From f74cc08998291114d9bc20fa933222f1fca87e0e Mon Sep 17 00:00:00 2001
From: Hongliang Liu
Date: Thu, 10 Aug 2023 09:16:09 +0800
Subject: [PATCH] Refine the default flow in ARPSpoofGuardTable

The current default flow in ARPSpoofGuardTable forwards packets to ARPResponderTable, which is ineffective in preventing ARP spoofing. To rectify this, the proposed solution is to modify the action of the default flow within ARPSpoofGuardTable to drop the packets.

Signed-off-by: Hongliang Liu
---
 pkg/agent/openflow/pipeline.go | 2 +-
 pkg/agent/openflow/pipeline_test.go | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkg/agent/openflow/pipeline.go b/pkg/agent/openflow/pipeline.go
index 4a871daa8b9..659f69269fd 100644
--- a/pkg/agent/openflow/pipeline.go
+++ b/pkg/agent/openflow/pipeline.go
@@ -116,7 +116,7 @@ var (
 // Tables of pipelineARP are declared below.
 // Tables in stageValidation:
- ARPSpoofGuardTable = newTable("ARPSpoofGuard", stageValidation, pipelineARP)
+ ARPSpoofGuardTable = newTable("ARPSpoofGuard", stageValidation, pipelineARP, defaultDrop)
 // Tables in stageOutput:
 ARPResponderTable = newTable("ARPResponder", stageOutput, pipelineARP)
diff --git a/pkg/agent/openflow/pipeline_test.go b/pkg/agent/openflow/pipeline_test.go
index 08b27cb4ded..b7cd157a2cc 100644
--- a/pkg/agent/openflow/pipeline_test.go
+++ b/pkg/agent/openflow/pipeline_test.go
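Review bot: With `defaultDrop` on ARPSpoofGuardTable (the `+` line), any ARP packet that no higher-priority flow in that table matches is now silently discarded, so every ingress port that must speak ARP — presumably the gateway, tunnel/uplink and external-node interfaces as well as Pod ports — now depends on an explicit admit flow being installed in this table; those installers are outside this hunk and should be checked before merging, since a missing one now shows up as lost ARP rather than as an open guard. The description's claim that the old goto-ARPResponder default was "ineffective" holds only for ports without a guard flow, and the new invariant deserves a comment on the declaration, e.g. `// ARPSpoofGuardTable admits ARP only through per-port spoof-guard flows; the default flow drops everything else.` The `var (` block enclosing this declaration begins outside the hunk.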
@@ -87,7 +87,7 @@ func pipelineDefaultFlows(externalNodeEnabled, isEncap, isIPv4 bool) []string {
 flows = append(flows,
 "cookie=0x1000000000000, table=PipelineRootClassifier, priority=200,arp actions=goto_table:ARPSpoofGuard",
 "cookie=0x1000000000000, table=PipelineRootClassifier, priority=200,ip actions=goto_table:Classifier",
- "cookie=0x1000000000000, table=ARPSpoofGuard, priority=0 actions=goto_table:ARPResponder",
+ "cookie=0x1000000000000, table=ARPSpoofGuard, priority=0 actions=drop",
 "cookie=0x1000000000000, table=ARPResponder, priority=0 actions=drop",
 "cookie=0x1000000000000, table=PipelineIPClassifier, priority=210,ip,nw_dst=224.0.0.0/4 actions=resubmit:MulticastEgressRule",
 "cookie=0x1000000000000, table=PipelineIPClassifier, priority=0 actions=goto_table:UnSNAT",
@@ -111,7 +111,7 @@ func pipelineDefaultFlows(externalNodeEnabled, isEncap, isIPv4 bool) []string {
 "cookie=0x1000000000000, table=PipelineRootClassifier, priority=200,arp actions=goto_table:ARPSpoofGuard",
 "cookie=0x1000000000000, table=PipelineRootClassifier, priority=0 actions=drop",
 "cookie=0x1000000000000, table=PipelineRootClassifier, priority=200,ip actions=goto_table:Classifier",
- "cookie=0x1000000000000, table=ARPSpoofGuard, priority=0 actions=goto_table:ARPResponder",
+ "cookie=0x1000000000000, table=ARPSpoofGuard, priority=0 actions=drop",
 "cookie=0x1000000000000, table=ARPResponder, priority=0 actions=drop",
 "cookie=0x1000000000000, table=Classifier, priority=0 actions=drop",
 "cookie=0x1000000000000, table=SpoofGuard, priority=0 actions=drop",
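Review bot: The updated expectations only pin the default flow's action as a string; nothing in these hunks sends an ARP whose sender IP or MAC does not match its ingress port through ARPSpoofGuard and asserts it is dropped while a legitimate one still reaches ARPResponder, so a regression in the per-port guard flows would leave this suite green. A negative case of that shape in the ARP spoof-guard flow tests would make the new default an enforced property rather than a flow-dump match. The same `"cookie=0x1000000000000, table=ARPSpoofGuard, priority=0 actions=drop",` literal is now maintained in two branches of pipelineDefaultFlows; hoisting the shared ARP-pipeline defaults into one slice both branches append would keep them from drifting. pipelineDefaultFlows begins and ends outside these hunks.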