diff options
author | Matus Fabian <matfabia@cisco.com> | 2018-11-21 04:53:10 -0800 |
---|---|---|
committer | Matus Fabian <matfabia@cisco.com> | 2018-11-22 06:51:53 +0000 |
commit | 1d403abe1baa9d058a99e7113236d93d2bbb93d6 (patch) | |
tree | 071a0354a86a6c51679563c6e57a72076790670d | |
parent | 45ed202905131c0563fcf16aaf9538d9efcd372d (diff) |
NAT44: Apply transitory timeout on TCP RST (VPP-1494)
RFC7857 section 2.2.
Change-Id: I031af5fe379b72262e83fd8565c34fa1b772f2c8
Signed-off-by: Matus Fabian <matfabia@cisco.com>
(cherry picked from commit 15e8e681813a2e88dad107b5fe238bc8abee17d2)
-rw-r--r-- | src/plugins/nat/nat.h | 1 | ||||
-rw-r--r-- | src/plugins/nat/nat_inlines.h | 8 | ||||
-rw-r--r-- | test/test_nat.py | 51 |
3 files changed, 60 insertions, 0 deletions
diff --git a/src/plugins/nat/nat.h b/src/plugins/nat/nat.h index 02d4aaef9f6..3162e41b696 100644 --- a/src/plugins/nat/nat.h +++ b/src/plugins/nat/nat.h @@ -165,6 +165,7 @@ typedef enum #define NAT44_SES_O2I_FIN_ACK 8 #define NAT44_SES_I2O_SYN 16 #define NAT44_SES_O2I_SYN 32 +#define NAT44_SES_RST 64 /* Session flags */ #define SNAT_SESSION_FLAG_STATIC_MAPPING 1 diff --git a/src/plugins/nat/nat_inlines.h b/src/plugins/nat/nat_inlines.h index 730d4400e6a..9000a3ddcd3 100644 --- a/src/plugins/nat/nat_inlines.h +++ b/src/plugins/nat/nat_inlines.h @@ -200,6 +200,10 @@ always_inline int nat44_set_tcp_session_state_i2o (snat_main_t * sm, snat_session_t * ses, tcp_header_t * tcp, u32 thread_index) { + if ((ses->state == 0) && (tcp->flags & TCP_FLAG_RST)) + ses->state = NAT44_SES_RST; + if ((ses->state == NAT44_SES_RST) && !(tcp->flags & TCP_FLAG_RST)) + ses->state = 0; if ((tcp->flags & TCP_FLAG_ACK) && (ses->state & NAT44_SES_I2O_SYN) && (ses->state & NAT44_SES_O2I_SYN)) ses->state = 0; @@ -231,6 +235,10 @@ always_inline int nat44_set_tcp_session_state_o2i (snat_main_t * sm, snat_session_t * ses, tcp_header_t * tcp, u32 thread_index) { + if ((ses->state == 0) && (tcp->flags & TCP_FLAG_RST)) + ses->state = NAT44_SES_RST; + if ((ses->state == NAT44_SES_RST) && !(tcp->flags & TCP_FLAG_RST)) + ses->state = 0; if ((tcp->flags & TCP_FLAG_ACK) && (ses->state & NAT44_SES_I2O_SYN) && (ses->state & NAT44_SES_O2I_SYN)) ses->state = 0; diff --git a/test/test_nat.py b/test/test_nat.py index bc476239975..d3849da4321 100644 --- a/test/test_nat.py +++ b/test/test_nat.py @@ -5675,6 +5675,57 @@ class TestNAT44EndpointDependent(MethodHolder): self.assertLess(nsessions, 2 * max_sessions) @unittest.skipUnless(running_extended_tests(), "part of extended tests") + def test_session_rst_timeout(self): + """ NAT44 session RST timeouts """ + self.nat44_add_address(self.nat_addr) + self.vapi.nat44_interface_add_del_feature(self.pg0.sw_if_index) + self.vapi.nat44_interface_add_del_feature(self.pg1.sw_if_index, + is_inside=0) + self.vapi.nat_set_timeouts(tcp_transitory=5) + + nat44_config = self.vapi.nat_show_config() + + self.initiate_tcp_session(self.pg0, self.pg1) + p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / + IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / + TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, + flags="R")) + self.pg0.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + self.pg1.get_capture(1) + + pkts_num = nat44_config.max_translations_per_user - 1 + pkts = [] + for i in range(0, pkts_num): + p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / + IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / + UDP(sport=1025 + i, dport=53)) + pkts.append(p) + self.pg0.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + self.pg1.get_capture(pkts_num) + + sleep(6) + + p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / + IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / + TCP(sport=self.tcp_port_in + 1, dport=self.tcp_external_port + 1, + flags="S")) + self.pg0.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + self.pg1.get_capture(1) + + nsessions = 0 + users = self.vapi.nat44_user_dump() + self.assertEqual(len(users), 1) + self.assertEqual(users[0].ip_address, self.pg0.remote_ip4n) + self.assertEqual(users[0].nsessions, + nat44_config.max_translations_per_user) + + @unittest.skipUnless(running_extended_tests(), "part of extended tests") def test_session_limit_per_user(self): """ Maximum sessions per user limit """ self.nat44_add_address(self.nat_addr) |