diff options
author | Matus Fabian <matfabia@cisco.com> | 2017-06-05 05:55:48 -0700 |
---|---|---|
committer | Damjan Marion <dmarion.lists@gmail.com> | 2017-06-05 19:58:35 +0000 |
commit | 6fa74c60ea5930864750d64005b213647f12fe08 (patch) | |
tree | 6eb181c96f04540e96f96aaa37f4008080f14d12 /src | |
parent | 47366b19fb7f65dba1a7c731ee765b1216f47e33 (diff) |
SNAT: fix ICMP hairpinning
Change-Id: I9d63133bd1db72917571ade868040c4597c896a1
Signed-off-by: Matus Fabian <matfabia@cisco.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/plugins/snat/in2out.c | 68 |
1 files changed, 67 insertions, 1 deletions
diff --git a/src/plugins/snat/in2out.c b/src/plugins/snat/in2out.c index bc86a7a4d23..ddde702a50c 100644 --- a/src/plugins/snat/in2out.c +++ b/src/plugins/snat/in2out.c @@ -515,7 +515,7 @@ u32 icmp_match_in2out_slow(snat_main_t *sm, vlib_node_runtime_t *node, goto out; } - if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request)) + if (PREDICT_FALSE(icmp_is_error_message (icmp0))) { b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE]; next0 = SNAT_IN2OUT_NEXT_DROP; @@ -869,11 +869,77 @@ static inline u32 icmp_in2out_slow_path (snat_main_t *sm, u32 thread_index, snat_session_t ** p_s0) { + snat_session_key_t key0, sm0; + clib_bihash_kv_8_8_t kv0, value0; + snat_worker_key_t k0; + u32 new_dst_addr0 = 0, old_dst_addr0, si, ti = 0; + ip_csum_t sum0; + next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node, next0, thread_index, p_s0, 0); snat_session_t * s0 = *p_s0; if (PREDICT_TRUE(next0 != SNAT_IN2OUT_NEXT_DROP && s0)) { + /* Hairpinning */ + if (!icmp_is_error_message (icmp0)) + { + icmp_echo_header_t *echo0 = (icmp_echo_header_t *)(icmp0+1); + u16 icmp_id0 = echo0->identifier; + key0.addr = ip0->dst_address; + key0.port = icmp_id0; + key0.protocol = SNAT_PROTOCOL_ICMP; + key0.fib_index = sm->outside_fib_index; + kv0.key = key0.as_u64; + + /* Check if destination is in active sessions */ + if (clib_bihash_search_8_8 (&sm->out2in, &kv0, &value0)) + { + /* or static mappings */ + if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0)) + { + new_dst_addr0 = sm0.addr.as_u32; + vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index; + } + } + else + { + si = value0.value; + if (sm->num_workers > 1) + { + k0.addr = ip0->dst_address; + k0.port = icmp_id0; + k0.fib_index = sm->outside_fib_index; + kv0.key = k0.as_u64; + if (clib_bihash_search_8_8 (&sm->worker_by_out, &kv0, &value0)) + ASSERT(0); + else + ti = value0.value; + } + else + ti = sm->num_workers; + + s0 = pool_elt_at_index (sm->per_thread_data[ti].sessions, si); + new_dst_addr0 = s0->in2out.addr.as_u32; + vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index; + echo0->identifier = s0->in2out.port; + sum0 = icmp0->checksum; + sum0 = ip_csum_update (sum0, icmp_id0, s0->in2out.port, + icmp_echo_header_t, identifier); + icmp0->checksum = ip_csum_fold (sum0); + } + + /* Destination is behind the same NAT, use internal address and port */ + if (new_dst_addr0) + { + old_dst_addr0 = ip0->dst_address.as_u32; + ip0->dst_address.as_u32 = new_dst_addr0; + sum0 = ip0->checksum; + sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0, + ip4_header_t, dst_address); + ip0->checksum = ip_csum_fold (sum0); + } + } + /* Accounting */ s0->last_heard = now; s0->total_pkts++; |