aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorVladimir Isaev <visaev@netgate.com>2020-10-07 14:55:11 +0300
committerMatthew Smith <mgsmith@netgate.com>2020-10-14 14:11:19 +0000
commit238d3844b210ff09d9092dd3f5d78cde8b7de1aa (patch)
tree7a5bba9abf6621299e59ee2aa50f7c84cffc7b08
parent41b5ed63c232f754d28cff56304d9efab6b15147 (diff)
nat: Fix ICMP bypass session creation
After get_icmp_o2i_ed_key() bihash key may include IP protocol and addresses from inner ICMP packet. It is OK for session lookup, but we should not create a session on ICMP error message receiving. Type: fix Signed-off-by: Vladimir Isaev <visaev@netgate.com> Change-Id: Ic93272ebe90d2288a975265439f9e079eb28936a
-rw-r--r--src/plugins/nat/out2in_ed.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/plugins/nat/out2in_ed.c b/src/plugins/nat/out2in_ed.c
index 15cf48067d7..e9fbc595f04 100644
--- a/src/plugins/nat/out2in_ed.c
+++ b/src/plugins/nat/out2in_ed.c
@@ -452,6 +452,12 @@ create_bypass_for_fwd (snat_main_t * sm, vlib_buffer_t * b, ip4_header_t * ip,
pool_elt_at_index (tsm->sessions,
ed_value_get_session_index (&value));
}
+ else if (ip->protocol == IP_PROTOCOL_ICMP &&
+ icmp_type_is_error_message
+ (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
+ {
+ return;
+ }
else
{
u32 proto;