author | Klement Sekera <ksekera@cisco.com> | 2021-06-28 13:40:40 +0200 |
---|---|---|
committer | Ole Trøan <otroan@employees.org> | 2021-07-19 17:46:33 +0000 |
commit | 05b5a5b3b4b04823776feed6403b5a99b2e06d76 (patch) | |
tree | b3becc951fccb20f0785acf6f4349a0a2b16a484 /src/plugins/nat/nat44-ed/nat44_ed.h | |
parent | 04572bea3499ab013d92799648c38b021767ff39 (diff) |
nat: harden ICMP handling
Verify that headers are not truncated and that checksums are valid.
Correct checksum computation in translation code.
Type: fix
Change-Id: I6acfcec4661411f83c86b15aafac90cd4538c0b5
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Diffstat (limited to 'src/plugins/nat/nat44-ed/nat44_ed.h')
-rw-r--r-- | src/plugins/nat/nat44-ed/nat44_ed.h | 35 |
1 files changed, 19 insertions, 16 deletions
diff --git a/src/plugins/nat/nat44-ed/nat44_ed.h b/src/plugins/nat/nat44-ed/nat44_ed.h
index 15e8e480b4e..6abdbadae43 100644
--- a/src/plugins/nat/nat44-ed/nat44_ed.h
+++ b/src/plugins/nat/nat44-ed/nat44_ed.h
@@ -125,13 +125,14 @@ typedef enum
 #undef _
 } snat_session_state_t;
-#define foreach_nat_in2out_ed_error \
-_(UNSUPPORTED_PROTOCOL, "unsupported protocol") \
-_(OUT_OF_PORTS, "out of ports") \
-_(BAD_ICMP_TYPE, "unsupported ICMP type") \
-_(MAX_SESSIONS_EXCEEDED, "maximum sessions exceeded") \
-_(NON_SYN, "non-SYN packet try to create session") \
-_(TCP_CLOSED, "drops due to TCP in transitory timeout")
+#define foreach_nat_in2out_ed_error \
+ _ (UNSUPPORTED_PROTOCOL, "unsupported protocol") \
+ _ (OUT_OF_PORTS, "out of ports") \
+ _ (BAD_ICMP_TYPE, "unsupported ICMP type") \
+ _ (MAX_SESSIONS_EXCEEDED, "maximum sessions exceeded") \
+ _ (NON_SYN, "non-SYN packet try to create session") \
+ _ (TCP_CLOSED, "drops due to TCP in transitory timeout") \
+ _ (TRNSL_FAILED, "couldn't translate packet")
 typedef enum
 {
@@ -149,7 +150,8 @@ typedef enum
 _ (MAX_SESSIONS_EXCEEDED, "maximum sessions exceeded") \
 _ (NON_SYN, "non-SYN packet try to create session") \
 _ (TCP_CLOSED, "drops due to TCP in transitory timeout") \
- _ (HASH_ADD_FAILED, "hash table add failed")
+ _ (HASH_ADD_FAILED, "hash table add failed") \
+ _ (TRNSL_FAILED, "couldn't translate packet")
 typedef enum
 {
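Review bot: Both `foreach_nat_in2out_ed_error` in this hunk and the out2in error list in the next hunk gain a single `TRNSL_FAILED` counter, while the `nat_translation_error_e` enum later in this file now distinguishes truncated packets, corrupt inner IP headers and invalid checksums. If the node code maps all of those causes onto this one counter (the nodes are not on this page), an operator watching the NAT drop ICMP cannot tell a malformed or forged ICMP error from a genuine translation failure, which is exactly the distinction needed when deciding whether drops are an attack, a broken peer or a NAT bug. I would either add one counter per cause, e.g. `_ (TRNSL_FAILED, "couldn't translate packet")` followed by `_ (ICMP_TRUNCATED, "truncated ICMP packet")` and `_ (ICMP_BAD_CSUM, "invalid ICMP checksum")` (names are a proposal), or at minimum make the counter string say that checksum and truncation rejects are counted here.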
@@ -1132,17 +1134,18 @@ typedef enum
 NAT_ED_TRNSL_ERR_SUCCESS = 0,
 NAT_ED_TRNSL_ERR_TRANSLATION_FAILED = 1,
 NAT_ED_TRNSL_ERR_FLOW_MISMATCH = 2,
+ NAT_ED_TRNSL_ERR_PACKET_TRUNCATED = 3,
+ NAT_ED_TRNSL_ERR_INNER_IP_CORRUPT = 4,
+ NAT_ED_TRNSL_ERR_INVALID_CSUM = 5,
 } nat_translation_error_e;
-nat_translation_error_e
-nat_6t_flow_buf_translate_i2o (snat_main_t *sm, vlib_buffer_t *b,
- ip4_header_t *ip, nat_6t_flow_t *f,
- nat_protocol_t proto, int is_output_feature);
+nat_translation_error_e nat_6t_flow_buf_translate_i2o (
+ vlib_main_t *vm, snat_main_t *sm, vlib_buffer_t *b, ip4_header_t *ip,
+ nat_6t_flow_t *f, nat_protocol_t proto, int is_output_feature);
-nat_translation_error_e
-nat_6t_flow_buf_translate_o2i (snat_main_t *sm, vlib_buffer_t *b,
- ip4_header_t *ip, nat_6t_flow_t *f,
- nat_protocol_t proto, int is_output_feature);
+nat_translation_error_e nat_6t_flow_buf_translate_o2i (
+ vlib_main_t *vm, snat_main_t *sm, vlib_buffer_t *b, ip4_header_t *ip,
+ nat_6t_flow_t *f, nat_protocol_t proto, int is_output_feature);
 void nat_6t_l3_l4_csum_calc (nat_6t_flow_t *f); |
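Review bot: The three new `nat_translation_error_e` values and the new leading `vlib_main_t *vm` parameter on both `nat_6t_flow_buf_translate_*` prototypes carry no comment saying when each error is returned or why the translation now needs the main struct (presumably for the checksum work named in the commit message). A reader of this header cannot tell whether `NAT_ED_TRNSL_ERR_INVALID_CSUM` covers the outer ICMP checksum, the inner IP header checksum or both, nor whether `NAT_ED_TRNSL_ERR_PACKET_TRUNCATED` means the inner headers extend past the buffer's data, and these are the conditions a caller must map to drop counters and traces. I would add a trailing comment per value, e.g. `NAT_ED_TRNSL_ERR_PACKET_TRUNCATED = 3, /* inner headers run past end of buffer */`, and a `/** ... */` block on the two prototypes listing the possible return values and stating whether the buffer is left untouched when a non-success value is returned, if that is what the implementation guarantees.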