author | Vladimir Isaev <visaev@netgate.com> | 2020-10-07 14:55:11 +0300 |
---|---|---|
committer | Matthew Smith <mgsmith@netgate.com> | 2020-10-14 14:11:19 +0000 |
commit | 238d3844b210ff09d9092dd3f5d78cde8b7de1aa (patch) | |
tree | 7a5bba9abf6621299e59ee2aa50f7c84cffc7b08 /src | |
parent | 41b5ed63c232f754d28cff56304d9efab6b15147 (diff) |
nat: Fix ICMP bypass session creation
After get_icmp_o2i_ed_key(), the bihash key may include the
IP protocol and addresses from the inner ICMP packet.
This is fine for session lookup, but we should not create
a session when an ICMP error message is received.
Type: fix
Signed-off-by: Vladimir Isaev <visaev@netgate.com>
Change-Id: Ic93272ebe90d2288a975265439f9e079eb28936a
Diffstat (limited to 'src')
-rw-r--r-- | src/plugins/nat/out2in_ed.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/plugins/nat/out2in_ed.c b/src/plugins/nat/out2in_ed.c
index 15cf48067d7..e9fbc595f04 100644
--- a/src/plugins/nat/out2in_ed.c
+++ b/src/plugins/nat/out2in_ed.c
@@ -452,6 +452,12 @@ create_bypass_for_fwd (snat_main_t * sm, vlib_buffer_t * b, ip4_header_t * ip,
 pool_elt_at_index (tsm->sessions,
 ed_value_get_session_index (&value));
 }
+ else if (ip->protocol == IP_PROTOCOL_ICMP &&
+ icmp_type_is_error_message
+ (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
+ {
+ return;
+ }
 else
 {
 u32 proto; |
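Review bot: The new `else if` branch returns silently, and nothing in the code says why an ICMP error must not create a bypass session; the reason is recorded only in the commit message. A short comment above the branch would keep the guard from being removed later, for example `/* key may be built from the packet embedded in an ICMP error: use it for lookup only, never to create a session */`. The check also relies on `vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags` having been filled in for this buffer before this code runs, which is not visible in the hunk and is worth confirming for every path that reaches create_bypass_for_fwd. The function body starts and ends outside the hunk, so whether the skipped case is counted or traced anywhere cannot be told from here.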