eBPF
eBPF, short for extended Berkeley Packet Filter, is a sandboxed in-kernel virtual machine and instruction set that lets user-supplied programs run inside the Linux kernel in a safe, controlled way. It extends the classic BPF beyond packet filtering to support packet processing, tracing, performance monitoring, and policy enforcement without recompiling the kernel or loading kernel modules. Programs execute in kernel space, but the kernel verifies each one before it is allowed to run, so that it cannot corrupt kernel memory or execute without bound.
When loaded, a program is compiled to eBPF bytecode (often from C/C++) using LLVM/Clang, then submitted via
eBPF programs can run in interpreted form or be Just-In-Time compiled to native code for performance. They
Use cases span networking, security, observability, and performance monitoring. Tools such as bpftrace, BCC, libbpf, and
Overall, eBPF provides a flexible, low-overhead method to extend kernel functionality at runtime, enabling custom networking,
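As an added example, not from the original text, to make the bytecode and verifier description concrete: a small Python encoder for the 64-bit eBPF instruction format, used to assemble the classic `mov r0, 0; exit` program, followed by a toy static check that mimics a few of the structural rejections the kernel verifier performs. The opcode constants come from the Linux UAPI `bpf.h`; `check_program` is a hypothetical, deliberately simplified stand-in and not the real verifier.

```python
import struct

# Opcode building blocks (values as in the Linux UAPI bpf.h)
BPF_ALU64, BPF_JMP = 0x07, 0x05              # instruction classes (low 3 bits of code)
BPF_MOV, BPF_EXIT, BPF_K = 0xb0, 0x90, 0x00
OP_MOV64_IMM = BPF_ALU64 | BPF_MOV | BPF_K   # 0xb7: dst = imm
OP_EXIT = BPF_JMP | BPF_EXIT                 # 0x95: return r0
MAX_REG = 10                                 # r0..r10 (r10 is the read-only frame pointer)
WRITES_DST = {0x0, 0x1, 0x4, 0x7}            # classes LD, LDX, ALU, ALU64 write dst_reg

def encode(code, dst=0, src=0, off=0, imm=0):
    """Pack one instruction as the little-endian struct bpf_insn:
    u8 code, u8 dst_reg:4 | src_reg:4, s16 off, s32 imm (8 bytes total)."""
    return struct.pack("<BBhi", code, (src << 4) | dst, off, imm)

def decode(raw):
    """Unpack one 8-byte instruction into its fields."""
    code, regs, off, imm = struct.unpack("<BBhi", raw)
    return {"code": code, "dst": regs & 0xF, "src": regs >> 4, "off": off, "imm": imm}

def mov64_imm(dst, imm):
    return encode(OP_MOV64_IMM, dst=dst, imm=imm)

def exit_insn():
    return encode(OP_EXIT)

def check_program(prog):
    """Toy stand-in (hypothetical) for a few of the kernel verifier's structural
    checks: stream shape, a terminating exit, register range, return value set."""
    if not prog or len(prog) % 8:
        return False, "empty or truncated instruction stream"
    insns = [decode(prog[i:i + 8]) for i in range(0, len(prog), 8)]
    if insns[-1]["code"] != OP_EXIT:
        return False, "last instruction is not BPF_EXIT (would fall off the end)"
    for n, d in enumerate(insns):
        if d["dst"] > MAX_REG or d["src"] > MAX_REG:
            return False, f"insn {n}: register out of range r0..r{MAX_REG}"
    if not any(d["code"] & 0x7 in WRITES_DST and d["dst"] == 0 for d in insns):
        return False, "r0 (return value) is never written before exit"
    return True, "ok"

# Constructed sample: the classic two-instruction program "mov r0, 0; exit"
RETURN_ZERO = mov64_imm(0, 0) + exit_insn()

if __name__ == "__main__":
    print(RETURN_ZERO.hex())           # prints b7000000000000009500000000000000
    print(check_program(RETURN_ZERO))  # prints (True, 'ok')
    print(check_program(exit_insn()))  # rejected: r0 never written
```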