diff options
-rw-r--r-- | vnet/vnet/ip/icmp6.c | 5 | ||||
-rw-r--r-- | vnet/vnet/ip/ip6_input.c | 10 | ||||
-rw-r--r-- | vnet/vnet/ip/ip_frag.c | 33 | ||||
-rw-r--r-- | vnet/vnet/ip/ip_frag.h | 7 | ||||
-rw-r--r-- | vnet/vnet/map/ip4_map.c | 54 | ||||
-rw-r--r-- | vnet/vnet/map/map.c | 72 | ||||
-rw-r--r-- | vnet/vnet/map/map.h | 31 |
7 files changed, 164 insertions, 48 deletions
diff --git a/vnet/vnet/ip/icmp6.c b/vnet/vnet/ip/icmp6.c index c5eb0f60..e6022adf 100644 --- a/vnet/vnet/ip/icmp6.c +++ b/vnet/vnet/ip/icmp6.c @@ -571,6 +571,7 @@ ip6_icmp_error (vlib_main_t * vm, b->current_length = 0; } } + p0->current_length = p0->current_length > 1280 ? 1280 : p0->current_length; /* Add IP header and ICMPv6 header including a 4 byte data field */ vlib_buffer_advance(p0, @@ -581,8 +582,8 @@ ip6_icmp_error (vlib_main_t * vm, /* Fill ip header fields */ out_ip0->ip_version_traffic_class_and_flow_label = clib_host_to_net_u32(0x6<<28); - u16 plen = p0->current_length > 1280 ? 1280 : p0->current_length; - out_ip0->payload_length = clib_host_to_net_u16(plen - sizeof(ip6_header_t)); + + out_ip0->payload_length = clib_host_to_net_u16(p0->current_length - sizeof(ip6_header_t)); out_ip0->protocol = IP_PROTOCOL_ICMP6; out_ip0->hop_limit = 0xff; out_ip0->dst_address = ip0->src_address; diff --git a/vnet/vnet/ip/ip6_input.c b/vnet/vnet/ip/ip6_input.c index 473b2b27..f96a1cfb 100644 --- a/vnet/vnet/ip/ip6_input.c +++ b/vnet/vnet/ip/ip6_input.c @@ -62,7 +62,7 @@ static u8 * format_ip6_input_trace (u8 * s, va_list * va) typedef enum { IP6_INPUT_NEXT_DROP, IP6_INPUT_NEXT_LOOKUP, - IP6_INPUT_NEXT_ICMP, + IP6_INPUT_NEXT_ICMP_ERROR, IP6_INPUT_N_NEXT, } ip6_input_next_t; @@ -189,7 +189,7 @@ ip6_input (vlib_main_t * vm, if (error0 == IP6_ERROR_TIME_EXPIRED) { icmp6_error_set_vnet_buffer(p0, ICMP6_time_exceeded, ICMP6_time_exceeded_ttl_exceeded_in_transit, 0); - next0 = IP6_INPUT_NEXT_ICMP; + next0 = IP6_INPUT_NEXT_ICMP_ERROR; } else { next0 = IP6_INPUT_NEXT_DROP; } @@ -199,7 +199,7 @@ ip6_input (vlib_main_t * vm, if (error1 == IP6_ERROR_TIME_EXPIRED) { icmp6_error_set_vnet_buffer(p1, ICMP6_time_exceeded, ICMP6_time_exceeded_ttl_exceeded_in_transit, 0); - next1 = IP6_INPUT_NEXT_ICMP; + next1 = IP6_INPUT_NEXT_ICMP_ERROR; } else { next1 = IP6_INPUT_NEXT_DROP; } @@ -262,7 +262,7 @@ ip6_input (vlib_main_t * vm, if (error0 == IP6_ERROR_TIME_EXPIRED) { icmp6_error_set_vnet_buffer(p0, ICMP6_time_exceeded, ICMP6_time_exceeded_ttl_exceeded_in_transit, 0); - next0 = IP6_INPUT_NEXT_ICMP; + next0 = IP6_INPUT_NEXT_ICMP_ERROR; } else { next0 = IP6_INPUT_NEXT_DROP; } @@ -298,7 +298,7 @@ VLIB_REGISTER_NODE (ip6_input_node) = { .next_nodes = { [IP6_INPUT_NEXT_DROP] = "error-drop", [IP6_INPUT_NEXT_LOOKUP] = "ip6-lookup", - [IP6_INPUT_NEXT_ICMP] = "ip6-icmp-error", + [IP6_INPUT_NEXT_ICMP_ERROR] = "ip6-icmp-error", }, .format_buffer = format_ip6_header, diff --git a/vnet/vnet/ip/ip_frag.c b/vnet/vnet/ip/ip_frag.c index 22176187..3436090a 100644 --- a/vnet/vnet/ip/ip_frag.c +++ b/vnet/vnet/ip/ip_frag.c @@ -37,9 +37,8 @@ static u8 * format_ip_frag_trace (u8 * s, va_list * args) CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); ip_frag_trace_t * t = va_arg (*args, ip_frag_trace_t *); - s = format(s, "IPv%s offset: %u mtu: %u fragments: %u next: %s", - t->ipv6?"6":"4", - t->header_offset, t->mtu, t->n_fragments, node->next_node_names[t->next]); + s = format(s, "IPv%s offset: %u mtu: %u fragments: %u", + t->ipv6?"6":"4", t->header_offset, t->mtu, t->n_fragments); return s; } @@ -146,6 +145,14 @@ ip4_frag_do_fragment(vlib_main_t *vm, u32 pi, u32 **buffer, ip_frag_error_t *err } } +void +ip_frag_set_vnet_buffer (vlib_buffer_t *b, u16 offset, u16 mtu, u8 next_index, u8 flags) +{ + vnet_buffer(b)->ip_frag.header_offset = offset; + vnet_buffer(b)->ip_frag.mtu = mtu; + vnet_buffer(b)->ip_frag.next_index = next_index; + vnet_buffer(b)->ip_frag.flags = flags; +} static uword ip4_frag (vlib_main_t *vm, @@ -189,13 +196,25 @@ ip4_frag (vlib_main_t *vm, tr->next = vnet_buffer(p0)->ip_frag.next_index; } - next0 = (error0 == IP_FRAG_ERROR_NONE) ? vnet_buffer(p0)->ip_frag.next_index : IP4_FRAG_NEXT_DROP; - frag_sent += vec_len(buffer); - small_packets += (vec_len(buffer) == 1); + if (error0 == IP_FRAG_ERROR_DONT_FRAGMENT_SET) { + icmp4_error_set_vnet_buffer(p0, ICMP4_destination_unreachable, + ICMP4_destination_unreachable_fragmentation_needed_and_dont_fragment_set, + vnet_buffer(p0)->ip_frag.mtu); + vlib_buffer_advance(p0, vnet_buffer(p0)->ip_frag.header_offset); + next0 = IP4_FRAG_NEXT_ICMP_ERROR; + } else + next0 = (error0 == IP_FRAG_ERROR_NONE) ? vnet_buffer(p0)->ip_frag.next_index : IP4_FRAG_NEXT_DROP; + + if (error0 == IP_FRAG_ERROR_NONE) { + frag_sent += vec_len(buffer); + small_packets += (vec_len(buffer) == 1); + } else + vlib_error_count(vm, ip4_frag_node.index, error0, 1); //Send fragments that were added in the frame frag_from = buffer; frag_left = vec_len(buffer); + while (frag_left > 0) { while (frag_left > 0 && n_left_to_next > 0) { u32 i; @@ -218,6 +237,7 @@ ip4_frag (vlib_main_t *vm, vlib_put_next_frame(vm, node, next_index, n_left_to_next); } vec_free(buffer); + vlib_node_increment_counter(vm, ip4_frag_node.index, IP_FRAG_ERROR_FRAGMENT_SENT, frag_sent); vlib_node_increment_counter(vm, ip4_frag_node.index, IP_FRAG_ERROR_SMALL_PACKET, small_packets); @@ -426,6 +446,7 @@ VLIB_REGISTER_NODE (ip4_frag_node) = { .next_nodes = { [IP4_FRAG_NEXT_IP4_LOOKUP] = "ip4-lookup", [IP4_FRAG_NEXT_IP6_LOOKUP] = "ip6-lookup", + [IP4_FRAG_NEXT_ICMP_ERROR] = "ip4-icmp-error", [IP4_FRAG_NEXT_DROP] = "error-drop" }, }; diff --git a/vnet/vnet/ip/ip_frag.h b/vnet/vnet/ip/ip_frag.h index 04566904..76238655 100644 --- a/vnet/vnet/ip/ip_frag.h +++ b/vnet/vnet/ip/ip_frag.h @@ -49,6 +49,7 @@ vlib_node_registration_t ip6_frag_node; typedef enum { IP4_FRAG_NEXT_IP4_LOOKUP, IP4_FRAG_NEXT_IP6_LOOKUP, + IP4_FRAG_NEXT_ICMP_ERROR, IP4_FRAG_NEXT_DROP, IP4_FRAG_N_NEXT } ip4_frag_next_t; @@ -65,8 +66,8 @@ typedef enum { _(NONE, "packet fragmented") \ _(SMALL_PACKET, "packet smaller than MTU") \ _(FRAGMENT_SENT, "number of sent fragments") \ - _(CANT_FRAGMENT_HEADER, "can't fragment header'") \ - _(DONT_FRAGMENT_SET, "can't fragment this packet'") \ + _(CANT_FRAGMENT_HEADER, "can't fragment header") \ + _(DONT_FRAGMENT_SET, "can't fragment this packet") \ _(MALFORMED, "malformed packet") \ _(MEMORY, "could not allocate buffer") \ _(UNKNOWN, "unknown error") @@ -78,4 +79,6 @@ typedef enum { IP_FRAG_N_ERROR, } ip_frag_error_t; +void ip_frag_set_vnet_buffer(vlib_buffer_t *b, u16 offset, u16 mtu, u8 next_index, u8 flags); + #endif /* ifndef IP_FRAG_H */ diff --git a/vnet/vnet/map/ip4_map.c b/vnet/vnet/map/ip4_map.c index 343b57d2..7b9b3ed9 100644 --- a/vnet/vnet/map/ip4_map.c +++ b/vnet/vnet/map/ip4_map.c @@ -27,8 +27,10 @@ enum ip4_map_next_e { #ifdef MAP_SKIP_IP6_LOOKUP IP4_MAP_NEXT_IP6_REWRITE, #endif - IP4_MAP_NEXT_FRAGMENT, + IP4_MAP_NEXT_IP4_FRAGMENT, + IP4_MAP_NEXT_IP6_FRAGMENT, IP4_MAP_NEXT_REASS, + IP4_MAP_NEXT_ICMP_ERROR, IP4_MAP_NEXT_DROP, IP4_MAP_N_NEXT, }; @@ -177,6 +179,27 @@ ip4_map_decrement_ttl (ip4_header_t *ip, u8 *error) ASSERT (ip->checksum == ip4_header_checksum(ip)); } +static u32 +ip4_map_fragment (vlib_buffer_t *b, u16 mtu, bool df, u8 *error) +{ + map_main_t *mm = &map_main; + + if (mm->frag_inner) { + ip_frag_set_vnet_buffer(b, sizeof(ip6_header_t), mtu, IP4_FRAG_NEXT_IP6_LOOKUP, IP_FRAG_FLAG_IP6_HEADER); + return (IP4_MAP_NEXT_IP4_FRAGMENT); + } else { + if (df && !mm->frag_ignore_df) { + icmp4_error_set_vnet_buffer(b, ICMP4_destination_unreachable, + ICMP4_destination_unreachable_fragmentation_needed_and_dont_fragment_set, mtu); + vlib_buffer_advance(b, sizeof(ip6_header_t)); + *error = MAP_ERROR_DF_SET; + return (IP4_MAP_NEXT_ICMP_ERROR); + } + ip_frag_set_vnet_buffer(b, 0, mtu, IP6_FRAG_NEXT_IP6_LOOKUP, IP_FRAG_FLAG_IP6_HEADER); + return (IP4_MAP_NEXT_IP6_FRAGMENT); + } +} + /* * ip4_map */ @@ -247,6 +270,12 @@ ip4_map (vlib_main_t *vm, port0 = ip4_map_port_and_security_check(d0, ip40, &next0, &error0); port1 = ip4_map_port_and_security_check(d1, ip41, &next1, &error1); + /* Decrement IPv4 TTL */ + ip4_map_decrement_ttl(ip40, &error0); + ip4_map_decrement_ttl(ip41, &error1); + bool df0 = ip40->flags_and_fragment_offset & clib_host_to_net_u16(IP4_HEADER_FLAG_DONT_FRAGMENT); + bool df1 = ip41->flags_and_fragment_offset & clib_host_to_net_u16(IP4_HEADER_FLAG_DONT_FRAGMENT); + /* MAP calc */ u32 da40 = clib_net_to_host_u32(ip40->dst_address.as_u32); u32 da41 = clib_net_to_host_u32(ip41->dst_address.as_u32); @@ -288,11 +317,7 @@ ip4_map (vlib_main_t *vm, */ if (PREDICT_TRUE(error0 == MAP_ERROR_NONE)) { if (PREDICT_FALSE(d0->mtu && (clib_net_to_host_u16(ip6h0->payload_length) + sizeof(*ip6h0) > d0->mtu))) { - vnet_buffer(p0)->ip_frag.header_offset = sizeof(*ip6h0); - vnet_buffer(p0)->ip_frag.next_index = IP4_FRAG_NEXT_IP6_LOOKUP; - vnet_buffer(p0)->ip_frag.mtu = d0->mtu; - vnet_buffer(p0)->ip_frag.flags = IP_FRAG_FLAG_IP6_HEADER; - next0 = IP4_MAP_NEXT_FRAGMENT; + next0 = ip4_map_fragment(p0, d0->mtu, df0, &error0); } else { next0 = ip4_map_ip6_lookup_bypass(p0, ip40) ? IP4_MAP_NEXT_IP6_REWRITE : next0; vlib_increment_combined_counter(cm + MAP_DOMAIN_COUNTER_TX, cpu_index, map_domain_index0, 1, @@ -308,11 +333,7 @@ ip4_map (vlib_main_t *vm, */ if (PREDICT_TRUE(error1 == MAP_ERROR_NONE)) { if (PREDICT_FALSE(d1->mtu && (clib_net_to_host_u16(ip6h1->payload_length) + sizeof(*ip6h1) > d1->mtu))) { - vnet_buffer(p1)->ip_frag.header_offset = sizeof(*ip6h1); - vnet_buffer(p1)->ip_frag.next_index = IP4_FRAG_NEXT_IP6_LOOKUP; - vnet_buffer(p1)->ip_frag.mtu = d1->mtu; - vnet_buffer(p1)->ip_frag.flags = IP_FRAG_FLAG_IP6_HEADER; - next1 = IP4_MAP_NEXT_FRAGMENT; + next1 = ip4_map_fragment(p1, d1->mtu, df1, &error1); } else { next1 = ip4_map_ip6_lookup_bypass(p1, ip41) ? IP4_MAP_NEXT_IP6_REWRITE : next1; vlib_increment_combined_counter(cm + MAP_DOMAIN_COUNTER_TX, cpu_index, map_domain_index1, 1, @@ -369,6 +390,7 @@ ip4_map (vlib_main_t *vm, /* Decrement IPv4 TTL */ ip4_map_decrement_ttl(ip40, &error0); + bool df0 = ip40->flags_and_fragment_offset & clib_host_to_net_u16(IP4_HEADER_FLAG_DONT_FRAGMENT); /* MAP calc */ u32 da40 = clib_net_to_host_u32(ip40->dst_address.as_u32); @@ -396,11 +418,7 @@ ip4_map (vlib_main_t *vm, */ if (PREDICT_TRUE(error0 == MAP_ERROR_NONE)) { if (PREDICT_FALSE(d0->mtu && (clib_net_to_host_u16(ip6h0->payload_length) + sizeof(*ip6h0) > d0->mtu))) { - vnet_buffer(p0)->ip_frag.header_offset = sizeof(*ip6h0); - vnet_buffer(p0)->ip_frag.next_index = IP4_FRAG_NEXT_IP6_LOOKUP; - vnet_buffer(p0)->ip_frag.mtu = d0->mtu; - vnet_buffer(p0)->ip_frag.flags = IP_FRAG_FLAG_IP6_HEADER; - next0 = IP4_MAP_NEXT_FRAGMENT; + next0 = ip4_map_fragment(p0, d0->mtu, df0, &error0); } else { next0 = ip4_map_ip6_lookup_bypass(p0, ip40) ? IP4_MAP_NEXT_IP6_REWRITE : next0; vlib_increment_combined_counter(cm + MAP_DOMAIN_COUNTER_TX, cpu_index, map_domain_index0, 1, @@ -591,8 +609,10 @@ VLIB_REGISTER_NODE(ip4_map_node) = { #ifdef MAP_SKIP_IP6_LOOKUP [IP4_MAP_NEXT_IP6_REWRITE] = "ip6-rewrite", #endif - [IP4_MAP_NEXT_FRAGMENT] = "ip4-frag", + [IP4_MAP_NEXT_IP4_FRAGMENT] = "ip4-frag", + [IP4_MAP_NEXT_IP6_FRAGMENT] = "ip6-frag", [IP4_MAP_NEXT_REASS] = "ip4-map-reass", + [IP4_MAP_NEXT_ICMP_ERROR] = "ip4-icmp-error", [IP4_MAP_NEXT_DROP] = "error-drop", }, }; diff --git a/vnet/vnet/map/map.c b/vnet/vnet/map/map.c index eb5496b8..a63122b5 100644 --- a/vnet/vnet/map/map.c +++ b/vnet/vnet/map/map.c @@ -653,6 +653,58 @@ map_icmp_unreachables_command_fn (vlib_main_t *vm, } static clib_error_t * +map_fragment_command_fn (vlib_main_t *vm, + unformat_input_t *input, + vlib_cli_command_t *cmd) +{ + unformat_input_t _line_input, *line_input = &_line_input; + map_main_t *mm = &map_main; + + /* Get a line of input. */ + if (!unformat_user(input, unformat_line_input, line_input)) + return 0; + + while (unformat_check_input(line_input) != UNFORMAT_END_OF_INPUT) { + if (unformat(line_input, "inner")) + mm->frag_inner = true; + else if (unformat(line_input, "outer")) + mm->frag_inner = false; + else + return clib_error_return(0, "unknown input `%U'", + format_unformat_error, input); + } + unformat_free(line_input); + + return 0; +} + +static clib_error_t * +map_fragment_df_command_fn (vlib_main_t *vm, + unformat_input_t *input, + vlib_cli_command_t *cmd) +{ + unformat_input_t _line_input, *line_input = &_line_input; + map_main_t *mm = &map_main; + + /* Get a line of input. */ + if (!unformat_user(input, unformat_line_input, line_input)) + return 0; + + while (unformat_check_input(line_input) != UNFORMAT_END_OF_INPUT) { + if (unformat(line_input, "on")) + mm->frag_ignore_df = true; + else if (unformat(line_input, "off")) + mm->frag_ignore_df = false; + else + return clib_error_return(0, "unknown input `%U'", + format_unformat_error, input); + } + unformat_free(line_input); + + return 0; +} + +static clib_error_t * map_traffic_class_command_fn (vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd) @@ -869,6 +921,8 @@ show_map_stats_command_fn (vlib_main_t *vm, unformat_input_t *input, vlib_cli_co vlib_cli_output(vm, "ICMP-relay IPv4 source address: %U\n", format_ip4_address, &mm->icmp4_src_address); vlib_cli_output(vm, "ICMP6 unreachables sent for unmatched packets: %s\n", mm->icmp6_enabled ? "enabled" : "disabled"); + vlib_cli_output(vm, "Inner fragmentation: %s\n", mm->frag_inner ? "enabled" : "disabled"); + vlib_cli_output(vm, "Fragment packets regardless of DF flag: %s\n", mm->frag_ignore_df ? "enabled" : "disabled"); /* * Counters @@ -1563,11 +1617,23 @@ VLIB_CLI_COMMAND(map_icmp_relay_source_address_command, static) = { }; VLIB_CLI_COMMAND(map_icmp_unreachables_command, static) = { - .path = "map params icmp unreachables", + .path = "map params icmp6 unreachables", .short_help = "unreachables {on|off}", .function = map_icmp_unreachables_command_fn, }; +VLIB_CLI_COMMAND(map_fragment_command, static) = { + .path = "map params fragment", + .short_help = "[inner|outer] [ignore-df [on|off]]", + .function = map_fragment_command_fn, +}; + +VLIB_CLI_COMMAND(map_fragment_df_command, static) = { + .path = "map params fragment ignore-df", + .short_help = "on|off", + .function = map_fragment_df_command_fn, +}; + VLIB_CLI_COMMAND(map_security_check_frag_command, static) = { .path = "map params security-check fragments", .short_help = @@ -1639,6 +1705,10 @@ clib_error_t *map_init (vlib_main_t *vm) /* ICMP6 Type 1, Code 5 for security check failure */ mm->icmp6_enabled = false; + /* Inner or outer fragmentation */ + mm->frag_inner = false; + mm->frag_ignore_df = false; + vec_validate(mm->domain_counters, MAP_N_DOMAIN_COUNTER - 1); mm->domain_counters[MAP_DOMAIN_COUNTER_RX].name = "rx"; mm->domain_counters[MAP_DOMAIN_COUNTER_TX].name = "tx"; diff --git a/vnet/vnet/map/map.h b/vnet/vnet/map/map.h index 6d12b71b..d38d7f47 100644 --- a/vnet/vnet/map/map.h +++ b/vnet/vnet/map/map.h @@ -190,9 +190,6 @@ typedef struct { vlib_combined_counter_main_t *domain_counters; volatile u32 *counter_lock; - /* Global counters */ - vlib_simple_counter_main_t icmp_relayed; - #ifdef MAP_SKIP_IP6_LOOKUP /* pre-presolve */ u32 adj6_index, adj4_index; @@ -203,12 +200,14 @@ typedef struct { /* Traffic class: zero, copy (~0) or fixed value */ u8 tc; bool tc_copy; - bool sec_check; - bool sec_check_frag; - bool icmp6_enabled; + + bool sec_check; /* Inbound security check */ + bool sec_check_frag; /* Inbound security check for (subsequent) fragments */ + bool icmp6_enabled; /* Send destination unreachable for security check failure */ /* ICMPv6 -> ICMPv4 relay parameters */ ip4_address_t icmp4_src_address; + vlib_simple_counter_main_t icmp_relayed; /* convenience */ vlib_main_t *vlib_main; @@ -217,13 +216,13 @@ typedef struct { /* * IPv4 encap and decap reassembly */ - //Conf + /* Configuration */ f32 ip4_reass_conf_ht_ratio; //Size of ht is 2^ceil(log2(ratio*pool_size)) u16 ip4_reass_conf_pool_size; //Max number of allocated reass structures u16 ip4_reass_conf_lifetime_ms; //Time a reassembly struct is considered valid in ms u32 ip4_reass_conf_buffers; //Maximum number of buffers used by ip4 reassembly - //Runtime + /* Runtime */ map_ip4_reass_t *ip4_reass_pool; u8 ip4_reass_ht_log2len; //Hash table size is 2^log2len u16 ip4_reass_allocated; @@ -231,19 +230,22 @@ typedef struct { u16 ip4_reass_fifo_last; volatile u32 *ip4_reass_lock; - //Counters + /* Counters */ u32 ip4_reass_buffered_counter; + bool frag_inner; /* Inner or outer fragmentation */ + bool frag_ignore_df; /* Fragment (outer) packet even if DF is set */ + /* * IPv6 decap reassembly */ - //Conf + /* Configuration */ f32 ip6_reass_conf_ht_ratio; //Size of ht is 2^ceil(log2(ratio*pool_size)) u16 ip6_reass_conf_pool_size; //Max number of allocated reass structures u16 ip6_reass_conf_lifetime_ms; //Time a reassembly struct is considered valid in ms u32 ip6_reass_conf_buffers; //Maximum number of buffers used by ip6 reassembly - //Runtime + /* Runtime */ map_ip6_reass_t *ip6_reass_pool; u8 ip6_reass_ht_log2len; //Hash table size is 2^log2len u16 ip6_reass_allocated; @@ -251,19 +253,18 @@ typedef struct { u16 ip6_reass_fifo_last; volatile u32 *ip6_reass_lock; - //Counters + /* Counters */ u32 ip6_reass_buffered_counter; } map_main_t; /* - * TODO: Remove SEC_CHECK / TRANSLATED_4TO6 / TRANSLATED_6TO4 + * MAP Error counters/messages */ #define foreach_map_error \ /* Must be first. */ \ _(NONE, "valid MAP packets") \ _(BAD_PROTOCOL, "bad protocol") \ - _(WRONG_ICMP_TYPE, "wrong icmp type") \ _(SEC_CHECK, "security check failed") \ _(ENCAP_SEC_CHECK, "encap security check failed") \ _(DECAP_SEC_CHECK, "decap security check failed") \ @@ -277,7 +278,7 @@ typedef struct { _(FRAGMENT_MALFORMED, "fragment has unexpected format")\ _(FRAGMENT_DROPPED, "dropped cached fragment") \ _(MALFORMED, "malformed packet") \ - _(IP4_ERROR_TIME_EXPIRED, "time expired") + _(DF_SET, "can't fragment, DF set") typedef enum { #define _(sym,str) MAP_ERROR_##sym, |