From 87663cdf644fb7c94c0fec9460829b7e4e7c35ca Mon Sep 17 00:00:00 2001
From: Vladimir Ratnikov
Date: Fri, 20 Dec 2019 04:55:50 -0500
Subject: map: fix ip4-map-t DF behavior

ip4_is_fragment(header) or ip4_is_first_fragment(header) didn't changed when packet with fragmentation needed arrives. This patch checks DF flag and MTU with packet length and if DF is set and length > MTU, packet is dropped. In case if ignore_df is set, DF flag makes no sense.

Type: fix
Fixes: d6d50cebde647f9a5ee7251a7fef977506f315d7
Signed-off-by: Vladimir Ratnikov
Change-Id: I720e25167c19a0b13ac5fdfb41b12c0bbdc00d09
---
 src/plugins/map/ip4_map_t.c | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)
(limited to 'src')
diff --git a/src/plugins/map/ip4_map_t.c b/src/plugins/map/ip4_map_t.c
index a02b55478c2..dca32846480 100644
--- a/src/plugins/map/ip4_map_t.c
+++ b/src/plugins/map/ip4_map_t.c
@@ -575,6 +575,18 @@ ip4_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
 goto exit;
 }
+ bool df0 =
+ ip40->flags_and_fragment_offset &
+ clib_host_to_net_u16 (IP4_HEADER_FLAG_DONT_FRAGMENT);
+
+ if (PREDICT_FALSE
+ (df0 && !map_main.frag_ignore_df && (ip4_len0 > d0->mtu)))
+ {
+ p0->error = error_node->errors[MAP_ERROR_FRAGMENT_DROPPED];
+ next0 = IP4_MAPT_NEXT_DROP;
+ goto exit;
+ }
+
 vnet_buffer (p0)->map_t.mtu = d0->mtu ? d0->mtu : ~0;
 dst_port0 = -1;
@@ -601,17 +613,6 @@ ip4_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
 pheader0->daddr.as_u64[1] = map_get_sfx_net (d0, ip40->dst_address.as_u32, (u16) dst_port0);
- bool df0 =
- ip40->flags_and_fragment_offset &
- clib_host_to_net_u16 (IP4_HEADER_FLAG_DONT_FRAGMENT);
-
- if (PREDICT_TRUE (ip4_is_first_fragment (ip40) && df0))
- {
- p0->error = error_node->errors[MAP_ERROR_FRAGMENT_DROPPED];
- next0 = IP4_MAPT_NEXT_MAPT_FRAGMENTED;
- goto exit;
- }
-
 if (PREDICT_TRUE (error0 == MAP_ERROR_NONE && next0 != IP4_MAPT_NEXT_MAPT_ICMP))
 {
--
cgit 1.2.3-korg
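Review bot: The added DF check in the first hunk compares `ip4_len0 > d0->mtu` against the raw domain MTU, while the context line right after it (`vnet_buffer (p0)->map_t.mtu = d0->mtu ? d0->mtu : ~0;`) treats `d0->mtu == 0` as "no limit". With an unset MTU and `frag_ignore_df` off, every DF-marked packet of non-zero length would therefore be sent to `IP4_MAPT_NEXT_DROP`, which blackholes ordinary DF traffic for that domain. Guard the comparison with the same zero test, e.g. `(df0 && !map_main.frag_ignore_df && d0->mtu && (ip4_len0 > d0->mtu)))`. As far as the hunk shows, the drop only records `MAP_ERROR_FRAGMENT_DROPPED`, so a sender relying on path-MTU discovery gets no signal; a comment such as `/* DF set and packet exceeds domain MTU: dropped without ICMP, see <reference> */` would make clear whether that is intended. `ip4_len0` is computed outside the hunk, so it is assumed here to be the IPv4 total length in host byte order.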