From 2c058da4604f1325b36043df080b1dbb4b5c598f Mon Sep 17 00:00:00 2001
From: Joel Takvorian <joel.takvorian@qaraywa.net>
Date: Tue, 10 Jun 2025 16:41:55 +0200
Subject: [PATCH] [Trivial] Add config examples, + a link to RFC (#715)

* Add config examples, + a link to RFC

* regen bytecode
---
 bpf/dns_tracker.h                      |   1 +
 examples/direct-flp/README.md          |   7 +++++++
 examples/direct-flp/simple-stdout.json |   8 ++++++++
 examples/filters/README.md             |   7 +++++++
 examples/filters/single-ip.json        |   3 +++
 pkg/ebpf/bpf_arm64_bpfel.o             | Bin 290128 -> 290128 bytes
 pkg/ebpf/bpf_powerpc_bpfel.o           | Bin 288968 -> 288968 bytes
 pkg/ebpf/bpf_s390_bpfeb.o              | Bin 305480 -> 305480 bytes
 pkg/ebpf/bpf_x86_bpfel.o               | Bin 289872 -> 289872 bytes
 9 files changed, 26 insertions(+)
 create mode 100644 examples/direct-flp/README.md
 create mode 100644 examples/direct-flp/simple-stdout.json
 create mode 100644 examples/filters/README.md
 create mode 100644 examples/filters/single-ip.json

diff --git a/bpf/dns_tracker.h b/bpf/dns_tracker.h
index 30a22a35..2da30153 100644
--- a/bpf/dns_tracker.h
+++ b/bpf/dns_tracker.h
@@ -10,6 +10,7 @@
 #define DNS_QR_FLAG 0x8000
 #define UDP_MAXMSG 512
 
+// See https://www.rfc-editor.org/rfc/rfc1035 4.1.1. Header section format
 struct dns_header {
     u16 id;
     u16 flags;
diff --git a/examples/direct-flp/README.md b/examples/direct-flp/README.md
new file mode 100644
index 00000000..65d576f6
--- /dev/null
+++ b/examples/direct-flp/README.md
@@ -0,0 +1,7 @@
+## Simple example using direct-flp + stdout
+
+```bash
+export FLP_CONFIG=$(cat ./examples/direct-flp/simple-stdout.json)
+export EXPORT="direct-flp"
+sudo -E bin/netobserv-ebpf-agent
+```
diff --git a/examples/direct-flp/simple-stdout.json b/examples/direct-flp/simple-stdout.json
new file mode 100644
index 00000000..ceb3f9fe
--- /dev/null
+++ b/examples/direct-flp/simple-stdout.json
@@ -0,0 +1,8 @@
+{
+	"pipeline":[
+		{"name": "writer","follows": "preset-ingester"}
+	],
+	"parameters":[
+		{"name": "writer","write": {"type": "stdout"}}
+	]
+}
diff --git a/examples/filters/README.md b/examples/filters/README.md
new file mode 100644
index 00000000..6ba7b028
--- /dev/null
+++ b/examples/filters/README.md
@@ -0,0 +1,7 @@
+## Simple example filtering on a single IP
+
+```bash
+export ENABLE_FLOW_FILTER="true"
+export FLOW_FILTER_RULES=$(cat ./examples/filters/single-ip.json)
+sudo -E bin/netobserv-ebpf-agent
+```
diff --git a/examples/filters/single-ip.json b/examples/filters/single-ip.json
new file mode 100644
index 00000000..9fd14389
--- /dev/null
+++ b/examples/filters/single-ip.json
@@ -0,0 +1,3 @@
+[
+	{"ip_cidr":"192.168.1.20/32", "action": "Accept"}
+]
diff --git a/pkg/ebpf/bpf_arm64_bpfel.o b/pkg/ebpf/bpf_arm64_bpfel.o
index 593ef10b5e8ac3017a291f05bba700e2ecfffee5..f646fb9de640d9d3719aaa921badfbc1fc276231 100644
GIT binary patch
delta 870
zcmca`OYp)i!G;#bElg);)Qd1Oyf9*5C@ElI=qX@e;FDow_<+P0l3`@{fy9@SVPp_6
zMyOYpVPud%;v35_GAJPN?PVAlG?4fnGK>r!Q2w<728Mc04Mv6vr~qFf1B2KS28IqK
zKI;+&h8a-4Wg!ED$r=WR1yFuTAp?WZ1_p)$Q2zEp1_qHm3=Aib`22eq7+yg6l0^&*
zCTAEJK0x^)MGW-}LKheqBupSanq0)dz<-B<K?BO)R>Z)d`GkSN0Lp(?#K55A!N_2N
z#JBWdWN<*@OL;IdL_qmQ#S9E00gMb2koZ0Uj0_8){FdT+1_sd-Murtofpx_U3}Ok4
z3>%>QYsCx<LK%z<JCOLi8H@}EpnRD66Hxwdkop7$h6_->SP27zTnYoj4J5uq3IoFj
zD8Hq?7~%j1Q%DH7moP9W7cepiK>3X&3=EtN3=9*X{G%X#3j@OhGl+W5QU(U$3Py$-
zP<})y1A}M{Bf|qIzXZf@U}O+5ho}efRT>x>G@yL3H6R5oj0_1-fp4V@41yig<7P9-
z*M~4NEPx6tmN77J<}ffQSU}841@Q|Q7z8XK{FP-43{o=~84RHOw`B|r;&T`oETDY8
zas~#?1&j<1NPLwAj0_$~eDwv43;{@dBc%n53>i=XyK)8w!6l3g9Z-H{IRk^t4n~Fv
XQ2yL<1_sG3?Rs;Vw(HGdR=NlPr5UhU

delta 870
zcmca`OYp)i!G;#bElg);)C({&yf9*5C@ElI=qX@e;FDlv_<+P0l3--`fy9@SU}O+5
zMyOYpU}TU$;u}jaGAJPN?Ijo)G?4fn5{wKUQ2w<728Mc06-I^%r~qFf1B2KC28IqK
zKI;Moh8a-4Wg!ED$qELB1yFuTAp?WZ8U}^~Q2zEp1_qHG3=Aib`20H<7+yg6l0^&*
zCMOseK0x^)MGW-}LT4BlBupSanq0)dz<+~*K?BO)R>Z)d`GA4J0Lp(?#K55A!pLBO
z#J6-|WN<*@OSv#IL_qmQ#S9E0K8y?#koZ16j0_8){FdT+1_sdtMurtofpx_U3}P{i
z3>%>QYsCx<LMe<4JCOLiDU1vUpnRD66Hxwdkop(~h6_->SP27zTml2b4J5uq0t3Sb
zD8Hq?7~%j1Q%DH7moP9W=P)t|K>3X&3=Et#3=9*X{G%X#0|UbZGl+W5QU(U$5=Mp_
zP<})y1A}M<Bf|qIzXZguVPp_6ho}efRcaU+G@yL3H6R5Ij0_1-fp4V@41z7w<7P9-
z*9R~%EPx6tmN77JW-u@)SU}841@Utj7z8XK{FP-43{q1V84RHOw`B|r;xiZ-ETDY8
zas~#?IgAVrNPLw!j0_$~eDyhu3;{@dBc(Zv3>i=XyK)8w!3B&A9Z-H{IRk^t7Dk2%
XQ2yL<1_sFu?Rs;Vw(HGdR=NlPIYO_2

diff --git a/pkg/ebpf/bpf_powerpc_bpfel.o b/pkg/ebpf/bpf_powerpc_bpfel.o
index be544c5f498f400c40dec632ba757df2d7350eef..b2ea70b789f53ee1cbd2ea0df307c05c9821ac90 100644
GIT binary patch
delta 870
zcmX?cQSih?!G;#bEliP9>O~kCUKlYjc;+)OB<3?P@X0VTd_dw0$uKhfK;p~EFfs@j
zBh;(QFfvFW@r`8|85EHC_A-nN8c2K(8Ab*VD1UW614BKh1|vfSRN!$w1B2KS28IqK
zKI;+&h8a*kUjYMy$r=WR1yH_c0Rw~31_p)$P<~GV1B1vO28I(zeEvNQ3@@PkcOd;|
z7#Kc4`I?0c^$bE67#Ji>AU?_{WMJUG!@!^c<#!h{FlatuU@(C44;L~p=y)(PSRnB&
zJs24rkoZy_j0_P_K6?=ZgGc})!vrM0PXHss0w_PSsGfmAG=-621yrE9h=D;YfstVY
zl)t)&fk7yPkzofCpErY%;Q*8mQ-1==zW`F7z`$?;%70zNz#x~xz;FYJFOkB)@Bzw?
ztS^E%fWZ_J0y4!649W$J3<6MoSTO?wX9EMn1So$Nh~L7%Fu@F>{$4QygKz~S!wo23
zw}gQ~w1$!40hI3v;x{ld2$)0EgZL^9j0_r3zE~qjK?@^80#x912?K**$MjdznB?n2
z7#S8og};?BFmUEDFeq3+%&{tEVBjoZU=Xl`@asw$7^G$}G8jPlhe{b3#OE+FSU~xY
zOBon67ceq7An{ceFfw=`@zobFG6W#;jg%HJGGssngv%Hh1eY)}bU^ujWef~5I~W-z
XK>0;w3=EQ6+ILN7+P-T#Gv7r3s7k6;

delta 870
zcmX?cQSih?!G;#bEliP9>IE1XUKlYjc;+)OB<3?P@JTQ-d_dw0NiZ_}K;p|uFfs@j
zBh;%)FfvFW@r@-I85EHC_7aQ?8c2K(2}TAFD1UW614BKh3L`@WRN!$w1B2KC28IqK
zKI;Moh8a*kUjYMy$qELB1yH_c0Rw~38U}^~P<~GV1B1v828I(zeEuB_3@@PkcOd;I
z7#Kc4`I?0c^$bF17#Ji>AU?_{WMJUG!N8ya<#!h{FlattU@(C44;L~p=(sR4SRnB&
zT^Jc0koZzAj0_P_K6?=ZgNP3!!vrM0j}Ifm0w_PSsGfmAG=Y&}1yrE9h=D;YhLK?d
zl)t)&fk7yRkzofCpEre(;Q*8mQ-1==zW`Dn!@zI>%70zNz#x~vz;FYJFOk5&@Bzw?
ztS^E%fWZ_J0y4!649Yo-3<6MoSTO?wXAJ|x1So$Nh~L1#Fu@F>{$4QygK!BW!wo23
zw}gQ~w1Sc00hI3v;@2=T2$)0EgZL^nj0_r3zE~qjK?5U00#x912?K**%k)>%nB?mN
z7#S8og};?BFmPrtFeq3+%&{tEVBpMQU=Xl`@asw$7^J2!G8jPlhe{b3#Ah%vSU~xY
zOBon6=P)ujAn{e^Ffw=`@zv)rG6W#;jg;mvGGssngv%Hh1Q#$ebU^ujWef~5TNoK8
XK>0;w3=EPR+ILN7+P-T#Gv7r3Jaegi

diff --git a/pkg/ebpf/bpf_s390_bpfeb.o b/pkg/ebpf/bpf_s390_bpfeb.o
index 8b8fa5e4a98c4f5760d9bf267990682a467af265..21b413be52062b3afe38e9a8c5a6320dc7f51df4 100644
GIT binary patch
delta 886
zcmX?cN$A8Sp@tU5Elj^I*NbQ}Fc`gHU}z0tU}()@V3grwU@-cC#1~><F#3VSmt$Zs
z7C_>wGcXuSAn}bE7>pH=`1TA8#u`X`4+aKf4=8^dLp`GgCj*0V1ytZ21H%$A1_t8}
zBt9zxgYgUqzfF>XVT}m`gYg0=KZJo{gAfCQ@c}4*G6TaN5e5e16G(hX1_t8`NPK<<
z24kp)+rHK_Fq{Dy2=#Hh0RzJYAqEB$sE^w785r*HGccGyebhdQf#C@+1A__FM_|4t
z1A~bH#Dexy42&K+3=Ad~NPJ5M1``J)z7zw4Nd$!7QP0P~7$CyHU@`$J0OI>FFqlAn
z*pa}%m?Fx+V6p-#-^IX~AjZI8vH{B9#K4#Va_|l$KFER45b3ziz>olvhlWVUCkBQT
zIR*w3Xo%E<1tb_4OrSvmw-6fVoyrW11<DKzrW_CpI%63a8aNpkOrcTKxsZXOg_D87
z490)Tz*r&7z+eWopv#1Tu||}E!R!V^e^&qlV}mFIgE_=JH3qPN3Il^VG>E%87#LeX
z3ZOyMb%}woWBTlCO!D<1A`A@X(4^4ymw_RNlYzkk8dKel3=9RF3=EbKa~Zl@85n0s
zF)&y{W2*Zk1LGWV1_n!LOm)9vU|gWdz+efDDKKA!fx!|QQ((S21A`?rt#-d+Fk)Pw
x#K2&g0P#qV6a(WDK?VlP1}Hz2fpLcn1A`?rAbKhp7`L=%UuW8$eVzI4MF6>}ys!WO

delta 886
zcmX?cN$A8Sp@tU5Elj^I*9&MeFc`gHU}z0tU}()@V3govU@-cC#1~><F#3VSmt$Zs
z7C_>wGcXuSAn}bE7>pH=`1TA8#u`X`4+aKf4=8^dLp`GkCj*0V1ytZ21H%F_1_t8}
zBt9zxgYgUqzfF>XVTB0;gYg0=KZJo{jSvHa@c}4*G6Ta75e5e16G(hX1_t8`NPK<<
z24kp)+rHK_Fq{Ax2=#Hh0RzJsAqEB$sE^w785nNxGccGyebhdQf#Cr!1A__FM_|4t
z1A~bH#Dexy42&*13=Ad~NPJ5M1``J)z7zw4Nd$!7QP0P~=p(|wU@`$J0OI>FFqlAn
z*pa}%m>|l)V6p-#-^IWfBgVjBvH{B9#K4#Wa_|l$KFER45b3zizz_qHhlWVUCkBQD
zIR*w3Xo%E<1tb_4OrSvmw-6fVoyrW1Im!$SrW_CpI%63aYB(7fOrcTKxsZXOfs=v3
z490)Tz*r*8z+eWopv#1Tu|kxA!R!V^e^&qlV~r>SgE_=JH3qPN3Il^VG>E%87#JHs
z3ZOyMb%}woW%}%EO!D;sA`A@X(4^4ymw_RJlYzkk8dKel3=BD(3=EbKa~Zl@85pNX
zF)&y{W2*Zk1LF*F1_n!LOm)9vV4S1Lz+efDDKKA!fx!|QQ((S21A`?rt#-d+Fk+me
x#K2&g0P#qV6a(V|K?VlP1}Hz2fpLor1A`?rAbKhp7&o+MUuW8$eVzI4MF2oXyVL*x

diff --git a/pkg/ebpf/bpf_x86_bpfel.o b/pkg/ebpf/bpf_x86_bpfel.o
index 2e37acbbcb1e5611cc30be63fe3512331663e226..af1b4637721579fdcbf00c1f317446f07ecad2b8 100644
GIT binary patch
delta 870
zcmca`L-4{4!G;#bElhW(*NZSRyf9*55G-I|&@5nJ;FDow_<+P0l3`@{fy9@SVPp_6
zMyOYpVPud%;v35_GAJPN?PVAlG?4fnGK>r!P=0X%14BKh1|vfSRA6-h1B2KS28IqK
zKI;+&h8a-)wE_kPlQj$s3!r?#LIwt*4Gatip!|?R1_qHm3=Aib`22eq7+yg6+X@*N
zOwKSce1P&l7BbW`2wh-ckT8Mx$e@UUf&UHzg9elzT*Sbj`GkSN0Lt$!VqnnmU}UgB
z;#+z!GB_adr92oJBB1>9MGOog0gMb2koZ0Uj0_8)e8u8=1_sd-Murto0q<f42C)Q2
zh7C}DaWMmfPzEEz4kSKr1|!1(C?BT&1e8Amq&|Ux;R2MuxtM`LE`@>N1`=N)g@NG%
zl&@G{3~>O1DI^4*6f-a=7cepiK>2bd3=EtN3=9*X{3H;+g@Iv$8AScE5(Wn03Py$-
zQ2y5v1_sd@MurDazF;W>gJ=UIgMc|iJ&3Q;z{sEh<%@ZO6tplhBtQiwmohL2c1+Kk
z#Ux)J!pN`yD!i|hfq^rJfkD9nVh&Ro0|RFP1A~Aigzr|yz#uh)k--4U?<!+p5TC=y
zU;*W?E@NQOT)@cSfW%i>z{uc%#8+Ry$Pj?UH&R-_$dCaQxLwA;Ah?8)p##bnD`#Mk
b*}=##0m`>3XJC-r(r!1KX}jHQW}%A!;(wYq

delta 870
zcmca`L-4{4!G;#bElhW(*9$N*yf9*55G-I|&@5nJ;FDlv_<+P0l3--`fy9@SU}O+5
zMyOYpU}TU$;u}jaGAJPN?Ijo)G?4fn5{wKUP=0X%14BKh3L`@WRA6-h1B2KC28IqK
zKI;Moh8a-)wE_kPlNAgM3!r?#LIwt*H4F>~p!|?R1_qHG3=Aib`20H<7+yg6+X@*N
zOinN`e1P&l7BbW`2%TYIkT8Mx$e@UUf&T^rg9elzT*Sbj`GA4J0Lt$!Vqnm5VPvpC
z;#;~fGB_adrCb;pBB1>9MGOogK8y?#koZ16j0_8)e8u8=1_sdtMurto0q<f42C*1M
zh7C}DaWMmfPzoc%4kSKr3M0b-C?BT&1e8Amq&|j$;R2MuxtM`LE`fpJ1`=N)fq~%z
zl&@G{3~>O1DI^4*6f-a==P)t|K>2bd3=Et#3=9*X{3H;+fq`Ly8AScE5(Wn05=Mp_
zQ2y5v1_sdzMurDazF;W>gJ=ySgMc|iJ&3PT!^ofk<%@ZO6f`h0BtQiwmohL2woK2P
z#Ux)Jz{s!wD!i|hfq^rFfkD9nVh&Ro0|RFc1A~Aigzr|yz#uh+k--4U?<!+p5TC)w
zU;*W?E@NQOoWscAfW%js!^q%)#8;og$Pj?UH&U9z$dCaQxLwA;Ah>{$p##bnD`#Mk
b*}}*$0m`>3XJC-r&~7)IX}jHQW}%A!cBq+O

-- 
GitLab