summaryrefslogtreecommitdiffstats
path: root/src/plugins/map/test/test_map.py
diff options
context:
space:
mode:
authorAlexander Chernavin <achernavin@netgate.com>2020-02-05 09:05:06 -0500
committerOle Trøan <otroan@employees.org>2020-02-20 09:03:34 +0000
commitb728a3c8b74127e9a7decd8ecb7dc6cbefb0ab84 (patch)
treebece0dc5beeb9f6b0f93e2038c24ec417ef511ea /src/plugins/map/test/test_map.py
parent8a10c7351b35ab8405c2a9b030dba74a4da28f30 (diff)
map: honor icmp6-unreachables param in map-t
With this commit, send ICMPv6 unreachable messages back if security check fails and icmp6-unreachables param enabled in MAP-T. Type: fix Change-Id: I9a8869df7763c764a1672e3faa1fde8dc13ec85a Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Diffstat (limited to 'src/plugins/map/test/test_map.py')
-rw-r--r--src/plugins/map/test/test_map.py32
1 files changed, 31 insertions, 1 deletions
diff --git a/src/plugins/map/test/test_map.py b/src/plugins/map/test/test_map.py
index 123fb547a59..c64341bfc19 100644
--- a/src/plugins/map/test/test_map.py
+++ b/src/plugins/map/test/test_map.py
@@ -13,7 +13,7 @@ from scapy.layers.l2 import Ether
from scapy.packet import Raw
from scapy.layers.inet import IP, UDP, ICMP, TCP
from scapy.layers.inet6 import IPv6, ICMPv6TimeExceeded, IPv6ExtHdrFragment, \
- ICMPv6EchoRequest
+ ICMPv6EchoRequest, ICMPv6DestUnreach
class TestMAP(VppTestCase):
@@ -691,6 +691,36 @@ class TestMAP(VppTestCase):
for p in rx:
self.validate(p[1], p4_translated)
+ # TCP MSS clamping cleanup
+ self.vapi.map_param_set_tcp(0)
+
+ # Enable icmp6 param to get back ICMPv6 unreachable messages in case
+ # of security check fails
+ self.vapi.map_param_set_icmp6(enable_unreachable=1)
+
+ # Send back an IPv6 packet that will be droppped due to security
+ # check fail
+ p_ether6 = Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
+ p_ip6_sec_check_fail = IPv6(src='2001:db8:1fe::c0a8:1:f',
+ dst='1234:5678:90ab:cdef:ac:1001:200:0')
+ payload = TCP(sport=0xabcd, dport=0xabcd)
+ p6 = (p_ether6 / p_ip6_sec_check_fail / payload)
+
+ self.pg_send(self.pg1, p6*1)
+ self.pg0.get_capture(0, timeout=1)
+ rx = self.pg1.get_capture(1)
+
+ icmp6_reply = (IPv6(hlim=255, src=self.pg1.local_ip6,
+ dst='2001:db8:1fe::c0a8:1:f') /
+ ICMPv6DestUnreach(code=5) /
+ p_ip6_sec_check_fail / payload)
+
+ for p in rx:
+ self.validate(p[1], icmp6_reply)
+
+ # ICMPv6 unreachable messages cleanup
+ self.vapi.map_param_set_icmp6(enable_unreachable=0)
+
def test_map_t_ip6_psid(self):
""" MAP-T v6->v4 PSID validation"""