In order to perform its functions, the Berkeley Packet Filter is implemented as an interpreter for a small virtual machine whose instruction set is fixed in advance. As a result, BPF only executes programs written in this predefined instruction format. In its role as interpreter, the Berkeley Filter reads the filter program, analyzes it and runs it instruction by instruction. It can also translate the instructions into native machine code, which then enables direct execution.
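To make the "predefined format of instructions" concrete, here is a minimal interpreter for classic BPF, added as an example and not taken from the original article. Each instruction is the kernel's (code, jt, jf, k) quadruple; the opcode values are the real classic-BPF encodings, the filter program is the one tcpdump generates for the expression "ip and tcp", and the Ethernet frames it runs on are constructed inline.

```python
"""Minimal classic-BPF interpreter: one accumulator, a program counter,
and a bounds check on every packet load (the same checks the kernel makes)."""
from collections import namedtuple

Insn = namedtuple("Insn", "code jt jf k")   # mirrors struct sock_filter

# Opcode encodings from <linux/filter.h> (class | size | mode)
LD_H_ABS = 0x28   # A = 16-bit big-endian word at packet[k]
LD_B_ABS = 0x30   # A = byte at packet[k]
JEQ_K    = 0x15   # pc += jt if A == k else jf
RET_K    = 0x06   # return k (bytes to accept; 0 means drop)

def run_bpf(prog, pkt, max_steps=4096):
    """Execute `prog` against `pkt`; return the accepted byte count."""
    A, pc = 0, 0
    for _ in range(max_steps):
        if pc >= len(prog):
            raise ValueError("program ran off its end")
        ins = prog[pc]
        pc += 1
        if ins.code == LD_H_ABS:
            if ins.k + 2 > len(pkt):      # out-of-bounds load drops the packet
                return 0
            A = int.from_bytes(pkt[ins.k:ins.k + 2], "big")
        elif ins.code == LD_B_ABS:
            if ins.k + 1 > len(pkt):
                return 0
            A = pkt[ins.k]
        elif ins.code == JEQ_K:
            pc += ins.jt if A == ins.k else ins.jf
        elif ins.code == RET_K:
            return ins.k
        else:
            raise ValueError(f"unsupported opcode {ins.code:#x}")
    raise ValueError("step limit exceeded")

# Same program as `tcpdump -d 'ip and tcp'` (jump offsets are relative)
IP_AND_TCP = [
    Insn(LD_H_ABS, 0, 0, 12),      # A = EtherType
    Insn(JEQ_K,    0, 3, 0x0800),  # not IPv4 -> reject
    Insn(LD_B_ABS, 0, 0, 23),      # A = IPv4 protocol field
    Insn(JEQ_K,    0, 1, 6),       # not TCP -> reject
    Insn(RET_K,    0, 0, 0xFFFF),  # accept
    Insn(RET_K,    0, 0, 0),       # reject
]

def make_frame(ethertype, proto):
    """Constructed sample frame: 14-byte Ethernet header + minimal IPv4 header."""
    eth = b"\x00" * 12 + ethertype.to_bytes(2, "big")
    ip = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, proto]) + b"\x00" * 10
    return eth + ip
```

Running the filter over an IPv4/TCP frame returns 0xFFFF (accept), while a UDP frame, an IPv6 frame or a truncated frame returns 0 (drop).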
Using syscalls (system calls), i.e. by calling dedicated operating-system functions, the Berkeley Filter sends its requests to the kernel. The kernel checks the access rights before granting or denying each request. The around 330 Linux syscalls include the following:
- read – allows a file to be read
- write – allows a file to be written
- open – opens files or devices
- close – closes files or devices
- stat – requests the status of a file
Thanks to ongoing development, BPF now operates as a general-purpose virtual machine directly in the kernel, where all management of processes and data takes place. With its many new features, the filter is known as Extended BPF, or eBPF for short. It can securely run supplied intermediate code (bytecode), translating it into native machine code at load time (just-in-time compilation) directly in the kernel. Extended BPF runs within an isolated environment in the kernel and is therefore executed under protection. This environment model, known as a sandbox, helps to reduce the risk that a loaded program has an adverse effect on the kernel logic.