picnoir/Systemd
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

sd-dhcp-client: use BPF on raw socket

Browse source 
Filter out everything except UDP packets destined for the DHCP client port,
this should avoid the vast majority of spurious wakeups.

Filter based on [0], with permission.

Possible improvemnts: also check for the DHCP magic cookie to drop invalid
packets. Check for our xid to filter out packets destined for other clients.

[0]: <https://github.com/ambrop72/badvpn/blob/master/dhcpclient/BDHCPClient.c#L57>
This commit is contained in:
Tom Gundersen 2014-03-31 09:54:18 +02:00
parent b6b20d1d36
commit bc29e507e2
1 changed files with 18 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
src/libsystemd-network/dhcp-network.c
View file

@ -25,6 +25,7 @@
#include <net/ethernet.h>
#include <stdio.h>
#include <unistd.h>
#include <linux/filter.h>
#include "socket-util.h"
@ -32,6 +33,19 @@
int dhcp_network_bind_raw_socket(int index, union sockaddr_union *link)
{
struct sock_filter filter[] = {
BPF_STMT(BPF_LD + BPF_B + BPF_ABS, offsetof(DHCPPacket, ip.protocol)), /* A <- IP protocol */
BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, IPPROTO_UDP, 1, 0), /* IP protocol = UDP? */
BPF_STMT(BPF_RET + BPF_K, 0), /* ignore */
BPF_STMT(BPF_LD + BPF_H + BPF_ABS, offsetof(DHCPPacket, udp.dest)), /* A <- UDP destination port */
BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, DHCP_PORT_CLIENT, 1, 0), /* UDP destination port = DHCP client? */
BPF_STMT(BPF_RET + BPF_K, 0), /* ignore */
BPF_STMT(BPF_RET + BPF_K, 65535), /* return all */
};
struct sock_fprog fprog = {
.len = ELEMENTSOF(filter),
.filter = filter
};
int s, one = 1;
assert(index > 0);
@ -50,6 +64,10 @@ int dhcp_network_bind_raw_socket(int index, union sockaddr_union *link)
if (setsockopt (s, SOL_PACKET, PACKET_AUXDATA, &one, sizeof(one)) < 0)
return -errno;
if (setsockopt(s, SOL_SOCKET, SO_ATTACH_FILTER, &fprog, sizeof(fprog)) < 0) {
return -errno;
}
if (bind(s, &link->sa, sizeof(link->ll)) < 0) {
safe_close(s);
return -errno;