commit 1935e6a868d79d127d39815047953e192cf19b0e
author Girish Gowdra <girish@opennetworking.org> Sat Oct 31 21:48:22 2020 -0700
committer Girish Gowdra <girish@opennetworking.org> Thu Nov 12 09:08:57 2020 -0800
tree 103c45bd0c9092414126e67a0e6c64ab27ffa830
parent 4fd3067141fb527f78574979a000e305a3fcffb0

VOL-3464: DHCP packets can be trapped to ONOS without Authentication

- ACLs can be sometimes have very broad classifiers to work around the limited number
  of ACLs that can be installed on the BAL. This would mean that unwanted
  packets can sometimes be trapped to host and could be used by the end user
  for DDoS attacks by sending spurious packets that match broad classifier BAL ACLs.
  This patch introduces some very low level checks on the trapped packets
  at the openolt agent application. The packets could be trapped at the application
  as a result of broad level BAL ACL classifiers, but the application
  does more low checks derived from VOLTHA flow and only then allows the packets to
  VOLTHA system if the low checks pass.
- Update BUILDING.md with details of installing PcapPlusPlus library.
- Bump version to 3.1.0

Change-Id: I53eee968c51659c31353eeb5d8d4e144a443c293

agent/src/indications.cc

diff --git a/agent/src/indications.cc b/agent/src/indications.cc
index 03f81fe..0583ddb 100644
--- a/agent/src/indications.cc
+++ b/agent/src/indications.cc
@@ -490,18 +490,28 @@
 
 static void PacketIndication(bcmolt_devid olt, bcmolt_msg *msg) {
     openolt::Indication ind;
-    openolt::PacketIndication* pkt_ind = new openolt::PacketIndication;
 
     switch (msg->obj_type) {
         case BCMOLT_OBJ_ID_ACCESS_CONTROL:
             switch (msg->subgroup) {
                 case BCMOLT_ACCESS_CONTROL_AUTO_SUBGROUP_RECEIVE_ETH_PACKET:
                 {
+                    int32_t gemport_id;
                     bcmolt_access_control_receive_eth_packet *pkt =
                         (bcmolt_access_control_receive_eth_packet*)msg;
                     bcmolt_access_control_receive_eth_packet_data *pkt_data =
                         &((bcmolt_access_control_receive_eth_packet*)msg)->data;
 
+                    // Set the gemport_id to be passed to is_packet_allowed function
+                    gemport_id = pkt_data->svc_port_id == BCMOLT_SERVICE_PORT_ID_INVALID ? -1 : pkt_data->svc_port_id;
+
+                    // Allow the packet to host only if "is_packet_allowed" routine returns true, else drop the packet.
+                    if (! is_packet_allowed(pkt_data, gemport_id) ) {
+                        OPENOLT_LOG(WARNING, openolt_log_id, "packet not allowed to host\n");
+                        bcmolt_msg_free(msg);
+                        return;
+                    }
+                    openolt::PacketIndication* pkt_ind = new openolt::PacketIndication;
                     pkt_ind->set_intf_type(bcmolt_to_grpc_interface_rf__intf_type(
                                             (bcmolt_interface_type)pkt_data->interface_ref.intf_type));
                     pkt_ind->set_intf_id((bcmolt_interface_id)pkt_data->interface_ref.intf_id);
@@ -513,8 +523,8 @@
                         OPENOLT_LOG(INFO, openolt_log_id, "packet indication, ingress intf_type %s, ingress intf_id %d, gem_port %d\n",
                             pkt_ind->intf_type().c_str(), pkt_ind->intf_id(), pkt_data->svc_port_id);
                     } else if (pkt_data->interface_ref.intf_type == BCMOLT_INTERFACE_TYPE_NNI ) {
-                        OPENOLT_LOG(INFO, openolt_log_id, "packet indication, ingress intf_type %s, ingress intf_id %d\n",
-                            pkt_ind->intf_type().c_str(), pkt_ind->intf_id());
+                        OPENOLT_LOG(INFO, openolt_log_id, "packet indication, ingress intf_type %s, ingress intf_id %d, gem_port %d \n",
+                            pkt_ind->intf_type().c_str(), pkt_ind->intf_id(), pkt_data->svc_port_id);
                     }
                 }
             }