Is there a good explanation for why saying this is a 'new type of software' and a 'fundamental change to the 50 year old kernel structure' isn't hyperbole? I understand that it is some sort of constrained virtual machine that can analyze packets, but it seems like the marketing here is a little much.
It can do much more than analyze packets. It's a way of running user defined programs in kernel space with fairly strong assurances that it won't crash the kernel.
BPF programs can hook directly into the kernel more or less and can safely share memory to userspace. This is important because after all the fallout from Spectre and Meltdown, they found that the BPF virtual machine programs were immune from this class of vulnerabilities.
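A toy illustration of the kind of static checks a BPF-style verifier performs before a user-supplied program is allowed to run in kernel context. This is added example code, not the Linux verifier (which is far more elaborate); the four-register instruction set, the "r1 points at a shared region on entry" convention and the sample programs are all constructed for the illustration. It shows the three properties the comments above lean on: every path terminates (forward-only jumps), no register is read before it is written, and every access to the shared region is within bounds.

```python
MAX_INSNS = 64
NUM_REGS = 4          # r0 .. r3; r0 is the return value, r1 points at the shared region on entry
UNINIT, SCALAR, PTR = "uninit", "scalar", "ptr"


class VerifierError(Exception):
    pass


def _bounds_ok(reg, insn_off, size, region_size):
    """A pointer register carries a statically known offset into the shared region."""
    kind, base = reg
    if kind != PTR:
        raise VerifierError(f"memory access through non-pointer register ({kind})")
    lo = base + insn_off
    if lo < 0 or lo + size > region_size:
        raise VerifierError(f"access [{lo}, {lo + size}) outside region of {region_size} bytes")


def _need_init(regs, r):
    if regs[r][0] == UNINIT:
        raise VerifierError(f"r{r} read before being written")


def verify(program, region_size):
    """Accept the program and return the number of explored paths, or raise VerifierError."""
    if not program or len(program) > MAX_INSNS:
        raise VerifierError("program empty or longer than MAX_INSNS")
    if program[-1][0] != "exit":
        raise VerifierError("program must end with exit")
    # Control flow: every jump must land inside the program and only go forward,
    # so the control-flow graph is a DAG and every path terminates.
    for pc, insn in enumerate(program):
        if insn[0] in ("jmp", "jgt"):
            target = insn[-1]
            if not pc < target < len(program):
                raise VerifierError(f"insn {pc}: jump to {target} is backward or out of range")
    # Abstract interpretation over every path; the entry state models r1 = pointer
    # to offset 0 of the shared region and all other registers uninitialised.
    entry = [(UNINIT, 0)] * NUM_REGS
    entry[1] = (PTR, 0)
    work = [(0, entry)]
    paths = 0
    while work:
        pc, regs = work.pop()
        regs = list(regs)                       # private copy per path
        insn = program[pc]
        op = insn[0]
        if op == "mov_imm":                     # r[dst] = imm
            regs[insn[1]] = (SCALAR, 0)
        elif op == "add_imm":                   # r[dst] += imm; pointer offsets stay tracked
            _need_init(regs, insn[1])
            kind, base = regs[insn[1]]
            regs[insn[1]] = (kind, base + insn[2]) if kind == PTR else (SCALAR, 0)
        elif op == "load":                      # r[dst] = *(r[src] + off), size bytes
            _, dst, src, off, size = insn
            _bounds_ok(regs[src], off, size, region_size)
            regs[dst] = (SCALAR, 0)
        elif op == "store":                     # *(r[dst] + off) = r[src], size bytes
            _, dst, off, size, src = insn
            _need_init(regs, src)
            _bounds_ok(regs[dst], off, size, region_size)
        elif op == "jgt":                       # if r[reg] > imm goto target, else fall through
            _, reg, _imm, target = insn
            _need_init(regs, reg)
            work.append((target, regs))
        elif op == "jmp":
            work.append((insn[1], regs))
            continue
        elif op == "exit":                      # r0 is the return value and must be defined
            _need_init(regs, 0)
            paths += 1
            continue
        else:
            raise VerifierError(f"insn {pc}: unknown opcode {op}")
        work.append((pc + 1, regs))
    return paths


# Constructed sample programs against a 16-byte shared region.
GOOD = [
    ("mov_imm", 0, 0),           # r0 = 0
    ("load", 2, 1, 0, 8),        # r2 = *(u64 *)(r1 + 0)
    ("jgt", 2, 100, 4),          # if r2 > 100 goto exit
    ("store", 1, 8, 8, 2),       # *(u64 *)(r1 + 8) = r2  -> bytes [8, 16), in bounds
    ("exit",),
]
OOB = [
    ("mov_imm", 0, 0),
    ("add_imm", 1, 12),          # r1 now points at byte 12
    ("store", 1, 0, 8, 0),       # would write bytes [12, 20) of a 16-byte region
    ("exit",),
]
LOOP = [("mov_imm", 0, 0), ("jmp", 0), ("exit",)]           # backward jump
UNINIT_READ = [("store", 1, 0, 8, 2), ("mov_imm", 0, 0), ("exit",)]  # r2 never written


def check(program, region_size=16):
    """None if the verifier accepts the program, otherwise its rejection reason."""
    try:
        verify(program, region_size)
        return None
    except VerifierError as e:
        return str(e)
```

Only GOOD is accepted; the other three are rejected with a reason naming the violated property, which is the behaviour that lets a kernel load such programs from userspace without trusting them.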
It’s a culmination of decades of research and implementation to mainstream Ring-0 OS kernels that are upgradable at runtime with untrusted userspace code.
This seems like a roundabout way of getting to something much more like what Wikipedia calls a "Language-based System"[1], which is something I've been thinking about a lot lately. Very cool.
BPF (eBPF) tracing is a superpower that can analyze everything, and I'll show you how in my upcoming book BPF Performance Tools: Linux System and Application Observability, coming soon from Addison Wesley. The book includes over 150 BPF observability tools that you can run to find performance wins and troubleshoot software, and also shows you how to write your own. Over one hundred of these BPF tools are newly-developed for this book; you can see many of them in this diagram...