map: honor icmp6-unreachables param in map-t

With this commit, send ICMPv6 unreachable messages back if security
check fails and icmp6-unreachables param enabled in MAP-T.

Type: fix

Change-Id: I9a8869df7763c764a1672e3faa1fde8dc13ec85a
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>

src/plugins/map/ip6_map_t.c

@@ -24,6 +24,7 @@ typedef enum
   IP6_MAPT_NEXT_MAPT_ICMP,
   IP6_MAPT_NEXT_MAPT_FRAGMENTED,
   IP6_MAPT_NEXT_DROP,
+  IP6_MAPT_NEXT_ICMP,
   IP6_MAPT_N_NEXT
 } ip6_mapt_next_t;
 
@@ -475,6 +476,7 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
   u32 n_left_from, *from, next_index, *to_next, n_left_to_next;
   vlib_node_runtime_t *error_node =
     vlib_node_get_runtime (vm, ip6_map_t_node.index);
+  map_main_t *mm = &map_main;
   vlib_combined_counter_main_t *cm = map_main.domain_counters;
   u32 thread_index = vm->thread_index;
 
@@ -626,7 +628,19 @@ ip6_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
 								     payload_length));
 	    }
 
-	  next0 = (error0 != MAP_ERROR_NONE) ? IP6_MAPT_NEXT_DROP : next0;
+	  if (PREDICT_FALSE
+	      (error0 == MAP_ERROR_SEC_CHECK && mm->icmp6_enabled))
+	    {
+	      icmp6_error_set_vnet_buffer (p0, ICMP6_destination_unreachable,
+					   ICMP6_destination_unreachable_source_address_failed_policy,
+					   0);
+	      next0 = IP6_MAPT_NEXT_ICMP;
+	    }
+	  else
+	    {
+	      next0 = (error0 != MAP_ERROR_NONE) ? IP6_MAPT_NEXT_DROP : next0;
+	    }
+
 	  p0->error = error_node->errors[error0];
 	  if (PREDICT_FALSE (p0->flags & VLIB_BUFFER_IS_TRACED))
 	    {
@@ -738,6 +752,7 @@ VLIB_REGISTER_NODE(ip6_map_t_node) = {
     [IP6_MAPT_NEXT_MAPT_ICMP] = "ip6-map-t-icmp",
     [IP6_MAPT_NEXT_MAPT_FRAGMENTED] = "ip6-map-t-fragmented",
     [IP6_MAPT_NEXT_DROP] = "error-drop",
+    [IP6_MAPT_NEXT_ICMP] = "ip6-icmp-error",
   },
 };
 /* *INDENT-ON* */

src/plugins/map/test/test_map.py

@@ -13,7 +13,7 @@ from scapy.layers.l2 import Ether
 from scapy.packet import Raw
 from scapy.layers.inet import IP, UDP, ICMP, TCP
 from scapy.layers.inet6 import IPv6, ICMPv6TimeExceeded, IPv6ExtHdrFragment, \
-    ICMPv6EchoRequest
+    ICMPv6EchoRequest, ICMPv6DestUnreach
 
 
 class TestMAP(VppTestCase):
@@ -691,6 +691,36 @@ class TestMAP(VppTestCase):
         for p in rx:
             self.validate(p[1], p4_translated)
 
+        # TCP MSS clamping cleanup
+        self.vapi.map_param_set_tcp(0)
+
+        # Enable icmp6 param to get back ICMPv6 unreachable messages in case
+        # of security check fails
+        self.vapi.map_param_set_icmp6(enable_unreachable=1)
+
+        # Send back an IPv6 packet that will be droppped due to security
+        # check fail
+        p_ether6 = Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
+        p_ip6_sec_check_fail = IPv6(src='2001:db8:1fe::c0a8:1:f',
+                                    dst='1234:5678:90ab:cdef:ac:1001:200:0')
+        payload = TCP(sport=0xabcd, dport=0xabcd)
+        p6 = (p_ether6 / p_ip6_sec_check_fail / payload)
+
+        self.pg_send(self.pg1, p6*1)
+        self.pg0.get_capture(0, timeout=1)
+        rx = self.pg1.get_capture(1)
+
+        icmp6_reply = (IPv6(hlim=255, src=self.pg1.local_ip6,
+                            dst='2001:db8:1fe::c0a8:1:f') /
+                       ICMPv6DestUnreach(code=5) /
+                       p_ip6_sec_check_fail / payload)
+
+        for p in rx:
+            self.validate(p[1], icmp6_reply)
+
+        # ICMPv6 unreachable messages cleanup
+        self.vapi.map_param_set_icmp6(enable_unreachable=0)
+
     def test_map_t_ip6_psid(self):
         """ MAP-T v6->v4 PSID validation"""