map: fix MAP-T ip6 port check 00/23800/2
authorMatthew Smith <mgsmith@netgate.com>
Wed, 4 Dec 2019 21:02:46 +0000 (15:02 -0600)
committerMatthew Smith <mgsmith@netgate.com>
Thu, 5 Dec 2019 16:24:41 +0000 (10:24 -0600)
Type: fix
Ticket: VPP-1804

Fix a regression introduced by 640edcd90.

The port set ID on received IPv6 packets for MAP-T was being
checked against the destination port. It should be checked
against the source port.

Added a new unit test to verify that a v6 packet with a good
source port is translated and forwarded and a v6 packet with
a bad source port is dropped. The important part of the test
which will prevent similar future regressions is that the
source port and destination port are not equal. The existing
unit test used the same source and destination port which is
why it did not fail when the regression was introduced.

Change-Id: Idc144ea509722bb9e0f80b3887d220384a04e6d6
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
src/plugins/map/ip6_map_t.c
src/plugins/map/test/test_map.py

index ef7b913..7999507 100644 (file)
@@ -491,7 +491,7 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
          n_left_to_next -= 1;
          error0 = MAP_ERROR_NONE;
          p0 = vlib_get_buffer (vm, pi0);
-         u16 l4_dst_port = vnet_buffer (p0)->ip.reass.l4_dst_port;
+         u16 l4_src_port = vnet_buffer (p0)->ip.reass.l4_src_port;
 
          ip60 = vlib_buffer_get_current (p0);
 
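Review bot: The choice of `l4_src_port` is the whole fix, yet nothing at the declaration says why the source port is the one being validated, so the next refactor could swap it back just as quietly. On the v6-to-v4 path the port set ID check is what keeps a sender within its assigned port set, so I would add a comment above the declaration such as `/* v6->v4: PSID is validated against the sender's L4 source port, never the destination */`. The same reasoning covers the four `map_port0 = l4_src_port;` assignments in the following hunks (the fragmented branch, the two `IP6_MAPT_NEXT_MAPT_TCP_UDP` branches and the ICMPv6 echo branch). The declaration also sits after executable statements in the loop body; the top of that block and the code that consumes `map_port0` are both outside this hunk.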
@@ -534,7 +534,7 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
              (vnet_buffer (p0)->map_t.v6.frag_offset
               && ip6_frag_hdr_offset (frag0)))
            {
-             map_port0 = l4_dst_port;
+             map_port0 = l4_src_port;
              next0 = IP6_MAPT_NEXT_MAPT_FRAGMENTED;
            }
          else
@@ -547,7 +547,7 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
              vnet_buffer (p0)->map_t.checksum_offset =
                vnet_buffer (p0)->map_t.v6.l4_offset + 16;
              next0 = IP6_MAPT_NEXT_MAPT_TCP_UDP;
-             map_port0 = l4_dst_port;
+             map_port0 = l4_src_port;
            }
          else
            if (PREDICT_TRUE
@@ -559,7 +559,7 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
              vnet_buffer (p0)->map_t.checksum_offset =
                vnet_buffer (p0)->map_t.v6.l4_offset + 6;
              next0 = IP6_MAPT_NEXT_MAPT_TCP_UDP;
-             map_port0 = l4_dst_port;
+             map_port0 = l4_src_port;
            }
          else if (vnet_buffer (p0)->map_t.v6.l4_protocol ==
                   IP_PROTOCOL_ICMP6)
@@ -576,7 +576,7 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
                      u8_ptr_add (ip60,
                                  vnet_buffer (p0)->map_t.v6.l4_offset))->
                  code == ICMP6_echo_request)
-               map_port0 = l4_dst_port;
+               map_port0 = l4_src_port;
            }
          else
            {
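Review bot: ICMPv6 has no ports, so `map_port0 = l4_src_port;` in the echo-request branch only makes sense if the reassembly metadata stores the echo identifier in `l4_src_port`, and that is not stated here. A short comment on that line, for example `/* for ICMPv6 echo the reass metadata is expected to carry the identifier in l4_src_port */`, would record the assumption once it is confirmed against the code that fills `ip.reass`. The branch sets `map_port0` only for `ICMP6_echo_request`. Whether other ICMPv6 types skip the port set check depends on the initial value of `map_port0`, which is outside this hunk.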
index 94cb6d7..9da3d0c 100644 (file)
@@ -640,6 +640,61 @@ class TestMAP(VppTestCase):
         for p in rx:
             self.validate(p[1], p4_translated)
 
+    def test_map_t_ip6_psid(self):
+        """ MAP-T v6->v4 PSID validation"""
+
+        #
+        # Add a domain that maps from pg0 to pg1
+        #
+        map_dst = '2001:db8::/32'
+        map_src = '1234:5678:90ab:cdef::/64'
+        ip4_pfx = '192.168.0.0/24'
+        tag = 'MAP-T Test Domain'
+
+        self.vapi.map_add_domain(ip6_prefix=map_dst,
+                                 ip4_prefix=ip4_pfx,
+                                 ip6_src=map_src,
+                                 ea_bits_len=16,
+                                 psid_offset=6,
+                                 psid_length=4,
+                                 mtu=1500,
+                                 tag=tag)
+
+        # Enable MAP-T on interfaces.
+        self.vapi.map_if_enable_disable(is_enable=1,
+                                        sw_if_index=self.pg0.sw_if_index,
+                                        is_translation=1)
+        self.vapi.map_if_enable_disable(is_enable=1,
+                                        sw_if_index=self.pg1.sw_if_index,
+                                        is_translation=1)
+
+        map_route = VppIpRoute(self,
+                               "2001:db8::",
+                               32,
+                               [VppRoutePath(self.pg1.remote_ip6,
+                                             self.pg1.sw_if_index,
+                                             proto=DpoProto.DPO_PROTO_IP6)])
+        map_route.add_vpp_config()
+
+        p_ether6 = Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
+        p_ip6 = IPv6(src='2001:db8:1f0::c0a8:1:f',
+                     dst='1234:5678:90ab:cdef:ac:1001:200:0')
+
+        # Send good IPv6 source port, ensure translated IPv4 received
+        payload = TCP(sport=0xabcd, dport=80)
+        p6 = (p_ether6 / p_ip6 / payload)
+        p4_translated = (IP(src='192.168.0.1',
+                            dst=self.pg0.remote_ip4) / payload)
+        p4_translated.id = 0
+        p4_translated.ttl -= 1
+        rx = self.send_and_expect(self.pg1, p6*1, self.pg0)
+        for p in rx:
+            self.validate(p[1], p4_translated)
+
+        # Send bad IPv6 source port, ensure translated IPv4 not received
+        payload = TCP(sport=0xdcba, dport=80)
+        p6 = (p_ether6 / p_ip6 / payload)
+        self.send_and_assert_no_replies(self.pg1, p6*1)
 
 if __name__ == '__main__':
     unittest.main(testRunner=VppTestRunner)
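Review bot: The negative case in `test_map_t_ip6_psid` passes on any drop, because `send_and_assert_no_replies` cannot tell a PSID rejection from a missing route or a parse failure. Asserting that the MAP node's port-check error counter increased by one would pin the drop to the check under test. Coverage is also TCP only, while the C change touches the UDP, ICMPv6 echo and fragmented branches as well, so a repeat of the regression in those branches would still go unnoticed. The "good" and "bad" comments would be easier to audit if they gave the arithmetic, for example `# 0xabcd: bits 6..9 = 0xf, matches the PSID in the EA bits of the IPv6 source; 0xdcba gives 0x2`. The method adds a domain, enables MAP-T on two interfaces and installs a route without undoing any of it in the visible lines; if the class teardown (outside this hunk) does not clean up, that state carries into later tests.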