From 737a135f6cd3fc2638ed4b5fe2039534a5d4f553 Mon Sep 17 00:00:00 2001
From: Divakar
Date: Tue, 22 Sep 2015 21:59:40 +0530
Subject: [PATCH] Replyin to ARP request of ECMP source only if VM is hosted

When an ARP request is received on compute node on fabric interface from an ECMP source, ARP response is sent with Vhost mac even though the ARP request is not meant for any VM on that compute node. Because of this, even if BMS pings another BMS, every compute node receiving this ARP request is responding with Vhost mac leading to ARP cache poisoning in BMS. As a fix, only if ARP request is meant for a VM on compute node, the response is sent with Vhost mac.

Change-Id: Iae8541c8404d6e6ce530f994b64b03dc0cd73170
closes-bug: #1491644
---
 dp-core/vr_datapath.c | 20 +++++++++++++-------
 dp-core/vr_proto_ip.c | 5 ++---
 2 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/dp-core/vr_datapath.c b/dp-core/vr_datapath.c
index f5438a6af..96f79f589 100644
--- a/dp-core/vr_datapath.c
+++ b/dp-core/vr_datapath.c
@@ -65,6 +65,12 @@ vr_get_proxy_mac(struct vr_packet *pkt, struct vr_forwarding_md *fmd,
 }
 }
+ /* If ECMP source, we force routing */
+ if (fmd->fmd_ecmp_src_nh_index != -1) {
+ resp_mac = vif->vif_mac;
+ fmd->fmd_ecmp_src_nh_index = -1;
+ }
+
 /*
 * situations that are handled here (from_fabric)
@@ -112,9 +118,8 @@ vr_get_proxy_mac(struct vr_packet *pkt, struct vr_forwarding_md *fmd,
 * the originator is a bare metal (fmd->fmd_src)
 */
 if (to_vcp || to_gateway ||
- ((nh) &&
- ((nh->nh_type == NH_ENCAP) ||
- (fmd->fmd_src == TOR_SOURCE)))) {
+ (nh && ((nh->nh_type == NH_ENCAP) ||
+ (fmd->fmd_src == TOR_SOURCE)))) {
 if (stats)
 stats->vrf_arp_physical_stitch++;
 } else {
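Review bot: The block added to vr_get_proxy_mac() in the first vr_datapath.c hunk treats any `fmd_ecmp_src_nh_index` other than -1 as "ARP from an ECMP source" and selects `vif->vif_mac`, yet the only marker visible in this patch is the 0 written by vm_arp_request() in vr_proto_ip.c. If the field can already hold a real ECMP component index when this function is reached (not visible here), the vhost MAC would be chosen for requests that were never marked, and answering with the vhost MAC for addresses not hosted on the node is the cache-poisoning behaviour the commit sets out to stop. A dedicated flag in the forwarding metadata would keep the index and the marker apart; failing that, the comment should state the contract, for example `/* 0 here is a marker set by vm_arp_request(), not a component index; consume it and reset to -1 */`. Whether a reply is actually sent is decided by the from_fabric logic that follows, which lies outside the hunk.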
@@ -123,11 +128,12 @@ vr_get_proxy_mac(struct vr_packet *pkt, struct vr_forwarding_md *fmd,
 return MR_FLOOD;
 }
 } else {
- /*
- * if there is no stitching information, but flood flag is set
- * we should flood
- */
+
 if (!stitched && flood) {
+ /*
+ * if there is no stitching information, but flood flag is set
+ * we should flood
+ */
 if (stats)
 stats->vrf_arp_virtual_flood++;
 return MR_FLOOD;
diff --git a/dp-core/vr_proto_ip.c b/dp-core/vr_proto_ip.c
index dffbe9bae..5b576cdb3 100644
--- a/dp-core/vr_proto_ip.c
+++ b/dp-core/vr_proto_ip.c
@@ -1082,9 +1082,8 @@ vm_arp_request(struct vr_interface *vif, struct vr_packet *pkt,
 if (!(rt.rtr_nh->nh_flags & NH_FLAG_COMPOSITE_ECMP))
 return MR_DROP;
- /* If ECMP, we need to route the L3 packets */
- VR_MAC_COPY(dmac, vif->vif_mac);
- return MR_PROXY;
+ /* Mark it as ecmp source. -1 is invalid */
+ fmd->fmd_ecmp_src_nh_index = 0;
 }
 rt.rtr_nh = NULL;
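Review bot: In the vr_proto_ip.c hunk, vm_arp_request() no longer writes `dmac` or returns on the ECMP path, so both the reply MAC and the verdict now come entirely from the code after `rt.rtr_nh = NULL;`, which is outside the hunk. If any later path returns MR_PROXY without passing through vr_get_proxy_mac(), `dmac` would not have been filled, and `fmd_ecmp_src_nh_index` would leave this function as 0, which downstream code may read as a valid component index; this should be confirmed against the rest of the function. The comment `-1 is invalid` does not say why 0 is written; something like `/* marker for vr_get_proxy_mac(): ARP from an ECMP source; reset to -1 there */` would state the handoff.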