|filter.txt: Linux Socket Filtering
|Written by: Jay Schulist <firstname.lastname@example.org>
|Linux Socket Filtering is derived from the Berkeley
|Packet Filter. There are some distinct differences between
|the BSD and Linux Kernel Filtering.
|Linux Socket Filtering (LSF) allows a user-space program to
|attach a filter onto any socket and allow or disallow certain
|types of data to come through the socket. LSF follows exactly
|the same filter code structure as the BSD Berkeley Packet Filter
|(BPF), so referring to the BSD bpf.4 manpage is very helpful in
|LSF is much simpler than BPF. One does not have to worry about
|devices or anything like that. You simply create your filter
|code, send it to the kernel via the SO_ATTACH_FILTER option and
|if your filter code passes the kernel check on it, you then
|immediately begin filtering data on that socket.
|You can also detach filters from your socket via the
|SO_DETACH_FILTER option. This will probably not be used much
|since when you close a socket that has a filter on it the
|filter is automagically removed. The other less common case
|is attaching a different filter to a socket that still has another
|filter running: the kernel takes care of removing the old one and
|placing your new one in its place, provided your new filter passes
|the checks; if it fails, the old filter remains on that socket.
|The SO_LOCK_FILTER option locks the filter attached to a
|socket. Once set, a filter cannot be removed or changed. This allows
|one process to set up a socket, attach a filter, lock it, then drop
|privileges and be assured that the filter will be kept until the
|socket is closed.
|setsockopt(sockfd, SOL_SOCKET, SO_ATTACH_FILTER, &Filter, sizeof(Filter));
|setsockopt(sockfd, SOL_SOCKET, SO_DETACH_FILTER, &value, sizeof(value));
|setsockopt(sockfd, SOL_SOCKET, SO_LOCK_FILTER, &value, sizeof(value));
|See the BSD bpf.4 manpage and the BSD Packet Filter paper written by
|Steven McCanne and Van Jacobson of Lawrence Berkeley Laboratory.