On Thu, 14 Mar 2019 08:27:48 -0400 Joel Fernandes <joel@xxxxxxxxxxxxxxxxx> wrote: > > But the eBPF is based on kprobe-events. What kind of usage would you > > expected? (with macros??) > > eBPF C programs are compiled with kernel headers. They can execute inline > functions or refer to macros in the kernel headers. They are similar to > kernel modules where you build a C program that then later is executed in > kernel context. It goes through the whole compiler pipeline. This is slightly > different usage from pure kprobe-events. Also eBPF kprobe programs need > LINUX_VERSION_CODE (or similarly named) macro which it provides to the bpf(2) > syscall when loading kprobe programs. This is because eBPF implementation in > the kernel checks if the eBPF programs that use kprobes are being loaded > against the right kernel. Ah, I got it. It's similar to SystemTap. :) Thank you, -- Masami Hiramatsu <mhiramat@xxxxxxxxxx>