Enable BPF filtering on sockets
by from OpenBSD Journal on (#7145K)
Would it be useful for our system security to let daemons use the bpf(4) interface to filter on the sockets they handle?
In a recent message to tech@ titled "bpf filtering on arbitrary sockets", Damien Miller (djm@) presents a preliminary patch and explains,
List: openbsd-tech
Subject: bpf filtering on arbitrary sockets
From: Damien Miller <djm () mindrot ! org>
Date: 2025-10-30 5:03:00

Hi,

This is an idea that came up while talking with dlg@ about network daemons.

Quite a few programs and daemons use SOCK_RAW to send link-level packets after pledge(). E.g. usr.sbin/relayd/check_icmp.c wants to send ICMP packets.

The problem with this is that, if they get compromised, they still hold a very powerful socket that can send pretty much arbitrary packets. If one of these programs gets compromised then the attacker can pretty easily pivot through the existing raw socket.
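To make the idea concrete, here is an added example (not from djm@'s patch or from OpenBSD) of the kind of filter the check_icmp.c case would attach: a classic-BPF program that lets only ICMP echo requests leave a raw ICMP socket, together with a minimal userland interpreter for the three instruction forms it uses so the filter can be exercised without kernel support. The kernel-side attach interface from the preliminary patch is not shown here, since it is not on this page; the filter assumes the socket sends ICMP messages without an IP header.

```c
/* Added example (not from the tech@ thread or OpenBSD): a classic-BPF filter
 * confining a raw ICMP socket to echo requests, plus a tiny interpreter. */
#include <stdint.h>
#include <stddef.h>

/* Classic BPF opcode values and the ICMP echo-request type. */
enum { BPF_LD = 0x00, BPF_B = 0x10, BPF_ABS = 0x20, BPF_JMP = 0x05,
       BPF_JEQ = 0x10, BPF_K = 0x00, BPF_RET = 0x06, ICMP_ECHO = 8 };
struct bpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
#define BPF_STMT(c, k) { (c), 0, 0, (k) }
#define BPF_JUMP(c, k, jt, jf) { (c), (jt), (jf), (k) }

/* Constructed filter over what a SOCK_RAW/IPPROTO_ICMP socket sends (no IP
 * header): byte 0 is the ICMP type, byte 1 the code. Only type 8/code 0 passes. */
static const struct bpf_insn icmp_echo_only[] = {
	BPF_STMT(BPF_LD | BPF_B | BPF_ABS, 0),                /* A = type */
	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ICMP_ECHO, 0, 3), /* else reject */
	BPF_STMT(BPF_LD | BPF_B | BPF_ABS, 1),                /* A = code */
	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 0, 1),         /* else reject */
	BPF_STMT(BPF_RET | BPF_K, 0xffffffff),                /* accept */
	BPF_STMT(BPF_RET | BPF_K, 0),                         /* reject */
};

/* Run a filter; returns the accepted length, 0 = drop. Out-of-range loads
 * and unknown opcodes drop the packet, i.e. the filter fails closed. */
uint32_t bpf_run(const struct bpf_insn *p, size_t n,
                 const uint8_t *pkt, size_t len)
{
	uint32_t A = 0;
	for (size_t pc = 0; pc < n;) {
		const struct bpf_insn *in = &p[pc++];
		switch (in->code) {
		case BPF_LD | BPF_B | BPF_ABS:
			if (in->k >= len) return 0;
			A = pkt[in->k]; break;
		case BPF_JMP | BPF_JEQ | BPF_K:
			pc += (A == in->k) ? in->jt : in->jf; break;
		case BPF_RET | BPF_K:
			return in->k;
		default: return 0;
		}
	}
	return 0;
}

/* 1 if the filter would let this ICMP message leave the socket, else 0. */
int icmp_send_allowed(const uint8_t *pkt, size_t len)
{
	return bpf_run(icmp_echo_only, 6, pkt, len) != 0;
}
```

With such a filter in place, a compromised process that still holds the raw socket can only emit echo requests; anything else (replies, redirects, truncated headers) is dropped at send time.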