From b1bd8760ce9b1416c8a7f12e411cfcf60de2929f Mon Sep 17 00:00:00 2001 From: Vladimir Ratnikov Date: Wed, 18 Mar 2020 08:20:08 -0400 Subject: map: fix hop limit expiration at br Before this patch, packet was dropped in ip4-input, but ip4-map-t node dropped response due to 'security check failed' This patch checkes if hop_limit==1 and sets error and next frame and sends icmp6 response correctly Type: fix Signed-off-by: Vladimir Ratnikov Change-Id: I85a6af58205b05754ef8c45a94817bb84f915c85 --- src/plugins/map/ip6_map_t.c | 14 +++++++++++++- src/plugins/map/test/test_map.py | 17 ++++++++++++++++- 2 files changed, 29 insertions(+), 2 deletions(-) (limited to 'src/plugins/map') diff --git a/src/plugins/map/ip6_map_t.c b/src/plugins/map/ip6_map_t.c index ce973ea2e7f..874a14c99ed 100644 --- a/src/plugins/map/ip6_map_t.c +++ b/src/plugins/map/ip6_map_t.c @@ -544,6 +544,18 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame) ip6_map_t_embedded_address (d0, &ip60->dst_address); vnet_buffer (p0)->map_t.mtu = d0->mtu ? d0->mtu : ~0; + map_port0 = -1; + + if (PREDICT_FALSE (ip60->hop_limit == 1)) + { + icmp6_error_set_vnet_buffer (p0, ICMP6_time_exceeded, + ICMP6_time_exceeded_ttl_exceeded_in_transit, + 0); + p0->error = error_node->errors[MAP_ERROR_TIME_EXCEEDED]; + next0 = IP6_MAPT_NEXT_ICMP; + goto trace; + } + if (PREDICT_FALSE (ip6_parse (vm, p0, ip60, p0->current_length, &(vnet_buffer (p0)->map_t.v6.l4_protocol), @@ -554,7 +566,6 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame) error0 == MAP_ERROR_NONE ? MAP_ERROR_MALFORMED : error0; } - map_port0 = -1; l4_len0 = (u32) clib_net_to_host_u16 (ip60->payload_length) + sizeof (*ip60) - vnet_buffer (p0)->map_t.v6.l4_offset; @@ -659,6 +670,7 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame) } p0->error = error_node->errors[error0]; + trace: if (PREDICT_FALSE (p0->flags & VLIB_BUFFER_IS_TRACED)) { map_add_trace (vm, node, p0, diff --git a/src/plugins/map/test/test_map.py b/src/plugins/map/test/test_map.py index 66cb9ba20c4..59c23335052 100644 --- a/src/plugins/map/test/test_map.py +++ b/src/plugins/map/test/test_map.py @@ -591,7 +591,22 @@ class TestMAP(VppTestCase): for p in rx: self.validate(p[1], icmp4_reply) - # IPv6 Hop limit + # IPv6 Hop limit at BR + ip6_hlim_expired = IPv6(hlim=1, src='2001:db8:1ab::c0a8:1:ab', + dst='1234:5678:90ab:cdef:ac:1001:200:0') + p6 = (p_ether6 / ip6_hlim_expired / payload) + + icmp6_reply = (IPv6(hlim=255, src=self.pg1.local_ip6, + dst="2001:db8:1ab::c0a8:1:ab") / + ICMPv6TimeExceeded(code=0) / + IPv6(src="2001:db8:1ab::c0a8:1:ab", + dst='1234:5678:90ab:cdef:ac:1001:200:0', + hlim=1) / payload) + rx = self.send_and_expect(self.pg1, p6*1, self.pg1) + for p in rx: + self.validate(p[1], icmp6_reply) + + # IPv6 Hop limit beyond BR ip6_hlim_expired = IPv6(hlim=0, src='2001:db8:1ab::c0a8:1:ab', dst='1234:5678:90ab:cdef:ac:1001:200:0') p6 = (p_ether6 / ip6_hlim_expired / payload) -- cgit 1.2.3-korg