interesting post describing low level eBPF without the usual wrapping libraries

Michael Speer
Feb 21, 2026, 1:23:52 PM
to kyoss-...@kyoss.dev
for those on the list that don't know what eBPF is, extended Berkeley packet filters are tiny programs that can be passed into the Linux kernel and attached to various events. they are a generalization of Berkeley packet filters, initially created only for networking. these days they can be attached to a number of Linux subsystems. the programs are JIT compiled from bytecode to machine code after the kernel verifies them.

why go to the effort of having a tiny compiler in kernel space just for events? they were originally used for filtering incoming packets before they reached user space. this avoided the significant effort of context switching into userspace, notifying it there were pending packets, switching back to the kernel to copy them from the kernel into the userspace program, and switching back to userspace just to analyze and discard them and go to sleep again waiting for more packets. I'm sure you can see how inefficient all that is versus just running a tiny program hooked to the socket without ever leaving the kernel.

the link discusses the low-level bits of how userspace interacts with the kernel to load and attach these programs.
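
An added example, not part of the post above or of the linked article: loading a two-instruction eBPF socket filter with the raw bpf(2) syscall and attaching it with setsockopt, with no wrapper library, next to a one-instruction program that the verifier refuses. The names drop_all, uninit_r0 and prog_load are made up for this sketch; it assumes Linux UAPI headers and enough privilege to load BPF (without it both loads return EPERM).

```c
/* Added example: raw bpf(2) load + SO_ATTACH_BPF, no libbpf. Names are illustrative. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/bpf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* "r0 = 0; exit": a socket filter's return value is the byte count to keep, so 0 drops. */
static const struct bpf_insn drop_all[] = {
    { .code = BPF_ALU64 | BPF_MOV | BPF_K, .dst_reg = BPF_REG_0, .imm = 0 },
    { .code = BPF_JMP | BPF_EXIT },
};
/* "exit" alone returns r0 without writing it first; the verifier refuses such a program. */
static const struct bpf_insn uninit_r0[] = { { .code = BPF_JMP | BPF_EXIT } };

/* BPF_PROG_LOAD: the kernel verifies the bytecode; returns a program fd or -errno. */
static int prog_load(const struct bpf_insn *insns, uint32_t cnt, char *log, uint32_t log_sz)
{
    union bpf_attr attr;
    memset(&attr, 0, sizeof(attr));              /* unused fields must be zero */
    attr.prog_type = BPF_PROG_TYPE_SOCKET_FILTER;
    attr.insns     = (uint64_t)(uintptr_t)insns;
    attr.insn_cnt  = cnt;
    attr.license   = (uint64_t)(uintptr_t)"GPL";
    attr.log_buf   = (uint64_t)(uintptr_t)log;   /* verifier's explanation lands here */
    attr.log_size  = log_sz;
    attr.log_level = 1;
    long fd = syscall(SYS_bpf, BPF_PROG_LOAD, &attr, sizeof(attr));
    return fd < 0 ? -errno : (int)fd;
}

int main(void)
{
    char log[4096] = "";
    int r = prog_load(uninit_r0, 1, log, sizeof(log));
    printf("exit-only program: %s\nverifier log: %s\n", strerror(-r), log);
    int fd = prog_load(drop_all, 2, log, sizeof(log));
    if (fd < 0) { printf("load failed: %s\n", strerror(-fd)); return 1; }
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    /* Attaching is a plain setsockopt that takes the program fd. */
    if (setsockopt(s, SOL_SOCKET, SO_ATTACH_BPF, &fd, sizeof(fd)) < 0) { perror("SO_ATTACH_BPF"); return 1; }
    puts("drop-all filter attached to UDP socket");
    return 0;
}
```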