From: Vladimir Isaev Date: Wed, 7 Oct 2020 11:55:11 +0000 (+0300) Subject: nat: Fix ICMP bypass session creation X-Git-Tag: v21.06-rc0~357 X-Git-Url: https://gerrit.fd.io/r/gitweb?a=commitdiff_plain;h=238d3844b210ff09d9092dd3f5d78cde8b7de1aa;p=vpp.git nat: Fix ICMP bypass session creation After get_icmp_o2i_ed_key() bihash key may include IP protocol and addresses from inner ICMP packet. It is OK for session lookup, but we should not create a session on ICMP error message receiving. Type: fix Signed-off-by: Vladimir Isaev Change-Id: Ic93272ebe90d2288a975265439f9e079eb28936a --- diff --git a/src/plugins/nat/out2in_ed.c b/src/plugins/nat/out2in_ed.c index 15cf48067d7..e9fbc595f04 100644 --- a/src/plugins/nat/out2in_ed.c +++ b/src/plugins/nat/out2in_ed.c @@ -452,6 +452,12 @@ create_bypass_for_fwd (snat_main_t * sm, vlib_buffer_t * b, ip4_header_t * ip, pool_elt_at_index (tsm->sessions, ed_value_get_session_index (&value)); } + else if (ip->protocol == IP_PROTOCOL_ICMP && + icmp_type_is_error_message + (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags)) + { + return; + } else { u32 proto;
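Review bot: The new `else if` branch in create_bypass_for_fwd() returns early with no comment explaining why an ICMP error message must not create a bypass session; the reason (after get_icmp_o2i_ed_key() the bihash key may carry the IP protocol and addresses of the inner ICMP packet) exists only in the commit message. A short comment above `else if (ip->protocol == IP_PROTOCOL_ICMP &&` would keep the branch from being removed later as redundant. The check also depends on `vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags` holding the ICMP type for this buffer by the time this function runs, which is worth confirming or stating in the same comment. A regression test that delivers an ICMP error for a flow with no existing session and checks that no session is created would pin the behaviour.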