Reference
Quick Reference and Resources
A consolidated reference for BPF primitives, helper functions, and additional learning resources. Use this page when you need to quickly look up how to accomplish a specific task in BPF.
Quick Reference
| Need | Solution | Notes |
|---|---|---|
| Block IPs from a list | BPF_MAP_TYPE_HASH with IP keys | Used in DDoS engine and IP blocklist |
| Count packets per source | BPF_MAP_TYPE_PERCPU_HASH or BPF_MAP_TYPE_LRU_HASH | Per-CPU variant avoids lock contention |
| Rate limiting | BPF_MAP_TYPE_HASH + token bucket in BPF | Store timestamp and token count per key |
| Round-robin backend selection | BPF_MAP_TYPE_ARRAY + atomic counter | Index into backend array with __sync_fetch_and_add |
| Consistent hashing | Hash 5-tuple, mod N backends | Use jhash or similar; see Katran for reference |
| DNS query inspection | Parse UDP payload after L3/L4 headers | Match on QNAME field in DNS wire format |
| Pass packet to kernel stack | Return XDP_PASS | Default when no action needed |
| Drop packet | Return XDP_DROP | Fastest discard path in the kernel |
| Redirect to another interface | bpf_redirect() + return XDP_REDIRECT | Needed for load balancer forwarding |
| Rewrite MAC addresses | Direct header modification via xdp_md->data | Required after redirect to set correct L2 header |
| Share state between XDP and user space | BPF_MAP_TYPE_HASH or BPF_MAP_TYPE_ARRAY | Pin maps to BPFFS for persistence across program reloads |
| Tail call to another BPF program | BPF_MAP_TYPE_PROG_ARRAY + bpf_tail_call() | Used in Katran’s xdp_root.c for program chaining |
| IP blocklist (CIDR ranges) | BPF_MAP_TYPE_LPM_TRIE | Longest prefix match for subnet-level blocking |
| DNS query log | BPF_MAP_TYPE_RINGBUF + Go consumer | Stream events to userspace without polling |
| Debug output | bpf_printk() + bpftool prog trace | Kernel trace pipe; use only during development |
| Routing lookup | bpf_fib_lookup() | Resolve next-hop MAC and interface from kernel FIB |
| String comparison | bpf_strncmp() | Compare variable string against a constant |
| Substring search | bpf_strstr() (kernel 6.x+) | Find a needle in a haystack buffer |
| Read kernel memory | bpf_probe_read_kernel_str() | Safe read from kernel address space |
| Read user memory | bpf_probe_read_user_str() | Safe read from user address space |
| Get process name | bpf_get_current_comm() | Returns the comm (name) of the running task |
| Convert port (network to host) | bpf_ntohs() | 16-bit network byte order to host byte order |
| Convert IP (network to host) | bpf_ntohl() | 32-bit network byte order to host byte order |
Reading Materials
Additional Resources
- Load Balancer Challenge - L4 LB eBPF-XDP load balancer
- Deep Dive into Cloudflare’s Cache Mechanism - Cloudflare cache internals
- Scratch to Success LB - Step-by-step LB build
- VLAN Filter Support - Bridge VLAN filtering
- Edge-FaaS Scheduling