Expand description
Byte-frequency filtering that can be attached to file reads.
ebpfsieve provides a small, production-usable filtering primitive for
read-heavy pipelines: define required byte-frequency thresholds, attach the
filter to a reader, and scan file chunks for windows that might contain a
match before handing them to a more expensive verifier.
When running on Linux, the filter can be offloaded to an eBPF program
(see the kernel module) which runs inside the kernel’s VFS layer. This
allows skipping data before it is even copied from the kernel to userspace.
§Example
use ebpfsieve::{ByteFrequencyFilter, ByteThreshold};
let filter = ByteFrequencyFilter::new([
ByteThreshold::new(b'a', 3),
])?
.with_window_size(5)?;
let matches = filter.matching_windows(b"xyzaaaxyz");
// "yzaaa" at offset 1 has a=3 → first match
assert_eq!(matches[0].offset, 1);Re-exports§
pub use error::Error;pub use error::Result;pub use loader::FileReadFilter;pub use loader::FilteredChunk;pub use map::ByteThreshold;pub use map::MatchWindow;pub use program::ByteFrequencyFilter;
Modules§
- error
- Error types for ebpfsieve.
- kernel
- Kernel-side eBPF byte-frequency filter.
- loader
- File reading and chunk loading.
- map
- Match window and byte threshold mappings.
- program
- Byte frequency filtering program.
Structs§
- Match
Window Iter - Zero-allocation iterator over matching windows.