From c47b97ddacc35cb10e4a2b0dcfff3e690ec5bf76 Mon Sep 17 00:00:00 2001
From: Benoît Ganne
Date: Thu, 6 Jun 2019 17:53:21 +0200
Subject: gbp: enforce same endpoint mac and ip src
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
During packet classification, make sure packets coming from an EP also matches this specific EP IP address and vice-versa. This prevents and EP to send a packet on behalf of another EP.
Type: fix
Change-Id: I30287644ec73b90d9b6913952a82b2baedf6a5ff
Signed-off-by: Benoît Ganne
---
 test/test_gbp.py | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
(limited to 'test/test_gbp.py')
diff --git a/test/test_gbp.py b/test/test_gbp.py
index cc26238276a..ac0fb222633 100644
--- a/test/test_gbp.py
+++ b/test/test_gbp.py
@@ -3617,6 +3617,16 @@ class TestGBP(VppTestCase):
 mac=None)
 rep.add_vpp_config()

+ #
+ # EP1 impersonating EP3 is dropped
+ #
+ p = (Ether(src=eep1.mac, dst="ff:ff:ff:ff:ff:ff") /
+ Dot1Q(vlan=100) /
+ ARP(op="who-has",
+ psrc="10.0.0.3", pdst="10.0.0.128",
+ hwsrc=eep1.mac, hwdst="ff:ff:ff:ff:ff:ff"))
+ self.send_and_assert_no_replies(self.pg0, p)
+
 #
 # ARP packet from External EPs are accepted and replied to
 #
@@ -3630,11 +3640,11 @@ class TestGBP(VppTestCase):
 #
 # ARP packet from host in remote subnet are accepted and replied to
 #
- p_arp = (Ether(src=vlan_102.remote_mac, dst="ff:ff:ff:ff:ff:ff") /
+ p_arp = (Ether(src=eep3.mac, dst="ff:ff:ff:ff:ff:ff") /
 Dot1Q(vlan=102) /
 ARP(op="who-has",
- psrc="10.0.0.17", pdst="10.0.0.128",
- hwsrc=vlan_102.remote_mac, hwdst="ff:ff:ff:ff:ff:ff"))
+ psrc=eep3.ip4.address, pdst="10.0.0.128",
+ hwsrc=eep3.mac, hwdst="ff:ff:ff:ff:ff:ff"))
 rxs = self.send_and_expect(self.pg0, p_arp * 1, self.pg0)

 #
-- cgit 1.2.3-korg
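Review bot: The impersonation case added after `rep.add_vpp_config()` hard-codes the spoofed address as `psrc="10.0.0.3"`, whereas the second hunk of this commit takes EP3's address from `eep3.ip4.address`. If the literal ever drifts from EP3's configured address, `send_and_assert_no_replies` may still pass for an unrelated reason and the source-binding check is no longer exercised. Assuming `eep3` is already defined at this point (its definition is outside the hunk), `psrc=eep3.ip4.address, pdst="10.0.0.128",` ties the case to the endpoint the comment names. The commit message says the MAC/IP binding is enforced "and vice-versa", but only the EP1-MAC-with-EP3-IP direction is sent here. A mirrored packet (EP3's MAC with EP1's IP) and a check that the drop is attributed to the source check rather than merely unanswered would pin the fix more tightly.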
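Review bot: The comment above `p_arp` still reads "ARP packet from host in remote subnet are accepted and replied to", but the packet is now sourced from EP3's own `eep3.mac` and `eep3.ip4.address`, so the comment appears stale. Something like `# ARP packet from EP3 with matching MAC and IP is accepted and replied to` would describe what is sent. The previous input (`psrc="10.0.0.17"` with `vlan_102.remote_mac`) is no longer exercised anywhere in the visible hunks. If that source is not a registered endpoint and is now expected to be dropped, an explicit `send_and_assert_no_replies` case for it would document the new policy instead of losing the coverage silently. The enclosing test method starts and ends outside this hunk, so whether that case is covered elsewhere cannot be confirmed from here.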