diff options
author | Filip Varga <fivarga@cisco.com> | 2020-02-25 14:31:33 +0100 |
---|---|---|
committer | Ole Trøan <otroan@employees.org> | 2020-03-13 11:17:13 +0000 |
commit | a73f2d6f53c224668bd6bbea1a980ee4313c794f (patch) | |
tree | c40965985639940beb294e8688aedbe30e47a548 /src/plugins/nat/out2in_ed.c | |
parent | c27b43673237c3971c1c170646b531728e0d8eb1 (diff) |
nat: timed out session scavenging upgrade
Patch changes the behavior of session scavenging and fixes multiple
nat issues. Allows proper session clearing and removes issue with lingering sessions
in session db. Patch also updates and fixes CLI/API calls for better readability
of session state metrics. Fixes security issue that would allow attacker to
reuse timed out session in both directions (in2out/out2in).
Type: improvement
Signed-off-by: Filip Varga <fivarga@cisco.com>
Change-Id: I78897585a2a57291fad5db6d457941aa0a0457bd
Diffstat (limited to 'src/plugins/nat/out2in_ed.c')
-rw-r--r-- | src/plugins/nat/out2in_ed.c | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/src/plugins/nat/out2in_ed.c b/src/plugins/nat/out2in_ed.c index 91b8d5a8aae..420b7b7a863 100644 --- a/src/plugins/nat/out2in_ed.c +++ b/src/plugins/nat/out2in_ed.c @@ -203,8 +203,6 @@ create_session_for_static_mapping_ed (snat_main_t * sm, snat_session_key_t eh_key; nat44_is_idle_session_ctx_t ctx; - nat44_session_try_cleanup (&l_key.addr, l_key.fib_index, thread_index, now); - if (PREDICT_FALSE (nat44_maximum_sessions_exceeded (sm, thread_index))) { b->error = node->errors[NAT_OUT2IN_ED_ERROR_MAX_SESSIONS_EXCEEDED]; @@ -764,6 +762,21 @@ nat44_ed_out2in_fast_path_node_fn_inline (vlib_main_t * vm, } s0 = pool_elt_at_index (tsm->sessions, value0.value); + // drop if session expired + u64 sess_timeout_time; + sess_timeout_time = s0->last_heard + + (f64) nat44_session_get_timeout (sm, s0); + if (now >= sess_timeout_time) + { + // delete session + nat_free_session_data (sm, s0, thread_index, 0); + nat44_delete_session (sm, s0, thread_index); + + next0 = NAT_NEXT_DROP; + goto trace0; + } + // + old_addr0 = ip0->dst_address.as_u32; new_addr0 = ip0->dst_address.as_u32 = s0->in2out.addr.as_u32; vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index; |