Gitiles
Code Review Sign In
gerrit.opencord.org / openolt / 1935e6a868d79d127d39815047953e192cf19b0e^! / . / agent / src / core_data.cc
commit1935e6a868d79d127d39815047953e192cf19b0e[log] [tgz]
authorGirish Gowdra <girish@opennetworking.org>Sat Oct 31 21:48:22 2020 -0700
committerGirish Gowdra <girish@opennetworking.org>Thu Nov 12 09:08:57 2020 -0800
tree103c45bd0c9092414126e67a0e6c64ab27ffa830
parent4fd3067141fb527f78574979a000e305a3fcffb0 [diff] [blame]
VOL-3464: DHCP packets can be trapped to ONOS without Authentication

- ACLs can be sometimes have very broad classifiers to work around the limited number
  of ACLs that can be installed on the BAL. This would mean that unwanted
  packets can sometimes be trapped to host and could be used by the end user
  for DDoS attacks by sending spurious packets that match broad classifier BAL ACLs.
  This patch introduces some very low level checks on the trapped packets
  at the openolt agent application. The packets could be trapped at the application
  as a result of broad level BAL ACL classifiers, but the application
  does more low checks derived from VOLTHA flow and only then allows the packets to
  VOLTHA system if the low checks pass.
- Update BUILDING.md with details of installing PcapPlusPlus library.
- Bump version to 3.1.0

Change-Id: I53eee968c51659c31353eeb5d8d4e144a443c293

diff --git a/agent/src/core_data.cc b/agent/src/core_data.cc
index 1836263..ad66ae3 100644
--- a/agent/src/core_data.cc
+++ b/agent/src/core_data.cc

@@ -142,8 +142,8 @@
 
 bool operator<(const acl_classifier_key& a1, const acl_classifier_key& a2)
 {
-    return ((a1.ether_type + 2*a1.ip_proto + 3*a1.src_port + 4*a1.dst_port) <
-            (a2.ether_type + 2*a2.ip_proto + 3*a2.src_port + 4*a2.dst_port));
+    return ((a1.ether_type + 2*a1.ip_proto + 3*a1.src_port + 4*a1.dst_port + 5*a1.o_vid) <
+            (a2.ether_type + 2*a2.ip_proto + 3*a2.src_port + 4*a2.dst_port + 5*a2.o_vid));
 }
 
 typedef std::tuple<uint64_t, std::string> flow_id_flow_direction;
@@ -164,6 +164,19 @@
 typedef std::tuple<uint16_t, uint8_t, std::string> acl_id_intf_id_intf_type;
 std::map<acl_id_intf_id_intf_type, uint16_t> intf_acl_registration_ref_cnt;
 
+// Data structures to work around ACL limits on BAL -- start --
+
+// This flag is set as soon as ACL count reaches MAX_ACL_WITH_VLAN_CLASSIFIER is hit.
+// It is not reset when ACL count comes below MAX_ACL_WITH_VLAN_CLASSIFIER again
+bool max_acls_with_vlan_classifiers_hit = false;
+// Map of flow_id -> trap_to_host_pkt_info_with_vlan
+std::map<uint64_t, trap_to_host_pkt_info_with_vlan> trap_to_host_pkt_info_with_vlan_for_flow_id;
+// Map of trap_to_host_pkt_info -> cvid_list
+std::map<trap_to_host_pkt_info, std::list<uint16_t> > trap_to_host_vlan_ids_for_trap_to_host_pkt_info;
+
+// Data structures to work around ACL limits on BAL -- end --
+
+
 std::bitset<MAX_ACL_ID> acl_id_bitset;
 bcmos_fastlock acl_id_bitset_lock;
 
@@ -185,6 +198,8 @@
 std::map<uint64_t, device_flow> voltha_flow_to_device_flow;
 bcmos_fastlock voltha_flow_to_device_flow_lock;
 
+// Lock to protect critical section around handling data associated with ACL trap packet handling
+bcmos_fastlock acl_packet_trap_handler_lock;
 
 // General purpose lock used to gaurd critical section during various API handling at the core_api_handler
 bcmos_fastlock data_lock;