Add checks for bad ARP request packets in arp-termination node
Check ARP request packet with bad requester MAC/IP address and
drop these packets. Also removed useless VRRP check in the node.
Change-Id: I2c8a774d291928eb623b3a515f1edf7e338fa760
Signed-off-by: John Lo <loj@cisco.com>
diff --git a/src/vnet/ethernet/arp.c b/src/vnet/ethernet/arp.c
index a17f7da..c6f9324 100644
--- a/src/vnet/ethernet/arp.c
+++ b/src/vnet/ethernet/arp.c
@@ -2324,7 +2324,6 @@
u16 bd_index0;
u32 ip0;
u8 *macp0;
- u8 is_vrrp_reply0;
pi0 = from[0];
to_next[0] = pi0;
@@ -2373,24 +2372,22 @@
if (error0)
goto drop;
- is_vrrp_reply0 =
- ((arp0->opcode ==
- clib_host_to_net_u16 (ETHERNET_ARP_OPCODE_reply))
- &&
- (!memcmp
- (arp0->ip4_over_ethernet[0].ethernet, vrrp_prefix,
- sizeof (vrrp_prefix))));
-
/* Trash ARP packets whose ARP-level source addresses do not
- match their L2-frame-level source addresses, unless it's
- a reply from a VRRP virtual router */
+ match, or if requester address is mcast */
if (PREDICT_FALSE
(memcmp (eth0->src_address, arp0->ip4_over_ethernet[0].ethernet,
- sizeof (eth0->src_address)) && !is_vrrp_reply0))
+ sizeof (eth0->src_address)) ||
+ ethernet_address_cast (arp0->ip4_over_ethernet[0].ethernet)))
{
error0 = ETHERNET_ARP_ERROR_l2_address_mismatch;
goto drop;
}
+ if (PREDICT_FALSE
+ (ip4_address_is_multicast (&arp0->ip4_over_ethernet[0].ip4)))
+ {
+ error0 = ETHERNET_ARP_ERROR_l3_src_address_not_local;
+ goto drop;
+ }
/* Check if anyone want ARP request events for L2 BDs */
{