From fa27d4d4f1f3a32eba275f3fc4e06ff15c7a5690 Mon Sep 17 00:00:00 2001
From: Alexander Skorichenko <askorichenko@netgate.com>
Date: Fri, 27 May 2022 08:23:20 +0000
Subject: nat: disable nat44-ei-in2out-output ttl check

Type: fix

A packet passing through nat44-ei-in2out-output,
has its ttl value validated in earlier nodes.
"ip4-input" node checks ttl for locally generated packets.
"ip4-rewrite" node validates ttl in forwarded packets.

Thus for example, the ED counterpart disables ttl checks
in its "nat44-ed-in2out-output" node.
This patch updates nat44 EI conditions for ttl checks to
those currently used in nat44 ED case, meaning no extra ttl
validation for in2out when output-feature is enabled.

Signed-off-by: Alexander Skorichenko <askorichenko@netgate.com>
Change-Id: Idd15d7c9a746b60c0a6dac5537d00ef10c257fdc
(cherry picked from commit d1ca70c7e11dac7b9fff802ca5f1d9051c984c34)
---
 src/plugins/nat/nat44-ei/nat44_ei_in2out.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/plugins/nat/nat44-ei/nat44_ei_in2out.c b/src/plugins/nat/nat44-ei/nat44_ei_in2out.c
index 7506063855d..01b333a5234 100644
--- a/src/plugins/nat/nat44-ei/nat44_ei_in2out.c
+++ b/src/plugins/nat/nat44-ei/nat44_ei_in2out.c
@@ -1345,7 +1345,7 @@ nat44_ei_in2out_node_fn_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
 
       next0 = next1 = NAT44_EI_IN2OUT_NEXT_LOOKUP;
 
-      if (PREDICT_FALSE (ip0->ttl == 1))
+      if (PREDICT_FALSE (!is_output_feature && ip0->ttl == 1))
 	{
 	  vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
 	  icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
@@ -1564,7 +1564,7 @@ nat44_ei_in2out_node_fn_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
       rx_fib_index1 =
 	vec_elt (nm->ip4_main->fib_index_by_sw_if_index, rx_sw_if_index1);
 
-      if (PREDICT_FALSE (ip1->ttl == 1))
+      if (PREDICT_FALSE (!is_output_feature && ip1->ttl == 1))
 	{
 	  vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
 	  icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
@@ -1811,7 +1811,7 @@ nat44_ei_in2out_node_fn_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
       rx_fib_index0 =
 	vec_elt (nm->ip4_main->fib_index_by_sw_if_index, rx_sw_if_index0);
 
-      if (PREDICT_FALSE (ip0->ttl == 1))
+      if (PREDICT_FALSE (!is_output_feature && ip0->ttl == 1))
 	{
 	  vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
 	  icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
-- 
cgit 1.2.3-korg