cnat: Fix snat with dhcp 67/31467/3
authorNathan Skrzypczak <nathan.skrzypczak@gmail.com>
Fri, 26 Feb 2021 17:12:20 +0000 (18:12 +0100)
committerDave Barach <openvpp@barachs.net>
Thu, 4 Mar 2021 12:35:15 +0000 (12:35 +0000)
Type: fix

We didn't check that the source endpoint was resolved
when creating the session, so we could end up SNATing
with 0.0.0.0 as the source address.

Change-Id: If8dfa577e659cfe90b148657a44c0390a7d383e9
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
src/plugins/cnat/cnat_node_feature.c
src/plugins/cnat/cnat_node_snat.c
src/plugins/cnat/cnat_node_vip.c
src/plugins/cnat/test/test_cnat.py

index 10293de..c99160c 100644 (file)
@@ -72,6 +72,7 @@ cnat_input_feature_fn (vlib_main_t *vm, vlib_node_runtime_t *node,
       cc = cnat_client_ip6_find (&ip6->dst_address); /* TODO: same as above */
     }
 
+  /* Wrong session key */
   if (session->key.cs_proto == 0)
     goto trace;
 
@@ -265,6 +266,7 @@ cnat_output_feature_fn (vlib_main_t *vm, vlib_node_runtime_t *node,
       udp0 = (udp_header_t *) (ip6 + 1);
     }
 
+  /* Wrong session key */
   if (session->key.cs_proto == 0)
     goto trace;
 
index ef784a6..5cc84c4 100644 (file)
@@ -64,12 +64,9 @@ cnat_snat_node_fn (vlib_main_t *vm, vlib_node_runtime_t *node,
   vnet_feature_next (&arc_next0, b);
   next0 = arc_next0;
 
-  if (iproto != IP_PROTOCOL_UDP && iproto != IP_PROTOCOL_TCP
-      && iproto != IP_PROTOCOL_ICMP && iproto != IP_PROTOCOL_ICMP6)
-    {
-      /* Dont translate */
-      goto trace;
-    }
+  /* Wrong session key */
+  if (session->key.cs_proto == 0)
+    goto trace;
 
   if (!session_not_found)
     {
@@ -96,6 +93,8 @@ cnat_snat_node_fn (vlib_main_t *vm, vlib_node_runtime_t *node,
          a VIP) */
       if (AF_IP4 == ctx->af)
        {
+         if (!(cm->snat_ip4.ce_flags & CNAT_EP_FLAG_RESOLVED))
+           goto trace;
          ip46_address_set_ip4 (&session->value.cs_ip[VLIB_RX],
                                &ip_addr_v4 (&cm->snat_ip4.ce_ip));
          ip46_address_set_ip4 (&session->value.cs_ip[VLIB_TX],
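Review bot: When `cm->snat_ip4` is not yet resolved the added `goto trace` lets the packet leave untranslated on the feature-arc `next0` chosen earlier in the function, so a flow that starts before DHCP has assigned the SNAT address keeps its original source address instead of being SNATed with 0.0.0.0. If SNAT is meant to be mandatory on this interface that is a fail-open; this node may have a drop next that would be the safer choice here, but that enum is not visible in the hunk. Whichever is intended, the comment should say so, e.g. `/* SNAT source not yet resolved (e.g. DHCP pending): forward untranslated rather than sNAT with 0.0.0.0 */`. The guard reads `ce_flags` and then `ce_ip` as two separate loads, which is only consistent if control-plane updates to `cm->snat_ip4` are serialized against worker threads (as VPP's barrier normally does); worth one sentence at the check. The enclosing `else` branch and cnat_snat_node_fn extend past this hunk.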
@@ -103,6 +102,8 @@ cnat_snat_node_fn (vlib_main_t *vm, vlib_node_runtime_t *node,
        }
       else
        {
+         if (!(cm->snat_ip6.ce_flags & CNAT_EP_FLAG_RESOLVED))
+           goto trace;
          ip46_address_set_ip6 (&session->value.cs_ip[VLIB_RX],
                                &ip_addr_v6 (&cm->snat_ip6.ce_ip));
          ip46_address_set_ip6 (&session->value.cs_ip[VLIB_TX],
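Review bot: The IPv6 branch duplicates the resolved-flag guard of the IPv4 branch line for line, leaving two places that must be kept in step. Since the only thing that differs between the branches is which endpoint is consulted, the flag test can be hoisted above the `if (AF_IP4 == ctx->af)` split by selecting the endpoint once, `AF_IP4 == ctx->af ? &cm->snat_ip4 : &cm->snat_ip6`, and checking `CNAT_EP_FLAG_RESOLVED` on that pointer, leaving only the `ip46_address_set_ip4`/`ip46_address_set_ip6` copies per family. The enclosing `else` branch and function continue outside this hunk.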
index bc7d303..f0a4ad7 100644 (file)
@@ -62,8 +62,8 @@ cnat_vip_node_fn (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_buffer_t *b,
 
   cc = cnat_client_get (vnet_buffer (b)->ip.adj_index[VLIB_TX]);
 
-  if (iproto != IP_PROTOCOL_UDP && iproto != IP_PROTOCOL_TCP
-      && iproto != IP_PROTOCOL_ICMP && iproto != IP_PROTOCOL_ICMP6)
+  /* Wrong session key */
+  if (session->key.cs_proto == 0)
     {
       /* Dont translate & follow the fib programming */
       next0 = cc->cc_parent.dpoi_next_node;
index 4398a63..ce32644 100644 (file)
@@ -527,8 +527,10 @@ class TestCNatTranslation(VppTestCase):
 class TestCNatSourceNAT(VppTestCase):
     """ CNat Source NAT """
     extra_vpp_punt_config = ["cnat", "{",
+                             "session-cleanup-timeout", "0.1",
                              "session-max-age", "1",
-                             "tcp-max-age", "1", "}"]
+                             "tcp-max-age", "1",
+                             "scanner", "off", "}"]
 
     @classmethod
     def setUpClass(cls):
@@ -556,10 +558,10 @@ class TestCNatSourceNAT(VppTestCase):
         self.pg1.configure_ipv4_neighbors()
         self.pg1.configure_ipv6_neighbors()
 
-        self.vapi.cli("test cnat scanner off")
         self.vapi.cnat_set_snat_addresses(
             snat_ip4=self.pg2.remote_hosts[0].ip4,
-            snat_ip6=self.pg2.remote_hosts[0].ip6)
+            snat_ip6=self.pg2.remote_hosts[0].ip6,
+            sw_if_index=INVALID_INDEX)
         self.vapi.feature_enable_disable(
             enable=1,
             arc_name="ip6-unicast",
@@ -953,6 +955,7 @@ class TestCNatDHCP(VppTestCase):
             self.pg0.sw_if_index, 1, True))
         self.config_ips([1], is_add=0, is_v6=False)
         self.config_ips([1], is_add=0, is_v6=True)
+        self.vapi.cnat_set_snat_addresses(sw_if_index=INVALID_INDEX)
 
 
 if __name__ == '__main__':