What is TC-BPF?
TC-BPF is a powerful mechanism that allows attaching eBPF programs to various hook points in the Linux Traffic Control (TC) subsystem. TC, part of the Linux kernel's traffic control suite, allows administrators to manage packet scheduling, shaping, and filtering. eBPF, on the other hand, is a revolutionary technology that allows sandboxed programs to run safely within the Linux kernel without modifying kernel code.
Combining the two, TC-BPF enables users to write custom programs that can be attached to network ingress or egress points. These programs can inspect, modify, redirect, or drop packets based on programmable logic — all with high efficiency and low overhead.
Key Benefits of TC-BPF
- Performance: Unlike iptables or other user-space tools, TC-BPF operates within the kernel, reducing context switching and processing time. It’s ideal for high-throughput scenarios like data centers and cloud environments.
- Flexibility: TC-BPF allows fine-grained control over packet handling. You can inspect headers, payloads, and even make routing or filtering decisions on the fly.
- Safety and Security: eBPF programs are verified before execution to ensure they cannot crash the kernel or access unsafe memory. This provides a safe way to extend kernel functionality.
- Programmability: With TC-BPF, you can write logic in a high-level language (like C or Rust), compile it to BPF bytecode, and load it dynamically — making it easier to update and maintain networking logic.
Use Cases of TC-BPF
- Custom Packet Filtering: Create firewall-like behavior that’s faster and more flexible than traditional tools.
- Load Balancing: Implement service-aware load balancing directly at the network interface level.
- QoS and Rate Limiting: Use custom policies to prioritize certain traffic classes over others.
- Observability: Monitor packet flows and gather telemetry without impacting performance.
- Traffic Redirection: Redirect traffic based on headers, metadata, or payload content — useful in scenarios like transparent proxying or traffic mirroring.
How TC-BPF Works
At its core, TC-BPF works by attaching an eBPF program to a specific hook in the TC subsystem — either ingress (incoming packets) or egress (outgoing packets). This is done using the tc command-line utility, part of the iproute2 package.
A simple flow might look like:
- Write an eBPF program in C using the TC-BPF hooks (classifier or action).
- Compile it using LLVM/Clang to produce BPF bytecode.
- Attach the program to a network interface at ingress/egress using tc filter add ... bpf obj.
For example:
tc qdisc add dev eth0 clsact
tc filter add dev eth0 ingress bpf da obj my_filter.o sec classifier
This attaches a BPF program to the ingress of eth0.
TC-BPF vs XDP
Both TC-BPF and XDP (eXpress Data Path) leverage eBPF, but they operate at different layers of the network stack. XDP attaches to the earliest possible point (even before SKB is allocated), making it faster but also more limited (e.g., no TCP reassembly). TC-BPF operates at the TC layer, which provides more context and flexibility, albeit with slightly higher latency.
Use XDP for ultra-low-latency requirements (like DDoS protection) and TC-BPF for more context-aware and complex packet manipulation.
Real-World Adoption
Big tech companies like Facebook (Meta), Google, and Cloudflare use TC-BPF and eBPF extensively in production. Cloudflare, for instance, has written about using TC-BPF for advanced traffic engineering and mitigation.
Projects like Cilium, a Kubernetes CNI plugin, use TC-BPF to enforce network policies, monitor traffic, and redirect connections — showcasing its capability to handle production-scale workloads.
Conclusion
TC-BPF program is a game-changer in the world of Linux networking. By bridging the performance of kernel-level processing with the flexibility of custom code, it offers an elegant solution for modern networking challenges. Whether you're managing large-scale cloud infrastructure or building next-gen observability tools, TC-BPF is a powerful ally in your toolkit.