The socket-filter program demonstrates how to load an eBPF program from an
ELF file, and attach it to a raw socket.
BPF_PROG_TYPE_SOCKET_FILTER was the first program type to be added to the
Linux kernel. When you attach a BPF program to a raw socket, you get access to
all the packets processed by that socket. Socket filter programs don't allow
you to modify the contents of those packets or to change the destination for
those packets; they give you access to them for observability purposes only.
The metadata that your program receives contains information related to the
network stack such as the protocol type that's being used to deliver the
packet.
Clone and change current directory to the cloned repository:
git clone --recurse-submodules https://github.com/Soil-Security/bpf-go-socket.git
or
git clone https://github.com/Soil-Security/bpf-go-socket.git
cd bpf-go-socket
git submodule update --init --recursive
Compile BPF application and Go loader:
make
Run the application as root with sudo:
$ sudo ./socket --index=0
Filtering as uid=0(root) on eth index: 0
ICMP: 20 TCP: 121 UDP: 12_Run the application as non-root user:
sudo setcap 'cap_net_raw=ep cap_bpf=ep' ./socket
$ ./socket
Filtering as uid=1000(dpacak) on eth index: 0
ICMP: 0 TCP: 6167 UDP: 0_