We explain what eBPF is, how it works, and its proud BSD production legacy.
eBPF is a technology that you're going to be hearing more and more about. It powers low-overhead custom analysis tools, handles network security in a containerized world, and underpins tools you use every day.
Links:
- Chris Goes to MeetBSD
- Linus Torvalds talks about coming back to work on Linux | ZDNet -- BPF has actually been really useful, and the real power of it is how it allows people to do specialized code that isn't enabled until asked for.
- The Kernel Report - Jonathan Corbet
- BPF - the forgotten bytecode -- All this changed in 1993 when Steven McCanne and Van Jacobson published the paper introducing a better way of filtering packets in the kernel; they called it "The BSD Packet Filter" (BPF).
- The BSD Packet Filter
- eBPF: Past, Present, and Future -- The Extended Berkeley Packet Filter, or eBPF, has rapidly been adopted into a number of Linux kernel systems since its introduction into the Linux kernel in late 2014. Understanding eBPF, however, can be difficult as many try to explain it via a use of eBPF as opposed to its design. Indeed eBPF's name indicates that it is for packet filtering even though it now has uses which have nothing to do with networking.
- Using eBPF in Kubernetes -- Cilium is a networking project that makes heavy use of eBPF superpowers to route and filter network traffic for container-based systems. By using eBPF, Cilium can dynamically generate and apply rules—even at the device level with XDP—without making changes to the Linux kernel itself.
- Why is the kernel community replacing iptables with BPF? -- The Linux kernel community recently announced bpfilter, which will replace the long-standing in-kernel implementation of iptables with high-performance network filtering powered by Linux BPF, all while guaranteeing a non-disruptive transition for Linux users.
- bpftrace (DTrace 2.0) for Linux 2018 -- Created by Alastair Robertson, bpftrace is an open source high-level tracing front-end that lets you analyze systems in custom ways. It's shaping up to be a DTrace version 2.0: more capable, and built from the ground up for the modern era of the eBPF virtual machine.
- The bpftrace One-Liner Tutorial
- BCC - Tools for BPF-based Linux IO analysis, networking, monitoring, and more -- BCC is a toolkit for creating efficient kernel tracing and manipulation programs, and includes several useful tools and examples.
- Linux eBPF Tracing Tools -- This page shows examples of performance analysis tools using enhancements to BPF (Berkeley Packet Filter) which were added to the Linux 4.x series kernels, allowing BPF to do much more than just filtering packets. These enhancements allow custom analysis programs to be executed on Linux dynamic tracing, static tracing, and profiling events.
- eBPF Vulnerability (CVE-2017-16995): When the Doorman Becomes the Backdoor
- Ultimate Plumber -- Ultimate Plumber is a tool for writing Linux pipes with instant live preview
- BSD Now 073: Pipe Dreams -- Interview w/ David Maxwell about Pipecut, text processing, and commandline wizardry.