authorAlexander Chernavin <achernavin@netgate.com>2020-02-05 09:05:06 -0500
committerOle Trøan <otroan@employees.org>2020-02-20 09:03:34 +0000
commitb728a3c8b74127e9a7decd8ecb7dc6cbefb0ab84 (patch)
treebece0dc5beeb9f6b0f93e2038c24ec417ef511ea /src/plugins/map/ip6_map_t.c
parent8a10c7351b35ab8405c2a9b030dba74a4da28f30 (diff)
map: honor icmp6-unreachables param in map-t
With this commit, ICMPv6 unreachable messages are sent back if the security check fails and the icmp6-unreachables param is enabled in MAP-T. Type: fix Change-Id: I9a8869df7763c764a1672e3faa1fde8dc13ec85a Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Diffstat (limited to 'src/plugins/map/ip6_map_t.c')
-rw-r--r--src/plugins/map/ip6_map_t.c17
1 files changed, 16 insertions, 1 deletions
diff --git a/src/plugins/map/ip6_map_t.c b/src/plugins/map/ip6_map_t.c
index e205c60e29a..5a9c9af76cc 100644
--- a/src/plugins/map/ip6_map_t.c
+++ b/src/plugins/map/ip6_map_t.c
@@ -24,6 +24,7 @@ typedef enum
IP6_MAPT_NEXT_MAPT_ICMP,
IP6_MAPT_NEXT_MAPT_FRAGMENTED,
IP6_MAPT_NEXT_DROP,
+ IP6_MAPT_NEXT_ICMP,
IP6_MAPT_N_NEXT
} ip6_mapt_next_t;
@@ -475,6 +476,7 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
u32 n_left_from, *from, next_index, *to_next, n_left_to_next;
vlib_node_runtime_t *error_node =
vlib_node_get_runtime (vm, ip6_map_t_node.index);
+ map_main_t *mm = &map_main;
vlib_combined_counter_main_t *cm = map_main.domain_counters;
u32 thread_index = vm->thread_index;
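Review bot: The context line right after the new `mm` pointer still reads `map_main.domain_counters` directly, so the function now reaches the same global in two different ways. For consistency I would change it to `vlib_combined_counter_main_t *cm = mm->domain_counters;`. The body of ip6_map_t continues outside this hunk, so other direct uses of `map_main` may exist that are not visible here.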
@@ -626,7 +628,19 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
payload_length));
}
- next0 = (error0 != MAP_ERROR_NONE) ? IP6_MAPT_NEXT_DROP : next0;
+ if (PREDICT_FALSE
+ (error0 == MAP_ERROR_SEC_CHECK && mm->icmp6_enabled))
+ {
+ icmp6_error_set_vnet_buffer (p0, ICMP6_destination_unreachable,
+ ICMP6_destination_unreachable_source_address_failed_policy,
+ 0);
+ next0 = IP6_MAPT_NEXT_ICMP;
+ }
+ else
+ {
+ next0 = (error0 != MAP_ERROR_NONE) ? IP6_MAPT_NEXT_DROP : next0;
+ }
+
p0->error = error_node->errors[error0];
if (PREDICT_FALSE (p0->flags & VLIB_BUFFER_IS_TRACED))
{
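Review bot: The new branch ending in `next0 = IP6_MAPT_NEXT_ICMP;` answers a packet that has just failed the source-address security check, so the unreachable is sent towards an address the node has reason to distrust, and nothing in this hunk bounds how many such replies are generated. Whether `ip6-icmp-error` applies the ICMPv6 error rate limiting required by RFC 4443 section 2.4(f) is not visible here; if it does not, enabling the option yields one reply to the claimed source per failing packet. I would add a comment above the branch such as `/* SEC_CHECK failed: reply goes to the unverified source; relies on ip6-icmp-error for ICMPv6 rate limiting */`. It is also worth confirming that the MAP_ERROR_SEC_CHECK counter is still incremented now that these packets bypass `error-drop`, since `p0->error` is set but the consuming node has changed. The body of ip6_map_t starts and ends outside this hunk.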
@@ -738,6 +752,7 @@ VLIB_REGISTER_NODE(ip6_map_t_node) = {
[IP6_MAPT_NEXT_MAPT_ICMP] = "ip6-map-t-icmp",
[IP6_MAPT_NEXT_MAPT_FRAGMENTED] = "ip6-map-t-fragmented",
[IP6_MAPT_NEXT_DROP] = "error-drop",
+ [IP6_MAPT_NEXT_ICMP] = "ip6-icmp-error",
},
};
/* *INDENT-ON* */