eBPF — Divulging The Hidden Super Power


Let me start the blog with a real story. A year back one of my friends called me to discuss tech (which is a very common thing between us). We share different technical challenges each of us faces at our workplace or by any of our peers and these discussions lead to some informative and creative knowledge-sharing sessions. In such a discussion, he described a specific challenge faced by his cousin, who works for a giant cloud provider. The challenge was to restrict certain IPs dynamically as they provide threats such as a DOS (Denial of service attack), the application developer’s brain in me impetuously replied that these should be handled at a firewall level, or middleware can be written to check the origin of the packet and maintain a blacklist for the malicious senders and ignore the requests (Yes I come from a NodeJS and Go background so the initial solution strikes as a middleware). My friend patiently explained the scale and performance at which this needed to be executed which was way beyond my comprehension. After a noob’s doubt clearing session, we agreed that the scale he wanted could only be achieved at a kernel level. I wished him luck (sarcastically) to write a kernel patch and raise a PR hoping the OS maintainers would include the kernel patch in an upcoming kernel release and he can use this feature when it is released. As a reply to my sarcasm, he shared with me a link to an article that detailed something called “eBPF” (extended Berkeley Packet Filter). I did a basic skimming through the article, and my ignorant mind came to sense that there are amazing inventions in the tech world that I am unaware of.


The eBPF came to life in 2014, introduced in Linux kernel 3.18, thereby unlocking the God mode of the Linux kernel. The natural doubt anyone reading this blog would have is regarding the name. If this is an “extended berkeley packet filter” then there should be a BPF “berkeley packet filter”. Well, you are right. The BSD packet filter is not a new concept. It was from the 90’s. This gem has been hiding under the radar for years, the Xennails were true innovators. BPF was very basic and its only job was to filter packets at the kernel level hence the name.

  • Kube-proxy — the component which implements Services and load balancing by DNAT iptables rules
  • Most CNI plugins are using iptables for Network Policies

Program Execution Bozo’s Guide

To explain the importance of eBPF there needs to be an explanation of how programs are executed in Linux, I will try to explain it from a 1000ft view for everyone.

  1. Kernel space
  2. User space
Credits: slideshare

eBPF Dissected

eBPF is the provision to run custom code that runs on the kernel for various processes like

  • Observability (tracing)
  • Debugging
  • Firewalling
  • Load Balancing
  • Network related activity
  • A system call
  • Function entry/exit
  • When a packet enters or leaves
  • K probes or U probes

Additional Trick Under Your Sleeve

The ebpf is indeed a powerful tool that you could have under your sleeve. When working on high-performance projects tweaking the packets or extending the tracing functionality all help you give better observability of what’s happening with the system. Even though encountering the ebpf by an application developer at the present stage is very feeble, if you are a performance engineer/network engineer or even security engineer, the chance of you encountering ebpf in the future is going to shoot up to the sky.


As said in Spiderman movies “Great power comes with great responsibility” when you unlock the God mode of Linux you are on your own, the guards that protected your program from corrupting the whole are not available now. There are specific use cases to use Ebpf, it is not the swiss knife for all your performance issues. The community is pretty huge now including big players like meta, google, Cloudflare, and Netflix all using the tech daily. The tech has loads of potential to grow, recent years have seen separate conf for ebpf enthusiasts.




Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


CoffeeBeans empowers organizations to transform their business through the use of advanced technologies. Building data-driven solutions that drive innovation.