IPIP and IPv6 fragmentation
- Error where ICMPv6 error code doesn't reset VLIB_TX = -1 Leading to crash for ICMP generated on tunnelled packets - Missed setting VNET_BUFFER_F_LOCALLY_ORIGINATED, so IP in IPv6 packets never got fragmented. - Add support for fragmentation of buffer chains. - Remove support for inner fragmentation in frag code itself. Change-Id: If9a97301b7e35ca97ffa5c0fada2b9e7e7dbfb27 Signed-off-by: Ole Troan <ot@cisco.com>
This commit is contained in:
Ole Troan
@@ -167,7 +167,8 @@ ip4_map_fragment (vlib_buffer_t * b, u16 mtu, bool df, u8 * error)
|
||||
|
||||
if (mm->frag_inner)
|
||||
{
|
||||
ip_frag_set_vnet_buffer (b, sizeof (ip6_header_t), mtu,
|
||||
// TODO: Fix inner fragmentation after removed inner support from ip-frag.
|
||||
ip_frag_set_vnet_buffer (b, /*sizeof (ip6_header_t), */ mtu,
|
||||
IP4_FRAG_NEXT_IP6_LOOKUP,
|
||||
IP_FRAG_FLAG_IP6_HEADER);
|
||||
return (IP4_MAP_NEXT_IP4_FRAGMENT);
|
||||
@@ -183,7 +184,7 @@ ip4_map_fragment (vlib_buffer_t * b, u16 mtu, bool df, u8 * error)
|
||||
*error = MAP_ERROR_DF_SET;
|
||||
return (IP4_MAP_NEXT_ICMP_ERROR);
|
||||
}
|
||||
ip_frag_set_vnet_buffer (b, 0, mtu, IP6_FRAG_NEXT_IP6_LOOKUP,
|
||||
ip_frag_set_vnet_buffer (b, mtu, IP6_FRAG_NEXT_IP6_LOOKUP,
|
||||
IP_FRAG_FLAG_IP6_HEADER);
|
||||
return (IP4_MAP_NEXT_IP6_FRAGMENT);
|
||||
}
|
||||
@@ -621,7 +622,7 @@ ip4_map_reass (vlib_main_t * vm,
|
||||
&& (clib_net_to_host_u16 (ip60->payload_length) +
|
||||
sizeof (*ip60) > d0->mtu)))
|
||||
{
|
||||
vnet_buffer (p0)->ip_frag.header_offset = sizeof (*ip60);
|
||||
// TODO: vnet_buffer (p0)->ip_frag.header_offset = sizeof (*ip60);
|
||||
vnet_buffer (p0)->ip_frag.next_index = IP4_FRAG_NEXT_IP6_LOOKUP;
|
||||
vnet_buffer (p0)->ip_frag.mtu = d0->mtu;
|
||||
vnet_buffer (p0)->ip_frag.flags = IP_FRAG_FLAG_IP6_HEADER;
|
||||
|
||||
@@ -237,7 +237,6 @@ ip4_map_t_icmp (vlib_main_t * vm,
|
||||
|
||||
if (vnet_buffer (p0)->map_t.mtu < p0->current_length)
|
||||
{
|
||||
vnet_buffer (p0)->ip_frag.header_offset = 0;
|
||||
vnet_buffer (p0)->ip_frag.mtu = vnet_buffer (p0)->map_t.mtu;
|
||||
vnet_buffer (p0)->ip_frag.next_index = IP6_FRAG_NEXT_IP6_LOOKUP;
|
||||
next0 = IP4_MAPT_ICMP_NEXT_IP6_FRAG;
|
||||
@@ -322,7 +321,6 @@ ip4_map_t_fragmented (vlib_main_t * vm,
|
||||
{
|
||||
if (vnet_buffer (p0)->map_t.mtu < p0->current_length)
|
||||
{
|
||||
vnet_buffer (p0)->ip_frag.header_offset = 0;
|
||||
vnet_buffer (p0)->ip_frag.mtu = vnet_buffer (p0)->map_t.mtu;
|
||||
vnet_buffer (p0)->ip_frag.next_index =
|
||||
IP6_FRAG_NEXT_IP6_LOOKUP;
|
||||
@@ -391,7 +389,6 @@ ip4_map_t_tcp_udp (vlib_main_t * vm,
|
||||
if (vnet_buffer (p0)->map_t.mtu < p0->current_length)
|
||||
{
|
||||
//Send to fragmentation node if necessary
|
||||
vnet_buffer (p0)->ip_frag.header_offset = 0;
|
||||
vnet_buffer (p0)->ip_frag.mtu = vnet_buffer (p0)->map_t.mtu;
|
||||
vnet_buffer (p0)->ip_frag.next_index =
|
||||
IP6_FRAG_NEXT_IP6_LOOKUP;
|
||||
@@ -409,7 +406,6 @@ ip4_map_t_tcp_udp (vlib_main_t * vm,
|
||||
if (vnet_buffer (p1)->map_t.mtu < p1->current_length)
|
||||
{
|
||||
//Send to fragmentation node if necessary
|
||||
vnet_buffer (p1)->ip_frag.header_offset = 0;
|
||||
vnet_buffer (p1)->ip_frag.mtu = vnet_buffer (p1)->map_t.mtu;
|
||||
vnet_buffer (p1)->ip_frag.next_index =
|
||||
IP6_FRAG_NEXT_IP6_LOOKUP;
|
||||
@@ -453,7 +449,6 @@ ip4_map_t_tcp_udp (vlib_main_t * vm,
|
||||
if (vnet_buffer (p0)->map_t.mtu < p0->current_length)
|
||||
{
|
||||
//Send to fragmentation node if necessary
|
||||
vnet_buffer (p0)->ip_frag.header_offset = 0;
|
||||
vnet_buffer (p0)->ip_frag.mtu = vnet_buffer (p0)->map_t.mtu;
|
||||
vnet_buffer (p0)->ip_frag.next_index =
|
||||
IP6_FRAG_NEXT_IP6_LOOKUP;
|
||||
|
||||
@@ -308,7 +308,6 @@ ip6_map (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
|
||||
(d0->mtu
|
||||
&& (clib_host_to_net_u16 (ip40->length) > d0->mtu)))
|
||||
{
|
||||
vnet_buffer (p0)->ip_frag.header_offset = 0;
|
||||
vnet_buffer (p0)->ip_frag.flags = 0;
|
||||
vnet_buffer (p0)->ip_frag.next_index =
|
||||
IP4_FRAG_NEXT_IP4_LOOKUP;
|
||||
@@ -341,7 +340,6 @@ ip6_map (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
|
||||
(d1->mtu
|
||||
&& (clib_host_to_net_u16 (ip41->length) > d1->mtu)))
|
||||
{
|
||||
vnet_buffer (p1)->ip_frag.header_offset = 0;
|
||||
vnet_buffer (p1)->ip_frag.flags = 0;
|
||||
vnet_buffer (p1)->ip_frag.next_index =
|
||||
IP4_FRAG_NEXT_IP4_LOOKUP;
|
||||
@@ -495,7 +493,6 @@ ip6_map (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
|
||||
(d0->mtu
|
||||
&& (clib_host_to_net_u16 (ip40->length) > d0->mtu)))
|
||||
{
|
||||
vnet_buffer (p0)->ip_frag.header_offset = 0;
|
||||
vnet_buffer (p0)->ip_frag.flags = 0;
|
||||
vnet_buffer (p0)->ip_frag.next_index =
|
||||
IP4_FRAG_NEXT_IP4_LOOKUP;
|
||||
@@ -935,7 +932,6 @@ ip6_map_ip4_reass (vlib_main_t * vm,
|
||||
(d0->mtu && (clib_host_to_net_u16 (ip40->length) > d0->mtu)
|
||||
&& error0 == MAP_ERROR_NONE && !cached))
|
||||
{
|
||||
vnet_buffer (p0)->ip_frag.header_offset = 0;
|
||||
vnet_buffer (p0)->ip_frag.flags = 0;
|
||||
vnet_buffer (p0)->ip_frag.next_index = IP4_FRAG_NEXT_IP4_LOOKUP;
|
||||
vnet_buffer (p0)->ip_frag.mtu = d0->mtu;
|
||||
|
||||
@@ -264,7 +264,6 @@ ip6_map_t_icmp (vlib_main_t * vm,
|
||||
{
|
||||
//Send to fragmentation node if necessary
|
||||
vnet_buffer (p0)->ip_frag.mtu = vnet_buffer (p0)->map_t.mtu;
|
||||
vnet_buffer (p0)->ip_frag.header_offset = 0;
|
||||
vnet_buffer (p0)->ip_frag.next_index = IP4_FRAG_NEXT_IP4_LOOKUP;
|
||||
next0 = IP6_MAPT_ICMP_NEXT_IP4_FRAG;
|
||||
}
|
||||
@@ -348,7 +347,6 @@ ip6_map_t_fragmented (vlib_main_t * vm,
|
||||
{
|
||||
//Send to fragmentation node if necessary
|
||||
vnet_buffer (p0)->ip_frag.mtu = vnet_buffer (p0)->map_t.mtu;
|
||||
vnet_buffer (p0)->ip_frag.header_offset = 0;
|
||||
vnet_buffer (p0)->ip_frag.next_index =
|
||||
IP4_FRAG_NEXT_IP4_LOOKUP;
|
||||
next0 = IP6_MAPT_FRAGMENTED_NEXT_IP4_FRAG;
|
||||
@@ -366,7 +364,6 @@ ip6_map_t_fragmented (vlib_main_t * vm,
|
||||
{
|
||||
//Send to fragmentation node if necessary
|
||||
vnet_buffer (p1)->ip_frag.mtu = vnet_buffer (p1)->map_t.mtu;
|
||||
vnet_buffer (p1)->ip_frag.header_offset = 0;
|
||||
vnet_buffer (p1)->ip_frag.next_index =
|
||||
IP4_FRAG_NEXT_IP4_LOOKUP;
|
||||
next1 = IP6_MAPT_FRAGMENTED_NEXT_IP4_FRAG;
|
||||
@@ -405,7 +402,6 @@ ip6_map_t_fragmented (vlib_main_t * vm,
|
||||
{
|
||||
//Send to fragmentation node if necessary
|
||||
vnet_buffer (p0)->ip_frag.mtu = vnet_buffer (p0)->map_t.mtu;
|
||||
vnet_buffer (p0)->ip_frag.header_offset = 0;
|
||||
vnet_buffer (p0)->ip_frag.next_index =
|
||||
IP4_FRAG_NEXT_IP4_LOOKUP;
|
||||
next0 = IP6_MAPT_FRAGMENTED_NEXT_IP4_FRAG;
|
||||
@@ -466,7 +462,6 @@ ip6_map_t_tcp_udp (vlib_main_t * vm,
|
||||
{
|
||||
//Send to fragmentation node if necessary
|
||||
vnet_buffer (p0)->ip_frag.mtu = vnet_buffer (p0)->map_t.mtu;
|
||||
vnet_buffer (p0)->ip_frag.header_offset = 0;
|
||||
vnet_buffer (p0)->ip_frag.next_index =
|
||||
IP4_FRAG_NEXT_IP4_LOOKUP;
|
||||
next0 = IP6_MAPT_TCP_UDP_NEXT_IP4_FRAG;
|
||||
@@ -484,7 +479,6 @@ ip6_map_t_tcp_udp (vlib_main_t * vm,
|
||||
{
|
||||
//Send to fragmentation node if necessary
|
||||
vnet_buffer (p1)->ip_frag.mtu = vnet_buffer (p1)->map_t.mtu;
|
||||
vnet_buffer (p1)->ip_frag.header_offset = 0;
|
||||
vnet_buffer (p1)->ip_frag.next_index =
|
||||
IP4_FRAG_NEXT_IP4_LOOKUP;
|
||||
next1 = IP6_MAPT_TCP_UDP_NEXT_IP4_FRAG;
|
||||
@@ -523,7 +517,6 @@ ip6_map_t_tcp_udp (vlib_main_t * vm,
|
||||
{
|
||||
//Send to fragmentation node if necessary
|
||||
vnet_buffer (p0)->ip_frag.mtu = vnet_buffer (p0)->map_t.mtu;
|
||||
vnet_buffer (p0)->ip_frag.header_offset = 0;
|
||||
vnet_buffer (p0)->ip_frag.next_index =
|
||||
IP4_FRAG_NEXT_IP4_LOOKUP;
|
||||
next0 = IP6_MAPT_TCP_UDP_NEXT_IP4_FRAG;
|
||||
|
||||
@@ -277,7 +277,6 @@ typedef struct
|
||||
struct
|
||||
{
|
||||
u32 pad[2]; /* do not overlay w/ ip.adj_index[0,1] */
|
||||
u16 header_offset;
|
||||
u16 mtu;
|
||||
u8 next_index;
|
||||
u8 flags; //See ip_frag.h
|
||||
|
||||
+17
-6
@@ -524,14 +524,24 @@ ip6_icmp_error (vlib_main_t * vm,
|
||||
{
|
||||
b = vlib_get_buffer (vm, b->next_buffer);
|
||||
b->current_length = 0;
|
||||
// XXX: Buffer leak???
|
||||
}
|
||||
}
|
||||
|
||||
/* Add IP header and ICMPv6 header including a 4 byte data field */
|
||||
vlib_buffer_advance (p0,
|
||||
-sizeof (ip6_header_t) -
|
||||
sizeof (icmp46_header_t) - 4);
|
||||
int headroom = sizeof (ip6_header_t) + sizeof (icmp46_header_t) + 4;
|
||||
|
||||
/* Verify that we're not falling off the edge */
|
||||
if (p0->current_data - headroom < -VLIB_BUFFER_PRE_DATA_SIZE)
|
||||
{
|
||||
next0 = IP6_ICMP_ERROR_NEXT_DROP;
|
||||
error0 = ICMP6_ERROR_DROP;
|
||||
goto error;
|
||||
}
|
||||
|
||||
vlib_buffer_advance (p0, -headroom);
|
||||
vnet_buffer (p0)->sw_if_index[VLIB_TX] = ~0;
|
||||
p0->flags |= VNET_BUFFER_F_LOCALLY_ORIGINATED;
|
||||
p0->current_length =
|
||||
p0->current_length > 1280 ? 1280 : p0->current_length;
|
||||
|
||||
@@ -561,6 +571,7 @@ ip6_icmp_error (vlib_main_t * vm,
|
||||
{
|
||||
next0 = IP6_ICMP_ERROR_NEXT_DROP;
|
||||
error0 = ICMP6_ERROR_DROP;
|
||||
goto error;
|
||||
}
|
||||
|
||||
/* Fill icmp header fields */
|
||||
@@ -573,11 +584,11 @@ ip6_icmp_error (vlib_main_t * vm,
|
||||
ip6_tcp_udp_icmp_compute_checksum (vm, p0, out_ip0,
|
||||
&bogus_length);
|
||||
|
||||
|
||||
|
||||
/* Update error status */
|
||||
if (error0 == ICMP6_ERROR_NONE)
|
||||
error0 = icmp6_icmp_type_to_error (icmp0->type);
|
||||
|
||||
error:
|
||||
vlib_error_count (vm, node->node_index, error0, 1);
|
||||
|
||||
/* Verify speculative enqueue, maybe switch current next frame */
|
||||
@@ -602,7 +613,7 @@ VLIB_REGISTER_NODE (ip6_icmp_error_node) = {
|
||||
|
||||
.n_next_nodes = IP6_ICMP_ERROR_N_NEXT,
|
||||
.next_nodes = {
|
||||
[IP6_ICMP_ERROR_NEXT_DROP] = "ip6-drop",
|
||||
[IP6_ICMP_ERROR_NEXT_DROP] = "error-drop",
|
||||
[IP6_ICMP_ERROR_NEXT_LOOKUP] = "ip6-lookup",
|
||||
},
|
||||
|
||||
|
||||
@@ -2097,7 +2097,7 @@ ip4_mtu_check (vlib_buffer_t * b, u16 packet_len,
|
||||
else
|
||||
{
|
||||
/* IP fragmentation */
|
||||
ip_frag_set_vnet_buffer (b, 0, adj_packet_bytes,
|
||||
ip_frag_set_vnet_buffer (b, adj_packet_bytes,
|
||||
IP4_FRAG_NEXT_IP4_REWRITE, 0);
|
||||
*next = IP4_REWRITE_NEXT_FRAGMENT;
|
||||
}
|
||||
|
||||
@@ -1566,9 +1566,10 @@ ip6_mtu_check (vlib_buffer_t * b, u16 packet_bytes,
|
||||
if (is_locally_generated)
|
||||
{
|
||||
/* IP fragmentation */
|
||||
ip_frag_set_vnet_buffer (b, 0, adj_packet_bytes,
|
||||
ip_frag_set_vnet_buffer (b, adj_packet_bytes,
|
||||
IP6_FRAG_NEXT_IP6_REWRITE, 0);
|
||||
*next = IP6_REWRITE_NEXT_FRAGMENT;
|
||||
*error = IP6_ERROR_MTU_EXCEEDED;
|
||||
}
|
||||
else
|
||||
{
|
||||
|
||||
+208
-300
File diff suppressed because it is too large
Load Diff
@@ -84,7 +84,7 @@ typedef enum
|
||||
IP_FRAG_N_ERROR,
|
||||
} ip_frag_error_t;
|
||||
|
||||
void ip_frag_set_vnet_buffer (vlib_buffer_t * b, u16 offset, u16 mtu,
|
||||
void ip_frag_set_vnet_buffer (vlib_buffer_t * b, u16 mtu,
|
||||
u8 next_index, u8 flags);
|
||||
void
|
||||
ip4_frag_do_fragment (vlib_main_t * vm, u32 pi, u32 ** buffer,
|
||||
|
||||
@@ -138,6 +138,10 @@ ipip6_fixup (vlib_main_t * vm, ip_adjacency_t * adj, vlib_buffer_t * b,
|
||||
ip6_header_t *ip6;
|
||||
const ipip_tunnel_t *t = data;
|
||||
|
||||
/* Must set locally originated otherwise we're not allowed to
|
||||
fragment the packet later */
|
||||
b->flags |= VNET_BUFFER_F_LOCALLY_ORIGINATED;
|
||||
|
||||
ip6 = vlib_buffer_get_current (b);
|
||||
ip6->payload_length =
|
||||
clib_host_to_net_u16 (vlib_buffer_length_in_chain (vm, b) -
|
||||
|
||||
@@ -99,6 +99,14 @@ ipip_input (vlib_main_t * vm, vlib_node_runtime_t * node,
|
||||
if (is_ipv6)
|
||||
{
|
||||
ip60 = vlib_buffer_get_current (b0);
|
||||
/* Check for outer fragmentation */
|
||||
if (ip60->protocol == IP_PROTOCOL_IPV6_FRAGMENTATION)
|
||||
{
|
||||
next0 = IPIP_INPUT_NEXT_DROP;
|
||||
b0->error = node->errors[IPIP_ERROR_FRAGMENTED_PACKET];
|
||||
goto drop;
|
||||
}
|
||||
|
||||
vlib_buffer_advance (b0, sizeof (*ip60));
|
||||
ip_set (&src0, &ip60->src_address, false);
|
||||
ip_set (&dst0, &ip60->dst_address, false);
|
||||
|
||||
@@ -134,7 +134,8 @@ class VPPStats:
|
||||
for i in range(rv_len):
|
||||
n = ffi.string(rv[i].name).decode()
|
||||
e = stat_entry_to_python(self.api, rv[i])
|
||||
stats[n] = e
|
||||
if e != None:
|
||||
stats[n] = e
|
||||
return stats
|
||||
|
||||
def get_counter(self, name):
|
||||
|
||||
@@ -0,0 +1,12 @@
|
||||
diff --git a/scapy/layers/inet6.py b/scapy/layers/inet6.py
|
||||
index b58978f4..c4a3084d 100644
|
||||
--- a/scapy/layers/inet6.py
|
||||
+++ b/scapy/layers/inet6.py
|
||||
@@ -1073,6 +1073,7 @@ def defragment6(packets):
|
||||
q = res[0]
|
||||
nh = q[IPv6ExtHdrFragment].nh
|
||||
q[IPv6ExtHdrFragment].underlayer.nh = nh
|
||||
+ q[IPv6ExtHdrFragment].underlayer.plen = len(fragmentable)
|
||||
del q[IPv6ExtHdrFragment].underlayer.payload
|
||||
q /= conf.raw_layer(load=fragmentable)
|
||||
|
||||
+207
-20
File diff suppressed because it is too large
Load Diff
+1
-1
@@ -360,7 +360,7 @@ class TestMPLS(VppTestCase):
|
||||
# ICMP sourced from the interface's address
|
||||
self.assertEqual(rx_ip.src, src_if.local_ip6)
|
||||
# hop-limit reset to 255 for IMCP packet
|
||||
self.assertEqual(rx_ip.hlim, 254)
|
||||
self.assertEqual(rx_ip.hlim, 255)
|
||||
|
||||
icmp = rx[ICMPv6TimeExceeded]
|
||||
|
||||
|
||||
+3
-3
@@ -188,16 +188,16 @@ class TestMTU(VppTestCase):
|
||||
p_icmp6 = ICMPv6PacketTooBig(mtu=1280, cksum=0x4c7a)
|
||||
icmp6_reply = (IPv6(src=self.pg0.local_ip6,
|
||||
dst=self.pg0.remote_ip6,
|
||||
hlim=254, plen=1240) /
|
||||
hlim=255, plen=1240) /
|
||||
p_icmp6 / p_ip6 / p_payload)
|
||||
icmp6_reply[2].hlim -= 1
|
||||
n = icmp6_reply.__class__(str(icmp6_reply))
|
||||
s = str(icmp6_reply)
|
||||
icmp6_reply = s[0:1280]
|
||||
icmp6_reply_str = s[0:1280]
|
||||
|
||||
rx = self.send_and_expect(self.pg0, p6*9, self.pg0)
|
||||
for p in rx:
|
||||
self.validate_bytes(str(p[1]), icmp6_reply)
|
||||
self.validate_bytes(str(p[1]), icmp6_reply_str)
|
||||
|
||||
# Reset MTU
|
||||
self.vapi.sw_interface_set_mtu(self.pg1.sw_if_index,
|
||||
|
||||
Reference in New Issue
Block a user