Outer fragmentation.
ICMP PMTUD.
Add DF ignore knob.
Change-Id: Icfd7b5c5d9629db3b8130ba15dc6c9a5e709d23b
Signed-off-by: Ole Troan <ot@cisco.com>
b->current_length = 0;
}
}
+ p0->current_length = p0->current_length > 1280 ? 1280 : p0->current_length;
/* Add IP header and ICMPv6 header including a 4 byte data field */
vlib_buffer_advance(p0,
/* Fill ip header fields */
out_ip0->ip_version_traffic_class_and_flow_label =
clib_host_to_net_u32(0x6<<28);
- u16 plen = p0->current_length > 1280 ? 1280 : p0->current_length;
- out_ip0->payload_length = clib_host_to_net_u16(plen - sizeof(ip6_header_t));
+
+ out_ip0->payload_length = clib_host_to_net_u16(p0->current_length - sizeof(ip6_header_t));
out_ip0->protocol = IP_PROTOCOL_ICMP6;
out_ip0->hop_limit = 0xff;
out_ip0->dst_address = ip0->src_address;
typedef enum {
IP6_INPUT_NEXT_DROP,
IP6_INPUT_NEXT_LOOKUP,
- IP6_INPUT_NEXT_ICMP,
+ IP6_INPUT_NEXT_ICMP_ERROR,
IP6_INPUT_N_NEXT,
} ip6_input_next_t;
if (error0 == IP6_ERROR_TIME_EXPIRED) {
icmp6_error_set_vnet_buffer(p0, ICMP6_time_exceeded,
ICMP6_time_exceeded_ttl_exceeded_in_transit, 0);
- next0 = IP6_INPUT_NEXT_ICMP;
+ next0 = IP6_INPUT_NEXT_ICMP_ERROR;
} else {
next0 = IP6_INPUT_NEXT_DROP;
}
if (error1 == IP6_ERROR_TIME_EXPIRED) {
icmp6_error_set_vnet_buffer(p1, ICMP6_time_exceeded,
ICMP6_time_exceeded_ttl_exceeded_in_transit, 0);
- next1 = IP6_INPUT_NEXT_ICMP;
+ next1 = IP6_INPUT_NEXT_ICMP_ERROR;
} else {
next1 = IP6_INPUT_NEXT_DROP;
}
if (error0 == IP6_ERROR_TIME_EXPIRED) {
icmp6_error_set_vnet_buffer(p0, ICMP6_time_exceeded,
ICMP6_time_exceeded_ttl_exceeded_in_transit, 0);
- next0 = IP6_INPUT_NEXT_ICMP;
+ next0 = IP6_INPUT_NEXT_ICMP_ERROR;
} else {
next0 = IP6_INPUT_NEXT_DROP;
}
.next_nodes = {
[IP6_INPUT_NEXT_DROP] = "error-drop",
[IP6_INPUT_NEXT_LOOKUP] = "ip6-lookup",
- [IP6_INPUT_NEXT_ICMP] = "ip6-icmp-error",
+ [IP6_INPUT_NEXT_ICMP_ERROR] = "ip6-icmp-error",
},
.format_buffer = format_ip6_header,
CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
ip_frag_trace_t * t = va_arg (*args, ip_frag_trace_t *);
- s = format(s, "IPv%s offset: %u mtu: %u fragments: %u next: %s",
- t->ipv6?"6":"4",
- t->header_offset, t->mtu, t->n_fragments, node->next_node_names[t->next]);
+ s = format(s, "IPv%s offset: %u mtu: %u fragments: %u",
+ t->ipv6?"6":"4", t->header_offset, t->mtu, t->n_fragments);
return s;
}
}
}
+void
+ip_frag_set_vnet_buffer (vlib_buffer_t *b, u16 offset, u16 mtu, u8 next_index, u8 flags)
+{
+ vnet_buffer(b)->ip_frag.header_offset = offset;
+ vnet_buffer(b)->ip_frag.mtu = mtu;
+ vnet_buffer(b)->ip_frag.next_index = next_index;
+ vnet_buffer(b)->ip_frag.flags = flags;
+}
static uword
ip4_frag (vlib_main_t *vm,
tr->next = vnet_buffer(p0)->ip_frag.next_index;
}
- next0 = (error0 == IP_FRAG_ERROR_NONE) ? vnet_buffer(p0)->ip_frag.next_index : IP4_FRAG_NEXT_DROP;
- frag_sent += vec_len(buffer);
- small_packets += (vec_len(buffer) == 1);
+ if (error0 == IP_FRAG_ERROR_DONT_FRAGMENT_SET) {
+ icmp4_error_set_vnet_buffer(p0, ICMP4_destination_unreachable,
+ ICMP4_destination_unreachable_fragmentation_needed_and_dont_fragment_set,
+ vnet_buffer(p0)->ip_frag.mtu);
+ vlib_buffer_advance(p0, vnet_buffer(p0)->ip_frag.header_offset);
+ next0 = IP4_FRAG_NEXT_ICMP_ERROR;
+ } else
+ next0 = (error0 == IP_FRAG_ERROR_NONE) ? vnet_buffer(p0)->ip_frag.next_index : IP4_FRAG_NEXT_DROP;
+
+ if (error0 == IP_FRAG_ERROR_NONE) {
+ frag_sent += vec_len(buffer);
+ small_packets += (vec_len(buffer) == 1);
+ } else
+ vlib_error_count(vm, ip4_frag_node.index, error0, 1);
//Send fragments that were added in the frame
frag_from = buffer;
frag_left = vec_len(buffer);
+
while (frag_left > 0) {
while (frag_left > 0 && n_left_to_next > 0) {
u32 i;
vlib_put_next_frame(vm, node, next_index, n_left_to_next);
}
vec_free(buffer);
+
vlib_node_increment_counter(vm, ip4_frag_node.index, IP_FRAG_ERROR_FRAGMENT_SENT, frag_sent);
vlib_node_increment_counter(vm, ip4_frag_node.index, IP_FRAG_ERROR_SMALL_PACKET, small_packets);
.next_nodes = {
[IP4_FRAG_NEXT_IP4_LOOKUP] = "ip4-lookup",
[IP4_FRAG_NEXT_IP6_LOOKUP] = "ip6-lookup",
+ [IP4_FRAG_NEXT_ICMP_ERROR] = "ip4-icmp-error",
[IP4_FRAG_NEXT_DROP] = "error-drop"
},
};
typedef enum {
IP4_FRAG_NEXT_IP4_LOOKUP,
IP4_FRAG_NEXT_IP6_LOOKUP,
+ IP4_FRAG_NEXT_ICMP_ERROR,
IP4_FRAG_NEXT_DROP,
IP4_FRAG_N_NEXT
} ip4_frag_next_t;
_(NONE, "packet fragmented") \
_(SMALL_PACKET, "packet smaller than MTU") \
_(FRAGMENT_SENT, "number of sent fragments") \
- _(CANT_FRAGMENT_HEADER, "can't fragment header'") \
- _(DONT_FRAGMENT_SET, "can't fragment this packet'") \
+ _(CANT_FRAGMENT_HEADER, "can't fragment header") \
+ _(DONT_FRAGMENT_SET, "can't fragment this packet") \
_(MALFORMED, "malformed packet") \
_(MEMORY, "could not allocate buffer") \
_(UNKNOWN, "unknown error")
IP_FRAG_N_ERROR,
} ip_frag_error_t;
+void ip_frag_set_vnet_buffer(vlib_buffer_t *b, u16 offset, u16 mtu, u8 next_index, u8 flags);
+
#endif /* ifndef IP_FRAG_H */
#ifdef MAP_SKIP_IP6_LOOKUP
IP4_MAP_NEXT_IP6_REWRITE,
#endif
- IP4_MAP_NEXT_FRAGMENT,
+ IP4_MAP_NEXT_IP4_FRAGMENT,
+ IP4_MAP_NEXT_IP6_FRAGMENT,
IP4_MAP_NEXT_REASS,
+ IP4_MAP_NEXT_ICMP_ERROR,
IP4_MAP_NEXT_DROP,
IP4_MAP_N_NEXT,
};
ASSERT (ip->checksum == ip4_header_checksum(ip));
}
+static u32
+ip4_map_fragment (vlib_buffer_t *b, u16 mtu, bool df, u8 *error)
+{
+ map_main_t *mm = &map_main;
+
+ if (mm->frag_inner) {
+ ip_frag_set_vnet_buffer(b, sizeof(ip6_header_t), mtu, IP4_FRAG_NEXT_IP6_LOOKUP, IP_FRAG_FLAG_IP6_HEADER);
+ return (IP4_MAP_NEXT_IP4_FRAGMENT);
+ } else {
+ if (df && !mm->frag_ignore_df) {
+ icmp4_error_set_vnet_buffer(b, ICMP4_destination_unreachable,
+ ICMP4_destination_unreachable_fragmentation_needed_and_dont_fragment_set, mtu);
+ vlib_buffer_advance(b, sizeof(ip6_header_t));
+ *error = MAP_ERROR_DF_SET;
+ return (IP4_MAP_NEXT_ICMP_ERROR);
+ }
+ ip_frag_set_vnet_buffer(b, 0, mtu, IP6_FRAG_NEXT_IP6_LOOKUP, IP_FRAG_FLAG_IP6_HEADER);
+ return (IP4_MAP_NEXT_IP6_FRAGMENT);
+ }
+}
+
/*
* ip4_map
*/
port0 = ip4_map_port_and_security_check(d0, ip40, &next0, &error0);
port1 = ip4_map_port_and_security_check(d1, ip41, &next1, &error1);
+ /* Decrement IPv4 TTL */
+ ip4_map_decrement_ttl(ip40, &error0);
+ ip4_map_decrement_ttl(ip41, &error1);
+ bool df0 = ip40->flags_and_fragment_offset & clib_host_to_net_u16(IP4_HEADER_FLAG_DONT_FRAGMENT);
+ bool df1 = ip41->flags_and_fragment_offset & clib_host_to_net_u16(IP4_HEADER_FLAG_DONT_FRAGMENT);
+
/* MAP calc */
u32 da40 = clib_net_to_host_u32(ip40->dst_address.as_u32);
u32 da41 = clib_net_to_host_u32(ip41->dst_address.as_u32);
*/
if (PREDICT_TRUE(error0 == MAP_ERROR_NONE)) {
if (PREDICT_FALSE(d0->mtu && (clib_net_to_host_u16(ip6h0->payload_length) + sizeof(*ip6h0) > d0->mtu))) {
- vnet_buffer(p0)->ip_frag.header_offset = sizeof(*ip6h0);
- vnet_buffer(p0)->ip_frag.next_index = IP4_FRAG_NEXT_IP6_LOOKUP;
- vnet_buffer(p0)->ip_frag.mtu = d0->mtu;
- vnet_buffer(p0)->ip_frag.flags = IP_FRAG_FLAG_IP6_HEADER;
- next0 = IP4_MAP_NEXT_FRAGMENT;
+ next0 = ip4_map_fragment(p0, d0->mtu, df0, &error0);
} else {
next0 = ip4_map_ip6_lookup_bypass(p0, ip40) ? IP4_MAP_NEXT_IP6_REWRITE : next0;
vlib_increment_combined_counter(cm + MAP_DOMAIN_COUNTER_TX, cpu_index, map_domain_index0, 1,
*/
if (PREDICT_TRUE(error1 == MAP_ERROR_NONE)) {
if (PREDICT_FALSE(d1->mtu && (clib_net_to_host_u16(ip6h1->payload_length) + sizeof(*ip6h1) > d1->mtu))) {
- vnet_buffer(p1)->ip_frag.header_offset = sizeof(*ip6h1);
- vnet_buffer(p1)->ip_frag.next_index = IP4_FRAG_NEXT_IP6_LOOKUP;
- vnet_buffer(p1)->ip_frag.mtu = d1->mtu;
- vnet_buffer(p1)->ip_frag.flags = IP_FRAG_FLAG_IP6_HEADER;
- next1 = IP4_MAP_NEXT_FRAGMENT;
+ next1 = ip4_map_fragment(p1, d1->mtu, df1, &error1);
} else {
next1 = ip4_map_ip6_lookup_bypass(p1, ip41) ? IP4_MAP_NEXT_IP6_REWRITE : next1;
vlib_increment_combined_counter(cm + MAP_DOMAIN_COUNTER_TX, cpu_index, map_domain_index1, 1,
/* Decrement IPv4 TTL */
ip4_map_decrement_ttl(ip40, &error0);
+ bool df0 = ip40->flags_and_fragment_offset & clib_host_to_net_u16(IP4_HEADER_FLAG_DONT_FRAGMENT);
/* MAP calc */
u32 da40 = clib_net_to_host_u32(ip40->dst_address.as_u32);
*/
if (PREDICT_TRUE(error0 == MAP_ERROR_NONE)) {
if (PREDICT_FALSE(d0->mtu && (clib_net_to_host_u16(ip6h0->payload_length) + sizeof(*ip6h0) > d0->mtu))) {
- vnet_buffer(p0)->ip_frag.header_offset = sizeof(*ip6h0);
- vnet_buffer(p0)->ip_frag.next_index = IP4_FRAG_NEXT_IP6_LOOKUP;
- vnet_buffer(p0)->ip_frag.mtu = d0->mtu;
- vnet_buffer(p0)->ip_frag.flags = IP_FRAG_FLAG_IP6_HEADER;
- next0 = IP4_MAP_NEXT_FRAGMENT;
+ next0 = ip4_map_fragment(p0, d0->mtu, df0, &error0);
} else {
next0 = ip4_map_ip6_lookup_bypass(p0, ip40) ? IP4_MAP_NEXT_IP6_REWRITE : next0;
vlib_increment_combined_counter(cm + MAP_DOMAIN_COUNTER_TX, cpu_index, map_domain_index0, 1,
#ifdef MAP_SKIP_IP6_LOOKUP
[IP4_MAP_NEXT_IP6_REWRITE] = "ip6-rewrite",
#endif
- [IP4_MAP_NEXT_FRAGMENT] = "ip4-frag",
+ [IP4_MAP_NEXT_IP4_FRAGMENT] = "ip4-frag",
+ [IP4_MAP_NEXT_IP6_FRAGMENT] = "ip6-frag",
[IP4_MAP_NEXT_REASS] = "ip4-map-reass",
+ [IP4_MAP_NEXT_ICMP_ERROR] = "ip4-icmp-error",
[IP4_MAP_NEXT_DROP] = "error-drop",
},
};
return 0;
}
+static clib_error_t *
+map_fragment_command_fn (vlib_main_t *vm,
+ unformat_input_t *input,
+ vlib_cli_command_t *cmd)
+{
+ unformat_input_t _line_input, *line_input = &_line_input;
+ map_main_t *mm = &map_main;
+
+ /* Get a line of input. */
+ if (!unformat_user(input, unformat_line_input, line_input))
+ return 0;
+
+ while (unformat_check_input(line_input) != UNFORMAT_END_OF_INPUT) {
+ if (unformat(line_input, "inner"))
+ mm->frag_inner = true;
+ else if (unformat(line_input, "outer"))
+ mm->frag_inner = false;
+ else
+ return clib_error_return(0, "unknown input `%U'",
+ format_unformat_error, input);
+ }
+ unformat_free(line_input);
+
+ return 0;
+}
+
+static clib_error_t *
+map_fragment_df_command_fn (vlib_main_t *vm,
+ unformat_input_t *input,
+ vlib_cli_command_t *cmd)
+{
+ unformat_input_t _line_input, *line_input = &_line_input;
+ map_main_t *mm = &map_main;
+
+ /* Get a line of input. */
+ if (!unformat_user(input, unformat_line_input, line_input))
+ return 0;
+
+ while (unformat_check_input(line_input) != UNFORMAT_END_OF_INPUT) {
+ if (unformat(line_input, "on"))
+ mm->frag_ignore_df = true;
+ else if (unformat(line_input, "off"))
+ mm->frag_ignore_df = false;
+ else
+ return clib_error_return(0, "unknown input `%U'",
+ format_unformat_error, input);
+ }
+ unformat_free(line_input);
+
+ return 0;
+}
+
static clib_error_t *
map_traffic_class_command_fn (vlib_main_t *vm,
unformat_input_t *input,
vlib_cli_output(vm, "ICMP-relay IPv4 source address: %U\n", format_ip4_address, &mm->icmp4_src_address);
vlib_cli_output(vm, "ICMP6 unreachables sent for unmatched packets: %s\n", mm->icmp6_enabled ? "enabled" : "disabled");
+ vlib_cli_output(vm, "Inner fragmentation: %s\n", mm->frag_inner ? "enabled" : "disabled");
+ vlib_cli_output(vm, "Fragment packets regardless of DF flag: %s\n", mm->frag_ignore_df ? "enabled" : "disabled");
/*
* Counters
};
VLIB_CLI_COMMAND(map_icmp_unreachables_command, static) = {
- .path = "map params icmp unreachables",
+ .path = "map params icmp6 unreachables",
.short_help = "unreachables {on|off}",
.function = map_icmp_unreachables_command_fn,
};
+VLIB_CLI_COMMAND(map_fragment_command, static) = {
+ .path = "map params fragment",
+ .short_help = "[inner|outer] [ignore-df [on|off]]",
+ .function = map_fragment_command_fn,
+};
+
+VLIB_CLI_COMMAND(map_fragment_df_command, static) = {
+ .path = "map params fragment ignore-df",
+ .short_help = "on|off",
+ .function = map_fragment_df_command_fn,
+};
+
VLIB_CLI_COMMAND(map_security_check_frag_command, static) = {
.path = "map params security-check fragments",
.short_help =
/* ICMP6 Type 1, Code 5 for security check failure */
mm->icmp6_enabled = false;
+ /* Inner or outer fragmentation */
+ mm->frag_inner = false;
+ mm->frag_ignore_df = false;
+
vec_validate(mm->domain_counters, MAP_N_DOMAIN_COUNTER - 1);
mm->domain_counters[MAP_DOMAIN_COUNTER_RX].name = "rx";
mm->domain_counters[MAP_DOMAIN_COUNTER_TX].name = "tx";
vlib_combined_counter_main_t *domain_counters;
volatile u32 *counter_lock;
- /* Global counters */
- vlib_simple_counter_main_t icmp_relayed;
-
#ifdef MAP_SKIP_IP6_LOOKUP
/* pre-presolve */
u32 adj6_index, adj4_index;
/* Traffic class: zero, copy (~0) or fixed value */
u8 tc;
bool tc_copy;
- bool sec_check;
- bool sec_check_frag;
- bool icmp6_enabled;
+
+ bool sec_check; /* Inbound security check */
+ bool sec_check_frag; /* Inbound security check for (subsequent) fragments */
+ bool icmp6_enabled; /* Send destination unreachable for security check failure */
/* ICMPv6 -> ICMPv4 relay parameters */
ip4_address_t icmp4_src_address;
+ vlib_simple_counter_main_t icmp_relayed;
/* convenience */
vlib_main_t *vlib_main;
/*
* IPv4 encap and decap reassembly
*/
- //Conf
+ /* Configuration */
f32 ip4_reass_conf_ht_ratio; //Size of ht is 2^ceil(log2(ratio*pool_size))
u16 ip4_reass_conf_pool_size; //Max number of allocated reass structures
u16 ip4_reass_conf_lifetime_ms; //Time a reassembly struct is considered valid in ms
u32 ip4_reass_conf_buffers; //Maximum number of buffers used by ip4 reassembly
- //Runtime
+ /* Runtime */
map_ip4_reass_t *ip4_reass_pool;
u8 ip4_reass_ht_log2len; //Hash table size is 2^log2len
u16 ip4_reass_allocated;
u16 ip4_reass_fifo_last;
volatile u32 *ip4_reass_lock;
- //Counters
+ /* Counters */
u32 ip4_reass_buffered_counter;
+ bool frag_inner; /* Inner or outer fragmentation */
+ bool frag_ignore_df; /* Fragment (outer) packet even if DF is set */
+
/*
* IPv6 decap reassembly
*/
- //Conf
+ /* Configuration */
f32 ip6_reass_conf_ht_ratio; //Size of ht is 2^ceil(log2(ratio*pool_size))
u16 ip6_reass_conf_pool_size; //Max number of allocated reass structures
u16 ip6_reass_conf_lifetime_ms; //Time a reassembly struct is considered valid in ms
u32 ip6_reass_conf_buffers; //Maximum number of buffers used by ip6 reassembly
- //Runtime
+ /* Runtime */
map_ip6_reass_t *ip6_reass_pool;
u8 ip6_reass_ht_log2len; //Hash table size is 2^log2len
u16 ip6_reass_allocated;
u16 ip6_reass_fifo_last;
volatile u32 *ip6_reass_lock;
- //Counters
+ /* Counters */
u32 ip6_reass_buffered_counter;
} map_main_t;
/*
- * TODO: Remove SEC_CHECK / TRANSLATED_4TO6 / TRANSLATED_6TO4
+ * MAP Error counters/messages
*/
#define foreach_map_error \
/* Must be first. */ \
_(NONE, "valid MAP packets") \
_(BAD_PROTOCOL, "bad protocol") \
- _(WRONG_ICMP_TYPE, "wrong icmp type") \
_(SEC_CHECK, "security check failed") \
_(ENCAP_SEC_CHECK, "encap security check failed") \
_(DECAP_SEC_CHECK, "decap security check failed") \
_(FRAGMENT_MALFORMED, "fragment has unexpected format")\
_(FRAGMENT_DROPPED, "dropped cached fragment") \
_(MALFORMED, "malformed packet") \
- _(IP4_ERROR_TIME_EXPIRED, "time expired")
+ _(DF_SET, "can't fragment, DF set")
typedef enum {
#define _(sym,str) MAP_ERROR_##sym,
Code Review / vpp.git / commitdiff