mirror of
https://git.proxmox.com/git/mirror_frr
synced 2025-08-03 20:27:03 +00:00
isisd: use BPF on Linux/PF_PACKET
we *really* don't want to receive every single packet (of any protocol type) coming in on an IS-IS enabled interface. Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
This commit is contained in:
parent
095f8fae64
commit
4fa80053a3
@ -25,6 +25,8 @@
|
||||
#include <net/ethernet.h> /* the L2 protocols */
|
||||
#include <netpacket/packet.h>
|
||||
|
||||
#include <linux/filter.h>
|
||||
|
||||
#include "log.h"
|
||||
#include "network.h"
|
||||
#include "stream.h"
|
||||
@ -44,6 +46,25 @@
|
||||
|
||||
extern struct zebra_privs_t isisd_privs;
|
||||
|
||||
/* tcpdump -i eth0 'isis' -dd */
|
||||
static struct sock_filter isisfilter[] = {
|
||||
/* NB: we're in SOCK_DGRAM, so src/dst mac + length are stripped off!
|
||||
* (OTOH it's a bit more lower-layer agnostic and might work over GRE?) */
|
||||
/* { 0x28, 0, 0, 0x0000000c - 14 }, */
|
||||
/* { 0x25, 5, 0, 0x000005dc }, */
|
||||
{ 0x28, 0, 0, 0x0000000e - 14 },
|
||||
{ 0x15, 0, 3, 0x0000fefe },
|
||||
{ 0x30, 0, 0, 0x00000011 - 14 },
|
||||
{ 0x15, 0, 1, 0x00000083 },
|
||||
{ 0x6, 0, 0, 0x00040000 },
|
||||
{ 0x6, 0, 0, 0x00000000 },
|
||||
};
|
||||
|
||||
static struct sock_fprog bpf = {
|
||||
.len = array_size(isisfilter),
|
||||
.filter = isisfilter,
|
||||
};
|
||||
|
||||
/*
|
||||
* Table 9 - Architectural constants for use with ISO 8802 subnetworks
|
||||
* ISO 10589 - 8.4.8
|
||||
@ -117,6 +138,12 @@ open_packet_socket (struct isis_circuit *circuit)
|
||||
return ISIS_WARNING;
|
||||
}
|
||||
|
||||
if (setsockopt (fd, SOL_SOCKET, SO_ATTACH_FILTER, &bpf, sizeof (bpf)))
|
||||
{
|
||||
zlog_warn ("open_packet_socket(): SO_ATTACH_FILTER failed: %s",
|
||||
safe_strerror (errno));
|
||||
}
|
||||
|
||||
/*
|
||||
* Bind to the physical interface
|
||||
*/
|
||||
|
Loading…
Reference in New Issue
Block a user