| // Copyright (c) 2017, Google Inc. |
| // |
| // P4_16 specification of the DHCP spoof-protection table. |
| // Note: This code has not been tested and is expected to contain bugs. |
| |
| #ifndef P4_SPEC_SPOOF_PROTECTION_P4_ |
| #define P4_SPEC_SPOOF_PROTECTION_P4_ |
| |
| #include "headers.p4" |
| #include "parser.p4" |
| |
| //------------------------------------------------------------------------------ |
| // Spoof protection |
| //------------------------------------------------------------------------------ |
| |
| // Applies the DHCP spoof-protection table to every packet that carries a |
| // valid UDP header; all other packets pass through this control untouched. |
| // |
| // NOTE(review): the table matches on standard_metadata.egress_spec, so this |
| // control presumably has to run after the forwarding decision has set it; |
| // the call order is not visible in this file -- confirm at the call site. |
| control spoof_protection(inout parsed_packet_t hdr, |
|                          inout local_metadata_t local_metadata, |
|                          inout standard_metadata_t standard_metadata) { |
| |
|     // Marks the current packet to be dropped. |
|     @proto_package("spoof_protection") |
|     action drop_packet() { |
|         mark_to_drop(); |
|     } |
| |
|     // Blocks DHCP responses headed for host-facing ports, so that one host |
|     // cannot answer another host's DHCP request directly and take over the |
|     // session by impersonating the installer/DHCP-Relay app. |
|     // |
|     // The key is an exact match on (L4 destination port, egress port) and the |
|     // only action is drop_packet. No entries and no default_action are |
|     // declared here, so a miss leaves the packet unchanged: the protection |
|     // only covers the (port number, host-facing port) pairs that the control |
|     // plane installs. |
|     // |
|     // NOTE(review): for replicated (broadcast/multicast) DHCP responses |
|     // egress_spec may not identify each final output port -- verify that such |
|     // replies are also covered on the target. |
|     @proto_package("spoof_protection") |
|     table dhcp_spoof_protection_table { |
|         key = { |
|             local_metadata.l4_dst_port: exact @proto_tag(1); |
|             standard_metadata.egress_spec: exact @proto_tag(2); |
|         } |
|         actions = { |
|             @proto_tag(1) drop_packet; |
|         } |
|     } |
| |
|     apply { |
|         // Non-UDP traffic never consults the table. |
|         if (hdr.udp.isValid()) { |
|             dhcp_spoof_protection_table.apply(); |
|         } |
|     } |
| }  // end spoof_protection |
| |
| #endif // P4_SPEC_SPOOF_PROTECTION_P4_ |