aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorVladimir Ratnikov <vratnikov@netgate.com>2020-03-18 08:20:08 -0400
committerOle Trøan <otroan@employees.org>2020-03-25 08:19:14 +0000
commitb1bd8760ce9b1416c8a7f12e411cfcf60de2929f (patch)
tree7eeed964b15adef909f474c18135e1736186e5d3
parent753b96f31b0f34983bbc213516f1a05825d868a8 (diff)
map: fix hop limit expiration at br
Before this patch, packet was dropped in ip4-input, but ip4-map-t node dropped response due to 'security check failed' This patch checkes if hop_limit==1 and sets error and next frame and sends icmp6 response correctly Type: fix Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com> Change-Id: I85a6af58205b05754ef8c45a94817bb84f915c85
-rw-r--r--src/plugins/map/ip6_map_t.c14
-rw-r--r--src/plugins/map/test/test_map.py17
2 files changed, 29 insertions, 2 deletions
diff --git a/src/plugins/map/ip6_map_t.c b/src/plugins/map/ip6_map_t.c
index ce973ea2e7f..874a14c99ed 100644
--- a/src/plugins/map/ip6_map_t.c
+++ b/src/plugins/map/ip6_map_t.c
@@ -544,6 +544,18 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
ip6_map_t_embedded_address (d0, &ip60->dst_address);
vnet_buffer (p0)->map_t.mtu = d0->mtu ? d0->mtu : ~0;
+ map_port0 = -1;
+
+ if (PREDICT_FALSE (ip60->hop_limit == 1))
+ {
+ icmp6_error_set_vnet_buffer (p0, ICMP6_time_exceeded,
+ ICMP6_time_exceeded_ttl_exceeded_in_transit,
+ 0);
+ p0->error = error_node->errors[MAP_ERROR_TIME_EXCEEDED];
+ next0 = IP6_MAPT_NEXT_ICMP;
+ goto trace;
+ }
+
if (PREDICT_FALSE
(ip6_parse (vm, p0, ip60, p0->current_length,
&(vnet_buffer (p0)->map_t.v6.l4_protocol),
@@ -554,7 +566,6 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
error0 == MAP_ERROR_NONE ? MAP_ERROR_MALFORMED : error0;
}
- map_port0 = -1;
l4_len0 =
(u32) clib_net_to_host_u16 (ip60->payload_length) +
sizeof (*ip60) - vnet_buffer (p0)->map_t.v6.l4_offset;
@@ -659,6 +670,7 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
}
p0->error = error_node->errors[error0];
+ trace:
if (PREDICT_FALSE (p0->flags & VLIB_BUFFER_IS_TRACED))
{
map_add_trace (vm, node, p0,
diff --git a/src/plugins/map/test/test_map.py b/src/plugins/map/test/test_map.py
index 66cb9ba20c4..59c23335052 100644
--- a/src/plugins/map/test/test_map.py
+++ b/src/plugins/map/test/test_map.py
@@ -591,7 +591,22 @@ class TestMAP(VppTestCase):
for p in rx:
self.validate(p[1], icmp4_reply)
- # IPv6 Hop limit
+ # IPv6 Hop limit at BR
+ ip6_hlim_expired = IPv6(hlim=1, src='2001:db8:1ab::c0a8:1:ab',
+ dst='1234:5678:90ab:cdef:ac:1001:200:0')
+ p6 = (p_ether6 / ip6_hlim_expired / payload)
+
+ icmp6_reply = (IPv6(hlim=255, src=self.pg1.local_ip6,
+ dst="2001:db8:1ab::c0a8:1:ab") /
+ ICMPv6TimeExceeded(code=0) /
+ IPv6(src="2001:db8:1ab::c0a8:1:ab",
+ dst='1234:5678:90ab:cdef:ac:1001:200:0',
+ hlim=1) / payload)
+ rx = self.send_and_expect(self.pg1, p6*1, self.pg1)
+ for p in rx:
+ self.validate(p[1], icmp6_reply)
+
+ # IPv6 Hop limit beyond BR
ip6_hlim_expired = IPv6(hlim=0, src='2001:db8:1ab::c0a8:1:ab',
dst='1234:5678:90ab:cdef:ac:1001:200:0')
p6 = (p_ether6 / ip6_hlim_expired / payload)