EBPF
Fleeting
- External reference: https://www.tigera.io/learn/guides/ebpf/
- External reference: https://ebpf.io/what-is-ebpf
eBPF is a revolutionary technology with origins in the Linux kernel that can run sandboxed programs in an operating system kernel. It is used to safely and efficiently extend the capabilities of the kernel without requiring changes to kernel source code or loading kernel modules.
eBPF is a Linux kernel feature that allows fast yet safe mini-programs to be loaded into the kernel in order to customise its operation.
eBPF is a virtual machine embedded within the Linux kernel (on most architectures its bytecode is JIT-compiled to native code, so the customisation costs little at run time). This allows the behaviour of the kernel to be (sometimes heavily) customised.
Before a program is loaded it must pass a very strict static verifier; the verifier sandboxes the program, ensuring it can only access allowed parts of memory (packet bytes, for example, only after the access has been bounds-checked against the packet end) and that it is guaranteed to terminate (loops must be provably bounded and the verifier caps the number of instructions it will analyse). The sandbox is a defence against bugs in the program, not a substitute for privilege: loading most program types requires CAP_BPF (CAP_SYS_ADMIN on kernels before 5.8), and most distributions disable unprivileged BPF through the kernel.unprivileged_bpf_disabled sysctl.
eBPF stands for "extended Berkeley Packet Filter". The Berkeley Packet Filter (now referred to as classic BPF, or cBPF) was an earlier, more specialised virtual machine that was tailored for filtering packets.
Tracing programs (kprobes, tracepoints, fentry/fexit) can be attached to a significant proportion of the functions in the kernel.
Traffic Control (tc) programs can be attached at the ingress and egress of a given network device.
XDP, or “eXpress Data Path”, is actually the name of an eBPF hook. Each network device has an XDP ingress hook that is triggered once for each incoming packet before the kernel allocates a socket buffer for the packet.
Several types of socket programs hook into various operations on sockets, allowing the eBPF program to, for example, change the destination IP of a newly-created socket (the cgroup sock_addr hooks that run on connect do exactly this).
seccomp allows syscalls to be policed in a fine-grained way; note, though, that seccomp filters are classic BPF programs, not eBPF, so none of the eBPF maps, helpers or program types described here are available to them.
And… probably a few more hooks by the time you read this; eBPF is under heavy development in the kernel
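The verifier's memory-safety rule and the XDP hook described above, as an added example that is not code from this page or from the referenced sites: an XDP-style filter written the way the verifier demands it, with every packet read guarded by a comparison against `data_end`. The header structs are hand-written stand-ins for the kernel's `linux/if_ether.h`, `linux/ip.h` and `linux/tcp.h` so the logic builds and runs as plain user-space C; `BLOCKED_PORT`, `xdp_drop_blocked_port` and the `filter_constructed_frame` harness are names chosen for this example, the frames it feeds the filter are constructed inline, and the `__BPF__` branch assumes the macro clang defines when targeting BPF.

```c
/* Added example: an XDP-style filter with verifier-friendly bounds checks.
 * Every read from the packet is preceded by a comparison against data_end;
 * the kernel verifier rejects the program at load time if any path reaches
 * a packet access without such a guard. */
#include <stdint.h>
#include <stddef.h>

#ifdef __BPF__                      /* clang -target bpf: real hook build */
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
#else                               /* user-space build: mirror enum xdp_action */
#include <stdio.h>
enum xdp_action { XDP_ABORTED = 0, XDP_DROP = 1, XDP_PASS = 2 };
#endif

#define ETH_P_IP     0x0800
#define IPPROTO_TCP  6
#define BLOCKED_PORT 4444           /* hypothetical policy: drop inbound TCP to this port */

/* Hand-written stand-ins for the kernel header structs (same layout). */
struct ethhdr { uint8_t h_dest[6], h_source[6]; uint16_t h_proto; } __attribute__((packed));
struct iphdr  { uint8_t ihl_version, tos; uint16_t tot_len, id, frag_off;
                uint8_t ttl, protocol; uint16_t check; uint32_t saddr, daddr; } __attribute__((packed));
struct tcphdr { uint16_t source, dest; uint32_t seq, ack_seq;
                uint16_t flags, window, check, urg_ptr; } __attribute__((packed));

/* Read a network-order 16-bit field byte by byte: correct on any host,
 * and no unaligned load is needed. */
static inline uint16_t be16(const void *p)
{
    const uint8_t *b = p;
    return (uint16_t)((b[0] << 8) | b[1]);
}

/* The filter proper. data/data_end bracket the bytes the program may touch;
 * the verifier admits a dereference only once it has seen the pointer
 * compared against data_end on that path. */
static inline int xdp_filter(void *data, void *data_end)
{
    struct ethhdr *eth = data;
    if ((void *)(eth + 1) > data_end)
        return XDP_PASS;            /* runt frame: let the stack handle it */
    if (be16(&eth->h_proto) != ETH_P_IP)
        return XDP_PASS;            /* only IPv4 is inspected here */

    struct iphdr *ip = (struct iphdr *)(eth + 1);
    if ((void *)(ip + 1) > data_end)
        return XDP_PASS;
    if (ip->protocol != IPPROTO_TCP)
        return XDP_PASS;

    /* IHL is in 32-bit words; honour IP options instead of assuming 20 bytes. */
    uint32_t ihl = (uint32_t)(ip->ihl_version & 0x0f) * 4;
    if (ihl < sizeof(*ip))
        return XDP_DROP;            /* malformed header length */
    struct tcphdr *tcp = (struct tcphdr *)((uint8_t *)ip + ihl);
    if ((void *)(tcp + 1) > data_end)
        return XDP_PASS;            /* TCP header not fully present */

    return be16(&tcp->dest) == BLOCKED_PORT ? XDP_DROP : XDP_PASS;
}

#ifdef __BPF__
/* The XDP entry point: the kernel passes a struct xdp_md whose data/data_end
 * fields the verifier treats as packet pointers. */
SEC("xdp")
int xdp_drop_blocked_port(struct xdp_md *ctx)
{
    return xdp_filter((void *)(long)ctx->data, (void *)(long)ctx->data_end);
}
char LICENSE[] SEC("license") = "GPL";
#else
/* User-space harness: build a constructed Ethernet/IPv4/TCP frame to dport,
 * optionally truncate it to truncate_to bytes, and return the verdict. */
static int filter_constructed_frame(uint16_t dport, size_t truncate_to)
{
    uint8_t buf[64] = {0};
    struct ethhdr *eth = (struct ethhdr *)buf;
    struct iphdr  *ip  = (struct iphdr *)(eth + 1);
    struct tcphdr *tcp = (struct tcphdr *)(ip + 1);
    buf[12] = ETH_P_IP >> 8; buf[13] = ETH_P_IP & 0xff;   /* eth->h_proto, network order */
    ip->ihl_version = 0x45;                               /* IPv4, 20-byte header */
    ip->protocol = IPPROTO_TCP;
    ((uint8_t *)&tcp->dest)[0] = (uint8_t)(dport >> 8);
    ((uint8_t *)&tcp->dest)[1] = (uint8_t)(dport & 0xff);
    size_t len = sizeof(*eth) + sizeof(*ip) + sizeof(*tcp);   /* 54 bytes */
    if (truncate_to && truncate_to < len)
        len = truncate_to;
    return xdp_filter(buf, buf + len);
}

int main(void)
{
    printf("TCP/4444 full frame : %d (1 = XDP_DROP)\n", filter_constructed_frame(4444, 0));
    printf("TCP/443  full frame : %d (2 = XDP_PASS)\n", filter_constructed_frame(443, 0));
    printf("TCP/4444 cut at 40B : %d (2 = XDP_PASS)\n", filter_constructed_frame(4444, 40));
    return 0;
}
#endif
```

The truncated-frame case is the one the verifier exists for: without the `tcp + 1 > data_end` check the filter would read past the end of a short frame, and a real XDP build would be refused at load time rather than allowed to reach that read.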