Three related questions:

  1. Do raw sockets have any method of filtering equivalent to the in-kernel BPF (used by libpcap)?

  2. Does opening a raw socket mean that it receives every IP packet on the machine?

  3. How do iptables interact with raw sockets - does a raw socket see packets that iptables drops?

BPF - http://lwn.net/Articles/599755/

fadedbee

1 Answer

  1. Do raw sockets have any method of filtering equivalent to the in-kernel BPF (used by libpcap)?

Well they do, and it's more than equivalent: they support BPF filters themselves. You would attach a socket like this:

 setsockopt(socket, SOL_SOCKET, SO_ATTACH_FILTER, &bpf_filter, sizeof(bpf_filter));

(There is a complete example in this question).

During the last few years BPF has undergone a lot of changes on Linux, and you can now attach it to a variety of hooks for networking: sockets, but also tc ingress/egress interfaces, XDP (on NICs with compatible drivers). Also: kprobes, tracepoints, perf events, cgroups, maybe more… for tracing/monitoring.

I am not sure enough to answer questions 2 and 3, sorry.

Qeole