From 0131b6c438e1e7ccc41c9abd1f02ac398d34dfaa Mon Sep 17 00:00:00 2001
From: John Lo
Date: Mon, 25 Jun 2018 12:35:21 -0400
Subject: Add checks for bad ARP request packets in arp-termination node

Check ARP request packet with bad requester MAC/IP address and drop these packets. Also removed useless VRRP check in the node.

Change-Id: I2c8a774d291928eb623b3a515f1edf7e338fa760
Signed-off-by: John Lo
---
 src/vnet/ethernet/arp.c | 21 +++++++++------------
 1 file changed, 9 insertions(+), 12 deletions(-)

(limited to 'src/vnet/ethernet/arp.c')

diff --git a/src/vnet/ethernet/arp.c b/src/vnet/ethernet/arp.c
index a17f7dae02b..c6f9324eabe 100644
--- a/src/vnet/ethernet/arp.c
+++ b/src/vnet/ethernet/arp.c
@@ -2324,7 +2324,6 @@ arp_term_l2bd (vlib_main_t * vm,
 	  u16 bd_index0;
 	  u32 ip0;
 	  u8 *macp0;
-	  u8 is_vrrp_reply0;
 
 	  pi0 = from[0];
 	  to_next[0] = pi0;
@@ -2373,24 +2372,22 @@ arp_term_l2bd (vlib_main_t * vm,
 	  if (error0)
 	    goto drop;
 
-	  is_vrrp_reply0 =
-	    ((arp0->opcode ==
-	      clib_host_to_net_u16 (ETHERNET_ARP_OPCODE_reply))
-	     &&
-	     (!memcmp
-	      (arp0->ip4_over_ethernet[0].ethernet, vrrp_prefix,
-	       sizeof (vrrp_prefix))));
-
 	  /* Trash ARP packets whose ARP-level source addresses do not
-	     match their L2-frame-level source addresses, unless it's
-	     a reply from a VRRP virtual router */
+	     match, or if requester address is mcast */
 	  if (PREDICT_FALSE
 	      (memcmp (eth0->src_address,
 		       arp0->ip4_over_ethernet[0].ethernet,
-		       sizeof (eth0->src_address)) && !is_vrrp_reply0))
+		       sizeof (eth0->src_address)) ||
+	       ethernet_address_cast (arp0->ip4_over_ethernet[0].ethernet)))
 	    {
 	      error0 = ETHERNET_ARP_ERROR_l2_address_mismatch;
 	      goto drop;
 	    }
+	  if (PREDICT_FALSE
+	      (ip4_address_is_multicast (&arp0->ip4_over_ethernet[0].ip4)))
+	    {
+	      error0 = ETHERNET_ARP_ERROR_l3_src_address_not_local;
+	      goto drop;
+	    }
 
 	  /* Check if anyone want ARP request events for L2 BDs */
 	  {
-- 
cgit 1.2.3-korg
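Review bot: The two new drop paths reuse error counters whose names no longer describe the condition: a multicast/broadcast sender MAC is counted under `ETHERNET_ARP_ERROR_l2_address_mismatch` and a multicast sender IP under `ETHERNET_ARP_ERROR_l3_src_address_not_local`, so an operator reading the node's drop counters cannot distinguish a spoofed-source frame from a malformed requester address. Dedicated error codes would keep the counters useful for diagnosing ARP abuse; failing that, a comment above the second `if` such as `/* a multicast sender IP can never be a local address; counted as not_local */` at least documents the reuse. The commit message targets ARP requests, but no opcode test is visible in this hunk, so both checks appear to apply to replies as well; if that is intended, the new comment `match, or if requester address is mcast` should say "sender" rather than "requester". Whether `ip4_address_is_multicast` also rejects the limited-broadcast address 255.255.255.255 as a sender IP cannot be seen here and is worth confirming, since that value is equally invalid for a sender. arp_term_l2bd begins and ends outside the hunk.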