From 6c01dceea5c612373453db7f1ccda589a2cd782e Mon Sep 17 00:00:00 2001
From: Matus Fabian
Date: Fri, 16 Nov 2018 04:41:31 -0800
Subject: NAT44: fix bug in TCP close with output-feature interface (VPP-1493)

Change-Id: If8c883d6b1ee58de9a03012d3567ec82211a0225
Signed-off-by: Matus Fabian
---
 src/plugins/nat/in2out_ed.c | 45 +++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 43 insertions(+), 2 deletions(-)

(limited to 'src/plugins/nat/in2out_ed.c')

diff --git a/src/plugins/nat/in2out_ed.c b/src/plugins/nat/in2out_ed.c
index e32e1386d8d..f3999f00129 100644
--- a/src/plugins/nat/in2out_ed.c
+++ b/src/plugins/nat/in2out_ed.c
@@ -37,7 +37,8 @@ _(BAD_ICMP_TYPE, "unsupported ICMP type") \
 _(MAX_SESSIONS_EXCEEDED, "Maximum sessions exceeded") \
 _(DROP_FRAGMENT, "Drop fragment") \
 _(MAX_REASS, "Maximum reassemblies exceeded") \
-_(MAX_FRAG, "Maximum fragments per reassembly exceeded")
+_(MAX_FRAG, "Maximum fragments per reassembly exceeded")\
+_(NON_SYN, "non-SYN packet try to create session")
 
 typedef enum
 {
@@ -513,7 +514,19 @@ nat44_ed_not_translate_output_feature (snat_main_t * sm, ip4_header_t * ip,
 make_ed_kv (&kv, &ip->src_address, &ip->dst_address, proto, tx_fib_index,
 src_port, dst_port);
 if (!clib_bihash_search_16_8 (&tsm->out2in_ed, &kv, &value))
- return 1;
+ {
+ s = pool_elt_at_index (tsm->sessions, value.value);
+ if (nat44_is_ses_closed (s))
+ {
+ nat_log_debug ("TCP close connection %U", format_snat_session,
+ &sm->per_thread_data[thread_index], s);
+ nat_free_session_data (sm, s, thread_index);
+ nat44_delete_session (sm, s, thread_index);
+ }
+ else
+ s->flags |= SNAT_SESSION_FLAG_OUTPUT_FEATURE;
+ return 1;
+ }
 
 /* dst NAT check */
 make_ed_kv (&kv, &ip->dst_address, &ip->src_address, proto, rx_fib_index,
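Review bot: The re-added `MAX_FRAG` line drops the space before the line continuation, `exceeded")\`, while every other entry in the list reads `") \`; keeping the pattern with `_(MAX_FRAG, "Maximum fragments per reassembly exceeded") \` avoids a needless visual odd-one-out in the error table. The new counter text `"non-SYN packet try to create session"` reads awkwardly, and since it is presumably what operators see next to the drop counter, `"non-SYN packet tried to create session"` or `"non-SYN TCP packet without session"` is clearer. The enclosing error-list macro starts outside the hunk.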
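Review bot: The debug message in the new block is labelled "TCP close connection" while nothing in the branch checks `proto`; `nat44_is_ses_closed (s)` is evaluated for every session found in `out2in_ed`, so the log text is misleading if that helper can ever be true for a non-TCP session (its definition is outside the hunk, so this is to confirm). The log also reaches for `&sm->per_thread_data[thread_index]` although the function already holds the same per-thread data as `tsm` (used for `tsm->out2in_ed` and `tsm->sessions` two lines above); `nat_log_debug ("TCP close connection %U", format_snat_session, tsm, s);` keeps the two from diverging. The teardown is worth a comment because it is the security-relevant part of the change: the decision rests only on the tracked session state, not on the flags of the packet in hand, so a packet that merely matches a live session's 5-tuple cannot tear it down — `/* tracked state says this session is already closed: reclaim it instead of flagging it; the packet is still passed untranslated */` above `nat_free_session_data`. `s` is not touched again between `nat44_delete_session` and `return 1`, which is correct; `nat44_ed_not_translate_output_feature` begins and ends outside the hunk.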
@@ -1021,6 +1034,13 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
 goto trace00;
 }
 
+ if ((proto0 == SNAT_PROTOCOL_TCP) && !tcp_is_init (tcp0))
+ {
+ b0->error = node->errors[NAT_IN2OUT_ED_ERROR_NON_SYN];
+ next0 = NAT_IN2OUT_ED_NEXT_DROP;
+ goto trace00;
+ }
+
 next0 = slow_path_ed (sm, b0, rx_fib_index0, &kv0, &s0, node, next0,
 thread_index, now);
 
@@ -1225,6 +1245,13 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
 goto trace01;
 }
 
+ if ((proto1 == SNAT_PROTOCOL_TCP) && !tcp_is_init (tcp1))
+ {
+ b1->error = node->errors[NAT_IN2OUT_ED_ERROR_NON_SYN];
+ next1 = NAT_IN2OUT_ED_NEXT_DROP;
+ goto trace01;
+ }
+
 next1 = slow_path_ed (sm, b1, rx_fib_index1, &kv1, &s1, node, next1,
 thread_index, now);
 
@@ -1458,6 +1485,13 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
 goto trace0;
 }
 
+ if ((proto0 == SNAT_PROTOCOL_TCP) && !tcp_is_init (tcp0))
+ {
+ b0->error = node->errors[NAT_IN2OUT_ED_ERROR_NON_SYN];
+ next0 = NAT_IN2OUT_ED_NEXT_DROP;
+ goto trace0;
+ }
+
 next0 = slow_path_ed (sm, b0, rx_fib_index0, &kv0, &s0, node, next0,
 thread_index, now);
 
@@ -1858,6 +1892,13 @@ nat44_ed_in2out_reass_node_fn_inline (vlib_main_t * vm,
 }
 }
 
+ if ((proto0 == SNAT_PROTOCOL_TCP) && !tcp_is_init (tcp0))
+ {
+ b0->error = node->errors[NAT_IN2OUT_ED_ERROR_NON_SYN];
+ next0 = NAT_IN2OUT_ED_NEXT_DROP;
+ goto trace0;
+ }
+
 next0 = slow_path_ed (sm, b0, rx_fib_index0, &kv0, &s0, node, next0,
 thread_index, now);
 
-- 
cgit 1.2.3-korg
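Review bot: The seven-line SYN gate is pasted four times with only the packet suffix changing (this hunk and the ones at +1245, +1485 and +1892), so the next adjustment to the rule is likely to land in one copy and miss the others; a `static_always_inline` helper taking the buffer, protocol and TCP header and returning the drop decision would keep the four call sites in step. None of the copies says why the gate exists, and the intent matters for anyone reading the drop counter later: suggest `/* Only a SYN may open a new TCP session; any other TCP packet that reaches the slow path without a session is counted as NON_SYN and dropped */` above the first `if`. In the reassembly node (+1892) `tcp0` is handed to `tcp_is_init` unconditionally for TCP while the header pointer is set outside the hunk, so it is worth confirming that point is reached only once a first fragment carrying the transport header has been seen. Each enclosing function begins and ends outside its hunk.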