diff options
| author |   Matus Fabian <matfabia@cisco.com> | 2018-09-13 02:36:25 -0700 |
|---|---|---|
| committer | Matus Fabian <matfabia@cisco.com> | 2018-09-13 02:36:25 -0700 |
| commit | bb4e022502dd7f76d4f1cd705a7bac628d8c098c (patch) | |
| tree | e8b5f13cbea161f66aad347fc7175edabd337f72 /test | |
| parent | c2b4dbe48a01e746bfa89c4208d6e6b686270ac0 (diff) | |
NAT: TCP MSS clamping
NAT plugin changes the MSS value in TCP SYN packets to avoid fragmentation.
If the negotiated MSS value is greater than the configured value it is changed
to the configured value. If the negotiated MSS value is smaller than the
configured value it remains unchanged.
Change-Id: Ic3c4f94a2f1b76e2bf79f50f3ad36a4097f3f188
Signed-off-by: Matus Fabian <matfabia@cisco.com>
Diffstat (limited to 'test')
| -rw-r--r-- | test/test_nat.py | 52 | ||||
| -rw-r--r-- | test/vpp_papi_provider.py | 14 |
2 files changed, 66 insertions, 0 deletions
diff --git a/test/test_nat.py b/test/test_nat.py index 5baadd89863..a705bd98fc0 100644 --- a/test/test_nat.py +++ b/test/test_nat.py @@ -139,6 +139,7 @@ class MethodHolder(VppTestCase): self.verify_no_nat44_user() self.vapi.nat_set_timeouts() self.vapi.nat_set_addr_and_port_alloc_alg() + self.vapi.nat_set_mss_clamping() def nat44_add_static_mapping(self, local_ip, external_ip='0.0.0.0', local_port=0, external_port=0, vrf_id=0, @@ -1002,6 +1003,21 @@ class MethodHolder(VppTestCase): # sourceIPv4Address self.assertEqual(src_addr, record[8]) + def verify_mss_value(self, pkt, mss): + """ + Verify TCP MSS value + + :param pkt: + :param mss: + """ + if not pkt.haslayer(IP) or not pkt.haslayer(TCP): + raise TypeError("Not a TCP/IP packet") + + for option in pkt[TCP].options: + if option[0] == 'MSS': + self.assertEqual(option[1], mss) + self.assert_tcp_checksum_valid(pkt) + class TestNAT44(MethodHolder): """ NAT44 Test Cases """ @@ -3295,6 +3311,42 @@ class TestNAT44(MethodHolder): nsessions = nsessions + user.nsessions self.assertLess(nsessions, 2 * max_sessions) + def test_mss_clamping(self): + """ TCP MSS clamping """ + self.nat44_add_address(self.nat_addr) + self.vapi.nat44_interface_add_del_feature(self.pg0.sw_if_index) + self.vapi.nat44_interface_add_del_feature(self.pg1.sw_if_index, + is_inside=0) + + p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / + IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / + TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, + flags="S", options=[('MSS', 1400)])) + + self.vapi.nat_set_mss_clamping(enable=1, mss_value=1000) + self.pg0.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg1.get_capture(1) + # Negotiated MSS value greater than configured - changed + self.verify_mss_value(capture[0], 1000) + + self.vapi.nat_set_mss_clamping(enable=0) + self.pg0.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg1.get_capture(1) + # MSS clamping disabled - negotiated MSS unchanged + self.verify_mss_value(capture[0], 1400) + + self.vapi.nat_set_mss_clamping(enable=1, mss_value=1500) + self.pg0.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg1.get_capture(1) + # Negotiated MSS value smaller than configured - unchanged + self.verify_mss_value(capture[0], 1400) + def tearDown(self): super(TestNAT44, self).tearDown() if not self.vpp_dead: diff --git a/test/vpp_papi_provider.py b/test/vpp_papi_provider.py index 13d0d933ea1..61d80b21fb5 100644 --- a/test/vpp_papi_provider.py +++ b/test/vpp_papi_provider.py @@ -1827,6 +1827,20 @@ class VppPapiProvider(object): """Get address and port assignment algorithm""" return self.api(self.papi.nat_get_addr_and_port_alloc_alg, {}) + def nat_set_mss_clamping(self, enable=0, mss_value=1500): + """Set TCP MSS rewriting configuration + + :param enable: disable(0)/enable(1) MSS rewriting feature + :param mss_value: MSS value to be used for MSS rewriting + """ + return self.api( + self.papi.nat_set_mss_clamping, + {'enable': enable, 'mss_value': mss_value}) + + def nat_get_mss_clamping(self): + """Get TCP MSS rewriting configuration""" + return self.api(self.papi.nat_get_mss_clamping, {}) + def nat_det_close_session_out( self, out_addr, |