eBPF

BPF is at the heart of the project, and is regularly discussed on the mailing list.

About contributions to BPF.

BPF patches land in this tree. It is regularly merged into net-next, which is itself merged for each release to Linus' tree.

Mailing list for Linux kernel networking stack development. All patches are sent there for review and inclusion.

A GitHub repository with notes and ideas regarding the future evolutions of XDP.

A mailing list specially dedicated to XDP programming (both for architecture or for asking for help).

Examples coming along with the bcc tools, mostly about tracing.

These tools themselves can be seen as example use cases for BPF programs, mostly for tracing and monitoring. bcc tools have been packaged for some Linux distributions.

A fully documented and tested example of an eBPF probe that logs all force-kills and prints them out in user-space.

A collection of compiled (as ELF object files) samples gathered from several projects, primarily intended to serve as test cases for user space verifiers.

Some networking programs to attach to the TC interface.

In the kernel tree: some sample eBPF programs.

In the kernel tree: Linux BPF selftests, with many eBPF programs.

A heavily commented sample demonstrating how to encapsulate & decapsulate MPLS within IP. The code is commented for those new to BPF development.

Provides basic but complete examples of eBPF applications also compatible with hardware offload.

Jesper Dangaard Brouer's prototype-kernel repository contains some additional examples that can be compiled outside of kernel infrastructure.

Example programs for using RedBPF to write eBPF programs in Rust.

Program that uses XDP/TC-eBPF to provide statefull firewalling and socket redirection.

Ivan Pepelnjak interviewing Thomas, October 2016, on eBPF, P4, XDP and Cilium.

A Linux shell environment for using tracing tools on Android with BPFd.

A high performance and lightweight captive portal solution for wireless networks. It leverages eBPF for traffic control and deep packet inspection capabilities, with plans to gradually replace nftables firewall functionality with eBPF-based solutions.

A collection of malicious eBPF programs that make use of eBPF's ability to read and write user data in between the usermode program and the kernel.

Talk about an eBPF rootkit and how the capabilities of eBPF could be abused. The rootkit was also the object of a talk at Defcon, eBPF, I thought we were friends !.

Framework for running BPF programs with rules on Linux as a daemon. Container aware.

A distinct BPF daemon, trying to leverage the flexibility of the bcc tools to trace and debug remote targets, and in particular devices running with Android.

An eBPF driven security tool for locking and auditing Linux machines.

An eBPF Manager for Linux and Kubernetes. Includes a built-in program loader that supports program cooperation for XDP and TC programs, as well as deployment of eBPF programs from OCI images.

A tool for tracing with its own high-level tracing language. It is flexible enough to be envisioned as a Linux replacement for DTrace and SystemTap.

Summary and cheat sheet for programming in bpftrace. Contains information about syntax, probe types, variables and functions.

Instant Kubernetes service dependency map generated by eBPF, right to a Grafana instance.

Common Ethernet Driver Framework for faster network I/O, a technology initiated by Mellanox.

project (GitHub repository) is a technology relying on BPF and XDP to provide "fast in-kernel networking and security policy enforcement for containers based on eBPF programs generated on the fly". Many presentations available (with overlap):

Also featuring a load balancer use case

video

Coroot is an open-source APM & Observability tool, a DataDog and NewRelic alternative.

Helps with measuring power consumption for servers and uses eBPF programs for in-kernel aggregation of data.

Instant observability for cloud-native and AI applications based on eBPF.

Protection against DDoS with XDP at Facebook.

A web interface to explore system's maps and programs.

Blog post about how BPF can help detection and blocking fileless malware.

A rootkit that leverages multiple eBPF features to implement offensive security techniques.

An utility to statically analyze eBPF bytecode or monitor suspicious eBPF activity at runtime. It was specifically designed to detect ebpfkit.

A TUI (terminal user interface) application for real time monitoring of eBPF programs.

A series of posts around the introduction into BPF with a focus to an offensive setting, and also how its misuse can be detected. Posts include discussions on the rootkit capabilities of eBPF, or on which tracing type is needed for different use cases.

A cloud-native runtime security project used as a Kubernetes threat detection engine.

Considers using eBPF.

System daemon to compile and load eBPF programs into the kernel, and forward program output to socket for metric aggregation.

Trace syscalls from user-space functions, by using eBPF.

Network, service and security observability for Kubernetes using eBPF.

A collection tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF.

A layer 4 load-balancer based on XDP, open-sourced by Facebook.

A kubectl plug-in for executing bpftrace programs in a Kubernetes cluster.

Use eBPF to speed up your Service Mesh. Merbridge replaces iptables rules with eBPF to intercept traffic. It also combines msg_redirect to reduce latency with a shortened datapath between sidecars and services.

From bcc repository; deprecated by the P4_16 backend linked below.

Related to the former item. Audio interview of John Fastabend by Ben Pfaff, one of the core maintainers of Open vSwitch.

Interview of Thomas Graf by Ben Pfaff.

P4 with eBPF to create high-performance programmable switches.

P4 with some elements related to eBPF hardware offload on Netronome's NFP (Network Flow Processor) architecture.

eBPF based always-on continuous profiler for analysis of CPU and memory usage, down to the line number and throughout time.

An open-source C++ library for capturing, parsing and crafting network packets. It features a C++ interface for creating AFXDP sockets, making it easy to send and receive packets through them.

Observability for Kubernetes using eBPF. Features include protocol tracing, application profiling, and support for distributed bpftrace deployments.

A small but flexible open source dynamic tracer for Linux, with features similar to the bcc tools, but with a simpler language inspired by awk and DTrace.

Calico is an open source networking and network security solution for containers, virtual machines, and native host-based workloads. Calico's eBPF data plane delivers a low latency, high throughput data plane with a rich network security policy model.

A process-aware, eBPF-based tcpdump-like tool.

Sampling profiler and tracer for Ruby.

Red Canary has started to incorporate eBPF to their Linux security sensor.

Tooling and framework to write eBPF code in Rust efficiently.

A set of BPF programs that gather security relevant event data from the Linux kernel. The BPF programs are combined into a single ELF file from which individual probes can be selectively loaded, depending on the running operating system and kernel version.

Suricata, an open source intrusion detection system, for its "capture bypass" features

Extreme Performance Tuning guide - Mark II.

Apache SkyWalking is an open-source Application Performance Monitoring (APM) platform specially designed for distributed systems with microservices, cloud-native and container-based (Kubernetes) architectures. SkyWalking Rover is an eBPF-based profiler and metrics collector for C, C++, Golang, and Rust applications.

A security monitoring tool. It depends on SysinternalsEBPF.

Kubernetes-aware, eBPF-based security observability and runtime enforcement.

A runtime security and forensics tool for Linux which uses eBPF technology to trace the system and applications at runtime, and analyze collected events to detect suspicious behavioral patterns.

A Linux eBPF rootkit with a backdoor, C2, library injection, execution hijacking, persistence and stealth capabilities.

An in-kernel solution based on XDP for 5G UPF.

Protection against DDoS with XDP at Cloudflare.

Frequently Asked Questions on the decisions behind the BPF infrastructure.

Index for BPF-related documentation coming with the Linux kernel.

In-depth documentation about most features and aspects of eBPF.

A gateway to discover all the basics of eBPF, including a listing of the main related projects and of community resources.

Frequently Asked Questions about contributing to eBPF development.

Summary of eBPF syntax and operation codes.

Work in progress, contributions welcome.

eBPF specification (somewhat outdated; information should still be valid, but not exhaustive).

Emails from David Miller to the mailing list

Manual page about the `bpf()` system call, used to manage BPF programs and maps from userspace.

Description of the in-kernel helper functions forming the BPF standard library.

Manual page about using BPF with tc, including example commands and samples of code.

The JIT compilers are under the directory of their respective architectures, such as file for x86\. Exception is made for JIT compilers used for hardware offload, sitting in their drivers, such as for Netronome NFP.

The JIT compilers are under the directory of their respective architectures, such as file for x86\. Exception is made for JIT compilers used for hardware offload, sitting in their drivers, such as for Netronome NFP.

with linux/include/uapi/bpf.h: definitions related to eBPF, to be used respectively in the kernel and to interface with userspace programs.

with linux/include/uapi/filter.h: information used to run the BPF programs themselves.

This directory contains most of BPF-related code. In particular, those files are worth of interest:

Functions and eBPF helpers related to tracing and monitoring (kprobes, tracepoints, etc.).

contains the function `devchangexdp_fd()` that is called through a Netlink command to hook a XDP program to a device, after is has been loaded into the kernel from user space. This function in turns uses a callback from the relevant driver.

Functions and eBPF helpers related to networking (TC, XDP etc.); also contains the code to migrate cBPF bytecode to eBPF (all cBPF programs are translated to eBPF in recent kernels).

and in particular in files `actbpf.c` (action) and `clsbpf.c` (filter): code related to BPF actions and filters with TC.

BPF interpreter.

Different operations permitted by the system call, such as program loading or map management.

BPF verifier.

A detailed explanation of methods used to capture DNS requests at the socket filter layer.

Learn how eBPF can speed-up local socket communication up to 30%.

A step-by-step walkthrough to integrate tracing capabilities in your C++ applications with the LLVM libraries.

Comes with bcc, but targets the Python bits across seventeen "lessons".

Many incremental steps to start using bcc and eBPF, mostly centered on tracing and monitoring.

Helps generate minimal or advanced templates to bootstrap your own applications (kernel side and user space management for maps and programs) with features like CO-RE, global variables, and ring buffer.

A step-by-step guide how eBPF can observe Redis communication between client and server.

A step-by-step guide to benchmarking both the client and kernel eBPF code written in Rust.

Start with eBPF basics and progress to advanced topics using 20+ hands-on tutorials and examples. Covers performance, networking, and security with libbpf and CO-RE. Available in Chinese and English.

Learn how eBPF can infer custom load-balancing for services listening on the same port, through the SO_REUSEPORT TCP option.

A simple guide to build basic firewalls with TC and XDP.

A thorough walk-through of how to write eBPF programs, first using only bpf() syscall, and then libbpf library, with reproducible code examples.

An introductory guide to writing image-based eBPF gadgets and sharing them via OCI registries.

An introductory guide to writing image-based eBPF gadgets and performing post-processing with WASM.

Involves the use of several BPF tools for tracing.

Newsletter about all the ways to loop and iterate in eBPF.

Operated by Netronome: some tutorials for network-related eBPF use cases, including an eBPF Offload Starting Guide.

Troubleshooting ping requests and replies with perf and bcc programs.

A step-by-step guide on how to implement a transparent proxy using eBPF.

Learn how you can unit test your eBPF programs using libbpf.

A step-by-step guide how eBPF can observe encrypted network traffic.

A step-by-step guide to write an appliation continuous profiler leveraging the eBPF instrumentation, with a complete project as a reference.

First edition of a workshop to get started with XDP.

Second edition, with new contents.

A progressive (three levels of difficulty) tutorial to learn how to process packets with XDP.

With support for FreeBSD kernel, FreeBSD user space, Linux kernel, Linux user space and macOS user space. Used for the VALE software switch's BPF extension module.

To easily test XDP. Less useful now that generic XDP (driver-independant, mostly for testing) exists.

A pure Rust library for writing, loading, and managing eBPF objects, with a focus on developer experience and operability. It supports writing eBPF programs in Rust and distributing library code over crates.io to share it between eBPF programs. Aya does not depend on libbpf.

Templates for writing BPF applications in Aya that can be used with `cargo generate`.

Framework and set of tools - One way to handle BPF programs, in particular for tracing and monitoring. Also includes some utilities that may help inspect maps or programs on the system.

Also some other tools in the kernel tree, under linux/tools/net/ for versions earlier than 4.15, or linux/tools/bpf/ after that:

Pure-Go library to read, modify and load eBPF programs and attach them to various hooks in the Linux kernel.

This project is a work-in-progress that allows using existing eBPF toolchains and APIs familiar in the Linux ecosystem to be used on top of Windows.

Rust library for writing Linux security policies using eBPF.

A compilation framework and runtime library to build, distribute, dynamically load, and run CO-RE eBPF applications in multiple languages and WebAssembly. It supports writing eBPF kernel code only (to build simple CO-RE libbpf eBPF applications), writing the kernel part in both BCC and libbpf styles, and writing userspace in multiple languages in a WASM module and distributing it with simple JSON data or WASM OCI images. The runtime is based on libbpf only and provides CO-RE to BCC-style eBPF programs wi...

Go bindings for BCC for creating eBPF programs.

Package containing tools for network management on Linux. In particular, it contains `tc`, used to manage eBPF filters and actions, and `ip`, used to manage XDP programs. Most of the code related to BPF is in lib/bpf.c.

The development tree, synchronised with net-next.

A C library used for handling BPF objects (programs and maps), and manipulating ELF object files containing them. It is shipped with the kernel and mirrored on GitHub.

Scaffolding for BPF application development with libbpf and BPF CO-RE.

eBPF library for Go, powered by libbpf.

Contains several tools used in eBPF workflows. Snapshots of the latest versions for Ubuntu/Debian can be retrieved from here.

Another alternative to C, and even to most of the Python code used in bcc.

Written in Go. A tool for tracing execution of Go programs by attaching eBPF to uprobes.

A pure Rust library for managing eBPF programs, designed for security use cases. The featureset is more limited than other libraries but emphasizes stability across a wide range of kernels and backwards-compatible compile-once-run-most-places.

A user space verifier for eBPF using an abstract interpretation layer, with support for loops.

Written in Rust. Interpreter for Linux, macOS and Windows, and JIT-compiler for x86_64 under Linux.

clang is used to compile C to eBPF object file under the ELF format (clang v3.7.1+). The BPF backend was added with .

Written in C. Contains an interpreter, a JIT compiler for x86_64 architecture, an assembler and a disassembler.

A tracing profiler that aims to make eBPF uprobe-based debugging easier to use. This is done by displaying traces in a UI next to the source code and allowing interactive drilldown analysis.

A pure Zig framework for writing cross platform eBPF programs, powered by libbpf and Zig toolchain.

A generic utility that can be used to interact with eBPF programs and maps from userspace, for example to show, dump, load, disassemble, pin programs, or to show, create, pin, update, delete maps, or to attach and detach programs to cgroups.

A minimal cBPF assembler.

A small debugger for cBPF programs.

A disassembler for both BPF flavors and could be highly useful for JIT debugging.