Code Review / vpp.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | inline | side by side
map: honor icmp6-unreachables param in map-t
[vpp.git] / src / plugins / map / ip6_map_t.c
diff --git a/src/plugins/map/ip6_map_t.c b/src/plugins/map/ip6_map_t.c
index 95104dc..5a9c9af 100644 (file)
--- a/src/plugins/map/ip6_map_t.c
+++ b/src/plugins/map/ip6_map_t.c
@@ -24,6 +24,7 @@ typedef enum
   IP6_MAPT_NEXT_MAPT_ICMP,
   IP6_MAPT_NEXT_MAPT_FRAGMENTED,
   IP6_MAPT_NEXT_DROP,
+  IP6_MAPT_NEXT_ICMP,
   IP6_MAPT_N_NEXT
 } ip6_mapt_next_t;
 
@@ -66,7 +67,7 @@ ip6_to_ip4_set_icmp_cb (ip6_header_t * ip6, ip4_header_t * ip4, void *arg)
   // Security check
   // Note that this prevents an intermediate IPv6 router from answering
   // the request.
-  ip4_sadr = map_get_ip4 (&ip6->src_address, ctx->d->flags);
+  ip4_sadr = map_get_ip4 (&ip6->src_address, ctx->d->ip6_src_len);
   if (ip6->src_address.as_u64[0] !=
       map_get_pfx_net (ctx->d, ip4_sadr, ctx->sender_port)
       || ip6->src_address.as_u64[1] != map_get_sfx_net (ctx->d, ip4_sadr,
@@ -88,7 +89,7 @@ ip6_to_ip4_set_inner_icmp_cb (ip6_header_t * ip6, ip4_header_t * ip4,
   u32 inner_ip4_dadr;
 
   //Security check of inner packet
-  inner_ip4_dadr = map_get_ip4 (&ip6->dst_address, ctx->d->flags);
+  inner_ip4_dadr = map_get_ip4 (&ip6->dst_address, ctx->d->ip6_src_len);
   if (ip6->dst_address.as_u64[0] !=
       map_get_pfx_net (ctx->d, inner_ip4_dadr, ctx->sender_port)
       || ip6->dst_address.as_u64[1] != map_get_sfx_net (ctx->d,
@@ -305,6 +306,8 @@ ip6_map_t_fragmented (vlib_main_t * vm,
 
 /*
  * Translate IPv6 UDP/TCP packet to IPv4.
+ * Returns 0 on success.
+ * Returns a non-zero error code on error.
  */
 always_inline int
 map_ip6_to_ip4_tcp_udp (vlib_main_t * vm, vlib_buffer_t * p,
@@ -370,6 +373,16 @@ map_ip6_to_ip4_tcp_udp (vlib_main_t * vm, vlib_buffer_t * p,
   ip4->dst_address.as_u32 = vnet_buffer (p)->map_t.v6.daddr;
   ip4->src_address.as_u32 = vnet_buffer (p)->map_t.v6.saddr;
 
+  /*
+   * Drop spoofed packets that from a known domain source.
+   */
+  u32 map_domain_index = -1;
+  u8 error = 0;
+
+  ip4_map_get_domain (&ip4->src_address, &map_domain_index, &error);
+  if (error)
+    return error;
+
   ip4->ip_version_and_header_length =
     IP4_VERSION_AND_HEADER_LENGTH_NO_OPTIONS;
   ip4->tos = ip6_translate_tos (ip6->ip_version_traffic_class_and_flow_label);
@@ -463,6 +476,7 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
   u32 n_left_from, *from, next_index, *to_next, n_left_to_next;
   vlib_node_runtime_t *error_node =
     vlib_node_get_runtime (vm, ip6_map_t_node.index);
+  map_main_t *mm = &map_main;
   vlib_combined_counter_main_t *cm = map_main.domain_counters;
   u32 thread_index = vm->thread_index;
 
@@ -614,7 +628,19 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
                                                                     payload_length));
            }
 
-         next0 = (error0 != MAP_ERROR_NONE) ? IP6_MAPT_NEXT_DROP : next0;
+         if (PREDICT_FALSE
+             (error0 == MAP_ERROR_SEC_CHECK && mm->icmp6_enabled))
+           {
+             icmp6_error_set_vnet_buffer (p0, ICMP6_destination_unreachable,
+                                          ICMP6_destination_unreachable_source_address_failed_policy,
+                                          0);
+             next0 = IP6_MAPT_NEXT_ICMP;
+           }
+         else
+           {
+             next0 = (error0 != MAP_ERROR_NONE) ? IP6_MAPT_NEXT_DROP : next0;
+           }
+
          p0->error = error_node->errors[error0];
          if (PREDICT_FALSE (p0->flags & VLIB_BUFFER_IS_TRACED))
            {
@@ -726,6 +752,7 @@ VLIB_REGISTER_NODE(ip6_map_t_node) = {
     [IP6_MAPT_NEXT_MAPT_ICMP] = "ip6-map-t-icmp",
     [IP6_MAPT_NEXT_MAPT_FRAGMENTED] = "ip6-map-t-fragmented",
     [IP6_MAPT_NEXT_DROP] = "error-drop",
+    [IP6_MAPT_NEXT_ICMP] = "ip6-icmp-error",
   },
 };
 /* *INDENT-ON* */
Vector Packet Processing