From 1b5ca985dc51bea730ce5ee799641c75f73a0f26 Mon Sep 17 00:00:00 2001 From: Neale Ranns Date: Wed, 16 Dec 2020 13:06:58 +0000 Subject: vxlan: Protect against tunnel config where source is not local Type: fix If a tunnel's source is not local then post encap VPP will attempt to receive (via ip4-local) that packet, things go wrong from there. The fix is when stacking the encap forwarding don't accept a receive DPO. This approach is taken, rather than rejecting bad tunnels, because the 'local-ness' of the tunnel's source can change and we can't reject tunnels that were once correctly configured but are no longer. the user will quickly discover their mistake as traffic won't pass. Signed-off-by: Neale Ranns Change-Id: I46198422e321606e8baba003112e978a526b4c2f --- src/vnet/vxlan/vxlan.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/vnet/vxlan/vxlan.c b/src/vnet/vxlan/vxlan.c index bf205adc8fb..71d03f6d03d 100644 --- a/src/vnet/vxlan/vxlan.c +++ b/src/vnet/vxlan/vxlan.c @@ -20,6 +20,7 @@ #include #include #include +#include #include #include #include @@ -151,11 +152,19 @@ vxlan_tunnel_restack_dpo (vxlan_tunnel_t * t) * skip single bucket load balance dpo's */ while (DPO_LOAD_BALANCE == dpo.dpoi_type) { - load_balance_t *lb = load_balance_get (dpo.dpoi_index); + const load_balance_t *lb; + const dpo_id_t *choice; + + lb = load_balance_get (dpo.dpoi_index); if (lb->lb_n_buckets > 1) break; - dpo_copy (&dpo, load_balance_get_bucket_i (lb, 0)); + choice = load_balance_get_bucket_i (lb, 0); + + if (DPO_RECEIVE == choice->dpoi_type) + dpo_copy (&dpo, drop_dpo_get (choice->dpoi_proto)); + else + dpo_copy (&dpo, choice); } u32 encap_index = is_ip4 ? -- cgit 1.2.3-korg