Reputation: 167
I'm new to eBPF, and there are a lot of tutorials saying eBPF is just the extended BPF, but I cannot understand what "extended"
means. So what is the difference between BPF and eBPF? Are the samples that reside in the Linux source file [root]/samples/bpf
examples of eBPF or just BPF?
Upvotes: 4
Views: 3713
Reputation: 13063
BPF is sometimes used to refer to eBPF (created in 2014) and sometimes to cBPF (its predecessor from 1991). You can find a detailed comparison of the two in the kernel documentation.
cBPF (classic BPF) is a small bytecode with two 32-bit registers to perform basic filtering on packets and syscalls. No state can be persisted between two calls to a cBPF program.
cBPF is still used by e.g. seccomp and tcpdump, but is actually translated to eBPF bytecode in recent kernels.
eBPF (extended BPF) is a new bytecode with significant extensions. The bytecode has a more "modern" form, with 10 64-bit registers, fall-through jumps, and a stack space, enabling easier JIT-compilation to native instruction sets. It can call special functions, called helpers, to interact with the kernel. It can save state to maps using those helpers. It comes with a new syscall, bpf(2), to manipulate BPF objects (e.g., maps, programs, etc.). A good introduction to the eBPF ecosystem is available at ebpf.io.
eBPF programs can be written in C and compiled to the bytecode using LLVM/Clang. The examples in the kernel sources are eBPF programs.
Upvotes: 9
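As an added illustration of the classic BPF model described in the answer above (not part of the answer or of the kernel sources): a toy interpreter for four cBPF opcodes, run over constructed Ethernet frames. The names `cbpf_insn`, `cbpf_run`, `run_filter`, the filter and the sample frames are assumptions made for this example; the instruction layout mirrors the kernel's `struct sock_filter`.

```c
#include <stdint.h>
#include <stdio.h>

/* Same layout as the kernel's struct sock_filter: one 8-byte cBPF instruction. */
struct cbpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
/* Composite opcodes, e.g. BPF_LD|BPF_H|BPF_ABS = 0x28 (<linux/bpf_common.h>). */
enum { LD_H_ABS = 0x28, LD_B_ABS = 0x30, JEQ_K = 0x15, RET_K = 0x06 };
/* Constructed filter: accept IPv4/TCP on Ethernet, drop everything else. */
static const struct cbpf_insn ip_tcp[] = {
    { LD_H_ABS, 0, 0, 12 },     /* A = EtherType                    */
    { JEQ_K,    0, 3, 0x0800 }, /* IPv4 ? next insn : skip 3 (drop) */
    { LD_B_ABS, 0, 0, 23 },     /* A = IPv4 protocol byte           */
    { JEQ_K,    0, 1, 6 },      /* TCP ? next insn : skip 1 (drop)  */
    { RET_K,    0, 0, 0xffff }, /* accept, keep up to 65535 bytes   */
    { RET_K,    0, 0, 0 },      /* drop                             */
};

/* Hypothetical toy interpreter. Its only state is the 32-bit accumulator A
 * (index register X omitted), created fresh per call: nothing persists. */
static uint32_t cbpf_run(const struct cbpf_insn *prog, size_t len,
                         const uint8_t *pkt, size_t pkt_len) {
    uint32_t A = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct cbpf_insn *i = &prog[pc];
        switch (i->code) {
        case LD_H_ABS: /* 16-bit big-endian load, out of bounds = drop */
            if ((size_t)i->k + 2 > pkt_len) return 0;
            A = (uint32_t)pkt[i->k] << 8 | pkt[i->k + 1]; break;
        case LD_B_ABS: /* 8-bit load, out of bounds = drop */
            if (i->k >= pkt_len) return 0;
            A = pkt[i->k]; break;
        case JEQ_K: pc += (A == i->k) ? i->jt : i->jf; break; /* two-way jump */
        case RET_K: return i->k;
        default: return 0; /* unsupported opcode: drop */
        }
    }
    return 0; /* ran off the end: drop */
}

static const uint8_t tcp_frame[34] = { [12] = 0x08, [23] = 6 };    /* constructed: IPv4/TCP */
static const uint8_t udp_frame[34] = { [12] = 0x08, [23] = 17 };   /* constructed: IPv4/UDP */
static const uint8_t arp_frame[34] = { [12] = 0x08, [13] = 0x06 }; /* constructed: ARP */
static uint32_t run_filter(const uint8_t *pkt, size_t n) {
    return cbpf_run(ip_tcp, sizeof ip_tcp / sizeof ip_tcp[0], pkt, n);
}
int main(void) {
    printf("tcp=%u udp=%u arp=%u\n", (unsigned)run_filter(tcp_frame, 34),
           (unsigned)run_filter(udp_frame, 34), (unsigned)run_filter(arp_frame, 34));
    return 0;
}
```

Each conditional jump carries both a taken (`jt`) and a not-taken (`jf`) offset, which is the cBPF form that eBPF replaced with fall-through jumps.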