eBPF assembly with LLVM

Submitted by Style Pass, 2021-05-24 16:30:09

This post was left aside as a draft for a long time. Most of it was written in December 2017. I publish it with the hope it can still be helpful today, even though the Cilium guide also covers the feature.

One of the most useful evolutions of eBPF (extended Berkeley Packet Filter) over the old BPF version (or cBPF, for classic BPF) is the availability of a back end based on clang and LLVM, which makes it possible to produce eBPF bytecode from C source code.

Note: some programs, more evolved than this sample, might need to pass the -mcpu option to llc and would use something closer to the following command instead:

This creates an object file in ELF format that contains the compiled bytecode. By default, the code is under the .text ELF section. Let’s dump it:

If you are not familiar with eBPF assembly syntax, you may be interested in this short reference (or in the complete documentation, but it is dense).
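To show what such a dump contains, here is an added example (not code from the original post) that decodes raw little-endian eBPF bytecode, as stored in the .text section, into LLVM-style assembly. The sample bytes are constructed for illustration; only ALU, lddw, call, goto and exit instructions are rendered, and anything else is shown as raw fields.

```python
import struct

# ALU operation codes (high 4 bits of the opcode byte), in LLVM's C-like syntax.
ALU_OPS = {0x0: "+=", 0x1: "-=", 0x2: "*=", 0x3: "/=", 0x4: "|=", 0x5: "&=",
           0x6: "<<=", 0x7: ">>=", 0x9: "%=", 0xA: "^=", 0xB: "=", 0xC: "s>>="}


def disassemble(text):
    """Decode little-endian eBPF bytecode (8-byte slots) into readable lines."""
    if len(text) % 8:
        raise ValueError("eBPF bytecode length must be a multiple of 8")
    out, off = [], 0
    while off < len(text):
        # Slot layout: opcode (u8), dst/src registers (4 bits each),
        # signed 16-bit offset, signed 32-bit immediate.
        opcode, regs, offset, imm = struct.unpack_from("<BBhi", text, off)
        dst, src = regs & 0x0F, regs >> 4
        cls, op = opcode & 0x07, opcode >> 4
        off += 8
        if opcode == 0x18:
            # lddw: the 64-bit immediate spans two slots; the upper half is
            # the imm field of the following slot.
            if off >= len(text):
                raise ValueError("truncated lddw instruction")
            hi = struct.unpack_from("<i", text, off + 4)[0]
            off += 8
            imm64 = ((hi & 0xFFFFFFFF) << 32) | (imm & 0xFFFFFFFF)
            out.append(f"r{dst} = {imm64:#x} ll")
        elif cls in (0x04, 0x07) and op in ALU_OPS:
            reg = "r" if cls == 0x07 else "w"  # 64-bit vs 32-bit ALU class
            # Bit 0x08 selects a register source (BPF_X) over an immediate (BPF_K).
            operand = f"{reg}{src}" if opcode & 0x08 else str(imm)
            out.append(f"{reg}{dst} {ALU_OPS[op]} {operand}")
        elif opcode == 0x95:
            out.append("exit")
        elif opcode == 0x85:
            out.append(f"call {imm}")
        elif opcode == 0x05:
            out.append(f"goto {offset:+d}")
        else:
            out.append(f"raw op={opcode:#04x} dst=r{dst} src=r{src} off={offset} imm={imm}")
    return out


# Constructed sample, not taken from a real object file.
SAMPLE = bytes.fromhex(
    "b7010000 2a000000" "bf100000 00000000" "07000000 01000000"
    "18020000 78563412 00000000 01000000" "95000000 00000000")

if __name__ == "__main__":
    print("\n".join(disassemble(SAMPLE)))
```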
