conntrack: ignore port for ICMP/ICMPv6 NAT.

ICMP/ICMPv6 fails, if the src/dst port is set in a common NAT rule.
For example:
actions=ct(nat(dst=172.16.1.100:5000),commit,table=40)

Fixes: 4cd0481c9e8b ("conntrack: Fix wasted work for ICMP NAT.")
CC: Darrell Ball <dlu998@gmail.com>
Signed-off-by: solomon <liwei.solomon@gmail.com>
Signed-off-by: Darrell Ball <dlu998@gmail.com>
Co-authored-by: Darrell Ball <dlu998@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>

1 files changed, 8 insertions, 4 deletions

diff --git a/lib/conntrack.c b/lib/conntrack.c
index 67c3a5833..5f60fea18 100644
--- a/lib/conntrack.c
+++ b/lib/conntrack.c
@@ -2051,14 +2051,18 @@ nat_select_range_tuple(struct conntrack *ct, const struct conn *conn,
     while (true) {
         if (conn->nat_info->nat_action & NAT_ACTION_SRC) {
             nat_conn->rev_key.dst.addr = ct_addr;
-            nat_conn->rev_key.dst.port = htons(port);
+            if (pat_enabled) {
+                nat_conn->rev_key.dst.port = htons(port);
+            }
         } else {
             nat_conn->rev_key.src.addr = ct_addr;
-            nat_conn->rev_key.src.port = htons(port);
+            if (pat_enabled) {
+                nat_conn->rev_key.src.port = htons(port);
+            }
         }
 
-        bool found = conn_lookup(ct, &nat_conn->rev_key, time_msec(),
-                                     NULL, NULL);
+        bool found = conn_lookup(ct, &nat_conn->rev_key, time_msec(), NULL,
+                                 NULL);
         if (!found) {
             return true;
         } else if (pat_enabled && !all_ports_tried) {