Skip to content
No description, website, or topics provided.
Branch: master
Clone or download
yuzibo and qmonnet Add a series of notes about ebpf from oracle (#20)
Add links to a series of six articles covering several aspects of the BPF infrastructure.

Signed-off-by: Bo YU <>
Latest commit 8c5d262 Apr 23, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
.gitattributes Thanks yeoman Nov 5, 2017 Update broken link to `` Feb 18, 2018
package.json Restart list with Dive into BPF List (#3) Feb 4, 2018 Add a series of notes about ebpf from oracle (#20) Apr 23, 2019
yarn.lock Restart list with Dive into BPF List (#3) Feb 4, 2018

Awesome eBPF Awesome

A curated list of awesome projects related to eBPF.

Note: eBPF is an exciting piece of technology, and it's ecosystem is constantly evolving. We'd love help from you to keep this awesome list up to date, and improve its signal-to-noise ratio in anyway we can. Please feel free to leave any feedback.


What is BPF?

TODO: Update with concise overview of BPF (cBPF and eBPF), and what it's used for already.


Generic Documentation and Presentations

If you are new to eBPF, you may want to try the links described as “introduction” or ”documentation” in this section (although you might not want to start with “kernel documentation”, which is dense).

BPF Internals

Kernel Tracing



Hardware Offload

  • eBPF/XDP hardware offload to SmartNICs (Jakub Kicinski and Nic Viljoen, netdev 1.2, Tokyo, October 2016) Hardware offload for eBPF with TC or XDP (Linux kernel 4.9+), introduced by Netronome.

Projects based on, or related to eBPF



  • linux/samples/bpf/ in the kernel tree: some sample eBPF programs.
  • linux/tools/testing/selftests/bpf in the kernel tree: Linux BPF selftests, with many eBPF programs.
  • prototype-kernel/kernel/samples/bpf from Jesper Dangaard Brouer's prototype-kernel repository contains some additional examples that can be compiled outside of kernel infrastructure.
  • iproute2/examples/bpf/ from iproute2 package: some networking programs to attach to the TC interface.
  • bcc/examples: coming along with the bcc tools, mostly about tracing.
  • bcc/tools themselves can be seen as example use cases for BPF programs, mostly for tracing and monitoring. bcc tools have been packaged for some Linux distributions.
  • MPLSinIP sample a heavily commented sample demonstrating how to encapsulate & decapsulate MPLS within IP. The code is commented for those new to BPF development.

The Code

  • linux/include/linux/bpf.h, linux/include/uapi/bpf.h: definitions related to eBPF, to be used respectively in the kernel and to interface with userspace programs.
  • linux/include/linux/filter.h, linux/include/uapi/filter.h: information used to run the BPF programs themselves.
  • linux/kernel/bpf/: This directory contains most of BPF-related code. In particular, those files are worth of interest:
    • syscall.c: different operations permitted by the system call, such as program loading or map management.
    • core.c: BPF interpreter.
    • verifier.c: BPF verifier.
  • linux/net/core/filter.c: functions and eBPF helpers related to networking (TC, XDP etc.); also contains the code to migrate cBPF bytecode to eBPF (all cBPF programs are translated to eBPF in recent kernels).
  • linux/kernel/trace/bpf_trace.c. functions and eBPF helpers related to tracing and monitoring (kprobes, tracepoints, etc.).
  • The JIT compilers are under the directory of their respective architectures, such as file linux/arch/x86/net/bpf_jit_comp.c for x86. Exception is made for JIT compilers used for hardware offload, sitting in their drivers, such as linux/drivers/net/ethernet/netronome/nfp/bpf/jit.c for Netronome NFP.
  • linux/net/sched/, and in particular in files act_bpf.c (action) and cls_bpf.c (filter): code related to BPF actions and filters with TC.
  • linux/kernel/seccomp.c: code related to seccomp.
  • linux/net/core/dev.c contains the function dev_change_xdp_fd() that is called through a Netlink command to hook a XDP program to a device, after is has been loaded into the kernel from user space. This function in turns uses a callback from the relevant driver.

Tools and utilities


  • bcc framework and set of tools - One way to handle BPF programs, in particular for tracing and monitoring. Also includes some utilities that may help inspect maps or programs on the system.
  • P4 compiler for BPF targets for bcc - An alternative to the restricted C.
  • Lua front-end for bcc - Another alternative to C, and even to most of the Python code used in bcc.


  • iproute2 - Package containing tools for network management on Linux. In particular, it contains tc, used to manage eBPF filters and actions, and ip, used to manage XDP programs. Most of the code related to BPF is in lib/bpf.c.
  • iproute2-next - The development tree, synchronised with net-next.


  • LLVM package contains several tools used in eBPF workflow. Snapshots of the latest versions for Ubuntu/Debian can be retrieved from here.
    • clang is used to compile C to eBPF object file under the ELF format (clang v3.7.1+). The BPF backend was added with this commit.
    • llvm-objdump is used to dump the content of an object file in human-readable format, possibly with the initial C source code (llvm-objdump v4.0+).
    • llvm-mc is used to compile from LLVM intermediate representation to eBPF object file, so that one can compile from C to eBPF assembly, tinker with assembly, then compile to ELF file.

bpftool and others from the kernel tree

  • bpftool and other tools in the kernel tree, under linux/tools/net/ for versions earlier than 4.15, or linux/tools/bpf/ after that:
    • bpftool - A generic utility that can be used to interact with eBPF programs and maps from userspace, for example to show, dump, load, disassemble, pin programs, or to show, create, pin, update, delete maps, or to attach and detach programs to cgroups.
    • bpf_asm - A minimal cBPF assembler.
    • bpf_dbg - A small debugger for cBPF programs.
    • bpf_jit_disasm - A disassembler for both BPF flavors and could be highly useful for JIT debugging.

User space eBPF

  • uBPF - Written in C. Contains an interpreter, a JIT compiler for x86_64 architecture, an assembler and a disassembler.
  • A generic implementation - With support for FreeBSD kernel, FreeBSD user space, Linux kernel, Linux user space and MacOSX user space. Used for the BPF extension module for VALE switch.
  • rbpf - Written in Rust. Interpreter for Linux, MacOSX and Windows, and JIT-compiler for x86_64 under Linux.

Testing in virtual environments

Development and Community

Other lists of resources on eBPF


Thank you to Quentin Monnet and Daniel Borkmann for their original work on Dive into BPF: A List of Reading Material which became the basis for this list.


Contributions welcome! Read the contribution guidelines first.



To the extent possible under law, zoidbergwill has waived all copyright and related or neighboring rights to this work.

You can’t perform that action at this time.