Program type BPF_PROG_TYPE_SOCKET_FILTER
Socket filter programs can hook into network sockets and are designed to filter or modify packets received by that socket (the program isn't called for egress/outgoing packets).
A notable use case for this program type is tcpdump, which uses a raw socket in combination with a socket filter generated from the filter query to efficiently filter packets and only pay the kernel-userspace barrier cost for packets of interest.
Usage
Socket filter programs are typically put into an ELF section prefixed with socket. The socket filter is called by the kernel with a __sk_buff context. The return value of the program indicates how many bytes of the message should be kept. Returning a value less than the size of the packet will truncate it, and returning 0 will discard the packet.
Context
This program type isn't allowed to read from and write to all fields of the context since doing so might break assumptions in the kernel or because data isn't available at the point where the program is hooked into the kernel.
Context fields
Attachment
This program type can be attached to network sockets using the setsockopt syscall with the SOL_SOCKET socket level and the SO_ATTACH_BPF socket option.
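The load-and-attach sequence from the Usage and Attachment sections, as an added example that is not part of the original page: it hand-assembles a two-instruction socket filter ("r0 = 64; exit") that truncates every ingress datagram to 64 bytes, loads it with the raw bpf(2) syscall as BPF_PROG_TYPE_SOCKET_FILTER, and attaches it with setsockopt(SOL_SOCKET, SO_ATTACH_BPF). The keep-length of 64 and the GPL license string are assumptions; loading requires CAP_BPF or CAP_SYS_ADMIN.

```c
/* Added example, not from the original page: load a minimal BPF_PROG_TYPE_SOCKET_FILTER
 * program via the raw bpf(2) syscall and attach it with setsockopt(SOL_SOCKET,
 * SO_ATTACH_BPF). Linux only; loading needs CAP_BPF/CAP_SYS_ADMIN, so main() reports errors. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/bpf.h>
/* Emit "r0 = keep; exit". Returns the instruction count (2). */
static int build_truncate_filter(struct bpf_insn *insns, uint32_t keep)
{
    insns[0] = (struct bpf_insn){ .code = BPF_ALU64 | BPF_MOV | BPF_K,
                                  .dst_reg = BPF_REG_0, .imm = (int32_t)keep };
    insns[1] = (struct bpf_insn){ .code = BPF_JMP | BPF_EXIT };
    return 2;
}

/* How the kernel uses the return value: keep min(ret, pkt_len) bytes; 0 drops the packet. */
static uint32_t bytes_kept(uint32_t ret, uint32_t pkt_len)
{
    return ret < pkt_len ? ret : pkt_len;
}

/* BPF_PROG_LOAD; returns a program fd, or -1 with errno set. */
static int load_socket_filter(const struct bpf_insn *insns, int cnt)
{
    union bpf_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.prog_type = BPF_PROG_TYPE_SOCKET_FILTER;
    attr.insns = (uint64_t)(uintptr_t)insns;
    attr.insn_cnt = (uint32_t)cnt;
    attr.license = (uint64_t)(uintptr_t)"GPL";   /* assumed license string */
    return (int)syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof(attr));
}

int main(void)
{
    struct bpf_insn insns[2];
    int prog_fd = load_socket_filter(insns, build_truncate_filter(insns, 64));
    if (prog_fd < 0) { perror("BPF_PROG_LOAD"); return 1; }
    int sock = socket(AF_INET, SOCK_DGRAM, 0);   /* any socket type will do */
    if (setsockopt(sock, SOL_SOCKET, SO_ATTACH_BPF, &prog_fd, sizeof(prog_fd)) < 0) {
        perror("SO_ATTACH_BPF"); return 1;
    }
    puts("attached: ingress datagrams on this socket are truncated to 64 bytes");
    return 0;
}
```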
Helper functions
Not all helper functions are available in all program types. These are the helper calls available for socket filter programs:
Supported helper functions
- bpf_skb_load_bytes
- bpf_skb_load_bytes_relative
- bpf_get_socket_cookie
- bpf_get_socket_uid
- bpf_perf_event_output
- bpf_map_lookup_elem
- bpf_map_update_elem
- bpf_map_delete_elem
- bpf_map_push_elem
- bpf_map_pop_elem
- bpf_map_peek_elem
- bpf_map_lookup_percpu_elem
- bpf_get_prandom_u32
- bpf_get_smp_processor_id
- bpf_get_numa_node_id
- bpf_tail_call
- bpf_ktime_get_ns
- bpf_ktime_get_boot_ns
- bpf_ringbuf_output
- bpf_ringbuf_reserve
- bpf_ringbuf_submit
- bpf_ringbuf_discard
- bpf_ringbuf_query
- bpf_for_each_map_elem
- bpf_loop
- bpf_strncmp
- bpf_spin_lock
- bpf_spin_unlock
- bpf_jiffies64
- bpf_per_cpu_ptr
- bpf_this_cpu_ptr
- bpf_timer_init
- bpf_timer_set_callback
- bpf_timer_start
- bpf_timer_cancel
- bpf_trace_printk
- bpf_get_current_task
- bpf_get_current_task_btf
- bpf_probe_read_user
- bpf_probe_read_kernel
- bpf_probe_read_user_str
- bpf_probe_read_kernel_str
- bpf_snprintf_btf
- bpf_snprintf
- bpf_task_pt_regs
- bpf_trace_vprintk
KFuncs
Supported kfuncs
- bpf_cast_to_kern_ctx
- bpf_dynptr_adjust
- bpf_dynptr_clone
- bpf_dynptr_from_skb
- bpf_dynptr_is_null
- bpf_dynptr_is_rdonly
- bpf_dynptr_size
- bpf_dynptr_slice
- bpf_dynptr_slice_rdwr
- bpf_iter_css_destroy
- bpf_iter_css_new
- bpf_iter_css_next
- bpf_iter_css_task_destroy
- bpf_iter_css_task_new
- bpf_iter_css_task_next
- bpf_iter_num_destroy
- bpf_iter_num_new
- bpf_iter_num_next
- bpf_iter_task_destroy
- bpf_iter_task_new
- bpf_iter_task_next
- bpf_iter_task_vma_destroy
- bpf_iter_task_vma_new
- bpf_iter_task_vma_next
- bpf_map_sum_elem_count
- bpf_rcu_read_lock
- bpf_rcu_read_unlock
- bpf_rdonly_cast
Examples
Program example
Attachment example
History
Socket filters pre-date eBPF itself; they were the first ever prototype in the original BPF implementation, now referred to as cBPF (classic BPF). In fact, usage of this program type was the reason for inventing the whole system[1].