map: fix hop limit expiration at br

Before this patch, packet was dropped in ip4-input,
but ip4-map-t node dropped response due to
'security check failed'
This patch checkes if hop_limit==1 and sets error
and next frame and sends icmp6 response correctly

Type: fix

Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com>
Change-Id: I85a6af58205b05754ef8c45a94817bb84f915c85

diff --git a/src/plugins/map/ip6_map_t.c b/src/plugins/map/ip6_map_t.c
index ce973ea..874a14c 100644 (file)
--- a/src/plugins/map/ip6_map_t.c
+++ b/src/plugins/map/ip6_map_t.c
@@ -544,6 +544,18 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
            ip6_map_t_embedded_address (d0, &ip60->dst_address);
          vnet_buffer (p0)->map_t.mtu = d0->mtu ? d0->mtu : ~0;
 
+         map_port0 = -1;
+
+         if (PREDICT_FALSE (ip60->hop_limit == 1))
+           {
+             icmp6_error_set_vnet_buffer (p0, ICMP6_time_exceeded,
+                                          ICMP6_time_exceeded_ttl_exceeded_in_transit,
+                                          0);
+             p0->error = error_node->errors[MAP_ERROR_TIME_EXCEEDED];
+             next0 = IP6_MAPT_NEXT_ICMP;
+             goto trace;
+           }
+
          if (PREDICT_FALSE
              (ip6_parse (vm, p0, ip60, p0->current_length,
                          &(vnet_buffer (p0)->map_t.v6.l4_protocol),
@@ -554,7 +566,6 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
                error0 == MAP_ERROR_NONE ? MAP_ERROR_MALFORMED : error0;
            }
 
-         map_port0 = -1;
          l4_len0 =
            (u32) clib_net_to_host_u16 (ip60->payload_length) +
            sizeof (*ip60) - vnet_buffer (p0)->map_t.v6.l4_offset;
@@ -659,6 +670,7 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
            }
 
          p0->error = error_node->errors[error0];
+       trace:
          if (PREDICT_FALSE (p0->flags & VLIB_BUFFER_IS_TRACED))
            {
              map_add_trace (vm, node, p0,

diff --git a/src/plugins/map/test/test_map.py b/src/plugins/map/test/test_map.py
index 66cb9ba..59c2333 100644 (file)
--- a/src/plugins/map/test/test_map.py
+++ b/src/plugins/map/test/test_map.py
@@ -591,7 +591,22 @@ class TestMAP(VppTestCase):
         for p in rx:
             self.validate(p[1], icmp4_reply)
 
-        # IPv6 Hop limit
+        # IPv6 Hop limit at BR
+        ip6_hlim_expired = IPv6(hlim=1, src='2001:db8:1ab::c0a8:1:ab',
+                                dst='1234:5678:90ab:cdef:ac:1001:200:0')
+        p6 = (p_ether6 / ip6_hlim_expired / payload)
+
+        icmp6_reply = (IPv6(hlim=255, src=self.pg1.local_ip6,
+                            dst="2001:db8:1ab::c0a8:1:ab") /
+                       ICMPv6TimeExceeded(code=0) /
+                       IPv6(src="2001:db8:1ab::c0a8:1:ab",
+                            dst='1234:5678:90ab:cdef:ac:1001:200:0',
+                            hlim=1) / payload)
+        rx = self.send_and_expect(self.pg1, p6*1, self.pg1)
+        for p in rx:
+            self.validate(p[1], icmp6_reply)
+
+        # IPv6 Hop limit beyond BR
         ip6_hlim_expired = IPv6(hlim=0, src='2001:db8:1ab::c0a8:1:ab',
                                 dst='1234:5678:90ab:cdef:ac:1001:200:0')
         p6 = (p_ether6 / ip6_hlim_expired / payload)