Create an eBPF program by yourself (original Chinese title: ⾃⼰的eBPF程式⾃⼰做)
Huai-En Tseng
About me
• Huai-En Tseng 曾懷恩

• ChungHwa telecommunication laboratory.

• Associate researcher in Broadband
networks laboratory

• Focus on virtualization, high performance
computing, Linux kernel, system
programming optimization, network protocol
implementation, SDN

• Github: https://github.com/w180112

• Linkedin: https://www.linkedin.com/in/huai-en-tseng-a10975157/
Contents
• What's eBPF/BPF?

• How to build eBPF from in-kernel source

• Program an eBPF program by hand

• Quick demo
What's eBPF/BPF?
• Berkeley Packet Filter

• an in-kernel virtual machine

• the foundation of tcpdump and Wireshark

• invented in 1992 at the USENIX conference

• BSD sockets let a user program inject custom BPF filter rules

• Main idea: copy and filter
• extended BPF

• from packet filtering to monitoring, traffic control and kernel tracing

• programs are written in high-level C and compiled to BPF bytecode instead of being hand-written

• kernel space and user space exchange information through BPF map structures

• compiled by llvm/clang; checked by the in-kernel verifier before it is allowed to run

• the traditional BPF is also called classic BPF (cBPF)
eBPF mechanism
• An eBPF program can be split into 2 parts

• a user space BPF loader

• a kernel space BPF ELF program

• The BPF loader loads the BPF program into kernel space

• Then the BPF program is executed by the in-kernel BPF virtual machine
eBPF types
• eBPF supports many different features

• kernel tracing

• network monitoring

• traffic control 

• eXpress Data Path

• the number of program types increases in each kernel version from v3.17

eBPF program types are listed in /include/uapi/linux/bpf.h (kernel version v5.8.9)
eBPF maps
• eBPF provides several map types

• Unlike cBPF, where user space reads the filtered packets with recv(), eBPF exchanges information between the kernel space eBPF program and the user space BPF loader through maps

• BPF_MAP_TYPE_ARRAY, BPF_MAP_TYPE_PERCPU_ARRAY

• BPF_MAP_TYPE_HASH, BPF_MAP_TYPE_PERCPU_HASH

• and others

eBPF map types are listed in /include/uapi/linux/bpf.h (kernel version v5.8.9)
What's eBPF/BPF? - XDP
eBPF tools
• BCC

• TC

• iproute2

• In-kernel source
in-kernel eBPF examples
• Many eBPF example programs are included in the Linux kernel source code under samples/bpf/

• they can be compiled with the Makefile in that directory
How to compile
• How to compile in-kernel eBPF source code? (Ubuntu 18.04)

• prerequisite

• check your kernel version and download the kernel source code that matches it

• install the required packages

• cd to /usr/src/linux-source-5.0.0/linux-source-5.0.0/ and start compiling
eBPF program analyzing
• Each eBPF program has a hook point and a program type; the programmer sets the type in the eBPF loader

• The eBPF loader looks for SEC() to find the hook point function definition

• The hook point type depends on which eBPF program type the loader selects

• e.g. in an XDP eBPF program, the parameter of the hook point function is a struct xdp_md pointer
eBPF program analyzing - using XDP
[code slide; annotations: head of packet, tail of packet]
eBPF program analyzing - using XDP
• Each XDP program should return an XDP_* value at the end of the XDP function definition

[code slide; annotations: XDP_DROP drops the packet directly, XDP_PASS allows the packet to go through into the network stack]
eBPF program analyzing - using XDP
• Our eBPF program is just like this so far.

• Now, let's start to add some code. First, we need to get the packet we receive
eBPF program analyzing - using XDP
• Next, we can add whatever we want to implement in this XDP program

• For this example, we try to filter and drop incoming packets which are UDP on port 55688
eBPF program analyzing
• We sometimes want to exchange data with the user space eBPF loader using a map structure

• In this example, we count each incoming UDP packet and store the count in the map structure

[code slide; annotation: the counter update is an atomic operation]
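The two XDP slides above (the UDP port 55688 filter and the UDP counter in a map) are shown in the talk as code screenshots that did not survive extraction. The following is an added example, not the speaker's code: the body of xdp_filter() is written the way an XDP program body is, with a bounds check against data_end before every header access (the in-kernel verifier rejects a program that reads the packet without one), an XDP_DROP for UDP to port 55688 and an atomic add on a counter keyed by IP protocol. So that it compiles and runs as ordinary C, the struct xdp_md, ethhdr, iphdr and udphdr definitions and the XDP_* values are local stand-ins for the kernel headers, proto_count[] stands in for a BPF_MAP_TYPE_ARRAY, and the frames are constructed in build_udp_frame(); "port 55688" is taken to mean the UDP destination port, which the slide does not specify.

```c
/* Added example (not from the talk): XDP-style filter/counter body as plain C. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { XDP_ABORTED = 0, XDP_DROP = 1, XDP_PASS = 2 };   /* values as in linux/bpf.h */

/* Stand-in for struct xdp_md: the kernel's fields are __u32 that the verifier maps
 * to packet pointers; here they hold host pointers so the same casts work. */
struct xdp_md { unsigned long data; unsigned long data_end; };

/* Local copies of the header layouts (little-endian bitfield order for iphdr). */
struct ethhdr { uint8_t h_dest[6]; uint8_t h_source[6]; uint16_t h_proto; } __attribute__((packed));
struct iphdr  { uint8_t ihl:4, version:4; uint8_t tos; uint16_t tot_len; uint16_t id;
                uint16_t frag_off; uint8_t ttl; uint8_t protocol; uint16_t check;
                uint32_t saddr; uint32_t daddr; } __attribute__((packed));
struct udphdr { uint16_t source; uint16_t dest; uint16_t len; uint16_t check; } __attribute__((packed));

#define ETH_P_IP     0x0800
#define IPPROTO_UDP  17
#define BLOCKED_PORT 55688   /* port used in the talk's example */

/* Host-to-network for 16-bit values, portable, without <arpa/inet.h>. */
static uint16_t net16(uint16_t v)
{
    uint8_t b[2] = { (uint8_t)(v >> 8), (uint8_t)v };
    uint16_t r;
    memcpy(&r, b, sizeof r);
    return r;
}

/* Stand-in for a BPF_MAP_TYPE_ARRAY of 256 u64 counters keyed by IP protocol. */
static uint64_t proto_count[256];

static uint64_t *map_lookup(uint32_t key)
{
    return key < 256 ? &proto_count[key] : NULL;   /* bpf_map_lookup_elem() may return NULL */
}

int xdp_filter(struct xdp_md *ctx)
{
    void *data     = (void *)(long)ctx->data;      /* head of packet */
    void *data_end = (void *)(long)ctx->data_end;  /* tail of packet */

    struct ethhdr *eth = data;
    if ((void *)(eth + 1) > data_end)              /* verifier-required bounds check */
        return XDP_PASS;
    if (eth->h_proto != net16(ETH_P_IP))
        return XDP_PASS;

    struct iphdr *ip = (struct iphdr *)(eth + 1);
    if ((void *)(ip + 1) > data_end)
        return XDP_PASS;
    if (ip->ihl < 5)                               /* malformed IPv4 header */
        return XDP_DROP;
    if (ip->protocol != IPPROTO_UDP)
        return XDP_PASS;

    /* Count every UDP packet. XDP runs concurrently on every CPU and a plain
     * array map is shared, so the add must be atomic. */
    uint32_t key = ip->protocol;
    uint64_t *cnt = map_lookup(key);
    if (cnt)
        __sync_fetch_and_add(cnt, 1);

    /* IHL is variable; the result is checked against data_end before use. */
    struct udphdr *udp = (struct udphdr *)((uint8_t *)ip + ip->ihl * 4);
    if ((void *)(udp + 1) > data_end)
        return XDP_PASS;
    if (udp->dest == net16(BLOCKED_PORT))
        return XDP_DROP;
    return XDP_PASS;
}

/* --- constructed frames for exercising the filter (not captured traffic) --- */

/* Write an Ethernet/IPv4/UDP frame to dport into buf; returns frame length or 0. */
size_t build_udp_frame(uint8_t *buf, size_t cap, uint16_t dport, size_t payload_len)
{
    size_t len = sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct udphdr) + payload_len;
    if (len > cap)
        return 0;
    memset(buf, 0, len);
    struct ethhdr *eth = (struct ethhdr *)buf;
    eth->h_proto = net16(ETH_P_IP);
    struct iphdr *ip = (struct iphdr *)(eth + 1);
    ip->version = 4;
    ip->ihl = 5;
    ip->protocol = IPPROTO_UDP;
    ip->tot_len = net16((uint16_t)(len - sizeof(struct ethhdr)));
    struct udphdr *udp = (struct udphdr *)(ip + 1);
    udp->source = net16(12345);
    udp->dest = net16(dport);
    udp->len = net16((uint16_t)(sizeof(struct udphdr) + payload_len));
    return len;
}

/* Run the filter over the first len bytes of buf, as the driver would. */
int run_on_frame(const uint8_t *buf, size_t len)
{
    struct xdp_md ctx = { .data = (unsigned long)buf, .data_end = (unsigned long)(buf + len) };
    return xdp_filter(&ctx);
}

/* Verdict for a well-formed 46-byte frame to dport. */
int verdict_for_port(uint16_t dport)
{
    uint8_t frame[128];
    size_t n = build_udp_frame(frame, sizeof frame, dport, 4);
    return n ? run_on_frame(frame, n) : XDP_ABORTED;
}

/* Verdict when only the first len bytes of a frame to the blocked port are present:
 * the bounds checks must decide without reading past data_end. */
int verdict_truncated(size_t len)
{
    uint8_t frame[128];
    size_t n = build_udp_frame(frame, sizeof frame, BLOCKED_PORT, 4);
    if (len > n)
        len = n;
    return run_on_frame(frame, len);
}

uint64_t udp_count(void) { return proto_count[IPPROTO_UDP]; }

int main(void)
{
    printf("port 55688 -> %d (1 = XDP_DROP)\n", verdict_for_port(BLOCKED_PORT));
    printf("port 53    -> %d (2 = XDP_PASS)\n", verdict_for_port(53));
    printf("truncated  -> %d\n", verdict_truncated(40));
    printf("udp packets counted: %llu\n", (unsigned long long)udp_count());
    return 0;
}
```

In the real program the three stand-ins disappear: the headers come from the kernel's uapi includes, proto_count becomes a map declared in the ELF's maps section and read through bpf_map_lookup_elem(), and the loader reads the same entry with bpf_map_lookup_elem() from user space. The truncated-frame cases are the ones that matter for the verifier: a 40-byte frame (Ethernet and IPv4 headers complete, UDP header cut short) is counted as UDP but passed, because the port is never read.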
eBPF loader analyzing
• In the eBPF loader, there are several steps to load an eBPF program:

• find the eBPF ELF file and load it

• bpf_prog_load_xattr()

• find the hook point in the eBPF program - the string given in SEC()

• bpf_object__find_program_by_title()

• obtain the file descriptor of the hook point function found under that SEC()

• bpf_program__fd()

• In an XDP loader, we also need to attach the XDP program to a network interface

• bpf_set_link_xdp_fd()
eBPF loader analyzing
• If a map structure is used, we should:

• check whether the eBPF program defines a map and, if so, find it

• bpf_map__next()

• bpf_map__fd()

• set the entries in the map to 0

• bpf_map_update_elem()

• Then we can fetch the value of each entry in the map

• bpf_map_lookup_elem()
Modify the makefile in kernel source
• This makefile uses the kbuild system to compile.

• Define the name of the user space executable to build

• hostprogs-y += get_pkts

• Define the object files the loader needs

• get_pkts-objs := bpf_load.o get_pkts_user.o

• Add the always variable so the eBPF ELF object is compiled too

• always += get_pkts_kern.o
Quick demo
Thanks for attending

Meetup 2009