author | Filip Varga <fivarga@cisco.com> | 2021-06-29 12:10:01 +0200 |
---|---|---|
committer | Ole Tr�an <otroan@employees.org> | 2021-07-15 11:17:29 +0000 |
commit | 0aea808ac5cb1132b9787c8f7d5f9d995cd3413b (patch) | |
tree | fe6a512c0944ab7cfb35b15386cf9d4892e5c320 /src/plugins | |
parent | a0648b66df7579ff1b37feaece8d00984e9cf326 (diff) |
nat: nat44-ed sm fix
Fixing nat44-ed identity map in2out communication.
TCP packets would get dropped because of the order
of testing TCP state.
Type: fix
Change-Id: Ib11e7e75c66945224fecc0bb311733672e315c7d
Signed-off-by: Filip Varga <fivarga@cisco.com>
Diffstat (limited to 'src/plugins')
-rw-r--r-- | src/plugins/nat/nat44-ed/nat44_ed_in2out.c | 28 |
1 files changed, 13 insertions, 15 deletions
diff --git a/src/plugins/nat/nat44-ed/nat44_ed_in2out.c b/src/plugins/nat/nat44-ed/nat44_ed_in2out.c
index f7257db789f..523d26257bf 100644
--- a/src/plugins/nat/nat44-ed/nat44_ed_in2out.c
+++ b/src/plugins/nat/nat44-ed/nat44_ed_in2out.c
@@ -342,7 +342,7 @@ slow_path_ed (vlib_main_t *vm, snat_main_t *sm, vlib_buffer_t *b,
 ip4_address_t outside_addr;
 u16 outside_port;
 u32 outside_fib_index;
- u8 is_identity_nat;
+ u8 is_identity_nat = 0;
 u32 nat_proto = ip_proto_to_nat_proto (proto);
 snat_session_t *s = NULL;
@@ -350,17 +350,6 @@ slow_path_ed (vlib_main_t *vm, snat_main_t *sm, vlib_buffer_t *b,
 ip4_address_t daddr = r_addr;
 u16 dport = r_port;
- if (PREDICT_TRUE (nat_proto == NAT_PROTOCOL_TCP))
- {
- if (PREDICT_FALSE
- (!tcp_flags_is_init
- (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags)))
- {
- b->error = node->errors[NAT_IN2OUT_ED_ERROR_NON_SYN];
- return NAT_NEXT_DROP;
- }
- }
-
 if (PREDICT_FALSE (nat44_ed_maximum_sessions_exceeded (sm, rx_fib_index, thread_index)))
 {
@@ -402,13 +391,22 @@ slow_path_ed (vlib_main_t *vm, snat_main_t *sm, vlib_buffer_t *b,
 }
 else
 {
+ if (PREDICT_FALSE (is_identity_nat))
+ {
+ *sessionp = NULL;
+ return next;
+ }
 is_sm = 1;
 }
- if (PREDICT_FALSE (is_sm && is_identity_nat))
+ if (PREDICT_TRUE (nat_proto == NAT_PROTOCOL_TCP))
 {
- *sessionp = NULL;
- return next;
+ if (PREDICT_FALSE (!tcp_flags_is_init (
+ vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags)))
+ {
+ b->error = node->errors[NAT_IN2OUT_ED_ERROR_NON_SYN];
+ return NAT_NEXT_DROP;
+ }
 }
 s = nat_ed_session_alloc (sm, thread_index, now, proto); |
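Review bot: In the third hunk the NON_SYN drop now sits after the `nat44_ed_maximum_sessions_exceeded` block and the static-mapping lookup, whereas the second hunk shows it used to run first, so a TCP packet that can never create a session is rejected only after that work has been done. The body of the session-limit branch is outside these hunks; if it frees or evicts an existing session to make room, unsolicited non-SYN traffic arriving at the limit could displace established sessions before being dropped, which is worth confirming. Only the identity-NAT return has to precede the SYN test, so the session-limit block could move down to just before `nat_ed_session_alloc`. A comment on the new early return, such as `/* identity NAT: forwarded without a session, so the SYN-only rule below does not apply */`, would record why the order matters. slow_path_ed starts and ends outside the hunk.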