diff options
| author |   Andrew Yourtchenko <ayourtch@gmail.com> | 2017-04-04 14:10:40 +0000 |
|---|---|---|
| committer |   Damjan Marion <dmarion.lists@gmail.com> | 2017-04-06 15:30:21 +0000 |
| commit | d1b05647427c79cfd5322991bbe663fae65f37b5 (patch) | |
| tree | c7449b51cd46575c7978d8cac795b15a84f4163a /src/plugins/acl/fa_node.h | |
| parent | 0eb2b16f95c0c43302be79a1c4df8b828ac97e37 (diff) | |
acl-plugin: make the IPv4/IPv6 non-first fragment handling in line with ACL (VPP-682)
This fixes the previously-implicit "drop all non-first fragments" behavior
to be more in line with security rules: a non-first fragment is treated
for the purposes of matching the ACL as a packet with the port
match succeeding. This allows to change the behavior to permit
the fragmented packets for the default "permit specific rules"
ruleset, but also gives the flexibility to block the non-initial
fragments by inserting into the begining a bogus rule
which would deny the L4 traffic.
Also, add a knob which allows to potentially turn this behavior off
in case of a dire need (and revert to dropping all non-initial fragments),
via a debug CLI.
Change-Id: I546b372b65ff2157d9c68b1d32f9e644f1dd71b4
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
(cherry picked from commit 9fc0c26c6b28fd6c8b8142ea52f52eafa7e8c7ac)
Diffstat (limited to 'src/plugins/acl/fa_node.h')
| -rw-r--r-- | src/plugins/acl/fa_node.h | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/src/plugins/acl/fa_node.h b/src/plugins/acl/fa_node.h index 76a40a38486..8edd0069217 100644 --- a/src/plugins/acl/fa_node.h +++ b/src/plugins/acl/fa_node.h @@ -22,10 +22,12 @@ typedef union { u64 as_u64; struct { - u8 tcp_flags_valid; u8 tcp_flags; - u8 is_input; - u8 l4_valid; + u8 tcp_flags_valid:1; + u8 is_input:1; + u8 l4_valid:1; + u8 is_nonfirst_fragment:1; + u8 flags_reserved:4; }; } fa_packet_info_t; |