sd-dhcp-client: use BPF on raw socket

Filter out everything except UDP packets destined for the DHCP client port,
this should avoid the vast majority of spurious wakeups.

Filter based on [0], with permission.

Possible improvemnts: also check for the DHCP magic cookie to drop invalid
packets. Check for our xid to filter out packets destined for other clients.

[0]: <https://github.com/ambrop72/badvpn/blob/master/dhcpclient/BDHCPClient.c#L57>

diff --git a/src/libsystemd-network/dhcp-network.c b/src/libsystemd-network/dhcp-network.c
index ecc94b9be782946a30d89bfcd96c2ce44e980b44..8bfb2d50af7a620424881a462387333913e053ce 100644 (file)
--- a/src/libsystemd-network/dhcp-network.c
+++ b/src/libsystemd-network/dhcp-network.c
@@ -25,6 +25,7 @@
 #include <net/ethernet.h>
 #include <stdio.h>
 #include <unistd.h>
+#include <linux/filter.h>
 
 #include "socket-util.h"
 
@@ -32,6 +33,19 @@
 
 int dhcp_network_bind_raw_socket(int index, union sockaddr_union *link)
 {
+        struct sock_filter filter[] = {
+            BPF_STMT(BPF_LD + BPF_B + BPF_ABS, offsetof(DHCPPacket, ip.protocol)), /* A <- IP protocol */
+            BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, IPPROTO_UDP, 1, 0),                /* IP protocol = UDP? */
+            BPF_STMT(BPF_RET + BPF_K, 0),                                          /* ignore */
+            BPF_STMT(BPF_LD + BPF_H + BPF_ABS, offsetof(DHCPPacket, udp.dest)),    /* A <- UDP destination port */
+            BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, DHCP_PORT_CLIENT, 1, 0),           /* UDP destination port = DHCP client? */
+            BPF_STMT(BPF_RET + BPF_K, 0),                                          /* ignore */
+            BPF_STMT(BPF_RET + BPF_K, 65535),                                      /* return all */
+        };
+        struct sock_fprog fprog = {
+            .len = ELEMENTSOF(filter),
+            .filter = filter
+        };
         int s, one = 1;
 
         assert(index > 0);
@@ -50,6 +64,10 @@ int dhcp_network_bind_raw_socket(int index, union sockaddr_union *link)
         if (setsockopt (s, SOL_PACKET, PACKET_AUXDATA, &one, sizeof(one)) < 0)
                 return -errno;
 
+        if (setsockopt(s, SOL_SOCKET, SO_ATTACH_FILTER, &fprog, sizeof(fprog)) < 0) {
+                return -errno;
+        }
+
         if (bind(s, &link->sa, sizeof(link->ll)) < 0) {
                 safe_close(s);
                 return -errno;