While the current bpf probes work, there's a series of issues that make me wanna rewrite them:
- All structures are unaligned.
- The TCP probe has issues, we don't have a flag for attempted connection, a better implementation would be to not use the tracing probes, and use the actual tcp probes.
- The style looks like Go.
- There are too many files and subdirectories, and they have the same name Probe.bpf.c, it's a pain to navigate.
- There are missing spots for accounting for dropped events.
- Some probes rely on user data which might not be faulted in.
There's a lot of knowledge there that should be kept, especially regarding old kernels, but for a better and brighter future we should consider rewriting them.
While the current bpf probes work, there's a series of issues that make me wanna rewrite them:
There's a lot of knowledge there that should be kept, especially regarding old kernels, but for a better and brighter future we should consider rewriting them.