Age | Commit message (Collapse) | Author | Files | Lines |
|
Prevent malicious packets with spoofed embedded IPv4 addresses
by limiting the IPv6 ingress packets to known MAP-T domains.
Drop spoofed packets.
Add several tests that ensure spoofing isn't allowed.
Type: fix
Fixes: fc7344f9be
Change-Id: I80a5dd10d5fe7492e3a1b04de389d649a78065e2
Signed-off-by: Jon Loeliger <jdl@netgate.com>
|
|
Remove NAT's implementation of shallow virtual reassembly with
corresponding CLIs, APIs & tests. Replace with standalone shallow
virtual reassembly provided by ipX-sv-reass* nodes.
Type: refactor
Change-Id: I7e6c7487a5a500d591f6871474a359e0993e59b6
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Type: fix
Ticket: VPP-1804
Fix a regression introduced by 640edcd90.
The port set ID on received IPv6 packets for MAP-T was being
checked against the destination port. It should be checked
against the source port.
Added a new unit test to verify that a v6 packet with a good
source port is translated and forwarded and a v6 packet with
a bad source port is dropped. The important part of the test
which will prevent similar future regressions is that the
source port and destination port are not equal. The existing
unit test used the same source and destination port which is
why it did not fail when the regression was introduced.
Change-Id: Idc144ea509722bb9e0f80b3887d220384a04e6d6
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
This provides a functional interface to IP fragmentation.
Allowing external features to fragment. Supports
arbitrary encap size, for e.g. MPLS or inner fragmentation
of tunnels.
This also removed dual loop in MAP that was fundamentally broken.
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: Ia89ecec8ee3cbe2416edbe87630fdb714898c2a8
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
This change is part of an effort to unify reassembly code. By removing
shallow virtual reassembly functionality in MAP and using the common
vnet provided shallow virtual reassembly, code size and complexity
is reduced.
Type: refactor
Change-Id: Iec8edd039f7b967b53e17bb9bca228a8b452ac0c
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: I25c86aea23dff19656449b23133db27b1f062ac0
Signed-off-by: Jon Loeliger <jdl@netgate.com>
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Change-Id: I3c77cadaa7b677073af00407f368bd48d703fdac
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
This reverts commit 0ae15ed43aaa600a75ca4c154bc62478820c00b4.
Re-add MAP CE support later. This patch polluted the code
with too many if (ce) ...
Change-Id: Ia0ffd6fdb452aa5d30abec57772c17fc16fb0dbd
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
- Error where ICMPv6 error code doesn't reset VLIB_TX = -1
Leading to crash for ICMP generated on tunnelled packets
- Missed setting VNET_BUFFER_F_LOCALLY_ORIGINATED, so
IP in IPv6 packets never got fragmented.
- Add support for fragmentation of buffer chains.
- Remove support for inner fragmentation in frag code itself.
Change-Id: If9a97301b7e35ca97ffa5c0fada2b9e7e7dbfb27
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
It is cheaper to get thread index from vlib_main_t if available...
Change-Id: I4582e160d06d9d7fccdc54271912f0635da79b50
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Only remaining traces of MAP in the src/vnet is now in buffer.h.
Awaiting a new buffer opaque API (hint, hint).
Change-Id: Ie165561484731f1d7ed6e0f604b43624e06db3f0
Signed-off-by: Ole Troan <ot@cisco.com>
|