This post was left aside as a draft for a long time. Most of it was written in August 2022, but it should still be accurate as of its publication. Networking eBPF programs take a pointer ctx to a struct __sk_buff (or a struct xdp_md) as their only argument. This struct is a lighter version of the socket buffer, SKB (or an XDP equivalent), that contains some metadata about the packet to process. In particular, it contains 32-bit long unsigned integers (__u32), ctx->data and ctx->data_end, poin...
