This is a minimal example of how to write an eBPF filter in rust natively. This "hello-world" draws on a lot of inspiration from this blog post however I found the need to use gobpf unecessary.
The blog uses gobpf simply from what I can surmise to leverage gobpf ability to load ebpf programs for kprobes. gobpf uses the section names in a well understood format to attach the filter to the correct function.
The following will has rustc emit the LLVM IR instead of produce a full library.
The LLVM IR can then be fed into llc which can generate the correct eBPF object ELF file.
cargo rustc --release -- --emit=llvm-ir
cp target/release/deps/rust_ebpf_demo-*.ll rust_ebpf_demo.ll
cargo rustc --release -- --emit=llvm-bc
cp target/release/deps/rust_ebpf_demo-*.bc rust_ebpf_demo.bc
llc rust_ebpf_demo.bc -march=bpf -filetype=obj -o rust_ebpf_demo.oIn order to see the test you have to make sure you have the trace pipe enabled.
echo 1 > /sys/kernel/debug/tracing/tracing_on
# Once enabled you can do:
sudo cat /sys/kernel/debug/tracing/trace_pipe