This patch adds some fixes and improvements:
Fixes bug where save_rewrite_length gets overwritten on reassembly
handoff.
Fixes bug where duplicate fragments could cause a reassembly context
to be lost, because the race losing thread would remove bihash entry
created by winning thread.
Improves tracing by adding more events.
Adds extended shallow reassembly. This is a toggleable option, which if
turned on will cause reassembly to wait for both first and last
fragments to calculate total IP payload length. Furthermore it'll store
a local copy of first fragment and necessary data to retrieve it in
vnet_buffer2. This allows downstream features to access full L3/L4
headers when dealing with fragments.
Type: fix
Change-Id: I81695070533410c5815291dbc65ea71c87e3ae05
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
Update to the MAP rule lookup (in IPv6) based on the rule's source
prefix instead of DMR
Type: improvement
Per RFC, the DMR is allowed to serve multiple MAP Basic Mapping Rules, but this
capability was prevented by the above logic.
Updates to the code include populating a new hash table based on the MAP rule
ip6 prefix and length, changing several functions to reference this new table,
and slight alterations to a few functions regarding pre-lookup bitmasking.
All changes are commented with [dgeist] and are in need of peer review,
especially the bitmask alterations.
An attempt was made at generating an additonal MAP rule in the test_map_br test
harness, but the coding appears very much oriented towards testing just one
rule. I would appreciate suggestions on how to test multi-rule cases.
Issue: VPP-2111
Change-Id: Id1fea280eba625e23cd893575d9b63aac7f48405
Signed-off-by: Dan Geist <dan@polter.net>
This adds a new data model for counters.
Specifying the errors severity and unit.
A later patch will update vpp_get_stats to take advantage of this.
Only the map plugin is updates as an example.
New .api language:
A new "counters" keyword to define counter sets.
counters map {
none {
severity info;
type counter64;
units "packets";
description "valid MAP packets";
};
bad_protocol {
severity error;
type counter64;
units "packets";
description "bad protocol";
};
};
Each counter has 4 keywords. severity, which is one of error, info or warn.
A type, which is one of counter64 or gauge64.
units, which is a text field using units from YANG.
paths {
"/err/ip4-map" "map";
"/err/ip6-map" "map";
"/err/ip4-t-map" "map";
"/err/ip6-t-map" "map";
};
A new paths keyword that maps the counter-set to a path in the stats segment KV store.
Updated VPP CLI to include severity so user can see error counter severity.
DBGvpp# show errors
Count Node Reason Severity
13 ethernet-input no error error
Type: feature
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: Ib2177543f49d4c3aef4d7fa72476cff2068f7771
Signed-off-by: Ole Troan <ot@cisco.com>
Before this patch, packet was dropped in ip4-input,
but ip4-map-t node dropped response due to
'security check failed'
This patch checkes if hop_limit==1 and sets error
and next frame and sends icmp6 response correctly
Type: fix
Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com>
Change-Id: I85a6af58205b05754ef8c45a94817bb84f915c85
type should be used to get ICMP type instead of code.
Type: fix
Signed-off-by: Vladimir Isaev <visaev@netgate.com>
Change-Id: Iabf4ae38befde18309caff8efd9e1d956a2fde82
Without this patch offset for TCP/UDP headers was not calculated
correctly if there is one or more IPv6 extension headers.
Type: fix
Signed-off-by: Vladimir Isaev <visaev@netgate.com>
Change-Id: I04d6f5e42f8f072987192d6236085afbd74a4420
With this commit, forward the translated packet directly to the
specified next-hop if pre-resolve param is enabled in MAP-T.
Type: fix
Change-Id: Ie26080c7820318c7982599577a4af6e4d01a0574
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
With this commit, send ICMPv6 unreachable messages back if security
check fails and icmp6-unreachables param enabled in MAP-T.
Type: fix
Change-Id: I9a8869df7763c764a1672e3faa1fde8dc13ec85a
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Prevent malicious packets with spoofed embedded IPv4 addresses
by limiting the IPv6 ingress packets to known MAP-T domains.
Drop spoofed packets.
Add several tests that ensure spoofing isn't allowed.
Type: fix
Fixes: fc7344f9be
Change-Id: I80a5dd10d5fe7492e3a1b04de389d649a78065e2
Signed-off-by: Jon Loeliger <jdl@netgate.com>
Type: fix
Ticket: VPP-1804
Fix a regression introduced by 640edcd90.
The port set ID on received IPv6 packets for MAP-T was being
checked against the destination port. It should be checked
against the source port.
Added a new unit test to verify that a v6 packet with a good
source port is translated and forwarded and a v6 packet with
a bad source port is dropped. The important part of the test
which will prevent similar future regressions is that the
source port and destination port are not equal. The existing
unit test used the same source and destination port which is
why it did not fail when the regression was introduced.
Change-Id: Idc144ea509722bb9e0f80b3887d220384a04e6d6
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
This provides a functional interface to IP fragmentation.
Allowing external features to fragment. Supports
arbitrary encap size, for e.g. MPLS or inner fragmentation
of tunnels.
This also removed dual loop in MAP that was fundamentally broken.
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: Ia89ecec8ee3cbe2416edbe87630fdb714898c2a8
Signed-off-by: Ole Troan <ot@cisco.com>
This change is part of an effort to unify reassembly code. By removing
shallow virtual reassembly functionality in MAP and using the common
vnet provided shallow virtual reassembly, code size and complexity
is reduced.
Type: refactor
Change-Id: Iec8edd039f7b967b53e17bb9bca228a8b452ac0c
Signed-off-by: Klement Sekera <ksekera@cisco.com>
This reverts commit 0ae15ed43a.
Re-add MAP CE support later. This patch polluted the code
with too many if (ce) ...
Change-Id: Ia0ffd6fdb452aa5d30abec57772c17fc16fb0dbd
Signed-off-by: Ole Troan <ot@cisco.com>
- Error where ICMPv6 error code doesn't reset VLIB_TX = -1
Leading to crash for ICMP generated on tunnelled packets
- Missed setting VNET_BUFFER_F_LOCALLY_ORIGINATED, so
IP in IPv6 packets never got fragmented.
- Add support for fragmentation of buffer chains.
- Remove support for inner fragmentation in frag code itself.
Change-Id: If9a97301b7e35ca97ffa5c0fada2b9e7e7dbfb27
Signed-off-by: Ole Troan <ot@cisco.com>
It is cheaper to get thread index from vlib_main_t if available...
Change-Id: I4582e160d06d9d7fccdc54271912f0635da79b50
Signed-off-by: Damjan Marion <damarion@cisco.com>
Only remaining traces of MAP in the src/vnet is now in buffer.h.
Awaiting a new buffer opaque API (hint, hint).
Change-Id: Ie165561484731f1d7ed6e0f604b43624e06db3f0
Signed-off-by: Ole Troan <ot@cisco.com>
