ip6-nd: Solicitation reply only if target is our link-local 70/31870/2
authorNeale Ranns <neale@graphiant.com>
Fri, 2 Apr 2021 07:34:39 +0000 (07:34 +0000)
committerMatthew Smith <mgsmith@netgate.com>
Mon, 5 Apr 2021 00:56:47 +0000 (00:56 +0000)
Type: fix

The fib source IP6_ND is used for all link-local entries, hence
solicitation responses were sent for a peer's address. Constrain the
source check to also include the LOCAL flag, which indicates that the
link-local address is ours.

Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Iba7e66049e4d89ee3f36d77aeb09310b978d70de

src/vnet/ip6-nd/ip6_nd.c
test/test_ip6.py

index 917abdd..311cbf7 100644 (file)
@@ -215,10 +215,15 @@ icmp6_neighbor_solicitation_or_advertisement (vlib_main_t * vm,
                          /* It's an address that belongs to one of our interfaces
                           * that's good. */
                        }
-                     else
-                       if (fib_entry_is_sourced
-                           (fei, FIB_SOURCE_IP6_ND_PROXY) ||
-                           fib_entry_is_sourced (fei, FIB_SOURCE_IP6_ND))
+                     else if (FIB_ENTRY_FLAG_LOCAL &
+                              fib_entry_get_flags_for_source (
+                                fei, FIB_SOURCE_IP6_ND))
+                       {
+                         /* It's one of our link local addresses
+                          * that's good. */
+                       }
+                     else if (fib_entry_is_sourced (fei,
+                                                    FIB_SOURCE_IP6_ND_PROXY))
                        {
                          /* The address was added by IPv6 Proxy ND config.
                           * We should only respond to these if the NS arrived on
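Review bot: The comment on the new branch `else if (FIB_ENTRY_FLAG_LOCAL & fib_entry_get_flags_for_source (fei, FIB_SOURCE_IP6_ND))` says what matched but not why the flag is tested, and that reason is the whole fix. I would extend it to `/* FIB_SOURCE_IP6_ND sources every link-local entry, peers' included; only the LOCAL flag marks the address as ours. */` so a later cleanup does not fold the test back into `fib_entry_is_sourced`. An entry sourced by IP6_ND without the flag now falls to whatever follows the proxy branch, which lies outside this hunk. It is worth confirming that this path drops the solicitation and bumps an error counter, because an advertisement sent for a neighbour's address would misdirect that neighbour's traffic, and a silent drop gives operators nothing to monitor.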
index 8abd8d6..7635a01 100644 (file)
@@ -504,6 +504,18 @@ class TestIPv6(TestIPv6ND):
                                 dst_ip=self.pg0._remote_hosts[3].ip6_ll,
                                 tgt_ip=self.pg0.local_ip6_ll)
 
+        #
+        # do not respond to a NS for the peer's address
+        #
+        p = (Ether(dst=in6_getnsmac(nsma), src=self.pg0.remote_mac) /
+             IPv6(dst=d,
+                  src=self.pg0._remote_hosts[3].ip6_ll) /
+             ICMPv6ND_NS(tgt=self.pg0._remote_hosts[3].ip6_ll) /
+             ICMPv6NDOptSrcLLAddr(
+                 lladdr=self.pg0.remote_mac))
+
+        self.send_and_assert_no_replies(self.pg0, p)
+
         #
         # we should have learned an ND entry for the peer's link-local
         # but not inserted a route to it in the FIB
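Review bot: The added case asserts only on silence, so `send_and_assert_no_replies` would also pass if the solicitation were discarded before the new LOCAL-flag check is reached. `d` and `nsma` are defined outside the hunk; if they were derived from `self.pg0.local_ip6_ll`, the packet is addressed to a solicited-node group that does not match its `tgt`, which makes that alternative explanation more likely. I would either derive the destination from the target address, or say in the comment that the reuse is deliberate, e.g. `# dst/nsma reused from the previous case; only tgt differs`. Checking the node's drop counter after the send, if the test framework exposes one, would tie the result to the intended code path.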