[qca-nss-sfe] Add source interface check validation

Change-Id: Ic2bbe856505c17c2d5c3c01edc21fda9bfba2e5c
Signed-off-by: Ratheesh Kannoth <quic_rkannoth@quicinc.com>
diff --git a/sfe_ipv6_udp.c b/sfe_ipv6_udp.c
index 9258ae7..9e32513 100644
--- a/sfe_ipv6_udp.c
+++ b/sfe_ipv6_udp.c
@@ -201,6 +201,24 @@
 	}
 
 	/*
+	 * Source interface validate.
+	 */
+	if (unlikely((cm->flags & SFE_IPV6_CONNECTION_MATCH_FLAG_SRC_INTERFACE_CHECK) && (cm->match_dev != dev))) {
+		struct sfe_ipv6_connection *c = cm->connection;
+		spin_lock_bh(&si->lock);
+		ret = sfe_ipv6_remove_connection(si, c);
+		spin_unlock_bh(&si->lock);
+
+		if (ret) {
+			sfe_ipv6_flush_connection(si, c, SFE_SYNC_REASON_FLUSH);
+		}
+		rcu_read_unlock();
+		sfe_ipv6_exception_stats_inc(si, SFE_IPV6_EXCEPTION_EVENT_INVALID_SRC_IFACE);
+		DEBUG_TRACE("flush on wrong source interface check failure\n");
+		return 0;
+	}
+
+	/*
 	 * If our packet has been marked as "flush on find" we can't actually
 	 * forward it in the fast path, but now that we've found an associated
 	 * connection we need sync its status before exception it to slow path.
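Review bot: The mismatch branch tears down the whole offloaded connection (`sfe_ipv6_remove_connection()` followed by `sfe_ipv6_flush_connection()`) because of a single packet whose tuple matches but whose `dev` differs from `cm->match_dev`, and a UDP tuple carries no authentication. If a sender reachable through another interface can produce such a packet, the legitimate flow is evicted from the fast path each time and must be re-offloaded through the slow path; whether that is the intended policy is not visible from this hunk. Consider leaving the connection in place and only excepting the offending packet (keep `rcu_read_unlock();`, the `SFE_IPV6_EXCEPTION_EVENT_INVALID_SRC_IFACE` increment and `return 0;`), or at least replace the terse `Source interface validate.` comment with the reasoning, e.g. `/* Packet arrived on a device other than the one this connection was offloaded on; flush so the slow path re-evaluates the flow. */`. The enclosing function starts and ends outside the hunk, so the declaration of `ret` and the matching `rcu_read_lock()` cannot be checked here.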