Attach TC egress program to a network interface.

prog: BpfProgram record or program FD
iface: Interface name (e.g., "eth0")
priority: Filter priority (lower = higher priority)

Attach TC egress program to multiple interfaces.

Build the TC egress program.

Performs SNAT on reply packets from backends:
1. Parses IPv4/TCP/UDP headers
2. Builds reverse 5-tuple key from reply packet
3. Looks up conntrack map to find original destination
4. If found, rewrites source IP/port to original destination
5. Updates checksums using kernel helpers
6. Returns TC_ACT_OK

map-fds: Map containing :conntrack-map

Build the unified TC egress program for IPv4/IPv6 dual-stack.

Performs SNAT on reply packets from backends:
1. Branches on EtherType (IPv4 or IPv6)
2. Builds reverse 5-tuple key with unified format
3. Looks up unified conntrack map
4. If found, rewrites source IP/port
5. Updates checksums
6. Returns TC_ACT_OK

map-fds: Map containing unified :conntrack-map

Build TC program that passes IPv4 packets and drops others.
Uses clj-ebpf.net primitives for packet parsing.

Build a simple TC program that passes all packets.
This is useful for initial testing of program loading/attachment.

Build TC egress program that performs SNAT on reply packets.

This program:
1. Parses IPv4/TCP or IPv4/UDP packets
2. Builds reverse 5-tuple key from reply packet
3. Looks up conntrack map to find original destination
4. If found, performs SNAT (rewrites src IP and port to original dest)
5. Updates IP and L4 checksums using kernel helpers
6. Returns TC_ACT_OK to continue processing

For a reply packet from backend to client:
- Reply: src=backend_ip:backend_port, dst=client_ip:client_port
- Reverse key: {client_ip, backend_ip, client_port, backend_port, proto}
- This matches the conntrack entry created by XDP DNAT
- SNAT rewrites: src=backend -> src=orig_dst (the proxy address)

Register allocation:
r6 = saved SKB context (callee-saved)
r7 = data pointer (callee-saved)
r8 = data_end pointer (callee-saved)
r9 = IP header pointer / map value ptr (callee-saved)
r0-r5 = scratch, clobbered by helpers

Uses clj-ebpf.asm label-based assembly for automatic jump offset resolution.

Build unified TC egress program that performs SNAT on both IPv4 and IPv6 reply packets.

This program supports dual-stack operation:
1. Parses EtherType and branches for IPv4 or IPv6
2. Builds reverse 5-tuple key using unified 16-byte addresses
3. Looks up conntrack map with 40-byte key
4. If found, performs SNAT (rewrites src IP and port)
5. Updates checksums (IP header for IPv4 only, L4 for both)
6. Returns TC_ACT_OK

Uses unified conntrack key format:
- 40 bytes: src_ip(16) + dst_ip(16) + src_port(2) + dst_port(2) + proto(1) + pad(3)

Register allocation:
r6 = saved SKB context (callee-saved)
r7 = data pointer (callee-saved)
r8 = data_end pointer (callee-saved)
r9 = IP header pointer / map value ptr (callee-saved)
r0-r5 = scratch, clobbered by helpers

Detach TC egress program from an interface.

Detach TC egress program from multiple interfaces.

Dump program bytecode for debugging.

Load the TC egress program.
Returns a BpfProgram record.

Load the unified TC egress program for IPv4/IPv6 dual-stack.
Returns a BpfProgram record.

Set up clsact qdisc on an interface (required for TC attachment).

Load data and data_end pointers from SKB context using 32-bit loads.

data-reg: Register to store data pointer
data-end-reg: Register to store data_end pointer
ctx-reg: SKB context register (typically :r1)

Remove clsact qdisc from an interface.

Verify the TC program can be loaded (dry run).
Returns {:valid true} or {:valid false :error <message>}