November 20, 2017

BPF Updates 13

This is issue 13 of the regular newsletter around BPF written by Alexander Alemayhu. It summarizes ongoing development, presentations, videos and other information related to BPF and XDP. It is released roughly once a week.

The v4.15 merge window is open, and a summary of part 1 is already out. It contains a BPF section listing some of the new things:


The user-space bpftool utility can be used to examine and manipulate BPF programs and maps; see this man page for more information.

Hooks have been added to allow security modules to control access to BPF objects; see this changelog for more information.

A new BPF-based device controller has been added; it uses the version-2 control-group interface. Documentation for this feature is entirely absent, but one can look at the sample program added in this commit that uses it.

The highlights since last time

  • New helper function bpf_getsockopt to retrieve socket options. It supports TCP_CONGESTION for now. The new BPF_SOCK_OPS_BASE_RTT feature significantly improves TCP-NV.
  • It is now possible to attach multiple programs to tracepoints / kprobes / uprobes. The programs will run in sequence. With the change for tracepoints, one application does not exclude others from attaching to the same call.

More interesting topics

  • New helper function bpf_override_function under discussion to allow for error injection via kprobes.
  • BPF runtime finally gets a FAQ section in the kernel's documentation directory.
  • bpftool gets support for dumping JSON.


Cilium - Kernel Native Security & DDOS Mitigation for Microservices with BPF

The slides of Cynthia's talk were already in the last issue. Docker has since published the recording as well; it is definitely worth watching. Fun talk on Cilium, BPF, and Kafka.

Linux Networking Development

Focusing on development areas in the kernel. Also some advice in there for aspiring kernel developers. ;-)

XDP: The Future of Networks

Great introduction to BPF and XDP. With some myth busting and potential improvements.

A Gentle Introduction to [e]BPF - Michael Schubert, Kinvolk GmbH

Good introduction to BPF. Also nice that it shows the structures and links to some tools and the verifier.

LISA 17 - Fast and Safe Production Monitoring of JVM Applications with BPF Magic

Focusing on the tracing case with Java but the approaches could still be applied to other environments.

LISA17 Container Performance Analysis

Goes through some of the tools used at Netflix and a lot of other smaller tools for tracing. The emphasis on identifying the bottlenecks sounds good.

LISA17 Linux Performance Monitoring With BPF

Lab session for tracing tools with BCC. This is useful for learning about tracing on Linux. It also answers basic questions such as what tracepoints, kprobes, uprobes, etc. are, and what some of the limitations of dynamic tracing are. Looks like a lot of fun.

XDP – eXpress Data Path An in-kernel network fast-path A technology overview

Great introduction to BPF and XDP. Also explains the problems and why it is needed.

In case you missed it

Reports from Netconf and Netdev

Coverage of the discussions from netconf and all the talks from netdev. A lot of interesting BPF topics in there. Check it out!

security things in Linux v4.14

The security summary contains a section on eBPF JIT 32-bit ARM support and seccomp improvements.

SystemTap 3.2 release

SystemTap now has an experimental eBPF backend.

Another attempt to address the tracepoint ABI problem

Steven Rostedt proposes a different scheme where tracepoints are placed but no trace event. Then, from userspace, a kernel module has to be loaded, and there would be no need to add this to the kernel ABI. Will moving the ABI to a module really solve this problem?

Using eBPF and XDP in Suricata

Coverage of Eric Leblond's talk from Kernel Recipes. The recording was already in the last issue.



A curated list of awesome projects related to eBPF


Configs and scripts for bootstrapping an opinionated Kubernetes cluster anywhere.


The libseccomp library provides an easy to use, platform independent, interface to the Linux Kernel's syscall filtering mechanism. The libseccomp API is designed to abstract away the underlying BPF based syscall filter language and present a more conventional function-call based filtering interface that should be familiar to, and easily adopted by, application developers.


Userspace cBPF interpreter and cBPF to eBPF converter


vltrace is a syscall tracing tool which utilizes eBPF - an efficient tracing feature of the Linux kernel.

Random cool note

We blew way past 7Mpps with UDP+XDP. I’m sure you know that already though :)


Please note that netdev and llvm-commits receive a lot of patches and the list below is not meant to be comprehensive.