From d6d50cebde647f9a5ee7251a7fef977506f315d7 Mon Sep 17 00:00:00 2001
From: Vladimir Ratnikov <vratnikov@netgate.com>
Date: Fri, 27 Sep 2019 03:26:49 -0400
Subject: map: fix DF[Don't fragment] ip4-map-t behaviour

This patch allows ip4-map-t plugin to drop
packets if DF flag is set and packet size
is bigger than MTU

Type: fix

Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com>
Change-Id: I0c1531a1f876d9efc8e7e2bff9804f298becdb68
---
 src/plugins/map/ip4_map_t.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'src/plugins/map/ip4_map_t.c')

diff --git a/src/plugins/map/ip4_map_t.c b/src/plugins/map/ip4_map_t.c
index 2ab1af95922..621fb0615dc 100644
--- a/src/plugins/map/ip4_map_t.c
+++ b/src/plugins/map/ip4_map_t.c
@@ -600,6 +600,17 @@ ip4_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
 	  pheader0->daddr.as_u64[1] =
 	    map_get_sfx_net (d0, ip40->dst_address.as_u32, (u16) dst_port0);
 
+	  bool df0 =
+	    ip40->flags_and_fragment_offset &
+	    clib_host_to_net_u16 (IP4_HEADER_FLAG_DONT_FRAGMENT);
+
+	  if (PREDICT_TRUE (ip4_is_first_fragment (ip40) && df0))
+	    {
+	      p0->error = error_node->errors[MAP_ERROR_FRAGMENT_DROPPED];
+	      next0 = IP4_MAPT_NEXT_MAPT_FRAGMENTED;
+	      goto exit;
+	    }
+
 	  if (PREDICT_TRUE
 	      (error0 == MAP_ERROR_NONE && next0 != IP4_MAPT_NEXT_MAPT_ICMP))
 	    {
-- 
cgit 1.2.3-korg