Add checks for bad ARP request packets in arp-termination node

Check ARP request packet with bad requester MAC/IP address and
drop these packets. Also removed useless VRRP check in the node.

Change-Id: I2c8a774d291928eb623b3a515f1edf7e338fa760
Signed-off-by: John Lo <loj@cisco.com>

1 files changed, 9 insertions, 12 deletions

diff --git a/src/vnet/ethernet/arp.c b/src/vnet/ethernet/arp.c
index a17f7dae02b..c6f9324eabe 100644
--- a/src/vnet/ethernet/arp.c
+++ b/src/vnet/ethernet/arp.c
@@ -2324,7 +2324,6 @@ arp_term_l2bd (vlib_main_t * vm,
 	  u16 bd_index0;
 	  u32 ip0;
 	  u8 *macp0;
-	  u8 is_vrrp_reply0;
 
 	  pi0 = from[0];
 	  to_next[0] = pi0;
@@ -2373,24 +2372,22 @@ arp_term_l2bd (vlib_main_t * vm,
 	  if (error0)
 	    goto drop;
 
-	  is_vrrp_reply0 =
-	    ((arp0->opcode ==
-	      clib_host_to_net_u16 (ETHERNET_ARP_OPCODE_reply))
-	     &&
-	     (!memcmp
-	      (arp0->ip4_over_ethernet[0].ethernet, vrrp_prefix,
-	       sizeof (vrrp_prefix))));
-
 	  /* Trash ARP packets whose ARP-level source addresses do not
-	     match their L2-frame-level source addresses, unless it's
-	     a reply from a VRRP virtual router */
+	     match, or if requester address is mcast */
 	  if (PREDICT_FALSE
 	      (memcmp (eth0->src_address, arp0->ip4_over_ethernet[0].ethernet,
-		       sizeof (eth0->src_address)) && !is_vrrp_reply0))
+		       sizeof (eth0->src_address)) ||
+	       ethernet_address_cast (arp0->ip4_over_ethernet[0].ethernet)))
 	    {
 	      error0 = ETHERNET_ARP_ERROR_l2_address_mismatch;
 	      goto drop;
 	    }
+	  if (PREDICT_FALSE
+	      (ip4_address_is_multicast (&arp0->ip4_over_ethernet[0].ip4)))
+	    {
+	      error0 = ETHERNET_ARP_ERROR_l3_src_address_not_local;
+	      goto drop;
+	    }
 
 	  /* Check if anyone want ARP request events for L2 BDs */
 	  {