nat: harden ICMP handling
diff --git
a/src/plugins/nat/nat44-ed/nat44_ed_in2out.c
b/src/plugins/nat/nat44-ed/nat44_ed_in2out.c
index
85cda76
..
ead5685
100644
(file)
--- a/
src/plugins/nat/nat44-ed/nat44_ed_in2out.c
+++ b/
src/plugins/nat/nat44-ed/nat44_ed_in2out.c
@@
-342,7
+342,7
@@
slow_path_ed (vlib_main_t *vm, snat_main_t *sm, vlib_buffer_t *b,
ip4_address_t outside_addr;
u16 outside_port;
u32 outside_fib_index;
ip4_address_t outside_addr;
u16 outside_port;
u32 outside_fib_index;
- u8 is_identity_nat;
+ u8 is_identity_nat
= 0
;
u32 nat_proto = ip_proto_to_nat_proto (proto);
snat_session_t *s = NULL;
u32 nat_proto = ip_proto_to_nat_proto (proto);
snat_session_t *s = NULL;
@@
-350,17
+350,6
@@
slow_path_ed (vlib_main_t *vm, snat_main_t *sm, vlib_buffer_t *b,
ip4_address_t daddr = r_addr;
u16 dport = r_port;
ip4_address_t daddr = r_addr;
u16 dport = r_port;
- if (PREDICT_TRUE (nat_proto == NAT_PROTOCOL_TCP))
- {
- if (PREDICT_FALSE
- (!tcp_flags_is_init
- (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags)))
- {
- b->error = node->errors[NAT_IN2OUT_ED_ERROR_NON_SYN];
- return NAT_NEXT_DROP;
- }
- }
-
if (PREDICT_FALSE
(nat44_ed_maximum_sessions_exceeded (sm, rx_fib_index, thread_index)))
{
if (PREDICT_FALSE
(nat44_ed_maximum_sessions_exceeded (sm, rx_fib_index, thread_index)))
{
@@
-402,13
+391,22
@@
slow_path_ed (vlib_main_t *vm, snat_main_t *sm, vlib_buffer_t *b,
}
else
{
}
else
{
+ if (PREDICT_FALSE (is_identity_nat))
+ {
+ *sessionp = NULL;
+ return next;
+ }
is_sm = 1;
}
is_sm = 1;
}
- if (PREDICT_
FALSE (is_sm && is_identity_nat
))
+ if (PREDICT_
TRUE (nat_proto == NAT_PROTOCOL_TCP
))
{
{
- *sessionp = NULL;
- return next;
+ if (PREDICT_FALSE (!tcp_flags_is_init (
+ vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags)))
+ {
+ b->error = node->errors[NAT_IN2OUT_ED_ERROR_NON_SYN];
+ return NAT_NEXT_DROP;
+ }
}
s = nat_ed_session_alloc (sm, thread_index, now, proto);
}
s = nat_ed_session_alloc (sm, thread_index, now, proto);
@@
-1012,7
+1010,7
@@
nat44_ed_in2out_fast_path_node_fn_inline (vlib_main_t *vm,
vlib_prefetch_buffer_header (p2, LOAD);
vlib_prefetch_buffer_header (p2, LOAD);
-
CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, LOAD
);
+
clib_prefetch_load (p2->data
);
}
if (is_output_feature)
}
if (is_output_feature)
@@
-1030,7
+1028,7
@@
nat44_ed_in2out_fast_path_node_fn_inline (vlib_main_t *vm,
fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index0);
lookup.fib_index = rx_fib_index0;
fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index0);
lookup.fib_index = rx_fib_index0;
- if (PREDICT_FALSE (ip0->ttl == 1))
+ if (PREDICT_FALSE (
!is_output_feature &&
ip0->ttl == 1))
{
vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
{
vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
@@
-1179,16
+1177,18
@@
nat44_ed_in2out_fast_path_node_fn_inline (vlib_main_t *vm,
nat_free_session_data (sm, s0, thread_index, 0);
nat_ed_session_delete (sm, s0, thread_index, 1);
next[0] = NAT_NEXT_DROP;
nat_free_session_data (sm, s0, thread_index, 0);
nat_ed_session_delete (sm, s0, thread_index, 1);
next[0] = NAT_NEXT_DROP;
+ b0->error = node->errors[NAT_IN2OUT_ED_ERROR_TRNSL_FAILED];
goto trace0;
}
if (NAT_ED_TRNSL_ERR_SUCCESS !=
goto trace0;
}
if (NAT_ED_TRNSL_ERR_SUCCESS !=
- (translation_error = nat_6t_flow_buf_translate (
- sm, b0, ip0, f, proto0, is_output_feature)))
+ (translation_error = nat_6t_flow_buf_translate
_i2o
(
+
vm,
sm, b0, ip0, f, proto0, is_output_feature)))
{
nat_free_session_data (sm, s0, thread_index, 0);
nat_ed_session_delete (sm, s0, thread_index, 1);
next[0] = NAT_NEXT_DROP;
{
nat_free_session_data (sm, s0, thread_index, 0);
nat_ed_session_delete (sm, s0, thread_index, 1);
next[0] = NAT_NEXT_DROP;
+ b0->error = node->errors[NAT_IN2OUT_ED_ERROR_TRNSL_FAILED];
goto trace0;
}
goto trace0;
}
@@
-1308,7
+1308,7
@@
nat44_ed_in2out_slow_path_node_fn_inline (vlib_main_t *vm,
rx_fib_index0 =
fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index0);
rx_fib_index0 =
fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index0);
- if (PREDICT_FALSE (ip0->ttl == 1))
+ if (PREDICT_FALSE (
!is_output_feature &&
ip0->ttl == 1))
{
vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
{
vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
@@
-1329,10
+1329,15
@@
nat44_ed_in2out_slow_path_node_fn_inline (vlib_main_t *vm,
if (!s0)
next[0] = NAT_NEXT_DROP;
if (!s0)
next[0] = NAT_NEXT_DROP;
- if (NAT_ED_TRNSL_ERR_SUCCESS !=
- (translation_error = nat_6t_flow_buf_translate (
- sm, b0, ip0, &s0->i2o, proto0, is_output_feature)))
+ if (NAT_NEXT_DROP != next[0] && s0 &&
+ NAT_ED_TRNSL_ERR_SUCCESS !=
+ (translation_error = nat_6t_flow_buf_translate_i2o (
+ vm, sm, b0, ip0, &s0->i2o, proto0, is_output_feature)))
{
{
+ nat_free_session_data (sm, s0, thread_index, 0);
+ nat_ed_session_delete (sm, s0, thread_index, 1);
+ next[0] = NAT_NEXT_DROP;
+ b0->error = node->errors[NAT_IN2OUT_ED_ERROR_TRNSL_FAILED];
goto trace0;
}
goto trace0;
}
@@
-1348,9
+1353,13
@@
nat44_ed_in2out_slow_path_node_fn_inline (vlib_main_t *vm,
now, thread_index, proto0, &s0, is_multi_worker);
if (NAT_NEXT_DROP != next[0] && s0 &&
NAT_ED_TRNSL_ERR_SUCCESS !=
now, thread_index, proto0, &s0, is_multi_worker);
if (NAT_NEXT_DROP != next[0] && s0 &&
NAT_ED_TRNSL_ERR_SUCCESS !=
- (translation_error = nat_6t_flow_buf_translate (
- sm, b0, ip0, &s0->i2o, proto0, is_output_feature)))
+ (translation_error = nat_6t_flow_buf_translate
_i2o
(
+
vm,
sm, b0, ip0, &s0->i2o, proto0, is_output_feature)))
{
{
+ nat_free_session_data (sm, s0, thread_index, 0);
+ nat_ed_session_delete (sm, s0, thread_index, 1);
+ next[0] = NAT_NEXT_DROP;
+ b0->error = node->errors[NAT_IN2OUT_ED_ERROR_TRNSL_FAILED];
goto trace0;
}
goto trace0;
}
@@
-1425,12
+1434,13
@@
nat44_ed_in2out_slow_path_node_fn_inline (vlib_main_t *vm,
b0->flags |= VNET_BUFFER_F_IS_NATED;
if (NAT_ED_TRNSL_ERR_SUCCESS !=
b0->flags |= VNET_BUFFER_F_IS_NATED;
if (NAT_ED_TRNSL_ERR_SUCCESS !=
- (translation_error = nat_6t_flow_buf_translate (
- sm, b0, ip0, &s0->i2o, proto0, is_output_feature)))
+ (translation_error = nat_6t_flow_buf_translate
_i2o
(
+
vm,
sm, b0, ip0, &s0->i2o, proto0, is_output_feature)))
{
nat_free_session_data (sm, s0, thread_index, 0);
nat_ed_session_delete (sm, s0, thread_index, 1);
{
nat_free_session_data (sm, s0, thread_index, 0);
nat_ed_session_delete (sm, s0, thread_index, 1);
- s0 = NULL;
+ next[0] = NAT_NEXT_DROP;
+ b0->error = node->errors[NAT_IN2OUT_ED_ERROR_TRNSL_FAILED];
goto trace0;
}
goto trace0;
}
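Review bot: The translation-failure branch in the last hunk drops the old `s0 = NULL;` after `nat_ed_session_delete (sm, s0, thread_index, 1);` while still jumping to `trace0`, so if the trace code behind that label (outside the hunk) reads `s0`, it now inspects a session that has just been deleted instead of taking its no-session branch. The new `next[0] = NAT_NEXT_DROP;` and `b0->error = node->errors[NAT_IN2OUT_ED_ERROR_TRNSL_FAILED];` lines are the right accounting but do not replace that guard. The same delete-then-`goto trace0` sequence is introduced in the two slow-path hunks above (the `nat_6t_flow_buf_translate_i2o` failure branches after the ICMP and generic `slow_path_ed` calls) and already exists in the fast-path hunk, and none of them clears the pointer either. Keeping `s0 = NULL;` after each `nat_ed_session_delete` call, before `goto trace0`, removes the stale read; the enclosing `nat44_ed_in2out_slow_path_node_fn_inline` body continues outside the hunk.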