helper for memmem() · iovisor/bcc#471

(6 comments) (0 reactions) (0 assignees)C (22,409 stars) (4,051 forks)batch import

enhancementhelp wantedprio:medium

説明

Protocol such as DNS or IPv6 are hard to filter with cBPF because important parts are relative to floating offset, since BPF disallows loops and has relatively narrow registers, we have to unroll them and scan message with a lot of branches, burning the instruction limit.

Proposal

Provide kernel helper such as memmem(off_from, off_to, pattern) where offsets (R0, R1) are relative to packet payload, and pattern (R2) is a b/h/w/dw, and returned value would be offset in packet where the match occured or packet length (no occurence).

コントリビューターガイド

技術スタック: c
領域: backendinfrastructureperformance
Issue 種別: feature
難度: 5
推定時間: over 1 week
活動状況: stale
明確さ: clear
前提条件: understanding of BPF internalskernel programming experienceC proficiency
初心者向け度: 10
調査方針: This issue proposes a new kernel helper `memmem()` for BPF to scan packet payloads for patterns. Research should focus on existing BPF helper patterns in the kernel (e.g., `bpf skb load bytes`), the BPF verifier constraints on loops, and how offset calculations are handled. Look at the kernel's BPF helper API in `include/uapi/linux/bpf.h` and existing helpers in `net/core/filter.c`. Consider discussing with the BPF mailing list or reviewing similar feature requests in the kernel bug tracker.