authorFilip Varga <fivarga@cisco.com>2021-06-29 12:10:01 +0200
committerOle Tr�an <otroan@employees.org>2021-07-15 11:17:29 +0000
commit0aea808ac5cb1132b9787c8f7d5f9d995cd3413b (patch)
treefe6a512c0944ab7cfb35b15386cf9d4892e5c320 /src
parenta0648b66df7579ff1b37feaece8d00984e9cf326 (diff)
nat: nat44-ed sm fix
Fixing nat44-ed identity-map in2out communication. TCP packets would get dropped because of the order in which the TCP state was tested. Type: fix Change-Id: Ib11e7e75c66945224fecc0bb311733672e315c7d Signed-off-by: Filip Varga <fivarga@cisco.com>
Diffstat (limited to 'src')
-rw-r--r--src/plugins/nat/nat44-ed/nat44_ed_in2out.c28
1 files changed, 13 insertions, 15 deletions
diff --git a/src/plugins/nat/nat44-ed/nat44_ed_in2out.c b/src/plugins/nat/nat44-ed/nat44_ed_in2out.c
index f7257db789f..523d26257bf 100644
--- a/src/plugins/nat/nat44-ed/nat44_ed_in2out.c
+++ b/src/plugins/nat/nat44-ed/nat44_ed_in2out.c
@@ -342,7 +342,7 @@ slow_path_ed (vlib_main_t *vm, snat_main_t *sm, vlib_buffer_t *b,
ip4_address_t outside_addr;
u16 outside_port;
u32 outside_fib_index;
- u8 is_identity_nat;
+ u8 is_identity_nat = 0;
u32 nat_proto = ip_proto_to_nat_proto (proto);
snat_session_t *s = NULL;
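Review bot: The new `= 0` on `is_identity_nat` is what makes the early return added in the third hunk (`if (PREDICT_FALSE (is_identity_nat))` inside the static-mapping `else` branch, replacing the old `is_sm && is_identity_nat` test) a well-defined read, but nothing at the declaration says which call is expected to set the flag, so the reason for the default is easy to lose. I would annotate the declaration: `u8 is_identity_nat = 0; /* written only by the static-mapping lookup; must read as 0 on the dynamic path */`. The lookup that writes it is not visible in this diff, so confirm it assigns the flag on every matched mapping rather than only for identity ones; otherwise the default is the only thing standing between the new check and an uninitialized read, and the second hunk (the removed SYN check, now re-added after this branch) relies on that same ordering. slow_path_ed starts before this hunk and continues past the last hunk shown.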
@@ -350,17 +350,6 @@ slow_path_ed (vlib_main_t *vm, snat_main_t *sm, vlib_buffer_t *b,
ip4_address_t daddr = r_addr;
u16 dport = r_port;
- if (PREDICT_TRUE (nat_proto == NAT_PROTOCOL_TCP))
- {
- if (PREDICT_FALSE
- (!tcp_flags_is_init
- (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags)))
- {
- b->error = node->errors[NAT_IN2OUT_ED_ERROR_NON_SYN];
- return NAT_NEXT_DROP;
- }
- }
-
if (PREDICT_FALSE
(nat44_ed_maximum_sessions_exceeded (sm, rx_fib_index, thread_index)))
{
@@ -402,13 +391,22 @@ slow_path_ed (vlib_main_t *vm, snat_main_t *sm, vlib_buffer_t *b,
}
else
{
+ if (PREDICT_FALSE (is_identity_nat))
+ {
+ *sessionp = NULL;
+ return next;
+ }
is_sm = 1;
}
- if (PREDICT_FALSE (is_sm && is_identity_nat))
+ if (PREDICT_TRUE (nat_proto == NAT_PROTOCOL_TCP))
{
- *sessionp = NULL;
- return next;
+ if (PREDICT_FALSE (!tcp_flags_is_init (
+ vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags)))
+ {
+ b->error = node->errors[NAT_IN2OUT_ED_ERROR_NON_SYN];
+ return NAT_NEXT_DROP;
+ }
}
s = nat_ed_session_alloc (sm, thread_index, now, proto);