ArthurChiao's Blog

Awesome BPF Resources

Published at 2019-05-06 | Last Update 2022-11-12

Awesome BPF resources that I’ve ever read (and would like to read many times).

1 Introduction & Overview

  1. Matt Fleming, A thorough introduction to eBPF,, 2017

    This article explains how eBPF evolved how it works, and how it is used in the kernel.

  2. Cilium Blog, Why is the kernel community replacing iptables with BPF? — Cilium,, 2018

2 Design & Implementation Details

  1. Jonathan Corbet, A JIT for packet filters,, 2011

    A retrospection to classic BPF (since 1990s) in Linux kernel, and the first eBPF patch for modern kernels.

    Classic BPF is implemented in net/core/filter.c in Linux kernel tree, only thousands lines of code.

  2. Jonathan Corbet, BPF tracing filters,, 2013

    BPF progress for packet filtering. Another interesting topic in this article is the licensing scope of future BPF code.

  3. Jonathan Corbet, BPF: the universal in-kernel virtual machine,, 2014

    Road from a JIT compiler to the universal in-kernel virtual machine.

  4. PLUMgrid, BPF – in-kernel virtual machine, LinuxCon, 2015

    Lots of design and implementation details, and byte code examples.

  5. Linux Programmer’s Manual, bpf(2) system call,, 2019+

    Introduction to eBPF design/architecture and data structures, official definition of BPF terminologies, e.g. BPF maps. Also including code and examples.

  6. Linux source tree, BPF Source Code, 2019+

3 Tools

  1. Matt Fleming, An introduction to the BPF Compiler Collection,, 2017

    One of eBPF’s biggest challenges for newcomers is that writing programs requires compiling and linking to the eBPF library from the kernel source. Kernel developers might always have a copy of the kernel source within reach, but that’s not so for engineers working on production or customer machines. Addressing this limitation is one of the reasons that the BPF Compiler Collection was created.

4 Use Cases

Tracking & Monitoring

eBPF programs can access kernel data structures, developers can write and test new debugging code without recompiling the kernel.

Container Network Security (Cilium)

  1. Thomas Graf, How to Make Linux Microservice-Aware with Cilium and eBPF, InfoQ, 2019

    Chinese translated:如何基于 Cilium 和 eBPF 打造可感知微服务的 Linux

Fast Datapath (XDP)

  1. Facebook, Open-sourcing Katran, a scalable network load balancer,, 2019+

    Facebook’s L4 LB, based on XDP and eBPF. Some talks mentioned that this is 10x faster than their first generation LVS-based L4 LB.

Security Computation (seccomp)

5 Similar Reading Lists

  1. Dive into BPF: a list of reading material

    It was later after I started this list that I found this similar purpose post. It’s great, however, I think it’s more than extensive for me, e.g. including resouces of many unstable, experimenting, or even toy projects. Pick up your own pieces from it.

6 BPF resources in this site