From 8ea6d7153b053f1b9bf837ef3a927136f44b41fd Mon Sep 17 00:00:00 2001
From: AkshayaNadahalli <anadahal@cisco.com>
Date: Tue, 7 Feb 2017 23:59:54 +0530
Subject: Fix source address reachability check for ip6 local packets

Currently ip6 local check fails with error - source lookup miss if
route to source of packet is over a dpo object such as load balance -
recurssive route, tunnel adj - GRE, SR etc.
So unless packet source is of a directly connected neibhor or has
route with both interface and nexthop specified, it will be dropped.
Fix is to check urpf list and if at least one link exists in the list,
then allow packets to be processed, else drop.

Change-Id: Id426311bb63bab506754a79409c602fdb6d0f190
Signed-off-by: AkshayaNadahalli <anadahal@cisco.com>
---
 src/vnet/ip/ip6_forward.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

(limited to 'src/vnet/ip/ip6_forward.c')

diff --git a/src/vnet/ip/ip6_forward.c b/src/vnet/ip/ip6_forward.c
index 50951c27495..06c20bbaa12 100644
--- a/src/vnet/ip/ip6_forward.c
+++ b/src/vnet/ip/ip6_forward.c
@@ -1463,16 +1463,14 @@ ip6_local (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
 	      type0 != IP_BUILTIN_PROTOCOL_ICMP &&
 	      !ip6_address_is_link_local_unicast (&ip0->src_address))
 	    {
-	      u32 src_adj_index0 = ip6_src_lookup_for_packet (im, p0, ip0);
-	      error0 = (ADJ_INDEX_INVALID == src_adj_index0
+	      error0 = (!ip6_urpf_loose_check (im, p0, ip0)
 			? IP6_ERROR_SRC_LOOKUP_MISS : error0);
 	    }
 	  if (error1 == IP6_ERROR_UNKNOWN_PROTOCOL &&
 	      type1 != IP_BUILTIN_PROTOCOL_ICMP &&
 	      !ip6_address_is_link_local_unicast (&ip1->src_address))
 	    {
-	      u32 src_adj_index1 = ip6_src_lookup_for_packet (im, p1, ip1);
-	      error1 = (ADJ_INDEX_INVALID == src_adj_index1
+	      error1 = (!ip6_urpf_loose_check (im, p1, ip1)
 			? IP6_ERROR_SRC_LOOKUP_MISS : error1);
 	    }
 
@@ -1570,8 +1568,7 @@ ip6_local (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
 	      type0 != IP_BUILTIN_PROTOCOL_ICMP &&
 	      !ip6_address_is_link_local_unicast (&ip0->src_address))
 	    {
-	      u32 src_adj_index0 = ip6_src_lookup_for_packet (im, p0, ip0);
-	      error0 = (ADJ_INDEX_INVALID == src_adj_index0
+	      error0 = (!ip6_urpf_loose_check (im, p0, ip0)
 			? IP6_ERROR_SRC_LOOKUP_MISS : error0);
 	    }
 
-- 
cgit 1.2.3-korg