diff options
author | Vladislav Grishenko <themiron@yandex-team.ru> | 2021-11-19 22:53:41 +0500 |
---|---|---|
committer | Neale Ranns <neale@graphiant.com> | 2022-03-25 07:57:58 +0000 |
commit | b9feb61e8f6778bfc100b4bbcb9eee8795e20191 (patch) | |
tree | 129d11e45e2812757bd85d0d73bcd483ec944b79 /src/vnet | |
parent | 89d74bdee88a10f04831246217448abae81f6142 (diff) |
fib: fix ip6-ll fib selection for non-ethernet interfaces
Fixes case when packet to link-local address is received over
gre/mpls or other non-ethernet interface and ip6-ll fib for it
is undefined.
If by a chance ip6-ll fib index is valid, packet will be passed
to some ip6 fib with possibilities to be sent out over unrelated
interface or be looped again into ip6-link-local dpo till oom
and crash.
Type: fix
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
Change-Id: Ie985f0373ea45e2926db7fb0a1ff951eca0e38f6
Diffstat (limited to 'src/vnet')
-rw-r--r-- | src/vnet/dpo/ip6_ll_dpo.c | 20 | ||||
-rw-r--r-- | src/vnet/ip/ip6_ll_table.c | 24 |
2 files changed, 37 insertions, 7 deletions
diff --git a/src/vnet/dpo/ip6_ll_dpo.c b/src/vnet/dpo/ip6_ll_dpo.c index f86472c16c5..deb67d88137 100644 --- a/src/vnet/dpo/ip6_ll_dpo.c +++ b/src/vnet/dpo/ip6_ll_dpo.c @@ -97,6 +97,11 @@ typedef enum ip6_ll_next_t_ IP6_LL_NEXT_NUM, } ip6_ll_next_t; +typedef enum ip6_ll_error_t_ +{ + IP6_LL_ERROR_NO_TABLE, +} ip6_ll_error_t; + always_inline uword ip6_ll_dpo_inline (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame) @@ -131,10 +136,19 @@ ip6_ll_dpo_inline (vlib_main_t * vm, /* use the packet's RX interface to pick the link-local FIB */ fib_index0 = ip6_ll_fib_get (vnet_buffer (p0)->sw_if_index[VLIB_RX]); + + if (~0 == fib_index0) + { + next0 = IP6_LL_NEXT_DROP; + p0->error = node->errors[IP6_LL_ERROR_NO_TABLE]; + goto trace0; + } + /* write that fib index into the packet so it's used in the * lookup node next */ vnet_buffer (p0)->sw_if_index[VLIB_TX] = fib_index0; + trace0: if (PREDICT_FALSE (p0->flags & VLIB_BUFFER_IS_TRACED)) { ip6_ll_dpo_trace_t *tr = vlib_add_trace (vm, node, p0, @@ -170,6 +184,10 @@ ip6_ll_dpo_switch (vlib_main_t * vm, return (ip6_ll_dpo_inline (vm, node, frame)); } +static char *ip6_ll_dpo_error_strings[] = { + [IP6_LL_ERROR_NO_TABLE] = "Interface is not mapped to an IP6-LL table", +}; + /** * @brief */ @@ -180,6 +198,8 @@ VLIB_REGISTER_NODE (ip6_ll_dpo_node) = .name = "ip6-link-local", .vector_size = sizeof (u32), .format_trace = format_ip6_ll_dpo_trace, + .n_errors = ARRAY_LEN (ip6_ll_dpo_error_strings), + .error_strings = ip6_ll_dpo_error_strings, .n_next_nodes = IP6_LL_NEXT_NUM, .next_nodes = { [IP6_LL_NEXT_DROP] = "ip6-drop", diff --git a/src/vnet/ip/ip6_ll_table.c b/src/vnet/ip/ip6_ll_table.c index e4010bc43c4..b3f42daf26c 100644 --- a/src/vnet/ip/ip6_ll_table.c +++ b/src/vnet/ip/ip6_ll_table.c @@ -114,9 +114,9 @@ ip6_ll_table_entry_update (const ip6_ll_prefix_t * ilp, }; fib_prefix_t fp; - vec_validate (ip6_ll_table.ilt_fibs, ilp->ilp_sw_if_index); + vec_validate_init_empty (ip6_ll_table.ilt_fibs, ilp->ilp_sw_if_index, ~0); - if (0 == ip6_ll_fib_get (ilp->ilp_sw_if_index)) + if (~0 == ip6_ll_fib_get (ilp->ilp_sw_if_index)) { ip6_ll_fib_create (ilp->ilp_sw_if_index); } @@ -151,11 +151,12 @@ ip6_ll_table_entry_delete (const ip6_ll_prefix_t * ilp) * if there are no ND sourced prefixes left, then we can clean up this FIB */ fib_index = ip6_ll_fib_get (ilp->ilp_sw_if_index); - if (0 == fib_table_get_num_entries (fib_index, - FIB_PROTOCOL_IP6, FIB_SOURCE_IP6_ND)) + if (~0 != fib_index && + 0 == fib_table_get_num_entries (fib_index, FIB_PROTOCOL_IP6, + FIB_SOURCE_IP6_ND)) { fib_table_unlock (fib_index, FIB_PROTOCOL_IP6, FIB_SOURCE_IP6_ND); - ip6_ll_table.ilt_fibs[ilp->ilp_sw_if_index] = 0; + ip6_ll_table.ilt_fibs[ilp->ilp_sw_if_index] = ~0; } } @@ -273,8 +274,7 @@ ip6_ll_show_fib (vlib_main_t * vm, u8 *s = NULL; fib_index = ip6_ll_table.ilt_fibs[sw_if_index]; - - if (0 == fib_index) + if (~0 == fib_index) continue; fib_table = fib_table_get (fib_index, FIB_PROTOCOL_IP6); @@ -354,6 +354,16 @@ VLIB_CLI_COMMAND (ip6_show_fib_command, static) = { /* *INDENT-ON* */ static clib_error_t * +ip6_ll_sw_interface_add_del (vnet_main_t *vnm, u32 sw_if_index, u32 is_add) +{ + vec_validate_init_empty (ip6_ll_table.ilt_fibs, sw_if_index, ~0); + + return (NULL); +} + +VNET_SW_INTERFACE_ADD_DEL_FUNCTION (ip6_ll_sw_interface_add_del); + +static clib_error_t * ip6_ll_module_init (vlib_main_t * vm) { clib_error_t *error; |