_(IN2OUT_PACKETS, "Good in2out packets processed") \
_(OUT_OF_PORTS, "Out of ports") \
_(BAD_OUTSIDE_FIB, "Outside VRF ID not found") \
-_(BAD_ICMP_TYPE, "icmp type not echo-request") \
+_(BAD_ICMP_TYPE, "unsupported ICMP type") \
_(NO_TRANSLATION, "No translation")
typedef enum {
if (clib_bihash_search_8_8 (&sm->out2in, &kv0, &value0))
{
/* or is static mappings */
- if (!snat_static_mapping_match(sm, key0, &sm0, 1))
+ if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0))
return 0;
}
else
u8 static_mapping = 1;
/* First try to match static mapping by local address and port */
- if (snat_static_mapping_match (sm, *key0, &key1, 0))
+ if (snat_static_mapping_match (sm, *key0, &key1, 0, 0))
{
static_mapping = 0;
/* Try to create dynamic translation */
goto out;
}
- if (icmp_is_error_message (icmp0))
+ if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request))
{
+ b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
next0 = SNAT_IN2OUT_NEXT_DROP;
goto out;
}
goto out;
}
else
- s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
- value0.value);
-
- if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request &&
- !icmp_is_error_message (icmp0)))
{
- b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
- next0 = SNAT_IN2OUT_NEXT_DROP;
- goto out;
+ if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request &&
+ icmp0->type != ICMP4_echo_reply &&
+ !icmp_is_error_message (icmp0)))
+ {
+ b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
+ next0 = SNAT_IN2OUT_NEXT_DROP;
+ goto out;
+ }
+
+ s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
+ value0.value);
}
out:
snat_session_key_t key0;
snat_session_key_t sm0;
u8 dont_translate = 0;
+ u8 is_addr_only;
u32 next0 = ~0;
int err;
}
key0.fib_index = rx_fib_index0;
- if (snat_static_mapping_match(sm, key0, &sm0, 0))
+ if (snat_static_mapping_match(sm, key0, &sm0, 0, &is_addr_only))
{
if (PREDICT_FALSE(snat_not_translate_fast(sm, node, sw_if_index0, ip0,
IP_PROTOCOL_ICMP, rx_fib_index0)))
}
if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request &&
+ (icmp0->type != ICMP4_echo_reply || !is_addr_only) &&
!icmp_is_error_message (icmp0)))
{
- if (icmp0->type != ICMP4_echo_reply || key0.port != sm0.port)
- {
- b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
- next0 = SNAT_IN2OUT_NEXT_DROP;
- goto out;
- }
+ b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
+ next0 = SNAT_IN2OUT_NEXT_DROP;
+ goto out;
}
out:
if (clib_bihash_search_8_8 (&sm->out2in, &kv0, &value0))
{
/* or static mappings */
- if (!snat_static_mapping_match(sm, key0, &sm0, 1))
+ if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0))
{
new_dst_addr0 = sm0.addr.as_u32;
new_dst_port0 = sm0.port;
snat_det_forward(dm0, &ip0->src_address, &new_addr0, &lo_port0);
- ses0 = snat_det_find_ses_by_in(dm0, &ip0->src_address, tcp0->src);
+ key0.ext_host_addr = ip0->dst_address;
+ key0.ext_host_port = tcp0->dst;
+
+ ses0 = snat_det_find_ses_by_in(dm0, &ip0->src_address, tcp0->src, key0);
if (PREDICT_FALSE(!ses0))
{
- key0.ext_host_addr = ip0->dst_address;
- key0.ext_host_port = tcp0->dst;
for (i0 = 0; i0 < dm0->ports_per_host; i0++)
{
key0.out_port = clib_host_to_net_u16 (lo_port0 +
}
if (PREDICT_FALSE(!ses0))
{
- next0 = SNAT_IN2OUT_NEXT_DROP;
- b0->error = node->errors[SNAT_IN2OUT_ERROR_OUT_OF_PORTS];
+ /* too many sessions for user, send ICMP error packet */
+
+ vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
+ icmp4_error_set_vnet_buffer (b0, ICMP4_destination_unreachable,
+ ICMP4_destination_unreachable_destination_unreachable_host,
+ 0);
+ next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
goto trace0;
}
}
snat_det_forward(dm1, &ip1->src_address, &new_addr1, &lo_port1);
- ses1 = snat_det_find_ses_by_in(dm1, &ip1->src_address, tcp1->src);
+ key1.ext_host_addr = ip1->dst_address;
+ key1.ext_host_port = tcp1->dst;
+
+ ses1 = snat_det_find_ses_by_in(dm1, &ip1->src_address, tcp1->src, key1);
if (PREDICT_FALSE(!ses1))
{
- key1.ext_host_addr = ip1->dst_address;
- key1.ext_host_port = tcp1->dst;
for (i1 = 0; i1 < dm1->ports_per_host; i1++)
{
key1.out_port = clib_host_to_net_u16 (lo_port1 +
}
if (PREDICT_FALSE(!ses1))
{
- next1 = SNAT_IN2OUT_NEXT_DROP;
- b1->error = node->errors[SNAT_IN2OUT_ERROR_OUT_OF_PORTS];
+ /* too many sessions for user, send ICMP error packet */
+
+ vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
+ icmp4_error_set_vnet_buffer (b1, ICMP4_destination_unreachable,
+ ICMP4_destination_unreachable_destination_unreachable_host,
+ 0);
+ next1 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
goto trace1;
}
}
snat_det_forward(dm0, &ip0->src_address, &new_addr0, &lo_port0);
- ses0 = snat_det_find_ses_by_in(dm0, &ip0->src_address, tcp0->src);
+ key0.ext_host_addr = ip0->dst_address;
+ key0.ext_host_port = tcp0->dst;
+
+ ses0 = snat_det_find_ses_by_in(dm0, &ip0->src_address, tcp0->src, key0);
if (PREDICT_FALSE(!ses0))
{
- key0.ext_host_addr = ip0->dst_address;
- key0.ext_host_port = tcp0->dst;
for (i0 = 0; i0 < dm0->ports_per_host; i0++)
{
key0.out_port = clib_host_to_net_u16 (lo_port0 +
}
if (PREDICT_FALSE(!ses0))
{
- next0 = SNAT_IN2OUT_NEXT_DROP;
- b0->error = node->errors[SNAT_IN2OUT_ERROR_OUT_OF_PORTS];
+ /* too many sessions for user, send ICMP error packet */
+
+ vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
+ icmp4_error_set_vnet_buffer (b0, ICMP4_destination_unreachable,
+ ICMP4_destination_unreachable_destination_unreachable_host,
+ 0);
+ next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
goto trace00;
}
}
snat_det_forward(dm0, &in_addr, &new_addr0, &lo_port0);
- ses0 = snat_det_find_ses_by_in(dm0, &in_addr, in_port);
+ key0.ext_host_addr = ip0->dst_address;
+ key0.ext_host_port = 0;
+
+ ses0 = snat_det_find_ses_by_in(dm0, &in_addr, in_port, key0);
if (PREDICT_FALSE(!ses0))
{
if (PREDICT_FALSE(snat_not_translate_fast(sm, node, sw_if_index0, ip0,
next0 = SNAT_IN2OUT_NEXT_DROP;
goto out;
}
- key0.ext_host_addr = ip0->dst_address;
- key0.ext_host_port = 0;
for (i0 = 0; i0 < dm0->ports_per_host; i0++)
{
key0.out_port = clib_host_to_net_u16 (lo_port0 +
key0.port = udp0->src_port;
key0.fib_index = rx_fib_index0;
- if (snat_static_mapping_match(sm, key0, &sm0, 0))
+ if (snat_static_mapping_match(sm, key0, &sm0, 0, 0))
{
b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
next0= SNAT_IN2OUT_NEXT_DROP;
Code Review / vpp.git / blobdiff