I was wondering if there's a difference between eBPF XDP and eBPF socket filter mode when parsing packet header information.
Say I want to retrieve a destination IP address and a source IP address from a packet header using eBPF.
If there's no difference in doing so between XDP and socket filter mode, maybe it's better to implement packet monitoring functionality in XDP instead of implementing it in a socket filter program?
If so, wouldn't it be always better to monitor every incoming packet using XDP instead of using a socket buffer since XDP can offload its operations to a NIC when used with hardware offload mode?
Thanks!
If your kernel supports direct packet access for socket filter programs, there is indeed little difference between parsing them with socket filter or XDP programs.
There are, however, other reasons to prefer tc or socket filter programs to XDP programs. The main reason is likely that XDP has relatively few helpers available, especially compared to tc programs. Then, different program types have access to different information; for example, tc programs have partial access to the skb and socket filter programs can access socket uids and cookies.
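The header parsing discussed above, as an added example that is not part of the original question or answer: plain userspace C (not a loadable eBPF program) that extracts the IPv4 source and destination addresses with the kind of `data`/`data_end` bounds checks XDP direct packet access requires. The function name, struct, macro and sample frame are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

struct ip_pair { uint32_t saddr, daddr; };  /* host byte order */

/* True if n bytes are readable at p. An XDP program writes the same
 * check as `p + n > data_end` and is rejected by the verifier without it. */
#define HAVE(p, n) ((size_t)(data_end - (p)) >= (size_t)(n))

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 0 and fills *out, or -1 if the frame is truncated, malformed or not IPv4. */
int parse_ipv4_addrs(const uint8_t *data, const uint8_t *data_end, struct ip_pair *out)
{
    const uint8_t *p = data;
    if (data_end < data || !HAVE(p, 14)) return -1;  /* Ethernet header */
    uint16_t proto = rd16(p + 12);
    p += 14;
    if (proto == 0x8100) {                           /* one 802.1Q VLAN tag */
        if (!HAVE(p, 4)) return -1;
        proto = rd16(p + 2);
        p += 4;
    }
    if (proto != 0x0800 || !HAVE(p, 20)) return -1;  /* IPv4, minimum header */
    if ((p[0] >> 4) != 4) return -1;                 /* version field */
    unsigned ihl = (p[0] & 0x0fu) * 4u;              /* header length in bytes */
    if (ihl < 20 || !HAVE(p, ihl)) return -1;
    out->saddr = rd32(p + 12);
    out->daddr = rd32(p + 16);
    return 0;
}

/* Constructed sample: Ethernet + IPv4 header, 192.0.2.1 -> 198.51.100.7 */
static const uint8_t sample_frame[] = {
    0x02,0,0,0,0,0x02, 0x02,0,0,0,0,0x01, 0x08,0x00,
    0x45,0x00,0x00,0x14, 0,0,0,0, 0x40,0x06,0,0,
    192,0,2,1, 198,51,100,7 };

int main(void)
{
    struct ip_pair r;
    if (parse_ipv4_addrs(sample_frame, sample_frame + sizeof sample_frame, &r) == 0)
        printf("src=%08x dst=%08x\n", (unsigned)r.saddr, (unsigned)r.daddr);
    return 0;
}
```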