diff options
| author |   Klement Sekera <ksekera@cisco.com> | 2021-06-21 16:04:40 +0200 |
|---|---|---|
| committer |   Ole Tr�an <otroan@employees.org> | 2021-06-22 13:23:38 +0000 |
| commit | 79699b00c155f9f5b776451a55e151befa3ba33b (patch) | |
| tree | 14719b24cd6f3bb673e6ec1f92d8696f6d17ada6 | |
| parent | c73f3299ad765c87f57a0a810819d42c11b04d5e (diff) | |
nat: don't drop packet with ttl=1 if output feature
TTL was already decremented in ip4-rewrite so it's okay if it's 1.
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I587dc343737c15247eb62837a06d5e44c0d11acc
| -rw-r--r-- | src/plugins/nat/nat44-ed/nat44_ed_in2out.c | 4 | ||||
| -rw-r--r-- | test/test_nat44_ed.py | 26 |
2 files changed, 28 insertions, 2 deletions
diff --git a/src/plugins/nat/nat44-ed/nat44_ed_in2out.c b/src/plugins/nat/nat44-ed/nat44_ed_in2out.c index f3f3ffa13b0..426b6eeba5c 100644 --- a/src/plugins/nat/nat44-ed/nat44_ed_in2out.c +++ b/src/plugins/nat/nat44-ed/nat44_ed_in2out.c @@ -1030,7 +1030,7 @@ nat44_ed_in2out_fast_path_node_fn_inline (vlib_main_t *vm, fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index0); lookup.fib_index = rx_fib_index0; - if (PREDICT_FALSE (ip0->ttl == 1)) + if (PREDICT_FALSE (!is_output_feature && ip0->ttl == 1)) { vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded, @@ -1308,7 +1308,7 @@ nat44_ed_in2out_slow_path_node_fn_inline (vlib_main_t *vm, rx_fib_index0 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index0); - if (PREDICT_FALSE (ip0->ttl == 1)) + if (PREDICT_FALSE (!is_output_feature && ip0->ttl == 1)) { vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded, diff --git a/test/test_nat44_ed.py b/test/test_nat44_ed.py index 8fba019e7d8..9eea7c820ae 100644 --- a/test/test_nat44_ed.py +++ b/test/test_nat44_ed.py @@ -1189,6 +1189,32 @@ class TestNAT44ED(NAT44EDTestCase): capture = self.pg0.get_capture(len(pkts)) self.verify_capture_in(capture, self.pg0) + # in2out + pkts = self.create_stream_in(self.pg0, self.pg1, ttl=2) + self.pg0.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg1.get_capture(len(pkts)) + self.verify_capture_out(capture, ignore_port=True) + + # out2in + pkts = self.create_stream_out(self.pg1, ttl=2) + self.pg1.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg0.get_capture(len(pkts)) + self.verify_capture_in(capture, self.pg0) + + # in2out + pkts = self.create_stream_in(self.pg0, self.pg1, ttl=1) + self.pg0.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg0.get_capture(len(pkts)) + for p in capture: + self.assertIn(ICMP, p) + self.assertEqual(p[ICMP].type, 11) # 11 == time-exceeded + def test_static_with_port_out2(self): """ NAT44ED 1:1 NAPT asymmetrical rule """ |