Add missing drop policy code section, fix one test and add two new on…

…es. (snabbco#48)

Add missing drop policy code section, fix one test and add two new ones.

src/apps/lwaftr/lwaftr.lua

@@ -540,7 +540,7 @@ local function encapsulate_and_transmit(lwstate, pkt, ipv6_dst, ipv6_src, pkt_sr
       if lwstate.policy_icmpv4_outgoing == lwconf.policies['DROP'] then
          -- Not counting bytes because we do not even generate the packets.
          counter.add(lwstate.counters["drop-out-by-policy-icmpv4-packets"])
-         return drop(pkt)
+         return drop_ipv4(lwstate, pkt, pkt_src_link)
       end
       local ipv4_header = get_ethernet_payload(pkt)
       local dst_ip = get_ipv4_src_address_ptr(ipv4_header)
@@ -564,6 +564,11 @@ local function encapsulate_and_transmit(lwstate, pkt, ipv6_dst, ipv6_src, pkt_sr
    if encapsulating_packet_with_df_flag_would_exceed_mtu(lwstate, pkt) then
       counter.add(lwstate.counters["drop-over-mtu-but-dont-fragment-ipv4-bytes"], pkt.length)
       counter.add(lwstate.counters["drop-over-mtu-but-dont-fragment-ipv4-packets"])
+      if lwstate.policy_icmpv4_outgoing == lwconf.policies['DROP'] then
+         -- Not counting bytes because we do not even generate the packets.
+         counter.add(lwstate.counters["drop-out-by-policy-icmpv4-packets"])
+         return drop_ipv4(lwstate, pkt, pkt_src_link)
+      end
       local reply = cannot_fragment_df_packet_error(lwstate, pkt)
       drop_ipv4(lwstate, pkt, pkt_src_link)
       return transmit_icmpv4_reply(lwstate, reply, pkt)

src/program/lwaftr/tests/data/counters/from-inet-ipv4-in-binding-big-packet-df-set-drop.lua

@@ -0,0 +1,10 @@
+return {
+   ["in-ipv4-bytes"] = 1494,
+   ["in-ipv4-packets"] = 1,
+
+   ["drop-over-mtu-but-dont-fragment-ipv4-bytes"] = 1494,
+   ["drop-over-mtu-but-dont-fragment-ipv4-packets"] = 1,
+   ["drop-out-by-policy-icmpv4-packets"] = 1,
+   ["drop-all-ipv4-iface-bytes"] = 1494,
+   ["drop-all-ipv4-iface-packets"] = 1,
+}

src/program/lwaftr/tests/data/counters/in-ipv4-ipv6-out-icmpv4-ipv6-hairpin-1-drop.lua

@@ -0,0 +1,13 @@
+return {
+   ["in-ipv6-bytes"] = 106,
+   ["in-ipv6-packets"] = 1,
+
+   ["hairpin-ipv4-bytes"] = 66,
+   ["hairpin-ipv4-packets"] = 1,
+
+   ["drop-ttl-zero-ipv4-bytes"] = 66,
+   ["drop-ttl-zero-ipv4-packets"] = 1,
+   ["drop-out-by-policy-icmpv4-packets"] = 1,
+   ["drop-all-ipv6-iface-bytes"] = 106,
+   ["drop-all-ipv6-iface-packets"] = 1,
+}

src/program/lwaftr/tests/data/small_ipv6_mtu_no_icmp_allow.conf

@@ -0,0 +1,17 @@
+aftr_ipv4_ip = 10.10.10.10,
+aftr_ipv6_ip = 8:9:a:b:c:d:e:f,
+aftr_mac_b4_side = 22:22:22:22:22:22,
+aftr_mac_inet_side = 12:12:12:12:12:12,
+binding_table = binding-table.txt,
+hairpinning = true,
+icmpv6_rate_limiter_n_packets=6e5,
+icmpv6_rate_limiter_n_seconds=2,
+inet_mac = 68:68:68:68:68:68,
+ipv4_mtu = 1500,
+ipv6_mtu = 1280,
+next_hop6_mac = 44:44:44:44:44:44,
+policy_icmpv4_incoming = ALLOW,
+policy_icmpv6_incoming = ALLOW,
+policy_icmpv4_outgoing = ALLOW,
+policy_icmpv6_outgoing = ALLOW,
+vlan_tagging = false

src/program/lwaftr/tests/data/small_ipv6_mtu_no_icmp_vlan_allow.conf

@@ -0,0 +1,19 @@
+aftr_ipv4_ip = 10.10.10.10,
+aftr_ipv6_ip = 8:9:a:b:c:d:e:f,
+aftr_mac_b4_side = 22:22:22:22:22:22,
+aftr_mac_inet_side = 12:12:12:12:12:12,
+binding_table = binding-table.txt,
+hairpinning = true,
+icmpv6_rate_limiter_n_packets=6e5,
+icmpv6_rate_limiter_n_seconds=2,
+inet_mac = 68:68:68:68:68:68,
+ipv4_mtu = 1500,
+ipv6_mtu = 1280,
+next_hop6_mac = 44:44:44:44:44:44,
+policy_icmpv4_incoming = ALLOW,
+policy_icmpv6_incoming = ALLOW,
+policy_icmpv4_outgoing = ALLOW,
+policy_icmpv6_outgoing = ALLOW,
+v4_vlan_tag = 1092, # 0x444
+v6_vlan_tag = 1638, # 0x666
+vlan_tagging = true

src/program/lwaftr/tests/end-to-end/end-to-end-vlan.sh

@@ -144,11 +144,17 @@ snabb_run_and_cmp ${TEST_CONF}/small_ipv6_mtu_no_icmp_vlan.conf \
    ${TEST_DATA}/tcp-ipv4-2ipv6frags-reassembled.pcap ${EMPTY} \
    ${COUNTERS}/in-1p-ipv6-out-1p-ipv4-3.lua
 
-echo "Testing: from-internet IPv4 packet found in the binding table, needs IPv6 fragmentation, DF set, ICMP-3,4."
+echo "Testing: from-internet IPv4 packet found in the binding table, needs IPv6 fragmentation, DF set, ICMP-3,4, drop policy."
 snabb_run_and_cmp ${TEST_CONF}/small_ipv6_mtu_no_icmp_vlan.conf \
+   ${TEST_DATA}/tcp-frominet-bound1494-DF.pcap  ${EMPTY} \
+   ${EMPTY} ${EMPTY} \
+   ${COUNTERS}/from-inet-ipv4-in-binding-big-packet-df-set-drop.lua
+
+echo "Testing: from-internet IPv4 packet found in the binding table, needs IPv6 fragmentation, DF set, ICMP-3,4, allow policy."
+snabb_run_and_cmp ${TEST_CONF}/small_ipv6_mtu_no_icmp_vlan_allow.conf \
    ${TEST_DATA}/tcp-frominet-bound1494-DF.pcap  ${EMPTY} \
    ${TEST_DATA}/icmpv4-fromlwaftr-replyto-tcp-frominet-bound1494-DF.pcap ${EMPTY} \
-   ${COUNTERS}/from-inet-ipv4-in-binding-big-packet-df-set.lua
+   ${COUNTERS}/from-inet-ipv4-in-binding-big-packet-df-set-allow.lua
 
 echo "Testing: from-internet IPv4 packet NOT found in the binding table, no ICMP."
 snabb_run_and_cmp ${TEST_CONF}/no_icmp_vlan.conf \
@@ -259,6 +265,12 @@ snabb_run_and_cmp ${TEST_CONF}/tunnel_icmp_vlan.conf \
    ${EMPTY} ${TEST_DATA}/tcp-fromb4-tob4-ipv6-ttl-1-reply.pcap \
    ${COUNTERS}/in-ipv4-ipv6-out-icmpv4-ipv6-hairpin-1.lua
 
+echo "Testing: from-to-b4 TCP packet, with hairpinning, TTL 1, drop policy"
+snabb_run_and_cmp ${TEST_CONF}/no_icmp_vlan.conf \
+   ${EMPTY} ${TEST_DATA}/tcp-fromb4-tob4-ipv6-ttl-1.pcap \
+   ${EMPTY} ${EMPTY} \
+   ${COUNTERS}/in-ipv4-ipv6-out-icmpv4-ipv6-hairpin-1-drop.lua
+
 echo "Testing: from-b4 IPv6 packet, with hairpinning, to B4 with custom lwAFTR address"
 snabb_run_and_cmp ${TEST_CONF}/no_icmp_vlan.conf \
    ${EMPTY} ${TEST_DATA}/tcp-fromb4-tob4-customBRIP-ipv6.pcap \

src/program/lwaftr/tests/end-to-end/end-to-end.sh

@@ -155,11 +155,17 @@ snabb_run_and_cmp ${TEST_BASE}/small_ipv6_mtu_no_icmp.conf \
    ${TEST_BASE}/tcp-ipv4-2ipv6frags-reassembled.pcap ${EMPTY} \
    ${COUNTERS}/in-1p-ipv6-out-1p-ipv4-3.lua
 
-echo "Testing: from-internet IPv4 packet found in the binding table, needs IPv6 fragmentation, DF set, ICMP-3,4."
+echo "Testing: from-internet IPv4 packet found in the binding table, needs IPv6 fragmentation, DF set, ICMP-3,4, drop policy."
 snabb_run_and_cmp ${TEST_BASE}/small_ipv6_mtu_no_icmp.conf \
+   ${TEST_BASE}/tcp-frominet-bound1494-DF.pcap  ${EMPTY} \
+   ${EMPTY} ${EMPTY} \
+   ${COUNTERS}/from-inet-ipv4-in-binding-big-packet-df-set-drop.lua
+
+echo "Testing: from-internet IPv4 packet found in the binding table, needs IPv6 fragmentation, DF set, ICMP-3,4, allow policy."
+snabb_run_and_cmp ${TEST_BASE}/small_ipv6_mtu_no_icmp_allow.conf \
    ${TEST_BASE}/tcp-frominet-bound1494-DF.pcap  ${EMPTY} \
    ${TEST_BASE}/icmpv4-fromlwaftr-replyto-tcp-frominet-bound1494-DF.pcap ${EMPTY} \
-   ${COUNTERS}/from-inet-ipv4-in-binding-big-packet-df-set.lua
+   ${COUNTERS}/from-inet-ipv4-in-binding-big-packet-df-set-allow.lua
 
 echo "Testing: from-internet IPv4 packet NOT found in the binding table, no ICMP."
 snabb_run_and_cmp ${TEST_BASE}/no_icmp.conf \
@@ -276,6 +282,12 @@ snabb_run_and_cmp ${TEST_BASE}/tunnel_icmp.conf \
    ${EMPTY} ${TEST_BASE}/tcp-fromb4-tob4-ipv6-ttl-1-reply.pcap \
    ${COUNTERS}/in-ipv4-ipv6-out-icmpv4-ipv6-hairpin-1.lua
 
+echo "Testing: from-to-b4 TCP packet, with hairpinning, TTL 1, drop policy"
+snabb_run_and_cmp ${TEST_BASE}/no_icmp.conf \
+   ${EMPTY} ${TEST_BASE}/tcp-fromb4-tob4-ipv6-ttl-1.pcap \
+   ${EMPTY} ${EMPTY} \
+   ${COUNTERS}/in-ipv4-ipv6-out-icmpv4-ipv6-hairpin-1-drop.lua
+
 echo "Testing: from-to-b4 IPv6 packet, with hairpinning, with vlan tag"
 snabb_run_and_cmp ${TEST_BASE}/vlan.conf \
    ${EMPTY} ${TEST_BASE}/tcp-fromb4-tob4-ipv6-vlan.pcap \