eBPF

eBPF, short for extended Berkeley Packet Filter, is a sandboxed in-kernel virtual machine and instruction set that lets user-supplied programs run inside the Linux kernel in a safe, controlled way. It extends the classic BPF to support packet processing, tracing, performance monitoring, and policy enforcement without kernel recompilation or modules. Programs run in kernel space but are verified before execution to ensure safety and resource limits.

Before loading, a program is compiled to eBPF bytecode (often from C/C++) using LLVM/Clang, then submitted via the bpf system call to the kernel. The in-kernel verifier checks type safety, bounds, and control flow, rejecting unsafe programs. Valid programs attach to hooks and access in-kernel maps shared with user space; helper functions provide kernel services such as tracing, socket operations, and map updates.

eBPF programs can run in interpreted form or be Just-In-Time compiled to native code for performance. They attach to various hooks, including kprobes, uprobes, tracepoints, cgroups, and XDP for fast packet processing. XDP enables early, low-latency filtering, shaping, and load balancing directly in the network path or NIC driver.

Use cases span networking, security, observability, and performance monitoring. Tools such as bpftrace, BCC, libbpf, and bpftool help write, load, and debug eBPF programs; maps and perf buffers enable kernel-user communication. The ecosystem emphasizes safety, portability, and incremental deployment, with ongoing kernel improvements expanding helpers, map types, and attachment options.

Overall, eBPF provides a flexible, low-overhead method to extend kernel functionality at runtime, enabling custom networking, tracing, and policy enforcement without kernel modules.
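The verifier's bounds checks, the user-space-shared map, and the XDP hook described above, shown together in a small source-address blocklist. This is an added example, not code from the page: the map name `blocklist`, the program name `xdp_blocklist`, the entry 192.0.2.1 and the native `verdict_for_source` harness are all constructed here; the BPF build assumes libbpf's `bpf/bpf_helpers.h` is installed.

```c
/* Added XDP example, not the page's own code: drop IPv4 frames whose source address
 * is in a blocklist map. clang -O2 -target bpf builds a real XDP program; a native build runs the same parser for testing. */
#include <stdint.h>
#include <stddef.h>
struct eth_hdr  { uint8_t dst[6], src[6], proto[2]; } __attribute__((packed));
struct ipv4_hdr { uint8_t ver_ihl, tos; uint16_t tot_len, id, frag; uint8_t ttl, proto;
                  uint16_t csum; uint32_t saddr, daddr; } __attribute__((packed));
#ifdef __BPF__
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
/* Hash map shared with user space, which inserts raw network-order addresses. */
struct { __uint(type, BPF_MAP_TYPE_HASH); __uint(max_entries, 1024);
         __type(key, uint32_t); __type(value, uint8_t); } blocklist SEC(".maps");
static inline int is_blocked(uint32_t saddr) { return bpf_map_lookup_elem(&blocklist, &saddr) != NULL; }
#else
enum { XDP_DROP = 1, XDP_PASS = 2 };          /* same values as in linux/bpf.h */
/* Constructed stand-in for the map: one entry, 192.0.2.1 (TEST-NET-1), held in
 * the same in-memory form as the saddr field read straight out of the packet. */
static inline int is_blocked(uint32_t saddr)
{
    uint8_t b[4] = { 192, 0, 2, 1 }; uint32_t key; __builtin_memcpy(&key, b, 4);
    return saddr == key;
}
#endif
/* Every dereference is preceded by a comparison against data_end; the in-kernel
 * verifier rejects the program if any packet access is not proven in bounds. */
static inline int filter_ipv4(void *data, void *data_end)
{
    struct eth_hdr *eth = data;
    if ((void *)(eth + 1) > data_end) return XDP_PASS;                    /* frame too short */
    if (eth->proto[0] != 0x08 || eth->proto[1] != 0x00) return XDP_PASS;  /* not IPv4 */
    struct ipv4_hdr *ip = (void *)(eth + 1);
    if ((void *)(ip + 1) > data_end) return XDP_PASS;                     /* header truncated */
    return is_blocked(ip->saddr) ? XDP_DROP : XDP_PASS;
}
#ifdef __BPF__
SEC("xdp") int xdp_blocklist(struct xdp_md *ctx)
{ return filter_ipv4((void *)(long)ctx->data, (void *)(long)ctx->data_end); }
char LICENSE[] SEC("license") = "GPL";
#else
/* Native harness: constructed 34-byte Ethernet+IPv4 frame, truncated to len bytes; returns the verdict. */
int verdict_for_source(uint8_t a, uint8_t b, uint8_t c, uint8_t d, size_t len)
{
    uint8_t f[34] = { [12] = 0x08, [14] = 0x45, [17] = 20, [22] = 64, [23] = 1 };
    f[26] = a; f[27] = b; f[28] = c; f[29] = d;
    return filter_ipv4(f, f + (len < sizeof f ? len : sizeof f));
}
#endif
```

Removing either `data_end` comparison makes the kernel verifier refuse the program at load time rather than letting it run with an unchecked packet read.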