Yes, it works with ip0:
vnet_buffer (b0)->ip.reass.is_non_first_fragment =
! !ip4_get_fragment_offset (ip0);
Thanks,
Miklos
________________________________
From: Klement Sekera -X (ksekera - PANTHEON TECH SRO at Cisco)
<ksek...@cisco.com>
Sent: Tuesday, May 26, 2020 12:14 PM
To: Miklós Tirpák <miklos.tir...@emnify.com>
Cc: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] NAT44 does not work with fragmented ICMP packets
CAUTION: This email originated from outside of the organization. Do not click
links or open attachments unless you recognize the sender and know the content
is safe.
I think it’s enough if instead of vlib_buffer_get_current(b0) we just use ip0
(that already takes save_rewrite_length into consideration). Can you please
test with this modification?
Thanks,
Klement
> On 26 May 2020, at 11:51, Miklos Tirpak <miklos.tir...@emnify.com> wrote:
>
> Hi,
>
> I think there is a problem in ip4_sv_reass_inline(), it does not consider
> ip.save_rewrite_length when it calculates is_non_first_fragment at line 619
> (master):
> vnet_buffer (b0)->ip.reass.is_non_first_fragment =
> ! !ip4_get_fragment_offset (vlib_buffer_get_current (b0));
>
> Let me open a pull request to fix this.
>
> Thanks,
> Miklos
> From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of Miklos Tirpak
> via lists.fd.io <miklos.tirpak=emnify....@lists.fd.io>
> Sent: Tuesday, May 26, 2020 9:25 AM
> To: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io>
> Subject: [vpp-dev] NAT44 does not work with fragmented ICMP packets
>
> CAUTION: This email originated from outside of the organization. Do not click
> links or open attachments unless you recognize the sender and know the
> content is safe.
>
> Hi,
>
> we have a scenario where an ICMP packet arrives fragmented over a GTP-U
> tunnel. The outer IP packets are not fragmented, only the inner ones are.
> After GTP-U decapsulation, the packets are routed via an interface where
> NAT44 output-feature is configured.
>
> In the outgoing packets, the source IP is correctly NATed but the ICMP
> identifier (port) is not changed. Hence, the NAT session cannot be found for
> the ICMP reply. This works correctly with smaller packets, the problem is
> only with fragmented ones.
>
> I could reproduce this with both VPP 20.01 and master, and could see that
> ip.reass.is_non_first_fragment is true for every packet. Therefore,
> icmp_in2out() does not update the ICMP header I think.
>
> 712 if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
> (gdb) p ((vnet_buffer_opaque_t *) (b0)->opaque)->ip.reass
> $17 = {{{next_index = 1056456440, error_next_index = 0}, {owner_thread_index
> = 270}}, {{{l4_src_port = 16120,
> l4_dst_port = 16120, tcp_ack_number = 0, save_rewrite_length = 14
> '\016', ip_proto = 1 '\001',
> icmp_type_or_tcp_flags = 8 '\b', is_non_first_fragment = 1 '\001',
> tcp_seq_number = 0}, {estimated_mtu = 16120}}}, {
> fragment_first = 16120, fragment_last = 16120, range_first = 0,
> range_last = 0, next_range_bi = 17301774,
> ip6_frag_hdr_offset = 0}}
>
> The node trace seems to be fine:
> ... ip4-lookup -> ip4-rewrite -> ip4-sv-reassembly-output-feature ->
> nat44-in2out-output -> nat44-in2out-output-slowpath
>
> The NAT session is also correct, it includes the new port:
>
> DBGvpp# sh nat44 sessions detail
> NAT44 sessions:
> -------- thread 0 vpp_main: 0 sessions --------
> -------- thread 1 vpp_wk_0: 1 sessions --------
> 100.64.100.1: 1 dynamic translations, 0 static translations
> i2o 100.64.100.1 proto icmp port 63550 fib 1
> o2i 172.16.17.2 proto icmp port 16253 fib 0
> index 0
> last heard 44.16
> total pkts 80, total bytes 63040
> dynamic translation
>
> Do you know if this is a configuration issue or a possible bug? Thank you!
>
> Thanks,
> Miklos
>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#16491): https://lists.fd.io/g/vpp-dev/message/16491
Mute This Topic: https://lists.fd.io/mt/74473306/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
