
I am trying to write some sort of very basic packet filtering in Linux (Ubuntu) user space.

Is it possible to drop packets in user space via a C program using a raw socket (AF_PACKET), without any kernel intervention (such as writing a kernel module) and net filtering?

Thanks a lot

Tali

  • The kernel makes a copy of the packet, sends that to your user space program, and the original packet gets processed as normal by the kernel TCP/IP stack. So no. – nos Mar 21 '17 at 21:40
  • Thanks. Is it true also for packets that leave the host? – Tali Mar 21 '17 at 21:47
  • If anybody googles this topic later like I did, please look for XDP and possibly AF_XDP rather than AF_PACKET. It doesn't do exactly what OP asked for (filtering is still done in the kernel) but it might help with similar cases. – Pavel Šimerda Sep 14 '20 at 12:02

2 Answers


It is possible (assuming I understand what you're asking). There are a number of "zero-copy" driver implementations that allow user-space to obtain a large memory-mapped buffer into which (/ from which) packets are directly DMA'd.

That pretty much precludes having the kernel process those same packets though (possible but very difficult to properly coordinate user-space packet sniffing with kernel processing of the same packets). But it's fine if you're creating your own IDS/IPS or whatever and don't need to "terminate" connections on the local machine.

It would definitely not be the standard AF_PACKET; you have to either create your own or use an existing implementation: look into netmap, DPDK, and PF_RING (maybe PF_RING/ZC? not sure). I worked on a couple of proprietary implementations in a previous career so I know it's possible.

The basic idea is either (1) completely duplicate everything the driver is responsible for -- that is, move the driver implementation completely into user space (DPDK basically does this). This is straightforward on paper, but is a lot of work and makes the driver pretty much fully custom.

Or (2) modify driver source so that key network buffer allocation requests get satisfied with an address that is also mmap'd by the user-space process. You then have the problem of communicating buffer life-cycles / reference counts between user-space and kernel. That's very messy but can be done and is probably less work overall. (I dunno -- there may be a way to automate this latter method if you're clever enough -- I haven't been in this space in some years.)

Whichever way you go, there are several pieces you need to put together to do this right. For example, if you want really high performance, you'll need to use the adapter's "RSS" type mechanisms to split the traffic into multiple queues and pin each to a particular CPU -- then make sure the corresponding application components are pinned to the same CPU.

All that being said, unless your need is pretty severe, you're best staying with plain old AF_PACKET.

Gil Hamilton
  • Thanks so much for this so detailed answer. All of those terms and ideas you mentioned are new to me (It’s not my formal education..) but it is so good feeling to know there are options up there! It feels like a great starting point to continue! I already started to google them. Since my objective is to selectively drop packets via the user space alone (and not just sniffing), I will filter the information for this purpose! Meanwhile, thanks a lot. Tali – Tali Mar 22 '17 at 09:58

You can use iptables rules to drop packets for given criteria, but dropping using packet filters is not possible, because the packet filters get a copy of the packet while the original packet flows through the usual path.

Shridhar.S
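To make the "copy" point from the comments and answers concrete, here is an added C example (not code from anyone in this thread) that binds a raw AF_PACKET socket to an interface, classifies each received frame as a TCP SYN or not, and counts the SYNs. The verdict only affects the count: the kernel stack already holds the original packet and keeps processing it. The interface name `eth0` and the CAP_NET_RAW requirement are assumptions.

```c
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Classify one frame: 1 if it is an IPv4 TCP segment (first fragment) with SYN set,
 * else 0. This verdict applies only to the copy we received, never to the original. */
int is_tcp_syn(const uint8_t *f, size_t len)
{
    if (len < 34 || (f[12] << 8 | f[13]) != 0x0800) return 0;   /* EtherType IPv4 */
    const uint8_t *ip = f + 14;
    size_t ihl = (ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6) return 0; /* IPv4, proto TCP */
    if (((ip[6] & 0x1f) << 8 | ip[7]) != 0) return 0;           /* later fragment */
    if (len < 14 + ihl + 14) return 0;                          /* TCP flags byte */
    return (ip[ihl + 13] & 0x02) != 0;                          /* SYN bit */
}

/* Build a constructed Ethernet/IPv4/TCP frame (not real traffic) and classify it. */
int check_sample(uint16_t ethertype, uint8_t tcp_flags)
{
    uint8_t f[54] = {0};
    f[12] = ethertype >> 8; f[13] = ethertype & 0xff;
    f[14] = 0x45; f[14 + 9] = 6;     /* IPv4, IHL 5, protocol TCP */
    f[14 + 20 + 13] = tcp_flags;     /* TCP flags byte */
    return is_tcp_syn(f, sizeof f);
}

/* Sniff 100 frames on ifname via AF_PACKET (needs CAP_NET_RAW) and count SYNs.
 * recv() hands us a copy; the kernel keeps the original, so nothing is dropped. */
int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : "eth0";  /* assumed interface name */
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    struct sockaddr_ll sll = { .sll_family = AF_PACKET, .sll_protocol = htons(ETH_P_ALL),
                               .sll_ifindex = (int)if_nametoindex(ifname) };
    if (fd < 0 || sll.sll_ifindex == 0 || bind(fd, (struct sockaddr *)&sll, sizeof sll)) {
        perror("AF_PACKET"); return 1;
    }
    static uint8_t buf[65536]; int syn = 0, seen = 0;
    for (ssize_t n; seen < 100 && (n = recv(fd, buf, sizeof buf, 0)) > 0; seen++)
        syn += is_tcp_syn(buf, (size_t)n);
    printf("%d of %d frames on %s carried SYN (observed, not dropped)\n", syn, seen, ifname);
    close(fd);
    return 0;
}
```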