diff options
author | Neale Ranns <nranns@cisco.com> | 2019-03-29 05:08:27 -0700 |
---|---|---|
committer | Neale Ranns <nranns@cisco.com> | 2019-04-03 13:48:19 +0000 |
commit | 2b600184f3f43e740b54a1c51d3a35f8c1a77868 (patch) | |
tree | ce2384579f02214589729ee90642aec035906f47 /src/plugins/gbp/gbp_policy_dpo.c | |
parent | 7cae003a68ed3e1022bcc8d33d0b5375918a83f7 (diff) |
GBP: iVXLAN reflection check
packets should not egress on an iVXLAN tunnel if they
arrived on one.
Change-Id: I9adca30252364b4878f99e254aebc73b70a5d4d6
Signed-off-by: Neale Ranns <nranns@cisco.com>
Diffstat (limited to 'src/plugins/gbp/gbp_policy_dpo.c')
-rw-r--r-- | src/plugins/gbp/gbp_policy_dpo.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/src/plugins/gbp/gbp_policy_dpo.c b/src/plugins/gbp/gbp_policy_dpo.c index 5fb04ff4df5..c3a51a46236 100644 --- a/src/plugins/gbp/gbp_policy_dpo.c +++ b/src/plugins/gbp/gbp_policy_dpo.c @@ -16,6 +16,7 @@ #include <vnet/dpo/dvr_dpo.h> #include <vnet/dpo/drop_dpo.h> #include <vnet/vxlan-gbp/vxlan_gbp_packet.h> +#include <vnet/vxlan-gbp/vxlan_gbp.h> #include <plugins/gbp/gbp.h> #include <plugins/gbp/gbp_policy_dpo.h> @@ -153,6 +154,13 @@ gbp_policy_dpo_interpose (const dpo_id_t * original, gpd_clone->gpd_sclass = gpd->gpd_sclass; gpd_clone->gpd_sw_if_index = gpd->gpd_sw_if_index; + /* + * if no interface is provided, grab one from the parent + * on which we stack + */ + if (~0 == gpd_clone->gpd_sw_if_index) + gpd_clone->gpd_sw_if_index = dpo_get_urpf (parent); + dpo_stack (gbp_policy_dpo_type, gpd_clone->gpd_proto, &gpd_clone->gpd_dpo, parent); @@ -286,6 +294,15 @@ gbp_policy_dpo_inline (vlib_main_t * vm, gpd0 = gbp_policy_dpo_get (vnet_buffer (b0)->ip.adj_index[VLIB_TX]); vnet_buffer (b0)->ip.adj_index[VLIB_TX] = gpd0->gpd_dpo.dpoi_index; + /* + * Reflection check; in and out on an ivxlan tunnel + */ + if ((~0 != vxlan_gbp_tunnel_by_sw_if_index (gpd0->gpd_sw_if_index)) + && (vnet_buffer2 (b0)->gbp.flags & VXLAN_GBP_GPFLAGS_R)) + { + goto trace; + } + if (vnet_buffer2 (b0)->gbp.flags & VXLAN_GBP_GPFLAGS_A) { next0 = gpd0->gpd_dpo.dpoi_next_node; |