author | Ole Troan <ot@cisco.com> | 2016-01-07 14:37:25 +0100 |
---|---|---|
committer | Ole Troan <ot@cisco.com> | 2016-01-07 20:17:14 +0100 |
commit | cda948225887b2f53032ffb321f2d922b9836bd2 (patch) | |
tree | 3c2b1fc0615546d0ee180d13f45133d45da714b7 /vnet | |
parent | 366ac6ecdea0214363f523967830c370697c8944 (diff) |
- ICMP6: Add generic ICMP6 error node. Caller sets code/type fields.
- MAP: Added knob to send unreachable ICMP6 on unmatched binding.
Change-Id: I314547cc1157d8a73887e7518ebfe3e68d331650
Signed-off-by: Ole Troan <ot@cisco.com>
Diffstat (limited to 'vnet')
-rw-r--r-- | vnet/vnet/buffer.h | 12 | ||||
-rw-r--r-- | vnet/vnet/ip/icmp6.c | 83 | ||||
-rw-r--r-- | vnet/vnet/ip/icmp6.h | 8 | ||||
-rw-r--r-- | vnet/vnet/ip/ip6_input.c | 31 | ||||
-rw-r--r-- | vnet/vnet/map/ip4_map.c | 8 | ||||
-rw-r--r-- | vnet/vnet/map/ip6_map.c | 51 | ||||
-rw-r--r-- | vnet/vnet/map/map.c | 59 | ||||
-rw-r--r-- | vnet/vnet/map/map.h | 4 |
8 files changed, 198 insertions, 58 deletions
diff --git a/vnet/vnet/buffer.h b/vnet/vnet/buffer.h index 9cbb402bd60..f6c0023222e 100644 --- a/vnet/vnet/buffer.h +++ b/vnet/vnet/buffer.h @@ -66,7 +66,10 @@ _(gre) \ _(l2_classify) \ _(io_handoff) \ _(policer) \ -_(output_features) +_(output_features) \ +_(map) \ +_(map_t) \ +_(ip_frag) /* * vnet stack buffer opaque array overlay structure. @@ -117,6 +120,13 @@ typedef struct { u32 mini_connection_index; } tcp; + + /* ICMP */ + struct { + u8 type; + u8 code; + u32 data; + } icmp; }; } ip; diff --git a/vnet/vnet/ip/icmp6.c b/vnet/vnet/ip/icmp6.c index 4e4bb8ece81..c5eb0f609b8 100644 --- a/vnet/vnet/ip/icmp6.c +++ b/vnet/vnet/ip/icmp6.c @@ -483,19 +483,44 @@ VLIB_REGISTER_NODE (ip6_icmp_echo_request_node,static) = { }; typedef enum { - ICMP6_TTL_EXPIRE_NEXT_DROP, - ICMP6_TTL_EXPIRE_NEXT_LOOKUP, - ICMP6_TTL_EXPIRE_N_NEXT, -} icmp_ttl_expire_next_t; + IP6_ICMP_ERROR_NEXT_DROP, + IP6_ICMP_ERROR_NEXT_LOOKUP, + IP6_ICMP_ERROR_N_NEXT, +} ip6_icmp_error_next_t; + +void +icmp6_error_set_vnet_buffer (vlib_buffer_t *b, u8 type, u8 code, u32 data) +{ + vnet_buffer(b)->ip.icmp.type = type; + vnet_buffer(b)->ip.icmp.code = code; + vnet_buffer(b)->ip.icmp.data = data; +} + +static u8 +icmp6_icmp_type_to_error (u8 type) +{ + switch (type) { + case ICMP6_destination_unreachable: + return ICMP6_ERROR_DEST_UNREACH_SENT; + case ICMP6_packet_too_big: + return ICMP6_ERROR_PACKET_TOO_BIG_SENT; + case ICMP6_time_exceeded: + return ICMP6_ERROR_TTL_EXPIRE_SENT; + case ICMP6_parameter_problem: + return ICMP6_ERROR_PARAM_PROBLEM_SENT; + default: + return ICMP6_ERROR_DROP; + } +} static uword -ip6_icmp_ttl_expire (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame) +ip6_icmp_error (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * frame) { u32 * from, * to_next; uword n_left_from, n_left_to_next; - icmp_ttl_expire_next_t next_index; + ip6_icmp_error_next_t next_index; ip6_main_t *im = &ip6_main; ip_lookup_main_t * lm = &im->lookup_main; 
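Review bot: `icmp6_error_set_vnet_buffer` is a new exported entry point with no comment stating its contract, and the contract is not obvious from the signature: ip6-icmp-error treats whatever is at the buffer's current position as the offending packet's IPv6 header (`ip0 = vlib_buffer_get_current(p0)` later in the same function), which is why ip6_map.c has to rewind by `sizeof(ip6_header_t)` before calling it. I would put above the definition: `/* Stage an ICMPv6 error for the packet in b. Caller must leave b->current at the offending packet's IPv6 header; 'data' is the 4-byte field after the ICMP header, in host byte order, converted by ip6-icmp-error. */` and repeat it on the prototype in icmp6.h. The `icmp` struct added in buffer.h appears to sit inside a union with `tcp` and the other members, so that comment should also say the staged fields overlay those and the caller must not rely on them afterwards, if that is indeed the layout.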
@@ -514,8 +539,8 @@ ip6_icmp_ttl_expire (vlib_main_t * vm, while (n_left_from > 0 && n_left_to_next > 0) { u32 pi0 = from[0]; - u32 next0 = ICMP6_TTL_EXPIRE_NEXT_LOOKUP; - u8 error0 = ICMP6_ERROR_TTL_EXPIRE_RESP_SENT; + u32 next0 = IP6_ICMP_ERROR_NEXT_LOOKUP; + u8 error0 = ICMP6_ERROR_NONE; vlib_buffer_t * p0; ip6_header_t * ip0, * out_ip0; icmp46_header_t * icmp0; @@ -533,8 +558,8 @@ ip6_icmp_ttl_expire (vlib_main_t * vm, ip0 = vlib_buffer_get_current(p0); sw_if_index0 = vnet_buffer(p0)->sw_if_index[VLIB_RX]; - /* RFC2463 says to keep as much of the original packet as possible - * within the MTU. We cheat "a little" here by keeping whatever fits + /* RFC4443 says to keep as much of the original packet as possible + * within the minimum MTU. We cheat "a little" here by keeping whatever fits * in the first buffer, to be more efficient */ if (PREDICT_FALSE(p0->total_length_not_including_first_buffer)) { /* clear current_length of all other buffers in chain */ @@ -547,7 +572,7 @@ ip6_icmp_ttl_expire (vlib_main_t * vm, } } - /* Add IP header and ICMPv6 header including a 4 byte ununsed field */ + /* Add IP header and ICMPv6 header including a 4 byte data field */ vlib_buffer_advance(p0, -sizeof(ip6_header_t)-sizeof(icmp46_header_t)-4); out_ip0 = vlib_buffer_get_current(p0); @@ -556,8 +581,8 @@ ip6_icmp_ttl_expire (vlib_main_t * vm, /* Fill ip header fields */ out_ip0->ip_version_traffic_class_and_flow_label = clib_host_to_net_u32(0x6<<28); - out_ip0->payload_length = - clib_host_to_net_u16(p0->current_length - sizeof(ip6_header_t)); + u16 plen = p0->current_length > 1280 ? 1280 : p0->current_length; + out_ip0->payload_length = clib_host_to_net_u16(plen - sizeof(ip6_header_t)); out_ip0->protocol = IP_PROTOCOL_ICMP6; out_ip0->hop_limit = 0xff; out_ip0->dst_address = ip0->src_address; 
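Review bot: The new 1280 cap on `plen` only fixes the IPv6 `payload_length`; `p0->current_length` is left as it was, so when the first buffer holds more than 1280 bytes the frame handed to ip6-lookup is longer than its own header claims and can still exceed the 1280-byte minimum MTU that the RFC 4443 comment just above cites. Add `p0->current_length = plen;` right after the `payload_length` assignment so the bytes on the wire match the declared length (the checksum helper below presumably sizes itself from `payload_length`, but transmit length comes from `current_length`). The per-packet loop of ip6_icmp_error starts and ends outside this hunk.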
@@ -570,23 +595,27 @@ ip6_icmp_ttl_expire (vlib_main_t * vm, ip6_address_t *if_ip = ip_interface_address_get_address(lm, if_add); out_ip0->src_address = *if_ip; - vlib_error_count (vm, node->node_index, error0, 1); } else /* interface has no IP6 address - should not happen */ { - next0 = ICMP6_TTL_EXPIRE_NEXT_DROP; - error0 = ICMP6_ERROR_TTL_EXPIRE_RESP_DROP; + next0 = IP6_ICMP_ERROR_NEXT_DROP; + error0 = ICMP6_ERROR_DROP; } /* Fill icmp header fields */ - icmp0->type = ICMP6_time_exceeded; - icmp0->code = ICMP6_time_exceeded_ttl_exceeded_in_transit; + icmp0->type = vnet_buffer(p0)->ip.icmp.type; + icmp0->code = vnet_buffer(p0)->ip.icmp.code; + *((u32 *)(icmp0 + 1)) = clib_host_to_net_u32(vnet_buffer(p0)->ip.icmp.data); icmp0->checksum = 0; icmp0->checksum = ip6_tcp_udp_icmp_compute_checksum( vm, p0, out_ip0, &bogus_length); + + /* Update error status */ - p0->error = node->errors[error0]; + if (error0 == ICMP6_ERROR_NONE) + error0 = icmp6_icmp_type_to_error(icmp0->type); + vlib_error_count(vm, node->node_index, error0, 1); /* Verify speculative enqueue, maybe switch current next frame */ vlib_validate_buffer_enqueue_x1(vm, node, next_index, @@ -599,18 +628,18 @@ ip6_icmp_ttl_expire (vlib_main_t * vm, return frame->n_vectors; } -VLIB_REGISTER_NODE (ip6_icmp_ttl_expire_node) = { - .function = ip6_icmp_ttl_expire, - .name = "ip6-icmp-ttl-expire", +VLIB_REGISTER_NODE (ip6_icmp_error_node) = { + .function = ip6_icmp_error, + .name = "ip6-icmp-error", .vector_size = sizeof (u32), .n_errors = ARRAY_LEN (icmp_error_strings), .error_strings = icmp_error_strings, - .n_next_nodes = ICMP6_TTL_EXPIRE_N_NEXT, + .n_next_nodes = IP6_ICMP_ERROR_N_NEXT, .next_nodes = { - [ICMP6_TTL_EXPIRE_NEXT_DROP] = "error-drop", - [ICMP6_TTL_EXPIRE_NEXT_LOOKUP] = "ip6-lookup", + [IP6_ICMP_ERROR_NEXT_DROP] = "error-drop", + [IP6_ICMP_ERROR_NEXT_LOOKUP] = "ip6-lookup", }, .format_trace = format_icmp6_input_trace, 
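Review bot: Now that any node can route a packet here (ip6_map.c does so for packets that failed the MAP security check), nothing in this node enforces RFC 4443 §2.4(e): an error is built and sent even when the offending packet's source is multicast or unspecified, or when the offending packet is itself an ICMPv6 error message, which lets an attacker get error messages reflected toward a spoofed or multicast source. Before the headers are filled in I would add `if (ip6_address_is_multicast(&ip0->src_address) || ip6_address_is_unspecified(&ip0->src_address)) { next0 = IP6_ICMP_ERROR_NEXT_DROP; error0 = ICMP6_ERROR_DROP; }` and the equivalent test for an inner ICMPv6 type below 128 (helper names as I recall them from ip6_packet.h; §2.4(f) rate limiting is also absent as far as this hunk shows). Separately, dropping `p0->error = node->errors[error0];` means a buffer sent to error-drop still carries the previous node's error, so the drop is counted a second time under the wrong counter; keep that assignment on the drop path.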
diff --git a/vnet/vnet/ip/icmp6.h b/vnet/vnet/ip/icmp6.h index 92f6913a454..d44d0c3dbc9 100644 --- a/vnet/vnet/ip/icmp6.h +++ b/vnet/vnet/ip/icmp6.h @@ -46,8 +46,11 @@ _ (ROUTER_ADVERTISEMENTS_TX, "router advertisements sent") \ _ (ROUTER_ADVERTISEMENTS_RX, "router advertisements received") \ _ (DST_LOOKUP_MISS, "icmp6 dst address lookup misses") \ - _ (TTL_EXPIRE_RESP_SENT, "TTL time exceeded response sent") \ - _ (TTL_EXPIRE_RESP_DROP, "TTL time exceeded response dropped") + _ (DEST_UNREACH_SENT, "destination unreachable response sent") \ + _ (PACKET_TOO_BIG_SENT, "packet too big response sent") \ + _ (TTL_EXPIRE_SENT, "hop limit exceeded response sent") \ + _ (PARAM_PROBLEM_SENT, "parameter Pproblem response sent") \ + _ (DROP, "error message dropped") typedef enum { @@ -62,6 +65,7 @@ typedef struct { format_function_t format_icmp6_input_trace; void icmp6_register_type (vlib_main_t * vm, icmp6_type_t type, u32 node_index); +void icmp6_error_set_vnet_buffer (vlib_buffer_t *b, u8 type, u8 code, u32 data); extern vlib_node_registration_t ip6_icmp_input_node; diff --git a/vnet/vnet/ip/ip6_input.c b/vnet/vnet/ip/ip6_input.c index ef8c7762625..473b2b2719f 100644 --- a/vnet/vnet/ip/ip6_input.c +++ b/vnet/vnet/ip/ip6_input.c @@ -62,7 +62,7 @@ static u8 * format_ip6_input_trace (u8 * s, va_list * va) typedef enum { IP6_INPUT_NEXT_DROP, IP6_INPUT_NEXT_LOOKUP, - IP6_INPUT_NEXT_TTL_EXPIRE, + IP6_INPUT_NEXT_ICMP, IP6_INPUT_N_NEXT, } ip6_input_next_t; 
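Review bot: The new counter string for PARAM_PROBLEM_SENT reads `"parameter Pproblem response sent"` and will appear verbatim in the error counters; it should be `"parameter problem response sent"` to match the casing of the neighbouring strings. The rest of the icmp6.h change is a rename of the error enum plus the new prototype.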
@@ -186,13 +186,23 @@ ip6_input (vlib_main_t * vm, if (PREDICT_FALSE(error0 != IP6_ERROR_NONE)) { - next0 = (error0 == IP6_ERROR_TIME_EXPIRED) ? - IP6_INPUT_NEXT_TTL_EXPIRE : IP6_INPUT_NEXT_DROP; + if (error0 == IP6_ERROR_TIME_EXPIRED) { + icmp6_error_set_vnet_buffer(p0, ICMP6_time_exceeded, + ICMP6_time_exceeded_ttl_exceeded_in_transit, 0); + next0 = IP6_INPUT_NEXT_ICMP; + } else { + next0 = IP6_INPUT_NEXT_DROP; + } } if (PREDICT_FALSE(error1 != IP6_ERROR_NONE)) { - next1 = (error1 == IP6_ERROR_TIME_EXPIRED) ? - IP6_INPUT_NEXT_TTL_EXPIRE : IP6_INPUT_NEXT_DROP; + if (error1 == IP6_ERROR_TIME_EXPIRED) { + icmp6_error_set_vnet_buffer(p1, ICMP6_time_exceeded, + ICMP6_time_exceeded_ttl_exceeded_in_transit, 0); + next1 = IP6_INPUT_NEXT_ICMP; + } else { + next1 = IP6_INPUT_NEXT_DROP; + } } p0->error = error_node->errors[error0]; @@ -249,8 +259,13 @@ ip6_input (vlib_main_t * vm, if (PREDICT_FALSE(error0 != IP6_ERROR_NONE)) { - next0 = (error0 == IP6_ERROR_TIME_EXPIRED) ? - IP6_INPUT_NEXT_TTL_EXPIRE : IP6_INPUT_NEXT_DROP; + if (error0 == IP6_ERROR_TIME_EXPIRED) { + icmp6_error_set_vnet_buffer(p0, ICMP6_time_exceeded, + ICMP6_time_exceeded_ttl_exceeded_in_transit, 0); + next0 = IP6_INPUT_NEXT_ICMP; + } else { + next0 = IP6_INPUT_NEXT_DROP; + } } p0->error = error_node->errors[error0]; @@ -283,7 +298,7 @@ VLIB_REGISTER_NODE (ip6_input_node) = { .next_nodes = { [IP6_INPUT_NEXT_DROP] = "error-drop", [IP6_INPUT_NEXT_LOOKUP] = "ip6-lookup", - [IP6_INPUT_NEXT_TTL_EXPIRE] = "ip6-icmp-ttl-expire", + [IP6_INPUT_NEXT_ICMP] = "ip6-icmp-error", }, .format_buffer = format_ip6_header, diff --git a/vnet/vnet/map/ip4_map.c b/vnet/vnet/map/ip4_map.c index c8ee2764f23..343b57d210f 100644 --- a/vnet/vnet/map/ip4_map.c +++ b/vnet/vnet/map/ip4_map.c 
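Review bot: The seven-line "time expired → stage ICMP, else drop" block is now pasted three times in ip6_input (p0 and p1 in the dual loop, p0 in the single loop), which is the kind of duplication that lets the two loops drift apart later. A small static inline helper returning the next index keeps the three call sites to one line each; ip6_input's loop bodies start outside this hunk.
```c
/* Pick the next node for a packet ip6_input flagged with an error:
 * hop-limit expiry is answered with an ICMPv6 time-exceeded, everything else is dropped. */
static inline u32
ip6_input_next_for_error (vlib_buffer_t *b, u8 error)
{
  if (error == IP6_ERROR_TIME_EXPIRED) {
    icmp6_error_set_vnet_buffer(b, ICMP6_time_exceeded,
                                ICMP6_time_exceeded_ttl_exceeded_in_transit, 0);
    return IP6_INPUT_NEXT_ICMP;
  }
  return IP6_INPUT_NEXT_DROP;
}
/* … unchanged: dual-packet loop up to the error checks … */
if (PREDICT_FALSE(error0 != IP6_ERROR_NONE))
  next0 = ip6_input_next_for_error(p0, error0);
if (PREDICT_FALSE(error1 != IP6_ERROR_NONE))
  next1 = ip6_input_next_for_error(p1, error1);
/* … unchanged: single-packet loop, same one-line call for p0 … */
```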
@@ -76,7 +76,7 @@ ip4_map_get_port (ip4_header_t *ip, map_dir_e dir) icmp46_header_t *icmp = (void *)(ip + 1); if (icmp->type == ICMP4_echo_request || icmp->type == ICMP4_echo_reply) { return *((u16 *)(icmp + 1)); - } else if (clib_net_to_host_u16(ip->length) >= 64) { // IP + ICMP + IP + L4 header + } else if (clib_net_to_host_u16(ip->length) >= 56) { // IP + ICMP + IP + L4 header ip4_header_t *icmp_ip = (ip4_header_t *)(icmp + 2); if (PREDICT_TRUE((icmp_ip->protocol == IP_PROTOCOL_TCP) || (icmp_ip->protocol == IP_PROTOCOL_UDP))) { @@ -256,8 +256,8 @@ ip4_map (vlib_main_t *vm, u64 dal61 = map_get_pfx(d1, da41, dp41); u64 dar60 = map_get_sfx(d0, da40, dp40); u64 dar61 = map_get_sfx(d1, da41, dp41); - if (dal60 == 0 && dar60 == 0) error0 = MAP_ERROR_UNKNOWN; - if (dal61 == 0 && dar61 == 0) error1 = MAP_ERROR_UNKNOWN; + if (dal60 == 0 && dar60 == 0) error0 = MAP_ERROR_NO_BINDING; + if (dal61 == 0 && dar61 == 0) error1 = MAP_ERROR_NO_BINDING; /* construct ipv6 header */ vlib_buffer_advance(p0, - sizeof(ip6_header_t)); @@ -375,7 +375,7 @@ ip4_map (vlib_main_t *vm, u16 dp40 = clib_net_to_host_u16(port0); u64 dal60 = map_get_pfx(d0, da40, dp40); u64 dar60 = map_get_sfx(d0, da40, dp40); - if (dal60 == 0 && dar60 == 0 && error0 == MAP_ERROR_NONE) error0 = MAP_ERROR_UNKNOWN; + if (dal60 == 0 && dar60 == 0 && error0 == MAP_ERROR_NONE) error0 = MAP_ERROR_NO_BINDING; /* construct ipv6 header */ vlib_buffer_advance(p0, - (sizeof(ip6_header_t))); diff --git a/vnet/vnet/map/ip6_map.c b/vnet/vnet/map/ip6_map.c index 7ef85e791f5..208f45f521c 100644 --- a/vnet/vnet/map/ip6_map.c +++ b/vnet/vnet/map/ip6_map.c @@ -27,6 +27,7 @@ enum ip6_map_next_e { IP6_MAP_NEXT_IP6_ICMP_RELAY, IP6_MAP_NEXT_IP6_LOCAL, IP6_MAP_NEXT_DROP, + IP6_MAP_NEXT_ICMP, IP6_MAP_N_NEXT, }; @@ -142,7 +143,6 @@ ip6_map_ip4_lookup_bypass (vlib_buffer_t *p0, ip4_header_t *ip) return (false); } - /* * ip6_map */ 
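Review bot: The lowered `>= 56` bound in ip4_map_get_port is still compared against the packet's declared `ip->length`, not against the bytes actually present in the buffer, so a packet advertising 56 that arrives shorter would have `icmp_ip` and the inner L4 ports read past the payload; the arithmetic in the comment (20 + 8 + 20 + 8) is right, but the check only holds if ip4-input has already rejected length greater than buffer length, which I cannot confirm from this hunk. Either state that guarantee in the comment, or pass the buffer length in and compare against that. The same line also assumes the inner IPv4 header carries no options when the L4 header is located, which the comment should say. ip4_map_get_port begins outside this hunk.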
@@ -230,7 +230,6 @@ ip6_map (vlib_main_t *vm, next0 = IP6_MAP_NEXT_IP6_REASS; } else { error0 = MAP_ERROR_BAD_PROTOCOL; - next0 = IP6_MAP_NEXT_DROP; } if (PREDICT_TRUE(ip61->protocol == IP_PROTOCOL_IP_IN_IP && clib_net_to_host_u16(ip61->payload_length) > 20)) { d1 = ip6_map_get_domain(vnet_buffer(p1)->ip.adj_index[VLIB_TX], (ip4_address_t *)&ip41->src_address.as_u32, @@ -244,7 +243,6 @@ ip6_map (vlib_main_t *vm, next1 = IP6_MAP_NEXT_IP6_REASS; } else { error1 = MAP_ERROR_BAD_PROTOCOL; - next1 = IP6_MAP_NEXT_DROP; } if (d0) { @@ -298,6 +296,32 @@ ip6_map (vlib_main_t *vm, tr->port = port1; } + if (error0 == MAP_ERROR_DECAP_SEC_CHECK && mm->icmp6_enabled) { + /* Set ICMP parameters */ + vlib_buffer_advance(p0, -sizeof(ip6_header_t)); + icmp6_error_set_vnet_buffer(p0, ICMP6_destination_unreachable, + ICMP6_destination_unreachable_source_address_failed_policy, 0); + next0 = IP6_MAP_NEXT_ICMP; + } else { + next0 = (error0 == MAP_ERROR_NONE) ? next0 : IP6_MAP_NEXT_DROP; + } + + if (error1 == MAP_ERROR_DECAP_SEC_CHECK && mm->icmp6_enabled) { + /* Set ICMP parameters */ + vlib_buffer_advance(p1, -sizeof(ip6_header_t)); + icmp6_error_set_vnet_buffer(p1, ICMP6_destination_unreachable, + ICMP6_destination_unreachable_source_address_failed_policy, 0); + next1 = IP6_MAP_NEXT_ICMP; + } else { + next1 = (error1 == MAP_ERROR_NONE) ? next1 : IP6_MAP_NEXT_DROP; + } + + /* Reset packet */ + if (next0 == IP6_MAP_NEXT_IP6_LOCAL) + vlib_buffer_advance(p0, -sizeof(ip6_header_t)); + if (next1 == IP6_MAP_NEXT_IP6_LOCAL) + vlib_buffer_advance(p1, -sizeof(ip6_header_t)); + p0->error = error_node->errors[error0]; p1->error = error_node->errors[error1]; vlib_validate_buffer_enqueue_x2(vm, node, next_index, to_next, n_left_to_next, pi0, pi1, next0, next1); 
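Review bot: In this two-packet loop an ICMPv6 unreachable is staged only for `MAP_ERROR_DECAP_SEC_CHECK`, whereas the single-packet loop further down also stages one for `MAP_ERROR_NO_DOMAIN`; which loop a packet goes through depends only on its position in the vector, so identical packets will be answered or silently dropped at random. Use the same condition in both places, `if (mm->icmp6_enabled && (error0 == MAP_ERROR_DECAP_SEC_CHECK || error0 == MAP_ERROR_NO_DOMAIN))` and likewise for error1, or better move the stage-or-drop block into a static inline helper shared by both loops. The `vlib_buffer_advance(p0, -sizeof(ip6_header_t))` before staging presumes the outer header was skipped on every path that sets these errors, which is worth re-checking if NO_DOMAIN is added here. ip6_map's loop body starts and ends outside this hunk.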
@@ -377,7 +401,21 @@ ip6_map (vlib_main_t *vm, tr->port = (u16)port0; } - next0 = (error0 == MAP_ERROR_NONE) ? next0 : IP6_MAP_NEXT_DROP; + if (mm->icmp6_enabled && + (error0 == MAP_ERROR_DECAP_SEC_CHECK || error0 == MAP_ERROR_NO_DOMAIN)) { + /* Set ICMP parameters */ + vlib_buffer_advance(p0, -sizeof(ip6_header_t)); + icmp6_error_set_vnet_buffer(p0, ICMP6_destination_unreachable, + ICMP6_destination_unreachable_source_address_failed_policy, 0); + next0 = IP6_MAP_NEXT_ICMP; + } else { + next0 = (error0 == MAP_ERROR_NONE) ? next0 : IP6_MAP_NEXT_DROP; + } + + /* Reset packet */ + if (next0 == IP6_MAP_NEXT_IP6_LOCAL) + vlib_buffer_advance(p0, -sizeof(ip6_header_t)); + p0->error = error_node->errors[error0]; vlib_validate_buffer_enqueue_x1(vm, node, next_index, to_next, n_left_to_next, pi0, next0); } @@ -626,7 +664,7 @@ ip6_map_ip4_reass (vlib_main_t *vm, ip4_header_t *ip40; ip6_header_t *ip60; i32 port0 = 0; - u32 map_domain_index0; + u32 map_domain_index0 = ~0; u32 next0 = IP6_MAP_IP4_REASS_NEXT_IP4_LOOKUP; u8 cached = 0; @@ -860,7 +898,7 @@ ip6_map_icmp_relay (vlib_main_t *vm, new_ip40->fragment_id = fid[0]; fid++; new_ip40->ttl = 64; new_ip40->protocol = IP_PROTOCOL_ICMP; - new_ip40->src_address = mm->icmp_src_address; + new_ip40->src_address = mm->icmp4_src_address; new_ip40->dst_address = inner_ip40->src_address; new_ip40->checksum = ip4_header_checksum(new_ip40); @@ -916,6 +954,7 @@ VLIB_REGISTER_NODE(ip6_map_node) = { [IP6_MAP_NEXT_IP6_ICMP_RELAY] = "ip6-map-icmp-relay", [IP6_MAP_NEXT_IP6_LOCAL] = "ip6-local", [IP6_MAP_NEXT_DROP] = "error-drop", + [IP6_MAP_NEXT_ICMP] = "ip6-icmp-error", }, }; diff --git a/vnet/vnet/map/map.c b/vnet/vnet/map/map.c index b7eb1f14839..eb5496b8829 100644 --- a/vnet/vnet/map/map.c +++ b/vnet/vnet/map/map.c 
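Review bot: For `MAP_ERROR_NO_DOMAIN` the single-packet path rewinds the buffer by `sizeof(ip6_header_t)` before staging the error, but this hunk does not show where the advance past the outer header happens; if it only occurs once a domain was found, then on the no-domain path ip6-icmp-error would treat the 40 bytes preceding the IPv6 header as the offending packet and send the error to whatever `src_address` those bytes happen to contain. Please confirm the advance is unconditional, or only rewind when it was done. The code chosen for NO_DOMAIN also deserves a comment: code 5 ("source address failed ingress/egress policy") describes the security-check failure, while "no MAP domain for this destination" reads closer to code 0 (no route) or code 1 (administratively prohibited). ip6_map's loop body starts outside this hunk.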
@@ -602,8 +602,7 @@ map_icmp_relay_source_address_command_fn (vlib_main_t *vm, ip4_address_t icmp_src_address; map_main_t *mm = &map_main; - memset(&icmp_src_address, 0, sizeof(icmp_src_address)); - + mm->icmp4_src_address.as_u32 = 0; /* Get a line of input. */ if (!unformat_user(input, unformat_line_input, line_input)) @@ -611,13 +610,45 @@ map_icmp_relay_source_address_command_fn (vlib_main_t *vm, while (unformat_check_input(line_input) != UNFORMAT_END_OF_INPUT) { if (unformat(line_input, "%U", unformat_ip4_address, &icmp_src_address)) - mm->icmp_src_address = icmp_src_address; + mm->icmp4_src_address = icmp_src_address; + else + return clib_error_return(0, "unknown input `%U'", + format_unformat_error, input); + } + unformat_free(line_input); + + return 0; +} + +static clib_error_t * +map_icmp_unreachables_command_fn (vlib_main_t *vm, + unformat_input_t *input, + vlib_cli_command_t *cmd) +{ + unformat_input_t _line_input, *line_input = &_line_input; + map_main_t *mm = &map_main; + int num_m_args = 0; + + /* Get a line of input. */ + if (!unformat_user(input, unformat_line_input, line_input)) + return 0; + + while (unformat_check_input(line_input) != UNFORMAT_END_OF_INPUT) { + num_m_args++; + if (unformat(line_input, "on")) + mm->icmp6_enabled = true; + else if (unformat(line_input, "off")) + mm->icmp6_enabled = false; else return clib_error_return(0, "unknown input `%U'", format_unformat_error, input); } unformat_free(line_input); + + if (num_m_args != 1) + return clib_error_return(0, "mandatory argument(s) missing"); + return 0; } 
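Review bot: `map_icmp_relay_source_address_command_fn` now zeroes `mm->icmp4_src_address` before anything is parsed, so an empty or mistyped `map params icmp source-address` line wipes the configured relay source and, judging by ip6_map_icmp_relay, relayed ICMPv4 would then carry 0.0.0.0 until it is set again. Zero the local instead (`icmp_src_address.as_u32 = 0;`) and do `mm->icmp4_src_address = icmp_src_address;` once after the loop has finished without error; if clearing on an empty line is intended, say so in a comment. In the new `map_icmp_unreachables_command_fn` the `return clib_error_return(...)` inside the loop skips `unformat_free(line_input)` and formats the error from `input` rather than `line_input`, both copied from the sibling command; free before returning and report the line-input token.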
@@ -833,9 +864,11 @@ show_map_stats_command_fn (vlib_main_t *vm, unformat_input_t *input, vlib_cli_co else vlib_cli_output(vm, "MAP traffic-class: %x", mm->tc); - vlib_cli_output(vm, "MAP IPv6 inbound security check: %s Fragments: %s", mm->sec_check ? "enabled" : "disabled", + vlib_cli_output(vm, "MAP IPv6 inbound security check: %s, fragmented packet security check: %s", mm->sec_check ? "enabled" : "disabled", mm->sec_check_frag ? "enabled" : "disabled"); + vlib_cli_output(vm, "ICMP-relay IPv4 source address: %U\n", format_ip4_address, &mm->icmp4_src_address); + vlib_cli_output(vm, "ICMP6 unreachables sent for unmatched packets: %s\n", mm->icmp6_enabled ? "enabled" : "disabled"); /* * Counters @@ -861,9 +894,9 @@ show_map_stats_command_fn (vlib_main_t *vm, unformat_input_t *input, vlib_cli_co } map_domain_counter_unlock (mm); - vlib_cli_output(vm, "Encapsulated packets: %d bytes: %d\n", total_pkts[MAP_DOMAIN_COUNTER_TX], + vlib_cli_output(vm, "Encapsulated packets: %lld bytes: %lld\n", total_pkts[MAP_DOMAIN_COUNTER_TX], total_bytes[MAP_DOMAIN_COUNTER_TX]); - vlib_cli_output(vm, "Decapsulated packets: %d bytes: %d\n", total_pkts[MAP_DOMAIN_COUNTER_RX], + vlib_cli_output(vm, "Decapsulated packets: %lld bytes: %lld\n", total_pkts[MAP_DOMAIN_COUNTER_RX], total_bytes[MAP_DOMAIN_COUNTER_RX]); vlib_cli_output(vm, "ICMP relayed packets: %d\n", vlib_get_simple_counter(&mm->icmp_relayed, 0)); 
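Review bot: The encapsulated/decapsulated lines were switched to `%lld`, but `"ICMP relayed packets: %d\n"` a few lines below still hands `vlib_get_simple_counter(...)` to `%d`; if that returns a 64-bit counter, as the neighbouring totals apparently do, the format and argument widths disagree. Change it to `%lld` for consistency with the lines this hunk fixes.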
@@ -1524,12 +1557,17 @@ VLIB_CLI_COMMAND(map_security_check_command, static) = { }; VLIB_CLI_COMMAND(map_icmp_relay_source_address_command, static) = { - .path = "map params icmp-source-address", - .short_help = - "icmp-source-address <ip4-address>", + .path = "map params icmp source-address", + .short_help = "source-address <ip4-address>", .function = map_icmp_relay_source_address_command_fn, }; +VLIB_CLI_COMMAND(map_icmp_unreachables_command, static) = { + .path = "map params icmp unreachables", + .short_help = "unreachables {on|off}", + .function = map_icmp_unreachables_command_fn, +}; + VLIB_CLI_COMMAND(map_security_check_frag_command, static) = { .path = "map params security-check fragments", .short_help = @@ -1598,6 +1636,9 @@ clib_error_t *map_init (vlib_main_t *vm) mm->sec_check = true; mm->sec_check_frag = false; + /* ICMP6 Type 1, Code 5 for security check failure */ + mm->icmp6_enabled = false; + vec_validate(mm->domain_counters, MAP_N_DOMAIN_COUNTER - 1); mm->domain_counters[MAP_DOMAIN_COUNTER_RX].name = "rx"; mm->domain_counters[MAP_DOMAIN_COUNTER_TX].name = "tx"; diff --git a/vnet/vnet/map/map.h b/vnet/vnet/map/map.h index 95b842d4782..6d12b71be2b 100644 --- a/vnet/vnet/map/map.h +++ b/vnet/vnet/map/map.h @@ -205,9 +205,10 @@ typedef struct { bool tc_copy; bool sec_check; bool sec_check_frag; + bool icmp6_enabled; /* ICMPv6 -> ICMPv4 relay parameters */ - ip4_address_t icmp_src_address; + ip4_address_t icmp4_src_address; /* convenience */ vlib_main_t *vlib_main; @@ -269,6 +270,7 @@ typedef struct { _(ICMP, "unable to translate ICMP") \ _(ICMP_RELAY, "unable to relay ICMP") \ _(UNKNOWN, "unknown") \ + _(NO_BINDING, "no binding") \ _(NO_DOMAIN, "no domain") \ _(FRAGMENTED, "packet is a fragment") \ _(FRAGMENT_MEMORY, "could not cache fragment") \ |
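Review bot: The comment on the new default in map_init, `/* ICMP6 Type 1, Code 5 for security check failure */`, names the message but not why the knob is off by default; since enabling it makes the box answer unmatched IPv4-in-IPv6 packets with an error toward an unverified IPv6 source, the trade-off deserves a sentence such as `/* Off by default: answering unauthenticated sources with unreachables turns us into a reflector. */`. The `bool icmp6_enabled;` field added to map.h has no comment at all; `/* Send ICMPv6 dest-unreachable (type 1, code 5) for packets failing the MAP security check; CLI "map params icmp unreachables" */` would document it where readers look first.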