Linux: Lock the BPF filter from future changes

author Roy Marples <roy@marples.name>

Sat, 16 May 2020 11:28:56 +0000 (12:28 +0100)

committer Roy Marples <roy@marples.name>

Sat, 16 May 2020 11:28:56 +0000 (12:28 +0100)
author Roy Marples <roy@marples.name>
Sat, 16 May 2020 11:28:56 +0000 (12:28 +0100)
committer Roy Marples <roy@marples.name>
Sat, 16 May 2020 11:28:56 +0000 (12:28 +0100)
diff --git a/src/if-linux.c b/src/if-linux.c

index 2e86fe616b69493fb865699409235d163e6d4b0f..62bb239874291d3e71bd3dd1772d6efc4378780e 100644 (file)
--- a/src/if-linux.c
+++ b/src/if-linux.c
@@ -1725,7 +1725,17 @@ bpf_attach(int s, void *filter, unsigned int filter_len)
         };
  
         /* Install the filter. */
-       return setsockopt(s, SOL_SOCKET, SO_ATTACH_FILTER, &pf, sizeof(pf));
+       if (setsockopt(s, SOL_SOCKET, SO_ATTACH_FILTER, &pf, sizeof(pf)) == -1)
+               return -1;
+
+#ifdef SO_LOCK_FILTER
+       int on = 1;
+
+       if (setsockopt(s, SOL_SOCKET, SO_LOCK_FILTER, &on, sizeof(on)) == -1)
+               return -1;
+#endif
+
+       return 0;
  }
  
  int
author	Roy Marples <roy@marples.name>
	Sat, 16 May 2020 11:28:56 +0000 (12:28 +0100)
committer	Roy Marples <roy@marples.name>
	Sat, 16 May 2020 11:28:56 +0000 (12:28 +0100)