eBPF — Extended Berkeley Packet Filter — began in 1992 as a compact virtual machine for filtering network packets in the kernel without the overhead of copying data to userspace. Alexei Starovoitov and Daniel Borkmann expanded it dramatically in 2014 into a general-purpose, sandboxed, JIT-compiled virtual machine that can run verified programs inside the kernel in response to virtually any event. It is now used for network performance, security monitoring, distributed tracing, profiling, load balancing, and an expanding list of applications its original designers never contemplated. Major companies run significant infrastructure on eBPF programs. The Linux kernel now contains more eBPF tooling than some entire operating systems contain of anything. Packet filtering is still supported. It is the least interesting thing eBPF does.
