eBPF TCP setup
TCP SYN fingerprinting uses an XDP program loaded by huginn-ebpf-agent. The agent pins BPF maps under bpffs (for example /sys/fs/bpf/huginn/). Huginn Proxy opens those maps read-only and emits x-huginn-net-tcp.
Architecture
Two processes cooperate:
- Agent: loads the XDP program, attaches it to the interface, pins the maps, and stays running.
- Proxy: accepts connections, looks up (src_ip, src_port) in the map, and formats the p0f-style signature.
Preconditions
- Kernel ≥ 5.11 recommended for modern BPF UAPI.
- bpffs mounted at /sys/fs/bpf.
- One agent per interface: two loaders attaching XDP to the same NIC race, and one of them ends up with a program that is no longer attached while its pinned maps stop being updated.
Capabilities
The agent needs the Linux capabilities required to load and attach BPF (CAP_BPF and CAP_NET_ADMIN, often CAP_PERFMON; CAP_SYS_ADMIN on kernels before 5.8, which predate CAP_BPF) and, in many clusters, a seccomp profile that does not block the bpf() syscall (container runtime default profiles often do). The proxy does not need the same capabilities when it only opens pinned maps: it needs read permission on the pinned files under bpffs, so mount the pin path read-only into the proxy. Check kernel.unprivileged_bpf_disabled on the node as well; whether an uncapped process may still open pinned objects with it set depends on kernel version, so verify the proxy's map open in the target environment rather than assuming it.
Environment variables (typical)
Examples (exact names in source / docs on master):
- HUGINN_EBPF_PIN_PATH: where maps are pinned
- HUGINN_EBPF_INTERFACE: NIC to attach XDP
- HUGINN_EBPF_DST_PORT / HUGINN_EBPF_DST_IP_V4: filter traffic toward the proxy listener
- HUGINN_EBPF_SYN_MAP_MAX_ENTRIES: map sizing
- HUGINN_EBPF_METRICS_ADDR / HUGINN_EBPF_METRICS_PORT: agent metrics bind
Kubernetes networking
The SYN map is keyed by source IP and port as seen on the wire by the interface the agent is attached to. CNIs or Service modes that SNAT client traffic before it reaches that interface hide the original tuple and break correlation: the proxy looks up the real client's (src_ip, src_port) but the map holds the post-SNAT one. Prefer CNIs that preserve the client endpoint toward the pod (for NodePort/LoadBalancer Services, externalTrafficPolicy: Local avoids the node-level SNAT that the Cluster policy adds), or place the proxy where it sees the real tuple, such as a hostNetwork pod with the agent attached to the node NIC that receives the client SYN.
Ordering
Start the agent first, or restart the proxy after the pinned maps exist. The proxy also retries opening the map, so it recovers on its own if the agent comes up later; until then it has no entry to look up and cannot emit the signature.
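A preflight script covering the preconditions, capability and ordering checks above, as an added example (not code from huginn-ebpf-agent or Huginn Proxy). It assumes the pinned SYN map is a file named syn_map under the pin path, that the "typical" variable names above are the real ones, and that eth0 is a reasonable default NIC; the capability bit numbers are the kernel's own (CAP_NET_ADMIN=12, CAP_PERFMON=38, CAP_BPF=39):

```shell
#!/bin/sh
# Preflight checks for the agent/proxy pairing described on this page.
# Added example, not code from huginn-ebpf-agent or Huginn Proxy.
# Assumptions (not from the page): the pinned SYN map is a file named
# "syn_map" under the pin path, the env var names are the "typical" ones,
# and eth0 is the default interface.

CAP_NET_ADMIN=12
CAP_PERFMON=38
CAP_BPF=39

# kernel_ge RELEASE WANT: succeed if RELEASE ("5.15.0-91-generic") is at
# least WANT ("5.11"), comparing major.minor only.
kernel_ge() {
    have_major=${1%%.*}
    case $1 in
        *.*) have_minor=${1#*.}; have_minor=${have_minor%%.*}; have_minor=${have_minor%%[!0-9]*} ;;
        *)   have_minor=0 ;;
    esac
    have_minor=${have_minor:-0}
    want_major=${2%%.*}
    want_minor=${2#*.}; want_minor=${want_minor%%.*}
    [ "$have_major" -gt "$want_major" ] && return 0
    [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]
}

# bpffs_mounted_at MOUNTPOINT: read /proc/mounts-style text on stdin and
# succeed if a "bpf" filesystem is mounted at MOUNTPOINT.
bpffs_mounted_at() {
    awk -v mnt="$1" '$2 == mnt && $3 == "bpf" { found = 1 } END { exit !found }'
}

# xdp_attached: read "ip link show dev NIC" output on stdin and succeed if
# the link line carries an XDP marker (xdp, xdpgeneric or xdpoffload,
# optionally followed by /id:N).
xdp_attached() {
    grep -Eq '[[:space:]]xdp(generic|offload)?(/id:[0-9]+)?[[:space:]]'
}

# has_cap CAPEFF_HEX CAPNUM: succeed if bit CAPNUM is set in the CapEff
# mask as printed in /proc/<pid>/status.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# wait_for_pins PIN_DIR SECONDS: poll for a readable pinned map under
# PIN_DIR, the same wait the proxy performs when the agent starts later.
wait_for_pins() {
    dir=$1; deadline=${2:-30}; i=0
    while [ "$i" -lt "$deadline" ]; do
        [ -r "$dir/syn_map" ] && return 0
        i=$((i + 1)); sleep 1
    done
    [ -r "$dir/syn_map" ]
}

# preflight: run the checks against the live host. Missing capabilities and
# a missing XDP program are warnings (the proxy side does not need them);
# no bpffs or no pinned map is fatal.
preflight() {
    nic=${HUGINN_EBPF_INTERFACE:-eth0}
    pin=${HUGINN_EBPF_PIN_PATH:-/sys/fs/bpf/huginn}
    release=$(uname -r)
    kernel_ge "$release" 5.11 || echo "warn: kernel $release is older than the recommended 5.11"
    bpffs_mounted_at /sys/fs/bpf < /proc/mounts || { echo "error: bpffs not mounted at /sys/fs/bpf"; return 1; }
    caps=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
    for c in $CAP_NET_ADMIN $CAP_PERFMON $CAP_BPF; do
        has_cap "$caps" "$c" || echo "warn: capability bit $c missing (needed by the agent, not the proxy)"
    done
    ip link show dev "$nic" 2>/dev/null | xdp_attached || echo "warn: no XDP program attached on $nic"
    wait_for_pins "$pin" 30 || { echo "error: no readable pinned map under $pin after 30s"; return 1; }
    echo "ok: $nic has XDP, maps pinned under $pin"
}

if [ "${1:-}" = "--check" ]; then
    preflight
fi
```

Run it as `sh preflight.sh --check` in the proxy's own container to confirm that the pinned map is readable from there with only file permissions, and in the agent's container to confirm the capability bits; the functions take their input on stdin or as arguments so the parsing can be exercised without a live node.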