/*
 * This simple XDP program drops multicast ethernet packets. There are at
 * least two ways in which it can be improved. First, it doesn't handle VLAN.
 * Second, it operates quite invisibly, so perhaps some simple statistics
 * could be added. Anyone brave enough to try and flesh this out? :-)
 *
 * NOTE(review): the destination MAC sits at offset 0 of the frame, ahead of
 * any 802.1Q tag, so the check below reads the same bytes for tagged and
 * untagged frames. VLAN parsing only matters once the program looks at the
 * EtherType or anything after it.
 *
 * NOTE(review): is_multicast_ether_addr() tests the group bit of the first
 * address octet, so the broadcast address ff:ff:ff:ff:ff:ff matches too.
 * Attached to an interface, this program therefore also drops ARP requests
 * and IPv6 neighbour discovery, not only multicast streams. With no counters
 * the drops are silent, which makes the resulting loss of connectivity hard
 * to diagnose.
 */
#include <uapi/linux/bpf.h>
#include <linux/if_ether.h>
#include <linux/etherdevice.h>
#include "bpf_helpers.h"

/*
 * xdp_example1 - drop frames whose destination MAC has the group bit set.
 *
 * @ctx: XDP context; ctx->data and ctx->data_end delimit the packet bytes.
 *
 * Returns XDP_DROP for a frame shorter than an ethernet header or addressed
 * to a multicast destination, and XDP_PASS for everything else.
 */
SEC("xdp_example1")
int xdp_example1(struct xdp_md *ctx)
{
	void *pkt_start = (void *)(long)ctx->data;
	void *pkt_end = (void *)(long)ctx->data_end;
	struct ethhdr *eth = pkt_start;

	/*
	 * Bounds check before the first dereference of eth: a frame too short
	 * to hold a full ethernet header is dropped (fail closed) rather than
	 * passed up the stack.
	 */
	if ((void *)(eth + 1) > pkt_end)
		return XDP_DROP;

	/* Drop the packet if its destination address is multicast. */
	return is_multicast_ether_addr(eth->h_dest) ? XDP_DROP : XDP_PASS;
}