linux: ignore outgoing packets at the socket level

Since Linux 4.20, it is possible to ignore outgoing packets. This is
already done like this on *BSD.

diff --git a/src/daemon/priv-linux.c b/src/daemon/priv-linux.c
index 9a40915059c9653673405866e7272c2ffdb9d0de..43faca3a3f73ed0296578a9cc245d73b6e44980f 100644 (file)
--- a/src/daemon/priv-linux.c
+++ b/src/daemon/priv-linux.c
@@ -145,16 +145,16 @@ asroot_iface_init_os(int ifindex, char *name, int *fd, int proto)
                .len = sizeof(lldpd_filter_f) / sizeof(struct sock_filter)
        };
        if (setsockopt(*fd, SOL_SOCKET, SO_ATTACH_FILTER,
-                &prog, sizeof(prog)) < 0) {
+           &prog, sizeof(prog)) < 0) {
                rc = errno;
                log_warn("privsep", "unable to change filter for %s", name);
                return rc;
        }
 
 #ifdef SO_LOCK_FILTER
-       int enable = 1;
+       int lock = 1;
        if (setsockopt(*fd, SOL_SOCKET, SO_LOCK_FILTER,
-               &enable, sizeof(enable)) < 0) {
+           &lock, sizeof(lock)) < 0) {
                if (errno != ENOPROTOOPT) {
                        rc = errno;
                        log_warn("privsep", "unable to lock filter for %s", name);
@@ -162,6 +162,19 @@ asroot_iface_init_os(int ifindex, char *name, int *fd, int proto)
                }
        }
 #endif
+#ifdef PACKET_IGNORE_OUTGOING
+       int ignore = 1;
+       if (setsockopt(*fd, SOL_PACKET, PACKET_IGNORE_OUTGOING,
+           &ignore, sizeof(ignore)) < 0) {
+               if (errno != ENOPROTOOPT) {
+                       rc = errno;
+                       log_warn("privsep",
+                           "unable to set packet direction for BPF filter on %s",
+                           name);
+                       return rc;
+               }
+       }
+#endif
 
        return 0;
 }