Attach XDP program to a network interface.

prog: BpfProgram record or program FD
iface: Interface name (e.g., "eth0")
mode: :skb (generic), :drv (native), or :hw (hardware)

Attach XDP program to multiple interfaces.

Build XDP program that passes IPv4 packets and drops others.
Uses clj-ebpf.net primitives for packet parsing.

Build XDP ingress program that performs DNAT on incoming packets.

This program:
1. Parses IPv4/TCP or IPv4/UDP packets
2. For TCP port 443, attempts SNI-based routing (TLS ClientHello parsing)
3. Falls back to listen map lookup by (ifindex, dst_port)
4. Falls back to config map LPM lookup by source IP
5. If match found, performs DNAT (rewrites dst IP and port)
6. Updates IP and L4 checksums
7. Creates conntrack entry for TC SNAT to use on reply path
8. Returns XDP_PASS to let kernel routing deliver packet

Routing priority:
1. Source IP exact/CIDR match (config map)
2. SNI hostname match (sni map, for TLS traffic)
3. Default target (listen map)

Register allocation:
r6 = saved XDP context (callee-saved)
r7 = data pointer (callee-saved)
r8 = data_end pointer (callee-saved)
r9 = IP header pointer / map value ptr (callee-saved)
r0-r5 = scratch, clobbered by helpers

Uses clj-ebpf.asm label-based assembly for automatic jump offset resolution.

Build the XDP ingress program.

Performs DNAT on incoming packets:
1. For TCP port 443, attempts SNI-based routing (TLS ClientHello parsing)
2. Falls back to listen map lookup by (ifindex, dst_port)
3. Falls back to config map LPM lookup by source IP
4. If match found, rewrites destination IP/port
5. Updates IP and L4 checksums
6. Creates conntrack entry for TC SNAT
7. Returns XDP_PASS to let kernel routing deliver packet

map-fds: Map containing :listen-map, optionally :config-map, :sni-map and :conntrack-map

Build a simple XDP program that passes all packets.
This is useful for initial testing of program loading/attachment.

Detach XDP program from an interface.

Detach XDP program from multiple interfaces.

Dump program bytecode for debugging.

Load the XDP ingress program.
Returns a BpfProgram record.

Verify the XDP program can be loaded (dry run).
Returns {:valid true} or {:valid false :error <message>}

Apply a checksum difference to an existing checksum.
old-csum-reg: Register containing old checksum (16-bit, will be modified)
diff-reg: Register containing the difference from csum_diff
scratch-reg: Scratch register

Result: old-csum-reg contains new 16-bit checksum

Fold a 32-bit checksum to 16 bits in XDP.
csum-reg will contain the folded result.
scratch-reg is clobbered.

Load data and data_end pointers from XDP context using 32-bit loads.
The kernel requires 32-bit access to xdp_md fields.

data-reg: Register to store data pointer
data-end-reg: Register to store data_end pointer
ctx-reg: XDP context register (typically :r1)

Update checksum for a 2-byte port change.
csum-reg: Register containing current checksum (will be modified)
old-port-reg: Register containing old port value
new-port-reg: Register containing new port value
scratch-reg: Scratch register

Uses incremental checksum: new_csum = ~(~old_csum + ~old_val + new_val)