Code Review / vpp.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | inline | side by side
nat: harden ICMP handling
[vpp.git] / src / plugins / nat / nat44-ed / nat44_ed_out2in.c
diff --git a/src/plugins/nat/nat44-ed/nat44_ed_out2in.c b/src/plugins/nat/nat44-ed/nat44_ed_out2in.c
index e8cf7c9..124b64e 100644 (file)
--- a/src/plugins/nat/nat44-ed/nat44_ed_out2in.c
+++ b/src/plugins/nat/nat44-ed/nat44_ed_out2in.c
@@ -614,8 +614,8 @@ create_bypass_for_fwd (snat_main_t *sm, vlib_buffer_t *b, snat_session_t *s,
 
   if (ip->protocol == IP_PROTOCOL_ICMP)
     {
-      if (nat_get_icmp_session_lookup_values (b, ip, &lookup_saddr,
-                                             &lookup_sport, &lookup_daddr,
+      if (nat_get_icmp_session_lookup_values (b, ip, &lookup_daddr,
+                                             &lookup_sport, &lookup_saddr,
                                              &lookup_dport, &lookup_protocol))
        return;
     }
@@ -838,7 +838,7 @@ nat44_ed_out2in_fast_path_node_fn_inline (vlib_main_t * vm,
 
          vlib_prefetch_buffer_header (p2, LOAD);
 
-         CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, LOAD);
+         clib_prefetch_load (p2->data);
        }
 
       next[0] = vnet_buffer2 (b0)->nat.arc_next;
@@ -933,6 +933,8 @@ nat44_ed_out2in_fast_path_node_fn_inline (vlib_main_t * vm,
                           ed_value_get_session_index (&value0));
     skip_lookup:
 
+      ASSERT (thread_index == s0->thread_index);
+
       if (PREDICT_FALSE (per_vrf_sessions_is_expired (s0, thread_index)))
        {
          // session is closed, go slow path
@@ -1018,16 +1020,18 @@ nat44_ed_out2in_fast_path_node_fn_inline (vlib_main_t * vm,
                  nat_free_session_data (sm, s0, thread_index, 0);
                  nat_ed_session_delete (sm, s0, thread_index, 1);
                  next[0] = NAT_NEXT_DROP;
+                 b0->error = node->errors[NAT_OUT2IN_ED_ERROR_TRNSL_FAILED];
                  goto trace0;
                }
            }
        }
 
       if (NAT_ED_TRNSL_ERR_SUCCESS !=
-         (translation_error = nat_6t_flow_buf_translate (
-            sm, b0, ip0, f, proto0, 0 /* is_output_feature */)))
+         (translation_error = nat_6t_flow_buf_translate_o2i (
+            vm, sm, b0, ip0, f, proto0, 0 /* is_output_feature */)))
        {
          next[0] = NAT_NEXT_DROP;
+         b0->error = node->errors[NAT_OUT2IN_ED_ERROR_TRNSL_FAILED];
          goto trace0;
        }
 
@@ -1178,11 +1182,14 @@ nat44_ed_out2in_slow_path_node_fn_inline (vlib_main_t * vm,
              if (!s0)
                next[0] = NAT_NEXT_DROP;
            }
-         if (NAT_NEXT_DROP != next[0] &&
+         if (NAT_NEXT_DROP != next[0] && s0 &&
              NAT_ED_TRNSL_ERR_SUCCESS !=
-               (translation_error = nat_6t_flow_buf_translate (
-                  sm, b0, ip0, &s0->o2i, proto0, 0 /* is_output_feature */)))
+               (translation_error = nat_6t_flow_buf_translate_o2i (
+                  vm, sm, b0, ip0, &s0->o2i, proto0,
+                  0 /* is_output_feature */)))
            {
+             next[0] = NAT_NEXT_DROP;
+             b0->error = node->errors[NAT_OUT2IN_ED_ERROR_TRNSL_FAILED];
              goto trace0;
            }
 
@@ -1199,9 +1206,12 @@ nat44_ed_out2in_slow_path_node_fn_inline (vlib_main_t * vm,
 
          if (NAT_NEXT_DROP != next[0] && s0 &&
              NAT_ED_TRNSL_ERR_SUCCESS !=
-               (translation_error = nat_6t_flow_buf_translate (
-                  sm, b0, ip0, &s0->o2i, proto0, 0 /* is_output_feature */)))
+               (translation_error = nat_6t_flow_buf_translate_o2i (
+                  vm, sm, b0, ip0, &s0->o2i, proto0,
+                  0 /* is_output_feature */)))
            {
+             next[0] = NAT_NEXT_DROP;
+             b0->error = node->errors[NAT_OUT2IN_ED_ERROR_TRNSL_FAILED];
              goto trace0;
            }
 
@@ -1309,8 +1319,8 @@ nat44_ed_out2in_slow_path_node_fn_inline (vlib_main_t * vm,
        }
 
       if (NAT_ED_TRNSL_ERR_SUCCESS !=
-         (translation_error = nat_6t_flow_buf_translate (
-            sm, b0, ip0, &s0->o2i, proto0, 0 /* is_output_feature */)))
+         (translation_error = nat_6t_flow_buf_translate_o2i (
+            vm, sm, b0, ip0, &s0->o2i, proto0, 0 /* is_output_feature */)))
        {
          next[0] = NAT_NEXT_DROP;
          goto trace0;
Vector Packet Processing