mirror of https://github.com/mkerrisk/man-pages
socket.7: Minor tweaks to Craig's patch
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
parent
6e9336599c
commit
096da11042
125
man7/socket.7
125
man7/socket.7
|
@ -301,21 +301,25 @@ The value 0 indicates that this is not a listening socket,
|
|||
the value 1 indicates that this is a listening socket.
|
||||
This socket option is read-only.
|
||||
.TP
|
||||
.BR SO_ATTACH_FILTER " and " SO_ATTACH_BPF
|
||||
Attach a classic or extended BPF program (respectively) to the socket
|
||||
for use as a filter of incoming packets. A packet will be dropped if
|
||||
the filter program returns zero. If the filter program returns a
|
||||
non-zero value which is less than the packet's data length, the packet
|
||||
will be truncated to the length returned. If the value returned by
|
||||
the filter is greater than or equal to the packet's data length, the
|
||||
packet is allowed to proceed unmodified.
|
||||
.BR SO_ATTACH_FILTER " (since Linux 2.2), " SO_ATTACH_BPF " (since Linux 3.19)"
|
||||
Attach a classic BPF
|
||||
.RB ( SO_ATTACH_FILTER )
|
||||
or an extended BPF
|
||||
.RB ( SO_ATTACH_BPF )
|
||||
program to the socket for use as a filter of incoming packets.
|
||||
A packet will be dropped if the filter program returns zero.
|
||||
If the filter program returns a
|
||||
non-zero value which is less than the packet's data length,
|
||||
the packet will be truncated to the length returned.
|
||||
If the value returned by the filter is greater than or equal to the
|
||||
packet's data length, the packet is allowed to proceed unmodified.
|
||||
|
||||
The argument for
|
||||
.BR SO_ATTACH_FILTER
|
||||
is a
|
||||
.I sock_fprog
|
||||
structure in
|
||||
.B <linux/filter.h>.
|
||||
structure, defined in
|
||||
.IR <linux/filter.h> :
|
||||
.sp
|
||||
.in +4n
|
||||
.nf
|
||||
|
@ -332,31 +336,33 @@ is a file descriptor returned by the
|
|||
.BR bpf (2)
|
||||
system call and must refer to a program of type
|
||||
.BR BPF_PROG_TYPE_SOCKET_FILTER.
|
||||
These options may be set multiple times for a given socket, each time
|
||||
replacing the previous filter program. The classic and extended
|
||||
versions may be called on the same socket, but the previous filter
|
||||
will always be replaced such that a socket never has more than one
|
||||
filter defined.
|
||||
|
||||
.BR SO_ATTACH_FILTER
|
||||
is available since Linux 2.2.
|
||||
.BR SO_ATTACH_BPF
|
||||
is available since Linux 3.19. Both classic and extended BPF are
|
||||
explained in the kernel source file
|
||||
These options may be set multiple times for a given socket,
|
||||
each time replacing the previous filter program.
|
||||
The classic and extended versions may be called on the same socket,
|
||||
but the previous filter will always be replaced such that a socket
|
||||
never has more than one filter defined.
|
||||
|
||||
Both classic and extended BPF are explained in the kernel source file
|
||||
.I Documentation/networking/filter.txt
|
||||
.TP
|
||||
.BR SO_ATTACH_REUSEPORT_CBPF ", " SO_ATTACH_REUSEPORT_EBPF " (since Linux 4.5)"
|
||||
.BR SO_ATTACH_REUSEPORT_CBPF ", " SO_ATTACH_REUSEPORT_EBPF
|
||||
For use with the
|
||||
.BR SO_REUSEPORT
|
||||
option, these options allow the user to set a classic or extended
|
||||
BPF program (respectively) which defines how packets are assigned to
|
||||
option, these options allow the user to set a classic BPF
|
||||
.RB ( SO_ATTACH_REUSEPORT_CBPF )
|
||||
or an extended BPF
|
||||
.RB ( SO_ATTACH_REUSEPORT_EBPF )
|
||||
program which defines how packets are assigned to
|
||||
the sockets in the reuseport group (that is, all sockets which have
|
||||
.BR SO_REUSEPORT
|
||||
set and are using the same local address to receive packets). The BPF
|
||||
program must return an index between 0 and N-1 representing the socket
|
||||
which should receive the packet (where N is the number of sockets in
|
||||
the group). If the BPF program returns an invalid index, socket
|
||||
selection will fall back to the plain
|
||||
set and are using the same local address to receive packets).
|
||||
|
||||
The BPF program must return an index between 0 and N\-1 representing
|
||||
the socket which should receive the packet
|
||||
(where N is the number of sockets in the group).
|
||||
If the BPF program returns an invalid index,
|
||||
socket selection will fall back to the plain
|
||||
.BR SO_REUSEPORT
|
||||
mechanism.
|
||||
|
||||
|
@ -365,25 +371,26 @@ Sockets are numbered in the order in which they are added to the group
|
|||
.BR bind (2)
|
||||
calls for UDP sockets or the order of
|
||||
.BR listen (2)
|
||||
calls for TCP sockets). New sockets added to a reuseport group will
|
||||
inherit the BPF program. When a socket is removed from a reuseport
|
||||
group (via
|
||||
.BR close (2))
|
||||
calls for TCP sockets).
|
||||
New sockets added to a reuseport group will inherit the BPF program.
|
||||
When a socket is removed from a reuseport group (via
|
||||
.BR close (2)),
|
||||
the last socket in the group will be moved into the closed socket's
|
||||
position.
|
||||
|
||||
These options may be set repeatedly at any time on any single socket
|
||||
in the group to replace the current BPF program used by all sockets in
|
||||
the group.
|
||||
These options may be set repeatedly at any time on any socket in the group
|
||||
to replace the current BPF program used by all sockets in the group.
|
||||
|
||||
.BR SO_ATTACH_REUSEPORT_CBPF
|
||||
takes the same socket argument type as
|
||||
takes the same argument type as
|
||||
.BR SO_ATTACH_FILTER
|
||||
and
|
||||
.BR SO_ATTACH_REUSEPORT_EBPF
|
||||
takes the same socket argument type as
|
||||
takes the same argument type as
|
||||
.BR SO_ATTACH_BPF.
|
||||
UDP support for this feature is available since Linux 4.5.
|
||||
TCP support for this feature is available since Linux 4.6.
|
||||
|
||||
UDP support for this feature is available since Linux 4.5;
|
||||
TCP support is available since Linux 4.6.
|
||||
.TP
|
||||
.B SO_BINDTODEVICE
|
||||
Bind this socket to a particular device like \(lqeth0\(rq,
|
||||
|
@ -442,17 +449,14 @@ Only allowed for processes with the
|
|||
.B CAP_NET_ADMIN
|
||||
capability or an effective user ID of 0.
|
||||
.TP
|
||||
.BR SO_DETACH_FILTER " and " SO_DETACH_BPF
|
||||
These options may be used to remove the BPF program attached to the
|
||||
socket with either
|
||||
.BR SO_DETACH_FILTER " (since Linux 2.2), " SO_DETACH_BPF " (since Linux 3.19)"
|
||||
These two options, which are synonyms,
|
||||
may be used to remove the classic or extended BPF
|
||||
program attached to a socket with either
|
||||
.BR SO_ATTACH_FILTER
|
||||
or
|
||||
.BR SO_ATTACH_BPF.
|
||||
.BR SO_ATTACH_BPF .
|
||||
The option value is ignored.
|
||||
.BR SO_DETACH_FILTER
|
||||
is available since Linux 2.2.
|
||||
.BR SO_DETACH_BPF
|
||||
is available since Linux 3.19.
|
||||
.TP
|
||||
.BR SO_DOMAIN " (since Linux 2.6.32)"
|
||||
Retrieves the socket domain as an integer, returning a value such as
|
||||
|
@ -510,23 +514,30 @@ When the socket is closed as part of
|
|||
it always lingers in the background.
|
||||
.TP
|
||||
.B SO_LOCK_FILTER
|
||||
.\" commit d59577b6ffd313d0ab3be39cb1ab47e29bdc9182
|
||||
When set, this option will prevent an unprivileged process from
|
||||
changing the filters associated with the socket. These filters
|
||||
include any set using the socket options
|
||||
changing the filters associated with the socket.
|
||||
These filters include any set using the socket options
|
||||
.BR SO_ATTACH_FILTER,
|
||||
.BR SO_ATTACH_BPF,
|
||||
.BR SO_ATTACH_REUSEPORT_CBPF
|
||||
or
|
||||
.BR SO_ATTACH_REUSEPORT_EPBF.
|
||||
The typical use case is for a privileged process to setup a socket with
|
||||
and
|
||||
.BR SO_ATTACH_REUSEPORT_EPBF .
|
||||
|
||||
The typical use case is for a privileged process to set up a socket with
|
||||
restrictive filters, set
|
||||
.BR SO_LOCK_FILTER
|
||||
.BR SO_LOCK_FILTER ,
|
||||
and then either drop its privileges or pass the socket file descriptor
|
||||
to an unprivileged process. Attempts to change a filter by an
|
||||
unprivileged process while
|
||||
to an unprivileged process.
|
||||
|
||||
Once the
|
||||
.BR SO_LOCK_FILTER
|
||||
is set will result in an error with value
|
||||
.BR EPERM.
|
||||
option has been enabled,
|
||||
attempts by an unprivileged process to change or remove the filter
|
||||
attached to a socket, or to disable the
|
||||
.BR SO_LOCK_FILTER
|
||||
option will fail with the error
|
||||
.BR EPERM .
|
||||
.TP
|
||||
.BR SO_MARK " (since Linux 2.6.25)"
|
||||
.\" commit 4a19ec5800fc3bb64e2d87c4d9fdd9e636086fe0
|
||||
|
|
Loading…
Reference in New Issue