helper for memmem() · iovisor/bcc#471

(6 comments) (0 reactions) (0 assignees)C (22,409 stars) (4,051 forks)batch import

enhancementhelp wantedprio:medium

Description

Protocol such as DNS or IPv6 are hard to filter with cBPF because important parts are relative to floating offset, since BPF disallows loops and has relatively narrow registers, we have to unroll them and scan message with a lot of branches, burning the instruction limit.

Proposal

Provide kernel helper such as memmem(off_from, off_to, pattern) where offsets (R0, R1) are relative to packet payload, and pattern (R2) is a b/h/w/dw, and returned value would be offset in packet where the match occured or packet length (no occurence).

Contributor guide

Tech stack: c
Domain: backendinfrastructureperformance
Issue type: feature
Difficulty: 5
Estimated time: over 1 week
Activity status: stale
Clarity: clear
Prerequisites: understanding of BPF internalskernel programming experienceC proficiency
Newbie friendliness: 10
Research direction: This issue proposes a new kernel helper `memmem()` for BPF to scan packet payloads for patterns. Research should focus on existing BPF helper patterns in the kernel (e.g., `bpf skb load bytes`), the BPF verifier constraints on loops, and how offset calculations are handled. Look at the kernel's BPF helper API in `include/uapi/linux/bpf.h` and existing helpers in `net/core/filter.c`. Consider discussing with the BPF mailing list or reviewing similar feature requests in the kernel bug tracker.