-rw-r--r-- | src/plugins/map/map.api | 169 | ||||
-rw-r--r-- | src/plugins/map/map.c | 334 | ||||
-rw-r--r-- | src/plugins/map/map.h | 18 | ||||
-rw-r--r-- | src/plugins/map/map_api.c | 339 |
4 files changed, 648 insertions, 212 deletions
diff --git a/src/plugins/map/map.api b/src/plugins/map/map.api index 9918d7210c4..78e7bec2c0b 100644 --- a/src/plugins/map/map.api +++ b/src/plugins/map/map.api @@ -13,7 +13,7 @@ * limitations under the License. */ -option version = "2.2.0"; +option version = "2.3.0"; import "vnet/ip/ip_types.api"; 
@@ -153,3 +153,170 @@ define map_summary_stats_reply u64 total_ip4_fragments; u64 total_security_check[2]; }; + + +/** \brief Set MAP fragmentation parameters + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + @param inner - 1=frag inner packet, 0=frag tunnel packets + @param ignore_df - 1=IP4 fragment despite DF bit, 0=honor DF +*/ +autoreply define map_param_set_fragmentation +{ + u32 client_index; + u32 context; + bool inner; + bool ignore_df; +}; + + +/** \brief Set MAP ICMP parameters + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + @param icmp4_err_relay_src - IPv4 ICMP err relay src address +*/ +autoreply define map_param_set_icmp +{ + u32 client_index; + u32 context; + vl_api_ip4_address_t ip4_err_relay_src; +}; + + +/** \brief Set MAP ICMP6 parameters + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + @param enable_unreachable - 1 = send ICMP unreachable err msgs +*/ +autoreply define map_param_set_icmp6 +{ + u32 client_index; + u32 context; + bool enable_unreachable; +}; + + +/** \brief Add/delete MAP pre-resolve IP addresses parameters + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + @param is_add - 1 = Add non-zero IP addresses, 0 = delete + @param ip4_nh_address - direct IP4 next-hop address + @param ip6_nh_address - direct IP6 next-hop address +*/ +autoreply define map_param_add_del_pre_resolve +{ + u32 client_index; + u32 context; + bool is_add; + vl_api_ip4_address_t ip4_nh_address; + vl_api_ip6_address_t ip6_nh_address; +}; + + +/** \brief Set MAP reassembly parameters + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + @param is_ip6 - 1 = params apply to IPv6, 0 = params apply to IPv4 + 
@param lifetime_ms - reassembly valid lifetime, or ~0 + @param pool_size - max number of reassemblies, or ~0 + @param buffers - max number of reassembly buffers, or ~0 + @param ht_ratio - hash-table size factor, or ~0 +*/ +autoreply define map_param_set_reassembly +{ + u32 client_index; + u32 context; + bool is_ip6; + u16 lifetime_ms; + u16 pool_size; + u32 buffers; + f64 ht_ratio; +}; + + +/** \brief Set MAP security-check parameters + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + @param enable - 1=enable security check on first inbound packet + @param fragments - 1=enable check on (subsequent) fragments too +*/ +autoreply define map_param_set_security_check +{ + u32 client_index; + u32 context; + bool enable; + bool fragments; +}; + + +/** \brief Set MAP traffic class parameters + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + @param copy - 1 = copy packet class/TOS field, 0 = use class instead + @param class - class field value when copy == 0 +*/ +autoreply define map_param_set_traffic_class +{ + u32 client_index; + u32 context; + bool copy; + u8 class; +}; + + +/** \brief Request for a single block of MAP parameters + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request +*/ +define map_param_get +{ + u32 client_index; + u32 context; +}; + + +/** \brief Reply for map_param_get request + @param context - sender context, to match reply w/ request + @param retval - return code for request + @param inner - 1=frag inner packet, 0=frag tunnel packets, ~0=untouched + @param ignore_df - 1=IP4 fragm despite DF bit, 0=honor DF, ~0=untouched + @param icmp_ip4_err_relay_src - IPv4 ICMP err relay src address + @param icmp6_enable_unreachable - 1 = send ICMP unreachable err msgs + @param ip4_nh_address - direct IP4 next-hop address + @param ip6_nh_address - 
direct IP6 next-hop address + @param ip4_lifetime_ms - reassembly valid lifetime, or ~0 + @param ip4_pool_size - max number of reassemblies, or ~0 + @param ip4_buffers - max number of reassembly buffers, or ~0 + @param ip4_ht_ratio - reassembly valid lifetime, or ~0 + @param ip6_lifetime_ms - max number of reassemblies, or ~0 + @param ip6_pool_size - max number of reassemblies, or ~0 + @param ip6_buffers - max number of reassembly buffers, or ~0 + @param ip6_ht_ratio - hash-table size factor, or ~0 + @param sec_check_enable - 1=enable security check on first inbound packet + @param sec_check_fragments - 1=enable check on (subsequent) fragments too + @param tc_copy - 1 = copy packet class/TOS field, 0 = use class instead + @param tc_class - class field value when copy == 0 +*/ +define map_param_get_reply +{ + u32 context; + i32 retval; + u8 frag_inner; + u8 frag_ignore_df; + vl_api_ip4_address_t icmp_ip4_err_relay_src; + bool icmp6_enable_unreachable; + vl_api_ip4_address_t ip4_nh_address; + vl_api_ip6_address_t ip6_nh_address; + u16 ip4_lifetime_ms; + u16 ip4_pool_size; + u32 ip4_buffers; + f64 ip4_ht_ratio; + u16 ip6_lifetime_ms; + u16 ip6_pool_size; + u32 ip6_buffers; + f64 ip6_ht_ratio; + bool sec_check_enable; + bool sec_check_fragments; + bool tc_copy; + u8 tc_class; +}; diff --git a/src/plugins/map/map.c b/src/plugins/map/map.c index ee3ff728b58..8156ec835a8 100644 --- a/src/plugins/map/map.c +++ b/src/plugins/map/map.c @@ -440,7 +440,7 @@ map_fib_unresolve (map_main_pre_resolved_t * pr, pr->sibling = FIB_NODE_INDEX_INVALID; } -static void +void map_pre_resolve (ip4_address_t * ip4, ip6_address_t * ip6, int is_del) { if (ip6 && (ip6->as_u64[0] != 0 || ip6->as_u64[1] != 0)) 
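Review bot: The doc comment on `map_param_get_reply` does not match the fields it documents: `ip4_ht_ratio` is described as "reassembly valid lifetime" and `ip6_lifetime_ms` as "max number of reassemblies", and the tags `@param inner` / `@param ignore_df` name fields that are declared as `frag_inner` / `frag_ignore_df`. I would change these to `@param ip4_ht_ratio - hash-table size factor, or ~0` and `@param ip6_lifetime_ms - reassembly valid lifetime, or ~0`, and rename the two tags to the declared field names. `map_param_set_icmp` has the same mismatch, documenting `icmp4_err_relay_src` while the field is `ip4_err_relay_src`. The comment on `map_param_set_security_check` could also carry the warning that the CLI help in map.c already gives, that disabling the check allows IPv4 source address spoofing.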
@@ -476,8 +476,11 @@ map_security_check_command_fn (vlib_main_t * vm, vlib_cli_command_t * cmd) { unformat_input_t _line_input, *line_input = &_line_input; - map_main_t *mm = &map_main; clib_error_t *error = NULL; + bool enable = false; + bool check_frag = false; + bool saw_enable = false; + bool saw_frag = false; /* Get a line of input. */ if (!unformat_user (input, unformat_line_input, line_input)) @@ -485,10 +488,26 @@ map_security_check_command_fn (vlib_main_t * vm, while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) { - if (unformat (line_input, "off")) - mm->sec_check = false; - else if (unformat (line_input, "on")) - mm->sec_check = true; + if (unformat (line_input, "enable")) + { + enable = false; + saw_enable = true; + } + else if (unformat (line_input, "disable")) + { + enable = true; + saw_enable = true; + } + else if (unformat (line_input, "fragments on")) + { + check_frag = true; + saw_frag = true; + } + else if (unformat (line_input, "fragments off")) + { + check_frag = false; + saw_frag = true; + } else { error = clib_error_return (0, "unknown input `%U'", 
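Review bot: The `enable` and `disable` keywords are wired backwards in map_security_check_command_fn: the `"enable"` branch stores `enable = false` and the `"disable"` branch stores `enable = true`. Since that value is later handed to `map_param_set_security_check (enable, check_frag)`, typing `map params security-check enable ...` turns the inbound check off. The help text for this command says that disabling the check allows IPv4 source address spoofing, so an operator following the CLI would weaken the node without any indication. The assignments should be swapped, `enable = true;` under `"enable"` and `enable = false;` under `"disable"`. The function continues in the next hunk, where the message `"Must specify enable 'enable' or 'disable'"` also has a duplicated word.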
@@ -497,45 +516,28 @@ map_security_check_command_fn (vlib_main_t * vm, } } -done: - unformat_free (line_input); - - return error; -} - -static clib_error_t * -map_security_check_frag_command_fn (vlib_main_t * vm, - unformat_input_t * input, - vlib_cli_command_t * cmd) -{ - unformat_input_t _line_input, *line_input = &_line_input; - map_main_t *mm = &map_main; - clib_error_t *error = NULL; - - /* Get a line of input. */ - if (!unformat_user (input, unformat_line_input, line_input)) - return 0; + if (!saw_enable) + { + error = clib_error_return (0, + "Must specify enable 'enable' or 'disable'"); + goto done; + } - while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) + if (!saw_frag) { - if (unformat (line_input, "off")) - mm->sec_check_frag = false; - else if (unformat (line_input, "on")) - mm->sec_check_frag = true; - else - { - error = clib_error_return (0, "unknown input `%U'", - format_unformat_error, line_input); - goto done; - } + error = clib_error_return (0, "Must specify fragments 'on' or 'off'"); + goto done; } + map_param_set_security_check (enable, check_frag); + done: unformat_free (line_input); return error; } + static clib_error_t * map_add_domain_command_fn (vlib_main_t * vm, unformat_input_t * input, vlib_cli_command_t * cmd) @@ -754,6 +756,7 @@ map_icmp_relay_source_address_command_fn (vlib_main_t * vm, { unformat_input_t _line_input, *line_input = &_line_input; ip4_address_t icmp_src_address; + ip4_address_t *p_icmp_addr = 0; map_main_t *mm = &map_main; clib_error_t *error = NULL; @@ -767,7 +770,10 @@ map_icmp_relay_source_address_command_fn (vlib_main_t * vm, { if (unformat (line_input, "%U", unformat_ip4_address, &icmp_src_address)) - mm->icmp4_src_address = icmp_src_address; + { + mm->icmp4_src_address = icmp_src_address; + p_icmp_addr = &icmp_src_address; + } else { error = clib_error_return (0, "unknown input `%U'", 
@@ -776,6 +782,8 @@ map_icmp_relay_source_address_command_fn (vlib_main_t * vm, } } + map_param_set_icmp (p_icmp_addr); + done: unformat_free (line_input); @@ -788,9 +796,9 @@ map_icmp_unreachables_command_fn (vlib_main_t * vm, vlib_cli_command_t * cmd) { unformat_input_t _line_input, *line_input = &_line_input; - map_main_t *mm = &map_main; int num_m_args = 0; clib_error_t *error = NULL; + bool enabled = false; /* Get a line of input. */ if (!unformat_user (input, unformat_line_input, line_input)) @@ -800,9 +808,9 @@ map_icmp_unreachables_command_fn (vlib_main_t * vm, { num_m_args++; if (unformat (line_input, "on")) - mm->icmp6_enabled = true; + enabled = true; else if (unformat (line_input, "off")) - mm->icmp6_enabled = false; + enabled = false; else { error = clib_error_return (0, "unknown input `%U'", @@ -815,19 +823,26 @@ map_icmp_unreachables_command_fn (vlib_main_t * vm, if (num_m_args != 1) error = clib_error_return (0, "mandatory argument(s) missing"); + + map_param_set_icmp6 (enabled); + done: unformat_free (line_input); return error; } + static clib_error_t * map_fragment_command_fn (vlib_main_t * vm, unformat_input_t * input, vlib_cli_command_t * cmd) { unformat_input_t _line_input, *line_input = &_line_input; - map_main_t *mm = &map_main; clib_error_t *error = NULL; + bool frag_inner = false; + bool frag_ignore_df = false; + bool saw_in_out = false; + bool saw_df = false; /* Get a line of input. */ if (!unformat_user (input, unformat_line_input, line_input)) 
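Review bot: The result of `map_param_set_icmp (p_icmp_addr)` is discarded, and the setter added in map_api.c returns -1 when it is given a null pointer, which is the case whenever the parse loop never matched an address. The command then returns success without having set anything; I would check the call, e.g. `if (map_param_set_icmp (p_icmp_addr)) error = clib_error_return (0, "source address required");`. The direct store `mm->icmp4_src_address = icmp_src_address;` kept in the parse loop of the previous hunk duplicates what the setter does and can be dropped. The function starts outside this hunk.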
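Review bot: `map_param_set_icmp6 (enabled)` is reached even when the `num_m_args != 1` check directly above it has just set `error`, because that branch does not jump to `done`. The command therefore reports "mandatory argument(s) missing" and still writes a value into the running configuration. Suggested change: `if (num_m_args != 1) { error = clib_error_return (0, "mandatory argument(s) missing"); goto done; }` placed before the call. The return value of the setter is also ignored here, which is harmless today since it always returns 0 but is worth a `/* cannot fail */` comment.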
@@ -836,9 +851,25 @@ map_fragment_command_fn (vlib_main_t * vm, while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) { if (unformat (line_input, "inner")) - mm->frag_inner = true; + { + frag_inner = true; + saw_in_out = true; + } else if (unformat (line_input, "outer")) - mm->frag_inner = false; + { + frag_inner = false; + saw_in_out = true; + } + else if (unformat (line_input, "ignore-df")) + { + frag_ignore_df = true; + saw_df = true; + } + else if (unformat (line_input, "honor-df")) + { + frag_ignore_df = false; + saw_df = true; + } else { error = clib_error_return (0, "unknown input `%U'", @@ -847,39 +878,20 @@ map_fragment_command_fn (vlib_main_t * vm, } } -done: - unformat_free (line_input); - - return error; -} - -static clib_error_t * -map_fragment_df_command_fn (vlib_main_t * vm, - unformat_input_t * input, - vlib_cli_command_t * cmd) -{ - unformat_input_t _line_input, *line_input = &_line_input; - map_main_t *mm = &map_main; - clib_error_t *error = NULL; - - /* Get a line of input. */ - if (!unformat_user (input, unformat_line_input, line_input)) - return 0; + if (!saw_in_out) + { + error = clib_error_return (0, "Must specify 'inner' or 'outer'"); + goto done; + } - while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) + if (!saw_df) { - if (unformat (line_input, "on")) - mm->frag_ignore_df = true; - else if (unformat (line_input, "off")) - mm->frag_ignore_df = false; - else - { - error = clib_error_return (0, "unknown input `%U'", - format_unformat_error, line_input); - goto done; - } + error = clib_error_return (0, "Must specify 'ignore-df' or 'honor-df'"); + goto done; } + map_param_set_fragmentation (frag_inner, frag_ignore_df); + done: unformat_free (line_input); 
@@ -892,11 +904,10 @@ map_traffic_class_command_fn (vlib_main_t * vm, vlib_cli_command_t * cmd) { unformat_input_t _line_input, *line_input = &_line_input; - map_main_t *mm = &map_main; u32 tc = 0; clib_error_t *error = NULL; + bool tc_copy = false; - mm->tc_copy = false; /* Get a line of input. */ if (!unformat_user (input, unformat_line_input, line_input)) @@ -905,9 +916,9 @@ map_traffic_class_command_fn (vlib_main_t * vm, while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) { if (unformat (line_input, "copy")) - mm->tc_copy = true; + tc_copy = true; else if (unformat (line_input, "%x", &tc)) - mm->tc = tc & 0xff; + tc = tc & 0xff; else { error = clib_error_return (0, "unknown input `%U'", @@ -916,6 +927,8 @@ map_traffic_class_command_fn (vlib_main_t * vm, } } + map_param_set_traffic_class (tc_copy, tc); + done: unformat_free (line_input); 
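Review bot: `map_param_set_traffic_class (tc_copy, tc)` is called with `tc` still at its initial 0 when the line only contained `copy`, and the setter in map_api.c stores `mm->tc = tc` unconditionally. `map params traffic-class copy` therefore also resets the configured class to 0, whereas the old code left `mm->tc` untouched on that path. If that is intended, a comment such as `/* tc is ignored by the data path when tc_copy is set */` would document it (to be confirmed against the encap code, which is not in this diff); otherwise track whether a class was parsed and only overwrite it then. The function starts outside this hunk.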
@@ -1282,110 +1295,34 @@ map_params_reass_command_fn (vlib_main_t * vm, unformat_input_t * input, MAP_IP6_REASS_CONF_BUFFERS_MAX); } - if (ip4) + int rv; + u32 reass = 0, packets = 0; + rv = map_param_set_reassembly (!ip4, lifetime, pool_size, buffers, ht_ratio, + &reass, &packets); + + switch (rv) { - u32 reass = 0, packets = 0; - if (pool_size != ~0) - { - if (map_ip4_reass_conf_pool_size (pool_size, &reass, &packets)) - { - vlib_cli_output (vm, "Could not set ip4-reass pool-size"); - } - else - { - vlib_cli_output (vm, - "Setting ip4-reass pool-size (destroyed-reassembly=%u , dropped-fragments=%u)", - reass, packets); - } - } - if (ht_ratio != (MAP_IP4_REASS_CONF_HT_RATIO_MAX + 1)) - { - if (map_ip4_reass_conf_ht_ratio (ht_ratio, &reass, &packets)) - { - vlib_cli_output (vm, "Could not set ip4-reass ht-log2len"); - } - else - { - vlib_cli_output (vm, - "Setting ip4-reass ht-log2len (destroyed-reassembly=%u , dropped-fragments=%u)", - reass, packets); - } - } - if (lifetime != ~0) - { - if (map_ip4_reass_conf_lifetime (lifetime)) - vlib_cli_output (vm, "Could not set ip4-reass lifetime"); - else - vlib_cli_output (vm, "Setting ip4-reass lifetime"); - } - if (buffers != ~(0ull)) - { - if (map_ip4_reass_conf_buffers (buffers)) - vlib_cli_output (vm, "Could not set ip4-reass buffers"); - else - vlib_cli_output (vm, "Setting ip4-reass buffers"); - } + case 0: + vlib_cli_output (vm, + "Note: destroyed-reassembly=%u , dropped-fragments=%u", + reass, packets); + break; - if (map_main.ip4_reass_conf_buffers > - map_main.ip4_reass_conf_pool_size * - MAP_IP4_REASS_MAX_FRAGMENTS_PER_REASSEMBLY) - { - vlib_cli_output (vm, - "Note: 'ip4-reass buffers' > pool-size * max-fragments-per-reassembly."); - } - } + case MAP_ERR_BAD_POOL_SIZE: + return clib_error_return (0, "Could not set reass pool-size"); - if (ip6) - { - u32 reass = 0, packets = 0; - if (pool_size != ~0) - { - if (map_ip6_reass_conf_pool_size (pool_size, &reass, &packets)) - { - vlib_cli_output (vm, "Could not set 
ip6-reass pool-size"); - } - else - { - vlib_cli_output (vm, - "Setting ip6-reass pool-size (destroyed-reassembly=%u , dropped-fragments=%u)", - reass, packets); - } - } - if (ht_ratio != (MAP_IP4_REASS_CONF_HT_RATIO_MAX + 1)) - { - if (map_ip6_reass_conf_ht_ratio (ht_ratio, &reass, &packets)) - { - vlib_cli_output (vm, "Could not set ip6-reass ht-log2len"); - } - else - { - vlib_cli_output (vm, - "Setting ip6-reass ht-log2len (destroyed-reassembly=%u , dropped-fragments=%u)", - reass, packets); - } - } - if (lifetime != ~0) - { - if (map_ip6_reass_conf_lifetime (lifetime)) - vlib_cli_output (vm, "Could not set ip6-reass lifetime"); - else - vlib_cli_output (vm, "Setting ip6-reass lifetime"); - } - if (buffers != ~(0ull)) - { - if (map_ip6_reass_conf_buffers (buffers)) - vlib_cli_output (vm, "Could not set ip6-reass buffers"); - else - vlib_cli_output (vm, "Setting ip6-reass buffers"); - } + case MAP_ERR_BAD_HT_RATIO: + return clib_error_return (0, "Could not set reass ht-log2len"); - if (map_main.ip6_reass_conf_buffers > - map_main.ip6_reass_conf_pool_size * - MAP_IP6_REASS_MAX_FRAGMENTS_PER_REASSEMBLY) - { - vlib_cli_output (vm, - "Note: 'ip6-reass buffers' > pool-size * max-fragments-per-reassembly."); - } + case MAP_ERR_BAD_LIFETIME: + return clib_error_return (0, "Could not set ip6-reass lifetime"); + + case MAP_ERR_BAD_BUFFERS: + return clib_error_return (0, "Could not set ip6-reass buffers"); + + case MAP_ERR_BAD_BUFFERS_TOO_LARGE: + return clib_error_return (0, + "Note: 'ip6-reass buffers' > pool-size * max-fragments-per-reassembly."); } return 0; @@ -2032,6 +1969,7 @@ VLIB_CLI_COMMAND(map_pre_resolve_command, static) = { /*? * Enable or disable the MAP-E inbound security check + * Specifiy if the inbound security check should be done on fragments * * @cliexpar * @cliexstart{map params security-check} 
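Review bot: The new `switch (rv)` prints IPv6-specific text for failures of either family: `MAP_ERR_BAD_LIFETIME`, `MAP_ERR_BAD_BUFFERS` and `MAP_ERR_BAD_BUFFERS_TOO_LARGE` all say `ip6-reass ...`, although the call passes `!ip4` and so serves the IPv4 case as well. Neutral wording such as `"Could not set reass lifetime"`, matching the pool-size and ht-log2len cases, would fix that. `MAP_ERR_BAD_BUFFERS_TOO_LARGE` used to be an informational note and is now returned as an error after map_param_set_reassembly has already applied the values (see the map_api.c hunk), so the operator is told the command failed although the change took effect. The switch has no `default:` branch, so any other non-zero `rv` returns success silently. The function starts outside this hunk.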
@@ -2039,14 +1977,20 @@ VLIB_CLI_COMMAND(map_pre_resolve_command, static) = { * By default, a decapsulated packet's IPv4 source address will be * verified against the outer header's IPv6 source address. Disabling * this feature will allow IPv4 source address spoofing. + * + * Typically the inbound on-decapsulation security check is only done + * on the first packet. The packet that contains the L4 + * information. While a security check on every fragment is possible, + * it has a cost. State must be created on the first fragment. * @cliexend ?*/ VLIB_CLI_COMMAND(map_security_check_command, static) = { .path = "map params security-check", - .short_help = "map params security-check on|off", + .short_help = "map params security-check enable|disable fragments on|off", .function = map_security_check_command_fn, }; + /*? * Specifiy the IPv4 source address used for relayed ICMP error messages * @@ -2085,19 +2029,6 @@ VLIB_CLI_COMMAND(map_icmp_unreachables_command, static) = { * * @cliexpar * @cliexstart{map params fragment} - * @cliexend - ?*/ -VLIB_CLI_COMMAND(map_fragment_command, static) = { - .path = "map params fragment", - .short_help = "map params fragment inner|outer", - .function = map_fragment_command_fn, -}; - -/*? - * Ignore the IPv4 Don't fragment bit - * - * @cliexpar - * @cliexstart{map params fragment ignore-df} * * Allows fragmentation of the IPv4 packet even if the DF bit is * set. The choice between inner or outer fragmentation of tunnel 
@@ -2106,29 +2037,12 @@ VLIB_CLI_COMMAND(map_fragment_command, static) = { * endpoint. * @cliexend ?*/ -VLIB_CLI_COMMAND(map_fragment_df_command, static) = { - .path = "map params fragment ignore-df", - .short_help = "map params fragment ignore-df on|off", - .function = map_fragment_df_command_fn, +VLIB_CLI_COMMAND(map_fragment_command, static) = { + .path = "map params fragment", + .short_help = "map params fragment inner|outer ignore-df|honor-df", + .function = map_fragment_command_fn, }; -/*? - * Specifiy if the inbound security check should be done on fragments - * - * @cliexpar - * @cliexstart{map params security-check fragments} - * - * Typically the inbound on-decapsulation security check is only done - * on the first packet. The packet that contains the L4 - * information. While a security check on every fragment is possible, - * it has a cost. State must be created on the first fragment. - * @cliexend - ?*/ -VLIB_CLI_COMMAND(map_security_check_frag_command, static) = { - .path = "map params security-check fragments", - .short_help = "map params security-check fragments on|off", - .function = map_security_check_frag_command_fn, -}; /*? * Add MAP domain diff --git a/src/plugins/map/map.h b/src/plugins/map/map.h index 0d4270d5806..21baf73678a 100644 --- a/src/plugins/map/map.h +++ b/src/plugins/map/map.h @@ -25,6 +25,13 @@ #define MAP_SKIP_IP6_LOOKUP 1 +#define MAP_ERR_GOOD 0 +#define MAP_ERR_BAD_POOL_SIZE -1 +#define MAP_ERR_BAD_HT_RATIO -2 +#define MAP_ERR_BAD_LIFETIME -3 +#define MAP_ERR_BAD_BUFFERS -4 +#define MAP_ERR_BAD_BUFFERS_TOO_LARGE -5 + int map_create_domain (ip4_address_t * ip4_prefix, u8 ip4_prefix_len, ip6_address_t * ip6_prefix, u8 ip6_prefix_len, ip6_address_t * ip6_src, u8 ip6_src_len, 
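Review bot: The new `MAP_ERR_*` values in map.h are bare negative literals, e.g. `#define MAP_ERR_BAD_POOL_SIZE -1`. Writing them as `(-1)` or declaring them in an `enum` keeps them safe when used inside a larger expression and makes them visible in a debugger. A short comment above the group, `/* return codes of map_param_set_reassembly() */`, would tie them to the only function that returns them in this change. In the prototype hunk that follows, `map_param_set_icmp6 (u8 enable_unreachable)` is the only setter taking `u8` where its siblings take `bool`.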
@@ -35,6 +42,17 @@ int map_add_del_psid (u32 map_domain_index, u16 psid, ip6_address_t * tep, u8 is_add); u8 *format_map_trace (u8 * s, va_list * args); +int map_param_set_fragmentation (bool inner, bool ignore_df); +int map_param_set_icmp (ip4_address_t * ip4_err_relay_src); +int map_param_set_icmp6 (u8 enable_unreachable); +void map_pre_resolve (ip4_address_t * ip4, ip6_address_t * ip6, int is_del); +int map_param_set_reassembly (bool is_ipv6, u16 lifetime_ms, + u16 pool_size, u32 buffers, f64 ht_ratio, + u32 * reass, u32 * packets); +int map_param_set_security_check (bool enable, bool fragments); +int map_param_set_traffic_class (bool copy, u8 tc); + + typedef enum { MAP_DOMAIN_PREFIX = 1 << 0, diff --git a/src/plugins/map/map_api.c b/src/plugins/map/map_api.c index 0b17793e952..8ce6428fbc6 100644 --- a/src/plugins/map/map_api.c +++ b/src/plugins/map/map_api.c 
@@ -252,13 +252,350 @@ out: vl_api_send_msg (reg, (u8 *) rmp); } + +int +map_param_set_fragmentation (bool inner, bool ignore_df) +{ + map_main_t *mm = &map_main; + + mm->frag_inner = ! !inner; + mm->frag_ignore_df = ! !ignore_df; + + return 0; +} + +static void + vl_api_map_param_set_fragmentation_t_handler + (vl_api_map_param_set_fragmentation_t * mp) +{ + map_main_t *mm = &map_main; + vl_api_map_param_set_fragmentation_reply_t *rmp; + int rv = 0; + + rv = map_param_set_fragmentation (mp->inner, mp->ignore_df); + + REPLY_MACRO (VL_API_MAP_PARAM_SET_FRAGMENTATION_REPLY); +} + + +int +map_param_set_icmp (ip4_address_t * icmp_src_address) +{ + map_main_t *mm = &map_main; + + if (icmp_src_address == 0) + return -1; + + mm->icmp4_src_address = *icmp_src_address; + + return 0; +} + + +static void +vl_api_map_param_set_icmp_t_handler (vl_api_map_param_set_icmp_t * mp) +{ + map_main_t *mm = &map_main; + vl_api_map_param_set_icmp_reply_t *rmp; + int rv; + + rv = map_param_set_icmp ((ip4_address_t *) & mp->ip4_err_relay_src); + + REPLY_MACRO (VL_API_MAP_PARAM_SET_ICMP_REPLY); +} + + +int +map_param_set_icmp6 (u8 enable_unreachable) +{ + map_main_t *mm = &map_main; + + mm->icmp6_enabled = ! 
!enable_unreachable; + + return 0; +} + +static void +vl_api_map_param_set_icmp6_t_handler (vl_api_map_param_set_icmp6_t * mp) +{ + map_main_t *mm = &map_main; + vl_api_map_param_set_icmp6_reply_t *rmp; + int rv; + + rv = map_param_set_icmp6 (mp->enable_unreachable); + + REPLY_MACRO (VL_API_MAP_PARAM_SET_ICMP6_REPLY); +} + + +static void + vl_api_map_param_add_del_pre_resolve_t_handler + (vl_api_map_param_add_del_pre_resolve_t * mp) +{ + map_main_t *mm = &map_main; + vl_api_map_param_add_del_pre_resolve_reply_t *rmp; + int rv = 0; + + map_pre_resolve ((ip4_address_t *) & mp->ip4_nh_address, + (ip6_address_t *) & mp->ip6_nh_address, mp->is_add); + + REPLY_MACRO (VL_API_MAP_PARAM_ADD_DEL_PRE_RESOLVE_REPLY); +} + + +int +map_param_set_reassembly (bool is_ipv6, + u16 lifetime_ms, + u16 pool_size, + u32 buffers, + f64 ht_ratio, u32 * reass, u32 * packets) +{ + u32 ps_reass = 0, ps_packets = 0; + u32 ht_reass = 0, ht_packets = 0; + + if (is_ipv6) + { + if (pool_size != (u16) ~ 0) + { + if (pool_size > MAP_IP6_REASS_CONF_POOL_SIZE_MAX) + return MAP_ERR_BAD_POOL_SIZE; + if (map_ip6_reass_conf_pool_size + (pool_size, &ps_reass, &ps_packets)) + return MAP_ERR_BAD_POOL_SIZE; + } + + if (ht_ratio != (MAP_IP6_REASS_CONF_HT_RATIO_MAX + 1)) + { + if (ht_ratio > MAP_IP6_REASS_CONF_HT_RATIO_MAX) + return MAP_ERR_BAD_HT_RATIO; + if (map_ip6_reass_conf_ht_ratio (ht_ratio, &ht_reass, &ht_packets)) + return MAP_ERR_BAD_HT_RATIO; + } + + if (lifetime_ms != (u16) ~ 0) + { + if (lifetime_ms > MAP_IP6_REASS_CONF_LIFETIME_MAX) + return MAP_ERR_BAD_LIFETIME; + if (map_ip6_reass_conf_lifetime (lifetime_ms)) + return MAP_ERR_BAD_LIFETIME; + } + + if (buffers != ~0) + { + if (buffers > MAP_IP6_REASS_CONF_BUFFERS_MAX) + return MAP_ERR_BAD_BUFFERS; + if (map_ip6_reass_conf_buffers (buffers)) + return MAP_ERR_BAD_BUFFERS; + } + + if (map_main.ip6_reass_conf_buffers > + map_main.ip6_reass_conf_pool_size * + MAP_IP6_REASS_MAX_FRAGMENTS_PER_REASSEMBLY) + { + return MAP_ERR_BAD_BUFFERS_TOO_LARGE; + } 
+ } + else + { + if (pool_size != (u16) ~ 0) + { + if (pool_size > MAP_IP4_REASS_CONF_POOL_SIZE_MAX) + return MAP_ERR_BAD_POOL_SIZE; + if (map_ip4_reass_conf_pool_size + (pool_size, &ps_reass, &ps_packets)) + return MAP_ERR_BAD_POOL_SIZE; + } + + if (ht_ratio != (MAP_IP4_REASS_CONF_HT_RATIO_MAX + 1)) + { + if (ht_ratio > MAP_IP4_REASS_CONF_HT_RATIO_MAX) + return MAP_ERR_BAD_HT_RATIO; + if (map_ip4_reass_conf_ht_ratio (ht_ratio, &ht_reass, &ht_packets)) + return MAP_ERR_BAD_HT_RATIO; + } + + if (lifetime_ms != (u16) ~ 0) + { + if (lifetime_ms > MAP_IP4_REASS_CONF_LIFETIME_MAX) + return MAP_ERR_BAD_LIFETIME; + if (map_ip4_reass_conf_lifetime (lifetime_ms)) + return MAP_ERR_BAD_LIFETIME; + } + + if (buffers != ~0) + { + if (buffers > MAP_IP4_REASS_CONF_BUFFERS_MAX) + return MAP_ERR_BAD_BUFFERS; + if (map_ip4_reass_conf_buffers (buffers)) + return MAP_ERR_BAD_BUFFERS; + } + + if (map_main.ip4_reass_conf_buffers > + map_main.ip4_reass_conf_pool_size * + MAP_IP4_REASS_MAX_FRAGMENTS_PER_REASSEMBLY) + { + return MAP_ERR_BAD_BUFFERS_TOO_LARGE; + } + } + + if (reass) + *reass = ps_reass + ht_reass; + + if (packets) + *packets = ps_packets + ht_packets; + + return 0; +} + + +static void + vl_api_map_param_set_reassembly_t_handler + (vl_api_map_param_set_reassembly_t * mp) +{ + map_main_t *mm = &map_main; + vl_api_map_param_set_reassembly_reply_t *rmp; + u32 reass = 0, packets = 0; + int rv; + f64 ht_ratio; + + ht_ratio = (f64) clib_net_to_host_u64 (mp->ht_ratio); + if (ht_ratio == ~0) + ht_ratio = MAP_IP6_REASS_CONF_HT_RATIO_MAX + 1; + + rv = map_param_set_reassembly (mp->is_ip6, + clib_net_to_host_u16 (mp->lifetime_ms), + clib_net_to_host_u16 (mp->pool_size), + clib_net_to_host_u32 (mp->buffers), + ht_ratio, &reass, &packets); + + /* + * FIXME: Should the lost reass and packet counts be returned in the API? 
+ */ + + REPLY_MACRO (VL_API_MAP_PARAM_SET_REASSEMBLY_REPLY); +} + + +int +map_param_set_security_check (bool enable, bool fragments) +{ + map_main_t *mm = &map_main; + + mm->sec_check = ! !enable; + mm->sec_check_frag = ! !fragments; + + return 0; +} + +static void + vl_api_map_param_set_security_check_t_handler + (vl_api_map_param_set_security_check_t * mp) +{ + map_main_t *mm = &map_main; + vl_api_map_param_set_security_check_reply_t *rmp; + int rv; + + rv = map_param_set_security_check (mp->enable, mp->fragments); + + REPLY_MACRO (VL_API_MAP_PARAM_SET_SECURITY_CHECK_REPLY); +} + + +int +map_param_set_traffic_class (bool copy, u8 tc) +{ + map_main_t *mm = &map_main; + + mm->tc_copy = ! !copy; + mm->tc = tc; + + return 0; +} + +static void + vl_api_map_param_set_traffic_class_t_handler + (vl_api_map_param_set_traffic_class_t * mp) +{ + map_main_t *mm = &map_main; + vl_api_map_param_set_traffic_class_reply_t *rmp; + int rv; + + rv = map_param_set_traffic_class (mp->copy, mp->class); + + REPLY_MACRO (VL_API_MAP_PARAM_SET_TRAFFIC_CLASS_REPLY); +} + + +static void +vl_api_map_param_get_t_handler (vl_api_map_param_get_t * mp) +{ + map_main_t *mm = &map_main; + vl_api_map_param_get_reply_t *rmp; + vl_api_registration_t *reg; + + reg = vl_api_client_index_to_registration (mp->client_index); + if (!reg) + return; + + rmp = vl_msg_api_alloc (sizeof (*rmp)); + rmp->_vl_msg_id = htons (VL_API_MAP_PARAM_GET_REPLY + mm->msg_id_base); + rmp->context = mp->context; + rmp->retval = 0; + + rmp->frag_inner = mm->frag_inner; + rmp->frag_ignore_df = mm->frag_ignore_df; + + clib_memcpy (&rmp->icmp_ip4_err_relay_src, + &mm->icmp4_src_address, sizeof (rmp->icmp_ip4_err_relay_src)); + + rmp->icmp6_enable_unreachable = mm->icmp6_enabled; + + /* + * FIXME: How are these addresses re-extracted from the FIB? + * Or should a local map_main copy be kept? 
+ */ + clib_memset (&rmp->ip4_nh_address, 0, sizeof (rmp->ip4_nh_address)); + clib_memset (&rmp->ip6_nh_address, 0, sizeof (rmp->ip6_nh_address)); + + rmp->ip4_lifetime_ms = + clib_net_to_host_u16 (mm->ip4_reass_conf_lifetime_ms); + rmp->ip4_pool_size = clib_net_to_host_u16 (mm->ip4_reass_conf_pool_size); + rmp->ip4_buffers = clib_net_to_host_u32 (mm->ip4_reass_conf_buffers); + rmp->ip4_ht_ratio = + clib_net_to_host_u32 ((u32) mm->ip4_reass_conf_ht_ratio); + + rmp->ip6_lifetime_ms = + clib_net_to_host_u16 (mm->ip6_reass_conf_lifetime_ms); + rmp->ip6_pool_size = clib_net_to_host_u16 (mm->ip6_reass_conf_pool_size); + rmp->ip6_buffers = clib_net_to_host_u32 (mm->ip6_reass_conf_buffers); + rmp->ip6_ht_ratio = + clib_net_to_host_u32 ((u32) mm->ip6_reass_conf_ht_ratio); + + rmp->sec_check_enable = mm->sec_check; + rmp->sec_check_fragments = mm->sec_check_frag; + + rmp->tc_copy = mm->tc_copy; + rmp->tc_class = mm->tc; + + vl_api_send_msg (reg, (u8 *) rmp); +} + + #define foreach_map_plugin_api_msg \ _(MAP_ADD_DOMAIN, map_add_domain) \ _(MAP_DEL_DOMAIN, map_del_domain) \ _(MAP_ADD_DEL_RULE, map_add_del_rule) \ _(MAP_DOMAIN_DUMP, map_domain_dump) \ _(MAP_RULE_DUMP, map_rule_dump) \ -_(MAP_SUMMARY_STATS, map_summary_stats) +_(MAP_SUMMARY_STATS, map_summary_stats) \ +_(MAP_PARAM_SET_FRAGMENTATION, map_param_set_fragmentation) \ +_(MAP_PARAM_SET_ICMP, map_param_set_icmp) \ +_(MAP_PARAM_SET_ICMP6, map_param_set_icmp6) \ +_(MAP_PARAM_ADD_DEL_PRE_RESOLVE, map_param_add_del_pre_resolve) \ +_(MAP_PARAM_SET_REASSEMBLY, map_param_set_reassembly) \ +_(MAP_PARAM_SET_SECURITY_CHECK, map_param_set_security_check) \ +_(MAP_PARAM_SET_TRAFFIC_CLASS, map_param_set_traffic_class) \ +_(MAP_PARAM_GET, map_param_get) #define vl_msg_name_crc_list #include <map/map_all_api_h.h> |
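Review bot: vl_api_map_param_add_del_pre_resolve_t_handler passes `mp->is_add` as the third argument of map_pre_resolve, which map.h declares as `int is_del`, so an add request is processed as a delete and a delete as an add; the call should pass `!mp->is_add`. The `ht_ratio` fields are declared `f64` in map.api but are converted with `(f64) clib_net_to_host_u64 (mp->ht_ratio)` on input and `clib_net_to_host_u32 ((u32) mm->ip4_reass_conf_ht_ratio)` on output. That turns a byte-swapped integer into a float instead of carrying the floating-point value, and the following `ht_ratio == ~0` test compares against -1.0, so both directions look wrong and should be checked against how other f64 API fields are handled. map_param_set_reassembly returns on the first failing parameter after earlier ones have already been applied, and without writing `*reass` / `*packets`. Doing all the `> ..._MAX` range checks before the first `map_ip*_reass_conf_*` call would avoid leaving a half-applied configuration behind an error code.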