Extended Berkeley Packet Filter (eBPF)
Programs that run in an in-kernel, register-based virtual machine. Every program is statically checked by the kernel's verifier before it is loaded (bounded execution, no out-of-bounds or uninitialised memory access, only permitted helper calls), which is what makes it safe to insert security, visibility and networking logic into a running Linux kernel without a kernel module. User space loads programs, attaches them to hooks, and reads and writes the maps they share with the kernel through the bpf() system call.
In practice this gives runtime-configurable kernel functionality: high-performance networking, multi-cluster and multi-cloud connectivity, advanced load balancing, transparent encryption, extensive network security controls and transparent observability, the feature set that eBPF-based networking and observability projects build on it.
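The paragraph above says user space talks to the eBPF subsystem through bpf() and that the verifier checks every program before it runs. The following is an added example written for these notes (not code from the original page or from any project) that does both directly, without libbpf: it creates a map and exchanges data with it from user space, loads a two-instruction hand-encoded socket-filter program, and then submits a program the in-kernel verifier rejects and prints the verifier log. It assumes Linux with `<linux/bpf.h>` headers and either CAP_BPF/CAP_SYS_ADMIN or `kernel.unprivileged_bpf_disabled=0`; otherwise bpf() fails with EPERM. The helper names (`sys_bpf`, `load_prog`, `create_map`, `map_update`, `map_lookup`) are this example's own.

```c
/* Added example for these notes, not code from the original page or any
 * project: bpf() used directly, without libbpf. Linux-only; needs
 * CAP_BPF/CAP_SYS_ADMIN or kernel.unprivileged_bpf_disabled=0. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/bpf.h>

#define LOG_SIZE 4096

/* glibc has no bpf() wrapper; every command goes through the raw syscall. */
static long sys_bpf(int cmd, union bpf_attr *attr)
{
    return syscall(__NR_bpf, cmd, attr, sizeof *attr);
}

/* eBPF instruction encoding: 8-bit opcode, 4-bit dst/src registers,
 * 16-bit offset, 32-bit immediate. Two opcodes are enough here. */
static struct bpf_insn mov64_imm(int dst, int32_t imm)
{
    struct bpf_insn in = { .code = BPF_ALU64 | BPF_MOV | BPF_K, .dst_reg = dst, .imm = imm };
    return in;
}
static struct bpf_insn exit_insn(void)
{
    struct bpf_insn in = { .code = BPF_JMP | BPF_EXIT };
    return in;
}

/* BPF_PROG_LOAD: returns a program fd, or -1 with errno set. The verifier's
 * log (empty on success at log_level 1) is left in log[]. */
int load_prog(const struct bpf_insn *insns, unsigned int n, char *log, size_t log_size)
{
    union bpf_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.prog_type = BPF_PROG_TYPE_SOCKET_FILTER;
    attr.insns = (uint64_t)(uintptr_t)insns;
    attr.insn_cnt = n;
    attr.license = (uint64_t)(uintptr_t)"GPL";
    attr.log_buf = (uint64_t)(uintptr_t)log;
    attr.log_size = (uint32_t)log_size;
    attr.log_level = 1;
    log[0] = '\0';
    return (int)sys_bpf(BPF_PROG_LOAD, &attr);
}

/* BPF_MAP_CREATE: a one-slot array map, u32 key -> u64 value. */
int create_map(void)
{
    union bpf_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.map_type = BPF_MAP_TYPE_ARRAY;
    attr.key_size = sizeof(uint32_t);
    attr.value_size = sizeof(uint64_t);
    attr.max_entries = 1;
    return (int)sys_bpf(BPF_MAP_CREATE, &attr);
}
/* The kernel copies key/value through the user pointers in bpf_attr. */
int map_update(int fd, uint32_t key, uint64_t value)
{
    union bpf_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.map_fd = (uint32_t)fd;
    attr.key = (uint64_t)(uintptr_t)&key;
    attr.value = (uint64_t)(uintptr_t)&value;
    attr.flags = BPF_ANY;
    return (int)sys_bpf(BPF_MAP_UPDATE_ELEM, &attr);
}
int map_lookup(int fd, uint32_t key, uint64_t *value)
{
    union bpf_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.map_fd = (uint32_t)fd;
    attr.key = (uint64_t)(uintptr_t)&key;
    attr.value = (uint64_t)(uintptr_t)value;
    return (int)sys_bpf(BPF_MAP_LOOKUP_ELEM, &attr);
}

int main(void)
{
    char log[LOG_SIZE];
    struct bpf_insn good[] = { mov64_imm(0, 0), exit_insn() }; /* r0 = 0; exit: drop every packet */
    struct bpf_insn bad[]  = { exit_insn() };                  /* r0 never written: verifier rejects */
    int fd = load_prog(good, 2, log, sizeof log);
    if (fd < 0) { perror("BPF_PROG_LOAD"); return 1; }
    printf("valid program loaded as fd %d\n", fd);
    close(fd);
    if (load_prog(bad, 1, log, sizeof log) < 0)
        printf("invalid program rejected (%s), verifier log:\n%s", strerror(errno), log);
    int m = create_map();
    uint64_t v = 0;
    if (m >= 0 && map_update(m, 0, 42) == 0 && map_lookup(m, 0, &v) == 0)
        printf("map[0] = %llu\n", (unsigned long long)v);
    if (m >= 0) close(m);
    return 0;
}
```

The rejected program is the simplest verifier failure: `exit` returns r0, and the verifier tracks that r0 was never initialised, so the load fails before any instruction runs. Real tooling (libbpf, bpftool) wraps exactly these bpf_attr structures.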
The following bullets describe seccomp-BPF (SECCOMP_MODE_FILTER), which runs classic BPF, not eBPF, as a per-process syscall filter:
- A process can install multiple BPF filters (via prctl(PR_SET_SECCOMP) or seccomp(2), after setting PR_SET_NO_NEW_PRIVS unless it has CAP_SYS_ADMIN). Once installed, a filter cannot be removed, only more can be added. All installed filters run on every syscall and the most restrictive verdict wins (KILL over TRAP over ERRNO over TRACE over LOG over ALLOW), so a later filter can tighten the policy but never loosen it.
- If the process forks, the child inherits all filters, and if it calls execve, all filters are preserved.
- The input of the filter is struct seccomp_data: the syscall number (nr), the architecture/ABI (arch), the instruction pointer, and the six syscall arguments (args) by value. Because the arguments are raw register values, a filter cannot dereference pointers (e.g. inspect a path string), and a filter that does not check arch can be bypassed by issuing the same syscall number under another ABI.
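The bullets above describe seccomp-BPF rather than eBPF: classic BPF run as a syscall filter. The following is an added example written for these notes (not code from the original page or from any project) that builds such a filter over struct seccomp_data (arch check first, then an allow-list on nr, ERRNO for everything else), evaluates it in user space with a small interpreter so the logic can be checked before installing it, installs it, and then installs a second, fully permissive filter to show that filters are only ever added and the first one still applies. It assumes Linux on x86_64 or aarch64 (the AUDIT_ARCH value is selected by preprocessor check); `build_filter`, `run_filter`, `install_filter` and `report` are this example's own names.

```c
/* Added example for these notes, not code from the original page or any
 * project. Linux-only; FILTER_ARCH assumed for x86_64 / aarch64. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#error "set FILTER_ARCH to this ABI's AUDIT_ARCH_* value"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U /* absent from pre-4.14 headers */
#endif

/* Emit: kill on ABI mismatch (syscall numbers differ per ABI, so an unchecked
 * filter is bypassable through another ABI), ALLOW the listed syscall
 * numbers, ERRNO(EPERM) for everything else. Returns n_allowed + 6 insns. */
size_t build_filter(struct sock_filter *out, const int *allowed, size_t n_allowed)
{
    size_t i = 0;
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n_allowed; k++) /* jt lands on the final ALLOW */
        out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)allowed[k],
                                                (unsigned char)(n_allowed - k), 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return i;
}

/* User-space evaluator for the three opcodes used above (LD|W|ABS, JMP|JEQ|K,
 * RET|K), so a filter can be checked without installing it. Returns the
 * SECCOMP_RET_* action; the kernel is the real interpreter. */
unsigned int run_filter(const struct sock_filter *p, size_t n, const struct seccomp_data *d)
{
    unsigned int acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *in = &p[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS)) {
            if (in->k + 4 > sizeof *d) return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, (const char *)d + in->k, 4); /* 32-bit load from seccomp_data */
        } else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K)) {
            pc += (acc == in->k) ? in->jt : in->jf;   /* offsets are relative to pc+1 */
        } else if (in->code == (BPF_RET | BPF_K)) {
            return in->k;
        } else {
            return SECCOMP_RET_KILL_PROCESS;          /* opcode not modelled here */
        }
    }
    return SECCOMP_RET_KILL_PROCESS; /* fell off the end; the kernel rejects such programs */
}

/* NO_NEW_PRIVS is mandatory without CAP_SYS_ADMIN and stops a later setuid
 * execve from running privileged under an attacker-chosen filter. */
int install_filter(struct sock_filter *insns, size_t n)
{
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

static void report(const char *what, long r)
{
    char buf[96]; /* snprintf makes no syscall; write(2) is on the allow-list */
    int n = snprintf(buf, sizeof buf, "%s -> %ld, errno %d\n", what, r, r < 0 ? errno : 0);
    if (n > 0) { ssize_t w = write(1, buf, (size_t)n); (void)w; }
}

int main(void)
{
    struct sock_filter insns[16];
    const int allowed[] = { SYS_write, SYS_prctl, SYS_exit_group, SYS_exit };
    size_t n = build_filter(insns, allowed, 4);
    if (install_filter(insns, n) != 0) { perror("install_filter"); return 1; }
    report("getpid under filter 1", syscall(SYS_getpid));   /* EPERM: not on the list */
    /* Filter 2 allows everything, but filters are only ever added: all of them
     * run on every syscall and the strictest verdict wins. */
    struct sock_filter allow_all[] = { BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW) };
    if (install_filter(allow_all, 1) != 0) { perror("install_filter"); return 1; }
    report("getpid under filter 1+2", syscall(SYS_getpid)); /* still EPERM */
    return 0;
}
```

The demo uses SECCOMP_RET_ERRNO so the process survives a denied call and can print the result; a production filter would usually pair KILL_PROCESS with a logged TRAP or LOG action while the allow-list is being developed.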
eBPF Notion
eBPF Usages