Date: Tue, 25 Jan 2005 15:52:35 +0000 (GMT)
From: Robert Watson
To: DJF
cc: freebsd-hackers@freebsd.org
Subject: Re: Rawsock bpf mambo jambo?

On Tue, 25 Jan 2005, DJF wrote:

> I've recently been looking into raw socket programming. However there's
> still a question that remains. Maybe it's just a case of RTFM, if so
> point me to a good manual on the topic. The man pages indicate that you
> can do read and write operations with rawsock as well as bpf. However, in
> all of the source codes I found, a raw socket was used to write to, and
> bpf was used to read from the interface.
>
> What's the advantage in using the rawsock bpf combination instead of bpf
> (or raw socket) only?

Hmm.
Well, both of the mechanisms have some limitations, so it could be that
combining them overcomes some of those limitations. Here are some
features/limitations of both:

Raw IP socket

    Works at the IP layer
    Works only with IP packets
    Checksums can be calculated for you
    Receives packets "unmatched" by the rest of the IP stack
    Send operations are routed using the routing table
    If there's a send error, it is available via errno
    Receives packets from any interface
    Will pick a source address for you if you like
    Filtered by IP-layer firewalling

BPF

    Works at the link layer
    Works with any link layer packets from the interface
    Calculate your own checksums if you transmit
    Figure out your own address if you transmit
    If you want routing from above the link layer, do it yourself
    Receives any packets, not just unmatched packets (subject to
      selection of a point in the link layer protocol stack)
    No send error delivery
    You must pick an interface, and it requires an ioctl to switch -- if
      you need to receive from more than one interface, you need more
      than one file descriptor open to more than one BPF device
    Not filtered by IP-layer firewalling

So, you might use IP to send a packet, so that it picks an address, does
lots of the paperwork, routing, etc, but then look for the response using
BPF. Or, you might use BPF to implement low level listening functionality,
but send responses using the IP layer.

Note that the reason that dhclient uses BPF on FreeBSD instead of a UDP
socket is that a quirk (feature) of the Berkeley sockets API is that you
can't bind the IP address 0.0.0.0 for sending.

Robert N M Watson
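
What "calculate your own checksums" and "figure out your own address" mean in practice when transmitting IP through BPF, as an added example that is not part of the original message: the sender fills in the IPv4 header itself, including the source address and the RFC 1071 header checksum. The helper names, field values and sample addresses are constructed for illustration; the link-layer header and the BPF write itself are left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 1071 Internet checksum over big-endian 16-bit words. */
static uint16_t inet_cksum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;

    for (; len > 1; p += 2, len -= 2)
        sum += ((uint32_t)p[0] << 8) | p[1];
    if (len == 1)                       /* odd trailing byte, zero-padded */
        sum += (uint32_t)p[0] << 8;
    while (sum >> 16)                   /* fold carries back in */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static void put16(uint8_t *p, uint16_t v)
{
    p[0] = (uint8_t)(v >> 8);
    p[1] = (uint8_t)(v & 0xff);
}

/* Fill a 20-byte IPv4 header (no options) and return the checksum stored.
 * src/dst are host-order addresses the caller had to choose itself. */
static uint16_t build_ipv4_header(uint8_t h[20], uint32_t src, uint32_t dst,
                                  uint8_t proto, uint16_t payload_len)
{
    h[0] = 0x45;                        /* version 4, header length 5 words */
    h[1] = 0;                           /* TOS */
    put16(h + 2, (uint16_t)(20 + payload_len));
    put16(h + 4, 0);                    /* identification (constructed) */
    put16(h + 6, 0x4000);               /* DF set, fragment offset 0 */
    h[8] = 64;                          /* TTL (constructed) */
    h[9] = proto;
    put16(h + 10, 0);                   /* checksum field is zero while summing */
    put16(h + 12, (uint16_t)(src >> 16)); put16(h + 14, (uint16_t)src);
    put16(h + 16, (uint16_t)(dst >> 16)); put16(h + 18, (uint16_t)dst);
    put16(h + 10, inet_cksum(h, 20));
    return (uint16_t)((h[10] << 8) | h[11]);
}

int main(void)
{
    uint8_t h[20];
    /* Constructed sample: UDP, 192.168.0.1 -> 192.168.0.199, 95 payload bytes */
    uint16_t ck = build_ipv4_header(h, 0xc0a80001u, 0xc0a800c7u, 17, 95);

    printf("checksum 0x%04x, verify %s\n", ck, inet_cksum(h, 20) == 0 ? "ok" : "bad");
    return 0;
}
```

Summing a header that already carries a correct checksum yields 0, which is the check a receiving IP stack applies before accepting the packet.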