summaryrefslogtreecommitdiffstats
path: root/test/test_nat44_ed.py
AgeCommit message (Collapse)AuthorFilesLines
2021-08-19nat: handle ED in2out ICMP errors with workersMatthew Smith1-0/+45
Type: fix With endpoint dependent NAT44, When there are multiple workers we look for a flow which matches the packet in order to figure out which worker should handle the packet. If the packet is an ICMP error, it may be associated with an existing flow by inspecting the L3/L4 headers that are included in the message payload. This was not being done for in2out packets in nat44_ed_get_in2out_worker_index(), so some packets which were related to an open session were not being associated with that session and were being passed to a different thread than the one where the session was created. Later on, when the packet was processed by the fast path in2out node, the L3/L4 headers in the payload are inspected and the fast path node finds the existing session. Since that session is owned by a different thread than the one the packet is being processed by, the in2out fast path node can potentially access the wrong session and/or memory adjacent to the session pool. This can cause a SEGV. Make nat44_ed_get_in2out_worker_index() look at the inner headers when processing an ICMP error. THis is already done in nat44_ed_get_out2in_worker_index() and in the fast path in2out node. Change-Id: Icdc1abebcbce452ee7be7cb23fc563e09bf575f2 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-08-17nat: fix counters increment for output featureAlexander Chernavin1-1/+1
Type: fix The NAT plugin stores packet counters and a counter represents a vector indexed by interface index. When an interface is assigned a NAT role, the counters are validated to be long enough for the given interface index. When a packet traverses NAT in2out and output feature is disabled, the appropriate counters are updated by the RX interface index. In this case, translation happens on the inside interface and its index was ensured to be valid in all of the counters during NAT role assignment. When a packet traverses NAT in2out and output feature is enabled, the appropriate counters are updated by the RX interface index too. In this case, translation happens on the outside interface and the packet could be received on any interface, even with no NAT role assigned. If that's the case and its index is greater than the greatest index validated in the counters, a new counter value will be written to memory that does not belong to the counter. As a result, a crash will occur at some point. With this change, use TX interface index to update the counters when output feature is enabled. TX interface is an actual interface where translation happens and its index is always valid in the counters. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I53a52af949fe96419e1b5fef4134ab4062198f51
2021-07-29nat: fix ICMP checksum validationKlement Sekera1-0/+44
Handle case where extra data is present in buffer which is not part of IP/ICMP headers. Type: fix Fixes: 05b5a5b3b4b04823776feed6403b5a99b2e06d76 Change-Id: Icfef811470056d38c60fc45cc302139ed7594385 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-07-19nat: harden ICMP handlingKlement Sekera1-0/+4
Verify that headers are not truncated and that checksums are valid. Correct checksum computation in translation code. Type: fix Change-Id: I6acfcec4661411f83c86b15aafac90cd4538c0b5 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-07-14nat: adding support for icmp-error msgFilip Varga1-0/+35
Extending tests. Type: test Change-Id: I98cc1d214ead10ac53fed34a1492d9b5f37975a2 Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-07-14nat: refactoring NAT44ED cfg functionsFilip Varga1-11/+2
Refactored & fixed NAT44ED configuration functions used for handling interfaces and nodes. Type: refactor Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: I6fbbb7f0fe35d572675997745d53290152987424
2021-06-22nat: don't drop packet with ttl=1 if output featureKlement Sekera1-0/+26
TTL was already decremented in ip4-rewrite so it's okay if it's 1. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I587dc343737c15247eb62837a06d5e44c0d11acc
2021-05-18nat: refactor multiple vrf testsKlement Sekera1-25/+120
Replace VRF test testing multiple scenarios into more simpler tests to improve readability and ease of debugging. Type: refactor Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ibaad5328c73b401f52c5fe513dc0ed68ff3e3374
2021-05-13tests: move test source to vpp/testDave Wallace1-0/+3662
- Generate copyright year and version instead of using hard-coded data Type: refactor Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Change-Id: I6058f5025323b3aa483f5df4a2c4371e27b5914e