Awesome eBPF
A curated list of awesome projects related to eBPF.
BPF, as in Berkeley Packet Filter, is an in-kernel virtual machine running programs passed from user space. Initially implemented on BSD, then Linux, the (now legacy) "classic BPF" or cBPF machine would be used with tools like tcpdump for filtering packets in the kernel to avoid useless copies to user space. More recently, the BPF infrastructure in Linux has been completely reworked and gave life to the "extended BPF", or eBPF, which gained new features (safety and termination checks, JIT-compiling for programs, persistent maps, a standard library, hardware offload support, etc.) and is now used for many tasks. Processing packets at a very low level (XDP), tracing and monitoring events on the system, or enforcing access control over cgroups are but a few examples to which eBPF brings performance, programmability and flexibility.
Recently Cilium launched a great website about eBPF called ebpf.io. It serves a similar purpose to this list, with an introduction to eBPF and links to related projects.
Note: eBPF is an exciting piece of technology, and its ecosystem is constantly evolving. We'd love help from you to keep this awesome list up to date, and improve its signal-to-noise ratio in any way we can. Please feel free to leave any feedback.
Contents
- Reference Documentation
- Articles and Presentations
- Tutorials
- Examples
- eBPF Workflow: Tools and Utilities
- Projects Related to eBPF
- eBPF in Security
- The Code
- Development and Community
- Other Lists of Resources on eBPF
- Acknowledgement
Reference Documentation
eBPF Essentials
- ebpf.io - A gateway to discover all the basics of eBPF, including a listing of the main related projects and of community resources.
- Cilium's BPF and XDP Reference Guide - In-depth documentation about most features and aspects of eBPF.
Kernel Documentation
- BPF Documentation - Index for BPF-related documentation coming with the Linux kernel.
- linux/Documentation/networking/filter.rst - eBPF specification (somewhat outdated; information should still be valid, but not exhaustive).
- BPF Design Q&A - Frequently Asked Questions on the decisions behind the BPF infrastructure.
- HOWTO interact with BPF subsystem - Frequently Asked Questions about contributing to eBPF development.
Manual Pages
- bpf(2) - Manual page about the bpf() system call, used to manage BPF programs and maps from userspace.
- tc-bpf(8) - Manual page about using BPF with tc, including example commands and samples of code.
- bpf-helpers(7) man page - Description of the in-kernel helper functions forming the BPF standard library.
Other
- IO Visor's Unofficial eBPF spec - Summary of eBPF syntax and operation codes.
- Jesper Dangaard Brouer's documentation - Work in progress, contributions welcome.
- Emails from David Miller to the xdp-newbies mailing list:
Articles and Presentations
Generic eBPF Presentations and Articles
If you are new to eBPF, you may want to try the links described as "introductions" in this section.
- A brief introduction to XDP and eBPF - An accessible introduction providing context, history, and details about the functioning of eBPF.
- An eBPF Overview - Blog series by Adrian Ratiu, covering many aspects of the eBPF infrastructure:
- Ferris Ellis's blog posts about eBPF - They have a few posts about eBPF:
- A BPF reference guide - About BPF C and bcc Python helpers, from bcc repository.
- Making the Kernel's Networking Data Path Programmable with BPF and XDP - A set of slides covering all the basics about eBPF and XDP (mostly for network processing).
- The BSD Packet Filter - An introduction mostly covering the tracing aspects.
- BPF: tracing and more - An introduction mostly covering the tracing aspects.
- Linux BPF Superpowers - An introduction mostly covering the tracing aspects, first part with flame graphs.
- IO Visor - Also introduces IO Visor project.
- BPF -- in-kernel virtual machine - Presentation by the author of eBPF.
- Extending extended BPF - A blog post from 2014 on the development of BPF and demonstrating what can be done with it, using an example of stateful socket filtering by attaching an eBPF program to a socket.
- Greg Marsden made some documentation about eBPF:
  - A Tour of Program Types - A description of all existing hooks for BPF program types, and of their interest.
  - BPF helper functions - A review of the kernel functions that can be called from within eBPF programs.
  - Communicating with Userspace - How BPF communicates with userspace - BPF maps, perf events, bpf_trace_printk.
  - Building BPF Programs - Setting up your environment to build BPF programs.
  - The BPF Bytecode and the BPF Verifier - How does BPF ensure that programs are safe?
  - Using BPF to do Packet Transformation - One eBPF usage about packet transformation.
- Linux Kernel Observability through eBPF - A blog post covering the basics of eBPF as well as code samples in Go on how to build and load a minimal eBPF program into the kernel.
- eBPF - From a Programmer's Perspective - A short paper describing the fundamentals of eBPF and how to get started with writing eBPF programs.
- Cloudflare's blog posts on eBPF - Different blog posts about networking use cases and low-level aspects of eBPF.
- Linux Extended BPF (eBPF) Tracing Tools - An in-depth collection of information and examples of performance analysis tools using eBPF. Also contains a section at the end of the page about other resources.
- Beginner's guide to eBPF - A set of live-coding talks and the accompanying code examples, introducing eBPF programming using a variety of libraries and program types.
BPF Internals
- Daniel Borkmann has made several presentations and papers covering the internals of eBPF, in particular about its use with tc.
  - eBPF and XDP walkthrough and recent (2017) updates
  - Advanced programmability and recent updates with tc's cls_bpf - Details on eBPF, its use for tunneling and encapsulation, direct packet access, and more.
  - cls_bpf/eBPF updates since netdev 1.1 - Part of this tc workshop.
  - On getting tc classifier fully programmable with cls_bpf - Introduction to eBPF, including several features (map management, tail calls, verifier). The full paper is also available here.
  - Linux tc and eBPF
- Linux Networking Explained - Linux networking internals, with a part about eBPF.
Kernel Tracing
- Full-system dynamic tracing on Linux using eBPF and bpftrace - A detailed introduction to tracing with eBPF, from listing the available trace points to running bpftrace programs.
- Meet-cute between eBPF and Kernel Tracing - Kprobes, uprobes, ftrace.
- Linux Kernel Tracing - Systemtap, Kernelshark, trace-cmd, LTTng, perf-tool, ftrace, hist-trigger, perf, function tracer, tracepoint, kprobe/uprobe, and more.
- Brendan Gregg's blog, and in particular the Linux BPF Superpowers article.
XDP
- The eXpress Data Path - A very accessible introduction to XDP, providing sample code to show how to process packets.
- All XDP details in a technical paper: The eXpress Data Path: Fast Programmable Packet Processing in the Operating System Kernel, by Toke Høiland-Jørgensen, Jesper Dangaard Brouer, Daniel Borkmann, John Fastabend, Tom Herbert, David Ahern and David Miller, all being essential eBPF and XDP contributors.
- BPF and XDP Reference Guide - Guide from the Cilium project.
- eXpress Data Path (XDP) - The first presentation about XDP.
- eXpress Data Path - Contains some benchmark results obtained with the mlx4 driver.
- Jesper Dangaard Brouer has several sets of slides describing the internals of XDP:
  - XDP − eXpress Data Path, Intro and future use-cases - Linux Kernel's fight against DPDK. Future plans (as of this writing) for XDP and comparison with DPDK.
  - Network Performance Workshop - Additional hints about XDP internals and expected evolution.
  - XDP – eXpress Data Path, Used for DDoS protection - Details and use cases about XDP, with benchmark results, and code snippets for benchmarking as well as for basic DDoS protection with eBPF/XDP (based on an IP blacklisting scheme).
  - Memory vs. Networking, Provoking and fixing memory bottlenecks - Advanced details about current memory issues faced by XDP developers.
  - XDP for the Rest of Us - How to get started with eBPF and XDP for normal humans. Also summarized by Julia Evans on her blog.
  - XDP now with REDIRECT - Update on XDP, and in particular on the redirect actions.
- XDP workshop -- Introduction, experience, and future development (Video)
- High Speed Packet Filtering on Linux - About packet filtering on Linux, DDoS protection, packet processing in the kernel, kernel bypass, XDP and eBPF.
- How to drop 10 million packets per second - Cloudflare's blog post talking about their move to using XDP for packet filtering.
AF_XDP
- AF_XDP - Kernel documentation on the AF_XDP address family.
- Fast Packet Processing in Linux with AF_XDP
bpfilter
- [Why is the kernel community replacing iptables with