From 8786a4cd4a62f2817da7060afd8523857f504912 Mon Sep 17 00:00:00 2001
From: Nathan Skrzypczak
Date: Fri, 26 Feb 2021 18:12:20 +0100
Subject: cnat: Fix snat with dhcp
Type: fix
We didn't check that the srcEndpoint was resolved when creating the session, we could end up sNATing with 0.0.0.0 as src_addr
Change-Id: If8dfa577e659cfe90b148657a44c0390a7d383e9
Signed-off-by: Nathan Skrzypczak
---
 src/plugins/cnat/cnat_node_feature.c | 2 ++
 src/plugins/cnat/cnat_node_snat.c | 13 +++++++------
 src/plugins/cnat/cnat_node_vip.c | 4 ++--
 src/plugins/cnat/test/test_cnat.py | 9 ++++++---
 4 files changed, 17 insertions(+), 11 deletions(-)
(limited to 'src')
diff --git a/src/plugins/cnat/cnat_node_feature.c b/src/plugins/cnat/cnat_node_feature.c
index 10293de5069..c99160cb33e 100644
--- a/src/plugins/cnat/cnat_node_feature.c
+++ b/src/plugins/cnat/cnat_node_feature.c
@@ -72,6 +72,7 @@ cnat_input_feature_fn (vlib_main_t *vm, vlib_node_runtime_t *node,
 cc = cnat_client_ip6_find (&ip6->dst_address);
 /* TODO: same as above */
 }
+ /* Wrong session key */
 if (session->key.cs_proto == 0)
 goto trace;
@@ -265,6 +266,7 @@ cnat_output_feature_fn (vlib_main_t *vm, vlib_node_runtime_t *node,
 udp0 = (udp_header_t *) (ip6 + 1);
 }
+ /* Wrong session key */
 if (session->key.cs_proto == 0)
 goto trace;
diff --git a/src/plugins/cnat/cnat_node_snat.c b/src/plugins/cnat/cnat_node_snat.c
index ef784a6c103..5cc84c42ccd 100644
--- a/src/plugins/cnat/cnat_node_snat.c
+++ b/src/plugins/cnat/cnat_node_snat.c
@@ -64,12 +64,9 @@ cnat_snat_node_fn (vlib_main_t *vm, vlib_node_runtime_t *node,
 vnet_feature_next (&arc_next0, b);
 next0 = arc_next0;
- if (iproto != IP_PROTOCOL_UDP && iproto != IP_PROTOCOL_TCP
- && iproto != IP_PROTOCOL_ICMP && iproto != IP_PROTOCOL_ICMP6)
- {
- /* Dont translate */
- goto trace;
- }
+ /* Wrong session key */
+ if (session->key.cs_proto == 0)
+ goto trace;
 if (!session_not_found)
 {
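Review bot: The added `/* Wrong session key */` comment does not say what makes the key wrong or why the packet then skips translation, and the same terse comment recurs in cnat_output_feature_fn (hunk @@ -265,6), in cnat_snat_node_fn (hunk @@ -64,12) and in cnat_vip_node_fn (hunk @@ -62,8), where it replaces the explicit UDP/TCP/ICMP/ICMP6 check and the old `/* Dont translate */` note. The new condition relies on cs_proto being left at 0 by whatever builds the session key for an unsupported L4 protocol, which none of these hunks show; the comment should state that contract so the next reader does not have to hunt for it, e.g. `/* cs_proto == 0: session key could not be built (unsupported L4 protocol), don't translate */`. cnat_input_feature_fn starts and ends outside the hunk.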
@@ -96,6 +93,8 @@ cnat_snat_node_fn (vlib_main_t *vm, vlib_node_runtime_t *node,
 a VIP) */
 if (AF_IP4 == ctx->af)
 {
+ if (!(cm->snat_ip4.ce_flags & CNAT_EP_FLAG_RESOLVED))
+ goto trace;
 ip46_address_set_ip4 (&session->value.cs_ip[VLIB_RX],
 &ip_addr_v4 (&cm->snat_ip4.ce_ip));
 ip46_address_set_ip4 (&session->value.cs_ip[VLIB_TX],
@@ -103,6 +102,8 @@ cnat_snat_node_fn (vlib_main_t *vm, vlib_node_runtime_t *node,
 }
 else
 {
+ if (!(cm->snat_ip6.ce_flags & CNAT_EP_FLAG_RESOLVED))
+ goto trace;
 ip46_address_set_ip6 (&session->value.cs_ip[VLIB_RX],
 &ip_addr_v6 (&cm->snat_ip6.ce_ip));
 ip46_address_set_ip6 (&session->value.cs_ip[VLIB_TX],
diff --git a/src/plugins/cnat/cnat_node_vip.c b/src/plugins/cnat/cnat_node_vip.c
index bc7d30369ab..f0a4ad7d84e 100644
--- a/src/plugins/cnat/cnat_node_vip.c
+++ b/src/plugins/cnat/cnat_node_vip.c
@@ -62,8 +62,8 @@ cnat_vip_node_fn (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_buffer_t *b,
 cc = cnat_client_get (vnet_buffer (b)->ip.adj_index[VLIB_TX]);
- if (iproto != IP_PROTOCOL_UDP && iproto != IP_PROTOCOL_TCP
- && iproto != IP_PROTOCOL_ICMP && iproto != IP_PROTOCOL_ICMP6)
+ /* Wrong session key */
+ if (session->key.cs_proto == 0)
 {
 /* Dont translate & follow the fib programming */
 next0 = cc->cc_parent.dpoi_next_node;
diff --git a/src/plugins/cnat/test/test_cnat.py b/src/plugins/cnat/test/test_cnat.py
index 4398a63d5aa..ce32644a78c 100644
--- a/src/plugins/cnat/test/test_cnat.py
+++ b/src/plugins/cnat/test/test_cnat.py
@@ -527,8 +527,10 @@ class TestCNatTranslation(VppTestCase):
 class TestCNatSourceNAT(VppTestCase):
 """ CNat Source NAT """
 extra_vpp_punt_config = ["cnat", "{",
+ "session-cleanup-timeout", "0.1",
 "session-max-age", "1",
- "tcp-max-age", "1", "}"]
+ "tcp-max-age", "1",
+ "scanner", "off", "}"]
 @classmethod
 def setUpClass(cls):
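Review bot: When `cm->snat_ip4.ce_flags` lacks CNAT_EP_FLAG_RESOLVED the new `goto trace` leaves the packet on the next0 already taken from vnet_feature_next in the @@ -64,12 hunk, so it is forwarded with its original source address and nothing records that it bypassed SNAT; the same applies to the IPv6 branch in the following hunk (@@ -103,6). That turns "translate to 0.0.0.0" into a silent fail-open, which is a sensible default while the DHCP address is pending but should be visible to an operator: count this path with a dedicated node error counter (named per the plugin's existing error enum, not shown here) so untranslated traffic during the DHCP window shows up in `show errors`, and decide explicitly whether a deployment that must never expose the inside address wants a drop here instead of a forward. Whether the `trace:` label reads the not-yet-populated session value is not visible in this hunk and is worth confirming. cnat_snat_node_fn begins and ends outside the hunk.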
@@ -556,10 +558,10 @@ class TestCNatSourceNAT(VppTestCase):
 self.pg1.configure_ipv4_neighbors()
 self.pg1.configure_ipv6_neighbors()
- self.vapi.cli("test cnat scanner off")
 self.vapi.cnat_set_snat_addresses(
 snat_ip4=self.pg2.remote_hosts[0].ip4,
- snat_ip6=self.pg2.remote_hosts[0].ip6)
+ snat_ip6=self.pg2.remote_hosts[0].ip6,
+ sw_if_index=INVALID_INDEX)
 self.vapi.feature_enable_disable(
 enable=1,
 arc_name="ip6-unicast",
@@ -953,6 +955,7 @@ class TestCNatDHCP(VppTestCase):
 self.pg0.sw_if_index, 1, True))
 self.config_ips([1], is_add=0, is_v6=False)
 self.config_ips([1], is_add=0, is_v6=True)
+ self.vapi.cnat_set_snat_addresses(sw_if_index=INVALID_INDEX)
 if __name__ == '__main__':
-- 
cgit 1.2.3-korg
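Review bot: Nothing in the test changes exercises the bug the commit fixes: TestCNatDHCP now resets the SNAT binding with `self.vapi.cnat_set_snat_addresses(sw_if_index=INVALID_INDEX)`, but no case sends traffic through the snat feature while the interface address is still unresolved and asserts that the source address is left untouched rather than rewritten to 0.0.0.0 (or that the packet is dropped, whichever is intended), so the CNAT_EP_FLAG_RESOLVED checks in cnat_node_snat.c can regress unnoticed. The reset is also added as the last statement of its method; if that method is the test body rather than a tearDown, an assertion failing above it leaves the SNAT binding in place for later tests — the method header is outside the hunk, so this is inferred. The @@ -556,10 hunk above likewise depends on INVALID_INDEX being imported in test_cnat.py, which the diff does not show. Both enclosing methods start outside their hunks.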