2 * Copyright (c) 2015 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
17 #include <vnet/ip/ip_frag.h>
18 #include <vnet/ip/ip4_to_ip6.h>
19 #include <vnet/ip/ip6_to_ip4.h>
20 #include <vnet/ip/reass/ip4_sv_reass.h>
24 IP6_MAP_NEXT_IP4_LOOKUP,
25 #ifdef MAP_SKIP_IP6_LOOKUP
26 IP6_MAP_NEXT_IP4_REWRITE,
28 IP6_MAP_NEXT_IP6_REASS,
29 IP6_MAP_NEXT_IP4_REASS,
30 IP6_MAP_NEXT_IP4_FRAGMENT,
31 IP6_MAP_NEXT_IP6_ICMP_RELAY,
32 IP6_MAP_NEXT_IP6_LOCAL,
38 enum ip6_map_ip6_reass_next_e
40 IP6_MAP_IP6_REASS_NEXT_IP6_MAP,
41 IP6_MAP_IP6_REASS_NEXT_DROP,
42 IP6_MAP_IP6_REASS_N_NEXT,
45 enum ip6_map_post_ip4_reass_next_e
47 IP6_MAP_POST_IP4_REASS_NEXT_IP4_LOOKUP,
48 IP6_MAP_POST_IP4_REASS_NEXT_IP4_FRAGMENT,
49 IP6_MAP_POST_IP4_REASS_NEXT_DROP,
50 IP6_MAP_POST_IP4_REASS_N_NEXT,
53 enum ip6_icmp_relay_next_e
55 IP6_ICMP_RELAY_NEXT_IP4_LOOKUP,
56 IP6_ICMP_RELAY_NEXT_DROP,
57 IP6_ICMP_RELAY_N_NEXT,
60 vlib_node_registration_t ip6_map_post_ip4_reass_node;
61 vlib_node_registration_t ip6_map_ip6_reass_node;
62 static vlib_node_registration_t ip6_map_icmp_relay_node;
69 } map_ip6_map_ip4_reass_trace_t;
72 format_ip6_map_post_ip4_reass_trace (u8 * s, va_list * args)
74 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
75 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
76 map_ip6_map_ip4_reass_trace_t *t =
77 va_arg (*args, map_ip6_map_ip4_reass_trace_t *);
78 return format (s, "MAP domain index: %d L4 port: %u Status: %s",
79 t->map_domain_index, clib_net_to_host_u16 (t->port),
80 t->cached ? "cached" : "forwarded");
88 } map_ip6_map_ip6_reass_trace_t;
91 format_ip6_map_ip6_reass_trace (u8 * s, va_list * args)
93 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
94 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
95 map_ip6_map_ip6_reass_trace_t *t =
96 va_arg (*args, map_ip6_map_ip6_reass_trace_t *);
97 return format (s, "Offset: %d Fragment length: %d Status: %s", t->offset,
98 t->frag_len, t->out ? "out" : "in");
104 static_always_inline bool
105 ip6_map_sec_check (map_domain_t * d, u16 port, ip4_header_t * ip4,
108 u16 sp4 = clib_net_to_host_u16 (port);
109 u32 sa4 = clib_net_to_host_u32 (ip4->src_address.as_u32);
110 u64 sal6 = map_get_pfx (d, sa4, sp4);
111 u64 sar6 = map_get_sfx (d, sa4, sp4);
114 (sal6 != clib_net_to_host_u64 (ip6->src_address.as_u64[0])
115 || sar6 != clib_net_to_host_u64 (ip6->src_address.as_u64[1])))
120 static_always_inline void
121 ip6_map_security_check (map_domain_t * d, vlib_buffer_t * b0,
122 ip4_header_t * ip4, ip6_header_t * ip6, u32 * next,
125 map_main_t *mm = &map_main;
126 if (d->ea_bits_len || d->rules)
128 if (d->psid_length > 0)
130 if (!ip4_is_fragment (ip4))
132 u16 port = ip4_get_port (ip4, 1);
137 ip6_map_sec_check (d, port, ip4,
138 ip6) ? MAP_ERROR_NONE :
139 MAP_ERROR_DECAP_SEC_CHECK;
143 *error = MAP_ERROR_BAD_PROTOCOL;
148 if (mm->sec_check_frag)
150 vnet_buffer (b0)->ip.reass.next_index =
151 map_main.ip4_sv_reass_custom_next_index;
152 *next = IP6_MAP_NEXT_IP4_REASS;
159 static_always_inline bool
160 ip6_map_ip4_lookup_bypass (vlib_buffer_t * p0, ip4_header_t * ip)
162 #ifdef MAP_SKIP_IP6_LOOKUP
163 if (FIB_NODE_INDEX_INVALID != pre_resolved[FIB_PROTOCOL_IP4].fei)
165 vnet_buffer (p0)->ip.adj_index[VLIB_TX] =
166 pre_resolved[FIB_PROTOCOL_IP4].dpo.dpoi_index;
177 ip6_map (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
179 u32 n_left_from, *from, next_index, *to_next, n_left_to_next;
180 vlib_node_runtime_t *error_node =
181 vlib_node_get_runtime (vm, ip6_map_node.index);
182 map_main_t *mm = &map_main;
183 vlib_combined_counter_main_t *cm = mm->domain_counters;
184 u32 thread_index = vm->thread_index;
186 from = vlib_frame_vector_args (frame);
187 n_left_from = frame->n_vectors;
188 next_index = node->cached_next_index;
189 while (n_left_from > 0)
191 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
194 while (n_left_from >= 4 && n_left_to_next >= 2)
197 vlib_buffer_t *p0, *p1;
198 u8 error0 = MAP_ERROR_NONE;
199 u8 error1 = MAP_ERROR_NONE;
200 map_domain_t *d0 = 0, *d1 = 0;
201 ip4_header_t *ip40, *ip41;
202 ip6_header_t *ip60, *ip61;
203 u16 port0 = 0, port1 = 0;
204 u32 map_domain_index0 = ~0, map_domain_index1 = ~0;
205 u32 next0 = IP6_MAP_NEXT_IP4_LOOKUP;
206 u32 next1 = IP6_MAP_NEXT_IP4_LOOKUP;
208 /* Prefetch next iteration. */
210 vlib_buffer_t *p2, *p3;
212 p2 = vlib_get_buffer (vm, from[2]);
213 p3 = vlib_get_buffer (vm, from[3]);
215 vlib_prefetch_buffer_header (p2, LOAD);
216 vlib_prefetch_buffer_header (p3, LOAD);
218 /* IPv6 + IPv4 header + 8 bytes of ULP */
219 CLIB_PREFETCH (p2->data, 68, LOAD);
220 CLIB_PREFETCH (p3->data, 68, LOAD);
223 pi0 = to_next[0] = from[0];
224 pi1 = to_next[1] = from[1];
230 p0 = vlib_get_buffer (vm, pi0);
231 p1 = vlib_get_buffer (vm, pi1);
232 ip60 = vlib_buffer_get_current (p0);
233 ip61 = vlib_buffer_get_current (p1);
234 vlib_buffer_advance (p0, sizeof (ip6_header_t));
235 vlib_buffer_advance (p1, sizeof (ip6_header_t));
236 ip40 = vlib_buffer_get_current (p0);
237 ip41 = vlib_buffer_get_current (p1);
240 * Encapsulated IPv4 packet
241 * - IPv4 fragmented -> Pass to virtual reassembly unless security check disabled
242 * - Lookup/Rewrite or Fragment node in case of packet > MTU
243 * Fragmented IPv6 packet
245 * - Error -> Pass to ICMPv6/ICMPv4 relay
246 * - Info -> Pass to IPv6 local
247 * Anything else -> drop
250 (ip60->protocol == IP_PROTOCOL_IP_IN_IP
251 && clib_net_to_host_u16 (ip60->payload_length) > 20))
254 ip4_map_get_domain ((ip4_address_t *) & ip40->
255 src_address.as_u32, &map_domain_index0,
258 else if (ip60->protocol == IP_PROTOCOL_ICMP6 &&
259 clib_net_to_host_u16 (ip60->payload_length) >
260 sizeof (icmp46_header_t))
262 icmp46_header_t *icmp = (void *) (ip60 + 1);
263 next0 = (icmp->type == ICMP6_echo_request
265 ICMP6_echo_reply) ? IP6_MAP_NEXT_IP6_LOCAL :
266 IP6_MAP_NEXT_IP6_ICMP_RELAY;
268 else if (ip60->protocol == IP_PROTOCOL_IPV6_FRAGMENTATION)
270 next0 = IP6_MAP_NEXT_IP6_REASS;
274 error0 = MAP_ERROR_BAD_PROTOCOL;
277 (ip61->protocol == IP_PROTOCOL_IP_IN_IP
278 && clib_net_to_host_u16 (ip61->payload_length) > 20))
281 ip4_map_get_domain ((ip4_address_t *) & ip41->
282 src_address.as_u32, &map_domain_index1,
285 else if (ip61->protocol == IP_PROTOCOL_ICMP6 &&
286 clib_net_to_host_u16 (ip61->payload_length) >
287 sizeof (icmp46_header_t))
289 icmp46_header_t *icmp = (void *) (ip61 + 1);
290 next1 = (icmp->type == ICMP6_echo_request
292 ICMP6_echo_reply) ? IP6_MAP_NEXT_IP6_LOCAL :
293 IP6_MAP_NEXT_IP6_ICMP_RELAY;
295 else if (ip61->protocol == IP_PROTOCOL_IPV6_FRAGMENTATION)
297 next1 = IP6_MAP_NEXT_IP6_REASS;
301 error1 = MAP_ERROR_BAD_PROTOCOL;
306 /* MAP inbound security check */
307 ip6_map_security_check (d0, p0, ip40, ip60, &next0, &error0);
309 if (PREDICT_TRUE (error0 == MAP_ERROR_NONE &&
310 next0 == IP6_MAP_NEXT_IP4_LOOKUP))
314 && (clib_host_to_net_u16 (ip40->length) > d0->mtu)))
316 vnet_buffer (p0)->ip_frag.flags = 0;
317 vnet_buffer (p0)->ip_frag.next_index =
318 IP4_FRAG_NEXT_IP4_LOOKUP;
319 vnet_buffer (p0)->ip_frag.mtu = d0->mtu;
320 next0 = IP6_MAP_NEXT_IP4_FRAGMENT;
325 ip6_map_ip4_lookup_bypass (p0,
327 IP6_MAP_NEXT_IP4_REWRITE : next0;
329 vlib_increment_combined_counter (cm + MAP_DOMAIN_COUNTER_RX,
331 map_domain_index0, 1,
338 /* MAP inbound security check */
339 ip6_map_security_check (d1, p1, ip41, ip61, &next1, &error1);
341 if (PREDICT_TRUE (error1 == MAP_ERROR_NONE &&
342 next1 == IP6_MAP_NEXT_IP4_LOOKUP))
346 && (clib_host_to_net_u16 (ip41->length) > d1->mtu)))
348 vnet_buffer (p1)->ip_frag.flags = 0;
349 vnet_buffer (p1)->ip_frag.next_index =
350 IP4_FRAG_NEXT_IP4_LOOKUP;
351 vnet_buffer (p1)->ip_frag.mtu = d1->mtu;
352 next1 = IP6_MAP_NEXT_IP4_FRAGMENT;
357 ip6_map_ip4_lookup_bypass (p1,
359 IP6_MAP_NEXT_IP4_REWRITE : next1;
361 vlib_increment_combined_counter (cm + MAP_DOMAIN_COUNTER_RX,
363 map_domain_index1, 1,
369 if (PREDICT_FALSE (p0->flags & VLIB_BUFFER_IS_TRACED))
371 map_add_trace (vm, node, p0, map_domain_index0, port0);
374 if (PREDICT_FALSE (p1->flags & VLIB_BUFFER_IS_TRACED))
376 map_add_trace (vm, node, p1, map_domain_index1, port1);
379 if (error0 == MAP_ERROR_DECAP_SEC_CHECK && mm->icmp6_enabled)
381 /* Set ICMP parameters */
382 vlib_buffer_advance (p0, -sizeof (ip6_header_t));
383 icmp6_error_set_vnet_buffer (p0, ICMP6_destination_unreachable,
384 ICMP6_destination_unreachable_source_address_failed_policy,
386 next0 = IP6_MAP_NEXT_ICMP;
390 next0 = (error0 == MAP_ERROR_NONE) ? next0 : IP6_MAP_NEXT_DROP;
393 if (error1 == MAP_ERROR_DECAP_SEC_CHECK && mm->icmp6_enabled)
395 /* Set ICMP parameters */
396 vlib_buffer_advance (p1, -sizeof (ip6_header_t));
397 icmp6_error_set_vnet_buffer (p1, ICMP6_destination_unreachable,
398 ICMP6_destination_unreachable_source_address_failed_policy,
400 next1 = IP6_MAP_NEXT_ICMP;
404 next1 = (error1 == MAP_ERROR_NONE) ? next1 : IP6_MAP_NEXT_DROP;
408 if (next0 == IP6_MAP_NEXT_IP6_LOCAL)
409 vlib_buffer_advance (p0, -sizeof (ip6_header_t));
410 if (next1 == IP6_MAP_NEXT_IP6_LOCAL)
411 vlib_buffer_advance (p1, -sizeof (ip6_header_t));
413 p0->error = error_node->errors[error0];
414 p1->error = error_node->errors[error1];
415 vlib_validate_buffer_enqueue_x2 (vm, node, next_index, to_next,
416 n_left_to_next, pi0, pi1, next0,
421 while (n_left_from > 0 && n_left_to_next > 0)
425 u8 error0 = MAP_ERROR_NONE;
426 map_domain_t *d0 = 0;
430 u32 map_domain_index0 = ~0;
431 u32 next0 = IP6_MAP_NEXT_IP4_LOOKUP;
433 pi0 = to_next[0] = from[0];
439 p0 = vlib_get_buffer (vm, pi0);
440 ip60 = vlib_buffer_get_current (p0);
441 vlib_buffer_advance (p0, sizeof (ip6_header_t));
442 ip40 = vlib_buffer_get_current (p0);
445 * Encapsulated IPv4 packet
446 * - IPv4 fragmented -> Pass to virtual reassembly unless security check disabled
447 * - Lookup/Rewrite or Fragment node in case of packet > MTU
448 * Fragmented IPv6 packet
450 * - Error -> Pass to ICMPv6/ICMPv4 relay
451 * - Info -> Pass to IPv6 local
452 * Anything else -> drop
455 (ip60->protocol == IP_PROTOCOL_IP_IN_IP
456 && clib_net_to_host_u16 (ip60->payload_length) > 20))
459 ip4_map_get_domain ((ip4_address_t *) & ip40->
460 src_address.as_u32, &map_domain_index0,
463 else if (ip60->protocol == IP_PROTOCOL_ICMP6 &&
464 clib_net_to_host_u16 (ip60->payload_length) >
465 sizeof (icmp46_header_t))
467 icmp46_header_t *icmp = (void *) (ip60 + 1);
468 next0 = (icmp->type == ICMP6_echo_request
470 ICMP6_echo_reply) ? IP6_MAP_NEXT_IP6_LOCAL :
471 IP6_MAP_NEXT_IP6_ICMP_RELAY;
473 else if (ip60->protocol == IP_PROTOCOL_IPV6_FRAGMENTATION &&
474 (((ip6_frag_hdr_t *) (ip60 + 1))->next_hdr ==
475 IP_PROTOCOL_IP_IN_IP))
477 next0 = IP6_MAP_NEXT_IP6_REASS;
481 /* XXX: Move get_domain to ip6_get_domain lookup on source */
482 //error0 = MAP_ERROR_BAD_PROTOCOL;
483 vlib_buffer_advance (p0, -sizeof (ip6_header_t));
484 vnet_feature_next (&next0, p0);
489 /* MAP inbound security check */
490 ip6_map_security_check (d0, p0, ip40, ip60, &next0, &error0);
492 if (PREDICT_TRUE (error0 == MAP_ERROR_NONE &&
493 next0 == IP6_MAP_NEXT_IP4_LOOKUP))
497 && (clib_host_to_net_u16 (ip40->length) > d0->mtu)))
499 vnet_buffer (p0)->ip_frag.flags = 0;
500 vnet_buffer (p0)->ip_frag.next_index =
501 IP4_FRAG_NEXT_IP4_LOOKUP;
502 vnet_buffer (p0)->ip_frag.mtu = d0->mtu;
503 next0 = IP6_MAP_NEXT_IP4_FRAGMENT;
508 ip6_map_ip4_lookup_bypass (p0,
510 IP6_MAP_NEXT_IP4_REWRITE : next0;
512 vlib_increment_combined_counter (cm + MAP_DOMAIN_COUNTER_RX,
514 map_domain_index0, 1,
520 if (PREDICT_FALSE (p0->flags & VLIB_BUFFER_IS_TRACED))
522 map_add_trace (vm, node, p0, map_domain_index0, port0);
525 if (mm->icmp6_enabled &&
526 (error0 == MAP_ERROR_DECAP_SEC_CHECK
527 || error0 == MAP_ERROR_NO_DOMAIN))
529 /* Set ICMP parameters */
530 vlib_buffer_advance (p0, -sizeof (ip6_header_t));
531 icmp6_error_set_vnet_buffer (p0, ICMP6_destination_unreachable,
532 ICMP6_destination_unreachable_source_address_failed_policy,
534 next0 = IP6_MAP_NEXT_ICMP;
538 next0 = (error0 == MAP_ERROR_NONE) ? next0 : IP6_MAP_NEXT_DROP;
542 if (next0 == IP6_MAP_NEXT_IP6_LOCAL)
543 vlib_buffer_advance (p0, -sizeof (ip6_header_t));
545 p0->error = error_node->errors[error0];
546 vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
547 n_left_to_next, pi0, next0);
549 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
552 return frame->n_vectors;
556 static_always_inline void
557 ip6_map_ip6_reass_prepare (vlib_main_t * vm, vlib_node_runtime_t * node,
558 map_ip6_reass_t * r, u32 ** fragments_ready,
559 u32 ** fragments_to_drop)
563 ip6_frag_hdr_t *frag0;
566 if (!r->ip4_header.ip_version_and_header_length)
569 //The IP header is here, we need to check for packets
570 //that can be forwarded
572 for (i = 0; i < MAP_IP6_REASS_MAX_FRAGMENTS_PER_REASSEMBLY; i++)
574 if (r->fragments[i].pi == ~0 ||
575 ((!r->fragments[i].next_data_len)
576 && (r->fragments[i].next_data_offset != (0xffff))))
579 p0 = vlib_get_buffer (vm, r->fragments[i].pi);
580 ip60 = vlib_buffer_get_current (p0);
581 frag0 = (ip6_frag_hdr_t *) (ip60 + 1);
582 ip40 = (ip4_header_t *) (frag0 + 1);
584 if (ip6_frag_hdr_offset (frag0))
586 //Not first fragment, add the IPv4 header
587 clib_memcpy_fast (ip40, &r->ip4_header, 20);
590 #ifdef MAP_IP6_REASS_COUNT_BYTES
592 clib_net_to_host_u16 (ip60->payload_length) - sizeof (*frag0);
595 if (ip6_frag_hdr_more (frag0))
597 //Not last fragment, we copy end of next
598 clib_memcpy_fast (u8_ptr_add (ip60, p0->current_length),
599 r->fragments[i].next_data, 20);
600 p0->current_length += 20;
601 ip60->payload_length = u16_net_add (ip60->payload_length, 20);
604 if (!ip4_is_fragment (ip40))
606 ip40->fragment_id = frag_id_6to4 (frag0->identification);
607 ip40->flags_and_fragment_offset =
608 clib_host_to_net_u16 (ip6_frag_hdr_offset (frag0));
612 ip40->flags_and_fragment_offset =
613 clib_host_to_net_u16 (ip4_get_fragment_offset (ip40) +
614 ip6_frag_hdr_offset (frag0));
617 if (ip6_frag_hdr_more (frag0))
618 ip40->flags_and_fragment_offset |=
619 clib_host_to_net_u16 (IP4_HEADER_FLAG_MORE_FRAGMENTS);
622 clib_host_to_net_u16 (p0->current_length - sizeof (*ip60) -
624 ip40->checksum = ip4_header_checksum (ip40);
626 if (PREDICT_FALSE (p0->flags & VLIB_BUFFER_IS_TRACED))
628 map_ip6_map_ip6_reass_trace_t *tr =
629 vlib_add_trace (vm, node, p0, sizeof (*tr));
630 tr->offset = ip4_get_fragment_offset (ip40);
631 tr->frag_len = clib_net_to_host_u16 (ip40->length) - sizeof (*ip40);
635 vec_add1 (*fragments_ready, r->fragments[i].pi);
636 r->fragments[i].pi = ~0;
637 r->fragments[i].next_data_len = 0;
638 r->fragments[i].next_data_offset = 0;
639 map_main.ip6_reass_buffered_counter--;
641 //TODO: Best solution would be that ip6_map handles extension headers
642 // and ignores atomic fragment. But in the meantime, let's just copy the header.
644 u8 protocol = frag0->next_hdr;
645 memmove (u8_ptr_add (ip40, -sizeof (*ip60)), ip60, sizeof (*ip60));
646 ((ip6_header_t *) u8_ptr_add (ip40, -sizeof (*ip60)))->protocol =
648 vlib_buffer_advance (p0, sizeof (*frag0));
653 map_ip6_drop_pi (u32 pi)
655 vlib_main_t *vm = vlib_get_main ();
656 vlib_node_runtime_t *n =
657 vlib_node_get_runtime (vm, ip6_map_ip6_reass_node.index);
658 vlib_set_next_frame_buffer (vm, n, IP6_MAP_IP6_REASS_NEXT_DROP, pi);
663 * TODO: We should count the number of successfully
664 * transmitted fragment bytes and compare that to the last fragment
665 * offset such that we can free the reassembly structure when all fragments
666 * have been forwarded.
669 ip6_map_ip6_reass (vlib_main_t * vm,
670 vlib_node_runtime_t * node, vlib_frame_t * frame)
672 u32 n_left_from, *from, next_index, *to_next, n_left_to_next;
673 vlib_node_runtime_t *error_node =
674 vlib_node_get_runtime (vm, ip6_map_ip6_reass_node.index);
675 u32 *fragments_to_drop = NULL;
676 u32 *fragments_ready = NULL;
678 from = vlib_frame_vector_args (frame);
679 n_left_from = frame->n_vectors;
680 next_index = node->cached_next_index;
681 while (n_left_from > 0)
683 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
686 while (n_left_from > 0 && n_left_to_next > 0)
690 u8 error0 = MAP_ERROR_NONE;
692 ip6_frag_hdr_t *frag0;
697 pi0 = to_next[0] = from[0];
703 p0 = vlib_get_buffer (vm, pi0);
704 ip60 = vlib_buffer_get_current (p0);
705 frag0 = (ip6_frag_hdr_t *) (ip60 + 1);
707 clib_host_to_net_u16 (frag0->fragment_offset_and_more) & (~7);
709 clib_net_to_host_u16 (ip60->payload_length) - sizeof (*frag0);
711 ip6_frag_hdr_more (frag0) ? (offset + frag_len) : (0xffff);
713 //FIXME: Support other extension headers, maybe
715 if (PREDICT_FALSE (p0->flags & VLIB_BUFFER_IS_TRACED))
717 map_ip6_map_ip6_reass_trace_t *tr =
718 vlib_add_trace (vm, node, p0, sizeof (*tr));
720 tr->frag_len = frag_len;
724 map_ip6_reass_lock ();
726 map_ip6_reass_get (&ip60->src_address, &ip60->dst_address,
727 frag0->identification, frag0->next_hdr,
729 //FIXME: Use better error codes
730 if (PREDICT_FALSE (!r))
732 // Could not create a caching entry
733 error0 = MAP_ERROR_FRAGMENT_MEMORY;
735 else if (PREDICT_FALSE ((frag_len <= 20 &&
736 (ip6_frag_hdr_more (frag0) || (!offset)))))
738 //Very small fragment are restricted to the last one and
739 //can't be the first one
740 error0 = MAP_ERROR_FRAGMENT_MALFORMED;
743 if (map_ip6_reass_add_fragment
744 (r, pi0, offset, next_offset, (u8 *) (frag0 + 1), frag_len))
746 map_ip6_reass_free (r, &fragments_to_drop);
747 error0 = MAP_ERROR_FRAGMENT_MEMORY;
751 #ifdef MAP_IP6_REASS_COUNT_BYTES
752 if (!ip6_frag_hdr_more (frag0))
753 r->expected_total = offset + frag_len;
755 ip6_map_ip6_reass_prepare (vm, node, r, &fragments_ready,
757 #ifdef MAP_IP6_REASS_COUNT_BYTES
758 if (r->forwarded >= r->expected_total)
759 map_ip6_reass_free (r, &fragments_to_drop);
762 map_ip6_reass_unlock ();
764 if (error0 == MAP_ERROR_NONE)
774 //All data from that packet was copied no need to keep it, but this is not an error
775 p0->error = error_node->errors[MAP_ERROR_NONE];
776 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
777 to_next, n_left_to_next,
779 IP6_MAP_IP6_REASS_NEXT_DROP);
784 p0->error = error_node->errors[error0];
785 vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
787 IP6_MAP_IP6_REASS_NEXT_DROP);
790 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
793 map_send_all_to_node (vm, fragments_ready, node,
794 &error_node->errors[MAP_ERROR_NONE],
795 IP6_MAP_IP6_REASS_NEXT_IP6_MAP);
796 map_send_all_to_node (vm, fragments_to_drop, node,
797 &error_node->errors[MAP_ERROR_FRAGMENT_DROPPED],
798 IP6_MAP_IP6_REASS_NEXT_DROP);
800 vec_free (fragments_to_drop);
801 vec_free (fragments_ready);
802 return frame->n_vectors;
806 * ip6_map_post_ip4_reass
809 ip6_map_post_ip4_reass (vlib_main_t * vm,
810 vlib_node_runtime_t * node, vlib_frame_t * frame)
812 u32 n_left_from, *from, next_index, *to_next, n_left_to_next;
813 vlib_node_runtime_t *error_node =
814 vlib_node_get_runtime (vm, ip6_map_post_ip4_reass_node.index);
815 map_main_t *mm = &map_main;
816 vlib_combined_counter_main_t *cm = mm->domain_counters;
817 u32 thread_index = vm->thread_index;
819 from = vlib_frame_vector_args (frame);
820 n_left_from = frame->n_vectors;
821 next_index = node->cached_next_index;
822 while (n_left_from > 0)
824 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
827 while (n_left_from > 0 && n_left_to_next > 0)
831 u8 error0 = MAP_ERROR_NONE;
836 u32 map_domain_index0 = ~0;
837 u32 next0 = IP6_MAP_POST_IP4_REASS_NEXT_IP4_LOOKUP;
839 pi0 = to_next[0] = from[0];
845 p0 = vlib_get_buffer (vm, pi0);
846 ip40 = vlib_buffer_get_current (p0);
847 ip60 = ((ip6_header_t *) ip40) - 1;
850 ip4_map_get_domain ((ip4_address_t *) & ip40->src_address.as_u32,
851 &map_domain_index0, &error0);
853 port0 = vnet_buffer (p0)->ip.reass.l4_src_port;
855 if (PREDICT_TRUE (error0 == MAP_ERROR_NONE))
857 ip6_map_sec_check (d0, port0, ip40,
858 ip60) ? MAP_ERROR_NONE :
859 MAP_ERROR_DECAP_SEC_CHECK;
862 (d0->mtu && (clib_host_to_net_u16 (ip40->length) > d0->mtu)
863 && error0 == MAP_ERROR_NONE))
865 vnet_buffer (p0)->ip_frag.flags = 0;
866 vnet_buffer (p0)->ip_frag.next_index = IP4_FRAG_NEXT_IP4_LOOKUP;
867 vnet_buffer (p0)->ip_frag.mtu = d0->mtu;
868 next0 = IP6_MAP_POST_IP4_REASS_NEXT_IP4_FRAGMENT;
871 if (PREDICT_FALSE (p0->flags & VLIB_BUFFER_IS_TRACED))
873 map_ip6_map_ip4_reass_trace_t *tr =
874 vlib_add_trace (vm, node, p0, sizeof (*tr));
875 tr->map_domain_index = map_domain_index0;
879 if (error0 == MAP_ERROR_NONE)
880 vlib_increment_combined_counter (cm + MAP_DOMAIN_COUNTER_RX,
882 map_domain_index0, 1,
887 MAP_ERROR_NONE) ? next0 : IP6_MAP_POST_IP4_REASS_NEXT_DROP;
888 p0->error = error_node->errors[error0];
889 vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
890 n_left_to_next, pi0, next0);
893 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
895 return frame->n_vectors;
902 ip6_map_icmp_relay (vlib_main_t * vm,
903 vlib_node_runtime_t * node, vlib_frame_t * frame)
905 u32 n_left_from, *from, next_index, *to_next, n_left_to_next;
906 vlib_node_runtime_t *error_node =
907 vlib_node_get_runtime (vm, ip6_map_icmp_relay_node.index);
908 map_main_t *mm = &map_main;
909 u32 thread_index = vm->thread_index;
910 u16 *fragment_ids, *fid;
912 from = vlib_frame_vector_args (frame);
913 n_left_from = frame->n_vectors;
914 next_index = node->cached_next_index;
916 /* Get random fragment IDs for replies. */
918 clib_random_buffer_get_data (&vm->random_buffer,
919 n_left_from * sizeof (fragment_ids[0]));
921 while (n_left_from > 0)
923 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
926 while (n_left_from > 0 && n_left_to_next > 0)
930 u8 error0 = MAP_ERROR_NONE;
932 u32 next0 = IP6_ICMP_RELAY_NEXT_IP4_LOOKUP;
935 pi0 = to_next[0] = from[0];
941 p0 = vlib_get_buffer (vm, pi0);
942 ip60 = vlib_buffer_get_current (p0);
943 u16 tlen = clib_net_to_host_u16 (ip60->payload_length);
950 * Original IPv4 header / packet
954 * Original IPv4 header / packet
957 /* Need at least ICMP(8) + IPv6(40) + IPv4(20) + L4 header(8) */
960 error0 = MAP_ERROR_ICMP_RELAY;
964 icmp46_header_t *icmp60 = (icmp46_header_t *) (ip60 + 1);
965 ip6_header_t *inner_ip60 = (ip6_header_t *) (icmp60 + 2);
967 if (inner_ip60->protocol != IP_PROTOCOL_IP_IN_IP)
969 error0 = MAP_ERROR_ICMP_RELAY;
973 ip4_header_t *inner_ip40 = (ip4_header_t *) (inner_ip60 + 1);
974 vlib_buffer_advance (p0, 60); /* sizeof ( IPv6 + ICMP + IPv6 - IPv4 - ICMP ) */
975 ip4_header_t *new_ip40 = vlib_buffer_get_current (p0);
976 icmp46_header_t *new_icmp40 = (icmp46_header_t *) (new_ip40 + 1);
979 * Relay according to RFC2473, section 8.3
981 switch (icmp60->type)
983 case ICMP6_destination_unreachable:
984 case ICMP6_time_exceeded:
985 case ICMP6_parameter_problem:
986 /* Type 3 - destination unreachable, Code 1 - host unreachable */
987 new_icmp40->type = ICMP4_destination_unreachable;
989 ICMP4_destination_unreachable_destination_unreachable_host;
992 case ICMP6_packet_too_big:
993 /* Type 3 - destination unreachable, Code 4 - packet too big */
994 /* Potential TODO: Adjust domain tunnel MTU based on the value received here */
995 mtu = clib_net_to_host_u32 (*((u32 *) (icmp60 + 1)));
999 (inner_ip40->flags_and_fragment_offset &
1000 clib_host_to_net_u16 (IP4_HEADER_FLAG_DONT_FRAGMENT)))
1002 error0 = MAP_ERROR_ICMP_RELAY;
1006 new_icmp40->type = ICMP4_destination_unreachable;
1008 ICMP4_destination_unreachable_fragmentation_needed_and_dont_fragment_set;
1009 *((u32 *) (new_icmp40 + 1)) =
1010 clib_host_to_net_u32 (mtu < 1280 ? 1280 : mtu);
1014 error0 = MAP_ERROR_ICMP_RELAY;
1019 * Ensure the total ICMP packet is no longer than 576 bytes (RFC1812)
1021 new_ip40->ip_version_and_header_length = 0x45;
1023 u16 nlen = (tlen - 20) > 576 ? 576 : tlen - 20;
1024 new_ip40->length = clib_host_to_net_u16 (nlen);
1025 new_ip40->fragment_id = fid[0];
1028 new_ip40->protocol = IP_PROTOCOL_ICMP;
1029 new_ip40->src_address = mm->icmp4_src_address;
1030 new_ip40->dst_address = inner_ip40->src_address;
1031 new_ip40->checksum = ip4_header_checksum (new_ip40);
1033 new_icmp40->checksum = 0;
1034 ip_csum_t sum = ip_incremental_checksum (0, new_icmp40, nlen - 20);
1035 new_icmp40->checksum = ~ip_csum_fold (sum);
1037 vlib_increment_simple_counter (&mm->icmp_relayed, thread_index, 0,
1041 if (PREDICT_FALSE (p0->flags & VLIB_BUFFER_IS_TRACED))
1043 map_trace_t *tr = vlib_add_trace (vm, node, p0, sizeof (*tr));
1044 tr->map_domain_index = 0;
1049 (error0 == MAP_ERROR_NONE) ? next0 : IP6_ICMP_RELAY_NEXT_DROP;
1050 p0->error = error_node->errors[error0];
1051 vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
1052 n_left_to_next, pi0, next0);
1054 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1057 return frame->n_vectors;
1061 static char *map_error_strings[] = {
1062 #define _(sym,string) string,
1068 VNET_FEATURE_INIT (ip6_map_feature, static) =
1070 .arc_name = "ip6-unicast",
1071 .node_name = "ip6-map",
1072 .runs_before = VNET_FEATURES ("ip6-flow-classify"),
1075 VLIB_REGISTER_NODE(ip6_map_node) = {
1076 .function = ip6_map,
1078 .vector_size = sizeof(u32),
1079 .format_trace = format_map_trace,
1080 .type = VLIB_NODE_TYPE_INTERNAL,
1082 .n_errors = MAP_N_ERROR,
1083 .error_strings = map_error_strings,
1085 .n_next_nodes = IP6_MAP_N_NEXT,
1087 [IP6_MAP_NEXT_IP4_LOOKUP] = "ip4-lookup",
1088 #ifdef MAP_SKIP_IP6_LOOKUP
1089 [IP6_MAP_NEXT_IP4_REWRITE] = "ip4-load-balance",
1091 [IP6_MAP_NEXT_IP6_REASS] = "ip6-map-ip6-reass",
1092 [IP6_MAP_NEXT_IP4_REASS] = "ip4-sv-reassembly-custom-next",
1093 [IP6_MAP_NEXT_IP4_FRAGMENT] = "ip4-frag",
1094 [IP6_MAP_NEXT_IP6_ICMP_RELAY] = "ip6-map-icmp-relay",
1095 [IP6_MAP_NEXT_IP6_LOCAL] = "ip6-local",
1096 [IP6_MAP_NEXT_DROP] = "error-drop",
1097 [IP6_MAP_NEXT_ICMP] = "ip6-icmp-error",
1103 VLIB_REGISTER_NODE(ip6_map_ip6_reass_node) = {
1104 .function = ip6_map_ip6_reass,
1105 .name = "ip6-map-ip6-reass",
1106 .vector_size = sizeof(u32),
1107 .format_trace = format_ip6_map_ip6_reass_trace,
1108 .type = VLIB_NODE_TYPE_INTERNAL,
1109 .n_errors = MAP_N_ERROR,
1110 .error_strings = map_error_strings,
1111 .n_next_nodes = IP6_MAP_IP6_REASS_N_NEXT,
1113 [IP6_MAP_IP6_REASS_NEXT_IP6_MAP] = "ip6-map",
1114 [IP6_MAP_IP6_REASS_NEXT_DROP] = "error-drop",
1120 VLIB_REGISTER_NODE(ip6_map_post_ip4_reass_node) = {
1121 .function = ip6_map_post_ip4_reass,
1122 .name = "ip6-map-post-ip4-reass",
1123 .vector_size = sizeof(u32),
1124 .format_trace = format_ip6_map_post_ip4_reass_trace,
1125 .type = VLIB_NODE_TYPE_INTERNAL,
1126 .n_errors = MAP_N_ERROR,
1127 .error_strings = map_error_strings,
1128 .n_next_nodes = IP6_MAP_POST_IP4_REASS_N_NEXT,
1130 [IP6_MAP_POST_IP4_REASS_NEXT_IP4_LOOKUP] = "ip4-lookup",
1131 [IP6_MAP_POST_IP4_REASS_NEXT_IP4_FRAGMENT] = "ip4-frag",
1132 [IP6_MAP_POST_IP4_REASS_NEXT_DROP] = "error-drop",
1138 VLIB_REGISTER_NODE(ip6_map_icmp_relay_node, static) = {
1139 .function = ip6_map_icmp_relay,
1140 .name = "ip6-map-icmp-relay",
1141 .vector_size = sizeof(u32),
1142 .format_trace = format_map_trace, //FIXME
1143 .type = VLIB_NODE_TYPE_INTERNAL,
1144 .n_errors = MAP_N_ERROR,
1145 .error_strings = map_error_strings,
1146 .n_next_nodes = IP6_ICMP_RELAY_N_NEXT,
1148 [IP6_ICMP_RELAY_NEXT_IP4_LOOKUP] = "ip4-lookup",
1149 [IP6_ICMP_RELAY_NEXT_DROP] = "error-drop",
1155 ip6_map_init (vlib_main_t * vm)
1157 map_main.ip4_sv_reass_custom_next_index =
1158 ip4_sv_reass_custom_register_next_node
1159 (ip6_map_post_ip4_reass_node.index);
1163 VLIB_INIT_FUNCTION (ip6_map_init) =
1165 .runs_after = VLIB_INITS ("map_init"),};
1168 * fd.io coding-style-patch-verification: ON
1171 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob