Rawsock bpf mambo jambo?

Robert Watson rwatson at freebsd.org
Tue Jan 25 07:53:00 PST 2005


On Tue, 25 Jan 2005, DJF wrote:

> I've recently been looking into raw socket programming. However there's
> still a question that remains. Maybe it's just a case of RTFM, if so
> point me to a good manual on the topic. The man pages indicate that you
> can do read and write operations with rawsock as well as bpf. However, in
> all of the source codes I found, a raw socket was used to write to, and
> bpf was used to read from the interface. 
> 
> What's the advantage in using the rawsock bpf combination instead of bpf
> (or raw socket) only? 

Hmm.  Well, both of the mechanisms have some limitations, so it could be
that combining them overcomes some of those limitations.  Here are some
features/limitations of both:

Raw IP socket
	Works at the IP layer
	Works only with IP packets
	Checksums can be calculated for you
	Receives packets "unmatched" by the rest of the IP stack
	Send operations are routed using the routing table
	If there's a send error, it is available via errno
	Receives packets from any interface
	Will pick a source address for you if you like
	Filtered by IP-layer firewalling

BPF
	Works at the link layer
	Works with any link layer packets from the interface
	Calculate your own checksums if you transmit
	Figure out your own address if you transmit
	If you want routing from above the link layer, do it yourself
	Receives any packets, not just unmatched packets (subject to
	  selection of a point in the link layer protocol stack)
	No send error delivery
	You must pick an interface, and it requires an ioctl to switch --
	  if you need to receive from more than one interface, you need more
	  than one file descriptor open to more than one BPF device
	Not filtered by IP-layer firewalling

So, you might use IP to send a packet, so that it picks an address, does
lots of the paperwork, routing, etc, but then look for the response using
BPF.  Or, you might use BPF to implement low level listening
functionality, but send responses using the IP layer. 

Note that the reason that dhclient uses BPF on FreeBSD instead of a UDP
socket is that a quirk (feature) of the Berkeley sockets API is that you
can't bind the IP address 0.0.0.0 for sending.

Robert N M Watson
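
Added example, not part of the original message and not taken from dhclient or the FreeBSD source: a C sketch of the work the BPF list leaves to the sender, building a complete Ethernet/IPv4/UDP frame with its own IP header checksum and the 0.0.0.0 source address that a UDP socket cannot bind. The function names, the sample MAC address and the 1472-byte payload limit (1500-byte MTU) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 1071 Internet checksum over len bytes, read as big-endian words. */
static uint16_t inet_cksum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; p += 2, len -= 2)
        sum += ((uint32_t)p[0] << 8) | p[1];
    if (len)                              /* odd trailing byte, zero padded */
        sum += (uint32_t)p[0] << 8;
    while (sum >> 16)                     /* fold carries back in */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }

/* Build a broadcast frame from 0.0.0.0:68 to 255.255.255.255:67.
 * Everything a raw IP socket would fill in (source address, checksum,
 * link-layer header) is written by hand, as a BPF sender must.
 * Returns the frame length, or 0 if it does not fit. */
size_t build_frame(uint8_t *buf, size_t cap, const uint8_t src_mac[6],
                   const uint8_t *payload, size_t plen)
{
    size_t total = 14 + 20 + 8 + plen;
    if (plen > 1472 || total > cap)
        return 0;
    uint8_t *eth = buf, *ip = buf + 14, *udp = buf + 34;
    memset(eth, 0xff, 6);                 /* destination MAC: broadcast */
    memcpy(eth + 6, src_mac, 6);          /* source MAC: chosen by us */
    put16(eth + 12, 0x0800);              /* EtherType IPv4 */
    memset(ip, 0, 20);                    /* source address stays 0.0.0.0 */
    ip[0] = 0x45;                         /* version 4, 20-byte header */
    put16(ip + 2, (uint16_t)(20 + 8 + plen));
    ip[8] = 64;                           /* TTL */
    ip[9] = 17;                           /* protocol UDP */
    memset(ip + 16, 0xff, 4);             /* destination 255.255.255.255 */
    put16(ip + 10, inet_cksum(ip, 20));   /* no stack to do this for us */
    put16(udp, 68);
    put16(udp + 2, 67);
    put16(udp + 4, (uint16_t)(8 + plen));
    put16(udp + 6, 0);                    /* 0 = UDP checksum not computed (IPv4) */
    memcpy(udp + 8, payload, plen);
    return total;  /* on FreeBSD: write() this to a BPF fd bound with BIOCSETIF */
}

int main(void)
{
    const uint8_t mac[6] = {0x02, 0, 0, 0, 0, 0x01}; /* constructed sample MAC */
    uint8_t frame[128];
    size_t n = build_frame(frame, sizeof frame, mac, (const uint8_t *)"test", 4);
    printf("frame length %zu, IP checksum %02x%02x\n", n, frame[24], frame[25]);
    return 0;
}
```

Since BPF delivers no send errors, the length check is the only feedback this sender gets before the frame leaves the host.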



