nat: don't drop packet with ttl=1 if output feature

TTL was already decremented in ip4-rewrite so it's okay if it's 1.

Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I587dc343737c15247eb62837a06d5e44c0d11acc

diff --git a/src/plugins/nat/nat44-ed/nat44_ed_in2out.c b/src/plugins/nat/nat44-ed/nat44_ed_in2out.c
index f3f3ffa..426b6ee 100644 (file)
--- a/src/plugins/nat/nat44-ed/nat44_ed_in2out.c
+++ b/src/plugins/nat/nat44-ed/nat44_ed_in2out.c
@@ -1030,7 +1030,7 @@ nat44_ed_in2out_fast_path_node_fn_inline (vlib_main_t *vm,
        fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index0);
       lookup.fib_index = rx_fib_index0;
 
-      if (PREDICT_FALSE (ip0->ttl == 1))
+      if (PREDICT_FALSE (!is_output_feature && ip0->ttl == 1))
        {
          vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
          icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
@@ -1308,7 +1308,7 @@ nat44_ed_in2out_slow_path_node_fn_inline (vlib_main_t *vm,
       rx_fib_index0 =
        fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index0);
 
-      if (PREDICT_FALSE (ip0->ttl == 1))
+      if (PREDICT_FALSE (!is_output_feature && ip0->ttl == 1))
        {
          vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
          icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,

diff --git a/test/test_nat44_ed.py b/test/test_nat44_ed.py
index 8fba019..9eea7c8 100644 (file)
--- a/test/test_nat44_ed.py
+++ b/test/test_nat44_ed.py
@@ -1189,6 +1189,32 @@ class TestNAT44ED(NAT44EDTestCase):
         capture = self.pg0.get_capture(len(pkts))
         self.verify_capture_in(capture, self.pg0)
 
+        # in2out
+        pkts = self.create_stream_in(self.pg0, self.pg1, ttl=2)
+        self.pg0.add_stream(pkts)
+        self.pg_enable_capture(self.pg_interfaces)
+        self.pg_start()
+        capture = self.pg1.get_capture(len(pkts))
+        self.verify_capture_out(capture, ignore_port=True)
+
+        # out2in
+        pkts = self.create_stream_out(self.pg1, ttl=2)
+        self.pg1.add_stream(pkts)
+        self.pg_enable_capture(self.pg_interfaces)
+        self.pg_start()
+        capture = self.pg0.get_capture(len(pkts))
+        self.verify_capture_in(capture, self.pg0)
+
+        # in2out
+        pkts = self.create_stream_in(self.pg0, self.pg1, ttl=1)
+        self.pg0.add_stream(pkts)
+        self.pg_enable_capture(self.pg_interfaces)
+        self.pg_start()
+        capture = self.pg0.get_capture(len(pkts))
+        for p in capture:
+            self.assertIn(ICMP, p)
+            self.assertEqual(p[ICMP].type, 11)  # 11 == time-exceeded
+
     def test_static_with_port_out2(self):
         """ NAT44ED 1:1 NAPT asymmetrical rule """