diff options
Diffstat (limited to 'src/vnet/ip')
-rw-r--r-- | src/vnet/ip/ip6_error.h | 8 | ||||
-rw-r--r-- | src/vnet/ip/reass/ip6_full_reass.c | 85 |
2 files changed, 77 insertions, 16 deletions
diff --git a/src/vnet/ip/ip6_error.h b/src/vnet/ip/ip6_error.h index 6e5df0ef6ba..207d0400d53 100644 --- a/src/vnet/ip/ip6_error.h +++ b/src/vnet/ip/ip6_error.h @@ -89,7 +89,13 @@ _ (REASS_NO_BUF, "out of buffers (drop)") \ _ (REASS_TIMEOUT, "fragments dropped due to reassembly timeout") \ _ (REASS_INTERNAL_ERROR, "drops due to internal reassembly error") \ - _ (REASS_INVALID_FRAG_LEN, "invalid fragment length") \ + _ (REASS_INVALID_FRAG_LEN, "invalid fragment length") \ + _ (REASS_TO_CUSTOM_APP, "send to custom drop app") \ + _ (REASS_NO_FRAG_HDR, "no fragmentation header") \ + _ (REASS_INVALID_FRAG_SIZE, "drop due to invalid fragment size") \ + _ (REASS_SUCCESS, "successful reassemblies") \ + _ (REASS_FRAGMENTS_REASSEMBLED, "fragments reassembled") \ + _ (REASS_FRAGMENTS_RCVD, "fragments received") \ _ (REASS_UNSUPP_IP_PROTO, "unsupported ip protocol") // clang-format on diff --git a/src/vnet/ip/reass/ip6_full_reass.c b/src/vnet/ip/reass/ip6_full_reass.c index 3bc5faa5d9d..74193346c20 100644 --- a/src/vnet/ip/reass/ip6_full_reass.c +++ b/src/vnet/ip/reass/ip6_full_reass.c @@ -458,6 +458,11 @@ ip6_full_reass_drop_all (vlib_main_t *vm, vlib_node_runtime_t *node, next_index = reass->error_next_index; u32 bi = ~0; + /* record number of packets sent to custom app */ + vlib_node_increment_counter (vm, node->node_index, + IP6_ERROR_REASS_TO_CUSTOM_APP, + vec_len (to_free)); + while (vec_len (to_free) > 0) { vlib_get_next_frame (vm, node, next_index, *to_next, @@ -616,6 +621,8 @@ again: if (now > reass->last_heard + rm->timeout) { + vlib_node_increment_counter (vm, node->node_index, + IP6_ERROR_REASS_TIMEOUT, 1); ip6_full_reass_on_timeout (vm, node, reass, icmp_bi, n_left_to_next, to_next); ip6_full_reass_free (rm, rt, reass); @@ -912,6 +919,15 @@ ip6_full_reass_finalize (vlib_main_t * vm, vlib_node_runtime_t * node, *next0 = reass->next_index; } vnet_buffer (first_b)->ip.reass.estimated_mtu = reass->min_fragment_length; + /* Keep track of number of successfully reassembled packets and number of + * fragments reassembled */ + vlib_node_increment_counter (vm, node->node_index, IP6_ERROR_REASS_SUCCESS, + 1); + + vlib_node_increment_counter (vm, node->node_index, + IP6_ERROR_REASS_FRAGMENTS_REASSEMBLED, + reass->fragments_n); + ip6_full_reass_free (rm, rt, reass); reass = NULL; free_buffers_and_return: @@ -1126,9 +1142,10 @@ ip6_full_reass_verify_upper_layer_present (vlib_node_runtime_t *node, } always_inline bool -ip6_full_reass_verify_fragment_multiple_8 (vlib_main_t * vm, - vlib_buffer_t * b, - ip6_frag_hdr_t * frag_hdr) +ip6_full_reass_verify_fragment_multiple_8 (vlib_main_t *vm, + vlib_node_runtime_t *node, + vlib_buffer_t *b, + ip6_frag_hdr_t *frag_hdr) { vnet_buffer_opaque_t *vnb = vnet_buffer (b); ip6_header_t *ip = vlib_buffer_get_current (b); @@ -1141,15 +1158,17 @@ ip6_full_reass_verify_fragment_multiple_8 (vlib_main_t * vm, icmp6_error_set_vnet_buffer (b, ICMP6_parameter_problem, ICMP6_parameter_problem_erroneous_header_field, (u8 *) & ip->payload_length - (u8 *) ip); + b->error = node->errors[IP6_ERROR_REASS_INVALID_FRAG_SIZE]; return false; } return true; } always_inline bool -ip6_full_reass_verify_packet_size_lt_64k (vlib_main_t * vm, - vlib_buffer_t * b, - ip6_frag_hdr_t * frag_hdr) +ip6_full_reass_verify_packet_size_lt_64k (vlib_main_t *vm, + vlib_node_runtime_t *node, + vlib_buffer_t *b, + ip6_frag_hdr_t *frag_hdr) { vnet_buffer_opaque_t *vnb = vnet_buffer (b); u32 fragment_first = ip6_frag_hdr_offset_bytes (frag_hdr); @@ -1163,6 +1182,7 @@ ip6_full_reass_verify_packet_size_lt_64k (vlib_main_t * vm, ICMP6_parameter_problem_erroneous_header_field, (u8 *) & frag_hdr->fragment_offset_and_more - (u8 *) ip0); + b->error = node->errors[IP6_ERROR_REASS_INVALID_FRAG_SIZE]; return false; } return true; @@ -1197,15 +1217,20 @@ ip6_full_reassembly_inline (vlib_main_t *vm, vlib_node_runtime_t *node, b0 = vlib_get_buffer (vm, bi0); ip6_header_t *ip0 = vlib_buffer_get_current (b0); - ip6_frag_hdr_t *frag_hdr; + ip6_frag_hdr_t *frag_hdr = NULL; ip6_ext_hdr_chain_t hdr_chain; + vnet_buffer_opaque_t *fvnb = vnet_buffer (b0); + int res = ip6_ext_header_walk ( b0, ip0, IP_PROTOCOL_IPV6_FRAGMENTATION, &hdr_chain); if (res < 0 || hdr_chain.eh[res].protocol != IP_PROTOCOL_IPV6_FRAGMENTATION) { + vlib_node_increment_counter (vm, node->node_index, + IP6_ERROR_REASS_NO_FRAG_HDR, 1); // this is a mangled packet - no fragmentation - next0 = IP6_FULL_REASSEMBLY_NEXT_DROP; + next0 = is_custom_app ? fvnb->ip.reass.error_next_index : + IP6_FULL_REASSEMBLY_NEXT_DROP; ip6_full_reass_add_trace (vm, node, NULL, bi0, NULL, PASSTHROUGH, ~0); goto skip_reass; @@ -1215,6 +1240,10 @@ ip6_full_reassembly_inline (vlib_main_t *vm, vlib_node_runtime_t *node, next0 = IP6_FULL_REASSEMBLY_NEXT_DROP; goto skip_reass; } + + /* Keep track of received fragments */ + vlib_node_increment_counter (vm, node->node_index, + IP6_ERROR_REASS_FRAGMENTS_RCVD, 1); frag_hdr = ip6_ext_next_header_offset (ip0, hdr_chain.eh[res].offset); vnet_buffer (b0)->ip.reass.ip6_frag_hdr_offset = @@ -1226,14 +1255,19 @@ ip6_full_reassembly_inline (vlib_main_t *vm, vlib_node_runtime_t *node, if (!ip6_full_reass_verify_upper_layer_present (node, b0, &hdr_chain)) { - next0 = IP6_FULL_REASSEMBLY_NEXT_ICMP_ERROR; + next0 = is_custom_app ? fvnb->ip.reass.error_next_index : + IP6_FULL_REASSEMBLY_NEXT_ICMP_ERROR; goto skip_reass; } } - if (!ip6_full_reass_verify_fragment_multiple_8 (vm, b0, frag_hdr) || - !ip6_full_reass_verify_packet_size_lt_64k (vm, b0, frag_hdr)) + + if (!ip6_full_reass_verify_fragment_multiple_8 (vm, node, b0, + frag_hdr) || + !ip6_full_reass_verify_packet_size_lt_64k (vm, node, b0, + frag_hdr)) { - next0 = IP6_FULL_REASSEMBLY_NEXT_ICMP_ERROR; + next0 = is_custom_app ? fvnb->ip.reass.error_next_index : + IP6_FULL_REASSEMBLY_NEXT_ICMP_ERROR; goto skip_reass; } @@ -1258,7 +1292,14 @@ ip6_full_reassembly_inline (vlib_main_t *vm, vlib_node_runtime_t *node, vnet_buffer (b0)->sw_if_index[VLIB_RX])) << 32 | (u64) frag_hdr->identification; - kv.k.as_u64[5] = ip0->protocol; + /* RFC 8200: The Next Header values in the Fragment headers of + * different fragments of the same original packet may differ. + * Only the value from the Offset zero fragment packet is used + * for reassembly. + * + * Also, IPv6 Header doesnt contain the protocol value unlike + * IPv4.*/ + kv.k.as_u64[5] = 0; } ip6_full_reass_t *reass = ip6_full_reass_find_or_create ( @@ -1340,7 +1381,6 @@ ip6_full_reassembly_inline (vlib_main_t *vm, vlib_node_runtime_t *node, } else { - vnet_buffer_opaque_t *fvnb = vnet_buffer (b0); next0 = fvnb->ip.reass.error_next_index; } error0 = IP6_ERROR_REASS_LIMIT_REACHED; @@ -1373,6 +1413,15 @@ ip6_full_reassembly_inline (vlib_main_t *vm, vlib_node_runtime_t *node, { vnet_feature_next (&next0, b0); } + + /* Increment the counter to-custom-app also as this fragment is + * also going to application */ + if (is_custom_app) + { + vlib_node_increment_counter ( + vm, node->node_index, IP6_ERROR_REASS_TO_CUSTOM_APP, 1); + } + vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next, n_left_to_next, bi0, next0); } @@ -1714,6 +1763,7 @@ ip6_full_reass_walk_expired (vlib_main_t *vm, vlib_node_runtime_t *node, { ip6_full_reass_per_thread_t *rt = &rm->per_thread_data[thread_index]; + u32 reass_timeout_cnt = 0; clib_spinlock_lock (&rt->lock); vec_reset_length (pool_indexes_to_free); @@ -1750,6 +1800,8 @@ ip6_full_reass_walk_expired (vlib_main_t *vm, vlib_node_runtime_t *node, { ip6_full_reass_t *reass = pool_elt_at_index (rt->pool, i[0]); u32 icmp_bi = ~0; + + reass_timeout_cnt += reass->fragments_n; ip6_full_reass_on_timeout (vm, node, reass, &icmp_bi, &n_left_to_next, &to_next); if (~0 != icmp_bi) @@ -1759,6 +1811,10 @@ ip6_full_reass_walk_expired (vlib_main_t *vm, vlib_node_runtime_t *node, } clib_spinlock_unlock (&rt->lock); + if (reass_timeout_cnt) + vlib_node_increment_counter (vm, node->node_index, + IP6_ERROR_REASS_TIMEOUT, + reass_timeout_cnt); } while (vec_len (vec_icmp_bi) > 0) @@ -1774,7 +1830,6 @@ ip6_full_reass_walk_expired (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_buffer_t *b = vlib_get_buffer (vm, bi); if (PREDICT_FALSE (b->flags & VLIB_BUFFER_IS_TRACED)) trace_frame = 1; - b->error = node->errors[IP6_ERROR_REASS_TIMEOUT]; to_next[0] = bi; ++f->n_vectors; to_next += 1; |