At CodiLime, we believe that sharing knowledge with both our external and internal communities creates an organizational culture founded on innovation. That is why we organize regular online events during which our coworkers share their first-hand experiences and know-how on particular network and software development cases.
Our latest event was held around the topic of the Berkeley Packet Filter, introduced by our senior software engineer, Łukasz Kszonowski. During his presentation, Łukasz covered the following topics:
- What is the BPF?
- Occurring compilations
- Communication with Linux user space
- BPF limitations
- Usages of BPF - Big Tech interest and eBPF vs. Netfilter
- Hands-on demo - live code explanation
This article introduces the Berkeley Packet Filter. In it, you will find a brief overview of BPF, its limitations, and how user space in Linux communicates with BPF. It is just a short overview of an in-depth video focused on the Linux Berkeley Packet Filter.
What is the Berkeley Packet Filter?
Let’s start with an explanation. The Berkeley Packet Filter was originally introduced to increase network packet handling performance. Previous solutions handled packets only in user space, and with increased network traffic this was not enough.
For this reason, the original BPF is now considered to be outdated and has been replaced with a newer, improved version.
The newer, improved version is called eBPF (extended BPF) and differs significantly from the previous cBPF version. One of the differences is that eBPF runs in a virtual machine inside the kernel, where Just-in-Time (JIT) compilation is optional and disabled by default. Using the JIT compiler improves performance, because it translates the program's bytecode into native machine code.
We have previously explained what eBPF is in one of our articles: “How to drop a packet in Linux in more ways than one”.
Additionally, an eBPF program written for a specific kernel version can be run on older kernels as long as it does not require features not present at that time. Also, there are other alternative versions of the BPF.
For example, one of the most popular variations is uBPF, which is written in C, the same language as the kernel implementation. Implementations in other languages also exist, such as Rust (rBPF) and Golang (goBPF).
User space in Linux
Let’s take a look at another key term. In the video, we also discuss communication with user space. So, what is user space? It is the area of memory where non-kernel applications run. One of the undoubted advantages of BPF is that the program runs inside the kernel, resulting in a performance increase. On the other hand, a program can operate in user space on copied data, which is significantly slower.
More importantly, the user space program that communicates with the BPF program acts as a control app, and the entire load is on the kernel side. We can communicate with the BPF program using a virtual file system called BPFFS, which provides several data types but has some limitations.
Berkeley Packet Filter limitations
Like any technology, BPF has some limitations. A BPF program is a program, but not a regular one. Because of the safety mechanisms built into the Linux kernel, there are limits on what the program can do.
The most frequent limitations are:
- No loops (since kernel 5.8 up to 32 iterations)
- Only inline functions
- No use of external libraries
- No const arrays
- No global variables
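These restrictions exist so that the kernel can check, before a program ever runs, that it terminates and stays inside the data it was given. As an added illustration (not code from the video or its repository), the toy classic-BPF interpreter below shows that idea in C; `toy_check`, `toy_run` and `tcp_filter` are hypothetical names, and the check is a simplified model, not the kernel's verifier.

```c
#include <stddef.h>
#include <stdint.h>
/* Classic BPF instruction layout; opcode values follow the cBPF encoding. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
enum { LD_H_ABS = 0x28, LD_B_ABS = 0x30, JEQ_K = 0x15, RET_K = 0x06 };

/* Load-time check (toy model, not the kernel verifier): known opcodes only,
 * in-range jumps, final RET. Offsets are unsigned, so jumps only go forward. */
int toy_check(const struct insn *p, size_t n)
{
    if (n == 0 || p[n - 1].code != RET_K) return 0;
    for (size_t i = 0; i < n; i++) {
        uint16_t c = p[i].code;
        if (c != LD_H_ABS && c != LD_B_ABS && c != JEQ_K && c != RET_K) return 0;
        if (c == JEQ_K && (i + 1 + p[i].jt >= n || i + 1 + p[i].jf >= n)) return 0;
    }
    return 1;
}

/* Run a checked program on one packet: returns bytes to keep, 0 means drop. */
uint32_t toy_run(const struct insn *p, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t a = 0; /* accumulator register */
    for (size_t pc = 0; pc < n; pc++) {
        uint32_t k = p[pc].k;
        switch (p[pc].code) {
        case LD_H_ABS: /* A = big-endian 16-bit word at k; drop if out of range */
            if ((uint64_t)k + 2 > len) return 0;
            a = (uint32_t)pkt[k] << 8 | pkt[k + 1];
            break;
        case LD_B_ABS: /* A = byte at k; drop instead of reading past the packet */
            if (k >= len) return 0;
            a = pkt[k];
            break;
        case JEQ_K:    /* skip jt or jf instructions, forward only */
            pc += (a == k) ? p[pc].jt : p[pc].jf;
            break;
        case RET_K: return k;
        }
    }
    return 0;
}

/* Constructed sample filter: accept IPv4 TCP frames, drop everything else. */
const struct insn tcp_filter[] = {
    { LD_H_ABS, 0, 0, 12 }, { JEQ_K, 0, 3, 0x0800 }, /* EtherType == IPv4? */
    { LD_B_ABS, 0, 0, 23 }, { JEQ_K, 0, 1, 6 },      /* IP protocol == TCP? */
    { RET_K, 0, 0, 0xffff }, { RET_K, 0, 0, 0 },     /* accept / drop */
};
```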
If you want to learn more about the Berkeley Packet Filter, check out our video, in which we cover the above aspects as well as hands-on examples of BPF use.
Łukasz also prepared a repository with the code, so you can check the exact code shown in the video and have an even better experience.
Conclusion
In this article, we wanted to highlight some of the key issues and give a basic understanding of important terms. However, you will find a deeper explanation and hands-on examples in the video.