nat: Check the authentication bit later...

When moving it up here the code started to reject
the identity responses of the bsc and we would
never authenticate. Move it back down.

1 files changed, 12 insertions, 6 deletions

diff --git a/openbsc/src/nat/bsc_nat.c b/openbsc/src/nat/bsc_nat.c
index b135bfec6..badbc9a53 100644
--- a/openbsc/src/nat/bsc_nat.c
+++ b/openbsc/src/nat/bsc_nat.c
@@ -385,12 +385,6 @@ static int forward_sccp_to_msc(struct bsc_connection *bsc, struct msgb *msg)
 	struct sccp_connections *con;
 	struct bsc_nat_parsed *parsed;
 
-	if (!bsc->authenticated) {
-		LOGP(DNAT, LOGL_ERROR, "BSC is not authenticated.\n");
-		msgb_free(msg);
-		return -1;
-	}
-
 	/* Parse and filter messages */
 	parsed = bsc_nat_parse(msg);
 	if (!parsed) {
@@ -402,6 +396,18 @@ static int forward_sccp_to_msc(struct bsc_connection *bsc, struct msgb *msg)
 	if (bsc_nat_filter_ipa(DIR_MSC, msg, parsed))
 		goto exit;
 
+	/*
+	 * check authentication after filtering to not reject auth
+	 * responses coming from the BSC. We have to make sure that
+	 * nothing from the exit path will forward things to the MSC
+	 */
+	if (!bsc->authenticated) {
+		LOGP(DNAT, LOGL_ERROR, "BSC is not authenticated.\n");
+		msgb_free(msg);
+		return -1;
+	}
+
+
 	/* modify the SCCP entries */
 	if (parsed->ipa_proto == IPAC_PROTO_SCCP) {
 		switch (parsed->sccp_type) {