vlib_combined_counter_main_t *domain_counters;
volatile u32 *counter_lock;
- /* Global counters */
- vlib_simple_counter_main_t icmp_relayed;
-
#ifdef MAP_SKIP_IP6_LOOKUP
/* pre-presolve */
u32 adj6_index, adj4_index;
/* Traffic class: zero, copy (~0) or fixed value */
u8 tc;
bool tc_copy;
- bool sec_check;
- bool sec_check_frag;
+
+ bool sec_check; /* Inbound security check */
+ bool sec_check_frag; /* Inbound security check for (subsequent) fragments */
+ bool icmp6_enabled; /* Send destination unreachable for security check failure */
/* ICMPv6 -> ICMPv4 relay parameters */
- ip4_address_t icmp_src_address;
+ ip4_address_t icmp4_src_address;
+ vlib_simple_counter_main_t icmp_relayed;
/* convenience */
vlib_main_t *vlib_main;
/*
* IPv4 encap and decap reassembly
*/
- //Conf
+ /* Configuration */
f32 ip4_reass_conf_ht_ratio; //Size of ht is 2^ceil(log2(ratio*pool_size))
u16 ip4_reass_conf_pool_size; //Max number of allocated reass structures
u16 ip4_reass_conf_lifetime_ms; //Time a reassembly struct is considered valid in ms
u32 ip4_reass_conf_buffers; //Maximum number of buffers used by ip4 reassembly
- //Runtime
+ /* Runtime */
map_ip4_reass_t *ip4_reass_pool;
u8 ip4_reass_ht_log2len; //Hash table size is 2^log2len
u16 ip4_reass_allocated;
u16 ip4_reass_fifo_last;
volatile u32 *ip4_reass_lock;
- //Counters
+ /* Counters */
u32 ip4_reass_buffered_counter;
+ bool frag_inner; /* Inner or outer fragmentation */
+ bool frag_ignore_df; /* Fragment (outer) packet even if DF is set */
+
/*
* IPv6 decap reassembly
*/
- //Conf
+ /* Configuration */
f32 ip6_reass_conf_ht_ratio; //Size of ht is 2^ceil(log2(ratio*pool_size))
u16 ip6_reass_conf_pool_size; //Max number of allocated reass structures
u16 ip6_reass_conf_lifetime_ms; //Time a reassembly struct is considered valid in ms
u32 ip6_reass_conf_buffers; //Maximum number of buffers used by ip6 reassembly
- //Runtime
+ /* Runtime */
map_ip6_reass_t *ip6_reass_pool;
u8 ip6_reass_ht_log2len; //Hash table size is 2^log2len
u16 ip6_reass_allocated;
u16 ip6_reass_fifo_last;
volatile u32 *ip6_reass_lock;
- //Counters
+ /* Counters */
u32 ip6_reass_buffered_counter;
} map_main_t;
/*
- * TODO: Remove SEC_CHECK / TRANSLATED_4TO6 / TRANSLATED_6TO4
+ * MAP Error counters/messages
*/
#define foreach_map_error \
/* Must be first. */ \
_(NONE, "valid MAP packets") \
_(BAD_PROTOCOL, "bad protocol") \
- _(WRONG_ICMP_TYPE, "wrong icmp type") \
_(SEC_CHECK, "security check failed") \
_(ENCAP_SEC_CHECK, "encap security check failed") \
_(DECAP_SEC_CHECK, "decap security check failed") \
_(ICMP, "unable to translate ICMP") \
_(ICMP_RELAY, "unable to relay ICMP") \
_(UNKNOWN, "unknown") \
+ _(NO_BINDING, "no binding") \
_(NO_DOMAIN, "no domain") \
_(FRAGMENTED, "packet is a fragment") \
_(FRAGMENT_MEMORY, "could not cache fragment") \
_(FRAGMENT_MALFORMED, "fragment has unexpected format")\
_(FRAGMENT_DROPPED, "dropped cached fragment") \
- _(MALFORMED, "malformed packet")
+ _(MALFORMED, "malformed packet") \
+ _(DF_SET, "can't fragment, DF set")
typedef enum {
#define _(sym,str) MAP_ERROR_##sym,
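Review bot: `icmp6_enabled` is documented as sending destination unreachable on security check failure, so the node will presumably be answering packets whose source has just failed validation; the field comment should say that and state the expected default. Something like `bool icmp6_enabled; /* Send ICMPv6 destination unreachable on security check failure (reply goes to an unverified source; keep rate limited) */` would do. Where the flag is initialised and whether those replies are rate limited is not visible in this hunk, so confirm both before it can default to on. Separately, `frag_inner` and `frag_ignore_df` land directly under the `/* Counters */` heading of the IPv4 reassembly group although their comments describe configuration. The generic `SEC_CHECK` error also stays next to `ENCAP_SEC_CHECK`/`DECAP_SEC_CHECK` while the TODO that tracked its removal is dropped.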
map_main_t *mm = &map_main;
ip4_main_t *im4 = &ip4_main;
ip_lookup_main_t *lm4 = &ip4_main.lookup_main;
+
+ /*
+ * Disable direct MAP domain lookup on decap, until the security check is updated to verify IPv4 SA.
+ * (That's done implicitly when MAP domain is looked up in the IPv4 FIB)
+ */
+#ifdef MAP_NONSHARED_DOMAIN_ENABLED
ip_lookup_main_t *lm6 = &ip6_main.lookup_main;
ip_adjacency_t *adj = ip_get_adjacency(lm6, adj_index);
ASSERT(adj);
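Review bot: The comment above `#ifdef MAP_NONSHARED_DOMAIN_ENABLED` explains why the direct domain lookup is off, but not that defining the macro brings back a decap path that returns the domain before the IPv4 source address has been verified. I would make that explicit at the guard, e.g. `/* Do not define MAP_NONSHARED_DOMAIN_ENABLED until the security check verifies the IPv4 SA */`, so a build flag cannot quietly re-enable it. With the block compiled out, the `*map_domain_index = p[0];` assignment a few lines further down is gone as well; whether the FIB lookup path sets `*map_domain_index` on every return is not visible here and should be checked. The matching `#endif` and the rest of the function body lie outside this hunk.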
*map_domain_index = p[0];
if (p[0] != ~0)
return pool_elt_at_index(mm->domains, p[0]);
+#endif
u32 ai = ip4_fib_lookup_with_table(im4, 0, addr, 0);
ip_adjacency_t *adj4 = ip_get_adjacency (lm4, ai);