attach bpf filter to icmp socket on polls

this will improve performance when having lots of forwarder instances with icmp remote on same server

Author: Arian8j2

Cargo.lock

@@ -10,3 +10,4 @@ etherparse = "0.13.0"
 socket2 = { version = "0.5.5", features = ["all"] }
 mio = { version = "1.0.2", features = ["net", "os-poll"] }
 parking_lot = "0.12.3"
+libc = "0.2.158"

forwarder/Cargo.toml

@@ -34,8 +34,8 @@ pub fn run(listen_uri: Uri, remote_uri: Uri, passphrase: Option<String>) -> anyh
     let socket = Arc::new(socket);
     log::info!("listen on '{listen_addr}'");
 
-    let poll = poll::new(remote_uri.protocol, remote_uri.addr.is_ipv6())
-        .with_context(|| "couldn't create poll")?;
+    let poll =
+        poll::new(remote_uri.protocol, remote_uri.addr).with_context(|| "couldn't create poll")?;
     let registry = poll
         .get_registry()
         .with_context(|| "couldn't get registry of poll")?;

forwarder/src/lib.rs

@@ -4,7 +4,7 @@ use crate::{
     uri::Protocol,
 };
 use parking_lot::RwLock;
-use std::sync::Arc;
+use std::{net::SocketAddr, sync::Arc};
 
 type OnPeerRecvCallback = dyn Fn(&Peer, &mut [u8]);
 
@@ -32,9 +32,9 @@ pub trait Registry: Send + Sync {
 mod icmp;
 mod udp;
 
-pub fn new(protocol: Protocol, is_ipv6: bool) -> anyhow::Result<Box<dyn Poll>> {
+pub fn new(protocol: Protocol, remote_addr: SocketAddr) -> anyhow::Result<Box<dyn Poll>> {
     Ok(match protocol {
         Protocol::Udp => Box::new(udp::UdpPoll(mio::Poll::new()?)),
-        Protocol::Icmp => Box::new(icmp::IcmpPoll { is_ipv6 }),
+        Protocol::Icmp => Box::new(icmp::IcmpPoll { remote_addr }),
     })
 }

forwarder/src/poll.rs

@@ -5,11 +5,11 @@ use crate::{
     MAX_PACKET_SIZE,
 };
 use parking_lot::RwLock;
-use std::{mem::MaybeUninit, sync::Arc};
+use std::{mem::MaybeUninit, net::SocketAddr, sync::Arc};
 
 #[derive(Debug)]
 pub struct IcmpPoll {
-    pub is_ipv6: bool,
+    pub remote_addr: SocketAddr,
 }
 
 impl Poll for IcmpPoll {
@@ -22,18 +22,28 @@ impl Poll for IcmpPoll {
         peers: Arc<RwLock<PeerManager>>,
         on_peer_recv: Box<dyn Fn(&Peer, &mut [u8])>,
     ) -> anyhow::Result<()> {
-        let listen_addr = crate::peer::create_any_addr(self.is_ipv6);
+        let is_ipv6 = self.remote_addr.is_ipv6();
+        let listen_addr = crate::peer::create_any_addr(is_ipv6);
         let socket: socket2::Socket = IcmpSocket::inner_bind(listen_addr)?;
         let mut buffer = [0u8; MAX_PACKET_SIZE];
 
+        #[cfg(target_os = "linux")]
+        if !is_ipv6 {
+            let filter = create_bpf_filter(self.remote_addr.port());
+            if let Err(error) = socket.attach_filter(&filter) {
+                // filter is not required so continue if it errors
+                log::warn!("couldn't attach bpf filter to socket: {error:?}");
+            }
+        }
+
         loop {
             let Ok(size) =
                 socket.recv(unsafe { &mut *(&mut buffer as *mut [u8] as *mut [MaybeUninit<u8>]) })
             else {
                 continue;
             };
             let Some(icmp_packet) =
-                crate::socket::icmp::parse_icmp_packet(&mut buffer[..size], self.is_ipv6)
+                crate::socket::icmp::parse_icmp_packet(&mut buffer[..size], is_ipv6)
             else {
                 continue;
             };
@@ -47,6 +57,17 @@ impl Poll for IcmpPoll {
     }
 }
 
+#[cfg(target_os = "linux")]
+fn create_bpf_filter(remote_port: u16) -> [libc::sock_filter; 4] {
+    [
+        (0x28, 0, 0, 0x0000001a),         // ldh [26]          ; icmp sequence
+        (0x15, 0, 1, remote_port as u32), // jne #port, drop
+        (0x06, 0, 0, 0xffffffff),         // ret #-1
+        (0x06, 0, 0, 0000000000),         // drop: ret #0
+    ]
+    .map(|(code, jt, jf, k)| libc::sock_filter { code, jt, jf, k })
+}
+
 #[derive(Debug)]
 pub struct IcmpRegistry;
 // icmp doesn't need a registry because we manage it's poll ourself