#ifdef MAP_SKIP_IP6_LOOKUP
IP4_MAP_NEXT_IP6_REWRITE,
#endif
- IP4_MAP_NEXT_FRAGMENT,
+ IP4_MAP_NEXT_IP4_FRAGMENT,
+ IP4_MAP_NEXT_IP6_FRAGMENT,
IP4_MAP_NEXT_REASS,
+ IP4_MAP_NEXT_ICMP_ERROR,
IP4_MAP_NEXT_DROP,
IP4_MAP_N_NEXT,
};
icmp46_header_t *icmp = (void *)(ip + 1);
if (icmp->type == ICMP4_echo_request || icmp->type == ICMP4_echo_reply) {
return *((u16 *)(icmp + 1));
- } else if (clib_net_to_host_u16(ip->length) >= 64) { // IP + ICMP + IP + L4 header
+ } else if (clib_net_to_host_u16(ip->length) >= 56) { // IP + ICMP + IP + L4 header
ip4_header_t *icmp_ip = (ip4_header_t *)(icmp + 2);
if (PREDICT_TRUE((icmp_ip->protocol == IP_PROTOCOL_TCP) ||
(icmp_ip->protocol == IP_PROTOCOL_UDP))) {
ASSERT (ip->checksum == ip4_header_checksum(ip));
}
+static u32
+ip4_map_fragment (vlib_buffer_t *b, u16 mtu, bool df, u8 *error)
+{
+ map_main_t *mm = &map_main;
+
+ if (mm->frag_inner) {
+ ip_frag_set_vnet_buffer(b, sizeof(ip6_header_t), mtu, IP4_FRAG_NEXT_IP6_LOOKUP, IP_FRAG_FLAG_IP6_HEADER);
+ return (IP4_MAP_NEXT_IP4_FRAGMENT);
+ } else {
+ if (df && !mm->frag_ignore_df) {
+ icmp4_error_set_vnet_buffer(b, ICMP4_destination_unreachable,
+ ICMP4_destination_unreachable_fragmentation_needed_and_dont_fragment_set, mtu);
+ vlib_buffer_advance(b, sizeof(ip6_header_t));
+ *error = MAP_ERROR_DF_SET;
+ return (IP4_MAP_NEXT_ICMP_ERROR);
+ }
+ ip_frag_set_vnet_buffer(b, 0, mtu, IP6_FRAG_NEXT_IP6_LOOKUP, IP_FRAG_FLAG_IP6_HEADER);
+ return (IP4_MAP_NEXT_IP6_FRAGMENT);
+ }
+}
+
/*
* ip4_map
*/
p1 = vlib_get_buffer(vm, pi1);
ip40 = vlib_buffer_get_current(p0);
ip41 = vlib_buffer_get_current(p1);
- p0->current_length = clib_net_to_host_u16(ip40->length);
- p1->current_length = clib_net_to_host_u16(ip41->length);
d0 = ip4_map_get_domain(vnet_buffer(p0)->ip.adj_index[VLIB_TX], &map_domain_index0);
d1 = ip4_map_get_domain(vnet_buffer(p1)->ip.adj_index[VLIB_TX], &map_domain_index1);
ASSERT(d0);
port0 = ip4_map_port_and_security_check(d0, ip40, &next0, &error0);
port1 = ip4_map_port_and_security_check(d1, ip41, &next1, &error1);
+ /* Decrement IPv4 TTL */
+ ip4_map_decrement_ttl(ip40, &error0);
+ ip4_map_decrement_ttl(ip41, &error1);
+ bool df0 = ip40->flags_and_fragment_offset & clib_host_to_net_u16(IP4_HEADER_FLAG_DONT_FRAGMENT);
+ bool df1 = ip41->flags_and_fragment_offset & clib_host_to_net_u16(IP4_HEADER_FLAG_DONT_FRAGMENT);
+
/* MAP calc */
u32 da40 = clib_net_to_host_u32(ip40->dst_address.as_u32);
u32 da41 = clib_net_to_host_u32(ip41->dst_address.as_u32);
u64 dal61 = map_get_pfx(d1, da41, dp41);
u64 dar60 = map_get_sfx(d0, da40, dp40);
u64 dar61 = map_get_sfx(d1, da41, dp41);
- if (dal60 == 0 && dar60 == 0) error0 = MAP_ERROR_UNKNOWN;
- if (dal61 == 0 && dar61 == 0) error1 = MAP_ERROR_UNKNOWN;
+ if (dal60 == 0 && dar60 == 0) error0 = MAP_ERROR_NO_BINDING;
+ if (dal61 == 0 && dar61 == 0) error1 = MAP_ERROR_NO_BINDING;
/* construct ipv6 header */
vlib_buffer_advance(p0, - sizeof(ip6_header_t));
*/
if (PREDICT_TRUE(error0 == MAP_ERROR_NONE)) {
if (PREDICT_FALSE(d0->mtu && (clib_net_to_host_u16(ip6h0->payload_length) + sizeof(*ip6h0) > d0->mtu))) {
- vnet_buffer(p0)->ip_frag.header_offset = sizeof(*ip6h0);
- vnet_buffer(p0)->ip_frag.next_index = IP4_FRAG_NEXT_IP6_LOOKUP;
- vnet_buffer(p0)->ip_frag.mtu = d0->mtu;
- vnet_buffer(p0)->ip_frag.flags = IP_FRAG_FLAG_IP6_HEADER;
- next0 = IP4_MAP_NEXT_FRAGMENT;
+ next0 = ip4_map_fragment(p0, d0->mtu, df0, &error0);
} else {
next0 = ip4_map_ip6_lookup_bypass(p0, ip40) ? IP4_MAP_NEXT_IP6_REWRITE : next0;
vlib_increment_combined_counter(cm + MAP_DOMAIN_COUNTER_TX, cpu_index, map_domain_index0, 1,
*/
if (PREDICT_TRUE(error1 == MAP_ERROR_NONE)) {
if (PREDICT_FALSE(d1->mtu && (clib_net_to_host_u16(ip6h1->payload_length) + sizeof(*ip6h1) > d1->mtu))) {
- vnet_buffer(p1)->ip_frag.header_offset = sizeof(*ip6h1);
- vnet_buffer(p1)->ip_frag.next_index = IP4_FRAG_NEXT_IP6_LOOKUP;
- vnet_buffer(p1)->ip_frag.mtu = d1->mtu;
- vnet_buffer(p1)->ip_frag.flags = IP_FRAG_FLAG_IP6_HEADER;
- next1 = IP4_MAP_NEXT_FRAGMENT;
+ next1 = ip4_map_fragment(p1, d1->mtu, df1, &error1);
} else {
next1 = ip4_map_ip6_lookup_bypass(p1, ip41) ? IP4_MAP_NEXT_IP6_REWRITE : next1;
vlib_increment_combined_counter(cm + MAP_DOMAIN_COUNTER_TX, cpu_index, map_domain_index1, 1,
p0 = vlib_get_buffer(vm, pi0);
ip40 = vlib_buffer_get_current(p0);
- p0->current_length = clib_net_to_host_u16(ip40->length);
d0 = ip4_map_get_domain(vnet_buffer(p0)->ip.adj_index[VLIB_TX], &map_domain_index0);
ASSERT(d0);
/* Decrement IPv4 TTL */
ip4_map_decrement_ttl(ip40, &error0);
+ bool df0 = ip40->flags_and_fragment_offset & clib_host_to_net_u16(IP4_HEADER_FLAG_DONT_FRAGMENT);
/* MAP calc */
u32 da40 = clib_net_to_host_u32(ip40->dst_address.as_u32);
u16 dp40 = clib_net_to_host_u16(port0);
u64 dal60 = map_get_pfx(d0, da40, dp40);
u64 dar60 = map_get_sfx(d0, da40, dp40);
- if (dal60 == 0 && dar60 == 0 && error0 == MAP_ERROR_NONE) error0 = MAP_ERROR_UNKNOWN;
+ if (dal60 == 0 && dar60 == 0 && error0 == MAP_ERROR_NONE) error0 = MAP_ERROR_NO_BINDING;
/* construct ipv6 header */
vlib_buffer_advance(p0, - (sizeof(ip6_header_t)));
*/
if (PREDICT_TRUE(error0 == MAP_ERROR_NONE)) {
if (PREDICT_FALSE(d0->mtu && (clib_net_to_host_u16(ip6h0->payload_length) + sizeof(*ip6h0) > d0->mtu))) {
- vnet_buffer(p0)->ip_frag.header_offset = sizeof(*ip6h0);
- vnet_buffer(p0)->ip_frag.next_index = IP4_FRAG_NEXT_IP6_LOOKUP;
- vnet_buffer(p0)->ip_frag.mtu = d0->mtu;
- vnet_buffer(p0)->ip_frag.flags = IP_FRAG_FLAG_IP6_HEADER;
- next0 = IP4_MAP_NEXT_FRAGMENT;
+ next0 = ip4_map_fragment(p0, d0->mtu, df0, &error0);
} else {
next0 = ip4_map_ip6_lookup_bypass(p0, ip40) ? IP4_MAP_NEXT_IP6_REWRITE : next0;
vlib_increment_combined_counter(cm + MAP_DOMAIN_COUNTER_TX, cpu_index, map_domain_index0, 1,
#ifdef MAP_SKIP_IP6_LOOKUP
[IP4_MAP_NEXT_IP6_REWRITE] = "ip6-rewrite",
#endif
- [IP4_MAP_NEXT_FRAGMENT] = "ip4-frag",
+ [IP4_MAP_NEXT_IP4_FRAGMENT] = "ip4-frag",
+ [IP4_MAP_NEXT_IP6_FRAGMENT] = "ip6-frag",
[IP4_MAP_NEXT_REASS] = "ip4-map-reass",
+ [IP4_MAP_NEXT_ICMP_ERROR] = "ip4-icmp-error",
[IP4_MAP_NEXT_DROP] = "error-drop",
},
};