From: "Theo de Raadt" Subject: Re: bpf filtering on arbitrary sockets To: Damien Miller , tech@openbsd.org Date: Thu, 30 Oct 2025 09:26:05 -0600 Florian Obser wrote: > On 2025-10-30 16:03 +11, Damien Miller wrote: > > What do you think? What would be a good daemon to try this against? > > I was thinking dhcpleased but that seems to use bpf for most of its > > sending, though that should IMO be converted to AF_FRAME now that we > > have it. > > dhcpleased(8) cannot work with AF_FRAME because: > > frame protocol family sockets are designed as an alternative to bpf(4) > for handling low data and packet rate communication protocols. Rather > than filtering every frame entering the system before the network stack, > like bpf(4), processing of the frame protocol family runs after the built > in protocol handlers in the kernel, thus avoiding the overhead. For this > reason, it is not possible to handle IPv4 or IPv6 packets with frame > protocol sockets because the kernel network stack consumes them before > the receive handling for frame sockets is run. > > dhcp packets are IPv4/UDP. in frame manual page: DESCRIPTION The frame protocol family provides an interface for sending and receiving low level network interface frames through the normal socket(2) mechanisms. I dislike how the manual page dances around trying to avoid using the word "ethernet". Sure it is trying to be general, but what does that mean?? Currently only Ethernet interfaces are supported. What is there, other than ethernet??