BPF or Berkeley Packet Filter mechanism was first introduced in linux in 1997 in version 2.1.75 inspired by BSDs to handle network packet filtering. The main user of BPF interface was initially the packet capture tool tcpdump. Over the years other tools adopted it. As its need to solve different networking filtering evolved, a number of extensions were added.
Recently in kernel versions 3.15 - 3.19 it received a major overhaul which drastically expanded its applicability. This tutorial will cover how the instruction set looks today and why. Its architecture, capabilities, interface, just-in-time compilers. The audience will learn how it's being used in different areas of the kernel like tracing and networking. What user space tools exist and how they can be used. How to write and debug programs. What future plans are for X+BPF, where X is tracing, OVS, sockets, netdevices, etc. Where it makes sense to use BPF and where it is not. Live demos included.