What is eBPF?

eBPF, the extended Berkeley Packet Filter, is a kernel technology that runs programs inside the kernel while reducing the need to alter kernel source code. It lets software build on existing kernel layers to deliver services such as networking, observability, and security. The kernel technology has been fully available since Linux 4.4.

eBPF was first used to filter network packets with better observability and security; today its functionality has been extended to a much wider range of use cases. Some of eBPF’s capabilities include:

  • Extracting granular security observability data

  • Assisting application developers in tracing applications

  • Providing performance insight for troubleshooting and security enforcement

eBPF allows programmers to run custom, sandboxed bytecode in response to kernel events. It does this by:

  • Verifying each program before it is loaded at a hook point within the kernel, where it runs whenever a specific event fires. This verification phase makes sure that a program, which then operates autonomously, cannot clog up kernel resources.

  • Calling kernel helper functions to manipulate program data efficiently, so that packet processing is optimised without adding extra parsers or logic layers.

  • Using key-value maps to share data between user space and kernel space.
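The verification step in the first bullet is what makes eBPF a sandbox, so the following added example (not code from this page or from the kernel) is a deliberately simplified static checker over real eBPF instruction encoding: it rejects the same classes of program the kernel’s verifier rejects, namely an unknown opcode, a jump outside the program, falling off the end without an exit, and exiting with r0 never written, plus, as a simplification, any backward jump (kernels since 5.3 accept bounded loops). The instruction layout and opcode bytes are the kernel’s; the checker, its error codes, and the three sample programs are constructed for this example.

```c
#include <stdint.h>
/* Instruction layout identical to struct bpf_insn in <linux/bpf.h>. */
struct ebpf_insn { uint8_t code; uint8_t dst_reg:4, src_reg:4; int16_t off; int32_t imm; };
/* Opcode bytes exactly as the kernel encodes them (BPF_CLASS | BPF_OP | BPF_SRC). */
enum { MOV64_IMM = 0xb7, JEQ_IMM = 0x15, EXIT = 0x95, NREGS = 11 /* r0..r10 */ };
enum { OK = 0, ERR_OPCODE = -1, ERR_JUMP_RANGE = -2, ERR_FALLTHROUGH = -3,
       ERR_UNINIT = -4, ERR_BACK_EDGE = -5 };     /* constructed error codes */

/* Explores every control-flow path; `init` is a bitmask of registers already
   written on the current path, so an uninitialised read is caught per path. */
static int check_path(const struct ebpf_insn *p, int n, int pc, unsigned init)
{
    for (;;) {
        if (pc >= n) return ERR_FALLTHROUGH;            /* ran off the end without EXIT */
        const struct ebpf_insn *i = &p[pc];
        if (i->dst_reg >= NREGS) return ERR_OPCODE;
        switch (i->code) {
        case MOV64_IMM:                                 /* dst = imm */
            init |= 1u << i->dst_reg; pc++; break;
        case JEQ_IMM: {                                 /* if (dst == imm) goto pc+1+off */
            if (!(init & 1u << i->dst_reg)) return ERR_UNINIT;
            if (i->off < 0) return ERR_BACK_EDGE;       /* simplification: reject every loop */
            if (pc + 1 + i->off >= n) return ERR_JUMP_RANGE;
            int rc = check_path(p, n, pc + 1 + i->off, init);   /* taken branch */
            if (rc != OK) return rc;
            pc++; break;                                /* fall-through branch */
        }
        case EXIT: return (init & 1u) ? OK : ERR_UNINIT; /* r0 carries the return value */
        default:   return ERR_OPCODE;
        }
    }
}

/* The kernel enters a program with r1 (context pointer) and r10 (frame pointer) set. */
int ebpf_verify(const struct ebpf_insn *prog, int n)
{
    return check_path(prog, n, 0, (1u << 1) | (1u << 10));
}

/* Constructed sample programs (not from any real loader); 0 means accepted. */
int sample_accepted(void) {  /* r0 = 1; r2 = 5; if (r2 == 5) skip next; r0 = 0; exit */
    const struct ebpf_insn prog[] = { { MOV64_IMM, 0, 0, 0, 1 }, { MOV64_IMM, 2, 0, 0, 5 },
        { JEQ_IMM, 2, 0, 1, 5 }, { MOV64_IMM, 0, 0, 0, 0 }, { EXIT, 0, 0, 0, 0 } };
    return ebpf_verify(prog, 5);
}
int sample_uninit_r0(void) { /* exit before r0 is written; the kernel reports "R0 !read_ok" */
    const struct ebpf_insn prog[] = { { EXIT, 0, 0, 0, 0 } };
    return ebpf_verify(prog, 1);
}
int sample_loop(void) {      /* r0 = 0; if (r0 == 0) goto self: a backward jump */
    const struct ebpf_insn prog[] = { { MOV64_IMM, 0, 0, 0, 0 }, { JEQ_IMM, 0, 0, -1, 0 } };
    return ebpf_verify(prog, 2);
}
```

The real verifier additionally tracks value ranges, pointer types, and stack and map accesses, which is why a map lookup result must be null-checked before it is dereferenced.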