foniod / redbpf

Rust library for building and running BPF/eBPF modules
Apache License 2.0

When are socket filters removed? #198

Closed sebastiaoamaro closed 2 years ago

sebastiaoamaro commented 3 years ago

Hello everyone, I am running a program similar to this: https://github.com/foniod/redbpf/blob/main/examples/example-userspace/examples/tcp-lifetime.rs

I have a quick question: when are these socket filters removed? Or is there a certain way to remove them? (I didn't know where I could ask this without creating an issue, sorry if it is not supposed to be here.) Thanks in advance.

rhdxmr commented 3 years ago

Hi @sebastiaoamaro

I found this passage in the socket(7) man page:

SO_DETACH_FILTER (since Linux 2.2), SO_DETACH_BPF (since Linux 3.19)
These two options, which are synonyms, may be used to remove the classic or
extended BPF program attached to a socket with either SO_ATTACH_FILTER or
SO_ATTACH_BPF.  The option value is ignored.

Currently, SocketFilter offers attach_socket_filter that makes use of SO_ATTACH_BPF but it does not support the opposite method that uses SO_DETACH_BPF.

I also checked that closing the fd of BPF program attached to the socket does not remove the filter.
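An added example, not part of the thread and not redbpf code: a detach helper built directly on setsockopt, with a check that delivery resumes once the filter is gone. To run without CAP_NET_RAW or bpf() privileges it assumes a classic BPF drop-all program on a Unix datagram pair instead of an eBPF program on a raw socket; the function names and the hard-coded option numbers are assumptions of this sketch.

```rust
use std::io;
use std::os::unix::io::AsRawFd;
use std::os::unix::net::UnixDatagram;
use std::time::Duration;

// Linux asm-generic option numbers (x86-64, aarch64); some architectures differ.
const SOL_SOCKET: i32 = 1;
const SO_ATTACH_FILTER: i32 = 26;
const SO_DETACH_BPF: i32 = 27; // same number as SO_DETACH_FILTER
#[repr(C)]
struct SockFilter { code: u16, jt: u8, jf: u8, k: u32 } // struct sock_filter
#[repr(C)]
struct SockFprog { len: u16, filter: *const SockFilter } // struct sock_fprog
extern "C" {
    fn setsockopt(fd: i32, level: i32, name: i32, val: *const u8, len: u32) -> i32;
}

fn sockopt<T>(fd: i32, name: i32, val: &T) -> io::Result<()> {
    let (ptr, len) = (val as *const T as *const u8, std::mem::size_of::<T>() as u32);
    let rc = unsafe { setsockopt(fd, SOL_SOCKET, name, ptr, len) };
    if rc == 0 { Ok(()) } else { Err(io::Error::last_os_error()) }
}
/// Attach a one-instruction classic BPF program, `ret #0`, which drops everything.
fn attach_drop_all(fd: i32) -> io::Result<()> {
    let prog = [SockFilter { code: 0x06, jt: 0, jf: 0, k: 0 }]; // BPF_RET | BPF_K
    sockopt(fd, SO_ATTACH_FILTER, &SockFprog { len: 1, filter: prog.as_ptr() })
}
/// Hypothetical counterpart to an attach call: remove whatever filter is attached.
fn detach_filter(fd: i32) -> io::Result<()> {
    sockopt(fd, SO_DETACH_BPF, &0i32) // value is ignored but must be int-sized
}
/// Send one datagram and report whether the receiver got it before timing out.
fn delivered(tx: &UnixDatagram, rx: &UnixDatagram) -> io::Result<bool> {
    tx.send(b"ping")?;
    match rx.recv(&mut [0u8; 8]) {
        Ok(_) => Ok(true),
        Err(e) if e.kind() == io::ErrorKind::WouldBlock => Ok(false), // read timeout
        Err(e) => Err(e),
    }
}
/// Returns (delivered with filter attached, delivered after detach).
fn demo() -> io::Result<(bool, bool)> {
    let (tx, rx) = UnixDatagram::pair()?;
    rx.set_read_timeout(Some(Duration::from_millis(200)))?;
    attach_drop_all(rx.as_raw_fd())?;
    let with_filter = delivered(&tx, &rx)?;
    detach_filter(rx.as_raw_fd())?;
    Ok((with_filter, delivered(&tx, &rx)?))
}

fn main() { println!("{:?}", demo()); }
```

The same `detach_filter` call applies to a socket whose filter was installed with SO_ATTACH_BPF, since the two detach options share one number.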

rhdxmr commented 3 years ago

@sebastiaoamaro Is your program working OK even though RedBPF currently does not support detaching BPF from a socket? What was your decision? I am just curious about that. Could you tell me, if you don't mind?

regards,

sebastiaoamaro commented 3 years ago

Haven't had any problems so didn't look into it that much, but I think I might copy the attach_socket_filter and implement detach, since I already have the redbpf library locally due to the other problem I had. Might do a pull request with both those changes.

sebastiaoamaro commented 2 years ago

Hi, bringing this up again because I was gonna implement the detach function, but thinking about it, if the raw_socket is destroyed after the program ends (this should happen or not?), then so should the filter, right? Best regards.

rhdxmr commented 2 years ago

Hi @sebastiaoamaro Long time no see! How are you?

I believe Linux closes raw sockets automatically when the process exits. If it did not, the sockets would be leaked and not associated with any process. That doesn't make sense to me.

So I am 99% sure that raw sockets are closed when the program ends, and at the same time the filter is also detached automatically.

warm regards,

sebastiaoamaro commented 2 years ago

I am fine, hope everything is good with you as well. I took a vacation from the work I was using redbpf on, but I am back now :) OK, that makes sense to me, I will close the issue then. Thanks a lot for the help!

rhdxmr commented 2 years ago

Wow. It's good to hear you took a vacation.

I thought that a detach method of SocketFilter was needed to detach the filter programmatically in your situation. Is it enough to detach the filter when the raw socket is closed?

sebastiaoamaro commented 2 years ago

The idea was to not leave the program that increments maps running after the program closes. Since the socket is destroyed I assume the eBPF program that increments the maps will die as well.

rhdxmr commented 2 years ago

I understand. Thanks for the explanation.

Have a happy weekend! See you.