z`ynLh=mjd47Hf;J>F`0#m#mI#i>rHoXFJL;tQX9v3hl-)6K1nYhh)~Qvu|Ob8!GBu z+virXk_wA-7G7w|A1$_6iYp4MS8oSt6ub3+E)^0{KR1g#XXmbSFW9=Xu>HcFTQA;q z=FVL%m89YBsp=f3_WMSOgwl;C*%>d^*rp71*`;-~F7u`Jn@A=ID!WVsXYSm2=F1Bg zpZkifgw zZLl-rL8DbVC`JjjeC={5(Z@o2U%iwKhjlXYE>~czsd>&2MZfUD(f#gaq**of}WVGSv6^= z-{xj>D$TCbE(N{)1N2>mZEC=`!4SVSq#?82<=~`JDU1}GQnG^sn=jF$^$_{#m7@pk z;))s&NRZtor)<5T^cplKUUQ@|JZ$e_MkZ)!N9KtVGUoct-5wSaTDuoDMEgC4UiW7= zkaqXBz8K~(iCMonq8!lx9)d@eX(BzSEUM3R8rATFf}d1RJ`uE~ZU0b2>vJ{+ww)}t z*jZZchU+$P`SmUb>0RIGZ$viOxQjqai@51va>? 
zdZos>m_1iUcuTfZFx6eV7^Ajtb@I>Lb?&7`TQ0m{$Cr*xXy9NXSR+#N1sYr2iH z4OK*%K|0L9m6E)=d>tud681rF*xsbf5|ka+D(=CIt91oqO%7ehb=aAb~>fbQElx@LkAxn6l@BRtyab<(KR-I+v|SNx3H#qP9|*1 z$7g+{$yGs3{9_H8-U0^!K5C92L4f ztnn*>+18dSHBCKPsVp@NybO01ch*v$C)1Y2*Fp*^h;3?ENwFmAZOOw4O>?Z9Zi^UY z{J=_2U{+^i#t}5DlNuX*ox6sx--22T2E}04J;e}aYBOD%ae|C>O#i7C2by|@b-vBu zW`mL5z zsZr&v7Kgu_;9+wNn#1g+RFIM254Ua98S!2?&KlBu#tA`}vX)yXr>9)y)+w&k+N3>t zvrun2_VNvNJUSuf&xAk~Kus3tV_nv-qCLfyj)mExa}Gxjp+yV4=bF1)T{p}ZmU5-7 zEtXB)HAbAy1{*m2eWNQkSv9bq;Q@zc<17+fng8;KGQBBd)6QF_ua9sF?G4(SoM*qY z^A(UD0{K_`+~7I9;R6^(h>n$wKhP>tJ3b~(137ve>*@oLrg!FA_Vs*5uw}eImG*|` zPl9B=tV#UWl#D1{Np`$#6HCjfIT^gH-5CS3K^sNv!RQ_r&c5xW>7e+Z_aIHhKkyTT zXY0_7I?FphDQJU*U5&}4y`G^j3R8`LEPFMB$Fjs}2hxmkjTiLFz2wuv?wu z_z!@cW=JfYm1z;l;Kb=TbGata%s}J~YRA@{XBDe&!ZihdnRuAh%)AmXw)Hn%PnZ!yH()8KaptY@z!F`nIRme_(}B?pPf2fyd_qVY(DXY9>?gA9B(~0qZozO}3d#Wm+emfBy0H3zkzLvME9_UWP@G>f$zjOv0ljmqF( z3WD%GVkG3uZxH+tXR~%63$1cfR|PSx^MRB@^eSeqX`!BCNk-5_ zN9$tMoZUA1Y=$=UojbV%*ti?o3vJ}u;994-)~SxO!qQ$x zw`y0Jyqrz#lJWZ<7Sp83_Y-DrpBsLXV*;OBzb`c=IX;%!GNL%X_oR(%UVA&4;U;a( z+R^{$tB?k%oiSu-kfpM$jxA$&@J9k>037IQ)9W9b#D`^Qdx!az3!ks~TqB)+a4$au zVSC28jz$5<&vbx|bsV4Tvlt_RB4^pI>hnpkp`eet;l1YBd9}v^M(H~}!&*FY9bq;Sdv7v> zvk~zF0anXe`<2XLC|L;nY*YvRq>;Yfv`I zzMk!y-d@jsrSA6X(5f&r&JXD}Za9tmDW}=5={D~;t8nqwiwZk-p1Xb5S!>y!zc9ai zRr!jJUF|FC%U_t+y7ss;{AL!vTJDMZsP)9Lrz_r*_^;IUe;ByFfYFR`w4$?a4#V8~ zR>Q`xG~7EyF%#qvjvs{VF4*rNw7Bs7E&JWEw{X?5t&StpP+lgOt0vur=|ocXqFzdT5PoY4F1VXJgMMY0>UU%>d^ zgB*Nd5VO1uR+-tvZz8-nT`Adu#uSIT!~E#L zKkW_pVFECPkesoO99fX^{o2kgdy76oO?`~j0B>`!PGIS%I#XaB8cyUgKiKfCz|XgA z&&H}tR>297{pco4cmz3L?w{L*A9ZSVrF~6WdV>0`OsESxE3pH6pAid(HKz@DzL`~0 z7Zy~uHPa}QJ;%1A@^C8CYioodnehMnl@C7?=kGW4Hyrlg`rD6xJ=bAe$8qToF68vL zCirDa}jzlV1HD$0=NLdZzF#3gDDBznAZY^DsJVzJ)KRyeRww z3y~ooUaP+eksIXVc`q#4pLG1DKl8Kxo*MPilP5hX^-f__{;X48rF^Jd;??{y)S>Zz z75N26guh#mQgHk&fjQNsSoMZ`$;Y`V9O8M&Kf?N(hgAQCuyoUKbVzu|A>qM8!p%d% z@gd<`4+-x-B>dnZVdXEIAGK39{LCTY-ya;d|8KU8es1X@&wJ&aHF36Eugx7}d8M{~ 
z^RBbjEAad=zb`RO1^rLN*Vk%vGYwyK?99|a$Lkb_+b=7*^wO~!58ym>=m6Z!go zrQCznXm+PRA9AH*#ql zk&Eo!yERgp4NT`s%bC6}`7l?SzQ%%#v%h^;*!o%aL5B7BLFxNx{Nb_wn>psP<&_}S z7q<=xOBP%%?_u||L6Cac`05D%RQXjtxjdK3pN@gq@*j>on;(Ly8`F4*v%kCa=qV|GZprE2xd13iGRchYe( IO@HD40rKMMzW@LL literal 0 HcmV?d00001 diff --git a/34-iter-task-hello/cilium-ebpf/bpf_bpfel.go b/34-iter-task-hello/cilium-ebpf/bpf_bpfel.go new file mode 100644 index 0000000..d39666a --- /dev/null +++ b/34-iter-task-hello/cilium-ebpf/bpf_bpfel.go 
@@ -0,0 +1,115 @@ +// Code generated by bpf2go; DO NOT EDIT. +//go:build 386 || amd64 || amd64p32 || arm || arm64 || loong64 || mips64le || mips64p32le || mipsle || ppc64le || riscv64 + +package main + +import ( + "bytes" + _ "embed" + "fmt" + "io" + + "github.com/cilium/ebpf" +) + +// loadBpf returns the embedded CollectionSpec for bpf. +func loadBpf() (*ebpf.CollectionSpec, error) { + reader := bytes.NewReader(_BpfBytes) + spec, err := ebpf.LoadCollectionSpecFromReader(reader) + if err != nil { + return nil, fmt.Errorf("can't load bpf: %w", err) + } + + return spec, err +} + +// loadBpfObjects loads bpf and converts it into a struct. +// +// The following types are suitable as obj argument: +// +// *bpfObjects +// *bpfPrograms +// *bpfMaps +// +// See ebpf.CollectionSpec.LoadAndAssign documentation for details. +func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error { + spec, err := loadBpf() + if err != nil { + return err + } + + return spec.LoadAndAssign(obj, opts) +} + +// bpfSpecs contains maps and programs before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfSpecs struct { + bpfProgramSpecs + bpfMapSpecs +} + +// bpfSpecs contains programs before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfProgramSpecs struct { + IterTask *ebpf.ProgramSpec `ebpf:"iter__task"` +} + +// bpfMapSpecs contains maps before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type bpfMapSpecs struct { +} + +// bpfObjects contains all objects after they have been loaded into the kernel. +// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. +type bpfObjects struct { + bpfPrograms + bpfMaps +} + +func (o *bpfObjects) Close() error { + return _BpfClose( + &o.bpfPrograms, + &o.bpfMaps, + ) +} + +// bpfMaps contains all maps after they have been loaded into the kernel. 
+// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. +type bpfMaps struct { +} + +func (m *bpfMaps) Close() error { + return _BpfClose() +} + +// bpfPrograms contains all programs after they have been loaded into the kernel. +// +// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. +type bpfPrograms struct { + IterTask *ebpf.Program `ebpf:"iter__task"` +} + +func (p *bpfPrograms) Close() error { + return _BpfClose( + p.IterTask, + ) +} + +func _BpfClose(closers ...io.Closer) error { + for _, closer := range closers { + if err := closer.Close(); err != nil { + return err + } + } + return nil +} + +// Do not access this directly. +// +//go:embed bpf_bpfel.o +var _BpfBytes []byte 
diff --git a/34-iter-task-hello/cilium-ebpf/bpf_bpfel.o b/34-iter-task-hello/cilium-ebpf/bpf_bpfel.o new file mode 100644 index 0000000000000000000000000000000000000000..dc6741f40784ee08bc76bccd1c4e3885b9b6d636 GIT binary patch literal 29688 zcmcJYcbsHZnfFf@GuW_X6C!GZgdq(xLl(sg!;F9k0}Me$s;jH2yNj-_Dk}8!2;vnn zi%W71YZ%3V`l_r6cX733O^XRvS4_JO@S^UT!y4AW`~5xVIn{R>-u>tOyvMn9zUR5m zJ@(hxr0S>ntv3%jGab)RudJ-YN5i?{A=QAqLa zJMrvah486^qI}O|{r;1`wTq~7%+TT)^d?Au-s3Bu@}mds{(TMhgzIXhxfEU-qi}F-7yaw)8lJJ~ zY-Df!@tEoB_Vz4Z;RvNHl=K?47x9X{qAc*LQQ&nU^Avh3)mqY{n8i?1*%Xq_qv4%R zGWsZ`{L$H6`RvD~cRw+zj496vL?@9dA$YUy7CPw#HAzYgsLO!sYM%Wit{f1l^CbKh=Nx{o^EUWnu+;^=6FyLR(h*;Q4-)gjufeOuG}t%bHDFGI z-2>A!A*TWEg;mas2KXtgJahQZa0U_ELe5V;pf25fQN7uK1_8&>qEE>J^;?)ZO+%jx53sg@IN^Z z;eUajh5mN<0r*^4h5bFe3e4bLb_(GDrE_>@2(N&xFW~E8>kIfz&fA_D#%^x50%v&%F1`_4o7C-9X#n$gL>gXMQ~cns&LJaam84`+4Ye((z=hYyBxcnBZk94^G3 zVY5ki6D(hr!xuRZ;Y*#vMIlVVFG44S+px9I#UTuwGx#dk&*7Ij58=N_`j_Abl0N({ z_!W9D{4w~i;qcrLz6k#fIJ`83Z#jqOg>av92LBL#y`F{t1iw-G@EDE%w{UhDz8Zd$ zbl^wAZ;=lCc-ZW-9Kun~IeZHIR_VZ}!rS05$@qrf24?Uk`0a2GUjp9(58*QW4meao zn1SC3W^mg%hp%!T!mosHmHt!+H^M5<5PlQ<9?7fRhaU}Q@JHbr;2a*p{|g?%UxD8b zhZ^?d`V;WI@ZTZM;QxR>EPeRDVfFQ}j^AK{6KkM92L33R!3V(Cz?1M{@WOQXJ4=6t_JRLFI`D;(S2_zLD9n15jceyVc@UkHB@c@94hUIh=~I{ZjD>+)*nN%#u*OVWp50DoEf@b&O2 zIP|bh_$$(Z-w)p`9r%;5wPzn+0spJ?2O)gNb#nN}@G3pK5W*i}%qWB{EJAh(;hSIv z@9w+_-XBISOu~o5%0GuscHRbWa-AVuh4(=xEQYWETYJJUa?as5IuGI7;OnK2v-}76 z9x#VL3x5k9!e4_e&*!rqg1?PCgMXjoIK16bY4|?93rF%rcuz2czXv}K&f))b-Uj~#wz|M8{>tCGjd>itU(dn^!2es%!pFiY z^EUW&SbaBypXd5=RF}gKAkW~f@DJb|eqqvwuXElGzZL!=I&y69ftA1b6R?eO_)GAQ z5a;l}!9RhAw_tnlW2OHNd<(2+C*YlT^Z5nd6aFdk9DY3fGk6F;*>&VBkAn9=p1~)= zYV#aE)#bx?GLJid8h*C(o$m~%%)(}G@4~mhDnkxm4gXy4f^SSZ@5YzIzd$YrtabHH zzP{I*+4^0#&=F@`ABD~K;7`DWF})+>x+|u~9|eEKS$*;i*INNkaCs;xzSs5kg?|F` zS}kwFpJ3UD!k8L>s_bXclFqKk^=^fIV4kym)4}lmQEZ=2u zdav?21%3i?A(T>H6nLe|wjLeTOW~PtD(3|-VSIv*i=7XEpBH&d72b=>L+Qzh*iOEN z0yNQMjI2;$w!#Pd{j1?a;GFAa@G9aA9qlj7=811a&Oh5czS%kBg&%Ov;oF^u@Ryy{ 
z;opU=4`Hp-4kw!&z8Cos@DToyvl{uQu-OCrXZT3HcW2rVqa|zWgWcg|KaYZCGa1*D zV6wA4$fli)*L=QQV>w1<-Fe-`qTzxwGgzquK?IP)}7Np0kzbWkGXQ?%8y(Z{u} z$dFfIva-;3&Pct$Ifq{ftNcT*o1C}9Z-=dpGvdnm02 zCXi!~*KUW^FKT0jHOSQ_L#~sZ1J6FgS^1pjoWmC#ze|km4dJItzH0{ZCxEKwpW%~X)l-KiPlbo@xbqj_J)Q4{AM5-r_(?ED zUNONldRJ=Sqmk=fL#`8G!nn1WVJMv#V-;ohlboMI{PdXL&Qv{|8=ngmV)RldshvEO zbVhN7=l?W>edkl)t&zv{tnAT4X-y)E{#tIn3_ad=t=@S9Y_`UB;&skUb347w850`2 z)tTz1VlmvAySUbK(H`NW=n&EwQ}}1nkJoE>;yZ8}j}JI!DF4hkhyUO_giCw7KF{vy zoWc7!=kOuULwF6mmgiKE(_Egx=Q!u^CC)>*;w+~%m-OMQlRo^$qz~Vo^l7lWlRo@F z(uaSM^wp>gYOC)`#;kJ&ALN|F$2$+q!mmT0F#b%7?4u<4+dNMh!+YSfm+p(GdGt@~iF2+GphNT7eEARXImi?~0n3-B zKz26YYoDmGrSM5~#InoJIn(9gtIk?0+yfKFH}Ubk$jO#h=nP2tPH^u&?#0{e{Q> zWL&>?&S4cu@*&r5upVCpr!zY+JQlfR8P@^ML)b%Ukp|b95p}j_k3c8c@jAGUVwSW~ zy9ho3IcudAcf%XuRL*mqrGF88A#u)inez~yh7TcDM>kzx_I)LMf#ekAMexO72EWF2 za`<)dbC3_=x4^2`kg~rYey;RsypO?`!a4kpu*x=sKL=k12W;^x&KdkI_%YIle*~AM z5B~|Cl0N;rGnK7^8T>eyFn$Ri2g1o-#m}}|%;~O^+J)k-nBd-V$gS@1iLjN;pCKwe zo6J0vo|lLO%3g??(Am%OYhPdD9Y9s>C9Bh>C7~PJG|=};+$*X z<$N)GElhUi_iuo&MW*mZ*Ley2-hz(qy;L6_c(2VXva7WB(yf;z1>%<%Sna?SK0=;p zj?tN8nq#CY9o6>^bhJlQxXT$cvh!KhcN6?o$#NB znX<|+zwr#7y`EU%Z1`s4oa=m8b;-&2QaF`C_HzSrh0BrONSrAVLn-A&vUHOR$s$$R zp4EG3UmFK)So4Fz0KSGe<9Z?dTH;Br7sIQFbFS-P)m8nYJ}LG&qSEX5@UUwgMGvJu zd<)MK(%K;1Rg;7_aINQ3J9{W?MdMa~pW62C;5VncF)m$?&K<6!XFmh0tc6gTOK+ll zmlwEOV0~}sp`^WA;v3Y{AEi;ntEw)cZV*>pz# zPGmXPk3IkQ!oPBUA6$AYAG}xjc_=-HOdsj;54cd}QGaL*e$Zw6xz25*C!A$Z_wrr} zY4*Gpx!P6XcvyWo!L=U#5OK!kq4d|hFkPUG_%TSGhG7{yr(kxb*R*bm=-W@KCz6z|Sl2 zD+;Xdl#~7y1+EnMP88ln83^M&d0}{72nQz+aU1z*eeebNd;ZXuVfl_Q zfy{XvegNjN75vZk!G*oC%C=H={~$W*Cxu19+A&UKm3q{T{_b>2t?lG&ZV=k{~#W6rM0^n!$avm9S|iq6n>oUQuZGe_>G0ygtQ*JgWj<_Q1F<F-r=0Vw>szWZAl-#1AYp5sBu4=^x?0<>YJRCu5UZP2>uDI{mnLXehHtf zXBnse1=Fb4YK)9=K$g~}d}4GTyh*J?`MK7ogao|vH+-x`|193~aq9R~m@-;8 z!#O8)VUkmSea~?SGWAOZxr{5LFXodzd?jo)%bQ=8z-@-ZkRpgWK5dJQ#a;oos=A6M}`$u^W zkHf#0KD;}uJ{s2lMCp@tfv_GHH#A{xZCWo@EaF2CR10y5N52N%$AeIV|TOoo(=5 zu;mXw0p3&jP^iP;>%k#>yz6H);CfhPo`lbZABlbrUkX1;<)Po&u=32|99CNm;a9?s 
zR{oSF&50R&Bl5>0AHuJN%?5~H&$X}eBz_Cmez5ZUAQ#OMhQwcRxqf*0@9^Q$hwq1# zPY(YKK0^7!S|`g7%W!^&{3z+eCGMRlorCDB-Q0!`W}S#!{hq;l!t|q^bxgp2;&ZH(YU#+?O>n{5UIwxZ~IcfPK{#i(K+61Z3 zpu=|6<~rT{16R)VMVAlZdz|&+`;-0{e$x3=_&3g{!GCmK53i&xl>h1QKF%B91DrR) zM>;6&pF0*xedqI#U+sK8 z{A%Y5;5RsLhTrXcAv|=x2)@VpV));jIcpmGp)+TmW50H0zcyByh-G7cF}Ale`;oEz zo!O6!9pubhJhs}o44>pY31`miN5;-_<~!7}3!GVpk4-sqMl^PXGyCwdtJ>yG{n* z5A!cf!oP9uz+(r*d~$ei=WXy4VfE<{Rv>FT_dC?(k{wszq=QQhr+Pk;om*g~xo`PQ z7M`6gaKFHLfs4<+ydeMU0{?A+Z!Pd`FkxIi_hT?_VZ~4q!hc!Z>3L#)Fw7BtMY{LG5Qz&rpp84>4BsJ|H3(k!-4VHp_o7!R!$o6 zK|U#z3cOQ+R}^??lZ*KINRjI&XO@ zan2<_FMc_f0^J$wi@xLvUv(abzXRi@?9A;x*zAY&51n&Zp+r`yqrxs;PVueiU*g1)}%XSrZO=cU?<<4iPqkJd6t_az10#}#x($|w$a2Vwm21>OCfDc?vn<@*G`cUVFHiSTvg zgW0g#VJ!rw2XBF&ge>DF?}jJf9KOwUhOmB1bO3Tad%Mds_zw8V(&v&LD$gPO8P`z< zejYv;Sq7&wlN?U#v?2Vpq`wnuc=!0QoD`j7aa z^8vKh9nJ^Slb>@w1pTi$Gp=^}w(}9uv{g=9XX@__c#nnq&=F6>2poMClC)Q?BOm~Cm#b_J}Wqjb{@hbAF&eOft)aY zG|zh|>D)sBRWng>^6e>BSryh5p40xqL+Kd!Qt~ERaVtW#S!$zMs|6684qaxm&$Xo>r9|i@q99P z&N+vl?>vOBc74h=_Ht*|T4OgjvpyVqn=|XfG1=tPz5KT#U#WkT;iGUSIpGfYH0L{E z_IMUP51;M)Wq6bGJ@78ny@S^MaPl!fbe=%|W9JP1x$`9aYv&yPo%1&MkIqB*LHJbO zwH;2sub#BtMqtez->H6=Zy!H2`Wy9;%A@s^g36QDRw|Epg6q-fi`Q@|tmj=B@#B!I zE<>&-Id6wmo{g$I*Wt+7CtE{m?RJLPJO4~LcLz#QM(efHrQ=~kfzdJhIhH&}_T!wn zK6Y(7sSPDgZ8!m^Hq7AEhLf-dYc%Wy|4Lk2)_ck+3=DRDGj)H z6LM~^$Y_AK!fA}W1LlmwD*Zl~a}9GUpGx{9E7(lx(=Q_zXIz?x&p|(jJ@ATne?9Te zE+jI!>MD65>?o(k~yhqRCcf!dmCJ1|Q)=~_Xm!6ZJs{bt4G=F3q_5x45sZhiV#fMgt|ZsrekEQkJo};o-&Ei?60r^KAd0D`C>u-^#X4%@XreT>jL`^?d|Qm9=4R{V+wp|fsZe+z6(iZ z(BH8oKC_^6ae=1`e0hNv3#`BEO8LCFARjBVx&AgW>FDpS5?@!)*LQG9{-%Qb!v+3q zfxlMZ9~Agk1=cz>iT5h7zHdl669u{c{x8W7Ey#~6u>KA#>1-^>?~FESIb2kb z*9+V$@KptVRe|47;P({xBL)6!fxlMZdkg&A0*9&2bh**5cgy8|r8gJm>-|bFs`eK{ zqty?Eo5G{*=9;Iheaf1!`smfGkDjkITC2%rbu~;7dj0O8+MkeC+4*oKCZ0Ayjz^s$ zKG`%I(-W)Wou^HlbK%)%9~Ra;h5r?E>D8|&PdA$NiNm3kgNk_6DF{wpD!diDSMT*2 z?N+%_3wp3Mm{%MI#~&NYWql4>y~a$dUYlsPTQl}yRrPX){%p5isg)b8={67a`jvh? 
z@L8P;gI;B(9;Ta>nO^AhyOnA^@SbXC5Vln2>g9T?-`yHgvR-^^J*peJ{ZMO$YP(x6x7xLOq-wi8*KlrEtAh^Nwp;$Fb=6F_J?Ml1+01v!UA3B_ zm4G^T>-G6gpB(#*=|;WV3scq#Wwmdo-E361hE`YA=#?wYW_wG$rsn9CX)GEK>l&pD z=FQX^GhHi3xl?b|8m*ZyKa$iMy~O4X^=EB)EBOp?^)?Wt-XA&uK6z0|Ya zdavFuV-(Zv?p*5aHWt^I8uaTuRlC`)VDe@MvAw8ZOm=z=GdFeVpgzE!O{-gn!eAKTcN$&3sJ+Xz zc8f-%1MGd}KF?Np2L`S8TUrjZUEYFr9b@k|=H)f?Ib)xUodp@DC0YyB-j>j6SQP8+ z4_Fhl+kH#U({R(Y^L*uUi#zRJV=-mI=v$VymwR0)S(om&7Bh+;vdvnwf?gk*tK+cR z7;dXFUvJbZc>Uhi-a@aA&s01+AAMDCOQT<%EmzwEn%=yZORSvJy&(783pBu>t6pgJ zI^FgnUMX5N(QKtv3)Z=*SSit~EKrhUVaW;fDhwe0bwZ-X^J&p2btk|8wL14gWl&?7 zRT&TUMGDxSX|x8io;Vd4RjDVLZS7St!!n))?^m65J2K0UGe&cIl#marGOWxXV{DEd zXQ%O`d5}(!%jv{v6ZTp$Qf2Ccsa~bUpdNG?%yCMYqLIwibee-1x&LORG4CE?3S+1F zm?##aGP#7U??ixZQ~-M>z${Hnw4UwG^jY!R-;|11`YbyP?c)6UzSH=6t2Zv zky@B9B-DwE9lR`qbmX{;33Kpr*^B_>^osmwx!cA$n1@H+YgVR~-LTQr3)Pue;c656 z#U|(V(ViMG2Uog8;kxrt==Y=5(>;ZXBI#3>_%tE76 zOh@H{f@My9eCldwTCFc=nwz#+Gx}N<5S21k)3R1rN|8~cT?@+v<@w5D6e^#3mtk0L zQDf6{zsv~KQb7(z^~5f%`)mp}y-t(G#k~An?AO73G|DdHPd>$zs!m6vG*I~M^mphG4J+7Xn zyOo(>{=TP0K&{d3H^^-X@!S|t(2cE;YvnDoxNg;`EBnFIw|eAZCB~`lAg&I&UA3DU zi~%`H*6N-9EaNEMn2zH@PsgT>>GlF$G2mq^+cd;jbaZCDNTy+T>b!xRwSLrSz;YSH z?e@GUpz_Rghc31?vhGXN?y?YZ73v$?Q!gyf;`m0(1LdcQ2Jg;#B2L5u^|{uk13H^U z3UkPgsd8muCd|!OI+$~pQBPmR<{7PxR04)0<`_pyA#F|Qb0{O8nG^qRGb*MTow<2I zcRxMVT}uw_1~l=@v52(^n5VZFDzzFFh32AX5sqZtMrXlpZedA z(FXn(8`h0jhBdm8qn;wubj&@l~Ef-{@@wLj?XxSS7zW7cVz z&*x~FukA~!Z@GYRU!q$~AaO0yXEtPr(VJx!9h9?&txy+R3N+1M^t#nhW2I=Rc%!9B zXONt&$Ah)Us~~)i3euZxvo4QoFLgI9ZEH5{GG-JPFZMDm#ndf&VEO1@NNzyxs{D}K znBZtVrs1UVQJwB-J2Aht%-9~ZTDGL!QpY^|K^CTRls)ZHqqUGE-Kki6I|;5isCGy=4Qd7V2B(G4{CL>1*ky=2lBvFRBDA`q`ba2&lDZ)YQ0PiSa~u zHtoMmQ**NC!d3aZ`dr%C&f@*mV%$hCs zEjYTVik`K7ZUZZ+vq)#*g{I=!N|&X$vaoiIc961|(+!4{zeMBQEcT4^H=p^e4d<87 zIrsbx7i>QD{LLXrQhIQr2FHm@W24H8(#DhGEL56oQ>F&&()wDL#oESABohRUT_b~2 z&p-dvXO}NH^En&Jo1eXDL%Hl7rOIH3jjFcaasS0QGSuvB5M58ajk(1Qk2@q!$P9bU zdcBhdqOo$|4rZb|$qa1W=X#N)XQS92u-Q_y!|2o~vN>|P!UDQh7`Nrhv}!5!hu+f| 
zux0kc-JET+Gvh|PTiqc?3AKD3a44~a<=)m-wV3vGKv87Ng`yyC9E*~r()ugB{N+l& zuQP)kUfJQ0f(>)=`9`f-53@_oW4h60Ftg;;REvcQwZK z9Ly4V16o0wOJ^aPt#{7_O~2B+?3kFs?zN?FtxbKa>v2K22W+yvrpb#h3l1n`7IXhzHX( zY)v1tY(tfiW{^HJaJ{OirC3J_g%`(UH0)?nW(g`z=vKC1#*LN|JX1_s!j!Ca3R+hr zrm5@*D@LQkvp$Z*JUV*-O4wyXXQxvd9F6YQl-lv=plnlsY_+~Xjjpiy+a8Zj-_n}u zIhn92pP2QLCRZgj@z1yEep{BsZI;cv1D)Mz9i>S$t_n2kg!YyeQVx zis^wH?;HmR$m8coo8&R;5YOuvk0GWb^JvB~F6X-5)vlFj3#(kl`_xvB z3d0uG_;qKtwbgo4Q%_MUOLfPKyR*EDmiiExwk)v~5~w1!sbM9>l4!Ig_Y<1V{2*p@p^yB;ZenyJlnZN_mK>zJjxS{!KVnb!F> z&dr=-JZMhI7Kid2tJsmF?~^ndc+%I1-i>J~EJta_lI0mXma86*wDAU7$?4FH7sj(v z#-*k-Rok2%H;}S%S4*jYAHs!MrYuTH8jj5s&+$K});CDLc)Qx1i~?ZPHOM z>%5wEx0d_CT*<>erU_LBYg4Q3F=-vP^R|W4014XlM(63fOdL4P6E{K8UBs_Vd@AfW zY4UED!(UGDusNLOG_82NG5l;$%|2nN)();&I*a@D#gglc!4_UN5* zs~gzMw>9t>gqS}Q0!;vQSfI}jSig$4RJuAAW{b`_93zAtE%RLH%ykE0nr~QY^`5p^ zHgz}gIQ=!|IOFHqQ0uU2U_ZkR4$T%=B=DaQnK6}h1)C1hGGlxADReaGXmXL`&Mr1U zIs}T3#JM4|KM@lchG)mhCLU;2Xq}i7r-2+j&JXkjkfwL$TK4sPjbO|8cq$zYFP;R+ zd|8vkZ&M1Qw36&c+a{N8P8xboy;tL)kvAp4;4d-kwv!C0%p?vy=Q%?^Mk#4x;%*_uY zJ^%c3&wr@++>IL_Dm?R?Q`g%%>>+u(+}xloDGP-(v!xBDIk4>EqnS2rd1vOzMra<7 zKRPdKv}W0(Q%Rd|SQl0Cm)edPvCNkz93|qMJ4((jjL^0$vQED9VkYryZ3J=(VFxUD z9_;{G+h7Uv6^?6J{Z$)$H`eGx8;`5`++1(#{1iJV8BnxQ zSu0ClzRZ%@=o@2w?ZPf%PFr?;A%^Lu_K07mvHqCHYUPWqMbbdyM9I$v%WHWs#-~U2j@>cxvh8)XZGTTs-EqMerap+Y658%yz8>v@~?J=zZ*9)E694 zPbZu`PB>?`=(s8M3MVf!EG@Oa@HGdmphItV-}cqTQqnBeb}(uS)-gOkz`JV1DqgVAUxqTbcvn)<rrWNUzQ5QC(kSat8kfTN(mq2niPS6e8i(|U%SO&2 zTD#1AX*?O(uvr>XaS70w-O5@{2mkgetqJ1|Ex+Qag{=t86usDfggiaKpDk3nYsHDpL(>1cpsqN5y`(0UB4_?DbhvvukDcg*dN^fce@Nhn&$ZVQd(m zR_&pF@RYrdAJ16aU3*;Uu059P7_N2Lc$iv*)^e>0-IGH1#K2i$bulokdJQJ8U{kwf z{Jw|9H1Fj56K3vM8h(;vf>_$PFE!?Md|7JCh|0p^ackMUj&?HB9r~KJWBk!qIVEYG zd1NWcQdw5VmeFrKOu`I+16^%;<870~vId?tP$!ch}mP#X;v4lIAmb+Rs&q;brNC-|~lzLhm78|B!}_MP5h9>N1YNkv&4_l~25tB!4T9GQ;emVPP_U905Hx_z5b)vrdF2jdLor!sL% zK$F>KPhL3wVr3+eO~re~aTK}m-Ln1iApJOD^tFer(&H4#Zq$AO6Mqk~rg+DEBs(1_5wfOvOOECE?EU9K=z{> zpYTX>zPxm9=RfMy>Pq{XRC|*8t&F#Yot4;ueJqHjea&eOFLtwP8hk-zTQhl?;yJb* 
zmHVm8sIL+FYxMv7HDN#7jeozPzu|Z_*EX)Jxb$=8qqzKM<@#F_{e6MS;!mCV`yA5G z;yRc=Opr|JEnK@C8+DbwiR*wPFlMl#Gfa}KMgto9R-z>KNlGN_n!3A=3NWv30OMcWM2$|+9~~(DB~Od>^K`n#g3@{>vsBbodegG>USvp^qzJ6JH+p_d+ z%hF$3mj2$d^iP(h|FkT4)od;;_NgMhCY*iRX=}>sVrl;0KQAH+`@@oD zSsmjYboDa1H^WG(w66Fk3nTH!9+o7L)PBWq9Etzw`MZnCaPlchycUqp$&w(&?Ff5$ zdN*R#Gd-W=)5!FG`GI2COF}|%oGI;Mp@nn!lx%q$>c5wxu)My@pYNixT&CwHT=@Gr zrIy0-{94?4xccwq^`G!ZRe$-w<@M)pe;@Y!`_9J)^*5Kru>AeX^WomV#^0YZ*ZZZn x{QXZyw$s@UN;~Hog*9$}%iDEXaqPe6y}a*~$t7wS!mTl~V#s@@_siES{2x4&=HCDS literal 0 HcmV?d00001 diff --git a/34-iter-task-hello/cilium-ebpf/main.go b/34-iter-task-hello/cilium-ebpf/main.go new file mode 100644 index 0000000..a8e7969 --- /dev/null +++ b/34-iter-task-hello/cilium-ebpf/main.go @@ -0,0 +1,61 @@ +package main + +import ( + "bufio" + "log" + "strings" + "syscall" + + "github.com/cilium/ebpf/link" + "github.com/cilium/ebpf/rlimit" +) + +// $BPF_CLANG and $BPF_CFLAGS are set by the Makefile +// +//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../main.bpf.c -- -I../ -I../output + +type RawLinkReader struct { + l *link.RawLink +} + +func (r *RawLinkReader) Read(p []byte) (n int, err error) { + return syscall.Read(r.l.FD(), p) +} + +func (r *RawLinkReader) Close() error { + return syscall.Close(r.l.FD()) +} + +func main() { + if err := rlimit.RemoveMemlock(); err != nil { + log.Fatal(err) + } + + objs := bpfObjects{} + if err := loadBpfObjects(&objs, nil); err != nil { + log.Fatal(err) + } + defer objs.Close() + + iter, err := link.AttachIter(link.IterOptions{ + Program: objs.IterTask, + }) + if err != nil { + log.Println(err) + return + } + + reader, err := iter.Open() + if err != nil { + log.Println(err) + return + } + defer reader.Close() + + scanner := bufio.NewScanner(reader) + for scanner.Scan() { + fields := strings.Split(scanner.Text(), "\t") + log.Printf("ppid: %s, pid: %s, comm: %s", fields[0], fields[1], fields[2]) + } + +} 
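Review bot: The read loop at the end of `main` indexes `fields[0]`, `fields[1]` and `fields[2]` without checking how many fields `strings.Split` returned, so any line with fewer than two tabs panics with an index out of range. The records come from `BPF_SEQ_PRINTF` in main.bpf.c, which writes `task->comm` unescaped, and comm is set by the process it describes and can contain a tab or a newline, so a short or over-long line is reachable from ordinary system state. The loop also never checks `scanner.Err()`, so a read error ends the output silently, and `%s` prints comm's control characters straight into the log. The same loop appears in 34-iter-task-hello/main.go and needs the same guard.

```go
	// … unchanged: rlimit, object load, AttachIter and iter.Open …
	scanner := bufio.NewScanner(reader)
	for scanner.Scan() {
		// comm is the last field and may itself contain tabs: split at most twice.
		fields := strings.SplitN(scanner.Text(), "\t", 3)
		if len(fields) < 3 {
			log.Printf("skipping malformed record: %q", scanner.Text())
			continue
		}
		// %q keeps control characters in comm from altering the log line.
		log.Printf("ppid: %s, pid: %s, comm: %q", fields[0], fields[1], fields[2])
	}
	if err := scanner.Err(); err != nil {
		log.Println(err)
	}
```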
diff --git a/34-iter-task-hello/common.h b/34-iter-task-hello/common.h
new file mode 100644
index 0000000..fbc150b
--- /dev/null
+++ b/34-iter-task-hello/common.h
@@ -0,0 +1,5 @@
+struct event {
+ u64 pid;
+ long long ret;
+ char filename[256];
+};
diff --git a/34-iter-task-hello/main.bpf.c b/34-iter-task-hello/main.bpf.c
new file mode 100644
index 0000000..f96e718
--- /dev/null
+++ b/34-iter-task-hello/main.bpf.c
@@ -0,0 +1,22 @@
+#include "vmlinux.h"
+
+#include
+#include
+#include
+
+
+SEC("iter/task")
+// int BPF_PROG(iter__task) {
+int iter__task(struct bpf_iter__task *ctx) {
+ struct seq_file *seq = ctx->meta->seq;
+ struct task_struct *task = ctx->task;
+ if (task == NULL)
+ return 0;
+
+ BPF_SEQ_PRINTF(seq, "%d\t%d\t%s\n", task->parent->pid, task->pid, task->comm);
+
+ return 0;
+}
+
+
+char _license[] SEC("license") = "GPL";
diff --git a/34-iter-task-hello/main.go b/34-iter-task-hello/main.go
new file mode 100644
index 0000000..e46d3fb
--- /dev/null
+++ b/34-iter-task-hello/main.go
@@ -0,0 +1,40 @@
+package main
+
+import (
+ "bufio"
+ "log"
+ "strings"
+
+ bpf "github.com/aquasecurity/libbpfgo"
+)
+
+func main() {
+ bpfModule, err := bpf.NewModuleFromFile("main.bpf.o")
+ if err != nil {
+ panic(err)
+ }
+ defer bpfModule.Close()
+
+ if err := bpfModule.BPFLoadObject(); err != nil {
+ panic(err)
+ }
+ prog, err := bpfModule.GetProgram("iter__task")
+ if err != nil {
+ panic(err)
+ }
+ link, err := prog.AttachIter(bpf.IterOpts{})
+ if err != nil {
+ panic(err)
+ }
+ reader, err := link.Reader()
+ if err != nil {
+ panic(err)
+ }
+ defer reader.Close()
+
+ scanner := bufio.NewScanner(reader)
+ for scanner.Scan() {
+ fields := strings.Split(scanner.Text(), "\t")
+ log.Printf("ppid: %s, pid: %s, comm: %s", fields[0], fields[1], fields[2])
+ }
+}
diff --git a/README.rst b/README.rst
index 5e305e3..67dee79 100644
--- a/README.rst
+++ b/README.rst
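Review bot: The commented-out `// int BPF_PROG(iter__task) {` between `SEC("iter/task")` and the real signature in main.bpf.c reads as dead code and does not say why the plain signature was chosen; I would drop it or turn it into a comment that explains the choice. The program also has no comment describing the record it emits, so above `BPF_SEQ_PRINTF` I would add `/* one record per task: ppid \t pid \t comm \n; comm is written unescaped */`. That tells whoever parses the seq_file output that the framing depends on comm's contents.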
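Review bot: In 34-iter-task-hello/main.go, `bpf.NewModuleFromFile("main.bpf.o")` resolves the object relative to the current working directory. Loading BPF programs normally needs elevated privileges, so whatever file of that name sits in the directory the binary is started from gets loaded into the kernel. The cilium-ebpf variant in this commit avoids this by embedding the object with `//go:embed`. Here I would do the same with `//go:embed main.bpf.o` on a `var bpfObj []byte` and `bpf.NewModuleFromBuffer(bpfObj, "main.bpf.o")`, or at least resolve the path relative to the executable.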
@@ -6,7 +6,6 @@ hello-libbpfgo Examples for libbpf, `aquasecurity/libbpfgo `__ and `cilium/ebpf `__. -https://mozillazg.com/tag/libbpf.html setup develop env @@ -21,6 +20,7 @@ Program Types ------------------ +Examples by program type: +-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ | Program Type | Attach Type | ELF Section Name | Examples | @@ -169,7 +169,7 @@ Program Types + + +----------------------------------+-----------------------+ | | | ``fexit.s+`` | | + +----------------------------------------+----------------------------------+-----------------------+ -| | ``BPF_TRACE_ITER`` | ``iter+`` | | +| | ``BPF_TRACE_ITER`` | ``iter+`` |`34`_ | + + +----------------------------------+-----------------------+ | | | ``iter.s+`` | | + +----------------------------------------+----------------------------------+-----------------------+ @@ -185,7 +185,7 @@ Program Types + +----------------------------------------+----------------------------------+-----------------------+ | | ``BPF_XDP`` | ``xdp.frags`` | | + + +----------------------------------+-----------------------+ -| | | ``xdp`` | | +| | | ``xdp`` |`33`_ | +-------------------------------------------+----------------------------------------+----------------------------------+-----------------------+ @@ -210,5 +210,8 @@ Program Types .. _30: 30-ksyscall-hello .. _31: 31-ksyscall-hello-with-macro .. _32: 32-fentry-hello +.. _33: 33-xdp-hello +.. _34: 34-iter-task-hello +https://mozillazg.com/tag/libbpf.html