eBPF (Extended Berkeley Packet Filter) is the hottest technology now a day and it makes talking to the Linux kernel far easier without actually changing the kernel itself. Now it is possible to make additional changes to the kernel related to security, networking, and observability.

As an eBPF program is loaded into the kernel, a verifier ensures that it is safe to run, and rejects it if not. Once loaded, an eBPF the program needs to be attached to an event so that whenever the event happens, the program is triggered.

eBPF allows us to collect customized information about how an app is behaving without having to change the app in any way, by observing it from within the kernel. We can build on this observability to create eBPF security tools that detect or even prevent malicious activity within the kernel. And we can develop powerful, high-performance networking capabilities with eBPF, handling network packets within the kernel and avoiding costly transitions to and from user space.

eBPF programming is incredibly powerful, but it’s also complex. For most of us, the utility of eBPF is going to come not from writing programs ourselves but from using tools created by others. There are an increasing number of projects and vendors building on the eBPF platform to create a new generation of tooling, covering observability, security, networking, and more.