From b728a3c8b74127e9a7decd8ecb7dc6cbefb0ab84 Mon Sep 17 00:00:00 2001
From: Alexander Chernavin <achernavin@netgate.com>
Date: Wed, 5 Feb 2020 09:05:06 -0500
Subject: map: honor icmp6-unreachables param in map-t

With this commit, send ICMPv6 unreachable messages back if security
check fails and icmp6-unreachables param enabled in MAP-T.

Type: fix

Change-Id: I9a8869df7763c764a1672e3faa1fde8dc13ec85a
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
---
 src/plugins/map/test/test_map.py | 32 +++++++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)

(limited to 'src/plugins/map/test/test_map.py')

diff --git a/src/plugins/map/test/test_map.py b/src/plugins/map/test/test_map.py
index 123fb547a59..c64341bfc19 100644
--- a/src/plugins/map/test/test_map.py
+++ b/src/plugins/map/test/test_map.py
@@ -13,7 +13,7 @@ from scapy.layers.l2 import Ether
 from scapy.packet import Raw
 from scapy.layers.inet import IP, UDP, ICMP, TCP
 from scapy.layers.inet6 import IPv6, ICMPv6TimeExceeded, IPv6ExtHdrFragment, \
-    ICMPv6EchoRequest
+    ICMPv6EchoRequest, ICMPv6DestUnreach
 
 
 class TestMAP(VppTestCase):
@@ -691,6 +691,36 @@ class TestMAP(VppTestCase):
         for p in rx:
             self.validate(p[1], p4_translated)
 
+        # TCP MSS clamping cleanup
+        self.vapi.map_param_set_tcp(0)
+
+        # Enable icmp6 param to get back ICMPv6 unreachable messages in case
+        # of security check fails
+        self.vapi.map_param_set_icmp6(enable_unreachable=1)
+
+        # Send back an IPv6 packet that will be droppped due to security
+        # check fail
+        p_ether6 = Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
+        p_ip6_sec_check_fail = IPv6(src='2001:db8:1fe::c0a8:1:f',
+                                    dst='1234:5678:90ab:cdef:ac:1001:200:0')
+        payload = TCP(sport=0xabcd, dport=0xabcd)
+        p6 = (p_ether6 / p_ip6_sec_check_fail / payload)
+
+        self.pg_send(self.pg1, p6*1)
+        self.pg0.get_capture(0, timeout=1)
+        rx = self.pg1.get_capture(1)
+
+        icmp6_reply = (IPv6(hlim=255, src=self.pg1.local_ip6,
+                            dst='2001:db8:1fe::c0a8:1:f') /
+                       ICMPv6DestUnreach(code=5) /
+                       p_ip6_sec_check_fail / payload)
+
+        for p in rx:
+            self.validate(p[1], icmp6_reply)
+
+        # ICMPv6 unreachable messages cleanup
+        self.vapi.map_param_set_icmp6(enable_unreachable=0)
+
     def test_map_t_ip6_psid(self):
         """ MAP-T v6->v4 PSID validation"""
 
-- 
cgit 1.2.3-korg