diff options
author | Filip Tehlar <ftehlar@cisco.com> | 2021-01-13 16:28:10 +0000 |
---|---|---|
committer | Filip Tehlar <ftehlar@cisco.com> | 2021-01-13 16:31:49 +0000 |
commit | 887f1aa725ed64c3c83aca557bd7bb6588bacaf7 (patch) | |
tree | 256a40f5bc0563ac52ab20927151b958c8bc7f31 /src | |
parent | bf93c6e9bf340e323157ca2b4ffa8e83a36e5108 (diff) |
ikev2: remove assert condition
Remove assert condition ensuring that a packet was punted with reason
spi=0. We can't rely on data in punt_reason because it is defind in an
union. This patch adds a new IKE node that handles punted IKE packets
separately.
Type: fix
Change-Id: I2e1b44922e53e049bd8512fa5cb85cee6a2b8aa7
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/plugins/ikev2/ikev2.c | 55 |
1 files changed, 36 insertions, 19 deletions
diff --git a/src/plugins/ikev2/ikev2.c b/src/plugins/ikev2/ikev2.c index 8d06bd3a382..cfc3d9f9940 100644 --- a/src/plugins/ikev2/ikev2.c +++ b/src/plugins/ikev2/ikev2.c @@ -2834,9 +2834,8 @@ ikev2_generate_sa_init_data_and_log (ikev2_sa_t * sa) } static_always_inline uword -ikev2_node_internal (vlib_main_t * vm, - vlib_node_runtime_t * node, vlib_frame_t * frame, - u8 is_ip4) +ikev2_node_internal (vlib_main_t *vm, vlib_node_runtime_t *node, + vlib_frame_t *frame, u8 is_ip4, u8 natt) { u32 n_left = frame->n_vectors, *from; ikev2_main_t *km = &ikev2_main; @@ -2862,15 +2861,9 @@ ikev2_node_internal (vlib_main_t * vm, ikev2_sa_t sa; /* temporary store for SA */ u32 rlen, slen = 0; int ip_hdr_sz = 0; - int is_req = 0, has_non_esp_marker = 0; + int is_req = 0; - ASSERT (0 == b0->punt_reason - || (is_ip4 - && b0->punt_reason == - ipsec_punt_reason[IPSEC_PUNT_IP4_SPI_UDP_0])); - - if (is_ip4 - && b0->punt_reason == ipsec_punt_reason[IPSEC_PUNT_IP4_SPI_UDP_0]) + if (natt) { u8 *ptr = vlib_buffer_get_current (b0); ip40 = (ip4_header_t *) ptr; @@ -2903,12 +2896,12 @@ ikev2_node_internal (vlib_main_t * vm, rlen = b0->current_length - ip_hdr_sz - sizeof (*udp0); /* check for non-esp marker */ - if (*((u32 *) ike0) == 0) + if (natt) { + ASSERT (*((u32 *) ike0) == 0); ike0 = (ike_header_t *) ((u8 *) ike0 + sizeof (ikev2_non_esp_marker)); rlen -= sizeof (ikev2_non_esp_marker); - has_non_esp_marker = 1; } if (clib_net_to_host_u32 (ike0->length) != rlen) @@ -3273,13 +3266,13 @@ ikev2_node_internal (vlib_main_t * vm, if (udp0->dst_port == clib_net_to_host_u16 (IKEV2_PORT_NATT) && ikev2_natt_active (sa0)) { - if (!has_non_esp_marker) + if (!natt) slen = ikev2_insert_non_esp_marker (ike0, slen); } } else { - if (has_non_esp_marker) + if (natt) slen += sizeof (ikev2_non_esp_marker); u16 tp = udp0->dst_port; @@ -3334,13 +3327,20 @@ ikev2_node_internal (vlib_main_t * vm, static uword ikev2_ip4 (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame) { - return ikev2_node_internal (vm, node, frame, 1 /* is_ip4 */ ); + return ikev2_node_internal (vm, node, frame, 1 /* is_ip4 */, 0); +} + +static uword +ikev2_ip4_natt (vlib_main_t *vm, vlib_node_runtime_t *node, + vlib_frame_t *frame) +{ + return ikev2_node_internal (vm, node, frame, 1 /* is_ip4 */, 1 /* natt */); } static uword ikev2_ip6 (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame) { - return ikev2_node_internal (vm, node, frame, 0 /* is_ip4 */ ); + return ikev2_node_internal (vm, node, frame, 0 /* is_ip4 */, 0); } /* *INDENT-OFF* */ @@ -3361,6 +3361,23 @@ VLIB_REGISTER_NODE (ikev2_node_ip4,static) = { }, }; +VLIB_REGISTER_NODE (ikev2_node_ip4_natt,static) = { + .function = ikev2_ip4_natt, + .name = "ikev2-ip4-natt", + .vector_size = sizeof (u32), + .format_trace = format_ikev2_trace, + .type = VLIB_NODE_TYPE_INTERNAL, + + .n_errors = ARRAY_LEN(ikev2_error_strings), + .error_strings = ikev2_error_strings, + + .n_next_nodes = IKEV2_IP4_N_NEXT, + .next_nodes = { + [IKEV2_NEXT_IP4_LOOKUP] = "ip4-lookup", + [IKEV2_NEXT_IP4_ERROR_DROP] = "error-drop", + }, +}; + VLIB_REGISTER_NODE (ikev2_node_ip6,static) = { .function = ikev2_ip6, .name = "ikev2-ip6", @@ -4666,9 +4683,9 @@ ikev2_init (vlib_main_t * vm) udp_register_dst_port (vm, IKEV2_PORT_NATT, ikev2_node_ip4.index, 1); udp_register_dst_port (vm, IKEV2_PORT_NATT, ikev2_node_ip6.index, 0); - vlib_punt_hdl_t punt_hdl = vlib_punt_client_register ("ikev2-ip4"); + vlib_punt_hdl_t punt_hdl = vlib_punt_client_register ("ikev2-ip4-natt"); vlib_punt_register (punt_hdl, ipsec_punt_reason[IPSEC_PUNT_IP4_SPI_UDP_0], - "ikev2-ip4"); + "ikev2-ip4-natt"); ikev2_cli_reference (); km->log_level = IKEV2_LOG_ERROR; |