From 238d3844b210ff09d9092dd3f5d78cde8b7de1aa Mon Sep 17 00:00:00 2001
From: Vladimir Isaev
Date: Wed, 7 Oct 2020 14:55:11 +0300
Subject: nat: Fix ICMP bypass session creation

After get_icmp_o2i_ed_key() bihash key may include IP protocol and addresses from inner ICMP packet. It is OK for session lookup, but we should not create a session on ICMP error message receiving.

Type: fix
Signed-off-by: Vladimir Isaev
Change-Id: Ic93272ebe90d2288a975265439f9e079eb28936a
---
 src/plugins/nat/out2in_ed.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/plugins/nat/out2in_ed.c b/src/plugins/nat/out2in_ed.c
index 15cf48067d7..e9fbc595f04 100644
--- a/src/plugins/nat/out2in_ed.c
+++ b/src/plugins/nat/out2in_ed.c
@@ -452,6 +452,12 @@ create_bypass_for_fwd (snat_main_t * sm, vlib_buffer_t * b, ip4_header_t * ip,
 pool_elt_at_index (tsm->sessions,
 ed_value_get_session_index (&value));
 }
+ else if (ip->protocol == IP_PROTOCOL_ICMP &&
+ icmp_type_is_error_message
+ (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
+ {
+ return;
+ }
 else
 {
 u32 proto;
--
cgit 1.2.3-korg
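Review bot: The new `else if` branch returns silently, with no comment tying it to how the lookup key was built, so a later reader cannot tell that the guard exists because the key for an ICMP error comes from the embedded inner packet and must never seed a new session. A one-line comment above the branch would record that, e.g. `/* ICMP error: key is taken from the inner packet; look up only, never create state */`. The test also trusts `vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags`, which is presumably filled in by an earlier node; if any caller can reach create_bypass_for_fwd without it populated, an ICMP error would fall through to the creation path, so that precondition is worth stating in the function's header comment. The function body starts and ends outside the hunk, so what happens to a matched session after the chain is not visible here.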