From a73f2d6f53c224668bd6bbea1a980ee4313c794f Mon Sep 17 00:00:00 2001
From: Filip Varga <fivarga@cisco.com>
Date: Tue, 25 Feb 2020 14:31:33 +0100
Subject: nat: timed out session scavenging upgrade

Patch changes the behavior of session scavenging and fixes multiple
nat issues. Allows proper session clearing and removes issue with lingering sessions
in session db. Patch also updates and fixes CLI/API calls for better readability
of session state metrics. Fixes security issue that would allow attacker to
reuse timed out session in both directions (in2out/out2in).

Type: improvement

Signed-off-by: Filip Varga <fivarga@cisco.com>
Change-Id: I78897585a2a57291fad5db6d457941aa0a0457bd
---
 src/plugins/nat/out2in.c | 3 ---
 1 file changed, 3 deletions(-)

(limited to 'src/plugins/nat/out2in.c')

diff --git a/src/plugins/nat/out2in.c b/src/plugins/nat/out2in.c
index 144f324dbf4..f920599b059 100755
--- a/src/plugins/nat/out2in.c
+++ b/src/plugins/nat/out2in.c
@@ -188,9 +188,6 @@ create_session_for_static_mapping (snat_main_t * sm,
   udp_header_t *udp0;
   nat44_is_idle_session_ctx_t ctx0;
 
-  nat44_session_try_cleanup (&in2out.addr, in2out.fib_index, thread_index,
-			     now);
-
   if (PREDICT_FALSE (nat44_maximum_sessions_exceeded (sm, thread_index)))
     {
       b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED];
-- 
cgit 1.2.3-korg