varun-r-mallya/python-bpf
1
0
Fork 0
mirror of https://github.com/varun-r-mallya/Python-BPF.git synced 2026-02-07 13:40:59 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
c1e90b9d466210d8c25f5bdb8f5fb1997db599e1
python-bpf/docs/user-guide/index.md
copilot-swe-agent[bot] c1e90b9d46 Add comprehensive Sphinx documentation structure and content 
Co-authored-by: r41k0u <76248539+r41k0u@users.noreply.github.com>
2026-01-20 22:06:00 +00:00

2.9 KiB
Raw Blame History

User Guide

This user guide provides comprehensive documentation for all PythonBPF features. Whether you're building simple tracing tools or complex performance monitoring systems, this guide will help you master PythonBPF.

Overview

PythonBPF transforms Python code into eBPF bytecode that runs in the Linux kernel. It provides a Pythonic interface to eBPF features through decorators, type annotations, and familiar programming patterns.

Core Concepts

Decorators

PythonBPF uses decorators to mark code for BPF compilation:

  • @bpf - Mark functions and classes for BPF compilation
  • @map - Define BPF maps for data storage
  • @struct - Define custom data structures
  • @section(name) - Specify attachment points
  • @bpfglobal - Define global variables

Compilation Pipeline

Your Python code goes through several stages:

  1. AST Parsing - Python code is parsed into an Abstract Syntax Tree
  2. IR Generation - The AST is transformed into LLVM IR using llvmlite
  3. BPF Compilation - LLVM IR is compiled to BPF bytecode using llc
  4. Loading - The BPF object is loaded into the kernel using libbpf
  5. Attachment - Programs are attached to kernel hooks (tracepoints, kprobes, etc.)

Guide Contents

:maxdepth: 2

decorators
maps
structs
compilation
helpers

Code Organization

When writing BPF programs with PythonBPF, we recommend:

  1. Keep BPF code in separate files - Easier to manage and test
  2. Use type hints - Required for proper code generation
  3. Follow naming conventions - Use descriptive names for maps and functions
  4. Document your code - Add comments explaining BPF-specific logic
  5. Test incrementally - Verify each component works before adding complexity

Type System

PythonBPF uses Python's ctypes module for type definitions:

  • c_int8, c_int16, c_int32, c_int64 - Signed integers
  • c_uint8, c_uint16, c_uint32, c_uint64 - Unsigned integers
  • c_char, c_bool - Characters and booleans
  • c_void_p - Void pointers
  • str(N) - Fixed-length strings (e.g., str(16) for 16-byte string)

Example Structure

A typical PythonBPF program follows this structure:

from pythonbpf import bpf, map, section, bpfglobal, BPF
from pythonbpf.maps import HashMap
from ctypes import c_void_p, c_int64, c_uint32

# Define maps
@bpf
@map
def my_map() -> HashMap:
    return HashMap(key=c_uint32, value=c_uint64, max_entries=1024)

# Define BPF function
@bpf
@section("tracepoint/...")
def my_function(ctx: c_void_p) -> c_int64:
    # BPF logic here
    return c_int64(0)

# License (required)
@bpf
@bpfglobal
def LICENSE() -> str:
    return "GPL"

# Compile, load, and run
if __name__ == "__main__":
    b = BPF()
    b.load_and_attach()
    # Use the program...

Next Steps

Start with {doc}decorators to learn about all available decorators, then explore the other sections to master specific features.