summaryrefslogtreecommitdiffstats
path: root/src/plugins/gbp
diff options
context:
space:
mode:
authorNeale Ranns <nranns@cisco.com>2019-03-29 05:08:27 -0700
committerNeale Ranns <nranns@cisco.com>2019-04-03 13:48:19 +0000
commit2b600184f3f43e740b54a1c51d3a35f8c1a77868 (patch)
treece2384579f02214589729ee90642aec035906f47 /src/plugins/gbp
parent7cae003a68ed3e1022bcc8d33d0b5375918a83f7 (diff)
GBP: iVXLAN reflection check
packets should not egress on an iVXLAN tunnel if they arrived on one. Change-Id: I9adca30252364b4878f99e254aebc73b70a5d4d6 Signed-off-by: Neale Ranns <nranns@cisco.com>
Diffstat (limited to 'src/plugins/gbp')
-rw-r--r--src/plugins/gbp/gbp_policy_dpo.c17
-rw-r--r--src/plugins/gbp/gbp_policy_node.c37
2 files changed, 42 insertions, 12 deletions
diff --git a/src/plugins/gbp/gbp_policy_dpo.c b/src/plugins/gbp/gbp_policy_dpo.c
index 5fb04ff4df5..c3a51a46236 100644
--- a/src/plugins/gbp/gbp_policy_dpo.c
+++ b/src/plugins/gbp/gbp_policy_dpo.c
@@ -16,6 +16,7 @@
#include <vnet/dpo/dvr_dpo.h>
#include <vnet/dpo/drop_dpo.h>
#include <vnet/vxlan-gbp/vxlan_gbp_packet.h>
+#include <vnet/vxlan-gbp/vxlan_gbp.h>
#include <plugins/gbp/gbp.h>
#include <plugins/gbp/gbp_policy_dpo.h>
@@ -153,6 +154,13 @@ gbp_policy_dpo_interpose (const dpo_id_t * original,
gpd_clone->gpd_sclass = gpd->gpd_sclass;
gpd_clone->gpd_sw_if_index = gpd->gpd_sw_if_index;
+ /*
+ * if no interface is provided, grab one from the parent
+ * on which we stack
+ */
+ if (~0 == gpd_clone->gpd_sw_if_index)
+ gpd_clone->gpd_sw_if_index = dpo_get_urpf (parent);
+
dpo_stack (gbp_policy_dpo_type,
gpd_clone->gpd_proto, &gpd_clone->gpd_dpo, parent);
@@ -286,6 +294,15 @@ gbp_policy_dpo_inline (vlib_main_t * vm,
gpd0 = gbp_policy_dpo_get (vnet_buffer (b0)->ip.adj_index[VLIB_TX]);
vnet_buffer (b0)->ip.adj_index[VLIB_TX] = gpd0->gpd_dpo.dpoi_index;
+ /*
+ * Reflection check; in and out on an ivxlan tunnel
+ */
+ if ((~0 != vxlan_gbp_tunnel_by_sw_if_index (gpd0->gpd_sw_if_index))
+ && (vnet_buffer2 (b0)->gbp.flags & VXLAN_GBP_GPFLAGS_R))
+ {
+ goto trace;
+ }
+
if (vnet_buffer2 (b0)->gbp.flags & VXLAN_GBP_GPFLAGS_A)
{
next0 = gpd0->gpd_dpo.dpoi_next_node;
diff --git a/src/plugins/gbp/gbp_policy_node.c b/src/plugins/gbp/gbp_policy_node.c
index ff21e7d0e2e..1f2ac4310e0 100644
--- a/src/plugins/gbp/gbp_policy_node.c
+++ b/src/plugins/gbp/gbp_policy_node.c
@@ -17,9 +17,11 @@
#include <plugins/gbp/gbp_policy_dpo.h>
#include <vnet/vxlan-gbp/vxlan_gbp_packet.h>
+#include <vnet/vxlan-gbp/vxlan_gbp.h>
#define foreach_gbp_policy \
- _(DENY, "deny")
+ _(DENY, "deny") \
+ _(REFLECTION, "reflection")
typedef enum
{
@@ -37,10 +39,8 @@ static char *gbp_policy_error_strings[] = {
typedef enum
{
-#define _(sym,str) GBP_POLICY_NEXT_##sym,
- foreach_gbp_policy
-#undef _
- GBP_POLICY_N_NEXT,
+ GBP_POLICY_NEXT_DROP,
+ GBP_POLICY_N_NEXT,
} gbp_policy_next_t;
/**
@@ -53,6 +53,7 @@ typedef struct gbp_policy_trace_t_
u32 dst_epg;
u32 acl_index;
u32 allowed;
+ u32 flags;
} gbp_policy_trace_t;
always_inline dpo_proto_t
@@ -138,7 +139,7 @@ gbp_policy_inline (vlib_main_t * vm,
index_t gci0;
gc0 = NULL;
- next0 = GBP_POLICY_NEXT_DENY;
+ next0 = GBP_POLICY_NEXT_DROP;
bi0 = from[0];
to_next[0] = bi0;
from += 1;
@@ -151,7 +152,16 @@ gbp_policy_inline (vlib_main_t * vm,
sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_TX];
/*
- * If the A0bit is set then policy has already been applied
+ * Reflection check; in and out on an ivxlan tunnel
+ */
+ if ((~0 != vxlan_gbp_tunnel_by_sw_if_index (sw_if_index0)) &&
+ (vnet_buffer2 (b0)->gbp.flags & VXLAN_GBP_GPFLAGS_R))
+ {
+ goto trace;
+ }
+
+ /*
+ * If the A-bit is set then policy has already been applied
* and we skip enforcement here.
*/
if (vnet_buffer2 (b0)->gbp.flags & VXLAN_GBP_GPFLAGS_A)
@@ -165,6 +175,7 @@ gbp_policy_inline (vlib_main_t * vm,
key0.as_u32 = ~0;
goto trace;
}
+
/*
* determine the src and dst EPG
*/
@@ -307,8 +318,9 @@ gbp_policy_inline (vlib_main_t * vm,
vlib_add_trace (vm, node, b0, sizeof (*t));
t->sclass = key0.gck_src;
t->dst_epg = key0.gck_dst;
- t->acl_index = (gc0 ? gc0->gc_acl_index : ~0),
- t->allowed = (next0 != GBP_POLICY_NEXT_DENY);
+ t->acl_index = (gc0 ? gc0->gc_acl_index : ~0);
+ t->allowed = (next0 != GBP_POLICY_NEXT_DROP);
+ t->flags = vnet_buffer2 (b0)->gbp.flags;
}
/* verify speculative enqueue, maybe switch current next frame */
@@ -346,8 +358,9 @@ format_gbp_policy_trace (u8 * s, va_list * args)
gbp_policy_trace_t *t = va_arg (*args, gbp_policy_trace_t *);
s =
- format (s, "sclass:%d, dst:%d, acl:%d allowed:%d",
- t->sclass, t->dst_epg, t->acl_index, t->allowed);
+ format (s, "sclass:%d, dst:%d, acl:%d allowed:%d flags:%U",
+ t->sclass, t->dst_epg, t->acl_index, t->allowed,
+ format_vxlan_gbp_header_gpflags, t->flags);
return s;
}
@@ -365,7 +378,7 @@ VLIB_REGISTER_NODE (gbp_policy_port_node) = {
.n_next_nodes = GBP_POLICY_N_NEXT,
.next_nodes = {
- [GBP_POLICY_NEXT_DENY] = "error-drop",
+ [GBP_POLICY_NEXT_DROP] = "error-drop",
},
};