diff options
author | Juraj Sloboda <jsloboda@cisco.com> | 2018-04-13 12:00:46 +0200 |
---|---|---|
committer | Chris Luke <chris_luke@comcast.com> | 2018-04-13 15:40:44 +0000 |
commit | 1d328abbe9d3d3dd7a0a92d79706616744d5d2fc (patch) | |
tree | bc7ada5841db1ad9ee081acc026727d8adc05d51 | |
parent | 1af3389118b49e89e82b05db28865c8197577b0f (diff) |
NAT66: Do not translate if packet not aimed at outside interface
Change-Id: Id5a2a90d81cc9cb87cb6fb89ac2f4ca3cbcb51e2
Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
(cherry picked from commit 9341e34b500ce7c68fc6857a24ee7b67cac121b1)
-rw-r--r-- | src/plugins/nat/nat.c | 9 | ||||
-rw-r--r-- | src/plugins/nat/nat66.h | 3 | ||||
-rw-r--r-- | src/plugins/nat/nat66_in2out.c | 43 | ||||
-rw-r--r-- | test/test_nat.py | 23 |
4 files changed, 78 insertions, 0 deletions
diff --git a/src/plugins/nat/nat.c b/src/plugins/nat/nat.c index b4e5c799ac6..84a94c57f6f 100644 --- a/src/plugins/nat/nat.c +++ b/src/plugins/nat/nat.c @@ -2430,12 +2430,14 @@ static clib_error_t * snat_config (vlib_main_t * vm, unformat_input_t * input) { snat_main_t * sm = &snat_main; + nat66_main_t * nm = &nat66_main; u32 translation_buckets = 1024; u32 translation_memory_size = 128<<20; u32 user_buckets = 128; u32 user_memory_size = 64<<20; u32 max_translations_per_user = 100; u32 outside_vrf_id = 0; + u32 outside_ip6_vrf_id = 0; u32 inside_vrf_id = 0; u32 static_mapping_buckets = 1024; u32 static_mapping_memory_size = 64<<20; @@ -2468,6 +2470,9 @@ snat_config (vlib_main_t * vm, unformat_input_t * input) else if (unformat (input, "outside VRF id %d", &outside_vrf_id)) ; + else if (unformat (input, "outside ip6 VRF id %d", + &outside_ip6_vrf_id)) + ; else if (unformat (input, "inside VRF id %d", &inside_vrf_id)) ; @@ -2511,6 +2516,10 @@ snat_config (vlib_main_t * vm, unformat_input_t * input) sm->outside_fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, outside_vrf_id, FIB_SOURCE_PLUGIN_HI); + nm->outside_vrf_id = outside_ip6_vrf_id; + nm->outside_fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP6, + outside_ip6_vrf_id, + FIB_SOURCE_PLUGIN_HI); sm->inside_vrf_id = inside_vrf_id; sm->inside_fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, inside_vrf_id, diff --git a/src/plugins/nat/nat66.h b/src/plugins/nat/nat66.h index ac5557fc491..52befd5c166 100644 --- a/src/plugins/nat/nat66.h +++ b/src/plugins/nat/nat66.h @@ -55,6 +55,9 @@ typedef struct clib_bihash_24_8_t sm_e; /** Session counters */ vlib_combined_counter_main_t session_counters; + + u32 outside_vrf_id; + u32 outside_fib_index; } nat66_main_t; extern nat66_main_t nat66_main; diff --git a/src/plugins/nat/nat66_in2out.c b/src/plugins/nat/nat66_in2out.c index 1ec4da78d63..d606bf46260 100644 --- a/src/plugins/nat/nat66_in2out.c +++ b/src/plugins/nat/nat66_in2out.c @@ -69,6 +69,46 @@ typedef enum NAT66_IN2OUT_N_NEXT, } nat66_in2out_next_t; +static inline u8 +nat66_not_translate (u32 rx_fib_index, ip6_address_t ip6_addr) +{ + nat66_main_t *nm = &nat66_main; + u32 sw_if_index; + snat_interface_t *i; + fib_node_index_t fei = FIB_NODE_INDEX_INVALID; + fib_prefix_t pfx = { + .fp_proto = FIB_PROTOCOL_IP6, + .fp_len = 128, + .fp_addr = { + .ip6 = ip6_addr, + }, + }; + + fei = fib_table_lookup (rx_fib_index, &pfx); + if (FIB_NODE_INDEX_INVALID == fei) + return 1; + sw_if_index = fib_entry_get_resolving_interface (fei); + + if (sw_if_index == ~0) + { + fei = fib_table_lookup (nm->outside_fib_index, &pfx); + if (FIB_NODE_INDEX_INVALID == fei) + return 1; + sw_if_index = fib_entry_get_resolving_interface (fei); + } + + /* *INDENT-OFF* */ + pool_foreach (i, nm->interfaces, + ({ + /* NAT packet aimed at outside interface */ + if (nat_interface_is_outside (i) && sw_if_index == i->sw_if_index) + return 0; + })); + /* *INDENT-ON* */ + + return 1; +} + static inline uword nat66_in2out_node_fn (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame) @@ -131,6 +171,9 @@ nat66_in2out_node_fn (vlib_main_t * vm, vlib_node_runtime_t * node, fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP6, sw_if_index0); + if (nat66_not_translate (fib_index0, ip60->dst_address)) + goto trace0; + sm0 = nat66_static_mapping_get (&ip60->src_address, fib_index0, 1); if (PREDICT_FALSE (!sm0)) { diff --git a/test/test_nat.py b/test/test_nat.py index 4470a054bed..7c126199072 100644 --- a/test/test_nat.py +++ b/test/test_nat.py @@ -6436,6 +6436,29 @@ class TestNAT66(MethodHolder): self.assertEqual(len(sm), 1) self.assertEqual(sm[0].total_pkts, 8) + def test_check_no_translate(self): + """ NAT66 translate only when egress interface is outside interface """ + self.vapi.nat66_add_del_interface(self.pg0.sw_if_index) + self.vapi.nat66_add_del_interface(self.pg1.sw_if_index) + self.vapi.nat66_add_del_static_mapping(self.pg0.remote_ip6n, + self.nat_addr_n) + + # in2out + p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / + IPv6(src=self.pg0.remote_ip6, dst=self.pg1.remote_ip6) / + UDP()) + self.pg0.add_stream([p]) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg1.get_capture(1) + packet = capture[0] + try: + self.assertEqual(packet[IPv6].src, self.pg0.remote_ip6) + self.assertEqual(packet[IPv6].dst, self.pg1.remote_ip6) + except: + self.logger.error(ppp("Unexpected or invalid packet:", packet)) + raise + def clear_nat66(self): """ Clear NAT66 configuration. |