#!/usr/bin/env python3 import unittest from io import BytesIO from random import randint, choice import re import scapy.compat from framework import VppTestCase, VppLoInterface from asfframework import VppTestRunner, tag_fixme_ubuntu2204, is_distro_ubuntu2204 from scapy.data import IP_PROTOS from scapy.layers.inet import IP, TCP, UDP, ICMP, GRE from scapy.layers.inet import IPerror, TCPerror from scapy.layers.l2 import Ether from scapy.packet import Raw from statistics import variance from syslog_rfc5424_parser import SyslogMessage, ParseError from syslog_rfc5424_parser.constants import SyslogSeverity from util import ppp, pr, ip4_range from vpp_acl import AclRule, VppAcl, VppAclInterface from vpp_ip_route import VppIpRoute, VppRoutePath from vpp_papi import VppEnum from util import StatsDiff class TestNAT44ED(VppTestCase): """NAT44ED Test Case""" nat_addr = "10.0.10.3" tcp_port_in = 6303 tcp_port_out = 6303 udp_port_in = 6304 udp_port_out = 6304 icmp_id_in = 6305 icmp_id_out = 6305 tcp_external_port = 80 max_sessions = 100 def setUp(self): super().setUp() self.plugin_enable() def tearDown(self): super().tearDown() if not self.vpp_dead: self.plugin_disable() def plugin_enable(self, max_sessions=None): max_sessions = max_sessions or self.max_sessions self.vapi.nat44_ed_plugin_enable_disable(sessions=max_sessions, enable=1) def plugin_disable(self): self.vapi.nat44_ed_plugin_enable_disable(enable=0) @property def config_flags(self): return VppEnum.vl_api_nat_config_flags_t @property def nat44_config_flags(self): return VppEnum.vl_api_nat44_config_flags_t @property def syslog_severity(self): return VppEnum.vl_api_syslog_severity_t @property def server_addr(self): return self.pg1.remote_hosts[0].ip4 @staticmethod def random_port(): return randint(1024, 65535) @staticmethod def proto2layer(proto): if proto == IP_PROTOS.tcp: return TCP elif proto == IP_PROTOS.udp: return UDP elif proto == IP_PROTOS.icmp: return ICMP else: raise Exception("Unsupported protocol") @classmethod def create_and_add_ip4_table(cls, i, table_id=0): cls.vapi.ip_table_add_del(is_add=1, table={"table_id": table_id}) i.set_table_ip4(table_id) @classmethod def configure_ip4_interface(cls, i, hosts=0, table_id=None): if table_id: cls.create_and_add_ip4_table(i, table_id) i.admin_up() i.config_ip4() i.resolve_arp() if hosts: i.generate_remote_hosts(hosts) i.configure_ipv4_neighbors() @classmethod def nat_add_interface_address(cls, i): cls.vapi.nat44_add_del_interface_addr(sw_if_index=i.sw_if_index, is_add=1) def nat_add_inside_interface(self, i): self.vapi.nat44_interface_add_del_feature( flags=self.config_flags.NAT_IS_INSIDE, sw_if_index=i.sw_if_index, is_add=1 ) def nat_add_outside_interface(self, i): self.vapi.nat44_interface_add_del_feature( flags=self.config_flags.NAT_IS_OUTSIDE, sw_if_index=i.sw_if_index, is_add=1 ) def nat_add_address(self, address, twice_nat=0, vrf_id=0xFFFFFFFF, is_add=1): flags = self.config_flags.NAT_IS_TWICE_NAT if twice_nat else 0 self.vapi.nat44_add_del_address_range( first_ip_address=address, last_ip_address=address, vrf_id=vrf_id, is_add=is_add, flags=flags, ) def nat_add_static_mapping( self, local_ip, external_ip="0.0.0.0", local_port=0, external_port=0, vrf_id=0, is_add=1, external_sw_if_index=0xFFFFFFFF, proto=0, tag="", flags=0, ): if not (local_port and external_port): flags |= self.config_flags.NAT_IS_ADDR_ONLY self.vapi.nat44_add_del_static_mapping( is_add=is_add, local_ip_address=local_ip, external_ip_address=external_ip, external_sw_if_index=external_sw_if_index, local_port=local_port, external_port=external_port, vrf_id=vrf_id, protocol=proto, flags=flags, tag=tag, ) @classmethod def setUpClass(cls): super().setUpClass() if is_distro_ubuntu2204 == True and not hasattr(cls, "vpp"): return cls.create_pg_interfaces(range(12)) cls.interfaces = list(cls.pg_interfaces[:4]) cls.create_and_add_ip4_table(cls.pg2, 10) for i in cls.interfaces: cls.configure_ip4_interface(i, hosts=3) # test specific (test-multiple-vrf) cls.vapi.ip_table_add_del(is_add=1, table={"table_id": 1}) # test specific (test-one-armed-nat44-static) cls.pg4.generate_remote_hosts(2) cls.pg4.config_ip4() cls.vapi.sw_interface_add_del_address( sw_if_index=cls.pg4.sw_if_index, prefix="10.0.0.1/24" ) cls.pg4.admin_up() cls.pg4.resolve_arp() cls.pg4._remote_hosts[1]._ip4 = cls.pg4._remote_hosts[0]._ip4 cls.pg4.resolve_arp() # test specific interface (pg5) cls.pg5._local_ip4 = "10.1.1.1" cls.pg5._remote_hosts[0]._ip4 = "10.1.1.2" cls.pg5.set_table_ip4(1) cls.pg5.config_ip4() cls.pg5.admin_up() cls.pg5.resolve_arp() # test specific interface (pg6) cls.pg6._local_ip4 = "10.1.2.1" cls.pg6._remote_hosts[0]._ip4 = "10.1.2.2" cls.pg6.set_table_ip4(1) cls.pg6.config_ip4() cls.pg6.admin_up() cls.pg6.resolve_arp() rl = list() rl.append( VppIpRoute( cls, "0.0.0.0", 0, [VppRoutePath("0.0.0.0", 0xFFFFFFFF, nh_table_id=0)], register=False, table_id=1, ) ) rl.append( VppIpRoute( cls, "0.0.0.0", 0, [VppRoutePath(cls.pg1.local_ip4, cls.pg1.sw_if_index)], register=False, ) ) rl.append( VppIpRoute( cls, cls.pg5.remote_ip4, 32, [VppRoutePath("0.0.0.0", cls.pg5.sw_if_index)], register=False, table_id=1, ) ) rl.append( VppIpRoute( cls, cls.pg6.remote_ip4, 32, [VppRoutePath("0.0.0.0", cls.pg6.sw_if_index)], register=False, table_id=1, ) ) rl.append( VppIpRoute( cls, cls.pg6.remote_ip4, 16, [VppRoutePath("0.0.0.0", 0xFFFFFFFF, nh_table_id=1)], register=False, table_id=0, ) ) for r in rl: r.add_vpp_config() cls.no_diff = StatsDiff( { pg.sw_if_index: { "/nat44-ed/in2out/fastpath/tcp": 0, "/nat44-ed/in2out/fastpath/udp": 0, "/nat44-ed/in2out/fastpath/icmp": 0, "/nat44-ed/in2out/fastpath/drops": 0, "/nat44-ed/in2out/slowpath/tcp": 0, "/nat44-ed/in2out/slowpath/udp": 0, "/nat44-ed/in2out/slowpath/icmp": 0, "/nat44-ed/in2out/slowpath/drops": 0, "/nat44-ed/in2out/fastpath/tcp": 0, "/nat44-ed/in2out/fastpath/udp": 0, "/nat44-ed/in2out/fastpath/icmp": 0, "/nat44-ed/in2out/fastpath/drops": 0, "/nat44-ed/in2out/slowpath/tcp": 0, "/nat44-ed/in2out/slowpath/udp": 0, "/nat44-ed/in2out/slowpath/icmp": 0, "/nat44-ed/in2out/slowpath/drops": 0, } for pg in cls.pg_interfaces } ) def get_err_counter(self, path): return self.statistics.get_err_counter(path) def reass_hairpinning( self, server_addr, server_in_port, server_out_port, host_in_port, proto=IP_PROTOS.tcp, ignore_port=False, ): layer = self.proto2layer(proto) if proto == IP_PROTOS.tcp: data = b"A" * 4 + b"B" * 16 + b"C" * 3 else: data = b"A" * 16 + b"B" * 16 + b"C" * 3 # send packet from host to server pkts = self.create_stream_frag( self.pg0, self.nat_addr, host_in_port, server_out_port, data, proto ) self.pg0.add_stream(pkts) self.pg_enable_capture(self.pg_interfaces) self.pg_start() frags = self.pg0.get_capture(len(pkts)) p = self.reass_frags_and_verify(frags, self.nat_addr, server_addr) if proto != IP_PROTOS.icmp: if not ignore_port: self.assertNotEqual(p[layer].sport, host_in_port) self.assertEqual(p[layer].dport, server_in_port) else: if not ignore_port: self.assertNotEqual(p[layer].id, host_in_port) self.assertEqual(data, p[Raw].load) def frag_out_of_order( self, proto=IP_PROTOS.tcp, dont_translate=False, ignore_port=False ): layer = self.proto2layer(proto) if proto == IP_PROTOS.tcp: data = b"A" * 4 + b"B" * 16 + b"C" * 3 else: data = b"A" * 16 + b"B" * 16 + b"C" * 3 self.port_in = self.random_port() for i in range(2): # in2out pkts = self.create_stream_frag( self.pg0, self.pg1.remote_ip4, self.port_in, 20, data, proto ) pkts.reverse() self.pg0.add_stream(pkts) self.pg_enable_capture(self.pg_interfaces) self.pg_start() frags = self.pg1.get_capture(len(pkts)) if not dont_translate: p = self.reass_frags_and_verify( frags, self.nat_addr, self.pg1.remote_ip4 ) else: p = self.reass_frags_and_verify( frags, self.pg0.remote_ip4, self.pg1.remote_ip4 ) if proto != IP_PROTOS.icmp: if not dont_translate: self.assertEqual(p[layer].dport, 20) if not ignore_port: self.assertNotEqual(p[layer].sport, self.port_in) else: self.assertEqual(p[layer].sport, self.port_in) else: if not ignore_port: if not dont_translate: self.assertNotEqual(p[layer].id, self.port_in) else: self.assertEqual(p[layer].id, self.port_in) self.assertEqual(data, p[Raw].load) # out2in if not dont_translate: dst_addr = self.nat_addr else: dst_addr = self.pg0.remote_ip4 if proto != IP_PROTOS.icmp: sport = 20 dport = p[layer].sport else: sport = p[layer].id dport = 0 pkts = self.create_stream_frag( self.pg1, dst_addr, sport, dport, data, proto, echo_reply=True ) pkts.reverse() self.pg1.add_stream(pkts) self.pg_enable_capture(self.pg_interfaces) self.logger.info(self.vapi.cli("show trace")) self.pg_start() frags = self.pg0.get_capture(len(pkts)) p = self.reass_frags_and_verify( frags, self.pg1.remote_ip4, self.pg0.remote_ip4 ) if proto != IP_PROTOS.icmp: self.assertEqual(p[layer].sport, 20) self.assertEqual(p[layer].dport, self.port_in) else: self.assertEqual(p[layer].id, self.port_in) self.assertEqual(data, p[Raw].load) def reass_frags_and_verify(self, frags, src, dst): buffer = BytesIO() for p in frags: self.assertEqual(p[IP].src, src) self.assertEqual(p[IP].dst, dst) self.assert_ip_checksum_valid(p) buffer.seek(p[IP].frag * 8) buffer.write(bytes(p[IP].payload)) ip = IP(src=frags[0][IP].src, dst=frags[0][IP].dst, proto=frags[0][IP].proto) if ip.proto == IP_PROTOS.tcp: p = ip / TCP(buffer.getvalue()) self.logger.debug(ppp("Reassembled:", p)) self.assert_tcp_checksum_valid(p) elif ip.proto == IP_PROTOS.udp: p = ip / UDP(buffer.getvalue()[:8]) / Raw(buffer.getvalue()[8:]) elif ip.proto == IP_PROTOS.icmp: p = ip / ICMP(buffer.getvalue()) return p def frag_in_order( self, proto=IP_PROTOS.tcp, dont_translate=False, ignore_port=False ): layer = self.proto2layer(proto) if proto == IP_PROTOS.tcp: data = b"A" * 4 + b"B" * 16 + b"C" * 3 else: data = b"A" * 16 + b"B" * 16 + b"C" * 3 self.port_in = self.random_port() # in2out pkts = self.create_stream_frag( self.pg0, self.pg1.remote_ip4, self.port_in, 20, data, proto ) self.pg0.add_stream(pkts) self.pg_enable_capture(self.pg_interfaces) self.pg_start() frags = self.pg1.get_capture(len(pkts)) if not dont_translate: p = self.reass_frags_and_verify(frags, self.nat_addr, self.pg1.remote_ip4) else: p = self.reass_frags_and_verify( frags, self.pg0.remote_ip4, self.pg1.remote_ip4 ) if proto != IP_PROTOS.icmp:
"""
  BIER Tables and Routes
"""

import socket
from vpp_object import VppObject
from vpp_ip_route import MPLS_LABEL_INVALID, VppRoutePath, VppMplsLabel


class BIER_HDR_PAYLOAD:
    BIER_HDR_PROTO_MPLS_DOWN_STREAM = 1
    BIER_HDR_PROTO_MPLS_UP_STREAM = 2
    BIER_HDR_PROTO_ETHERNET = 3
    BIER_HDR_PROTO_IPV4 = 4
    BIER_HDR_PROTO_IPV6 = 5
    BIER_HDR_PROTO_VXLAN = 6
    BIER_HDR_PROTO_CTRL = 7
    BIER_HDR_PROTO_OAM = 8


class VppBierTableID():
    def __init__(self, sub_domain_id, set_id, hdr_len_id):
        self.set_id = set_id
        self.sub_domain_id = sub_domain_id
        self.hdr_len_id = hdr_len_id


def find_bier_table(test, bti):
    tables = test.vapi.bier_table_dump()
    for t in tables:
        if bti.set_id == t.bt_tbl_id.bt_set \
           and bti.sub_domain_id == t.bt_tbl_id.bt_sub_domain \
           and bti.hdr_len_id == t.bt_tbl_id.bt_hdr_len_id:
            return True
    return False


def find_bier_route(test, bti, bp):
    routes = test.vapi.bier_route_dump(bti)
    for r in routes:
        if bti.set_id == r.br_route.br_tbl_id.bt_set \
           and bti.sub_domain_id == r.br_route.br_tbl_id.bt_sub_domain \
           and bti.hdr_len_id == r.br_route.br_tbl_id.bt_hdr_len_id \
           and bp == r.br_route.br_bp:
            return True
    return False


def find_bier_disp_table(test, bdti):
    tables = test.vapi.bier_disp_table_dump()
    for t in tables:
        if bdti == t.bdt_tbl_id:
            return True
    return False


def find_bier_disp_entry(test, bdti, bp):
    entries = test.vapi.bier_disp_entry_dump(bdti)
    for e in entries:
        if bp == e.bde_bp \
           and bdti == e.bde_tbl_id:
            return True
    return False


def find_bier_imp(test, bti, bp):
    imps = test.vapi.bier_imp_dump()
    for i in imps:
        if bti.set_id == i.bi_tbl_id.bt_set \
           and bti.sub_domain_id == i.bi_tbl_id.bt_sub_domain \
           and bti.hdr_len_id == i.bi_tbl_id.bt_hdr_len_id \
           and bp == i.bi_src:
            return True
    return False


class VppBierTable(VppObject):
    """
    BIER Table
    """

    def __init__(self, test, id, mpls_label):
        self._test = test
        self.id = id
        self.mpls_label = mpls_label

    def add_vpp_config(self):
        self._test.vapi.bier_table_add_del(
            self.id,
            self.mpls_label,
            is_add=1)
        self._test.registry.register(self, self._test.logger)

    def remove_vpp_config(self):
        self._test.vapi.bier_table_add_del(
            self.id,
            self.mpls_label,
            is_add=0)

    def object_id(self):
        return "bier-table;[%d:%d:%d]" % (self.id.set_id,
                                          self.id.sub_domain_id,
                                          self.id.hdr_len_id)

    def query_vpp_config(self):
        return find_bier_table(self._test, self.id)


class VppBierRoute(VppObject):
    """
    BIER route
    """

    def __init__(self, test, tbl_id, bp, paths):
        self._test = test
        self.tbl_id = tbl_id
        self.bp = bp
        self.paths = paths
        self.encoded_paths = []
        for path in self.paths:
            self.encoded_paths.append(path.encode())

    def add_vpp_config(self):
        self._test.vapi.bier_route_add_del(
            self.tbl_id,
            self.bp,
            self.encoded_paths,
            is_add=1)
        self._test.registry.register(self, self._test.logger)

    def remove_vpp_config(self):
        self._test.vapi.bier_route_add_del(
            self.tbl_id,
            self.bp,
            self.encoded_paths,
            is_add=0)

    def update_paths(self, paths):
        self.paths = paths
        self.encoded_paths = []
        for path in self.paths:
            self.encoded_paths.append(path.encode())
        self._test.vapi.bier_route_add_del(
            self.tbl_id,
            self.bp,
            self.encoded_paths,
            is_replace=1)

    def add_path(self, path):
        self.encoded_paths.append(path.encode())
        self._test.vapi.bier_route_add_del(
            self.tbl_id,
            self.bp,
            [path.encode()],
            is_add=1,
            is_replace=0)
        self.paths.append(path)
        self._test.registry.register(self, self._test.logger)

    def remove_path(self, path):
        self.encoded_paths.remove(path.encode())
        self._test.vapi.bier_route_add_del(
            self.tbl_id,
            self.bp,
            [path.encode()],
            is_add=0,
            is_replace=0)
        self.paths.remove(path)

    def remove_all_paths(self):
        self._test.vapi.bier_route_add_del(
            self.tbl_id,
            self.bp,
            [],
            is_add=0,
            is_replace=1)
        self.paths = []

    def object_id(self):
        return "bier-route;[%d:%d:%d:%d]" % (self.tbl_id.set_id,
                                             self.tbl_id.sub_domain_id,
                                             self.tbl_id.hdr_len_id,
                                             self.bp)

    def query_vpp_config(self):
        return find_bier_route(self._test, self.tbl_id, self.bp)


class VppBierImp(VppObject):
    """
    BIER route
    """

    def __init__(self, test, tbl_id, src, ibytes):
        self._test = test
        self.tbl_id = tbl_id
        self.ibytes = ibytes
        self.src = src

    def add_vpp_config(self):
        res = self._test.vapi.bier_imp_add(
            self.tbl_id,
            self.src,
            self.ibytes)
        self.bi_index = res.bi_index
        self._test.registry.register(self, self._test.logger)

    def remove_vpp_config(self):
        self._test.vapi.bier_imp_del(
            self.bi_index)

    def object_id(self):
        return "bier-imp;[%d:%d:%d:%d]" % (self.tbl_id.set_id,
                                           self.tbl_id.sub_domain_id,
                                           self.tbl_id.hdr_len_id,
                                           self.src)

    def query_vpp_config(self):
        return find_bier_imp(self._test, self.tbl_id, self.src)


class VppBierDispTable(VppObject):
    """
    BIER Disposition Table
    """

    def __init__(self, test, id):
        self._test = test
        self.id = id

    def add_vpp_config(self):
        self._test.vapi.bier_disp_table_add_del(
            self.id,
            is_add=1)
        self._test.registry.register(self, self._test.logger)

    def remove_vpp_config(self):
        self._test.vapi.bier_disp_table_add_del(
            self.id,
            is_add=0)

    def object_id(self):
        return "bier-disp-table;[%d]" % (self.id)

    def query_vpp_config(self):
        return find_bier_disp_table(self._test, self.id)


class VppBierDispEntry(VppObject):
    """
    BIER Disposition Entry
    """

    def __init__(self, test, tbl_id, bp, payload_proto, nh_proto,
                 nh, nh_tbl, rpf_id=~0):
        self._test = test
        self.tbl_id = tbl_id
        self.nh_tbl = nh_tbl
        self.nh_proto = nh_proto
        self.bp = bp
        self.payload_proto = payload_proto
        self.rpf_id = rpf_id
        self.nh = socket.inet_pton(socket.AF_INET, nh)

    def add_vpp_config(self):
        self._test.vapi.bier_disp_entry_add_del(
            self.tbl_id,
            self.bp,
            self.payload_proto,
            self.nh_proto,
            self.nh,
            self.nh_tbl,
            self.rpf_id,
            is_add=1)
        self._test.registry.register(self, self._test.logger)

    def remove_vpp_config(self):
        self._test.vapi.bier_disp_entry_add_del(
            self.tbl_id,
            self.bp,
            self.payload_proto,
            self.nh_proto,
            self.nh,
            self.nh_tbl,
            self.rpf_id,
            is_add=0)

    def object_id(self):
        return "bier-disp-entry;[%d:%d]" % (self.tbl_id,
                                            self.bp)

    def query_vpp_config(self):
        return find_bier_disp_entry(self._test, self.tbl_id, self.bp)
f.vapi.nat44_user_session_dump(backend, 0) self.assertEqual(len(sessions), 1) self.assertTrue(sessions[0].flags & self.config_flags.NAT_IS_EXT_HOST_VALID) self.vapi.nat44_del_session( address=sessions[0].inside_ip_address, port=sessions[0].inside_port, protocol=sessions[0].protocol, flags=( self.config_flags.NAT_IS_INSIDE | self.config_flags.NAT_IS_EXT_HOST_VALID ), ext_host_address=sessions[0].ext_host_address, ext_host_port=sessions[0].ext_host_port, ) pkts = [] for port in range(1030, 1100): p = ( Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) / IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / TCP(sport=port, dport=external_port) ) pkts.append(p) self.pg1.add_stream(pkts) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg0.get_capture(len(pkts)) for p in capture: self.assertEqual(p[IP].dst, backend) def test_multiple_vrf_1(self): """Multiple VRF - both client & service in VRF1""" external_addr = "1.2.3.4" external_port = 80 local_port = 8080 port = 0 flags = self.config_flags.NAT_IS_INSIDE self.vapi.nat44_interface_add_del_feature( sw_if_index=self.pg5.sw_if_index, is_add=1 ) self.vapi.nat44_interface_add_del_feature( sw_if_index=self.pg5.sw_if_index, is_add=1, flags=flags ) self.vapi.nat44_interface_add_del_feature( sw_if_index=self.pg6.sw_if_index, is_add=1 ) flags = self.config_flags.NAT_IS_OUT2IN_ONLY self.nat_add_static_mapping( self.pg5.remote_ip4, external_addr, local_port, external_port, vrf_id=1, proto=IP_PROTOS.tcp, flags=flags, ) p = ( Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) / IP(src=self.pg6.remote_ip4, dst=external_addr) / TCP(sport=12345, dport=external_port) ) self.pg6.add_stream(p) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg5.get_capture(1) p = capture[0] try: ip = p[IP] tcp = p[TCP] self.assertEqual(ip.dst, self.pg5.remote_ip4) self.assertEqual(tcp.dport, local_port) self.assert_packet_checksums_valid(p) except: self.logger.error(ppp("Unexpected or invalid packet:", p)) raise p = ( Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) / IP(src=self.pg5.remote_ip4, dst=self.pg6.remote_ip4) / TCP(sport=local_port, dport=12345) ) self.pg5.add_stream(p) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg6.get_capture(1) p = capture[0] try: ip = p[IP] tcp = p[TCP] self.assertEqual(ip.src, external_addr) self.assertEqual(tcp.sport, external_port) self.assert_packet_checksums_valid(p) except: self.logger.error(ppp("Unexpected or invalid packet:", p)) raise def test_multiple_vrf_2(self): """Multiple VRF - dynamic NAT from VRF1 to VRF0 (output-feature)""" external_addr = "1.2.3.4" external_port = 80 local_port = 8080 port = 0 self.nat_add_address(self.nat_addr) flags = self.config_flags.NAT_IS_INSIDE self.vapi.nat44_ed_add_del_output_interface( sw_if_index=self.pg1.sw_if_index, is_add=1 ) self.vapi.nat44_interface_add_del_feature( sw_if_index=self.pg5.sw_if_index, is_add=1 ) self.vapi.nat44_interface_add_del_feature( sw_if_index=self.pg5.sw_if_index, is_add=1, flags=flags ) flags = self.config_flags.NAT_IS_OUT2IN_ONLY self.nat_add_static_mapping( self.pg5.remote_ip4, external_addr, local_port, external_port, vrf_id=1, proto=IP_PROTOS.tcp, flags=flags, ) p = ( Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) / IP(src=self.pg5.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=2345, dport=22) ) self.pg5.add_stream(p) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg1.get_capture(1) p = capture[0] try: ip = p[IP] tcp = p[TCP] self.assertEqual(ip.src, self.nat_addr) self.assert_packet_checksums_valid(p) port = tcp.sport except: self.logger.error(ppp("Unexpected or invalid packet:", p)) raise p = ( Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / TCP(sport=22, dport=port) ) self.pg1.add_stream(p) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg5.get_capture(1) p = capture[0] try: ip = p[IP] tcp = p[TCP] self.assertEqual(ip.dst, self.pg5.remote_ip4) self.assertEqual(tcp.dport, 2345) self.assert_packet_checksums_valid(p) except: self.logger.error(ppp("Unexpected or invalid packet:", p)) raise def test_multiple_vrf_3(self): """Multiple VRF - client in VRF1, service in VRF0""" external_addr = "1.2.3.4" external_port = 80 local_port = 8080 port = 0 flags = self.config_flags.NAT_IS_INSIDE self.vapi.nat44_interface_add_del_feature( sw_if_index=self.pg0.sw_if_index, is_add=1 ) self.vapi.nat44_interface_add_del_feature( sw_if_index=self.pg0.sw_if_index, is_add=1, flags=flags ) self.vapi.nat44_interface_add_del_feature( sw_if_index=self.pg6.sw_if_index, is_add=1 ) flags = self.config_flags.NAT_IS_OUT2IN_ONLY self.nat_add_static_mapping( self.pg0.remote_ip4, external_sw_if_index=self.pg0.sw_if_index, local_port=local_port, vrf_id=0, external_port=external_port, proto=IP_PROTOS.tcp, flags=flags, ) # from client VRF1 to service VRF0 p = ( Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) / IP(src=self.pg6.remote_ip4, dst=self.pg0.local_ip4) / TCP(sport=12346, dport=external_port) ) self.pg6.add_stream(p) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg0.get_capture(1) p = capture[0] try: ip = p[IP] tcp = p[TCP] self.assertEqual(ip.dst, self.pg0.remote_ip4) self.assertEqual(tcp.dport, local_port) self.assert_packet_checksums_valid(p) except: self.logger.error(ppp("Unexpected or invalid packet:", p)) raise # from service VRF0 back to client VRF1 p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg6.remote_ip4) / TCP(sport=local_port, dport=12346) ) self.pg0.add_stream(p) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg6.get_capture(1) p = capture[0] try: ip = p[IP] tcp = p[TCP] self.assertEqual(ip.src, self.pg0.local_ip4) self.assertEqual(tcp.sport, external_port) self.assert_packet_checksums_valid(p) except: self.logger.error(ppp("Unexpected or invalid packet:", p)) raise def test_multiple_vrf_4(self): """Multiple VRF - client in VRF0, service in VRF1""" external_addr = "1.2.3.4" external_port = 80 local_port = 8080 port = 0 flags = self.config_flags.NAT_IS_INSIDE self.vapi.nat44_interface_add_del_feature( sw_if_index=self.pg0.sw_if_index, is_add=1 ) self.vapi.nat44_interface_add_del_feature( sw_if_index=self.pg0.sw_if_index, is_add=1, flags=flags ) self.vapi.nat44_interface_add_del_feature( sw_if_index=self.pg5.sw_if_index, is_add=1 ) self.vapi.nat44_interface_add_del_feature( sw_if_index=self.pg5.sw_if_index, is_add=1, flags=flags ) flags = self.config_flags.NAT_IS_OUT2IN_ONLY self.nat_add_static_mapping( self.pg5.remote_ip4, external_addr, local_port, external_port, vrf_id=1, proto=IP_PROTOS.tcp, flags=flags, ) # from client VRF0 to service VRF1 p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=external_addr) / TCP(sport=12347, dport=external_port) ) self.pg0.add_stream(p) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg5.get_capture(1) p = capture[0] try: ip = p[IP] tcp = p[TCP] self.assertEqual(ip.dst, self.pg5.remote_ip4) self.assertEqual(tcp.dport, local_port) self.assert_packet_checksums_valid(p) except: self.logger.error(ppp("Unexpected or invalid packet:", p)) raise # from service VRF1 back to client VRF0 p = ( Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) / IP(src=self.pg5.remote_ip4, dst=self.pg0.remote_ip4) / TCP(sport=local_port, dport=12347) ) self.pg5.add_stream(p) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg0.get_capture(1) p = capture[0] try: ip = p[IP] tcp = p[TCP] self.assertEqual(ip.src, external_addr) self.assertEqual(tcp.sport, external_port) self.assert_packet_checksums_valid(p) except: self.logger.error(ppp("Unexpected or invalid packet:", p)) raise def test_multiple_vrf_5(self): """Multiple VRF - forwarding - no translation""" external_addr = "1.2.3.4" external_port = 80 local_port = 8080 port = 0 self.vapi.nat44_forwarding_enable_disable(enable=1) flags = self.config_flags.NAT_IS_INSIDE self.vapi.nat44_interface_add_del_feature( sw_if_index=self.pg0.sw_if_index, is_add=1 ) self.vapi.nat44_interface_add_del_feature( sw_if_index=self.pg0.sw_if_index, is_add=1, flags=flags ) self.vapi.nat44_interface_add_del_feature( sw_if_index=self.pg5.sw_if_index, is_add=1 ) self.vapi.nat44_interface_add_del_feature( sw_if_index=self.pg5.sw_if_index, is_add=1, flags=flags ) self.vapi.nat44_interface_add_del_feature( sw_if_index=self.pg6.sw_if_index, is_add=1 ) flags = self.config_flags.NAT_IS_OUT2IN_ONLY self.nat_add_static_mapping( self.pg5.remote_ip4, external_addr, local_port, external_port, vrf_id=1, proto=IP_PROTOS.tcp, flags=flags, ) self.nat_add_static_mapping( self.pg0.remote_ip4, external_sw_if_index=self.pg0.sw_if_index, local_port=local_port, vrf_id=0, external_port=external_port, proto=IP_PROTOS.tcp, flags=flags, ) # from client to server (both VRF1, no translation) p = ( Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) / IP(src=self.pg6.remote_ip4, dst=self.pg5.remote_ip4) / TCP(sport=12348, dport=local_port) ) self.pg6.add_stream(p) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg5.get_capture(1) p = capture[0] try: ip = p[IP] tcp = p[TCP] self.assertEqual(ip.dst, self.pg5.remote_ip4) self.assertEqual(tcp.dport, local_port) self.assert_packet_checksums_valid(p) except: self.logger.error(ppp("Unexpected or invalid packet:", p)) raise # from server back to client (both VRF1, no translation) p = ( Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) / IP(src=self.pg5.remote_ip4, dst=self.pg6.remote_ip4) / TCP(sport=local_port, dport=12348) ) self.pg5.add_stream(p) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg6.get_capture(1) p = capture[0] try: ip = p[IP] tcp = p[TCP] self.assertEqual(ip.src, self.pg5.remote_ip4) self.assertEqual(tcp.sport, local_port) self.assert_packet_checksums_valid(p) except: self.logger.error(ppp("Unexpected or invalid packet:", p)) raise # from client VRF1 to server VRF0 (no translation) p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg6.remote_ip4) / TCP(sport=local_port, dport=12349) ) self.pg0.add_stream(p) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg6.get_capture(1) p = capture[0] try: ip = p[IP] tcp = p[TCP] self.assertEqual(ip.src, self.pg0.remote_ip4) self.assertEqual(tcp.sport, local_port) self.assert_packet_checksums_valid(p) except: self.logger.error(ppp("Unexpected or invalid packet:", p)) raise # from server VRF0 back to client VRF1 (no translation) p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg6.remote_ip4) / TCP(sport=local_port, dport=12349) ) self.pg0.add_stream(p) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg6.get_capture(1) p = capture[0] try: ip = p[IP] tcp = p[TCP] self.assertEqual(ip.src, self.pg0.remote_ip4) self.assertEqual(tcp.sport, local_port) self.assert_packet_checksums_valid(p) except: self.logger.error(ppp("Unexpected or invalid packet:", p)) raise # from client VRF0 to server VRF1 (no translation) p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg5.remote_ip4) / TCP(sport=12344, dport=local_port) ) self.pg0.add_stream(p) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg5.get_capture(1) p = capture[0] try: ip = p[IP] tcp = p[TCP] self.assertEqual(ip.dst, self.pg5.remote_ip4) self.assertEqual(tcp.dport, local_port) self.assert_packet_checksums_valid(p) except: self.logger.error(ppp("Unexpected or invalid packet:", p)) raise # from server VRF1 back to client VRF0 (no translation) p = ( Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) / IP(src=self.pg5.remote_ip4, dst=self.pg0.remote_ip4) / TCP(sport=local_port, dport=12344) ) self.pg5.add_stream(p) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg0.get_capture(1) p = capture[0] try: ip = p[IP] tcp = p[TCP] self.assertEqual(ip.src, self.pg5.remote_ip4) self.assertEqual(tcp.sport, local_port) self.assert_packet_checksums_valid(p) except: self.logger.error(ppp("Unexpected or invalid packet:", p)) raise def test_outside_address_distribution(self): """NAT44ED outside address distribution based on source address""" addresses = 65 x = 100 nat_addresses = [] nat_distribution = {} for i in range(1, addresses): a = "10.0.0.%d" % i nat_addresses.append(a) nat_distribution[a] = set() self.nat_add_inside_interface(self.pg0) self.nat_add_outside_interface(self.pg1) self.vapi.nat44_add_del_address_range( first_ip_address=nat_addresses[0], last_ip_address=nat_addresses[-1], vrf_id=0xFFFFFFFF, is_add=1, flags=0, ) self.pg0.generate_remote_hosts(x) pkts = [] for i in range(x): info = self.create_packet_info(self.pg0, self.pg1) payload = self.info_to_payload(info) p = ( Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / IP(src=self.pg0.remote_hosts[i].ip4, dst=self.pg1.remote_ip4) / UDP(sport=7000 + i, dport=8000 + i) / Raw(payload) ) info.data = p pkts.append(p) self.pg0.add_stream(pkts) self.pg_enable_capture(self.pg_interfaces) self.pg_start() recvd = self.pg1.get_capture(len(pkts)) for p_recvd in recvd: payload_info = self.payload_to_info(p_recvd[Raw]) packet_index = payload_info.index info = self._packet_infos[packet_index] self.assertTrue(info is not None) self.assertEqual(packet_index, info.index) p_sent = info.data self.assertIn(p_recvd[IP].src, nat_distribution) nat_distribution[p_recvd[IP].src].add(p_sent[IP].src) var = variance(map(len, nat_distribution.values()), x / addresses) self.assertLess(var, 0.33, msg="Bad outside address distribution") def test_dynamic_edge_ports(self): """NAT44ED dynamic translation test: edge ports""" worker_count = self.vpp_worker_count or 1 port_offset = 1024 port_per_thread = (65536 - port_offset) // worker_count port_count = port_per_thread * worker_count # worker thread edge ports thread_edge_ports = {0, port_offset - 1, 65535} for i in range(0, worker_count): port_thread_offset = (port_per_thread * i) + port_offset for port_range_offset in [0, port_per_thread - 1]: port = port_thread_offset + port_range_offset thread_edge_ports.add(port) thread_drop_ports = set( filter( lambda x: x not in range(port_offset, port_offset + port_count), thread_edge_ports, ) ) in_if = self.pg7 out_if = self.pg8 self.nat_add_address(self.nat_addr) try: self.configure_ip4_interface(in_if, hosts=worker_count) self.configure_ip4_interface(out_if) self.nat_add_inside_interface(in_if) self.nat_add_outside_interface(out_if) # in2out tc1 = self.statistics["/nat44-ed/in2out/slowpath/tcp"] uc1 = self.statistics["/nat44-ed/in2out/slowpath/udp"] ic1 = self.statistics["/nat44-ed/in2out/slowpath/icmp"] dc1 = self.statistics["/nat44-ed/in2out/slowpath/drops"] pkt_count = worker_count * len(thread_edge_ports) i2o_pkts = [[] for x in range(0, worker_count)] for i in range(0, worker_count): remote_host = in_if.remote_hosts[i] for port in thread_edge_ports: p = ( Ether(dst=in_if.local_mac, src=in_if.remote_mac) / IP(src=remote_host.ip4, dst=out_if.remote_ip4) / TCP(sport=port, dport=port) ) i2o_pkts[i].append(p) p = ( Ether(dst=in_if.local_mac, src=in_if.remote_mac) / IP(src=remote_host.ip4, dst=out_if.remote_ip4) / UDP(sport=port, dport=port) ) i2o_pkts[i].append(p) p = ( Ether(dst=in_if.local_mac, src=in_if.remote_mac) / IP(src=remote_host.ip4, dst=out_if.remote_ip4) / ICMP(id=port, seq=port, type="echo-request") ) i2o_pkts[i].append(p) for i in range(0, worker_count): if len(i2o_pkts[i]) > 0: in_if.add_stream(i2o_pkts[i], worker=i) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = out_if.get_capture(pkt_count * 3) for packet in capture: self.assert_packet_checksums_valid(packet) if packet.haslayer(TCP): self.assert_in_range( packet[TCP].sport, port_offset, port_offset + port_count, "src TCP port", ) elif packet.haslayer(UDP): self.assert_in_range( packet[UDP].sport, port_offset, port_offset + port_count, "src UDP port", ) elif packet.haslayer(ICMP): self.assert_in_range( packet[ICMP].id, port_offset, port_offset + port_count, "ICMP id", ) else: self.fail( ppp("Unexpected or invalid packet (outside network):", packet) ) if_idx = in_if.sw_if_index tc2 = self.statistics["/nat44-ed/in2out/slowpath/tcp"] uc2 = self.statistics["/nat44-ed/in2out/slowpath/udp"] ic2 = self.statistics["/nat44-ed/in2out/slowpath/icmp"] dc2 = self.statistics["/nat44-ed/in2out/slowpath/drops"] self.assertEqual(tc2[:, if_idx].sum() - tc1[:, if_idx].sum(), pkt_count) self.assertEqual(uc2[:, if_idx].sum() - uc1[:, if_idx].sum(), pkt_count) self.assertEqual(ic2[:, if_idx].sum() - ic1[:, if_idx].sum(), pkt_count) self.assertEqual(dc2[:, if_idx].sum() - dc1[:, if_idx].sum(), 0) # out2in tc1 = self.statistics["/nat44-ed/out2in/fastpath/tcp"] uc1 = self.statistics["/nat44-ed/out2in/fastpath/udp"] ic1 = self.statistics["/nat44-ed/out2in/fastpath/icmp"] dc1 = self.statistics["/nat44-ed/out2in/fastpath/drops"] dc3 = self.statistics["/nat44-ed/out2in/slowpath/drops"] # replies to unchanged thread ports should pass on each worker, # excluding packets outside dynamic port range drop_count = worker_count * len(thread_drop_ports) pass_count = worker_count * len(thread_edge_ports) - drop_count o2i_pkts = [[] for x in range(0, worker_count)] for i in range(0, worker_count): for port in thread_edge_ports: p = ( Ether(dst=out_if.local_mac, src=out_if.remote_mac) / IP(src=out_if.remote_ip4, dst=self.nat_addr) / TCP(sport=port, dport=port) ) o2i_pkts[i].append(p) p = ( Ether(dst=out_if.local_mac, src=out_if.remote_mac) / IP(src=out_if.remote_ip4, dst=self.nat_addr) / UDP(sport=port, dport=port) ) o2i_pkts[i].append(p) p = ( Ether(dst=out_if.local_mac, src=out_if.remote_mac) / IP(src=out_if.remote_ip4, dst=self.nat_addr) / ICMP(id=port, seq=port, type="echo-reply") ) o2i_pkts[i].append(p) for i in range(0, worker_count): if len(o2i_pkts[i]) > 0: out_if.add_stream(o2i_pkts[i], worker=i) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = in_if.get_capture(pass_count * 3) for packet in capture: self.assert_packet_checksums_valid(packet) if packet.haslayer(TCP): self.assertIn(packet[TCP].dport, thread_edge_ports, "dst TCP port") self.assertEqual(packet[TCP].dport, packet[TCP].sport, "TCP ports") elif packet.haslayer(UDP): self.assertIn(packet[UDP].dport, thread_edge_ports, "dst UDP port") self.assertEqual(packet[UDP].dport, packet[UDP].sport, "UDP ports") elif packet.haslayer(ICMP): self.assertIn(packet[ICMP].id, thread_edge_ports, "ICMP id") self.assertEqual(packet[ICMP].id, packet[ICMP].seq, "ICMP id & seq") else: self.fail( ppp("Unexpected or invalid packet (inside network):", packet) ) if_idx = out_if.sw_if_index tc2 = self.statistics["/nat44-ed/out2in/fastpath/tcp"] uc2 = self.statistics["/nat44-ed/out2in/fastpath/udp"] ic2 = self.statistics["/nat44-ed/out2in/fastpath/icmp"] dc2 = self.statistics["/nat44-ed/out2in/fastpath/drops"] dc4 = self.statistics["/nat44-ed/out2in/slowpath/drops"] self.assertEqual(tc2[:, if_idx].sum() - tc1[:, if_idx].sum(), pass_count) self.assertEqual(uc2[:, if_idx].sum() - uc1[:, if_idx].sum(), pass_count) self.assertEqual(ic2[:, if_idx].sum() - ic1[:, if_idx].sum(), pass_count) self.assertEqual(dc2[:, if_idx].sum() - dc1[:, if_idx].sum(), 0) self.assertEqual( dc4[:, if_idx].sum() - dc3[:, if_idx].sum(), drop_count * 3 ) finally: in_if.unconfig() out_if.unconfig() def test_delete_interface(self): """NAT44ED delete nat interface""" self.nat_add_address(self.nat_addr) interfaces = self.create_loopback_interfaces(4) self.nat_add_outside_interface(interfaces[0]) self.nat_add_inside_interface(interfaces[1]) self.nat_add_outside_interface(interfaces[2]) self.nat_add_inside_interface(interfaces[2]) self.vapi.nat44_ed_add_del_output_interface( sw_if_index=interfaces[3].sw_if_index, is_add=1 ) nat_sw_if_indices = [ i.sw_if_index for i in self.vapi.nat44_interface_dump() + list(self.vapi.vpp.details_iter(self.vapi.nat44_ed_output_interface_get)) ] self.assertEqual(len(nat_sw_if_indices), len(interfaces)) loopbacks = [] for i in interfaces: # delete nat-enabled interface self.assertIn(i.sw_if_index, nat_sw_if_indices) i.remove_vpp_config() # create interface with the same index lo = VppLoInterface(self) loopbacks.append(lo) self.assertEqual(lo.sw_if_index, i.sw_if_index) # check interface is not nat-enabled nat_sw_if_indices = [ i.sw_if_index for i in self.vapi.nat44_interface_dump() + list( self.vapi.vpp.details_iter(self.vapi.nat44_ed_output_interface_get) ) ] self.assertNotIn(lo.sw_if_index, nat_sw_if_indices) for i in loopbacks: i.remove_vpp_config() @tag_fixme_ubuntu2204 class TestNAT44EDMW(TestNAT44ED): """NAT44ED MW Test Case""" vpp_worker_count = 4 max_sessions = 5000 def test_dynamic(self): """NAT44ED dynamic translation test""" pkt_count = 1500 tcp_port_offset = 20 udp_port_offset = 20 icmp_id_offset = 20 self.nat_add_address(self.nat_addr) self.nat_add_inside_interface(self.pg0) self.nat_add_outside_interface(self.pg1) # in2out tc1 = self.statistics["/nat44-ed/in2out/slowpath/tcp"] uc1 = self.statistics["/nat44-ed/in2out/slowpath/udp"] ic1 = self.statistics["/nat44-ed/in2out/slowpath/icmp"] dc1 = self.statistics["/nat44-ed/in2out/slowpath/drops"] i2o_pkts = [[] for x in range(0, self.vpp_worker_count)] for i in range(pkt_count): p = ( Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=tcp_port_offset + i, dport=20) ) i2o_pkts[p[TCP].sport % self.vpp_worker_count].append(p) p = ( Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / UDP(sport=udp_port_offset + i, dport=20) ) i2o_pkts[p[UDP].sport % self.vpp_worker_count].append(p) p = ( Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / ICMP(id=icmp_id_offset + i, type="echo-request") ) i2o_pkts[p[ICMP].id % self.vpp_worker_count].append(p) for i in range(0, self.vpp_worker_count): if len(i2o_pkts[i]) > 0: self.pg0.add_stream(i2o_pkts[i], worker=i) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg1.get_capture(pkt_count * 3, timeout=5) if_idx = self.pg0.sw_if_index tc2 = self.statistics["/nat44-ed/in2out/slowpath/tcp"] uc2 = self.statistics["/nat44-ed/in2out/slowpath/udp"] ic2 = self.statistics["/nat44-ed/in2out/slowpath/icmp"] dc2 = self.statistics["/nat44-ed/in2out/slowpath/drops"] self.assertEqual(tc2[:, if_idx].sum() - tc1[:, if_idx].sum(), pkt_count) self.assertEqual(uc2[:, if_idx].sum() - uc1[:, if_idx].sum(), pkt_count) self.assertEqual(ic2[:, if_idx].sum() - ic1[:, if_idx].sum(), pkt_count) self.assertEqual(dc2[:, if_idx].sum() - dc1[:, if_idx].sum(), 0) self.logger.info(self.vapi.cli("show trace")) # out2in tc1 = self.statistics["/nat44-ed/out2in/fastpath/tcp"] uc1 = self.statistics["/nat44-ed/out2in/fastpath/udp"] ic1 = self.statistics["/nat44-ed/out2in/fastpath/icmp"] dc1 = self.statistics["/nat44-ed/out2in/fastpath/drops"] recvd_tcp_ports = set() recvd_udp_ports = set() recvd_icmp_ids = set() for p in capture: if TCP in p: recvd_tcp_ports.add(p[TCP].sport) if UDP in p: recvd_udp_ports.add(p[UDP].sport) if ICMP in p: recvd_icmp_ids.add(p[ICMP].id) recvd_tcp_ports = list(recvd_tcp_ports) recvd_udp_ports = list(recvd_udp_ports) recvd_icmp_ids = list(recvd_icmp_ids) o2i_pkts = [[] for x in range(0, self.vpp_worker_count)] for i in range(pkt_count): p = ( Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) / IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / TCP(dport=choice(recvd_tcp_ports), sport=20) ) o2i_pkts[p[TCP].dport % self.vpp_worker_count].append(p) p = ( Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) / IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / UDP(dport=choice(recvd_udp_ports), sport=20) ) o2i_pkts[p[UDP].dport % self.vpp_worker_count].append(p) p = ( Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) / IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / ICMP(id=choice(recvd_icmp_ids), type="echo-reply") ) o2i_pkts[p[ICMP].id % self.vpp_worker_count].append(p) for i in range(0, self.vpp_worker_count): if len(o2i_pkts[i]) > 0: self.pg1.add_stream(o2i_pkts[i], worker=i) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg0.get_capture(pkt_count * 3) for packet in capture: try: self.assert_packet_checksums_valid(packet) self.assertEqual(packet[IP].dst, self.pg0.remote_ip4) if packet.haslayer(TCP): self.assert_in_range( packet[TCP].dport, tcp_port_offset, tcp_port_offset + pkt_count, "dst TCP port", ) elif packet.haslayer(UDP): self.assert_in_range( packet[UDP].dport, udp_port_offset, udp_port_offset + pkt_count, "dst UDP port", ) else: self.assert_in_range( packet[ICMP].id, icmp_id_offset, icmp_id_offset + pkt_count, "ICMP id", ) except: self.logger.error( ppp("Unexpected or invalid packet (inside network):", packet) ) raise if_idx = self.pg1.sw_if_index tc2 = self.statistics["/nat44-ed/out2in/fastpath/tcp"] uc2 = self.statistics["/nat44-ed/out2in/fastpath/udp"] ic2 = self.statistics["/nat44-ed/out2in/fastpath/icmp"] dc2 = self.statistics["/nat44-ed/out2in/fastpath/drops"] self.assertEqual(tc2[:, if_idx].sum() - tc1[:, if_idx].sum(), pkt_count) self.assertEqual(uc2[:, if_idx].sum() - uc1[:, if_idx].sum(), pkt_count) self.assertEqual(ic2[:, if_idx].sum() - ic1[:, if_idx].sum(), pkt_count) self.assertEqual(dc2[:, if_idx].sum() - dc1[:, if_idx].sum(), 0) sc = self.statistics["/nat44-ed/total-sessions"] self.assertEqual( sc[:, 0].sum(), len(recvd_tcp_ports) + len(recvd_udp_ports) + len(recvd_icmp_ids), ) def test_frag_in_order(self): """NAT44ED translate fragments arriving in order""" self.nat_add_address(self.nat_addr) self.nat_add_inside_interface(self.pg0) self.nat_add_outside_interface(self.pg1) self.frag_in_order(proto=IP_PROTOS.tcp, ignore_port=True) self.frag_in_order(proto=IP_PROTOS.udp, ignore_port=True) self.frag_in_order(proto=IP_PROTOS.icmp, ignore_port=True) def test_frag_in_order_do_not_translate(self): """NAT44ED don't translate fragments arriving in order""" self.nat_add_address(self.nat_addr) self.nat_add_inside_interface(self.pg0) self.nat_add_outside_interface(self.pg1) self.vapi.nat44_forwarding_enable_disable(enable=True) self.frag_in_order(proto=IP_PROTOS.tcp, dont_translate=True) def test_frag_out_of_order(self): """NAT44ED translate fragments arriving out of order""" self.nat_add_address(self.nat_addr) self.nat_add_inside_interface(self.pg0) self.nat_add_outside_interface(self.pg1) self.frag_out_of_order(proto=IP_PROTOS.tcp, ignore_port=True) self.frag_out_of_order(proto=IP_PROTOS.udp, ignore_port=True) self.frag_out_of_order(proto=IP_PROTOS.icmp, ignore_port=True) def test_frag_in_order_in_plus_out(self): """NAT44ED in+out interface fragments in order""" in_port = self.random_port() out_port = self.random_port() self.nat_add_address(self.nat_addr) self.nat_add_inside_interface(self.pg0) self.nat_add_outside_interface(self.pg0) self.nat_add_inside_interface(self.pg1) self.nat_add_outside_interface(self.pg1) # add static mappings for server self.nat_add_static_mapping( self.server_addr, self.nat_addr, in_port, out_port, proto=IP_PROTOS.tcp ) self.nat_add_static_mapping( self.server_addr, self.nat_addr, in_port, out_port, proto=IP_PROTOS.udp ) self.nat_add_static_mapping( self.server_addr, self.nat_addr, proto=IP_PROTOS.icmp ) # run tests for each protocol self.frag_in_order_in_plus_out( self.server_addr, self.nat_addr, in_port, out_port, IP_PROTOS.tcp ) self.frag_in_order_in_plus_out( self.server_addr, self.nat_addr, in_port, out_port, IP_PROTOS.udp ) self.frag_in_order_in_plus_out( self.server_addr, self.nat_addr, in_port, out_port, IP_PROTOS.icmp ) def test_frag_out_of_order_in_plus_out(self): """NAT44ED in+out interface fragments out of order""" in_port = self.random_port() out_port = self.random_port() self.nat_add_address(self.nat_addr) self.nat_add_inside_interface(self.pg0) self.nat_add_outside_interface(self.pg0) self.nat_add_inside_interface(self.pg1) self.nat_add_outside_interface(self.pg1) # add static mappings for server self.nat_add_static_mapping( self.server_addr, self.nat_addr, in_port, out_port, proto=IP_PROTOS.tcp ) self.nat_add_static_mapping( self.server_addr, self.nat_addr, in_port, out_port, proto=IP_PROTOS.udp ) self.nat_add_static_mapping( self.server_addr, self.nat_addr, proto=IP_PROTOS.icmp ) # run tests for each protocol self.frag_out_of_order_in_plus_out( self.server_addr, self.nat_addr, in_port, out_port, IP_PROTOS.tcp ) self.frag_out_of_order_in_plus_out( self.server_addr, self.nat_addr, in_port, out_port, IP_PROTOS.udp ) self.frag_out_of_order_in_plus_out( self.server_addr, self.nat_addr, in_port, out_port, IP_PROTOS.icmp ) def test_reass_hairpinning(self): """NAT44ED fragments hairpinning""" server_addr = self.pg0.remote_hosts[1].ip4 host_in_port = self.random_port() server_in_port = self.random_port() server_out_port = self.random_port() self.nat_add_address(self.nat_addr) self.nat_add_inside_interface(self.pg0) self.nat_add_outside_interface(self.pg1) # add static mapping for server self.nat_add_static_mapping( server_addr, self.nat_addr, server_in_port, server_out_port, proto=IP_PROTOS.tcp, ) self.nat_add_static_mapping( server_addr, self.nat_addr, server_in_port, server_out_port, proto=IP_PROTOS.udp, ) self.nat_add_static_mapping(server_addr, self.nat_addr) self.reass_hairpinning( server_addr, server_in_port, server_out_port, host_in_port, proto=IP_PROTOS.tcp, ignore_port=True, ) self.reass_hairpinning( server_addr, server_in_port, server_out_port, host_in_port, proto=IP_PROTOS.udp, ignore_port=True, ) self.reass_hairpinning( server_addr, server_in_port, server_out_port, host_in_port, proto=IP_PROTOS.icmp, ignore_port=True, ) def test_session_limit_per_vrf(self): """NAT44ED per vrf session limit""" inside = self.pg0 inside_vrf10 = self.pg2 outside = self.pg1 limit = 5 # 2 interfaces pg0, pg1 (vrf10, limit 5 tcp sessions) self.vapi.nat44_set_session_limit(session_limit=limit, vrf_id=10) # expect error when bad is specified with self.vapi.assert_negative_api_retval(): self.vapi.nat44_set_session_limit(session_limit=limit, vrf_id=20) self.nat_add_inside_interface(inside) self.nat_add_inside_interface(inside_vrf10) self.nat_add_outside_interface(outside) # vrf independent self.nat_add_interface_address(outside) # BUG: causing core dump - when bad vrf_id is specified # self.nat_add_address(outside.local_ip4, vrf_id=20) stream = self.create_tcp_stream(inside_vrf10, outside, limit * 2) inside_vrf10.add_stream(stream) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = outside.get_capture(limit) stream = self.create_tcp_stream(inside, outside, limit * 2) inside.add_stream(stream) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = outside.get_capture(len(stream)) def test_show_max_translations(self): """NAT44ED API test - max translations per thread""" config = self.vapi.nat44_show_running_config() self.assertEqual(self.max_sessions, config.sessions) def test_lru_cleanup(self): """NAT44ED LRU cleanup algorithm""" self.nat_add_address(self.nat_addr) self.nat_add_inside_interface(self.pg0) self.nat_add_outside_interface(self.pg1) self.vapi.nat_set_timeouts( udp=1, tcp_established=7440, tcp_transitory=30, icmp=1 ) tcp_port_out = self.init_tcp_session(self.pg0, self.pg1, 2000, 80) pkts = [] for i in range(0, self.max_sessions - 1): p = ( Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4, ttl=64) / UDP(sport=7000 + i, dport=80) ) pkts.append(p) self.pg0.add_stream(pkts) self.pg_enable_capture(self.pg_interfaces) self.pg_start() self.pg1.get_capture(len(pkts)) self.virtual_sleep(1.5, "wait for timeouts") pkts = [] for i in range(0, self.max_sessions - 1): p = ( Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4, ttl=64) / ICMP(id=8000 + i, type="echo-request") ) pkts.append(p) self.pg0.add_stream(pkts) self.pg_enable_capture(self.pg_interfaces) self.pg_start() self.pg1.get_capture(len(pkts)) def test_session_rst_timeout(self): """NAT44ED session RST timeouts""" self.nat_add_address(self.nat_addr) self.nat_add_inside_interface(self.pg0) self.nat_add_outside_interface(self.pg1) self.vapi.nat_set_timeouts( udp=300, tcp_established=7440, tcp_transitory=5, icmp=60 ) self.init_tcp_session( self.pg0, self.pg1, self.tcp_port_in, self.tcp_external_port ) p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, flags="R") ) self.send_and_expect(self.pg0, p, self.pg1) self.virtual_sleep(6) # The session is already closed p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, flags="P") ) self.send_and_assert_no_replies(self.pg0, p, self.pg1) # The session can be re-opened p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, flags="S") ) self.send_and_expect(self.pg0, p, self.pg1) def test_session_rst_established_timeout(self): """NAT44ED session RST timeouts""" self.nat_add_address(self.nat_addr) self.nat_add_inside_interface(self.pg0) self.nat_add_outside_interface(self.pg1) self.vapi.nat_set_timeouts( udp=300, tcp_established=7440, tcp_transitory=5, icmp=60 ) self.init_tcp_session( self.pg0, self.pg1, self.tcp_port_in, self.tcp_external_port ) # Wait at least the transitory time, the session is in established # state anyway. RST followed by a data packet should move it to # transitory state. self.virtual_sleep(6) p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, flags="R") ) self.send_and_expect(self.pg0, p, self.pg1) p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, flags="P") ) self.send_and_expect(self.pg0, p, self.pg1) # State is transitory, session should be closed after 6 seconds self.virtual_sleep(6) p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, flags="P") ) self.send_and_assert_no_replies(self.pg0, p, self.pg1) def test_dynamic_out_of_ports(self): """NAT44ED dynamic translation test: out of ports""" self.nat_add_inside_interface(self.pg0) self.nat_add_outside_interface(self.pg1) # in2out and no NAT addresses added pkts = self.create_stream_in(self.pg0, self.pg1) self.send_and_assert_no_replies( self.pg0, pkts, msg="i2o pkts", stats_diff=self.no_diff | { "err": { "/err/nat44-ed-in2out-slowpath/out of ports": len(pkts), }, self.pg0.sw_if_index: { "/nat44-ed/in2out/slowpath/drops": len(pkts), }, }, ) # in2out after NAT addresses added self.nat_add_address(self.nat_addr) tcpn, udpn, icmpn = ( sum(x) for x in zip(*((TCP in p, UDP in p, ICMP in p) for p in pkts)) ) self.send_and_expect( self.pg0, pkts, self.pg1, msg="i2o pkts", stats_diff=self.no_diff | { "err": { "/err/nat44-ed-in2out-slowpath/out of ports": 0, }, self.pg0.sw_if_index: { "/nat44-ed/in2out/slowpath/drops": 0, "/nat44-ed/in2out/slowpath/tcp": tcpn, "/nat44-ed/in2out/slowpath/udp": udpn, "/nat44-ed/in2out/slowpath/icmp": icmpn, }, }, ) def test_unknown_proto(self): """NAT44ED translate packet with unknown protocol""" self.nat_add_address(self.nat_addr) self.nat_add_inside_interface(self.pg0) self.nat_add_outside_interface(self.pg1) # in2out p = ( Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=self.tcp_port_in, dport=20) ) self.pg0.add_stream(p) self.pg_enable_capture(self.pg_interfaces) self.pg_start() p = self.pg1.get_capture(1) p = ( Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / GRE() / IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4) / TCP(sport=1234, dport=1234) ) self.pg0.add_stream(p) self.pg_enable_capture(self.pg_interfaces) self.pg_start() p = self.pg1.get_capture(1) packet = p[0] try: self.assertEqual(packet[IP].src, self.nat_addr) self.assertEqual(packet[IP].dst, self.pg1.remote_ip4) self.assertEqual(packet.haslayer(GRE), 1) self.assert_packet_checksums_valid(packet) except: self.logger.error(ppp("Unexpected or invalid packet:", packet)) raise # out2in p = ( Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) / IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / GRE() / IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4) / TCP(sport=1234, dport=1234) ) self.pg1.add_stream(p) self.pg_enable_capture(self.pg_interfaces) self.pg_start() p = self.pg0.get_capture(1) packet = p[0] try: self.assertEqual(packet[IP].src, self.pg1.remote_ip4) self.assertEqual(packet[IP].dst, self.pg0.remote_ip4) self.assertEqual(packet.haslayer(GRE), 1) self.assert_packet_checksums_valid(packet) except: self.logger.error(ppp("Unexpected or invalid packet:", packet)) raise def test_hairpinning_unknown_proto(self): """NAT44ED translate packet with unknown protocol - hairpinning""" host = self.pg0.remote_hosts[0] server = self.pg0.remote_hosts[1] host_in_port = 1234 server_out_port = 8765 server_nat_ip = "10.0.0.11" self.nat_add_address(self.nat_addr) self.nat_add_inside_interface(self.pg0) self.nat_add_outside_interface(self.pg1) # add static mapping for server self.nat_add_static_mapping(server.ip4, server_nat_ip) # host to server p = ( Ether(src=host.mac, dst=self.pg0.local_mac) / IP(src=host.ip4, dst=server_nat_ip) / TCP(sport=host_in_port, dport=server_out_port) ) self.pg0.add_stream(p) self.pg_enable_capture(self.pg_interfaces) self.pg_start() self.pg0.get_capture(1) p = ( Ether(dst=self.pg0.local_mac, src=host.mac) / IP(src=host.ip4, dst=server_nat_ip) / GRE() / IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4) / TCP(sport=1234, dport=1234) ) self.pg0.add_stream(p) self.pg_enable_capture(self.pg_interfaces) self.pg_start() p = self.pg0.get_capture(1) packet = p[0] try: self.assertEqual(packet[IP].src, self.nat_addr) self.assertEqual(packet[IP].dst, server.ip4) self.assertEqual(packet.haslayer(GRE), 1) self.assert_packet_checksums_valid(packet) except: self.logger.error(ppp("Unexpected or invalid packet:", packet)) raise # server to host p = ( Ether(dst=self.pg0.local_mac, src=server.mac) / IP(src=server.ip4, dst=self.nat_addr) / GRE() / IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4) / TCP(sport=1234, dport=1234) ) self.pg0.add_stream(p) self.pg_enable_capture(self.pg_interfaces) self.pg_start() p = self.pg0.get_capture(1) packet = p[0] try: self.assertEqual(packet[IP].src, server_nat_ip) self.assertEqual(packet[IP].dst, host.ip4) self.assertEqual(packet.haslayer(GRE), 1) self.assert_packet_checksums_valid(packet) except: self.logger.error(ppp("Unexpected or invalid packet:", packet)) raise def test_output_feature_and_service(self): """NAT44ED interface output feature and services""" external_addr = "1.2.3.4" external_port = 80 local_port = 8080 self.vapi.nat44_forwarding_enable_disable(enable=1) self.nat_add_address(self.nat_addr) flags = self.config_flags.NAT_IS_ADDR_ONLY self.vapi.nat44_add_del_identity_mapping( ip_address=self.pg1.remote_ip4, sw_if_index=0xFFFFFFFF, flags=flags, is_add=1, ) flags = self.config_flags.NAT_IS_OUT2IN_ONLY self.nat_add_static_mapping( self.pg0.remote_ip4, external_addr, local_port, external_port, proto=IP_PROTOS.tcp, flags=flags, ) self.nat_add_inside_interface(self.pg0) self.nat_add_outside_interface(self.pg0) self.vapi.nat44_ed_add_del_output_interface( sw_if_index=self.pg1.sw_if_index, is_add=1 ) # from client to service p = ( Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / IP(src=self.pg1.remote_ip4, dst=external_addr) / TCP(sport=12345, dport=external_port) ) self.pg1.add_stream(p) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg0.get_capture(1) p = capture[0] try: ip = p[IP] tcp = p[TCP] self.assertEqual(ip.dst, self.pg0.remote_ip4) self.assertEqual(tcp.dport, local_port) self.assert_packet_checksums_valid(p) except: self.logger.error(ppp("Unexpected or invalid packet:", p)) raise # from service back to client p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=local_port, dport=12345) ) self.pg0.add_stream(p) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg1.get_capture(1) p = capture[0] try: ip = p[IP] tcp = p[TCP] self.assertEqual(ip.src, external_addr) self.assertEqual(tcp.sport, external_port) self.assert_packet_checksums_valid(p) except: self.logger.error(ppp("Unexpected or invalid packet:", p)) raise # from local network host to external network pkts = self.create_stream_in(self.pg0, self.pg1) self.pg0.add_stream(pkts) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg1.get_capture(len(pkts)) self.verify_capture_out(capture, ignore_port=True) pkts = self.create_stream_in(self.pg0, self.pg1) self.pg0.add_stream(pkts) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg1.get_capture(len(pkts)) self.verify_capture_out(capture, ignore_port=True) # from external network back to local network host pkts = self.create_stream_out(self.pg1) self.pg1.add_stream(pkts) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg0.get_capture(len(pkts)) self.verify_capture_in(capture, self.pg0) def test_output_feature_and_service3(self): """NAT44ED interface output feature and DST NAT""" external_addr = "1.2.3.4" external_port = 80 local_port = 8080 self.vapi.nat44_forwarding_enable_disable(enable=1) self.nat_add_address(self.nat_addr) flags = self.config_flags.NAT_IS_OUT2IN_ONLY self.nat_add_static_mapping( self.pg1.remote_ip4, external_addr, local_port, external_port, proto=IP_PROTOS.tcp, flags=flags, ) self.nat_add_inside_interface(self.pg0) self.nat_add_outside_interface(self.pg0) self.vapi.nat44_ed_add_del_output_interface( sw_if_index=self.pg1.sw_if_index, is_add=1 ) p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=external_addr) / TCP(sport=12345, dport=external_port) ) self.pg0.add_stream(p) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg1.get_capture(1) p = capture[0] try: ip = p[IP] tcp = p[TCP] self.assertEqual(ip.src, self.pg0.remote_ip4) self.assertEqual(tcp.sport, 12345) self.assertEqual(ip.dst, self.pg1.remote_ip4) self.assertEqual(tcp.dport, local_port) self.assert_packet_checksums_valid(p) except: self.logger.error(ppp("Unexpected or invalid packet:", p)) raise p = ( Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / IP(src=self.pg1.remote_ip4, dst=self.pg0.remote_ip4) / TCP(sport=local_port, dport=12345) ) self.pg1.add_stream(p) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg0.get_capture(1) p = capture[0] try: ip = p[IP] tcp = p[TCP] self.assertEqual(ip.src, external_addr) self.assertEqual(tcp.sport, external_port) self.assertEqual(ip.dst, self.pg0.remote_ip4) self.assertEqual(tcp.dport, 12345) self.assert_packet_checksums_valid(p) except: self.logger.error(ppp("Unexpected or invalid packet:", p)) raise def test_self_twice_nat_lb_negative(self): """NAT44ED Self Twice NAT local service load balancing (negative test)""" self.twice_nat_common(lb=True, self_twice_nat=True, same_pg=True, client_id=2) def test_self_twice_nat_negative(self): """NAT44ED Self Twice NAT (negative test)""" self.twice_nat_common(self_twice_nat=True) def test_static_lb_multi_clients(self): """NAT44ED local service load balancing - multiple clients""" external_addr = self.nat_addr external_port = 80 local_port = 8080 server1 = self.pg0.remote_hosts[0] server2 = self.pg0.remote_hosts[1] server3 = self.pg0.remote_hosts[2] locals = [ {"addr": server1.ip4, "port": local_port, "probability": 90, "vrf_id": 0}, {"addr": server2.ip4, "port": local_port, "probability": 10, "vrf_id": 0}, ] flags = self.config_flags.NAT_IS_INSIDE self.vapi.nat44_interface_add_del_feature( sw_if_index=self.pg0.sw_if_index, flags=flags, is_add=1 ) self.vapi.nat44_interface_add_del_feature( sw_if_index=self.pg1.sw_if_index, is_add=1 ) self.nat_add_address(self.nat_addr) self.vapi.nat44_add_del_lb_static_mapping( is_add=1, external_addr=external_addr, external_port=external_port, protocol=IP_PROTOS.tcp, local_num=len(locals), locals=locals, ) server1_n = 0 server2_n = 0 clients = ip4_range(self.pg1.remote_ip4, 10, 50) pkts = [] for client in clients: p = ( Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / IP(src=client, dst=self.nat_addr) / TCP(sport=12345, dport=external_port) ) pkts.append(p) self.pg1.add_stream(pkts) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg0.get_capture(len(pkts)) for p in capture: if p[IP].dst == server1.ip4: server1_n += 1 else: server2_n += 1 self.assertGreaterEqual(server1_n, server2_n) local = { "addr": server3.ip4, "port": local_port, "probability": 20, "vrf_id": 0, } # add new back-end self.vapi.nat44_lb_static_mapping_add_del_local( is_add=1, external_addr=external_addr, external_port=external_port, local=local, protocol=IP_PROTOS.tcp, ) server1_n = 0 server2_n = 0 server3_n = 0 clients = ip4_range(self.pg1.remote_ip4, 60, 110) pkts = [] for client in clients: p = ( Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / IP(src=client, dst=self.nat_addr) / TCP(sport=12346, dport=external_port) ) pkts.append(p) self.assertGreater(len(pkts), 0) self.pg1.add_stream(pkts) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg0.get_capture(len(pkts)) for p in capture: if p[IP].dst == server1.ip4: server1_n += 1 elif p[IP].dst == server2.ip4: server2_n += 1 else: server3_n += 1 self.assertGreater(server1_n, 0) self.assertGreater(server2_n, 0) self.assertGreater(server3_n, 0) local = { "addr": server2.ip4, "port": local_port, "probability": 10, "vrf_id": 0, } # remove one back-end self.vapi.nat44_lb_static_mapping_add_del_local( is_add=0, external_addr=external_addr, external_port=external_port, local=local, protocol=IP_PROTOS.tcp, ) server1_n = 0 server2_n = 0 server3_n = 0 self.pg1.add_stream(pkts) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg0.get_capture(len(pkts)) for p in capture: if p[IP].dst == server1.ip4: server1_n += 1 elif p[IP].dst == server2.ip4: server2_n += 1 else: server3_n += 1 self.assertGreater(server1_n, 0) self.assertEqual(server2_n, 0) self.assertGreater(server3_n, 0) # put zzz in front of syslog test name so that it runs as a last test # setting syslog sender cannot be undone and if it is set, it messes # with self.send_and_assert_no_replies functionality def test_zzz_syslog_sess(self): """NAT44ED Test syslog session creation and deletion""" self.vapi.syslog_set_filter(self.syslog_severity.SYSLOG_API_SEVERITY_INFO) self.vapi.syslog_set_sender(self.pg3.local_ip4, self.pg3.remote_ip4) self.nat_add_address(self.nat_addr) self.nat_add_inside_interface(self.pg0) self.nat_add_outside_interface(self.pg1) p = ( Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port) ) self.pg0.add_stream(p) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg1.get_capture(1) self.tcp_port_out = capture[0][TCP].sport capture = self.pg3.get_capture(1) self.verify_syslog_sess(capture[0][Raw].load, "SADD") self.pg_enable_capture(self.pg_interfaces) self.pg_start() self.nat_add_address(self.nat_addr, is_add=0) capture = self.pg3.get_capture(1) self.verify_syslog_sess(capture[0][Raw].load, "SDEL") # put zzz in front of syslog test name so that it runs as a last test # setting syslog sender cannot be undone and if it is set, it messes # with self.send_and_assert_no_replies functionality def test_zzz_syslog_sess_reopen(self): """Syslog events for session reopen""" self.vapi.syslog_set_filter(self.syslog_severity.SYSLOG_API_SEVERITY_INFO) self.vapi.syslog_set_sender(self.pg3.local_ip4, self.pg3.remote_ip4) self.nat_add_address(self.nat_addr) self.nat_add_inside_interface(self.pg0) self.nat_add_outside_interface(self.pg1) # SYN in2out p = ( Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port) ) capture = self.send_and_expect(self.pg0, p, self.pg1)[0] self.tcp_port_out = capture[0][TCP].sport capture = self.pg3.get_capture(1) self.verify_syslog_sess(capture[0][Raw].load, "SADD") # SYN out2in p = ( Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) / IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / TCP(sport=self.tcp_external_port, dport=self.tcp_port_out, flags="SA") ) self.send_and_expect(self.pg1, p, self.pg0) p = ( Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, flags="A") ) self.send_and_expect(self.pg0, p, self.pg1) # FIN in2out p = ( Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, flags="F") ) self.send_and_expect(self.pg0, p, self.pg1) # FIN out2in p = ( Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) / IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / TCP(sport=self.tcp_external_port, dport=self.tcp_port_out, flags="F") ) self.send_and_expect(self.pg1, p, self.pg0) self.init_tcp_session( self.pg0, self.pg1, self.tcp_port_in, self.tcp_external_port ) # 2 records should be produced - first one del & add capture = self.pg3.get_capture(2) self.verify_syslog_sess(capture[0][Raw].load, "SDEL") self.verify_syslog_sess(capture[1][Raw].load, "SADD") def test_twice_nat_interface_addr(self): """NAT44ED Acquire twice NAT addresses from interface""" flags = self.config_flags.NAT_IS_TWICE_NAT self.vapi.nat44_add_del_interface_addr( sw_if_index=self.pg11.sw_if_index, flags=flags, is_add=1 ) # no address in NAT pool adresses = self.vapi.nat44_address_dump() self.assertEqual(0, len(adresses)) # configure interface address and check NAT address pool self.pg11.config_ip4() adresses = self.vapi.nat44_address_dump() self.assertEqual(1, len(adresses)) self.assertEqual(str(adresses[0].ip_address), self.pg11.local_ip4) self.assertEqual(adresses[0].flags, flags) # remove interface address and check NAT address pool self.pg11.unconfig_ip4() adresses = self.vapi.nat44_address_dump() self.assertEqual(0, len(adresses)) def test_output_feature_stateful_acl(self): """NAT44ED output feature works with stateful ACL""" self.nat_add_address(self.nat_addr) self.vapi.nat44_ed_add_del_output_interface( sw_if_index=self.pg1.sw_if_index, is_add=1 ) # First ensure that the NAT is working sans ACL # send packets out2in, no sessions yet so packets should drop pkts_out2in = self.create_stream_out(self.pg1) self.send_and_assert_no_replies(self.pg1, pkts_out2in) # send packets into inside intf, ensure received via outside intf pkts_in2out = self.create_stream_in(self.pg0, self.pg1) capture = self.send_and_expect( self.pg0, pkts_in2out, self.pg1, len(pkts_in2out) ) self.verify_capture_out(capture, ignore_port=True) # send out2in again, with sessions created it should work now pkts_out2in = self.create_stream_out(self.pg1) capture = self.send_and_expect( self.pg1, pkts_out2in, self.pg0, len(pkts_out2in) ) self.verify_capture_in(capture, self.pg0) # Create an ACL blocking everything out2in_deny_rule = AclRule(is_permit=0) out2in_acl = VppAcl(self, rules=[out2in_deny_rule]) out2in_acl.add_vpp_config() # create an ACL to permit/reflect everything in2out_reflect_rule = AclRule(is_permit=2) in2out_acl = VppAcl(self, rules=[in2out_reflect_rule]) in2out_acl.add_vpp_config() # apply as input acl on interface and confirm it blocks everything acl_if = VppAclInterface( self, sw_if_index=self.pg1.sw_if_index, n_input=1, acls=[out2in_acl] ) acl_if.add_vpp_config() self.send_and_assert_no_replies(self.pg1, pkts_out2in) # apply output acl acl_if.acls = [out2in_acl, in2out_acl] acl_if.add_vpp_config() # send in2out to generate ACL state (NAT state was created earlier) capture = self.send_and_expect( self.pg0, pkts_in2out, self.pg1, len(pkts_in2out) ) self.verify_capture_out(capture, ignore_port=True) # send out2in again. ACL state exists so it should work now. # TCP packets with the syn flag set also need the ack flag for p in pkts_out2in: if p.haslayer(TCP) and p[TCP].flags & 0x02: p[TCP].flags |= 0x10 capture = self.send_and_expect( self.pg1, pkts_out2in, self.pg0, len(pkts_out2in) ) self.verify_capture_in(capture, self.pg0) self.logger.info(self.vapi.cli("show trace")) def test_tcp_close(self): """NAT44ED Close TCP session from inside network - output feature""" config = self.vapi.nat44_show_running_config() old_timeouts = config.timeouts new_transitory = 2 self.vapi.nat_set_timeouts( udp=old_timeouts.udp, tcp_established=old_timeouts.tcp_established, icmp=old_timeouts.icmp, tcp_transitory=new_transitory, ) self.vapi.nat44_forwarding_enable_disable(enable=1) self.nat_add_address(self.pg1.local_ip4) twice_nat_addr = "10.0.1.3" service_ip = "192.168.16.150" self.nat_add_address(twice_nat_addr, twice_nat=1) flags = self.config_flags.NAT_IS_INSIDE self.vapi.nat44_interface_add_del_feature( sw_if_index=self.pg0.sw_if_index, is_add=1 ) self.vapi.nat44_interface_add_del_feature( sw_if_index=self.pg0.sw_if_index, flags=flags, is_add=1 ) self.vapi.nat44_ed_add_del_output_interface( is_add=1, sw_if_index=self.pg1.sw_if_index ) flags = ( self.config_flags.NAT_IS_OUT2IN_ONLY | self.config_flags.NAT_IS_TWICE_NAT ) self.nat_add_static_mapping( self.pg0.remote_ip4, service_ip, 80, 80, proto=IP_PROTOS.tcp, flags=flags ) sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) start_sessnum = len(sessions) # SYN packet out->in p = ( Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / IP(src=self.pg1.remote_ip4, dst=service_ip) / TCP(sport=33898, dport=80, flags="S") ) capture = self.send_and_expect(self.pg1, p, self.pg0, n_rx=1) p = capture[0] tcp_port = p[TCP].sport # SYN + ACK packet in->out p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=twice_nat_addr) / TCP(sport=80, dport=tcp_port, flags="SA") ) self.send_and_expect(self.pg0, p, self.pg1, n_rx=1) # ACK packet out->in p = ( Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / IP(src=self.pg1.remote_ip4, dst=service_ip) / TCP(sport=33898, dport=80, flags="A") ) self.send_and_expect(self.pg1, p, self.pg0, n_rx=1) # FIN packet in -> out p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=twice_nat_addr) / TCP(sport=80, dport=tcp_port, flags="FA", seq=100, ack=300) ) self.send_and_expect(self.pg0, p, self.pg1, n_rx=1) # FIN+ACK packet out -> in p = ( Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / IP(src=self.pg1.remote_ip4, dst=service_ip) / TCP(sport=33898, dport=80, flags="FA", seq=300, ack=101) ) self.send_and_expect(self.pg1, p, self.pg0, n_rx=1) # ACK packet in -> out p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=twice_nat_addr) / TCP(sport=80, dport=tcp_port, flags="A", seq=101, ack=301) ) self.send_and_expect(self.pg0, p, self.pg1, n_rx=1) # session now in transitory timeout, but traffic still flows # try FIN packet out->in p = ( Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / IP(src=self.pg1.remote_ip4, dst=service_ip) / TCP(sport=33898, dport=80, flags="F") ) self.pg1.add_stream(p) self.pg_enable_capture(self.pg_interfaces) self.pg_start() self.virtual_sleep(new_transitory, "wait for transitory timeout") self.pg0.get_capture(1) # session should still exist sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) self.assertEqual(len(sessions) - start_sessnum, 1) # send FIN+ACK packet out -> in - will cause session to be wiped # but won't create a new session p = ( Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / IP(src=self.pg1.remote_ip4, dst=service_ip) / TCP(sport=33898, dport=80, flags="FA", seq=300, ack=101) ) self.send_and_assert_no_replies(self.pg1, p) sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) self.assertEqual(len(sessions) - start_sessnum, 0) def test_tcp_session_close_in(self): """NAT44ED Close TCP session from inside network""" in_port = self.tcp_port_in out_port = 10505 ext_port = self.tcp_external_port self.nat_add_address(self.nat_addr) self.nat_add_inside_interface(self.pg0) self.nat_add_outside_interface(self.pg1) self.nat_add_static_mapping( self.pg0.remote_ip4, self.nat_addr, in_port, out_port, proto=IP_PROTOS.tcp, flags=self.config_flags.NAT_IS_TWICE_NAT, ) sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) session_n = len(sessions) self.vapi.nat_set_timeouts( udp=300, tcp_established=7440, tcp_transitory=2, icmp=5 ) self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port) # FIN packet in -> out p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=in_port, dport=ext_port, flags="FA", seq=100, ack=300) ) self.send_and_expect(self.pg0, p, self.pg1) pkts = [] # ACK packet out -> in p = ( Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / TCP(sport=ext_port, dport=out_port, flags="A", seq=300, ack=101) ) pkts.append(p) # FIN packet out -> in p = ( Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / TCP(sport=ext_port, dport=out_port, flags="FA", seq=300, ack=101) ) pkts.append(p) self.send_and_expect(self.pg1, pkts, self.pg0) # ACK packet in -> out p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301) ) self.send_and_expect(self.pg0, p, self.pg1) sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) self.assertEqual(len(sessions) - session_n, 1) # retransmit FIN packet out -> in p = ( Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / TCP(sport=ext_port, dport=out_port, flags="FA", seq=300, ack=101) ) self.send_and_expect(self.pg1, p, self.pg0) # retransmit ACK packet in -> out p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301) ) self.send_and_expect(self.pg0, p, self.pg1) self.virtual_sleep(3) # retransmit ACK packet in -> out - this will cause session to be wiped p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301) ) self.send_and_assert_no_replies(self.pg0, p) sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) self.assertEqual(len(sessions) - session_n, 0) def test_tcp_session_close_out(self): """NAT44ED Close TCP session from outside network""" in_port = self.tcp_port_in out_port = 10505 ext_port = self.tcp_external_port self.nat_add_address(self.nat_addr) self.nat_add_inside_interface(self.pg0) self.nat_add_outside_interface(self.pg1) self.nat_add_static_mapping( self.pg0.remote_ip4, self.nat_addr, in_port, out_port, proto=IP_PROTOS.tcp, flags=self.config_flags.NAT_IS_TWICE_NAT, ) sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) session_n = len(sessions) self.vapi.nat_set_timeouts( udp=300, tcp_established=7440, tcp_transitory=2, icmp=5 ) _ = self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port) # FIN packet out -> in p = ( Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / TCP(sport=ext_port, dport=out_port, flags="FA", seq=100, ack=300) ) self.pg1.add_stream(p) self.pg_enable_capture(self.pg_interfaces) self.pg_start() self.pg0.get_capture(1) # FIN+ACK packet in -> out p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=in_port, dport=ext_port, flags="FA", seq=300, ack=101) ) self.pg0.add_stream(p) self.pg_enable_capture(self.pg_interfaces) self.pg_start() self.pg1.get_capture(1) # ACK packet out -> in p = ( Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / TCP(sport=ext_port, dport=out_port, flags="A", seq=101, ack=301) ) self.pg1.add_stream(p) self.pg_enable_capture(self.pg_interfaces) self.pg_start() self.pg0.get_capture(1) sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) self.assertEqual(len(sessions) - session_n, 1) # retransmit FIN packet out -> in p = ( Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / TCP(sport=ext_port, dport=out_port, flags="FA", seq=300, ack=101) ) self.send_and_expect(self.pg1, p, self.pg0) # retransmit ACK packet in -> out p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301) ) self.send_and_expect(self.pg0, p, self.pg1) self.virtual_sleep(3) # retransmit ACK packet in -> out - this will cause session to be wiped p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301) ) self.send_and_assert_no_replies(self.pg0, p) sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) self.assertEqual(len(sessions) - session_n, 0) def test_tcp_session_close_simultaneous(self): """Simultaneous TCP close from both sides""" in_port = self.tcp_port_in ext_port = 10505 self.nat_add_address(self.nat_addr) self.nat_add_inside_interface(self.pg0) self.nat_add_outside_interface(self.pg1) self.nat_add_static_mapping( self.pg0.remote_ip4, self.nat_addr, in_port, ext_port, proto=IP_PROTOS.tcp, flags=self.config_flags.NAT_IS_TWICE_NAT, ) sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) session_n = len(sessions) self.vapi.nat_set_timeouts( udp=300, tcp_established=7440, tcp_transitory=2, icmp=5 ) out_port = self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port) # FIN packet in -> out p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=in_port, dport=ext_port, flags="FA", seq=100, ack=300) ) self.send_and_expect(self.pg0, p, self.pg1) # FIN packet out -> in p = ( Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / TCP(sport=ext_port, dport=out_port, flags="FA", seq=300, ack=100) ) self.send_and_expect(self.pg1, p, self.pg0) # ACK packet in -> out p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301) ) self.send_and_expect(self.pg0, p, self.pg1) # ACK packet out -> in p = ( Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / TCP(sport=ext_port, dport=out_port, flags="A", seq=301, ack=101) ) self.send_and_expect(self.pg1, p, self.pg0) sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) self.assertEqual(len(sessions) - session_n, 1) # retransmit FIN packet out -> in p = ( Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / TCP(sport=ext_port, dport=out_port, flags="FA", seq=300, ack=101) ) self.send_and_expect(self.pg1, p, self.pg0) # retransmit ACK packet in -> out p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301) ) self.send_and_expect(self.pg0, p, self.pg1) self.virtual_sleep(3) # retransmit ACK packet in -> out - this will cause session to be wiped p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301) ) self.pg_send(self.pg0, p) self.send_and_assert_no_replies(self.pg0, p) sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) self.assertEqual(len(sessions) - session_n, 0) def test_tcp_session_half_reopen_inside(self): """TCP session in FIN/FIN state not reopened by in2out SYN only""" in_port = self.tcp_port_in ext_port = 10505 self.nat_add_address(self.nat_addr) self.nat_add_inside_interface(self.pg0) self.nat_add_outside_interface(self.pg1) self.nat_add_static_mapping( self.pg0.remote_ip4, self.nat_addr, in_port, ext_port, proto=IP_PROTOS.tcp, flags=self.config_flags.NAT_IS_TWICE_NAT, ) sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) session_n = len(sessions) self.vapi.nat_set_timeouts( udp=300, tcp_established=7440, tcp_transitory=2, icmp=5 ) out_port = self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port) # FIN packet in -> out p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=in_port, dport=ext_port, flags="FA", seq=100, ack=300) ) self.send_and_expect(self.pg0, p, self.pg1) # FIN packet out -> in p = ( Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / TCP(sport=ext_port, dport=out_port, flags="FA", seq=300, ack=100) ) self.send_and_expect(self.pg1, p, self.pg0) sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) self.assertEqual(len(sessions) - session_n, 1) # send SYN packet in -> out p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=in_port, dport=ext_port, flags="S", seq=101, ack=301) ) self.send_and_expect(self.pg0, p, self.pg1) self.virtual_sleep(3) # send ACK packet in -> out - session should be wiped p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301) ) self.send_and_assert_no_replies(self.pg0, p, self.pg1) sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) self.assertEqual(len(sessions) - session_n, 0) def test_tcp_session_half_reopen_outside(self): """TCP session in FIN/FIN state not reopened by out2in SYN only""" in_port = self.tcp_port_in ext_port = 10505 self.nat_add_address(self.nat_addr) self.nat_add_inside_interface(self.pg0) self.nat_add_outside_interface(self.pg1) self.nat_add_static_mapping( self.pg0.remote_ip4, self.nat_addr, in_port, ext_port, proto=IP_PROTOS.tcp, flags=self.config_flags.NAT_IS_TWICE_NAT, ) sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) session_n = len(sessions) self.vapi.nat_set_timeouts( udp=300, tcp_established=7440, tcp_transitory=2, icmp=5 ) out_port = self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port) # FIN packet in -> out p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=in_port, dport=ext_port, flags="FA", seq=100, ack=300) ) self.send_and_expect(self.pg0, p, self.pg1) # FIN packet out -> in p = ( Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / TCP(sport=ext_port, dport=out_port, flags="FA", seq=300, ack=100) ) self.send_and_expect(self.pg1, p, self.pg0) sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) self.assertEqual(len(sessions) - session_n, 1) # send SYN packet out -> in p = ( Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / TCP(sport=ext_port, dport=out_port, flags="S", seq=300, ack=101) ) self.send_and_expect(self.pg1, p, self.pg0) self.virtual_sleep(3) # send ACK packet in -> out - session should be wiped p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301) ) self.send_and_assert_no_replies(self.pg0, p, self.pg1) sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) self.assertEqual(len(sessions) - session_n, 0) def test_tcp_session_reopen(self): """TCP session in FIN/FIN state reopened by SYN from both sides""" in_port = self.tcp_port_in ext_port = 10505 self.nat_add_address(self.nat_addr) self.nat_add_inside_interface(self.pg0) self.nat_add_outside_interface(self.pg1) self.nat_add_static_mapping( self.pg0.remote_ip4, self.nat_addr, in_port, ext_port, proto=IP_PROTOS.tcp, flags=self.config_flags.NAT_IS_TWICE_NAT, ) sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) session_n = len(sessions) self.vapi.nat_set_timeouts( udp=300, tcp_established=7440, tcp_transitory=2, icmp=5 ) out_port = self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port) # FIN packet in -> out p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=in_port, dport=ext_port, flags="FA", seq=100, ack=300) ) self.send_and_expect(self.pg0, p, self.pg1) # FIN packet out -> in p = ( Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / TCP(sport=ext_port, dport=out_port, flags="FA", seq=300, ack=100) ) self.send_and_expect(self.pg1, p, self.pg0) sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) self.assertEqual(len(sessions) - session_n, 1) # send SYN packet out -> in p = ( Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / TCP(sport=ext_port, dport=out_port, flags="S", seq=300, ack=101) ) self.send_and_expect(self.pg1, p, self.pg0) # send SYN packet in -> out p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=in_port, dport=ext_port, flags="SA", seq=101, ack=301) ) self.send_and_expect(self.pg0, p, self.pg1) # send ACK packet out -> in p = ( Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / TCP(sport=ext_port, dport=out_port, flags="A", seq=300, ack=101) ) self.send_and_expect(self.pg1, p, self.pg0) self.virtual_sleep(3) # send ACK packet in -> out - should be forwarded and session alive p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301) ) self.send_and_expect(self.pg0, p, self.pg1) sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) self.assertEqual(len(sessions) - session_n, 1) def test_dynamic_vrf(self): """NAT44ED dynamic translation test: different VRF""" vrf_id_in = 33 vrf_id_out = 34 self.nat_add_address(self.nat_addr, vrf_id=vrf_id_in) try: self.configure_ip4_interface(self.pg7, table_id=vrf_id_in) self.configure_ip4_interface(self.pg8, table_id=vrf_id_out) self.nat_add_inside_interface(self.pg7) self.nat_add_outside_interface(self.pg8) # just basic stuff nothing special pkts = self.create_stream_in(self.pg7, self.pg8) self.pg7.add_stream(pkts) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg8.get_capture(len(pkts)) self.verify_capture_out(capture, ignore_port=True) pkts = self.create_stream_out(self.pg8) self.pg8.add_stream(pkts) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg7.get_capture(len(pkts)) self.verify_capture_in(capture, self.pg7) finally: self.pg7.unconfig() self.pg8.unconfig() self.vapi.ip_table_add_del(is_add=0, table={"table_id": vrf_id_in}) self.vapi.ip_table_add_del(is_add=0, table={"table_id": vrf_id_out}) def test_dynamic_output_feature_vrf(self): """NAT44ED dynamic translation test: output-feature, VRF""" # other then default (0) new_vrf_id = 22 self.nat_add_address(self.nat_addr) self.vapi.nat44_ed_add_del_output_interface( sw_if_index=self.pg8.sw_if_index, is_add=1 ) try: self.configure_ip4_interface(self.pg7, table_id=new_vrf_id) self.configure_ip4_interface(self.pg8, table_id=new_vrf_id) # in2out tcpn = self.statistics["/nat44-ed/in2out/slowpath/tcp"] udpn = self.statistics["/nat44-ed/in2out/slowpath/udp"] icmpn = self.statistics["/nat44-ed/in2out/slowpath/icmp"] drops = self.statistics["/nat44-ed/in2out/slowpath/drops"] pkts = self.create_stream_in(self.pg7, self.pg8) self.pg7.add_stream(pkts) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg8.get_capture(len(pkts)) self.verify_capture_out(capture, ignore_port=True) if_idx = self.pg8.sw_if_index cnt = self.statistics["/nat44-ed/in2out/slowpath/tcp"] self.assertEqual(cnt[:, if_idx].sum() - tcpn[:, if_idx].sum(), 2) cnt = self.statistics["/nat44-ed/in2out/slowpath/udp"] self.assertEqual(cnt[:, if_idx].sum() - udpn[:, if_idx].sum(), 1) cnt = self.statistics["/nat44-ed/in2out/slowpath/icmp"] self.assertEqual(cnt[:, if_idx].sum() - icmpn[:, if_idx].sum(), 1) cnt = self.statistics["/nat44-ed/in2out/slowpath/drops"] self.assertEqual(cnt[:, if_idx].sum() - drops[:, if_idx].sum(), 0) # out2in tcpn = self.statistics["/nat44-ed/out2in/fastpath/tcp"] udpn = self.statistics["/nat44-ed/out2in/fastpath/udp"] icmpn = self.statistics["/nat44-ed/out2in/fastpath/icmp"] drops = self.statistics["/nat44-ed/out2in/fastpath/drops"] pkts = self.create_stream_out(self.pg8) self.pg8.add_stream(pkts) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg7.get_capture(len(pkts)) self.verify_capture_in(capture, self.pg7) if_idx = self.pg8.sw_if_index cnt = self.statistics["/nat44-ed/out2in/fastpath/tcp"] self.assertEqual(cnt[:, if_idx].sum() - tcpn[:, if_idx].sum(), 2) cnt = self.statistics["/nat44-ed/out2in/fastpath/udp"] self.assertEqual(cnt[:, if_idx].sum() - udpn[:, if_idx].sum(), 1) cnt = self.statistics["/nat44-ed/out2in/fastpath/icmp"] self.assertEqual(cnt[:, if_idx].sum() - icmpn[:, if_idx].sum(), 1) cnt = self.statistics["/nat44-ed/out2in/fastpath/drops"] self.assertEqual(cnt[:, if_idx].sum() - drops[:, if_idx].sum(), 0) sessions = self.statistics["/nat44-ed/total-sessions"] self.assertEqual(sessions[:, 0].sum(), 3) finally: self.pg7.unconfig() self.pg8.unconfig() self.vapi.ip_table_add_del(is_add=0, table={"table_id": new_vrf_id}) def test_next_src_nat(self): """NAT44ED On way back forward packet to nat44-in2out node.""" twice_nat_addr = "10.0.1.3" external_port = 80 local_port = 8080 post_twice_nat_port = 0 self.vapi.nat44_forwarding_enable_disable(enable=1) self.nat_add_address(twice_nat_addr, twice_nat=1) flags = ( self.config_flags.NAT_IS_OUT2IN_ONLY | self.config_flags.NAT_IS_SELF_TWICE_NAT ) self.nat_add_static_mapping( self.pg6.remote_ip4, self.pg1.remote_ip4, local_port, external_port, proto=IP_PROTOS.tcp, vrf_id=1, flags=flags, ) self.vapi.nat44_interface_add_del_feature( sw_if_index=self.pg6.sw_if_index, is_add=1 ) p = ( Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) / IP(src=self.pg6.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=12345, dport=external_port) ) self.pg6.add_stream(p) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg6.get_capture(1) p = capture[0] try: ip = p[IP] tcp = p[TCP] self.assertEqual(ip.src, twice_nat_addr) self.assertNotEqual(tcp.sport, 12345) post_twice_nat_port = tcp.sport self.assertEqual(ip.dst, self.pg6.remote_ip4) self.assertEqual(tcp.dport, local_port) self.assert_packet_checksums_valid(p) except: self.logger.error(ppp("Unexpected or invalid packet:", p)) raise p = ( Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) / IP(src=self.pg6.remote_ip4, dst=twice_nat_addr) / TCP(sport=local_port, dport=post_twice_nat_port) ) self.pg6.add_stream(p) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg6.get_capture(1) p = capture[0] try: ip = p[IP] tcp = p[TCP] self.assertEqual(ip.src, self.pg1.remote_ip4) self.assertEqual(tcp.sport, external_port) self.assertEqual(ip.dst, self.pg6.remote_ip4) self.assertEqual(tcp.dport, 12345) self.assert_packet_checksums_valid(p) except: self.logger.error(ppp("Unexpected or invalid packet:", p)) raise def test_one_armed_nat44_static(self): """NAT44ED One armed NAT and 1:1 NAPT asymmetrical rule""" remote_host = self.pg4.remote_hosts[0] local_host = self.pg4.remote_hosts[1] external_port = 80 local_port = 8080 eh_port_in = 0 self.vapi.nat44_forwarding_enable_disable(enable=1) self.nat_add_address(self.nat_addr, twice_nat=1) flags = ( self.config_flags.NAT_IS_OUT2IN_ONLY | self.config_flags.NAT_IS_TWICE_NAT ) self.nat_add_static_mapping( local_host.ip4, self.nat_addr, local_port, external_port, proto=IP_PROTOS.tcp, flags=flags, ) flags = self.config_flags.NAT_IS_INSIDE self.vapi.nat44_interface_add_del_feature( sw_if_index=self.pg4.sw_if_index, is_add=1 ) self.vapi.nat44_interface_add_del_feature( sw_if_index=self.pg4.sw_if_index, flags=flags, is_add=1 ) # from client to service p = ( Ether(src=self.pg4.remote_mac, dst=self.pg4.local_mac) / IP(src=remote_host.ip4, dst=self.nat_addr) / TCP(sport=12345, dport=external_port) ) self.pg4.add_stream(p) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg4.get_capture(1) p = capture[0] try: ip = p[IP] tcp = p[TCP] self.assertEqual(ip.dst, local_host.ip4) self.assertEqual(ip.src, self.nat_addr) self.assertEqual(tcp.dport, local_port) self.assertNotEqual(tcp.sport, 12345) eh_port_in = tcp.sport self.assert_packet_checksums_valid(p) except: self.logger.error(ppp("Unexpected or invalid packet:", p)) raise # from service back to client p = ( Ether(src=self.pg4.remote_mac, dst=self.pg4.local_mac) / IP(src=local_host.ip4, dst=self.nat_addr) / TCP(sport=local_port, dport=eh_port_in) ) self.pg4.add_stream(p) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg4.get_capture(1) p = capture[0] try: ip = p[IP] tcp = p[TCP] self.assertEqual(ip.src, self.nat_addr) self.assertEqual(ip.dst, remote_host.ip4) self.assertEqual(tcp.sport, external_port) self.assertEqual(tcp.dport, 12345) self.assert_packet_checksums_valid(p) except: self.logger.error(ppp("Unexpected or invalid packet:", p)) raise def test_icmp_error_fwd_outbound(self): """NAT44ED ICMP error outbound with forwarding enabled""" # Ensure that an outbound ICMP error message is properly associated # with the inbound forward bypass session it is related to. payload = "H" * 10 self.nat_add_address(self.nat_addr) self.nat_add_inside_interface(self.pg0) self.nat_add_outside_interface(self.pg1) # enable forwarding and initiate connection out2in self.vapi.nat44_forwarding_enable_disable(enable=1) p1 = ( Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / IP(src=self.pg1.remote_ip4, dst=self.pg0.remote_ip4) / UDP(sport=21, dport=20) / payload ) self.pg1.add_stream(p1) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg0.get_capture(1)[0] self.logger.info(self.vapi.cli("show nat44 sessions")) # reply with ICMP error message in2out # We cannot reliably retrieve forward bypass sessions via the API. # session dumps for a user will only look on the worker that the # user is supposed to be mapped to in2out. The forward bypass session # is not necessarily created on that worker. p2 = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / ICMP(type="dest-unreach", code="port-unreachable") / capture[IP:] ) self.pg0.add_stream(p2) self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg1.get_capture(1)[0] self.logger.info(self.vapi.cli("show nat44 sessions")) self.logger.info(ppp("p1 packet:", p1)) self.logger.info(ppp("p2 packet:", p2)) self.logger.info(ppp("capture packet:", capture)) def test_tcp_session_open_retransmit1(self): """NAT44ED Open TCP session with SYN,ACK retransmit 1 The client does not receive the [SYN,ACK] or the ACK from the client is lost. Therefore, the [SYN, ACK] is retransmitted by the server. """ in_port = self.tcp_port_in ext_port = self.tcp_external_port payload = "H" * 10 self.nat_add_address(self.nat_addr) self.nat_add_inside_interface(self.pg0) self.nat_add_outside_interface(self.pg1) self.vapi.nat_set_timeouts( udp=300, tcp_established=7440, tcp_transitory=5, icmp=60 ) # SYN packet in->out p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=in_port, dport=ext_port, flags="S") ) p = self.send_and_expect(self.pg0, p, self.pg1)[0] out_port = p[TCP].sport # SYN + ACK packet out->in p = ( Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / TCP(sport=ext_port, dport=out_port, flags="SA") ) self.send_and_expect(self.pg1, p, self.pg0) # ACK in->out does not arrive # resent SYN + ACK packet out->in p = ( Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / TCP(sport=ext_port, dport=out_port, flags="SA") ) self.send_and_expect(self.pg1, p, self.pg0) # ACK packet in->out p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=in_port, dport=ext_port, flags="A") ) self.send_and_expect(self.pg0, p, self.pg1) # Verify that the data can be transmitted after the transitory time self.virtual_sleep(6) p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=in_port, dport=ext_port, flags="PA") / Raw(payload) ) self.send_and_expect(self.pg0, p, self.pg1) def test_tcp_session_open_retransmit2(self): """NAT44ED Open TCP session with SYN,ACK retransmit 2 The ACK is lost to the server after the TCP session is opened. Data is sent by the client, then the [SYN,ACK] is retransmitted by the server. """ in_port = self.tcp_port_in ext_port = self.tcp_external_port payload = "H" * 10 self.nat_add_address(self.nat_addr) self.nat_add_inside_interface(self.pg0) self.nat_add_outside_interface(self.pg1) self.vapi.nat_set_timeouts( udp=300, tcp_established=7440, tcp_transitory=5, icmp=60 ) # SYN packet in->out p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=in_port, dport=ext_port, flags="S") ) p = self.send_and_expect(self.pg0, p, self.pg1)[0] out_port = p[TCP].sport # SYN + ACK packet out->in p = ( Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / TCP(sport=ext_port, dport=out_port, flags="SA") ) self.send_and_expect(self.pg1, p, self.pg0) # ACK packet in->out -- not received by the server p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=in_port, dport=ext_port, flags="A") ) self.send_and_expect(self.pg0, p, self.pg1) # PUSH + ACK packet in->out p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=in_port, dport=ext_port, flags="PA") / Raw(payload) ) self.send_and_expect(self.pg0, p, self.pg1) # resent SYN + ACK packet out->in p = ( Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / TCP(sport=ext_port, dport=out_port, flags="SA") ) self.send_and_expect(self.pg1, p, self.pg0) # resent ACK packet in->out p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=in_port, dport=ext_port, flags="A") ) self.send_and_expect(self.pg0, p, self.pg1) # resent PUSH + ACK packet in->out p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=in_port, dport=ext_port, flags="PA") / Raw(payload) ) self.send_and_expect(self.pg0, p, self.pg1) # ACK packet out->in p = ( Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / TCP(sport=ext_port, dport=out_port, flags="A") ) self.send_and_expect(self.pg1, p, self.pg0) # Verify that the data can be transmitted after the transitory time self.virtual_sleep(6) p = ( Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / TCP(sport=in_port, dport=ext_port, flags="PA") / Raw(payload) ) self.send_and_expect(self.pg0, p, self.pg1) def test_dynamic_ports_exhausted(self): """NAT44ED dynamic translation test: address ports exhaused""" sessions_per_batch = 128 n_available_ports = 65536 - 1024 n_sessions = n_available_ports + 2 * sessions_per_batch # set high enough session limit for ports to be exhausted self.plugin_disable() self.plugin_enable(max_sessions=n_sessions) self.nat_add_inside_interface(self.pg0) self.nat_add_outside_interface(self.pg1) # set timeouts to high for sessions to reallistically expire config = self.vapi.nat44_show_running_config() old_timeouts = config.timeouts self.vapi.nat_set_timeouts( udp=21600, tcp_established=old_timeouts.tcp_established, tcp_transitory=old_timeouts.tcp_transitory, icmp=old_timeouts.icmp, ) # in2out after NAT addresses added self.nat_add_address(self.nat_addr) for i in range(n_sessions // sessions_per_batch): pkts = self.create_udp_stream( self.pg0, self.pg1, sessions_per_batch, base_port=i * sessions_per_batch + 100, ) self.pg0.add_stream(pkts) self.pg_start() err = self.statistics.get_err_counter( "/err/nat44-ed-in2out-slowpath/out of ports" ) if err > sessions_per_batch: break # Check for ports to be used no more than once ports = set() sessions = self.vapi.cli("show nat44 sessions") rx = re.compile( f" *o2i flow: match: saddr {self.pg1.remote_ip4} sport [0-9]+ daddr {self.nat_addr} dport ([0-9]+) proto UDP.*" ) for line in sessions.splitlines(): m = rx.match(line) if m: port = int(m.groups()[0]) self.assertNotIn(port, ports) ports.add(port) self.assertGreaterEqual(err, sessions_per_batch) if __name__ == "__main__": unittest.main(testRunner=VppTestRunner)