diff options
author | Klement Sekera <ksekera@cisco.com> | 2019-05-16 14:35:46 +0200 |
---|---|---|
committer | Ole Trøan <otroan@employees.org> | 2019-05-20 12:13:11 +0000 |
commit | 3a343d42d7bd90753ea6ed48fe750a7a209b1ddf (patch) | |
tree | ba831c36c69365d67a2d20d7a6d447b831a1b88e | |
parent | b388e1a50603a07e20007141221ca4f4a18ab698 (diff) |
reassembly: prevent long chain attack
limit max # of fragments to 3 per packet by default
add API option to configure the limit at runtime
Change-Id: Ie4b9507bf5c6095b9a5925972b37fe0032f4f9e8
Signed-off-by: Klement Sekera <ksekera@cisco.com>
-rw-r--r-- | src/vnet/ip/ip.api | 4 | ||||
-rw-r--r-- | src/vnet/ip/ip4_error.h | 2 | ||||
-rw-r--r-- | src/vnet/ip/ip4_reassembly.c | 45 | ||||
-rw-r--r-- | src/vnet/ip/ip4_reassembly.h | 2 | ||||
-rw-r--r-- | src/vnet/ip/ip6_error.h | 2 | ||||
-rw-r--r-- | src/vnet/ip/ip6_reassembly.c | 40 | ||||
-rw-r--r-- | src/vnet/ip/ip6_reassembly.h | 1 | ||||
-rw-r--r-- | src/vnet/ip/ip_api.c | 3 | ||||
-rw-r--r-- | test/framework.py | 13 | ||||
-rw-r--r-- | test/test_ipip.py | 10 | ||||
-rw-r--r-- | test/test_reassembly.py | 72 |
11 files changed, 181 insertions, 13 deletions
diff --git a/src/vnet/ip/ip.api b/src/vnet/ip/ip.api index 39d394f709d..afb0960c78a 100644 --- a/src/vnet/ip/ip.api +++ b/src/vnet/ip/ip.api @@ -20,7 +20,7 @@ called through a shared memory interface. */ -option version = "2.0.0"; +option version = "2.0.1"; import "vnet/ip/ip_types.api"; import "vnet/fib/fib_types.api"; import "vnet/ethernet/ethernet_types.api"; @@ -1085,6 +1085,7 @@ autoreply define ip_reassembly_set u32 context; u32 timeout_ms; u32 max_reassemblies; + u32 max_reassembly_length; u32 expire_walk_interval_ms; u8 is_ip6; }; @@ -1102,6 +1103,7 @@ define ip_reassembly_get_reply i32 retval; u32 timeout_ms; u32 max_reassemblies; + u32 max_reassembly_length; u32 expire_walk_interval_ms; u8 is_ip6; }; diff --git a/src/vnet/ip/ip4_error.h b/src/vnet/ip/ip4_error.h index badcc6609e9..d3bf6d79714 100644 --- a/src/vnet/ip/ip4_error.h +++ b/src/vnet/ip/ip4_error.h @@ -86,6 +86,8 @@ /* Errors signalled by ip4-reassembly */ \ _ (REASS_DUPLICATE_FRAGMENT, "duplicate/overlapping fragments") \ _ (REASS_LIMIT_REACHED, "drops due to concurrent reassemblies limit") \ + _ (REASS_FRAGMENT_CHAIN_TOO_LONG, "fragment chain too long (drop)") \ + _ (REASS_NO_BUF, "out of buffers (drop)") \ _ (REASS_MALFORMED_PACKET, "malformed packets") \ _ (REASS_INTERNAL_ERROR, "drops due to internal reassembly error") diff --git a/src/vnet/ip/ip4_reassembly.c b/src/vnet/ip/ip4_reassembly.c index b38ade09efd..f27351038fe 100644 --- a/src/vnet/ip/ip4_reassembly.c +++ b/src/vnet/ip/ip4_reassembly.c @@ -30,6 +30,7 @@ #define IP4_REASS_TIMEOUT_DEFAULT_MS 100 #define IP4_REASS_EXPIRE_WALK_INTERVAL_DEFAULT_MS 10000 // 10 seconds default #define IP4_REASS_MAX_REASSEMBLIES_DEFAULT 1024 +#define IP4_REASS_MAX_REASSEMBLY_LENGTH_DEFAULT 3 #define IP4_REASS_HT_LOAD_FACTOR (0.75) #define IP4_REASS_DEBUG_BUFFERS 0 @@ -57,6 +58,7 @@ typedef enum { IP4_REASS_RC_OK, + IP4_REASS_RC_TOO_MANY_FRAGMENTS, IP4_REASS_RC_INTERNAL_ERROR, IP4_REASS_RC_NO_BUF, } ip4_reass_rc_t; @@ -133,7 +135,8 @@ typedef struct u8 next_index; // minimum fragment length for this reassembly - used to estimate MTU u16 min_fragment_length; - + // number of fragments in this reassembly + u32 fragments_n; } ip4_reass_t; typedef struct @@ -150,6 +153,9 @@ typedef struct u32 timeout_ms; f64 timeout; u32 expire_walk_interval_ms; + // maximum number of fragments in one reassembly + u32 max_reass_len; + // maximum number of reassemblies u32 max_reass_n; // IPv4 runtime @@ -750,6 +756,7 @@ ip4_reass_update (vlib_main_t * vm, vlib_node_runtime_t * node, } *bi0 = ~0; reass->min_fragment_length = clib_net_to_host_u16 (fip->length); + reass->fragments_n = 1; return IP4_REASS_RC_OK; } reass->min_fragment_length = clib_min (clib_net_to_host_u16 (fip->length), @@ -907,6 +914,7 @@ ip4_reass_update (vlib_main_t * vm, vlib_node_runtime_t * node, } break; } + ++reass->fragments_n; if (consumed) { if (PREDICT_FALSE (fb->flags & VLIB_BUFFER_IS_TRACED)) @@ -925,6 +933,10 @@ ip4_reass_update (vlib_main_t * vm, vlib_node_runtime_t * node, if (consumed) { *bi0 = ~0; + if (reass->fragments_n > rm->max_reass_len) + { + rc = IP4_REASS_RC_TOO_MANY_FRAGMENTS; + } } else { @@ -1022,10 +1034,26 @@ ip4_reassembly_inline (vlib_main_t * vm, case IP4_REASS_RC_OK: /* nothing to do here */ break; + case IP4_REASS_RC_TOO_MANY_FRAGMENTS: + vlib_node_increment_counter (vm, node->node_index, + IP4_ERROR_REASS_FRAGMENT_CHAIN_TOO_LONG, + 1); + ip4_reass_on_timeout (vm, rm, reass); + ip4_reass_free (rm, rt, reass); + goto next_packet; + break; case IP4_REASS_RC_NO_BUF: - /* fallthrough */ + vlib_node_increment_counter (vm, node->node_index, + IP4_ERROR_REASS_NO_BUF, + 1); + ip4_reass_on_timeout (vm, rm, reass); + ip4_reass_free (rm, rt, reass); + goto next_packet; + break; case IP4_REASS_RC_INTERNAL_ERROR: - /* drop everything and start with a clean slate */ + vlib_node_increment_counter (vm, node->node_index, + IP4_ERROR_REASS_INTERNAL_ERROR, + 1); ip4_reass_on_timeout (vm, rm, reass); ip4_reass_free (rm, rt, reass); goto next_packet; @@ -1176,20 +1204,21 @@ ip4_rehash_cb (clib_bihash_kv_16_8_t * kv, void *_ctx) static void ip4_reass_set_params (u32 timeout_ms, u32 max_reassemblies, - u32 expire_walk_interval_ms) + u32 max_reassembly_length, u32 expire_walk_interval_ms) { ip4_reass_main.timeout_ms = timeout_ms; ip4_reass_main.timeout = (f64) timeout_ms / (f64) MSEC_PER_SEC; ip4_reass_main.max_reass_n = max_reassemblies; + ip4_reass_main.max_reass_len = max_reassembly_length; ip4_reass_main.expire_walk_interval_ms = expire_walk_interval_ms; } vnet_api_error_t ip4_reass_set (u32 timeout_ms, u32 max_reassemblies, - u32 expire_walk_interval_ms) + u32 max_reassembly_length, u32 expire_walk_interval_ms) { u32 old_nbuckets = ip4_reass_get_nbuckets (); - ip4_reass_set_params (timeout_ms, max_reassemblies, + ip4_reass_set_params (timeout_ms, max_reassemblies, max_reassembly_length, expire_walk_interval_ms); vlib_process_signal_event (ip4_reass_main.vlib_main, ip4_reass_main.ip4_reass_expire_node_idx, @@ -1223,10 +1252,11 @@ ip4_reass_set (u32 timeout_ms, u32 max_reassemblies, vnet_api_error_t ip4_reass_get (u32 * timeout_ms, u32 * max_reassemblies, - u32 * expire_walk_interval_ms) + u32 * max_reassembly_length, u32 * expire_walk_interval_ms) { *timeout_ms = ip4_reass_main.timeout_ms; *max_reassemblies = ip4_reass_main.max_reass_n; + *max_reassembly_length = ip4_reass_main.max_reass_len; *expire_walk_interval_ms = ip4_reass_main.expire_walk_interval_ms; return 0; } @@ -1256,6 +1286,7 @@ ip4_reass_init_function (vlib_main_t * vm) ip4_reass_set_params (IP4_REASS_TIMEOUT_DEFAULT_MS, IP4_REASS_MAX_REASSEMBLIES_DEFAULT, + IP4_REASS_MAX_REASSEMBLY_LENGTH_DEFAULT, IP4_REASS_EXPIRE_WALK_INTERVAL_DEFAULT_MS); nbuckets = ip4_reass_get_nbuckets (); diff --git a/src/vnet/ip/ip4_reassembly.h b/src/vnet/ip/ip4_reassembly.h index 521ca0f1998..4ceb0ab2409 100644 --- a/src/vnet/ip/ip4_reassembly.h +++ b/src/vnet/ip/ip4_reassembly.h @@ -30,12 +30,14 @@ * @brief set ip4 reassembly configuration */ vnet_api_error_t ip4_reass_set (u32 timeout_ms, u32 max_reassemblies, + u32 max_reassembly_length, u32 expire_walk_interval_ms); /** * @brief get ip4 reassembly configuration */ vnet_api_error_t ip4_reass_get (u32 * timeout_ms, u32 * max_reassemblies, + u32 * max_reassembly_length, u32 * expire_walk_interval_ms); vnet_api_error_t ip4_reass_enable_disable (u32 sw_if_index, diff --git a/src/vnet/ip/ip6_error.h b/src/vnet/ip/ip6_error.h index 6a20de4f18e..3ca2be61a55 100644 --- a/src/vnet/ip/ip6_error.h +++ b/src/vnet/ip/ip6_error.h @@ -81,6 +81,8 @@ _ (REASS_DUPLICATE_FRAGMENT, "duplicate fragments") \ _ (REASS_OVERLAPPING_FRAGMENT, "overlapping fragments") \ _ (REASS_LIMIT_REACHED, "drops due to concurrent reassemblies limit") \ + _ (REASS_FRAGMENT_CHAIN_TOO_LONG, "fragment chain too long (drop)") \ + _ (REASS_NO_BUF, "out of buffers (drop)") \ _ (REASS_TIMEOUT, "fragments dropped due to reassembly timeout") \ _ (REASS_INTERNAL_ERROR, "drops due to internal reassembly error") diff --git a/src/vnet/ip/ip6_reassembly.c b/src/vnet/ip/ip6_reassembly.c index 9906250cb0f..45cd2b2eaeb 100644 --- a/src/vnet/ip/ip6_reassembly.c +++ b/src/vnet/ip/ip6_reassembly.c @@ -30,12 +30,14 @@ #define IP6_REASS_TIMEOUT_DEFAULT_MS 100 #define IP6_REASS_EXPIRE_WALK_INTERVAL_DEFAULT_MS 10000 // 10 seconds default #define IP6_REASS_MAX_REASSEMBLIES_DEFAULT 1024 +#define IP6_REASS_MAX_REASSEMBLY_LENGTH_DEFAULT 3 #define IP6_REASS_HT_LOAD_FACTOR (0.75) typedef enum { IP6_REASS_RC_OK, IP6_REASS_RC_INTERNAL_ERROR, + IP6_REASS_RC_TOO_MANY_FRAGMENTS, IP6_REASS_RC_NO_BUF, } ip6_reass_rc_t; @@ -112,6 +114,8 @@ typedef struct u8 next_index; // minimum fragment length for this reassembly - used to estimate MTU u16 min_fragment_length; + // number of fragments for this reassembly + u32 fragments_n; } ip6_reass_t; typedef struct @@ -128,6 +132,9 @@ typedef struct u32 timeout_ms; f64 timeout; u32 expire_walk_interval_ms; + // maximum number of fragments in one reassembly + u32 max_reass_len; + // maximum number of reassemblies u32 max_reass_n; // IPv6 runtime @@ -744,6 +751,7 @@ ip6_reass_update (vlib_main_t * vm, vlib_node_runtime_t * node, *bi0); reass->min_fragment_length = clib_net_to_host_u16 (fip->payload_length); consumed = 1; + reass->fragments_n = 1; goto check_if_done_maybe; } reass->min_fragment_length = @@ -797,6 +805,7 @@ ip6_reass_update (vlib_main_t * vm, vlib_node_runtime_t * node, } break; } + ++reass->fragments_n; check_if_done_maybe: if (consumed) { @@ -816,6 +825,10 @@ check_if_done_maybe: if (consumed) { *bi0 = ~0; + if (reass->fragments_n > rm->max_reass_len) + { + return IP6_REASS_RC_TOO_MANY_FRAGMENTS; + } } else { @@ -989,10 +1002,25 @@ ip6_reassembly_inline (vlib_main_t * vm, case IP6_REASS_RC_OK: /* nothing to do here */ break; + case IP6_REASS_RC_TOO_MANY_FRAGMENTS: + vlib_node_increment_counter (vm, node->node_index, + IP6_ERROR_REASS_FRAGMENT_CHAIN_TOO_LONG, + 1); + ip6_reass_drop_all (vm, rm, reass); + ip6_reass_free (rm, rt, reass); + goto next_packet; + break; case IP6_REASS_RC_NO_BUF: - /* fallthrough */ + vlib_node_increment_counter (vm, node->node_index, + IP6_ERROR_REASS_NO_BUF, 1); + ip6_reass_drop_all (vm, rm, reass); + ip6_reass_free (rm, rt, reass); + goto next_packet; + break; case IP6_REASS_RC_INTERNAL_ERROR: - /* drop everything and start with a clean slate */ + vlib_node_increment_counter (vm, node->node_index, + IP6_ERROR_REASS_INTERNAL_ERROR, + 1); ip6_reass_drop_all (vm, rm, reass); ip6_reass_free (rm, rt, reass); goto next_packet; @@ -1151,20 +1179,21 @@ ip6_rehash_cb (clib_bihash_kv_48_8_t * kv, void *_ctx) static void ip6_reass_set_params (u32 timeout_ms, u32 max_reassemblies, - u32 expire_walk_interval_ms) + u32 max_reassembly_length, u32 expire_walk_interval_ms) { ip6_reass_main.timeout_ms = timeout_ms; ip6_reass_main.timeout = (f64) timeout_ms / (f64) MSEC_PER_SEC; ip6_reass_main.max_reass_n = max_reassemblies; + ip6_reass_main.max_reass_len = max_reassembly_length; ip6_reass_main.expire_walk_interval_ms = expire_walk_interval_ms; } vnet_api_error_t ip6_reass_set (u32 timeout_ms, u32 max_reassemblies, - u32 expire_walk_interval_ms) + u32 max_reassembly_length, u32 expire_walk_interval_ms) { u32 old_nbuckets = ip6_reass_get_nbuckets (); - ip6_reass_set_params (timeout_ms, max_reassemblies, + ip6_reass_set_params (timeout_ms, max_reassemblies, max_reassembly_length, expire_walk_interval_ms); vlib_process_signal_event (ip6_reass_main.vlib_main, ip6_reass_main.ip6_reass_expire_node_idx, @@ -1231,6 +1260,7 @@ ip6_reass_init_function (vlib_main_t * vm) ip6_reass_set_params (IP6_REASS_TIMEOUT_DEFAULT_MS, IP6_REASS_MAX_REASSEMBLIES_DEFAULT, + IP6_REASS_MAX_REASSEMBLY_LENGTH_DEFAULT, IP6_REASS_EXPIRE_WALK_INTERVAL_DEFAULT_MS); nbuckets = ip6_reass_get_nbuckets (); diff --git a/src/vnet/ip/ip6_reassembly.h b/src/vnet/ip/ip6_reassembly.h index 5084edaaf8c..1ca2b20813c 100644 --- a/src/vnet/ip/ip6_reassembly.h +++ b/src/vnet/ip/ip6_reassembly.h @@ -30,6 +30,7 @@ * @brief set ip6 reassembly configuration */ vnet_api_error_t ip6_reass_set (u32 timeout_ms, u32 max_reassemblies, + u32 max_reassembly_length, u32 expire_walk_interval_ms); /** diff --git a/src/vnet/ip/ip_api.c b/src/vnet/ip/ip_api.c index ce3456d77d9..5a6053d1f42 100644 --- a/src/vnet/ip/ip_api.c +++ b/src/vnet/ip/ip_api.c @@ -3328,12 +3328,14 @@ vl_api_ip_reassembly_set_t_handler (vl_api_ip_reassembly_set_t * mp) { rv = ip6_reass_set (clib_net_to_host_u32 (mp->timeout_ms), clib_net_to_host_u32 (mp->max_reassemblies), + clib_net_to_host_u32 (mp->max_reassembly_length), clib_net_to_host_u32 (mp->expire_walk_interval_ms)); } else { rv = ip4_reass_set (clib_net_to_host_u32 (mp->timeout_ms), clib_net_to_host_u32 (mp->max_reassemblies), + clib_net_to_host_u32 (mp->max_reassembly_length), clib_net_to_host_u32 (mp->expire_walk_interval_ms)); } @@ -3364,6 +3366,7 @@ vl_api_ip_reassembly_get_t_handler (vl_api_ip_reassembly_get_t * mp) { rmp->is_ip6 = 0; ip4_reass_get (&rmp->timeout_ms, &rmp->max_reassemblies, + &rmp->max_reassembly_length, &rmp->expire_walk_interval_ms); } rmp->timeout_ms = clib_host_to_net_u32 (rmp->timeout_ms); diff --git a/test/framework.py b/test/framework.py index 47de2c4d967..201892aea27 100644 --- a/test/framework.py +++ b/test/framework.py @@ -1000,6 +1000,19 @@ class VppTestCase(unittest.TestCase): if pkt.haslayer(ICMPv6EchoReply): self.assert_checksum_valid(pkt, 'ICMPv6EchoReply', 'cksum') + def get_packet_counter(self, counter): + if counter.startswith("/"): + counter_value = self.statistics.get_counter(counter) + else: + counters = self.vapi.cli("sh errors").split('\n') + counter_value = -1 + for i in range(1, len(counters) - 1): + results = counters[i].split() + if results[1] == counter: + counter_value = int(results[0]) + break + return counter_value + def assert_packet_counter_equal(self, counter, expected_value): if counter.startswith("/"): counter_value = self.statistics.get_counter(counter) diff --git a/test/test_ipip.py b/test/test_ipip.py index 16f83694b20..e5b9092a431 100644 --- a/test/test_ipip.py +++ b/test/test_ipip.py @@ -160,6 +160,11 @@ class TestIPIP(VppTestCase): sw_if_index=self.pg1.sw_if_index, enable_ip4=1) + self.vapi.ip_reassembly_set(timeout_ms=1000, max_reassemblies=1000, + max_reassembly_length=1000, + expire_walk_interval_ms=10000, + is_ip6=0) + # Send lots of fragments, verify reassembled packet frags, p4_reply = self.generate_ip4_frags(3131, 1400) f = [] @@ -415,6 +420,11 @@ class TestIPIP6(VppTestCase): sw_if_index=self.pg1.sw_if_index, enable_ip6=1) + self.vapi.ip_reassembly_set(timeout_ms=1000, max_reassemblies=1000, + max_reassembly_length=1000, + expire_walk_interval_ms=10000, + is_ip6=1) + # Send lots of fragments, verify reassembled packet before_cnt = self.statistics.get_counter( '/err/ipip6-input/packets decapsulated') diff --git a/test/test_reassembly.py b/test/test_reassembly.py index f57c14c1cf5..05877fad66d 100644 --- a/test/test_reassembly.py +++ b/test/test_reassembly.py @@ -83,6 +83,7 @@ class TestIPReassemblyMixin(object): is_ip6 = 1 if scapy_ip_family == IPv6 else 0 self.vapi.ip_reassembly_set(timeout_ms=1000, max_reassemblies=0, + max_reassembly_length=1000, expire_walk_interval_ms=10000, is_ip6=is_ip6) @@ -183,6 +184,7 @@ class TestIPReassemblyMixin(object): is_ip6 = 1 if scapy_ip_family == IPv6 else 0 self.vapi.ip_reassembly_set(timeout_ms=0, max_reassemblies=1000, + max_reassembly_length=1000, expire_walk_interval_ms=10000, is_ip6=is_ip6) @@ -229,9 +231,11 @@ class TestIPv4Reassembly(TestIPReassemblyMixin, VppTestCase): self.vapi.ip_reassembly_enable_disable( sw_if_index=self.src_if.sw_if_index, enable_ip4=True) self.vapi.ip_reassembly_set(timeout_ms=0, max_reassemblies=1000, + max_reassembly_length=1000, expire_walk_interval_ms=10) self.sleep(.25) self.vapi.ip_reassembly_set(timeout_ms=1000000, max_reassemblies=1000, + max_reassembly_length=1000, expire_walk_interval_ms=10000) def tearDown(self): @@ -301,6 +305,37 @@ class TestIPv4Reassembly(TestIPReassemblyMixin, VppTestCase): stream = self.__class__.fragments_200 super(TestIPv4Reassembly, self).test_random(family, stream) + def test_long_fragment_chain(self): + """ long fragment chain """ + + error_cnt_str = \ + "/err/ip4-reassembly-feature/fragment chain too long (drop)" + + error_cnt = self.get_packet_counter(error_cnt_str) + + self.vapi.ip_reassembly_set(timeout_ms=100, max_reassemblies=1000, + max_reassembly_length=3, + expire_walk_interval_ms=50) + + p1 = (Ether(dst=self.src_if.local_mac, src=self.src_if.remote_mac) / + IP(id=1000, src=self.src_if.remote_ip4, + dst=self.dst_if.remote_ip4) / + UDP(sport=1234, dport=5678) / + Raw("X" * 1000)) + p2 = (Ether(dst=self.src_if.local_mac, src=self.src_if.remote_mac) / + IP(id=1001, src=self.src_if.remote_ip4, + dst=self.dst_if.remote_ip4) / + UDP(sport=1234, dport=5678) / + Raw("X" * 1000)) + frags = fragment_rfc791(p1, 200) + fragment_rfc791(p2, 500) + + self.pg_enable_capture() + self.src_if.add_stream(frags) + self.pg_start() + + self.dst_if.get_capture(1) + self.assert_packet_counter_equal(error_cnt_str, error_cnt + 1) + def test_5737(self): """ fragment length + ip header size > 65535 """ self.vapi.cli("clear errors") @@ -504,6 +539,7 @@ class TestIPv4Reassembly(TestIPReassemblyMixin, VppTestCase): if len(frags_400) > 1) self.vapi.ip_reassembly_set(timeout_ms=100, max_reassemblies=1000, + max_reassembly_length=1000, expire_walk_interval_ms=50) self.pg_enable_capture() @@ -565,9 +601,11 @@ class TestIPv6Reassembly(TestIPReassemblyMixin, VppTestCase): self.vapi.ip_reassembly_enable_disable( sw_if_index=self.src_if.sw_if_index, enable_ip6=True) self.vapi.ip_reassembly_set(timeout_ms=0, max_reassemblies=1000, + max_reassembly_length=1000, expire_walk_interval_ms=10, is_ip6=1) self.sleep(.25) self.vapi.ip_reassembly_set(timeout_ms=1000000, max_reassemblies=1000, + max_reassembly_length=1000, expire_walk_interval_ms=10000, is_ip6=1) self.logger.debug(self.vapi.ppcli("show ip6-reassembly details")) self.logger.debug(self.vapi.ppcli("show buffers")) @@ -647,6 +685,32 @@ class TestIPv6Reassembly(TestIPReassemblyMixin, VppTestCase): ] super(TestIPv6Reassembly, self).test_duplicates(family, fragments) + def test_long_fragment_chain(self): + """ long fragment chain """ + + error_cnt_str = \ + "/err/ip6-reassembly-feature/fragment chain too long (drop)" + + error_cnt = self.get_packet_counter(error_cnt_str) + + self.vapi.ip_reassembly_set(timeout_ms=100, max_reassemblies=1000, + max_reassembly_length=3, + expire_walk_interval_ms=50, is_ip6=1) + + p = (Ether(dst=self.src_if.local_mac, src=self.src_if.remote_mac) / + IPv6(src=self.src_if.remote_ip6, + dst=self.dst_if.remote_ip6) / + UDP(sport=1234, dport=5678) / + Raw("X" * 1000)) + frags = fragment_rfc8200(p, 1, 300) + fragment_rfc8200(p, 2, 500) + + self.pg_enable_capture() + self.src_if.add_stream(frags) + self.pg_start() + + self.dst_if.get_capture(1) + self.assert_packet_counter_equal(error_cnt_str, error_cnt + 1) + def test_overlap1(self): """ overlapping fragments case #1 (differs from IP test case)""" @@ -741,9 +805,11 @@ class TestIPv6Reassembly(TestIPReassemblyMixin, VppTestCase): if len(frags_400) > 1) self.vapi.ip_reassembly_set(timeout_ms=100, max_reassemblies=1000, + max_reassembly_length=1000, expire_walk_interval_ms=50) self.vapi.ip_reassembly_set(timeout_ms=100, max_reassemblies=1000, + max_reassembly_length=1000, expire_walk_interval_ms=50, is_ip6=1) self.pg_enable_capture() @@ -865,9 +931,11 @@ class TestIPv4ReassemblyLocalNode(VppTestCase): """ Test setup - force timeout on existing reassemblies """ super(TestIPv4ReassemblyLocalNode, self).setUp() self.vapi.ip_reassembly_set(timeout_ms=0, max_reassemblies=1000, + max_reassembly_length=1000, expire_walk_interval_ms=10) self.sleep(.25) self.vapi.ip_reassembly_set(timeout_ms=1000000, max_reassemblies=1000, + max_reassembly_length=1000, expire_walk_interval_ms=10000) def tearDown(self): @@ -996,13 +1064,17 @@ class TestFIFReassembly(VppTestCase): sw_if_index=self.dst_if.sw_if_index, enable_ip4=True, enable_ip6=True) self.vapi.ip_reassembly_set(timeout_ms=0, max_reassemblies=1000, + max_reassembly_length=1000, expire_walk_interval_ms=10) self.vapi.ip_reassembly_set(timeout_ms=0, max_reassemblies=1000, + max_reassembly_length=1000, expire_walk_interval_ms=10, is_ip6=1) self.sleep(.25) self.vapi.ip_reassembly_set(timeout_ms=1000000, max_reassemblies=1000, + max_reassembly_length=1000, expire_walk_interval_ms=10000) self.vapi.ip_reassembly_set(timeout_ms=1000000, max_reassemblies=1000, + max_reassembly_length=1000, expire_walk_interval_ms=10000, is_ip6=1) def tearDown(self): |