Awesome eBPF

Generic documentation about most features of eBPF.

Index for BPF-related documentation coming with the Linux kernel.

eBPF specification (somewhat outdated; information should still be valid, but not exhaustive).

Frequently Asked Questions on the decisions behind the BPF infrastructure.

Frequently Asked Questions about contributing to eBPF development.

Manual page about the bpf() system call, used to manage BPF programs and maps from userspace.

Manual page about using BPF with tc, including example commands and samples of code.

Description of the in-kernel helper functions forming the BPF standard library.

Work in progress, contributions welcome.

mailing list:

An accessible introduction providing context, history, and details about the functioning of eBPF.

They have a few posts about eBPF:

A set of slides covering all the basics about eBPF and XDP (mostly for network processing).

An introduction mostly covering the tracing aspects.

An introduction mostly covering the tracing aspects.

An introduction mostly covering the tracing aspects, first part with flame graphs.

Also introduces IO Visor project.

Presentation by the author of eBPF.

A blog post from 2014 on the development of BPF and demonstrating what can be done with it, using an example of stateful socket filtering by attaching an eBPF program to a socket.

A description of all existing hooks for BPF program types, and of their interest.

A review of the kernel functions that can be called from within eBPF programs.

How BPF communicates with userspace - BPF maps, perf events, bpf_trace_printk.

Setting up your environment to build BPF programs.

How does BPF ensure that programs are safe?

One eBPF usage about packet transformation.

A blog post covering the basics of eBPF as well as code samples in Go on how to build and load a minimal eBPF program into the kernel.

Details on eBPF, its use for tunneling and encapsulation, direct packet access, and more.

Part of this tc workshop.

Introduction to eBPF, including several features (map management, tail calls, verifier). The full paper is also available here.

Linux networking internals, with a part about eBPF.

A detailed introduction to tracing with eBPF, from listing the available trace points to running bpftrace programs.

Kprobes, uprobes, ftrace.

Systemtap, Kernelshark, trace-cmd, LTTng, perf-tool, ftrace, hist-trigger, perf, function tracer, tracepoint, kprobe/uprobe, and more.

article.

A very accessible introduction to XDP, providing sample code to show how to process packets.

Generic documentation about most features of eBPF.

Contains some benchmark results obtained with the mlx4 driver.

Linux Kernel's fight against DPDK. Future plans (as of this writing) for XDP and comparison with DPDK.

Additional hints about XDP internals and expected evolution.

Details and use cases about XDP, with benchmark results, and code snippets for benchmarking as well as for basic DDoS protection with eBPF/XDP (based on an IP blacklisting scheme).

Advanced details about current memory issues faced by XDP developers.

How to get started with eBPF and XDP for normal humans. Also summarized by Julia Evans on her blog.

Update on XDP, and in particular on the redirect actions.

About packet filtering on Linux, DDoS protection, packet processing in the kernel, kernel bypass, XDP and eBPF.

Cloudflare's blog post talking about their move to using XDP for packet filtering.

Kernel documentation on the AF_XDP address family.

A blog post by Cilium on the the motivations behind eBPF and bpfilter, with a couple examples and links to other projects using eBPF and bpfilter.

Slides from a talk by Quentin Monnet with a background on eBPF and comparing bpfilter to iptables.

Kernel documentation about BTF, explaining how to use it.

A description of the work done with BTF to provide debugging information for BPF programs.

The original paper about (classic) BPF.

Usage of BPF bytecode with the xt_bpf module for iptables.

Hardware offload for eBPF with TC or XDP (Linux kernel 4.9+), introduced by Netronome.

An update on the topic above.

Troubleshooting ping requests and replies with perf and bcc programs.

Operated by Netronome: some tutorials for network-related eBPF use cases, including an eBPF Offload Starting Guide.

How to get started with eBPF and XDP for normal humans. Also summarized by Julia Evans on her blog.

Second edition, with new contents.

In the kernel tree: some sample eBPF programs.

In the kernel tree: Linux BPF selftests, with many eBPF programs.

Some networking programs to attach to the TC interface.

Package containing tools for network management on Linux. In particular, it contains tc, used to manage eBPF filters and actions, and ip, used to manage XDP programs. Most of the code related to BPF is in lib/bpf.c.

The development tree, synchronised with net-next.

Contains several tools used in eBPF workflows. Snapshots of the latest versions for Ubuntu/Debian can be retrieved from here.

A C library used for handling BPF objects (programs and maps), and manipulating ELF object files containing them. It is shipped with the kernel and mirrored on GitHub.

Also some other tools in the kernel tree, under linux/tools/net/ for versions earlier than 4.15, or linux/tools/bpf/ after that:

A minimal cBPF assembler.

A small debugger for cBPF programs.

A disassembler for both BPF flavors and could be highly useful for JIT debugging.

P4 with eBPF to create high-performance programmable switches.

Related to the former item. Audio interview of John Fastabend by Ben Pfaff, one of the core maintainers of Open vSwitch.

P4 with some elements related to eBPF hardware offload on Netronome's NFP (Network Flow Processor) architecture.

Also featuring a load balancer use case

video](https://www.youtube.com/watch?v=TnJF7ht3ZYc&list=PLkA60AVN3hh8oPas3cq2VA9xB7WazcIgs)

Interview of Thomas Graf by Ben Pfaff.

Ivan Pepelnjak interviewing Thomas, October 2016, on eBPF, P4, XDP and Cilium.

A layer 4 load-balancer based on XDP, open-sourced by Facebook.

Protection against DDoS with XDP at Cloudflare.

Protection against DDoS with XDP at Facebook.

Common Ethernet Driver Framework for faster network I/O, a technology initiated by Mellanox.

A library to create, load and use eBPF programs from Go.

A small but flexible open source dynamic tracer for Linux, with features similar to the bcc tools, but with a simpler language inspired by awk and DTrace.

Considers using eBPF.

Helps with measuring power consumption for servers and uses eBPF programs for in-kernel aggregation of data.

with linux/include/uapi/bpf.h: definitions related to eBPF, to be used respectively in the kernel and to interface with userspace programs.

with linux/include/uapi/filter.h: information used to run the BPF programs themselves.

This directory contains most of BPF-related code. In particular, those files are worth of interest:

Different operations permitted by the system call, such as program loading or map management.

BPF interpreter.

BPF verifier.

Functions and eBPF helpers related to networking (TC, XDP etc.); also contains the code to migrate cBPF bytecode to eBPF (all cBPF programs are translated to eBPF in recent kernels).

Functions and eBPF helpers related to tracing and monitoring (kprobes, tracepoints, etc.).

for x86. Exception is made for JIT compilers used for hardware offload, sitting in their drivers, such as linux/drivers/net/ethernet/netronome/nfp/bpf/jit.c for Netronome NFP.

and in particular in files act_bpf.c (action) and cls_bpf.c (filter): code related to BPF actions and filters with TC.

contains the function dev_change_xdp_fd() that is called through a Netlink command to hook a XDP program to a device, after is has been loaded into the kernel from user space. This function in turns uses a callback from the relevant driver.

BPF patches land in this tree. It is regularly merged into net-next, which is itself merged for each release to Linus' tree.

About contributions to BPF.

Mailing list for Linux kernel networking stack development. All patches are sent there for review and inclusion.

mailing list:

BPF is at the heart of the project, and is regularly discussed on the mailing list.