Hello, I've been attempting to connect a socket filter using libbpfgo. However, I haven't been able to locate any functionality within the module that enables me to do so. Is socket filter attachment not supported? If it isn't, the documentation doesn't make it very clear.

I'm familiar with the example for tc available at https://github.com/aquasecurity/libbpfgo/blob/main/selftest/tc/main.go. However, I believe this differs from a socket filter (please correct me if I'm mistaken).

@barthr How about this example: https://github.com/mozillazg/hello-libbpfgo/tree/master/18-socket-filter-capture-icmp-traffic-kernel-parse

Lets use this issue to add an example/selftest to have a socket program in the source code so people can use as a reference as well. What @mozillazg has provided looks like a nice example.

@mozillazg Actually, I just saw https://github.com/mozillazg/hello-libbpfgo. It is a very very nice set of examples, @mozillazg. Why don't you merge it all into a "examples" directory within libbpfgo ? That would bring great value to the project! I know its nice to keep it as a personal reference, but we can give proper credits in the source code, I'm pretty sure!

You could even create an entire "hello-world" structure of how to use libbpfgo, and we can add issues to document things giving explanations on whys etc. If you pick this issue, and a recent discussion you also helped with, people are "missing" that type of info from the repo.

@barthr How about this example: https://github.com/mozillazg/hello-libbpfgo/tree/master/18-socket-filter-capture-icmp-traffic-kernel-parse

Thanks for your response, this is really helpful

@rafaeldtinoco

I am very willing to create an 'examples' directory in the libbpfgo repository and add some example programs there. However, we need to clarify one thing first, which is, what is the difference between the 'selftest' directory and the 'examples' directory? What type of programs should be placed under the 'selftest' directory, and what type should be placed under the 'examples' directory?

@mozillazg

For now, I can think of things that would fit example and not selftests:

• socket filtering (involved libbpfgo calls are already tested by other selftests but the "socket filtering" program logic doesn't exist elsewhere).
• sk_msg filtering (ditto)
• use of BTFHUB external BTF files

But you are right, an examples directory should be different in the sense that it should "teach" a user how to do something (like the xdp-tutorial repo) instead of "test something". We can imagine the code being followed by a bunch of comments and/or markdown files explaining more about it.

WDYT ?

@rafaeldtinoco

I agree that the contents of the 'examples' directory should resemble the philosophy of the xdp-tutorial repository. However, unlike the xdp-tutorial repository, I believe that our 'examples' directory should primarily focus on introducing how to write user-space Golang programs using Golang and libbpfgo, instead of explaining how to write kernel-space eBPF C programs.

For instance, when discussing the 'socket filtering' program, our focus should be on explaining how to create a raw socket in Golang and then attach the eBPF program to that socket. As for writing the corresponding eBPF C program, we will only gloss over it and the corresponding eBPF C will not contain any business logic.

WDYT?

I really like the idea and I think it would improve adoption speed because of this.