eBPF - extended Berkeley Packet Filter
Introduction
The Berkeley Packet Filter (BPF) started (article from 1992) as a special-purpose virtual machine (a register-based filter evaluator) for filtering network packets, best known for its use in tcpdump. It is documented in the kernel tree, in the first part of Documentation/networking/filter.txt.
The extended BPF (eBPF) variant has become a universal in-kernel virtual machine with hooks all over the kernel. The eBPF instruction set is quite different from classic BPF; see the description in the section “BPF kernel internals” of Documentation/networking/filter.txt, or look at this presentation by Alexei.
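As an added illustration of that instruction format (example code written for this page, not from the kernel tree's samples/bpf/ or tools/lib/bpf/): every eBPF instruction is a fixed 8-byte struct bpf_insn holding an opcode byte, the dst/src register nibbles, a 16-bit offset and a 32-bit immediate. The opcode constants are the values from the kernel's include/uapi/linux/bpf_common.h and bpf.h; the tiny interpreter deliberately supports only ALU64 mov/add/sub and exit, and the two sample programs are constructed here.

```python
import struct

# Opcode class, operation and source bits (values from the kernel UAPI headers)
BPF_JMP, BPF_ALU64 = 0x05, 0x07          # instruction class (low 3 bits)
BPF_ADD, BPF_SUB, BPF_MOV = 0x00, 0x10, 0xb0   # ALU operation (high 4 bits)
BPF_K, BPF_X = 0x00, 0x08                # operand: immediate or src register
BPF_EXIT = 0x90                          # JMP-class "exit"
MASK64 = (1 << 64) - 1
# struct bpf_insn: u8 code; u8 dst_reg:4, src_reg:4; s16 off; s32 imm (little endian)
INSN = struct.Struct("<BBhi")

def encode(code, dst=0, src=0, off=0, imm=0):
    """Pack one eBPF instruction into its 8-byte wire form."""
    return INSN.pack(code, (src << 4) | dst, off, imm)

def decode(blob):
    """Split a program blob into (code, dst, src, off, imm) tuples."""
    return [(code, regs & 0xf, regs >> 4, off, imm)
            for code, regs, off, imm in INSN.iter_unpack(blob)]

def run(blob, r1=0):
    """Interpret the supported subset with 11 64-bit registers; return r0.

    r1 carries the program's context argument, r0 the return value, as
    in the real calling convention. Unsupported opcodes raise ValueError.
    """
    regs = [0] * 11
    regs[1] = r1 & MASK64
    for code, dst, src, off, imm in decode(blob):
        cls, op, use_reg = code & 0x07, code & 0xf0, code & 0x08
        # A 32-bit immediate is sign-extended to 64 bits before use
        operand = regs[src] if use_reg == BPF_X else imm & MASK64
        if cls == BPF_ALU64 and op == BPF_MOV:
            regs[dst] = operand
        elif cls == BPF_ALU64 and op == BPF_ADD:
            regs[dst] = (regs[dst] + operand) & MASK64
        elif cls == BPF_ALU64 and op == BPF_SUB:
            regs[dst] = (regs[dst] - operand) & MASK64
        elif cls == BPF_JMP and op == BPF_EXIT:
            return regs[0]
        else:
            raise ValueError(f"unsupported opcode 0x{code:02x}")
    raise ValueError("program ran off the end without an exit")

# Constructed sample 1: the smallest XDP program, "return XDP_PASS" (2)
XDP_PASS = 2
XDP_PASS_PROG = (encode(BPF_ALU64 | BPF_MOV | BPF_K, dst=0, imm=XDP_PASS)
                 + encode(BPF_JMP | BPF_EXIT))
# Constructed sample 2: r0 = r1 + 40; exit
ADD40_PROG = (encode(BPF_ALU64 | BPF_MOV | BPF_X, dst=0, src=1)
              + encode(BPF_ALU64 | BPF_ADD | BPF_K, dst=0, imm=40)
              + encode(BPF_JMP | BPF_EXIT))
```

The first program assembles to the familiar bytes `b7 00 00 00 02 00 00 00 95 00 00 00 00 00 00 00`, the same encoding the kernel verifier receives through the bpf(2) syscall.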
- Areas using eBPF:
  - XDP - eXpress Data Path
  - Traffic control
  - Sockets
  - Firewalling (xt_bpf module)
  - Tracing
    - Tracepoints
    - kprobe (dynamic tracing of a kernel function call)
  - cgroups
Documentation
The primary user documentation for extended BPF is in the man-page for the bpf(2) syscall.
An excellent BPF and XDP Reference Guide is being maintained by the Cilium project.
This documentation is focused on the kernel tree's samples/bpf/ and tools/lib/bpf/. It is worth mentioning that other projects exist, such as BCC (BPF Compiler Collection), which has a slightly different user-facing syntax but interfaces with the same kernel facilities as those covered by this documentation.