diff options
| author | David Lamparter <equinox@opensourcerouting.org> | 2022-04-27 09:23:27 +0200 |
|---|---|---|
| committer | David Lamparter <equinox@opensourcerouting.org> | 2022-04-28 10:46:57 +0200 |
| commit | fef295d439236b2673ae4bb0d77f7681322b57f9 (patch) | |
| tree | ebe268eb6ee99a25aca3062fc96f3cee37a8f994 | |
| parent | 633a50d11c7dc14e543e849cc4ec135ca0416f17 (diff) | |
pim6d: use ICMP6_FILTER instead of BPF on mroute
The ICMP6_FILTER option is always checked by the kernel, so the cost is
taken whether or not anything is set there. Use it instead of taking on
additional cost with a BPF program.
Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
| -rw-r--r-- | pimd/pim6_mroute_msg.c | 15 | ||||
| -rw-r--r-- | pimd/pim_mroute.c | 21 |
2 files changed, 21 insertions, 15 deletions
diff --git a/pimd/pim6_mroute_msg.c b/pimd/pim6_mroute_msg.c index f34fa5965a..37d67ad048 100644 --- a/pimd/pim6_mroute_msg.c +++ b/pimd/pim6_mroute_msg.c @@ -45,17 +45,6 @@ int pim_mroute_set(struct pim_instance *pim, int enable) int err; int opt, data; socklen_t data_len = sizeof(data); - static const struct sock_filter filter[] = { - BPF_STMT(BPF_LD+BPF_B+BPF_ABS, 0), - BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 0, 1), - BPF_STMT(BPF_RET | BPF_K, 0xffff), - BPF_STMT(BPF_RET | BPF_K, 0), - }; - - static const struct sock_fprog bpf = { - .len = array_size(filter), - .filter = (struct sock_filter *)filter, - }; /* * We need to create the VRF table for the pim mroute_socket @@ -133,10 +122,6 @@ int pim_mroute_set(struct pim_instance *pim, int enable) zlog_warn( "PIM-SM will not work properly on this platform, until the ability to receive the WHOLEPKT upcall"); #endif - if (setsockopt(pim->mroute_socket, SOL_SOCKET, SO_ATTACH_FILTER, &bpf, sizeof(bpf))) { - zlog_warn("Failure to attach SO_ATTACH_FILTER on fd %d: %d %s", - pim->mroute_socket, errno, safe_strerror(errno)); - } } return 0; diff --git a/pimd/pim_mroute.c b/pimd/pim_mroute.c index 43d05dfe9c..7cad0d9711 100644 --- a/pimd/pim_mroute.c +++ b/pimd/pim_mroute.c @@ -571,6 +571,27 @@ int pim_mroute_socket_enable(struct pim_instance *pim) return -2; } +#if PIM_IPV == 6 + struct icmp6_filter filter[1]; + int ret; + + /* Unlike IPv4, this socket is not used for MLD, so just drop + * everything with an empty ICMP6 filter. Otherwise we get + * all kinds of garbage here, possibly even non-multicast + * related ICMPv6 traffic (e.g. ping) + * + * (mroute kernel upcall "packets" are injected directly on the + * socket, this sockopt -or any other- has no effect on them) + */ + ICMP6_FILTER_SETBLOCKALL(filter); + ret = setsockopt(fd, SOL_ICMPV6, ICMP6_FILTER, filter, + sizeof(filter)); + if (ret) + zlog_err( + "(VRF %s) failed to set mroute control filter: %m", + pim->vrf->name); +#endif + #ifdef SO_BINDTODEVICE if (pim->vrf->vrf_id != VRF_DEFAULT && setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, |