author | Matus Fabian <matfabia@cisco.com> | 2018-09-05 06:01:55 -0700 |
---|---|---|
committer | Ole Trøan <otroan@employees.org> | 2018-09-06 07:32:30 +0000 |
commit | a7f8b228ff505acc052a77101b12e714ead26536 (patch) | |
tree | 44f42ff50c300bfd3c5517de7a4de8e537541c42 /src/plugins/nat/nat_reass.c | |
parent | 05ca4a364366ffd639b6136967330deb249cbe22 (diff) |
NAT: fix maximum out of order fragments (VPP-1399)
All fragments should be dropped when max_frag is 1 and 2 non-initial fragments are received before the first fragment.
Change-Id: Id0c968f45629698e347e8226c5926f27b48b82d6
Signed-off-by: Matus Fabian <matfabia@cisco.com>
Diffstat (limited to 'src/plugins/nat/nat_reass.c')
-rwxr-xr-x | src/plugins/nat/nat_reass.c | 24 |
1 files changed, 22 insertions, 2 deletions
diff --git a/src/plugins/nat/nat_reass.c b/src/plugins/nat/nat_reass.c index eb1b4925521..8fd370de2fc 100755 --- a/src/plugins/nat/nat_reass.c +++ b/src/plugins/nat/nat_reass.c @@ -249,6 +249,13 @@ nat_ip4_reass_find_or_create (ip4_address_t src, ip4_address_t dst, srm->ip4_reass_head_index, reass->lru_list_index); } + + if (reass->flags && NAT_REASS_FLAG_MAX_FRAG_DROP) + { + reass = 0; + goto unlock; + } + goto unlock; } @@ -326,7 +333,8 @@ unlock: } int -nat_ip4_reass_add_fragment (nat_reass_ip4_t * reass, u32 bi) +nat_ip4_reass_add_fragment (nat_reass_ip4_t * reass, u32 bi, + u32 ** bi_to_drop) { nat_reass_main_t *srm = &nat_reass_main; dlist_elt_t *elt; @@ -336,6 +344,8 @@ nat_ip4_reass_add_fragment (nat_reass_ip4_t * reass, u32 bi) { nat_ipfix_logging_max_fragments_ip4 (srm->ip4_max_frag, &reass->key.src); + reass->flags |= NAT_REASS_FLAG_MAX_FRAG_DROP; + nat_ip4_reass_get_frags_inline (reass, bi_to_drop); return -1; } @@ -446,6 +456,13 @@ nat_ip6_reass_find_or_create (ip6_address_t src, ip6_address_t dst, srm->ip6_reass_head_index, reass->lru_list_index); } + + if (reass->flags && NAT_REASS_FLAG_MAX_FRAG_DROP) + { + reass = 0; + goto unlock; + } + goto unlock; } @@ -522,7 +539,8 @@ unlock: } int -nat_ip6_reass_add_fragment (nat_reass_ip6_t * reass, u32 bi) +nat_ip6_reass_add_fragment (nat_reass_ip6_t * reass, u32 bi, + u32 ** bi_to_drop) { nat_reass_main_t *srm = &nat_reass_main; dlist_elt_t *elt; @@ -532,6 +550,8 @@ nat_ip6_reass_add_fragment (nat_reass_ip6_t * reass, u32 bi) { nat_ipfix_logging_max_fragments_ip6 (srm->ip6_max_frag, &reass->key.src); + reass->flags |= NAT_REASS_FLAG_MAX_FRAG_DROP; + nat_ip6_reass_get_frags_inline (reass, bi_to_drop); return -1; } |
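Review bot: The check added to nat_ip4_reass_find_or_create uses logical AND, `if (reass->flags && NAT_REASS_FLAG_MAX_FRAG_DROP)`, so it is true whenever `flags` is non-zero, not only when this bit is set. That is correct only while NAT_REASS_FLAG_MAX_FRAG_DROP is the sole value ever stored in `flags`; once a second flag exists, any reassembly carrying it makes the lookup return 0 and its fragments are presumably dropped by the caller. The test should be `if (reass->flags & NAT_REASS_FLAG_MAX_FRAG_DROP)`. The identical line in the nat_ip6_reass_find_or_create hunk (`@@ -446,6 +456,13 @@`) needs the same change; both functions start and end outside their hunks.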
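Review bot: The new out-parameter `bi_to_drop` of nat_ip4_reass_add_fragment (hunk `@@ -326,7 +333,8 @@`) is added without any comment stating its contract. Judging from the `@@ -336,6 +344,8 @@` hunk, it receives the fragments already cached for the reassembly when the max-fragment path returns -1, while the triggering `bi` is not appended and is apparently left for the caller to drop. If that is the intended contract, a comment above the definition should say so, e.g. `/* On the max_frag -1 return, *bi_to_drop gets the cached buffer indices; bi itself is not added and must be dropped by the caller. */`, and it should state whether a null `bi_to_drop` is allowed. The same applies to nat_ip6_reass_add_fragment at `@@ -522,7 +539,8 @@`; both bodies continue outside the hunk.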
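Review bot: In the `@@ -336,6 +344,8 @@` hunk, `reass->flags |= NAT_REASS_FLAG_MAX_FRAG_DROP;` sets the flag, but no hunk in this file ever clears it. The allocation and reuse path of find_or_create is outside the diff, so this is an inference: if a reassembly entry is recycled for a different flow without resetting `flags`, the stale bit would make every later lookup for the new flow return 0. It is worth confirming that entry initialisation resets the field, e.g. `reass->flags = 0;` next to where the key and `frag_n` are set up. The same question applies to the ip6 hunk at `@@ -532,6 +550,8 @@`.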