IP6_MAPT_NEXT_MAPT_ICMP,
IP6_MAPT_NEXT_MAPT_FRAGMENTED,
IP6_MAPT_NEXT_DROP,
+ IP6_MAPT_NEXT_ICMP,
IP6_MAPT_N_NEXT
} ip6_mapt_next_t;
// Security check
// Note that this prevents an intermediate IPv6 router from answering
// the request.
- ip4_sadr = map_get_ip4 (&ip6->src_address, ctx->d->flags);
+ ip4_sadr = map_get_ip4 (&ip6->src_address, ctx->d->ip6_src_len);
if (ip6->src_address.as_u64[0] !=
map_get_pfx_net (ctx->d, ip4_sadr, ctx->sender_port)
|| ip6->src_address.as_u64[1] != map_get_sfx_net (ctx->d, ip4_sadr,
u32 inner_ip4_dadr;
//Security check of inner packet
- inner_ip4_dadr = map_get_ip4 (&ip6->dst_address, ctx->d->flags);
+ inner_ip4_dadr = map_get_ip4 (&ip6->dst_address, ctx->d->ip6_src_len);
if (ip6->dst_address.as_u64[0] !=
map_get_pfx_net (ctx->d, inner_ip4_dadr, ctx->sender_port)
|| ip6->dst_address.as_u64[1] != map_get_sfx_net (ctx->d,
/*
* Translate IPv6 UDP/TCP packet to IPv4.
+ * Returns 0 on success.
+ * Returns a non-zero error code on error.
*/
always_inline int
map_ip6_to_ip4_tcp_udp (vlib_main_t * vm, vlib_buffer_t * p,
ip4->dst_address.as_u32 = vnet_buffer (p)->map_t.v6.daddr;
ip4->src_address.as_u32 = vnet_buffer (p)->map_t.v6.saddr;
+ /*
+ * Drop spoofed packets that from a known domain source.
+ */
+ u32 map_domain_index = -1;
+ u8 error = 0;
+
+ ip4_map_get_domain (&ip4->src_address, &map_domain_index, &error);
+ if (error)
+ return error;
+
ip4->ip_version_and_header_length =
IP4_VERSION_AND_HEADER_LENGTH_NO_OPTIONS;
ip4->tos = ip6_translate_tos (ip6->ip_version_traffic_class_and_flow_label);
u32 n_left_from, *from, next_index, *to_next, n_left_to_next;
vlib_node_runtime_t *error_node =
vlib_node_get_runtime (vm, ip6_map_t_node.index);
+ map_main_t *mm = &map_main;
vlib_combined_counter_main_t *cm = map_main.domain_counters;
u32 thread_index = vm->thread_index;
payload_length));
}
- next0 = (error0 != MAP_ERROR_NONE) ? IP6_MAPT_NEXT_DROP : next0;
+ if (PREDICT_FALSE
+ (error0 == MAP_ERROR_SEC_CHECK && mm->icmp6_enabled))
+ {
+ icmp6_error_set_vnet_buffer (p0, ICMP6_destination_unreachable,
+ ICMP6_destination_unreachable_source_address_failed_policy,
+ 0);
+ next0 = IP6_MAPT_NEXT_ICMP;
+ }
+ else
+ {
+ next0 = (error0 != MAP_ERROR_NONE) ? IP6_MAPT_NEXT_DROP : next0;
+ }
+
p0->error = error_node->errors[error0];
if (PREDICT_FALSE (p0->flags & VLIB_BUFFER_IS_TRACED))
{
[IP6_MAPT_NEXT_MAPT_ICMP] = "ip6-map-t-icmp",
[IP6_MAPT_NEXT_MAPT_FRAGMENTED] = "ip6-map-t-fragmented",
[IP6_MAPT_NEXT_DROP] = "error-drop",
+ [IP6_MAPT_NEXT_ICMP] = "ip6-icmp-error",
},
};
/* *INDENT-ON* */