aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--src/plugins/nat/nat.c9
-rw-r--r--src/plugins/nat/test/test_nat44_ed.py3532
-rw-r--r--src/plugins/nat/test/test_nat44_ei.py (renamed from src/plugins/nat/test/test_nat44.py)3719
3 files changed, 3662 insertions, 3598 deletions
diff --git a/src/plugins/nat/nat.c b/src/plugins/nat/nat.c
index e02a11a604f..eeaa443bfe4 100644
--- a/src/plugins/nat/nat.c
+++ b/src/plugins/nat/nat.c
@@ -4388,16 +4388,13 @@ nat44_sessions_clear ()
/* *INDENT-OFF* */
vec_foreach (tsm, sm->per_thread_data)
{
- u32 ti;
-
nat44_db_free (tsm);
nat44_db_init (tsm);
-
- ti = tsm->snat_thread_index;
- vlib_set_simple_counter (&sm->total_users, ti, 0, 0);
- vlib_set_simple_counter (&sm->total_sessions, ti, 0, 0);
}
/* *INDENT-ON* */
+
+ vlib_zero_simple_counter (&sm->total_users, 0);
+ vlib_zero_simple_counter (&sm->total_sessions, 0);
}
static void
diff --git a/src/plugins/nat/test/test_nat44_ed.py b/src/plugins/nat/test/test_nat44_ed.py
new file mode 100644
index 00000000000..0f4a7371048
--- /dev/null
+++ b/src/plugins/nat/test/test_nat44_ed.py
@@ -0,0 +1,3532 @@
+#!/usr/bin/env python3
+
+import unittest
+from io import BytesIO
+from random import randint
+
+import scapy.compat
+from framework import VppTestCase, VppTestRunner
+from scapy.data import IP_PROTOS
+from scapy.layers.inet import IP, TCP, UDP, ICMP, GRE
+from scapy.layers.inet import IPerror, TCPerror
+from scapy.layers.l2 import Ether
+from scapy.packet import Raw
+from syslog_rfc5424_parser import SyslogMessage, ParseError
+from syslog_rfc5424_parser.constants import SyslogSeverity
+from util import ppp, ip4_range
+from vpp_acl import AclRule, VppAcl, VppAclInterface
+from vpp_ip_route import VppIpRoute, VppRoutePath
+from vpp_papi import VppEnum
+
+
+class NAT44EDTestCase(VppTestCase):
+
+ nat_addr = '10.0.0.3'
+
+ tcp_port_in = 6303
+ tcp_port_out = 6303
+
+ udp_port_in = 6304
+ udp_port_out = 6304
+
+ icmp_id_in = 6305
+ icmp_id_out = 6305
+
+ tcp_external_port = 80
+
+ max_sessions = 100
+
+ def setUp(self):
+ super(NAT44EDTestCase, self).setUp()
+ self.plugin_enable()
+
+ def tearDown(self):
+ super(NAT44EDTestCase, self).tearDown()
+ if not self.vpp_dead:
+ self.plugin_disable()
+
+ def plugin_enable(self):
+ self.vapi.nat44_plugin_enable_disable(
+ flags=self.nat44_config_flags.NAT44_IS_ENDPOINT_DEPENDENT,
+ sessions=self.max_sessions, enable=1)
+
+ def plugin_disable(self):
+ self.vapi.nat44_plugin_enable_disable(enable=0)
+
+ @property
+ def config_flags(self):
+ return VppEnum.vl_api_nat_config_flags_t
+
+ @property
+ def nat44_config_flags(self):
+ return VppEnum.vl_api_nat44_config_flags_t
+
+ @property
+ def syslog_severity(self):
+ return VppEnum.vl_api_syslog_severity_t
+
+ @property
+ def server_addr(self):
+ return self.pg1.remote_hosts[0].ip4
+
+ @staticmethod
+ def random_port():
+ return randint(1025, 65535)
+
+ @staticmethod
+ def proto2layer(proto):
+ if proto == IP_PROTOS.tcp:
+ return TCP
+ elif proto == IP_PROTOS.udp:
+ return UDP
+ elif proto == IP_PROTOS.icmp:
+ return ICMP
+ else:
+ raise Exception("Unsupported protocol")
+
+ @classmethod
+ def create_and_add_ip4_table(cls, i, table_id=0):
+ cls.vapi.ip_table_add_del(is_add=1, table={'table_id': table_id})
+ i.set_table_ip4(table_id)
+
+ @classmethod
+ def configure_ip4_interface(cls, i, hosts=0, table_id=None):
+ if table_id:
+ cls.create_and_add_ip4_table(i, table_id)
+
+ i.admin_up()
+ i.unconfig_ip4()
+ i.config_ip4()
+ i.resolve_arp()
+
+ if hosts:
+ i.generate_remote_hosts(hosts)
+ i.configure_ipv4_neighbors()
+
+ @classmethod
+ def nat_add_interface_address(cls, i):
+ cls.vapi.nat44_add_del_interface_addr(
+ sw_if_index=i.sw_if_index, is_add=1)
+
+ def nat_add_inside_interface(self, i):
+ self.vapi.nat44_interface_add_del_feature(
+ flags=self.config_flags.NAT_IS_INSIDE,
+ sw_if_index=i.sw_if_index, is_add=1)
+
+ def nat_add_outside_interface(self, i):
+ self.vapi.nat44_interface_add_del_feature(
+ flags=self.config_flags.NAT_IS_OUTSIDE,
+ sw_if_index=i.sw_if_index, is_add=1)
+
+ def nat_add_address(self, address, twice_nat=0,
+ vrf_id=0xFFFFFFFF, is_add=1):
+ flags = self.config_flags.NAT_IS_TWICE_NAT if twice_nat else 0
+ self.vapi.nat44_add_del_address_range(first_ip_address=address,
+ last_ip_address=address,
+ vrf_id=vrf_id,
+ is_add=is_add,
+ flags=flags)
+
+ def nat_add_static_mapping(self, local_ip, external_ip='0.0.0.0',
+ local_port=0, external_port=0, vrf_id=0,
+ is_add=1, external_sw_if_index=0xFFFFFFFF,
+ proto=0, tag="", flags=0):
+
+ if not (local_port and external_port):
+ flags |= self.config_flags.NAT_IS_ADDR_ONLY
+
+ self.vapi.nat44_add_del_static_mapping(
+ is_add=is_add,
+ local_ip_address=local_ip,
+ external_ip_address=external_ip,
+ external_sw_if_index=external_sw_if_index,
+ local_port=local_port,
+ external_port=external_port,
+ vrf_id=vrf_id, protocol=proto,
+ flags=flags,
+ tag=tag)
+
+ @classmethod
+ def setUpClass(cls):
+ super(NAT44EDTestCase, cls).setUpClass()
+ cls.vapi.cli("set log class nat level debug")
+
+ cls.create_pg_interfaces(range(12))
+ cls.interfaces = list(cls.pg_interfaces[:4])
+
+ cls.create_and_add_ip4_table(cls.pg2, 10)
+
+ for i in cls.interfaces:
+ cls.configure_ip4_interface(i, hosts=3)
+
+ # test specific (test-multiple-vrf)
+ cls.vapi.ip_table_add_del(is_add=1, table={'table_id': 1})
+
+ # test specific (test-one-armed-nat44-static)
+ cls.pg4.generate_remote_hosts(2) @media only all and (prefers-color-scheme: dark) { .highlight .hll { background-color: #49483e } .highlight .c { color: #75715e } /* Comment */ .highlight .err { color: #960050; background-color: #1e0010 } /* Error */ .highlight .k { color: #66d9ef } /* Keyword */ .highlight .l { color: #ae81ff } /* Literal */ .highlight .n { color: #f8f8f2 } /* Name */ .highlight .o { color: #f92672 } /* Operator */ .highlight .p { color: #f8f8f2 } /* Punctuation */ .highlight .ch { color: #75715e } /* Comment.Hashbang */ .highlight .cm { color: #75715e } /* Comment.Multiline */ .highlight .cp { color: #75715e } /* Comment.Preproc */ .highlight .cpf { color: #75715e } /* Comment.PreprocFile */ .highlight .c1 { color: #75715e } /* Comment.Single */ .highlight .cs { color: #75715e } /* Comment.Special */ .highlight .gd { color: #f92672 } /* Generic.Deleted */ .highlight .ge { font-style: italic } /* Generic.Emph */ .highlight .gi { color: #a6e22e } /* Generic.Inserted */ .highlight .gs { font-weight: bold } /* Generic.Strong */ .highlight .gu { color: #75715e } /* Generic.Subheading */ .highlight .kc { color: #66d9ef } /* Keyword.Constant */ .highlight .kd { color: #66d9ef } /* Keyword.Declaration */ .highlight .kn { color: #f92672 } /* Keyword.Namespace */ .highlight .kp { color: #66d9ef } /* Keyword.Pseudo */ .highlight .kr { color: #66d9ef } /* Keyword.Reserved */ .highlight .kt { color: #66d9ef } /* Keyword.Type */ .highlight .ld { color: #e6db74 } /* Literal.Date */ .highlight .m { color: #ae81ff } /* Literal.Number */ .highlight .s { color: #e6db74 } /* Literal.String */ .highlight .na { color: #a6e22e } /* Name.Attribute */ .highlight .nb { color: #f8f8f2 } /* Name.Builtin */ .highlight .nc { color: #a6e22e } /* Name.Class */ .highlight .no { color: #66d9ef } /* Name.Constant */ .highlight .nd { color: #a6e22e } /* Name.Decorator */ .highlight .ni { color: #f8f8f2 } /* Name.Entity */ .highlight .ne { color: #a6e22e } /* Name.Exception */ .highlight .nf { color: #a6e22e } /* Name.Function */ .highlight .nl { color: #f8f8f2 } /* Name.Label */ .highlight .nn { color: #f8f8f2 } /* Name.Namespace */ .highlight .nx { color: #a6e22e } /* Name.Other */ .highlight .py { color: #f8f8f2 } /* Name.Property */ .highlight .nt { color: #f92672 } /* Name.Tag */ .highlight .nv { color: #f8f8f2 } /* Name.Variable */ .highlight .ow { color: #f92672 } /* Operator.Word */ .highlight .w { color: #f8f8f2 } /* Text.Whitespace */ .highlight .mb { color: #ae81ff } /* Literal.Number.Bin */ .highlight .mf { color: #ae81ff } /* Literal.Number.Float */ .highlight .mh { color: #ae81ff } /* Literal.Number.Hex */ .highlight .mi { color: #ae81ff } /* Literal.Number.Integer */ .highlight .mo { color: #ae81ff } /* Literal.Number.Oct */ .highlight .sa { color: #e6db74 } /* Literal.String.Affix */ .highlight .sb { color: #e6db74 } /* Literal.String.Backtick */ .highlight .sc { color: #e6db74 } /* Literal.String.Char */ .highlight .dl { color: #e6db74 } /* Literal.String.Delimiter */ .highlight .sd { color: #e6db74 } /* Literal.String.Doc */ .highlight .s2 { color: #e6db74 } /* Literal.String.Double */ .highlight .se { color: #ae81ff } /* Literal.String.Escape */ .highlight .sh { color: #e6db74 } /* Literal.String.Heredoc */ .highlight .si { color: #e6db74 } /* Literal.String.Interpol */ .highlight .sx { color: #e6db74 } /* Literal.String.Other */ .highlight .sr { color: #e6db74 } /* Literal.String.Regex */ .highlight .s1 { color: #e6db74 } /* Literal.String.Single */ .highlight .ss { color: #e6db74 } /* Literal.String.Symbol */ .highlight .bp { color: #f8f8f2 } /* Name.Builtin.Pseudo */ .highlight .fm { color: #a6e22e } /* Name.Function.Magic */ .highlight .vc { color: #f8f8f2 } /* Name.Variable.Class */ .highlight .vg { color: #f8f8f2 } /* Name.Variable.Global */ .highlight .vi { color: #f8f8f2 } /* Name.Variable.Instance */ .highlight .vm { color: #f8f8f2 } /* Name.Variable.Magic */ .highlight .il { color: #ae81ff } /* Literal.Number.Integer.Long */ } @media (prefers-color-scheme: light) { .highlight .hll { background-color: #ffffcc } .highlight .c { color: #888888 } /* Comment */ .highlight .err { color: #a61717; background-color: #e3d2d2 } /* Error */ .highlight .k { color: #008800; font-weight: bold } /* Keyword */ .highlight .ch { color: #888888 } /* Comment.Hashbang */ .highlight .cm { color: #888888 } /* Comment.Multiline */ .highlight .cp { color: #cc0000; font-weight: bold } /* Comment.Preproc */ .highlight .cpf { color: #888888 } /* Comment.PreprocFile */ .highlight .c1 { color: #888888 } /* Comment.Single */ .highlight .cs { color: #cc0000; font-weight: bold; background-color: #fff0f0 } /* Comment.Special */ .highlight .gd { color: #000000; background-color: #ffdddd } /* Generic.Deleted */ .highlight .ge { font-style: italic } /* Generic.Emph */ .highlight .gr { color: #aa0000 } /* Generic.Error */ .highlight .gh { color: #333333 } /* Generic.Heading */ .highlight .gi { color: #000000; background-color: #ddffdd } /* Generic.Inserted */ .highlight .go { color: #888888 } /* Generic.Output */ .highlight .gp { color: #555555 } /* Generic.Prompt */ .highlight .gs { font-weight: bold } /* Generic.Strong */ .highlight .gu { color: #666666 } /* Generic.Subheading */ .highlight .gt { color: #aa0000 } /* Generic.Traceback */ .highlight .kc { color: #008800; font-weight: bold } /* Keyword.Constant */ .highlight .kd { color: #008800; font-weight: bold } /* Keyword.Declaration */ .highlight .kn { color: #008800; font-weight: bold } /* Keyword.Namespace */ .highlight .kp { color: #008800 } /* Keyword.Pseudo */ .highlight .kr { color: #008800; font-weight: bold } /* Keyword.Reserved */ .highlight .kt { color: #888888; font-weight: bold } /* Keyword.Type */ .highlight .m { color: #0000DD; font-weight: bold } /* Literal.Number */ .highlight .s { color: #dd2200; background-color: #fff0f0 } /* Literal.String */ .highlight .na { color: #336699 } /* Name.Attribute */ .highlight .nb { color: #003388 } /* Name.Builtin */ .highlight .nc { color: #bb0066; font-weight: bold } /* Name.Class */ .highlight .no { color: #003366; font-weight: bold } /* Name.Constant */ .highlight .nd { color: #555555 } /* Name.Decorator */ .highlight .ne { color: #bb0066; font-weight: bold } /* Name.Exception */ .highlight .nf { color: #0066bb; font-weight: bold } /* Name.Function */ .highlight .nl { color: #336699; font-style: italic } /* Name.Label */ .highlight .nn { color: #bb0066; font-weight: bold } /* Name.Namespace */ .highlight .py { color: #336699; font-weight: bold } /* Name.Property */ .highlight .nt { color: #bb0066; font-weight: bold } /* Name.Tag */ .highlight .nv { color: #336699 } /* Name.Variable */ .highlight .ow { color: #008800 } /* Operator.Word */ .highlight .w { color: #bbbbbb } /* Text.Whitespace */ .highlight .mb { color: #0000DD; font-weight: bold } /* Literal.Number.Bin */ .highlight .mf { color: #0000DD; font-weight: bold } /* Literal.Number.Float */ .highlight .mh { color: #0000DD; font-weight: bold } /* Literal.Number.Hex */ .highlight .mi { color: #0000DD; font-weight: bold } /* Literal.Number.Integer */ .highlight .mo { color: #0000DD; font-weight: bold } /* Literal.Number.Oct */ .highlight .sa { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Affix */ .highlight .sb { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Backtick */ .highlight .sc { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Char */ .highlight .dl { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Delimiter */ .highlight .sd { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Doc */ .highlight .s2 { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Double */ .highlight .se { color: #0044dd; background-color: #fff0f0 } /* Literal.String.Escape */ .highlight .sh { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Heredoc */ .highlight .si { color: #3333bb; background-color: #fff0f0 } /* Literal.String.Interpol */ .highlight .sx { color: #22bb22; background-color: #f0fff0 } /* Literal.String.Other */ .highlight .sr { color: #008800; background-color: #fff0ff } /* Literal.String.Regex */ .highlight .s1 { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Single */ .highlight .ss { color: #aa6600; background-color: #fff0f0 } /* Literal.String.Symbol */ .highlight .bp { color: #003388 } /* Name.Builtin.Pseudo */ .highlight .fm { color: #0066bb; font-weight: bold } /* Name.Function.Magic */ .highlight .vc { color: #336699 } /* Name.Variable.Class */ .highlight .vg { color: #dd7700 } /* Name.Variable.Global */ .highlight .vi { color: #3333bb } /* Name.Variable.Instance */ .highlight .vm { color: #336699 } /* Name.Variable.Magic */ .highlight .il { color: #0000DD; font-weight: bold } /* Literal.Number.Integer.Long */lass='add'>+ if proto != IP_PROTOS.icmp:
+ sport = 20
+ dport = p[layer].sport
+ else:
+ sport = p[layer].id
+ dport = 0
+ pkts = self.create_stream_frag(self.pg1, dst_addr, sport, dport,
+ data, proto, echo_reply=True)
+ pkts.reverse()
+ self.pg1.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ frags = self.pg0.get_capture(len(pkts))
+ p = self.reass_frags_and_verify(frags,
+ self.pg1.remote_ip4,
+ self.pg0.remote_ip4)
+ if proto != IP_PROTOS.icmp:
+ self.assertEqual(p[layer].sport, 20)
+ self.assertEqual(p[layer].dport, self.port_in)
+ else:
+ self.assertEqual(p[layer].id, self.port_in)
+ self.assertEqual(data, p[Raw].load)
+
+ def reass_frags_and_verify(self, frags, src, dst):
+ buffer = BytesIO()
+ for p in frags:
+ self.assertEqual(p[IP].src, src)
+ self.assertEqual(p[IP].dst, dst)
+ self.assert_ip_checksum_valid(p)
+ buffer.seek(p[IP].frag * 8)
+ buffer.write(bytes(p[IP].payload))
+ ip = IP(src=frags[0][IP].src, dst=frags[0][IP].dst,
+ proto=frags[0][IP].proto)
+ if ip.proto == IP_PROTOS.tcp:
+ p = (ip / TCP(buffer.getvalue()))
+ self.logger.debug(ppp("Reassembled:", p))
+ self.assert_tcp_checksum_valid(p)
+ elif ip.proto == IP_PROTOS.udp:
+ p = (ip / UDP(buffer.getvalue()[:8]) /
+ Raw(buffer.getvalue()[8:]))
+ elif ip.proto == IP_PROTOS.icmp:
+ p = (ip / ICMP(buffer.getvalue()))
+ return p
+
+ def frag_in_order(self, proto=IP_PROTOS.tcp, dont_translate=False,
+ ignore_port=False):
+ layer = self.proto2layer(proto)
+
+ if proto == IP_PROTOS.tcp:
+ data = b"A" * 4 + b"B" * 16 + b"C" * 3
+ else:
+ data = b"A" * 16 + b"B" * 16 + b"C" * 3
+ self.port_in = self.random_port()
+
+ # in2out
+ pkts = self.create_stream_frag(self.pg0, self.pg1.remote_ip4,
+ self.port_in, 20, data, proto)
+ self.pg0.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ frags = self.pg1.get_capture(len(pkts))
+ if not dont_translate:
+ p = self.reass_frags_and_verify(frags,
+ self.nat_addr,
+ self.pg1.remote_ip4)
+ else:
+ p = self.reass_frags_and_verify(frags,
+ self.pg0.remote_ip4,
+ self.pg1.remote_ip4)
+ if proto != IP_PROTOS.icmp:
+ if not dont_translate:
+ self.assertEqual(p[layer].dport, 20)
+ if not ignore_port:
+ self.assertNotEqual(p[layer].sport, self.port_in)
+ else:
+ self.assertEqual(p[layer].sport, self.port_in)
+ else:
+ if not ignore_port:
+ if not dont_translate:
+ self.assertNotEqual(p[layer].id, self.port_in)
+ else:
+ self.assertEqual(p[layer].id, self.port_in)
+ self.assertEqual(data, p[Raw].load)
+
+ # out2in
+ if not dont_translate:
+ dst_addr = self.nat_addr
+ else:
+ dst_addr = self.pg0.remote_ip4
+ if proto != IP_PROTOS.icmp:
+ sport = 20
+ dport = p[layer].sport
+ else:
+ sport = p[layer].id
+ dport = 0
+ pkts = self.create_stream_frag(self.pg1, dst_addr, sport, dport, data,
+ proto, echo_reply=True)
+ self.pg1.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ frags = self.pg0.get_capture(len(pkts))
+ p = self.reass_frags_and_verify(frags,
+ self.pg1.remote_ip4,
+ self.pg0.remote_ip4)
+ if proto != IP_PROTOS.icmp:
+ self.assertEqual(p[layer].sport, 20)
+ self.assertEqual(p[layer].dport, self.port_in)
+ else:
+ self.assertEqual(p[layer].id, self.port_in)
+ self.assertEqual(data, p[Raw].load)
+
+ def verify_capture_out(self, capture, nat_ip=None, same_port=False,
+ dst_ip=None, ignore_port=False):
+ if nat_ip is None:
+ nat_ip = self.nat_addr
+ for packet in capture:
+ try:
+ self.assert_packet_checksums_valid(packet)
+ self.assertEqual(packet[IP].src, nat_ip)
+ if dst_ip is not None:
+ self.assertEqual(packet[IP].dst, dst_ip)
+ if packet.haslayer(TCP):
+ if not ignore_port:
+ if same_port:
+ self.assertEqual(
+ packet[TCP].sport, self.tcp_port_in)
+ else:
+ self.assertNotEqual(
+ packet[TCP].sport, self.tcp_port_in)
+ self.tcp_port_out = packet[TCP].sport
+ self.assert_packet_checksums_valid(packet)
+ elif packet.haslayer(UDP):
+ if not ignore_port:
+ if same_port:
+ self.assertEqual(
+ packet[UDP].sport, self.udp_port_in)
+ else:
+ self.assertNotEqual(
+ packet[UDP].sport, self.udp_port_in)
+ self.udp_port_out = packet[UDP].sport
+ else:
+ if not ignore_port:
+ if same_port:
+ self.assertEqual(
+ packet[ICMP].id, self.icmp_id_in)
+ else:
+ self.assertNotEqual(
+ packet[ICMP].id, self.icmp_id_in)
+ self.icmp_id_out = packet[ICMP].id
+ self.assert_packet_checksums_valid(packet)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet "
+ "(outside network):", packet))
+ raise
+
+ def verify_capture_in(self, capture, in_if):
+ for packet in capture:
+ try:
+ self.assert_packet_checksums_valid(packet)
+ self.assertEqual(packet[IP].dst, in_if.remote_ip4)
+ if packet.haslayer(TCP):
+ self.assertEqual(packet[TCP].dport, self.tcp_port_in)
+ elif packet.haslayer(UDP):
+ self.assertEqual(packet[UDP].dport, self.udp_port_in)
+ else:
+ self.assertEqual(packet[ICMP].id, self.icmp_id_in)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet "
+ "(inside network):", packet))
+ raise
+
+ def create_stream_in(self, in_if, out_if, dst_ip=None, ttl=64):
+ if dst_ip is None:
+ dst_ip = out_if.remote_ip4
+
+ pkts = []
+ # TCP
+ p = (Ether(dst=in_if.local_mac, src=in_if.remote_mac) /
+ IP(src=in_if.remote_ip4, dst=dst_ip, ttl=ttl) /
+ TCP(sport=self.tcp_port_in, dport=20))
+ pkts.extend([p, p])
+
+ # UDP
+ p = (Ether(dst=in_if.local_mac, src=in_if.remote_mac) /
+ IP(src=in_if.remote_ip4, dst=dst_ip, ttl=ttl) /
+ UDP(sport=self.udp_port_in, dport=20))
+ pkts.append(p)
+
+ # ICMP
+ p = (Ether(dst=in_if.local_mac, src=in_if.remote_mac) /
+ IP(src=in_if.remote_ip4, dst=dst_ip, ttl=ttl) /
+ ICMP(id=self.icmp_id_in, type='echo-request'))
+ pkts.append(p)
+
+ return pkts
+
+ def create_stream_out(self, out_if, dst_ip=None, ttl=64,
+ use_inside_ports=False):
+ if dst_ip is None:
+ dst_ip = self.nat_addr
+ if not use_inside_ports:
+ tcp_port = self.tcp_port_out
+ udp_port = self.udp_port_out
+ icmp_id = self.icmp_id_out
+ else:
+ tcp_port = self.tcp_port_in
+ udp_port = self.udp_port_in
+ icmp_id = self.icmp_id_in
+ pkts = []
+ # TCP
+ p = (Ether(dst=out_if.local_mac, src=out_if.remote_mac) /
+ IP(src=out_if.remote_ip4, dst=dst_ip, ttl=ttl) /
+ TCP(dport=tcp_port, sport=20))
+ pkts.extend([p, p])
+
+ # UDP
+ p = (Ether(dst=out_if.local_mac, src=out_if.remote_mac) /
+ IP(src=out_if.remote_ip4, dst=dst_ip, ttl=ttl) /
+ UDP(dport=udp_port, sport=20))
+ pkts.append(p)
+
+ # ICMP
+ p = (Ether(dst=out_if.local_mac, src=out_if.remote_mac) /
+ IP(src=out_if.remote_ip4, dst=dst_ip, ttl=ttl) /
+ ICMP(id=icmp_id, type='echo-reply'))
+ pkts.append(p)
+
+ return pkts
+
+ def create_tcp_stream(self, in_if, out_if, count):
+ pkts = []
+ port = 6303
+
+ for i in range(count):
+ p = (Ether(dst=in_if.local_mac, src=in_if.remote_mac) /
+ IP(src=in_if.remote_ip4, dst=out_if.remote_ip4, ttl=64) /
+ TCP(sport=port + i, dport=20))
+ pkts.append(p)
+
+ return pkts
+
+ def create_stream_frag(self, src_if, dst, sport, dport, data,
+ proto=IP_PROTOS.tcp, echo_reply=False):
+ if proto == IP_PROTOS.tcp:
+ p = (IP(src=src_if.remote_ip4, dst=dst) /
+ TCP(sport=sport, dport=dport) /
+ Raw(data))
+ p = p.__class__(scapy.compat.raw(p))
+ chksum = p[TCP].chksum
+ proto_header = TCP(sport=sport, dport=dport, chksum=chksum)
+ elif proto == IP_PROTOS.udp:
+ proto_header = UDP(sport=sport, dport=dport)
+ elif proto == IP_PROTOS.icmp:
+ if not echo_reply:
+ proto_header = ICMP(id=sport, type='echo-request')
+ else:
+ proto_header = ICMP(id=sport, type='echo-reply')
+ else:
+ raise Exception("Unsupported protocol")
+ id = self.random_port()
+ pkts = []
+ if proto == IP_PROTOS.tcp:
+ raw = Raw(data[0:4])
+ else:
+ raw = Raw(data[0:16])
+ p = (Ether(src=src_if.remote_mac, dst=src_if.local_mac) /
+ IP(src=src_if.remote_ip4, dst=dst, flags="MF", frag=0, id=id) /
+ proto_header /
+ raw)
+ pkts.append(p)
+ if proto == IP_PROTOS.tcp:
+ raw = Raw(data[4:20])
+ else:
+ raw = Raw(data[16:32])
+ p = (Ether(src=src_if.remote_mac, dst=src_if.local_mac) /
+ IP(src=src_if.remote_ip4, dst=dst, flags="MF", frag=3, id=id,
+ proto=proto) /
+ raw)
+ pkts.append(p)
+ if proto == IP_PROTOS.tcp:
+ raw = Raw(data[20:])
+ else:
+ raw = Raw(data[32:])
+ p = (Ether(src=src_if.remote_mac, dst=src_if.local_mac) /
+ IP(src=src_if.remote_ip4, dst=dst, frag=5, proto=proto,
+ id=id) /
+ raw)
+ pkts.append(p)
+ return pkts
+
+ def frag_in_order_in_plus_out(self, in_addr, out_addr, in_port, out_port,
+ proto=IP_PROTOS.tcp):
+
+ layer = self.proto2layer(proto)
+
+ if proto == IP_PROTOS.tcp:
+ data = b"A" * 4 + b"B" * 16 + b"C" * 3
+ else:
+ data = b"A" * 16 + b"B" * 16 + b"C" * 3
+ port_in = self.random_port()
+
+ for i in range(2):
+ # out2in
+ pkts = self.create_stream_frag(self.pg0, out_addr,
+ port_in, out_port,
+ data, proto)
+ self.pg0.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ frags = self.pg1.get_capture(len(pkts))
+ p = self.reass_frags_and_verify(frags,
+ self.pg0.remote_ip4,
+ in_addr)
+ if proto != IP_PROTOS.icmp:
+ self.assertEqual(p[layer].sport, port_in)
+ self.assertEqual(p[layer].dport, in_port)
+ else:
+ self.assertEqual(p[layer].id, port_in)
+ self.assertEqual(data, p[Raw].load)
+
+ # in2out
+ if proto != IP_PROTOS.icmp:
+ pkts = self.create_stream_frag(self.pg1, self.pg0.remote_ip4,
+ in_port,
+ p[layer].sport, data, proto)
+ else:
+ pkts = self.create_stream_frag(self.pg1, self.pg0.remote_ip4,
+ p[layer].id, 0, data, proto,
+ echo_reply=True)
+ self.pg1.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ frags = self.pg0.get_capture(len(pkts))
+ p = self.reass_frags_and_verify(frags,
+ out_addr,
+ self.pg0.remote_ip4)
+ if proto != IP_PROTOS.icmp:
+ self.assertEqual(p[layer].sport, out_port)
+ self.assertEqual(p[layer].dport, port_in)
+ else:
+ self.assertEqual(p[layer].id, port_in)
+ self.assertEqual(data, p[Raw].load)
+
+ def frag_out_of_order_in_plus_out(self, in_addr, out_addr, in_port,
+ out_port, proto=IP_PROTOS.tcp):
+
+ layer = self.proto2layer(proto)
+
+ if proto == IP_PROTOS.tcp:
+ data = b"A" * 4 + b"B" * 16 + b"C" * 3
+ else:
+ data = b"A" * 16 + b"B" * 16 + b"C" * 3
+ port_in = self.random_port()
+
+ for i in range(2):
+ # out2in
+ pkts = self.create_stream_frag(self.pg0, out_addr,
+ port_in, out_port,
+ data, proto)
+ pkts.reverse()
+ self.pg0.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ frags = self.pg1.get_capture(len(pkts))
+ p = self.reass_frags_and_verify(frags,
+ self.pg0.remote_ip4,
+ in_addr)
+ if proto != IP_PROTOS.icmp:
+ self.assertEqual(p[layer].dport, in_port)
+ self.assertEqual(p[layer].sport, port_in)
+ self.assertEqual(p[layer].dport, in_port)
+ else:
+ self.assertEqual(p[layer].id, port_in)
+ self.assertEqual(data, p[Raw].load)
+
+ # in2out
+ if proto != IP_PROTOS.icmp:
+ pkts = self.create_stream_frag(self.pg1, self.pg0.remote_ip4,
+ in_port,
+ p[layer].sport, data, proto)
+ else:
+ pkts = self.create_stream_frag(self.pg1, self.pg0.remote_ip4,
+ p[layer].id, 0, data, proto,
+ echo_reply=True)
+ pkts.reverse()
+ self.pg1.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ frags = self.pg0.get_capture(len(pkts))
+ p = self.reass_frags_and_verify(frags,
+ out_addr,
+ self.pg0.remote_ip4)
+ if proto != IP_PROTOS.icmp:
+ self.assertEqual(p[layer].sport, out_port)
+ self.assertEqual(p[layer].dport, port_in)
+ else:
+ self.assertEqual(p[layer].id, port_in)
+ self.assertEqual(data, p[Raw].load)
+
+ def init_tcp_session(self, in_if, out_if, in_port, ext_port):
+ # SYN packet in->out
+ p = (Ether(src=in_if.remote_mac, dst=in_if.local_mac) /
+ IP(src=in_if.remote_ip4, dst=out_if.remote_ip4) /
+ TCP(sport=in_port, dport=ext_port, flags="S"))
+ in_if.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = out_if.get_capture(1)
+ p = capture[0]
+ out_port = p[TCP].sport
+
+ # SYN + ACK packet out->in
+ p = (Ether(src=out_if.remote_mac, dst=out_if.local_mac) /
+ IP(src=out_if.remote_ip4, dst=self.nat_addr) /
+ TCP(sport=ext_port, dport=out_port, flags="SA"))
+ out_if.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ in_if.get_capture(1)
+
+ # ACK packet in->out
+ p = (Ether(src=in_if.remote_mac, dst=in_if.local_mac) /
+ IP(src=in_if.remote_ip4, dst=out_if.remote_ip4) /
+ TCP(sport=in_port, dport=ext_port, flags="A"))
+ in_if.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ out_if.get_capture(1)
+
+ return out_port
+
+ def twice_nat_common(self, self_twice_nat=False, same_pg=False, lb=False,
+ client_id=None):
+ twice_nat_addr = '10.0.1.3'
+
+ port_in = 8080
+ if lb:
+ if not same_pg:
+ port_in1 = port_in
+ port_in2 = port_in
+ else:
+ port_in1 = port_in + 1
+ port_in2 = port_in + 2
+
+ port_out = 80
+ eh_port_out = 4567
+
+ server1 = self.pg0.remote_hosts[0]
+ server2 = self.pg0.remote_hosts[1]
+ if lb and same_pg:
+ server2 = server1
+ if not lb:
+ server = server1
+
+ pg0 = self.pg0
+ if same_pg:
+ pg1 = self.pg0
+ else:
+ pg1 = self.pg1
+
+ eh_translate = ((not self_twice_nat) or (not lb and same_pg) or
+ client_id == 1)
+
+ self.nat_add_address(self.nat_addr)
+ self.nat_add_address(twice_nat_addr, twice_nat=1)
+
+ flags = 0
+ if self_twice_nat:
+ flags |= self.config_flags.NAT_IS_SELF_TWICE_NAT
+ else:
+ flags |= self.config_flags.NAT_IS_TWICE_NAT
+
+ if not lb:
+ self.nat_add_static_mapping(pg0.remote_ip4, self.nat_addr,
+ port_in, port_out,
+ proto=IP_PROTOS.tcp,
+ flags=flags)
+ else:
+ locals = [{'addr': server1.ip4,
+ 'port': port_in1,
+ 'probability': 50,
+ 'vrf_id': 0},
+ {'addr': server2.ip4,
+ 'port': port_in2,
+ 'probability': 50,
+ 'vrf_id': 0}]
+ out_addr = self.nat_addr
+
+ self.vapi.nat44_add_del_lb_static_mapping(is_add=1, flags=flags,
+ external_addr=out_addr,
+ external_port=port_out,
+ protocol=IP_PROTOS.tcp,
+ local_num=len(locals),
+ locals=locals)
+ self.nat_add_inside_interface(pg0)
+ self.nat_add_outside_interface(pg1)
+
+ if same_pg:
+ if not lb:
+ client = server
+ else:
+ assert client_id is not None
+ if client_id == 1:
+ client = self.pg0.remote_hosts[0]
+ elif client_id == 2:
+ client = self.pg0.remote_hosts[1]
+ else:
+ client = pg1.remote_hosts[0]
+ p = (Ether(src=pg1.remote_mac, dst=pg1.local_mac) /
+ IP(src=client.ip4, dst=self.nat_addr) /
+ TCP(sport=eh_port_out, dport=port_out))
+ pg1.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = pg0.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ if lb:
+ if ip.dst == server1.ip4:
+ server = server1
+ port_in = port_in1
+ else:
+ server = server2
+ port_in = port_in2
+ self.assertEqual(ip.dst, server.ip4)
+ if lb and same_pg:
+ self.assertIn(tcp.dport, [port_in1, port_in2])
+ else:
+ self.assertEqual(tcp.dport, port_in)
+ if eh_translate:
+ self.assertEqual(ip.src, twice_nat_addr)
+ self.assertNotEqual(tcp.sport, eh_port_out)
+ else:
+ self.assertEqual(ip.src, client.ip4)
+ self.assertEqual(tcp.sport, eh_port_out)
+ eh_addr_in = ip.src
+ eh_port_in = tcp.sport
+ saved_port_in = tcp.dport
+ self.assert_packet_checksums_valid(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ p = (Ether(src=server.mac, dst=pg0.local_mac) /
+ IP(src=server.ip4, dst=eh_addr_in) /
+ TCP(sport=saved_port_in, dport=eh_port_in))
+ pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = pg1.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.dst, client.ip4)
+ self.assertEqual(ip.src, self.nat_addr)
+ self.assertEqual(tcp.dport, eh_port_out)
+ self.assertEqual(tcp.sport, port_out)
+ self.assert_packet_checksums_valid(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ if eh_translate:
+ sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
+ self.assertEqual(len(sessions), 1)
+ self.assertTrue(sessions[0].flags &
+ self.config_flags.NAT_IS_EXT_HOST_VALID)
+ self.assertTrue(sessions[0].flags &
+ self.config_flags.NAT_IS_TWICE_NAT)
+ self.logger.info(self.vapi.cli("show nat44 sessions detail"))
+ self.vapi.nat44_del_session(
+ address=sessions[0].inside_ip_address,
+ port=sessions[0].inside_port,
+ protocol=sessions[0].protocol,
+ flags=(self.config_flags.NAT_IS_INSIDE |
+ self.config_flags.NAT_IS_EXT_HOST_VALID),
+ ext_host_address=sessions[0].ext_host_nat_address,
+ ext_host_port=sessions[0].ext_host_nat_port)
+ sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
+ self.assertEqual(len(sessions), 0)
+
+ def verify_syslog_sess(self, data, is_add=True, is_ip6=False):
+ message = data.decode('utf-8')
+ try:
+ message = SyslogMessage.parse(message)
+ except ParseError as e:
+ self.logger.error(e)
+ raise
+ else:
+ self.assertEqual(message.severity, SyslogSeverity.info)
+ self.assertEqual(message.appname, 'NAT')
+ self.assertEqual(message.msgid, 'SADD' if is_add else 'SDEL')
+ sd_params = message.sd.get('nsess')
+ self.assertTrue(sd_params is not None)
+ if is_ip6:
+ self.assertEqual(sd_params.get('IATYP'), 'IPv6')
+ self.assertEqual(sd_params.get('ISADDR'), self.pg0.remote_ip6)
+ else:
+ self.assertEqual(sd_params.get('IATYP'), 'IPv4')
+ self.assertEqual(sd_params.get('ISADDR'), self.pg0.remote_ip4)
+ self.assertTrue(sd_params.get('SSUBIX') is not None)
+ self.assertEqual(sd_params.get('ISPORT'), "%d" % self.tcp_port_in)
+ self.assertEqual(sd_params.get('XATYP'), 'IPv4')
+ self.assertEqual(sd_params.get('XSADDR'), self.nat_addr)
+ self.assertEqual(sd_params.get('XSPORT'), "%d" % self.tcp_port_out)
+ self.assertEqual(sd_params.get('PROTO'), "%d" % IP_PROTOS.tcp)
+ self.assertEqual(sd_params.get('SVLAN'), '0')
+ self.assertEqual(sd_params.get('XDADDR'), self.pg1.remote_ip4)
+ self.assertEqual(sd_params.get('XDPORT'),
+ "%d" % self.tcp_external_port)
+
+
+class TestNAT44ED(NAT44EDTestCase):
+ """ NAT44ED Test Case """
+
+ def test_users_dump(self):
+ """ NAT44ED API test - nat44_user_dump """
+
+ self.nat_add_address(self.nat_addr)
+ self.nat_add_inside_interface(self.pg0)
+ self.nat_add_outside_interface(self.pg1)
+
+ self.vapi.nat44_forwarding_enable_disable(enable=1)
+
+ local_ip = self.pg0.remote_ip4
+ external_ip = self.nat_addr
+ self.nat_add_static_mapping(local_ip, external_ip)
+
+ users = self.vapi.nat44_user_dump()
+ self.assertEqual(len(users), 0)
+
+ # in2out - static mapping match
+
+ pkts = self.create_stream_out(self.pg1)
+ self.pg1.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg0.get_capture(len(pkts))
+ self.verify_capture_in(capture, self.pg0)
+
+ pkts = self.create_stream_in(self.pg0, self.pg1)
+ self.pg0.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg1.get_capture(len(pkts))
+ self.verify_capture_out(capture, same_port=True)
+
+ users = self.vapi.nat44_user_dump()
+ self.assertEqual(len(users), 1)
+ static_user = users[0]
+ self.assertEqual(static_user.nstaticsessions, 3)
+ self.assertEqual(static_user.nsessions, 0)
+
+ # in2out - no static mapping match (forwarding test)
+
+ host0 = self.pg0.remote_hosts[0]
+ self.pg0.remote_hosts[0] = self.pg0.remote_hosts[1]
+ try:
+ pkts = self.create_stream_out(self.pg1,
+ dst_ip=self.pg0.remote_ip4,
+ use_inside_ports=True)
+ self.pg1.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg0.get_capture(len(pkts))
+ self.verify_capture_in(capture, self.pg0)
+
+ pkts = self.create_stream_in(self.pg0, self.pg1)
+ self.pg0.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg1.get_capture(len(pkts))
+ self.verify_capture_out(capture, nat_ip=self.pg0.remote_ip4,
+ same_port=True)
+ finally:
+ self.pg0.remote_hosts[0] = host0
+
+ users = self.vapi.nat44_user_dump()
+ self.assertEqual(len(users), 2)
+ if str(users[0].ip_address) == self.pg0.remote_hosts[0].ip4:
+ non_static_user = users[1]
+ static_user = users[0]
+ else:
+ non_static_user = users[0]
+ static_user = users[1]
+ self.assertEqual(static_user.nstaticsessions, 3)
+ self.assertEqual(static_user.nsessions, 0)
+ self.assertEqual(non_static_user.nstaticsessions, 0)
+ self.assertEqual(non_static_user.nsessions, 3)
+
+ users = self.vapi.nat44_user_dump()
+ self.assertEqual(len(users), 2)
+ if str(users[0].ip_address) == self.pg0.remote_hosts[0].ip4:
+ non_static_user = users[1]
+ static_user = users[0]
+ else:
+ non_static_user = users[0]
+ static_user = users[1]
+ self.assertEqual(static_user.nstaticsessions, 3)
+ self.assertEqual(static_user.nsessions, 0)
+ self.assertEqual(non_static_user.nstaticsessions, 0)
+ self.assertEqual(non_static_user.nsessions, 3)
+
+ def test_frag_out_of_order_do_not_translate(self):
+ """ NAT44ED don't translate fragments arriving out of order """
+ self.nat_add_inside_interface(self.pg0)
+ self.nat_add_outside_interface(self.pg1)
+ self.vapi.nat44_forwarding_enable_disable(enable=True)
+ self.frag_out_of_order(proto=IP_PROTOS.tcp, dont_translate=True)
+
+ def test_forwarding(self):
+ """ NAT44ED forwarding test """
+
+ self.nat_add_inside_interface(self.pg0)
+ self.nat_add_outside_interface(self.pg1)
+ self.vapi.nat44_forwarding_enable_disable(enable=1)
+
+ real_ip = self.pg0.remote_ip4
+ alias_ip = self.nat_addr
+ flags = self.config_flags.NAT_IS_ADDR_ONLY
+ self.vapi.nat44_add_del_static_mapping(is_add=1,
+ local_ip_address=real_ip,
+ external_ip_address=alias_ip,
+ external_sw_if_index=0xFFFFFFFF,
+ flags=flags)
+
+ try:
+ # in2out - static mapping match
+
+ pkts = self.create_stream_out(self.pg1)
+ self.pg1.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg0.get_capture(len(pkts))
+ self.verify_capture_in(capture, self.pg0)
+
+ pkts = self.create_stream_in(self.pg0, self.pg1)
+ self.pg0.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg1.get_capture(len(pkts))
+ self.verify_capture_out(capture, same_port=True)
+
+ # in2out - no static mapping match
+
+ host0 = self.pg0.remote_hosts[0]
+ self.pg0.remote_hosts[0] = self.pg0.remote_hosts[1]
+ try:
+ pkts = self.create_stream_out(self.pg1,
+ dst_ip=self.pg0.remote_ip4,
+ use_inside_ports=True)
+ self.pg1.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg0.get_capture(len(pkts))
+ self.verify_capture_in(capture, self.pg0)
+
+ pkts = self.create_stream_in(self.pg0, self.pg1)
+ self.pg0.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg1.get_capture(len(pkts))
+ self.verify_capture_out(capture, nat_ip=self.pg0.remote_ip4,
+ same_port=True)
+ finally:
+ self.pg0.remote_hosts[0] = host0
+
+ user = self.pg0.remote_hosts[1]
+ sessions = self.vapi.nat44_user_session_dump(user.ip4, 0)
+ self.assertEqual(len(sessions), 3)
+ self.assertTrue(sessions[0].flags &
+ self.config_flags.NAT_IS_EXT_HOST_VALID)
+ self.vapi.nat44_del_session(
+ address=sessions[0].inside_ip_address,
+ port=sessions[0].inside_port,
+ protocol=sessions[0].protocol,
+ flags=(self.config_flags.NAT_IS_INSIDE |
+ self.config_flags.NAT_IS_EXT_HOST_VALID),
+ ext_host_address=sessions[0].ext_host_address,
+ ext_host_port=sessions[0].ext_host_port)
+ sessions = self.vapi.nat44_user_session_dump(user.ip4, 0)
+ self.assertEqual(len(sessions), 2)
+
+ finally:
+ self.vapi.nat44_forwarding_enable_disable(enable=0)
+ flags = self.config_flags.NAT_IS_ADDR_ONLY
+ self.vapi.nat44_add_del_static_mapping(
+ is_add=0,
+ local_ip_address=real_ip,
+ external_ip_address=alias_ip,
+ external_sw_if_index=0xFFFFFFFF,
+ flags=flags)
+
+ def test_output_feature_and_service2(self):
+ """ NAT44ED interface output feature and service host direct access """
+ self.vapi.nat44_forwarding_enable_disable(enable=1)
+ self.nat_add_address(self.nat_addr)
+
+ self.vapi.nat44_interface_add_del_output_feature(
+ sw_if_index=self.pg1.sw_if_index, is_add=1,)
+
+ # session initiated from service host - translate
+ pkts = self.create_stream_in(self.pg0, self.pg1)
+ self.pg0.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg1.get_capture(len(pkts))
+ self.verify_capture_out(capture, ignore_port=True)
+
+ pkts = self.create_stream_out(self.pg1)
+ self.pg1.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg0.get_capture(len(pkts))
+ self.verify_capture_in(capture, self.pg0)
+
+ # session initiated from remote host - do not translate
+ tcp_port_in = self.tcp_port_in
+ udp_port_in = self.udp_port_in
+ icmp_id_in = self.icmp_id_in
+
+ self.tcp_port_in = 60303
+ self.udp_port_in = 60304
+ self.icmp_id_in = 60305
+
+ try:
+ pkts = self.create_stream_out(self.pg1,
+ self.pg0.remote_ip4,
+ use_inside_ports=True)
+ self.pg1.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg0.get_capture(len(pkts))
+ self.verify_capture_in(capture, self.pg0)
+
+ pkts = self.create_stream_in(self.pg0, self.pg1)
+ self.pg0.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg1.get_capture(len(pkts))
+ self.verify_capture_out(capture, nat_ip=self.pg0.remote_ip4,
+ same_port=True)
+ finally:
+ self.tcp_port_in = tcp_port_in
+ self.udp_port_in = udp_port_in
+ self.icmp_id_in = icmp_id_in
+
+ def test_twice_nat(self):
+ """ NAT44ED Twice NAT """
+ self.twice_nat_common()
+
+ def test_self_twice_nat_positive(self):
+ """ NAT44ED Self Twice NAT (positive test) """
+ self.twice_nat_common(self_twice_nat=True, same_pg=True)
+
+ def test_self_twice_nat_lb_positive(self):
+ """ NAT44ED Self Twice NAT local service load balancing (positive test)
+ """
+ self.twice_nat_common(lb=True, self_twice_nat=True, same_pg=True,
+ client_id=1)
+
+ def test_twice_nat_lb(self):
+ """ NAT44ED Twice NAT local service load balancing """
+ self.twice_nat_common(lb=True)
+
+ def test_output_feature(self):
+ """ NAT44ED interface output feature (in2out postrouting) """
+ self.vapi.nat44_forwarding_enable_disable(enable=1)
+ self.nat_add_address(self.nat_addr)
+
+ self.nat_add_outside_interface(self.pg0)
+ self.vapi.nat44_interface_add_del_output_feature(
+ sw_if_index=self.pg1.sw_if_index, is_add=1)
+
+ # in2out
+ pkts = self.create_stream_in(self.pg0, self.pg1)
+ self.pg0.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg1.get_capture(len(pkts))
+ self.verify_capture_out(capture, ignore_port=True)
+
+ # out2in
+ pkts = self.create_stream_out(self.pg1)
+ self.pg1.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg0.get_capture(len(pkts))
+ self.verify_capture_in(capture, self.pg0)
+
+ def test_static_with_port_out2(self):
+ """ NAT44ED 1:1 NAPT asymmetrical rule """
+
+ external_port = 80
+ local_port = 8080
+
+ self.vapi.nat44_forwarding_enable_disable(enable=1)
+ flags = self.config_flags.NAT_IS_OUT2IN_ONLY
+ self.nat_add_static_mapping(self.pg0.remote_ip4, self.nat_addr,
+ local_port, external_port,
+ proto=IP_PROTOS.tcp, flags=flags)
+
+ self.nat_add_inside_interface(self.pg0)
+ self.nat_add_outside_interface(self.pg1)
+
+ # from client to service
+ p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
+ IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
+ TCP(sport=12345, dport=external_port))
+ self.pg1.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg0.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.dst, self.pg0.remote_ip4)
+ self.assertEqual(tcp.dport, local_port)
+ self.assert_packet_checksums_valid(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ # ICMP error
+ p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
+ ICMP(type=11) / capture[0][IP])
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg1.get_capture(1)
+ p = capture[0]
+ try:
+ self.assertEqual(p[IP].src, self.nat_addr)
+ inner = p[IPerror]
+ self.assertEqual(inner.dst, self.nat_addr)
+ self.assertEqual(inner[TCPerror].dport, external_port)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ # from service back to client
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
+ TCP(sport=local_port, dport=12345))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg1.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.src, self.nat_addr)
+ self.assertEqual(tcp.sport, external_port)
+ self.assert_packet_checksums_valid(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ # ICMP error
+ p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
+ IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
+ ICMP(type=11) / capture[0][IP])
+ self.pg1.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg0.get_capture(1)
+ p = capture[0]
+ try:
+ self.assertEqual(p[IP].dst, self.pg0.remote_ip4)
+ inner = p[IPerror]
+ self.assertEqual(inner.src, self.pg0.remote_ip4)
+ self.assertEqual(inner[TCPerror].sport, local_port)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ # from client to server (no translation)
+ p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
+ IP(src=self.pg1.remote_ip4, dst=self.pg0.remote_ip4) /
+ TCP(sport=12346, dport=local_port))
+ self.pg1.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg0.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.dst, self.pg0.remote_ip4)
+ self.assertEqual(tcp.dport, local_port)
+ self.assert_packet_checksums_valid(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ # from service back to client (no translation)
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
+ TCP(sport=local_port, dport=12346))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg1.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.src, self.pg0.remote_ip4)
+ self.assertEqual(tcp.sport, local_port)
+ self.assert_packet_checksums_valid(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ def test_static_lb(self):
+ """ NAT44ED local service load balancing """
+ external_addr_n = self.nat_addr
+ external_port = 80
+ local_port = 8080
+ server1 = self.pg0.remote_hosts[0]
+ server2 = self.pg0.remote_hosts[1]
+
+ locals = [{'addr': server1.ip4,
+ 'port': local_port,
+ 'probability': 70,
+ 'vrf_id': 0},
+ {'addr': server2.ip4,
+ 'port': local_port,
+ 'probability': 30,
+ 'vrf_id': 0}]
+
+ self.nat_add_address(self.nat_addr)
+ self.vapi.nat44_add_del_lb_static_mapping(
+ is_add=1,
+ external_addr=external_addr_n,
+ external_port=external_port,
+ protocol=IP_PROTOS.tcp,
+ local_num=len(locals),
+ locals=locals)
+ flags = self.config_flags.NAT_IS_INSIDE
+ self.vapi.nat44_interface_add_del_feature(
+ sw_if_index=self.pg0.sw_if_index,
+ flags=flags, is_add=1)
+ self.vapi.nat44_interface_add_del_feature(
+ sw_if_index=self.pg1.sw_if_index,
+ is_add=1)
+
+ # from client to service
+ p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
+ IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
+ TCP(sport=12345, dport=external_port))
+ self.pg1.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg0.get_capture(1)
+ p = capture[0]
+ server = None
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertIn(ip.dst, [server1.ip4, server2.ip4])
+ if ip.dst == server1.ip4:
+ server = server1
+ else:
+ server = server2
+ self.assertEqual(tcp.dport, local_port)
+ self.assert_packet_checksums_valid(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ # from service back to client
+ p = (Ether(src=server.mac, dst=self.pg0.local_mac) /
+ IP(src=server.ip4, dst=self.pg1.remote_ip4) /
+ TCP(sport=local_port, dport=12345))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg1.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.src, self.nat_addr)
+ self.assertEqual(tcp.sport, external_port)
+ self.assert_packet_checksums_valid(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
+ self.assertEqual(len(sessions), 1)
+ self.assertTrue(sessions[0].flags &
+ self.config_flags.NAT_IS_EXT_HOST_VALID)
+ self.vapi.nat44_del_session(
+ address=sessions[0].inside_ip_address,
+ port=sessions[0].inside_port,
+ protocol=sessions[0].protocol,
+ flags=(self.config_flags.NAT_IS_INSIDE |
+ self.config_flags.NAT_IS_EXT_HOST_VALID),
+ ext_host_address=sessions[0].ext_host_address,
+ ext_host_port=sessions[0].ext_host_port)
+ sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
+ self.assertEqual(len(sessions), 0)
+
+ def test_static_lb_2(self):
+ """ NAT44ED local service load balancing (asymmetrical rule) """
+ external_addr = self.nat_addr
+ external_port = 80
+ local_port = 8080
+ server1 = self.pg0.remote_hosts[0]
+ server2 = self.pg0.remote_hosts[1]
+
+ locals = [{'addr': server1.ip4,
+ 'port': local_port,
+ 'probability': 70,
+ 'vrf_id': 0},
+ {'addr': server2.ip4,
+ 'port': local_port,
+ 'probability': 30,
+ 'vrf_id': 0}]
+
+ self.vapi.nat44_forwarding_enable_disable(enable=1)
+ flags = self.config_flags.NAT_IS_OUT2IN_ONLY
+ self.vapi.nat44_add_del_lb_static_mapping(is_add=1, flags=flags,
+ external_addr=external_addr,
+ external_port=external_port,
+ protocol=IP_PROTOS.tcp,
+ local_num=len(locals),
+ locals=locals)
+ flags = self.config_flags.NAT_IS_INSIDE
+ self.vapi.nat44_interface_add_del_feature(
+ sw_if_index=self.pg0.sw_if_index,
+ flags=flags, is_add=1)
+ self.vapi.nat44_interface_add_del_feature(
+ sw_if_index=self.pg1.sw_if_index,
+ is_add=1)
+
+ # from client to service
+ p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
+ IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
+ TCP(sport=12345, dport=external_port))
+ self.pg1.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg0.get_capture(1)
+ p = capture[0]
+ server = None
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertIn(ip.dst, [server1.ip4, server2.ip4])
+ if ip.dst == server1.ip4:
+ server = server1
+ else:
+ server = server2
+ self.assertEqual(tcp.dport, local_port)
+ self.assert_packet_checksums_valid(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ # from service back to client
+ p = (Ether(src=server.mac, dst=self.pg0.local_mac) /
+ IP(src=server.ip4, dst=self.pg1.remote_ip4) /
+ TCP(sport=local_port, dport=12345))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg1.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.src, self.nat_addr)
+ self.assertEqual(tcp.sport, external_port)
+ self.assert_packet_checksums_valid(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ # from client to server (no translation)
+ p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
+ IP(src=self.pg1.remote_ip4, dst=server1.ip4) /
+ TCP(sport=12346, dport=local_port))
+ self.pg1.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg0.get_capture(1)
+ p = capture[0]
+ server = None
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.dst, server1.ip4)
+ self.assertEqual(tcp.dport, local_port)
+ self.assert_packet_checksums_valid(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ # from service back to client (no translation)
+ p = (Ether(src=server1.mac, dst=self.pg0.local_mac) /
+ IP(src=server1.ip4, dst=self.pg1.remote_ip4) /
+ TCP(sport=local_port, dport=12346))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg1.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.src, server1.ip4)
+ self.assertEqual(tcp.sport, local_port)
+ self.assert_packet_checksums_valid(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ def test_lb_affinity(self):
+ """ NAT44ED local service load balancing affinity """
+ external_addr = self.nat_addr
+ external_port = 80
+ local_port = 8080
+ server1 = self.pg0.remote_hosts[0]
+ server2 = self.pg0.remote_hosts[1]
+
+ locals = [{'addr': server1.ip4,
+ 'port': local_port,
+ 'probability': 50,
+ 'vrf_id': 0},
+ {'addr': server2.ip4,
+ 'port': local_port,
+ 'probability': 50,
+ 'vrf_id': 0}]
+
+ self.nat_add_address(self.nat_addr)
+ self.vapi.nat44_add_del_lb_static_mapping(is_add=1,
+ external_addr=external_addr,
+ external_port=external_port,
+ protocol=IP_PROTOS.tcp,
+ affinity=10800,
+ local_num=len(locals),
+ locals=locals)
+ flags = self.config_flags.NAT_IS_INSIDE
+ self.vapi.nat44_interface_add_del_feature(
+ sw_if_index=self.pg0.sw_if_index,
+ flags=flags, is_add=1)
+ self.vapi.nat44_interface_add_del_feature(
+ sw_if_index=self.pg1.sw_if_index,
+ is_add=1)
+
+ p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
+ IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
+ TCP(sport=1025, dport=external_port))
+ self.pg1.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg0.get_capture(1)
+ backend = capture[0][IP].dst
+
+ sessions = self.vapi.nat44_user_session_dump(backend, 0)
+ self.assertEqual(len(sessions), 1)
+ self.assertTrue(sessions[0].flags &
+ self.config_flags.NAT_IS_EXT_HOST_VALID)
+ self.vapi.nat44_del_session(
+ address=sessions[0].inside_ip_address,
+ port=sessions[0].inside_port,
+ protocol=sessions[0].protocol,
+ flags=(self.config_flags.NAT_IS_INSIDE |
+ self.config_flags.NAT_IS_EXT_HOST_VALID),
+ ext_host_address=sessions[0].ext_host_address,
+ ext_host_port=sessions[0].ext_host_port)
+
+ pkts = []
+ for port in range(1030, 1100):
+ p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
+ IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
+ TCP(sport=port, dport=external_port))
+ pkts.append(p)
+ self.pg1.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg0.get_capture(len(pkts))
+ for p in capture:
+ self.assertEqual(p[IP].dst, backend)
+
+ def test_multiple_vrf(self):
+ """ NAT44ED Multiple VRF setup """
+
+ external_addr = '1.2.3.4'
+ external_port = 80
+ local_port = 8080
+ port = 0
+
+ self.vapi.nat44_forwarding_enable_disable(enable=1)
+ self.nat_add_address(self.nat_addr)
+ flags = self.config_flags.NAT_IS_INSIDE
+ self.vapi.nat44_interface_add_del_feature(
+ sw_if_index=self.pg0.sw_if_index,
+ is_add=1)
+ self.vapi.nat44_interface_add_del_feature(
+ sw_if_index=self.pg0.sw_if_index,
+ is_add=1, flags=flags)
+ self.vapi.nat44_interface_add_del_output_feature(
+ sw_if_index=self.pg1.sw_if_index,
+ is_add=1)
+ self.vapi.nat44_interface_add_del_feature(
+ sw_if_index=self.pg5.sw_if_index,
+ is_add=1)
+ self.vapi.nat44_interface_add_del_feature(
+ sw_if_index=self.pg5.sw_if_index,
+ is_add=1, flags=flags)
+ self.vapi.nat44_interface_add_del_feature(
+ sw_if_index=self.pg6.sw_if_index,
+ is_add=1)
+ flags = self.config_flags.NAT_IS_OUT2IN_ONLY
+ self.nat_add_static_mapping(self.pg5.remote_ip4, external_addr,
+ local_port, external_port, vrf_id=1,
+ proto=IP_PROTOS.tcp, flags=flags)
+ self.nat_add_static_mapping(
+ self.pg0.remote_ip4,
+ external_sw_if_index=self.pg0.sw_if_index,
+ local_port=local_port,
+ vrf_id=0,
+ external_port=external_port,
+ proto=IP_PROTOS.tcp,
+ flags=flags
+ )
+
+ # from client to service (both VRF1)
+ p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) /
+ IP(src=self.pg6.remote_ip4, dst=external_addr) /
+ TCP(sport=12345, dport=external_port))
+ self.pg6.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg5.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.dst, self.pg5.remote_ip4)
+ self.assertEqual(tcp.dport, local_port)
+ self.assert_packet_checksums_valid(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ # from service back to client (both VRF1)
+ p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) /
+ IP(src=self.pg5.remote_ip4, dst=self.pg6.remote_ip4) /
+ TCP(sport=local_port, dport=12345))
+ self.pg5.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg6.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.src, external_addr)
+ self.assertEqual(tcp.sport, external_port)
+ self.assert_packet_checksums_valid(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ # dynamic NAT from VRF1 to VRF0 (output-feature)
+ p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) /
+ IP(src=self.pg5.remote_ip4, dst=self.pg1.remote_ip4) /
+ TCP(sport=2345, dport=22))
+ self.pg5.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg1.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.src, self.nat_addr)
+ self.assert_packet_checksums_valid(p)
+ port = tcp.sport
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
+ IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
+ TCP(sport=22, dport=port))
+ self.pg1.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg5.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.dst, self.pg5.remote_ip4)
+ self.assertEqual(tcp.dport, 2345)
+ self.assert_packet_checksums_valid(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ # from client VRF1 to service VRF0
+ p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) /
+ IP(src=self.pg6.remote_ip4, dst=self.pg0.local_ip4) /
+ TCP(sport=12346, dport=external_port))
+ self.pg6.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg0.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.dst, self.pg0.remote_ip4)
+ self.assertEqual(tcp.dport, local_port)
+ self.assert_packet_checksums_valid(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ # from service VRF0 back to client VRF1
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg6.remote_ip4) /
+ TCP(sport=local_port, dport=12346))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg6.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.src, self.pg0.local_ip4)
+ self.assertEqual(tcp.sport, external_port)
+ self.assert_packet_checksums_valid(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ # from client VRF0 to service VRF1
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4, dst=external_addr) /
+ TCP(sport=12347, dport=external_port))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg5.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.dst, self.pg5.remote_ip4)
+ self.assertEqual(tcp.dport, local_port)
+ self.assert_packet_checksums_valid(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ # from service VRF1 back to client VRF0
+ p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) /
+ IP(src=self.pg5.remote_ip4, dst=self.pg0.remote_ip4) /
+ TCP(sport=local_port, dport=12347))
+ self.pg5.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg0.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.src, external_addr)
+ self.assertEqual(tcp.sport, external_port)
+ self.assert_packet_checksums_valid(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ # from client to server (both VRF1, no translation)
+ p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) /
+ IP(src=self.pg6.remote_ip4, dst=self.pg5.remote_ip4) /
+ TCP(sport=12348, dport=local_port))
+ self.pg6.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg5.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.dst, self.pg5.remote_ip4)
+ self.assertEqual(tcp.dport, local_port)
+ self.assert_packet_checksums_valid(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ # from server back to client (both VRF1, no translation)
+ p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) /
+ IP(src=self.pg5.remote_ip4, dst=self.pg6.remote_ip4) /
+ TCP(sport=local_port, dport=12348))
+ self.pg5.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg6.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.src, self.pg5.remote_ip4)
+ self.assertEqual(tcp.sport, local_port)
+ self.assert_packet_checksums_valid(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ # from client VRF1 to server VRF0 (no translation)
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg6.remote_ip4) /
+ TCP(sport=local_port, dport=12349))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg6.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.src, self.pg0.remote_ip4)
+ self.assertEqual(tcp.sport, local_port)
+ self.assert_packet_checksums_valid(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ # from server VRF0 back to client VRF1 (no translation)
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg6.remote_ip4) /
+ TCP(sport=local_port, dport=12349))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg6.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.src, self.pg0.remote_ip4)
+ self.assertEqual(tcp.sport, local_port)
+ self.assert_packet_checksums_valid(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ # from client VRF0 to server VRF1 (no translation)
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg5.remote_ip4) /
+ TCP(sport=12344, dport=local_port))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg5.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.dst, self.pg5.remote_ip4)
+ self.assertEqual(tcp.dport, local_port)
+ self.assert_packet_checksums_valid(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ # from server VRF1 back to client VRF0 (no translation)
+ p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) /
+ IP(src=self.pg5.remote_ip4, dst=self.pg0.remote_ip4) /
+ TCP(sport=local_port, dport=12344))
+ self.pg5.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg0.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.src, self.pg5.remote_ip4)
+ self.assertEqual(tcp.sport, local_port)
+ self.assert_packet_checksums_valid(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+
+class TestNAT44EDMW(TestNAT44ED):
+ """ NAT44ED MW Test Case """
+ worker_config = "workers 1"
+
+ def get_stats_counter(self, path, worker=1):
+ return super(TestNAT44EDMW, self).get_stats_counter(path, worker)
+
+ @unittest.skip('MW fix required')
+ def test_users_dump(self):
+ """ NAT44ED API test - nat44_user_dump """
+
+ @unittest.skip('MW fix required')
+ def test_frag_out_of_order_do_not_translate(self):
+ """ NAT44ED don't translate fragments arriving out of order """
+
+ @unittest.skip('MW fix required')
+ def test_forwarding(self):
+ """ NAT44ED forwarding test """
+
+ @unittest.skip('MW fix required')
+ def test_twice_nat(self):
+ """ NAT44ED Twice NAT """
+
+ @unittest.skip('MW fix required')
+ def test_twice_nat_lb(self):
+ """ NAT44ED Twice NAT local service load balancing """
+
+ @unittest.skip('MW fix required')
+ def test_output_feature(self):
+ """ NAT44ED interface output feature (in2out postrouting) """
+
+ @unittest.skip('MW fix required')
+ def test_static_with_port_out2(self):
+ """ NAT44ED 1:1 NAPT asymmetrical rule """
+
+ @unittest.skip('MW fix required')
+ def test_output_feature_and_service2(self):
+ """ NAT44ED interface output feature and service host direct access """
+
+ @unittest.skip('MW fix required')
+ def test_static_lb(self):
+ """ NAT44ED local service load balancing """
+
+ @unittest.skip('MW fix required')
+ def test_static_lb_2(self):
+ """ NAT44ED local service load balancing (asymmetrical rule) """
+
+ @unittest.skip('MW fix required')
+ def test_lb_affinity(self):
+ """ NAT44ED local service load balancing affinity """
+
+ @unittest.skip('MW fix required')
+ def test_multiple_vrf(self):
+ """ NAT44ED Multiple VRF setup """
+
+ @unittest.skip('MW fix required')
+ def test_self_twice_nat_positive(self):
+ """ NAT44ED Self Twice NAT (positive test) """
+
+ @unittest.skip('MW fix required')
+ def test_self_twice_nat_lb_positive(self):
+ """ NAT44ED Self Twice NAT local service load balancing (positive test)
+ """
+
+ def test_dynamic(self):
+ """ NAT44ED dynamic translation test """
+
+ self.nat_add_address(self.nat_addr)
+ self.nat_add_inside_interface(self.pg0)
+ self.nat_add_outside_interface(self.pg1)
+
+ # in2out
+ tc1 = self.get_stats_counter('/nat44/ed/in2out/slowpath/tcp')
+ uc1 = self.get_stats_counter('/nat44/ed/in2out/slowpath/udp')
+ ic1 = self.get_stats_counter('/nat44/ed/in2out/slowpath/icmp')
+ dc1 = self.get_stats_counter('/nat44/ed/in2out/slowpath/drops')
+
+ pkts = self.create_stream_in(self.pg0, self.pg1)
+ # TODO: specify worker=idx, also stats have to
+ # know from which worker to take capture
+ self.pg0.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg1.get_capture(len(pkts))
+ self.verify_capture_out(capture, ignore_port=True)
+
+ if_idx = self.pg0.sw_if_index
+ tc2 = self.get_stats_counter('/nat44/ed/in2out/slowpath/tcp')
+ uc2 = self.get_stats_counter('/nat44/ed/in2out/slowpath/udp')
+ ic2 = self.get_stats_counter('/nat44/ed/in2out/slowpath/icmp')
+ dc2 = self.get_stats_counter('/nat44/ed/in2out/slowpath/drops')
+
+ self.assertEqual(tc2[if_idx] - tc1[if_idx], 2)
+ self.assertEqual(uc2[if_idx] - uc1[if_idx], 1)
+ self.assertEqual(ic2[if_idx] - ic1[if_idx], 1)
+ self.assertEqual(dc2[if_idx] - dc1[if_idx], 0)
+
+ # out2in
+ tc1 = self.get_stats_counter('/nat44/ed/out2in/fastpath/tcp')
+ uc1 = self.get_stats_counter('/nat44/ed/out2in/fastpath/udp')
+ ic1 = self.get_stats_counter('/nat44/ed/out2in/slowpath/icmp')
+ dc1 = self.get_stats_counter('/nat44/ed/out2in/fastpath/drops')
+
+ pkts = self.create_stream_out(self.pg1)
+ self.pg1.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg0.get_capture(len(pkts))
+ self.verify_capture_in(capture, self.pg0)
+
+ if_idx = self.pg1.sw_if_index
+ tc2 = self.get_stats_counter('/nat44/ed/out2in/fastpath/tcp')
+ uc2 = self.get_stats_counter('/nat44/ed/out2in/fastpath/udp')
+ ic2 = self.get_stats_counter('/nat44/ed/out2in/slowpath/icmp')
+ dc2 = self.get_stats_counter('/nat44/ed/out2in/fastpath/drops')
+
+ self.assertEqual(tc2[if_idx] - tc1[if_idx], 2)
+ self.assertEqual(uc2[if_idx] - uc1[if_idx], 1)
+ self.assertEqual(ic2[if_idx] - ic1[if_idx], 1)
+ self.assertEqual(dc2[if_idx] - dc1[if_idx], 0)
+
+ sc = self.get_stats_counter('/nat44/total-sessions')
+ self.assertEqual(sc[0], 3)
+
+ def test_frag_in_order(self):
+ """ NAT44ED translate fragments arriving in order """
+
+ self.nat_add_address(self.nat_addr)
+ self.nat_add_inside_interface(self.pg0)
+ self.nat_add_outside_interface(self.pg1)
+
+ self.frag_in_order(proto=IP_PROTOS.tcp, ignore_port=True)
+ self.frag_in_order(proto=IP_PROTOS.udp, ignore_port=True)
+ self.frag_in_order(proto=IP_PROTOS.icmp, ignore_port=True)
+
+ def test_frag_in_order_do_not_translate(self):
+ """ NAT44ED don't translate fragments arriving in order """
+
+ self.nat_add_address(self.nat_addr)
+ self.nat_add_inside_interface(self.pg0)
+ self.nat_add_outside_interface(self.pg1)
+ self.vapi.nat44_forwarding_enable_disable(enable=True)
+
+ self.frag_in_order(proto=IP_PROTOS.tcp, dont_translate=True)
+
+ def test_frag_out_of_order(self):
+ """ NAT44ED translate fragments arriving out of order """
+
+ self.nat_add_address(self.nat_addr)
+ self.nat_add_inside_interface(self.pg0)
+ self.nat_add_outside_interface(self.pg1)
+
+ self.frag_out_of_order(proto=IP_PROTOS.tcp, ignore_port=True)
+ self.frag_out_of_order(proto=IP_PROTOS.udp, ignore_port=True)
+ self.frag_out_of_order(proto=IP_PROTOS.icmp, ignore_port=True)
+
+ def test_frag_in_order_in_plus_out(self):
+ """ NAT44ED in+out interface fragments in order """
+
+ in_port = self.random_port()
+ out_port = self.random_port()
+
+ self.nat_add_address(self.nat_addr)
+ self.nat_add_inside_interface(self.pg0)
+ self.nat_add_outside_interface(self.pg0)
+ self.nat_add_inside_interface(self.pg1)
+ self.nat_add_outside_interface(self.pg1)
+
+ # add static mappings for server
+ self.nat_add_static_mapping(self.server_addr,
+ self.nat_addr,
+ in_port,
+ out_port,
+ proto=IP_PROTOS.tcp)
+ self.nat_add_static_mapping(self.server_addr,
+ self.nat_addr,
+ in_port,
+ out_port,
+ proto=IP_PROTOS.udp)
+ self.nat_add_static_mapping(self.server_addr,
+ self.nat_addr,
+ proto=IP_PROTOS.icmp)
+
+ # run tests for each protocol
+ self.frag_in_order_in_plus_out(self.server_addr,
+ self.nat_addr,
+ in_port,
+ out_port,
+ IP_PROTOS.tcp)
+ self.frag_in_order_in_plus_out(self.server_addr,
+ self.nat_addr,
+ in_port,
+ out_port,
+ IP_PROTOS.udp)
+ self.frag_in_order_in_plus_out(self.server_addr,
+ self.nat_addr,
+ in_port,
+ out_port,
+ IP_PROTOS.icmp)
+
+ def test_frag_out_of_order_in_plus_out(self):
+ """ NAT44ED in+out interface fragments out of order """
+
+ in_port = self.random_port()
+ out_port = self.random_port()
+
+ self.nat_add_address(self.nat_addr)
+ self.nat_add_inside_interface(self.pg0)
+ self.nat_add_outside_interface(self.pg0)
+ self.nat_add_inside_interface(self.pg1)
+ self.nat_add_outside_interface(self.pg1)
+
+ # add static mappings for server
+ self.nat_add_static_mapping(self.server_addr,
+ self.nat_addr,
+ in_port,
+ out_port,
+ proto=IP_PROTOS.tcp)
+ self.nat_add_static_mapping(self.server_addr,
+ self.nat_addr,
+ in_port,
+ out_port,
+ proto=IP_PROTOS.udp)
+ self.nat_add_static_mapping(self.server_addr,
+ self.nat_addr,
+ proto=IP_PROTOS.icmp)
+
+ # run tests for each protocol
+ self.frag_out_of_order_in_plus_out(self.server_addr,
+ self.nat_addr,
+ in_port,
+ out_port,
+ IP_PROTOS.tcp)
+ self.frag_out_of_order_in_plus_out(self.server_addr,
+ self.nat_addr,
+ in_port,
+ out_port,
+ IP_PROTOS.udp)
+ self.frag_out_of_order_in_plus_out(self.server_addr,
+ self.nat_addr,
+ in_port,
+ out_port,
+ IP_PROTOS.icmp)
+
+ def test_reass_hairpinning(self):
+ """ NAT44ED fragments hairpinning """
+
+ server_addr = self.pg0.remote_hosts[1].ip4
+
+ host_in_port = self.random_port()
+ server_in_port = self.random_port()
+ server_out_port = self.random_port()
+
+ self.nat_add_address(self.nat_addr)
+ self.nat_add_inside_interface(self.pg0)
+ self.nat_add_outside_interface(self.pg1)
+
+ # add static mapping for server
+ self.nat_add_static_mapping(server_addr, self.nat_addr,
+ server_in_port, server_out_port,
+ proto=IP_PROTOS.tcp)
+ self.nat_add_static_mapping(server_addr, self.nat_addr,
+ server_in_port, server_out_port,
+ proto=IP_PROTOS.udp)
+ self.nat_add_static_mapping(server_addr, self.nat_addr)
+
+ self.reass_hairpinning(server_addr, server_in_port, server_out_port,
+ host_in_port, proto=IP_PROTOS.tcp,
+ ignore_port=True)
+ self.reass_hairpinning(server_addr, server_in_port, server_out_port,
+ host_in_port, proto=IP_PROTOS.udp,
+ ignore_port=True)
+ self.reass_hairpinning(server_addr, server_in_port, server_out_port,
+ host_in_port, proto=IP_PROTOS.icmp,
+ ignore_port=True)
+
+ def test_session_limit_per_vrf(self):
+ """ NAT44ED per vrf session limit """
+
+ inside = self.pg0
+ inside_vrf10 = self.pg2
+ outside = self.pg1
+
+ limit = 5
+
+ # 2 interfaces pg0, pg1 (vrf10, limit 1 tcp session)
+ # non existing vrf_id makes process core dump
+ self.vapi.nat44_set_session_limit(session_limit=limit, vrf_id=10)
+
+ self.nat_add_inside_interface(inside)
+ self.nat_add_inside_interface(inside_vrf10)
+ self.nat_add_outside_interface(outside)
+
+ # vrf independent
+ self.nat_add_interface_address(outside)
+
+ # BUG: causing core dump - when bad vrf_id is specified
+ # self.nat_add_address(outside.local_ip4, vrf_id=20)
+
+ stream = self.create_tcp_stream(inside_vrf10, outside, limit * 2)
+ inside_vrf10.add_stream(stream)
+
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+
+ capture = outside.get_capture(limit)
+
+ stream = self.create_tcp_stream(inside, outside, limit * 2)
+ inside.add_stream(stream)
+
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+
+ capture = outside.get_capture(len(stream))
+
+ def test_clear_sessions(self):
+ """ NAT44ED session clearing test """
+
+ self.nat_add_address(self.nat_addr)
+ self.nat_add_inside_interface(self.pg0)
+ self.nat_add_outside_interface(self.pg1)
+
+ pkts = self.create_stream_in(self.pg0, self.pg1)
+ self.pg0.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg1.get_capture(len(pkts))
+ self.verify_capture_out(capture, ignore_port=True)
+
+ sessions = self.get_stats_counter('/nat44/total-sessions')
+ self.assertTrue(sessions[0] > 0)
+
+ self.vapi.cli("clear nat44 sessions")
+
+ sessions = self.get_stats_counter('/nat44/total-sessions')
+ self.assertEqual(sessions[0], 0)
+
+ def test_show_max_translations(self):
+ """ NAT44ED API test - max translations per thread """
+ nat_config = self.vapi.nat_show_config_2()
+ self.assertEqual(self.max_sessions,
+ nat_config.max_translations_per_thread)
+
+ def test_lru_cleanup(self):
+ """ NAT44ED LRU cleanup algorithm """
+
+ self.nat_add_address(self.nat_addr)
+ self.nat_add_inside_interface(self.pg0)
+ self.nat_add_outside_interface(self.pg1)
+
+ self.vapi.nat_set_timeouts(
+ udp=1, tcp_established=7440, tcp_transitory=30, icmp=1)
+
+ tcp_port_out = self.init_tcp_session(self.pg0, self.pg1, 2000, 80)
+ pkts = []
+ for i in range(0, self.max_sessions - 1):
+ p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4, ttl=64) /
+ UDP(sport=7000+i, dport=80))
+ pkts.append(p)
+
+ self.pg0.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg1.get_capture(len(pkts))
+ self.sleep(1.5, "wait for timeouts")
+
+ pkts = []
+ for i in range(0, self.max_sessions - 1):
+ p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4, ttl=64) /
+ ICMP(id=8000+i, type='echo-request'))
+ pkts.append(p)
+
+ self.pg0.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg1.get_capture(len(pkts))
+
+ def test_session_rst_timeout(self):
+ """ NAT44ED session RST timeouts """
+
+ self.nat_add_address(self.nat_addr)
+ self.nat_add_inside_interface(self.pg0)
+ self.nat_add_outside_interface(self.pg1)
+
+ self.vapi.nat_set_timeouts(udp=300, tcp_established=7440,
+ tcp_transitory=5, icmp=60)
+
+ self.init_tcp_session(self.pg0, self.pg1, self.tcp_port_in,
+ self.tcp_external_port)
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
+ TCP(sport=self.tcp_port_in, dport=self.tcp_external_port,
+ flags="R"))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg1.get_capture(1)
+
+ self.sleep(6)
+
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
+ TCP(sport=self.tcp_port_in + 1, dport=self.tcp_external_port + 1,
+ flags="S"))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg1.get_capture(1)
+
+ def test_dynamic_out_of_ports(self):
+ """ NAT44ED dynamic translation test: out of ports """
+
+ self.nat_add_inside_interface(self.pg0)
+ self.nat_add_outside_interface(self.pg1)
+
+ # in2out and no NAT addresses added
+ err_old = self.statistics.get_err_counter(
+ '/err/nat44-ed-in2out-slowpath/out of ports')
+
+ pkts = self.create_stream_in(self.pg0, self.pg1)
+ self.pg0.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg1.get_capture(0, timeout=1)
+
+ err_new = self.statistics.get_err_counter(
+ '/err/nat44-ed-in2out-slowpath/out of ports')
+
+ self.assertEqual(err_new - err_old, len(pkts))
+
+ # in2out after NAT addresses added
+ self.nat_add_address(self.nat_addr)
+
+ err_old = self.statistics.get_err_counter(
+ '/err/nat44-ed-in2out-slowpath/out of ports')
+
+ pkts = self.create_stream_in(self.pg0, self.pg1)
+ self.pg0.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg1.get_capture(len(pkts))
+ self.verify_capture_out(capture, ignore_port=True)
+
+ err_new = self.statistics.get_err_counter(
+ '/err/nat44-ed-in2out-slowpath/out of ports')
+
+ self.assertEqual(err_new, err_old)
+
+ def test_unknown_proto(self):
+ """ NAT44ED translate packet with unknown protocol """
+
+ self.nat_add_address(self.nat_addr)
+ self.nat_add_inside_interface(self.pg0)
+ self.nat_add_outside_interface(self.pg1)
+
+ # in2out
+ p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
+ TCP(sport=self.tcp_port_in, dport=20))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ p = self.pg1.get_capture(1)
+
+ p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
+ GRE() /
+ IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4) /
+ TCP(sport=1234, dport=1234))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ p = self.pg1.get_capture(1)
+ packet = p[0]
+ try:
+ self.assertEqual(packet[IP].src, self.nat_addr)
+ self.assertEqual(packet[IP].dst, self.pg1.remote_ip4)
+ self.assertEqual(packet.haslayer(GRE), 1)
+ self.assert_packet_checksums_valid(packet)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", packet))
+ raise
+
+ # out2in
+ p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
+ IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
+ GRE() /
+ IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4) /
+ TCP(sport=1234, dport=1234))
+ self.pg1.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ p = self.pg0.get_capture(1)
+ packet = p[0]
+ try:
+ self.assertEqual(packet[IP].src, self.pg1.remote_ip4)
+ self.assertEqual(packet[IP].dst, self.pg0.remote_ip4)
+ self.assertEqual(packet.haslayer(GRE), 1)
+ self.assert_packet_checksums_valid(packet)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", packet))
+ raise
+
+ def test_hairpinning_unknown_proto(self):
+ """ NAT44ED translate packet with unknown protocol - hairpinning """
+ host = self.pg0.remote_hosts[0]
+ server = self.pg0.remote_hosts[1]
+ host_in_port = 1234
+ server_out_port = 8765
+ server_nat_ip = "10.0.0.11"
+
+ self.nat_add_address(self.nat_addr)
+ self.nat_add_inside_interface(self.pg0)
+ self.nat_add_outside_interface(self.pg1)
+
+ # add static mapping for server
+ self.nat_add_static_mapping(server.ip4, server_nat_ip)
+
+ # host to server
+ p = (Ether(src=host.mac, dst=self.pg0.local_mac) /
+ IP(src=host.ip4, dst=server_nat_ip) /
+ TCP(sport=host_in_port, dport=server_out_port))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg0.get_capture(1)
+
+ p = (Ether(dst=self.pg0.local_mac, src=host.mac) /
+ IP(src=host.ip4, dst=server_nat_ip) /
+ GRE() /
+ IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4) /
+ TCP(sport=1234, dport=1234))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ p = self.pg0.get_capture(1)
+ packet = p[0]
+ try:
+ self.assertEqual(packet[IP].src, self.nat_addr)
+ self.assertEqual(packet[IP].dst, server.ip4)
+ self.assertEqual(packet.haslayer(GRE), 1)
+ self.assert_packet_checksums_valid(packet)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", packet))
+ raise
+
+ # server to host
+ p = (Ether(dst=self.pg0.local_mac, src=server.mac) /
+ IP(src=server.ip4, dst=self.nat_addr) /
+ GRE() /
+ IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4) /
+ TCP(sport=1234, dport=1234))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ p = self.pg0.get_capture(1)
+ packet = p[0]
+ try:
+ self.assertEqual(packet[IP].src, server_nat_ip)
+ self.assertEqual(packet[IP].dst, host.ip4)
+ self.assertEqual(packet.haslayer(GRE), 1)
+ self.assert_packet_checksums_valid(packet)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", packet))
+ raise
+
+ def test_output_feature_and_service(self):
+ """ NAT44ED interface output feature and services """
+ external_addr = '1.2.3.4'
+ external_port = 80
+ local_port = 8080
+
+ self.vapi.nat44_forwarding_enable_disable(enable=1)
+ self.nat_add_address(self.nat_addr)
+ flags = self.config_flags.NAT_IS_ADDR_ONLY
+ self.vapi.nat44_add_del_identity_mapping(
+ ip_address=self.pg1.remote_ip4, sw_if_index=0xFFFFFFFF,
+ flags=flags, is_add=1)
+ flags = self.config_flags.NAT_IS_OUT2IN_ONLY
+ self.nat_add_static_mapping(self.pg0.remote_ip4, external_addr,
+ local_port, external_port,
+ proto=IP_PROTOS.tcp, flags=flags)
+
+ self.nat_add_inside_interface(self.pg0)
+ self.nat_add_outside_interface(self.pg0)
+ self.vapi.nat44_interface_add_del_output_feature(
+ sw_if_index=self.pg1.sw_if_index, is_add=1)
+
+ # from client to service
+ p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
+ IP(src=self.pg1.remote_ip4, dst=external_addr) /
+ TCP(sport=12345, dport=external_port))
+ self.pg1.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg0.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.dst, self.pg0.remote_ip4)
+ self.assertEqual(tcp.dport, local_port)
+ self.assert_packet_checksums_valid(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ # from service back to client
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
+ TCP(sport=local_port, dport=12345))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg1.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.src, external_addr)
+ self.assertEqual(tcp.sport, external_port)
+ self.assert_packet_checksums_valid(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ # from local network host to external network
+ pkts = self.create_stream_in(self.pg0, self.pg1)
+ self.pg0.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg1.get_capture(len(pkts))
+ self.verify_capture_out(capture, ignore_port=True)
+ pkts = self.create_stream_in(self.pg0, self.pg1)
+ self.pg0.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg1.get_capture(len(pkts))
+ self.verify_capture_out(capture, ignore_port=True)
+
+ # from external network back to local network host
+ pkts = self.create_stream_out(self.pg1)
+ self.pg1.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg0.get_capture(len(pkts))
+ self.verify_capture_in(capture, self.pg0)
+
+ def test_output_feature_and_service3(self):
+ """ NAT44ED interface output feature and DST NAT """
+ external_addr = '1.2.3.4'
+ external_port = 80
+ local_port = 8080
+
+ self.vapi.nat44_forwarding_enable_disable(enable=1)
+ self.nat_add_address(self.nat_addr)
+ flags = self.config_flags.NAT_IS_OUT2IN_ONLY
+ self.nat_add_static_mapping(self.pg1.remote_ip4, external_addr,
+ local_port, external_port,
+ proto=IP_PROTOS.tcp, flags=flags)
+
+ self.nat_add_inside_interface(self.pg0)
+ self.nat_add_outside_interface(self.pg0)
+ self.vapi.nat44_interface_add_del_output_feature(
+ sw_if_index=self.pg1.sw_if_index, is_add=1)
+
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4, dst=external_addr) /
+ TCP(sport=12345, dport=external_port))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg1.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.src, self.pg0.remote_ip4)
+ self.assertEqual(tcp.sport, 12345)
+ self.assertEqual(ip.dst, self.pg1.remote_ip4)
+ self.assertEqual(tcp.dport, local_port)
+ self.assert_packet_checksums_valid(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
+ IP(src=self.pg1.remote_ip4, dst=self.pg0.remote_ip4) /
+ TCP(sport=local_port, dport=12345))
+ self.pg1.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg0.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.src, external_addr)
+ self.assertEqual(tcp.sport, external_port)
+ self.assertEqual(ip.dst, self.pg0.remote_ip4)
+ self.assertEqual(tcp.dport, 12345)
+ self.assert_packet_checksums_valid(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ def test_self_twice_nat_lb_negative(self):
+ """ NAT44ED Self Twice NAT local service load balancing (negative test)
+ """
+ self.twice_nat_common(lb=True, self_twice_nat=True, same_pg=True,
+ client_id=2)
+
+ def test_self_twice_nat_negative(self):
+ """ NAT44ED Self Twice NAT (negative test) """
+ self.twice_nat_common(self_twice_nat=True)
+
+ def test_static_lb_multi_clients(self):
+ """ NAT44ED local service load balancing - multiple clients"""
+
+ external_addr = self.nat_addr
+ external_port = 80
+ local_port = 8080
+ server1 = self.pg0.remote_hosts[0]
+ server2 = self.pg0.remote_hosts[1]
+ server3 = self.pg0.remote_hosts[2]
+
+ locals = [{'addr': server1.ip4,
+ 'port': local_port,
+ 'probability': 90,
+ 'vrf_id': 0},
+ {'addr': server2.ip4,
+ 'port': local_port,
+ 'probability': 10,
+ 'vrf_id': 0}]
+
+ flags = self.config_flags.NAT_IS_INSIDE
+ self.vapi.nat44_interface_add_del_feature(
+ sw_if_index=self.pg0.sw_if_index,
+ flags=flags, is_add=1)
+ self.vapi.nat44_interface_add_del_feature(
+ sw_if_index=self.pg1.sw_if_index,
+ is_add=1)
+
+ self.nat_add_address(self.nat_addr)
+ self.vapi.nat44_add_del_lb_static_mapping(is_add=1,
+ external_addr=external_addr,
+ external_port=external_port,
+ protocol=IP_PROTOS.tcp,
+ local_num=len(locals),
+ locals=locals)
+
+ server1_n = 0
+ server2_n = 0
+ clients = ip4_range(self.pg1.remote_ip4, 10, 50)
+ pkts = []
+ for client in clients:
+ p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
+ IP(src=client, dst=self.nat_addr) /
+ TCP(sport=12345, dport=external_port))
+ pkts.append(p)
+ self.pg1.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg0.get_capture(len(pkts))
+ for p in capture:
+ if p[IP].dst == server1.ip4:
+ server1_n += 1
+ else:
+ server2_n += 1
+ self.assertGreater(server1_n, server2_n)
+
+ local = {
+ 'addr': server3.ip4,
+ 'port': local_port,
+ 'probability': 20,
+ 'vrf_id': 0
+ }
+
+ # add new back-end
+ self.vapi.nat44_lb_static_mapping_add_del_local(
+ is_add=1,
+ external_addr=external_addr,
+ external_port=external_port,
+ local=local,
+ protocol=IP_PROTOS.tcp)
+ server1_n = 0
+ server2_n = 0
+ server3_n = 0
+ clients = ip4_range(self.pg1.remote_ip4, 60, 110)
+ pkts = []
+ for client in clients:
+ p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
+ IP(src=client, dst=self.nat_addr) /
+ TCP(sport=12346, dport=external_port))
+ pkts.append(p)
+ self.assertGreater(len(pkts), 0)
+ self.pg1.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg0.get_capture(len(pkts))
+ for p in capture:
+ if p[IP].dst == server1.ip4:
+ server1_n += 1
+ elif p[IP].dst == server2.ip4:
+ server2_n += 1
+ else:
+ server3_n += 1
+ self.assertGreater(server1_n, 0)
+ self.assertGreater(server2_n, 0)
+ self.assertGreater(server3_n, 0)
+
+ local = {
+ 'addr': server2.ip4,
+ 'port': local_port,
+ 'probability': 10,
+ 'vrf_id': 0
+ }
+
+ # remove one back-end
+ self.vapi.nat44_lb_static_mapping_add_del_local(
+ is_add=0,
+ external_addr=external_addr,
+ external_port=external_port,
+ local=local,
+ protocol=IP_PROTOS.tcp)
+ server1_n = 0
+ server2_n = 0
+ server3_n = 0
+ self.pg1.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg0.get_capture(len(pkts))
+ for p in capture:
+ if p[IP].dst == server1.ip4:
+ server1_n += 1
+ elif p[IP].dst == server2.ip4:
+ server2_n += 1
+ else:
+ server3_n += 1
+ self.assertGreater(server1_n, 0)
+ self.assertEqual(server2_n, 0)
+ self.assertGreater(server3_n, 0)
+
+ def test_syslog_sess(self):
+ """ NAT44ED Test syslog session creation and deletion """
+ self.vapi.syslog_set_filter(
+ self.syslog_severity.SYSLOG_API_SEVERITY_INFO)
+ self.vapi.syslog_set_sender(self.pg3.local_ip4, self.pg3.remote_ip4)
+
+ self.nat_add_address(self.nat_addr)
+ self.nat_add_inside_interface(self.pg0)
+ self.nat_add_outside_interface(self.pg1)
+
+ p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
+ TCP(sport=self.tcp_port_in, dport=self.tcp_external_port))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg1.get_capture(1)
+ self.tcp_port_out = capture[0][TCP].sport
+ capture = self.pg3.get_capture(1)
+ self.verify_syslog_sess(capture[0][Raw].load)
+
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.nat_add_address(self.nat_addr, is_add=0)
+ capture = self.pg3.get_capture(1)
+ self.verify_syslog_sess(capture[0][Raw].load, False)
+
+ def test_twice_nat_interface_addr(self):
+ """ NAT44ED Acquire twice NAT addresses from interface """
+ flags = self.config_flags.NAT_IS_TWICE_NAT
+ self.vapi.nat44_add_del_interface_addr(
+ sw_if_index=self.pg11.sw_if_index,
+ flags=flags, is_add=1)
+
+ # no address in NAT pool
+ adresses = self.vapi.nat44_address_dump()
+ self.assertEqual(0, len(adresses))
+
+ # configure interface address and check NAT address pool
+ self.pg11.config_ip4()
+ adresses = self.vapi.nat44_address_dump()
+ self.assertEqual(1, len(adresses))
+ self.assertEqual(str(adresses[0].ip_address),
+ self.pg11.local_ip4)
+ self.assertEqual(adresses[0].flags, flags)
+
+ # remove interface address and check NAT address pool
+ self.pg11.unconfig_ip4()
+ adresses = self.vapi.nat44_address_dump()
+ self.assertEqual(0, len(adresses))
+
+ def test_output_feature_stateful_acl(self):
+ """ NAT44ED output feature works with stateful ACL """
+
+ self.nat_add_address(self.nat_addr)
+ self.vapi.nat44_interface_add_del_output_feature(
+ sw_if_index=self.pg0.sw_if_index,
+ flags=self.config_flags.NAT_IS_INSIDE, is_add=1)
+ self.vapi.nat44_interface_add_del_output_feature(
+ sw_if_index=self.pg1.sw_if_index,
+ flags=self.config_flags.NAT_IS_OUTSIDE, is_add=1)
+
+ # First ensure that the NAT is working sans ACL
+
+ # send packets out2in, no sessions yet so packets should drop
+ pkts_out2in = self.create_stream_out(self.pg1)
+ self.send_and_assert_no_replies(self.pg1, pkts_out2in)
+
+ # send packets into inside intf, ensure received via outside intf
+ pkts_in2out = self.create_stream_in(self.pg0, self.pg1)
+ capture = self.send_and_expect(self.pg0, pkts_in2out, self.pg1,
+ len(pkts_in2out))
+ self.verify_capture_out(capture, ignore_port=True)
+
+ # send out2in again, with sessions created it should work now
+ pkts_out2in = self.create_stream_out(self.pg1)
+ capture = self.send_and_expect(self.pg1, pkts_out2in, self.pg0,
+ len(pkts_out2in))
+ self.verify_capture_in(capture, self.pg0)
+
+ # Create an ACL blocking everything
+ out2in_deny_rule = AclRule(is_permit=0)
+ out2in_acl = VppAcl(self, rules=[out2in_deny_rule])
+ out2in_acl.add_vpp_config()
+
+ # create an ACL to permit/reflect everything
+ in2out_reflect_rule = AclRule(is_permit=2)
+ in2out_acl = VppAcl(self, rules=[in2out_reflect_rule])
+ in2out_acl.add_vpp_config()
+
+ # apply as input acl on interface and confirm it blocks everything
+ acl_if = VppAclInterface(self, sw_if_index=self.pg1.sw_if_index,
+ n_input=1, acls=[out2in_acl])
+ acl_if.add_vpp_config()
+ self.send_and_assert_no_replies(self.pg1, pkts_out2in)
+
+ # apply output acl
+ acl_if.acls = [out2in_acl, in2out_acl]
+ acl_if.add_vpp_config()
+ # send in2out to generate ACL state (NAT state was created earlier)
+ capture = self.send_and_expect(self.pg0, pkts_in2out, self.pg1,
+ len(pkts_in2out))
+ self.verify_capture_out(capture, ignore_port=True)
+
+ # send out2in again. ACL state exists so it should work now.
+ # TCP packets with the syn flag set also need the ack flag
+ for p in pkts_out2in:
+ if p.haslayer(TCP) and p[TCP].flags & 0x02:
+ p[TCP].flags |= 0x10
+ capture = self.send_and_expect(self.pg1, pkts_out2in, self.pg0,
+ len(pkts_out2in))
+ self.verify_capture_in(capture, self.pg0)
+ self.logger.info(self.vapi.cli("show trace"))
+
+ def test_tcp_close(self):
+ """ NAT44ED Close TCP session from inside network - output feature """
+ old_timeouts = self.vapi.nat_get_timeouts()
+ new_transitory = 2
+ self.vapi.nat_set_timeouts(
+ udp=old_timeouts.udp,
+ tcp_established=old_timeouts.tcp_established,
+ icmp=old_timeouts.icmp,
+ tcp_transitory=new_transitory)
+
+ self.vapi.nat44_forwarding_enable_disable(enable=1)
+ self.nat_add_address(self.pg1.local_ip4)
+ twice_nat_addr = '10.0.1.3'
+ service_ip = '192.168.16.150'
+ self.nat_add_address(twice_nat_addr, twice_nat=1)
+
+ flags = self.config_flags.NAT_IS_INSIDE
+ self.vapi.nat44_interface_add_del_feature(
+ sw_if_index=self.pg0.sw_if_index,
+ is_add=1)
+ self.vapi.nat44_interface_add_del_feature(
+ sw_if_index=self.pg0.sw_if_index,
+ flags=flags, is_add=1)
+ self.vapi.nat44_interface_add_del_output_feature(
+ is_add=1,
+ sw_if_index=self.pg1.sw_if_index)
+
+ flags = (self.config_flags.NAT_IS_OUT2IN_ONLY |
+ self.config_flags.NAT_IS_TWICE_NAT)
+ self.nat_add_static_mapping(self.pg0.remote_ip4,
+ service_ip, 80, 80,
+ proto=IP_PROTOS.tcp,
+ flags=flags)
+ sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
+ start_sessnum = len(sessions)
+
+ # SYN packet out->in
+ p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
+ IP(src=self.pg1.remote_ip4, dst=service_ip) /
+ TCP(sport=33898, dport=80, flags="S"))
+ self.pg1.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg0.get_capture(1)
+ p = capture[0]
+ tcp_port = p[TCP].sport
+
+ # SYN + ACK packet in->out
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4, dst=twice_nat_addr) /
+ TCP(sport=80, dport=tcp_port, flags="SA"))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg1.get_capture(1)
+
+ # ACK packet out->in
+ p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
+ IP(src=self.pg1.remote_ip4, dst=service_ip) /
+ TCP(sport=33898, dport=80, flags="A"))
+ self.pg1.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg0.get_capture(1)
+
+ # FIN packet in -> out
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4, dst=twice_nat_addr) /
+ TCP(sport=80, dport=tcp_port, flags="FA", seq=100, ack=300))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg1.get_capture(1)
+
+ # FIN+ACK packet out -> in
+ p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
+ IP(src=self.pg1.remote_ip4, dst=service_ip) /
+ TCP(sport=33898, dport=80, flags="FA", seq=300, ack=101))
+ self.pg1.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg0.get_capture(1)
+
+ # ACK packet in -> out
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4, dst=twice_nat_addr) /
+ TCP(sport=80, dport=tcp_port, flags="A", seq=101, ack=301))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg1.get_capture(1)
+
+ # session now in transitory timeout
+ # try SYN packet out->in - should be dropped
+ p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
+ IP(src=self.pg1.remote_ip4, dst=service_ip) /
+ TCP(sport=33898, dport=80, flags="S"))
+ self.pg1.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+
+ self.sleep(new_transitory, "wait for transitory timeout")
+ self.pg0.assert_nothing_captured(0)
+
+ # session should still exist
+ sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
+ self.assertEqual(len(sessions) - start_sessnum, 1)
+
+ # send FIN+ACK packet out -> in - will cause session to be wiped
+ # but won't create a new session
+ p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
+ IP(src=self.pg1.remote_ip4, dst=service_ip) /
+ TCP(sport=33898, dport=80, flags="FA", seq=300, ack=101))
+ self.pg1.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+
+ sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
+ self.assertEqual(len(sessions) - start_sessnum, 0)
+ self.pg0.assert_nothing_captured(0)
+
+ def test_tcp_session_close_in(self):
+ """ NAT44ED Close TCP session from inside network """
+
+ in_port = self.tcp_port_in
+ out_port = 10505
+ ext_port = self.tcp_external_port
+
+ self.nat_add_address(self.nat_addr)
+ self.nat_add_inside_interface(self.pg0)
+ self.nat_add_outside_interface(self.pg1)
+ self.nat_add_static_mapping(self.pg0.remote_ip4, self.nat_addr,
+ in_port, out_port, proto=IP_PROTOS.tcp,
+ flags=self.config_flags.NAT_IS_TWICE_NAT)
+
+ sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
+ session_n = len(sessions)
+
+ self.vapi.nat_set_timeouts(udp=300, tcp_established=7440,
+ tcp_transitory=2, icmp=5)
+
+ self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
+
+ # FIN packet in -> out
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
+ TCP(sport=in_port, dport=ext_port,
+ flags="FA", seq=100, ack=300))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg1.get_capture(1)
+
+ pkts = []
+
+ # ACK packet out -> in
+ p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
+ IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
+ TCP(sport=ext_port, dport=out_port,
+ flags="A", seq=300, ack=101))
+ pkts.append(p)
+
+ # FIN packet out -> in
+ p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
+ IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
+ TCP(sport=ext_port, dport=out_port,
+ flags="FA", seq=300, ack=101))
+ pkts.append(p)
+
+ self.pg1.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg0.get_capture(2)
+
+ # ACK packet in -> out
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
+ TCP(sport=in_port, dport=ext_port,
+ flags="A", seq=101, ack=301))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg1.get_capture(1)
+
+ sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
+ self.assertEqual(len(sessions) - session_n, 1)
+
+ out2in_drops = self.get_err_counter(
+ '/err/nat44-ed-out2in/drops due to TCP in transitory timeout')
+ in2out_drops = self.get_err_counter(
+ '/err/nat44-ed-in2out/drops due to TCP in transitory timeout')
+
+ # extra FIN packet out -> in - this should be dropped
+ p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
+ IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
+ TCP(sport=ext_port, dport=out_port,
+ flags="FA", seq=300, ack=101))
+
+ self.pg1.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg0.assert_nothing_captured()
+
+ # extra ACK packet in -> out - this should be dropped
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
+ TCP(sport=in_port, dport=ext_port,
+ flags="A", seq=101, ack=301))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg1.assert_nothing_captured()
+
+ stats = self.get_err_counter(
+ '/err/nat44-ed-out2in/drops due to TCP in transitory timeout')
+ self.assertEqual(stats - out2in_drops, 1)
+ stats = self.get_err_counter(
+ '/err/nat44-ed-in2out/drops due to TCP in transitory timeout')
+ self.assertEqual(stats - in2out_drops, 1)
+
+ self.sleep(3)
+ # extra ACK packet in -> out - this will cause session to be wiped
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
+ TCP(sport=in_port, dport=ext_port,
+ flags="A", seq=101, ack=301))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg1.assert_nothing_captured()
+ sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
+ self.assertEqual(len(sessions) - session_n, 0)
+
+ def test_tcp_session_close_out(self):
+ """ NAT44ED Close TCP session from outside network """
+
+ in_port = self.tcp_port_in
+ out_port = 10505
+ ext_port = self.tcp_external_port
+
+ self.nat_add_address(self.nat_addr)
+ self.nat_add_inside_interface(self.pg0)
+ self.nat_add_outside_interface(self.pg1)
+ self.nat_add_static_mapping(self.pg0.remote_ip4, self.nat_addr,
+ in_port, out_port, proto=IP_PROTOS.tcp,
+ flags=self.config_flags.NAT_IS_TWICE_NAT)
+
+ sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
+ session_n = len(sessions)
+
+ self.vapi.nat_set_timeouts(udp=300, tcp_established=7440,
+ tcp_transitory=2, icmp=5)
+
+ _ = self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
+
+ # FIN packet out -> in
+ p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
+ IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
+ TCP(sport=ext_port, dport=out_port,
+ flags="FA", seq=100, ack=300))
+ self.pg1.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg0.get_capture(1)
+
+ # FIN+ACK packet in -> out
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
+ TCP(sport=in_port, dport=ext_port,
+ flags="FA", seq=300, ack=101))
+
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg1.get_capture(1)
+
+ # ACK packet out -> in
+ p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
+ IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
+ TCP(sport=ext_port, dport=out_port,
+ flags="A", seq=101, ack=301))
+ self.pg1.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg0.get_capture(1)
+
+ sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
+ self.assertEqual(len(sessions) - session_n, 1)
+
+ out2in_drops = self.get_err_counter(
+ '/err/nat44-ed-out2in/drops due to TCP in transitory timeout')
+ in2out_drops = self.get_err_counter(
+ '/err/nat44-ed-in2out/drops due to TCP in transitory timeout')
+
+ # extra FIN packet out -> in - this should be dropped
+ p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
+ IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
+ TCP(sport=ext_port, dport=out_port,
+ flags="FA", seq=300, ack=101))
+
+ self.pg1.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg0.assert_nothing_captured()
+
+ # extra ACK packet in -> out - this should be dropped
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
+ TCP(sport=in_port, dport=ext_port,
+ flags="A", seq=101, ack=301))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg1.assert_nothing_captured()
+
+ stats = self.get_err_counter(
+ '/err/nat44-ed-out2in/drops due to TCP in transitory timeout')
+ self.assertEqual(stats - out2in_drops, 1)
+ stats = self.get_err_counter(
+ '/err/nat44-ed-in2out/drops due to TCP in transitory timeout')
+ self.assertEqual(stats - in2out_drops, 1)
+
+ self.sleep(3)
+ # extra ACK packet in -> out - this will cause session to be wiped
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
+ TCP(sport=in_port, dport=ext_port,
+ flags="A", seq=101, ack=301))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg1.assert_nothing_captured()
+ sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
+ self.assertEqual(len(sessions) - session_n, 0)
+
+ def test_tcp_session_close_simultaneous(self):
+ """ NAT44ED Close TCP session from inside network """
+
+ in_port = self.tcp_port_in
+ ext_port = 10505
+
+ self.nat_add_address(self.nat_addr)
+ self.nat_add_inside_interface(self.pg0)
+ self.nat_add_outside_interface(self.pg1)
+ self.nat_add_static_mapping(self.pg0.remote_ip4, self.nat_addr,
+ in_port, ext_port, proto=IP_PROTOS.tcp,
+ flags=self.config_flags.NAT_IS_TWICE_NAT)
+
+ sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
+ session_n = len(sessions)
+
+ self.vapi.nat_set_timeouts(udp=300, tcp_established=7440,
+ tcp_transitory=2, icmp=5)
+
+ out_port = self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
+
+ # FIN packet in -> out
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
+ TCP(sport=in_port, dport=ext_port,
+ flags="FA", seq=100, ack=300))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg1.get_capture(1)
+
+ # FIN packet out -> in
+ p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
+ IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
+ TCP(sport=ext_port, dport=out_port,
+ flags="FA", seq=300, ack=100))
+ self.pg1.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg0.get_capture(1)
+
+ # ACK packet in -> out
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
+ TCP(sport=in_port, dport=ext_port,
+ flags="A", seq=101, ack=301))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg1.get_capture(1)
+
+ # ACK packet out -> in
+ p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
+ IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
+ TCP(sport=ext_port, dport=out_port,
+ flags="A", seq=301, ack=101))
+ self.pg1.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg0.get_capture(1)
+
+ sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
+ self.assertEqual(len(sessions) - session_n, 1)
+
+ out2in_drops = self.get_err_counter(
+ '/err/nat44-ed-out2in/drops due to TCP in transitory timeout')
+ in2out_drops = self.get_err_counter(
+ '/err/nat44-ed-in2out/drops due to TCP in transitory timeout')
+
+ # extra FIN packet out -> in - this should be dropped
+ p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
+ IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
+ TCP(sport=ext_port, dport=out_port,
+ flags="FA", seq=300, ack=101))
+
+ self.pg1.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg0.assert_nothing_captured()
+
+ # extra ACK packet in -> out - this should be dropped
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
+ TCP(sport=in_port, dport=ext_port,
+ flags="A", seq=101, ack=301))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg1.assert_nothing_captured()
+
+ stats = self.get_err_counter(
+ '/err/nat44-ed-out2in/drops due to TCP in transitory timeout')
+ self.assertEqual(stats - out2in_drops, 1)
+ stats = self.get_err_counter(
+ '/err/nat44-ed-in2out/drops due to TCP in transitory timeout')
+ self.assertEqual(stats - in2out_drops, 1)
+
+ self.sleep(3)
+ # extra ACK packet in -> out - this will cause session to be wiped
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
+ TCP(sport=in_port, dport=ext_port,
+ flags="A", seq=101, ack=301))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg1.assert_nothing_captured()
+ sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
+ self.assertEqual(len(sessions) - session_n, 0)
+
+ def test_dynamic_output_feature_vrf(self):
+ """ NAT44ED dynamic translation test: output-feature, VRF"""
+
+ # other then default (0)
+ new_vrf_id = 22
+
+ self.nat_add_address(self.nat_addr)
+ flags = self.config_flags.NAT_IS_INSIDE
+ self.vapi.nat44_interface_add_del_output_feature(
+ sw_if_index=self.pg7.sw_if_index,
+ flags=flags, is_add=1)
+ self.vapi.nat44_interface_add_del_output_feature(
+ sw_if_index=self.pg8.sw_if_index,
+ is_add=1)
+
+ try:
+ self.configure_ip4_interface(self.pg7, table_id=new_vrf_id)
+ self.configure_ip4_interface(self.pg8, table_id=new_vrf_id)
+
+ # in2out
+ tcpn = self.get_stats_counter(
+ '/nat44/ed/in2out/slowpath/tcp')
+ udpn = self.get_stats_counter(
+ '/nat44/ed/in2out/slowpath/udp')
+ icmpn = self.get_stats_counter(
+ '/nat44/ed/in2out/slowpath/icmp')
+ drops = self.get_stats_counter(
+ '/nat44/ed/in2out/slowpath/drops')
+
+ pkts = self.create_stream_in(self.pg7, self.pg8)
+ self.pg7.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg8.get_capture(len(pkts))
+ self.verify_capture_out(capture, ignore_port=True)
+
+ if_idx = self.pg7.sw_if_index
+ cnt = self.get_stats_counter(
+ '/nat44/ed/in2out/slowpath/tcp')
+ self.assertEqual(cnt[if_idx] - tcpn[if_idx], 2)
+ cnt = self.get_stats_counter(
+ '/nat44/ed/in2out/slowpath/udp')
+ self.assertEqual(cnt[if_idx] - udpn[if_idx], 1)
+ cnt = self.get_stats_counter(
+ '/nat44/ed/in2out/slowpath/icmp')
+ self.assertEqual(cnt[if_idx] - icmpn[if_idx], 1)
+ cnt = self.get_stats_counter(
+ '/nat44/ed/in2out/slowpath/drops')
+ self.assertEqual(cnt[if_idx] - drops[if_idx], 0)
+
+ # out2in
+ tcpn = self.get_stats_counter(
+ '/nat44/ed/out2in/fastpath/tcp')
+ udpn = self.get_stats_counter(
+ '/nat44/ed/out2in/fastpath/udp')
+ icmpn = self.get_stats_counter(
+ '/nat44/ed/out2in/slowpath/icmp')
+ drops = self.get_stats_counter(
+ '/nat44/ed/out2in/fastpath/drops')
+
+ pkts = self.create_stream_out(self.pg8)
+ self.pg8.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg7.get_capture(len(pkts))
+ self.verify_capture_in(capture, self.pg7)
+
+ if_idx = self.pg8.sw_if_index
+ cnt = self.get_stats_counter(
+ '/nat44/ed/out2in/fastpath/tcp')
+ self.assertEqual(cnt[if_idx] - tcpn[if_idx], 2)
+ cnt = self.get_stats_counter(
+ '/nat44/ed/out2in/fastpath/udp')
+ self.assertEqual(cnt[if_idx] - udpn[if_idx], 1)
+ cnt = self.get_stats_counter(
+ '/nat44/ed/out2in/slowpath/icmp')
+ self.assertEqual(cnt[if_idx] - icmpn[if_idx], 1)
+ cnt = self.get_stats_counter(
+ '/nat44/ed/out2in/fastpath/drops')
+ self.assertEqual(cnt[if_idx] - drops[if_idx], 0)
+
+ sessions = self.get_stats_counter('/nat44/total-sessions')
+ self.assertEqual(sessions[0], 3)
+
+ finally:
+ self.configure_ip4_interface(self.pg7, table_id=0)
+ self.configure_ip4_interface(self.pg8, table_id=0)
+
+ self.vapi.ip_table_add_del(is_add=0,
+ table={'table_id': new_vrf_id})
+
+ def test_next_src_nat(self):
+ """ NAT44ED On way back forward packet to nat44-in2out node. """
+
+ twice_nat_addr = '10.0.1.3'
+ external_port = 80
+ local_port = 8080
+ post_twice_nat_port = 0
+
+ self.vapi.nat44_forwarding_enable_disable(enable=1)
+ self.nat_add_address(twice_nat_addr, twice_nat=1)
+ flags = (self.config_flags.NAT_IS_OUT2IN_ONLY |
+ self.config_flags.NAT_IS_SELF_TWICE_NAT)
+ self.nat_add_static_mapping(self.pg6.remote_ip4, self.pg1.remote_ip4,
+ local_port, external_port,
+ proto=IP_PROTOS.tcp, vrf_id=1,
+ flags=flags)
+ self.vapi.nat44_interface_add_del_feature(
+ sw_if_index=self.pg6.sw_if_index,
+ is_add=1)
+
+ p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) /
+ IP(src=self.pg6.remote_ip4, dst=self.pg1.remote_ip4) /
+ TCP(sport=12345, dport=external_port))
+ self.pg6.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg6.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.src, twice_nat_addr)
+ self.assertNotEqual(tcp.sport, 12345)
+ post_twice_nat_port = tcp.sport
+ self.assertEqual(ip.dst, self.pg6.remote_ip4)
+ self.assertEqual(tcp.dport, local_port)
+ self.assert_packet_checksums_valid(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) /
+ IP(src=self.pg6.remote_ip4, dst=twice_nat_addr) /
+ TCP(sport=local_port, dport=post_twice_nat_port))
+ self.pg6.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg6.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.src, self.pg1.remote_ip4)
+ self.assertEqual(tcp.sport, external_port)
+ self.assertEqual(ip.dst, self.pg6.remote_ip4)
+ self.assertEqual(tcp.dport, 12345)
+ self.assert_packet_checksums_valid(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ def test_one_armed_nat44_static(self):
+ """ NAT44ED One armed NAT and 1:1 NAPT asymmetrical rule """
+
+ remote_host = self.pg4.remote_hosts[0]
+ local_host = self.pg4.remote_hosts[1]
+ external_port = 80
+ local_port = 8080
+ eh_port_in = 0
+
+ self.vapi.nat44_forwarding_enable_disable(enable=1)
+ self.nat_add_address(self.nat_addr, twice_nat=1)
+ flags = (self.config_flags.NAT_IS_OUT2IN_ONLY |
+ self.config_flags.NAT_IS_TWICE_NAT)
+ self.nat_add_static_mapping(local_host.ip4, self.nat_addr,
+ local_port, external_port,
+ proto=IP_PROTOS.tcp, flags=flags)
+ flags = self.config_flags.NAT_IS_INSIDE
+ self.vapi.nat44_interface_add_del_feature(
+ sw_if_index=self.pg4.sw_if_index,
+ is_add=1)
+ self.vapi.nat44_interface_add_del_feature(
+ sw_if_index=self.pg4.sw_if_index,
+ flags=flags, is_add=1)
+
+ # from client to service
+ p = (Ether(src=self.pg4.remote_mac, dst=self.pg4.local_mac) /
+ IP(src=remote_host.ip4, dst=self.nat_addr) /
+ TCP(sport=12345, dport=external_port))
+ self.pg4.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg4.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.dst, local_host.ip4)
+ self.assertEqual(ip.src, self.nat_addr)
+ self.assertEqual(tcp.dport, local_port)
+ self.assertNotEqual(tcp.sport, 12345)
+ eh_port_in = tcp.sport
+ self.assert_packet_checksums_valid(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ # from service back to client
+ p = (Ether(src=self.pg4.remote_mac, dst=self.pg4.local_mac) /
+ IP(src=local_host.ip4, dst=self.nat_addr) /
+ TCP(sport=local_port, dport=eh_port_in))
+ self.pg4.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg4.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.src, self.nat_addr)
+ self.assertEqual(ip.dst, remote_host.ip4)
+ self.assertEqual(tcp.sport, external_port)
+ self.assertEqual(tcp.dport, 12345)
+ self.assert_packet_checksums_valid(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+
+if __name__ == '__main__':
+ unittest.main(testRunner=VppTestRunner)
diff --git a/src/plugins/nat/test/test_nat44.py b/src/plugins/nat/test/test_nat44_ei.py
index 0dcf6d5f2ab..16a3376e9b2 100644
--- a/src/plugins/nat/test/test_nat44.py
+++ b/src/plugins/nat/test/test_nat44_ei.py
@@ -9,7 +9,7 @@ from io import BytesIO
from time import sleep
import scapy.compat
-from framework import VppTestCase, VppTestRunner, running_extended_tests
+from framework import VppTestCase, VppTestRunner
from ipfix import IPFIX, Set, Template, Data, IPFIXDecoder
from scapy.all import bind_layers, Packet, ByteEnumField, ShortField, \
IPField, IntField, LongField, XByteField, FlagsField, FieldLenField, \
@@ -17,16 +17,12 @@ from scapy.all import bind_layers, Packet, ByteEnumField, ShortField, \
from scapy.data import IP_PROTOS
from scapy.layers.inet import IP, TCP, UDP, ICMP
from scapy.layers.inet import IPerror, TCPerror, UDPerror, ICMPerror
-from scapy.layers.inet6 import ICMPv6DestUnreach, IPerror6, IPv6ExtHdrFragment
-from scapy.layers.inet6 import IPv6, ICMPv6EchoRequest, ICMPv6EchoReply, \
- ICMPv6ND_NS, ICMPv6ND_NA, ICMPv6NDOptDstLLAddr, fragment6
+from scapy.layers.inet6 import IPv6, ICMPv6EchoRequest, ICMPv6EchoReply
from scapy.layers.l2 import Ether, ARP, GRE
from scapy.packet import Raw
from syslog_rfc5424_parser import SyslogMessage, ParseError
from syslog_rfc5424_parser.constants import SyslogSeverity
-from util import ip4_range
-from util import ppc, ppp
-from vpp_acl import AclRule, VppAcl, VppAclInterface
+from util import ppp
from vpp_ip_route import VppIpRoute, VppRoutePath
from vpp_neighbor import VppNeighbor
from vpp_papi import VppEnum
@@ -88,7 +84,7 @@ class MethodHolder(VppTestCase):
is_add=1, external_sw_if_index=0xFFFFFFFF,
proto=0, tag="", flags=0):
"""
- Add/delete NAT44 static mapping
+ Add/delete NAT44EI static mapping
:param local_ip: Local IP address
:param external_ip: External IP address
@@ -118,7 +114,7 @@ class MethodHolder(VppTestCase):
def nat44_add_address(self, ip, is_add=1, vrf_id=0xFFFFFFFF, twice_nat=0):
"""
- Add/delete NAT44 address
+ Add/delete NAT44EI address
:param ip: IP address
:param is_add: 1 if add, 0 if delete (Default add)
@@ -131,6 +127,29 @@ class MethodHolder(VppTestCase):
is_add=is_add,
flags=flags)
+ def create_routes_and_neigbors(self):
+ r1 = VppIpRoute(self, self.pg7.remote_ip4, 32,
+ [VppRoutePath(self.pg7.remote_ip4,
+ self.pg7.sw_if_index)])
+ r2 = VppIpRoute(self, self.pg8.remote_ip4, 32,
+ [VppRoutePath(self.pg8.remote_ip4,
+ self.pg8.sw_if_index)])
+ r1.add_vpp_config()
+ r2.add_vpp_config()
+
+ n1 = VppNeighbor(self,
+ self.pg7.sw_if_index,
+ self.pg7.remote_mac,
+ self.pg7.remote_ip4,
+ is_static=1)
+ n2 = VppNeighbor(self,
+ self.pg8.sw_if_index,
+ self.pg8.remote_mac,
+ self.pg8.remote_ip4,
+ is_static=1)
+ n1.add_vpp_config()
+ n2.add_vpp_config()
+
def create_stream_in(self, in_if, out_if, dst_ip=None, ttl=64):
"""
Create packet stream for inside network
@@ -208,48 +227,6 @@ class MethodHolder(VppTestCase):
packed_pref_n = b''.join([scapy.compat.chb(x) for x in pref_n])
return socket.inet_ntop(socket.AF_INET6, packed_pref_n)
- def extract_ip4(self, ip6, plen):
- """
- Extract IPv4 address embedded in IPv6 addresses
-
- :param ip6: IPv6 address
- :param plen: IPv6 prefix length
- :returns: extracted IPv4 address
- """
- ip6_n = list(socket.inet_pton(socket.AF_INET6, ip6))
- ip4_n = [None] * 4
- if plen == 32:
- ip4_n[0] = ip6_n[4]
- ip4_n[1] = ip6_n[5]
- ip4_n[2] = ip6_n[6]
- ip4_n[3] = ip6_n[7]
- elif plen == 40:
- ip4_n[0] = ip6_n[5]
- ip4_n[1] = ip6_n[6]
- ip4_n[2] = ip6_n[7]
- ip4_n[3] = ip6_n[9]
- elif plen == 48:
- ip4_n[0] = ip6_n[6]
- ip4_n[1] = ip6_n[7]
- ip4_n[2] = ip6_n[9]
- ip4_n[3] = ip6_n[10]
- elif plen == 56:
- ip4_n[0] = ip6_n[7]
- ip4_n[1] = ip6_n[9]
- ip4_n[2] = ip6_n[10]
- ip4_n[3] = ip6_n[11]
- elif plen == 64:
- ip4_n[0] = ip6_n[9]
- ip4_n[1] = ip6_n[10]
- ip4_n[2] = ip6_n[11]
- ip4_n[3] = ip6_n[12]
- elif plen == 96:
- ip4_n[0] = ip6_n[12]
- ip4_n[1] = ip6_n[13]
- ip4_n[2] = ip6_n[14]
- ip4_n[3] = ip6_n[15]
- return socket.inet_ntop(socket.AF_INET, ''.join(ip4_n))
-
def create_stream_out(self, out_if, dst_ip=None, ttl=64,
use_inside_ports=False):
"""
@@ -416,31 +393,6 @@ class MethodHolder(VppTestCase):
"(inside network):", packet))
raise
- def verify_capture_in_ip6(self, capture, src_ip, dst_ip):
- """
- Verify captured IPv6 packets on inside network
-
- :param capture: Captured packets
- :param src_ip: Source IP
- :param dst_ip: Destination IP address
- """
- for packet in capture:
- try:
- self.assertEqual(packet[IPv6].src, src_ip)
- self.assertEqual(packet[IPv6].dst, dst_ip)
- self.assert_packet_checksums_valid(packet)
- if packet.haslayer(TCP):
- self.assertEqual(packet[TCP].dport, self.tcp_port_in)
- elif packet.haslayer(UDP):
- self.assertEqual(packet[UDP].dport, self.udp_port_in)
- else:
- self.assertEqual(packet[ICMPv6EchoReply].id,
- self.icmp_id_in)
- except:
- self.logger.error(ppp("Unexpected or invalid packet "
- "(inside network):", packet))
- raise
-
def verify_capture_no_translation(self, capture, ingress_if, egress_if):
"""
Verify captured packet that don't have to be translated
@@ -619,79 +571,9 @@ class MethodHolder(VppTestCase):
p = (ip / ICMP(buffer.getvalue()))
return p
- def reass_frags_and_verify_ip6(self, frags, src, dst):
- """
- Reassemble and verify fragmented packet
-
- :param frags: Captured fragments
- :param src: Source IPv6 address to verify
- :param dst: Destination IPv6 address to verify
-
- :returns: Reassembled IPv6 packet
- """
- buffer = BytesIO()
- for p in frags:
- self.assertEqual(p[IPv6].src, src)
- self.assertEqual(p[IPv6].dst, dst)
- buffer.seek(p[IPv6ExtHdrFragment].offset * 8)
- buffer.write(bytes(p[IPv6ExtHdrFragment].payload))
- ip = IPv6(src=frags[0][IPv6].src, dst=frags[0][IPv6].dst,
- nh=frags[0][IPv6ExtHdrFragment].nh)
- if ip.nh == IP_PROTOS.tcp:
- p = (ip / TCP(buffer.getvalue()))
- elif ip.nh == IP_PROTOS.udp:
- p = (ip / UDP(buffer.getvalue()))
- self.logger.debug(ppp("Reassembled:", p))
- self.assert_packet_checksums_valid(p)
- return p
-
- def initiate_tcp_session(self, in_if, out_if):
- """
- Initiates TCP session
-
- :param in_if: Inside interface
- :param out_if: Outside interface
- """
- try:
- # SYN packet in->out
- p = (Ether(src=in_if.remote_mac, dst=in_if.local_mac) /
- IP(src=in_if.remote_ip4, dst=out_if.remote_ip4) /
- TCP(sport=self.tcp_port_in, dport=self.tcp_external_port,
- flags="S"))
- in_if.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = out_if.get_capture(1)
- p = capture[0]
- self.tcp_port_out = p[TCP].sport
-
- # SYN + ACK packet out->in
- p = (Ether(src=out_if.remote_mac, dst=out_if.local_mac) /
- IP(src=out_if.remote_ip4, dst=self.nat_addr) /
- TCP(sport=self.tcp_external_port, dport=self.tcp_port_out,
- flags="SA"))
- out_if.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- in_if.get_capture(1)
-
- # ACK packet in->out
- p = (Ether(src=in_if.remote_mac, dst=in_if.local_mac) /
- IP(src=in_if.remote_ip4, dst=out_if.remote_ip4) /
- TCP(sport=self.tcp_port_in, dport=self.tcp_external_port,
- flags="A"))
- in_if.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- out_if.get_capture(1)
-
- except:
- self.logger.error("TCP 3 way handshake failed")
- raise
-
def verify_ipfix_nat44_ses(self, data):
"""
- Verify IPFIX NAT44 session create/delete event
+ Verify IPFIX NAT44EI session create/delete event
:param data: Decoded IPFIX data records
"""
@@ -735,11 +617,6 @@ class MethodHolder(VppTestCase):
self.assertEqual(3, nat44_ses_delete_num)
def verify_ipfix_addr_exhausted(self, data):
- """
- Verify IPFIX NAT addresses event
-
- :param data: Decoded IPFIX data records
- """
self.assertEqual(1, len(data))
record = data[0]
# natEvent
@@ -748,12 +625,6 @@ class MethodHolder(VppTestCase):
self.assertEqual(struct.pack("!I", 0), record[283])
def verify_ipfix_max_sessions(self, data, limit):
- """
- Verify IPFIX maximum session entries exceeded event
-
- :param data: Decoded IPFIX data records
- :param limit: Number of maximum session entries that can be created.
- """
self.assertEqual(1, len(data))
record = data[0]
# natEvent
@@ -763,24 +634,8 @@ class MethodHolder(VppTestCase):
# maxSessionEntries
self.assertEqual(struct.pack("I", limit), record[471])
- def verify_ipfix_max_bibs(self, data, limit):
- """
- Verify IPFIX maximum BIB entries exceeded event
-
- :param data: Decoded IPFIX data records
- :param limit: Number of maximum BIB entries that can be created.
- """
- self.assertEqual(1, len(data))
- record = data[0]
- # natEvent
- self.assertEqual(scapy.compat.orb(record[230]), 13)
- # natQuotaExceededEvent
- self.assertEqual(struct.pack("I", 2), record[466])
- # maxBIBEntries
- self.assertEqual(struct.pack("I", limit), record[472])
-
def verify_no_nat44_user(self):
- """ Verify that there is no NAT44 user """
+ """ Verify that there is no NAT44EI user """
users = self.vapi.nat44_user_dump()
self.assertEqual(len(users), 0)
users = self.statistics.get_counter('/nat44/total-users')
@@ -788,25 +643,6 @@ class MethodHolder(VppTestCase):
sessions = self.statistics.get_counter('/nat44/total-sessions')
self.assertEqual(sessions[0][0], 0)
- def verify_ipfix_max_entries_per_user(self, data, limit, src_addr):
- """
- Verify IPFIX maximum entries per user exceeded event
-
- :param data: Decoded IPFIX data records
- :param limit: Number of maximum entries per user
- :param src_addr: IPv4 source address
- """
- self.assertEqual(1, len(data))
- record = data[0]
- # natEvent
- self.assertEqual(scapy.compat.orb(record[230]), 13)
- # natQuotaExceededEvent
- self.assertEqual(struct.pack("I", 3), record[466])
- # maxEntriesPerUser
- self.assertEqual(struct.pack("I", limit), record[473])
- # sourceIPv4Address
- self.assertEqual(socket.inet_pton(socket.AF_INET, src_addr), record[8])
-
def verify_syslog_apmap(self, data, is_add=True):
message = data.decode('utf-8')
try:
@@ -830,43 +666,7 @@ class MethodHolder(VppTestCase):
self.assertTrue(sd_params.get('SSUBIX') is not None)
self.assertEqual(sd_params.get('SVLAN'), '0')
- def verify_syslog_sess(self, data, is_add=True, is_ip6=False):
- message = data.decode('utf-8')
- try:
- message = SyslogMessage.parse(message)
- except ParseError as e:
- self.logger.error(e)
- raise
- else:
- self.assertEqual(message.severity, SyslogSeverity.info)
- self.assertEqual(message.appname, 'NAT')
- self.assertEqual(message.msgid, 'SADD' if is_add else 'SDEL')
- sd_params = message.sd.get('nsess')
- self.assertTrue(sd_params is not None)
- if is_ip6:
- self.assertEqual(sd_params.get('IATYP'), 'IPv6')
- self.assertEqual(sd_params.get('ISADDR'), self.pg0.remote_ip6)
- else:
- self.assertEqual(sd_params.get('IATYP'), 'IPv4')
- self.assertEqual(sd_params.get('ISADDR'), self.pg0.remote_ip4)
- self.assertTrue(sd_params.get('SSUBIX') is not None)
- self.assertEqual(sd_params.get('ISPORT'), "%d" % self.tcp_port_in)
- self.assertEqual(sd_params.get('XATYP'), 'IPv4')
- self.assertEqual(sd_params.get('XSADDR'), self.nat_addr)
- self.assertEqual(sd_params.get('XSPORT'), "%d" % self.tcp_port_out)
- self.assertEqual(sd_params.get('PROTO'), "%d" % IP_PROTOS.tcp)
- self.assertEqual(sd_params.get('SVLAN'), '0')
- self.assertEqual(sd_params.get('XDADDR'), self.pg1.remote_ip4)
- self.assertEqual(sd_params.get('XDPORT'),
- "%d" % self.tcp_external_port)
-
def verify_mss_value(self, pkt, mss):
- """
- Verify TCP MSS value
-
- :param pkt:
- :param mss:
- """
if not pkt.haslayer(IP) or not pkt.haslayer(TCP):
raise TypeError("Not a TCP/IP packet")
@@ -953,58 +753,10 @@ class MethodHolder(VppTestCase):
self.assertEqual(p[layer].id, self.port_in)
self.assertEqual(data, p[Raw].load)
- def frag_in_order_in_plus_out(self, proto=IP_PROTOS.tcp):
- layer = self.proto2layer(proto)
-
- if proto == IP_PROTOS.tcp:
- data = b"A" * 4 + b"B" * 16 + b"C" * 3
- else:
- data = b"A" * 16 + b"B" * 16 + b"C" * 3
- self.port_in = random.randint(1025, 65535)
-
- for i in range(2):
- # out2in
- pkts = self.create_stream_frag(self.pg0, self.server_out_addr,
- self.port_in, self.server_out_port,
- data, proto)
- self.pg0.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- frags = self.pg1.get_capture(len(pkts))
- p = self.reass_frags_and_verify(frags,
- self.pg0.remote_ip4,
- self.server_in_addr)
- if proto != IP_PROTOS.icmp:
- self.assertEqual(p[layer].sport, self.port_in)
- self.assertEqual(p[layer].dport, self.server_in_port)
- else:
- self.assertEqual(p[layer].id, self.port_in)
- self.assertEqual(data, p[Raw].load)
-
- # in2out
- if proto != IP_PROTOS.icmp:
- pkts = self.create_stream_frag(self.pg1, self.pg0.remote_ip4,
- self.server_in_port,
- p[layer].sport, data, proto)
- else:
- pkts = self.create_stream_frag(self.pg1, self.pg0.remote_ip4,
- p[layer].id, 0, data, proto,
- echo_reply=True)
- self.pg1.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- frags = self.pg0.get_capture(len(pkts))
- p = self.reass_frags_and_verify(frags,
- self.server_out_addr,
- self.pg0.remote_ip4)
- if proto != IP_PROTOS.icmp:
- self.assertEqual(p[layer].sport, self.server_out_port)
- self.assertEqual(p[layer].dport, self.port_in)
- else:
- self.assertEqual(p[layer].id, self.port_in)
- self.assertEqual(data, p[Raw].load)
+ def reass_hairpinning(self, server_addr, server_in_port, server_out_port,
+ host_in_port, proto=IP_PROTOS.tcp,
+ ignore_port=False):
- def reass_hairpinning(self, proto=IP_PROTOS.tcp, ignore_port=False):
layer = self.proto2layer(proto)
if proto == IP_PROTOS.tcp:
@@ -1015,8 +767,8 @@ class MethodHolder(VppTestCase):
# send packet from host to server
pkts = self.create_stream_frag(self.pg0,
self.nat_addr,
- self.host_in_port,
- self.server_out_port,
+ host_in_port,
+ server_out_port,
data,
proto)
self.pg0.add_stream(pkts)
@@ -1025,14 +777,14 @@ class MethodHolder(VppTestCase):
frags = self.pg0.get_capture(len(pkts))
p = self.reass_frags_and_verify(frags,
self.nat_addr,
- self.server.ip4)
+ server_addr)
if proto != IP_PROTOS.icmp:
if not ignore_port:
- self.assertNotEqual(p[layer].sport, self.host_in_port)
- self.assertEqual(p[layer].dport, self.server_in_port)
+ self.assertNotEqual(p[layer].sport, host_in_port)
+ self.assertEqual(p[layer].dport, server_in_port)
else:
if not ignore_port:
- self.assertNotEqual(p[layer].id, self.host_in_port)
+ self.assertNotEqual(p[layer].id, host_in_port)
self.assertEqual(data, p[Raw].load)
def frag_out_of_order(self, proto=IP_PROTOS.tcp, dont_translate=False,
@@ -1105,95 +857,16 @@ class MethodHolder(VppTestCase):
self.assertEqual(p[layer].id, self.port_in)
self.assertEqual(data, p[Raw].load)
- def frag_out_of_order_in_plus_out(self, proto=IP_PROTOS.tcp):
- layer = self.proto2layer(proto)
-
- if proto == IP_PROTOS.tcp:
- data = b"A" * 4 + b"B" * 16 + b"C" * 3
- else:
- data = b"A" * 16 + b"B" * 16 + b"C" * 3
- self.port_in = random.randint(1025, 65535)
- for i in range(2):
- # out2in
- pkts = self.create_stream_frag(self.pg0, self.server_out_addr,
- self.port_in, self.server_out_port,
- data, proto)
- pkts.reverse()
- self.pg0.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- frags = self.pg1.get_capture(len(pkts))
- p = self.reass_frags_and_verify(frags,
- self.pg0.remote_ip4,
- self.server_in_addr)
- if proto != IP_PROTOS.icmp:
- self.assertEqual(p[layer].dport, self.server_in_port)
- self.assertEqual(p[layer].sport, self.port_in)
- self.assertEqual(p[layer].dport, self.server_in_port)
- else:
- self.assertEqual(p[layer].id, self.port_in)
- self.assertEqual(data, p[Raw].load)
-
- # in2out
- if proto != IP_PROTOS.icmp:
- pkts = self.create_stream_frag(self.pg1, self.pg0.remote_ip4,
- self.server_in_port,
- p[layer].sport, data, proto)
- else:
- pkts = self.create_stream_frag(self.pg1, self.pg0.remote_ip4,
- p[layer].id, 0, data, proto,
- echo_reply=True)
- pkts.reverse()
- self.pg1.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- frags = self.pg0.get_capture(len(pkts))
- p = self.reass_frags_and_verify(frags,
- self.server_out_addr,
- self.pg0.remote_ip4)
- if proto != IP_PROTOS.icmp:
- self.assertEqual(p[layer].sport, self.server_out_port)
- self.assertEqual(p[layer].dport, self.port_in)
- else:
- self.assertEqual(p[layer].id, self.port_in)
- self.assertEqual(data, p[Raw].load)
-
-
-class TestNATMisc(MethodHolder):
- """ NAT misc Test Cases """
-
- max_translations = 10240
- max_users = 10240
-
- def setUp(self):
- super(TestNATMisc, self).setUp()
- self.vapi.nat44_plugin_enable_disable(
- sessions=self.max_translations,
- users=self.max_users, enable=1)
-
- def tearDown(self):
- super(TestNATMisc, self).tearDown()
- if not self.vpp_dead:
- self.vapi.nat44_plugin_enable_disable(enable=0)
- self.vapi.cli("clear logging")
-
- def test_show_max_translations(self):
- """ API test - max translations per thread """
- nat_config = self.vapi.nat_show_config_2()
- self.assertEqual(self.max_translations,
- nat_config.max_translations_per_thread)
-
-
-class TestNAT44(MethodHolder):
- """ NAT44 Test Cases """
+class TestNAT44EI(MethodHolder):
+ """ NAT44EI Test Cases """
max_translations = 10240
max_users = 10240
@classmethod
def setUpClass(cls):
- super(TestNAT44, cls).setUpClass()
+ super(TestNAT44EI, cls).setUpClass()
cls.vapi.cli("set log class nat level debug")
cls.tcp_port_in = 6303
@@ -1256,17 +929,13 @@ class TestNAT44(MethodHolder):
cls.pg9.resolve_arp()
def setUp(self):
- super(TestNAT44, self).setUp()
+ super(TestNAT44EI, self).setUp()
self.vapi.nat44_plugin_enable_disable(
sessions=self.max_translations,
users=self.max_users, enable=1)
- @classmethod
- def tearDownClass(cls):
- super(TestNAT44, cls).tearDownClass()
-
def tearDown(self):
- super(TestNAT44, self).tearDown()
+ super(TestNAT44EI, self).tearDown()
if not self.vpp_dead:
self.vapi.nat_ipfix_enable_disable(domain_id=self.ipfix_domain_id,
src_port=self.ipfix_src_port,
@@ -1278,7 +947,7 @@ class TestNAT44(MethodHolder):
self.vapi.cli("clear logging")
def test_clear_sessions(self):
- """ NAT44 session clearing test """
+ """ NAT44EI session clearing test """
self.nat44_add_address(self.nat_addr)
flags = self.config_flags.NAT_IS_INSIDE
@@ -1310,7 +979,7 @@ class TestNAT44(MethodHolder):
self.logger.info("sessions after clearing: %s" % sessions[0][0])
def test_dynamic(self):
- """ NAT44 dynamic translation test """
+ """ NAT44EI dynamic translation test """
self.nat44_add_address(self.nat_addr)
flags = self.config_flags.NAT_IS_INSIDE
self.vapi.nat44_interface_add_del_feature(
@@ -1372,7 +1041,7 @@ class TestNAT44(MethodHolder):
self.assertEqual(sessions[0][0], 3)
def test_dynamic_icmp_errors_in2out_ttl_1(self):
- """ NAT44 handling of client packets with TTL=1 """
+ """ NAT44EI handling of client packets with TTL=1 """
self.nat44_add_address(self.nat_addr)
flags = self.config_flags.NAT_IS_INSIDE
@@ -1394,7 +1063,7 @@ class TestNAT44(MethodHolder):
self.verify_capture_in_with_icmp_errors(capture, self.pg0)
def test_dynamic_icmp_errors_out2in_ttl_1(self):
- """ NAT44 handling of server packets with TTL=1 """
+ """ NAT44EI handling of server packets with TTL=1 """
self.nat44_add_address(self.nat_addr)
flags = self.config_flags.NAT_IS_INSIDE
@@ -1425,7 +1094,8 @@ class TestNAT44(MethodHolder):
src_ip=self.pg1.local_ip4)
def test_dynamic_icmp_errors_in2out_ttl_2(self):
- """ NAT44 handling of error responses to client packets with TTL=2 """
+ """ NAT44EI handling of error responses to client packets with TTL=2
+ """
self.nat44_add_address(self.nat_addr)
flags = self.config_flags.NAT_IS_INSIDE
@@ -1456,7 +1126,8 @@ class TestNAT44(MethodHolder):
self.verify_capture_in_with_icmp_errors(capture, self.pg0)
def test_dynamic_icmp_errors_out2in_ttl_2(self):
- """ NAT44 handling of error responses to server packets with TTL=2 """
+ """ NAT44EI handling of error responses to server packets with TTL=2
+ """
self.nat44_add_address(self.nat_addr)
flags = self.config_flags.NAT_IS_INSIDE
@@ -1495,7 +1166,7 @@ class TestNAT44(MethodHolder):
self.verify_capture_out_with_icmp_errors(capture)
def test_ping_out_interface_from_outside(self):
- """ Ping NAT44 out interface from outside network """
+ """ NAT44EI ping out interface from outside network """
self.nat44_add_address(self.nat_addr)
flags = self.config_flags.NAT_IS_INSIDE
@@ -1526,7 +1197,7 @@ class TestNAT44(MethodHolder):
raise
def test_ping_internal_host_from_outside(self):
- """ Ping internal host from outside network """
+ """ NAT44EI ping internal host from outside network """
self.nat44_add_static_mapping(self.pg0.remote_ip4, self.nat_addr)
flags = self.config_flags.NAT_IS_INSIDE
@@ -1560,7 +1231,7 @@ class TestNAT44(MethodHolder):
self.assert_equal(capture[0][IP].proto, IP_PROTOS.icmp)
def test_forwarding(self):
- """ NAT44 forwarding test """
+ """ NAT44EI forwarding test """
flags = self.config_flags.NAT_IS_INSIDE
self.vapi.nat44_interface_add_del_feature(
@@ -1632,7 +1303,7 @@ class TestNAT44(MethodHolder):
flags=flags)
def test_static_in(self):
- """ 1:1 NAT initialized from inside network """
+ """ NAT44EI 1:1 NAT initialized from inside network """
nat_ip = "10.0.0.10"
self.tcp_port_out = 6303
@@ -1671,7 +1342,7 @@ class TestNAT44(MethodHolder):
self.verify_capture_in(capture, self.pg0)
def test_static_out(self):
- """ 1:1 NAT initialized from outside network """
+ """ NAT44EI 1:1 NAT initialized from outside network """
nat_ip = "10.0.0.20"
self.tcp_port_out = 6303
@@ -1708,7 +1379,7 @@ class TestNAT44(MethodHolder):
self.verify_capture_out(capture, nat_ip, True)
def test_static_with_port_in(self):
- """ 1:1 NAPT initialized from inside network """
+ """ NAT44EI 1:1 NAPT initialized from inside network """
self.tcp_port_out = 3606
self.udp_port_out = 3607
@@ -1749,7 +1420,7 @@ class TestNAT44(MethodHolder):
self.verify_capture_in(capture, self.pg0)
def test_static_with_port_out(self):
- """ 1:1 NAPT initialized from outside network """
+ """ NAT44EI 1:1 NAPT initialized from outside network """
self.tcp_port_out = 30606
self.udp_port_out = 30607
@@ -1790,7 +1461,7 @@ class TestNAT44(MethodHolder):
self.verify_capture_out(capture)
def test_static_vrf_aware(self):
- """ 1:1 NAT VRF awareness """
+ """ NAT44EI 1:1 NAT VRF awareness """
nat_ip1 = "10.0.0.30"
nat_ip2 = "10.0.0.40"
@@ -1813,7 +1484,7 @@ class TestNAT44(MethodHolder):
sw_if_index=self.pg4.sw_if_index,
flags=flags, is_add=1)
- # inside interface VRF match NAT44 static mapping VRF
+ # inside interface VRF match NAT44EI static mapping VRF
pkts = self.create_stream_in(self.pg4, self.pg3)
self.pg4.add_stream(pkts)
self.pg_enable_capture(self.pg_interfaces)
@@ -1821,7 +1492,7 @@ class TestNAT44(MethodHolder):
capture = self.pg3.get_capture(len(pkts))
self.verify_capture_out(capture, nat_ip1, True)
- # inside interface VRF don't match NAT44 static mapping VRF (packets
+ # inside interface VRF don't match NAT44EI static mapping VRF (packets
# are dropped)
pkts = self.create_stream_in(self.pg0, self.pg3)
self.pg0.add_stream(pkts)
@@ -1830,7 +1501,7 @@ class TestNAT44(MethodHolder):
self.pg3.assert_nothing_captured()
def test_dynamic_to_static(self):
- """ Switch from dynamic translation to 1:1NAT """
+ """ NAT44EI Switch from dynamic translation to 1:1NAT """
nat_ip = "10.0.0.10"
self.tcp_port_out = 6303
self.udp_port_out = 6304
@@ -1865,7 +1536,7 @@ class TestNAT44(MethodHolder):
self.verify_capture_out(capture, nat_ip, True)
def test_identity_nat(self):
- """ Identity NAT """
+ """ NAT44EI Identity NAT """
flags = self.config_flags.NAT_IS_ADDR_ONLY
self.vapi.nat44_add_del_identity_mapping(
ip_address=self.pg0.remote_ip4, sw_if_index=0xFFFFFFFF,
@@ -1908,7 +1579,8 @@ class TestNAT44(MethodHolder):
self.assertEqual(len(identity_mappings), 2)
def test_multiple_inside_interfaces(self):
- """ NAT44 multiple non-overlapping address space inside interfaces """
+ """ NAT44EI multiple non-overlapping address space inside interfaces
+ """
self.nat44_add_address(self.nat_addr)
flags = self.config_flags.NAT_IS_INSIDE
@@ -1922,7 +1594,7 @@ class TestNAT44(MethodHolder):
sw_if_index=self.pg3.sw_if_index,
is_add=1)
- # between two NAT44 inside interfaces (no translation)
+ # between two NAT44EI inside interfaces (no translation)
pkts = self.create_stream_in(self.pg0, self.pg1)
self.pg0.add_stream(pkts)
self.pg_enable_capture(self.pg_interfaces)
@@ -1930,7 +1602,7 @@ class TestNAT44(MethodHolder):
capture = self.pg1.get_capture(len(pkts))
self.verify_capture_no_translation(capture, self.pg0, self.pg1)
- # from NAT44 inside to interface without NAT44 feature (no translation)
+ # from inside to interface without translation
pkts = self.create_stream_in(self.pg0, self.pg2)
self.pg0.add_stream(pkts)
self.pg_enable_capture(self.pg_interfaces)
@@ -1971,7 +1643,8 @@ class TestNAT44(MethodHolder):
self.verify_capture_in(capture, self.pg1)
def test_inside_overlapping_interfaces(self):
- """ NAT44 multiple inside interfaces with overlapping address space """
+ """ NAT44EI multiple inside interfaces with overlapping address space
+ """
static_nat_ip = "10.0.0.10"
self.nat44_add_address(self.nat_addr)
@@ -1991,7 +1664,7 @@ class TestNAT44(MethodHolder):
self.nat44_add_static_mapping(self.pg6.remote_ip4, static_nat_ip,
vrf_id=20)
- # between NAT44 inside interfaces with same VRF (no translation)
+ # between NAT44EI inside interfaces with same VRF (no translation)
pkts = self.create_stream_in(self.pg4, self.pg5)
self.pg4.add_stream(pkts)
self.pg_enable_capture(self.pg_interfaces)
@@ -1999,7 +1672,7 @@ class TestNAT44(MethodHolder):
capture = self.pg5.get_capture(len(pkts))
self.verify_capture_no_translation(capture, self.pg4, self.pg5)
- # between NAT44 inside interfaces with different VRF (hairpinning)
+ # between NAT44EI inside interfaces with different VRF (hairpinning)
p = (Ether(src=self.pg4.remote_mac, dst=self.pg4.local_mac) /
IP(src=self.pg4.remote_ip4, dst=static_nat_ip) /
TCP(sport=1234, dport=5678))
@@ -2129,7 +1802,7 @@ class TestNAT44(MethodHolder):
self.icmp_id_in])
def test_hairpinning(self):
- """ NAT44 hairpinning - 1:1 NAPT """
+ """ NAT44EI hairpinning - 1:1 NAPT """
host = self.pg0.remote_hosts[0]
server = self.pg0.remote_hosts[1]
@@ -2205,7 +1878,7 @@ class TestNAT44(MethodHolder):
self.assertEqual(after[if_idx] - cnt[if_idx], 2)
def test_hairpinning2(self):
- """ NAT44 hairpinning - 1:1 NAT"""
+ """ NAT44EI hairpinning - 1:1 NAT"""
server1_nat_ip = "10.0.0.10"
server2_nat_ip = "10.0.0.11"
@@ -2463,7 +2136,7 @@ class TestNAT44(MethodHolder):
self.assertEqual(after[if_idx] - cnt[if_idx], 2)
def test_interface_addr(self):
- """ Acquire NAT44 addresses from interface """
+ """ NAT44EI acquire addresses from interface """
self.vapi.nat44_add_del_interface_addr(
is_add=1,
sw_if_index=self.pg7.sw_if_index)
@@ -2484,7 +2157,7 @@ class TestNAT44(MethodHolder):
self.assertEqual(0, len(addresses))
def test_interface_addr_static_mapping(self):
- """ Static mapping with addresses from interface """
+ """ NAT44EI Static mapping with addresses from interface """
tag = "testTAG"
self.vapi.nat44_add_del_interface_addr(
@@ -2546,7 +2219,7 @@ class TestNAT44(MethodHolder):
self.assertEqual(0, len(static_mappings))
def test_interface_addr_identity_nat(self):
- """ Identity NAT with addresses from interface """
+ """ NAT44EI Identity NAT with addresses from interface """
port = 53053
self.vapi.nat44_add_del_interface_addr(
@@ -2587,7 +2260,7 @@ class TestNAT44(MethodHolder):
identity_mappings[0].sw_if_index)
def test_ipfix_nat44_sess(self):
- """ IPFIX logging NAT44 session created/deleted """
+ """ NAT44EI IPFIX logging NAT44EI session created/deleted """
self.ipfix_domain_id = 10
self.ipfix_src_port = 20202
collector_port = 30303
@@ -2637,7 +2310,7 @@ class TestNAT44(MethodHolder):
self.verify_ipfix_nat44_ses(data)
def test_ipfix_addr_exhausted(self):
- """ IPFIX logging NAT addresses exhausted """
+ """ NAT44EI IPFIX logging NAT addresses exhausted """
flags = self.config_flags.NAT_IS_INSIDE
self.vapi.nat44_interface_add_del_feature(
sw_if_index=self.pg0.sw_if_index,
@@ -2682,7 +2355,7 @@ class TestNAT44(MethodHolder):
self.verify_ipfix_addr_exhausted(data)
def test_ipfix_max_sessions(self):
- """ IPFIX logging maximum session entries exceeded """
+ """ NAT44EI IPFIX logging maximum session entries exceeded """
self.nat44_add_address(self.nat_addr)
flags = self.config_flags.NAT_IS_INSIDE
self.vapi.nat44_interface_add_del_feature(
@@ -2743,7 +2416,7 @@ class TestNAT44(MethodHolder):
self.verify_ipfix_max_sessions(data, max_sessions)
def test_syslog_apmap(self):
- """ Test syslog address and port mapping creation and deletion """
+ """ NAT44EI syslog address and port mapping creation and deletion """
self.vapi.syslog_set_filter(
self.SYSLOG_SEVERITY.SYSLOG_API_SEVERITY_INFO)
self.vapi.syslog_set_sender(self.pg3.local_ip4, self.pg3.remote_ip4)
@@ -2774,7 +2447,7 @@ class TestNAT44(MethodHolder):
self.verify_syslog_apmap(capture[0][Raw].load, False)
def test_pool_addr_fib(self):
- """ NAT44 add pool addresses to FIB """
+ """ NAT44EI add pool addresses to FIB """
static_addr = '10.0.0.10'
self.nat44_add_address(self.nat_addr)
flags = self.config_flags.NAT_IS_INSIDE
@@ -2786,7 +2459,7 @@ class TestNAT44(MethodHolder):
is_add=1)
self.nat44_add_static_mapping(self.pg0.remote_ip4, static_addr)
- # NAT44 address
+ # NAT44EI address
p = (Ether(src=self.pg1.remote_mac, dst='ff:ff:ff:ff:ff:ff') /
ARP(op=ARP.who_has, pdst=self.nat_addr,
psrc=self.pg1.remote_ip4, hwsrc=self.pg1.remote_mac))
@@ -2808,7 +2481,7 @@ class TestNAT44(MethodHolder):
self.assertTrue(capture[0].haslayer(ARP))
self.assertTrue(capture[0][ARP].op, ARP.is_at)
- # send ARP to non-NAT44 interface
+ # send ARP to non-NAT44EI interface
p = (Ether(src=self.pg2.remote_mac, dst='ff:ff:ff:ff:ff:ff') /
ARP(op=ARP.who_has, pdst=self.nat_addr,
psrc=self.pg2.remote_ip4, hwsrc=self.pg2.remote_mac))
@@ -2839,7 +2512,7 @@ class TestNAT44(MethodHolder):
self.pg1.assert_nothing_captured()
def test_vrf_mode(self):
- """ NAT44 tenant VRF aware address pool mode """
+ """ NAT44EI tenant VRF aware address pool mode """
vrf_id1 = 1
vrf_id2 = 2
@@ -2900,7 +2573,7 @@ class TestNAT44(MethodHolder):
self.vapi.ip_table_add_del(is_add=0, table={'table_id': vrf_id2})
def test_vrf_feature_independent(self):
- """ NAT44 tenant VRF independent address pool mode """
+ """ NAT44EI tenant VRF independent address pool mode """
nat_ip1 = "10.0.0.10"
nat_ip2 = "10.0.0.11"
@@ -2934,31 +2607,8 @@ class TestNAT44(MethodHolder):
capture = self.pg2.get_capture(len(pkts))
self.verify_capture_out(capture, nat_ip1)
- def create_routes_and_neigbors(self):
- r1 = VppIpRoute(self, self.pg7.remote_ip4, 32,
- [VppRoutePath(self.pg7.remote_ip4,
- self.pg7.sw_if_index)])
- r2 = VppIpRoute(self, self.pg8.remote_ip4, 32,
- [VppRoutePath(self.pg8.remote_ip4,
- self.pg8.sw_if_index)])
- r1.add_vpp_config()
- r2.add_vpp_config()
-
- n1 = VppNeighbor(self,
- self.pg7.sw_if_index,
- self.pg7.remote_mac,
- self.pg7.remote_ip4,
- is_static=1)
- n2 = VppNeighbor(self,
- self.pg8.sw_if_index,
- self.pg8.remote_mac,
- self.pg8.remote_ip4,
- is_static=1)
- n1.add_vpp_config()
- n2.add_vpp_config()
-
def test_dynamic_ipless_interfaces(self):
- """ NAT44 interfaces without configured IP address """
+ """ NAT44EI interfaces without configured IP address """
self.create_routes_and_neigbors()
self.nat44_add_address(self.nat_addr)
flags = self.config_flags.NAT_IS_INSIDE
@@ -2986,7 +2636,7 @@ class TestNAT44(MethodHolder):
self.verify_capture_in(capture, self.pg7)
def test_static_ipless_interfaces(self):
- """ NAT44 interfaces without configured IP address - 1:1 NAT """
+ """ NAT44EI interfaces without configured IP address - 1:1 NAT """
self.create_routes_and_neigbors()
self.nat44_add_static_mapping(self.pg7.remote_ip4, self.nat_addr)
@@ -3015,7 +2665,7 @@ class TestNAT44(MethodHolder):
self.verify_capture_out(capture, self.nat_addr, True)
def test_static_with_port_ipless_interfaces(self):
- """ NAT44 interfaces without configured IP address - 1:1 NAPT """
+ """ NAT44EI interfaces without configured IP address - 1:1 NAPT """
self.tcp_port_out = 30606
self.udp_port_out = 30607
@@ -3057,7 +2707,7 @@ class TestNAT44(MethodHolder):
self.verify_capture_out(capture)
def test_static_unknown_proto(self):
- """ 1:1 NAT translate packet with unknown protocol """
+ """ NAT44EI 1:1 translate packet with unknown protocol """
nat_ip = "10.0.0.10"
self.nat44_add_static_mapping(self.pg0.remote_ip4, nat_ip)
flags = self.config_flags.NAT_IS_INSIDE
@@ -3109,7 +2759,8 @@ class TestNAT44(MethodHolder):
raise
def test_hairpinning_static_unknown_proto(self):
- """ 1:1 NAT translate packet with unknown protocol - hairpinning """
+ """ NAT44EI 1:1 translate packet with unknown protocol - hairpinning
+ """
host = self.pg0.remote_hosts[0]
server = self.pg0.remote_hosts[1]
@@ -3168,7 +2819,7 @@ class TestNAT44(MethodHolder):
raise
def test_output_feature(self):
- """ NAT44 interface output feature (in2out postrouting) """
+ """ NAT44EI output feature (in2out postrouting) """
self.nat44_add_address(self.nat_addr)
flags = self.config_flags.NAT_IS_INSIDE
self.vapi.nat44_interface_add_del_output_feature(
@@ -3206,7 +2857,7 @@ class TestNAT44(MethodHolder):
self.verify_capture_no_translation(capture, self.pg2, self.pg0)
def test_output_feature_vrf_aware(self):
- """ NAT44 interface output feature VRF aware (in2out postrouting) """
+ """ NAT44EI output feature VRF aware (in2out postrouting) """
nat_ip_vrf10 = "10.0.0.10"
nat_ip_vrf20 = "10.0.0.20"
@@ -3267,7 +2918,7 @@ class TestNAT44(MethodHolder):
self.verify_capture_in(capture, self.pg6)
def test_output_feature_hairpinning(self):
- """ NAT44 interface output feature hairpinning (in2out postrouting) """
+ """ NAT44EI output feature hairpinning (in2out postrouting) """
host = self.pg0.remote_hosts[0]
server = self.pg0.remote_hosts[1]
host_in_port = 1234
@@ -3333,7 +2984,7 @@ class TestNAT44(MethodHolder):
raise
def test_one_armed_nat44(self):
- """ One armed NAT44 """
+ """ NAT44EI One armed NAT """
remote_host = self.pg9.remote_hosts[0]
local_host = self.pg9.remote_hosts[1]
external_port = 0
@@ -3398,7 +3049,7 @@ class TestNAT44(MethodHolder):
self.assertEqual(err, 1)
def test_del_session(self):
- """ Delete NAT44 session """
+ """ NAT44EI delete session """
self.nat44_add_address(self.nat_addr)
flags = self.config_flags.NAT_IS_INSIDE
self.vapi.nat44_interface_add_del_feature(
@@ -3436,7 +3087,7 @@ class TestNAT44(MethodHolder):
self.verify_no_nat44_user()
def test_frag_in_order(self):
- """ NAT44 translate fragments arriving in order """
+ """ NAT44EI translate fragments arriving in order """
self.nat44_add_address(self.nat_addr)
flags = self.config_flags.NAT_IS_INSIDE
@@ -3452,7 +3103,7 @@ class TestNAT44(MethodHolder):
self.frag_in_order(proto=IP_PROTOS.icmp)
def test_frag_forwarding(self):
- """ NAT44 forwarding fragment test """
+ """ NAT44EI forwarding fragment test """
self.vapi.nat44_add_del_interface_addr(
is_add=1,
sw_if_index=self.pg1.sw_if_index)
@@ -3484,12 +3135,12 @@ class TestNAT44(MethodHolder):
self.assertEqual(data, p[Raw].load)
def test_reass_hairpinning(self):
- """ NAT44 fragments hairpinning """
+ """ NAT44EI fragments hairpinning """
- self.server = self.pg0.remote_hosts[1]
- self.host_in_port = random.randint(1025, 65535)
- self.server_in_port = random.randint(1025, 65535)
- self.server_out_port = random.randint(1025, 65535)
+ server_addr = self.pg0.remote_hosts[1].ip4
+ host_in_port = random.randint(1025, 65535)
+ server_in_port = random.randint(1025, 65535)
+ server_out_port = random.randint(1025, 65535)
self.nat44_add_address(self.nat_addr)
flags = self.config_flags.NAT_IS_INSIDE
@@ -3500,22 +3151,25 @@ class TestNAT44(MethodHolder):
sw_if_index=self.pg1.sw_if_index,
is_add=1)
# add static mapping for server
- self.nat44_add_static_mapping(self.server.ip4, self.nat_addr,
- self.server_in_port,
- self.server_out_port,
+ self.nat44_add_static_mapping(server_addr, self.nat_addr,
+ server_in_port,
+ server_out_port,
proto=IP_PROTOS.tcp)
- self.nat44_add_static_mapping(self.server.ip4, self.nat_addr,
- self.server_in_port,
- self.server_out_port,
+ self.nat44_add_static_mapping(server_addr, self.nat_addr,
+ server_in_port,
+ server_out_port,
proto=IP_PROTOS.udp)
- self.nat44_add_static_mapping(self.server.ip4, self.nat_addr)
+ self.nat44_add_static_mapping(server_addr, self.nat_addr)
- self.reass_hairpinning(proto=IP_PROTOS.tcp)
- self.reass_hairpinning(proto=IP_PROTOS.udp)
- self.reass_hairpinning(proto=IP_PROTOS.icmp)
+ self.reass_hairpinning(server_addr, server_in_port, server_out_port,
+ host_in_port, proto=IP_PROTOS.tcp)
+ self.reass_hairpinning(server_addr, server_in_port, server_out_port,
+ host_in_port, proto=IP_PROTOS.udp)
+ self.reass_hairpinning(server_addr, server_in_port, server_out_port,
+ host_in_port, proto=IP_PROTOS.icmp)
def test_frag_out_of_order(self):
- """ NAT44 translate fragments arriving out of order """
+ """ NAT44EI translate fragments arriving out of order """
self.nat44_add_address(self.nat_addr)
flags = self.config_flags.NAT_IS_INSIDE
@@ -3531,7 +3185,7 @@ class TestNAT44(MethodHolder):
self.frag_out_of_order(proto=IP_PROTOS.icmp)
def test_port_restricted(self):
- """ Port restricted NAT44 (MAP-E CE) """
+ """ NAT44EI Port restricted NAT44EI (MAP-E CE) """
self.nat44_add_address(self.nat_addr)
flags = self.config_flags.NAT_IS_INSIDE
self.vapi.nat44_interface_add_del_feature(
@@ -3567,7 +3221,7 @@ class TestNAT44(MethodHolder):
raise
def test_port_range(self):
- """ External address port range """
+ """ NAT44EI External address port range """
self.nat44_add_address(self.nat_addr)
flags = self.config_flags.NAT_IS_INSIDE
self.vapi.nat44_interface_add_del_feature(
@@ -3596,7 +3250,7 @@ class TestNAT44(MethodHolder):
self.assertLessEqual(tcp.sport, 1027)
def test_multiple_outside_vrf(self):
- """ Multiple outside VRF """
+ """ NAT44EI Multiple outside VRF """
vrf_id1 = 1
vrf_id2 = 2
@@ -3670,7 +3324,7 @@ class TestNAT44(MethodHolder):
self.pg2.resolve_arp()
def test_mss_clamping(self):
- """ TCP MSS clamping """
+ """ NAT44EI TCP MSS clamping """
self.nat44_add_address(self.nat_addr)
flags = self.config_flags.NAT_IS_INSIDE
self.vapi.nat44_interface_add_del_feature(
@@ -3710,7 +3364,7 @@ class TestNAT44(MethodHolder):
self.verify_mss_value(capture[0], 1400)
def test_ha_send(self):
- """ Send HA session synchronization events (active) """
+ """ NAT44EI Send HA session synchronization events (active) """
flags = self.config_flags.NAT_IS_INSIDE
self.vapi.nat44_interface_add_del_feature(
sw_if_index=self.pg0.sw_if_index,
@@ -3847,7 +3501,7 @@ class TestNAT44(MethodHolder):
self.assertEqual(stats[0][0], 2)
def test_ha_recv(self):
- """ Receive HA session synchronization events (passive) """
+ """ NAT44EI Receive HA session synchronization events (passive) """
self.nat44_add_address(self.nat_addr)
flags = self.config_flags.NAT_IS_INSIDE
self.vapi.nat44_interface_add_del_feature(
@@ -4047,3123 +3701,8 @@ class TestNAT44(MethodHolder):
self.logger.info(self.vapi.cli("show nat ha"))
-class TestNAT44EndpointDependent2(MethodHolder):
- """ Endpoint-Dependent mapping and filtering test cases """
-
- @classmethod
- def tearDownClass(cls):
- super(TestNAT44EndpointDependent2, cls).tearDownClass()
-
- def tearDown(self):
- super(TestNAT44EndpointDependent2, self).tearDown()
-
- @classmethod
- def create_and_add_ip4_table(cls, i, table_id):
- cls.vapi.ip_table_add_del(is_add=1, table={'table_id': table_id})
- i.set_table_ip4(table_id)
-
- @classmethod
- def setUpClass(cls):
- super(TestNAT44EndpointDependent2, cls).setUpClass()
-
- cls.create_pg_interfaces(range(3))
- cls.interfaces = list(cls.pg_interfaces)
-
- cls.create_and_add_ip4_table(cls.pg1, 10)
-
- for i in cls.interfaces:
- i.admin_up()
- i.config_ip4()
- i.resolve_arp()
-
- i.generate_remote_hosts(1)
- i.configure_ipv4_neighbors()
-
- def setUp(self):
- super(TestNAT44EndpointDependent2, self).setUp()
- flags = self.nat44_config_flags.NAT44_IS_ENDPOINT_DEPENDENT
- self.vapi.nat44_plugin_enable_disable(enable=1, flags=flags)
-
- def tearDown(self):
- super(TestNAT44EndpointDependent2, self).tearDown()
- if not self.vpp_dead:
- self.vapi.nat44_plugin_enable_disable(enable=0)
- self.vapi.cli("clear logging")
-
- def nat_add_inside_interface(self, i):
- self.vapi.nat44_interface_add_del_feature(
- flags=self.config_flags.NAT_IS_INSIDE,
- sw_if_index=i.sw_if_index, is_add=1)
-
- def nat_add_outside_interface(self, i):
- self.vapi.nat44_interface_add_del_feature(
- flags=self.config_flags.NAT_IS_OUTSIDE,
- sw_if_index=i.sw_if_index, is_add=1)
-
- def nat_add_interface_address(self, i):
- self.nat_addr = i.local_ip4
- self.vapi.nat44_add_del_interface_addr(
- sw_if_index=i.sw_if_index, is_add=1)
-
- def nat_add_address(self, address, vrf_id=0xFFFFFFFF):
- self.nat_addr = address
- self.nat44_add_address(address, vrf_id=vrf_id)
-
- def cli(self, command):
- result = self.vapi.cli(command)
- self.logger.info(result)
- # print(result)
-
- def show_configuration(self):
- self.cli("show interface")
- self.cli("show interface address")
- self.cli("show nat44 addresses")
- self.cli("show nat44 interfaces")
-
- def create_tcp_stream(self, in_if, out_if, count):
- """
- Create tcp packet stream
-
- :param in_if: Inside interface
- :param out_if: Outside interface
- :param count: count of packets to generate
- """
- pkts = []
- port = 6303
-
- for i in range(count):
- p = (Ether(dst=in_if.local_mac, src=in_if.remote_mac) /
- IP(src=in_if.remote_ip4, dst=out_if.remote_ip4, ttl=64) /
- TCP(sport=port + i, dport=20))
- pkts.append(p)
-
- return pkts
-
- def test_session_limit_per_vrf(self):
-
- inside = self.pg0
- inside_vrf10 = self.pg1
- outside = self.pg2
-
- limit = 5
-
- # 2 interfaces pg0, pg1 (vrf10, limit 1 tcp session)
- # non existing vrf_id makes process core dump
- self.vapi.nat44_set_session_limit(session_limit=limit, vrf_id=10)
-
- self.nat_add_inside_interface(inside)
- self.nat_add_inside_interface(inside_vrf10)
- self.nat_add_outside_interface(outside)
-
- # vrf independent
- self.nat_add_interface_address(outside)
-
- # BUG: causing core dump - when bad vrf_id is specified
- # self.nat44_add_address(outside.local_ip4, vrf_id=20)
-
- self.show_configuration()
-
- stream = self.create_tcp_stream(inside_vrf10, outside, limit * 2)
- inside_vrf10.add_stream(stream)
-
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
-
- capture = outside.get_capture(limit)
-
- stream = self.create_tcp_stream(inside, outside, limit * 2)
- inside.add_stream(stream)
-
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
-
- capture = outside.get_capture(len(stream))
-
-
-class TestNAT44EndpointDependent(MethodHolder):
- """ Endpoint-Dependent mapping and filtering test cases """
-
- @classmethod
- def setUpClass(cls):
- super(TestNAT44EndpointDependent, cls).setUpClass()
- cls.vapi.cli("set log class nat level debug")
-
- cls.tcp_port_in = 6303
- cls.tcp_port_out = 6303
- cls.udp_port_in = 6304
- cls.udp_port_out = 6304
- cls.icmp_id_in = 6305
- cls.icmp_id_out = 6305
- cls.nat_addr = '10.0.0.3'
- cls.ipfix_src_port = 4739
- cls.ipfix_domain_id = 1
- cls.tcp_external_port = 80
-
- cls.create_pg_interfaces(range(9))
- cls.interfaces = list(cls.pg_interfaces[0:3])
-
- for i in cls.interfaces:
- i.admin_up()
- i.config_ip4()
- i.resolve_arp()
-
- cls.pg0.generate_remote_hosts(3)
- cls.pg0.configure_ipv4_neighbors()
-
- cls.pg3.admin_up()
-
- cls.pg4.generate_remote_hosts(2)
- cls.pg4.config_ip4()
- cls.vapi.sw_interface_add_del_address(
- sw_if_index=cls.pg4.sw_if_index,
- prefix="10.0.0.1/24")
-
- cls.pg4.admin_up()
- cls.pg4.resolve_arp()
- cls.pg4._remote_hosts[1]._ip4 = cls.pg4._remote_hosts[0]._ip4
- cls.pg4.resolve_arp()
-
- zero_ip4 = socket.inet_pton(socket.AF_INET, "0.0.0.0")
- cls.vapi.ip_table_add_del(is_add=1, table={'table_id': 1})
-
- cls.pg5._local_ip4 = "10.1.1.1"
- cls.pg5._remote_hosts[0]._ip4 = "10.1.1.2"
- cls.pg5.set_table_ip4(1)
- cls.pg5.config_ip4()
- cls.pg5.admin_up()
- r1 = VppIpRoute(cls, cls.pg5.remote_ip4, 32,
- [VppRoutePath("0.0.0.0",
- cls.pg5.sw_if_index)],
- table_id=1,
- register=False)
- r1.add_vpp_config()
-
- cls.pg6._local_ip4 = "10.1.2.1"
- cls.pg6._remote_hosts[0]._ip4 = "10.1.2.2"
- cls.pg6.set_table_ip4(1)
- cls.pg6.config_ip4()
- cls.pg6.admin_up()
-
- r2 = VppIpRoute(cls, cls.pg6.remote_ip4, 32,
- [VppRoutePath("0.0.0.0",
- cls.pg6.sw_if_index)],
- table_id=1,
- register=False)
- r3 = VppIpRoute(cls, cls.pg6.remote_ip4, 16,
- [VppRoutePath("0.0.0.0",
- 0xffffffff,
- nh_table_id=1)],
- table_id=0,
- register=False)
- r4 = VppIpRoute(cls, "0.0.0.0", 0,
- [VppRoutePath("0.0.0.0", 0xffffffff,
- nh_table_id=0)],
- table_id=1,
- register=False)
- r5 = VppIpRoute(cls, "0.0.0.0", 0,
- [VppRoutePath(cls.pg1.local_ip4,
- cls.pg1.sw_if_index)],
- register=False)
- r2.add_vpp_config()
- r3.add_vpp_config()
- r4.add_vpp_config()
- r5.add_vpp_config()
-
- cls.pg5.resolve_arp()
- cls.pg6.resolve_arp()
-
- cls.pg7.admin_up()
- cls.pg7.config_ip4()
- cls.pg7.resolve_arp()
- cls.pg7.generate_remote_hosts(3)
- cls.pg7.configure_ipv4_neighbors()
-
- cls.pg8.admin_up()
- cls.pg8.config_ip4()
- cls.pg8.resolve_arp()
-
- @classmethod
- def tearDownClass(cls):
- super(TestNAT44EndpointDependent, cls).tearDownClass()
-
- def setUp(self):
- super(TestNAT44EndpointDependent, self).setUp()
- flags = self.nat44_config_flags.NAT44_IS_ENDPOINT_DEPENDENT
- self.vapi.nat44_plugin_enable_disable(enable=1, flags=flags)
- self.vapi.nat_set_timeouts(
- udp=300, tcp_established=7440,
- tcp_transitory=240, icmp=60)
-
- def tearDown(self):
- super(TestNAT44EndpointDependent, self).tearDown()
- if not self.vpp_dead:
- self.vapi.nat44_plugin_enable_disable(enable=0)
- self.vapi.cli("clear logging")
-
- def test_frag_in_order(self):
- """ NAT44 translate fragments arriving in order """
- self.nat44_add_address(self.nat_addr)
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- flags=flags, is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg1.sw_if_index,
- is_add=1)
- self.frag_in_order(proto=IP_PROTOS.tcp, ignore_port=True)
- self.frag_in_order(proto=IP_PROTOS.udp, ignore_port=True)
- self.frag_in_order(proto=IP_PROTOS.icmp, ignore_port=True)
-
- def test_frag_in_order_dont_translate(self):
- """ NAT44 don't translate fragments arriving in order """
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- flags=flags, is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg1.sw_if_index,
- is_add=1)
- self.vapi.nat44_forwarding_enable_disable(enable=True)
- self.frag_in_order(proto=IP_PROTOS.tcp, dont_translate=True)
-
- def test_frag_out_of_order(self):
- """ NAT44 translate fragments arriving out of order """
- self.nat44_add_address(self.nat_addr)
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- flags=flags, is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg1.sw_if_index,
- is_add=1)
- self.frag_out_of_order(proto=IP_PROTOS.tcp, ignore_port=True)
- self.frag_out_of_order(proto=IP_PROTOS.udp, ignore_port=True)
- self.frag_out_of_order(proto=IP_PROTOS.icmp, ignore_port=True)
-
- def test_frag_out_of_order_dont_translate(self):
- """ NAT44 don't translate fragments arriving out of order """
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- flags=flags, is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg1.sw_if_index,
- is_add=1)
- self.vapi.nat44_forwarding_enable_disable(enable=True)
- self.frag_out_of_order(proto=IP_PROTOS.tcp, dont_translate=True)
-
- def test_frag_in_order_in_plus_out(self):
- """ in+out interface fragments in order """
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- flags=flags, is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg1.sw_if_index,
- is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg1.sw_if_index,
- flags=flags, is_add=1)
-
- self.server = self.pg1.remote_hosts[0]
-
- self.server_in_addr = self.server.ip4
- self.server_out_addr = '11.11.11.11'
- self.server_in_port = random.randint(1025, 65535)
- self.server_out_port = random.randint(1025, 65535)
-
- self.nat44_add_address(self.server_out_addr)
-
- # add static mappings for server
- self.nat44_add_static_mapping(self.server_in_addr,
- self.server_out_addr,
- self.server_in_port,
- self.server_out_port,
- proto=IP_PROTOS.tcp)
- self.nat44_add_static_mapping(self.server_in_addr,
- self.server_out_addr,
- self.server_in_port,
- self.server_out_port,
- proto=IP_PROTOS.udp)
- self.nat44_add_static_mapping(self.server_in_addr,
- self.server_out_addr,
- proto=IP_PROTOS.icmp)
-
- self.frag_in_order_in_plus_out(proto=IP_PROTOS.tcp)
- self.frag_in_order_in_plus_out(proto=IP_PROTOS.udp)
- self.frag_in_order_in_plus_out(proto=IP_PROTOS.icmp)
-
- def test_frag_out_of_order_in_plus_out(self):
- """ in+out interface fragments out of order """
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- flags=flags, is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg1.sw_if_index,
- is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg1.sw_if_index,
- flags=flags, is_add=1)
-
- self.server = self.pg1.remote_hosts[0]
-
- self.server_in_addr = self.server.ip4
- self.server_out_addr = '11.11.11.11'
- self.server_in_port = random.randint(1025, 65535)
- self.server_out_port = random.randint(1025, 65535)
-
- self.nat44_add_address(self.server_out_addr)
-
- # add static mappings for server
- self.nat44_add_static_mapping(self.server_in_addr,
- self.server_out_addr,
- self.server_in_port,
- self.server_out_port,
- proto=IP_PROTOS.tcp)
- self.nat44_add_static_mapping(self.server_in_addr,
- self.server_out_addr,
- self.server_in_port,
- self.server_out_port,
- proto=IP_PROTOS.udp)
- self.nat44_add_static_mapping(self.server_in_addr,
- self.server_out_addr,
- proto=IP_PROTOS.icmp)
-
- self.frag_out_of_order_in_plus_out(proto=IP_PROTOS.tcp)
- self.frag_out_of_order_in_plus_out(proto=IP_PROTOS.udp)
- self.frag_out_of_order_in_plus_out(proto=IP_PROTOS.icmp)
-
- def test_reass_hairpinning(self):
- """ NAT44 fragments hairpinning """
- self.server = self.pg0.remote_hosts[1]
- self.host_in_port = random.randint(1025, 65535)
- self.server_in_port = random.randint(1025, 65535)
- self.server_out_port = random.randint(1025, 65535)
-
- self.nat44_add_address(self.nat_addr)
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- flags=flags, is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg1.sw_if_index,
- is_add=1)
- # add static mapping for server
- self.nat44_add_static_mapping(self.server.ip4, self.nat_addr,
- self.server_in_port,
- self.server_out_port,
- proto=IP_PROTOS.tcp)
- self.nat44_add_static_mapping(self.server.ip4, self.nat_addr,
- self.server_in_port,
- self.server_out_port,
- proto=IP_PROTOS.udp)
- self.nat44_add_static_mapping(self.server.ip4, self.nat_addr)
-
- self.reass_hairpinning(proto=IP_PROTOS.tcp, ignore_port=True)
- self.reass_hairpinning(proto=IP_PROTOS.udp, ignore_port=True)
- self.reass_hairpinning(proto=IP_PROTOS.icmp, ignore_port=True)
-
- def test_clear_sessions(self):
- """ NAT44 ED session clearing test """
-
- self.nat44_add_address(self.nat_addr)
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- flags=flags, is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg1.sw_if_index,
- is_add=1)
-
- nat_config = self.vapi.nat_show_config()
- self.assertEqual(1, nat_config.endpoint_dependent)
-
- pkts = self.create_stream_in(self.pg0, self.pg1)
- self.pg0.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg1.get_capture(len(pkts))
- self.verify_capture_out(capture, ignore_port=True)
-
- sessions = self.statistics.get_counter('/nat44/total-sessions')
- self.assertTrue(sessions[0][0] > 0)
- self.logger.info("sessions before clearing: %s" % sessions[0][0])
-
- # just for testing purposes
- self.logger.info(self.vapi.cli("show nat44 summary"))
-
- self.vapi.cli("clear nat44 sessions")
-
- self.logger.info(self.vapi.cli("show nat44 summary"))
-
- sessions = self.statistics.get_counter('/nat44/total-sessions')
- self.assertEqual(sessions[0][0], 0)
- self.logger.info("sessions after clearing: %s" % sessions[0][0])
-
- def test_dynamic(self):
- """ NAT44 dynamic translation test """
-
- self.nat44_add_address(self.nat_addr)
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- flags=flags, is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg1.sw_if_index,
- is_add=1)
-
- nat_config = self.vapi.nat_show_config()
- self.assertEqual(1, nat_config.endpoint_dependent)
-
- # in2out
- tcpn = self.statistics.get_counter('/nat44/ed/in2out/slowpath/tcp')[0]
- udpn = self.statistics.get_counter('/nat44/ed/in2out/slowpath/udp')[0]
- icmpn = self.statistics.get_counter(
- '/nat44/ed/in2out/slowpath/icmp')[0]
- drops = self.statistics.get_counter(
- '/nat44/ed/in2out/slowpath/drops')[0]
-
- pkts = self.create_stream_in(self.pg0, self.pg1)
- self.pg0.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg1.get_capture(len(pkts))
- self.verify_capture_out(capture, ignore_port=True)
-
- if_idx = self.pg0.sw_if_index
- cnt = self.statistics.get_counter('/nat44/ed/in2out/slowpath/tcp')[0]
- self.assertEqual(cnt[if_idx] - tcpn[if_idx], 2)
- cnt = self.statistics.get_counter('/nat44/ed/in2out/slowpath/udp')[0]
- self.assertEqual(cnt[if_idx] - udpn[if_idx], 1)
- cnt = self.statistics.get_counter('/nat44/ed/in2out/slowpath/icmp')[0]
- self.assertEqual(cnt[if_idx] - icmpn[if_idx], 1)
- cnt = self.statistics.get_counter('/nat44/ed/in2out/slowpath/drops')[0]
- self.assertEqual(cnt[if_idx] - drops[if_idx], 0)
-
- # out2in
- tcpn = self.statistics.get_counter('/nat44/ed/out2in/fastpath/tcp')[0]
- udpn = self.statistics.get_counter('/nat44/ed/out2in/fastpath/udp')[0]
- icmpn = self.statistics.get_counter(
- '/nat44/ed/out2in/slowpath/icmp')[0]
- drops = self.statistics.get_counter(
- '/nat44/ed/out2in/fastpath/drops')[0]
-
- pkts = self.create_stream_out(self.pg1)
- self.pg1.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg0.get_capture(len(pkts))
- self.verify_capture_in(capture, self.pg0)
-
- if_idx = self.pg1.sw_if_index
- cnt = self.statistics.get_counter('/nat44/ed/out2in/fastpath/tcp')[0]
- self.assertEqual(cnt[if_idx] - tcpn[if_idx], 2)
- cnt = self.statistics.get_counter('/nat44/ed/out2in/fastpath/udp')[0]
- self.assertEqual(cnt[if_idx] - udpn[if_idx], 1)
- cnt = self.statistics.get_counter('/nat44/ed/out2in/slowpath/icmp')[0]
- self.assertEqual(cnt[if_idx] - icmpn[if_idx], 1)
- cnt = self.statistics.get_counter('/nat44/ed/out2in/fastpath/drops')[0]
- self.assertEqual(cnt[if_idx] - drops[if_idx], 0)
-
- sessions = self.statistics.get_counter('/nat44/total-sessions')
- self.assertEqual(sessions[0][0], 3)
-
- def test_dynamic_out_of_ports(self):
- """ NAT44 dynamic translation test: out of ports """
-
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- flags=flags, is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg1.sw_if_index,
- is_add=1)
-
- nat_config = self.vapi.nat_show_config()
- self.assertEqual(1, nat_config.endpoint_dependent)
-
- # in2out and no NAT addresses added
- err_old = self.statistics.get_err_counter(
- '/err/nat44-ed-in2out-slowpath/out of ports')
-
- pkts = self.create_stream_in(self.pg0, self.pg1)
- self.pg0.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- self.pg1.get_capture(0, timeout=1)
-
- err_new = self.statistics.get_err_counter(
- '/err/nat44-ed-in2out-slowpath/out of ports')
-
- self.assertEqual(err_new - err_old, len(pkts))
-
- # in2out after NAT addresses added
- self.nat44_add_address(self.nat_addr)
-
- err_old = self.statistics.get_err_counter(
- '/err/nat44-ed-in2out-slowpath/out of ports')
-
- pkts = self.create_stream_in(self.pg0, self.pg1)
- self.pg0.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg1.get_capture(len(pkts))
- self.verify_capture_out(capture, ignore_port=True)
-
- err_new = self.statistics.get_err_counter(
- '/err/nat44-ed-in2out-slowpath/out of ports')
-
- self.assertEqual(err_new, err_old)
-
- def test_dynamic_output_feature_vrf(self):
- """ NAT44 dynamic translation test: output-feature, VRF"""
-
- # other then default (0)
- new_vrf_id = 22
-
- self.nat44_add_address(self.nat_addr)
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat44_interface_add_del_output_feature(
- sw_if_index=self.pg7.sw_if_index,
- flags=flags, is_add=1)
- self.vapi.nat44_interface_add_del_output_feature(
- sw_if_index=self.pg8.sw_if_index,
- is_add=1)
-
- try:
- self.vapi.ip_table_add_del(is_add=1,
- table={'table_id': new_vrf_id})
-
- self.pg7.unconfig_ip4()
- self.pg7.set_table_ip4(new_vrf_id)
- self.pg7.config_ip4()
- self.pg7.resolve_arp()
-
- self.pg8.unconfig_ip4()
- self.pg8.set_table_ip4(new_vrf_id)
- self.pg8.config_ip4()
- self.pg8.resolve_arp()
-
- nat_config = self.vapi.nat_show_config()
- self.assertEqual(1, nat_config.endpoint_dependent)
-
- # in2out
- tcpn = self.statistics.get_counter(
- '/nat44/ed/in2out/slowpath/tcp')[0]
- udpn = self.statistics.get_counter(
- '/nat44/ed/in2out/slowpath/udp')[0]
- icmpn = self.statistics.get_counter(
- '/nat44/ed/in2out/slowpath/icmp')[0]
- drops = self.statistics.get_counter(
- '/nat44/ed/in2out/slowpath/drops')[0]
-
- pkts = self.create_stream_in(self.pg7, self.pg8)
- self.pg7.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg8.get_capture(len(pkts))
- self.verify_capture_out(capture, ignore_port=True)
-
- if_idx = self.pg7.sw_if_index
- cnt = self.statistics.get_counter(
- '/nat44/ed/in2out/slowpath/tcp')[0]
- self.assertEqual(cnt[if_idx] - tcpn[if_idx], 2)
- cnt = self.statistics.get_counter(
- '/nat44/ed/in2out/slowpath/udp')[0]
- self.assertEqual(cnt[if_idx] - udpn[if_idx], 1)
- cnt = self.statistics.get_counter(
- '/nat44/ed/in2out/slowpath/icmp')[0]
- self.assertEqual(cnt[if_idx] - icmpn[if_idx], 1)
- cnt = self.statistics.get_counter(
- '/nat44/ed/in2out/slowpath/drops')[0]
- self.assertEqual(cnt[if_idx] - drops[if_idx], 0)
-
- # out2in
- tcpn = self.statistics.get_counter(
- '/nat44/ed/out2in/fastpath/tcp')[0]
- udpn = self.statistics.get_counter(
- '/nat44/ed/out2in/fastpath/udp')[0]
- icmpn = self.statistics.get_counter(
- '/nat44/ed/out2in/slowpath/icmp')[0]
- drops = self.statistics.get_counter(
- '/nat44/ed/out2in/fastpath/drops')[0]
-
- pkts = self.create_stream_out(self.pg8)
- self.pg8.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg7.get_capture(len(pkts))
- self.verify_capture_in(capture, self.pg7)
-
- if_idx = self.pg8.sw_if_index
- cnt = self.statistics.get_counter(
- '/nat44/ed/out2in/fastpath/tcp')[0]
- self.assertEqual(cnt[if_idx] - tcpn[if_idx], 2)
- cnt = self.statistics.get_counter(
- '/nat44/ed/out2in/fastpath/udp')[0]
- self.assertEqual(cnt[if_idx] - udpn[if_idx], 1)
- cnt = self.statistics.get_counter(
- '/nat44/ed/out2in/slowpath/icmp')[0]
- self.assertEqual(cnt[if_idx] - icmpn[if_idx], 1)
- cnt = self.statistics.get_counter(
- '/nat44/ed/out2in/fastpath/drops')[0]
- self.assertEqual(cnt[if_idx] - drops[if_idx], 0)
-
- sessions = self.statistics.get_counter('/nat44/total-sessions')
- self.assertEqual(sessions[0][0], 3)
-
- finally:
- self.pg7.unconfig_ip4()
- self.pg7.set_table_ip4(1)
- self.pg7.config_ip4()
- self.pg7.resolve_arp()
-
- self.pg8.unconfig_ip4()
- self.pg8.set_table_ip4(1)
- self.pg8.config_ip4()
- self.pg8.resolve_arp()
-
- self.vapi.ip_table_add_del(is_add=0,
- table={'table_id': new_vrf_id})
-
- def test_forwarding(self):
- """ NAT44 forwarding test """
-
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- flags=flags, is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg1.sw_if_index,
- is_add=1)
- self.vapi.nat44_forwarding_enable_disable(enable=1)
-
- real_ip = self.pg0.remote_ip4
- alias_ip = self.nat_addr
- flags = self.config_flags.NAT_IS_ADDR_ONLY
- self.vapi.nat44_add_del_static_mapping(is_add=1,
- local_ip_address=real_ip,
- external_ip_address=alias_ip,
- external_sw_if_index=0xFFFFFFFF,
- flags=flags)
-
- try:
- # in2out - static mapping match
-
- pkts = self.create_stream_out(self.pg1)
- self.pg1.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg0.get_capture(len(pkts))
- self.verify_capture_in(capture, self.pg0)
-
- pkts = self.create_stream_in(self.pg0, self.pg1)
- self.pg0.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg1.get_capture(len(pkts))
- self.verify_capture_out(capture, same_port=True)
-
- # in2out - no static mapping match
-
- host0 = self.pg0.remote_hosts[0]
- self.pg0.remote_hosts[0] = self.pg0.remote_hosts[1]
- try:
- pkts = self.create_stream_out(self.pg1,
- dst_ip=self.pg0.remote_ip4,
- use_inside_ports=True)
- self.pg1.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg0.get_capture(len(pkts))
- self.verify_capture_in(capture, self.pg0)
-
- pkts = self.create_stream_in(self.pg0, self.pg1)
- self.pg0.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg1.get_capture(len(pkts))
- self.verify_capture_out(capture, nat_ip=self.pg0.remote_ip4,
- same_port=True)
- finally:
- self.pg0.remote_hosts[0] = host0
-
- user = self.pg0.remote_hosts[1]
- sessions = self.vapi.nat44_user_session_dump(user.ip4, 0)
- self.assertEqual(len(sessions), 3)
- self.assertTrue(sessions[0].flags &
- self.config_flags.NAT_IS_EXT_HOST_VALID)
- self.vapi.nat44_del_session(
- address=sessions[0].inside_ip_address,
- port=sessions[0].inside_port,
- protocol=sessions[0].protocol,
- flags=(self.config_flags.NAT_IS_INSIDE |
- self.config_flags.NAT_IS_EXT_HOST_VALID),
- ext_host_address=sessions[0].ext_host_address,
- ext_host_port=sessions[0].ext_host_port)
- sessions = self.vapi.nat44_user_session_dump(user.ip4, 0)
- self.assertEqual(len(sessions), 2)
-
- finally:
- self.vapi.nat44_forwarding_enable_disable(enable=0)
- flags = self.config_flags.NAT_IS_ADDR_ONLY
- self.vapi.nat44_add_del_static_mapping(
- is_add=0,
- local_ip_address=real_ip,
- external_ip_address=alias_ip,
- external_sw_if_index=0xFFFFFFFF,
- flags=flags)
-
- def test_static_lb(self):
- """ NAT44 local service load balancing """
- external_addr_n = self.nat_addr
- external_port = 80
- local_port = 8080
- server1 = self.pg0.remote_hosts[0]
- server2 = self.pg0.remote_hosts[1]
-
- locals = [{'addr': server1.ip4,
- 'port': local_port,
- 'probability': 70,
- 'vrf_id': 0},
- {'addr': server2.ip4,
- 'port': local_port,
- 'probability': 30,
- 'vrf_id': 0}]
-
- self.nat44_add_address(self.nat_addr)
- self.vapi.nat44_add_del_lb_static_mapping(
- is_add=1,
- external_addr=external_addr_n,
- external_port=external_port,
- protocol=IP_PROTOS.tcp,
- local_num=len(locals),
- locals=locals)
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- flags=flags, is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg1.sw_if_index,
- is_add=1)
-
- # from client to service
- p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
- IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
- TCP(sport=12345, dport=external_port))
- self.pg1.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg0.get_capture(1)
- p = capture[0]
- server = None
- try:
- ip = p[IP]
- tcp = p[TCP]
- self.assertIn(ip.dst, [server1.ip4, server2.ip4])
- if ip.dst == server1.ip4:
- server = server1
- else:
- server = server2
- self.assertEqual(tcp.dport, local_port)
- self.assert_packet_checksums_valid(p)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- # from service back to client
- p = (Ether(src=server.mac, dst=self.pg0.local_mac) /
- IP(src=server.ip4, dst=self.pg1.remote_ip4) /
- TCP(sport=local_port, dport=12345))
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg1.get_capture(1)
- p = capture[0]
- try:
- ip = p[IP]
- tcp = p[TCP]
- self.assertEqual(ip.src, self.nat_addr)
- self.assertEqual(tcp.sport, external_port)
- self.assert_packet_checksums_valid(p)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
- self.assertEqual(len(sessions), 1)
- self.assertTrue(sessions[0].flags &
- self.config_flags.NAT_IS_EXT_HOST_VALID)
- self.vapi.nat44_del_session(
- address=sessions[0].inside_ip_address,
- port=sessions[0].inside_port,
- protocol=sessions[0].protocol,
- flags=(self.config_flags.NAT_IS_INSIDE |
- self.config_flags.NAT_IS_EXT_HOST_VALID),
- ext_host_address=sessions[0].ext_host_address,
- ext_host_port=sessions[0].ext_host_port)
- sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
- self.assertEqual(len(sessions), 0)
-
- def test_static_lb_multi_clients(self):
- """ NAT44 local service load balancing - multiple clients"""
-
- external_addr = self.nat_addr
- external_port = 80
- local_port = 8080
- server1 = self.pg0.remote_hosts[0]
- server2 = self.pg0.remote_hosts[1]
- server3 = self.pg0.remote_hosts[2]
-
- locals = [{'addr': server1.ip4,
- 'port': local_port,
- 'probability': 90,
- 'vrf_id': 0},
- {'addr': server2.ip4,
- 'port': local_port,
- 'probability': 10,
- 'vrf_id': 0}]
-
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- flags=flags, is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg1.sw_if_index,
- is_add=1)
-
- self.nat44_add_address(self.nat_addr)
- self.vapi.nat44_add_del_lb_static_mapping(is_add=1,
- external_addr=external_addr,
- external_port=external_port,
- protocol=IP_PROTOS.tcp,
- local_num=len(locals),
- locals=locals)
-
- server1_n = 0
- server2_n = 0
- clients = ip4_range(self.pg1.remote_ip4, 10, 50)
- pkts = []
- for client in clients:
- p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
- IP(src=client, dst=self.nat_addr) /
- TCP(sport=12345, dport=external_port))
- pkts.append(p)
- self.pg1.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg0.get_capture(len(pkts))
- for p in capture:
- if p[IP].dst == server1.ip4:
- server1_n += 1
- else:
- server2_n += 1
- self.assertGreater(server1_n, server2_n)
-
- local = {
- 'addr': server3.ip4,
- 'port': local_port,
- 'probability': 20,
- 'vrf_id': 0
- }
-
- # add new back-end
- self.vapi.nat44_lb_static_mapping_add_del_local(
- is_add=1,
- external_addr=external_addr,
- external_port=external_port,
- local=local,
- protocol=IP_PROTOS.tcp)
- server1_n = 0
- server2_n = 0
- server3_n = 0
- clients = ip4_range(self.pg1.remote_ip4, 60, 110)
- pkts = []
- for client in clients:
- p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
- IP(src=client, dst=self.nat_addr) /
- TCP(sport=12346, dport=external_port))
- pkts.append(p)
- self.assertGreater(len(pkts), 0)
- self.pg1.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg0.get_capture(len(pkts))
- for p in capture:
- if p[IP].dst == server1.ip4:
- server1_n += 1
- elif p[IP].dst == server2.ip4:
- server2_n += 1
- else:
- server3_n += 1
- self.assertGreater(server1_n, 0)
- self.assertGreater(server2_n, 0)
- self.assertGreater(server3_n, 0)
-
- local = {
- 'addr': server2.ip4,
- 'port': local_port,
- 'probability': 10,
- 'vrf_id': 0
- }
-
- # remove one back-end
- self.vapi.nat44_lb_static_mapping_add_del_local(
- is_add=0,
- external_addr=external_addr,
- external_port=external_port,
- local=local,
- protocol=IP_PROTOS.tcp)
- server1_n = 0
- server2_n = 0
- server3_n = 0
- self.pg1.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg0.get_capture(len(pkts))
- for p in capture:
- if p[IP].dst == server1.ip4:
- server1_n += 1
- elif p[IP].dst == server2.ip4:
- server2_n += 1
- else:
- server3_n += 1
- self.assertGreater(server1_n, 0)
- self.assertEqual(server2_n, 0)
- self.assertGreater(server3_n, 0)
-
- def test_static_lb_2(self):
- """ NAT44 local service load balancing (asymmetrical rule) """
- external_addr = self.nat_addr
- external_port = 80
- local_port = 8080
- server1 = self.pg0.remote_hosts[0]
- server2 = self.pg0.remote_hosts[1]
-
- locals = [{'addr': server1.ip4,
- 'port': local_port,
- 'probability': 70,
- 'vrf_id': 0},
- {'addr': server2.ip4,
- 'port': local_port,
- 'probability': 30,
- 'vrf_id': 0}]
-
- self.vapi.nat44_forwarding_enable_disable(enable=1)
- flags = self.config_flags.NAT_IS_OUT2IN_ONLY
- self.vapi.nat44_add_del_lb_static_mapping(is_add=1, flags=flags,
- external_addr=external_addr,
- external_port=external_port,
- protocol=IP_PROTOS.tcp,
- local_num=len(locals),
- locals=locals)
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- flags=flags, is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg1.sw_if_index,
- is_add=1)
-
- # from client to service
- p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
- IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
- TCP(sport=12345, dport=external_port))
- self.pg1.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg0.get_capture(1)
- p = capture[0]
- server = None
- try:
- ip = p[IP]
- tcp = p[TCP]
- self.assertIn(ip.dst, [server1.ip4, server2.ip4])
- if ip.dst == server1.ip4:
- server = server1
- else:
- server = server2
- self.assertEqual(tcp.dport, local_port)
- self.assert_packet_checksums_valid(p)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- # from service back to client
- p = (Ether(src=server.mac, dst=self.pg0.local_mac) /
- IP(src=server.ip4, dst=self.pg1.remote_ip4) /
- TCP(sport=local_port, dport=12345))
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg1.get_capture(1)
- p = capture[0]
- try:
- ip = p[IP]
- tcp = p[TCP]
- self.assertEqual(ip.src, self.nat_addr)
- self.assertEqual(tcp.sport, external_port)
- self.assert_packet_checksums_valid(p)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- # from client to server (no translation)
- p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
- IP(src=self.pg1.remote_ip4, dst=server1.ip4) /
- TCP(sport=12346, dport=local_port))
- self.pg1.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg0.get_capture(1)
- p = capture[0]
- server = None
- try:
- ip = p[IP]
- tcp = p[TCP]
- self.assertEqual(ip.dst, server1.ip4)
- self.assertEqual(tcp.dport, local_port)
- self.assert_packet_checksums_valid(p)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- # from service back to client (no translation)
- p = (Ether(src=server1.mac, dst=self.pg0.local_mac) /
- IP(src=server1.ip4, dst=self.pg1.remote_ip4) /
- TCP(sport=local_port, dport=12346))
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg1.get_capture(1)
- p = capture[0]
- try:
- ip = p[IP]
- tcp = p[TCP]
- self.assertEqual(ip.src, server1.ip4)
- self.assertEqual(tcp.sport, local_port)
- self.assert_packet_checksums_valid(p)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- def test_lb_affinity(self):
- """ NAT44 local service load balancing affinity """
- external_addr = self.nat_addr
- external_port = 80
- local_port = 8080
- server1 = self.pg0.remote_hosts[0]
- server2 = self.pg0.remote_hosts[1]
-
- locals = [{'addr': server1.ip4,
- 'port': local_port,
- 'probability': 50,
- 'vrf_id': 0},
- {'addr': server2.ip4,
- 'port': local_port,
- 'probability': 50,
- 'vrf_id': 0}]
-
- self.nat44_add_address(self.nat_addr)
- self.vapi.nat44_add_del_lb_static_mapping(is_add=1,
- external_addr=external_addr,
- external_port=external_port,
- protocol=IP_PROTOS.tcp,
- affinity=10800,
- local_num=len(locals),
- locals=locals)
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- flags=flags, is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg1.sw_if_index,
- is_add=1)
-
- p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
- IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
- TCP(sport=1025, dport=external_port))
- self.pg1.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg0.get_capture(1)
- backend = capture[0][IP].dst
-
- sessions = self.vapi.nat44_user_session_dump(backend, 0)
- self.assertEqual(len(sessions), 1)
- self.assertTrue(sessions[0].flags &
- self.config_flags.NAT_IS_EXT_HOST_VALID)
- self.vapi.nat44_del_session(
- address=sessions[0].inside_ip_address,
- port=sessions[0].inside_port,
- protocol=sessions[0].protocol,
- flags=(self.config_flags.NAT_IS_INSIDE |
- self.config_flags.NAT_IS_EXT_HOST_VALID),
- ext_host_address=sessions[0].ext_host_address,
- ext_host_port=sessions[0].ext_host_port)
-
- pkts = []
- for port in range(1030, 1100):
- p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
- IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
- TCP(sport=port, dport=external_port))
- pkts.append(p)
- self.pg1.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg0.get_capture(len(pkts))
- for p in capture:
- self.assertEqual(p[IP].dst, backend)
-
- def test_unknown_proto(self):
- """ NAT44 translate packet with unknown protocol """
- self.nat44_add_address(self.nat_addr)
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- flags=flags, is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg1.sw_if_index,
- is_add=1)
-
- # in2out
- p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
- IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
- TCP(sport=self.tcp_port_in, dport=20))
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- p = self.pg1.get_capture(1)
-
- p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
- IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
- GRE() /
- IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4) /
- TCP(sport=1234, dport=1234))
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- p = self.pg1.get_capture(1)
- packet = p[0]
- try:
- self.assertEqual(packet[IP].src, self.nat_addr)
- self.assertEqual(packet[IP].dst, self.pg1.remote_ip4)
- self.assertEqual(packet.haslayer(GRE), 1)
- self.assert_packet_checksums_valid(packet)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", packet))
- raise
-
- # out2in
- p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
- IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
- GRE() /
- IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4) /
- TCP(sport=1234, dport=1234))
- self.pg1.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- p = self.pg0.get_capture(1)
- packet = p[0]
- try:
- self.assertEqual(packet[IP].src, self.pg1.remote_ip4)
- self.assertEqual(packet[IP].dst, self.pg0.remote_ip4)
- self.assertEqual(packet.haslayer(GRE), 1)
- self.assert_packet_checksums_valid(packet)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", packet))
- raise
-
- def test_hairpinning_unknown_proto(self):
- """ NAT44 translate packet with unknown protocol - hairpinning """
- host = self.pg0.remote_hosts[0]
- server = self.pg0.remote_hosts[1]
- host_in_port = 1234
- server_out_port = 8765
- server_nat_ip = "10.0.0.11"
-
- self.nat44_add_address(self.nat_addr)
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- flags=flags, is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg1.sw_if_index,
- is_add=1)
-
- # add static mapping for server
- self.nat44_add_static_mapping(server.ip4, server_nat_ip)
-
- # host to server
- p = (Ether(src=host.mac, dst=self.pg0.local_mac) /
- IP(src=host.ip4, dst=server_nat_ip) /
- TCP(sport=host_in_port, dport=server_out_port))
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- self.pg0.get_capture(1)
-
- p = (Ether(dst=self.pg0.local_mac, src=host.mac) /
- IP(src=host.ip4, dst=server_nat_ip) /
- GRE() /
- IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4) /
- TCP(sport=1234, dport=1234))
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- p = self.pg0.get_capture(1)
- packet = p[0]
- try:
- self.assertEqual(packet[IP].src, self.nat_addr)
- self.assertEqual(packet[IP].dst, server.ip4)
- self.assertEqual(packet.haslayer(GRE), 1)
- self.assert_packet_checksums_valid(packet)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", packet))
- raise
-
- # server to host
- p = (Ether(dst=self.pg0.local_mac, src=server.mac) /
- IP(src=server.ip4, dst=self.nat_addr) /
- GRE() /
- IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4) /
- TCP(sport=1234, dport=1234))
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- p = self.pg0.get_capture(1)
- packet = p[0]
- try:
- self.assertEqual(packet[IP].src, server_nat_ip)
- self.assertEqual(packet[IP].dst, host.ip4)
- self.assertEqual(packet.haslayer(GRE), 1)
- self.assert_packet_checksums_valid(packet)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", packet))
- raise
-
- def test_output_feature_and_service(self):
- """ NAT44 interface output feature and services """
- external_addr = '1.2.3.4'
- external_port = 80
- local_port = 8080
-
- self.vapi.nat44_forwarding_enable_disable(enable=1)
- self.nat44_add_address(self.nat_addr)
- flags = self.config_flags.NAT_IS_ADDR_ONLY
- self.vapi.nat44_add_del_identity_mapping(
- ip_address=self.pg1.remote_ip4, sw_if_index=0xFFFFFFFF,
- flags=flags, is_add=1)
- flags = self.config_flags.NAT_IS_OUT2IN_ONLY
- self.nat44_add_static_mapping(self.pg0.remote_ip4, external_addr,
- local_port, external_port,
- proto=IP_PROTOS.tcp, flags=flags)
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- flags=flags, is_add=1)
- self.vapi.nat44_interface_add_del_output_feature(
- is_add=1,
- sw_if_index=self.pg1.sw_if_index)
-
- # from client to service
- p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
- IP(src=self.pg1.remote_ip4, dst=external_addr) /
- TCP(sport=12345, dport=external_port))
- self.pg1.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg0.get_capture(1)
- p = capture[0]
- try:
- ip = p[IP]
- tcp = p[TCP]
- self.assertEqual(ip.dst, self.pg0.remote_ip4)
- self.assertEqual(tcp.dport, local_port)
- self.assert_packet_checksums_valid(p)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- # from service back to client
- p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
- IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
- TCP(sport=local_port, dport=12345))
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg1.get_capture(1)
- p = capture[0]
- try:
- ip = p[IP]
- tcp = p[TCP]
- self.assertEqual(ip.src, external_addr)
- self.assertEqual(tcp.sport, external_port)
- self.assert_packet_checksums_valid(p)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- # from local network host to external network
- pkts = self.create_stream_in(self.pg0, self.pg1)
- self.pg0.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg1.get_capture(len(pkts))
- self.verify_capture_out(capture, ignore_port=True)
- pkts = self.create_stream_in(self.pg0, self.pg1)
- self.pg0.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg1.get_capture(len(pkts))
- self.verify_capture_out(capture, ignore_port=True)
-
- # from external network back to local network host
- pkts = self.create_stream_out(self.pg1)
- self.pg1.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg0.get_capture(len(pkts))
- self.verify_capture_in(capture, self.pg0)
-
- def test_output_feature_and_service2(self):
- """ NAT44 interface output feature and service host direct access """
- self.vapi.nat44_forwarding_enable_disable(enable=1)
- self.nat44_add_address(self.nat_addr)
- self.vapi.nat44_interface_add_del_output_feature(
- is_add=1,
- sw_if_index=self.pg1.sw_if_index)
-
- # session initiated from service host - translate
- pkts = self.create_stream_in(self.pg0, self.pg1)
- self.pg0.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg1.get_capture(len(pkts))
- self.verify_capture_out(capture, ignore_port=True)
-
- pkts = self.create_stream_out(self.pg1)
- self.pg1.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg0.get_capture(len(pkts))
- self.verify_capture_in(capture, self.pg0)
-
- # session initiated from remote host - do not translate
- self.tcp_port_in = 60303
- self.udp_port_in = 60304
- self.icmp_id_in = 60305
- pkts = self.create_stream_out(self.pg1,
- self.pg0.remote_ip4,
- use_inside_ports=True)
- self.pg1.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg0.get_capture(len(pkts))
- self.verify_capture_in(capture, self.pg0)
-
- pkts = self.create_stream_in(self.pg0, self.pg1)
- self.pg0.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg1.get_capture(len(pkts))
- self.verify_capture_out(capture, nat_ip=self.pg0.remote_ip4,
- same_port=True)
-
- def test_output_feature_and_service3(self):
- """ NAT44 interface output feature and DST NAT """
- external_addr = '1.2.3.4'
- external_port = 80
- local_port = 8080
-
- self.vapi.nat44_forwarding_enable_disable(enable=1)
- self.nat44_add_address(self.nat_addr)
- flags = self.config_flags.NAT_IS_OUT2IN_ONLY
- self.nat44_add_static_mapping(self.pg1.remote_ip4, external_addr,
- local_port, external_port,
- proto=IP_PROTOS.tcp, flags=flags)
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- flags=flags, is_add=1)
- self.vapi.nat44_interface_add_del_output_feature(
- is_add=1,
- sw_if_index=self.pg1.sw_if_index)
-
- p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
- IP(src=self.pg0.remote_ip4, dst=external_addr) /
- TCP(sport=12345, dport=external_port))
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg1.get_capture(1)
- p = capture[0]
- try:
- ip = p[IP]
- tcp = p[TCP]
- self.assertEqual(ip.src, self.pg0.remote_ip4)
- self.assertEqual(tcp.sport, 12345)
- self.assertEqual(ip.dst, self.pg1.remote_ip4)
- self.assertEqual(tcp.dport, local_port)
- self.assert_packet_checksums_valid(p)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
- IP(src=self.pg1.remote_ip4, dst=self.pg0.remote_ip4) /
- TCP(sport=local_port, dport=12345))
- self.pg1.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg0.get_capture(1)
- p = capture[0]
- try:
- ip = p[IP]
- tcp = p[TCP]
- self.assertEqual(ip.src, external_addr)
- self.assertEqual(tcp.sport, external_port)
- self.assertEqual(ip.dst, self.pg0.remote_ip4)
- self.assertEqual(tcp.dport, 12345)
- self.assert_packet_checksums_valid(p)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- def test_next_src_nat(self):
- """ On way back forward packet to nat44-in2out node. """
- twice_nat_addr = '10.0.1.3'
- external_port = 80
- local_port = 8080
- post_twice_nat_port = 0
-
- self.vapi.nat44_forwarding_enable_disable(enable=1)
- self.nat44_add_address(twice_nat_addr, twice_nat=1)
- flags = (self.config_flags.NAT_IS_OUT2IN_ONLY |
- self.config_flags.NAT_IS_SELF_TWICE_NAT)
- self.nat44_add_static_mapping(self.pg6.remote_ip4, self.pg1.remote_ip4,
- local_port, external_port,
- proto=IP_PROTOS.tcp, vrf_id=1,
- flags=flags)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg6.sw_if_index,
- is_add=1)
-
- p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) /
- IP(src=self.pg6.remote_ip4, dst=self.pg1.remote_ip4) /
- TCP(sport=12345, dport=external_port))
- self.pg6.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg6.get_capture(1)
- p = capture[0]
- try:
- ip = p[IP]
- tcp = p[TCP]
- self.assertEqual(ip.src, twice_nat_addr)
- self.assertNotEqual(tcp.sport, 12345)
- post_twice_nat_port = tcp.sport
- self.assertEqual(ip.dst, self.pg6.remote_ip4)
- self.assertEqual(tcp.dport, local_port)
- self.assert_packet_checksums_valid(p)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) /
- IP(src=self.pg6.remote_ip4, dst=twice_nat_addr) /
- TCP(sport=local_port, dport=post_twice_nat_port))
- self.pg6.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg6.get_capture(1)
- p = capture[0]
- try:
- ip = p[IP]
- tcp = p[TCP]
- self.assertEqual(ip.src, self.pg1.remote_ip4)
- self.assertEqual(tcp.sport, external_port)
- self.assertEqual(ip.dst, self.pg6.remote_ip4)
- self.assertEqual(tcp.dport, 12345)
- self.assert_packet_checksums_valid(p)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- def twice_nat_common(self, self_twice_nat=False, same_pg=False, lb=False,
- client_id=None):
- twice_nat_addr = '10.0.1.3'
-
- port_in = 8080
- if lb:
- if not same_pg:
- port_in1 = port_in
- port_in2 = port_in
- else:
- port_in1 = port_in + 1
- port_in2 = port_in + 2
-
- port_out = 80
- eh_port_out = 4567
-
- server1 = self.pg0.remote_hosts[0]
- server2 = self.pg0.remote_hosts[1]
- if lb and same_pg:
- server2 = server1
- if not lb:
- server = server1
-
- pg0 = self.pg0
- if same_pg:
- pg1 = self.pg0
- else:
- pg1 = self.pg1
-
- eh_translate = ((not self_twice_nat) or (not lb and same_pg) or
- client_id == 1)
-
- self.nat44_add_address(self.nat_addr)
- self.nat44_add_address(twice_nat_addr, twice_nat=1)
-
- flags = 0
- if self_twice_nat:
- flags |= self.config_flags.NAT_IS_SELF_TWICE_NAT
- else:
- flags |= self.config_flags.NAT_IS_TWICE_NAT
-
- if not lb:
- self.nat44_add_static_mapping(pg0.remote_ip4, self.nat_addr,
- port_in, port_out,
- proto=IP_PROTOS.tcp,
- flags=flags)
- else:
- locals = [{'addr': server1.ip4,
- 'port': port_in1,
- 'probability': 50,
- 'vrf_id': 0},
- {'addr': server2.ip4,
- 'port': port_in2,
- 'probability': 50,
- 'vrf_id': 0}]
- out_addr = self.nat_addr
-
- self.vapi.nat44_add_del_lb_static_mapping(is_add=1, flags=flags,
- external_addr=out_addr,
- external_port=port_out,
- protocol=IP_PROTOS.tcp,
- local_num=len(locals),
- locals=locals)
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=pg0.sw_if_index,
- flags=flags, is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=pg1.sw_if_index,
- is_add=1)
-
- if same_pg:
- if not lb:
- client = server
- else:
- assert client_id is not None
- if client_id == 1:
- client = self.pg0.remote_hosts[0]
- elif client_id == 2:
- client = self.pg0.remote_hosts[1]
- else:
- client = pg1.remote_hosts[0]
- p = (Ether(src=pg1.remote_mac, dst=pg1.local_mac) /
- IP(src=client.ip4, dst=self.nat_addr) /
- TCP(sport=eh_port_out, dport=port_out))
- pg1.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = pg0.get_capture(1)
- p = capture[0]
- try:
- ip = p[IP]
- tcp = p[TCP]
- if lb:
- if ip.dst == server1.ip4:
- server = server1
- port_in = port_in1
- else:
- server = server2
- port_in = port_in2
- self.assertEqual(ip.dst, server.ip4)
- if lb and same_pg:
- self.assertIn(tcp.dport, [port_in1, port_in2])
- else:
- self.assertEqual(tcp.dport, port_in)
- if eh_translate:
- self.assertEqual(ip.src, twice_nat_addr)
- self.assertNotEqual(tcp.sport, eh_port_out)
- else:
- self.assertEqual(ip.src, client.ip4)
- self.assertEqual(tcp.sport, eh_port_out)
- eh_addr_in = ip.src
- eh_port_in = tcp.sport
- saved_port_in = tcp.dport
- self.assert_packet_checksums_valid(p)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- p = (Ether(src=server.mac, dst=pg0.local_mac) /
- IP(src=server.ip4, dst=eh_addr_in) /
- TCP(sport=saved_port_in, dport=eh_port_in))
- pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = pg1.get_capture(1)
- p = capture[0]
- try:
- ip = p[IP]
- tcp = p[TCP]
- self.assertEqual(ip.dst, client.ip4)
- self.assertEqual(ip.src, self.nat_addr)
- self.assertEqual(tcp.dport, eh_port_out)
- self.assertEqual(tcp.sport, port_out)
- self.assert_packet_checksums_valid(p)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- if eh_translate:
- sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
- self.assertEqual(len(sessions), 1)
- self.assertTrue(sessions[0].flags &
- self.config_flags.NAT_IS_EXT_HOST_VALID)
- self.assertTrue(sessions[0].flags &
- self.config_flags.NAT_IS_TWICE_NAT)
- self.logger.info(self.vapi.cli("show nat44 sessions detail"))
- self.vapi.nat44_del_session(
- address=sessions[0].inside_ip_address,
- port=sessions[0].inside_port,
- protocol=sessions[0].protocol,
- flags=(self.config_flags.NAT_IS_INSIDE |
- self.config_flags.NAT_IS_EXT_HOST_VALID),
- ext_host_address=sessions[0].ext_host_nat_address,
- ext_host_port=sessions[0].ext_host_nat_port)
- sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
- self.assertEqual(len(sessions), 0)
-
- def test_twice_nat(self):
- """ Twice NAT44 """
- self.twice_nat_common()
-
- def test_self_twice_nat_positive(self):
- """ Self Twice NAT44 (positive test) """
- self.twice_nat_common(self_twice_nat=True, same_pg=True)
-
- def test_self_twice_nat_negative(self):
- """ Self Twice NAT44 (negative test) """
- self.twice_nat_common(self_twice_nat=True)
-
- def test_twice_nat_lb(self):
- """ Twice NAT44 local service load balancing """
- self.twice_nat_common(lb=True)
-
- def test_self_twice_nat_lb_positive(self):
- """ Self Twice NAT44 local service load balancing (positive test) """
- self.twice_nat_common(lb=True, self_twice_nat=True, same_pg=True,
- client_id=1)
-
- def test_self_twice_nat_lb_negative(self):
- """ Self Twice NAT44 local service load balancing (negative test) """
- self.twice_nat_common(lb=True, self_twice_nat=True, same_pg=True,
- client_id=2)
-
- def test_twice_nat_interface_addr(self):
- """ Acquire twice NAT44 addresses from interface """
- flags = self.config_flags.NAT_IS_TWICE_NAT
- self.vapi.nat44_add_del_interface_addr(
- is_add=1,
- sw_if_index=self.pg3.sw_if_index,
- flags=flags)
-
- # no address in NAT pool
- adresses = self.vapi.nat44_address_dump()
- self.assertEqual(0, len(adresses))
-
- # configure interface address and check NAT address pool
- self.pg3.config_ip4()
- adresses = self.vapi.nat44_address_dump()
- self.assertEqual(1, len(adresses))
- self.assertEqual(str(adresses[0].ip_address),
- self.pg3.local_ip4)
- self.assertEqual(adresses[0].flags, flags)
-
- # remove interface address and check NAT address pool
- self.pg3.unconfig_ip4()
- adresses = self.vapi.nat44_address_dump()
- self.assertEqual(0, len(adresses))
-
- def test_tcp_close(self):
- """ Close TCP session from inside network - output feature """
- old_timeouts = self.vapi.nat_get_timeouts()
- new_transitory = 2
- self.vapi.nat_set_timeouts(
- udp=old_timeouts.udp,
- tcp_established=old_timeouts.tcp_established,
- icmp=old_timeouts.icmp,
- tcp_transitory=new_transitory)
-
- self.vapi.nat44_forwarding_enable_disable(enable=1)
- self.nat44_add_address(self.pg1.local_ip4)
- twice_nat_addr = '10.0.1.3'
- service_ip = '192.168.16.150'
- self.nat44_add_address(twice_nat_addr, twice_nat=1)
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- flags=flags, is_add=1)
- self.vapi.nat44_interface_add_del_output_feature(
- is_add=1,
- sw_if_index=self.pg1.sw_if_index)
- flags = (self.config_flags.NAT_IS_OUT2IN_ONLY |
- self.config_flags.NAT_IS_TWICE_NAT)
- self.nat44_add_static_mapping(self.pg0.remote_ip4,
- service_ip,
- 80,
- 80,
- proto=IP_PROTOS.tcp,
- flags=flags)
- sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
- start_sessnum = len(sessions)
-
- # SYN packet out->in
- p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
- IP(src=self.pg1.remote_ip4, dst=service_ip) /
- TCP(sport=33898, dport=80, flags="S"))
- self.pg1.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg0.get_capture(1)
- p = capture[0]
- tcp_port = p[TCP].sport
-
- # SYN + ACK packet in->out
- p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
- IP(src=self.pg0.remote_ip4, dst=twice_nat_addr) /
- TCP(sport=80, dport=tcp_port, flags="SA"))
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- self.pg1.get_capture(1)
-
- # ACK packet out->in
- p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
- IP(src=self.pg1.remote_ip4, dst=service_ip) /
- TCP(sport=33898, dport=80, flags="A"))
- self.pg1.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- self.pg0.get_capture(1)
-
- # FIN packet in -> out
- p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
- IP(src=self.pg0.remote_ip4, dst=twice_nat_addr) /
- TCP(sport=80, dport=tcp_port, flags="FA", seq=100, ack=300))
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- self.pg1.get_capture(1)
-
- # FIN+ACK packet out -> in
- p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
- IP(src=self.pg1.remote_ip4, dst=service_ip) /
- TCP(sport=33898, dport=80, flags="FA", seq=300, ack=101))
- self.pg1.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- self.pg0.get_capture(1)
-
- # ACK packet in -> out
- p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
- IP(src=self.pg0.remote_ip4, dst=twice_nat_addr) /
- TCP(sport=80, dport=tcp_port, flags="A", seq=101, ack=301))
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- self.pg1.get_capture(1)
-
- # session now in transitory timeout
- # try SYN packet out->in - should be dropped
- p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
- IP(src=self.pg1.remote_ip4, dst=service_ip) /
- TCP(sport=33898, dport=80, flags="S"))
- self.pg1.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
-
- self.sleep(new_transitory, "wait for transitory timeout")
- self.pg0.assert_nothing_captured(0)
-
- # session should still exist
- sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
- self.assertEqual(len(sessions) - start_sessnum, 1)
-
- # send FIN+ACK packet out -> in - will cause session to be wiped
- # but won't create a new session
- p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
- IP(src=self.pg1.remote_ip4, dst=service_ip) /
- TCP(sport=33898, dport=80, flags="FA", seq=300, ack=101))
- self.pg1.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
-
- sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
- self.assertEqual(len(sessions) - start_sessnum, 0)
- self.pg0.assert_nothing_captured(0)
-
- def test_tcp_session_close_in(self):
- """ Close TCP session from inside network """
- self.tcp_port_out = 10505
- self.nat44_add_address(self.nat_addr)
- flags = self.config_flags.NAT_IS_TWICE_NAT
- self.nat44_add_static_mapping(self.pg0.remote_ip4,
- self.nat_addr,
- self.tcp_port_in,
- self.tcp_port_out,
- proto=IP_PROTOS.tcp,
- flags=flags)
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- flags=flags, is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg1.sw_if_index,
- is_add=1)
-
- sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
- start_sessnum = len(sessions)
-
- self.vapi.nat_set_timeouts(udp=300, tcp_established=7440,
- tcp_transitory=2, icmp=5)
-
- self.initiate_tcp_session(self.pg0, self.pg1)
-
- # FIN packet in -> out
- p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
- IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
- TCP(sport=self.tcp_port_in, dport=self.tcp_external_port,
- flags="FA", seq=100, ack=300))
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- self.pg1.get_capture(1)
-
- pkts = []
-
- # ACK packet out -> in
- p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
- IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
- TCP(sport=self.tcp_external_port, dport=self.tcp_port_out,
- flags="A", seq=300, ack=101))
- pkts.append(p)
-
- # FIN packet out -> in
- p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
- IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
- TCP(sport=self.tcp_external_port, dport=self.tcp_port_out,
- flags="FA", seq=300, ack=101))
- pkts.append(p)
-
- self.pg1.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- self.pg0.get_capture(2)
-
- # ACK packet in -> out
- p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
- IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
- TCP(sport=self.tcp_port_in, dport=self.tcp_external_port,
- flags="A", seq=101, ack=301))
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- self.pg1.get_capture(1)
-
- sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
- self.assertEqual(len(sessions) - start_sessnum, 1)
-
- stats = self.statistics.get_counter(
- '/err/nat44-ed-out2in/drops due to TCP in transitory timeout')
- out2in_drops = stats[0]
- stats = self.statistics.get_counter(
- '/err/nat44-ed-in2out/drops due to TCP in transitory timeout')
- in2out_drops = stats[0]
-
- # extra FIN packet out -> in - this should be dropped
- p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
- IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
- TCP(sport=self.tcp_external_port, dport=self.tcp_port_out,
- flags="FA", seq=300, ack=101))
-
- self.pg1.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- self.pg0.assert_nothing_captured()
-
- # extra ACK packet in -> out - this should be dropped
- p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
- IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
- TCP(sport=self.tcp_port_in, dport=self.tcp_external_port,
- flags="A", seq=101, ack=301))
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- self.pg1.assert_nothing_captured()
-
- stats = self.statistics.get_counter(
- '/err/nat44-ed-out2in/drops due to TCP in transitory timeout')
- self.assertEqual(stats[0] - out2in_drops, 1)
- stats = self.statistics.get_counter(
- '/err/nat44-ed-in2out/drops due to TCP in transitory timeout')
- self.assertEqual(stats[0] - in2out_drops, 1)
-
- self.sleep(3)
- # extra ACK packet in -> out - this will cause session to be wiped
- p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
- IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
- TCP(sport=self.tcp_port_in, dport=self.tcp_external_port,
- flags="A", seq=101, ack=301))
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- self.pg1.assert_nothing_captured()
- sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
- self.assertEqual(len(sessions) - start_sessnum, 0)
-
- def test_tcp_session_close_out(self):
- """ Close TCP session from outside network """
- self.tcp_port_out = 10505
- self.nat44_add_address(self.nat_addr)
- flags = self.config_flags.NAT_IS_TWICE_NAT
- self.nat44_add_static_mapping(self.pg0.remote_ip4,
- self.nat_addr,
- self.tcp_port_in,
- self.tcp_port_out,
- proto=IP_PROTOS.tcp,
- flags=flags)
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- flags=flags, is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg1.sw_if_index,
- is_add=1)
-
- sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
- start_sessnum = len(sessions)
-
- self.vapi.nat_set_timeouts(udp=300, tcp_established=7440,
- tcp_transitory=2, icmp=5)
-
- self.initiate_tcp_session(self.pg0, self.pg1)
-
- # FIN packet out -> in
- p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
- IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
- TCP(sport=self.tcp_external_port, dport=self.tcp_port_out,
- flags="FA", seq=100, ack=300))
- self.pg1.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- self.pg0.get_capture(1)
-
- # FIN+ACK packet in -> out
- p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
- IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
- TCP(sport=self.tcp_port_in, dport=self.tcp_external_port,
- flags="FA", seq=300, ack=101))
-
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- self.pg1.get_capture(1)
-
- # ACK packet out -> in
- p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
- IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
- TCP(sport=self.tcp_external_port, dport=self.tcp_port_out,
- flags="A", seq=101, ack=301))
- self.pg1.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- self.pg0.get_capture(1)
-
- sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
- self.assertEqual(len(sessions) - start_sessnum, 1)
-
- stats = self.statistics.get_counter(
- '/err/nat44-ed-out2in/drops due to TCP in transitory timeout')
- out2in_drops = stats[0]
- stats = self.statistics.get_counter(
- '/err/nat44-ed-in2out/drops due to TCP in transitory timeout')
- in2out_drops = stats[0]
-
- # extra FIN packet out -> in - this should be dropped
- p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
- IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
- TCP(sport=self.tcp_external_port, dport=self.tcp_port_out,
- flags="FA", seq=300, ack=101))
-
- self.pg1.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- self.pg0.assert_nothing_captured()
-
- # extra ACK packet in -> out - this should be dropped
- p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
- IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
- TCP(sport=self.tcp_port_in, dport=self.tcp_external_port,
- flags="A", seq=101, ack=301))
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- self.pg1.assert_nothing_captured()
-
- stats = self.statistics.get_counter(
- '/err/nat44-ed-out2in/drops due to TCP in transitory timeout')
- self.assertEqual(stats[0] - out2in_drops, 1)
- stats = self.statistics.get_counter(
- '/err/nat44-ed-in2out/drops due to TCP in transitory timeout')
- self.assertEqual(stats[0] - in2out_drops, 1)
-
- self.sleep(3)
- # extra ACK packet in -> out - this will cause session to be wiped
- p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
- IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
- TCP(sport=self.tcp_port_in, dport=self.tcp_external_port,
- flags="A", seq=101, ack=301))
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- self.pg1.assert_nothing_captured()
- sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
- self.assertEqual(len(sessions) - start_sessnum, 0)
-
- def test_tcp_session_close_simultaneous(self):
- """ Close TCP session from inside network """
- self.tcp_port_out = 10505
- self.nat44_add_address(self.nat_addr)
- flags = self.config_flags.NAT_IS_TWICE_NAT
- self.nat44_add_static_mapping(self.pg0.remote_ip4,
- self.nat_addr,
- self.tcp_port_in,
- self.tcp_port_out,
- proto=IP_PROTOS.tcp,
- flags=flags)
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- flags=flags, is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg1.sw_if_index,
- is_add=1)
-
- sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
- start_sessnum = len(sessions)
-
- self.vapi.nat_set_timeouts(udp=300, tcp_established=7440,
- tcp_transitory=2, icmp=5)
-
- self.initiate_tcp_session(self.pg0, self.pg1)
-
- # FIN packet in -> out
- p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
- IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
- TCP(sport=self.tcp_port_in, dport=self.tcp_external_port,
- flags="FA", seq=100, ack=300))
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- self.pg1.get_capture(1)
-
- # FIN packet out -> in
- p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
- IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
- TCP(sport=self.tcp_external_port, dport=self.tcp_port_out,
- flags="FA", seq=300, ack=100))
- self.pg1.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- self.pg0.get_capture(1)
-
- # ACK packet in -> out
- p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
- IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
- TCP(sport=self.tcp_port_in, dport=self.tcp_external_port,
- flags="A", seq=101, ack=301))
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- self.pg1.get_capture(1)
-
- # ACK packet out -> in
- p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
- IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
- TCP(sport=self.tcp_external_port, dport=self.tcp_port_out,
- flags="A", seq=301, ack=101))
- self.pg1.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- self.pg0.get_capture(1)
-
- sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
- self.assertEqual(len(sessions) - start_sessnum, 1)
-
- stats = self.statistics.get_counter(
- '/err/nat44-ed-out2in/drops due to TCP in transitory timeout')
- out2in_drops = stats[0]
- stats = self.statistics.get_counter(
- '/err/nat44-ed-in2out/drops due to TCP in transitory timeout')
- in2out_drops = stats[0]
-
- # extra FIN packet out -> in - this should be dropped
- p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
- IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
- TCP(sport=self.tcp_external_port, dport=self.tcp_port_out,
- flags="FA", seq=300, ack=101))
-
- self.pg1.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- self.pg0.assert_nothing_captured()
-
- # extra ACK packet in -> out - this should be dropped
- p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
- IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
- TCP(sport=self.tcp_port_in, dport=self.tcp_external_port,
- flags="A", seq=101, ack=301))
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- self.pg1.assert_nothing_captured()
-
- stats = self.statistics.get_counter(
- '/err/nat44-ed-out2in/drops due to TCP in transitory timeout')
- self.assertEqual(stats[0] - out2in_drops, 1)
- stats = self.statistics.get_counter(
- '/err/nat44-ed-in2out/drops due to TCP in transitory timeout')
- self.assertEqual(stats[0] - in2out_drops, 1)
-
- self.sleep(3)
- # extra ACK packet in -> out - this will cause session to be wiped
- p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
- IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
- TCP(sport=self.tcp_port_in, dport=self.tcp_external_port,
- flags="A", seq=101, ack=301))
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- self.pg1.assert_nothing_captured()
- sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
- self.assertEqual(len(sessions) - start_sessnum, 0)
-
- def test_one_armed_nat44_static(self):
- """ One armed NAT44 and 1:1 NAPT asymmetrical rule """
- remote_host = self.pg4.remote_hosts[0]
- local_host = self.pg4.remote_hosts[1]
- external_port = 80
- local_port = 8080
- eh_port_in = 0
-
- self.vapi.nat44_forwarding_enable_disable(enable=1)
- self.nat44_add_address(self.nat_addr, twice_nat=1)
- flags = (self.config_flags.NAT_IS_OUT2IN_ONLY |
- self.config_flags.NAT_IS_TWICE_NAT)
- self.nat44_add_static_mapping(local_host.ip4, self.nat_addr,
- local_port, external_port,
- proto=IP_PROTOS.tcp, flags=flags)
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg4.sw_if_index,
- is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg4.sw_if_index,
- flags=flags, is_add=1)
-
- # from client to service
- p = (Ether(src=self.pg4.remote_mac, dst=self.pg4.local_mac) /
- IP(src=remote_host.ip4, dst=self.nat_addr) /
- TCP(sport=12345, dport=external_port))
- self.pg4.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg4.get_capture(1)
- p = capture[0]
- try:
- ip = p[IP]
- tcp = p[TCP]
- self.assertEqual(ip.dst, local_host.ip4)
- self.assertEqual(ip.src, self.nat_addr)
- self.assertEqual(tcp.dport, local_port)
- self.assertNotEqual(tcp.sport, 12345)
- eh_port_in = tcp.sport
- self.assert_packet_checksums_valid(p)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- # from service back to client
- p = (Ether(src=self.pg4.remote_mac, dst=self.pg4.local_mac) /
- IP(src=local_host.ip4, dst=self.nat_addr) /
- TCP(sport=local_port, dport=eh_port_in))
- self.pg4.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg4.get_capture(1)
- p = capture[0]
- try:
- ip = p[IP]
- tcp = p[TCP]
- self.assertEqual(ip.src, self.nat_addr)
- self.assertEqual(ip.dst, remote_host.ip4)
- self.assertEqual(tcp.sport, external_port)
- self.assertEqual(tcp.dport, 12345)
- self.assert_packet_checksums_valid(p)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- def test_static_with_port_out2(self):
- """ 1:1 NAPT asymmetrical rule """
-
- external_port = 80
- local_port = 8080
-
- self.vapi.nat44_forwarding_enable_disable(enable=1)
- flags = self.config_flags.NAT_IS_OUT2IN_ONLY
- self.nat44_add_static_mapping(self.pg0.remote_ip4, self.nat_addr,
- local_port, external_port,
- proto=IP_PROTOS.tcp, flags=flags)
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- flags=flags, is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg1.sw_if_index,
- is_add=1)
-
- # from client to service
- p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
- IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
- TCP(sport=12345, dport=external_port))
- self.pg1.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg0.get_capture(1)
- p = capture[0]
- try:
- ip = p[IP]
- tcp = p[TCP]
- self.assertEqual(ip.dst, self.pg0.remote_ip4)
- self.assertEqual(tcp.dport, local_port)
- self.assert_packet_checksums_valid(p)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- # ICMP error
- p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
- IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
- ICMP(type=11) / capture[0][IP])
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg1.get_capture(1)
- p = capture[0]
- try:
- self.assertEqual(p[IP].src, self.nat_addr)
- inner = p[IPerror]
- self.assertEqual(inner.dst, self.nat_addr)
- self.assertEqual(inner[TCPerror].dport, external_port)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- # from service back to client
- p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
- IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
- TCP(sport=local_port, dport=12345))
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg1.get_capture(1)
- p = capture[0]
- try:
- ip = p[IP]
- tcp = p[TCP]
- self.assertEqual(ip.src, self.nat_addr)
- self.assertEqual(tcp.sport, external_port)
- self.assert_packet_checksums_valid(p)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- # ICMP error
- p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
- IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
- ICMP(type=11) / capture[0][IP])
- self.pg1.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg0.get_capture(1)
- p = capture[0]
- try:
- self.assertEqual(p[IP].dst, self.pg0.remote_ip4)
- inner = p[IPerror]
- self.assertEqual(inner.src, self.pg0.remote_ip4)
- self.assertEqual(inner[TCPerror].sport, local_port)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- # from client to server (no translation)
- p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
- IP(src=self.pg1.remote_ip4, dst=self.pg0.remote_ip4) /
- TCP(sport=12346, dport=local_port))
- self.pg1.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg0.get_capture(1)
- p = capture[0]
- try:
- ip = p[IP]
- tcp = p[TCP]
- self.assertEqual(ip.dst, self.pg0.remote_ip4)
- self.assertEqual(tcp.dport, local_port)
- self.assert_packet_checksums_valid(p)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- # from service back to client (no translation)
- p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
- IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
- TCP(sport=local_port, dport=12346))
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg1.get_capture(1)
- p = capture[0]
- try:
- ip = p[IP]
- tcp = p[TCP]
- self.assertEqual(ip.src, self.pg0.remote_ip4)
- self.assertEqual(tcp.sport, local_port)
- self.assert_packet_checksums_valid(p)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- def test_output_feature(self):
- """ NAT44 interface output feature (in2out postrouting) """
- self.vapi.nat44_forwarding_enable_disable(enable=1)
- self.nat44_add_address(self.nat_addr)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- is_add=1)
- self.vapi.nat44_interface_add_del_output_feature(
- is_add=1,
- sw_if_index=self.pg1.sw_if_index)
-
- # in2out
- pkts = self.create_stream_in(self.pg0, self.pg1)
- self.pg0.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg1.get_capture(len(pkts))
- self.verify_capture_out(capture, ignore_port=True)
-
- # out2in
- pkts = self.create_stream_out(self.pg1)
- self.pg1.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg0.get_capture(len(pkts))
- self.verify_capture_in(capture, self.pg0)
-
- def test_output_feature_stateful_acl(self):
- """ NAT44 endpoint-dependent output feature works with stateful ACL """
- self.nat44_add_address(self.nat_addr)
- self.vapi.nat44_interface_add_del_output_feature(
- sw_if_index=self.pg0.sw_if_index,
- flags=self.config_flags.NAT_IS_INSIDE,
- is_add=1)
- self.vapi.nat44_interface_add_del_output_feature(
- sw_if_index=self.pg1.sw_if_index,
- flags=self.config_flags.NAT_IS_OUTSIDE,
- is_add=1)
-
- # First ensure that the NAT is working sans ACL
-
- # send packets out2in, no sessions yet so packets should drop
- pkts_out2in = self.create_stream_out(self.pg1)
- self.send_and_assert_no_replies(self.pg1, pkts_out2in)
-
- # send packets into inside intf, ensure received via outside intf
- pkts_in2out = self.create_stream_in(self.pg0, self.pg1)
- capture = self.send_and_expect(self.pg0, pkts_in2out, self.pg1,
- len(pkts_in2out))
- self.verify_capture_out(capture, ignore_port=True)
-
- # send out2in again, with sessions created it should work now
- pkts_out2in = self.create_stream_out(self.pg1)
- capture = self.send_and_expect(self.pg1, pkts_out2in, self.pg0,
- len(pkts_out2in))
- self.verify_capture_in(capture, self.pg0)
-
- # Create an ACL blocking everything
- out2in_deny_rule = AclRule(is_permit=0)
- out2in_acl = VppAcl(self, rules=[out2in_deny_rule])
- out2in_acl.add_vpp_config()
-
- # create an ACL to permit/reflect everything
- in2out_reflect_rule = AclRule(is_permit=2)
- in2out_acl = VppAcl(self, rules=[in2out_reflect_rule])
- in2out_acl.add_vpp_config()
-
- # apply as input acl on interface and confirm it blocks everything
- acl_if = VppAclInterface(self, sw_if_index=self.pg1.sw_if_index,
- n_input=1, acls=[out2in_acl])
- acl_if.add_vpp_config()
- self.send_and_assert_no_replies(self.pg1, pkts_out2in)
-
- # apply output acl
- acl_if.acls = [out2in_acl, in2out_acl]
- acl_if.add_vpp_config()
- # send in2out to generate ACL state (NAT state was created earlier)
- capture = self.send_and_expect(self.pg0, pkts_in2out, self.pg1,
- len(pkts_in2out))
- self.verify_capture_out(capture, ignore_port=True)
-
- # send out2in again. ACL state exists so it should work now.
- # TCP packets with the syn flag set also need the ack flag
- for p in pkts_out2in:
- if p.haslayer(TCP) and p[TCP].flags & 0x02:
- p[TCP].flags |= 0x10
- capture = self.send_and_expect(self.pg1, pkts_out2in, self.pg0,
- len(pkts_out2in))
- self.verify_capture_in(capture, self.pg0)
- self.logger.info(self.vapi.cli("show trace"))
-
- def test_multiple_vrf(self):
- """ Multiple VRF setup """
- external_addr = '1.2.3.4'
- external_port = 80
- local_port = 8080
- port = 0
-
- self.vapi.nat44_forwarding_enable_disable(enable=1)
- self.nat44_add_address(self.nat_addr)
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- is_add=1, flags=flags)
- self.vapi.nat44_interface_add_del_output_feature(
- sw_if_index=self.pg1.sw_if_index,
- is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg5.sw_if_index,
- is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg5.sw_if_index,
- is_add=1, flags=flags)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg6.sw_if_index,
- is_add=1)
- flags = self.config_flags.NAT_IS_OUT2IN_ONLY
- self.nat44_add_static_mapping(self.pg5.remote_ip4, external_addr,
- local_port, external_port, vrf_id=1,
- proto=IP_PROTOS.tcp, flags=flags)
- self.nat44_add_static_mapping(
- self.pg0.remote_ip4,
- external_sw_if_index=self.pg0.sw_if_index,
- local_port=local_port,
- vrf_id=0,
- external_port=external_port,
- proto=IP_PROTOS.tcp,
- flags=flags
- )
-
- # from client to service (both VRF1)
- p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) /
- IP(src=self.pg6.remote_ip4, dst=external_addr) /
- TCP(sport=12345, dport=external_port))
- self.pg6.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg5.get_capture(1)
- p = capture[0]
- try:
- ip = p[IP]
- tcp = p[TCP]
- self.assertEqual(ip.dst, self.pg5.remote_ip4)
- self.assertEqual(tcp.dport, local_port)
- self.assert_packet_checksums_valid(p)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- # from service back to client (both VRF1)
- p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) /
- IP(src=self.pg5.remote_ip4, dst=self.pg6.remote_ip4) /
- TCP(sport=local_port, dport=12345))
- self.pg5.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg6.get_capture(1)
- p = capture[0]
- try:
- ip = p[IP]
- tcp = p[TCP]
- self.assertEqual(ip.src, external_addr)
- self.assertEqual(tcp.sport, external_port)
- self.assert_packet_checksums_valid(p)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- # dynamic NAT from VRF1 to VRF0 (output-feature)
- p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) /
- IP(src=self.pg5.remote_ip4, dst=self.pg1.remote_ip4) /
- TCP(sport=2345, dport=22))
- self.pg5.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg1.get_capture(1)
- p = capture[0]
- try:
- ip = p[IP]
- tcp = p[TCP]
- self.assertEqual(ip.src, self.nat_addr)
- self.assert_packet_checksums_valid(p)
- port = tcp.sport
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
- IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
- TCP(sport=22, dport=port))
- self.pg1.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg5.get_capture(1)
- p = capture[0]
- try:
- ip = p[IP]
- tcp = p[TCP]
- self.assertEqual(ip.dst, self.pg5.remote_ip4)
- self.assertEqual(tcp.dport, 2345)
- self.assert_packet_checksums_valid(p)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- # from client VRF1 to service VRF0
- p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) /
- IP(src=self.pg6.remote_ip4, dst=self.pg0.local_ip4) /
- TCP(sport=12346, dport=external_port))
- self.pg6.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg0.get_capture(1)
- p = capture[0]
- try:
- ip = p[IP]
- tcp = p[TCP]
- self.assertEqual(ip.dst, self.pg0.remote_ip4)
- self.assertEqual(tcp.dport, local_port)
- self.assert_packet_checksums_valid(p)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- # from service VRF0 back to client VRF1
- p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
- IP(src=self.pg0.remote_ip4, dst=self.pg6.remote_ip4) /
- TCP(sport=local_port, dport=12346))
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg6.get_capture(1)
- p = capture[0]
- try:
- ip = p[IP]
- tcp = p[TCP]
- self.assertEqual(ip.src, self.pg0.local_ip4)
- self.assertEqual(tcp.sport, external_port)
- self.assert_packet_checksums_valid(p)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- # from client VRF0 to service VRF1
- p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
- IP(src=self.pg0.remote_ip4, dst=external_addr) /
- TCP(sport=12347, dport=external_port))
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg5.get_capture(1)
- p = capture[0]
- try:
- ip = p[IP]
- tcp = p[TCP]
- self.assertEqual(ip.dst, self.pg5.remote_ip4)
- self.assertEqual(tcp.dport, local_port)
- self.assert_packet_checksums_valid(p)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- # from service VRF1 back to client VRF0
- p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) /
- IP(src=self.pg5.remote_ip4, dst=self.pg0.remote_ip4) /
- TCP(sport=local_port, dport=12347))
- self.pg5.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg0.get_capture(1)
- p = capture[0]
- try:
- ip = p[IP]
- tcp = p[TCP]
- self.assertEqual(ip.src, external_addr)
- self.assertEqual(tcp.sport, external_port)
- self.assert_packet_checksums_valid(p)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- # from client to server (both VRF1, no translation)
- p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) /
- IP(src=self.pg6.remote_ip4, dst=self.pg5.remote_ip4) /
- TCP(sport=12348, dport=local_port))
- self.pg6.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg5.get_capture(1)
- p = capture[0]
- try:
- ip = p[IP]
- tcp = p[TCP]
- self.assertEqual(ip.dst, self.pg5.remote_ip4)
- self.assertEqual(tcp.dport, local_port)
- self.assert_packet_checksums_valid(p)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- # from server back to client (both VRF1, no translation)
- p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) /
- IP(src=self.pg5.remote_ip4, dst=self.pg6.remote_ip4) /
- TCP(sport=local_port, dport=12348))
- self.pg5.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg6.get_capture(1)
- p = capture[0]
- try:
- ip = p[IP]
- tcp = p[TCP]
- self.assertEqual(ip.src, self.pg5.remote_ip4)
- self.assertEqual(tcp.sport, local_port)
- self.assert_packet_checksums_valid(p)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- # from client VRF1 to server VRF0 (no translation)
- p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
- IP(src=self.pg0.remote_ip4, dst=self.pg6.remote_ip4) /
- TCP(sport=local_port, dport=12349))
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg6.get_capture(1)
- p = capture[0]
- try:
- ip = p[IP]
- tcp = p[TCP]
- self.assertEqual(ip.src, self.pg0.remote_ip4)
- self.assertEqual(tcp.sport, local_port)
- self.assert_packet_checksums_valid(p)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- # from server VRF0 back to client VRF1 (no translation)
- p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
- IP(src=self.pg0.remote_ip4, dst=self.pg6.remote_ip4) /
- TCP(sport=local_port, dport=12349))
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg6.get_capture(1)
- p = capture[0]
- try:
- ip = p[IP]
- tcp = p[TCP]
- self.assertEqual(ip.src, self.pg0.remote_ip4)
- self.assertEqual(tcp.sport, local_port)
- self.assert_packet_checksums_valid(p)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- # from client VRF0 to server VRF1 (no translation)
- p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
- IP(src=self.pg0.remote_ip4, dst=self.pg5.remote_ip4) /
- TCP(sport=12344, dport=local_port))
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg5.get_capture(1)
- p = capture[0]
- try:
- ip = p[IP]
- tcp = p[TCP]
- self.assertEqual(ip.dst, self.pg5.remote_ip4)
- self.assertEqual(tcp.dport, local_port)
- self.assert_packet_checksums_valid(p)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- # from server VRF1 back to client VRF0 (no translation)
- p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) /
- IP(src=self.pg5.remote_ip4, dst=self.pg0.remote_ip4) /
- TCP(sport=local_port, dport=12344))
- self.pg5.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg0.get_capture(1)
- p = capture[0]
- try:
- ip = p[IP]
- tcp = p[TCP]
- self.assertEqual(ip.src, self.pg5.remote_ip4)
- self.assertEqual(tcp.sport, local_port)
- self.assert_packet_checksums_valid(p)
- except:
- self.logger.error(ppp("Unexpected or invalid packet:", p))
- raise
-
- def test_session_rst_timeout(self):
- """ NAT44 session RST timeouts """
- self.nat44_add_address(self.nat_addr)
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- flags=flags, is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg1.sw_if_index,
- is_add=1)
- self.vapi.nat_set_timeouts(udp=300, tcp_established=7440,
- tcp_transitory=5, icmp=60)
-
- self.initiate_tcp_session(self.pg0, self.pg1)
- p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
- IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
- TCP(sport=self.tcp_port_in, dport=self.tcp_external_port,
- flags="R"))
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- self.pg1.get_capture(1)
-
- sleep(6)
-
- p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
- IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
- TCP(sport=self.tcp_port_in + 1, dport=self.tcp_external_port + 1,
- flags="S"))
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- self.pg1.get_capture(1)
-
- def test_syslog_sess(self):
- """ Test syslog session creation and deletion """
- self.vapi.syslog_set_filter(
- self.SYSLOG_SEVERITY.SYSLOG_API_SEVERITY_INFO)
- self.vapi.syslog_set_sender(self.pg2.local_ip4, self.pg2.remote_ip4)
- self.nat44_add_address(self.nat_addr)
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- flags=flags, is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg1.sw_if_index,
- is_add=1)
-
- p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
- IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
- TCP(sport=self.tcp_port_in, dport=self.tcp_external_port))
- self.pg0.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg1.get_capture(1)
- self.tcp_port_out = capture[0][TCP].sport
- capture = self.pg2.get_capture(1)
- self.verify_syslog_sess(capture[0][Raw].load)
-
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- self.nat44_add_address(self.nat_addr, is_add=0)
- capture = self.pg2.get_capture(1)
- self.verify_syslog_sess(capture[0][Raw].load, False)
-
- def test_ed_users_dump(self):
- """ API test - nat44_user_dump """
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- flags=flags, is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg1.sw_if_index,
- is_add=1)
- self.vapi.nat44_forwarding_enable_disable(enable=1)
-
- real_ip = self.pg0.remote_ip4
- alias_ip = self.nat_addr
- flags = self.config_flags.NAT_IS_ADDR_ONLY
- self.vapi.nat44_add_del_static_mapping(is_add=1,
- local_ip_address=real_ip,
- external_ip_address=alias_ip,
- external_sw_if_index=0xFFFFFFFF,
- flags=flags)
-
- users = self.vapi.nat44_user_dump()
- self.assertEqual(len(users), 0)
- try:
- # in2out - static mapping match
-
- pkts = self.create_stream_out(self.pg1)
- self.pg1.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg0.get_capture(len(pkts))
- self.verify_capture_in(capture, self.pg0)
-
- pkts = self.create_stream_in(self.pg0, self.pg1)
- self.pg0.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg1.get_capture(len(pkts))
- self.verify_capture_out(capture, same_port=True)
-
- users = self.vapi.nat44_user_dump()
- self.assertEqual(len(users), 1)
- static_user = users[0]
- self.assertEqual(static_user.nstaticsessions, 3)
- self.assertEqual(static_user.nsessions, 0)
-
- # in2out - no static mapping match
-
- host0 = self.pg0.remote_hosts[0]
- self.pg0.remote_hosts[0] = self.pg0.remote_hosts[1]
- try:
- pkts = self.create_stream_out(self.pg1,
- dst_ip=self.pg0.remote_ip4,
- use_inside_ports=True)
- self.pg1.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg0.get_capture(len(pkts))
- self.verify_capture_in(capture, self.pg0)
-
- pkts = self.create_stream_in(self.pg0, self.pg1)
- self.pg0.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg1.get_capture(len(pkts))
- self.verify_capture_out(capture, nat_ip=self.pg0.remote_ip4,
- same_port=True)
- finally:
- self.pg0.remote_hosts[0] = host0
-
- users = self.vapi.nat44_user_dump()
- self.assertEqual(len(users), 2)
- if str(users[0].ip_address) == self.pg0.remote_hosts[0].ip4:
- non_static_user = users[1]
- static_user = users[0]
- else:
- non_static_user = users[0]
- static_user = users[1]
- self.assertEqual(static_user.nstaticsessions, 3)
- self.assertEqual(static_user.nsessions, 0)
- self.assertEqual(non_static_user.nstaticsessions, 0)
- self.assertEqual(non_static_user.nsessions, 3)
-
- users = self.vapi.nat44_user_dump()
- self.assertEqual(len(users), 2)
- if str(users[0].ip_address) == self.pg0.remote_hosts[0].ip4:
- non_static_user = users[1]
- static_user = users[0]
- else:
- non_static_user = users[0]
- static_user = users[1]
- self.assertEqual(static_user.nstaticsessions, 3)
- self.assertEqual(static_user.nsessions, 0)
- self.assertEqual(non_static_user.nstaticsessions, 0)
- self.assertEqual(non_static_user.nsessions, 3)
-
- finally:
- self.vapi.nat44_forwarding_enable_disable(enable=0)
- flags = self.config_flags.NAT_IS_ADDR_ONLY
- self.vapi.nat44_add_del_static_mapping(
- is_add=0,
- local_ip_address=real_ip,
- external_ip_address=alias_ip,
- external_sw_if_index=0xFFFFFFFF,
- flags=flags)
-
- def show_commands_at_teardown(self):
- self.logger.info(self.vapi.cli("show errors"))
- self.logger.info(self.vapi.cli("show nat44 addresses"))
- self.logger.info(self.vapi.cli("show nat44 interfaces"))
- self.logger.info(self.vapi.cli("show nat44 static mappings"))
- self.logger.info(self.vapi.cli("show nat44 interface address"))
- self.logger.info(self.vapi.cli("show nat44 sessions detail"))
- self.logger.info(self.vapi.cli("show nat44 hash tables detail"))
- self.logger.info(self.vapi.cli("show nat timeouts"))
- self.logger.info(self.vapi.cli("debug nat44 fib registration"))
-
-
-class TestNAT44EndpointDependent3(MethodHolder):
- """ Endpoint-Dependent mapping and filtering extra test cases """
-
- max_translations = 50
-
- @classmethod
- def setUpClass(cls):
- super(TestNAT44EndpointDependent3, cls).setUpClass()
- cls.vapi.cli("set log class nat level debug")
-
- cls.nat_addr = '10.0.0.3'
-
- cls.create_pg_interfaces(range(2))
-
- for i in cls.pg_interfaces:
- i.admin_up()
- i.config_ip4()
- i.resolve_arp()
-
- def setUp(self):
- super(TestNAT44EndpointDependent3, self).setUp()
- flags = self.nat44_config_flags.NAT44_IS_ENDPOINT_DEPENDENT
- self.vapi.nat44_plugin_enable_disable(
- sessions=self.max_translations,
- flags=flags, enable=1)
- self.vapi.nat_set_timeouts(
- udp=1, tcp_established=7440, tcp_transitory=30, icmp=1)
-
- self.nat44_add_address(self.nat_addr)
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index, flags=flags, is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg1.sw_if_index, is_add=1)
-
- @classmethod
- def tearDownClass(cls):
- super(TestNAT44EndpointDependent3, cls).tearDownClass()
-
- def tearDown(self):
- super(TestNAT44EndpointDependent3, self).tearDown()
- if not self.vpp_dead:
- self.vapi.nat44_plugin_enable_disable(enable=0)
- self.vapi.cli("clear logging")
-
- def init_tcp_session(self, in_if, out_if, sport, ext_dport):
- # SYN packet in->out
- p = (Ether(src=in_if.remote_mac, dst=in_if.local_mac) /
- IP(src=in_if.remote_ip4, dst=out_if.remote_ip4) /
- TCP(sport=sport, dport=ext_dport, flags="S"))
- in_if.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = out_if.get_capture(1)
- p = capture[0]
- tcp_port_out = p[TCP].sport
-
- # SYN + ACK packet out->in
- p = (Ether(src=out_if.remote_mac, dst=out_if.local_mac) /
- IP(src=out_if.remote_ip4, dst=self.nat_addr) /
- TCP(sport=ext_dport, dport=tcp_port_out, flags="SA"))
- out_if.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- in_if.get_capture(1)
-
- # ACK packet in->out
- p = (Ether(src=in_if.remote_mac, dst=in_if.local_mac) /
- IP(src=in_if.remote_ip4, dst=out_if.remote_ip4) /
- TCP(sport=sport, dport=ext_dport, flags="A"))
- in_if.add_stream(p)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- out_if.get_capture(1)
-
- return tcp_port_out
-
- def test_lru_cleanup(self):
- """ LRU cleanup algorithm """
- tcp_port_out = self.init_tcp_session(self.pg0, self.pg1, 2000, 80)
- pkts = []
- for i in range(0, self.max_translations - 1):
- p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
- IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4, ttl=64) /
- UDP(sport=7000+i, dport=80))
- pkts.append(p)
-
- self.pg0.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- self.pg1.get_capture(len(pkts))
- self.sleep(1.5, "wait for timeouts")
-
- pkts = []
- for i in range(0, self.max_translations - 1):
- p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
- IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4, ttl=64) /
- ICMP(id=8000+i, type='echo-request'))
- pkts.append(p)
-
- self.pg0.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- self.pg1.get_capture(len(pkts))
-
-
class TestNAT44Out2InDPO(MethodHolder):
- """ NAT44 Test Cases using out2in DPO """
+ """ NAT44EI Test Cases using out2in DPO """
@classmethod
def setUpClass(cls):
@@ -7195,10 +3734,6 @@ class TestNAT44Out2InDPO(MethodHolder):
register=False)
r1.add_vpp_config()
- @classmethod
- def tearDownClass(cls):
- super(TestNAT44Out2InDPO, cls).tearDownClass()
-
def setUp(self):
super(TestNAT44Out2InDPO, self).setUp()
flags = self.nat44_config_flags.NAT44_API_IS_OUT2IN_DPO
@@ -7225,7 +3760,7 @@ class TestNAT44Out2InDPO(MethodHolder):
@unittest.skip('Temporary disabled')
def test_464xlat_ce(self):
- """ Test 464XLAT CE with NAT44 """
+ """ Test 464XLAT CE with NAT44EI """
nat_config = self.vapi.nat_show_config()
self.assertEqual(1, nat_config.out2in_dpo)
@@ -7272,7 +3807,7 @@ class TestNAT44Out2InDPO(MethodHolder):
@unittest.skip('Temporary disabled')
def test_464xlat_ce_no_nat(self):
- """ Test 464XLAT CE without NAT44 """
+ """ Test 464XLAT CE without NAT44EI """
self.configure_xlat()