From 2b600184f3f43e740b54a1c51d3a35f8c1a77868 Mon Sep 17 00:00:00 2001
From: Neale Ranns
Date: Fri, 29 Mar 2019 05:08:27 -0700
Subject: GBP: iVXLAN reflection check packets should not egress on an iVXLAN tunnel if they arrived on one.
Change-Id: I9adca30252364b4878f99e254aebc73b70a5d4d6
Signed-off-by: Neale Ranns
---
 src/plugins/gbp/gbp_policy_dpo.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
(limited to 'src/plugins/gbp/gbp_policy_dpo.c')
diff --git a/src/plugins/gbp/gbp_policy_dpo.c b/src/plugins/gbp/gbp_policy_dpo.c
index 5fb04ff4df5..c3a51a46236 100644
--- a/src/plugins/gbp/gbp_policy_dpo.c
+++ b/src/plugins/gbp/gbp_policy_dpo.c
@@ -16,6 +16,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -153,6 +154,13 @@ gbp_policy_dpo_interpose (const dpo_id_t * original,
 gpd_clone->gpd_sclass = gpd->gpd_sclass;
 gpd_clone->gpd_sw_if_index = gpd->gpd_sw_if_index;
+ /*
+ * if no interface is provided, grab one from the parent
+ * on which we stack
+ */
+ if (~0 == gpd_clone->gpd_sw_if_index)
+ gpd_clone->gpd_sw_if_index = dpo_get_urpf (parent);
+
 dpo_stack (gbp_policy_dpo_type, gpd_clone->gpd_proto, &gpd_clone->gpd_dpo, parent);
@@ -286,6 +294,15 @@ gbp_policy_dpo_inline (vlib_main_t * vm,
 gpd0 = gbp_policy_dpo_get (vnet_buffer (b0)->ip.adj_index[VLIB_TX]);
 vnet_buffer (b0)->ip.adj_index[VLIB_TX] = gpd0->gpd_dpo.dpoi_index;
+ /*
+ * Reflection check; in and out on an ivxlan tunnel
+ */
+ if ((~0 != vxlan_gbp_tunnel_by_sw_if_index (gpd0->gpd_sw_if_index))
+ && (vnet_buffer2 (b0)->gbp.flags & VXLAN_GBP_GPFLAGS_R))
+ {
+ goto trace;
+ }
+
 if (vnet_buffer2 (b0)->gbp.flags & VXLAN_GBP_GPFLAGS_A)
 {
 next0 = gpd0->gpd_dpo.dpoi_next_node;
--
cgit 1.2.3-korg
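Review bot: The fallback `gpd_clone->gpd_sw_if_index = dpo_get_urpf (parent);` in gbp_policy_dpo_interpose can still leave the index at ~0 when the parent DPO carries no uRPF interface, and the new comment does not say whether that is an accepted outcome or a configuration error. The data-path hunk in gbp_policy_dpo_inline then passes gpd_sw_if_index straight into vxlan_gbp_tunnel_by_sw_if_index, so the safety of this path depends on that lookup bounds-checking an out-of-range index, which I cannot verify from this page. I would extend the comment with `* on which we stack; the parent may itself report ~0, so the data-path tunnel lookup must tolerate an invalid sw_if_index` and, if the lookup does not already guard it, add the range check there rather than here. The body of gbp_policy_dpo_interpose begins before and ends after this hunk.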
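Review bot: The reflection check in gbp_policy_dpo_inline jumps to `trace` without assigning next0 or recording a drop reason, so whether a reflected packet is actually dropped, and whether the drop is counted, depends on how next0 was initialised earlier in the function, which is outside this hunk. If next0 is not already the node's drop next index at this point, the packet would be forwarded with whatever value next0 held; making the intent explicit with an assignment to the drop next index (placeholder: `next0 = <DROP_NEXT>;`) immediately before `goto trace;`, plus an error counter bump if the node has one, would make the check self-contained and observable. The comment would also benefit from stating the why rather than the what, e.g. `* Reflection check: the R flag indicates the packet arrived over an iVXLAN tunnel, so it must not be sent back out over one` (hedged on the commit message's description of the flag). The enclosing function starts before and continues after this hunk.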