Linux > eBPF

Involves the use of several BPF tools for tracing.

A progressive (three levels of difficulty) tutorial to learn how to process packets with XDP.

An introductory guide to writing image-based eBPF gadgets and performing post-processing with WASM.

List of community developed labs.

Jesper Dangaard Brouer's prototype-kernel repository contains some additional examples that can be compiled outside of kernel infrastructure.

Provides basic but complete examples of eBPF applications also compatible with hardware offload.

A heavily commented sample demonstrating how to encapsulate and decapsulate MPLS within IP. The code is commented for those new to BPF development.

A collection of compiled (as ELF object files) samples gathered from several projects, primarily intended to serve as test cases for user space verifiers.

A fully documented and tested example of an eBPF probe that logs all force-kills and prints them out in user-space.

Program that uses XDP/TC-eBPF to provide statefull firewalling and socket redirection.

Tooling and framework to write eBPF code in Rust efficiently.

github.com

project (GitHub repository) is a technology relying on eBPF and XDP to provide "fast in-kernel networking and security policy enforcement for containers based on eBPF programs generated on the fly". Many presentations available (with overlap):

Extreme Performance Tuning guide - Mark II.

Calico is an open source networking and network security solution for containers, virtual machines, and native host-based workloads. Calico's eBPF data plane delivers a low latency, high throughput data plane with a rich network security policy model.

Use eBPF to speed up your Service Mesh. Merbridge replaces iptables rules with eBPF to intercept traffic. It also combines msg_redirect to reduce latency with a shortened datapath between sidecars and services.

An open-source C++ library for capturing, parsing and crafting network packets. It features a C++ interface for creating AF_XDP sockets, making it easy to send and receive packets through them.

A high performance and lightweight captive portal solution for wireless networks. It leverages eBPF for traffic control and deep packet inspection capabilities, with plans to gradually replace nftables firewall functionality with eBPF-based solutions.

A proof-of-concept IPX implementation for Linux using eBPF.

A kubectl plug-in for executing bpftrace programs in a Kubernetes cluster.

Framework for running BPF programs with rules on Linux as a daemon. Container aware.

A distinct BPF daemon, trying to leverage the flexibility of the bcc tools to trace and debug remote targets, and in particular devices running with Android.

A Linux shell environment for using tracing tools on Android with BPFd.

System daemon to compile and load eBPF programs into the kernel, and forward program output to socket for metric aggregation.

An in-kernel solution based on XDP for 5G UPF.

A web interface to explore system's maps and programs.

A TUI (terminal user interface) application for real time monitoring of eBPF programs.

An eBPF Manager for Linux and Kubernetes. Includes a built-in program loader that supports program cooperation for XDP and TC programs, as well as deployment of eBPF programs from OCI images.

A process-aware, eBPF-based tcpdump-like tool.

A TUI for sniffing network traffic using eBPF on Linux.

Calico is an open source networking and network security solution for containers, virtual machines, and native host-based workloads. Calico's eBPF data plane delivers a low latency, high throughput data plane with a rich network security policy model.

A DWARF-aware eBPF tracer for source-level userspace tracing, with an interactive TUI and a scriptable CLI.

A C library used for handling BPF objects (programs and maps), and manipulating ELF object files containing them. It is shipped with the kernel and mirrored on GitHub.

Scaffolding for BPF application development with libbpf and BPF CO-RE.

Pure-Go library to read, modify and load eBPF programs and attach them to various hooks in the Linux kernel.

eBPF library for Go, powered by libbpf.

A pure Rust library for writing, loading, and managing eBPF objects, with a focus on developer experience and operability. It supports writing eBPF programs in Rust and distributing library code over crates.io to share it between eBPF programs. Aya does not depend on libbpf.

Templates for writing BPF applications in Aya that can be used with cargo generate.

A pure Zig framework for writing cross platform eBPF programs, powered by libbpf and Zig toolchain.

A compilation framework and runtime library to build, distribute, dynamically load, and run CO-RE eBPF applications in multiple languages and WebAssembly. It supports writing eBPF kernel code only (to build simple CO-RE libbpf eBPF applications), writing the kernel part in both BCC and libbpf styles, and writing userspace in multiple languages in a WASM module and distributing it with simple JSON data or WASM OCI images. The runtime is based on libbpf only and provides CO-RE to BCC-style eBPF programs without depending on the LLVM library.

A rootkit that leverages multiple eBPF features to implement offensive security techniques.

An utility to statically analyze eBPF bytecode or monitor suspicious eBPF activity at runtime. It was specifically designed to detect ebpfkit.

A collection of malicious eBPF programs that make use of eBPF's ability to read and write user data in between the usermode program and the kernel.

A Linux eBPF rootkit with a backdoor, C2, library injection, execution hijacking, persistence and stealth capabilities.

A GitHub repository with notes and ideas regarding the future evolutions of XDP.

eBPF specification (somewhat outdated; information should still be valid, but not exhaustive).