Merge pull request #11113 from opensourcerouting/pim6-icmp6-replace-bpf

pim6d: use ICMP6_FILTER instead of BPF on mroute
author: Donald Sharp <donaldsharp72@gmail.com> 2022-05-02 13:19:47 -0400
committer: GitHub <noreply@github.com> 2022-05-02 13:19:47 -0400
commit: 53f60d5d5b124ceb0243483d000d7cc70b9d6580 (patch)
tree: a8de4b2525f9bf407904a352f1f783adc9c611e9 /pimd/pim_mroute.c
parent: 6c65d0e8dccf379f9712ca264839ef0b2426d504 (diff)
parent: fef295d439236b2673ae4bb0d77f7681322b57f9 (diff)
1 files changed, 21 insertions, 0 deletions
diff --git a/pimd/pim_mroute.c b/pimd/pim_mroute.c
index b7f483dbc0..5f951b4dfc 100644
--- a/pimd/pim_mroute.c
+++ b/pimd/pim_mroute.c
@@ -571,6 +571,27 @@ int pim_mroute_socket_enable(struct pim_instance *pim)
 			return -2;
 		}
 
+#if PIM_IPV == 6
+		struct icmp6_filter filter[1];
+		int ret;
+
+		/* Unlike IPv4, this socket is not used for MLD, so just drop
+		 * everything with an empty ICMP6 filter.  Otherwise we get
+		 * all kinds of garbage here, possibly even non-multicast
+		 * related ICMPv6 traffic (e.g. ping)
+		 *
+		 * (mroute kernel upcall "packets" are injected directly on the
+		 * socket, this sockopt -or any other- has no effect on them)
+		 */
+		ICMP6_FILTER_SETBLOCKALL(filter);
+		ret = setsockopt(fd, SOL_ICMPV6, ICMP6_FILTER, filter,
+				 sizeof(filter));
+		if (ret)
+			zlog_err(
+				"(VRF %s) failed to set mroute control filter: %m",
+				pim->vrf->name);
+#endif
+
 #ifdef SO_BINDTODEVICE
 		if (pim->vrf->vrf_id != VRF_DEFAULT
 		    && setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE,
author	Donald Sharp <donaldsharp72@gmail.com>	2022-05-02 13:19:47 -0400
committer	GitHub <noreply@github.com>	2022-05-02 13:19:47 -0400
commit	53f60d5d5b124ceb0243483d000d7cc70b9d6580 (patch)
tree	a8de4b2525f9bf407904a352f1f783adc9c611e9 /pimd/pim_mroute.c
parent	6c65d0e8dccf379f9712ca264839ef0b2426d504 (diff)
parent	fef295d439236b2673ae4bb0d77f7681322b57f9 (diff)