libbpf-bootstrap  by libbpf

BPF app scaffolding with libbpf and BPF CO-RE

Created 5 years ago
1,343 stars

Top 29.9% on SourcePulse

Project Summary

This repository provides a collection of BPF (Berkeley Packet Filter) application examples and scaffolding for developers. It aims to simplify the creation of BPF-based tools for system monitoring, tracing, and networking by offering ready-to-use code snippets and demonstrating best practices with libbpf and BPF CO-RE.

How It Works

The project showcases various BPF program types, including tracepoints, kprobes, uprobes, XDP, and LSM hooks. It leverages BPF CO-RE (Compile Once – Run Everywhere) for portability across different kernel versions and configurations. Examples demonstrate state management using BPF maps, data communication to userspace via ring buffers, and interaction with kernel structures like struct task_struct using vmlinux.h.

Quick Start & Requirements

  • Install Dependencies: clang (>= v11), libelf, zlib.
    # Ubuntu/Debian
    sudo apt install clang libelf1 libelf-dev zlib1g-dev
    # CentOS/Fedora
    sudo dnf install clang elfutils-libelf elfutils-libelf-devel zlib-devel
    
  • Build & Run (C Examples):
    git clone --recurse-submodules https://github.com/libbpf/libbpf-bootstrap
    cd libbpf-bootstrap/examples/c
    make
    sudo ./bootstrap
    
  • Build & Run (Rust Examples):
    # Install libbpf-cargo: cargo install libbpf-cargo
    cd examples/rust
    cargo build --release
    sudo ./target/release/xdp 1
    
  • Documentation: https://github.com/libbpf/libbpf-bootstrap

Highlighted Details

  • BPF CO-RE: Enables BPF programs to run on diverse kernel versions without recompilation.
  • Multiple Examples: Covers process execution tracing (bootstrap), user-space function probing (uprobe), network packet handling (xdp, tc, sockfilter), and security hooks (lsm).
  • Build System Flexibility: Supports make, cmake, and xmake for C examples, and cargo for Rust examples.
  • BPF Iterators: Demonstrates advanced BPF features like iterating over kernel data structures (task_iter).

Maintenance & Community

The project is actively maintained by the libbpf community. Links to community resources are not explicitly provided in the README.

Licensing & Compatibility

The project is dual-licensed ("Dual BSD/GPL"). This generally allows for broad compatibility with both open-source and commercial projects.

Limitations & Caveats

Some examples, like fentry and fexit, require Linux kernel version 5.5 or newer. The minimal example is designed for older kernels and does not use BPF CO-RE. The minimal_ns example is specifically for namespaced environments like containers.

Health Check

  • Last Commit: 3 months ago
  • Responsiveness: 1 day
  • Pull Requests (30d): 0
  • Issues (30d): 2
  • Star History: 17 stars in the last 30 days
