Packet bounds checking helpers for BPF programs.
These helpers generate BPF verifier-safe packet bounds checks. Every XDP/TC program must check packet bounds before accessing data.
The BPF verifier requires specific instruction patterns to mark memory ranges as safe. These helpers generate compliant patterns.
Usage: (require '[clj-ebpf.net.bounds :as bounds])
;; Check if we can read 14 bytes (Ethernet header) (bounds/build-bounds-check :r6 :r7 0 14 10)
;; With label-based jumps (bounds/build-bounds-check-label :r6 :r7 0 14 :drop)
Packet bounds checking helpers for BPF programs. These helpers generate BPF verifier-safe packet bounds checks. Every XDP/TC program must check packet bounds before accessing data. The BPF verifier requires specific instruction patterns to mark memory ranges as safe. These helpers generate compliant patterns. Usage: (require '[clj-ebpf.net.bounds :as bounds]) ;; Check if we can read 14 bytes (Ethernet header) (bounds/build-bounds-check :r6 :r7 0 14 10) ;; With label-based jumps (bounds/build-bounds-check-label :r6 :r7 0 14 :drop)
(build-bounds-check data-reg end-reg offset size fail-offset)Generate instructions to check if accessing [data + offset, data + offset + size) is within packet bounds. Jumps forward by fail-offset if out of bounds.
Register conventions (caller must set up): data-reg: Register containing packet data start (e.g., :r6) end-reg: Register containing packet data end (e.g., :r7)
Args: data-reg: Register with data pointer end-reg: Register with data_end pointer offset: Byte offset from data start size: Number of bytes to access fail-offset: Instructions to jump forward on failure (numeric offset)
Uses: :r8 as scratch (clobbered)
Returns: Vector of 3 instructions
Example: ;; Check if we can read 14 bytes (Ethernet header) (build-bounds-check :r6 :r7 0 14 10) ;; Generates: ;; mov r8, r6 ; r8 = data ;; add r8, 14 ; r8 = data + offset + size ;; jgt r8, r7, +10 ; if r8 > data_end, jump forward 10
Generate instructions to check if accessing [data + offset, data + offset + size) is within packet bounds. Jumps forward by fail-offset if out of bounds. Register conventions (caller must set up): data-reg: Register containing packet data start (e.g., :r6) end-reg: Register containing packet data end (e.g., :r7) Args: data-reg: Register with data pointer end-reg: Register with data_end pointer offset: Byte offset from data start size: Number of bytes to access fail-offset: Instructions to jump forward on failure (numeric offset) Uses: :r8 as scratch (clobbered) Returns: Vector of 3 instructions Example: ;; Check if we can read 14 bytes (Ethernet header) (build-bounds-check :r6 :r7 0 14 10) ;; Generates: ;; mov r8, r6 ; r8 = data ;; add r8, 14 ; r8 = data + offset + size ;; jgt r8, r7, +10 ; if r8 > data_end, jump forward 10
(build-bounds-check-label data-reg end-reg offset size fail-label)Like build-bounds-check but uses a label for the failure target. Requires clj-ebpf.asm for label resolution.
Args: data-reg: Register with data pointer end-reg: Register with data_end pointer offset: Byte offset from data start size: Number of bytes to access fail-label: Keyword label to jump to on failure
Uses: :r8 as scratch (clobbered)
Returns: Vector of 3 pseudo-instructions (resolve with asm/assemble-with-labels)
Example: (build-bounds-check-label :r6 :r7 0 14 :drop)
Like build-bounds-check but uses a label for the failure target. Requires clj-ebpf.asm for label resolution. Args: data-reg: Register with data pointer end-reg: Register with data_end pointer offset: Byte offset from data start size: Number of bytes to access fail-label: Keyword label to jump to on failure Uses: :r8 as scratch (clobbered) Returns: Vector of 3 pseudo-instructions (resolve with asm/assemble-with-labels) Example: (build-bounds-check-label :r6 :r7 0 14 :drop)
(build-bounds-check-label-with-scratch data-reg
end-reg
offset
size
fail-label
scratch-reg)Like build-bounds-check-with-scratch but uses a label for the failure target.
Args: data-reg: Register with data pointer end-reg: Register with data_end pointer offset: Byte offset from data start size: Number of bytes to access fail-label: Keyword label to jump to on failure scratch-reg: Register to use as scratch
Returns: Vector of 3 pseudo-instructions
Like build-bounds-check-with-scratch but uses a label for the failure target. Args: data-reg: Register with data pointer end-reg: Register with data_end pointer offset: Byte offset from data start size: Number of bytes to access fail-label: Keyword label to jump to on failure scratch-reg: Register to use as scratch Returns: Vector of 3 pseudo-instructions
(build-bounds-check-with-scratch data-reg
end-reg
offset
size
fail-offset
scratch-reg)Generate bounds check using a custom scratch register.
Like build-bounds-check but allows specifying which register to use as scratch, in case :r8 is needed for something else.
Args: data-reg: Register with data pointer end-reg: Register with data_end pointer offset: Byte offset from data start size: Number of bytes to access fail-offset: Instructions to jump forward on failure scratch-reg: Register to use as scratch (will be clobbered)
Returns: Vector of 3 instructions
Generate bounds check using a custom scratch register. Like build-bounds-check but allows specifying which register to use as scratch, in case :r8 is needed for something else. Args: data-reg: Register with data pointer end-reg: Register with data_end pointer offset: Byte offset from data start size: Number of bytes to access fail-offset: Instructions to jump forward on failure scratch-reg: Register to use as scratch (will be clobbered) Returns: Vector of 3 instructions
(check-eth-header data-reg end-reg fail-label)Generate bounds check for Ethernet header (14 bytes from data start).
Args: data-reg: Register with data pointer end-reg: Register with data_end pointer fail-label: Label to jump to on failure
Returns: Vector of instructions
Generate bounds check for Ethernet header (14 bytes from data start). Args: data-reg: Register with data pointer end-reg: Register with data_end pointer fail-label: Label to jump to on failure Returns: Vector of instructions
(check-ipv4-header data-reg end-reg fail-label)Generate bounds check for minimum IPv4 header (20 bytes after Ethernet).
Args: data-reg: Register with data pointer end-reg: Register with data_end pointer fail-label: Label to jump to on failure
Returns: Vector of instructions
Generate bounds check for minimum IPv4 header (20 bytes after Ethernet). Args: data-reg: Register with data pointer end-reg: Register with data_end pointer fail-label: Label to jump to on failure Returns: Vector of instructions
(check-ipv6-header data-reg end-reg fail-label)Generate bounds check for IPv6 header (40 bytes after Ethernet).
Args: data-reg: Register with data pointer end-reg: Register with data_end pointer fail-label: Label to jump to on failure
Returns: Vector of instructions
Generate bounds check for IPv6 header (40 bytes after Ethernet). Args: data-reg: Register with data pointer end-reg: Register with data_end pointer fail-label: Label to jump to on failure Returns: Vector of instructions
(check-l4-ports data-reg end-reg l4-offset fail-label)Generate bounds check for L4 port access (4 bytes at L4 offset).
Args: data-reg: Register with data pointer end-reg: Register with data_end pointer l4-offset: Offset to L4 header from data start fail-label: Label to jump to on failure
Returns: Vector of instructions
Generate bounds check for L4 port access (4 bytes at L4 offset). Args: data-reg: Register with data pointer end-reg: Register with data_end pointer l4-offset: Offset to L4 header from data start fail-label: Label to jump to on failure Returns: Vector of instructions
(check-tcp-header data-reg end-reg l4-offset fail-label)Generate bounds check for minimum TCP header (20 bytes at L4 offset).
Args: data-reg: Register with data pointer end-reg: Register with data_end pointer l4-offset: Offset to TCP header from data start fail-label: Label to jump to on failure
Returns: Vector of instructions
Generate bounds check for minimum TCP header (20 bytes at L4 offset). Args: data-reg: Register with data pointer end-reg: Register with data_end pointer l4-offset: Offset to TCP header from data start fail-label: Label to jump to on failure Returns: Vector of instructions
(check-udp-header data-reg end-reg l4-offset fail-label)Generate bounds check for UDP header (8 bytes at L4 offset).
Args: data-reg: Register with data pointer end-reg: Register with data_end pointer l4-offset: Offset to UDP header from data start fail-label: Label to jump to on failure
Returns: Vector of instructions
Generate bounds check for UDP header (8 bytes at L4 offset). Args: data-reg: Register with data pointer end-reg: Register with data_end pointer l4-offset: Offset to UDP header from data start fail-label: Label to jump to on failure Returns: Vector of instructions
cljdoc builds & hosts documentation for Clojure/Script libraries
| Ctrl+k | Jump to recent docs |
| ← | Move to previous article |
| → | Move to next article |
| Ctrl+/ | Jump to the search field |