From 366ac6ecdea0214363f523967830c370697c8944 Mon Sep 17 00:00:00 2001
From: Ole Troan
Date: Wed, 6 Jan 2016 12:40:28 +0100
Subject: MAP: Decrement TTL of payload IPv4 packet. MAP: Disable direct adjacency domain lookup for decap until IPv4 SA security check is fixed.

Change-Id: If85ea73629e46cb09757fe842d79507cf54e37f3
Signed-off-by: Ole Troan
---
 vnet/vnet/map/ip4_map.c | 25 +++++++++++++++++++++++++
 vnet/vnet/map/map.c | 3 ++-
 vnet/vnet/map/map.h | 10 +++++++++-
 3 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/vnet/vnet/map/ip4_map.c b/vnet/vnet/map/ip4_map.c
index 6ed176c8..c8ee2764 100644
--- a/vnet/vnet/map/ip4_map.c
+++ b/vnet/vnet/map/ip4_map.c
@@ -155,6 +155,28 @@ ip4_map_ip6_lookup_bypass (vlib_buffer_t *p0, ip4_header_t *ip)
 return (false);
 }
 
+/*
+ * ip4_map_ttl
+ */
+static inline void
+ip4_map_decrement_ttl (ip4_header_t *ip, u8 *error)
+{
+ i32 ttl = ip->ttl;
+
+ /* Input node should have reject packets with ttl 0. */
+ ASSERT (ip->ttl > 0);
+
+ u32 checksum = ip->checksum + clib_host_to_net_u16(0x0100);
+ checksum += checksum >= 0xffff;
+ ip->checksum = checksum;
+ ttl -= 1;
+ ip->ttl = ttl;
+ *error = ttl <= 0 ? IP4_ERROR_TIME_EXPIRED : *error;
+
+ /* Verify checksum. */
+ ASSERT (ip->checksum == ip4_header_checksum(ip));
+}
+
 /*
 * ip4_map
 */
@@ -345,6 +367,9 @@ ip4_map (vlib_main_t *vm,
 */
 port0 = ip4_map_port_and_security_check(d0, ip40, &next0, &error0);
 
+ /* Decrement IPv4 TTL */
+ ip4_map_decrement_ttl(ip40, &error0);
+
 /* MAP calc */
 u32 da40 = clib_net_to_host_u32(ip40->dst_address.as_u32);
 u16 dp40 = clib_net_to_host_u16(port0);
diff --git a/vnet/vnet/map/map.c b/vnet/vnet/map/map.c
index fe54f654..b7eb1f14 100644
--- a/vnet/vnet/map/map.c
+++ b/vnet/vnet/map/map.c
@@ -681,7 +681,8 @@ format_map_domain (u8 *s, va_list *args)
 s = format(s, " RX: %lld/%lld", v.packets, v.bytes);
 map_domain_counter_unlock(mm);
 }
-
+ s = format(s, "\n");
+
 if (d->rules) {
 int i;
 ip6_address_t dst;
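Review bot: The error written by the new ip4_map_decrement_ttl is the bare `IP4_ERROR_TIME_EXPIRED`, while the map.h hunk of this same commit registers the MAP error as `_(IP4_ERROR_TIME_EXPIRED, "time expired")`, which the `MAP_ERROR_##sym` enum expands to `MAP_ERROR_IP4_ERROR_TIME_EXPIRED`; if the bare name resolves to the IPv4 node's own error enum instead, error0 indexes the MAP node's error table with a foreign value and the expiry is counted under an unrelated string. Register it as `_(TIME_EXPIRED, "time expired")` in map.h, matching the bare-name convention of the neighbouring MAP errors, and write `*error = ttl <= 0 ? MAP_ERROR_TIME_EXPIRED : *error;` here. `ASSERT (ip->ttl > 0)` is compiled out in release builds, so a TTL-0 packet that does reach this node goes through the `i32` decrement and the `u8` store as `ip->ttl = 255` before the error assignment flags it; that release-build behaviour deserves a sentence in the comment rather than only a debug assert. The header comment `ip4_map_ttl` also names a function that does not exist and should read `ip4_map_decrement_ttl`.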
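Review bot: `ip4_map_decrement_ttl(ip40, &error0)` sets error0 on expiry but leaves next0 untouched, so within this hunk an expired packet still proceeds to the MAP calculation; the drop presumably relies on a later `error0 != MAP_ERROR_NONE` test in ip4_map that is outside the hunk and worth confirming. The call also runs unconditionally after ip4_map_port_and_security_check, so a packet that check already rejected has its header rewritten anyway and, when its TTL hits zero, its recorded error replaced by the TTL one. Consider guarding it, `if (PREDICT_TRUE(error0 == MAP_ERROR_NONE)) ip4_map_decrement_ttl(ip40, &error0);`, and stating in the comment that no ICMP Time Exceeded is generated for the expired packet. The enclosing ip4_map loop body starts and ends outside the hunk.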
diff --git a/vnet/vnet/map/map.h b/vnet/vnet/map/map.h
index ae58cdb9..95b842d4 100644
--- a/vnet/vnet/map/map.h
+++ b/vnet/vnet/map/map.h
@@ -274,7 +274,8 @@ typedef struct {
 _(FRAGMENT_MEMORY, "could not cache fragment") \
 _(FRAGMENT_MALFORMED, "fragment has unexpected format")\
 _(FRAGMENT_DROPPED, "dropped cached fragment") \
- _(MALFORMED, "malformed packet")
+ _(MALFORMED, "malformed packet") \
+ _(IP4_ERROR_TIME_EXPIRED, "time expired")
 
 typedef enum {
 #define _(sym,str) MAP_ERROR_##sym,
@@ -392,6 +393,12 @@ ip6_map_get_domain (u32 adj_index, ip4_address_t *addr,
 map_main_t *mm = &map_main;
 ip4_main_t *im4 = &ip4_main;
 ip_lookup_main_t *lm4 = &ip4_main.lookup_main;
+
+ /*
+ * Disable direct MAP domain lookup on decap, until the security check is updated to verify IPv4 SA.
+ * (That's done implicitly when MAP domain is looked up in the IPv4 FIB)
+ */
+#ifdef MAP_NONSHARED_DOMAIN_ENABLED
 ip_lookup_main_t *lm6 = &ip6_main.lookup_main;
 ip_adjacency_t *adj = ip_get_adjacency(lm6, adj_index);
 ASSERT(adj);
@@ -400,6 +407,7 @@ ip6_map_get_domain (u32 adj_index, ip4_address_t *addr,
 *map_domain_index = p[0];
 if (p[0] != ~0)
 return pool_elt_at_index(mm->domains, p[0]);
+#endif
 
 u32 ai = ip4_fib_lookup_with_table(im4, 0, addr, 0);
 ip_adjacency_t *adj4 = ip_get_adjacency (lm4, ai);
-- 
cgit 1.2.3-korg
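Review bot: The `#ifdef MAP_NONSHARED_DOMAIN_ENABLED` block in ip6_map_get_domain has no `#else` and the new comment does not state what must be true before the macro may be defined, so whoever enables it later reinstates the early `return pool_elt_at_index(mm->domains, p[0])` ahead of the IPv4 FIB lookup, which is precisely the path the comment says skips IPv4 source-address validation. Add the precondition to the comment, e.g. `Do not define MAP_NONSHARED_DOMAIN_ENABLED until the decap security check validates the IPv4 source address against the domain returned from the adjacency.` With the macro undefined, `adj_index` appears to be unused in this function, which is worth a `(void) adj_index;` or a note if the build enables unused-parameter warnings; I cannot see the rest of the function, so this is inferred. ip6_map_get_domain starts before the first of these two hunks and continues past the second.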