reassembly: prevent long chain attack
limit max # of fragments to 3 per packet by default
add API option to configure the limit at runtime
Change-Id: Ie4b9507bf5c6095b9a5925972b37fe0032f4f9e8
Signed-off-by: Klement Sekera <ksekera@cisco.com>
diff --git a/src/vnet/ip/ip.api b/src/vnet/ip/ip.api
index 39d394f..afb0960 100644
--- a/src/vnet/ip/ip.api
+++ b/src/vnet/ip/ip.api
@@ -20,7 +20,7 @@
called through a shared memory interface.
*/
-option version = "2.0.0";
+option version = "2.0.1";
import "vnet/ip/ip_types.api";
import "vnet/fib/fib_types.api";
import "vnet/ethernet/ethernet_types.api";
@@ -1085,6 +1085,7 @@
u32 context;
u32 timeout_ms;
u32 max_reassemblies;
+ u32 max_reassembly_length;
u32 expire_walk_interval_ms;
u8 is_ip6;
};
@@ -1102,6 +1103,7 @@
i32 retval;
u32 timeout_ms;
u32 max_reassemblies;
+ u32 max_reassembly_length;
u32 expire_walk_interval_ms;
u8 is_ip6;
};
diff --git a/src/vnet/ip/ip4_error.h b/src/vnet/ip/ip4_error.h
index badcc66..d3bf6d7 100644
--- a/src/vnet/ip/ip4_error.h
+++ b/src/vnet/ip/ip4_error.h
@@ -86,6 +86,8 @@
/* Errors signalled by ip4-reassembly */ \
_ (REASS_DUPLICATE_FRAGMENT, "duplicate/overlapping fragments") \
_ (REASS_LIMIT_REACHED, "drops due to concurrent reassemblies limit") \
+ _ (REASS_FRAGMENT_CHAIN_TOO_LONG, "fragment chain too long (drop)") \
+ _ (REASS_NO_BUF, "out of buffers (drop)") \
_ (REASS_MALFORMED_PACKET, "malformed packets") \
_ (REASS_INTERNAL_ERROR, "drops due to internal reassembly error")
diff --git a/src/vnet/ip/ip4_reassembly.c b/src/vnet/ip/ip4_reassembly.c
index b38ade0..f273510 100644
--- a/src/vnet/ip/ip4_reassembly.c
+++ b/src/vnet/ip/ip4_reassembly.c
@@ -30,6 +30,7 @@
#define IP4_REASS_TIMEOUT_DEFAULT_MS 100
#define IP4_REASS_EXPIRE_WALK_INTERVAL_DEFAULT_MS 10000 // 10 seconds default
#define IP4_REASS_MAX_REASSEMBLIES_DEFAULT 1024
+#define IP4_REASS_MAX_REASSEMBLY_LENGTH_DEFAULT 3
#define IP4_REASS_HT_LOAD_FACTOR (0.75)
#define IP4_REASS_DEBUG_BUFFERS 0
@@ -57,6 +58,7 @@
typedef enum
{
IP4_REASS_RC_OK,
+ IP4_REASS_RC_TOO_MANY_FRAGMENTS,
IP4_REASS_RC_INTERNAL_ERROR,
IP4_REASS_RC_NO_BUF,
} ip4_reass_rc_t;
@@ -133,7 +135,8 @@
u8 next_index;
// minimum fragment length for this reassembly - used to estimate MTU
u16 min_fragment_length;
-
+ // number of fragments in this reassembly
+ u32 fragments_n;
} ip4_reass_t;
typedef struct
@@ -150,6 +153,9 @@
u32 timeout_ms;
f64 timeout;
u32 expire_walk_interval_ms;
+ // maximum number of fragments in one reassembly
+ u32 max_reass_len;
+ // maximum number of reassemblies
u32 max_reass_n;
// IPv4 runtime
@@ -750,6 +756,7 @@
}
*bi0 = ~0;
reass->min_fragment_length = clib_net_to_host_u16 (fip->length);
+ reass->fragments_n = 1;
return IP4_REASS_RC_OK;
}
reass->min_fragment_length = clib_min (clib_net_to_host_u16 (fip->length),
@@ -907,6 +914,7 @@
}
break;
}
+ ++reass->fragments_n;
if (consumed)
{
if (PREDICT_FALSE (fb->flags & VLIB_BUFFER_IS_TRACED))
@@ -925,6 +933,10 @@
if (consumed)
{
*bi0 = ~0;
+ if (reass->fragments_n > rm->max_reass_len)
+ {
+ rc = IP4_REASS_RC_TOO_MANY_FRAGMENTS;
+ }
}
else
{
@@ -1022,10 +1034,26 @@
case IP4_REASS_RC_OK:
/* nothing to do here */
break;
+ case IP4_REASS_RC_TOO_MANY_FRAGMENTS:
+ vlib_node_increment_counter (vm, node->node_index,
+ IP4_ERROR_REASS_FRAGMENT_CHAIN_TOO_LONG,
+ 1);
+ ip4_reass_on_timeout (vm, rm, reass);
+ ip4_reass_free (rm, rt, reass);
+ goto next_packet;
+ break;
case IP4_REASS_RC_NO_BUF:
- /* fallthrough */
+ vlib_node_increment_counter (vm, node->node_index,
+ IP4_ERROR_REASS_NO_BUF,
+ 1);
+ ip4_reass_on_timeout (vm, rm, reass);
+ ip4_reass_free (rm, rt, reass);
+ goto next_packet;
+ break;
case IP4_REASS_RC_INTERNAL_ERROR:
- /* drop everything and start with a clean slate */
+ vlib_node_increment_counter (vm, node->node_index,
+ IP4_ERROR_REASS_INTERNAL_ERROR,
+ 1);
ip4_reass_on_timeout (vm, rm, reass);
ip4_reass_free (rm, rt, reass);
goto next_packet;
@@ -1176,20 +1204,21 @@
static void
ip4_reass_set_params (u32 timeout_ms, u32 max_reassemblies,
- u32 expire_walk_interval_ms)
+ u32 max_reassembly_length, u32 expire_walk_interval_ms)
{
ip4_reass_main.timeout_ms = timeout_ms;
ip4_reass_main.timeout = (f64) timeout_ms / (f64) MSEC_PER_SEC;
ip4_reass_main.max_reass_n = max_reassemblies;
+ ip4_reass_main.max_reass_len = max_reassembly_length;
ip4_reass_main.expire_walk_interval_ms = expire_walk_interval_ms;
}
vnet_api_error_t
ip4_reass_set (u32 timeout_ms, u32 max_reassemblies,
- u32 expire_walk_interval_ms)
+ u32 max_reassembly_length, u32 expire_walk_interval_ms)
{
u32 old_nbuckets = ip4_reass_get_nbuckets ();
- ip4_reass_set_params (timeout_ms, max_reassemblies,
+ ip4_reass_set_params (timeout_ms, max_reassemblies, max_reassembly_length,
expire_walk_interval_ms);
vlib_process_signal_event (ip4_reass_main.vlib_main,
ip4_reass_main.ip4_reass_expire_node_idx,
@@ -1223,10 +1252,11 @@
vnet_api_error_t
ip4_reass_get (u32 * timeout_ms, u32 * max_reassemblies,
- u32 * expire_walk_interval_ms)
+ u32 * max_reassembly_length, u32 * expire_walk_interval_ms)
{
*timeout_ms = ip4_reass_main.timeout_ms;
*max_reassemblies = ip4_reass_main.max_reass_n;
+ *max_reassembly_length = ip4_reass_main.max_reass_len;
*expire_walk_interval_ms = ip4_reass_main.expire_walk_interval_ms;
return 0;
}
@@ -1256,6 +1286,7 @@
ip4_reass_set_params (IP4_REASS_TIMEOUT_DEFAULT_MS,
IP4_REASS_MAX_REASSEMBLIES_DEFAULT,
+ IP4_REASS_MAX_REASSEMBLY_LENGTH_DEFAULT,
IP4_REASS_EXPIRE_WALK_INTERVAL_DEFAULT_MS);
nbuckets = ip4_reass_get_nbuckets ();
diff --git a/src/vnet/ip/ip4_reassembly.h b/src/vnet/ip/ip4_reassembly.h
index 521ca0f..4ceb0ab 100644
--- a/src/vnet/ip/ip4_reassembly.h
+++ b/src/vnet/ip/ip4_reassembly.h
@@ -30,12 +30,14 @@
* @brief set ip4 reassembly configuration
*/
vnet_api_error_t ip4_reass_set (u32 timeout_ms, u32 max_reassemblies,
+ u32 max_reassembly_length,
u32 expire_walk_interval_ms);
/**
* @brief get ip4 reassembly configuration
*/
vnet_api_error_t ip4_reass_get (u32 * timeout_ms, u32 * max_reassemblies,
+ u32 * max_reassembly_length,
u32 * expire_walk_interval_ms);
vnet_api_error_t ip4_reass_enable_disable (u32 sw_if_index,
diff --git a/src/vnet/ip/ip6_error.h b/src/vnet/ip/ip6_error.h
index 6a20de4..3ca2be6 100644
--- a/src/vnet/ip/ip6_error.h
+++ b/src/vnet/ip/ip6_error.h
@@ -81,6 +81,8 @@
_ (REASS_DUPLICATE_FRAGMENT, "duplicate fragments") \
_ (REASS_OVERLAPPING_FRAGMENT, "overlapping fragments") \
_ (REASS_LIMIT_REACHED, "drops due to concurrent reassemblies limit") \
+ _ (REASS_FRAGMENT_CHAIN_TOO_LONG, "fragment chain too long (drop)") \
+ _ (REASS_NO_BUF, "out of buffers (drop)") \
_ (REASS_TIMEOUT, "fragments dropped due to reassembly timeout") \
_ (REASS_INTERNAL_ERROR, "drops due to internal reassembly error")
diff --git a/src/vnet/ip/ip6_reassembly.c b/src/vnet/ip/ip6_reassembly.c
index 9906250..45cd2b2 100644
--- a/src/vnet/ip/ip6_reassembly.c
+++ b/src/vnet/ip/ip6_reassembly.c
@@ -30,12 +30,14 @@
#define IP6_REASS_TIMEOUT_DEFAULT_MS 100
#define IP6_REASS_EXPIRE_WALK_INTERVAL_DEFAULT_MS 10000 // 10 seconds default
#define IP6_REASS_MAX_REASSEMBLIES_DEFAULT 1024
+#define IP6_REASS_MAX_REASSEMBLY_LENGTH_DEFAULT 3
#define IP6_REASS_HT_LOAD_FACTOR (0.75)
typedef enum
{
IP6_REASS_RC_OK,
IP6_REASS_RC_INTERNAL_ERROR,
+ IP6_REASS_RC_TOO_MANY_FRAGMENTS,
IP6_REASS_RC_NO_BUF,
} ip6_reass_rc_t;
@@ -112,6 +114,8 @@
u8 next_index;
// minimum fragment length for this reassembly - used to estimate MTU
u16 min_fragment_length;
+ // number of fragments for this reassembly
+ u32 fragments_n;
} ip6_reass_t;
typedef struct
@@ -128,6 +132,9 @@
u32 timeout_ms;
f64 timeout;
u32 expire_walk_interval_ms;
+ // maximum number of fragments in one reassembly
+ u32 max_reass_len;
+ // maximum number of reassemblies
u32 max_reass_n;
// IPv6 runtime
@@ -744,6 +751,7 @@
*bi0);
reass->min_fragment_length = clib_net_to_host_u16 (fip->payload_length);
consumed = 1;
+ reass->fragments_n = 1;
goto check_if_done_maybe;
}
reass->min_fragment_length =
@@ -797,6 +805,7 @@
}
break;
}
+ ++reass->fragments_n;
check_if_done_maybe:
if (consumed)
{
@@ -816,6 +825,10 @@
if (consumed)
{
*bi0 = ~0;
+ if (reass->fragments_n > rm->max_reass_len)
+ {
+ return IP6_REASS_RC_TOO_MANY_FRAGMENTS;
+ }
}
else
{
@@ -989,10 +1002,25 @@
case IP6_REASS_RC_OK:
/* nothing to do here */
break;
+ case IP6_REASS_RC_TOO_MANY_FRAGMENTS:
+ vlib_node_increment_counter (vm, node->node_index,
+ IP6_ERROR_REASS_FRAGMENT_CHAIN_TOO_LONG,
+ 1);
+ ip6_reass_drop_all (vm, rm, reass);
+ ip6_reass_free (rm, rt, reass);
+ goto next_packet;
+ break;
case IP6_REASS_RC_NO_BUF:
- /* fallthrough */
+ vlib_node_increment_counter (vm, node->node_index,
+ IP6_ERROR_REASS_NO_BUF, 1);
+ ip6_reass_drop_all (vm, rm, reass);
+ ip6_reass_free (rm, rt, reass);
+ goto next_packet;
+ break;
case IP6_REASS_RC_INTERNAL_ERROR:
- /* drop everything and start with a clean slate */
+ vlib_node_increment_counter (vm, node->node_index,
+ IP6_ERROR_REASS_INTERNAL_ERROR,
+ 1);
ip6_reass_drop_all (vm, rm, reass);
ip6_reass_free (rm, rt, reass);
goto next_packet;
@@ -1151,20 +1179,21 @@
static void
ip6_reass_set_params (u32 timeout_ms, u32 max_reassemblies,
- u32 expire_walk_interval_ms)
+ u32 max_reassembly_length, u32 expire_walk_interval_ms)
{
ip6_reass_main.timeout_ms = timeout_ms;
ip6_reass_main.timeout = (f64) timeout_ms / (f64) MSEC_PER_SEC;
ip6_reass_main.max_reass_n = max_reassemblies;
+ ip6_reass_main.max_reass_len = max_reassembly_length;
ip6_reass_main.expire_walk_interval_ms = expire_walk_interval_ms;
}
vnet_api_error_t
ip6_reass_set (u32 timeout_ms, u32 max_reassemblies,
- u32 expire_walk_interval_ms)
+ u32 max_reassembly_length, u32 expire_walk_interval_ms)
{
u32 old_nbuckets = ip6_reass_get_nbuckets ();
- ip6_reass_set_params (timeout_ms, max_reassemblies,
+ ip6_reass_set_params (timeout_ms, max_reassemblies, max_reassembly_length,
expire_walk_interval_ms);
vlib_process_signal_event (ip6_reass_main.vlib_main,
ip6_reass_main.ip6_reass_expire_node_idx,
@@ -1231,6 +1260,7 @@
ip6_reass_set_params (IP6_REASS_TIMEOUT_DEFAULT_MS,
IP6_REASS_MAX_REASSEMBLIES_DEFAULT,
+ IP6_REASS_MAX_REASSEMBLY_LENGTH_DEFAULT,
IP6_REASS_EXPIRE_WALK_INTERVAL_DEFAULT_MS);
nbuckets = ip6_reass_get_nbuckets ();
diff --git a/src/vnet/ip/ip6_reassembly.h b/src/vnet/ip/ip6_reassembly.h
index 5084eda..1ca2b20 100644
--- a/src/vnet/ip/ip6_reassembly.h
+++ b/src/vnet/ip/ip6_reassembly.h
@@ -30,6 +30,7 @@
* @brief set ip6 reassembly configuration
*/
vnet_api_error_t ip6_reass_set (u32 timeout_ms, u32 max_reassemblies,
+ u32 max_reassembly_length,
u32 expire_walk_interval_ms);
/**
diff --git a/src/vnet/ip/ip_api.c b/src/vnet/ip/ip_api.c
index ce3456d..5a6053d 100644
--- a/src/vnet/ip/ip_api.c
+++ b/src/vnet/ip/ip_api.c
@@ -3328,12 +3328,14 @@
{
rv = ip6_reass_set (clib_net_to_host_u32 (mp->timeout_ms),
clib_net_to_host_u32 (mp->max_reassemblies),
+ clib_net_to_host_u32 (mp->max_reassembly_length),
clib_net_to_host_u32 (mp->expire_walk_interval_ms));
}
else
{
rv = ip4_reass_set (clib_net_to_host_u32 (mp->timeout_ms),
clib_net_to_host_u32 (mp->max_reassemblies),
+ clib_net_to_host_u32 (mp->max_reassembly_length),
clib_net_to_host_u32 (mp->expire_walk_interval_ms));
}
@@ -3364,6 +3366,7 @@
{
rmp->is_ip6 = 0;
ip4_reass_get (&rmp->timeout_ms, &rmp->max_reassemblies,
+ &rmp->max_reassembly_length,
&rmp->expire_walk_interval_ms);
}
rmp->timeout_ms = clib_host_to_net_u32 (rmp->timeout_ms);
diff --git a/test/framework.py b/test/framework.py
index 47de2c4..201892a 100644
--- a/test/framework.py
+++ b/test/framework.py
@@ -1000,6 +1000,19 @@
if pkt.haslayer(ICMPv6EchoReply):
self.assert_checksum_valid(pkt, 'ICMPv6EchoReply', 'cksum')
+ def get_packet_counter(self, counter):
+ if counter.startswith("/"):
+ counter_value = self.statistics.get_counter(counter)
+ else:
+ counters = self.vapi.cli("sh errors").split('\n')
+ counter_value = -1
+ for i in range(1, len(counters) - 1):
+ results = counters[i].split()
+ if results[1] == counter:
+ counter_value = int(results[0])
+ break
+ return counter_value
+
def assert_packet_counter_equal(self, counter, expected_value):
if counter.startswith("/"):
counter_value = self.statistics.get_counter(counter)
diff --git a/test/test_ipip.py b/test/test_ipip.py
index 16f8369..e5b9092 100644
--- a/test/test_ipip.py
+++ b/test/test_ipip.py
@@ -160,6 +160,11 @@
sw_if_index=self.pg1.sw_if_index,
enable_ip4=1)
+ self.vapi.ip_reassembly_set(timeout_ms=1000, max_reassemblies=1000,
+ max_reassembly_length=1000,
+ expire_walk_interval_ms=10000,
+ is_ip6=0)
+
# Send lots of fragments, verify reassembled packet
frags, p4_reply = self.generate_ip4_frags(3131, 1400)
f = []
@@ -415,6 +420,11 @@
sw_if_index=self.pg1.sw_if_index,
enable_ip6=1)
+ self.vapi.ip_reassembly_set(timeout_ms=1000, max_reassemblies=1000,
+ max_reassembly_length=1000,
+ expire_walk_interval_ms=10000,
+ is_ip6=1)
+
# Send lots of fragments, verify reassembled packet
before_cnt = self.statistics.get_counter(
'/err/ipip6-input/packets decapsulated')
diff --git a/test/test_reassembly.py b/test/test_reassembly.py
index f57c14c..05877fa 100644
--- a/test/test_reassembly.py
+++ b/test/test_reassembly.py
@@ -83,6 +83,7 @@
is_ip6 = 1 if scapy_ip_family == IPv6 else 0
self.vapi.ip_reassembly_set(timeout_ms=1000, max_reassemblies=0,
+ max_reassembly_length=1000,
expire_walk_interval_ms=10000,
is_ip6=is_ip6)
@@ -183,6 +184,7 @@
is_ip6 = 1 if scapy_ip_family == IPv6 else 0
self.vapi.ip_reassembly_set(timeout_ms=0, max_reassemblies=1000,
+ max_reassembly_length=1000,
expire_walk_interval_ms=10000,
is_ip6=is_ip6)
@@ -229,9 +231,11 @@
self.vapi.ip_reassembly_enable_disable(
sw_if_index=self.src_if.sw_if_index, enable_ip4=True)
self.vapi.ip_reassembly_set(timeout_ms=0, max_reassemblies=1000,
+ max_reassembly_length=1000,
expire_walk_interval_ms=10)
self.sleep(.25)
self.vapi.ip_reassembly_set(timeout_ms=1000000, max_reassemblies=1000,
+ max_reassembly_length=1000,
expire_walk_interval_ms=10000)
def tearDown(self):
@@ -301,6 +305,37 @@
stream = self.__class__.fragments_200
super(TestIPv4Reassembly, self).test_random(family, stream)
+ def test_long_fragment_chain(self):
+ """ long fragment chain """
+
+ error_cnt_str = \
+ "/err/ip4-reassembly-feature/fragment chain too long (drop)"
+
+ error_cnt = self.get_packet_counter(error_cnt_str)
+
+ self.vapi.ip_reassembly_set(timeout_ms=100, max_reassemblies=1000,
+ max_reassembly_length=3,
+ expire_walk_interval_ms=50)
+
+ p1 = (Ether(dst=self.src_if.local_mac, src=self.src_if.remote_mac) /
+ IP(id=1000, src=self.src_if.remote_ip4,
+ dst=self.dst_if.remote_ip4) /
+ UDP(sport=1234, dport=5678) /
+ Raw("X" * 1000))
+ p2 = (Ether(dst=self.src_if.local_mac, src=self.src_if.remote_mac) /
+ IP(id=1001, src=self.src_if.remote_ip4,
+ dst=self.dst_if.remote_ip4) /
+ UDP(sport=1234, dport=5678) /
+ Raw("X" * 1000))
+ frags = fragment_rfc791(p1, 200) + fragment_rfc791(p2, 500)
+
+ self.pg_enable_capture()
+ self.src_if.add_stream(frags)
+ self.pg_start()
+
+ self.dst_if.get_capture(1)
+ self.assert_packet_counter_equal(error_cnt_str, error_cnt + 1)
+
def test_5737(self):
""" fragment length + ip header size > 65535 """
self.vapi.cli("clear errors")
@@ -504,6 +539,7 @@
if len(frags_400) > 1)
self.vapi.ip_reassembly_set(timeout_ms=100, max_reassemblies=1000,
+ max_reassembly_length=1000,
expire_walk_interval_ms=50)
self.pg_enable_capture()
@@ -565,9 +601,11 @@
self.vapi.ip_reassembly_enable_disable(
sw_if_index=self.src_if.sw_if_index, enable_ip6=True)
self.vapi.ip_reassembly_set(timeout_ms=0, max_reassemblies=1000,
+ max_reassembly_length=1000,
expire_walk_interval_ms=10, is_ip6=1)
self.sleep(.25)
self.vapi.ip_reassembly_set(timeout_ms=1000000, max_reassemblies=1000,
+ max_reassembly_length=1000,
expire_walk_interval_ms=10000, is_ip6=1)
self.logger.debug(self.vapi.ppcli("show ip6-reassembly details"))
self.logger.debug(self.vapi.ppcli("show buffers"))
@@ -647,6 +685,32 @@
]
super(TestIPv6Reassembly, self).test_duplicates(family, fragments)
+ def test_long_fragment_chain(self):
+ """ long fragment chain """
+
+ error_cnt_str = \
+ "/err/ip6-reassembly-feature/fragment chain too long (drop)"
+
+ error_cnt = self.get_packet_counter(error_cnt_str)
+
+ self.vapi.ip_reassembly_set(timeout_ms=100, max_reassemblies=1000,
+ max_reassembly_length=3,
+ expire_walk_interval_ms=50, is_ip6=1)
+
+ p = (Ether(dst=self.src_if.local_mac, src=self.src_if.remote_mac) /
+ IPv6(src=self.src_if.remote_ip6,
+ dst=self.dst_if.remote_ip6) /
+ UDP(sport=1234, dport=5678) /
+ Raw("X" * 1000))
+ frags = fragment_rfc8200(p, 1, 300) + fragment_rfc8200(p, 2, 500)
+
+ self.pg_enable_capture()
+ self.src_if.add_stream(frags)
+ self.pg_start()
+
+ self.dst_if.get_capture(1)
+ self.assert_packet_counter_equal(error_cnt_str, error_cnt + 1)
+
def test_overlap1(self):
""" overlapping fragments case #1 (differs from IP test case)"""
@@ -741,9 +805,11 @@
if len(frags_400) > 1)
self.vapi.ip_reassembly_set(timeout_ms=100, max_reassemblies=1000,
+ max_reassembly_length=1000,
expire_walk_interval_ms=50)
self.vapi.ip_reassembly_set(timeout_ms=100, max_reassemblies=1000,
+ max_reassembly_length=1000,
expire_walk_interval_ms=50, is_ip6=1)
self.pg_enable_capture()
@@ -865,9 +931,11 @@
""" Test setup - force timeout on existing reassemblies """
super(TestIPv4ReassemblyLocalNode, self).setUp()
self.vapi.ip_reassembly_set(timeout_ms=0, max_reassemblies=1000,
+ max_reassembly_length=1000,
expire_walk_interval_ms=10)
self.sleep(.25)
self.vapi.ip_reassembly_set(timeout_ms=1000000, max_reassemblies=1000,
+ max_reassembly_length=1000,
expire_walk_interval_ms=10000)
def tearDown(self):
@@ -996,13 +1064,17 @@
sw_if_index=self.dst_if.sw_if_index, enable_ip4=True,
enable_ip6=True)
self.vapi.ip_reassembly_set(timeout_ms=0, max_reassemblies=1000,
+ max_reassembly_length=1000,
expire_walk_interval_ms=10)
self.vapi.ip_reassembly_set(timeout_ms=0, max_reassemblies=1000,
+ max_reassembly_length=1000,
expire_walk_interval_ms=10, is_ip6=1)
self.sleep(.25)
self.vapi.ip_reassembly_set(timeout_ms=1000000, max_reassemblies=1000,
+ max_reassembly_length=1000,
expire_walk_interval_ms=10000)
self.vapi.ip_reassembly_set(timeout_ms=1000000, max_reassemblies=1000,
+ max_reassembly_length=1000,
expire_walk_interval_ms=10000, is_ip6=1)
def tearDown(self):