chapter 6: packet filter returns 0 does not drop the packet

[at15]

I am running the example code in vagrant, after loading the code and ping localhost, I can see the output from bpf code but the packet is not dropped. Based on doc, when the filter returns 0 the packet should be dropped for SO_ATTACH_FILTER

Attach a classic BPF (SO_ATTACH_FILTER) or an extended BPF
(SO_ATTACH_BPF) program to the socket for use as a filter of
incoming packets. A packet will be dropped if the filter pro‐
gram returns zero. If the filter program returns a nonzero
value which is less than the packet's data length, the packet
will be truncated to the length returned.

[vagrant@bpfbook packet-filtering-raw-sockets]$ sudo ./loader-bin bpf_program.o
TCP 0 UDP 0 ICMP 0 packets
TCP 0 UDP 0 ICMP 0 packets
TCP 0 UDP 0 ICMP 0 packets
TCP 0 UDP 0 ICMP 4 packets
TCP 0 UDP 0 ICMP 8 packets

ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.046 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.071 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.073 ms
64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.070 ms
64 bytes from 127.0.0.1: icmp_seq=5 ttl=64 time=0.071 ms
64 bytes from 127.0.0.1: icmp_seq=6 ttl=64 time=0.072 ms
64 bytes from 127.0.0.1: icmp_seq=7 ttl=64 time=0.064 ms
^C
--- 127.0.0.1 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 53ms
rtt min/avg/max/mdev = 0.046/0.066/0.073/0.013 ms

I am seeing the same behavior that packets are not dropped when I am running examples from bcc (on my local machine w/ 5.0 kernel) e.g. https://github.com/iovisor/bcc/tree/master/examples/networking/http_filter I am not sure if missed some obvious things due to my lack of knowledge on network and bpf ....

[fntlnz]

Hi @at15 we are all here to learn! :)
The program you are running is not meant to drop packets. It's made to count them.

In fact, here (https://github.com/bpftools/linux-observability-with-bpf/blob/master/code/chapter-6/packet-filtering-raw-sockets/bpf_program.c#L43-L52) we don't use any drop instruction.

You can see that it works in your output by looking at the increasing number of ICMP packets in your first output. When you do a ping, an ICMP packet is transmitted.

[at15]

@fntlnz thanks! It seems when using raw socket and BPF_PROG_TYPE_SOCKET_FILTER, the filter result only has effect on the program that reads from that raw socket, and has no effect on other processes, e.g. bcc/http_filter reads from the raw socket it created.

So for the example in chapter 6, if we read from the raw socket we created in loader.c we will get nothing because we returned 0 (I haven't write the code verify my assumption though ..)

Does this means the bpf code with BPF_PROG_TYPE_SOCKET_FILTER cannot change the behavior of other processes to do things like fault injection? If I want to drop packet for all the processes using bpf I should use traffic control and return TC_ACT_SHOT or maybe XDP?

btw: what happens if I alter the sk buffer in bpf code, will it cause problem for other process?