I am running the bcc example /http_filter/http-parse-simple.c, in which a comment explains:

/*
  eBPF program.
  Filter IP and TCP packets, having payload not empty
  and containing "HTTP", "GET", "POST" ... as first bytes of payload
  if the program is loaded as PROG_TYPE_SOCKET_FILTER
  and attached to a socket
  return  0 -> DROP the packet
  return -1 -> KEEP the packet and return it to user space (userspace
      can read it from the socket_fd )
*/

And when I ran this example, I saw that when I send a UDP packet (such as with dig) or an ICMP packet (ping), the user program indeed does not receive the packet.

But the ping or dig program's packets are not dropped.

In my understanding, these non-TCP packets should be dropped (I expect that ping or dig will fail), but they are not.

So what is the reason?

And is there any other way to drop an skb_buff using eBPF/bcc?

Vector
Some elements of your questions are unclear to me. 1) Are packets dropped (you say UDP/ICMP packets are dropped) or not (you add you expect ping/dig to fail but it works after all, so presumably packets are not dropped?) 2) What do you mean by “is there anyway else to drop skb_buff use ebpf/bcc”, could you please rephrase that? – Qeole Jan 07 '20 at 07:30

1 Answer


TL;DR. http-parse-simple drops a copy of packets, not the original packets.
http-parse-simple's goal is to display to the user the URL of all HTTP requests made on a given interface. To that end, it creates a raw socket and attaches a BPF program to it. The raw socket receives a copy of all incoming packets on the interface; that is independent of BPF. The attached BPF program is then used to transmit to userspace only packets of interest (i.e., only HTTP packets); the copies of other packets are dropped.

Thus, the userspace process of http-parse-simple receives only HTTP packets, and it does so without affecting your original applications (e.g., web browser) because the BPF program works on packet copies.

pchaigno
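As an added illustration of the answer's point (this is not code from bcc or from the answer), here is the same "IPv4, TCP, payload starts with GET" test written as a classic BPF socket-filter program, which needs no bcc, together with a small interpreter that reproduces the kernel's verdict on constructed frames. The verdict is the number of bytes of this socket's copy to deliver, 0 meaning the copy is dropped (http-parse-simple's `return -1` is the same "keep everything" length seen as unsigned); the original packet is never touched. The names `HTTP_GET_FILTER`, `run_filter`, `ipv4`, `TCP20`, `HTTP_GET` and `DNS_QUERY` are mine.

```python
import struct

# Opcodes from <linux/filter.h>; each (code, jt, jf, k) tuple is one struct sock_filter.
LDH_ABS, LDB_ABS, LDW_IND, LDB_IND, LDX_MSH = 0x28, 0x30, 0x40, 0x50, 0xB1
JEQ_K, AND_K, RSH_K, ADD_X, TAX, RET_K = 0x15, 0x54, 0x74, 0x0C, 0x07, 0x06
# http-parse-simple's test as cBPF (frame starts with the Ethernet header, as on a
# raw AF_PACKET socket). Jump offsets are relative to the next instruction.
HTTP_GET_FILTER = [
    (LDH_ABS, 0, 0, 12),        # A = ethertype
    (JEQ_K, 0, 11, 0x0800),     # not IPv4 -> drop
    (LDB_ABS, 0, 0, 23),        # A = ip.protocol
    (JEQ_K, 0, 9, 6),           # not TCP -> drop
    (LDX_MSH, 0, 0, 14),        # X = 4 * ip.ihl (IP header length in bytes)
    (LDB_IND, 0, 0, 26),        # A = tcp data-offset byte (14 + ihl + 12)
    (AND_K, 0, 0, 0xF0),
    (RSH_K, 0, 0, 2),           # A = tcp header length in bytes
    (ADD_X, 0, 0, 0),           # A = ihl + tcp header length
    (TAX, 0, 0, 0),             # X = payload offset from the IP header
    (LDW_IND, 0, 0, 14),        # A = first four payload bytes
    (JEQ_K, 0, 1, 0x47455420),  # "GET " ?
    (RET_K, 0, 0, 0xFFFFFFFF),  # keep: the whole copy reaches this socket
    (RET_K, 0, 0, 0),           # drop: only this socket's copy is discarded
]

def run_filter(prog, pkt):
    """Kernel-style evaluation: bytes this socket may read; 0 = drop (also on an out-of-range load)."""
    a = x = pc = 0
    try:
        while True:
            code, jt, jf, k = prog[pc]; pc += 1
            if code == LDH_ABS: a = struct.unpack_from("!H", pkt, k)[0]
            elif code == LDB_ABS: a = pkt[k]
            elif code == LDW_IND: a = struct.unpack_from("!I", pkt, x + k)[0]
            elif code == LDB_IND: a = pkt[x + k]
            elif code == LDX_MSH: x = (pkt[k] & 0xF) * 4
            elif code == JEQ_K: pc += jt if a == k else jf
            elif code == AND_K: a &= k
            elif code == RSH_K: a >>= k
            elif code == ADD_X: a = (a + x) & 0xFFFFFFFF
            elif code == TAX: x = a
            elif code == RET_K: return k
            else: raise ValueError(f"unsupported opcode {code:#x}")
    except (IndexError, struct.error):
        return 0

# Constructed sample frames (zeroed addresses and checksums; the filter ignores them).
ETH = bytes(12) + b"\x08\x00"
def ipv4(proto, total_len): return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, bytes(4), bytes(4))
TCP20 = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
HTTP_GET = ETH + ipv4(6, 56) + TCP20 + b"GET / HTTP/1.1\r\n"
DNS_QUERY = ETH + ipv4(17, 40) + struct.pack("!HHHH", 40001, 53, 20, 0) + bytes(12)
```

To install it on a real raw socket, pack each tuple with `struct.pack("HBBI", ...)` into a buffer and pass a `struct sock_fprog` (instruction count plus pointer) to `setsockopt(SOL_SOCKET, SO_ATTACH_FILTER)`, which needs CAP_NET_RAW; the verdicts then apply only to that socket's copies, which is why ping and dig keep working.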