author | Alexander Chernavin <achernavin@netgate.com> | 2020-02-05 09:05:06 -0500 |
---|---|---|
committer | Ole Trøan <otroan@employees.org> | 2020-02-20 09:03:34 +0000 |
commit | b728a3c8b74127e9a7decd8ecb7dc6cbefb0ab84 (patch) | |
tree | bece0dc5beeb9f6b0f93e2038c24ec417ef511ea /src/plugins/map/ip6_map_t.c | |
parent | 8a10c7351b35ab8405c2a9b030dba74a4da28f30 (diff) |
map: honor icmp6-unreachables param in map-t
With this commit, ICMPv6 unreachable messages are sent back if the security
check fails and the icmp6-unreachables param is enabled in MAP-T.
Type: fix
Change-Id: I9a8869df7763c764a1672e3faa1fde8dc13ec85a
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Diffstat (limited to 'src/plugins/map/ip6_map_t.c')
-rw-r--r-- | src/plugins/map/ip6_map_t.c | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/src/plugins/map/ip6_map_t.c b/src/plugins/map/ip6_map_t.c
index e205c60e29a..5a9c9af76cc 100644
--- a/src/plugins/map/ip6_map_t.c
+++ b/src/plugins/map/ip6_map_t.c
@@ -24,6 +24,7 @@ typedef enum
 IP6_MAPT_NEXT_MAPT_ICMP,
 IP6_MAPT_NEXT_MAPT_FRAGMENTED,
 IP6_MAPT_NEXT_DROP,
+ IP6_MAPT_NEXT_ICMP,
 IP6_MAPT_N_NEXT } ip6_mapt_next_t;
@@ -475,6 +476,7 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
 u32 n_left_from, *from, next_index, *to_next, n_left_to_next;
 vlib_node_runtime_t *error_node = vlib_node_get_runtime (vm, ip6_map_t_node.index);
+ map_main_t *mm = &map_main;
 vlib_combined_counter_main_t *cm = map_main.domain_counters;
 u32 thread_index = vm->thread_index;
@@ -626,7 +628,19 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
 payload_length));
 }
- next0 = (error0 != MAP_ERROR_NONE) ? IP6_MAPT_NEXT_DROP : next0;
+ if (PREDICT_FALSE
+ (error0 == MAP_ERROR_SEC_CHECK && mm->icmp6_enabled))
+ {
+ icmp6_error_set_vnet_buffer (p0, ICMP6_destination_unreachable,
+ ICMP6_destination_unreachable_source_address_failed_policy,
+ 0);
+ next0 = IP6_MAPT_NEXT_ICMP;
+ }
+ else
+ {
+ next0 = (error0 != MAP_ERROR_NONE) ? IP6_MAPT_NEXT_DROP : next0;
+ }
+
 p0->error = error_node->errors[error0];
 if (PREDICT_FALSE (p0->flags & VLIB_BUFFER_IS_TRACED))
 {
@@ -738,6 +752,7 @@ VLIB_REGISTER_NODE(ip6_map_t_node) = {
 [IP6_MAPT_NEXT_MAPT_ICMP] = "ip6-map-t-icmp",
 [IP6_MAPT_NEXT_MAPT_FRAGMENTED] = "ip6-map-t-fragmented",
 [IP6_MAPT_NEXT_DROP] = "error-drop",
+ [IP6_MAPT_NEXT_ICMP] = "ip6-icmp-error",
 },
 };
 /* *INDENT-ON* */ |
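Review bot: The new `IP6_MAPT_NEXT_ICMP` branch in the third hunk replies to exactly those packets whose IPv6 source failed the MAP security check, so the ICMPv6 error goes to an address that may be spoofed, and nothing in this hunk bounds how often that happens. RFC 4443 requires a node to rate-limit the ICMPv6 errors it originates; whether `ip6-icmp-error` does so is not visible here, so confirm it before enabling `icmp6-unreachables` on an interface that faces untrusted sources. Also, `p0->error` is still set to the sec-check error, but that counter is presumably only incremented on the `error-drop` path, so failed checks may stop being counted once the packet is steered to `ip6-icmp-error`. If so, an explicit `vlib_node_increment_counter (vm, ip6_map_t_node.index, MAP_ERROR_SEC_CHECK, 1);` in the new branch would keep spoofing attempts visible to operators. The enclosing packet loop of `ip6_map_t` starts and ends outside the hunk.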