I. What is this eBPF? It looks scary!

Have you wanted to write programs that act as drivers for Linux? Wanted programs to run at the kernel level? Wanted to monitor events and internal resources and get better observability? All you need to know is how to make good use of Linux eBPF.

eBPF is a technology in the Linux kernel that can run sandboxed programs in a privileged context (in the OS kernel). It is used to efficiently extend the capabilities of the kernel without changing kernel source code.

An operating system kernel is hard to modify due to its central role and its high requirements for stability and security. Innovation at the operating system level is slower than for functionality implemented outside of the operating system. And developing drivers is difficult in general (I have tried that in Windows and failed).

Link: https://ebpf.io/what-is-ebpf/

eBPF changes this formula fundamentally. It allows sandboxed programs to run within the operating system, which means that application developers can run eBPF programs to add capabilities to the operating system at runtime. The operating system then guarantees efficiency as if natively compiled, with the aid of a Just-In-Time (JIT) compiler and verification engine. This has led to a wave of eBPF-based projects covering a wide array of use cases in networking, observability, and security.

Let's dive right into a practical scenario: we will build a simple firewall that blocks traffic from a particular IP such as 8.8.8.8 and counts the incoming packets transferred each second. Follow along if you have an Ubuntu machine ready.

II. Developing with eBPF made Simple.

We need 2 files for a simple eBPF program:

- A Python user space script for interacting with eBPF
- C code that uses eBPF functions and modules (core logic)

Let's download the requirements and set up a Python virtual environment for a smooth workflow.

Initial setup for Ubuntu: sudo apt-get update && sudo apt-get install -y bpfcc-tools ...
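
The two-part layout described above (Python loader plus C core logic), as an added example that is not the original post's code, which this excerpt does not include. It assumes the bcc Python bindings (python3-bpfcc on Ubuntu) and root privileges; attaching at the XDP hook, the names xdp_filter, pkt_count and BLOCKED_SADDR, and the default interface eth0 are assumptions made for illustration.

```python
import ipaddress, sys, time

# Added example: BCC-style C program; BLOCKED_SADDR is injected with -D at compile time.
PROG = r"""
#include <uapi/linux/bpf.h>
#include <linux/if_ether.h>
#include <linux/ip.h>
BPF_ARRAY(pkt_count, u64, 1);              // slot 0: every packet seen on the interface
int xdp_filter(struct xdp_md *ctx) {
    void *data = (void *)(long)ctx->data;
    void *data_end = (void *)(long)ctx->data_end;
    u32 key = 0;
    u64 *cnt = pkt_count.lookup(&key);
    if (cnt) __sync_fetch_and_add(cnt, 1);
    struct ethhdr *eth = data;
    if ((void *)(eth + 1) > data_end) return XDP_PASS;   // bounds check the verifier requires
    if (eth->h_proto != htons(ETH_P_IP)) return XDP_PASS; // non-IPv4 frames are not filtered
    struct iphdr *ip = (void *)(eth + 1);
    if ((void *)(ip + 1) > data_end) return XDP_PASS;
    return ip->saddr == BLOCKED_SADDR ? XDP_DROP : XDP_PASS;
}
"""

def saddr_constant(ip):
    """Value ip->saddr holds when read as a host u32 (bytes stay in network order)."""
    return int.from_bytes(ipaddress.IPv4Address(ip).packed, sys.byteorder)

def cflags_for(ip):
    # Strict parsing above rejects short forms such as "8.8.8" before anything is compiled.
    return ["-DBLOCKED_SADDR=%#010xu" % saddr_constant(ip)]

def main(dev, blocked="8.8.8.8"):
    from bcc import BPF                    # imported here: needs bcc installed and root
    b = BPF(text=PROG, cflags=cflags_for(blocked))
    b.attach_xdp(dev, b.load_func("xdp_filter", BPF.XDP), 0)
    prev = 0
    try:
        while True:
            time.sleep(1)
            total = b["pkt_count"][0].value
            print("%d packets/s on %s" % (total - prev, dev))
            prev = total
    except KeyboardInterrupt:
        pass
    finally:
        b.remove_xdp(dev, 0)               # detach, or the filter stays on the interface

if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "eth0")
```

The counter includes dropped packets, since it is incremented before the source-address check.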