map: fix MAP-T ip6 port check

Type: fix Ticket: VPP-1804 Fix a regression introduced by 640edcd90. The port set ID on received IPv6 packets for MAP-T was being checked against the destination port. It should be checked against the source port. Added a new unit test to verify that a v6 packet with a good source port is translated and forwarded and a v6 packet with a bad source port is dropped. The important part of the test which will prevent similar future regressions is that the source port and destination port are not equal. The existing unit test used the same source and destination port which is why it did not fail when the regression was introduced. Change-Id: Idc144ea509722bb9e0f80b3887d220384a04e6d6 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2019-12-04 15:02:46 -06:00
parent 1063f2ae80
commit 9f3569615e
2 changed files with 60 additions and 5 deletions
@@ -491,7 +491,7 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
 	  n_left_to_next -= 1;
 	  error0 = MAP_ERROR_NONE;
 	  p0 = vlib_get_buffer (vm, pi0);
-	  u16 l4_dst_port = vnet_buffer (p0)->ip.reass.l4_dst_port;
+	  u16 l4_src_port = vnet_buffer (p0)->ip.reass.l4_src_port;

 	  ip60 = vlib_buffer_get_current (p0);

@@ -534,7 +534,7 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
 	      (vnet_buffer (p0)->map_t.v6.frag_offset
 	       && ip6_frag_hdr_offset (frag0)))
 	    {
-	      map_port0 = l4_dst_port;
+	      map_port0 = l4_src_port;
 	      next0 = IP6_MAPT_NEXT_MAPT_FRAGMENTED;
 	    }
 	  else
@@ -547,7 +547,7 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
 	      vnet_buffer (p0)->map_t.checksum_offset =
 		vnet_buffer (p0)->map_t.v6.l4_offset + 16;
 	      next0 = IP6_MAPT_NEXT_MAPT_TCP_UDP;
-	      map_port0 = l4_dst_port;
+	      map_port0 = l4_src_port;
 	    }
 	  else
 	    if (PREDICT_TRUE
@@ -559,7 +559,7 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
 	      vnet_buffer (p0)->map_t.checksum_offset =
 		vnet_buffer (p0)->map_t.v6.l4_offset + 6;
 	      next0 = IP6_MAPT_NEXT_MAPT_TCP_UDP;
-	      map_port0 = l4_dst_port;
+	      map_port0 = l4_src_port;
 	    }
 	  else if (vnet_buffer (p0)->map_t.v6.l4_protocol ==
 		   IP_PROTOCOL_ICMP6)
@@ -576,7 +576,7 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
 		      u8_ptr_add (ip60,
 				  vnet_buffer (p0)->map_t.v6.l4_offset))->
 		  code == ICMP6_echo_request)
-		map_port0 = l4_dst_port;
+		map_port0 = l4_src_port;
 	    }
 	  else
 	    {
@@ -640,6 +640,61 @@ class TestMAP(VppTestCase):
        for p in rx:
            self.validate(p[1], p4_translated)

+    def test_map_t_ip6_psid(self):
+        """ MAP-T v6->v4 PSID validation"""
+
+        #
+        # Add a domain that maps from pg0 to pg1
+        #
+        map_dst = '2001:db8::/32'
+        map_src = '1234:5678:90ab:cdef::/64'
+        ip4_pfx = '192.168.0.0/24'
+        tag = 'MAP-T Test Domain'
+
+        self.vapi.map_add_domain(ip6_prefix=map_dst,
+                                 ip4_prefix=ip4_pfx,
+                                 ip6_src=map_src,
+                                 ea_bits_len=16,
+                                 psid_offset=6,
+                                 psid_length=4,
+                                 mtu=1500,
+                                 tag=tag)
+
+        # Enable MAP-T on interfaces.
+        self.vapi.map_if_enable_disable(is_enable=1,
+                                        sw_if_index=self.pg0.sw_if_index,
+                                        is_translation=1)
+        self.vapi.map_if_enable_disable(is_enable=1,
+                                        sw_if_index=self.pg1.sw_if_index,
+                                        is_translation=1)
+
+        map_route = VppIpRoute(self,
+                               "2001:db8::",
+                               32,
+                               [VppRoutePath(self.pg1.remote_ip6,
+                                             self.pg1.sw_if_index,
+                                             proto=DpoProto.DPO_PROTO_IP6)])
+        map_route.add_vpp_config()
+
+        p_ether6 = Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
+        p_ip6 = IPv6(src='2001:db8:1f0::c0a8:1:f',
+                     dst='1234:5678:90ab:cdef:ac:1001:200:0')
+
+        # Send good IPv6 source port, ensure translated IPv4 received
+        payload = TCP(sport=0xabcd, dport=80)
+        p6 = (p_ether6 / p_ip6 / payload)
+        p4_translated = (IP(src='192.168.0.1',
+                            dst=self.pg0.remote_ip4) / payload)
+        p4_translated.id = 0
+        p4_translated.ttl -= 1
+        rx = self.send_and_expect(self.pg1, p6*1, self.pg0)
+        for p in rx:
+            self.validate(p[1], p4_translated)
+
+        # Send bad IPv6 source port, ensure translated IPv4 not received
+        payload = TCP(sport=0xdcba, dport=80)
+        p6 = (p_ether6 / p_ip6 / payload)
+        self.send_and_assert_no_replies(self.pg1, p6*1)

 if __name__ == '__main__':
    unittest.main(testRunner=VppTestRunner)