
Commit 93f10f1

authored
Merge pull request #2331 from anarkiwi/master
Verify ICMPv6 payload type.
2 parents 9203940 + 054871d commit 93f10f1

1 file changed

+29
-26
lines changed

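--- a/faucet/valve_route.py
+++ b/faucet/valve_route.py
@@ -820,35 +820,37 @@ def _add_faucet_fib_to_vip(self, vlan, priority, faucet_vip, faucet_vip_host):
 
 def _nd_solicit_handler(self, now, pkt_meta, _ipv6_pkt, icmpv6_pkt, src_ip, _dst_ip):
 ofmsgs = []
-solicited_ip = ipaddress.ip_address(btos(icmpv6_pkt.data.dst))
-vlan = pkt_meta.vlan
-if vlan.is_faucet_vip(solicited_ip):
-if self._stateful_gw(vlan, src_ip):
-ofmsgs.extend(
-self._add_host_fib_route(vlan, src_ip, blackhole=False))
-ofmsgs.extend(self._update_nexthop(
-now, vlan, pkt_meta.port, pkt_meta.eth_src, src_ip))
-ofmsgs.append(
-vlan.pkt_out_port(
-valve_packet.nd_advert, pkt_meta.port,
-vlan.faucet_mac, pkt_meta.eth_src,
-solicited_ip, src_ip))
-self.logger.info(
-'Responded to ND solicit for %s from %s' % (
-solicited_ip, pkt_meta.log()))
+if isinstance(icmpv6_pkt.data, icmpv6.nd_neighbor):
+solicited_ip = ipaddress.ip_address(btos(icmpv6_pkt.data.dst))
+vlan = pkt_meta.vlan
+if vlan.is_faucet_vip(solicited_ip):
+if self._stateful_gw(vlan, src_ip):
+ofmsgs.extend(
+self._add_host_fib_route(vlan, src_ip, blackhole=False))
+ofmsgs.extend(self._update_nexthop(
+now, vlan, pkt_meta.port, pkt_meta.eth_src, src_ip))
+ofmsgs.append(
+vlan.pkt_out_port(
+valve_packet.nd_advert, pkt_meta.port,
+vlan.faucet_mac, pkt_meta.eth_src,
+solicited_ip, src_ip))
+self.logger.info(
+'Responded to ND solicit for %s from %s' % (
+solicited_ip, pkt_meta.log()))
 return ofmsgs
 
 def _nd_advert_handler(self, now, pkt_meta, _ipv6_pkt, icmpv6_pkt, _src_ip, _dst_ip):
 ofmsgs = []
-target_ip = ipaddress.ip_address(btos(icmpv6_pkt.data.dst))
-vlan = pkt_meta.vlan
-if vlan.ip_in_vip_subnet(target_ip):
-if self._stateful_gw(vlan, target_ip):
-ofmsgs.extend(self._update_nexthop(
-now, vlan, pkt_meta.port, pkt_meta.eth_src, target_ip))
-self.logger.info(
-'Received ND advert for %s from %s' % (
-target_ip, pkt_meta.log()))
+if isinstance(icmpv6_pkt.data, icmpv6.nd_neighbor):
+target_ip = ipaddress.ip_address(btos(icmpv6_pkt.data.dst))
+vlan = pkt_meta.vlan
+if vlan.ip_in_vip_subnet(target_ip):
+if self._stateful_gw(vlan, target_ip):
+ofmsgs.extend(self._update_nexthop(
+now, vlan, pkt_meta.port, pkt_meta.eth_src, target_ip))
+self.logger.info(
+'Received ND advert for %s from %s' % (
+target_ip, pkt_meta.log()))
 return ofmsgs
 
 def _router_solicit_handler(self, _now, pkt_meta, _ipv6_pkt, _icmpv6_pkt, src_ip, _dst_ip):
@@ -872,7 +874,8 @@ def _echo_request_handler(self, _now, pkt_meta, ipv6_pkt, icmpv6_pkt, src_ip, ds
 ofmsgs = []
 vlan = pkt_meta.vlan
 if (vlan.from_connected_to_vip(src_ip, dst_ip) and
-pkt_meta.eth_dst == vlan.faucet_mac):
+pkt_meta.eth_dst == vlan.faucet_mac and
+isinstance(icmpv6_pkt.data, icmpv6.echo)):
 ofmsgs.append(
 vlan.pkt_out_port(
 valve_packet.icmpv6_echo_reply, pkt_meta.port,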
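Review bot: A packet whose ICMPv6 type and parsed payload disagree is now discarded with no trace: when the new `isinstance(icmpv6_pkt.data, icmpv6.nd_neighbor)` test in `_nd_solicit_handler` or `_nd_advert_handler` fails, the handler just returns the empty `ofmsgs`, and the same appears to hold for the `icmpv6.echo` test added to `_echo_request_handler`, whose body continues outside the hunk. Since these packets arrive from hosts on the VLAN, an operator would want to see that malformed ND or echo traffic is being received, so I would add a low-volume signal on the reject path, for example `self.logger.debug('ICMPv6 payload type mismatch from %s' % pkt_meta.log())` or a counter, rather than an info-level line per packet that a single host could use to flood the log. The commit changes only `faucet/valve_route.py`, so no regression test is visible; a unit test that feeds each handler a packet whose payload is not the expected class would keep the guard from being lost in a later refactor.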
