authorMatthew Smith <mgsmith@netgate.com>2019-12-04 15:02:46 -0600
committerMatthew Smith <mgsmith@netgate.com>2019-12-05 10:24:41 -0600
commit9f3569615eaadcf24a880d8d5547df9ad7a1d35f (patch)
tree600e092bcbdea0338f1f26336c1904a5ae1bd2c0
parent1063f2ae80666d355407d58e0fda35fbd5292d9b (diff)
map: fix MAP-T ip6 port check
Type: fix Ticket: VPP-1804 Fix a regression introduced by 640edcd90. The port set ID on received IPv6 packets for MAP-T was being checked against the destination port. It should be checked against the source port. Added a new unit test to verify that a v6 packet with a good source port is translated and forwarded and a v6 packet with a bad source port is dropped. The important part of the test which will prevent similar future regressions is that the source port and destination port are not equal. The existing unit test used the same source and destination port which is why it did not fail when the regression was introduced. Change-Id: Idc144ea509722bb9e0f80b3887d220384a04e6d6 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
-rw-r--r--src/plugins/map/ip6_map_t.c10
-rw-r--r--src/plugins/map/test/test_map.py55
2 files changed, 60 insertions, 5 deletions
diff --git a/src/plugins/map/ip6_map_t.c b/src/plugins/map/ip6_map_t.c
index ef7b91349e5..7999507618a 100644
--- a/src/plugins/map/ip6_map_t.c
+++ b/src/plugins/map/ip6_map_t.c
@@ -491,7 +491,7 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
n_left_to_next -= 1;
error0 = MAP_ERROR_NONE;
p0 = vlib_get_buffer (vm, pi0);
- u16 l4_dst_port = vnet_buffer (p0)->ip.reass.l4_dst_port;
+ u16 l4_src_port = vnet_buffer (p0)->ip.reass.l4_src_port;
ip60 = vlib_buffer_get_current (p0);
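Review bot: Nothing at the declaration of `l4_src_port`, or at the four `map_port0 = l4_src_port;` sites in the later hunks (-534, -547, -559, -576), records why the source port is the field to validate, and that missing rationale is what let the regression in. A short comment at the declaration would help, e.g. `/* v6->v4: the PSID identifies the sending CE, so validate the source port */`. The value is read from `ip.reass` buffer metadata that is filled in outside this hunk, so the same comment could name the node expected to have set it. The body of ip6_map_t starts and ends outside the hunk.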
@@ -534,7 +534,7 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
(vnet_buffer (p0)->map_t.v6.frag_offset
&& ip6_frag_hdr_offset (frag0)))
{
- map_port0 = l4_dst_port;
+ map_port0 = l4_src_port;
next0 = IP6_MAPT_NEXT_MAPT_FRAGMENTED;
}
else
@@ -547,7 +547,7 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
vnet_buffer (p0)->map_t.checksum_offset =
vnet_buffer (p0)->map_t.v6.l4_offset + 16;
next0 = IP6_MAPT_NEXT_MAPT_TCP_UDP;
- map_port0 = l4_dst_port;
+ map_port0 = l4_src_port;
}
else
if (PREDICT_TRUE
@@ -559,7 +559,7 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
vnet_buffer (p0)->map_t.checksum_offset =
vnet_buffer (p0)->map_t.v6.l4_offset + 6;
next0 = IP6_MAPT_NEXT_MAPT_TCP_UDP;
- map_port0 = l4_dst_port;
+ map_port0 = l4_src_port;
}
else if (vnet_buffer (p0)->map_t.v6.l4_protocol ==
IP_PROTOCOL_ICMP6)
@@ -576,7 +576,7 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
u8_ptr_add (ip60,
vnet_buffer (p0)->map_t.v6.l4_offset))->
code == ICMP6_echo_request)
- map_port0 = l4_dst_port;
+ map_port0 = l4_src_port;
}
else
{
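Review bot: The condition guarding this assignment compares the ICMPv6 header's `code` field with `ICMP6_echo_request`, which is normally a value of the type field. The start of the expression is outside the hunk, so this may be only part of the test. If the comparison is as it reads, echo messages (code 0) would not set `map_port0` here, and the port-set check this commit restores may not be applied to them. Please confirm whether `->type` was intended. An ICMPv6 echo case in the new unit test, which currently sends only TCP, would settle it.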
diff --git a/src/plugins/map/test/test_map.py b/src/plugins/map/test/test_map.py
index 94cb6d7865d..9da3d0c9074 100644
--- a/src/plugins/map/test/test_map.py
+++ b/src/plugins/map/test/test_map.py
@@ -640,6 +640,61 @@ class TestMAP(VppTestCase):
for p in rx:
self.validate(p[1], p4_translated)
+ def test_map_t_ip6_psid(self):
+ """ MAP-T v6->v4 PSID validation"""
+
+ #
+ # Add a domain that maps from pg0 to pg1
+ #
+ map_dst = '2001:db8::/32'
+ map_src = '1234:5678:90ab:cdef::/64'
+ ip4_pfx = '192.168.0.0/24'
+ tag = 'MAP-T Test Domain'
+
+ self.vapi.map_add_domain(ip6_prefix=map_dst,
+ ip4_prefix=ip4_pfx,
+ ip6_src=map_src,
+ ea_bits_len=16,
+ psid_offset=6,
+ psid_length=4,
+ mtu=1500,
+ tag=tag)
+
+ # Enable MAP-T on interfaces.
+ self.vapi.map_if_enable_disable(is_enable=1,
+ sw_if_index=self.pg0.sw_if_index,
+ is_translation=1)
+ self.vapi.map_if_enable_disable(is_enable=1,
+ sw_if_index=self.pg1.sw_if_index,
+ is_translation=1)
+
+ map_route = VppIpRoute(self,
+ "2001:db8::",
+ 32,
+ [VppRoutePath(self.pg1.remote_ip6,
+ self.pg1.sw_if_index,
+ proto=DpoProto.DPO_PROTO_IP6)])
+ map_route.add_vpp_config()
+
+ p_ether6 = Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
+ p_ip6 = IPv6(src='2001:db8:1f0::c0a8:1:f',
+ dst='1234:5678:90ab:cdef:ac:1001:200:0')
+
+ # Send good IPv6 source port, ensure translated IPv4 received
+ payload = TCP(sport=0xabcd, dport=80)
+ p6 = (p_ether6 / p_ip6 / payload)
+ p4_translated = (IP(src='192.168.0.1',
+ dst=self.pg0.remote_ip4) / payload)
+ p4_translated.id = 0
+ p4_translated.ttl -= 1
+ rx = self.send_and_expect(self.pg1, p6*1, self.pg0)
+ for p in rx:
+ self.validate(p[1], p4_translated)
+
+ # Send bad IPv6 source port, ensure translated IPv4 not received
+ payload = TCP(sport=0xdcba, dport=80)
+ p6 = (p_ether6 / p_ip6 / payload)
+ self.send_and_assert_no_replies(self.pg1, p6*1)
if __name__ == '__main__':
unittest.main(testRunner=VppTestRunner)
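Review bot: test_map_t_ip6_psid exercises only the TCP branch, while the fix changes four assignment sites in ip6_map_t.c (fragmented, TCP, UDP, ICMPv6 echo); a UDP pair such as `payload = UDP(sport=0xabcd, dport=80)` plus the bad-port variant would cover one more of them. The negative case relies on `send_and_assert_no_replies` alone, which cannot tell a PSID drop from a drop for any other reason, so asserting on the relevant MAP error counter would pin the cause. The domain and the interface enablement are not undone at the end of the test; if the class teardown does not handle that, add `self.vapi.map_if_enable_disable(is_enable=0, sw_if_index=self.pg0.sw_if_index, is_translation=1)` (and the same for pg1) so later tests start from a clean state.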