Program type BPF_PROG_TYPE_SOCKET_FILTER
Socket filter programs can hook into network sockets and are designed to filter or modify packets received by that socket (the program isn't called for egress/outgoing packets).
A notable use case for this program type is tcpdump, which uses raw sockets in combination with a socket filter generated from the filter query to efficiently filter packets and only pay the kernel-userspace barrier cost for packets of interest.
Usage
Socket filter programs are typically put into an ELF section prefixed with socket. The socket filter is called by the kernel with a __sk_buff context. The return value indicates how many bytes of the message should be kept. Returning a value less than the size of the packet will truncate it, and returning 0 will discard the packet.
Context
This program type isn't allowed to read from and write to all fields of the context since doing so might break assumptions in the kernel or because data isn't available at the point where the program is hooked into the kernel.
Context fields
Attachment
This program type can be attached to network sockets using the setsockopt syscall with the SOL_SOCKET socket level and SO_ATTACH_BPF socket option.
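The return-value semantics and the attachment call described above can be observed from user space with the following added example, which is not part of the original documentation. It assumes a Linux host where loading socket filter programs is permitted; `filtered_recv_len`, `DROPPED` and the AF_UNIX datagram pair used as a stand-in for a network socket are choices made for this illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/bpf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

#define DROPPED (-1000) /* constructed sentinel: the filter discarded the packet */
/* Load the two-instruction program "return keep;" as a socket filter, attach
 * it to the receiving end of an AF_UNIX datagram pair, send a 16-byte message
 * and return how many bytes arrive. Returns DROPPED if nothing is delivered,
 * or -errno if a step fails (for example when unprivileged BPF is disabled). */
int filtered_recv_len(int keep)
{
    struct bpf_insn insns[] = {
        { .code = BPF_ALU64 | BPF_MOV | BPF_K, .dst_reg = BPF_REG_0, .imm = keep },
        { .code = BPF_JMP | BPF_EXIT }, /* return r0 = bytes to keep */
    };
    union bpf_attr attr;
    const char msg[] = "0123456789abcde"; /* constructed payload, 16 bytes with NUL */
    char buf[64];
    int sv[2] = { -1, -1 }, fd, ret;

    memset(&attr, 0, sizeof(attr));
    attr.prog_type = BPF_PROG_TYPE_SOCKET_FILTER;
    attr.insns = (uint64_t)(uintptr_t)insns;
    attr.insn_cnt = 2;
    attr.license = (uint64_t)(uintptr_t)"GPL";
    fd = syscall(SYS_bpf, BPF_PROG_LOAD, &attr, sizeof(attr));
    if (fd < 0)
        return -errno;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0 ||
        setsockopt(sv[0], SOL_SOCKET, SO_ATTACH_BPF, &fd, sizeof(fd)) < 0 ||
        send(sv[1], msg, sizeof(msg), 0) < 0) {
        ret = -errno;
    } else {
        ret = recv(sv[0], buf, sizeof(buf), MSG_DONTWAIT);
        if (ret < 0)
            ret = (errno == EAGAIN) ? DROPPED : -errno;
    }
    close(fd); close(sv[0]); close(sv[1]);
    return ret;
}

int main(void)
{
    printf("keep=0: %d, keep=4: %d, keep=64: %d\n",
           filtered_recv_len(0), filtered_recv_len(4), filtered_recv_len(64));
    return 0;
}
```

A negative value other than `DROPPED` means the kernel refused to load or attach the program, which is the expected outcome on hosts that disable unprivileged BPF.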
Helper functions
Not all helper functions are available in all program types. These are the helper calls available for socket filter programs:
Supported helper functions
bpf_cgrp_storage_delete
bpf_cgrp_storage_get
bpf_dynptr_data
bpf_dynptr_from_mem
bpf_dynptr_read
bpf_dynptr_write
bpf_for_each_map_elem
bpf_get_current_ancestor_cgroup_id v6.4
bpf_get_current_cgroup_id v6.4
bpf_get_current_pid_tgid v6.10
bpf_get_current_task
bpf_get_current_task_btf
bpf_get_netns_cookie v6.15
bpf_get_ns_current_pid_tgid v6.10
bpf_get_numa_node_id
bpf_get_prandom_u32
bpf_get_smp_processor_id
bpf_get_socket_cookie
bpf_get_socket_uid
bpf_jiffies64
bpf_kptr_xchg
bpf_ktime_get_boot_ns
bpf_ktime_get_ns
bpf_ktime_get_tai_ns
bpf_loop
bpf_map_delete_elem
bpf_map_lookup_elem
bpf_map_lookup_percpu_elem
bpf_map_peek_elem
bpf_map_pop_elem
bpf_map_push_elem
bpf_map_update_elem
bpf_per_cpu_ptr
bpf_perf_event_output
bpf_probe_read_kernel
bpf_probe_read_kernel_str
bpf_probe_read_user
bpf_probe_read_user_str
bpf_ringbuf_discard
bpf_ringbuf_discard_dynptr
bpf_ringbuf_output
bpf_ringbuf_query
bpf_ringbuf_reserve
bpf_ringbuf_reserve_dynptr
bpf_ringbuf_submit
bpf_ringbuf_submit_dynptr
bpf_skb_load_bytes
bpf_skb_load_bytes_relative
bpf_snprintf
bpf_snprintf_btf
bpf_spin_lock
bpf_spin_unlock
bpf_strncmp
bpf_tail_call
bpf_task_pt_regs
bpf_this_cpu_ptr
bpf_timer_cancel
bpf_timer_init
bpf_timer_set_callback
bpf_timer_start
bpf_trace_printk
bpf_trace_vprintk
bpf_user_ringbuf_drain
KFuncs
Supported kfuncs
__bpf_trap
bpf_arena_alloc_pages
bpf_arena_free_pages
bpf_arena_reserve_pages
bpf_cast_to_kern_ctx
bpf_cgroup_read_xattr
bpf_copy_from_user_dynptr
bpf_copy_from_user_str
bpf_copy_from_user_str_dynptr
bpf_copy_from_user_task_dynptr
bpf_copy_from_user_task_str
bpf_copy_from_user_task_str_dynptr
bpf_dynptr_adjust
bpf_dynptr_clone
bpf_dynptr_copy
bpf_dynptr_from_skb
bpf_dynptr_is_null
bpf_dynptr_is_rdonly
bpf_dynptr_memset
bpf_dynptr_size
bpf_dynptr_slice
bpf_dynptr_slice_rdwr
bpf_get_kmem_cache
bpf_iter_bits_destroy
bpf_iter_bits_new
bpf_iter_bits_next
bpf_iter_css_destroy
bpf_iter_css_new
bpf_iter_css_next
bpf_iter_css_task_destroy
bpf_iter_css_task_new
bpf_iter_css_task_next
bpf_iter_dmabuf_destroy
bpf_iter_dmabuf_new
bpf_iter_dmabuf_next
bpf_iter_kmem_cache_destroy
bpf_iter_kmem_cache_new
bpf_iter_kmem_cache_next
bpf_iter_num_destroy
bpf_iter_num_new
bpf_iter_num_next
bpf_iter_task_destroy
bpf_iter_task_new
bpf_iter_task_next
bpf_iter_task_vma_destroy
bpf_iter_task_vma_new
bpf_iter_task_vma_next
bpf_local_irq_restore
bpf_local_irq_save
bpf_map_sum_elem_count
bpf_preempt_disable
bpf_preempt_enable
bpf_probe_read_kernel_dynptr
bpf_probe_read_kernel_str_dynptr
bpf_probe_read_user_dynptr
bpf_probe_read_user_str_dynptr
bpf_rcu_read_lock
bpf_rcu_read_unlock
bpf_rdonly_cast
bpf_res_spin_lock
bpf_res_spin_lock_irqsave
bpf_res_spin_unlock
bpf_res_spin_unlock_irqrestore
bpf_strchr
bpf_strchrnul
bpf_strcmp
bpf_strcspn
bpf_stream_vprintk
bpf_strlen
bpf_strnchr
bpf_strnlen
bpf_strnstr
bpf_strrchr
bpf_strspn
bpf_strstr
bpf_wq_init
bpf_wq_set_callback_impl
bpf_wq_start
Examples
Program example
Attachment example
History
Socket filters pre-date eBPF itself: they were the first ever prototype in the original BPF implementation, now referred to as cBPF (classic BPF). In fact, usage of this program type was the reason for inventing the whole system [1].