awesome-awesomeness/html/ebpf.html
2025-07-18 22:22:32 +02:00

<h1 id="awesome-ebpf-awesome">Awesome eBPF <a
href="https://github.com/sindresorhus/awesome"><img
src="https://awesome.re/badge.svg" alt="Awesome" /></a></h1>
<blockquote>
<p>A curated list of awesome projects related to eBPF.</p>
</blockquote>
<p>BPF, as in <em>Berkeley Packet Filter</em>, is an in-kernel virtual
machine running programs passed from user space. Initially implemented
on BSD, then Linux, the (now legacy) “classic BPF” or cBPF machine would
be used with tools like tcpdump for filtering packets in the kernel to
avoid useless copies to user space. More recently, the BPF
infrastructure in Linux has been completely reworked and gave life to
the “extended BPF”, or eBPF, which gained new features (safety and
termination checks, JIT-compiling for programs, persistent maps, a
standard library, hardware offload support, etc.) and is now used for
many tasks. Processing packets at a very low level (XDP), tracing and
monitoring events on the system, or enforcing access control over
cgroups are but a few examples to which eBPF brings performance,
programmability and flexibility.</p>
<p>Recently, <a href="https://cilium.io">Cilium</a> launched a great
website about eBPF called <a href="https://ebpf.io/">ebpf.io</a>. It
serves a similar purpose to this list, with <a
href="https://ebpf.io/what-is-ebpf">an introduction to eBPF</a> and
links to <a href="https://ebpf.io/projects">related projects</a>.</p>
<blockquote>
<p>Note: eBPF is an exciting piece of technology, and its ecosystem is
constantly evolving. We'd love help from <em>you</em> to keep this
awesome list up to date, and improve its signal-to-noise ratio in any way
we can. Please feel free to leave <a
href="https://github.com/zoidbergwill/awesome-ebpf/issues">any
feedback</a>.</p>
</blockquote>
<h2 id="contents">Contents</h2>
<ul>
<li><a href="#reference-documentation">Reference Documentation</a></li>
<li><a href="#articles-and-presentations">Articles and
Presentations</a></li>
<li><a href="#tutorials">Tutorials</a></li>
<li><a href="#examples">Examples</a></li>
<li><a href="#ebpf-workflow-tools-and-utilities">eBPF Workflow: Tools
and Utilities</a></li>
<li><a href="#projects-related-to-ebpf">Projects Related to
eBPF</a></li>
<li><a href="#ebpf-in-security">eBPF in Security</a></li>
<li><a href="#the-code">The Code</a></li>
<li><a href="#development-and-community">Development and
Community</a></li>
<li><a href="#other-lists-of-resources-on-ebpf">Other Lists of Resources
on eBPF</a></li>
<li><a href="#acknowledgement">Acknowledgement</a></li>
</ul>
<h2 id="reference-documentation">Reference Documentation</h2>
<h3 id="ebpf-essentials">eBPF Essentials</h3>
<ul>
<li><a href="https://ebpf.io/">ebpf.io</a> - A gateway to discover all
the basics of eBPF, including a listing of the main related projects and
of community resources.</li>
<li><a href="http://docs.cilium.io/en/latest/bpf/">Cilium's BPF and XDP
Reference Guide</a> - In-depth documentation about most features and
aspects of eBPF.</li>
</ul>
<h3 id="kernel-documentation">Kernel Documentation</h3>
<ul>
<li><a href="https://www.kernel.org/doc/html/latest/bpf/index.html">BPF
Documentation</a> - Index for BPF-related documentation coming with the
Linux kernel.</li>
<li><a
href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/networking/filter.rst">linux/Documentation/networking/filter.rst</a>
- eBPF specification (somewhat outdated; information should still be
valid, but not exhaustive).</li>
<li><a
href="https://www.kernel.org/doc/html/latest/bpf/bpf_design_QA.html">BPF
Design Q&amp;A</a> - Frequently Asked Questions on the decisions behind
the BPF infrastructure.</li>
<li><a
href="https://www.kernel.org/doc/html/latest/bpf/bpf_devel_QA.html">HOWTO
interact with BPF subsystem</a> - Frequently Asked Questions about
contributing to eBPF development.</li>
</ul>
<h3 id="manual-pages">Manual Pages</h3>
<ul>
<li><a
href="http://man7.org/linux/man-pages/man2/bpf.2.html"><code>bpf(2)</code></a>
- Manual page about the <code>bpf()</code> system call, used to manage
BPF programs and maps from userspace.</li>
<li><a
href="http://man7.org/linux/man-pages/man8/tc-bpf.8.html"><code>tc-bpf(8)</code></a>
- Manual page about using BPF with tc, including example commands and
samples of code.</li>
<li><a
href="http://man7.org/linux/man-pages/man7/bpf-helpers.7.html"><code>bpf-helpers(7)</code>
man page</a> - Description of the in-kernel helper functions forming the
BPF standard library.</li>
</ul>
<h3 id="other">Other</h3>
<ul>
<li><p><a
href="https://github.com/iovisor/bpf-docs/blob/master/eBPF.md">IO
Visor's Unofficial eBPF spec</a> - Summary of eBPF syntax and operation
codes.</p></li>
<li><p><a
href="https://prototype-kernel.readthedocs.io/en/latest/bpf/index.html">Jesper
Dangaard Brouer's documentation</a> - Work in progress, contributions
welcome.</p></li>
<li><p>Emails from David Miller to the <a
href="http://vger.kernel.org/vger-lists.html#xdp-newbies">xdp-newbies</a>
mailing list:</p>
<ul>
<li><a
href="https://www.spinics.net/lists/xdp-newbies/msg00179.html">bpf.h and
you…</a></li>
<li><a
href="https://www.spinics.net/lists/xdp-newbies/msg00181.html">Contextually
speaking…</a></li>
<li><a
href="https://www.spinics.net/lists/xdp-newbies/msg00185.html">BPF
Verifier Overview</a></li>
</ul></li>
<li><p><a
href="https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md">List
of BPF features per kernel version</a></p></li>
<li><p><a
href="https://pchaigno.github.io/bpf/2025/01/07/research-papers-bpf.html">A
List of Research Papers</a></p></li>
</ul>
<h2 id="articles-and-presentations">Articles and Presentations</h2>
<h3 id="generic-ebpf-presentations-and-articles">Generic eBPF
Presentations and Articles</h3>
<p>If you are new to eBPF, you may want to try the links described as
“introductions” in this section.</p>
<ul>
<li><p><a
href="https://blogs.igalia.com/dpino/2019/01/07/introduction-to-xdp-and-ebpf/">A
brief introduction to XDP and eBPF</a> - An accessible introduction
providing context, history, and details about the functioning of
eBPF.</p></li>
<li><p>An eBPF Overview - Blog series by Adrian Ratiu, covering many
aspects of the eBPF infrastructure:</p>
<ul>
<li><a
href="https://www.collabora.com/news-and-blog/blog/2019/04/05/an-ebpf-overview-part-1-introduction/">Part
1: Introduction</a></li>
<li><a
href="https://www.collabora.com/news-and-blog/blog/2019/04/15/an-ebpf-overview-part-2-machine-and-bytecode/">Part
2: Machine &amp; Bytecode</a></li>
</ul></li>
<li><p><a href="https://ferrisellis.com/tags/ebpf/">Ferris Ellis's blog
posts about eBPF</a> - They have a few posts about eBPF:</p>
<ul>
<li><a
href="https://ferrisellis.com/content/ebpf_past_present_future/">Part 1:
Past, Present, and Future</a></li>
<li><a
href="https://ferrisellis.com/content/ebpf_syscall_and_maps/">Part 2:
Syscall and Map Types</a></li>
</ul></li>
<li><p><a
href="https://github.com/iovisor/bcc/blob/master/docs/reference_guide.md">A
BPF reference guide</a> - About BPF C and bcc Python helpers, from bcc
repository.</p></li>
<li><p><a
href="http://schd.ws/hosted_files/ossna2017/da/BPFandXDP.pdf">Making the
Kernel's Networking Data Path Programmable with BPF and XDP</a> - A set
of slides covering all the basics about eBPF and XDP (mostly for network
processing).</p></li>
<li><p><a
href="https://speakerdeck.com/tuxology/the-bsd-packet-filter">The BSD
Packet Filter</a> - An introduction mostly covering the tracing
aspects.</p></li>
<li><p><a
href="http://www.slideshare.net/brendangregg/bpf-tracing-and-more">BPF:
tracing and more</a> - An introduction mostly covering the tracing
aspects.</p></li>
<li><p><a
href="http://www.slideshare.net/brendangregg/linux-bpf-superpowers">Linux
BPF Superpowers</a> - An introduction mostly covering the tracing
aspects, first part with flame graphs.</p></li>
<li><p><a
href="https://www.socallinuxexpo.org/sites/default/files/presentations/Room%20211%20-%20IOVisor%20-%20SCaLE%2014x.pdf">IO
Visor</a> - Also introduces <a href="https://www.iovisor.org/">IO Visor
project</a>.</p></li>
<li><p><a
href="http://vger.kernel.org/netconf2015Starovoitov-bpf_collabsummit_2015feb20.pdf">BPF
in-kernel virtual machine</a> - Presentation by the author of
eBPF.</p></li>
<li><p><a href="https://lwn.net/Articles/603983/">Extending extended
BPF</a> - A blog post from 2014 on the development of BPF and
demonstrating what can be done with it, using an example of stateful
socket filtering by attaching an eBPF program to a socket.</p></li>
<li><p>Greg Marsden made some documentation about eBPF:</p>
<ul>
<li><a href="https://blogs.oracle.com/linux/notes-on-bpf-1">A Tour of
Program Types</a> - A description of all existing hooks for BPF program
types, and of their interest.</li>
<li><a href="https://blogs.oracle.com/linux/notes-on-bpf-2">BPF helper
functions</a> - A review of the kernel functions that can be called from
within eBPF programs.</li>
<li><a
href="https://blogs.oracle.com/linux/notes-on-bpf-3">Communicating with
Userspace</a> - How BPF communicates with userspace - BPF maps, perf
events, bpf_trace_printk.</li>
<li><a href="https://blogs.oracle.com/linux/notes-on-bpf-4">Building BPF
Programs</a> - Setting up your environment to build BPF programs.</li>
<li><a href="https://blogs.oracle.com/linux/notes-on-bpf-5">The BPF
Bytecode and the BPF Verifier</a> - How does BPF ensure that programs
are safe?</li>
<li><a href="https://blogs.oracle.com/linux/notes-on-bpf-6">Using BPF to
do Packet Transformation</a> - One eBPF usage about packet
transformation.</li>
</ul></li>
<li><p><a
href="https://sematext.com/blog/linux-kernel-observability-ebpf/">Linux
Kernel Observability through eBPF</a> - A blog post covering the basics
of eBPF as well as code samples in Go on how to build and load a minimal
eBPF program into the kernel.</p></li>
<li><p><a
href="https://www.researchgate.net/publication/349173667_eBPF_-_From_a_Programmer&#39;s_Perspective">eBPF
- From a Programmer's Perspective</a> - A short paper describing the
fundamentals of eBPF and how to get started with writing eBPF
programs.</p></li>
<li><p><a href="https://blog.cloudflare.com/tag/ebpf/">Cloudflare's blog
posts on eBPF</a> - Different blog posts about networking use cases and
low-level aspects of eBPF.</p></li>
<li><p><a href="https://www.brendangregg.com/ebpf.html">Linux Extended
BPF (eBPF) Tracing Tools</a> - An in-depth collection of information
around examples of performance analysis tools using eBPF. Contains also
a section at the end of the page about other resources.</p></li>
<li><p><a href="https://github.com/lizrice/ebpf-beginners">Beginner's
guide to eBPF</a> - A set of live-coding talks and the accompanying code
examples, introducing eBPF programming using a variety of libraries and
program types.</p></li>
</ul>
<h3 id="bpf-internals">BPF Internals</h3>
<ul>
<li><p>Daniel Borkmann has made several presentations and papers
covering the internals of eBPF, in particular about its use with tc.</p>
<ul>
<li><a href="https://fosdem.org/2017/schedule/event/ebpf_xdp/">eBPF and
XDP walkthrough and recent (2017) updates</a></li>
<li><a
href="http://netdevconf.org/1.2/session.html?daniel-borkmann">Advanced
programmability and recent updates with tc's cls_bpf</a> - Details on
eBPF, its use for tunneling and encapsulation, direct packet access, and
more.</li>
<li><a
href="http://netdevconf.org/1.2/slides/oct5/07_tcws_daniel_borkmann_2016_tcws.pdf">cls_bpf/eBPF
updates since netdev 1.1</a> - Part of <a
href="http://netdevconf.org/1.2/session.html?jamal-tc-workshop">this tc
workshop</a>.</li>
<li><a
href="http://www.netdevconf.org/1.1/proceedings/slides/borkmann-tc-classifier-cls-bpf.pdf">On
getting tc classifier fully programmable with cls_bpf</a> - Introduction
to eBPF, including several features (map management, tail calls,
verifier). The full paper <a
href="http://www.netdevconf.org/1.1/proceedings/papers/On-getting-tc-classifier-fully-programmable-with-cls-bpf.pdf">is
also available here</a>.</li>
<li><a
href="https://archive.fosdem.org/2016/schedule/event/ebpf/attachments/slides/1159/export/events/attachments/ebpf/slides/1159/ebpf.pdf">Linux
tc and eBPF</a></li>
</ul></li>
<li><p><a href="https://www.iovisor.org/resources/blog">IO Visor
blog</a></p></li>
<li><p><a
href="http://www.slideshare.net/ThomasGraf5/linux-networking-explained">Linux
Networking Explained</a> - Linux networking internals, with a part about
eBPF.</p></li>
</ul>
<h3 id="kernel-tracing">Kernel Tracing</h3>
<ul>
<li><a
href="https://www.joyfulbikeshedding.com/blog/2019-01-31-full-system-dynamic-tracing-on-linux-using-ebpf-and-bpftrace.html">Full-system
dynamic tracing on Linux using eBPF and bpftrace</a> - A detailed
introduction to tracing with eBPF, from listing the available trace
points to running bpftrace programs.</li>
<li><a
href="http://www.slideshare.net/vh21/meet-cutebetweenebpfandtracing">Meet-cute
between eBPF and Kernel Tracing</a> - Kprobes, uprobes, ftrace.</li>
<li><a href="http://www.slideshare.net/vh21/linux-kernel-tracing">Linux
Kernel Tracing</a> - Systemtap, Kernelshark, trace-cmd, LTTng,
perf-tool, ftrace, hist-trigger, perf, function tracer, tracepoint,
kprobe/uprobe, and more.</li>
<li>Brendan Gregg's blog, and in particular <a
href="http://www.brendangregg.com/blog/2016-03-05/linux-bpf-superpowers.html">Linux
BPF Superpowers</a> article.</li>
</ul>
<h3 id="xdp">XDP</h3>
<ul>
<li><p><a
href="https://blogs.igalia.com/dpino/2019/01/10/the-express-data-path/">The
eXpress Data Path</a> - A very accessible introduction to XDP, providing
sample code to show how to process packets.</p></li>
<li><p>All XDP details in a technical paper: <a
href="https://github.com/tohojo/xdp-paper">The eXpress Data Path: Fast
Programmable Packet Processing in the Operating System Kernel</a>, by
Toke Høiland-Jørgensen, Jesper Dangaard Brouer, Daniel Borkmann, John
Fastabend, Tom Herbert, David Ahern and David Miller, all being
essential eBPF and XDP contributors.</p></li>
<li><p><a
href="https://prototype-kernel.readthedocs.io/en/latest/networking/XDP/index.html">Work-in-progress
documentation for XDP</a></p></li>
<li><p><a href="http://docs.cilium.io/en/latest/bpf/">BPF and XDP
Reference Guide</a> - Guide from the Cilium project.</p></li>
<li><p><a href="https://www.iovisor.org/technology/xdp">XDP Project
overview</a></p></li>
<li><p><a
href="https://github.com/iovisor/bpf-docs/raw/master/Express_Data_Path.pdf">eXpress
Data Path (XDP)</a> - The first presentation about XDP.</p></li>
<li><p><a
href="https://events.linuxfoundation.org/sites/events/files/slides/iovisor-lc-bof-2016.pdf">BoF
- What Can BPF Do For You?</a></p></li>
<li><p><a
href="http://www.slideshare.net/IOVisor/express-data-path-linux-meetup-santa-clara-july-2016">eXpress
Data Path</a> - Contains some benchmark results obtained with the mlx4
driver.</p></li>
<li><p>Jesper Dangaard Brouer has several sets of slides describing the
internals of XDP:</p>
<ul>
<li><a
href="http://people.netfilter.org/hawk/presentations/xdp2016/xdp_intro_and_use_cases_sep2016.pdf">XDP
eXpress Data Path, Intro and future use-cases</a> - Linux Kernel's
fight against DPDK. Future plans (as of this writing) for XDP and
comparison with DPDK.</li>
<li><a
href="http://netdevconf.org/1.2/session.html?jesper-performance-workshop">Network
Performance Workshop</a> - Additional hints about XDP internals and
expected evolution.</li>
<li><a
href="http://people.netfilter.org/hawk/presentations/OpenSourceDays2017/XDP_DDoS_protecting_osd2017.pdf">XDP
eXpress Data Path, Used for DDoS protection</a> - Details and use
cases about XDP, with benchmark results, and code snippets for
benchmarking as well as for basic DDoS protection with eBPF/XDP (based
on an IP blacklisting scheme).</li>
<li><a
href="http://people.netfilter.org/hawk/presentations/MM-summit2017/MM-summit2017-JesperBrouer.pdf">Memory
vs. Networking, Provoking and fixing memory bottlenecks</a> - Advanced
details about current memory issues faced by XDP developers.</li>
<li><a href="http://netdevconf.org/2.1/session.html?gospodarek">XDP for
the Rest of Us</a> - How to get started with eBPF and XDP for normal
humans. Also summarized by Julia Evans on <a
href="http://jvns.ca/blog/2017/04/07/xdp-bpf-tutorial/">her
blog</a>.</li>
<li><a
href="http://people.netfilter.org/hawk/presentations/LLC2018/XDP_LLC2018_redirect.pdf">XDP
now with REDIRECT</a> - Update on XDP, and in particular on the redirect
actions.</li>
</ul></li>
<li><p><a
href="http://netdevconf.org/1.2/session.html?herbert-xdp-workshop">XDP
workshop Introduction, experience, and future development
(Video)</a></p></li>
<li><p><a
href="https://cdn.shopify.com/s/files/1/0177/9886/files/phv2017-gbertin.pdf">High
Speed Packet Filtering on Linux</a> - About packet filtering on Linux,
DDoS protection, packet processing in the kernel, kernel bypass, XDP and
eBPF.</p></li>
<li><p><a
href="https://blog.cloudflare.com/how-to-drop-10-million-packets/">How
to drop 10 million packets per second</a> - Cloudflare's blog post
talking about their move to using XDP for packet filtering.</p></li>
</ul>
<h3 id="af_xdp">AF_XDP</h3>
<ul>
<li><a
href="https://www.kernel.org/doc/html/latest/networking/af_xdp.html">AF_XDP</a>
- Kernel documentation on the AF_XDP address family.</li>
<li><a
href="https://archive.fosdem.org/2018/schedule/event/af_xdp/">Fast
Packet Processing in Linux with AF_XDP</a></li>
</ul>
<h3 id="bpfilter">bpfilter</h3>
<ul>
<li><a
href="https://cilium.io/blog/2018/04/17/why-is-the-kernel-community-replacing-iptables/">Why
is the kernel community replacing iptables with BPF?</a> - A blog post
by Cilium on the motivations behind eBPF and bpfilter, with a couple
examples and links to other projects using eBPF and bpfilter.</li>
<li><a
href="https://qmo.fr/docs/talk_20180316_frnog_bpfilter.pdf">bpfilter:
Linux firewall with eBPF sauce</a> - Slides from a talk by Quentin
Monnet with a background on eBPF and comparing bpfilter to
iptables.</li>
</ul>
<h3 id="btf">BTF</h3>
<ul>
<li><a href="https://www.kernel.org/doc/html/latest/bpf/btf.html">BPF
Type Format (BTF)</a> - Kernel documentation about BTF, explaining how
to use it.</li>
<li><a
href="https://facebookmicrosites.github.io/bpf/blog/2018/11/14/btf-enhancement.html">Enhancing
the Linux kernel with BTF type information</a> - A description of the
work done with BTF to provide debugging information for BPF
programs.</li>
<li><a
href="https://cloudchirp.substack.com/p/what-is-btf-bpf-type-format">What
is BTF (BPF Type Format)</a> - A community-authored newsletter enriched
with useful code illustrations and hands-on examples.</li>
</ul>
<h3 id="cbpf">cBPF</h3>
<ul>
<li><a href="http://www.tcpdump.org/papers/bpf-usenix93.pdf">The BSD
Packet Filter: A New Architecture for User-level Packet Capture</a> -
The original paper about (classic) BPF.</li>
<li><a
href="https://www.freebsd.org/cgi/man.cgi?query=bpf&amp;sektion=4">The
FreeBSD manual page about BPF</a></li>
<li><a href="http://borkmann.ch/talks/2013_devconf.pdf">Linux packet
mmap(2), BPF, and Netsniff-NG</a></li>
<li><a href="http://borkmann.ch/talks/2014_devconf.pdf">tc and cls bpf:
lightweight packet classifying with BPF</a></li>
<li><a
href="https://blog.cloudflare.com/introducing-the-bpf-tools/">Introducing
Cloudflare's BPF Tools</a> - Usage of BPF bytecode with the
<code>xt_bpf</code> module for iptables.</li>
<li><a href="http://biot.com/capstats/bpf.html">Libpcap filters
syntax</a></li>
</ul>
<h3 id="hardware-offload">Hardware Offload</h3>
<ul>
<li><a
href="http://netdevconf.org/1.2/session.html?jakub-kicinski">eBPF/XDP
hardware offload to SmartNICs</a> - Hardware offload for eBPF with TC or
XDP (Linux kernel 4.9+), introduced by Netronome.</li>
<li><a
href="https://www.netdevconf.org/2.2/session.html?viljoen-xdpoffload-talk">Comprehensive
XDP offload—Handling the edge cases</a> - An update on the topic
above.</li>
<li><a href="https://github.com/rprinz08/hBPF">hBPF - eBPF in
hardware</a> - An eBPF CPU written for FPGAs.</li>
<li><a href="https://github.com/Dantali0n/qemu-csd">OpenCSD eBPF SSD
offloading</a> - Computational Storage simulation (QEMU) platform with
FUSE LFS filesystem for Zoned Namespaces NVMe SSDs using uBPF for
compute kernel offloading, all in userspace.</li>
<li><a
href="https://dl.acm.org/doi/pdf/10.1145/3592980.3595319">Delilah:
eBPF-offload on Computational Storage</a> - Delilah is a Computational
Storage Processor (CSP) built for eBPF offload to storage devices.</li>
</ul>
<h2 id="tutorials">Tutorials</h2>
<ul>
<li><a
href="https://github.com/iovisor/bcc/blob/master/docs/reference_guide.md">bcc
Reference Guide</a> - Many incremental steps to start using bcc and
eBPF, mostly centered on tracing and monitoring.</li>
<li><a
href="https://github.com/iovisor/bcc/blob/master/docs/tutorial_bcc_python_developer.md">bcc
Python Developer Tutorial</a> - Comes with bcc, but targets the Python
bits across seventeen “lessons”.</li>
<li><a href="https://nakryiko.com/posts/libbpf-bootstrap/">Building BPF
applications with libbpf-bootstrap</a> - Helps generate minimal or
advanced templates to bootstrap your own applications (kernel side and
user space management for maps and programs) with features like CO-RE,
global variables, and ring buffer.</li>
<li><a href="https://bolinfest.github.io/opensnoop-native/">How I ended
up writing opensnoop in pure C using eBPF</a> - A thorough walk-through
of how to write eBPF programs, first using only bpf() syscall, and then
libbpf library, with reproducible code examples.</li>
<li><a href="https://github.com/goldshtn/linux-tracing-workshop">Linux
Tracing Workshop's Materials</a> - Involves the use of several BPF tools
for tracing.</li>
<li><a
href="https://blog.yadutaf.fr/2017/07/28/tracing-a-packet-journey-using-linux-tracepoints-perf-ebpf/">Tracing
a packet journey using Linux tracepoints, perf and eBPF</a> -
Troubleshooting ping requests and replies with perf and bcc
programs.</li>
<li><a
href="https://open-nfp.org/dataplanes-ebpf/technical-papers/">Open NFP
platform</a> - Operated by Netronome: some tutorials for network-related
eBPF use cases, including an eBPF Offload Starting Guide.</li>
<li><a href="http://netdevconf.org/2.1/session.html?gospodarek">XDP for
the Rest of Us</a> - First edition of a workshop to get started with
XDP.</li>
<li><a
href="https://www.netdevconf.org/2.2/session.html?gospodarek-xdp-workshop">XDP
for the Rest of Us</a> - Second edition, with new contents.</li>
<li><a
href="https://medium.com/@fntlnz/load-xdp-programs-using-the-ip-iproute2-command-502043898263">Load
XDP programs using the ip (iproute2) command</a></li>
<li><a href="https://github.com/xdp-project/xdp-tutorial">XDP Hands-On
Tutorial</a> - A progressive (three levels of difficulty) tutorial to
learn how to process packets with XDP.</li>
<li><a
href="https://blog.trailofbits.com/2021/11/09/all-your-tracing-are-belong-to-bpf/">All
your tracing are belong to BPF</a> - A step-by-step walkthrough to
integrate tracing capabilities in your C++ applications with the LLVM
libraries.</li>
<li><a
href="https://arthurchiao.art/blog/firewalling-with-bpf-xdp/">Firewalling
with BPF/XDP: Examples and Deep Dive</a> - A simple guide to build basic
firewalls with TC and XDP.</li>
<li><a
href="https://medium.com/@nurkholish.halim/a-deep-dive-into-ebpf-writing-an-efficient-dns-monitoring-2c9dea92abdf">A
Deep Dive into eBPF: Writing an Efficient DNS Monitoring.</a> - A
detailed explanation of methods used to capture DNS requests at the
socket filter layer.</li>
<li><a href="https://eunomia.dev/tutorials/">eBPF Developer Tutorial -
Learn eBPF by examples</a> - Start with eBPF basics and progress to
advanced topics using 20+ hands-on tutorials and examples. Covers
performance, networking, and security with libbpf and CO-RE. Available
in Chinese and English.</li>
<li><a
href="https://bencher.dev/docs/explanation/talks/#linuxcon-2023-12-may-23">Catch
Performance Regressions in eBPF</a> - A step-by-step guide to
benchmarking both the client and kernel eBPF code written in Rust.</li>
<li><a
href="https://cloudchirp.substack.com/p/loops-and-iterators-in-ebpf">Loops
and Iterators in eBPF</a> - Newsletter about all the ways to loop and
iterate in eBPF.</li>
<li><a
href="https://cloudchirp.substack.com/p/what-insights-can-ebpf-provide-into">What
Insights Can eBPF Provide into Real-Time SSL/TLS Encrypted Traffic and
How?</a> - A step-by-step guide on how eBPF can observe encrypted network
traffic.</li>
<li><a
href="https://cloudchirp.substack.com/p/can-ebpf-detect-redis-message-patterns">Can
eBPF Detect Redis Message Patterns Before They Become Problems?</a> - A
step-by-step guide on how eBPF can observe Redis communication between
client and server.</li>
<li><a
href="https://cloudchirp.substack.com/p/transparent-proxy-implementation">Transparent
Proxy Implementation using eBPF and Go</a> - A step-by-step guide on how
to implement a transparent proxy using eBPF.</li>
<li><a
href="https://cloudchirp.substack.com/p/ebpf-powered-load-balancing-for-so_reuseport">eBPF-Powered
Load Balancing</a> - Learn how eBPF can infer custom load-balancing for
services listening on the same port, through the SO_REUSEPORT TCP
option.</li>
<li><a
href="https://ebpfchirp.substack.com/p/unit-testing-ebpf-programs">Unit
Testing eBPF Programs</a> - Learn how you can unit test your eBPF
programs using libbpf.</li>
<li><a
href="https://cloudchirp.substack.com/p/optimizing-local-socket-communication">Accelerating
Local Socket Communication using eBPF</a> - Learn how eBPF can speed-up
local socket communication up to 30%.</li>
<li><a
href="https://blog.maxgio.me/posts/unleashing-power-frame-pointers-writing-simple-continuous-profiler/">Writing
a basic continuous profiler</a> - A step-by-step guide to write an
application continuous profiler leveraging eBPF instrumentation, with
a complete project as a reference.</li>
<li><a
href="https://inspektor-gadget.io/docs/latest/gadget-devel/hello-world-gadget">Inspektor
Gadget - Hello world gadget</a> - An introductory guide to writing
image-based eBPF gadgets and sharing them via OCI registries.</li>
<li><a
href="https://inspektor-gadget.io/docs/latest/gadget-devel/hello-world-gadget-wasm">Inspektor
Gadget - Hello world gadget with Wasm</a> - An introductory guide to
writing image-based eBPF gadgets and performing post-processing with
WASM.</li>
</ul>
<h2 id="examples">Examples</h2>
<ul>
<li><a
href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/samples/bpf">linux/samples/bpf/</a>
- In the kernel tree: some sample eBPF programs.</li>
<li><a
href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/tools/testing/selftests/bpf">linux/tools/testing/selftests/bpf</a>
- In the kernel tree: Linux BPF selftests, with many eBPF programs.</li>
<li><a
href="https://github.com/netoptimizer/prototype-kernel/tree/master/kernel/samples/bpf">prototype-kernel/kernel/samples/bpf</a>
- Jesper Dangaard Brouer's prototype-kernel repository contains some
additional examples that can be compiled outside of kernel
infrastructure.</li>
<li><a
href="https://git.kernel.org/pub/scm/network/iproute2/iproute2-next.git/tree/examples/bpf">iproute2/examples/bpf/</a>
- Some networking programs to attach to the TC interface.</li>
<li><a href="https://github.com/Netronome/bpf-samples/">Netronome sample
network applications</a> - Provides basic but complete examples of eBPF
applications also compatible with hardware offload.</li>
<li><a
href="https://github.com/iovisor/bcc/tree/master/examples">bcc/examples</a>
- Examples coming along with the bcc tools, mostly about tracing.</li>
<li><a
href="https://github.com/iovisor/bcc/tree/master/tools">bcc/tools</a> -
These tools themselves can be seen as example use cases for BPF
programs, mostly for tracing and monitoring. bcc tools have been
packaged for some Linux distributions.</li>
<li><a href="https://github.com/fzakaria/eBPF-mpls-encap-decap">MPLSinIP
sample</a> - A heavily commented sample demonstrating how to encapsulate
&amp; decapsulate MPLS within IP. The code is commented for those new to
BPF development.</li>
<li><a href="https://github.com/vbpf/ebpf-samples">ebpf-samples</a> - A
collection of compiled (as ELF object files) samples gathered from
several projects, primarily intended to serve as test cases for user
space verifiers.</li>
<li><a
href="https://github.com/niclashedam/ebpf-kill-example">ebpf-kill-example</a>
- A fully documented and tested example of an eBPF probe that logs all
force-kills and prints them out in user-space.</li>
<li><a href="https://github.com/foniod/redbpf/tree/main/examples">redbpf
examples</a> - Example programs for using RedBPF to write eBPF programs
in Rust.</li>
<li><a href="https://github.com/netfoundry/zfw">XDP/TC-eBPF example</a>
- Program that uses XDP/TC-eBPF to provide stateful firewalling and
socket redirection.</li>
</ul>
<h2 id="ebpf-workflow-tools-and-utilities">eBPF Workflow: Tools and
Utilities</h2>
<h3 id="bcc">bcc</h3>
<ul>
<li><a href="https://github.com/iovisor/bcc/">bcc</a> - Framework and
set of tools - One way to handle BPF programs, in particular for tracing
and monitoring. Also includes some utilities that may help inspect maps
or programs on the system.</li>
<li><a href="https://github.com/iovisor/bcc/tree/master/src/lua">Lua
front-end for BCC</a> - Another alternative to C, and even to most of
the Python code used in bcc.</li>
</ul>
<h3 id="iproute2">iproute2</h3>
<ul>
<li><a
href="https://git.kernel.org/pub/scm/network/iproute2/iproute2.git">iproute2</a>
- Package containing tools for network management on Linux. In
particular, it contains <code>tc</code>, used to manage eBPF filters and
actions, and <code>ip</code>, used to manage XDP programs. Most of the
code related to BPF is in lib/bpf.c.</li>
<li><a
href="https://git.kernel.org/pub/scm/network/iproute2/iproute2-next.git">iproute2-next</a>
- The development tree, synchronised with net-next.</li>
</ul>
<h3 id="llvm">LLVM</h3>
<ul>
<li><p><a href="https://llvm.org/">LLVM</a> - Contains several tools
used in eBPF workflows. Snapshots of the latest versions for
Ubuntu/Debian can be retrieved from <a
href="http://apt.llvm.org/">here</a>.</p>
<ul>
<li>clang is used to compile C to eBPF object file under the ELF format
(clang v3.7.1+). The BPF backend was added with <a
href="https://reviews.llvm.org/D6494">this commit</a>.</li>
<li>llvm-objdump is used to dump the content of an object file in
human-readable format, possibly with the initial C source code
(llvm-objdump v4.0+).</li>
<li>llvm-mc is used to compile from LLVM intermediate representation to
eBPF object file, so that one can compile from C to eBPF assembly,
tinker with assembly, then compile to ELF file.</li>
</ul></li>
</ul>
<h3 id="libbpf">libbpf</h3>
<ul>
<li><a
href="https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/tree/tools/lib/bpf">libbpf</a>
- A C library used for handling BPF objects (programs and maps), and
manipulating ELF object files containing them. It is shipped with the
kernel and <a href="https://github.com/libbpf/libbpf">mirrored on
GitHub</a>.</li>
<li><a
href="https://github.com/libbpf/libbpf-bootstrap">libbpf-bootstrap</a> -
Scaffolding for BPF application development with libbpf and BPF
CO-RE.</li>
</ul>
<h3 id="go-libraries">Go libraries</h3>
<ul>
<li><a href="https://github.com/cilium/ebpf">cilium/ebpf</a> - Pure-Go
library to read, modify and load eBPF programs and attach them to
various hooks in the Linux kernel.</li>
<li><a href="https://github.com/aquasecurity/libbpfgo">libbpfgo</a> -
eBPF library for Go, powered by libbpf.</li>
<li><a href="https://github.com/iovisor/gobpf">gobpf</a> - Go bindings
for BCC for creating eBPF programs.</li>
</ul>
<h3 id="aya">Aya</h3>
<ul>
<li><a href="https://github.com/aya-rs/aya">aya</a> - A pure Rust
library for writing, loading, and managing eBPF objects, with a focus on
developer experience and operability. It supports writing eBPF programs
in Rust and distributing library code over crates.io to share it between
eBPF programs. Aya does not depend on libbpf.</li>
<li><a href="https://github.com/aya-rs/aya-template">aya-template</a> -
Templates for writing BPF applications in Aya that can be used with <a
href="https://github.com/cargo-generate/cargo-generate"><code>cargo generate</code></a>.</li>
<li><a href="https://github.com/deepfence/ebpfguard">Ebpfguard</a> -
Rust library for writing Linux security policies using eBPF.</li>
</ul>
<h3 id="zbpf">zbpf</h3>
<ul>
<li><a href="https://github.com/tw4452852/zbpf">zbpf</a> - A pure Zig
framework for writing cross platform eBPF programs, powered by libbpf
and Zig toolchain.</li>
</ul>
<h3 id="eunomia-bpf">eunomia-bpf</h3>
<ul>
<li><a href="https://github.com/eunomia-bpf/eunomia-bpf">eunomia-bpf</a>
- A compilation framework and runtime library to build, distribute,
dynamically load, and run CO-RE eBPF applications in multiple languages
and WebAssembly. It supports writing eBPF kernel code only (to build
simple CO-RE libbpf eBPF applications), writing the kernel part in both
BCC and libbpf styles, and writing userspace in multiple languages in a
WASM module and distributing it with simple JSON data or WASM OCI
images. The runtime is based on libbpf only and provides CO-RE to
BCC-style eBPF programs without depending on the LLVM library.</li>
</ul>
<h3 id="oxidebpf">oxidebpf</h3>
<ul>
<li><a href="https://github.com/redcanaryco/oxidebpf">oxidebpf</a> - A
pure Rust library for managing eBPF programs, designed for security use
cases. The featureset is more limited than other libraries but
emphasizes stability across a wide range of kernels and
backwards-compatible compile-once-run-most-places.</li>
</ul>
<h3 id="bpftool-and-other-tools-from-the-kernel-tree">bpftool and Other
Tools from the Kernel Tree</h3>
<ul>
<li><p><a
href="https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/tree/tools/bpf/bpftool">bpftool</a>
- Also some other tools in the kernel tree, under <a
href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/tools/net?h=v4.14">linux/tools/net/</a>
for versions earlier than 4.15, or <a
href="https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/tree/tools/bpf">linux/tools/bpf/</a>
after that:</p>
<ul>
<li><a
href="https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/tree/tools/bpf/bpftool"><code>bpftool</code></a>
- A generic utility that can be used to interact with eBPF programs and
maps from userspace, for example to show, dump, load, disassemble, pin
programs, or to show, create, pin, update, delete maps, or to attach and
detach programs to cgroups.</li>
<li><a
href="https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/tree/tools/bpf/bpf_asm.c"><code>bpf_asm</code></a>
- A minimal cBPF assembler.</li>
<li><a
href="https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/tree/tools/bpf/bpf_dbg.c"><code>bpf_dbg</code></a>
- A small debugger for cBPF programs.</li>
<li><a
href="https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/tree/tools/bpf/bpf_jit_disasm.c"><code>bpf_jit_disasm</code></a>
- A disassembler for both BPF flavors; it can be highly useful for JIT
debugging.</li>
</ul></li>
</ul>
<h3 id="user-space-ebpf">User Space eBPF</h3>
<ul>
<li><a href="https://github.com/iovisor/ubpf/">uBPF</a> - Written in C.
Contains an interpreter, a JIT compiler for x86_64 architecture, an
assembler and a disassembler.</li>
<li><a href="https://github.com/YutaroHayakawa/generic-ebpf">A generic
implementation</a> - With support for FreeBSD kernel, FreeBSD user
space, Linux kernel, Linux user space and macOS user space. Used for the
<a href="https://www.unix.com/man-page/freebsd/4/vale/">VALE software
switch</a>'s <a href="https://github.com/YutaroHayakawa/vale-bpf">BPF
extension module</a>.</li>
<li><a href="https://github.com/qmonnet/rbpf">rbpf</a> - Written in
Rust. Interpreter for Linux, macOS and Windows, and JIT-compiler for
x86_64 under Linux.</li>
<li><a href="https://github.com/vbpf/ebpf-verifier">PREVAIL</a> - A user
space verifier for eBPF <a
href="https://elazarg.github.io/pldi19main-final.pdf">using an abstract
interpretation layer</a>, with support for loops.</li>
<li><a href="https://github.com/grantseltzer/oster">oster</a> - Written
in Go. A tool for tracing execution of Go programs by attaching eBPF to
uprobes.</li>
<li><a href="https://rubrikinc.github.io/wachy/">wachy</a> - A tracing
profiler that aims to make eBPF uprobe-based debugging easier to use.
This is done by displaying traces in a UI next to the source code and
allowing interactive drilldown analysis.</li>
</ul>
<h3 id="ebpf-on-other-platforms">eBPF on Other Platforms</h3>
<ul>
<li><a href="https://github.com/microsoft/ebpf-for-windows">eBPF for
Windows</a> - A work-in-progress project that allows existing eBPF
toolchains and APIs familiar from the Linux ecosystem to be used on top
of Windows.</li>
</ul>
<h3 id="testing-in-virtual-environments">Testing in Virtual
Environments</h3>
<ul>
<li><a href="https://github.com/iovisor/xdp-vagrant">A Vagrant setup</a>
- To easily test XDP. Less useful now that generic XDP
(driver-independent, mostly for testing) exists.</li>
<li><a href="https://github.com/zlim/bcc-docker">bcc in a Docker
container</a></li>
</ul>
<h2 id="projects-related-to-ebpf">Projects Related to eBPF</h2>
<h3 id="networking">Networking</h3>
<ul>
<li><p>P4 has some interactions with eBPF:</p>
<ul>
<li><a
href="https://schd.ws/hosted_files/2016p4workshop/1d/Intel%20Fastabend-P4%20on%20the%20Edge.pdf">P4
on the Edge</a> - P4 with eBPF to create high-performance programmable
switches.</li>
<li><a href="https://ovsorbit.org/#e11">OvS Orbit episode (#11), called
P4 on the Edge</a> - Related to the former item. Audio interview of John
Fastabend by Ben Pfaff, one of the core maintainers of Open
vSwitch.</li>
<li><a
href="https://open-nfp.org/m/documents/Open_NFP_P4_EBPF_Linux_TC_Offload_FINAL_5JHLETS.pdf">P4,
EBPF and Linux TC Offload</a> - P4 with some elements related to eBPF
hardware offload on Netronome's NFP (Network Flow Processor)
architecture.</li>
<li><a
href="https://github.com/iovisor/bcc/tree/master/src/cc/frontends/p4">Old
documentation for P4 usage with eBPF</a> - From bcc repository;
deprecated by the P4_16 backend linked below.</li>
<li><a
href="https://github.com/p4lang/p4c/blob/master/backends/ebpf/README.md">P4_16
backend for eBPF</a></li>
</ul></li>
<li><p><a href="https://cilium.io/">Cilium</a> project (<a
href="https://github.com/cilium/cilium">GitHub repository</a>) is a
technology relying on BPF and XDP to provide “fast in-kernel networking
and security policy enforcement for containers based on eBPF programs
generated on the fly”. Many presentations available (with overlap):</p>
<ul>
<li><a
href="http://www.slideshare.net/ThomasGraf5/clium-container-networking-with-bpf-xdp">Cilium:
Networking &amp; Security for Containers with BPF &amp; XDP</a> - Also
featuring a load balancer use case</li>
<li><a
href="http://www.slideshare.net/Docker/cilium-bpf-xdp-for-containers-66969823">Cilium:
Networking &amp; Security for Containers with BPF &amp; XDP</a> - <a
href="https://www.youtube.com/watch?v=TnJF7ht3ZYc&amp;list=PLkA60AVN3hh8oPas3cq2VA9xB7WazcIgs">video</a></li>
<li><a
href="http://www.slideshare.net/ThomasGraf5/cilium-fast-ipv6-container-networking-with-bpf-and-xdp">Cilium:
Fast IPv6 container Networking with BPF and XDP</a></li>
<li><a href="https://fosdem.org/2017/schedule/event/cilium/">Cilium: BPF
&amp; XDP for containers</a></li>
<li><a href="https://ovsorbit.benpfaff.org/">OvS Orbit episode (#4)</a>
- Interview of Thomas Graf by Ben Pfaff.</li>
<li><a
href="https://opensource.googleblog.com/2016/11/cilium-networking-and-security.html">A
generic introduction to Cilium</a></li>
<li><a
href="http://blog.ipspace.net/2016/10/fast-linux-packet-forwarding-with.html">A
podcast interviewing Thomas Graf</a> - Ivan Pepelnjak interviewing
Thomas, October 2016, on eBPF, P4, XDP and Cilium.</li>
</ul></li>
<li><p>Open vSwitch (OvS), and its related project Open Virtual Network
(OVN, an open source network virtualization solution) are considering
using eBPF at various levels:</p>
<ul>
<li><a
href="http://openvswitch.org/support/ovscon2016/7/1120-tu.pdf">Offloading
OVS Flow Processing using eBPF</a></li>
<li><a
href="http://openvswitch.org/support/ovscon2016/7/1245-bertrone.pdf">Coupling
the Flexibility of OVN with the Efficiency of IOVisor</a></li>
</ul></li>
<li><p><a
href="https://code.fb.com/open-source/open-sourcing-katran-a-scalable-network-load-balancer/">Katran</a>
- A layer 4 load-balancer based on XDP, open-sourced by
Facebook.</p></li>
<li><p><a href="http://netdevconf.org/2.1/session.html?bertin">XDP in
practice: integrating XDP in our DDoS mitigation pipeline</a> -
Protection against DDoS with XDP at Cloudflare.</p></li>
<li><p><a href="http://netdevconf.org/2.1/session.html?zhou">Droplet:
DDoS countermeasures powered by BPF + XDP</a> - Protection against DDoS
with XDP at Facebook.</p></li>
<li><p><a
href="https://dpdkuserspace2018.sched.com/event/G45Z/dpdk-pmd-for-afxdp">DPDK
has a poll-mode driver (PMD) based on AF_XDP</a></p></li>
<li><p><a
href="http://www.slideshare.net/IOVisor/ceth-for-xdp-linux-meetup-santa-clara-july-2016">CETH
for XDP</a> - Common Ethernet Driver Framework for faster network I/O, a
technology initiated by Mellanox.</p></li>
<li><p>Suricata, an open source intrusion detection system, <a
href="https://www.stamus-networks.com/2016/09/28/suricata-bypass-feature/">relies
on eBPF components</a> for its “capture bypass” features:</p>
<ul>
<li><a
href="http://suricata.readthedocs.io/en/latest/capture-hardware/ebpf-xdp.html?highlight=XDP#ebpf-and-xdp">“eBPF
and XDP” section of Suricata documentation</a></li>
<li><a href="https://github.com/pevma/SEPTun-Mark-II">SEPTun-Mark-II</a>
- Extreme Performance Tuning guide - Mark II.</li>
<li><a
href="https://www.stamus-networks.com/2016/09/28/suricata-bypass-feature/">A
blog post introducing the feature</a></li>
<li><a
href="http://netdevconf.org/1.2/slides/oct6/10_suricata_ebpf.pdf">The
adventures of a Suricate in eBPF land</a></li>
<li><a
href="https://www.slideshare.net/ennael/kernel-recipes-2017-ebpf-and-xdp-eric-leblond">eBPF
and XDP seen from the eyes of a meerkat</a></li>
</ul></li>
<li><p><a
href="https://projectcalico.docs.tigera.io/about/about-calico">Project
Calico</a> - Calico is an open source networking and network security
solution for containers, virtual machines, and native host-based
workloads. Calico's eBPF data plane delivers a low latency, high
throughput data plane with a rich network security policy model.</p>
<ul>
<li><a
href="https://projectcalico.docs.tigera.io/maintenance/ebpf/enabling-bpf">Enabling
eBPF data plane with Calico</a></li>
</ul></li>
<li><p><a href="https://github.com/merbridge/merbridge/">merbridge</a> -
Use eBPF to speed up your Service Mesh. Merbridge replaces iptables
rules with eBPF to intercept traffic. It also combines msg_redirect to
reduce latency with a shortened datapath between sidecars and
services.</p></li>
<li><p><a href="https://pcapplusplus.github.io/">PcapPlusPlus</a> - An
open-source C++ library for capturing, parsing and crafting network
packets. It features a C++ interface for creating AF_XDP sockets, making
it easy to <a
href="https://pcapplusplus.github.io/docs/next/features#af_xdp-support-beta">send
and receive packets through them</a>.</p></li>
<li><p><a href="https://github.com/liudf0716/apfree-wifidog">ApFree
WiFiDog</a> - A high performance and lightweight captive portal solution
for wireless networks. It leverages eBPF for traffic control and deep
packet inspection capabilities, with plans to gradually replace nftables
firewall functionality with eBPF-based solutions.</p></li>
</ul>
<h3 id="observability">Observability</h3>
<ul>
<li><a
href="https://github.com/iovisor/bpf-docs/blob/master/university/sigcomm-ccr-InKev-2016.pdf">InKeV:
In-Kernel Distributed Network Virtualization for DCN</a></li>
<li><a
href="https://www.slideshare.net/necstlab/deepmon-dynamic-and-energy-efficient-power-monitoring-for-containerbased-infrastructures">DEEP-mon</a>
- Helps with measuring power consumption for servers and uses eBPF
programs for in-kernel aggregation of data.</li>
<li><a href="https://github.com/pixie-io/pixie">pixie</a> -
Observability for Kubernetes using eBPF. Features include protocol
tracing, application profiling, and support for distributed bpftrace
deployments.</li>
<li><a href="https://github.com/apache/skywalking-rover">SkyWalking
Rover</a> - <a href="https://skywalking.apache.org/">Apache
SkyWalking</a> is an open-source Application Performance Monitoring
(APM) platform specially designed for distributed systems with
microservices, cloud-native and container-based (Kubernetes)
architectures. SkyWalking Rover is an eBPF-based profiler and metrics
collector for C, C++, Golang, and Rust applications.</li>
<li><a href="https://github.com/parca-dev/parca-agent">parca-agent</a> -
eBPF based always-on continuous profiler for analysis of CPU and memory
usage, down to the line number and throughout time.</li>
<li><a href="https://github.com/javierhonduco/rbperf">rbperf</a> -
Sampling profiler and tracer for Ruby.</li>
<li><a href="https://github.com/cilium/hubble">Hubble</a> - Network,
service and security observability for Kubernetes using eBPF.</li>
<li><a href="https://github.com/groundcover-com/caretta">Caretta</a> -
Instant Kubernetes service dependency map generated by eBPF, right to a
Grafana instance.</li>
<li><a href="https://github.com/deepflowio/deepflow">DeepFlow</a> -
Instant observability for cloud-native and AI applications based on
eBPF.</li>
<li><a href="https://github.com/coroot/coroot">Coroot</a> - Coroot is an
open-source APM &amp; Observability tool, a DataDog and NewRelic
alternative.</li>
</ul>
<h3 id="security">Security</h3>
<ul>
<li><a href="https://falco.org/">Falco</a> - A cloud-native runtime
security project used as a Kubernetes threat detection engine.</li>
<li><a href="https://github.com/Sysinternals/SysmonForLinux">Sysmon for
Linux</a> - A security monitoring tool. It depends on <a
href="https://github.com/Sysinternals/SysinternalsEBPF">SysinternalsEBPF</a>.</li>
<li><a href="https://redcanary.com/blog/ebpf-for-security">Red Canary
Linux Agent</a> - Red Canary has started to incorporate eBPF to their
Linux security sensor.</li>
<li><a href="https://github.com/aquasecurity/tracee">Tracee</a> - A
runtime security and forensics tool for Linux which uses eBPF technology
to trace the system and applications at runtime, and analyze collected
events to detect suspicious behavioral patterns.</li>
<li><a
href="https://github.com/redcanaryco/redcanary-ebpf-sensor">redcanary-ebpf-sensor</a>
- A set of BPF programs that gather security relevant event data from
the Linux kernel. The BPF programs are combined into a single ELF file
from which individual probes can be selectively loaded, depending on the
running operating system and kernel version.</li>
<li><a href="https://github.com/linux-lock/bpflock">bpflock - Lock Linux
machines</a> - An eBPF driven security tool for locking and auditing
Linux machines.</li>
<li><a href="https://github.com/cilium/tetragon">Tetragon</a> -
Kubernetes-aware, eBPF-based security observability and runtime
enforcement.</li>
<li><a href="https://github.com/alegrey91/harpoon">harpoon</a> - Trace
syscalls from user-space functions, by using eBPF.</li>
</ul>
<h3 id="tools">Tools</h3>
<ul>
<li><a href="https://wkz.github.io/ply/">ply</a> - A small but flexible
open source dynamic tracer for Linux, with features similar to the bcc
tools, but with a simpler language inspired by awk and DTrace.</li>
<li><a href="https://bpftrace.org/">bpftrace</a> - A tool for tracing
with its own high-level tracing language. It is flexible enough to be
envisioned as a Linux replacement for DTrace and SystemTap.
<ul>
<li><a
href="https://www.brendangregg.com/BPF/bpftrace-cheat-sheet.html">bpftrace
Cheat Sheet</a> - Summary and cheat sheet for programming in bpftrace.
Contains information about syntax, probe types, variables and
functions.</li>
</ul></li>
<li><a href="https://github.com/iovisor/kubectl-trace">kubectl trace</a>
- A kubectl plug-in for executing bpftrace programs in a Kubernetes
cluster.</li>
<li><a href="https://inspektor-gadget.io">inspektor-gadget</a> - A
collection of tools and a framework for data collection and system
inspection on Kubernetes clusters and Linux hosts using eBPF.</li>
<li><a href="https://github.com/genuinetools/bpfd">bpfd</a> - Framework
for running BPF programs with rules on Linux as a daemon. Container
aware.</li>
<li><a href="https://github.com/joelagnel/bpfd">BPFd</a> - A distinct
BPF daemon, trying to leverage the flexibility of the bcc tools to trace
and debug remote targets, and in particular devices running with
Android.</li>
<li><a href="https://github.com/joelagnel/adeb">adeb</a> - A Linux shell
environment for using tracing tools on Android with BPFd.</li>
<li><a href="https://github.com/olcf/greggd">greggd</a> - System daemon
to compile and load eBPF programs into the kernel, and forward program
output to socket for metric aggregation.</li>
<li><a
href="https://events.linuxfoundation.org/wp-content/uploads/2017/11/When-eBPF-Meets-FUSE-Improving-Performance-of-User-File-Systems-Ashish-Bijlani-Georgia-Tech.pdf">FUSE</a>
- Considers using eBPF.</li>
<li><a href="https://github.com/navarrothiago/upf-bpf">upf-bpf</a> - An
in-kernel solution based on XDP for 5G UPF.</li>
<li><a href="https://github.com/foniod/redbpf">redbpf</a> - Tooling and
framework to write eBPF code in Rust efficiently.</li>
<li><a href="https://github.com/ebpfdev/explorer">ebpf-explorer</a> - A
web interface to explore a system's eBPF maps and programs.</li>
<li><a href="https://github.com/redcanaryco/ebpfmon">ebpfmon</a> - A TUI
(terminal user interface) application for real time monitoring of eBPF
programs.</li>
<li><a href="https://github.com/bpfman/bpfman">bpfman</a> - An eBPF
Manager for Linux and Kubernetes. Includes a built-in program loader
that supports program cooperation for XDP and TC programs, as well as
deployment of eBPF programs from OCI images.</li>
<li><a href="https://github.com/mozillazg/ptcpdump">ptcpdump</a> - A
process-aware, eBPF-based tcpdump-like tool.</li>
</ul>
<h1 id="ebpf-in-security">eBPF in Security</h1>
<ul>
<li><a href="https://embracethered.com/blog/tags/ebpf">Embrace The Red:
Offensive BPF!</a> - A series of posts introducing BPF with a focus on
an offensive setting, and on how its misuse can be detected. Posts
include discussions on the rootkit capabilities of eBPF, or on which
tracing type is needed for different use cases.</li>
<li><a
href="https://djalal.opendz.org/post/ebpf-block-linux-fileless-payload-execution-with-bpf-lsm/">eBPF:
Block Linux Fileless Payload “Malware” Execution with BPF LSM</a> - Blog
post about how BPF can help detect and block fileless malware.</li>
<li><a
href="https://www.blackhat.com/us-21/briefings/schedule/#with-friends-like-ebpf-who-needs-enemies-23619">Blackhat
2021: With Friends Like eBPF, Who Needs Enemies?</a> - Talk about an
eBPF rootkit and how the capabilities of eBPF could be abused. The
rootkit was also the object of a talk at Defcon, <a
href="https://defcon.org/html/defcon-29/dc-29-speakers.html#fournier">eBPF,
I thought we were friends !</a>.</li>
<li><a href="https://github.com/Gui774ume/ebpfkit">ebpfkit</a> - A
rootkit that leverages multiple eBPF features to implement offensive
security techniques.</li>
<li><a
href="https://github.com/Gui774ume/ebpfkit-monitor">ebpfkit-monitor</a>
- A utility to statically analyze eBPF bytecode or monitor suspicious
eBPF activity at runtime. It was specifically designed to detect
ebpfkit.</li>
<li><a href="https://github.com/pathtofile/bad-bpf">Bad BPF</a> - A
collection of malicious eBPF programs that make use of eBPF's ability to
read and write user data in between the usermode program and the
kernel.</li>
<li><a href="https://github.com/h3xduck/TripleCross">TripleCross</a> - A
Linux eBPF rootkit with a backdoor, C2, library injection, execution
hijacking, persistence and stealth capabilities.</li>
</ul>
<h2 id="the-code">The Code</h2>
<ul>
<li><p><a
href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/include/linux/bpf.h">linux/include/linux/bpf.h</a>
- with <a
href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/bpf.h">linux/include/uapi/linux/bpf.h</a>:
definitions related to eBPF, to be used respectively in the kernel and
to interface with userspace programs.</p></li>
<li><p><a
href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/include/linux/filter.h">linux/include/linux/filter.h</a>
- with <a
href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/filter.h">linux/include/uapi/linux/filter.h</a>:
information used to run the BPF programs themselves.</p></li>
<li><p><a
href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/bpf">linux/kernel/bpf/</a>
- This directory contains most of the BPF-related code. In particular,
the following files are of interest:</p>
<ul>
<li><a
href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/bpf/syscall.c"><code>syscall.c</code></a>
- Different operations permitted by the system call, such as program
loading or map management.</li>
<li><a
href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/bpf/core.c"><code>core.c</code></a>
- BPF interpreter.</li>
<li><a
href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/bpf/verifier.c"><code>verifier.c</code></a>
- BPF verifier.</li>
</ul></li>
<li><p><a
href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/net/core/filter.c">linux/net/core/filter.c</a>
- Functions and eBPF helpers related to networking (TC, XDP etc.); also
contains the code to migrate cBPF bytecode to eBPF (all cBPF programs
are translated to eBPF in recent kernels).</p></li>
<li><p><a
href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/trace/bpf_trace.c">linux/kernel/trace/bpf_trace.c</a>
- Functions and eBPF helpers related to tracing and monitoring (kprobes,
tracepoints, etc.).</p></li>
<li><p>The JIT compilers are under the directory of their respective
architectures, such as file <a
href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/arch/x86/net/bpf_jit_comp.c">linux/arch/x86/net/bpf_jit_comp.c</a>
for x86. Exception is made for JIT compilers used for hardware offload,
sitting in their drivers, such as <a
href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/drivers/net/ethernet/netronome/nfp/bpf/jit.c">linux/drivers/net/ethernet/netronome/nfp/bpf/jit.c</a>
for Netronome NFP.</p></li>
<li><p><a
href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/net/sched">linux/net/sched/</a>
- and in particular in files <code>act_bpf.c</code> (action) and
<code>cls_bpf.c</code> (filter): code related to BPF actions and filters
with TC.</p></li>
<li><p><a
href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/seccomp.c">linux/kernel/seccomp.c</a></p></li>
<li><p><a
href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/net/core/dev.c">linux/net/core/dev.c</a>
- contains the function <code>dev_change_xdp_fd()</code> that is called
through a Netlink command to hook an XDP program to a device, after it
has been loaded into the kernel from user space. This function in turn
uses a callback from the relevant driver.</p></li>
</ul>
<h2 id="development-and-community">Development and Community</h2>
<ul>
<li><a
href="https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/">The
bpf-next tree</a> - BPF patches land in this tree. It is regularly
merged into <a
href="https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git">net-next</a>,
which is itself merged for each release into Linus' tree.</li>
<li><a
href="https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/tree/Documentation/bpf/bpf_devel_QA.rst">Kernel
documentation</a> - About contributions to BPF.</li>
<li><a href="http://lists.openwall.net/netdev/">The netdev mailing
list</a> - Mailing list for Linux kernel networking stack development.
All patches are sent there for review and inclusion.</li>
<li><a
href="http://vger.kernel.org/vger-lists.html#xdp-newbies">XDP-newbies</a>
- A mailing list specially dedicated to XDP programming (both for
architecture or for asking for help).</li>
<li><a href="http://lists.iovisor.org/pipermail/iovisor-dev/">IO Visor
mailing list</a> - BPF is at the heart of the project, and is regularly
discussed on the mailing list.</li>
<li><a href="https://twitter.com/IOVisor">@IOVisor Twitter
account</a></li>
<li><a href="https://github.com/xdp-project/xdp-project">The XDP
Collaboration Project</a> - A GitHub repository with notes and ideas
regarding the future evolutions of XDP.</li>
</ul>
<h2 id="other-lists-of-resources-on-ebpf">Other Lists of Resources on
eBPF</h2>
<ul>
<li><a href="https://github.com/iovisor/bcc/tree/master/docs">IO Visor's
bcc documentation</a></li>
<li><a href="https://github.com/iovisor/bpf-docs/">IO Visor's bpf-docs
repository</a></li>
<li><a
href="https://qmonnet.github.io/whirl-offload/2016/09/01/dive-into-bpf/">Dive
into BPF: A List of Reading Material</a></li>
</ul>
<h2 id="acknowledgement">Acknowledgement</h2>
<p>Thank you to Quentin Monnet and Daniel Borkmann for their original
work on <a
href="https://qmonnet.github.io/whirl-offload/2016/09/01/dive-into-bpf/">Dive
into BPF: A List of Reading Material</a> which became the basis for this
list.</p>
<h2 id="contributing">Contributing</h2>
<p>Contributions welcome! Read the <a
href="contributing.md">contribution guidelines</a> first.</p>
<h2 id="license">License</h2>
<p><a href="http://creativecommons.org/publicdomain/zero/1.0"><img
src="http://mirrors.creativecommons.org/presskit/buttons/88x31/svg/cc-zero.svg"
alt="CC0" /></a></p>
<p>To the extent possible under law, zoidbergwill has waived all
copyright and related or neighboring rights to this work.</p>
<p><a href="https://github.com/zoidbergwill/awesome-ebpf">ebpf.md
Github</a></p>