datapath: drop packets on interfaces with admin down flag

rjarry · christophefontaine · commit d3bab2074c2b · 2025-10-14T09:57:14.000+02:00
Check GR_IFACE_F_UP flag in eth_input, eth_output, ipip_input and
ipip_output nodes before processing packets. If the interface or its
parent (for VLANs) is administratively down, redirect packets to the
iface_input_admin_down drop node.

This prevents traffic from flowing through interfaces that have been
disabled via configuration.

Signed-off-by: Robin Jarry &lt;rjarry@redhat.com&gt;
diff --git a/modules/infra/datapath/eth_input.c b/modules/infra/datapath/eth_input.c
@@ -16,6 +16,7 @@ enum {
 	UNKNOWN_ETHER_TYPE = 0,
 	UNKNOWN_VLAN,
 	INVALID_IFACE,
+	IFACE_DOWN,
 	NB_EDGES,
 };
 
@@ -57,6 +58,11 @@ eth_input_process(struct rte_graph *graph, struct rte_node *node, void **objs, u
 		eth_type = eth->ether_type;
 		vlan_id = 0;
 
+		if (!(eth_in->iface->flags & GR_IFACE_F_UP)) {
+			edge = IFACE_DOWN;
+			goto next;
+		}
+
 		if (m->ol_flags & RTE_MBUF_F_RX_VLAN_STRIPPED) {
 			vlan_id = m->vlan_tci & 0xfff;
 		} else if (eth_type == RTE_BE16(RTE_ETHER_TYPE_VLAN)) {
@@ -75,6 +81,10 @@ eth_input_process(struct rte_graph *graph, struct rte_node *node, void **objs, u
 				edge = UNKNOWN_VLAN;
 				goto next;
 			}
+			if (!(vlan_iface->flags & GR_IFACE_F_UP)) {
+				edge = IFACE_DOWN;
+				goto next;
+			}
 			eth_in->iface = vlan_iface;
 		}
 		edge = l2l3_edges[eth_type];
@@ -147,6 +157,7 @@ static struct rte_node_register node = {
 		[UNKNOWN_ETHER_TYPE] = "eth_input_unknown_type",
 		[UNKNOWN_VLAN] = "eth_input_unknown_vlan",
 		[INVALID_IFACE] = "eth_input_invalid_iface",
+		[IFACE_DOWN] = "iface_input_admin_down",
 		// other edges are updated dynamically with gr_eth_input_add_type
 	},
 };
@@ -166,3 +177,4 @@ GR_NODE_REGISTER(info);
 GR_DROP_REGISTER(eth_input_unknown_type);
 GR_DROP_REGISTER(eth_input_unknown_vlan);
 GR_DROP_REGISTER(eth_input_invalid_iface);
+GR_DROP_REGISTER(iface_input_admin_down);
diff --git a/modules/infra/datapath/eth_output.c b/modules/infra/datapath/eth_output.c
@@ -18,6 +18,7 @@ enum {
 	INVAL = 0,
 	NO_HEADROOM,
 	NO_MAC,
+	IFACE_DOWN,
 	NB_EDGES,
 };
 
@@ -48,8 +49,21 @@ eth_output_process(struct rte_graph *graph, struct rte_node *node, void **objs,
 		iface = priv->iface;
 		vlan = NULL;
 
+		if (!(priv->iface->flags & GR_IFACE_F_UP)) {
+			edge = IFACE_DOWN;
+			goto next;
+		}
 		if (priv->iface->type == GR_IFACE_TYPE_VLAN) {
 			const struct iface_info_vlan *sub = iface_info_vlan(priv->iface);
+			priv->iface = iface_from_id(sub->parent_id);
+			if (priv->iface == NULL) {
+				edge = INVAL;
+				goto next;
+			}
+			if (!(priv->iface->flags & GR_IFACE_F_UP)) {
+				edge = IFACE_DOWN;
+				goto next;
+			}
 			vlan = (struct rte_vlan_hdr *)rte_pktmbuf_prepend(mbuf, sizeof(*vlan));
 			if (unlikely(vlan == NULL)) {
 				edge = NO_HEADROOM;
@@ -58,7 +72,6 @@ eth_output_process(struct rte_graph *graph, struct rte_node *node, void **objs,
 			vlan->vlan_tci = rte_cpu_to_be_16(sub->vlan_id);
 			vlan->eth_proto = priv->ether_type;
 			priv->ether_type = RTE_BE16(RTE_ETHER_TYPE_VLAN);
-			priv->iface = iface_from_id(sub->parent_id);
 			src_mac = sub->mac;
 		} else if (iface_get_eth_addr(priv->iface->id, &src_mac) < 0) {
 			edge = NO_MAC;
@@ -107,6 +120,7 @@ static struct rte_node_register node = {
 		[INVAL] = "eth_output_inval",
 		[NO_HEADROOM] = "error_no_headroom",
 		[NO_MAC] = "eth_output_no_mac",
+		[IFACE_DOWN] = "iface_input_admin_down",
 	},
 };
 
diff --git a/modules/ipip/datapath_in.c b/modules/ipip/datapath_in.c
@@ -21,6 +21,7 @@
 enum {
 	IP_INPUT = 0,
 	NO_TUNNEL,
+	IFACE_DOWN,
 	EDGE_COUNT,
 };
 
@@ -61,6 +62,10 @@ ipip_input_process(struct rte_graph *graph, struct rte_node *node, void **objs,
 			edge = NO_TUNNEL;
 			goto next;
 		}
+		if (!(ipip->flags & GR_IFACE_F_UP)) {
+			edge = IFACE_DOWN;
+			goto next;
+		}
 		// The hw checksum offload only works on the outer IP.
 		// Clear the offload flag so that ip_input will check it in software.
 		mbuf->ol_flags |= RTE_MBUF_F_RX_IP_CKSUM_NONE;
@@ -95,6 +100,7 @@ static struct rte_node_register ipip_input_node = {
 	.next_nodes = {
 		[IP_INPUT] = "ip_input",
 		[NO_TUNNEL] = "ipip_input_no_tunnel",
+		[IFACE_DOWN] = "iface_input_admin_down",
 	},
 };
 
diff --git a/modules/ipip/datapath_out.c b/modules/ipip/datapath_out.c
@@ -23,6 +23,7 @@ enum {
 	IP_OUTPUT = 0,
 	NO_TUNNEL,
 	NO_HEADROOM,
+	IFACE_DOWN,
 	EDGE_COUNT,
 };
 
@@ -51,6 +52,10 @@ ipip_output_process(struct rte_graph *graph, struct rte_node *node, void **objs,
 			struct trace_ipip_data *t = gr_mbuf_trace_add(mbuf, node, sizeof(*t));
 			t->iface_id = iface->id;
 		}
+		if (!(iface->flags & GR_IFACE_F_UP)) {
+			edge = IFACE_DOWN;
+			goto next;
+		}
 		ip_data->iface = iface;
 		ipip = iface_info_ipip(iface);
 
@@ -98,6 +103,7 @@ static struct rte_node_register ipip_output_node = {
 		[IP_OUTPUT] = "ip_output",
 		[NO_TUNNEL] = "ipip_output_no_tunnel",
 		[NO_HEADROOM] = "error_no_headroom",
+		[IFACE_DOWN] = "iface_input_admin_down",
 	},
 };
 
