SPEC.md
61 additions & 0 deletions
@@ -877,6 +877,67 @@ fn main() -> i32 {
877
877
|**Scoping**| Shared or local | Always shared | Always shared | Always shared |
878
878
|**Persistence**| No | Yes (filesystem) | Optional (if pinned) | No |
879
879
880
+
#### 3.3.7 Sysctl Variables
881
+
882
+
The `@sysctl` attribute turns a userspace global into a typed handle for a `/proc/sys/...` knob. Reading the variable opens and parses the corresponding `/proc/sys` file; writing it formats the value and writes the file. Userspace code controls when each access happens — there is no auto-apply or auto-restore.
883
+
884
+
**Syntax:**
885
+
886
+
```kernelscript
887
+
@sysctl("net.core.somaxconn") var somaxconn: u32
888
+
@sysctl("net.ipv4.ip_forward") var ip_forward: bool
889
+
@sysctl("kernel.hostname") var hostname: str(64)
890
+
```
891
+
892
+
The attribute argument is the dotted path under `/proc/sys`. The declared type is the wire type after parsing the file's text contents.
893
+
894
+
**Constraints (enforced at compile time):**
895
+
896
+
- Allowed types: `u8/u16/u32/u64`, `i8/i16/i32/i64`, `bool` (rendered as `0`/`1`), `str(N)`. Struct, array, and map types are rejected.
897
+
- The path must be a non-empty dotted string with no `/` and no `..`.
898
+
- No initializer — values come from the kernel.
899
+
- Cannot be combined with `pin` or `local`.
900
+
-**Userspace only.** A sysctl handle referenced from `@xdp`, `@tc`, `@probe`, `@tracepoint`, `@helper`, or `@kfunc` is a compile-time error. Those contexts have no filesystem access.
901
+
902
+
**Semantics:**
903
+
904
+
- Reads happen on every access; writes happen on every assignment. There is no caching.
905
+
- Failures (`EACCES`, `EINVAL`, `ENOENT`, ...) are reported via the standard error path.
906
+
- The eBPF and kernel-module outputs do not contain sysctl globals — they exist only in the userspace binary.
907
+
908
+
**Examples:**
909
+
910
+
Tuning a knob the eBPF program needs:
911
+
912
+
```kernelscript
913
+
@sysctl("net.core.bpf_jit_enable") var bpf_jit: bool
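Review bot: The Semantics list does not say what a read returns when the file's contents do not fit the declared type, and the last example already hits that case: `net.core.bpf_jit_enable` is declared `bool`, but the kernel also accepts `2` for that knob (JIT with debug output), so a `bool` handle has no defined result on such a host. Suggest adding a bullet stating that a read fails through the standard error path, rather than truncating or coercing, when the text is out of range for the integer width, is not `0`/`1` for `bool`, or is longer than `N` for `str(N)`. The bullet should also say whether the trailing newline is stripped before parsing. Separately, in Constraints, the path rule rejects `/` and `..` but says nothing about a leading or trailing `.` or about which characters a segment may contain; since the string becomes a file name under `/proc/sys`, the spec should give the exact accepted grammar. Banning `/` also leaves knobs under interface names that contain a dot (for example a VLAN interface under `net.ipv4.conf`) unaddressable, which is worth documenting as a known limitation.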