Replyin to ARP request of ECMP source only if VM is hosted

When an ARP request is received on compute node on fabric interface from an ECMP source, ARP response is sent with Vhost mac even though the ARP request is not meant for any VM on that compute node. Because of this, even if BMS pings another BMS, every compute node receiving this ARP request is responding with Vhost mac leading to ARP cache poisoning in BMS. As a fix, only if ARP request is meant for a VM on compute node, the response is sent with Vhost mac. Change-Id: Iae8541c8404d6e6ce530f994b64b03dc0cd73170 closes-bug: #1491644
Juniper · Feb 20, 2016 · 737a135 · 737a135
1 parent e4190d9
commit 737a135
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 10 deletions.
diff --git a/dp-core/vr_datapath.c b/dp-core/vr_datapath.c
@@ -65,6 +65,12 @@ vr_get_proxy_mac(struct vr_packet *pkt, struct vr_forwarding_md *fmd,
         }
     }
 
+     /* If ECMP source, we force routing */
+     if (fmd->fmd_ecmp_src_nh_index != -1) {
+         resp_mac = vif->vif_mac;
+         fmd->fmd_ecmp_src_nh_index = -1;
+     }
+
 
     /*
      * situations that are handled here (from_fabric)
@@ -112,9 +118,8 @@ vr_get_proxy_mac(struct vr_packet *pkt, struct vr_forwarding_md *fmd,
          * the originator is a bare metal (fmd->fmd_src)
          */
         if (to_vcp || to_gateway ||
-                ((nh) &&
-                 ((nh->nh_type == NH_ENCAP) ||
-                  (fmd->fmd_src == TOR_SOURCE)))) {
+                (nh && ((nh->nh_type == NH_ENCAP) ||
+                (fmd->fmd_src == TOR_SOURCE)))) {
             if (stats)
                 stats->vrf_arp_physical_stitch++;
         } else {
@@ -123,11 +128,12 @@ vr_get_proxy_mac(struct vr_packet *pkt, struct vr_forwarding_md *fmd,
             return MR_FLOOD;
         }
     } else {
-        /*
-         * if there is no stitching information, but flood flag is set
-         * we should flood
-         */
+
         if (!stitched && flood) {
+            /*
+             * if there is no stitching information, but flood flag is set
+             * we should flood
+             */
             if (stats)
                 stats->vrf_arp_virtual_flood++;
             return MR_FLOOD;

diff --git a/dp-core/vr_proto_ip.c b/dp-core/vr_proto_ip.c
@@ -1082,9 +1082,8 @@ vm_arp_request(struct vr_interface *vif, struct vr_packet *pkt,
             if (!(rt.rtr_nh->nh_flags & NH_FLAG_COMPOSITE_ECMP))
                 return MR_DROP;
 
-            /* If ECMP, we need to route the L3 packets */
-            VR_MAC_COPY(dmac, vif->vif_mac);
-            return MR_PROXY;
+            /* Mark it as ecmp source. -1 is invalid */
+            fmd->fmd_ecmp_src_nh_index = 0;
         }
 
         rt.rtr_nh = NULL;