map: fix ip4-map-t DF behavior

ip4_is_fragment(header)
or ip4_is_first_fragment(header) didn't changed
when packet with fragmentation needed arrives.

This patch checks DF flag and MTU with packet
length and if DF is set and length > MTU, packet
is dropped. In case if ignore_df is set, DF flag
makes no sense.

Type: fix
Fixes: d6d50cebde647f9a5ee7251a7fef977506f315d7

Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com>
Change-Id: I720e25167c19a0b13ac5fdfb41b12c0bbdc00d09

1 files changed, 12 insertions, 11 deletions

diff --git a/src/plugins/map/ip4_map_t.c b/src/plugins/map/ip4_map_t.c
index a02b55478c2..dca32846480 100644
--- a/src/plugins/map/ip4_map_t.c
+++ b/src/plugins/map/ip4_map_t.c
@@ -575,6 +575,18 @@ ip4_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
 	      goto exit;
 	    }
 
+	  bool df0 =
+	    ip40->flags_and_fragment_offset &
+	    clib_host_to_net_u16 (IP4_HEADER_FLAG_DONT_FRAGMENT);
+
+	  if (PREDICT_FALSE
+	      (df0 && !map_main.frag_ignore_df && (ip4_len0 > d0->mtu)))
+	    {
+	      p0->error = error_node->errors[MAP_ERROR_FRAGMENT_DROPPED];
+	      next0 = IP4_MAPT_NEXT_DROP;
+	      goto exit;
+	    }
+
 	  vnet_buffer (p0)->map_t.mtu = d0->mtu ? d0->mtu : ~0;
 
 	  dst_port0 = -1;
@@ -601,17 +613,6 @@ ip4_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
 	  pheader0->daddr.as_u64[1] =
 	    map_get_sfx_net (d0, ip40->dst_address.as_u32, (u16) dst_port0);
 
-	  bool df0 =
-	    ip40->flags_and_fragment_offset &
-	    clib_host_to_net_u16 (IP4_HEADER_FLAG_DONT_FRAGMENT);
-
-	  if (PREDICT_TRUE (ip4_is_first_fragment (ip40) && df0))
-	    {
-	      p0->error = error_node->errors[MAP_ERROR_FRAGMENT_DROPPED];
-	      next0 = IP4_MAPT_NEXT_MAPT_FRAGMENTED;
-	      goto exit;
-	    }
-
 	  if (PREDICT_TRUE
 	      (error0 == MAP_ERROR_NONE && next0 != IP4_MAPT_NEXT_MAPT_ICMP))
 	    {