eBPF - extended Berkeley Packet Filter

Introduction

The Berkeley Packet Filter (BPF) started (described in a 1992 article) as a special-purpose virtual machine (a register-based filter evaluator) for filtering network packets, best known for its use in tcpdump. It is documented in the kernel tree, in the first part of Documentation/networking/filter.txt.

The extended BPF (eBPF) variant has become a universal in-kernel virtual machine with hooks all over the kernel. The eBPF instruction set is quite different; see the description in the section “BPF kernel internals” of Documentation/networking/filter.txt, or look at this presentation by Alexei.
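To make the "register-based filter evaluator" of the classic BPF paragraph concrete, here is an added example that is not from the kernel tree or from this documentation: a minimal classic-BPF interpreter in C covering the handful of opcodes a typical tcpdump filter uses, run over a constructed Ethernet/IPv4 frame. The instruction layout mirrors struct sock_filter, and the opcode values and the sample program are what `tcpdump -dd 'ip and udp'` emits; the frame builder, `cbpf_run`, `build_frame` and `demo_verdict` are this example's own names. It shows the two properties that let the kernel run a filter supplied from user space safely: an out-of-bounds load drops the packet instead of reading past it, and jumps only go forward, so evaluation always terminates. The eBPF instruction set described in the following paragraph is different and is not modelled here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One classic BPF instruction; same layout as struct sock_filter in
 * <linux/filter.h>: 16-bit opcode, two 8-bit jump offsets, 32-bit immediate. */
struct cbpf_insn {
    uint16_t code;
    uint8_t  jt;
    uint8_t  jf;
    uint32_t k;
};

/* The opcode subset a typical tcpdump filter needs (values as tcpdump -dd prints). */
enum {
    CBPF_LD_H_ABS = 0x28,  /* A = u16 at pkt[k] (network byte order) */
    CBPF_LD_B_ABS = 0x30,  /* A = u8  at pkt[k] */
    CBPF_JEQ_K    = 0x15,  /* pc += 1 + (A == k ? jt : jf) */
    CBPF_RET_K    = 0x06,  /* return k (bytes to accept; 0 = drop) */
    CBPF_RET_A    = 0x16,  /* return A */
};

#define CBPF_MAXINSNS 4096  /* BPF_MAXINSNS in the kernel */

/* Evaluate a classic BPF program over one packet. Returns the accept length
 * (0 = drop). Like the kernel: an out-of-bounds load drops the packet, jumps
 * only go forward, and an unknown opcode rejects, so evaluation always ends. */
uint32_t cbpf_run(const struct cbpf_insn *prog, size_t n_insns,
                  const uint8_t *pkt, size_t len)
{
    uint32_t A = 0;   /* accumulator; the index register X is unused here */
    size_t pc = 0;

    if (n_insns == 0 || n_insns > CBPF_MAXINSNS)
        return 0;

    while (pc < n_insns) {
        const struct cbpf_insn *in = &prog[pc];
        uint32_t k = in->k;

        switch (in->code) {
        case CBPF_LD_H_ABS:
            if (k > len || len - k < 2) return 0;   /* bounds check */
            A = (uint32_t)pkt[k] << 8 | pkt[k + 1];
            pc++;
            break;
        case CBPF_LD_B_ABS:
            if (k >= len) return 0;                 /* bounds check */
            A = pkt[k];
            pc++;
            break;
        case CBPF_JEQ_K:
            pc += 1 + (A == k ? in->jt : in->jf);   /* forward-only jump */
            break;
        case CBPF_RET_K:
            return k;
        case CBPF_RET_A:
            return A;
        default:
            return 0;  /* the kernel would refuse to load such a program */
        }
    }
    return 0;  /* ran off the end: treat as drop */
}

/* Equivalent to what `tcpdump -dd 'ip and udp'` emits for an Ethernet link. */
static const struct cbpf_insn udp_filter[] = {
    { 0x28, 0, 0, 0x0000000c },  /* ldh [12]             ; A = EtherType   */
    { 0x15, 0, 3, 0x00000800 },  /* jeq #0x800 jt 2 jf 5 ; IPv4?           */
    { 0x30, 0, 0, 0x00000017 },  /* ldb [23]             ; A = IP protocol */
    { 0x15, 0, 1, 0x00000011 },  /* jeq #0x11 jt 4 jf 5  ; UDP?            */
    { 0x06, 0, 0, 0x00040000 },  /* ret #262144          ; accept          */
    { 0x06, 0, 0, 0x00000000 },  /* ret #0               ; drop            */
};

/* Constructed (not captured) Ethernet + minimal IPv4 header + 8 zero bytes.
 * Only the fields the filter reads are filled in. Returns the frame length. */
size_t build_frame(uint8_t *buf, size_t cap, uint16_t ethertype, uint8_t proto)
{
    const size_t len = 14 + 20 + 8;
    if (cap < len) return 0;
    memset(buf, 0, len);
    buf[12] = (uint8_t)(ethertype >> 8);
    buf[13] = (uint8_t)(ethertype & 0xff);
    buf[14] = 0x45;      /* version 4, IHL 5 */
    buf[23] = proto;     /* IPv4 protocol field: Ethernet header (14) + 9 */
    return len;
}

/* Hypothetical helper: build a frame, optionally truncate it to `cut` bytes
 * (as a short capture would), and return the filter's verdict. */
uint32_t demo_verdict(uint16_t ethertype, uint8_t proto, size_t cut)
{
    uint8_t frame[64];
    size_t n = build_frame(frame, sizeof frame, ethertype, proto);
    if (cut < n) n = cut;
    return cbpf_run(udp_filter, sizeof udp_filter / sizeof udp_filter[0], frame, n);
}

int main(void)
{
    printf("IPv4/UDP  : %u\n", demo_verdict(0x0800, 17, 64));  /* 262144 */
    printf("IPv4/TCP  : %u\n", demo_verdict(0x0800, 6, 64));   /* 0 */
    printf("ARP       : %u\n", demo_verdict(0x0806, 17, 64));  /* 0 */
    printf("truncated : %u\n", demo_verdict(0x0800, 17, 20));  /* 0 */
    return 0;
}
```

The truncated case is the one worth noticing: the filter reaches `ldb [23]` on a 20-byte frame and the interpreter returns 0 rather than reading beyond the buffer, which is exactly the guarantee the in-kernel evaluator gives for a filter program that user space chose.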

Areas using eBPF:

Documentation

The primary user documentation for extended BPF is in the man-page for the bpf(2) syscall.

An excellent BPF and XDP Reference Guide is being maintained by the Cilium project.

This documentation focuses on the kernel tree's samples/bpf/ and tools/lib/bpf/. Other projects exist, such as BCC (BPF Compiler Collection), which has a slightly different user-facing syntax but interfaces with the same kernel facilities as those covered here.