summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNeale Ranns <neale@graphiant.com>2021-04-02 07:34:39 +0000
committerMatthew Smith <mgsmith@netgate.com>2021-04-05 00:56:47 +0000
commite2b6736e1f5c9a841e37ea1e0c3db4c1989a10ba (patch)
tree26740cb0392570b67a02ff3e86810b60cceabe2a
parent014dba38cb9579808a2134fd10a071e4f8c4e213 (diff)
ip6-nd: Solicitation reply only if target is our link-local
Type: fix The fib source IP6_ND is used for all link-local entries, hence solicitation responses were sent for a peer's address. Constrain the source check to also in clude the LOCAL flag, which indicates that the link-local address is ours. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Iba7e66049e4d89ee3f36d77aeb09310b978d70de
-rw-r--r--src/vnet/ip6-nd/ip6_nd.c13
-rw-r--r--test/test_ip6.py12
2 files changed, 21 insertions, 4 deletions
diff --git a/src/vnet/ip6-nd/ip6_nd.c b/src/vnet/ip6-nd/ip6_nd.c
index 917abddf7bb..311cbf743f7 100644
--- a/src/vnet/ip6-nd/ip6_nd.c
+++ b/src/vnet/ip6-nd/ip6_nd.c
@@ -215,10 +215,15 @@ icmp6_neighbor_solicitation_or_advertisement (vlib_main_t * vm,
/* It's an address that belongs to one of our interfaces
* that's good. */
}
- else
- if (fib_entry_is_sourced
- (fei, FIB_SOURCE_IP6_ND_PROXY) ||
- fib_entry_is_sourced (fei, FIB_SOURCE_IP6_ND))
+ else if (FIB_ENTRY_FLAG_LOCAL &
+ fib_entry_get_flags_for_source (
+ fei, FIB_SOURCE_IP6_ND))
+ {
+ /* It's one of our link local addresses
+ * that's good. */
+ }
+ else if (fib_entry_is_sourced (fei,
+ FIB_SOURCE_IP6_ND_PROXY))
{
/* The address was added by IPv6 Proxy ND config.
* We should only respond to these if the NS arrived on
diff --git a/test/test_ip6.py b/test/test_ip6.py
index 8abd8d6807f..7635a01c7ce 100644
--- a/test/test_ip6.py
+++ b/test/test_ip6.py
@@ -505,6 +505,18 @@ class TestIPv6(TestIPv6ND):
tgt_ip=self.pg0.local_ip6_ll)
#
+ # do not respond to a NS for the peer's address
+ #
+ p = (Ether(dst=in6_getnsmac(nsma), src=self.pg0.remote_mac) /
+ IPv6(dst=d,
+ src=self.pg0._remote_hosts[3].ip6_ll) /
+ ICMPv6ND_NS(tgt=self.pg0._remote_hosts[3].ip6_ll) /
+ ICMPv6NDOptSrcLLAddr(
+ lladdr=self.pg0.remote_mac))
+
+ self.send_and_assert_no_replies(self.pg0, p)
+
+ #
# we should have learned an ND entry for the peer's link-local
# but not inserted a route to it in the FIB
#