gbp: enforce same endpoint mac and ip src

During packet classification, make sure packets coming from an EP also
matches this specific EP IP address and vice-versa. This prevents and EP
to send a packet on behalf of another EP.

Type: fix

Change-Id: I30287644ec73b90d9b6913952a82b2baedf6a5ff
Signed-off-by: Benoît Ganne <bganne@cisco.com>

1 files changed, 13 insertions, 3 deletions

diff --git a/test/test_gbp.py b/test/test_gbp.py
index cc26238276a..ac0fb222633 100644
--- a/test/test_gbp.py
+++ b/test/test_gbp.py
@@ -3618,6 +3618,16 @@ class TestGBP(VppTestCase):
         rep.add_vpp_config()
 
         #
+        # EP1 impersonating EP3 is dropped
+        #
+        p = (Ether(src=eep1.mac, dst="ff:ff:ff:ff:ff:ff") /
+             Dot1Q(vlan=100) /
+             ARP(op="who-has",
+             psrc="10.0.0.3", pdst="10.0.0.128",
+             hwsrc=eep1.mac, hwdst="ff:ff:ff:ff:ff:ff"))
+        self.send_and_assert_no_replies(self.pg0, p)
+
+        #
         # ARP packet from External EPs are accepted and replied to
         #
         p_arp = (Ether(src=eep1.mac, dst="ff:ff:ff:ff:ff:ff") /
@@ -3630,11 +3640,11 @@ class TestGBP(VppTestCase):
         #
         # ARP packet from host in remote subnet are accepted and replied to
         #
-        p_arp = (Ether(src=vlan_102.remote_mac, dst="ff:ff:ff:ff:ff:ff") /
+        p_arp = (Ether(src=eep3.mac, dst="ff:ff:ff:ff:ff:ff") /
                  Dot1Q(vlan=102) /
                  ARP(op="who-has",
-                     psrc="10.0.0.17", pdst="10.0.0.128",
-                     hwsrc=vlan_102.remote_mac, hwdst="ff:ff:ff:ff:ff:ff"))
+                     psrc=eep3.ip4.address, pdst="10.0.0.128",
+                     hwsrc=eep3.mac, hwdst="ff:ff:ff:ff:ff:ff"))
         rxs = self.send_and_expect(self.pg0, p_arp * 1, self.pg0)
 
         #