
Unlocking Kernel Power: How eBPF Transforms Observability and Networking

This article explains the evolution, principles, use cases, workflow, and limitations of eBPF, showing how programmable kernel extensions enable advanced observability, networking, and security capabilities across Linux systems and cloud‑native environments.

Open Source Linux

eBPF (extended Berkeley Packet Filter) makes parts of the kernel that were traditionally fixed programmable: small, verified programs run at kernel hook points, which gives observability into kernel behaviour for monitoring, network fault analysis, and filesystem analysis.

1. eBPF Development History and Principles

eBPF evolved from the classic BPF packet filter, which already had a JIT compiler. The extended version widened the virtual machine to 64‑bit registers, added maps for sharing state with user space and between programs, and added helper functions for calling into the kernel, which turned a packet filter into a general in‑kernel execution engine. Unlike kernel modules, eBPF programs must pass the in‑kernel verifier before they are allowed to run.

1992: BPF created for custom packet filtering.

2011: Kernel 3.0 adds a BPF JIT compiler (x86‑64 first).

2014: Kernel 3.15 merges the extended instruction set and verifier (internal use only); kernel 3.18 exposes the bpf() system call to user space, making programs written in C and compiled with LLVM loadable.

2016: Kernel 4.8 adds XDP support.

2018: Kernel 4.18 introduces BTF.

2019: Kernel 5.2 adds CONFIG_DEBUG_INFO_BTF, so the kernel carries BTF describing its own types; together with libbpf and Clang relocation support this enables CO‑RE (Compile Once, Run Everywhere) portable programs.

2. eBPF Use Cases and Features

Why Use eBPF?

Kernel programmability: custom logic runs at kernel hook points without patching the kernel or loading a module, greatly increasing flexibility.

Broad application scenarios: provides a foundation for observing kernel behaviour that is otherwise invisible, useful in monitoring, network fault analysis, and filesystem analysis.

eBPF programs can attach to various kernel subsystems such as networking, tracing, and Linux Security Modules. Notable projects built on eBPF include Facebook's Katran, Isovalent's Cilium, and tracing tools BCC and bpftrace.

3. eBPF Workflow

The eBPF hook mechanism attaches custom logic at defined points (hooks) in the kernel, such as system calls, function entry/exit, and network events. If no predefined hook exists for the location of interest, kprobes (kernel functions) or uprobes (user‑space functions) can be used as attach points.

The loading and execution process includes:

Write the program in restricted C and compile it to eBPF bytecode with Clang/LLVM.

Load the bytecode from user space through a library binding (Go, Python, C/C++, Rust), which issues the bpf() system call.

The kernel verifier checks the program for safety (bounded execution, valid memory access, correct helper use) and rejects it otherwise; accepted programs are JIT‑compiled to native instructions.

Execute the program each time the associated hook point fires.
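As an added example (not code from the article or from any project it names), the steps above in miniature: the program is hand‑assembled rather than compiled from C, so the 8‑byte instruction encoding, the bpf(BPF_PROG_LOAD) ABI and the verifier log are all visible. Assumptions: Linux on x86_64 or aarch64 (bpf() syscall numbers 321/280), and CAP_BPF or CAP_SYS_ADMIN for the load itself; the encoder and the pre‑flight check run anywhere, and load_program() reports the errno instead of raising when the kernel refuses.

```python
"""Added example: a 'drop everything' socket filter taken from bytecode to attach.
Assumes Linux on x86_64/aarch64 and CAP_BPF/CAP_SYS_ADMIN for the load step."""
import ctypes
import errno
import platform
import socket
import struct
import sys

# struct bpf_insn: u8 code; u8 dst_reg:4, src_reg:4; s16 off; s32 imm (8 bytes, little-endian)
def insn(code, dst=0, src=0, off=0, imm=0):
    return struct.pack("<BBhi", code, (src << 4) | dst, off, imm)

BPF_ALU64_MOV_K = 0xb7  # BPF_ALU64 | BPF_MOV | BPF_K : dst = imm
BPF_JMP_JA = 0x05       # BPF_JMP | BPF_JA            : pc += off
BPF_CALL = 0x85         # BPF_JMP | BPF_CALL          : r0 = helper(r1..r5)
BPF_EXIT = 0x95         # BPF_JMP | BPF_EXIT          : return r0

def return_const_program(value):
    """'mov r0, value; exit'. For a socket filter, r0 == 0 drops the packet."""
    return insn(BPF_ALU64_MOV_K, dst=0, imm=value) + insn(BPF_EXIT)

def decode(bytecode):
    """Bytecode -> list of (code, dst, src, off, imm)."""
    out = []
    for i in range(0, len(bytecode), 8):
        code, regs, off, imm = struct.unpack("<BBhi", bytecode[i:i + 8])
        out.append((code, regs & 0xF, regs >> 4, off, imm))
    return out

def precheck(bytecode):
    """Pre-flight version of three structural rules the in-kernel verifier enforces.
    Returns None when they pass, else the reason. The real verifier also tracks register
    types, pointer bounds and helper arguments, and follows every path; this straight-line
    scan only bounds-checks jumps, so it is a cheap first filter, not a substitute."""
    if not bytecode or len(bytecode) % 8:
        return "bytecode length must be a non-zero multiple of 8"
    insns = decode(bytecode)
    if insns[-1][0] != BPF_EXIT:
        return "last instruction must be BPF_EXIT"
    r0_written = False
    for pc, (code, dst, _src, off, _imm) in enumerate(insns):
        cls = code & 0x07
        if code == BPF_EXIT:
            if not r0_written:
                return f"BPF_EXIT at {pc} with r0 never written"
        elif cls in (0x05, 0x06):  # BPF_JMP / BPF_JMP32: target is pc + 1 + off
            if code != BPF_CALL and not 0 <= pc + 1 + off < len(insns):
                return f"jump at {pc} targets out-of-range instruction {pc + 1 + off}"
            r0_written = r0_written or code == BPF_CALL
        elif cls in (0x00, 0x01, 0x04, 0x07) and dst == 0:  # LD/LDX/ALU/ALU64 writing r0
            r0_written = True
    return None

BPF_PROG_LOAD = 5
BPF_PROG_TYPE_SOCKET_FILTER = 1
SO_ATTACH_BPF = 50
SYSCALL_BPF = {"x86_64": 321, "aarch64": 280}

class BpfAttrProgLoad(ctypes.Structure):
    """Leading fields of union bpf_attr for BPF_PROG_LOAD; the kernel zero-fills the rest."""
    _fields_ = [("prog_type", ctypes.c_uint32), ("insn_cnt", ctypes.c_uint32),
                ("insns", ctypes.c_uint64), ("license", ctypes.c_uint64),
                ("log_level", ctypes.c_uint32), ("log_size", ctypes.c_uint32),
                ("log_buf", ctypes.c_uint64), ("kern_version", ctypes.c_uint32),
                ("prog_flags", ctypes.c_uint32)]

def load_program(bytecode, log_size=4096):
    """bpf(BPF_PROG_LOAD): returns (fd, verifier_log) on success, (None, reason) otherwise."""
    nr = SYSCALL_BPF.get(platform.machine())
    if sys.platform != "linux" or nr is None:
        return None, "bpf() syscall number unknown for this platform"
    insns = ctypes.create_string_buffer(bytecode, len(bytecode))
    lic = ctypes.create_string_buffer(b"GPL")  # GPL-only helpers require a GPL-compatible license
    log = ctypes.create_string_buffer(log_size)
    attr = BpfAttrProgLoad(prog_type=BPF_PROG_TYPE_SOCKET_FILTER, insn_cnt=len(bytecode) // 8,
                           insns=ctypes.addressof(insns), license=ctypes.addressof(lic),
                           log_level=1, log_size=log_size, log_buf=ctypes.addressof(log))
    libc = ctypes.CDLL(None, use_errno=True)
    fd = libc.syscall(nr, BPF_PROG_LOAD, ctypes.byref(attr), ctypes.sizeof(attr))
    log_text = log.value.decode(errors="replace")
    if fd < 0:
        return None, f"{errno.errorcode.get(ctypes.get_errno(), 'error')} {log_text}".strip()
    return fd, log_text

def attach_to_socket(sock, prog_fd):
    """The hook point for this program type: the socket's receive path."""
    sock.setsockopt(socket.SOL_SOCKET, SO_ATTACH_BPF, struct.pack("i", prog_fd))

if __name__ == "__main__":
    prog = return_const_program(0)
    print("precheck:", precheck(prog) or "ok")
    fd, log_text = load_program(prog)
    if fd is None:
        sys.exit(f"load failed: {log_text}")  # e.g. EPERM without CAP_BPF
    print("loaded as fd", fd, "verifier log:", log_text or "(empty)")
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0)); rx.settimeout(0.5)
    attach_to_socket(rx, fd)  # step 4: the program now runs on every packet this socket receives
    socket.socket(socket.AF_INET, socket.SOCK_DGRAM).sendto(b"hello", rx.getsockname())
    try:
        rx.recv(16); print("packet delivered (filter not applied)")
    except socket.timeout:
        print("packet dropped by the attached filter")
```

Run as root to see the whole chain: the verifier log comes back even for a two‑instruction program, and the UDP datagram sent to the filtered socket never arrives. The pre‑flight check deliberately mirrors only rules that are cheap to reproduce in user space; everything else is the kernel verifier's job, which is why a rejected load returns the log rather than a bare error code.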

4. Limitations of eBPF

eBPF is constrained by what the running kernel supports (hook types, helpers, and map types differ between versions), by its instruction set, and by verifier limits such as the 512‑byte stack and the requirement that execution be provably bounded, so it cannot solve every problem. The community works around these limits, for example by back‑porting newer kernel features or by using CO‑RE, which relocates field accesses against the running kernel's BTF so that one compiled binary runs across kernel versions.

eBPF Development Tools

BCC

bpftrace

eBPF Go library (cilium/ebpf)

libbpf C/C++ Library

