authorKlement Sekera <ksekera@cisco.com>2021-05-26 13:02:35 +0200
committerKlement Sekera <ksekera@cisco.com>2021-10-14 14:12:26 +0200
commitff334db797c9cede308367ef1c27bd8dfce0baf4 (patch)
tree1c3cf1db09b25f6a4f0c01a3ad369abe66a8bd1f /test/test_nat44_ed_output.py
parent4450b03ba2a69a9e8194c7054dac2c8c19d372cd (diff)
nat: static mappings in flow hash
Put static mappings in flow hash, drop existing hash tables used for static mappings. Drop refcount variables and use hash table as a single point of truth. Allow creating a static mapping conflicting with dynamic mapping, which will take precedence after dynamic mapping is freed, so that the existing flow can finish transferring data. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Idfde8efabc09971be38921d4b0ca5ccf4e9fe412
Diffstat (limited to 'test/test_nat44_ed_output.py')
-rw-r--r--test/test_nat44_ed_output.py229
1 files changed, 229 insertions, 0 deletions
diff --git a/test/test_nat44_ed_output.py b/test/test_nat44_ed_output.py
new file mode 100644
index 00000000000..ea5c14e7064
--- /dev/null
+++ b/test/test_nat44_ed_output.py
@@ -0,0 +1,229 @@
+#!/usr/bin/env python3
+"""NAT44 ED output-feature tests"""
+
+import random
+import unittest
+from scapy.layers.inet import ICMP, Ether, IP, TCP
+from scapy.packet import Raw
+from scapy.data import IP_PROTOS
+from framework import VppTestCase, VppTestRunner
+from vpp_papi import VppEnum
+
+
+def get_nat44_ed_in2out_worker_index(ip, vpp_worker_count):
+ if 0 == vpp_worker_count:
+ return 0
+ numeric = socket.inet_aton(ip)
+ numeric = struct.unpack("!L", numeric)[0]
+ numeric = socket.htonl(numeric)
+ h = numeric + (numeric >> 8) + (numeric >> 16) + (numeric >> 24)
+ return 1 + h % vpp_worker_count
+
+
+class TestNAT44EDOutput(VppTestCase):
+ """ NAT44 ED output feature Test Case """
+ max_sessions = 1024
+
+ @classmethod
+ def setUpClass(cls):
+ super().setUpClass()
+ cls.create_pg_interfaces(range(2))
+ cls.interfaces = list(cls.pg_interfaces)
+
+ @classmethod
+ def tearDownClass(cls):
+ super().tearDownClass()
+
+ def setUp(self):
+ super().setUp()
+ for i in self.interfaces:
+ i.admin_up()
+ i.config_ip4()
+ i.resolve_arp()
+ self.vapi.nat44_ed_plugin_enable_disable(sessions=self.max_sessions,
+ enable=1)
+
+ def tearDown(self):
+ if not self.vpp_dead:
+ self.logger.debug(self.vapi.cli("show nat44 sessions"))
+ super().tearDown()
+ if not self.vpp_dead:
+ for i in self.pg_interfaces:
+ i.unconfig_ip4()
+ i.admin_down()
+ self.vapi.nat44_ed_plugin_enable_disable(enable=0)
+
+ def test_static_dynamic(self):
+ """ Create static mapping which matches existing dynamic mapping """
+
+ old_timeouts = self.vapi.nat_get_timeouts()
+ new_transitory = 2
+ self.vapi.nat_set_timeouts(
+ udp=old_timeouts.udp,
+ tcp_established=old_timeouts.tcp_established,
+ icmp=old_timeouts.icmp,
+ tcp_transitory=new_transitory)
+
+ local_host = self.pg0.remote_ip4
+ remote_host = self.pg1.remote_ip4
+ nat_intf = self.pg1
+ outside_addr = nat_intf.local_ip4
+
+ self.vapi.nat44_add_del_address_range(first_ip_address=outside_addr,
+ last_ip_address=outside_addr,
+ vrf_id=0xffffffff,
+ is_add=1,
+ flags=0)
+ self.vapi.nat44_interface_add_del_feature(
+ sw_if_index=self.pg0.sw_if_index,
+ is_add=1)
+ self.vapi.nat44_interface_add_del_feature(
+ sw_if_index=self.pg0.sw_if_index,
+ flags=VppEnum.vl_api_nat_config_flags_t.NAT_IS_INSIDE, is_add=1)
+ self.vapi.nat44_interface_add_del_output_feature(
+ is_add=1,
+ sw_if_index=self.pg1.sw_if_index)
+
+ thread_index = get_nat44_ed_in2out_worker_index(
+ local_host, self.vpp_worker_count)
+ port_per_thread = int((0xffff-1024) / max(1, self.vpp_worker_count))
+ local_sport = 1024 + random.randint(1, port_per_thread)
+ if self.vpp_worker_count > 0:
+ local_sport += port_per_thread * (thread_index - 1)
+
+ remote_dport = 10000
+
+ pg0 = self.pg0
+ pg1 = self.pg1
+
+ # first setup a dynamic TCP session
+
+ # SYN packet in->out
+ p = (Ether(src=pg0.remote_mac, dst=pg0.local_mac) /
+ IP(src=local_host, dst=remote_host) /
+ TCP(sport=local_sport, dport=remote_dport, flags="S"))
+ p = self.send_and_expect(pg0, [p], pg1)[0]
+
+ self.assertEqual(p[IP].src, outside_addr)
+ self.assertEqual(p[TCP].sport, local_sport)
+ outside_port = p[TCP].sport
+
+ # SYN+ACK packet out->in
+ p = (Ether(src=pg1.remote_mac, dst=pg1.local_mac) /
+ IP(src=remote_host, dst=outside_addr) /
+ TCP(sport=remote_dport, dport=outside_port, flags="SA"))
+ self.send_and_expect(pg1, [p], pg0)
+
+ # ACK packet in->out
+ p = (Ether(src=pg0.remote_mac, dst=pg0.local_mac) /
+ IP(src=local_host, dst=remote_host) /
+ TCP(sport=local_sport, dport=remote_dport, flags="A"))
+ self.send_and_expect(pg0, [p], pg1)
+
+ # now we have a session up, create a conflicting static mapping
+ self.vapi.nat44_add_del_static_mapping(
+ is_add=1,
+ local_ip_address=local_host,
+ external_ip_address=outside_addr,
+ external_sw_if_index=0xffffffff,
+ local_port=local_sport,
+ external_port=outside_port,
+ protocol=IP_PROTOS.tcp,
+ flags=VppEnum.vl_api_nat_config_flags_t.NAT_IS_OUT2IN_ONLY)
+
+ sessions = self.vapi.nat44_user_session_dump(local_host, 0)
+ self.assertEqual(1, len(sessions))
+
+ # now send some more data over existing session - it should pass
+
+ # in->out
+ p = (Ether(src=pg0.remote_mac, dst=pg0.local_mac) /
+ IP(src=local_host, dst=remote_host) /
+ TCP(sport=local_sport, dport=remote_dport) /
+ Raw("zippity zap"))
+ self.send_and_expect(pg0, [p], pg1)
+
+ # out->in
+ p = (Ether(src=pg1.remote_mac, dst=pg1.local_mac) /
+ IP(src=remote_host, dst=outside_addr) /
+ TCP(sport=remote_dport, dport=outside_port) /
+ Raw("flippity flop"))
+ self.send_and_expect(pg1, [p], pg0)
+
+ # now close the session
+
+ # FIN packet in -> out
+ p = (Ether(src=pg0.remote_mac, dst=pg0.local_mac) /
+ IP(src=local_host, dst=remote_host) /
+ TCP(sport=local_sport, dport=remote_dport, flags="FA", seq=100,
+ ack=300))
+ self.send_and_expect(pg0, [p], pg1)
+
+ # FIN+ACK packet out -> in
+ p = (Ether(src=pg1.remote_mac, dst=pg1.local_mac) /
+ IP(src=remote_host, dst=outside_addr) /
+ TCP(sport=remote_dport, dport=outside_port, flags="FA", seq=300,
+ ack=101))
+ self.send_and_expect(pg1, [p], pg0)
+
+ # ACK packet in -> out
+ p = (Ether(src=pg0.remote_mac, dst=pg0.local_mac) /
+ IP(src=local_host, dst=remote_host) /
+ TCP(sport=local_sport, dport=remote_dport, flags="A", seq=101,
+ ack=301))
+ self.send_and_expect(pg0, [p], pg1)
+
+ # session now in transitory timeout
+ # try SYN packet in->out - should be dropped
+ p = (Ether(src=pg0.remote_mac, dst=pg0.local_mac) /
+ IP(src=local_host, dst=remote_host) /
+ TCP(sport=local_sport, dport=remote_dport, flags="S"))
+ pg0.add_stream(p)
+ self.pg_enable_capture()
+ self.pg_start()
+
+ self.sleep(new_transitory, "wait for transitory timeout")
+ pg0.assert_nothing_captured(0)
+
+ # session should still exist
+ sessions = self.vapi.nat44_user_session_dump(pg0.remote_ip4, 0)
+ self.assertEqual(1, len(sessions))
+
+ # send FIN+ACK packet in->out - will cause session to be wiped
+ # but won't create a new session
+ p = (Ether(src=pg0.remote_mac, dst=pg0.local_mac) /
+ IP(src=local_host, dst=remote_host) /
+ TCP(sport=local_sport, dport=remote_dport, flags="FA", seq=300,
+ ack=101))
+ pg1.add_stream(p)
+ self.pg_enable_capture()
+ self.pg_start()
+ pg0.assert_nothing_captured(0)
+
+ sessions = self.vapi.nat44_user_session_dump(pg0.remote_ip4, 0)
+ self.assertEqual(0, len(sessions))
+
+ # create a new session and make sure the outside port is remapped
+ # SYN packet in->out
+
+ p = (Ether(src=pg0.remote_mac, dst=pg0.local_mac) /
+ IP(src=local_host, dst=remote_host) /
+ TCP(sport=local_sport, dport=remote_dport, flags="S"))
+ p = self.send_and_expect(pg0, [p], pg1)[0]
+
+ self.assertEqual(p[IP].src, outside_addr)
+ self.assertNotEqual(p[TCP].sport, local_sport)
+
+ # make sure static mapping works and creates a new session
+ # SYN packet out->in
+ p = (Ether(src=pg1.remote_mac, dst=pg1.local_mac) /
+ IP(src=remote_host, dst=outside_addr) /
+ TCP(sport=remote_dport, dport=outside_port, flags="S"))
+ self.send_and_expect(pg1, [p], pg0)
+
+ sessions = self.vapi.nat44_user_session_dump(pg0.remote_ip4, 0)
+ self.assertEqual(2, len(sessions))
+
+
+if __name__ == '__main__':
+ unittest.main(testRunner=VppTestRunner)
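Review bot: `get_nat44_ed_in2out_worker_index` calls `socket.inet_aton`, `struct.unpack` and `socket.htonl`, but the import block at the top of the new file only brings in `random`, `unittest`, the scapy layers, `framework` and `vpp_papi`, so the first call with `vpp_worker_count > 0` raises `NameError`; the `0 == vpp_worker_count` early return hides this in single-worker runs. Add `import socket` and `import struct` next to `import random`. The helper also has no docstring; a one-liner such as `"""Return the worker index the NAT44 ED in2out path selects for *ip*; 0 when VPP runs without workers."""` would tell a reader why the test offsets `local_sport` by thread. Separately, the "send FIN+ACK packet in->out" step builds the packet with pg0 MACs and `src=local_host` but injects it via `pg1.add_stream(p)` and only asserts that pg0 captured nothing — if pg0 was the intended ingress this looks like a typo, and either way a matching `pg1.assert_nothing_captured(0)` would make the "won't create a new session" claim observable.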
n> rv; clib_memset (&args, 0, sizeof (af_xdp_create_if_args_t)); args.linux_ifname = mp->host_if[0] ? (char *) mp->host_if : 0; args.name = mp->name[0] ? (char *) mp->name : 0; args.prog = mp->prog[0] ? (char *) mp->prog : 0; args.mode = af_xdp_api_mode (mp->mode); args.flags = af_xdp_api_flags (mp->flags); args.rxq_size = ntohs (mp->rxq_size); args.txq_size = ntohs (mp->txq_size); args.rxq_num = ntohs (mp->rxq_num); af_xdp_create_if (vm, &args); rv = args.rv; REPLY_MACRO2 (VL_API_AF_XDP_CREATE_REPLY, ({ rmp->sw_if_index = ntohl (args.sw_if_index); })); } static void vl_api_af_xdp_create_v2_t_handler (vl_api_af_xdp_create_v2_t *mp) { vlib_main_t *vm = vlib_get_main (); af_xdp_main_t *rm = &af_xdp_main; vl_api_af_xdp_create_v2_reply_t *rmp; af_xdp_create_if_args_t args; int rv; clib_memset (&args, 0, sizeof (af_xdp_create_if_args_t)); args.linux_ifname = mp->host_if[0] ? (char *) mp->host_if : 0; args.name = mp->name[0] ? (char *) mp->name : 0; args.prog = mp->prog[0] ? (char *) mp->prog : 0; args.netns = mp->namespace[0] ? 
(char *) mp->namespace : 0; args.mode = af_xdp_api_mode (mp->mode); args.flags = af_xdp_api_flags (mp->flags); args.rxq_size = ntohs (mp->rxq_size); args.txq_size = ntohs (mp->txq_size); args.rxq_num = ntohs (mp->rxq_num); af_xdp_create_if (vm, &args); rv = args.rv; /* clang-format off */ REPLY_MACRO2 (VL_API_AF_XDP_CREATE_V2_REPLY, ({ rmp->sw_if_index = ntohl (args.sw_if_index); })); /* clang-format on */ } static void vl_api_af_xdp_delete_t_handler (vl_api_af_xdp_delete_t * mp) { vlib_main_t *vm = vlib_get_main (); vnet_main_t *vnm = vnet_get_main (); af_xdp_main_t *rm = &af_xdp_main; vl_api_af_xdp_delete_reply_t *rmp; af_xdp_device_t *rd; vnet_hw_interface_t *hw; int rv = 0; hw = vnet_get_sup_hw_interface_api_visible_or_null (vnm, htonl (mp->sw_if_index)); if (hw == NULL || af_xdp_device_class.index != hw->dev_class_index) { rv = VNET_API_ERROR_INVALID_INTERFACE; goto reply; } rd = pool_elt_at_index (rm->devices, hw->dev_instance); af_xdp_delete_if (vm, rd); reply: REPLY_MACRO (VL_API_AF_XDP_DELETE_REPLY); } /* set tup the API message handling tables */ #include <af_xdp/af_xdp.api.c> static clib_error_t * af_xdp_plugin_api_hookup (vlib_main_t * vm) { af_xdp_main_t *rm = &af_xdp_main; /* ask for a correctly-sized block of API message decode slots */ rm->msg_id_base = setup_message_id_table (); return 0; } VLIB_API_INIT_FUNCTION (af_xdp_plugin_api_hookup); /* * fd.io coding-style-patch-verification: ON * * Local Variables: * eval: (c-set-style "gnu") * End: */