eBPF has revolutionized Linux observability and security by allowing sandboxed programs to run in the kernel without changing kernel source code or loading modules| Hexmos Journal
An Intellyx Brain Candy Update RAD Security provides a command center for dispatching specialized AI agents on missions to investigate vulnerabilities, alerts, and compliance checks using runtime application telemetry data and cloud security signals from across the enterprise application environment. Since our last briefing with them in 2024, the firm has stayed close to its […]| Intellyx – The Digital Transformation Experts – Analysts
In Istio’s new ambient mode, the istio-cni component running on each Kubernetes worker node is responsible for redirecting application traffic to the zero-trust tunnel (ztunnel) on that node. By default it relies on iptables and Generic Network Virtualization Encapsulation (Geneve) overlay tunnels to achieve this redirection. We have now added support for an eBPF-based method of traffic redirection. Why eBPF Although performance considerations are essential in the implementation of Istio am...| Istio Blog
On June 16, 2025, I gave a Lightning Talk at KubeCon + CloudNativeCon Japan 2025. The title of my talk was: “From Kernel To Kubernetes: Mapping eBPF-Detected Processes To Pods!” In this session, I …| Yuki Nakamura's Blog
By combining the power of eBPF and Nftables, Magic Firewall can mitigate sophisticated attacks on infrastructure by enforcing a positive security model.| The Cloudflare Blog
Calico Enterprise lets users write network policies using domain names instead of IP addresses. This is done by dynamically mapping domain names to IP addresses and matching the egress traffic against these IPs. We have...| Tigera - Creator of Calico
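An XDP practice program: acting as the TCP server side, it uses XDP so that every TCP port accepts TCP connection establishment. (It can only establish the connection and cannot support any subsequent TCP data transfer, so it has no practical use and is purely for fun.)| www.kawabangga.com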
Preface A core feature of the common tcpdump packet capture tool is its support for the pcap-filter syntax. This lets it filter traffic and capture only specific packets matching the filter. When developing network-related tools with eBPF, supporting the pcap-filter syntax would greatly improve user experience. That's why the ptcpdump tool I developed includes built-in support for the pcap-filter syntax. Adding pcap-filter support to eBPF programs the usual way involves complex logic. However...| mozillazg's Blog
Recently at I gave a short talk titled "Linux at Cloudflare". The talk ended up being mostly about BPF. It seems, no matter the question - BPF is the answer. Here is a transcript of a slightly adjusted version of that talk.| The Cloudflare Blog
This post benchmarks various approaches to filter egress traffic in the Linux kernel. It compares iptables, ipset, tc-bpf, and cgroup-bpf. It demonstrates how diverse aspects of the eBPF implementation can impact performance.| pchaigno
On Mar 15, 2025, I had the pleasure of presenting at the Cloud Native Community Japan – eBPF Japan Meetup #3, where I introduced Tetragon’s implementation of eBPF-based Process Lifecycl…| Yuki Nakamura's Blog
When working with eBPF, retrieving process and thread information is essential for monitoring and observability. One commonly used helper function for this purpose is bpf_get_current_pid_tgid(…| Yuki Nakamura's Blog
Deploying Cilium in my upstream K8s cluster and test some features| blog.andreasm.io
TL;DR; I created eBPF-based software in Rust that can monitor the Process lifecycle.🦀🐝 🚀 process 101708: root: /usr/sbin/iptables 💥 exit 101708: root: /usr/sbin/iptables 🚀 process 101705: yukinakam…| Yuki Nakamura's Blog
How we scrape callstack information from the LuaJIT engine for profiling| Debug Daily. Optimize Always | Polar Signals
eBPFs are fun. They present an easy way to insert pieces of code in the kernel which are compiled to opcodes which are guaranteed to not crash it: The instructions allowed are limited, backward jumps are not allowed (so no indefinite looping!) and you can’t dereference pointers, but can instead do checked reads from pointers which can fail without panicking the entire system. You can attach an eBPF to thousands of hooks in the Linux kernel - uprobes, kprobes, tracepoints, even things like p...| nikofil’s blog
yo kiddo, do u ready to learn about eBPF? but this time it’s not about eBPF but about openvswitch, yep now we doing diehard let’s tracing openvswitch with ebpf.| JustHumanz
TL;DR This guide demonstrates how to implement eBPF Tail Calls using Rust’s Aya. 🦀🐝 Introduction: Tail Calls; Run eBPF Tail Calls program; Prerequisites; Clone the Repository; Generate Struct codes; Bu…| Yuki Nakamura's Blog
TL;DR In this post, I’ll walk you through an example of an eBPF Kprobe program using Aya with Rust. 🦀🐝 Introduction: Kprobes; Run eBPF Kprobe tracing program; Prerequisites; Check available Kprobes; Clone …| Yuki Nakamura's Blog
TL;DR In this post, I’ll walk you through an example of an eBPF RawTracepoint program using Aya with Rust. 🦀🐝 Introduction: RawTracepoints vs Tracepoints; Argument Handling; Performance; Run eBPF RawTrac…| Yuki Nakamura's Blog
Today, most organizations and individuals use Linux and the Linux kernel with a “one-size-fits-all” approach. This differs from how Linux was used in the past–for example, 20 years ago, many users would compile their kernel...| Tigera
TL;DR This post shows an example eBPF Tracepoint program and shares tips on writing the eBPF Tracepoint programs with aya. 🦀🐝 Introduction; Dataflow; Kernel space; User space; Benefits of using aya; One lan…| Yuki Nakamura's Blog
TL;DR In this post, I explain how Tetragon detects process creation and termination using eBPF.🐝 Introduction I was really impressed when I used Tetragon for the first time. Just after deploying Tetragon, it automatically collected process lifecycle events like: I’ve been reading Tetragon’s code to understand its implementation in kernel-space and user-space programs. Now that…| Yuki Nakamura's Blog
The secret of Istio’s abilities in traffic management, security, observability and policy is all in the Envoy proxy. Istio uses Envoy as the “sidecar” to intercept service traffic, with the kernel’s netfilter packet filter functionality configured by iptables. There are shortcomings in using iptables to perform this interception. Since netfilter is a highly versatile tool for filtering packets, several routing rules and data filtering processes are applied before reaching the destinat...| Istio Blog
Tracing TFA to find out how to change the user under which OSWatcher is started.| All-round Database Topics
A server crash can prevent a correct TFA start.| All-round Database Topics
The case study of troubleshooting a serious kernel memory leak issue caused by a failed ACFS snapshot deletion.| All-round Database Topics
This post discusses the publication of the first grant dedicated to eBPF research.| pchaigno
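I have wanted to write an article about eBPF for a long time but never got around to it. I have had some time over the past couple of days, so here it is. This article is mainly a brief introduction to what eBPF is used for, and shows how to work with it through a few examples. This technology is extremely powerful; the observability of the Linux operating system is really strong, and with BCC behind it everything is laid bare. This is not a technology that an ordinary operations engineer or system administrator can master; it requires knowledge of low-level systems and a certain degree of development ability...| 酷 壳 - CoolShell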
In 2021, Microsoft open sourced their eBPF-for-Windows project. They rely on existing open-source projects to JIT-compile, interpret, and verify BPF programs. Interestingly, PREVAIL, the BPF verifier they use, originated from peer-reviewed academic work and contrasts significantly with the Linux verifier.| π · chaingo
Tomorrow, Yoann Ghigoff et al. will present their paper BMC: Accelerating Memcached using Safe In-kernel Caching and Pre-stack Processing at NSDI 2021. In this paper, the authors propose to speed up Memcached using eBPF by implementing a transparent, first-level cache at the XDP hook. It’s not every day we see BPF being used on application protocols!| π · chaingo
For an upcoming blog post, I wanted to measure the cost of BPF tail calls. Tail calls allow you to jump from one BPF program to another. Their overhead varied a lot in recent kernels, with a first increase caused by Spectre mitigations and a decrease thanks to improvements in Linux 5.5.| π · chaingo
Tomorrow, Marco Spaziani Brunella et al. will present their paper hXDP: Efficient Software Packet Processing on FPGA NICs at OSDI 2020, or rather, the video they recorded will be played at OSDI 2020. In this paper, the authors investigate the execution of XDP BPF programs in FPGA-powered NICs.| π · chaingo