summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMatthew Smith <mgsmith@netgate.com>2024-02-05 22:57:55 +0000
committerMatthew Smith <mgsmith@netgate.com>2024-03-05 23:31:40 +0000
commit205ed8f8845a8ea36f38ed29df158a5a07c2e2c3 (patch)
tree3b2d78c3e33485a62f955ad59ce63dea0a758831
parent904459ff32ffce73b97dd3cb40f0b367a6b558f9 (diff)
ip: force full reassembly before virtual
Type: improvement The vnet buffer metadata for full IP reassembly and shallow virtual reassembly overlaps. If you have full reassembly and virtual reassembly enabled on the same interface and virtual reassembly happens to process packets first, full reassembly will stomp on the metadata populated by virtual reassembly. Virtual reassembly gets enabled implicitly when NAT feature nodes are enabled. Those NAT feature nodes rely on the virtual reassembly metadata being populated correctly in order to find L4 proto & ports. When NAT and IP full reassembly are both enabled on an interface, NAT can drop fragmented packets because the virtual reassembly metadata can be overwritten by full reassembly. Ensure that full reassembly runs before virtual reassembly. Add a runs_before dependency to ensure that ip4-full-reassembly-feature runs before ip4-sv-reassembly-feature. There was a duplicate VNET_FEATURE_INIT() for ip4-full-reassembly-feature. It seems to have been intended for enabling ip4-full-reassembly-custom as a feature node, but its contents are identical to the earlier VNET_FEATURE_INIT() for ip4-full-reassembly-feature. Removed the duplicate. Change-Id: Ie600b854d4ceb90a7cb736810140d410b8f72447 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
-rw-r--r--src/vnet/ip/reass/ip4_full_reass.c19
1 files changed, 5 insertions, 14 deletions
diff --git a/src/vnet/ip/reass/ip4_full_reass.c b/src/vnet/ip/reass/ip4_full_reass.c
index c65f349e5b0..7f0b8d90c12 100644
--- a/src/vnet/ip/reass/ip4_full_reass.c
+++ b/src/vnet/ip/reass/ip4_full_reass.c
@@ -1424,11 +1424,11 @@ VLIB_REGISTER_NODE (ip4_full_reass_node_feature) = {
};
VNET_FEATURE_INIT (ip4_full_reass_feature, static) = {
- .arc_name = "ip4-unicast",
- .node_name = "ip4-full-reassembly-feature",
- .runs_before = VNET_FEATURES ("ip4-lookup",
- "ipsec4-input-feature"),
- .runs_after = 0,
+ .arc_name = "ip4-unicast",
+ .node_name = "ip4-full-reassembly-feature",
+ .runs_before = VNET_FEATURES ("ip4-lookup", "ipsec4-input-feature",
+ "ip4-sv-reassembly-feature"),
+ .runs_after = 0,
};
VLIB_NODE_FN (ip4_full_reass_node_custom) (vlib_main_t * vm,
@@ -1453,15 +1453,6 @@ VLIB_REGISTER_NODE (ip4_full_reass_node_custom) = {
},
};
-VNET_FEATURE_INIT (ip4_full_reass_custom, static) = {
- .arc_name = "ip4-unicast",
- .node_name = "ip4-full-reassembly-feature",
- .runs_before = VNET_FEATURES ("ip4-lookup",
- "ipsec4-input-feature"),
- .runs_after = 0,
-};
-
-
#ifndef CLIB_MARCH_VARIANT
uword
ip4_full_reass_custom_register_next_node (uword node_index)