Support ping from outside network in 1:1 NAT (VPP-695)
Change-Id: Iec8fd4c2bd26874bd8bda82172af797e9b92592c
Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
diff --git a/src/plugins/snat/in2out.c b/src/plugins/snat/in2out.c
index 5a2e2b7..4970fce 100644
--- a/src/plugins/snat/in2out.c
+++ b/src/plugins/snat/in2out.c
@@ -94,7 +94,7 @@
_(IN2OUT_PACKETS, "Good in2out packets processed") \
_(OUT_OF_PORTS, "Out of ports") \
_(BAD_OUTSIDE_FIB, "Outside VRF ID not found") \
-_(BAD_ICMP_TYPE, "icmp type not echo-request") \
+_(BAD_ICMP_TYPE, "unsupported ICMP type") \
_(NO_TRANSLATION, "No translation")
typedef enum {
@@ -194,7 +194,7 @@
if (clib_bihash_search_8_8 (&sm->out2in, &kv0, &value0))
{
/* or is static mappings */
- if (!snat_static_mapping_match(sm, key0, &sm0, 1))
+ if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0))
return 0;
}
else
@@ -332,7 +332,7 @@
u8 static_mapping = 1;
/* First try to match static mapping by local address and port */
- if (snat_static_mapping_match (sm, *key0, &key1, 0))
+ if (snat_static_mapping_match (sm, *key0, &key1, 0, 0))
{
static_mapping = 0;
/* Try to create dynamic translation */
@@ -515,8 +515,9 @@
goto out;
}
- if (icmp_is_error_message (icmp0))
+ if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request))
{
+ b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
next0 = SNAT_IN2OUT_NEXT_DROP;
goto out;
}
@@ -528,15 +529,18 @@
goto out;
}
else
- s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
- value0.value);
-
- if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request &&
- !icmp_is_error_message (icmp0)))
{
- b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
- next0 = SNAT_IN2OUT_NEXT_DROP;
- goto out;
+ if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request &&
+ icmp0->type != ICMP4_echo_reply &&
+ !icmp_is_error_message (icmp0)))
+ {
+ b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
+ next0 = SNAT_IN2OUT_NEXT_DROP;
+ goto out;
+ }
+
+ s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
+ value0.value);
}
out:
@@ -574,6 +578,7 @@
snat_session_key_t key0;
snat_session_key_t sm0;
u8 dont_translate = 0;
+ u8 is_addr_only;
u32 next0 = ~0;
int err;
@@ -591,7 +596,7 @@
}
key0.fib_index = rx_fib_index0;
- if (snat_static_mapping_match(sm, key0, &sm0, 0))
+ if (snat_static_mapping_match(sm, key0, &sm0, 0, &is_addr_only))
{
if (PREDICT_FALSE(snat_not_translate_fast(sm, node, sw_if_index0, ip0,
IP_PROTOCOL_ICMP, rx_fib_index0)))
@@ -612,14 +617,12 @@
}
if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request &&
+ (icmp0->type != ICMP4_echo_reply || !is_addr_only) &&
!icmp_is_error_message (icmp0)))
{
- if (icmp0->type != ICMP4_echo_reply || key0.port != sm0.port)
- {
- b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
- next0 = SNAT_IN2OUT_NEXT_DROP;
- goto out;
- }
+ b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
+ next0 = SNAT_IN2OUT_NEXT_DROP;
+ goto out;
}
out:
@@ -792,7 +795,7 @@
if (clib_bihash_search_8_8 (&sm->out2in, &kv0, &value0))
{
/* or static mappings */
- if (!snat_static_mapping_match(sm, key0, &sm0, 1))
+ if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0))
{
new_dst_addr0 = sm0.addr.as_u32;
new_dst_port0 = sm0.port;
@@ -2489,7 +2492,7 @@
key0.port = udp0->src_port;
key0.fib_index = rx_fib_index0;
- if (snat_static_mapping_match(sm, key0, &sm0, 0))
+ if (snat_static_mapping_match(sm, key0, &sm0, 0, 0))
{
b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
next0= SNAT_IN2OUT_NEXT_DROP;
diff --git a/src/plugins/snat/out2in.c b/src/plugins/snat/out2in.c
index f9f8def..3d7b106 100644
--- a/src/plugins/snat/out2in.c
+++ b/src/plugins/snat/out2in.c
@@ -86,7 +86,7 @@
#define foreach_snat_out2in_error \
_(UNSUPPORTED_PROTOCOL, "Unsupported protocol") \
_(OUT2IN_PACKETS, "Good out2in packets processed") \
-_(BAD_ICMP_TYPE, "icmp type not echo-reply") \
+_(BAD_ICMP_TYPE, "unsupported ICMP type") \
_(NO_TRANSLATION, "No translation")
typedef enum {
@@ -299,6 +299,7 @@
snat_session_t *s0 = 0;
u8 dont_translate = 0;
clib_bihash_kv_8_8_t kv0, value0;
+ u8 is_addr_only;
u32 next0 = ~0;
int err;
@@ -322,7 +323,7 @@
{
/* Try to match static mapping by external address and port,
destination address and port in packet */
- if (snat_static_mapping_match(sm, key0, &sm0, 1))
+ if (snat_static_mapping_match(sm, key0, &sm0, 1, &is_addr_only))
{
/* Don't NAT packet aimed at the intfc address */
if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
@@ -336,8 +337,10 @@
goto out;
}
- if (icmp_is_error_message (icmp0))
+ if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
+ (icmp0->type != ICMP4_echo_request || !is_addr_only)))
{
+ b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
next0 = SNAT_OUT2IN_NEXT_DROP;
goto out;
}
@@ -353,15 +356,18 @@
}
}
else
- s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
- value0.value);
-
- if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
- !icmp_is_error_message (icmp0)))
{
- b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
- next0 = SNAT_OUT2IN_NEXT_DROP;
- goto out;
+ if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
+ icmp0->type != ICMP4_echo_request &&
+ !icmp_is_error_message (icmp0)))
+ {
+ b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
+ next0 = SNAT_OUT2IN_NEXT_DROP;
+ goto out;
+ }
+
+ s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
+ value0.value);
}
out:
@@ -399,6 +405,7 @@
snat_session_key_t key0;
snat_session_key_t sm0;
u8 dont_translate = 0;
+ u8 is_addr_only;
u32 next0 = ~0;
int err;
@@ -416,7 +423,7 @@
}
key0.fib_index = rx_fib_index0;
- if (snat_static_mapping_match(sm, key0, &sm0, 1))
+ if (snat_static_mapping_match(sm, key0, &sm0, 1, &is_addr_only))
{
/* Don't NAT packet aimed at the intfc address */
if (is_interface_addr(sm, node, sw_if_index0, ip0->dst_address.as_u32))
@@ -430,14 +437,12 @@
}
if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
+ (icmp0->type != ICMP4_echo_request || !is_addr_only) &&
!icmp_is_error_message (icmp0)))
{
- if (icmp0->type != ICMP4_echo_request || key0.port != sm0.port)
- {
- b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
- next0 = SNAT_OUT2IN_NEXT_DROP;
- goto out;
- }
+ b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
+ next0 = SNAT_OUT2IN_NEXT_DROP;
+ goto out;
}
out:
@@ -717,7 +722,7 @@
{
/* Try to match static mapping by external address and port,
destination address and port in packet */
- if (snat_static_mapping_match(sm, key0, &sm0, 1))
+ if (snat_static_mapping_match(sm, key0, &sm0, 1, 0))
{
b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
/*
@@ -852,7 +857,7 @@
{
/* Try to match static mapping by external address and port,
destination address and port in packet */
- if (snat_static_mapping_match(sm, key1, &sm1, 1))
+ if (snat_static_mapping_match(sm, key1, &sm1, 1, 0))
{
b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
/*
@@ -1021,7 +1026,7 @@
{
/* Try to match static mapping by external address and port,
destination address and port in packet */
- if (snat_static_mapping_match(sm, key0, &sm0, 1))
+ if (snat_static_mapping_match(sm, key0, &sm0, 1, 0))
{
b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
/*
@@ -2025,7 +2030,7 @@
key0.port = udp0->dst_port;
key0.fib_index = rx_fib_index0;
- if (snat_static_mapping_match(sm, key0, &sm0, 1))
+ if (snat_static_mapping_match(sm, key0, &sm0, 1, 0))
{
b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
goto trace00;
diff --git a/src/plugins/snat/snat.c b/src/plugins/snat/snat.c
index 24ef5df..8569b04 100644
--- a/src/plugins/snat/snat.c
+++ b/src/plugins/snat/snat.c
@@ -1903,13 +1903,15 @@
* @param mapping External or local address and port of the matched mapping.
* @param by_external If 0 match by local address otherwise match by external
* address.
+ * @param is_addr_only If matched mapping is address only
*
* @returns 0 if match found otherwise 1.
*/
int snat_static_mapping_match (snat_main_t * sm,
snat_session_key_t match,
snat_session_key_t * mapping,
- u8 by_external)
+ u8 by_external,
+ u8 *is_addr_only)
{
clib_bihash_kv_8_8_t kv, value;
snat_static_mapping_t *m;
@@ -1955,6 +1957,9 @@
mapping->fib_index = sm->outside_fib_index;
}
+ if (PREDICT_FALSE(is_addr_only != 0))
+ *is_addr_only = m->addr_only;
+
return 0;
}
diff --git a/src/plugins/snat/snat.h b/src/plugins/snat/snat.h
index 92bc8d1..ee355a4 100644
--- a/src/plugins/snat/snat.h
+++ b/src/plugins/snat/snat.h
@@ -351,7 +351,8 @@
int snat_static_mapping_match (snat_main_t * sm,
snat_session_key_t match,
snat_session_key_t * mapping,
- u8 by_external);
+ u8 by_external,
+ u8 *is_addr_only);
void snat_add_del_addr_to_fib (ip4_address_t * addr,
u8 p_len,