MAP: Disable direct adjacency domain lookup for decap until IPv4 SA security check is fixed.
Change-Id: If85ea73629e46cb09757fe842d79507cf54e37f3
Signed-off-by: Ole Troan <ot@cisco.com>
+/*
+ * ip4_map_ttl
+ */
+static inline void
+ip4_map_decrement_ttl (ip4_header_t *ip, u8 *error)
+{
+ i32 ttl = ip->ttl;
+
+ /* Input node should have reject packets with ttl 0. */
+ ASSERT (ip->ttl > 0);
+
+ u32 checksum = ip->checksum + clib_host_to_net_u16(0x0100);
+ checksum += checksum >= 0xffff;
+ ip->checksum = checksum;
+ ttl -= 1;
+ ip->ttl = ttl;
+ *error = ttl <= 0 ? IP4_ERROR_TIME_EXPIRED : *error;
+
+ /* Verify checksum. */
+ ASSERT (ip->checksum == ip4_header_checksum(ip));
+}
+
*/
port0 = ip4_map_port_and_security_check(d0, ip40, &next0, &error0);
*/
port0 = ip4_map_port_and_security_check(d0, ip40, &next0, &error0);
+ /* Decrement IPv4 TTL */
+ ip4_map_decrement_ttl(ip40, &error0);
+
/* MAP calc */
u32 da40 = clib_net_to_host_u32(ip40->dst_address.as_u32);
u16 dp40 = clib_net_to_host_u16(port0);
/* MAP calc */
u32 da40 = clib_net_to_host_u32(ip40->dst_address.as_u32);
u16 dp40 = clib_net_to_host_u16(port0);
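Review bot: `ip4_map_decrement_ttl` writes `IP4_ERROR_TIME_EXPIRED` into `*error`, but the entry this commit adds to the error list, `_(IP4_ERROR_TIME_EXPIRED, "time expired")`, expands through `MAP_ERROR_##sym` to `MAP_ERROR_IP4_ERROR_TIME_EXPIRED`, which is a different symbol. The call site passes `&error0`, which presumably indexes this node's MAP error counters, so the ip4 enum value would be counted against an unrelated MAP error. I would name the entry `_(TIME_EXPIRED, "time expired")` and assign `MAP_ERROR_TIME_EXPIRED` in the helper. The assignment on the `*error = ttl <= 0 ? ...` line also replaces any error already set by `ip4_map_port_and_security_check`, so a packet that fails the security check and has an expired TTL is recorded only as time-expired; keeping the earlier error (`if (ttl <= 0 && *error == MAP_ERROR_NONE)`, assuming that is the no-error value) preserves the security counter.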
s = format(s, " RX: %lld/%lld", v.packets, v.bytes);
map_domain_counter_unlock(mm);
}
s = format(s, " RX: %lld/%lld", v.packets, v.bytes);
map_domain_counter_unlock(mm);
}
if (d->rules) {
int i;
ip6_address_t dst;
if (d->rules) {
int i;
ip6_address_t dst;
_(FRAGMENT_MEMORY, "could not cache fragment") \
_(FRAGMENT_MALFORMED, "fragment has unexpected format")\
_(FRAGMENT_DROPPED, "dropped cached fragment") \
_(FRAGMENT_MEMORY, "could not cache fragment") \
_(FRAGMENT_MALFORMED, "fragment has unexpected format")\
_(FRAGMENT_DROPPED, "dropped cached fragment") \
- _(MALFORMED, "malformed packet")
+ _(MALFORMED, "malformed packet") \
+ _(IP4_ERROR_TIME_EXPIRED, "time expired")
typedef enum {
#define _(sym,str) MAP_ERROR_##sym,
typedef enum {
#define _(sym,str) MAP_ERROR_##sym,
map_main_t *mm = &map_main;
ip4_main_t *im4 = &ip4_main;
ip_lookup_main_t *lm4 = &ip4_main.lookup_main;
map_main_t *mm = &map_main;
ip4_main_t *im4 = &ip4_main;
ip_lookup_main_t *lm4 = &ip4_main.lookup_main;
+
+ /*
+ * Disable direct MAP domain lookup on decap, until the security check is updated to verify IPv4 SA.
+ * (That's done implicitly when MAP domain is looked up in the IPv4 FIB)
+ */
+#ifdef MAP_NONSHARED_DOMAIN_ENABLED
ip_lookup_main_t *lm6 = &ip6_main.lookup_main;
ip_adjacency_t *adj = ip_get_adjacency(lm6, adj_index);
ASSERT(adj);
ip_lookup_main_t *lm6 = &ip6_main.lookup_main;
ip_adjacency_t *adj = ip_get_adjacency(lm6, adj_index);
ASSERT(adj);
*map_domain_index = p[0];
if (p[0] != ~0)
return pool_elt_at_index(mm->domains, p[0]);
*map_domain_index = p[0];
if (p[0] != ~0)
return pool_elt_at_index(mm->domains, p[0]);
u32 ai = ip4_fib_lookup_with_table(im4, 0, addr, 0);
ip_adjacency_t *adj4 = ip_get_adjacency (lm4, ai);
u32 ai = ip4_fib_lookup_with_table(im4, 0, addr, 0);
ip_adjacency_t *adj4 = ip_get_adjacency (lm4, ai);
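Review bot: The `#ifdef MAP_NONSHARED_DOMAIN_ENABLED` guard is the only thing keeping the adjacency shortcut off, yet no visible line defines the macro or warns what defining it does. The new comment should say so explicitly, for example `/* Do not define MAP_NONSHARED_DOMAIN_ENABLED until the security check verifies the IPv4 source address: the adjacency path returns the domain without the IPv4 FIB lookup that currently performs that check. */`. The matching `#endif` is not visible in this view; it needs to sit before the `ip4_fib_lookup_with_table` call so the FIB path stays unconditional. With the macro undefined, `adj_index` appears to go unused, which may need a `(void) adj_index;` under warnings-as-errors builds. The function body starts and continues outside the lines shown.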