From 0891b6aa449cca525b61d0cc23759b2efcd158dc Mon Sep 17 00:00:00 2001 From: Fahad Naeem Date: Tue, 10 May 2022 01:03:52 -0500 Subject: pnat: add support to wildcard IP Protocol field if not specified - add pnat_binding_add_v2 which explicitly requires match mask to set to PNAT_PROTO if we want to match on IP Protocol - fix pnat_binding_add backward compatibility i.e. no need to set match mast to PNAT_PROTO Type: improvement Signed-off-by: Fahad Naeem Change-Id: I5a23244be55b7d4c10552c555881527a4b2f325f --- src/plugins/nat/pnat/pnat.api | 18 ++++++++ src/plugins/nat/pnat/pnat.c | 4 +- src/plugins/nat/pnat/pnat_api.c | 15 +++++++ src/plugins/nat/pnat/pnat_cli.c | 6 +-- test/test_pnat.py | 99 +++++++++++++++++++++++++++++++++++++++++ 5 files changed, 138 insertions(+), 4 deletions(-) diff --git a/src/plugins/nat/pnat/pnat.api b/src/plugins/nat/pnat/pnat.api index b6632159d7c..de555c41412 100644 --- a/src/plugins/nat/pnat/pnat.api +++ b/src/plugins/nat/pnat/pnat.api @@ -26,6 +26,7 @@ enum pnat_mask PNAT_DPORT = 0x8, PNAT_COPY_BYTE = 0x10, PNAT_CLEAR_BYTE = 0x20, + PNAT_PROTO = 0x40, }; enum pnat_attachment_point @@ -65,6 +66,7 @@ autoendian define pnat_binding_add vl_api_pnat_rewrite_tuple_t rewrite; }; + autoendian define pnat_binding_add_reply { u32 context; @@ -72,6 +74,22 @@ autoendian define pnat_binding_add_reply u32 binding_index; }; +autoendian define pnat_binding_add_v2 +{ + u32 client_index; + u32 context; + vl_api_pnat_match_tuple_t match; + vl_api_pnat_rewrite_tuple_t rewrite; +}; + + +autoendian define pnat_binding_add_v2_reply +{ + u32 context; + i32 retval; + u32 binding_index; +}; + autoendian autoreply define pnat_binding_del { u32 client_index; diff --git a/src/plugins/nat/pnat/pnat.c b/src/plugins/nat/pnat/pnat.c index 547b063f286..2b4a6b49e96 100644 --- a/src/plugins/nat/pnat/pnat.c +++ b/src/plugins/nat/pnat/pnat.c @@ -56,7 +56,9 @@ static pnat_mask_fast_t pnat_mask2fast(pnat_mask_t lookup_mask) { m.as_u64[0] = 0xffffffff00000000; if (lookup_mask & PNAT_DA) m.as_u64[0] |= 0x00000000ffffffff; - m.as_u64[1] = 0xffffffff00000000; + m.as_u64[1] = 0x00ffffff00000000; + if (lookup_mask & PNAT_PROTO) + m.as_u64[1] |= 0xff00000000000000; if (lookup_mask & PNAT_SPORT) m.as_u64[1] |= 0x00000000ffff0000; if (lookup_mask & PNAT_DPORT) diff --git a/src/plugins/nat/pnat/pnat_api.c b/src/plugins/nat/pnat/pnat_api.c index 35a73955b33..02e61219d1e 100644 --- a/src/plugins/nat/pnat/pnat_api.c +++ b/src/plugins/nat/pnat/pnat_api.c @@ -36,11 +36,26 @@ static void vl_api_pnat_binding_add_t_handler(vl_api_pnat_binding_add_t *mp) { pnat_main_t *pm = &pnat_main; vl_api_pnat_binding_add_reply_t *rmp; u32 binding_index; + + // for backward compatibility + if (mp->match.proto == 0) + mp->match.mask |= PNAT_PROTO; + int rv = pnat_binding_add(&mp->match, &mp->rewrite, &binding_index); REPLY_MACRO2_END(VL_API_PNAT_BINDING_ADD_REPLY, ({ rmp->binding_index = binding_index; })); } +static void +vl_api_pnat_binding_add_v2_t_handler(vl_api_pnat_binding_add_t *mp) { + pnat_main_t *pm = &pnat_main; + vl_api_pnat_binding_add_reply_t *rmp; + u32 binding_index; + int rv = pnat_binding_add(&mp->match, &mp->rewrite, &binding_index); + REPLY_MACRO2_END(VL_API_PNAT_BINDING_ADD_V2_REPLY, + ({ rmp->binding_index = binding_index; })); +} + static void vl_api_pnat_binding_attach_t_handler(vl_api_pnat_binding_attach_t *mp) { pnat_main_t *pm = &pnat_main; diff --git a/src/plugins/nat/pnat/pnat_cli.c b/src/plugins/nat/pnat/pnat_cli.c index 082f0778acb..ce9beee540d 100644 --- a/src/plugins/nat/pnat/pnat_cli.c +++ b/src/plugins/nat/pnat/pnat_cli.c @@ -122,6 +122,8 @@ uword unformat_pnat_match_tuple(unformat_input_t *input, va_list *args) { t->mask |= PNAT_SA; else if (unformat(input, "dst %U", unformat_ip4_address, &t->dst)) t->mask |= PNAT_DA; + else if (unformat(input, "proto %U", unformat_ip_protocol, &t->proto)) + t->mask |= PNAT_PROTO; else if (unformat(input, "sport %d", &sport)) { if (sport == 0 || sport > 65535) return 0; @@ -132,9 +134,7 @@ uword unformat_pnat_match_tuple(unformat_input_t *input, va_list *args) { return 0; t->mask |= PNAT_DPORT; t->dport = dport; - } else if (unformat(input, "proto %U", unformat_ip_protocol, &t->proto)) - ; - else + } else break; } return 1; diff --git a/test/test_pnat.py b/test/test_pnat.py index faf66e6ed53..2bf34052325 100644 --- a/test/test_pnat.py +++ b/test/test_pnat.py @@ -242,6 +242,105 @@ class TestPNAT(VppTestCase): ) self.vapi.pnat_binding_del(binding_index=binding_index[i]) + def test_pnat_wildcard_proto(self): + """ + PNAT test wildcard IP protocol, PNAT_PROTO for mask should be set by + handler + """ + + PNAT_IP4_INPUT = VppEnum.vl_api_pnat_attachment_point_t.PNAT_IP4_INPUT + PNAT_IP4_OUTPUT = \ + VppEnum.vl_api_pnat_attachment_point_t.PNAT_IP4_OUTPUT + + tests = [ + { + 'input': PNAT_IP4_INPUT, + 'sw_if_index': self.pg0.sw_if_index, + 'match': {'mask': 0x2, 'dst': '10.10.10.10'}, + 'rewrite': {'mask': 0x2, 'dst': self.pg1.remote_ip4}, + 'send': (IP(src=self.pg0.remote_ip4, dst='10.10.10.10')), + 'reply': (IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)) + }, + { + 'input': PNAT_IP4_OUTPUT, + 'sw_if_index': self.pg1.sw_if_index, + 'match': {'mask': 0x1, 'src': self.pg0.remote_ip4}, + 'rewrite': {'mask': 0x1, 'src': '11.11.11.11'}, + 'send': (IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)), + 'reply': (IP(src='11.11.11.11', dst=self.pg1.remote_ip4)) + }, + ] + + p_ether = Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) + for t in tests: + rv = self.vapi.pnat_binding_add(match=t['match'], + rewrite=t['rewrite']) + self.vapi.pnat_binding_attach(sw_if_index=t['sw_if_index'], + attachment=t['input'], + binding_index=rv.binding_index) + + reply = t['reply'] + reply[IP].ttl -= 1 + rx = self.send_and_expect(self.pg0, p_ether / t['send'] * 1, + self.pg1) + for p in rx: + self.validate(p[1], reply) + + self.ping_check() + + self.vapi.pnat_binding_detach(sw_if_index=t['sw_if_index'], + attachment=t['input'], + binding_index=rv.binding_index) + self.vapi.pnat_binding_del(binding_index=rv.binding_index) + + def test_pnat_wildcard_proto_v2(self): + """ PNAT test wildcard IP protocol using pnat_binding_add_v2""" + + PNAT_IP4_INPUT = VppEnum.vl_api_pnat_attachment_point_t.PNAT_IP4_INPUT + PNAT_IP4_OUTPUT = \ + VppEnum.vl_api_pnat_attachment_point_t.PNAT_IP4_OUTPUT + + tests = [ + { + 'input': PNAT_IP4_INPUT, + 'sw_if_index': self.pg0.sw_if_index, + 'match': {'mask': 0x42, 'dst': '10.10.10.10'}, + 'rewrite': {'mask': 0x42, 'dst': self.pg1.remote_ip4}, + 'send': (IP(src=self.pg0.remote_ip4, dst='10.10.10.10')), + 'reply': (IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)) + }, + { + 'input': PNAT_IP4_OUTPUT, + 'sw_if_index': self.pg1.sw_if_index, + 'match': {'mask': 0x41, 'src': self.pg0.remote_ip4}, + 'rewrite': {'mask': 0x41, 'src': '11.11.11.11'}, + 'send': (IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)), + 'reply': (IP(src='11.11.11.11', dst=self.pg1.remote_ip4)) + }, + ] + + p_ether = Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) + for t in tests: + rv = self.vapi.pnat_binding_add_v2(match=t['match'], + rewrite=t['rewrite']) + self.vapi.pnat_binding_attach(sw_if_index=t['sw_if_index'], + attachment=t['input'], + binding_index=rv.binding_index) + + reply = t['reply'] + reply[IP].ttl -= 1 + rx = self.send_and_expect(self.pg0, p_ether / t['send'] * 1, + self.pg1) + for p in rx: + self.validate(p[1], reply) + + self.ping_check() + + self.vapi.pnat_binding_detach(sw_if_index=t['sw_if_index'], + attachment=t['input'], + binding_index=rv.binding_index) + self.vapi.pnat_binding_del(binding_index=rv.binding_index) + if __name__ == "__main__": unittest.main(testRunner=VppTestRunner) -- cgit 1.2.3-korg