author | Neale Ranns <nranns@cisco.com> | 2017-10-21 09:37:55 -0700 |
---|---|---|
committer | Damjan Marion <dmarion.lists@gmail.com> | 2017-10-31 08:06:03 +0000 |
commit | 4c7c8e55b03e21787cafb11cd49b9488c5ffef70 (patch) | |
tree | 7e853bdaf7c4e1cc9cb6c15e121b93944892be5e /src | |
parent | b3d1b203579226ca5136b9d6a2744577d07cfcc6 (diff) |
Refactor IP input checks for re-use at MPLS disposition
Change-Id: I7aafdecd6f370411138e6ab67b2ff72cda6e0666
Signed-off-by: Neale Ranns <nranns@cisco.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/vnet/dpo/mpls_disposition.c | 74 | ||||
-rw-r--r-- | src/vnet/ip/ip4_input.c | 163 | ||||
-rw-r--r-- | src/vnet/ip/ip4_input.h | 223 | ||||
-rw-r--r-- | src/vnet/ip/ip6_input.c | 113 | ||||
-rw-r--r-- | src/vnet/ip/ip6_input.h | 169 |
5 files changed, 465 insertions, 277 deletions
diff --git a/src/vnet/dpo/mpls_disposition.c b/src/vnet/dpo/mpls_disposition.c index 5dc33fcfdbd..77429de4116 100644 --- a/src/vnet/dpo/mpls_disposition.c +++ b/src/vnet/dpo/mpls_disposition.c @@ -13,7 +13,8 @@ * limitations under the License. */ -#include <vnet/ip/ip.h> +#include <vnet/ip/ip4_input.h> +#include <vnet/ip/ip6_input.h> #include <vnet/dpo/mpls_disposition.h> #include <vnet/mpls/mpls.h> @@ -115,6 +116,9 @@ typedef struct mpls_label_disposition_trace_t_ index_t mdd; } mpls_label_disposition_trace_t; +extern vlib_node_registration_t ip4_mpls_label_disposition_node; +extern vlib_node_registration_t ip6_mpls_label_disposition_node; + always_inline uword mpls_label_disposition_inline (vlib_main_t * vm, vlib_node_runtime_t * node, @@ -123,6 +127,12 @@ mpls_label_disposition_inline (vlib_main_t * vm, u8 payload_is_ip6) { u32 n_left_from, next_index, * from, * to_next; + vlib_node_runtime_t *error_node; + + if (payload_is_ip4) + error_node = vlib_node_get_runtime (vm, ip4_mpls_label_disposition_node.index); + else + error_node = vlib_node_get_runtime (vm, ip6_mpls_label_disposition_node.index); from = vlib_frame_vector_args (from_frame); n_left_from = from_frame->n_vectors; 
@@ -173,21 +183,39 @@ mpls_label_disposition_inline (vlib_main_t * vm, mdd0 = mpls_disp_dpo_get(mddi0); mdd1 = mpls_disp_dpo_get(mddi1); + next0 = mdd0->mdd_dpo.dpoi_next_node; + next1 = mdd1->mdd_dpo.dpoi_next_node; + if (payload_is_ip4) { + ip4_header_t *ip0, *ip1; + + ip0 = vlib_buffer_get_current (b0); + ip1 = vlib_buffer_get_current (b1); + /* - * decrement the TTL on ingress to the LSP + * IPv4 input checks on the exposed IP header + * including checksum */ + ip4_input_check_x2 (vm, error_node, + b0, b1, ip0, ip1, + &next0, &next1, 1); } else if (payload_is_ip6) { + ip6_header_t *ip0, *ip1; + + ip0 = vlib_buffer_get_current (b0); + ip1 = vlib_buffer_get_current (b1); + /* - * decrement the TTL on ingress to the LSP + * IPv6 input checks on the exposed IP header */ + ip6_input_check_x2 (vm, error_node, + b0, b1, ip0, ip1, + &next0, &next1); } - - next0 = mdd0->mdd_dpo.dpoi_next_node; - next1 = mdd1->mdd_dpo.dpoi_next_node; + vnet_buffer(b0)->ip.adj_index[VLIB_TX] = mdd0->mdd_dpo.dpoi_index; vnet_buffer(b1)->ip.adj_index[VLIB_TX] = mdd1->mdd_dpo.dpoi_index; vnet_buffer(b0)->ip.rpf_id = mdd0->mdd_rpf_id; 
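Review bot: Moving `next0 = mdd0->mdd_dpo.dpoi_next_node;` (and `next1`) above the payload checks is load-bearing but undocumented. Judging by the helpers added in ip4_input.h and ip6_input.h, the checks only write `*next0`/`*next1` when a packet fails, so assigning the DPO's next afterwards would silently forward packets the checks rejected. A comment above the two assignments, such as `/* set the forwarding next first; the input checks below override it on error */`, would protect that ordering; the same applies to the single-packet loop in the following hunk. The bare `1` passed to `ip4_input_check_x2` would also read better as `/* verify_checksum */ 1`, matching the style used in ip4_input.c. The enclosing function starts and ends outside this hunk.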
@@ -231,24 +259,32 @@ mpls_label_disposition_inline (vlib_main_t * vm, /* dst lookup was done by ip4 lookup */ mddi0 = vnet_buffer(b0)->ip.adj_index[VLIB_TX]; mdd0 = mpls_disp_dpo_get(mddi0); + next0 = mdd0->mdd_dpo.dpoi_next_node; if (payload_is_ip4) { + ip4_header_t *ip0; + + ip0 = vlib_buffer_get_current (b0); + /* - * decrement the TTL on ingress to the LSP + * IPv4 input checks on the exposed IP header + * including checksum */ + ip4_input_check_x1 (vm, error_node, b0, ip0, &next0, 1); } else if (payload_is_ip6) { + ip6_header_t *ip0; + + ip0 = vlib_buffer_get_current (b0); + /* - * decrement the TTL on ingress to the LSP + * IPv6 input checks on the exposed IP header */ - } - else - { + ip6_input_check_x1 (vm, error_node, b0, ip0, &next0); } - next0 = mdd0->mdd_dpo.dpoi_next_node; vnet_buffer(b0)->ip.adj_index[VLIB_TX] = mdd0->mdd_dpo.dpoi_index; vnet_buffer(b0)->ip.rpf_id = mdd0->mdd_rpf_id; @@ -294,10 +330,9 @@ VLIB_REGISTER_NODE (ip4_mpls_label_disposition_node) = { .vector_size = sizeof (u32), .format_trace = format_mpls_label_disposition_trace, - .n_next_nodes = 1, - .next_nodes = { - [0] = "ip4-drop", - } + .sibling_of = "ip4-input", + .n_errors = IP4_N_ERROR, + .error_strings = ip4_error_strings, }; VLIB_NODE_FUNCTION_MULTIARCH (ip4_mpls_label_disposition_node, ip4_mpls_label_disposition) @@ -316,10 +351,9 @@ VLIB_REGISTER_NODE (ip6_mpls_label_disposition_node) = { .vector_size = sizeof (u32), .format_trace = format_mpls_label_disposition_trace, - .n_next_nodes = 1, - .next_nodes = { - [0] = "ip6-drop", - } + .sibling_of = "ip6-input", + .n_errors = IP6_N_ERROR, + .error_strings = ip6_error_strings, }; VLIB_NODE_FUNCTION_MULTIARCH (ip6_mpls_label_disposition_node, ip6_mpls_label_disposition) diff --git a/src/vnet/ip/ip4_input.c b/src/vnet/ip/ip4_input.c index 3b08f4b0089..121f40f473d 100644 --- a/src/vnet/ip/ip4_input.c +++ b/src/vnet/ip/ip4_input.c 
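Review bot: In the two node registrations, the `IP4_INPUT_NEXT_*` and `IP6_INPUT_NEXT_*` values written by the shared checks are only meaningful because `.sibling_of = "ip4-input"` / `"ip6-input"` replaces `.next_nodes`, yet nothing in the registration says so. If the sibling relation were later dropped or changed, a failed check would presumably steer the packet to whatever arc sits at that index rather than to drop, punt or ICMP error. I would add a comment above `.sibling_of`, e.g. `/* must share ip4-input's next arcs: ip4_input_check_x{1,2} return IP4_INPUT_NEXT_* indices */`, and the IPv6 equivalent.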
@@ -37,7 +37,7 @@ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ -#include <vnet/ip/ip.h> +#include <vnet/ip/ip4_input.h> #include <vnet/ethernet/ethernet.h> #include <vnet/ppp/ppp.h> #include <vnet/hdlc/hdlc.h> @@ -60,16 +60,6 @@ format_ip4_input_trace (u8 * s, va_list * va) return s; } -typedef enum -{ - IP4_INPUT_NEXT_DROP, - IP4_INPUT_NEXT_PUNT, - IP4_INPUT_NEXT_LOOKUP, - IP4_INPUT_NEXT_LOOKUP_MULTICAST, - IP4_INPUT_NEXT_ICMP_ERROR, - IP4_INPUT_N_NEXT, -} ip4_input_next_t; - /* Validate IP v4 packets and pass them either to forwarding code or drop/punt exception packets. */ always_inline uword @@ -109,10 +99,9 @@ ip4_input_inline (vlib_main_t * vm, { vlib_buffer_t *p0, *p1; ip4_header_t *ip0, *ip1; - u32 sw_if_index0, pi0, ip_len0, cur_len0, next0; - u32 sw_if_index1, pi1, ip_len1, cur_len1, next1; - i32 len_diff0, len_diff1; - u8 error0, error1, arc0, arc1; + u32 sw_if_index0, pi0, next0; + u32 sw_if_index1, pi1, next1; + u8 arc0, arc1; /* Prefetch next iteration. */ { @@ -144,8 +133,6 @@ ip4_input_inline (vlib_main_t * vm, sw_if_index0 = vnet_buffer (p0)->sw_if_index[VLIB_RX]; sw_if_index1 = vnet_buffer (p1)->sw_if_index[VLIB_RX]; - error0 = error1 = IP4_ERROR_NONE; - if (PREDICT_FALSE (ip4_address_is_multicast (&ip0->dst_address))) { arc0 = lm->mcast_feature_arc_index; @@ -155,8 +142,6 @@ ip4_input_inline (vlib_main_t * vm, { arc0 = lm->ucast_feature_arc_index; next0 = IP4_INPUT_NEXT_LOOKUP; - if (PREDICT_FALSE (ip0->ttl < 1)) - error0 = IP4_ERROR_TIME_EXPIRED; } if (PREDICT_FALSE (ip4_address_is_multicast (&ip1->dst_address))) @@ -168,8 +153,6 @@ ip4_input_inline (vlib_main_t * vm, { arc1 = lm->ucast_feature_arc_index; next1 = IP4_INPUT_NEXT_LOOKUP; - if (PREDICT_FALSE (ip1->ttl < 1)) - error1 = IP4_ERROR_TIME_EXPIRED; } vnet_buffer (p0)->ip.adj_index[VLIB_RX] = ~0; 
@@ -180,82 +163,9 @@ ip4_input_inline (vlib_main_t * vm, vlib_increment_simple_counter (cm, thread_index, sw_if_index0, 1); vlib_increment_simple_counter (cm, thread_index, sw_if_index1, 1); - - /* Punt packets with options or wrong version. */ - if (PREDICT_FALSE (ip0->ip_version_and_header_length != 0x45)) - error0 = (ip0->ip_version_and_header_length & 0xf) != 5 ? - IP4_ERROR_OPTIONS : IP4_ERROR_VERSION; - - if (PREDICT_FALSE (ip1->ip_version_and_header_length != 0x45)) - error1 = (ip1->ip_version_and_header_length & 0xf) != 5 ? - IP4_ERROR_OPTIONS : IP4_ERROR_VERSION; - - /* Verify header checksum. */ - if (verify_checksum) - { - ip_csum_t sum0, sum1; - - ip4_partial_header_checksum_x1 (ip0, sum0); - ip4_partial_header_checksum_x1 (ip1, sum1); - - error0 = 0xffff != ip_csum_fold (sum0) ? - IP4_ERROR_BAD_CHECKSUM : error0; - error1 = 0xffff != ip_csum_fold (sum1) ? - IP4_ERROR_BAD_CHECKSUM : error1; - } - - /* Drop fragmentation offset 1 packets. */ - error0 = ip4_get_fragment_offset (ip0) == 1 ? - IP4_ERROR_FRAGMENT_OFFSET_ONE : error0; - error1 = ip4_get_fragment_offset (ip1) == 1 ? - IP4_ERROR_FRAGMENT_OFFSET_ONE : error1; - - /* Verify lengths. */ - ip_len0 = clib_net_to_host_u16 (ip0->length); - ip_len1 = clib_net_to_host_u16 (ip1->length); - - /* IP length must be at least minimal IP header. */ - error0 = ip_len0 < sizeof (ip0[0]) ? IP4_ERROR_TOO_SHORT : error0; - error1 = ip_len1 < sizeof (ip1[0]) ? IP4_ERROR_TOO_SHORT : error1; - - cur_len0 = vlib_buffer_length_in_chain (vm, p0); - cur_len1 = vlib_buffer_length_in_chain (vm, p1); - - len_diff0 = cur_len0 - ip_len0; - len_diff1 = cur_len1 - ip_len1; - - error0 = len_diff0 < 0 ? IP4_ERROR_BAD_LENGTH : error0; - error1 = len_diff1 < 0 ? 
IP4_ERROR_BAD_LENGTH : error1; - - p0->error = error_node->errors[error0]; - p1->error = error_node->errors[error1]; - - if (PREDICT_FALSE (error0 != IP4_ERROR_NONE)) - { - if (error0 == IP4_ERROR_TIME_EXPIRED) - { - icmp4_error_set_vnet_buffer (p0, ICMP4_time_exceeded, - ICMP4_time_exceeded_ttl_exceeded_in_transit, - 0); - next0 = IP4_INPUT_NEXT_ICMP_ERROR; - } - else - next0 = error0 != IP4_ERROR_OPTIONS ? - IP4_INPUT_NEXT_DROP : IP4_INPUT_NEXT_PUNT; - } - if (PREDICT_FALSE (error1 != IP4_ERROR_NONE)) - { - if (error1 == IP4_ERROR_TIME_EXPIRED) - { - icmp4_error_set_vnet_buffer (p1, ICMP4_time_exceeded, - ICMP4_time_exceeded_ttl_exceeded_in_transit, - 0); - next1 = IP4_INPUT_NEXT_ICMP_ERROR; - } - else - next1 = error1 != IP4_ERROR_OPTIONS ? - IP4_INPUT_NEXT_DROP : IP4_INPUT_NEXT_PUNT; - } + ip4_input_check_x2 (vm, error_node, + p0, p1, ip0, ip1, + &next0, &next1, verify_checksum); vlib_validate_buffer_enqueue_x2 (vm, node, next_index, to_next, n_left_to_next, @@ -265,9 +175,8 @@ ip4_input_inline (vlib_main_t * vm, { vlib_buffer_t *p0; ip4_header_t *ip0; - u32 sw_if_index0, pi0, ip_len0, cur_len0, next0; - i32 len_diff0; - u8 error0, arc0; + u32 sw_if_index0, pi0, next0; + u8 arc0; pi0 = from[0]; to_next[0] = pi0; @@ -281,8 +190,6 @@ ip4_input_inline (vlib_main_t * vm, sw_if_index0 = vnet_buffer (p0)->sw_if_index[VLIB_RX]; - error0 = IP4_ERROR_NONE; - if (PREDICT_FALSE (ip4_address_is_multicast (&ip0->dst_address))) { arc0 = lm->mcast_feature_arc_index; 
@@ -292,60 +199,14 @@ ip4_input_inline (vlib_main_t * vm, { arc0 = lm->ucast_feature_arc_index; next0 = IP4_INPUT_NEXT_LOOKUP; - if (PREDICT_FALSE (ip0->ttl < 1)) - error0 = IP4_ERROR_TIME_EXPIRED; } vnet_buffer (p0)->ip.adj_index[VLIB_RX] = ~0; vnet_feature_arc_start (arc0, sw_if_index0, &next0, p0); vlib_increment_simple_counter (cm, thread_index, sw_if_index0, 1); - - /* Punt packets with options or wrong version. */ - if (PREDICT_FALSE (ip0->ip_version_and_header_length != 0x45)) - error0 = (ip0->ip_version_and_header_length & 0xf) != 5 ? - IP4_ERROR_OPTIONS : IP4_ERROR_VERSION; - - /* Verify header checksum. */ - if (verify_checksum) - { - ip_csum_t sum0; - - ip4_partial_header_checksum_x1 (ip0, sum0); - error0 = - 0xffff != - ip_csum_fold (sum0) ? IP4_ERROR_BAD_CHECKSUM : error0; - } - - /* Drop fragmentation offset 1 packets. */ - error0 = - ip4_get_fragment_offset (ip0) == - 1 ? IP4_ERROR_FRAGMENT_OFFSET_ONE : error0; - - /* Verify lengths. */ - ip_len0 = clib_net_to_host_u16 (ip0->length); - - /* IP length must be at least minimal IP header. */ - error0 = ip_len0 < sizeof (ip0[0]) ? IP4_ERROR_TOO_SHORT : error0; - - cur_len0 = vlib_buffer_length_in_chain (vm, p0); - len_diff0 = cur_len0 - ip_len0; - error0 = len_diff0 < 0 ? IP4_ERROR_BAD_LENGTH : error0; - - p0->error = error_node->errors[error0]; - if (PREDICT_FALSE (error0 != IP4_ERROR_NONE)) - { - if (error0 == IP4_ERROR_TIME_EXPIRED) - { - icmp4_error_set_vnet_buffer (p0, ICMP4_time_exceeded, - ICMP4_time_exceeded_ttl_exceeded_in_transit, - 0); - next0 = IP4_INPUT_NEXT_ICMP_ERROR; - } - else - next0 = error0 != IP4_ERROR_OPTIONS ? - IP4_INPUT_NEXT_DROP : IP4_INPUT_NEXT_PUNT; - } + ip4_input_check_x1 (vm, error_node, p0, ip0, &next0, + verify_checksum); vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next, n_left_to_next, 
@@ -406,7 +267,7 @@ ip4_input_no_checksum (vlib_main_t * vm, return ip4_input_inline (vm, node, frame, /* verify_checksum */ 0); } -static char *ip4_error_strings[] = { +char *ip4_error_strings[] = { #define _(sym,string) string, foreach_ip4_error #undef _ diff --git a/src/vnet/ip/ip4_input.h b/src/vnet/ip/ip4_input.h new file mode 100644 index 00000000000..75306a34db3 --- /dev/null +++ b/src/vnet/ip/ip4_input.h 
@@ -0,0 +1,223 @@ +/* + * Copyright (c) 2017 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +/* + * ip/ip4_input.c: IP v4 input node + * + * Copyright (c) 2008 Eliot Dresselhaus + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE + * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION + * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION + * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ */ + +#ifndef included_ip_input_h +#define included_ip_input_h + +#include <vnet/ip/ip.h> +#include <vnet/ethernet/ethernet.h> + +extern char *ip4_error_strings[]; + +typedef enum +{ + IP4_INPUT_NEXT_DROP, + IP4_INPUT_NEXT_PUNT, + IP4_INPUT_NEXT_LOOKUP, + IP4_INPUT_NEXT_LOOKUP_MULTICAST, + IP4_INPUT_NEXT_ICMP_ERROR, + IP4_INPUT_N_NEXT, +} ip4_input_next_t; + +always_inline void +ip4_input_check_x2 (vlib_main_t * vm, + vlib_node_runtime_t * error_node, + vlib_buffer_t * p0, vlib_buffer_t * p1, + ip4_header_t * ip0, ip4_header_t * ip1, + u32 * next0, u32 * next1, int verify_checksum) +{ + u8 error0, error1; + u32 ip_len0, cur_len0; + u32 ip_len1, cur_len1; + i32 len_diff0, len_diff1; + + error0 = error1 = IP4_ERROR_NONE; + + /* Punt packets with options or wrong version. */ + if (PREDICT_FALSE (ip0->ip_version_and_header_length != 0x45)) + error0 = (ip0->ip_version_and_header_length & 0xf) != 5 ? + IP4_ERROR_OPTIONS : IP4_ERROR_VERSION; + + if (PREDICT_FALSE (ip1->ip_version_and_header_length != 0x45)) + error1 = (ip1->ip_version_and_header_length & 0xf) != 5 ? + IP4_ERROR_OPTIONS : IP4_ERROR_VERSION; + + if (PREDICT_FALSE (ip0->ttl < 1)) + error0 = IP4_ERROR_TIME_EXPIRED; + if (PREDICT_FALSE (ip1->ttl < 1)) + error1 = IP4_ERROR_TIME_EXPIRED; + + /* Verify header checksum. */ + if (verify_checksum) + { + ip_csum_t sum0, sum1; + + ip4_partial_header_checksum_x1 (ip0, sum0); + ip4_partial_header_checksum_x1 (ip1, sum1); + + error0 = 0xffff != ip_csum_fold (sum0) ? + IP4_ERROR_BAD_CHECKSUM : error0; + error1 = 0xffff != ip_csum_fold (sum1) ? + IP4_ERROR_BAD_CHECKSUM : error1; + } + + /* Drop fragmentation offset 1 packets. */ + error0 = ip4_get_fragment_offset (ip0) == 1 ? + IP4_ERROR_FRAGMENT_OFFSET_ONE : error0; + error1 = ip4_get_fragment_offset (ip1) == 1 ? + IP4_ERROR_FRAGMENT_OFFSET_ONE : error1; + + /* Verify lengths. 
*/ + ip_len0 = clib_net_to_host_u16 (ip0->length); + ip_len1 = clib_net_to_host_u16 (ip1->length); + + /* IP length must be at least minimal IP header. */ + error0 = ip_len0 < sizeof (ip0[0]) ? IP4_ERROR_TOO_SHORT : error0; + error1 = ip_len1 < sizeof (ip1[0]) ? IP4_ERROR_TOO_SHORT : error1; + + cur_len0 = vlib_buffer_length_in_chain (vm, p0); + cur_len1 = vlib_buffer_length_in_chain (vm, p1); + + len_diff0 = cur_len0 - ip_len0; + len_diff1 = cur_len1 - ip_len1; + + error0 = len_diff0 < 0 ? IP4_ERROR_BAD_LENGTH : error0; + error1 = len_diff1 < 0 ? IP4_ERROR_BAD_LENGTH : error1; + + if (PREDICT_FALSE (error0 != IP4_ERROR_NONE)) + { + if (error0 == IP4_ERROR_TIME_EXPIRED) + { + icmp4_error_set_vnet_buffer (p0, ICMP4_time_exceeded, + ICMP4_time_exceeded_ttl_exceeded_in_transit, + 0); + *next0 = IP4_INPUT_NEXT_ICMP_ERROR; + } + else + *next0 = error0 != IP4_ERROR_OPTIONS ? + IP4_INPUT_NEXT_DROP : IP4_INPUT_NEXT_PUNT; + } + if (PREDICT_FALSE (error1 != IP4_ERROR_NONE)) + { + if (error1 == IP4_ERROR_TIME_EXPIRED) + { + icmp4_error_set_vnet_buffer (p1, ICMP4_time_exceeded, + ICMP4_time_exceeded_ttl_exceeded_in_transit, + 0); + *next1 = IP4_INPUT_NEXT_ICMP_ERROR; + } + else + *next1 = error1 != IP4_ERROR_OPTIONS ? + IP4_INPUT_NEXT_DROP : IP4_INPUT_NEXT_PUNT; + } + + p0->error = error_node->errors[error0]; + p1->error = error_node->errors[error1]; +} + +always_inline void +ip4_input_check_x1 (vlib_main_t * vm, + vlib_node_runtime_t * error_node, + vlib_buffer_t * p0, + ip4_header_t * ip0, u32 * next0, int verify_checksum) +{ + u32 ip_len0, cur_len0; + i32 len_diff0; + u8 error0; + + error0 = IP4_ERROR_NONE; + + /* Punt packets with options or wrong version. */ + if (PREDICT_FALSE (ip0->ip_version_and_header_length != 0x45)) + error0 = (ip0->ip_version_and_header_length & 0xf) != 5 ? + IP4_ERROR_OPTIONS : IP4_ERROR_VERSION; + + /* Verify header checksum. 
*/ + if (verify_checksum) + { + ip_csum_t sum0; + + ip4_partial_header_checksum_x1 (ip0, sum0); + + error0 = 0xffff != ip_csum_fold (sum0) ? + IP4_ERROR_BAD_CHECKSUM : error0; + } + + /* Drop fragmentation offset 1 packets. */ + error0 = ip4_get_fragment_offset (ip0) == 1 ? + IP4_ERROR_FRAGMENT_OFFSET_ONE : error0; + + /* Verify lengths. */ + ip_len0 = clib_net_to_host_u16 (ip0->length); + + /* IP length must be at least minimal IP header. */ + error0 = ip_len0 < sizeof (ip0[0]) ? IP4_ERROR_TOO_SHORT : error0; + + cur_len0 = vlib_buffer_length_in_chain (vm, p0); + + len_diff0 = cur_len0 - ip_len0; + + error0 = len_diff0 < 0 ? IP4_ERROR_BAD_LENGTH : error0; + + if (PREDICT_FALSE (error0 != IP4_ERROR_NONE)) + { + if (error0 == IP4_ERROR_TIME_EXPIRED) + { + icmp4_error_set_vnet_buffer (p0, ICMP4_time_exceeded, + ICMP4_time_exceeded_ttl_exceeded_in_transit, + 0); + *next0 = IP4_INPUT_NEXT_ICMP_ERROR; + } + else + *next0 = error0 != IP4_ERROR_OPTIONS ? + IP4_INPUT_NEXT_DROP : IP4_INPUT_NEXT_PUNT; + } + + p0->error = error_node->errors[error0]; +} + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ + +#endif diff --git a/src/vnet/ip/ip6_input.c b/src/vnet/ip/ip6_input.c index ffdc4727660..3b38d347e6e 100644 --- a/src/vnet/ip/ip6_input.c +++ b/src/vnet/ip/ip6_input.c @@ -37,7 +37,7 @@ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ -#include <vnet/ip/ip.h> +#include <vnet/ip/ip6_input.h> #include <vnet/ethernet/ethernet.h> #include <vnet/ppp/ppp.h> #include <vnet/hdlc/hdlc.h> @@ -60,15 +60,6 @@ format_ip6_input_trace (u8 * s, va_list * va) return s; } -typedef enum -{ - IP6_INPUT_NEXT_DROP, - IP6_INPUT_NEXT_LOOKUP, - IP6_INPUT_NEXT_LOOKUP_MULTICAST, - IP6_INPUT_NEXT_ICMP_ERROR, - IP6_INPUT_N_NEXT, -} ip6_input_next_t; - /* Validate IP v6 packets and pass them either to forwarding code or drop exception packets. */ static uword 
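Review bot: `ip4_input_check_x1` never sets `IP4_ERROR_TIME_EXPIRED`, although it still branches on it further down. The `ttl < 1` test present in `ip4_input_check_x2` is missing from the single-packet variant, and the call-site hunks in ip4_input.c remove the test that used to live in the unicast branch. As written, a packet with TTL 0 handled in the single-packet loop of ip4-input or of the MPLS disposition node passes the checks, while the same packet in the dual loop is sent to ICMP error. Adding `if (PREDICT_FALSE (ip0->ttl < 1)) error0 = IP4_ERROR_TIME_EXPIRED;` after the version/options test, as in the x2 variant, restores parity. Separately, the include guard is `included_ip_input_h` whereas ip6_input.h uses `included_ip6_input_h`; `included_ip4_input_h` would avoid a clash with any generic ip input header.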
@@ -108,7 +99,7 @@ ip6_input (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame) ip6_header_t *ip0, *ip1; u32 pi0, sw_if_index0, next0 = 0; u32 pi1, sw_if_index1, next1 = 0; - u8 error0, error1, arc0, arc1; + u8 arc0, arc1; /* Prefetch next iteration. */ { 
@@ -173,65 +164,8 @@ ip6_input (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame) vlib_increment_simple_counter (cm, thread_index, sw_if_index0, 1); vlib_increment_simple_counter (cm, thread_index, sw_if_index1, 1); - - error0 = error1 = IP6_ERROR_NONE; - - /* Version != 6? Drop it. */ - error0 = - (clib_net_to_host_u32 - (ip0->ip_version_traffic_class_and_flow_label) >> 28) != - 6 ? IP6_ERROR_VERSION : error0; - error1 = - (clib_net_to_host_u32 - (ip1->ip_version_traffic_class_and_flow_label) >> 28) != - 6 ? IP6_ERROR_VERSION : error1; - - /* hop limit < 1? Drop it. for link-local broadcast packets, - * like dhcpv6 packets from client has hop-limit 1, which should not - * be dropped. - */ - error0 = ip0->hop_limit < 1 ? IP6_ERROR_TIME_EXPIRED : error0; - error1 = ip1->hop_limit < 1 ? IP6_ERROR_TIME_EXPIRED : error1; - - /* L2 length must be at least minimal IP header. */ - error0 = - p0->current_length < - sizeof (ip0[0]) ? IP6_ERROR_TOO_SHORT : error0; - error1 = - p1->current_length < - sizeof (ip1[0]) ? IP6_ERROR_TOO_SHORT : error1; - - if (PREDICT_FALSE (error0 != IP6_ERROR_NONE)) - { - if (error0 == IP6_ERROR_TIME_EXPIRED) - { - icmp6_error_set_vnet_buffer (p0, ICMP6_time_exceeded, - ICMP6_time_exceeded_ttl_exceeded_in_transit, - 0); - next0 = IP6_INPUT_NEXT_ICMP_ERROR; - } - else - { - next0 = IP6_INPUT_NEXT_DROP; - } - } - if (PREDICT_FALSE (error1 != IP6_ERROR_NONE)) - { - if (error1 == IP6_ERROR_TIME_EXPIRED) - { - icmp6_error_set_vnet_buffer (p1, ICMP6_time_exceeded, - ICMP6_time_exceeded_ttl_exceeded_in_transit, - 0); - next1 = IP6_INPUT_NEXT_ICMP_ERROR; - } - else - { - next1 = IP6_INPUT_NEXT_DROP; - } - } - - p0->error = error_node->errors[error0]; - p1->error = error_node->errors[error1]; + ip6_input_check_x2 (vm, error_node, + p0, p1, ip0, ip1, &next0, &next1); vlib_validate_buffer_enqueue_x2 (vm, node, next_index, to_next, n_left_to_next, 
@@ -243,7 +177,7 @@ ip6_input (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame) vlib_buffer_t *p0; ip6_header_t *ip0; u32 pi0, sw_if_index0, next0 = 0; - u8 error0, arc0; + u8 arc0; pi0 = from[0]; to_next[0] = pi0; @@ -271,40 +205,7 @@ ip6_input (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame) vnet_feature_arc_start (arc0, sw_if_index0, &next0, p0); vlib_increment_simple_counter (cm, thread_index, sw_if_index0, 1); - error0 = IP6_ERROR_NONE; - - /* Version != 6? Drop it. */ - error0 = - (clib_net_to_host_u32 - (ip0->ip_version_traffic_class_and_flow_label) >> 28) != - 6 ? IP6_ERROR_VERSION : error0; - - /* hop limit < 1? Drop it. for link-local broadcast packets, - * like dhcpv6 packets from client has hop-limit 1, which should not - * be dropped. - */ - error0 = ip0->hop_limit < 1 ? IP6_ERROR_TIME_EXPIRED : error0; - - /* L2 length must be at least minimal IP header. */ - error0 = - p0->current_length < - sizeof (ip0[0]) ? IP6_ERROR_TOO_SHORT : error0; - - if (PREDICT_FALSE (error0 != IP6_ERROR_NONE)) - { - if (error0 == IP6_ERROR_TIME_EXPIRED) - { - icmp6_error_set_vnet_buffer (p0, ICMP6_time_exceeded, - ICMP6_time_exceeded_ttl_exceeded_in_transit, - 0); - next0 = IP6_INPUT_NEXT_ICMP_ERROR; - } - else - { - next0 = IP6_INPUT_NEXT_DROP; - } - } - p0->error = error_node->errors[error0]; + ip6_input_check_x1 (vm, error_node, p0, ip0, &next0); vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next, n_left_to_next, @@ -317,7 +218,7 @@ ip6_input (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame) return frame->n_vectors; } -static char *ip6_error_strings[] = { +char *ip6_error_strings[] = { #define _(sym,string) string, foreach_ip6_error #undef _ diff --git a/src/vnet/ip/ip6_input.h b/src/vnet/ip/ip6_input.h new file mode 100644 index 00000000000..4c0d78459b1 --- /dev/null +++ b/src/vnet/ip/ip6_input.h 
@@ -0,0 +1,169 @@ +/* + * Copyright (c) 2017 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +/* + * ip/ip6_input.c: IP v6 input node + * + * Copyright (c) 2008 Eliot Dresselhaus + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE + * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION + * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION + * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ */ + +#ifndef included_ip6_input_h +#define included_ip6_input_h + +#include <vnet/ip/ip.h> + +extern char *ip6_error_strings[]; + +typedef enum +{ + IP6_INPUT_NEXT_DROP, + IP6_INPUT_NEXT_LOOKUP, + IP6_INPUT_NEXT_LOOKUP_MULTICAST, + IP6_INPUT_NEXT_ICMP_ERROR, + IP6_INPUT_N_NEXT, +} ip6_input_next_t; + +always_inline void +ip6_input_check_x2 (vlib_main_t * vm, + vlib_node_runtime_t * error_node, + vlib_buffer_t * p0, vlib_buffer_t * p1, + ip6_header_t * ip0, ip6_header_t * ip1, + u32 * next0, u32 * next1) +{ + u8 error0, error1; + + error0 = error1 = IP6_ERROR_NONE; + + /* Version != 6? Drop it. */ + error0 = + (clib_net_to_host_u32 + (ip0->ip_version_traffic_class_and_flow_label) >> 28) != + 6 ? IP6_ERROR_VERSION : error0; + error1 = + (clib_net_to_host_u32 + (ip1->ip_version_traffic_class_and_flow_label) >> 28) != + 6 ? IP6_ERROR_VERSION : error1; + + /* hop limit < 1? Drop it. for link-local broadcast packets, + * like dhcpv6 packets from client has hop-limit 1, which should not + * be dropped. + */ + error0 = ip0->hop_limit < 1 ? IP6_ERROR_TIME_EXPIRED : error0; + error1 = ip1->hop_limit < 1 ? IP6_ERROR_TIME_EXPIRED : error1; + + /* L2 length must be at least minimal IP header. */ + error0 = + p0->current_length < sizeof (ip0[0]) ? IP6_ERROR_TOO_SHORT : error0; + error1 = + p1->current_length < sizeof (ip1[0]) ? 
IP6_ERROR_TOO_SHORT : error1; + + if (PREDICT_FALSE (error0 != IP6_ERROR_NONE)) + { + if (error0 == IP6_ERROR_TIME_EXPIRED) + { + icmp6_error_set_vnet_buffer (p0, ICMP6_time_exceeded, + ICMP6_time_exceeded_ttl_exceeded_in_transit, + 0); + *next0 = IP6_INPUT_NEXT_ICMP_ERROR; + } + else + { + *next0 = IP6_INPUT_NEXT_DROP; + } + } + if (PREDICT_FALSE (error1 != IP6_ERROR_NONE)) + { + if (error1 == IP6_ERROR_TIME_EXPIRED) + { + icmp6_error_set_vnet_buffer (p1, ICMP6_time_exceeded, + ICMP6_time_exceeded_ttl_exceeded_in_transit, + 0); + *next1 = IP6_INPUT_NEXT_ICMP_ERROR; + } + else + { + *next1 = IP6_INPUT_NEXT_DROP; + } + } +} + +always_inline void +ip6_input_check_x1 (vlib_main_t * vm, + vlib_node_runtime_t * error_node, + vlib_buffer_t * p0, ip6_header_t * ip0, u32 * next0) +{ + u8 error0; + + error0 = IP6_ERROR_NONE; + + /* Version != 6? Drop it. */ + error0 = + (clib_net_to_host_u32 + (ip0->ip_version_traffic_class_and_flow_label) >> 28) != + 6 ? IP6_ERROR_VERSION : error0; + + /* hop limit < 1? Drop it. for link-local broadcast packets, + * like dhcpv6 packets from client has hop-limit 1, which should not + * be dropped. + */ + error0 = ip0->hop_limit < 1 ? IP6_ERROR_TIME_EXPIRED : error0; + + /* L2 length must be at least minimal IP header. */ + error0 = + p0->current_length < sizeof (ip0[0]) ? IP6_ERROR_TOO_SHORT : error0; + + if (PREDICT_FALSE (error0 != IP6_ERROR_NONE)) + { + if (error0 == IP6_ERROR_TIME_EXPIRED) + { + icmp6_error_set_vnet_buffer (p0, ICMP6_time_exceeded, + ICMP6_time_exceeded_ttl_exceeded_in_transit, + 0); + *next0 = IP6_INPUT_NEXT_ICMP_ERROR; + } + else + { + *next0 = IP6_INPUT_NEXT_DROP; + } + } +} + +#endif + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ |
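Review bot: Neither `ip6_input_check_x2` nor `ip6_input_check_x1` stores the check result in the buffer. The `error_node` parameter is unused, and the `p0->error = error_node->errors[error0];` assignments removed from ip6_input.c in this commit have no counterpart here, whereas the IPv4 helpers keep them. Packets rejected for bad version or short length therefore reach the drop node with whatever `error` value the buffer already held, so the drop reason is presumably miscounted or lost for both ip6-input and the IPv6 MPLS disposition node. Each helper should end with `p0->error = error_node->errors[error0];` (plus `p1->error = error_node->errors[error1];` in the x2 variant).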