
How can I drop a packet in the kernel after catching it with SOCK_RAW in user mode?

I have used SOCK_RAW to get all IP packets from the kernel.

socket(PF_PACKET, SOCK_RAW, htons(protocol));

But the packet is still alive in the kernel; how can I drop it?

You cannot. When you receive the packet on a raw socket, the kernel has created a copy and delivered it to your receiving process. The packet will continue being processed in the meantime according to the usual semantics. It's likely this will have completed (i.e. whatever the stack would normally do with it will already be done) by the time your process receives it.

However, if the packet is not actually destined to your box (e.g. you're receiving it only because you have the network interface in promiscuous mode), or if there is no local process [or in-kernel component] interested in receiving it, the packet will just be discarded anyway.

If you simply wish to receive all packets that arrive on an interface without processing them, you can simply bring the interface up in promiscuous mode without giving it an IP address. Then packets will be delivered to your raw socket but will then be discarded by the stack.

Old question, but others might find this answer useful.

It depends on the use case, but you can actually drop ingress packets after you get them from AF_PACKET SOCK_RAW. To do that, add an ingress qdisc that has a drop action. Example:

sudo tc qdisc add dev eth0 ingress
sudo tc filter add dev eth0 parent ffff: matchall action drop

Explanation: this works because AF_PACKET sniffs the packet's copy from the per-device tap, which is a little bit earlier than the ingress qdisc in the kernel network stack's packet processing pipeline. That way you can implement a simple userspace switch.
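As an added example (not code from either answer), here is the userspace side of such a switch: frames arrive as copies on the AF_PACKET socket while the ingress drop filter above keeps the kernel stack from processing them, and a MAC learning table picks the egress port. Using the interface index as the port id, the `FLOOD`/`DROP` codes and the `fdb` table are assumptions of this sketch, and transmission on the egress interface is left out.

```c
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define FLOOD (-1)  /* unknown or group destination: send out every other port */
#define DROP  (-2)  /* runt frame, or destination lives behind the ingress port */
static struct { uint8_t mac[ETH_ALEN]; int port; } fdb[64]; /* learned MAC -> port */
static int fdb_used;

static int fdb_find(const uint8_t *mac) {
    for (int i = 0; i < fdb_used; i++)
        if (memcmp(fdb[i].mac, mac, ETH_ALEN) == 0) return i;
    return -1;
}

/* Learn the source MAC on in_port, then choose the egress port for the frame. */
int switch_frame(const uint8_t *frame, size_t len, int in_port) {
    if (len < ETH_HLEN) return DROP;
    const uint8_t *dst = frame, *src = frame + ETH_ALEN;
    if (!(src[0] & 1)) {                        /* never learn a group address */
        int i = fdb_find(src);
        if (i < 0 && fdb_used < 64) i = fdb_used++;
        if (i >= 0) { memcpy(fdb[i].mac, src, ETH_ALEN); fdb[i].port = in_port; }
    }
    int j = (dst[0] & 1) ? -1 : fdb_find(dst);  /* broadcast/multicast: flood */
    if (j < 0) return FLOOD;
    return fdb[j].port == in_port ? DROP : fdb[j].port;
}

/* Receive loop: one socket sees the tap copies from all interfaces. */
int main(void) {
    uint8_t buf[2048];
    struct sockaddr_ll from;
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); /* needs CAP_NET_RAW */
    if (fd < 0) { perror("socket"); return 1; }
    for (;;) {
        socklen_t fl = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &fl);
        if (n < 0) break;
        if (from.sll_pkttype == PACKET_OUTGOING) continue; /* our own transmissions */
        printf("ifindex %d: %zd bytes -> %d\n", from.sll_ifindex, n,
               switch_frame(buf, (size_t)n, from.sll_ifindex));
    }
    return 0;
}
```

Because the tap sits before the ingress qdisc, the same ordering means a capture tool on that interface still sees traffic that the `tc` filter drops.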
