
Writing a BPF packet filter on macOS in Go
        Without filter                  With BPF filter

  Network      Userspace          Network      Userspace
 ┌───────┐   ┌─────────┐         ┌───────┐   ┌─────────┐
 │ ARP   │──→│ ARP     │         │ ARP   │──→│ ARP     │
 │ IPv4  │──→│ IPv4    │         │ IPv4  │   │ reply   │
 │ ARP   │──→│ ARP     │         │ ARP   │   │         │
 │ IPv6  │──→│ IPv6    │         │ IPv6  │   │         │
 │ IPv4  │──→│ IPv4    │         │ IPv4  │   │         │
 │ ARP   │──→│ ARP     │         │ ARP   │   │         │
 │ ...   │──→│ ...     │         │ ...   │   │         │
 └───────┘   └─────────┘         └───────┘   └─────────┘
  ~10,000      ~10,000            ~10,000      ~100
  packets      copied             packets      copied

 App filters in userspace        Kernel filters before copy

The problem: discovering VM IP addresses without a guest agent

In a recent change to qcontroller, I removed the dependency on QEMU Guest Agent (QGA) for discovering a VM's IP address. Previously, users had to install QGA inside every VM—easy enough with cloud-init, but still a hard requirement just to answer the question "what IP did this VM get?"

The alternative: ARP scanning. I already control the MAC addresses assigned to VMs, so I can periodically broadcast ARP requests on the virtual network i
Continue reading on Dev.to
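
The diagram's "With BPF filter" case as an added example, not code from the original post: a classic BPF program that passes only ARP replies, with a small interpreter so the filter can be exercised on constructed frames without a capture device. The names `insn`, `run` and `frame` are hypothetical, and the offsets assume untagged Ethernet II frames (EtherType at byte 12, ARP opcode at byte 20).

```go
package main

import "fmt"

type insn struct { // hypothetical name; same fields as classic BPF's struct bpf_insn
	code   uint16
	jt, jf uint8
	k      uint32
}

const ldhAbs, jeqK, retK = 0x28, 0x15, 0x06 // LD|H|ABS, JMP|JEQ|K, RET|K

// arpReplyFilter accepts only Ethernet frames that carry an ARP reply.
var arpReplyFilter = []insn{
	{ldhAbs, 0, 0, 12},   // A = EtherType, 2 bytes at frame offset 12
	{jeqK, 0, 3, 0x0806}, // not ARP: jump 3 ahead to the drop
	{ldhAbs, 0, 0, 20},   // A = ARP opcode, 2 bytes at frame offset 20
	{jeqK, 0, 1, 2},      // not a reply (opcode 2): jump 1 ahead to the drop
	{retK, 0, 0, 0xffff}, // accept: copy up to 65535 bytes
	{retK, 0, 0, 0},      // drop: copy nothing to userspace
}

// run (hypothetical helper) interprets prog over pkt; result is bytes to copy, 0 = drop.
func run(prog []insn, pkt []byte) uint32 {
	var a uint32 // accumulator register
	for pc := 0; pc < len(prog); pc++ {
		switch in := prog[pc]; {
		case in.code == ldhAbs && int(in.k)+2 <= len(pkt):
			a = uint32(pkt[in.k])<<8 | uint32(pkt[in.k+1])
		case in.code == jeqK && a == in.k:
			pc += int(in.jt)
		case in.code == jeqK:
			pc += int(in.jf)
		case in.code == retK:
			return in.k
		default: // load past the end of the packet, or unknown opcode
			return 0
		}
	}
	return 0
}

func frame(etherType, arpOp uint16) []byte { // constructed 42-byte test frame
	f := make([]byte, 42)
	f[12], f[13] = byte(etherType>>8), byte(etherType)
	f[20], f[21] = byte(arpOp>>8), byte(arpOp)
	return f
}

func main() { fmt.Println(run(arpReplyFilter, frame(0x0806, 2)), run(arpReplyFilter, frame(0x0800, 0))) }
```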



