- linux
- l3
- deep-dive
- ebpf
- linux-networking --- Portal | Level: L3: Advanced | Topics: eBPF, Linux Networking Tools | Domain: Linux
eBPF Explained¶
Scope¶
This document explains eBPF as a Linux capability you can actually reason about, instead of mystical conference smoke.
It covers:
- what eBPF is
- why it exists
- verifier model
- program types and attach points
- maps
- tracing, networking, and security uses
- operational risks and limits
Reference anchors: - https://docs.kernel.org/bpf/ - https://docs.kernel.org/bpf/verifier.html - https://docs.kernel.org/userspace-api/ebpf/index.html - https://docs.kernel.org/userspace-api/ebpf/syscall.html
Big Picture¶
eBPF is a sandboxed in-kernel execution mechanism.
That means you can run constrained programs inside the kernel without writing and loading a traditional kernel module for many use cases.
That is why it is such a big deal.
It enables: - tracing - observability - packet processing - policy enforcement - security hooks - performance analysis
without always recompiling or patching the kernel.
What eBPF Is Not¶
It is not: - arbitrary native code execution in kernel space - a free-for-all scripting engine - a replacement for every module/driver - magic with no safety checks
The verifier exists precisely because unrestricted kernel execution would be insane.
Core Model¶
You typically have:
- eBPF program
- verifier checks safety
- program loaded into kernel
- attached to an event/hook
- maps used for state exchange
- userspace tool reads/writes maps or loads programs
This gives a split model: - kernel executes the fast/safe hook logic - userspace orchestrates and interprets results
Why eBPF Exists¶
Traditional kernel instrumentation/control options had problems: - patch kernel code - load full kernel modules - static tracing only - weaker flexibility
eBPF gives a safer and more dynamic extension point.
In plain English: it lets Linux grow runtime instrumentation and policy muscles without handing everybody a chainsaw.
Verifier¶
The verifier is central.
It checks things like: - control-flow sanity - bounded behavior - safe memory access - type/state tracking - helper call validity - register and stack correctness
If the verifier cannot prove the program is safe enough, it rejects it.
This is why eBPF programming often feels like negotiating with a paranoid compiler that distrusts your ancestry.
Maps¶
Maps are kernel objects used to store/share state.
Examples conceptually: - hash maps - arrays - per-CPU maps - ring buffers - LPM tries - program arrays for tail calls
Maps let programs: - count events - share state with userspace - maintain policy tables - publish telemetry efficiently
Without maps, eBPF would be much less useful.
Common Program Families¶
Tracing / observability¶
Attach to: - kprobes - uprobes - tracepoints - perf events
Use cases: - syscall tracing - latency measurement - profiling - scheduler insight - filesystem/network introspection
Networking¶
Attach to: - XDP - tc hooks - socket filters - cgroup networking hooks
Use cases: - packet filtering - load balancing - drops/redirects - traffic accounting
Security¶
Attach to: - LSM hooks - cgroup controls - policy events
Use cases: - audit - enforcement - visibility into suspicious behavior
XDP Intuition¶
XDP is very early packet processing, near the driver receive path. It is used for very fast packet decision-making: - drop - pass - redirect - transmit
This is why people use eBPF for high-performance network filtering and load-balancing work.
Tracing Intuition¶
eBPF tracing is one of the highest-value practical uses.
You can ask: - which syscalls are hot? - where is latency introduced? - which process is causing IO storms? - which kernel path is slow? - what is the distribution, not just the average?
That is gold for production debugging.
Relationship to Containers and Modern Ops¶
eBPF is heavily used in modern cloud-native stacks for: - networking - observability - security policy - service mesh-adjacent capabilities - low-overhead tracing
This is why it keeps showing up around Kubernetes, Cilium, performance tooling, and security products.
Limits and Risks¶
Verifier complexity¶
Useful programs may still be painful to get accepted.
Kernel-version nuances¶
Capabilities and helper availability vary.
Operational misuse¶
Just because you can attach deep hooks does not mean you should spray them everywhere.
Performance overhead¶
Usually good when done right, but not free.
Security model¶
Loading eBPF is privileged/sensitive for a reason.
Useful Userland Tools / Concepts¶
bpftool- BCC/BPFtrace style tooling
- perf integration
- tracing toolkits built on eBPF
- Cilium ecosystem concepts
Interview-Level Things to Explain¶
You should be able to explain:
- what eBPF is
- why verifier exists
- what maps are for
- tracing vs networking use cases
- why eBPF is safer than random kernel hacks, but not "safe by default forever"
- why cloud-native systems care about it
Fast Mental Model¶
eBPF is a verified, sandboxed mechanism for running specialized programs inside the Linux kernel at well-defined hook points, with maps providing shared state and userspace orchestration.
Wiki Navigation¶
Prerequisites¶
- Linux Ops (Topic Pack, L0)
Related Content¶
- Case Study: API Latency Spike — BGP Route Leak, Fix Is Network ACL (Case Study, L2) — Linux Networking Tools
- Case Study: ARP Flux Duplicate IP (Case Study, L2) — Linux Networking Tools
- Case Study: DHCP Relay Broken (Case Study, L1) — Linux Networking Tools
- Case Study: Duplex Mismatch Symptoms (Case Study, L1) — Linux Networking Tools
- Case Study: IPTables Blocking Unexpected (Case Study, L2) — Linux Networking Tools
- Case Study: Jumbo Frames Partial (Case Study, L2) — Linux Networking Tools
- Case Study: Service Mesh 503s — Envoy Misconfigured, RBAC Policy (Case Study, L2) — Linux Networking Tools
- Case Study: Source Routing Policy Miss (Case Study, L2) — Linux Networking Tools
- Case Study: Stuck NFS Mount (Case Study, L2) — Linux Networking Tools
- Cilium & eBPF Networking (Topic Pack, L2) — eBPF