aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMatus Fabian <matfabia@cisco.com>2018-11-21 04:53:10 -0800
committerMatus Fabian <matfabia@cisco.com>2018-11-22 06:51:53 +0000
commit1d403abe1baa9d058a99e7113236d93d2bbb93d6 (patch)
tree071a0354a86a6c51679563c6e57a72076790670d
parent45ed202905131c0563fcf16aaf9538d9efcd372d (diff)
NAT44: Apply transitory timeout on TCP RST (VPP-1494)
RFC7857 section 2.2. Change-Id: I031af5fe379b72262e83fd8565c34fa1b772f2c8 Signed-off-by: Matus Fabian <matfabia@cisco.com> (cherry picked from commit 15e8e681813a2e88dad107b5fe238bc8abee17d2)
-rw-r--r--src/plugins/nat/nat.h1
-rw-r--r--src/plugins/nat/nat_inlines.h8
-rw-r--r--test/test_nat.py51
3 files changed, 60 insertions, 0 deletions
diff --git a/src/plugins/nat/nat.h b/src/plugins/nat/nat.h
index 02d4aaef9f6..3162e41b696 100644
--- a/src/plugins/nat/nat.h
+++ b/src/plugins/nat/nat.h
@@ -165,6 +165,7 @@ typedef enum
#define NAT44_SES_O2I_FIN_ACK 8
#define NAT44_SES_I2O_SYN 16
#define NAT44_SES_O2I_SYN 32
+#define NAT44_SES_RST 64
/* Session flags */
#define SNAT_SESSION_FLAG_STATIC_MAPPING 1
diff --git a/src/plugins/nat/nat_inlines.h b/src/plugins/nat/nat_inlines.h
index 730d4400e6a..9000a3ddcd3 100644
--- a/src/plugins/nat/nat_inlines.h
+++ b/src/plugins/nat/nat_inlines.h
@@ -200,6 +200,10 @@ always_inline int
nat44_set_tcp_session_state_i2o (snat_main_t * sm, snat_session_t * ses,
tcp_header_t * tcp, u32 thread_index)
{
+ if ((ses->state == 0) && (tcp->flags & TCP_FLAG_RST))
+ ses->state = NAT44_SES_RST;
+ if ((ses->state == NAT44_SES_RST) && !(tcp->flags & TCP_FLAG_RST))
+ ses->state = 0;
if ((tcp->flags & TCP_FLAG_ACK) && (ses->state & NAT44_SES_I2O_SYN) &&
(ses->state & NAT44_SES_O2I_SYN))
ses->state = 0;
@@ -231,6 +235,10 @@ always_inline int
nat44_set_tcp_session_state_o2i (snat_main_t * sm, snat_session_t * ses,
tcp_header_t * tcp, u32 thread_index)
{
+ if ((ses->state == 0) && (tcp->flags & TCP_FLAG_RST))
+ ses->state = NAT44_SES_RST;
+ if ((ses->state == NAT44_SES_RST) && !(tcp->flags & TCP_FLAG_RST))
+ ses->state = 0;
if ((tcp->flags & TCP_FLAG_ACK) && (ses->state & NAT44_SES_I2O_SYN) &&
(ses->state & NAT44_SES_O2I_SYN))
ses->state = 0;
diff --git a/test/test_nat.py b/test/test_nat.py
index bc476239975..d3849da4321 100644
--- a/test/test_nat.py
+++ b/test/test_nat.py
@@ -5675,6 +5675,57 @@ class TestNAT44EndpointDependent(MethodHolder):
self.assertLess(nsessions, 2 * max_sessions)
@unittest.skipUnless(running_extended_tests(), "part of extended tests")
+ def test_session_rst_timeout(self):
+ """ NAT44 session RST timeouts """
+ self.nat44_add_address(self.nat_addr)
+ self.vapi.nat44_interface_add_del_feature(self.pg0.sw_if_index)
+ self.vapi.nat44_interface_add_del_feature(self.pg1.sw_if_index,
+ is_inside=0)
+ self.vapi.nat_set_timeouts(tcp_transitory=5)
+
+ nat44_config = self.vapi.nat_show_config()
+
+ self.initiate_tcp_session(self.pg0, self.pg1)
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
+ TCP(sport=self.tcp_port_in, dport=self.tcp_external_port,
+ flags="R"))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg1.get_capture(1)
+
+ pkts_num = nat44_config.max_translations_per_user - 1
+ pkts = []
+ for i in range(0, pkts_num):
+ p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
+ UDP(sport=1025 + i, dport=53))
+ pkts.append(p)
+ self.pg0.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg1.get_capture(pkts_num)
+
+ sleep(6)
+
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
+ TCP(sport=self.tcp_port_in + 1, dport=self.tcp_external_port + 1,
+ flags="S"))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg1.get_capture(1)
+
+ nsessions = 0
+ users = self.vapi.nat44_user_dump()
+ self.assertEqual(len(users), 1)
+ self.assertEqual(users[0].ip_address, self.pg0.remote_ip4n)
+ self.assertEqual(users[0].nsessions,
+ nat44_config.max_translations_per_user)
+
+ @unittest.skipUnless(running_extended_tests(), "part of extended tests")
def test_session_limit_per_user(self):
""" Maximum sessions per user limit """
self.nat44_add_address(self.nat_addr)