From 26c9d4b0cd9c53054d1174bc15aaf8c07e9a8f93 Mon Sep 17 00:00:00 2001
From: Klement Sekera <ksekera@cisco.com>
Date: Sun, 5 Apr 2020 17:07:32 +0200
Subject: nat: don't drop packet for expired session

If session is expired, the packet which we just received might be a one,
which legitimely creates a new session, process it in slow path instead
to decide the outcome.

Type: fix

Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I45628f52d37ae9dee5e8aa58171ff0b86f91f5dd
---
 src/plugins/nat/in2out_ed.c | 4 ++--
 src/plugins/nat/nat.h       | 2 --
 src/plugins/nat/out2in_ed.c | 4 ++--
 3 files changed, 4 insertions(+), 6 deletions(-)

(limited to 'src/plugins/nat')

diff --git a/src/plugins/nat/in2out_ed.c b/src/plugins/nat/in2out_ed.c
index 4be76372a49..6ca1e6ecb4d 100644
--- a/src/plugins/nat/in2out_ed.c
+++ b/src/plugins/nat/in2out_ed.c
@@ -982,8 +982,8 @@ nat44_ed_in2out_fast_path_node_fn_inline (vlib_main_t * vm,
 	      nat_free_session_data (sm, s0, thread_index, 0);
 	      nat44_delete_session (sm, s0, thread_index);
 
-	      b0->error = node->errors[NAT_IN2OUT_ED_ERROR_SESS_EXPIRED];
-	      next0 = NAT_NEXT_DROP;
+	      // session no longer exists, go slow path
+	      next0 = def_slow;
 	      goto trace0;
 	    }
 
diff --git a/src/plugins/nat/nat.h b/src/plugins/nat/nat.h
index 83611016e34..fde6a0a7308 100644
--- a/src/plugins/nat/nat.h
+++ b/src/plugins/nat/nat.h
@@ -219,7 +219,6 @@ _(UNSUPPORTED_PROTOCOL, "unsupported protocol")         \
 _(IN2OUT_PACKETS, "good in2out packets processed")      \
 _(OUT_OF_PORTS, "out of ports")                         \
 _(BAD_ICMP_TYPE, "unsupported ICMP type")               \
-_(SESS_EXPIRED, "session expired")                      \
 _(MAX_SESSIONS_EXCEEDED, "maximum sessions exceeded")   \
 _(MAX_USER_SESS_EXCEEDED, "max user sessions exceeded") \
 _(DROP_FRAGMENT, "drop fragment")                       \
@@ -250,7 +249,6 @@ _(OUT2IN_PACKETS, "good out2in packets processed")      \
 _(OUT_OF_PORTS, "out of ports")                         \
 _(BAD_ICMP_TYPE, "unsupported ICMP type")               \
 _(NO_TRANSLATION, "no translation")                     \
-_(SESS_EXPIRED, "session expired")                      \
 _(MAX_SESSIONS_EXCEEDED, "maximum sessions exceeded")   \
 _(MAX_USER_SESS_EXCEEDED, "max user sessions exceeded") \
 _(DROP_FRAGMENT, "drop fragment")                       \
diff --git a/src/plugins/nat/out2in_ed.c b/src/plugins/nat/out2in_ed.c
index adf0ec4f726..64f40cf1917 100644
--- a/src/plugins/nat/out2in_ed.c
+++ b/src/plugins/nat/out2in_ed.c
@@ -795,8 +795,8 @@ nat44_ed_out2in_fast_path_node_fn_inline (vlib_main_t * vm,
 	      nat_free_session_data (sm, s0, thread_index, 0);
 	      nat44_delete_session (sm, s0, thread_index);
 
-	      b0->error = node->errors[NAT_OUT2IN_ED_ERROR_SESS_EXPIRED];
-	      next0 = NAT_NEXT_DROP;
+	      // session no longer exists, go slow path
+	      next0 = NAT_NEXT_OUT2IN_ED_SLOW_PATH;
 	      goto trace0;
 	    }
 	  //
-- 
cgit 1.2.3-korg