diff options
Diffstat (limited to 'src/vnet/ipip')
-rw-r--r-- | src/vnet/ipip/ipip.h | 11 | ||||
-rw-r--r-- | src/vnet/ipip/node.c | 8 |
2 files changed, 14 insertions, 5 deletions
diff --git a/src/vnet/ipip/ipip.h b/src/vnet/ipip/ipip.h index 6afb188f8ee..28833df9755 100644 --- a/src/vnet/ipip/ipip.h +++ b/src/vnet/ipip/ipip.h @@ -26,11 +26,12 @@ extern vnet_hw_interface_class_t ipip_hw_interface_class; -#define foreach_ipip_error \ - /* Must be first. */ \ - _(DECAP_PKTS, "packets decapsulated") \ - _(BAD_PROTOCOL, "bad protocol") \ - _(NO_TUNNEL, "no tunnel") +#define foreach_ipip_error \ + /* Must be first. */ \ + _(DECAP_PKTS, "packets decapsulated") \ + _(BAD_PROTOCOL, "bad protocol") \ + _(NO_TUNNEL, "no tunnel") \ + _(FRAGMENTED_PACKET, "fragmented outer packet") typedef enum { diff --git a/src/vnet/ipip/node.c b/src/vnet/ipip/node.c index d55b91a0b93..60d6223d5f3 100644 --- a/src/vnet/ipip/node.c +++ b/src/vnet/ipip/node.c @@ -108,6 +108,14 @@ ipip_input (vlib_main_t * vm, vlib_node_runtime_t * node, else { ip40 = vlib_buffer_get_current (b0); + /* Check for outer fragmentation */ + if (ip40->flags_and_fragment_offset & + clib_host_to_net_u16 (IP4_HEADER_FLAG_MORE_FRAGMENTS)) + { + next0 = IPIP_INPUT_NEXT_DROP; + b0->error = node->errors[IPIP_ERROR_FRAGMENTED_PACKET]; + goto drop; + } vlib_buffer_advance (b0, sizeof (*ip40)); ip_set (&src0, &ip40->src_address, true); ip_set (&dst0, &ip40->dst_address, true); |