From 19359429304030728c14bc7296024301867f1e81 Mon Sep 17 00:00:00 2001
From: Dave Barach
Date: Fri, 27 Jan 2017 04:04:35 -0500
Subject: drop-and-count snat out2in packets with no translations
Send dhcp server-to-client packets to the ip stack, so we can acquire snat outside interface addresses from a dhcp server
Change-Id: I7751356fa23d9f26b503c9796bd85f96275fe978
Signed-off-by: Dave Barach
---
src/plugins/snat/out2in.c | 44 +++++++++++++++++++++++++++++++++++++++++---
1 file changed, 41 insertions(+), 3 deletions(-)
diff --git a/src/plugins/snat/out2in.c b/src/plugins/snat/out2in.c
index 855e9efb..f08e16d3 100644
--- a/src/plugins/snat/out2in.c
+++ b/src/plugins/snat/out2in.c
@@ -19,6 +19,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -437,6 +438,14 @@ snat_out2in_node_fn (vlib_main_t * vm,
 if (snat_static_mapping_match(sm, key0, &sm0, 1))
 {
 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
+ /*
+ * Send DHCP packets to the ipv4 stack, or we won't
+ * be able to use dhcp client on the outside interface
+ */
+ if (proto0 != SNAT_PROTOCOL_UDP
+ || (udp0->dst_port
+ != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))
+ next0 = SNAT_OUT2IN_NEXT_DROP;
 goto trace0;
 }
@@ -444,7 +453,11 @@ snat_out2in_node_fn (vlib_main_t * vm,
 s0 = create_session_for_static_mapping(sm, b0, sm0, key0,
 node, cpu_index);
 if (!s0)
- goto trace0;
+ {
+ b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
+ next0 = SNAT_OUT2IN_NEXT_DROP;
+ goto trace0;
+ }
 }
 else
 s0 = pool_elt_at_index (sm->per_thread_data[cpu_index].sessions,
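Review bot: The NO_TRANSLATION error code is stored on the buffer before the DHCP test, so a server-to-client DHCP packet that is handed on to the ip4 stack still carries `b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];` — wherever that field is read later (the trace path, or any downstream error accounting) the forwarded packet will look like a translation failure. Moving the assignment into the drop branch keeps the error on dropped packets only; the same pattern is repeated at the -556 hunk (b1/next1) and the -709 hunk (single-packet loop). The exemption keys only on UDP plus the dhcp_to_client destination port, and the value next0 keeps for an exempted packet is assigned outside the hunk, so whether any further filtering of outside-originated traffic to that port happens depends on that downstream node — worth confirming. snat_out2in_node_fn starts and ends outside the hunk.
```c
          /* … unchanged: comment explaining the DHCP exemption … */
          if (proto0 != SNAT_PROTOCOL_UDP
              || (udp0->dst_port
                  != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))
            {
              b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
              next0 = SNAT_OUT2IN_NEXT_DROP;
            }
          goto trace0;
```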
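Review bot: On the `if (!s0)` path the new block unconditionally writes `b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];` after create_session_for_static_mapping() failed; if that helper (defined outside the hunk) already records a more specific error on b0 when it cannot allocate a session, this assignment overwrites it and the counters will attribute allocation failures to missing translations. If it does, keep only `next0 = SNAT_OUT2IN_NEXT_DROP;` here; if it does not, a short comment such as `/* static mapping matched but no session could be created: drop and count */` would make the choice explicit. The same block is repeated at the -563 hunk (s1/next1/trace1) and the -716 hunk (single-packet loop, trace00).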
@@ -556,6 +569,14 @@ snat_out2in_node_fn (vlib_main_t * vm,
 if (snat_static_mapping_match(sm, key1, &sm1, 1))
 {
 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
+ /*
+ * Send DHCP packets to the ipv4 stack, or we won't
+ * be able to use dhcp client on the outside interface
+ */
+ if (proto1 != SNAT_PROTOCOL_UDP
+ || (udp1->dst_port
+ != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))
+ next1 = SNAT_OUT2IN_NEXT_DROP;
 goto trace1;
 }
@@ -563,7 +584,11 @@ snat_out2in_node_fn (vlib_main_t * vm,
 s1 = create_session_for_static_mapping(sm, b1, sm1, key1,
 node, cpu_index);
 if (!s1)
- goto trace1;
+ {
+ b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
+ next1 = SNAT_OUT2IN_NEXT_DROP;
+ goto trace1;
+ }
 }
 else
 s1 = pool_elt_at_index (sm->per_thread_data[cpu_index].sessions,
@@ -709,6 +734,15 @@ snat_out2in_node_fn (vlib_main_t * vm,
 if (snat_static_mapping_match(sm, key0, &sm0, 1))
 {
 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
+ /*
+ * Send DHCP packets to the ipv4 stack, or we won't
+ * be able to use dhcp client on the outside interface
+ */
+ if (proto0 != SNAT_PROTOCOL_UDP
+ || (udp0->dst_port
+ != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))
+
+ next0 = SNAT_OUT2IN_NEXT_DROP;
 goto trace00;
 }
@@ -716,7 +750,11 @@ snat_out2in_node_fn (vlib_main_t * vm,
 s0 = create_session_for_static_mapping(sm, b0, sm0, key0,
 node, cpu_index);
 if (!s0)
- goto trace00;
+ {
+ b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
+ next0 = SNAT_OUT2IN_NEXT_DROP;
+ goto trace00;
+ }
 }
 else
 s0 = pool_elt_at_index (sm->per_thread_data[cpu_index].sessions,
-- 
cgit 1.2.3-korg
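Review bot: In the -709 hunk a stray empty added line sits between the three-line `if (proto0 != SNAT_PROTOCOL_UDP ...)` condition and its unbraced body `next0 = SNAT_OUT2IN_NEXT_DROP;`, unlike the two earlier copies of this block in the dual-packet loop; with no braces, the blank line visually detaches the statement from its condition and makes a later edit that adds a second statement easy to get wrong. Drop the blank line and brace the body, `{ next0 = SNAT_OUT2IN_NEXT_DROP; }`, so all three copies read the same. snat_out2in_node_fn continues outside the hunk.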