It's not just "you can't do DNS compression", or "you probably can't do general-case string comparisons". It's much more fundamentally that anything you "detect" in eBPF code, even in the extremely rare cases where it's offloaded into NIC chipset, has to get plugged right back into the kernel to do anything with that data. You can't write a general-purpose eBPF program; eBPF is just a telemetry and packet processing offload.
That eBPF firewall is a perfect example of what I'm talking about. It relies not just on the kernel but on a cooperating userland process to do all the "interesting" bits.