[qca-nss-ecm] is_routed flag and ecm_dir should match

Check if is_routed flag and the ecm_dir direction
are consistent with each other. If the packet comes from
bridge post routing hook, is_routed flag is false and
the ecm_dir calculation must be bridge direction.
This becomes an issue in hairpin NAT scenario, where
the LAN client accesses the LAN server with its
private IP address instead of the WAN IP address of the
device. In this case, SNAT is applied to the bridge
packet and ECM calculates the direction of the packet
as egress NAT which is wrong. So, we shouldn't process
these packets and wait for them to hit the IPv4 post
routing hook.

Change-Id: Ie89f5d16708e7b8235a2419c8f9bb4a197ca5e82
Signed-off-by: Murat Sezgin <msezgin@codeaurora.org>
diff --git a/frontends/nss/ecm_nss_ipv4.c b/frontends/nss/ecm_nss_ipv4.c
index 7cb2d25..fc711d1 100644
--- a/frontends/nss/ecm_nss_ipv4.c
+++ b/frontends/nss/ecm_nss_ipv4.c
@@ -1,6 +1,6 @@
 /*
  **************************************************************************
- * Copyright (c) 2014-2016 The Linux Foundation.  All rights reserved.
+ * Copyright (c) 2014-2017 The Linux Foundation.  All rights reserved.
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
  * above copyright notice and this permission notice appear in all copies.
@@ -1042,6 +1042,20 @@
 		ecm_dir = ECM_DB_DIRECTION_BRIDGED;
 	}
 
+	/*
+	 * Is ecm_dir consistent with is_routed flag?
+	 * In SNAT and hairpin NAT scenario, while accessing the LAN side server with its private
+	 * IP address from another client in the same LAN, the packets come through the bridge post routing hook
+	 * have the WAN interface IP address as the SNAT address. Then in the above ecm_dir calculation,
+	 * it is calculated as ECM_DB_DIRECTION_EGRESS_NAT. So, we shouldn't accelerate the flow this time
+	 * and wait for the packet to pass through the post routing hook.
+	 *
+	 */
+	if (!is_routed && (ecm_dir != ECM_DB_DIRECTION_BRIDGED)) {
+		DEBUG_TRACE("Packet comes from bridge post routing hook but ecm_dir is not bridge\n");
+		return NF_ACCEPT;
+	}
+
 	DEBUG_TRACE("IP Packet ORIGINAL src: %pI4 ORIGINAL dst: %pI4 protocol: %u, sender: %d ecm_dir: %d\n", &orig_tuple.src.u3.ip, &orig_tuple.dst.u3.ip, orig_tuple.dst.protonum, sender, ecm_dir);
 
 	/*
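Review bot: the new early return under `if (!is_routed && (ecm_dir != ECM_DB_DIRECTION_BRIDGED))` fires before the existing DEBUG_TRACE that prints the original src/dst, protocol, sender and ecm_dir, so a packet skipped on this path leaves only a fixed string in the trace. Consider adding ecm_dir (and the original tuple addresses) to the new DEBUG_TRACE so a hairpin NAT skip can be identified from the log. The test also covers only one side of what the subject line asks for ("should match"): is_routed set together with ecm_dir == ECM_DB_DIRECTION_BRIDGED is not checked. If that combination cannot occur, a sentence in the comment saying so would help the next reader. Style: the comment block ends with an empty ` *` line before ` */`, and several of its lines run well past 80 columns.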