summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDave Barach <dave@barachs.net>2017-01-27 04:04:35 -0500
committerDave Barach <dave@barachs.net>2017-01-27 04:16:48 -0500
commit19359429304030728c14bc7296024301867f1e81 (patch)
tree3af6976b2951c166dcb314b4dd288569d2ddd2ab
parent3d31f00c64de8900730440750182e64fa01ef885 (diff)
drop-and-count snat out2in packets with no translations
Send dhcp server-to-client packets to the ip stack, so we can acquire snat outside interface addresses from a dhcp server Change-Id: I7751356fa23d9f26b503c9796bd85f96275fe978 Signed-off-by: Dave Barach <dave@barachs.net>
-rw-r--r--src/plugins/snat/out2in.c44
1 files changed, 41 insertions, 3 deletions
diff --git a/src/plugins/snat/out2in.c b/src/plugins/snat/out2in.c
index 855e9efb806..f08e16d3c51 100644
--- a/src/plugins/snat/out2in.c
+++ b/src/plugins/snat/out2in.c
@@ -19,6 +19,7 @@
#include <vnet/handoff.h>
#include <vnet/ip/ip.h>
+#include <vnet/ip/udp.h>
#include <vnet/ethernet/ethernet.h>
#include <vnet/fib/ip4_fib.h>
#include <snat/snat.h>
@@ -437,6 +438,14 @@ snat_out2in_node_fn (vlib_main_t * vm,
if (snat_static_mapping_match(sm, key0, &sm0, 1))
{
b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
+ /*
+ * Send DHCP packets to the ipv4 stack, or we won't
+ * be able to use dhcp client on the outside interface
+ */
+ if (proto0 != SNAT_PROTOCOL_UDP
+ || (udp0->dst_port
+ != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))
+ next0 = SNAT_OUT2IN_NEXT_DROP;
goto trace0;
}
@@ -444,7 +453,11 @@ snat_out2in_node_fn (vlib_main_t * vm,
s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node,
cpu_index);
if (!s0)
- goto trace0;
+ {
+ b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
+ next0 = SNAT_OUT2IN_NEXT_DROP;
+ goto trace0;
+ }
}
else
s0 = pool_elt_at_index (sm->per_thread_data[cpu_index].sessions,
@@ -556,6 +569,14 @@ snat_out2in_node_fn (vlib_main_t * vm,
if (snat_static_mapping_match(sm, key1, &sm1, 1))
{
b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
+ /*
+ * Send DHCP packets to the ipv4 stack, or we won't
+ * be able to use dhcp client on the outside interface
+ */
+ if (proto1 != SNAT_PROTOCOL_UDP
+ || (udp1->dst_port
+ != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))
+ next1 = SNAT_OUT2IN_NEXT_DROP;
goto trace1;
}
@@ -563,7 +584,11 @@ snat_out2in_node_fn (vlib_main_t * vm,
s1 = create_session_for_static_mapping(sm, b1, sm1, key1, node,
cpu_index);
if (!s1)
- goto trace1;
+ {
+ b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
+ next1 = SNAT_OUT2IN_NEXT_DROP;
+ goto trace1;
+ }
}
else
s1 = pool_elt_at_index (sm->per_thread_data[cpu_index].sessions,
@@ -709,6 +734,15 @@ snat_out2in_node_fn (vlib_main_t * vm,
if (snat_static_mapping_match(sm, key0, &sm0, 1))
{
b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
+ /*
+ * Send DHCP packets to the ipv4 stack, or we won't
+ * be able to use dhcp client on the outside interface
+ */
+ if (proto0 != SNAT_PROTOCOL_UDP
+ || (udp0->dst_port
+ != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))
+
+ next0 = SNAT_OUT2IN_NEXT_DROP;
goto trace00;
}
@@ -716,7 +750,11 @@ snat_out2in_node_fn (vlib_main_t * vm,
s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node,
cpu_index);
if (!s0)
- goto trace00;
+ {
+ b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
+ next0 = SNAT_OUT2IN_NEXT_DROP;
+ goto trace00;
+ }
}
else
s0 = pool_elt_at_index (sm->per_thread_data[cpu_index].sessions,