aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorOle Troan <ot@cisco.com>2016-01-07 14:37:25 +0100
committerOle Troan <ot@cisco.com>2016-01-07 20:17:14 +0100
commitcda948225887b2f53032ffb321f2d922b9836bd2 (patch)
tree3c2b1fc0615546d0ee180d13f45133d45da714b7
parent366ac6ecdea0214363f523967830c370697c8944 (diff)
- ICMP6: Add generic ICMP6 error node. Caller sets code/type fields.
- MAP: Added knob to send unreachable ICMP6 on unmatched binding. Change-Id: I314547cc1157d8a73887e7518ebfe3e68d331650 Signed-off-by: Ole Troan <ot@cisco.com>
-rw-r--r--vnet/vnet/buffer.h12
-rw-r--r--vnet/vnet/ip/icmp6.c83
-rw-r--r--vnet/vnet/ip/icmp6.h8
-rw-r--r--vnet/vnet/ip/ip6_input.c31
-rw-r--r--vnet/vnet/map/ip4_map.c8
-rw-r--r--vnet/vnet/map/ip6_map.c51
-rw-r--r--vnet/vnet/map/map.c59
-rw-r--r--vnet/vnet/map/map.h4
8 files changed, 198 insertions, 58 deletions
diff --git a/vnet/vnet/buffer.h b/vnet/vnet/buffer.h
index 9cbb402b..f6c00232 100644
--- a/vnet/vnet/buffer.h
+++ b/vnet/vnet/buffer.h
@@ -66,7 +66,10 @@ _(gre) \
_(l2_classify) \
_(io_handoff) \
_(policer) \
-_(output_features)
+_(output_features) \
+_(map) \
+_(map_t) \
+_(ip_frag)
/*
* vnet stack buffer opaque array overlay structure.
@@ -117,6 +120,13 @@ typedef struct {
u32 mini_connection_index;
} tcp;
+
+ /* ICMP */
+ struct {
+ u8 type;
+ u8 code;
+ u32 data;
+ } icmp;
};
} ip;
diff --git a/vnet/vnet/ip/icmp6.c b/vnet/vnet/ip/icmp6.c
index 4e4bb8ec..c5eb0f60 100644
--- a/vnet/vnet/ip/icmp6.c
+++ b/vnet/vnet/ip/icmp6.c
@@ -483,19 +483,44 @@ VLIB_REGISTER_NODE (ip6_icmp_echo_request_node,static) = {
};
typedef enum {
- ICMP6_TTL_EXPIRE_NEXT_DROP,
- ICMP6_TTL_EXPIRE_NEXT_LOOKUP,
- ICMP6_TTL_EXPIRE_N_NEXT,
-} icmp_ttl_expire_next_t;
+ IP6_ICMP_ERROR_NEXT_DROP,
+ IP6_ICMP_ERROR_NEXT_LOOKUP,
+ IP6_ICMP_ERROR_N_NEXT,
+} ip6_icmp_error_next_t;
+
+void
+icmp6_error_set_vnet_buffer (vlib_buffer_t *b, u8 type, u8 code, u32 data)
+{
+ vnet_buffer(b)->ip.icmp.type = type;
+ vnet_buffer(b)->ip.icmp.code = code;
+ vnet_buffer(b)->ip.icmp.data = data;
+}
+
+static u8
+icmp6_icmp_type_to_error (u8 type)
+{
+ switch (type) {
+ case ICMP6_destination_unreachable:
+ return ICMP6_ERROR_DEST_UNREACH_SENT;
+ case ICMP6_packet_too_big:
+ return ICMP6_ERROR_PACKET_TOO_BIG_SENT;
+ case ICMP6_time_exceeded:
+ return ICMP6_ERROR_TTL_EXPIRE_SENT;
+ case ICMP6_parameter_problem:
+ return ICMP6_ERROR_PARAM_PROBLEM_SENT;
+ default:
+ return ICMP6_ERROR_DROP;
+ }
+}
static uword
-ip6_icmp_ttl_expire (vlib_main_t * vm,
- vlib_node_runtime_t * node,
- vlib_frame_t * frame)
+ip6_icmp_error (vlib_main_t * vm,
+ vlib_node_runtime_t * node,
+ vlib_frame_t * frame)
{
u32 * from, * to_next;
uword n_left_from, n_left_to_next;
- icmp_ttl_expire_next_t next_index;
+ ip6_icmp_error_next_t next_index;
ip6_main_t *im = &ip6_main;
ip_lookup_main_t * lm = &im->lookup_main;
@@ -514,8 +539,8 @@ ip6_icmp_ttl_expire (vlib_main_t * vm,
while (n_left_from > 0 && n_left_to_next > 0)
{
u32 pi0 = from[0];
- u32 next0 = ICMP6_TTL_EXPIRE_NEXT_LOOKUP;
- u8 error0 = ICMP6_ERROR_TTL_EXPIRE_RESP_SENT;
+ u32 next0 = IP6_ICMP_ERROR_NEXT_LOOKUP;
+ u8 error0 = ICMP6_ERROR_NONE;
vlib_buffer_t * p0;
ip6_header_t * ip0, * out_ip0;
icmp46_header_t * icmp0;
@@ -533,8 +558,8 @@ ip6_icmp_ttl_expire (vlib_main_t * vm,
ip0 = vlib_buffer_get_current(p0);
sw_if_index0 = vnet_buffer(p0)->sw_if_index[VLIB_RX];
- /* RFC2463 says to keep as much of the original packet as possible
- * within the MTU. We cheat "a little" here by keeping whatever fits
+ /* RFC4443 says to keep as much of the original packet as possible
+ * within the minimum MTU. We cheat "a little" here by keeping whatever fits
* in the first buffer, to be more efficient */
if (PREDICT_FALSE(p0->total_length_not_including_first_buffer))
{ /* clear current_length of all other buffers in chain */
@@ -547,7 +572,7 @@ ip6_icmp_ttl_expire (vlib_main_t * vm,
}
}
- /* Add IP header and ICMPv6 header including a 4 byte ununsed field */
+ /* Add IP header and ICMPv6 header including a 4 byte data field */
vlib_buffer_advance(p0,
-sizeof(ip6_header_t)-sizeof(icmp46_header_t)-4);
out_ip0 = vlib_buffer_get_current(p0);
@@ -556,8 +581,8 @@ ip6_icmp_ttl_expire (vlib_main_t * vm,
/* Fill ip header fields */
out_ip0->ip_version_traffic_class_and_flow_label =
clib_host_to_net_u32(0x6<<28);
- out_ip0->payload_length =
- clib_host_to_net_u16(p0->current_length - sizeof(ip6_header_t));
+ u16 plen = p0->current_length > 1280 ? 1280 : p0->current_length;
+ out_ip0->payload_length = clib_host_to_net_u16(plen - sizeof(ip6_header_t));
out_ip0->protocol = IP_PROTOCOL_ICMP6;
out_ip0->hop_limit = 0xff;
out_ip0->dst_address = ip0->src_address;
@@ -570,23 +595,27 @@ ip6_icmp_ttl_expire (vlib_main_t * vm,
ip6_address_t *if_ip =
ip_interface_address_get_address(lm, if_add);
out_ip0->src_address = *if_ip;
- vlib_error_count (vm, node->node_index, error0, 1);
}
else /* interface has no IP6 address - should not happen */
{
- next0 = ICMP6_TTL_EXPIRE_NEXT_DROP;
- error0 = ICMP6_ERROR_TTL_EXPIRE_RESP_DROP;
+ next0 = IP6_ICMP_ERROR_NEXT_DROP;
+ error0 = ICMP6_ERROR_DROP;
}
/* Fill icmp header fields */
- icmp0->type = ICMP6_time_exceeded;
- icmp0->code = ICMP6_time_exceeded_ttl_exceeded_in_transit;
+ icmp0->type = vnet_buffer(p0)->ip.icmp.type;
+ icmp0->code = vnet_buffer(p0)->ip.icmp.code;
+ *((u32 *)(icmp0 + 1)) = clib_host_to_net_u32(vnet_buffer(p0)->ip.icmp.data);
icmp0->checksum = 0;
icmp0->checksum = ip6_tcp_udp_icmp_compute_checksum(
vm, p0, out_ip0, &bogus_length);
+
+
/* Update error status */
- p0->error = node->errors[error0];
+ if (error0 == ICMP6_ERROR_NONE)
+ error0 = icmp6_icmp_type_to_error(icmp0->type);
+ vlib_error_count(vm, node->node_index, error0, 1);
/* Verify speculative enqueue, maybe switch current next frame */
vlib_validate_buffer_enqueue_x1(vm, node, next_index,
@@ -599,18 +628,18 @@ ip6_icmp_ttl_expire (vlib_main_t * vm,
return frame->n_vectors;
}
-VLIB_REGISTER_NODE (ip6_icmp_ttl_expire_node) = {
- .function = ip6_icmp_ttl_expire,
- .name = "ip6-icmp-ttl-expire",
+VLIB_REGISTER_NODE (ip6_icmp_error_node) = {
+ .function = ip6_icmp_error,
+ .name = "ip6-icmp-error",
.vector_size = sizeof (u32),
.n_errors = ARRAY_LEN (icmp_error_strings),
.error_strings = icmp_error_strings,
- .n_next_nodes = ICMP6_TTL_EXPIRE_N_NEXT,
+ .n_next_nodes = IP6_ICMP_ERROR_N_NEXT,
.next_nodes = {
- [ICMP6_TTL_EXPIRE_NEXT_DROP] = "error-drop",
- [ICMP6_TTL_EXPIRE_NEXT_LOOKUP] = "ip6-lookup",
+ [IP6_ICMP_ERROR_NEXT_DROP] = "error-drop",
+ [IP6_ICMP_ERROR_NEXT_LOOKUP] = "ip6-lookup",
},
.format_trace = format_icmp6_input_trace,
diff --git a/vnet/vnet/ip/icmp6.h b/vnet/vnet/ip/icmp6.h
index 92f6913a..d44d0c3d 100644
--- a/vnet/vnet/ip/icmp6.h
+++ b/vnet/vnet/ip/icmp6.h
@@ -46,8 +46,11 @@
_ (ROUTER_ADVERTISEMENTS_TX, "router advertisements sent") \
_ (ROUTER_ADVERTISEMENTS_RX, "router advertisements received") \
_ (DST_LOOKUP_MISS, "icmp6 dst address lookup misses") \
- _ (TTL_EXPIRE_RESP_SENT, "TTL time exceeded response sent") \
- _ (TTL_EXPIRE_RESP_DROP, "TTL time exceeded response dropped")
+ _ (DEST_UNREACH_SENT, "destination unreachable response sent") \
+ _ (PACKET_TOO_BIG_SENT, "packet too big response sent") \
+ _ (TTL_EXPIRE_SENT, "hop limit exceeded response sent") \
+ _ (PARAM_PROBLEM_SENT, "parameter Pproblem response sent") \
+ _ (DROP, "error message dropped")
typedef enum {
@@ -62,6 +65,7 @@ typedef struct {
format_function_t format_icmp6_input_trace;
void icmp6_register_type (vlib_main_t * vm, icmp6_type_t type, u32 node_index);
+void icmp6_error_set_vnet_buffer (vlib_buffer_t *b, u8 type, u8 code, u32 data);
extern vlib_node_registration_t ip6_icmp_input_node;
diff --git a/vnet/vnet/ip/ip6_input.c b/vnet/vnet/ip/ip6_input.c
index ef8c7762..473b2b27 100644
--- a/vnet/vnet/ip/ip6_input.c
+++ b/vnet/vnet/ip/ip6_input.c
@@ -62,7 +62,7 @@ static u8 * format_ip6_input_trace (u8 * s, va_list * va)
typedef enum {
IP6_INPUT_NEXT_DROP,
IP6_INPUT_NEXT_LOOKUP,
- IP6_INPUT_NEXT_TTL_EXPIRE,
+ IP6_INPUT_NEXT_ICMP,
IP6_INPUT_N_NEXT,
} ip6_input_next_t;
@@ -186,13 +186,23 @@ ip6_input (vlib_main_t * vm,
if (PREDICT_FALSE(error0 != IP6_ERROR_NONE))
{
- next0 = (error0 == IP6_ERROR_TIME_EXPIRED) ?
- IP6_INPUT_NEXT_TTL_EXPIRE : IP6_INPUT_NEXT_DROP;
+ if (error0 == IP6_ERROR_TIME_EXPIRED) {
+ icmp6_error_set_vnet_buffer(p0, ICMP6_time_exceeded,
+ ICMP6_time_exceeded_ttl_exceeded_in_transit, 0);
+ next0 = IP6_INPUT_NEXT_ICMP;
+ } else {
+ next0 = IP6_INPUT_NEXT_DROP;
+ }
}
if (PREDICT_FALSE(error1 != IP6_ERROR_NONE))
{
- next1 = (error1 == IP6_ERROR_TIME_EXPIRED) ?
- IP6_INPUT_NEXT_TTL_EXPIRE : IP6_INPUT_NEXT_DROP;
+ if (error1 == IP6_ERROR_TIME_EXPIRED) {
+ icmp6_error_set_vnet_buffer(p1, ICMP6_time_exceeded,
+ ICMP6_time_exceeded_ttl_exceeded_in_transit, 0);
+ next1 = IP6_INPUT_NEXT_ICMP;
+ } else {
+ next1 = IP6_INPUT_NEXT_DROP;
+ }
}
p0->error = error_node->errors[error0];
@@ -249,8 +259,13 @@ ip6_input (vlib_main_t * vm,
if (PREDICT_FALSE(error0 != IP6_ERROR_NONE))
{
- next0 = (error0 == IP6_ERROR_TIME_EXPIRED) ?
- IP6_INPUT_NEXT_TTL_EXPIRE : IP6_INPUT_NEXT_DROP;
+ if (error0 == IP6_ERROR_TIME_EXPIRED) {
+ icmp6_error_set_vnet_buffer(p0, ICMP6_time_exceeded,
+ ICMP6_time_exceeded_ttl_exceeded_in_transit, 0);
+ next0 = IP6_INPUT_NEXT_ICMP;
+ } else {
+ next0 = IP6_INPUT_NEXT_DROP;
+ }
}
p0->error = error_node->errors[error0];
@@ -283,7 +298,7 @@ VLIB_REGISTER_NODE (ip6_input_node) = {
.next_nodes = {
[IP6_INPUT_NEXT_DROP] = "error-drop",
[IP6_INPUT_NEXT_LOOKUP] = "ip6-lookup",
- [IP6_INPUT_NEXT_TTL_EXPIRE] = "ip6-icmp-ttl-expire",
+ [IP6_INPUT_NEXT_ICMP] = "ip6-icmp-error",
},
.format_buffer = format_ip6_header,
diff --git a/vnet/vnet/map/ip4_map.c b/vnet/vnet/map/ip4_map.c
index c8ee2764..343b57d2 100644
--- a/vnet/vnet/map/ip4_map.c
+++ b/vnet/vnet/map/ip4_map.c
@@ -76,7 +76,7 @@ ip4_map_get_port (ip4_header_t *ip, map_dir_e dir)
icmp46_header_t *icmp = (void *)(ip + 1);
if (icmp->type == ICMP4_echo_request || icmp->type == ICMP4_echo_reply) {
return *((u16 *)(icmp + 1));
- } else if (clib_net_to_host_u16(ip->length) >= 64) { // IP + ICMP + IP + L4 header
+ } else if (clib_net_to_host_u16(ip->length) >= 56) { // IP + ICMP + IP + L4 header
ip4_header_t *icmp_ip = (ip4_header_t *)(icmp + 2);
if (PREDICT_TRUE((icmp_ip->protocol == IP_PROTOCOL_TCP) ||
(icmp_ip->protocol == IP_PROTOCOL_UDP))) {
@@ -256,8 +256,8 @@ ip4_map (vlib_main_t *vm,
u64 dal61 = map_get_pfx(d1, da41, dp41);
u64 dar60 = map_get_sfx(d0, da40, dp40);
u64 dar61 = map_get_sfx(d1, da41, dp41);
- if (dal60 == 0 && dar60 == 0) error0 = MAP_ERROR_UNKNOWN;
- if (dal61 == 0 && dar61 == 0) error1 = MAP_ERROR_UNKNOWN;
+ if (dal60 == 0 && dar60 == 0) error0 = MAP_ERROR_NO_BINDING;
+ if (dal61 == 0 && dar61 == 0) error1 = MAP_ERROR_NO_BINDING;
/* construct ipv6 header */
vlib_buffer_advance(p0, - sizeof(ip6_header_t));
@@ -375,7 +375,7 @@ ip4_map (vlib_main_t *vm,
u16 dp40 = clib_net_to_host_u16(port0);
u64 dal60 = map_get_pfx(d0, da40, dp40);
u64 dar60 = map_get_sfx(d0, da40, dp40);
- if (dal60 == 0 && dar60 == 0 && error0 == MAP_ERROR_NONE) error0 = MAP_ERROR_UNKNOWN;
+ if (dal60 == 0 && dar60 == 0 && error0 == MAP_ERROR_NONE) error0 = MAP_ERROR_NO_BINDING;
/* construct ipv6 header */
vlib_buffer_advance(p0, - (sizeof(ip6_header_t)));
diff --git a/vnet/vnet/map/ip6_map.c b/vnet/vnet/map/ip6_map.c
index 7ef85e79..208f45f5 100644
--- a/vnet/vnet/map/ip6_map.c
+++ b/vnet/vnet/map/ip6_map.c
@@ -27,6 +27,7 @@ enum ip6_map_next_e {
IP6_MAP_NEXT_IP6_ICMP_RELAY,
IP6_MAP_NEXT_IP6_LOCAL,
IP6_MAP_NEXT_DROP,
+ IP6_MAP_NEXT_ICMP,
IP6_MAP_N_NEXT,
};
@@ -142,7 +143,6 @@ ip6_map_ip4_lookup_bypass (vlib_buffer_t *p0, ip4_header_t *ip)
return (false);
}
-
/*
* ip6_map
*/
@@ -230,7 +230,6 @@ ip6_map (vlib_main_t *vm,
next0 = IP6_MAP_NEXT_IP6_REASS;
} else {
error0 = MAP_ERROR_BAD_PROTOCOL;
- next0 = IP6_MAP_NEXT_DROP;
}
if (PREDICT_TRUE(ip61->protocol == IP_PROTOCOL_IP_IN_IP && clib_net_to_host_u16(ip61->payload_length) > 20)) {
d1 = ip6_map_get_domain(vnet_buffer(p1)->ip.adj_index[VLIB_TX], (ip4_address_t *)&ip41->src_address.as_u32,
@@ -244,7 +243,6 @@ ip6_map (vlib_main_t *vm,
next1 = IP6_MAP_NEXT_IP6_REASS;
} else {
error1 = MAP_ERROR_BAD_PROTOCOL;
- next1 = IP6_MAP_NEXT_DROP;
}
if (d0) {
@@ -298,6 +296,32 @@ ip6_map (vlib_main_t *vm,
tr->port = port1;
}
+ if (error0 == MAP_ERROR_DECAP_SEC_CHECK && mm->icmp6_enabled) {
+ /* Set ICMP parameters */
+ vlib_buffer_advance(p0, -sizeof(ip6_header_t));
+ icmp6_error_set_vnet_buffer(p0, ICMP6_destination_unreachable,
+ ICMP6_destination_unreachable_source_address_failed_policy, 0);
+ next0 = IP6_MAP_NEXT_ICMP;
+ } else {
+ next0 = (error0 == MAP_ERROR_NONE) ? next0 : IP6_MAP_NEXT_DROP;
+ }
+
+ if (error1 == MAP_ERROR_DECAP_SEC_CHECK && mm->icmp6_enabled) {
+ /* Set ICMP parameters */
+ vlib_buffer_advance(p1, -sizeof(ip6_header_t));
+ icmp6_error_set_vnet_buffer(p1, ICMP6_destination_unreachable,
+ ICMP6_destination_unreachable_source_address_failed_policy, 0);
+ next1 = IP6_MAP_NEXT_ICMP;
+ } else {
+ next1 = (error1 == MAP_ERROR_NONE) ? next1 : IP6_MAP_NEXT_DROP;
+ }
+
+ /* Reset packet */
+ if (next0 == IP6_MAP_NEXT_IP6_LOCAL)
+ vlib_buffer_advance(p0, -sizeof(ip6_header_t));
+ if (next1 == IP6_MAP_NEXT_IP6_LOCAL)
+ vlib_buffer_advance(p1, -sizeof(ip6_header_t));
+
p0->error = error_node->errors[error0];
p1->error = error_node->errors[error1];
vlib_validate_buffer_enqueue_x2(vm, node, next_index, to_next, n_left_to_next, pi0, pi1, next0, next1);
@@ -377,7 +401,21 @@ ip6_map (vlib_main_t *vm,
tr->port = (u16)port0;
}
- next0 = (error0 == MAP_ERROR_NONE) ? next0 : IP6_MAP_NEXT_DROP;
+ if (mm->icmp6_enabled &&
+ (error0 == MAP_ERROR_DECAP_SEC_CHECK || error0 == MAP_ERROR_NO_DOMAIN)) {
+ /* Set ICMP parameters */
+ vlib_buffer_advance(p0, -sizeof(ip6_header_t));
+ icmp6_error_set_vnet_buffer(p0, ICMP6_destination_unreachable,
+ ICMP6_destination_unreachable_source_address_failed_policy, 0);
+ next0 = IP6_MAP_NEXT_ICMP;
+ } else {
+ next0 = (error0 == MAP_ERROR_NONE) ? next0 : IP6_MAP_NEXT_DROP;
+ }
+
+ /* Reset packet */
+ if (next0 == IP6_MAP_NEXT_IP6_LOCAL)
+ vlib_buffer_advance(p0, -sizeof(ip6_header_t));
+
p0->error = error_node->errors[error0];
vlib_validate_buffer_enqueue_x1(vm, node, next_index, to_next, n_left_to_next, pi0, next0);
}
@@ -626,7 +664,7 @@ ip6_map_ip4_reass (vlib_main_t *vm,
ip4_header_t *ip40;
ip6_header_t *ip60;
i32 port0 = 0;
- u32 map_domain_index0;
+ u32 map_domain_index0 = ~0;
u32 next0 = IP6_MAP_IP4_REASS_NEXT_IP4_LOOKUP;
u8 cached = 0;
@@ -860,7 +898,7 @@ ip6_map_icmp_relay (vlib_main_t *vm,
new_ip40->fragment_id = fid[0]; fid++;
new_ip40->ttl = 64;
new_ip40->protocol = IP_PROTOCOL_ICMP;
- new_ip40->src_address = mm->icmp_src_address;
+ new_ip40->src_address = mm->icmp4_src_address;
new_ip40->dst_address = inner_ip40->src_address;
new_ip40->checksum = ip4_header_checksum(new_ip40);
@@ -916,6 +954,7 @@ VLIB_REGISTER_NODE(ip6_map_node) = {
[IP6_MAP_NEXT_IP6_ICMP_RELAY] = "ip6-map-icmp-relay",
[IP6_MAP_NEXT_IP6_LOCAL] = "ip6-local",
[IP6_MAP_NEXT_DROP] = "error-drop",
+ [IP6_MAP_NEXT_ICMP] = "ip6-icmp-error",
},
};
diff --git a/vnet/vnet/map/map.c b/vnet/vnet/map/map.c
index b7eb1f14..eb5496b8 100644
--- a/vnet/vnet/map/map.c
+++ b/vnet/vnet/map/map.c
@@ -602,8 +602,7 @@ map_icmp_relay_source_address_command_fn (vlib_main_t *vm,
ip4_address_t icmp_src_address;
map_main_t *mm = &map_main;
- memset(&icmp_src_address, 0, sizeof(icmp_src_address));
-
+ mm->icmp4_src_address.as_u32 = 0;
/* Get a line of input. */
if (!unformat_user(input, unformat_line_input, line_input))
@@ -611,13 +610,45 @@ map_icmp_relay_source_address_command_fn (vlib_main_t *vm,
while (unformat_check_input(line_input) != UNFORMAT_END_OF_INPUT) {
if (unformat(line_input, "%U", unformat_ip4_address, &icmp_src_address))
- mm->icmp_src_address = icmp_src_address;
+ mm->icmp4_src_address = icmp_src_address;
+ else
+ return clib_error_return(0, "unknown input `%U'",
+ format_unformat_error, input);
+ }
+ unformat_free(line_input);
+
+ return 0;
+}
+
+static clib_error_t *
+map_icmp_unreachables_command_fn (vlib_main_t *vm,
+ unformat_input_t *input,
+ vlib_cli_command_t *cmd)
+{
+ unformat_input_t _line_input, *line_input = &_line_input;
+ map_main_t *mm = &map_main;
+ int num_m_args = 0;
+
+ /* Get a line of input. */
+ if (!unformat_user(input, unformat_line_input, line_input))
+ return 0;
+
+ while (unformat_check_input(line_input) != UNFORMAT_END_OF_INPUT) {
+ num_m_args++;
+ if (unformat(line_input, "on"))
+ mm->icmp6_enabled = true;
+ else if (unformat(line_input, "off"))
+ mm->icmp6_enabled = false;
else
return clib_error_return(0, "unknown input `%U'",
format_unformat_error, input);
}
unformat_free(line_input);
+
+ if (num_m_args != 1)
+ return clib_error_return(0, "mandatory argument(s) missing");
+
return 0;
}
@@ -833,9 +864,11 @@ show_map_stats_command_fn (vlib_main_t *vm, unformat_input_t *input, vlib_cli_co
else
vlib_cli_output(vm, "MAP traffic-class: %x", mm->tc);
- vlib_cli_output(vm, "MAP IPv6 inbound security check: %s Fragments: %s", mm->sec_check ? "enabled" : "disabled",
+ vlib_cli_output(vm, "MAP IPv6 inbound security check: %s, fragmented packet security check: %s", mm->sec_check ? "enabled" : "disabled",
mm->sec_check_frag ? "enabled" : "disabled");
+ vlib_cli_output(vm, "ICMP-relay IPv4 source address: %U\n", format_ip4_address, &mm->icmp4_src_address);
+ vlib_cli_output(vm, "ICMP6 unreachables sent for unmatched packets: %s\n", mm->icmp6_enabled ? "enabled" : "disabled");
/*
* Counters
@@ -861,9 +894,9 @@ show_map_stats_command_fn (vlib_main_t *vm, unformat_input_t *input, vlib_cli_co
}
map_domain_counter_unlock (mm);
- vlib_cli_output(vm, "Encapsulated packets: %d bytes: %d\n", total_pkts[MAP_DOMAIN_COUNTER_TX],
+ vlib_cli_output(vm, "Encapsulated packets: %lld bytes: %lld\n", total_pkts[MAP_DOMAIN_COUNTER_TX],
total_bytes[MAP_DOMAIN_COUNTER_TX]);
- vlib_cli_output(vm, "Decapsulated packets: %d bytes: %d\n", total_pkts[MAP_DOMAIN_COUNTER_RX],
+ vlib_cli_output(vm, "Decapsulated packets: %lld bytes: %lld\n", total_pkts[MAP_DOMAIN_COUNTER_RX],
total_bytes[MAP_DOMAIN_COUNTER_RX]);
vlib_cli_output(vm, "ICMP relayed packets: %d\n", vlib_get_simple_counter(&mm->icmp_relayed, 0));
@@ -1524,12 +1557,17 @@ VLIB_CLI_COMMAND(map_security_check_command, static) = {
};
VLIB_CLI_COMMAND(map_icmp_relay_source_address_command, static) = {
- .path = "map params icmp-source-address",
- .short_help =
- "icmp-source-address <ip4-address>",
+ .path = "map params icmp source-address",
+ .short_help = "source-address <ip4-address>",
.function = map_icmp_relay_source_address_command_fn,
};
+VLIB_CLI_COMMAND(map_icmp_unreachables_command, static) = {
+ .path = "map params icmp unreachables",
+ .short_help = "unreachables {on|off}",
+ .function = map_icmp_unreachables_command_fn,
+};
+
VLIB_CLI_COMMAND(map_security_check_frag_command, static) = {
.path = "map params security-check fragments",
.short_help =
@@ -1598,6 +1636,9 @@ clib_error_t *map_init (vlib_main_t *vm)
mm->sec_check = true;
mm->sec_check_frag = false;
+ /* ICMP6 Type 1, Code 5 for security check failure */
+ mm->icmp6_enabled = false;
+
vec_validate(mm->domain_counters, MAP_N_DOMAIN_COUNTER - 1);
mm->domain_counters[MAP_DOMAIN_COUNTER_RX].name = "rx";
mm->domain_counters[MAP_DOMAIN_COUNTER_TX].name = "tx";
diff --git a/vnet/vnet/map/map.h b/vnet/vnet/map/map.h
index 95b842d4..6d12b71b 100644
--- a/vnet/vnet/map/map.h
+++ b/vnet/vnet/map/map.h
@@ -205,9 +205,10 @@ typedef struct {
bool tc_copy;
bool sec_check;
bool sec_check_frag;
+ bool icmp6_enabled;
/* ICMPv6 -> ICMPv4 relay parameters */
- ip4_address_t icmp_src_address;
+ ip4_address_t icmp4_src_address;
/* convenience */
vlib_main_t *vlib_main;
@@ -269,6 +270,7 @@ typedef struct {
_(ICMP, "unable to translate ICMP") \
_(ICMP_RELAY, "unable to relay ICMP") \
_(UNKNOWN, "unknown") \
+ _(NO_BINDING, "no binding") \
_(NO_DOMAIN, "no domain") \
_(FRAGMENTED, "packet is a fragment") \
_(FRAGMENT_MEMORY, "could not cache fragment") \