map: honor icmp6-unreachables param in map-t

With this commit, ICMPv6 unreachable messages are sent back when the security
check fails and the icmp6-unreachables param is enabled in MAP-T.

Type: fix

Change-Id: I9a8869df7763c764a1672e3faa1fde8dc13ec85a
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
diff --git a/src/plugins/map/ip6_map_t.c b/src/plugins/map/ip6_map_t.c
index e205c60..5a9c9af 100644
--- a/src/plugins/map/ip6_map_t.c
+++ b/src/plugins/map/ip6_map_t.c
@@ -24,6 +24,7 @@
   IP6_MAPT_NEXT_MAPT_ICMP,
   IP6_MAPT_NEXT_MAPT_FRAGMENTED,
   IP6_MAPT_NEXT_DROP,
+  IP6_MAPT_NEXT_ICMP,
   IP6_MAPT_N_NEXT
 } ip6_mapt_next_t;
 
@@ -475,6 +476,7 @@
   u32 n_left_from, *from, next_index, *to_next, n_left_to_next;
   vlib_node_runtime_t *error_node =
     vlib_node_get_runtime (vm, ip6_map_t_node.index);
+  map_main_t *mm = &map_main;
   vlib_combined_counter_main_t *cm = map_main.domain_counters;
   u32 thread_index = vm->thread_index;
 
@@ -626,7 +628,19 @@
 								     payload_length));
 	    }
 
-	  next0 = (error0 != MAP_ERROR_NONE) ? IP6_MAPT_NEXT_DROP : next0;
+	  if (PREDICT_FALSE
+	      (error0 == MAP_ERROR_SEC_CHECK && mm->icmp6_enabled))
+	    {
+	      icmp6_error_set_vnet_buffer (p0, ICMP6_destination_unreachable,
+					   ICMP6_destination_unreachable_source_address_failed_policy,
+					   0);
+	      next0 = IP6_MAPT_NEXT_ICMP;
+	    }
+	  else
+	    {
+	      next0 = (error0 != MAP_ERROR_NONE) ? IP6_MAPT_NEXT_DROP : next0;
+	    }
+
 	  p0->error = error_node->errors[error0];
 	  if (PREDICT_FALSE (p0->flags & VLIB_BUFFER_IS_TRACED))
 	    {
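Review bot: The new branch replies to the very source address that just failed the MAP-T security check, so the ICMPv6 destination-unreachable is addressed to an endpoint the data plane has no basis to trust; this is the usual reflection concern with error generation and deserves a comment here, since nothing in the hunk shows whether `ip6-icmp-error` rate-limits or otherwise bounds these replies. Suggested comment above the `if (PREDICT_FALSE`: `/* Reply goes to the source that failed the policy check (untrusted); keep this opt-in via icmp6_enabled and confirm ip6-icmp-error bounds the rate of generated errors */`. Note that `p0->error = error_node->errors[error0]` on the following line still charges the packet to the MAP_ERROR_SEC_CHECK counter even when it is redirected rather than dropped, which keeps the drop statistics accurate — that is worth stating in the same comment so a later reader does not "fix" it. The enclosing node function begins and ends outside this hunk.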
@@ -738,6 +752,7 @@
     [IP6_MAPT_NEXT_MAPT_ICMP] = "ip6-map-t-icmp",
     [IP6_MAPT_NEXT_MAPT_FRAGMENTED] = "ip6-map-t-fragmented",
     [IP6_MAPT_NEXT_DROP] = "error-drop",
+    [IP6_MAPT_NEXT_ICMP] = "ip6-icmp-error",
   },
 };
 /* *INDENT-ON* */
diff --git a/src/plugins/map/test/test_map.py b/src/plugins/map/test/test_map.py
index 123fb54..c64341b 100644
--- a/src/plugins/map/test/test_map.py
+++ b/src/plugins/map/test/test_map.py
@@ -13,7 +13,7 @@
 from scapy.packet import Raw
 from scapy.layers.inet import IP, UDP, ICMP, TCP
 from scapy.layers.inet6 import IPv6, ICMPv6TimeExceeded, IPv6ExtHdrFragment, \
-    ICMPv6EchoRequest
+    ICMPv6EchoRequest, ICMPv6DestUnreach
 
 
 class TestMAP(VppTestCase):
@@ -691,6 +691,36 @@
         for p in rx:
             self.validate(p[1], p4_translated)
 
+        # TCP MSS clamping cleanup
+        self.vapi.map_param_set_tcp(0)
+
+        # Enable icmp6 param to get back ICMPv6 unreachable messages in case
+        # of security check fails
+        self.vapi.map_param_set_icmp6(enable_unreachable=1)
+
+        # Send back an IPv6 packet that will be droppped due to security
+        # check fail
+        p_ether6 = Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
+        p_ip6_sec_check_fail = IPv6(src='2001:db8:1fe::c0a8:1:f',
+                                    dst='1234:5678:90ab:cdef:ac:1001:200:0')
+        payload = TCP(sport=0xabcd, dport=0xabcd)
+        p6 = (p_ether6 / p_ip6_sec_check_fail / payload)
+
+        self.pg_send(self.pg1, p6*1)
+        self.pg0.get_capture(0, timeout=1)
+        rx = self.pg1.get_capture(1)
+
+        icmp6_reply = (IPv6(hlim=255, src=self.pg1.local_ip6,
+                            dst='2001:db8:1fe::c0a8:1:f') /
+                       ICMPv6DestUnreach(code=5) /
+                       p_ip6_sec_check_fail / payload)
+
+        for p in rx:
+            self.validate(p[1], icmp6_reply)
+
+        # ICMPv6 unreachable messages cleanup
+        self.vapi.map_param_set_icmp6(enable_unreachable=0)
+
     def test_map_t_ip6_psid(self):
         """ MAP-T v6->v4 PSID validation"""