Send ICMP errors when the network is unreachable

Before this change, we would silently drop packets when unable to determine a
route to the destination host. This change brings us into line with RFC 792
(IPv4) and RFC 4443 (IPv6), both of which specify that gateways should return
an ICMP error to the sender when unable to reach the destination.

Startblock:
  has LGTM from asfez
  and then
  add reviewer ghanan
PiperOrigin-RevId: 372214051

3 files changed, 145 insertions, 25 deletions

diff --git a/pkg/tcpip/network/internal/ip/BUILD b/pkg/tcpip/network/internal/ip/BUILD
index d21b4c7ef..fd944ce99 100644
--- a/pkg/tcpip/network/internal/ip/BUILD
+++ b/pkg/tcpip/network/internal/ip/BUILD
@@ -6,6 +6,7 @@ go_library(
     name = "ip",
     srcs = [
         "duplicate_address_detection.go",
+        "errors.go",
         "generic_multicast_protocol.go",
         "stats.go",
     ],
diff --git a/pkg/tcpip/network/internal/ip/errors.go b/pkg/tcpip/network/internal/ip/errors.go
new file mode 100644
index 000000000..50fabfd79
--- /dev/null
+++ b/pkg/tcpip/network/internal/ip/errors.go
@@ -0,0 +1,77 @@
+// Copyright 2021 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ip
+
+import (
+	"fmt"
+
+	"gvisor.dev/gvisor/pkg/tcpip"
+)
+
+// ForwardingError represents an error that occured while trying to forward
+// a packet.
+type ForwardingError interface {
+	isForwardingError()
+	fmt.Stringer
+}
+
+// ErrTTLExceeded indicates that the received packet's TTL has been exceeded.
+type ErrTTLExceeded struct{}
+
+func (*ErrTTLExceeded) isForwardingError() {}
+
+func (*ErrTTLExceeded) String() string { return "ttl exceeded" }
+
+// ErrIPOptProblem indicates the received packet had a problem with an IP
+// option.
+type ErrIPOptProblem struct{}
+
+func (*ErrIPOptProblem) isForwardingError() {}
+
+func (*ErrIPOptProblem) String() string { return "ip option problem" }
+
+// ErrLinkLocalSourceAddress indicates the received packet had a link-local
+// source address.
+type ErrLinkLocalSourceAddress struct{}
+
+func (*ErrLinkLocalSourceAddress) isForwardingError() {}
+
+func (*ErrLinkLocalSourceAddress) String() string { return "link local destination address" }
+
+// ErrLinkLocalDestinationAddress indicates the received packet had a link-local
+// destination address.
+type ErrLinkLocalDestinationAddress struct{}
+
+func (*ErrLinkLocalDestinationAddress) isForwardingError() {}
+
+func (*ErrLinkLocalDestinationAddress) String() string { return "link local destination address" }
+
+// ErrNoRoute indicates the Netstack couldn't find a route for the
+// received packet.
+type ErrNoRoute struct{}
+
+func (*ErrNoRoute) isForwardingError() {}
+
+func (*ErrNoRoute) String() string { return "no route" }
+
+// ErrOther indicates the packet coould not be forwarded for a reason
+// captured by the contained error.
+type ErrOther struct {
+	Err tcpip.Error
+}
+
+func (*ErrOther) isForwardingError() {}
+
+func (e *ErrOther) String() string { return fmt.Sprintf("other tcpip error: %s", e.Err) }
diff --git a/pkg/tcpip/network/internal/ip/stats.go b/pkg/tcpip/network/internal/ip/stats.go
index d06b26309..392f0b0c7 100644
--- a/pkg/tcpip/network/internal/ip/stats.go
+++ b/pkg/tcpip/network/internal/ip/stats.go
@@ -18,73 +18,114 @@ import "gvisor.dev/gvisor/pkg/tcpip"
 
 // LINT.IfChange(MultiCounterIPStats)
 
+// MultiCounterIPForwardingStats holds IP forwarding statistics. Each counter
+// may have several versions.
+type MultiCounterIPForwardingStats struct {
+	// Unrouteable is the number of IP packets received which were dropped
+	// because the netstack could not construct a route to their
+	// destination.
+	Unrouteable tcpip.MultiCounterStat
+
+	// ExhaustedTTL is the number of IP packets received which were dropped
+	// because their TTL was exhausted.
+	ExhaustedTTL tcpip.MultiCounterStat
+
+	// LinkLocalSource is the number of IP packets which were dropped
+	// because they contained a link-local source address.
+	LinkLocalSource tcpip.MultiCounterStat
+
+	// LinkLocalDestination is the number of IP packets which were dropped
+	// because they contained a link-local destination address.
+	LinkLocalDestination tcpip.MultiCounterStat
+
+	// Errors is the number of IP packets received which could not be
+	// successfully forwarded.
+	Errors tcpip.MultiCounterStat
+}
+
 // MultiCounterIPStats holds IP statistics, each counter may have several
 // versions.
 type MultiCounterIPStats struct {
-	// PacketsReceived is the number of IP packets received from the link layer.
+	// PacketsReceived is the number of IP packets received from the link
+	// layer.
 	PacketsReceived tcpip.MultiCounterStat
 
-	// DisabledPacketsReceived is the number of IP packets received from the link
-	// layer when the IP layer is disabled.
+	// DisabledPacketsReceived is the number of IP packets received from
+	// the link layer when the IP layer is disabled.
 	DisabledPacketsReceived tcpip.MultiCounterStat
 
-	// InvalidDestinationAddressesReceived is the number of IP packets received
-	// with an unknown or invalid destination address.
+	// InvalidDestinationAddressesReceived is the number of IP packets
+	// received with an unknown or invalid destination address.
 	InvalidDestinationAddressesReceived tcpip.MultiCounterStat
 
-	// InvalidSourceAddressesReceived is the number of IP packets received with a
-	// source address that should never have been received on the wire.
+	// InvalidSourceAddressesReceived is the number of IP packets received
+	// with a source address that should never have been received on the
+	// wire.
 	InvalidSourceAddressesReceived tcpip.MultiCounterStat
 
-	// PacketsDelivered is the number of incoming IP packets that are successfully
-	// delivered to the transport layer.
+	// PacketsDelivered is the number of incoming IP packets that are
+	// successfully delivered to the transport layer.
 	PacketsDelivered tcpip.MultiCounterStat
 
 	// PacketsSent is the number of IP packets sent via WritePacket.
 	PacketsSent tcpip.MultiCounterStat
 
-	// OutgoingPacketErrors is the number of IP packets which failed to write to a
-	// link-layer endpoint.
+	// OutgoingPacketErrors is the number of IP packets which failed to
+	// write to a link-layer endpoint.
 	OutgoingPacketErrors tcpip.MultiCounterStat
 
-	// MalformedPacketsReceived is the number of IP Packets that were dropped due
-	// to the IP packet header failing validation checks.
+	// MalformedPacketsReceived is the number of IP Packets that were
+	// dropped due to the IP packet header failing validation checks.
 	MalformedPacketsReceived tcpip.MultiCounterStat
 
-	// MalformedFragmentsReceived is the number of IP Fragments that were dropped
-	// due to the fragment failing validation checks.
+	// MalformedFragmentsReceived is the number of IP Fragments that were
+	// dropped due to the fragment failing validation checks.
 	MalformedFragmentsReceived tcpip.MultiCounterStat
 
 	// IPTablesPreroutingDropped is the number of IP packets dropped in the
 	// Prerouting chain.
 	IPTablesPreroutingDropped tcpip.MultiCounterStat
 
-	// IPTablesInputDropped is the number of IP packets dropped in the Input
-	// chain.
+	// IPTablesInputDropped is the number of IP packets dropped in the
+	// Input chain.
 	IPTablesInputDropped tcpip.MultiCounterStat
 
-	// IPTablesOutputDropped is the number of IP packets dropped in the Output
-	// chain.
+	// IPTablesOutputDropped is the number of IP packets dropped in the
+	// Output chain.
 	IPTablesOutputDropped tcpip.MultiCounterStat
 
-	// IPTablesPostroutingDropped is the number of IP packets dropped in the
-	// Postrouting chain.
+	// IPTablesPostroutingDropped is the number of IP packets dropped in
+	// the Postrouting chain.
 	IPTablesPostroutingDropped tcpip.MultiCounterStat
 
-	// TODO(https://gvisor.dev/issues/5529): Move the IPv4-only option stats out
-	// of IPStats.
+	// TODO(https://gvisor.dev/issues/5529): Move the IPv4-only option
+	// stats out of IPStats.
 
 	// OptionTimestampReceived is the number of Timestamp options seen.
 	OptionTimestampReceived tcpip.MultiCounterStat
 
-	// OptionRecordRouteReceived is the number of Record Route options seen.
+	// OptionRecordRouteReceived is the number of Record Route options
+	// seen.
 	OptionRecordRouteReceived tcpip.MultiCounterStat
 
-	// OptionRouterAlertReceived is the number of Router Alert options seen.
+	// OptionRouterAlertReceived is the number of Router Alert options
+	// seen.
 	OptionRouterAlertReceived tcpip.MultiCounterStat
 
 	// OptionUnknownReceived is the number of unknown IP options seen.
 	OptionUnknownReceived tcpip.MultiCounterStat
+
+	// Forwarding collects stats related to IP forwarding.
+	Forwarding MultiCounterIPForwardingStats
+}
+
+// Init sets internal counters to track a and b counters.
+func (m *MultiCounterIPForwardingStats) Init(a, b *tcpip.IPForwardingStats) {
+	m.Unrouteable.Init(a.Unrouteable, b.Unrouteable)
+	m.Errors.Init(a.Errors, b.Errors)
+	m.LinkLocalSource.Init(a.LinkLocalSource, b.LinkLocalSource)
+	m.LinkLocalDestination.Init(a.LinkLocalDestination, b.LinkLocalDestination)
+	m.ExhaustedTTL.Init(a.ExhaustedTTL, b.ExhaustedTTL)
 }
 
 // Init sets internal counters to track a and b counters.
@@ -106,6 +147,7 @@ func (m *MultiCounterIPStats) Init(a, b *tcpip.IPStats) {
 	m.OptionRecordRouteReceived.Init(a.OptionRecordRouteReceived, b.OptionRecordRouteReceived)
 	m.OptionRouterAlertReceived.Init(a.OptionRouterAlertReceived, b.OptionRouterAlertReceived)
 	m.OptionUnknownReceived.Init(a.OptionUnknownReceived, b.OptionUnknownReceived)
+	m.Forwarding.Init(&a.Forwarding, &b.Forwarding)
 }
 
 // LINT.ThenChange(:MultiCounterIPStats, ../../../tcpip.go:IPStats)