author | John Lo <loj@cisco.com> | 2018-06-25 12:35:21 -0400 |
committer | Dave Barach <openvpp@barachs.net> | 2018-06-25 22:46:14 +0000 |
commit | 0131b6c438e1e7ccc41c9abd1f02ac398d34dfaa (patch) | |
tree | 9a5d8065cf0374a9e3428d260292e24143e09823 /src | |
parent | adb5bd5344cd7b422c0c08e6434ad8642b897502 (diff) |
Add checks for bad ARP request packets in arp-termination node
Check ARP request packets for a bad requester MAC/IP address and
drop those packets. Also remove the now-useless VRRP check in the node.
Change-Id: I2c8a774d291928eb623b3a515f1edf7e338fa760
Signed-off-by: John Lo <loj@cisco.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/vnet/ethernet/arp.c | 21 |
1 files changed, 9 insertions, 12 deletions
diff --git a/src/vnet/ethernet/arp.c b/src/vnet/ethernet/arp.c
index a17f7dae02b..c6f9324eabe 100644
--- a/src/vnet/ethernet/arp.c
+++ b/src/vnet/ethernet/arp.c
@@ -2324,7 +2324,6 @@ arp_term_l2bd (vlib_main_t * vm,
          u16 bd_index0;
          u32 ip0;
          u8 *macp0;
-         u8 is_vrrp_reply0;
          pi0 = from[0];
          to_next[0] = pi0;
@@ -2373,24 +2372,22 @@ arp_term_l2bd (vlib_main_t * vm,
          if (error0)
            goto drop;
-         is_vrrp_reply0 =
-           ((arp0->opcode ==
-             clib_host_to_net_u16 (ETHERNET_ARP_OPCODE_reply))
-            &&
-            (!memcmp
-             (arp0->ip4_over_ethernet[0].ethernet, vrrp_prefix,
-              sizeof (vrrp_prefix))));
-
          /* Trash ARP packets whose ARP-level source addresses do not
-            match their L2-frame-level source addresses, unless it's
-            a reply from a VRRP virtual router */
+            match, or if requester address is mcast */
          if (PREDICT_FALSE
              (memcmp (eth0->src_address, arp0->ip4_over_ethernet[0].ethernet,
-                      sizeof (eth0->src_address)) && !is_vrrp_reply0))
+                      sizeof (eth0->src_address)) ||
+              ethernet_address_cast (arp0->ip4_over_ethernet[0].ethernet)))
            {
              error0 = ETHERNET_ARP_ERROR_l2_address_mismatch;
              goto drop;
            }
+         if (PREDICT_FALSE
+             (ip4_address_is_multicast (&arp0->ip4_over_ethernet[0].ip4)))
+           {
+             error0 = ETHERNET_ARP_ERROR_l3_src_address_not_local;
+             goto drop;
+           }
          /* Check if anyone want ARP request events for L2 BDs */
          { |
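Review bot: The new sender-IP check in the second hunk counts a multicast sender address under `ETHERNET_ARP_ERROR_l3_src_address_not_local`, so an operator reading the node's error counters will see these malformed packets reported as a different condition than the one actually detected. A dedicated error, `error0 = ETHERNET_ARP_ERROR_l3_src_address_multicast;`, would keep the counter accurate, provided the ARP error list elsewhere in arp.c (outside this hunk) can take the new entry. The check also rejects only 224/4 via ip4_address_is_multicast, so a limited-broadcast sender address of 255.255.255.255 still passes; if the intent is to reject every non-unicast sender, that case needs its own test. The updated comment `match, or if requester address is mcast */` presumably also covers a broadcast sender MAC if ethernet_address_cast tests the group bit, which would be worth stating so the comment matches the check. arp_term_l2bd starts before and ends after both hunks.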