nat: Fix ICMP bypass session creation 77/29277/3
author Vladimir Isaev <visaev@netgate.com>
Wed, 7 Oct 2020 11:55:11 +0000 (14:55 +0300)
committer Matthew Smith <mgsmith@netgate.com>
Wed, 14 Oct 2020 14:11:19 +0000 (14:11 +0000)
After get_icmp_o2i_ed_key(), the bihash key may include the
IP protocol and addresses from the inner ICMP packet.

That is OK for session lookup, but we should not create
a session when receiving an ICMP error message.

Type: fix

Signed-off-by: Vladimir Isaev <visaev@netgate.com>
Change-Id: Ic93272ebe90d2288a975265439f9e079eb28936a

src/plugins/nat/out2in_ed.c

index 15cf480..e9fbc59 100644 (file)
@@ -452,6 +452,12 @@ create_bypass_for_fwd (snat_main_t * sm, vlib_buffer_t * b, ip4_header_t * ip,
        pool_elt_at_index (tsm->sessions,
                           ed_value_get_session_index (&value));
     }
+  else if (ip->protocol == IP_PROTOCOL_ICMP &&
+          icmp_type_is_error_message
+          (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
+    {
+      return;
+    }
   else
     {
       u32 proto;
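Review bot: The new `else if` branch in create_bypass_for_fwd() returns without a comment saying why ICMP error messages must not create a bypass session. The reason is only in the commit message (the key may be built from the inner packet's protocol and addresses), so a one-line comment above `icmp_type_is_error_message (...)` would keep a later refactor from dropping the guard. The check also reads the ICMP type from `vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags` rather than from the packet header; please confirm that this metadata is always populated before this function runs on the out2in path, since a stale or zero value would let an error message fall through to the `else` branch and create the session this change is meant to prevent. The early `return` is silent, so an error counter or a trace point here would make these skipped packets visible when debugging, and a test that sends an ICMP error with no matching session and asserts that no session is created would cover the fix.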