x/net/{ipv4,ipv6}: support attaching BPF socket filters to sockets. #14974
Comments
CL https://golang.org/cl/21176 mentions this issue.
I'm not keen on exposing SetsockBlahBlah API because it makes people who have no interest in networking stuff confused and complain. At present, x/sys/unix package has no capability to work together with runtime-integrated network poller and it doesn't appear to come up soon. That's the reason why x/net/{icmp,ipv4,ipv6} packages never use x/sys/unix and I dropped BPF/netlink/routing socket APIs from x/sys/unix package. A few random thoughts on your plan:
What do you think?
Ack on not changing x/sys/unix, I'll revert the change I sent out for that. I originally thought that x/net used x/sys for syscalls, before going to plug my code into x/net and discovering that it imports its own godefs. Adding x/net/bpf sounds like a good idea, although it'll take me a bit more time to build an API for that - my current code just uses slices of tcpdump -dd output, which is obviously not great :). I also already have some code to set up an AF_PACKET socket with filtering, if that would be of interest, although it does not have any netpoller integration since (afaik) there's currently no way to get a netpoller-friendly AF_PACKET socket out of the net package.
CL https://golang.org/cl/23105 mentions this issue.
Updates golang/go#14974

Change-Id: I80da378a788d5d826b3b79ab308372231c012391
Reviewed-on: https://go-review.googlesource.com/23105
Reviewed-by: Mikio Hara <mikioh.mikioh@gmail.com>
Run-TryBot: Mikio Hara <mikioh.mikioh@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
CL https://golang.org/cl/23107 mentions this issue.
Linux supports attaching packet filters to sockets. This turns out to be very important for IPConns of popular protocols like TCP or UDP, otherwise the kernel will helpfully give you ~all traffic the machine is involved in through a small kernel-userspace straw.
The API is to call setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER) with a BPF program struct. The struct is already defined by x/sys/unix, but needs an appropriate Setsockopt wrapper that accepts that struct. Then, x/net/ipv4's PacketConn and RawConn should get methods plumbed through, so that you can use net and x/net/ipv4 types exclusively to set packet filters, without having to touch raw FDs and syscalls directly.
I have most of the code for this already in a different repository, which I'm going to put together into a code review - filing this for tracking, and of course to ask if this sounds like a reasonable addition.
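The setsockopt call described in the issue, together with the "slices of tcpdump -dd output" approach mentioned in the comments, as an added example that is not code from the issue author or from x/net. It assumes Linux and uses the standard `syscall` package; `ParseDD`, `Attach` and the sample filter are hypothetical names and constructed data.

```go
package main

import (
	"fmt"
	"strings"
	"syscall"
	"unsafe"
)

// sampleDD is constructed in `tcpdump -dd` text format (not captured output). It assumes
// the packet starts at the IPv4 header and accepts only UDP destination port 53.
const sampleDD = `{ 0xb1, 0, 0, 0x00000000 },
{ 0x48, 0, 0, 0x00000002 },
{ 0x15, 0, 1, 0x00000035 },
{ 0x06, 0, 0, 0x0000ffff },
{ 0x06, 0, 0, 0x00000000 },`

// ParseDD parses `tcpdump -dd` lines into classic BPF; like the kernel, it requires a final return.
func ParseDD(text string) (prog []syscall.SockFilter, err error) {
	for i, line := range strings.Split(strings.TrimSpace(text), "\n") {
		var f syscall.SockFilter
		if _, err = fmt.Sscanf(strings.TrimSpace(line), "{ %v, %d, %d, %v", &f.Code, &f.Jt, &f.Jf, &f.K); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		prog = append(prog, f)
	}
	if prog[len(prog)-1].Code&0x07 != 0x06 { // 0x06 is the BPF_RET instruction class
		return nil, fmt.Errorf("last instruction is not a return")
	}
	return prog, nil
}

// Attach (Linux only) installs prog via setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER).
func Attach(fd int, prog []syscall.SockFilter) error {
	fprog := syscall.SockFprog{Len: uint16(len(prog)), Filter: &prog[0]}
	if _, _, e := syscall.Syscall6(syscall.SYS_SETSOCKOPT, uintptr(fd), syscall.SOL_SOCKET,
		syscall.SO_ATTACH_FILTER, uintptr(unsafe.Pointer(&fprog)), unsafe.Sizeof(fprog), 0); e != 0 {
		return e
	}
	return nil
}

func main() {
	prog, err := ParseDD(sampleDD)
	fd, serr := syscall.Socket(syscall.AF_INET, syscall.SOCK_RAW, syscall.IPPROTO_UDP) // needs CAP_NET_RAW
	if err == nil && serr == nil {
		err = Attach(fd, prog)
	}
	fmt.Println("instructions:", len(prog), "socket error:", serr, "parse/attach error:", err)
}
```

With the filter attached, the kernel drops non-matching packets before they are queued to the socket, so a raw UDP socket no longer receives every UDP datagram the host sees.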