Add extra validation for VXLAN packets and tunnels

- On VXLAN packet decap, validate its DIP against VXLAN tunnel.
- Add extra logic to validate and handle creation of multicast
  VXLAN tunnels.

Change-Id: I6abdddd7be4cd9f1bcfc88d9970ba681fdd72f7c
Signed-off-by: John Lo <loj@cisco.com>

1 files changed, 8 insertions, 0 deletions

diff --git a/vpp/vpp-api/api.c b/vpp/vpp-api/api.c
index 3868af9c377..a5f50ff1eef 100644
--- a/vpp/vpp-api/api.c
+++ b/vpp/vpp-api/api.c
@@ -3104,6 +3104,7 @@ static void vl_api_vxlan_add_del_tunnel_t_handler
   u32 encap_fib_index;
   uword *p;
   ip4_main_t *im = &ip4_main;
+  vnet_main_t *vnm = vnet_get_main ();
   u32 sw_if_index = ~0;
 
   p = hash_get (im->fib_index_by_table_id, ntohl (mp->encap_vrf_id));
@@ -3129,6 +3130,13 @@ static void vl_api_vxlan_add_del_tunnel_t_handler
       goto out;
     }
   a->mcast_sw_if_index = ntohl (mp->mcast_sw_if_index);
+  if (ip46_address_is_multicast (&a->dst) &&
+      pool_is_free_index (vnm->interface_main.sw_interfaces,
+			  a->mcast_sw_if_index))
+    {
+      rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
+      goto out;
+    }
   a->encap_fib_index = encap_fib_index;
   a->decap_next_index = ntohl (mp->decap_next_index);
   a->vni = ntohl (mp->vni);