isisd: use BPF on Linux/PF_PACKET

we *really* don't want to receive every single packet (of any protocol type) coming in on an IS-IS enabled interface. Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2025-08-14 06:50:17 +00:00 · 2016-11-15 08:26:56 +09:00 · 2016-11-15 08:26:56 +09:00 · 4fa80053a3
commit 4fa80053a3
parent 095f8fae64
1 changed files with 27 additions and 0 deletions
--- a/isisd/isis_pfpacket.c
+++ b/isisd/isis_pfpacket.c
@ -25,6 +25,8 @@
 #include <net/ethernet.h>	/* the L2 protocols */
 #include <netpacket/packet.h>

+#include <linux/filter.h>
+
 #include "log.h"
 #include "network.h"
 #include "stream.h"
@ -44,6 +46,25 @@

 extern struct zebra_privs_t isisd_privs;

+/* tcpdump -i eth0 'isis' -dd */
+static struct sock_filter isisfilter[] = {
+/* NB: we're in SOCK_DGRAM, so src/dst mac + length are stripped off!
+ * (OTOH it's a bit more lower-layer agnostic and might work over GRE?) */
+/*	{ 0x28, 0, 0, 0x0000000c - 14 }, */
+/*	{ 0x25, 5, 0, 0x000005dc }, */
+	{ 0x28, 0, 0, 0x0000000e - 14 },
+	{ 0x15, 0, 3, 0x0000fefe },
+	{ 0x30, 0, 0, 0x00000011 - 14 },
+	{ 0x15, 0, 1, 0x00000083 },
+	{ 0x6, 0, 0, 0x00040000 },
+	{ 0x6, 0, 0, 0x00000000 },
+};
+
+static struct sock_fprog bpf = {
+	.len = array_size(isisfilter),
+	.filter = isisfilter,
+};
+
 /*
 * Table 9 - Architectural constants for use with ISO 8802 subnetworks
 * ISO 10589 - 8.4.8
@ -117,6 +138,12 @@ open_packet_socket (struct isis_circuit *circuit)
      return ISIS_WARNING;
    }

+  if (setsockopt (fd, SOL_SOCKET, SO_ATTACH_FILTER, &bpf, sizeof (bpf)))
+    {
+      zlog_warn ("open_packet_socket(): SO_ATTACH_FILTER failed: %s",
+		 safe_strerror (errno));
+    }
+
  /*
   * Bind to the physical interface
   */