Understand XDP programs, BTF and CO-RE, kprobes vs uprobes, Cilium architecture, and BPF maps for state sharing.
1 / 5
What does XDP (eXpress Data Path) enable in eBPF networking?
XDP: because it attaches at the network driver level, an XDP program can return XDP_DROP and discard a packet within nanoseconds, before the packet incurs any kernel networking-stack overhead. Cloudflare uses XDP for DDoS mitigation, dropping attack packets at line rate without spending CPU on full packet processing.
2 / 5
What is BTF (BPF Type Format) and why is it important?
BTF + CO-RE: kernel data structures such as task_struct change layout between kernel versions. BTF describes the running kernel's types, so libbpf can relocate field accesses at load time by looking up the actual offsets in that kernel's BTF (the CO-RE, compile once, run everywhere, mechanism). One compiled eBPF binary then runs correctly on kernels 5.4 through 6.x without modification.
3 / 5
What is the difference between kprobes and uprobes in eBPF?
kprobe vs uprobe: a kprobe on tcp_sendmsg fires whenever any process performs a TCP send, letting you trace all network I/O on the kernel side. A uprobe on /usr/bin/python:PyEval_EvalFrameEx lets you trace Python function calls in user space. Neither requires modifying the application or its source code.
4 / 5
What is Cilium and how does it use eBPF?
Cilium: instead of iptables rules (which are evaluated linearly and are slow to update), Cilium generates eBPF programs and BPF maps that encode network policy. Policy updates are near-instant because BPF map updates are atomic. Cilium also provides L7-aware policy (HTTP, gRPC) and the Hubble UI for real-time flow visibility.
5 / 5
What is a BPF map and how do eBPF programs use it?
BPF map: eBPF programs cannot have global mutable variables that survive across invocations. Maps persist state between program invocations and let userspace read the results. A BPF_MAP_TYPE_PERCPU_HASH tracks per-CPU counters with no atomic overhead; a BPF_MAP_TYPE_RINGBUF efficiently streams events to userspace.