Carmelo Cascone | 9ab4061 | 2017-09-19 16:31:55 +0900 | [diff] [blame] | 1 | // Copyright (c) 2017, Google Inc. |
| 2 | // |
| 3 | // P4_16 specification of the DHCP spoof protection table. |
| 4 | // Note: This code has not been tested and is expected to contain bugs. |
| 5 | |
| 6 | #ifndef P4_SPEC_SPOOF_PROTECTION_P4_ |
| 7 | #define P4_SPEC_SPOOF_PROTECTION_P4_ |
| 8 | |
| 9 | #include "headers.p4" |
| 10 | #include "parser.p4" |
| 11 | |
| 12 | //------------------------------------------------------------------------------ |
| 13 | // Spoof protection |
| 14 | //------------------------------------------------------------------------------ |
| 15 | |
// DHCP spoof filter. Packets carrying a valid UDP header are looked up in
// dhcp_spoof_protection_table; a hit marks the packet to be dropped.
control spoof_protection(inout parsed_packet_t hdr,
                         inout local_metadata_t local_metadata,
                         inout standard_metadata_t standard_metadata) {

    // The only action of this control: mark the packet for dropping.
    // NOTE(review): this is the zero-argument mark_to_drop(); later v1model
    // releases declare it with a standard_metadata argument. Confirm against
    // the architecture file this program is built with.
    @proto_package("spoof_protection")
    action drop_packet() {
        mark_to_drop();
    }

    // Purpose: drop every DHCP response headed to a host-facing port, so that
    // one host cannot answer another host's DHCP exchange directly and take
    // over the session (i.e. impersonate the installer/DHCP-Relay app).
    //
    // Both key fields are exact-match, so protection exists only for the
    // (UDP destination port, egress port) pairs the control plane has
    // installed: one entry per host-facing port is needed, and a port without
    // an entry is unfiltered.
    //
    // No default_action is declared, so a lookup miss leaves the packet
    // untouched (fail-open).
    //
    // NOTE(review): egress_spec is only meaningful once a forwarding decision
    // has been written to it. Presumably this control is applied after the
    // forwarding stage; verify the ordering in the pipeline.
    // NOTE(review): copies produced through a multicast group are not
    // described by egress_spec; confirm that broadcast DHCP replies are
    // covered by another stage.
    @proto_package("spoof_protection")
    table dhcp_spoof_protection_table {
        key = {
            // L4 destination port; presumably filled in by the parser.
            local_metadata.l4_dst_port : exact @proto_tag(1);
            // Output port selected for the packet.
            standard_metadata.egress_spec : exact @proto_tag(2);
        }
        actions = {
            @proto_tag(1) drop_packet;
        }
    }

    apply {
        // Restrict the lookup to UDP. l4_dst_port is presumably shared with
        // other L4 protocols, and this gate keeps non-UDP traffic that uses
        // the same port number out of the table.
        if (hdr.udp.isValid()) {
            dhcp_spoof_protection_table.apply();
        }
    }
}  // end spoof_protection
| 46 | |
| 47 | #endif // P4_SPEC_SPOOF_PROTECTION_P4_ |