To perform its functions, the Berkeley Packet Filter is implemented as an interpreter for a small virtual machine inside the kernel. BPF programs therefore consist of instructions in a fixed, predefined format: a simple register machine with an accumulator, an index register and a few scratch memory slots, each instruction encoded in 64 bits (opcode, two jump offsets, and an immediate value). BPF does not read source files itself; a user-space tool such as tcpdump/libpcap compiles a filter expression into this instruction set and hands the program to the kernel, which checks it (no backward jumps, in-bounds loads, every path ending in a return) and then executes it either through the interpreter or, where a just-in-time compiler is available, by translating the instructions into native machine code for direct execution.
BPF programs reach the kernel through system calls (syscalls): ready-made entry points through which user space makes requests of the operating system kernel (a classic filter is attached to a socket with setsockopt, an eBPF program is loaded with bpf(2)). The kernel is responsible for verifying access rights before granting or rejecting each request. System calls are also one of the things BPF itself can filter: with seccomp-BPF, a classic BPF program inspects the syscall number and arguments of every call a process makes and decides whether to allow, deny or kill. Among the roughly 330 Linux syscalls on x86_64 are the following:
- read - read bytes from an open file descriptor
- write - write bytes to an open file descriptor
- open - open a file or device and return a file descriptor
- close - close a file descriptor
- stat - retrieve the status (metadata) of a file
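The following is an added example, not code from the original article or from the Linux kernel: a tiny user-space interpreter for the classic BPF instruction format described above, used to execute a seccomp-style allowlist over the five syscalls in the list. The struct layouts, opcode values, x86_64 syscall numbers and SECCOMP_RET_* constants mirror the kernel's, but are defined locally so the program builds on any platform; the syscall records it evaluates are constructed inline. Names such as bpf_run, filter_syscall and seccomp_data_local are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classic BPF instruction: 64 bits, laid out like the kernel's struct sock_filter. */
struct bpf_insn {
    uint16_t code;   /* opcode (class | size | mode, or jump/return kind) */
    uint8_t  jt;     /* forward jump offset taken when the condition is true  */
    uint8_t  jf;     /* forward jump offset taken when the condition is false */
    uint32_t k;      /* immediate value or load offset */
};

/* Opcode encodings used here; values match the kernel's BPF_* definitions. */
#define OP_LD_W_ABS 0x20  /* BPF_LD  | BPF_W   | BPF_ABS : A = 32-bit word at data[k] */
#define OP_JEQ_K    0x15  /* BPF_JMP | BPF_JEQ | BPF_K   : pc += (A == k) ? jt : jf */
#define OP_RET_K    0x06  /* BPF_RET | BPF_K             : return k */

#define STMT(code, k)         { (code), 0, 0, (k) }
#define JUMP(code, k, jt, jf) { (code), (jt), (jf), (k) }

/* Sentinel for a malformed program: out-of-bounds load, unknown opcode,
 * or running off the end without a BPF_RET. The kernel rejects such
 * programs at load time; this interpreter reports them at run time. */
#define BPF_RUN_ERROR 0xFFFFFFFFu

/* Minimal classic-BPF interpreter: one accumulator, forward-only jumps. */
uint32_t bpf_run(const struct bpf_insn *prog, size_t n_insn,
                 const uint8_t *data, size_t len)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n_insn; pc++) {
        const struct bpf_insn *in = &prog[pc];
        switch (in->code) {
        case OP_LD_W_ABS:
            if (in->k > len || len - in->k < 4)  /* bounds check on the load */
                return BPF_RUN_ERROR;
            memcpy(&acc, data + in->k, 4);       /* host byte order, as seccomp loads are */
            break;
        case OP_JEQ_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case OP_RET_K:
            return in->k;
        default:
            return BPF_RUN_ERROR;
        }
    }
    return BPF_RUN_ERROR;  /* fell off the end */
}

/* Mirrors the kernel's struct seccomp_data, the data a seccomp filter sees. */
struct seccomp_data_local {
    int32_t  nr;                   /* syscall number */
    uint32_t arch;                 /* AUDIT_ARCH_* value */
    uint64_t instruction_pointer;
    uint64_t args[6];
};

#define AUDIT_ARCH_X86_64        0xC000003Eu
#define SECCOMP_RET_ALLOW        0x7fff0000u
#define SECCOMP_RET_KILL_PROCESS 0x80000000u

/* x86_64 syscall numbers for the five calls in the article's list. */
#define NR_READ 0
#define NR_WRITE 1
#define NR_OPEN 2
#define NR_CLOSE 3
#define NR_STAT 4

/* Allowlist: verify the architecture first (syscall numbers differ per
 * arch), then allow read/write/open/close/stat and kill anything else. */
static const struct bpf_insn allowlist[] = {
    STMT(OP_LD_W_ABS, offsetof(struct seccomp_data_local, arch)),
    JUMP(OP_JEQ_K, AUDIT_ARCH_X86_64, 1, 0),
    STMT(OP_RET_K, SECCOMP_RET_KILL_PROCESS),
    STMT(OP_LD_W_ABS, offsetof(struct seccomp_data_local, nr)),
    JUMP(OP_JEQ_K, NR_READ,  5, 0),
    JUMP(OP_JEQ_K, NR_WRITE, 4, 0),
    JUMP(OP_JEQ_K, NR_OPEN,  3, 0),
    JUMP(OP_JEQ_K, NR_CLOSE, 2, 0),
    JUMP(OP_JEQ_K, NR_STAT,  1, 0),
    STMT(OP_RET_K, SECCOMP_RET_KILL_PROCESS),
    STMT(OP_RET_K, SECCOMP_RET_ALLOW),
};

/* Build a constructed syscall record and run the allowlist over it. */
uint32_t filter_syscall(int32_t nr, uint32_t arch)
{
    struct seccomp_data_local sd;
    memset(&sd, 0, sizeof sd);
    sd.nr = nr;
    sd.arch = arch;
    return bpf_run(allowlist, sizeof allowlist / sizeof allowlist[0],
                   (const uint8_t *)&sd, sizeof sd);
}

int main(void)
{
    const int32_t calls[] = { NR_READ, NR_STAT, 59 /* execve */ };
    for (size_t i = 0; i < sizeof calls / sizeof calls[0]; i++) {
        uint32_t verdict = filter_syscall(calls[i], AUDIT_ARCH_X86_64);
        printf("syscall %d -> %s\n", calls[i],
               verdict == SECCOMP_RET_ALLOW ? "allow" : "kill");
    }
    return 0;
}
```

The jump offsets are relative to the next instruction, so each comparison skips straight to the final ALLOW; a real filter installed with prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...) uses exactly this instruction layout, which is why the kernel can statically verify it before it ever runs.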
BPF is still under constant development, and today it serves as a general-purpose virtual machine running directly in the core of the operating system, where data is processed and organized. With its many new features (64-bit registers, maps for sharing data with user space, helper functions, and many more attach points than packet sockets), this version is known as Extended BPF, abbreviated eBPF. It lets you load intermediate code (bytecode) into the running kernel, where the verifier first checks that the program terminates and touches only memory it is allowed to, and a just-in-time compiler then translates it into native machine code for execution. Extended BPF programs therefore run inside a sandbox within the kernel: the verifier and the restricted instruction set minimize the risk that a loaded program can corrupt the logic of the kernel itself.