aboutsummaryrefslogtreecommitdiffstats
path: root/src/plugins/snat/out2in.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/plugins/snat/out2in.c')
-rw-r--r--src/plugins/snat/out2in.c43
1 files changed, 42 insertions, 1 deletions
diff --git a/src/plugins/snat/out2in.c b/src/plugins/snat/out2in.c
index 13355043658..b52402cedd5 100644
--- a/src/plugins/snat/out2in.c
+++ b/src/plugins/snat/out2in.c
@@ -1234,6 +1234,16 @@ snat_det_out2in_node_fn (vlib_main_t * vm,
sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
+ if (PREDICT_FALSE(ip0->ttl == 1))
+ {
+ vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
+ icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
+ ICMP4_time_exceeded_ttl_exceeded_in_transit,
+ 0);
+ next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
+ goto trace0;
+ }
+
key0.ext_host_addr = ip0->src_address;
key0.ext_host_port = tcp0->src;
key0.out_port = tcp0->dst;
@@ -1329,6 +1339,16 @@ snat_det_out2in_node_fn (vlib_main_t * vm,
sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
+ if (PREDICT_FALSE(ip1->ttl == 1))
+ {
+ vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
+ icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
+ ICMP4_time_exceeded_ttl_exceeded_in_transit,
+ 0);
+ next1 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
+ goto trace1;
+ }
+
key1.ext_host_addr = ip1->src_address;
key1.ext_host_port = tcp1->src;
key1.out_port = tcp1->dst;
@@ -1455,6 +1475,16 @@ snat_det_out2in_node_fn (vlib_main_t * vm,
sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
+ if (PREDICT_FALSE(ip0->ttl == 1))
+ {
+ vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
+ icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
+ ICMP4_time_exceeded_ttl_exceeded_in_transit,
+ 0);
+ next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
+ goto trace00;
+ }
+
key0.ext_host_addr = ip0->src_address;
key0.ext_host_port = tcp0->src;
key0.out_port = tcp0->dst;
@@ -1569,12 +1599,13 @@ VLIB_REGISTER_NODE (snat_det_out2in_node) = {
.runtime_data_bytes = sizeof (snat_runtime_t),
- .n_next_nodes = 2,
+ .n_next_nodes = SNAT_OUT2IN_N_NEXT,
/* edit / add dispositions here */
.next_nodes = {
[SNAT_OUT2IN_NEXT_DROP] = "error-drop",
[SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
+ [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
},
};
VLIB_NODE_FUNCTION_MULTIARCH (snat_det_out2in_node, snat_det_out2in_node_fn);
@@ -1800,6 +1831,16 @@ snat_out2in_fast_node_fn (vlib_main_t * vm,
vnet_feature_next (sw_if_index0, &next0, b0);
+ if (PREDICT_FALSE(ip0->ttl == 1))
+ {
+ vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
+ icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
+ ICMP4_time_exceeded_ttl_exceeded_in_transit,
+ 0);
+ next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
+ goto trace00;
+ }
+
proto0 = ip_proto_to_snat_proto (ip0->protocol);
if (PREDICT_FALSE (proto0 == ~0))