From 2b600184f3f43e740b54a1c51d3a35f8c1a77868 Mon Sep 17 00:00:00 2001 From: Neale Ranns Date: Fri, 29 Mar 2019 05:08:27 -0700 Subject: GBP: iVXLAN reflection check packets should not egress on an iVXLAN tunnel if they arrived on one. Change-Id: I9adca30252364b4878f99e254aebc73b70a5d4d6 Signed-off-by: Neale Ranns --- src/plugins/gbp/gbp_policy_dpo.c | 17 +++++++++++++++++ src/plugins/gbp/gbp_policy_node.c | 37 +++++++++++++++++++++++++------------ 2 files changed, 42 insertions(+), 12 deletions(-) (limited to 'src/plugins') diff --git a/src/plugins/gbp/gbp_policy_dpo.c b/src/plugins/gbp/gbp_policy_dpo.c index 5fb04ff4df5..c3a51a46236 100644 --- a/src/plugins/gbp/gbp_policy_dpo.c +++ b/src/plugins/gbp/gbp_policy_dpo.c @@ -16,6 +16,7 @@ #include #include #include +#include #include #include @@ -153,6 +154,13 @@ gbp_policy_dpo_interpose (const dpo_id_t * original, gpd_clone->gpd_sclass = gpd->gpd_sclass; gpd_clone->gpd_sw_if_index = gpd->gpd_sw_if_index; + /* + * if no interface is provided, grab one from the parent + * on which we stack + */ + if (~0 == gpd_clone->gpd_sw_if_index) + gpd_clone->gpd_sw_if_index = dpo_get_urpf (parent); + dpo_stack (gbp_policy_dpo_type, gpd_clone->gpd_proto, &gpd_clone->gpd_dpo, parent); @@ -286,6 +294,15 @@ gbp_policy_dpo_inline (vlib_main_t * vm, gpd0 = gbp_policy_dpo_get (vnet_buffer (b0)->ip.adj_index[VLIB_TX]); vnet_buffer (b0)->ip.adj_index[VLIB_TX] = gpd0->gpd_dpo.dpoi_index; + /* + * Reflection check; in and out on an ivxlan tunnel + */ + if ((~0 != vxlan_gbp_tunnel_by_sw_if_index (gpd0->gpd_sw_if_index)) + && (vnet_buffer2 (b0)->gbp.flags & VXLAN_GBP_GPFLAGS_R)) + { + goto trace; + } + if (vnet_buffer2 (b0)->gbp.flags & VXLAN_GBP_GPFLAGS_A) { next0 = gpd0->gpd_dpo.dpoi_next_node; diff --git a/src/plugins/gbp/gbp_policy_node.c b/src/plugins/gbp/gbp_policy_node.c index ff21e7d0e2e..1f2ac4310e0 100644 --- a/src/plugins/gbp/gbp_policy_node.c +++ b/src/plugins/gbp/gbp_policy_node.c @@ -17,9 +17,11 @@ #include #include +#include #define foreach_gbp_policy \ - _(DENY, "deny") + _(DENY, "deny") \ + _(REFLECTION, "reflection") typedef enum { @@ -37,10 +39,8 @@ static char *gbp_policy_error_strings[] = { typedef enum { -#define _(sym,str) GBP_POLICY_NEXT_##sym, - foreach_gbp_policy -#undef _ - GBP_POLICY_N_NEXT, + GBP_POLICY_NEXT_DROP, + GBP_POLICY_N_NEXT, } gbp_policy_next_t; /** @@ -53,6 +53,7 @@ typedef struct gbp_policy_trace_t_ u32 dst_epg; u32 acl_index; u32 allowed; + u32 flags; } gbp_policy_trace_t; always_inline dpo_proto_t @@ -138,7 +139,7 @@ gbp_policy_inline (vlib_main_t * vm, index_t gci0; gc0 = NULL; - next0 = GBP_POLICY_NEXT_DENY; + next0 = GBP_POLICY_NEXT_DROP; bi0 = from[0]; to_next[0] = bi0; from += 1; @@ -151,7 +152,16 @@ gbp_policy_inline (vlib_main_t * vm, sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_TX]; /* - * If the A0bit is set then policy has already been applied + * Reflection check; in and out on an ivxlan tunnel + */ + if ((~0 != vxlan_gbp_tunnel_by_sw_if_index (sw_if_index0)) && + (vnet_buffer2 (b0)->gbp.flags & VXLAN_GBP_GPFLAGS_R)) + { + goto trace; + } + + /* + * If the A-bit is set then policy has already been applied * and we skip enforcement here. */ if (vnet_buffer2 (b0)->gbp.flags & VXLAN_GBP_GPFLAGS_A) @@ -165,6 +175,7 @@ gbp_policy_inline (vlib_main_t * vm, key0.as_u32 = ~0; goto trace; } + /* * determine the src and dst EPG */ @@ -307,8 +318,9 @@ gbp_policy_inline (vlib_main_t * vm, vlib_add_trace (vm, node, b0, sizeof (*t)); t->sclass = key0.gck_src; t->dst_epg = key0.gck_dst; - t->acl_index = (gc0 ? gc0->gc_acl_index : ~0), - t->allowed = (next0 != GBP_POLICY_NEXT_DENY); + t->acl_index = (gc0 ? gc0->gc_acl_index : ~0); + t->allowed = (next0 != GBP_POLICY_NEXT_DROP); + t->flags = vnet_buffer2 (b0)->gbp.flags; } /* verify speculative enqueue, maybe switch current next frame */ @@ -346,8 +358,9 @@ format_gbp_policy_trace (u8 * s, va_list * args) gbp_policy_trace_t *t = va_arg (*args, gbp_policy_trace_t *); s = - format (s, "sclass:%d, dst:%d, acl:%d allowed:%d", - t->sclass, t->dst_epg, t->acl_index, t->allowed); + format (s, "sclass:%d, dst:%d, acl:%d allowed:%d flags:%U", + t->sclass, t->dst_epg, t->acl_index, t->allowed, + format_vxlan_gbp_header_gpflags, t->flags); return s; } @@ -365,7 +378,7 @@ VLIB_REGISTER_NODE (gbp_policy_port_node) = { .n_next_nodes = GBP_POLICY_N_NEXT, .next_nodes = { - [GBP_POLICY_NEXT_DENY] = "error-drop", + [GBP_POLICY_NEXT_DROP] = "error-drop", }, }; -- cgit 1.2.3-korg