Issue
Currently, VPP allows setting NAT44 rules with a port but without specifying a protocol and vice versa:
set vpp nat44 exclude rule 10 external-interface 'eth1' set vpp nat44 exclude rule 10 local-port '22'
set vpp nat44 static rule 10 external address '192.168.99.1' set vpp nat44 static rule 10 external port '88' set vpp nat44 static rule 10 local address '192.168.1.1' set vpp nat44 static rule 10 local port '22'
While this combination is valid from an API perspective and raises no errors, it is invalid according to VPP's internal logic. This leads to the creation of a rule with IP protocol 0 (IP6_HOP_BY_HOP_OPTIONS):
NAT44 static mappings: identity mapping IP6_HOP_BY_HOP_OPTIONS 192.168.99.1:22 vrf 0 IP6_HOP_BY_HOP_OPTIONS local 200.204.216.114:22 external eth1:22 vrf 0
Also, a protocol without ports is valid as an API command (but not in CLI, by the way):
set vpp nat44 static rule 100 external address '192.168.99.1' set vpp nat44 static rule 100 local address '192.168.102.2' set vpp nat44 static rule 100 protocol 'tcp'
NAT44 static mappings: TCP local 192.168.102.2:0 external 192.168.99.1:0 vrf 0
But such a rule cannot match real traffic:
00:11:54:104491: nat44-ed-out2in NAT44_OUT2IN_ED_FAST_PATH: sw_if_index 1, next index 7 search key local 192.168.99.3:45338 remote 192.168.99.1:22 proto TCP fib 0 thread-index 0 session-index 0 slow path because lookup failed 00:11:54:104495: nat44-ed-out2in-slowpath NAT44_OUT2IN_ED_SLOW_PATH: sw_if_index 1, next index 0 00:11:54:104498: error-drop rx:eth1 00:11:54:104499: drop nat44-ed-out2in-slowpath: no translation
Expected Behavior
The "all protocols" and "all ports" default logic should only apply if an IP address (and nothing else) is configured in a rule. Rules that include ports should require a protocol to be explicitly specified and vice versa.
Proposed Fix
We should enforce protocol specification for any NAT44 rule that includes a port, and ports for any with a protocol.