
Unlocking Linux Performance: A Practical Guide to eBPF and BPF Maps

This article introduces the fundamentals of BPF and its extended version eBPF, explains their kernel‑resident virtual machine architecture, demonstrates simple packet‑filtering examples, outlines the eBPF program lifecycle, describes key BPF system‑call commands, and surveys the various eBPF map types used for efficient data handling in Linux.

Efficient Ops

BPF

The core of BPF (Berkeley Packet Filter) is a lightweight virtual machine residing in the kernel, originally designed for efficient network packet filtering.

The diagram in the original article shows where BPF sits and how it is framed: the kernel and user space exchange data through buffers rather than through frequent context switches. The BPF virtual machine itself consists of an accumulator, an index register, a small scratch memory store, and an implicit program counter.

Example: Filtering all IP packets

Compile the filter and dump its bytecode with:

tcpdump -d ip

Resulting bytecode (four instructions):

(000) ldh      [12]                // Load Ethernet type field
(001) jeq      #0x800  jt 2  jf 3  // Jump if IP
(002) ret      #65535              // Accept
(003) ret      #0                  // Reject

Another example: a TCP filter that tests for IPv6 first and falls through to the IPv4 branch at instruction 007:

(000) ldh      [12]                  // Load Ethernet type
(001) jeq      #0x86dd jt 2   jf 7   // IPv6?
(002) ldb      [20]                  // Load next header
(003) jeq      #0x6    jt 10  jf 4   // TCP?
(004) jeq      #0x2c   jt 5   jf 11  // Possible IPv6 fragment
(005) ldb      [54]                  // (truncated)
(006) jeq      #0x6    jt 10  jf 11  // TCP?
(007) jeq      #0x800  jt 8   jf 11  // IP?
(008) ldb      [23]                  // Load next protocol
(009) jeq      #0x6    jt 10  jf 11  // TCP?
(010) ret      #65535                // Accept
(011) ret      #0                    // Reject
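To make the accumulator / program-counter model concrete, here is an added example (not code from the original article) that interprets the ldh, ldb, jeq and ret subset used by the two listings above and runs both filters over constructed Ethernet frames. The opcode encoding, the frame layout helper and the sample frames are this example's own constructions; the kernel's real classic-BPF encoding (struct sock_filter) packs instructions differently. The one behaviour worth noticing beyond the listings is the bounds check: a load that would read past the end of the frame rejects the packet instead of reading out of bounds, which is what a filter engine has to guarantee before running untrusted programs against packet memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Instruction subset used by the two filters above; encoding is this example's own. */
enum op { LDH, LDB, JEQ, RET };

struct insn {
    enum op code;
    uint32_t k;        /* load offset, comparison value or return value */
    uint8_t jt, jf;    /* JEQ targets, absolute indices as tcpdump -d prints them */
};

#define NINSN(p) (sizeof(p) / sizeof((p)[0]))

/* tcpdump -d ip, transcribed from the first listing. */
static const struct insn filter_ip[] = {
    { LDH, 12,     0, 0 },   /* 000 load Ethernet type */
    { JEQ, 0x800,  2, 3 },   /* 001 IPv4? */
    { RET, 65535,  0, 0 },   /* 002 accept */
    { RET, 0,      0, 0 },   /* 003 reject */
};

/* The TCP filter from the second listing (IPv6 path first, IPv4 at 007). */
static const struct insn filter_tcp[] = {
    { LDH, 12,     0, 0 },   /* 000 */
    { JEQ, 0x86dd, 2, 7 },   /* 001 IPv6? */
    { LDB, 20,     0, 0 },   /* 002 IPv6 next header */
    { JEQ, 0x6,   10, 4 },   /* 003 TCP? */
    { JEQ, 0x2c,   5, 11 },  /* 004 fragment header? */
    { LDB, 54,     0, 0 },   /* 005 next header inside the fragment header */
    { JEQ, 0x6,   10, 11 },  /* 006 TCP? */
    { JEQ, 0x800,  8, 11 },  /* 007 IPv4? */
    { LDB, 23,     0, 0 },   /* 008 IPv4 protocol */
    { JEQ, 0x6,   10, 11 },  /* 009 TCP? */
    { RET, 65535,  0, 0 },   /* 010 accept */
    { RET, 0,      0, 0 },   /* 011 reject */
};

/* Execute a filter over one frame. Returns the byte count to capture (0 = reject).
 * The accumulator is the only data register. A load past the end of the frame
 * rejects the packet rather than reading out of bounds. */
uint32_t run_filter(const struct insn *prog, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t acc = 0;   /* accumulator */
    size_t pc = 0;      /* implicit program counter */

    while (pc < n) {
        const struct insn *in = &prog[pc];
        switch (in->code) {
        case LDH:   /* 16-bit big-endian load */
            if ((size_t)in->k + 2 > len) return 0;
            acc = ((uint32_t)pkt[in->k] << 8) | pkt[in->k + 1];
            pc++;
            break;
        case LDB:   /* 8-bit load */
            if ((size_t)in->k + 1 > len) return 0;
            acc = pkt[in->k];
            pc++;
            break;
        case JEQ:
            pc = (acc == in->k) ? in->jt : in->jf;
            break;
        case RET:
            return in->k;
        }
    }
    return 0;   /* ran off the end of the program: reject */
}

/* Constructed 64-byte frame: Ethernet type, a minimal L3 header whose protocol /
 * next-header byte is 'proto', and 'inner' at offset 54, where an IPv6 fragment
 * extension header keeps its own next-header field. */
static size_t make_frame(uint8_t *buf, uint16_t ethertype, uint8_t proto, uint8_t inner)
{
    memset(buf, 0, 64);
    buf[12] = (uint8_t)(ethertype >> 8);
    buf[13] = (uint8_t)(ethertype & 0xff);
    if (ethertype == 0x0800) { buf[14] = 0x45; buf[23] = proto; }   /* IPv4 protocol field */
    if (ethertype == 0x86dd) { buf[14] = 0x60; buf[20] = proto; }   /* IPv6 next header */
    buf[54] = inner;
    return 64;
}

uint32_t ip_verdict(uint16_t ethertype, uint8_t proto)
{
    uint8_t f[64];
    size_t n = make_frame(f, ethertype, proto, 0);
    return run_filter(filter_ip, NINSN(filter_ip), f, n);
}

uint32_t tcp_verdict(uint16_t ethertype, uint8_t proto, uint8_t inner)
{
    uint8_t f[64];
    size_t n = make_frame(f, ethertype, proto, inner);
    return run_filter(filter_tcp, NINSN(filter_tcp), f, n);
}

/* A runt frame shorter than the Ethernet header: every load is out of bounds. */
uint32_t runt_verdict(void)
{
    uint8_t f[13] = { 0 };
    return run_filter(filter_tcp, NINSN(filter_tcp), f, sizeof f);
}

int main(void)
{
    printf("ip filter, IPv4/TCP: %u\n", ip_verdict(0x0800, 6));
    printf("tcp filter, IPv6 fragment + TCP: %u\n", tcp_verdict(0x86dd, 0x2c, 6));
    printf("tcp filter, runt frame: %u\n", runt_verdict());
    return 0;
}
```

The return value 65535 is the snapshot length tcpdump asked for; newer tcpdump builds print 262144 there instead, and the logic is unchanged.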

eBPF Overview

eBPF was introduced in Linux kernel 3.18. It improved efficiency through JIT compilation, expanded the use cases beyond networking, and replaced the socket/buffer channel to user space with maps for high‑performance data storage and sharing.

Within a few years, developers built network monitoring, traffic shaping, and system tracing solutions on top of eBPF.

The eBPF workflow consists of three steps:

1. Create the eBPF program as bytecode (compile C code with LLVM into eBPF bytecode embedded in an ELF object).

2. Load the program into the kernel and create the eBPF maps it needs (programs are used for socket filters, kprobes, XDP, tracing, cgroup limits, lightweight tunnels, etc.).

3. Attach the loaded program to the appropriate kernel subsystem (e.g., network stack, cgroup, tracepoint), where it begins filtering, analyzing, or capturing data.

eBPF System‑call Commands

Linux provides ten BPF system‑call commands; six are documented in the man page:

BPF_PROG_LOAD – Validate and load an eBPF program, returning a new file descriptor.

BPF_MAP_CREATE – Create a map and return its file descriptor.

BPF_MAP_LOOKUP_ELEM – Look up an element by key in a map.

BPF_MAP_UPDATE_ELEM – Create or update a key/value pair in a map.

BPF_MAP_DELETE_ELEM – Delete an element by key from a map.

BPF_MAP_GET_NEXT_KEY – Retrieve the next key in a map.

Additional commands added in later kernel versions include:

BPF_OBJ_PIN – Persist eBPF programs or maps in /sys/fs/bpf.

BPF_OBJ_GET – Retrieve a pinned object.

BPF_PROG_ATTACH – Attach an eBPF program to a cgroup (useful for containers).

BPF_PROG_DETACH – Detach a program.

eBPF Map Types

BPF_MAP_TYPE_UNSPEC – Placeholder value 0; not a usable map type.

BPF_MAP_TYPE_HASH – Standard hash table.

BPF_MAP_TYPE_ARRAY – Array‑indexed storage.

BPF_MAP_TYPE_PROG_ARRAY – Stores file descriptors of eBPF programs for indirect jumps (tail calls).

BPF_MAP_TYPE_PERF_EVENT_ARRAY – Used with perf events, tracepoints, kprobes, and uprobes.

BPF_MAP_TYPE_PERCPU_HASH – Per‑CPU hash tables.

BPF_MAP_TYPE_PERCPU_ARRAY – Per‑CPU arrays.

BPF_MAP_TYPE_STACK_TRACE – Stores stack traces.

BPF_MAP_TYPE_CGROUP_ARRAY – Checks skb cgroup membership.

BPF_MAP_TYPE_LRU_HASH – Hash table that evicts least‑recently‑used entries when full.

BPF_MAP_TYPE_LRU_PERCPU_HASH – Per‑CPU variant of the LRU hash table.

BPF_MAP_TYPE_LPM_TRIE – Longest Prefix Match trie.

BPF_MAP_TYPE_ARRAY_OF_MAPS – Array whose values are other maps.

BPF_MAP_TYPE_HASH_OF_MAPS – Hash table whose values are other maps.

BPF_MAP_TYPE_DEVMAP – Directs packets to a device (XDP redirect).

BPF_MAP_TYPE_SOCKMAP – Associates sockets with maps.
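The map commands listed in the system‑call section and the map types above can be exercised from user space without loading any eBPF program at all, which is a good way to see what each command expects in its bpf_attr. The following is an added example, not code from the original article: it drives BPF_MAP_CREATE, BPF_MAP_UPDATE_ELEM, BPF_MAP_LOOKUP_ELEM, BPF_MAP_GET_NEXT_KEY and BPF_MAP_DELETE_ELEM through the raw bpf(2) system call on a BPF_MAP_TYPE_HASH. The sample keys (TCP ports 80 and 443) and values are constructed for the example. Creating a map requires CAP_BPF (CAP_SYS_ADMIN on older kernels), so the function reports the failing errno instead of treating a denied call as a bug; walking the map with a NULL starting key relies on kernel support for that, present since 4.12.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* for syscall(2) */
#endif
#include <errno.h>
#include <linux/bpf.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Every BPF command goes through the one entry point: bpf(cmd, attr, size). */
static long bpf(int cmd, union bpf_attr *attr)
{
    return syscall(__NR_bpf, cmd, attr, sizeof(*attr));
}

/* User pointers are passed to the kernel as 64-bit integers inside bpf_attr. */
static __u64 ptr_to_u64(const void *p)
{
    return (__u64)(unsigned long)p;
}

static int map_create(__u32 type, __u32 key_size, __u32 value_size, __u32 max_entries)
{
    union bpf_attr attr;
    memset(&attr, 0, sizeof attr);   /* fields the command ignores must be zero */
    attr.map_type = type;
    attr.key_size = key_size;
    attr.value_size = value_size;
    attr.max_entries = max_entries;
    return (int)bpf(BPF_MAP_CREATE, &attr);   /* new map fd, or -1 with errno set */
}

/* One helper for the element commands; 'value' doubles as the next_key slot
 * for BPF_MAP_GET_NEXT_KEY because the two fields share a union in bpf_attr. */
static int map_elem(int cmd, int fd, const void *key, void *value, __u64 flags)
{
    union bpf_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.map_fd = fd;
    attr.key = ptr_to_u64(key);
    attr.value = ptr_to_u64(value);
    attr.flags = flags;
    return (int)bpf(cmd, &attr);
}

/* Round trip on a hash map keyed by __u32 (constructed sample: TCP ports) with
 * __u64 counters. Returns 0 on success or -errno from the first failing call
 * (-EPERM when the caller lacks the capability). On success *looked_up is the
 * value stored under key 80 and *nkeys the number of keys seen in the walk. */
int map_roundtrip(__u64 *looked_up, int *nkeys)
{
    __u32 k80 = 80, k443 = 443, cur, next;
    __u64 v80 = 42, v443 = 7, got = 0;
    int rc = 0, r;

    int fd = map_create(BPF_MAP_TYPE_HASH, sizeof(__u32), sizeof(__u64), 16);
    if (fd < 0)
        return -errno;

    if (map_elem(BPF_MAP_UPDATE_ELEM, fd, &k80, &v80, BPF_ANY) < 0 ||   /* BPF_ANY: create or overwrite */
        map_elem(BPF_MAP_UPDATE_ELEM, fd, &k443, &v443, BPF_ANY) < 0 ||
        map_elem(BPF_MAP_LOOKUP_ELEM, fd, &k80, &got, 0) < 0) {
        rc = -errno;
        goto out;
    }
    *looked_up = got;

    /* Key walk: a NULL key asks for the first key; ENOENT marks the end. */
    *nkeys = 0;
    r = map_elem(BPF_MAP_GET_NEXT_KEY, fd, NULL, &next, 0);
    while (r == 0) {
        (*nkeys)++;
        cur = next;
        r = map_elem(BPF_MAP_GET_NEXT_KEY, fd, &cur, &next, 0);
    }
    if (errno != ENOENT) {
        rc = -errno;
        goto out;
    }

    /* Delete one entry and confirm a lookup of it now fails with ENOENT. */
    if (map_elem(BPF_MAP_DELETE_ELEM, fd, &k80, NULL, 0) < 0) {
        rc = -errno;
        goto out;
    }
    if (map_elem(BPF_MAP_LOOKUP_ELEM, fd, &k80, &got, 0) == 0 || errno != ENOENT)
        rc = -EIO;   /* entry survived deletion: report it as a failure */
out:
    close(fd);       /* closing the last fd frees the map (nothing was pinned) */
    return rc;
}

int main(void)
{
    __u64 v = 0;
    int n = 0;
    int rc = map_roundtrip(&v, &n);
    if (rc == 0)
        printf("lookup(80) = %llu, keys walked = %d\n", (unsigned long long)v, n);
    else
        printf("bpf() failed: %s\n", strerror(-rc));
    return rc == 0 ? 0 : 1;
}
```

Run it as root or with CAP_BPF to see the successful path; in a container whose seccomp profile blocks bpf(2), or as an unprivileged user, it reports EPERM and exits, which is the kernel enforcing that only a privileged caller can create kernel‑resident state. The same five commands are what libbpf and bpftool issue underneath their map APIs, and BPF_OBJ_PIN is what keeps such a map alive after the creating process closes its descriptor.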

Source: https://zhaozhanxu.com/2018/04/01/Linux/2018-04-01-Linux-eBPF/

Written by Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
