[qca-nss-sfe] Add source interface check validation
Change-Id: Ic2bbe856505c17c2d5c3c01edc21fda9bfba2e5c
Signed-off-by: Ratheesh Kannoth <quic_rkannoth@quicinc.com>
diff --git a/sfe_ipv4_udp.c b/sfe_ipv4_udp.c
index cd6c72b..313d6ff 100644
--- a/sfe_ipv4_udp.c
+++ b/sfe_ipv4_udp.c
@@ -131,6 +131,7 @@
bool hw_csum;
int err;
bool bridge_flow;
+ int ret;
/*
* Is our packet too short to contain a valid UDP header?
@@ -184,7 +185,25 @@
}
/*
- * If our packet has beern marked as "sync on find" we can't actually
+ * Source interface validate.
+ */
+ if (unlikely((cm->flags & SFE_IPV4_CONNECTION_MATCH_FLAG_SRC_INTERFACE_CHECK) && (cm->match_dev != dev))) {
+ struct sfe_ipv4_connection *c = cm->connection;
+ spin_lock_bh(&si->lock);
+ ret = sfe_ipv4_remove_connection(si, c);
+ spin_unlock_bh(&si->lock);
+
+ if (ret) {
+ sfe_ipv4_flush_connection(si, c, SFE_SYNC_REASON_FLUSH);
+ }
+ rcu_read_unlock();
+ sfe_ipv4_exception_stats_inc(si, SFE_IPV4_EXCEPTION_EVENT_INVALID_SRC_IFACE);
+ DEBUG_TRACE("flush on wrong source interface check failure\n");
+ return 0;
+ }
+
+ /*
+ * If our packet has beern marked as "flush on find" we can't actually
* forward it in the fast path, but now that we've found an associated
* connection we need sync its status before exception it to slow path.
*/
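Review bot: The new branch removes and flushes the whole connection when a packet matching the tuple arrives on a device other than `cm->match_dev`, so a single mismatched UDP packet evicts an established flow from the fast path, and the comment `Source interface validate.` does not say whether that is intended. If it is, state the rationale in the comment, for example `/* Tuple matched but the packet came in on an unexpected device: the cached entry may be stale, so tear it down and let the slow path re-evaluate the flow. */`. If teardown is not required, keeping only the `sfe_ipv4_exception_stats_inc()` call and `return 0` would except the packet without letting off-path traffic disturb the offloaded entry. `ret` is declared `int` in the first hunk but used only as a truth value; if `sfe_ipv4_remove_connection()` returns `bool` (its prototype is not visible here), `bool ret;` would match. The enclosing function starts and ends outside both hunks, so the RCU and lock pairing on the other exit paths could not be checked.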