On Thu, May 14, 2020 at 11:23 AM Jon Loeliger via lists.fd.io <jdl= netgate....@lists.fd.io> wrote:
> Did the ICMP mapping open more than was expected or intended here?
>
> I chased this down in the code a bit, but I'm not sure what the _intent_
> is supposed to be.
> When "address only" is true (i.e., both ports are 0), then the protocol
> appears not to be used in any of the NAT-entry lookups. Is that somehow
> allowing UDP and TCP to slide through?
>
> Thanks,
> jdl

So, here is the same scenario using vppctl to set up the test case.

vpp# nat44 add static mapping icmp local 192.168.0.53 external outside
vpp# show nat44 static mappings
NAT44 static mappings:
 local 192.168.0.53 external 192.168.0.53 vrf 0
 local 192.168.0.53 external outside vrf -1

NO reference to ICMP in the output of "show nat44 static mappings".

Here is confirmation that the outside interface (192.168.0.53) is permitting the inbound SSH session:

tcp 0 0 192.168.0.53:22 192.168.0.120:50445 ESTABLISHED - Outside
tcp 0 0 172.21.89.1:22 172.21.89.123:51289 ESTABLISHED - Inside