eBPF
eBPF (extended Berkeley Packet Filter) is a system for running user code in a verified and sandboxed way inside the Linux kernel. Unlike the original BPF, it’s no longer just a way to filter packets.
eBPF programs are triggered by various kernel events such as syscalls, network IO, function calls and returns, and tracepoints. It’s also possible to set up kernel and user probes (kprobe
and uprobe
) for custom events.
The Linux kernel accepts eBPF programs as compiled bytecode, however, most eBPF programs are not written directly but use technologies like Cilium or bpftrace.
To load the bytecode, it is passed to the bpf
system call, which causes the code to be verified to ensure it cannot crash the kernel and just-in-time (JIT) compiled.
eBPF also provides helper functions with additional system functionality (like process information and packet manipulation) as well as data structures to store data and share it with user space code (either at a per-CPU and global level). These data structures include:
- Hash tables
- LRU caches
- Ring buffers
- Stack traces
- Longest-prefix match
Tail calls allow programs to initiate another eBPF program as it’s completing, which replaces the current context.
Question: How would using eBPF for network observability differ from using tracing tools like
strace
andtcpdump
?