map: fix ip4-map-t DF behavior

ip4_is_fragment(header)
or ip4_is_first_fragment(header) didn't changed
when packet with fragmentation needed arrives.

This patch checks DF flag and MTU with packet
length and if DF is set and length > MTU, packet
is dropped. In case if ignore_df is set, DF flag
makes no sense.

Type: fix
Fixes: d6d50cebde647f9a5ee7251a7fef977506f315d7

Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com>
Change-Id: I720e25167c19a0b13ac5fdfb41b12c0bbdc00d09

diff --git a/src/plugins/map/ip4_map_t.c b/src/plugins/map/ip4_map_t.c
index a02b554..dca3284 100644 (file)
--- a/src/plugins/map/ip4_map_t.c
+++ b/src/plugins/map/ip4_map_t.c
@@ -575,6 +575,18 @@ ip4_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
              goto exit;
            }
 
+         bool df0 =
+           ip40->flags_and_fragment_offset &
+           clib_host_to_net_u16 (IP4_HEADER_FLAG_DONT_FRAGMENT);
+
+         if (PREDICT_FALSE
+             (df0 && !map_main.frag_ignore_df && (ip4_len0 > d0->mtu)))
+           {
+             p0->error = error_node->errors[MAP_ERROR_FRAGMENT_DROPPED];
+             next0 = IP4_MAPT_NEXT_DROP;
+             goto exit;
+           }
+
          vnet_buffer (p0)->map_t.mtu = d0->mtu ? d0->mtu : ~0;
 
          dst_port0 = -1;
@@ -601,17 +613,6 @@ ip4_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
          pheader0->daddr.as_u64[1] =
            map_get_sfx_net (d0, ip40->dst_address.as_u32, (u16) dst_port0);
 
-         bool df0 =
-           ip40->flags_and_fragment_offset &
-           clib_host_to_net_u16 (IP4_HEADER_FLAG_DONT_FRAGMENT);
-
-         if (PREDICT_TRUE (ip4_is_first_fragment (ip40) && df0))
-           {
-             p0->error = error_node->errors[MAP_ERROR_FRAGMENT_DROPPED];
-             next0 = IP4_MAPT_NEXT_MAPT_FRAGMENTED;
-             goto exit;
-           }
-
          if (PREDICT_TRUE
              (error0 == MAP_ERROR_NONE && next0 != IP4_MAPT_NEXT_MAPT_ICMP))
            {