From 9f3569615eaadcf24a880d8d5547df9ad7a1d35f Mon Sep 17 00:00:00 2001 From: Matthew Smith Date: Wed, 4 Dec 2019 15:02:46 -0600 Subject: map: fix MAP-T ip6 port check Type: fix Ticket: VPP-1804 Fix a regression introduced by 640edcd90. The port set ID on received IPv6 packets for MAP-T was being checked against the destination port. It should be checked against the source port. Added a new unit test to verify that a v6 packet with a good source port is translated and forwarded and a v6 packet with a bad source port is dropped. The important part of the test which will prevent similar future regressions is that the source port and destination port are not equal. The existing unit test used the same source and destination port which is why it did not fail when the regression was introduced. Change-Id: Idc144ea509722bb9e0f80b3887d220384a04e6d6 Signed-off-by: Matthew Smith
---
src/plugins/map/ip6_map_t.c | 10 ++++---- src/plugins/map/test/test_map.py | 55 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 60 insertions(+), 5 deletions(-) (limited to 'src')
diff --git a/src/plugins/map/ip6_map_t.c b/src/plugins/map/ip6_map_t.c
index ef7b91349e5..7999507618a 100644
--- a/src/plugins/map/ip6_map_t.c
+++ b/src/plugins/map/ip6_map_t.c
@@ -491,7 +491,7 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
 n_left_to_next -= 1; error0 = MAP_ERROR_NONE; p0 = vlib_get_buffer (vm, pi0);
- u16 l4_dst_port = vnet_buffer (p0)->ip.reass.l4_dst_port;
+ u16 l4_src_port = vnet_buffer (p0)->ip.reass.l4_src_port;
 ip60 = vlib_buffer_get_current (p0);
@@ -534,7 +534,7 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
 (vnet_buffer (p0)->map_t.v6.frag_offset && ip6_frag_hdr_offset (frag0))) {
- map_port0 = l4_dst_port;
+ map_port0 = l4_src_port;
 next0 = IP6_MAPT_NEXT_MAPT_FRAGMENTED; } else
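Review bot: The new declaration `u16 l4_src_port = vnet_buffer (p0)->ip.reass.l4_src_port;` in the first hunk has no comment saying why the source port is the one to validate, and the commit message traces the regression to exactly that mix-up. A short comment would help, for example `/* v6->v4: the PSID is embedded in the sender's IPv6 address, so it is checked against the L4 source port */`. The value is read from the `ip.reass` buffer metadata, which is presumably filled in by an earlier node; that dependency is not visible here and is worth stating in the same comment, since the fragmented branch in the second hunk (`next0 = IP6_MAPT_NEXT_MAPT_FRAGMENTED`) relies on it as well. The body of ip6_map_t starts and ends outside both hunks.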
@@ -547,7 +547,7 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
 vnet_buffer (p0)->map_t.checksum_offset = vnet_buffer (p0)->map_t.v6.l4_offset + 16; next0 = IP6_MAPT_NEXT_MAPT_TCP_UDP;
- map_port0 = l4_dst_port;
+ map_port0 = l4_src_port;
 } else if (PREDICT_TRUE
@@ -559,7 +559,7 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
 vnet_buffer (p0)->map_t.checksum_offset = vnet_buffer (p0)->map_t.v6.l4_offset + 6; next0 = IP6_MAPT_NEXT_MAPT_TCP_UDP;
- map_port0 = l4_dst_port;
+ map_port0 = l4_src_port;
 } else if (vnet_buffer (p0)->map_t.v6.l4_protocol == IP_PROTOCOL_ICMP6)
@@ -576,7 +576,7 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
 u8_ptr_add (ip60, vnet_buffer (p0)->map_t.v6.l4_offset))-> code == ICMP6_echo_request)
- map_port0 = l4_dst_port;
+ map_port0 = l4_src_port;
 } else {
diff --git a/src/plugins/map/test/test_map.py b/src/plugins/map/test/test_map.py
index 94cb6d7865d..9da3d0c9074 100644
--- a/src/plugins/map/test/test_map.py
+++ b/src/plugins/map/test/test_map.py
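Review bot: In the ICMPv6 hunk (`@@ -576,7`), the condition guarding the new `map_port0 = l4_src_port;` compares a field named `code` with `ICMP6_echo_request`, which by its name is a message type rather than a code. If the constant holds the echo-request type value, a well-formed echo request (whose code is zero) never matches, `map_port0` keeps whatever it held before this chain, and the PSID check may not be applied to ICMPv6 echoes at all. The condition starts above the hunk and the header struct and constant definitions are not visible, so this needs confirming; if it holds, the comparison should use the header's type field instead of `code`. It is also worth confirming that `ip.reass.l4_src_port` carries the ICMP identifier for echo messages, since ICMP has no port of its own.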
@@ -640,6 +640,61 @@ class TestMAP(VppTestCase):
 for p in rx: self.validate(p[1], p4_translated)
+ def test_map_t_ip6_psid(self):
+ """ MAP-T v6->v4 PSID validation"""
+
+ #
+ # Add a domain that maps from pg0 to pg1
+ #
+ map_dst = '2001:db8::/32'
+ map_src = '1234:5678:90ab:cdef::/64'
+ ip4_pfx = '192.168.0.0/24'
+ tag = 'MAP-T Test Domain'
+
+ self.vapi.map_add_domain(ip6_prefix=map_dst,
+ ip4_prefix=ip4_pfx,
+ ip6_src=map_src,
+ ea_bits_len=16,
+ psid_offset=6,
+ psid_length=4,
+ mtu=1500,
+ tag=tag)
+
+ # Enable MAP-T on interfaces.
+ self.vapi.map_if_enable_disable(is_enable=1,
+ sw_if_index=self.pg0.sw_if_index,
+ is_translation=1)
+ self.vapi.map_if_enable_disable(is_enable=1,
+ sw_if_index=self.pg1.sw_if_index,
+ is_translation=1)
+
+ map_route = VppIpRoute(self,
+ "2001:db8::",
+ 32,
+ [VppRoutePath(self.pg1.remote_ip6,
+ self.pg1.sw_if_index,
+ proto=DpoProto.DPO_PROTO_IP6)])
+ map_route.add_vpp_config()
+
+ p_ether6 = Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
+ p_ip6 = IPv6(src='2001:db8:1f0::c0a8:1:f',
+ dst='1234:5678:90ab:cdef:ac:1001:200:0')
+
+ # Send good IPv6 source port, ensure translated IPv4 received
+ payload = TCP(sport=0xabcd, dport=80)
+ p6 = (p_ether6 / p_ip6 / payload)
+ p4_translated = (IP(src='192.168.0.1',
+ dst=self.pg0.remote_ip4) / payload)
+ p4_translated.id = 0
+ p4_translated.ttl -= 1
+ rx = self.send_and_expect(self.pg1, p6*1, self.pg0)
+ for p in rx:
+ self.validate(p[1], p4_translated)
+
+ # Send bad IPv6 source port, ensure translated IPv4 not received
+ payload = TCP(sport=0xdcba, dport=80)
+ p6 = (p_ether6 / p_ip6 / payload)
+ self.send_and_assert_no_replies(self.pg1, p6*1)
 if __name__ == '__main__': unittest.main(testRunner=VppTestRunner)
-- cgit 1.2.3-korg
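Review bot: test_map_t_ip6_psid sends only TCP, while the C change in this commit touches four assignments (the fragmented branch, the two `IP6_MAPT_NEXT_MAPT_TCP_UDP` branches and the ICMPv6 echo branch); a UDP case and a fragmented case with `sport != dport` would guard the other paths against the same regression. The negative case relies on `send_and_assert_no_replies`, which passes for any drop, so it would be stronger to also assert that the node's PSID/security-check error counter incremented (the counter name is not visible in this hunk). A comment tying the constants together would help readers: `# psid_offset=6, psid_length=4: sport 0xabcd -> PSID 0xf (matches the trailing :f in p_ip6.src); sport 0xdcba -> PSID 0x2`. The test also leaves the MAP domain, the interface enablement and the route configured on exit; whether the class tears these down elsewhere is not visible here.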