Have you ever wondered how we can look inside a computer to understand what it’s doing? There’s a special tool called Extended Berkeley Packet Filter (eBPF), which helps us do just that. It’s like having a magnifying glass that lets us see the minute details of a computer’s work.
EBPF is particularly powerful because it runs inside the Linux Kernel, the core part of the operating system. The Linux Kernel manages everything from hardware interactions to system processes. Generally, inspecting or modifying the Kernel deals with complex and risky code changes. But with eBPF, developers and system administrators can safely and efficiently run custom programs within the Linux Kernel without altering its source code, greatly enhancing Linux Kernel Observability.
Without further ado, we shall explore what is eBPF, its functioning, use cases, and generation of XDP program using this modern technique.
Think of your computer as a bustling, busy city. To keep the city running smoothly, city officials need to know what’s happening on the streets, at the busy junctions, in the park, buildings and so forth. Similarly, to keep a computer running well, experts need to see what’s happening inside it. eBPF is very useful for tasks like managing networks, keeping the computer safe, and ensuring it works efficiently.
This special tool allows us to run small programs directly within the Linux Kernel, the core part of the computer’s operating system. These programs can be triggered by various events, such as data packets arriving or specific system calls being made. The traditional methods require changing the Kernel’s code and risk system stability. eBPF, however, enables a much safer approach to extending kernel functionality, improving Linux Kernel Observability and offering advanced packet monitoring techniques.
Here’s a breakdown of the key components of how the Extended Berkeley Packet Filter works:
1. eBPF programs
These are small sets of instructions that tell the computer to do specific tasks. They can be written in simple programming languages and are designed to run safely inside the computer’s control center. For example, an Extended Berkeley Packet Filter program might be set up to watch every time a file is opened or saved, helping us understand how the computer’s storage is being used.
2. Loading Extended Berkeley Packet Filter programs into the kernel
Once we’ve written an eBPF program, we need to introduce it to the computer’s control center. This is done using special tools that load the program into the kernel. Before the program starts working, the eBPF verifier reviews it to ensure it won’t cause any problems, like getting stuck in a never-ending loop or using too much memory. If the program passes this check, the kernel gets the green light to read and execute it in response to events that happen in the kernel.
3. Maps for storing data
Sometimes, the programs need to remember information or share it with other parts of the computer. For this purpose, they use maps to store this data. Maps act as notebooks where the eBPF program can take note of important details. For instance, the program monitoring network traffic might use a map to monitor the data packets sent and received.
It also uses the maps to track and store details about which users are making specific system calls. The eBPF program updates these maps, and user-space applications can later read them for analysis and further processing.
Maps are created using the ‘bpf_cmd’ syscall with the BPF_MAP_CREATE parameter. Like other resources in the Linux environment, they are accessed via a File Descriptor. Likewise, interactions with a map, such as looking up, updating, or deleting entries, are performed through specific syscalls, as demonstrated here.
These maps are critical in enabling eBPF Packet Analysis and facilitating user-space application access.
4. Hooking into Kernel Events
EBPF programs can be set to activate when certain events happen on the computer. These events are like signals that something specific is occurring. For example, there are:
Imagine your computer is like a big machine with many buttons and levers. Tracepoints are special spots on this machine where we can attach eBPF programs to see what’s happening inside without opening it up. Tracepoints are commonly used for performance monitoring and debugging. Furthermore, it allow developers to observe specific kernel activities in real-time, useful for network packet filtering techniques.
This is a high-performance packet processing framework that enables eBPF programs to filter and process network packets as soon as they enter the kernel, reducing latency and improving network performance.
This mechanism allows eBPF programs to be attached to control and manage network traffic. With TC, eBPF can filter, manipulate, or even redirect network packets. It acts as a powerful tool for traffic shaping and management.
eBPF can hook into system calls, providing the ability to track and monitor specific interactions between user applications and the kernel. This helps in analyzing application behaviour and system-level activity.
5. Helper Functions
Extended Berkeley Packet Filter programs have access to special helper functions that extend their capabilities. These are special functions that add significant functionality to programs. These helpers are essential for extending the program’s capabilities. Additionally, it enables a wide range of tasks. These functions can perform tasks like:
Helper functions enable Extended Berkeley Packet Filter programs to interact with maps, which are data structures that store and retrieve key-value pairs. It allows for efficient data sharing between the program and other parts of the system.
Extended Berkeley Packet Filter programs can generate pseudo-random numbers using helper functions. These random numbers are useful for operations requiring randomness, for example load balancing or security mechanisms.
Helper functions allow the programs to process network data by examining, modifying, or redirecting packets when they pass through the system. This feature is crucial for implementing network monitoring, traffic filtering, and performance optimization.
Extended Berkeley Packet Filter programs can use helper functions to perform tail calls, effectively allowing one program to jump to another. It enables modular program design and efficient execution of complex tasks.
Helper functions help the programs in managing data flow through sockets. For example, facilitating tasks like binding, retrieving cookies, and redirecting packets. This enables the programs to influence network communication directly.
These helper functions are defined by the kernel, meaning eBPF programs can only use a predefined list of calls, often referred to as a “whitelist.” While the number of helper functions is initially limited, it has been continuously expanding, making eBPF an increasingly powerful tool.
Extended Berkeley Packet Filter is incredibly useful for understanding and monitoring what’s happening inside a computer. eBPF’s capability to interact directly with kernel subsystems without altering the kernel code has made it essential for kernel-level observability. Here are a few applications of the tool:
Network Monitoring
eBPF has transformed network observability by enabling high-speed packet filtering and analysis. For instance, XDP allows eBPF programs to process network packets immediately upon arrival at the network interface card (NIC), significantly lowering latency.
Example Use Case
A company could use this special technology tool to build a custom packet filter that blocks specific types of malicious traffic, like DDoS packets, before they reach the rest of the system. By running this filter in kernel space, the tool eliminates the need to send packets to user space, thus avoiding additional overhead.
Tracing Kernel Events
It involves watching and recording specific activities inside the core part of an operating system (kernel). This helps us understand how the system works and find any problems. eBPF is a tool that allows us to do this safely and efficiently by attaching small programs to these activities without changing the kernel itself. Tools like bpftrace enable users to attach eBPF programs to kernel trace points. Furthermore, it helps improve monitoring system performance, track function calls, and identify system bottlenecks.
Example Use Case
A developer could use the tool to trace file system calls on a server to pinpoint performance bottlenecks. By attaching the program to the kernel’s tracepoints related to file access, the developer can gather data on how frequently files are accessed, which files are accessed the most, and the performance impact of these accesses.
Security Auditing and Hardening
Security auditing deals with checking a computer or network to make sure it’s safe from hackers. eBPF is also a useful tool for system security improvement. Through tracing and filtering system calls, eBPF can assist in identifying abnormal or malicious activity, including attempts at unauthorized access or execution of known attack patterns.
Example Use Case
A security group might employ Extended Berkeley Packet Filter to create a specialty monitoring tool to trace system calls such as execve() (which executes a program) and record any unauthorized commands that may indicate a break-in.
Performance Profiling
Performance profiling is like checking how well a computer program works. With eBPF, developers can profile application performance by tracing kernel functions. Doing this allows us to find parts of the program that are slow or use too much energy. Accordingly, we can fix them to make the program run better.
Example Use Case
By hooking a program eBPF to critical kernel functions, developers can observe the execution duration of many systems calls and kernel functions, giving them useful information on system performance.
Let’s walk through creating a simple Extended Berkeley Packet Filter program that stops certain types of network messages, called ICMP packets, from reaching the computer. This is like setting up a filter to block unwanted letters from being delivered.
Prerequisites
Before starting, ensure you have the required dependencies installed on your Ubuntu system:
sudo apt install clang llvm libelf-dev libbpf-dev libpcap-dev build-essential linux-headers-$(uname -r) linux-tools-common linux-tools-generic tcpdump
These packages provide the necessary tools for compiling and loading Extended Berkeley Packet Filter programs.
Step 1: Write the XDP eBPF Program
Create a file drop_icmp.c with the following content:
include "vmlinux.h"
include
SEC("xdp") // Define the section for XDP programs
int drop_icmp(struct xdp_md *ctx)
{
void *data_end = (void *)(long)ctx->data_end;
void *data = (void *)(long)ctx->data;
// Ensure the packet has at least an Ethernet header
if (data + sizeof(struct ethhdr) > data_end)
return XDP_PASS;
// Process the IP header
struct iphdr *ip = data + sizeof(struct ethhdr);
if (data + sizeof(struct ethhdr) + sizeof(struct iphdr) > data_end)
return XDP_PASS;
// Drop ICMP packets
if (ip->protocol == IPPROTO_ICMP)
return XDP_DROP;
return XDP_PASS;
}
char _license[] SEC("license") = "GPL";
XDP program: This program checks if a packet is an ICMP packet by inspecting the IP header. If the packet is ICMP, the program drops it. Otherwise, it passes the packet through.
Step 2: Generate the vmlinux.h Header
To compile the program, you’ll need the vmlinux.h header, which contains kernel data structures necessary for working with the tool. You can extract it using the bpftool command:
bpftool btf dump file/sys/kernel/btf/vmlinux format c >vmlinux.h
This will create the vmlinux.h file, which you can include during the compilation process.
Step 3: Compile the Extended Berkeley Packet Filter Program
Now, compile your program into an object file (.o) using Clang. This will generate the BPF bytecode that can be loaded into the kernel:
clang -target bpf -O2 -Wall -c drop_icmp.c -o drop_icmp.o
Step 4: Attach the Extended Berkeley Packet Filter Program to a Network Interface
Once the program is compiled, you can load it onto a network interface using the ip command. In this example, we attach the program to the enp0s8 interface in XDP mode:
sudo ip link set dev enp0s8 xdp obj drop_icmp.o sec xdp
Step 5: Detach the Program from the Interface
To remove the XDP program from the network interface, use the following command:
sudo ip link set dev enp0s8 xdp off
This command disables XDP on the enp0s8 interface and detaches the program.
This tutorial demonstrates how to write and deploy an XDP program to filter network traffic using eBPF, specifically dropping ICMP packets.
Extended Berkeley Packet Filter is a revolutionary technology that provides detailed visibility into Linux system behavior with enhanced security and performance. Through its capability of executing secure, high-performance code inside the kernel, organizations can enhance monitoring and optimization of network traffic and system activities. ThinkPalm is one of the pioneers of these technologies, providing cutting-edge solutions based on the features of eBPF to deliver secure, trustworthy, and efficient technology infrastructures. Moreover, as this special tool continues to advance, maintaining pace with innovating companies like ThinkPalm will become necessary to fuel next-generation innovation for system performance and observability.
To summarize, Extended Berkeley Packet Filter offers exceptional performance, a low level of overhead, and great flexibility for monitoring, performance profiling, and security tasks due to running systems in kernel space. From network performance improvements to kernel event tracing and security auditing, this special tool is one of the most fascinating developments in modern Linux systems.
Knowing how this technology works allows you to use it to make your system more observable and reliable. As the tool incorporates advanced features, it’s safe to assume that its value in developing new systems and enhancing the security of Linux monitoring will rise in the future.
Deepanraj Pounraj is a data communication protocol developer with expertise across the networking stack—from the data link layer to the application layer. He specializes in building secure and efficient communication systems for embedded, IoT, and enterprise networks.
