Overview and Implementation of eBPF for Android Network Statistics and Control

With each new Android release the kernel version has moved to 4.x and later 5.x, bringing the Linux eBPF (extended Berkeley Packet Filter) framework into the Android ecosystem. The article first encourages readers to read introductory material on eBPF before diving into its evolution, especially the networking‑related parts.

BPF was originally created as a high‑performance packet‑filtering mechanism, predating iptables which was the primary firewall and packet‑filtering solution in the Linux kernel.

Compared with iptables, BPF has two main advantages: (1) its filtering logic is compiled to bytecode and runs directly in kernel space, avoiding user‑space round‑trips; (2) the matching process is a single bytecode execution rather than a chain of rule checks, resulting in higher efficiency.

Linux later extended BPF beyond networking, adding hooks for the file system, CPU scheduler, system calls and other subsystems, thereby enriching the eBPF detection capabilities. A complete system‑call interface was also added to load BPF code, create and read BPF maps, making eBPF programming more generic and easier to understand.

In eBPF programming, developers mainly write the eBPF program code and define MAP storage structures. The kernel source file system/bpf/progs/include/bpf_helpers.h already provides several helper macros, for example:

DEFINE_BPF_PROG(SECTION_NAME, prog_uid, prog_gid, the_prog)

This macro defines a program segment that is loaded into the kernel via the libbpf_android.so library and the bpf system call. At runtime the corresponding kernel hook invokes the eBPF program and returns results to user space through MAPs.

Another macro expands to the full definition used for creating MAPs and three additional interfaces for query, update and delete operations:

#define DEFINE_BPF_PROG(SECTION_NAME,prog_uid, prog_gid, the_prog)

Android’s network statistics and traffic control (from Android 9 onward) rely on the skfilter and cgroupskb program types, implemented in system/netd/bpf_progs/netd.c . The Netd module creates eBPF programs and MAP files under /sys/fs/bpf (e.g., /sys/fs/bpf/prog_FILENAME_PROGTYPE_PROGNAME and /sys/fs/bpf/map_FILENAME_MAPNAME ).

When data packets are transmitted, the kernel’s cgroup BPF hook function __cgroup_bpf_run_filter_skb invokes the appropriate cgroupskb program, handling inbound and outbound traffic differently.

The function bpf_traffic_account performs packet accounting. If a packet is marked for drop (e.g., due to Doze idle policy) it is discarded without accounting; otherwise, statistics are updated in maps such as map_netd_app_uid_stats_map based on UID.

In parallel, the HAL layer’s BandwidthController.cpp creates xt_bpf filters in the kernel Netfilter chains bw_raw_PREROUTING and bw_mangle_POSTROUTING , ensuring that all traffic passes through the eBPF filter.

When the device enters Doze idle mode, non‑whitelisted applications have their network traffic filtered out by eBPF logic that checks the uid_owner_map and the DOZABLE_MATCH configuration. This effectively disables network access for those apps, demonstrating eBPF’s role in power‑saving network control.

The article concludes that, although iptables is still present in current Android versions, eBPF provides a more efficient and programmable way to implement traffic statistics and filtering, and developers can extend this approach to custom matching rules for broader use cases.