| author | Han Zhou <zhouhan@gmail.com> | 2018-08-19 22:27:30 -0700 |
|---|---|---|
| committer | Ben Pfaff <blp@ovn.org> | 2018-08-21 11:28:20 -0700 |
| commit | 054008ad493b26e8254e6aa03e4539b46d7ec218 (patch) | |
| tree | e54580969507a91338e89cd9fc3e2699a8ff7aee /tests | |
| parent | 6f016174429e55409fffa78c5ce0133cc6a535a1 (diff) | |
ovn-northd: LR respond ARP from valid subnet only.
Currently ovn LR datapath responds to ARP requests even if the ARP
requestor's src IP doesn't belong to the LR port's subnets. This
may generate unnecessary ARP responses and there could also be
security concerns. This patch restricts the ARP response only if
the requestor's IP matches the LR port's subnets.
Signed-off-by: Han Zhou <hzhou8@ebay.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/ovn.at | 23 |
1 files changed, 17 insertions, 6 deletions
diff --git a/tests/ovn.at b/tests/ovn.at index 6165d69c0..df1b004ea 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -2671,9 +2671,9 @@ test_arp() { # 5. Router replies to query for its MAC address from any random IP address # in its subnet. # -# 6. Router replies to query for its MAC address from another subnet. +# 6. No reply to query for IP address other than router IP. # -# 7. No reply to query for IP address other than router IP. +# 7. No reply to query from another subnet. for i in 1 2 3; do for j in 1 2 3; do for k in 1 2 3; do @@ -2682,10 +2682,21 @@ for i in 1 2 3; do rip=`ip_to_hex 192 168 $i$j 254` # Router IP rmac=00000000ff$i$j # Router MAC otherip=`ip_to_hex 192 168 $i$j 55` # Some other IP in subnet - test_arp $i$j$k $smac $sip $rip $rmac #4 - test_arp $i$j$k $smac $otherip $rip $rmac #5 - test_arp $i$j$k $smac 0a123456 $rip $rmac #6 - test_arp $i$j$k $smac $sip $otherip #7 + externalip=`ip_to_hex 1 2 3 4` # Some other IP not in subnet + + test_arp $i$j$k $smac $sip $rip $rmac #4 + test_arp $i$j$k $smac $otherip $rip $rmac #5 + test_arp $i$j$k $smac $sip $otherip #6 + + # When rip is 192.168.33.254, ARP request from externalip won't be + # filtered, because 192.168.33.254 is configured to switch peer port + # for lrp33. + lrp33_rsp= + if test $i = 3 && test $j = 3; then + lrp33_rsp=$rmac + fi + test_arp $i$j$k $smac $externalip $rip $lrp33_rsp #7 + done done done |
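Review bot: In the first hunk, the renumbered step "# 7. No reply to query from another subnet." no longer matches what the second hunk actually tests, because the lrp33 case (router IP 192.168.33.254, configured as the switch peer port) is expected to reply with $rmac. Suggest extending the comment to state the exception, e.g. "# 7. No reply to query from another subnet, except for lrp33 whose IP is a switch peer port.", so the numbered list at the top of test_arp's usage stays an accurate summary of the cases.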
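Review bot: In the second hunk, the no-reply form of case #7 depends on `$lrp33_rsp` being unquoted so that an empty value collapses the call to six arguments, the same shape #6 uses for "no reply"; that is easy to break by later quoting the variable, so a short comment next to `lrp33_rsp=` noting that an empty value means "expect no reply" would help. The justification "192.168.33.254 is configured to switch peer port for lrp33" refers to setup that is not visible in this hunk; naming the place in ovn.at where that peer port is configured would let a future change to the topology be traced back to this expectation. Minor style point: `externalip=\`ip_to_hex 1 2 3 4\`` does not depend on $i, $j or $k and could be hoisted above the loops.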