eBPF: BPF kernel infrastructure

T K Sourabh (~sourabhtk37)


BPF is a fairly important in-kernel technology that is enabling a lot of innovation in networking, tracing, security, etc.

BPF lets you run userspace code in the kernel in a safe manner without having to reboot the kernel. It opens up a lot of possibilities for end users to interact with kernel components safely. BPF can hook onto various parts of the system (user space, kernel) and provide functionality. For networking, BPF attaches to various hooks in the kernel networking subsystem to provide features such as high-performance network filtering (XDP), traffic classification, etc. For tracing, BPF allows you to hook onto kernel functions using kprobes and tracepoints, and even onto user-space applications using uprobes, to trace the application or kernel and understand what's happening.

  • Introduction to eBPF
    • Tracing applications
    • tcpdump: Beginning of BPF
  • What is eBPF?
    • Features
    • Use-cases
  • How does eBPF work?
    • BPF syscall, maps, prog types
    • How is BPF safe?
    • Overview of eBPF verifier
  • How to use eBPF?
    • System requirements
    • Writing an eBPF program in Python using BCC (BPF Compiler Collection)
    • Frontends, DSL, etc.
  • XDP
    • Overview
    • XDP real-life scenario
    • Test setup
    • Benchmark comparison between iptables and XDP
  • Takeaways
  • Q&A


  • Understand what context-switch is
  • Familiarity with network OSI layers

Content URLs:


Speaker Info:

Performance engineer at Red Hat. Currently working on improving kernel networking performance.

Id: 1154
Section: Networking and Security
Type: Talks
Target Audience: Intermediate
Last Updated: