while (n_left_from > 0 && n_left_to_next > 0)
{
u32 bi0, sw_if_index0, fib_index0, lbi0;
+ const gbp_endpoint_t *ge0, *ge_lpm0;
gbp_lpm_classify_next_t next0;
const ethernet_header_t *eh0;
const gbp_policy_dpo_t *gpd0;
const ip4_address_t *ip4_0;
const ip6_address_t *ip6_0;
- const gbp_endpoint_t *ge0;
const gbp_recirc_t *gr0;
const dpo_id_t *dpo0;
load_balance_t *lb0;
if (ip4_0)
{
- ge0 = gbp_endpoint_find_ip4 (ip4_0, fib_index0);
+ ge_lpm0 = gbp_endpoint_find_ip4 (ip4_0, fib_index0);
}
else if (ip6_0)
{
- ge0 = gbp_endpoint_find_ip6 (ip6_0, fib_index0);
+ ge_lpm0 = gbp_endpoint_find_ip6 (ip6_0, fib_index0);
}
else
{
- ge0 = NULL;
+ ge_lpm0 = NULL;
}
next0 = vnet_l2_feature_next
* if we found the EP by IP lookup, it must be from the EP
* not a network behind it
*/
- if (NULL != ge0)
+ if (NULL != ge_lpm0)
{
- sclass0 = ge0->ge_fwd.gef_sclass;
+ if (PREDICT_FALSE (ge0 != ge_lpm0))
+ {
+ /* an EP spoofing another EP */
+ sclass0 = SCLASS_INVALID;
+ next0 = GPB_LPM_CLASSIFY_DROP;
+ }
+ else
+ {
+ sclass0 = ge0->ge_fwd.gef_sclass;
+ }
goto trace;
}
}
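Review bot: `ge0` is compared with `ge_lpm0` in the added `if (PREDICT_FALSE (ge0 != ge_lpm0))`, but no assignment to `ge0` is visible in these hunks, so the check is only sound if every path reaching it has already set `ge0` from the ingress lookup (presumably by MAC or interface; confirm). If `ge0` can be NULL here for a sender that has not been learned yet, that packet is also dropped as a spoof, and the comment should say so if intended: `/* source IP belongs to a different EP than the sender (or the sender is unknown): drop */`. The drop is visible only through the trace path; a dedicated node error counter on this branch would let operators detect spoofing attempts without enabling tracing. The enclosing loop body starts and ends outside the hunk.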
mac=None)
rep.add_vpp_config()
+ #
+ # EP1 impersonating EP3 is dropped
+ #
+ p = (Ether(src=eep1.mac, dst="ff:ff:ff:ff:ff:ff") /
+ Dot1Q(vlan=100) /
+ ARP(op="who-has",
+ psrc="10.0.0.3", pdst="10.0.0.128",
+ hwsrc=eep1.mac, hwdst="ff:ff:ff:ff:ff:ff"))
+ self.send_and_assert_no_replies(self.pg0, p)
+
#
# ARP packet from External EPs are accepted and replied to
#
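Review bot: The new spoofing test hard-codes `psrc="10.0.0.3"`, whereas a later hunk on this page switches its ARP packet to `eep3.ip4.address`; using `psrc=eep3.ip4.address` here as well would keep the test impersonating EP3 if the fixture address changes. Only the IPv4 ARP path is exercised, while the C change also guards the `gbp_endpoint_find_ip6` branch, so a matching case with EP1 sending from EP3's IPv6 source address would cover the other half of the check. A positive control next to it (EP1 sending with its own address and still getting a reply) would show that the drop is caused by the source mismatch rather than by something else in the setup. The test method starts and ends outside the hunk.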
#
# ARP packet from host in remote subnet are accepted and replied to
#
- p_arp = (Ether(src=vlan_102.remote_mac, dst="ff:ff:ff:ff:ff:ff") /
+ p_arp = (Ether(src=eep3.mac, dst="ff:ff:ff:ff:ff:ff") /
Dot1Q(vlan=102) /
ARP(op="who-has",
- psrc="10.0.0.17", pdst="10.0.0.128",
- hwsrc=vlan_102.remote_mac, hwdst="ff:ff:ff:ff:ff:ff"))
+ psrc=eep3.ip4.address, pdst="10.0.0.128",
+ hwsrc=eep3.mac, hwdst="ff:ff:ff:ff:ff:ff"))
rxs = self.send_and_expect(self.pg0, p_arp * 1, self.pg0)
#