isisd: use BPF on Linux/PF_PACKET

we *really* don't want to receive every single packet (of any protocol
type) coming in on an IS-IS enabled interface.

Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
This commit is contained in:
David Lamparter 2016-11-15 08:26:56 +09:00
parent 095f8fae64
commit 4fa80053a3

View File

@ -25,6 +25,8 @@
#include <net/ethernet.h> /* the L2 protocols */
#include <netpacket/packet.h>
#include <linux/filter.h>
#include "log.h"
#include "network.h"
#include "stream.h"
@ -44,6 +46,25 @@
extern struct zebra_privs_t isisd_privs;
/* tcpdump -i eth0 'isis' -dd */
static struct sock_filter isisfilter[] = {
/* NB: we're in SOCK_DGRAM, so src/dst mac + length are stripped off!
* (OTOH it's a bit more lower-layer agnostic and might work over GRE?) */
/* { 0x28, 0, 0, 0x0000000c - 14 }, */
/* { 0x25, 5, 0, 0x000005dc }, */
{ 0x28, 0, 0, 0x0000000e - 14 },
{ 0x15, 0, 3, 0x0000fefe },
{ 0x30, 0, 0, 0x00000011 - 14 },
{ 0x15, 0, 1, 0x00000083 },
{ 0x6, 0, 0, 0x00040000 },
{ 0x6, 0, 0, 0x00000000 },
};
static struct sock_fprog bpf = {
.len = array_size(isisfilter),
.filter = isisfilter,
};
/*
* Table 9 - Architectural constants for use with ISO 8802 subnetworks
* ISO 10589 - 8.4.8
@ -117,6 +138,12 @@ open_packet_socket (struct isis_circuit *circuit)
return ISIS_WARNING;
}
if (setsockopt (fd, SOL_SOCKET, SO_ATTACH_FILTER, &bpf, sizeof (bpf)))
{
zlog_warn ("open_packet_socket(): SO_ATTACH_FILTER failed: %s",
safe_strerror (errno));
}
/*
* Bind to the physical interface
*/