5 from random import randint
8 from framework import tag_fixme_vpp_workers
9 from framework import VppTestCase, VppTestRunner
10 from scapy.data import IP_PROTOS
11 from scapy.layers.inet import IP, TCP, UDP, ICMP, GRE
12 from scapy.layers.inet import IPerror, TCPerror
13 from scapy.layers.l2 import Ether
14 from scapy.packet import Raw
15 from syslog_rfc5424_parser import SyslogMessage, ParseError
16 from syslog_rfc5424_parser.constants import SyslogSeverity
17 from util import ppp, ip4_range
18 from vpp_acl import AclRule, VppAcl, VppAclInterface
19 from vpp_ip_route import VppIpRoute, VppRoutePath
20 from vpp_papi import VppEnum
23 class NAT44EDTestCase(VppTestCase):
36 tcp_external_port = 80
41 super(NAT44EDTestCase, self).setUp()
45 super(NAT44EDTestCase, self).tearDown()
49 def plugin_enable(self):
50 self.vapi.nat44_ed_plugin_enable_disable(
51 sessions=self.max_sessions, enable=1)
53 def plugin_disable(self):
54 self.vapi.nat44_ed_plugin_enable_disable(enable=0)
57 def config_flags(self):
58 return VppEnum.vl_api_nat_config_flags_t
61 def nat44_config_flags(self):
62 return VppEnum.vl_api_nat44_config_flags_t
65 def syslog_severity(self):
66 return VppEnum.vl_api_syslog_severity_t
69 def server_addr(self):
70 return self.pg1.remote_hosts[0].ip4
74 return randint(1025, 65535)
77 def proto2layer(proto):
78 if proto == IP_PROTOS.tcp:
80 elif proto == IP_PROTOS.udp:
82 elif proto == IP_PROTOS.icmp:
85 raise Exception("Unsupported protocol")
88 def create_and_add_ip4_table(cls, i, table_id=0):
89 cls.vapi.ip_table_add_del(is_add=1, table={'table_id': table_id})
90 i.set_table_ip4(table_id)
93 def configure_ip4_interface(cls, i, hosts=0, table_id=None):
95 cls.create_and_add_ip4_table(i, table_id)
103 i.generate_remote_hosts(hosts)
104 i.configure_ipv4_neighbors()
107 def nat_add_interface_address(cls, i):
108 cls.vapi.nat44_add_del_interface_addr(
109 sw_if_index=i.sw_if_index, is_add=1)
111 def nat_add_inside_interface(self, i):
112 self.vapi.nat44_interface_add_del_feature(
113 flags=self.config_flags.NAT_IS_INSIDE,
114 sw_if_index=i.sw_if_index, is_add=1)
116 def nat_add_outside_interface(self, i):
117 self.vapi.nat44_interface_add_del_feature(
118 flags=self.config_flags.NAT_IS_OUTSIDE,
119 sw_if_index=i.sw_if_index, is_add=1)
121 def nat_add_address(self, address, twice_nat=0,
122 vrf_id=0xFFFFFFFF, is_add=1):
123 flags = self.config_flags.NAT_IS_TWICE_NAT if twice_nat else 0
124 self.vapi.nat44_add_del_address_range(first_ip_address=address,
125 last_ip_address=address,
130 def nat_add_static_mapping(self, local_ip, external_ip='0.0.0.0',
131 local_port=0, external_port=0, vrf_id=0,
132 is_add=1, external_sw_if_index=0xFFFFFFFF,
133 proto=0, tag="", flags=0):
135 if not (local_port and external_port):
136 flags |= self.config_flags.NAT_IS_ADDR_ONLY
138 self.vapi.nat44_add_del_static_mapping(
140 local_ip_address=local_ip,
141 external_ip_address=external_ip,
142 external_sw_if_index=external_sw_if_index,
143 local_port=local_port,
144 external_port=external_port,
145 vrf_id=vrf_id, protocol=proto,
151 super(NAT44EDTestCase, cls).setUpClass()
153 cls.create_pg_interfaces(range(12))
154 cls.interfaces = list(cls.pg_interfaces[:4])
156 cls.create_and_add_ip4_table(cls.pg2, 10)
158 for i in cls.interfaces:
159 cls.configure_ip4_interface(i, hosts=3)
161 # test specific (test-multiple-vrf)
162 cls.vapi.ip_table_add_del(is_add=1, table={'table_id': 1})
164 # test specific (test-one-armed-nat44-static)
165 cls.pg4.generate_remote_hosts(2)
167 cls.vapi.sw_interface_add_del_address(
168 sw_if_index=cls.pg4.sw_if_index,
169 prefix="10.0.0.1/24")
171 cls.pg4.resolve_arp()
172 cls.pg4._remote_hosts[1]._ip4 = cls.pg4._remote_hosts[0]._ip4
173 cls.pg4.resolve_arp()
175 # test specific interface (pg5)
176 cls.pg5._local_ip4 = "10.1.1.1"
177 cls.pg5._remote_hosts[0]._ip4 = "10.1.1.2"
178 cls.pg5.set_table_ip4(1)
181 cls.pg5.resolve_arp()
183 # test specific interface (pg6)
184 cls.pg6._local_ip4 = "10.1.2.1"
185 cls.pg6._remote_hosts[0]._ip4 = "10.1.2.2"
186 cls.pg6.set_table_ip4(1)
189 cls.pg6.resolve_arp()
193 rl.append(VppIpRoute(cls, "0.0.0.0", 0,
194 [VppRoutePath("0.0.0.0", 0xffffffff,
196 register=False, table_id=1))
197 rl.append(VppIpRoute(cls, "0.0.0.0", 0,
198 [VppRoutePath(cls.pg1.local_ip4,
199 cls.pg1.sw_if_index)],
201 rl.append(VppIpRoute(cls, cls.pg5.remote_ip4, 32,
202 [VppRoutePath("0.0.0.0",
203 cls.pg5.sw_if_index)],
204 register=False, table_id=1))
205 rl.append(VppIpRoute(cls, cls.pg6.remote_ip4, 32,
206 [VppRoutePath("0.0.0.0",
207 cls.pg6.sw_if_index)],
208 register=False, table_id=1))
209 rl.append(VppIpRoute(cls, cls.pg6.remote_ip4, 16,
210 [VppRoutePath("0.0.0.0", 0xffffffff,
212 register=False, table_id=0))
217 def get_err_counter(self, path):
218 return self.statistics.get_err_counter(path)
220 def get_stats_counter(self, path, worker=0):
221 return self.statistics.get_counter(path)[worker]
223 def reass_hairpinning(self, server_addr, server_in_port, server_out_port,
224 host_in_port, proto=IP_PROTOS.tcp,
226 layer = self.proto2layer(proto)
228 if proto == IP_PROTOS.tcp:
229 data = b"A" * 4 + b"B" * 16 + b"C" * 3
231 data = b"A" * 16 + b"B" * 16 + b"C" * 3
233 # send packet from host to server
234 pkts = self.create_stream_frag(self.pg0,
240 self.pg0.add_stream(pkts)
241 self.pg_enable_capture(self.pg_interfaces)
243 frags = self.pg0.get_capture(len(pkts))
244 p = self.reass_frags_and_verify(frags,
247 if proto != IP_PROTOS.icmp:
249 self.assertNotEqual(p[layer].sport, host_in_port)
250 self.assertEqual(p[layer].dport, server_in_port)
253 self.assertNotEqual(p[layer].id, host_in_port)
254 self.assertEqual(data, p[Raw].load)
256 def frag_out_of_order(self, proto=IP_PROTOS.tcp, dont_translate=False,
258 layer = self.proto2layer(proto)
260 if proto == IP_PROTOS.tcp:
261 data = b"A" * 4 + b"B" * 16 + b"C" * 3
263 data = b"A" * 16 + b"B" * 16 + b"C" * 3
264 self.port_in = self.random_port()
268 pkts = self.create_stream_frag(self.pg0, self.pg1.remote_ip4,
269 self.port_in, 20, data, proto)
271 self.pg0.add_stream(pkts)
272 self.pg_enable_capture(self.pg_interfaces)
274 frags = self.pg1.get_capture(len(pkts))
275 if not dont_translate:
276 p = self.reass_frags_and_verify(frags,
280 p = self.reass_frags_and_verify(frags,
283 if proto != IP_PROTOS.icmp:
284 if not dont_translate:
285 self.assertEqual(p[layer].dport, 20)
287 self.assertNotEqual(p[layer].sport, self.port_in)
289 self.assertEqual(p[layer].sport, self.port_in)
292 if not dont_translate:
293 self.assertNotEqual(p[layer].id, self.port_in)
295 self.assertEqual(p[layer].id, self.port_in)
296 self.assertEqual(data, p[Raw].load)
299 if not dont_translate:
300 dst_addr = self.nat_addr
302 dst_addr = self.pg0.remote_ip4
303 if proto != IP_PROTOS.icmp:
305 dport = p[layer].sport
309 pkts = self.create_stream_frag(self.pg1, dst_addr, sport, dport,
310 data, proto, echo_reply=True)
312 self.pg1.add_stream(pkts)
313 self.pg_enable_capture(self.pg_interfaces)
314 self.logger.info(self.vapi.cli("show trace"))
316 frags = self.pg0.get_capture(len(pkts))
317 p = self.reass_frags_and_verify(frags,
320 if proto != IP_PROTOS.icmp:
321 self.assertEqual(p[layer].sport, 20)
322 self.assertEqual(p[layer].dport, self.port_in)
324 self.assertEqual(p[layer].id, self.port_in)
325 self.assertEqual(data, p[Raw].load)
327 def reass_frags_and_verify(self, frags, src, dst):
330 self.assertEqual(p[IP].src, src)
331 self.assertEqual(p[IP].dst, dst)
332 self.assert_ip_checksum_valid(p)
333 buffer.seek(p[IP].frag * 8)
334 buffer.write(bytes(p[IP].payload))
335 ip = IP(src=frags[0][IP].src, dst=frags[0][IP].dst,
336 proto=frags[0][IP].proto)
337 if ip.proto == IP_PROTOS.tcp:
338 p = (ip / TCP(buffer.getvalue()))
339 self.logger.debug(ppp("Reassembled:", p))
340 self.assert_tcp_checksum_valid(p)
341 elif ip.proto == IP_PROTOS.udp:
342 p = (ip / UDP(buffer.getvalue()[:8]) /
343 Raw(buffer.getvalue()[8:]))
344 elif ip.proto == IP_PROTOS.icmp:
345 p = (ip / ICMP(buffer.getvalue()))
348 def frag_in_order(self, proto=IP_PROTOS.tcp, dont_translate=False,
350 layer = self.proto2layer(proto)
352 if proto == IP_PROTOS.tcp:
353 data = b"A" * 4 + b"B" * 16 + b"C" * 3
355 data = b"A" * 16 + b"B" * 16 + b"C" * 3
356 self.port_in = self.random_port()
359 pkts = self.create_stream_frag(self.pg0, self.pg1.remote_ip4,
360 self.port_in, 20, data, proto)
361 self.pg0.add_stream(pkts)
362 self.pg_enable_capture(self.pg_interfaces)
364 frags = self.pg1.get_capture(len(pkts))
365 if not dont_translate:
366 p = self.reass_frags_and_verify(frags,
370 p = self.reass_frags_and_verify(frags,
373 if proto != IP_PROTOS.icmp:
374 if not dont_translate:
375 self.assertEqual(p[layer].dport, 20)
377 self.assertNotEqual(p[layer].sport, self.port_in)
379 self.assertEqual(p[layer].sport, self.port_in)
382 if not dont_translate:
383 self.assertNotEqual(p[layer].id, self.port_in)
385 self.assertEqual(p[layer].id, self.port_in)
386 self.assertEqual(data, p[Raw].load)
389 if not dont_translate:
390 dst_addr = self.nat_addr
392 dst_addr = self.pg0.remote_ip4
393 if proto != IP_PROTOS.icmp:
395 dport = p[layer].sport
399 pkts = self.create_stream_frag(self.pg1, dst_addr, sport, dport, data,
400 proto, echo_reply=True)
401 self.pg1.add_stream(pkts)
402 self.pg_enable_capture(self.pg_interfaces)
404 frags = self.pg0.get_capture(len(pkts))
405 p = self.reass_frags_and_verify(frags,
408 if proto != IP_PROTOS.icmp:
409 self.assertEqual(p[layer].sport, 20)
410 self.assertEqual(p[layer].dport, self.port_in)
412 self.assertEqual(p[layer].id, self.port_in)
413 self.assertEqual(data, p[Raw].load)
415 def verify_capture_out(self, capture, nat_ip=None, same_port=False,
416 dst_ip=None, ignore_port=False):
418 nat_ip = self.nat_addr
419 for packet in capture:
421 self.assert_packet_checksums_valid(packet)
422 self.assertEqual(packet[IP].src, nat_ip)
423 if dst_ip is not None:
424 self.assertEqual(packet[IP].dst, dst_ip)
425 if packet.haslayer(TCP):
429 packet[TCP].sport, self.tcp_port_in)
432 packet[TCP].sport, self.tcp_port_in)
433 self.tcp_port_out = packet[TCP].sport
434 self.assert_packet_checksums_valid(packet)
435 elif packet.haslayer(UDP):
439 packet[UDP].sport, self.udp_port_in)
442 packet[UDP].sport, self.udp_port_in)
443 self.udp_port_out = packet[UDP].sport
448 packet[ICMP].id, self.icmp_id_in)
451 packet[ICMP].id, self.icmp_id_in)
452 self.icmp_id_out = packet[ICMP].id
453 self.assert_packet_checksums_valid(packet)
455 self.logger.error(ppp("Unexpected or invalid packet "
456 "(outside network):", packet))
459 def verify_capture_in(self, capture, in_if):
460 for packet in capture:
462 self.assert_packet_checksums_valid(packet)
463 self.assertEqual(packet[IP].dst, in_if.remote_ip4)
464 if packet.haslayer(TCP):
465 self.assertEqual(packet[TCP].dport, self.tcp_port_in)
466 elif packet.haslayer(UDP):
467 self.assertEqual(packet[UDP].dport, self.udp_port_in)
469 self.assertEqual(packet[ICMP].id, self.icmp_id_in)
471 self.logger.error(ppp("Unexpected or invalid packet "
472 "(inside network):", packet))
475 def create_stream_in(self, in_if, out_if, dst_ip=None, ttl=64):
477 dst_ip = out_if.remote_ip4
481 p = (Ether(dst=in_if.local_mac, src=in_if.remote_mac) /
482 IP(src=in_if.remote_ip4, dst=dst_ip, ttl=ttl) /
483 TCP(sport=self.tcp_port_in, dport=20))
487 p = (Ether(dst=in_if.local_mac, src=in_if.remote_mac) /
488 IP(src=in_if.remote_ip4, dst=dst_ip, ttl=ttl) /
489 UDP(sport=self.udp_port_in, dport=20))
493 p = (Ether(dst=in_if.local_mac, src=in_if.remote_mac) /
494 IP(src=in_if.remote_ip4, dst=dst_ip, ttl=ttl) /
495 ICMP(id=self.icmp_id_in, type='echo-request'))
500 def create_stream_out(self, out_if, dst_ip=None, ttl=64,
501 use_inside_ports=False):
503 dst_ip = self.nat_addr
504 if not use_inside_ports:
505 tcp_port = self.tcp_port_out
506 udp_port = self.udp_port_out
507 icmp_id = self.icmp_id_out
509 tcp_port = self.tcp_port_in
510 udp_port = self.udp_port_in
511 icmp_id = self.icmp_id_in
514 p = (Ether(dst=out_if.local_mac, src=out_if.remote_mac) /
515 IP(src=out_if.remote_ip4, dst=dst_ip, ttl=ttl) /
516 TCP(dport=tcp_port, sport=20))
520 p = (Ether(dst=out_if.local_mac, src=out_if.remote_mac) /
521 IP(src=out_if.remote_ip4, dst=dst_ip, ttl=ttl) /
522 UDP(dport=udp_port, sport=20))
526 p = (Ether(dst=out_if.local_mac, src=out_if.remote_mac) /
527 IP(src=out_if.remote_ip4, dst=dst_ip, ttl=ttl) /
528 ICMP(id=icmp_id, type='echo-reply'))
533 def create_tcp_stream(self, in_if, out_if, count):
537 for i in range(count):
538 p = (Ether(dst=in_if.local_mac, src=in_if.remote_mac) /
539 IP(src=in_if.remote_ip4, dst=out_if.remote_ip4, ttl=64) /
540 TCP(sport=port + i, dport=20))
545 def create_stream_frag(self, src_if, dst, sport, dport, data,
546 proto=IP_PROTOS.tcp, echo_reply=False):
547 if proto == IP_PROTOS.tcp:
548 p = (IP(src=src_if.remote_ip4, dst=dst) /
549 TCP(sport=sport, dport=dport) /
551 p = p.__class__(scapy.compat.raw(p))
552 chksum = p[TCP].chksum
553 proto_header = TCP(sport=sport, dport=dport, chksum=chksum)
554 elif proto == IP_PROTOS.udp:
555 proto_header = UDP(sport=sport, dport=dport)
556 elif proto == IP_PROTOS.icmp:
558 proto_header = ICMP(id=sport, type='echo-request')
560 proto_header = ICMP(id=sport, type='echo-reply')
562 raise Exception("Unsupported protocol")
563 id = self.random_port()
565 if proto == IP_PROTOS.tcp:
568 raw = Raw(data[0:16])
569 p = (Ether(src=src_if.remote_mac, dst=src_if.local_mac) /
570 IP(src=src_if.remote_ip4, dst=dst, flags="MF", frag=0, id=id) /
574 if proto == IP_PROTOS.tcp:
575 raw = Raw(data[4:20])
577 raw = Raw(data[16:32])
578 p = (Ether(src=src_if.remote_mac, dst=src_if.local_mac) /
579 IP(src=src_if.remote_ip4, dst=dst, flags="MF", frag=3, id=id,
583 if proto == IP_PROTOS.tcp:
587 p = (Ether(src=src_if.remote_mac, dst=src_if.local_mac) /
588 IP(src=src_if.remote_ip4, dst=dst, frag=5, proto=proto,
594 def frag_in_order_in_plus_out(self, in_addr, out_addr, in_port, out_port,
595 proto=IP_PROTOS.tcp):
597 layer = self.proto2layer(proto)
599 if proto == IP_PROTOS.tcp:
600 data = b"A" * 4 + b"B" * 16 + b"C" * 3
602 data = b"A" * 16 + b"B" * 16 + b"C" * 3
603 port_in = self.random_port()
607 pkts = self.create_stream_frag(self.pg0, out_addr,
610 self.pg0.add_stream(pkts)
611 self.pg_enable_capture(self.pg_interfaces)
613 frags = self.pg1.get_capture(len(pkts))
614 p = self.reass_frags_and_verify(frags,
617 if proto != IP_PROTOS.icmp:
618 self.assertEqual(p[layer].sport, port_in)
619 self.assertEqual(p[layer].dport, in_port)
621 self.assertEqual(p[layer].id, port_in)
622 self.assertEqual(data, p[Raw].load)
625 if proto != IP_PROTOS.icmp:
626 pkts = self.create_stream_frag(self.pg1, self.pg0.remote_ip4,
628 p[layer].sport, data, proto)
630 pkts = self.create_stream_frag(self.pg1, self.pg0.remote_ip4,
631 p[layer].id, 0, data, proto,
633 self.pg1.add_stream(pkts)
634 self.pg_enable_capture(self.pg_interfaces)
636 frags = self.pg0.get_capture(len(pkts))
637 p = self.reass_frags_and_verify(frags,
640 if proto != IP_PROTOS.icmp:
641 self.assertEqual(p[layer].sport, out_port)
642 self.assertEqual(p[layer].dport, port_in)
644 self.assertEqual(p[layer].id, port_in)
645 self.assertEqual(data, p[Raw].load)
647 def frag_out_of_order_in_plus_out(self, in_addr, out_addr, in_port,
648 out_port, proto=IP_PROTOS.tcp):
650 layer = self.proto2layer(proto)
652 if proto == IP_PROTOS.tcp:
653 data = b"A" * 4 + b"B" * 16 + b"C" * 3
655 data = b"A" * 16 + b"B" * 16 + b"C" * 3
656 port_in = self.random_port()
660 pkts = self.create_stream_frag(self.pg0, out_addr,
664 self.pg0.add_stream(pkts)
665 self.pg_enable_capture(self.pg_interfaces)
667 frags = self.pg1.get_capture(len(pkts))
668 p = self.reass_frags_and_verify(frags,
671 if proto != IP_PROTOS.icmp:
672 self.assertEqual(p[layer].dport, in_port)
673 self.assertEqual(p[layer].sport, port_in)
674 self.assertEqual(p[layer].dport, in_port)
676 self.assertEqual(p[layer].id, port_in)
677 self.assertEqual(data, p[Raw].load)
680 if proto != IP_PROTOS.icmp:
681 pkts = self.create_stream_frag(self.pg1, self.pg0.remote_ip4,
683 p[layer].sport, data, proto)
685 pkts = self.create_stream_frag(self.pg1, self.pg0.remote_ip4,
686 p[layer].id, 0, data, proto,
689 self.pg1.add_stream(pkts)
690 self.pg_enable_capture(self.pg_interfaces)
692 frags = self.pg0.get_capture(len(pkts))
693 p = self.reass_frags_and_verify(frags,
696 if proto != IP_PROTOS.icmp:
697 self.assertEqual(p[layer].sport, out_port)
698 self.assertEqual(p[layer].dport, port_in)
700 self.assertEqual(p[layer].id, port_in)
701 self.assertEqual(data, p[Raw].load)
703 def init_tcp_session(self, in_if, out_if, in_port, ext_port):
705 p = (Ether(src=in_if.remote_mac, dst=in_if.local_mac) /
706 IP(src=in_if.remote_ip4, dst=out_if.remote_ip4) /
707 TCP(sport=in_port, dport=ext_port, flags="S"))
709 self.pg_enable_capture(self.pg_interfaces)
711 capture = out_if.get_capture(1)
713 out_port = p[TCP].sport
715 # SYN + ACK packet out->in
716 p = (Ether(src=out_if.remote_mac, dst=out_if.local_mac) /
717 IP(src=out_if.remote_ip4, dst=self.nat_addr) /
718 TCP(sport=ext_port, dport=out_port, flags="SA"))
720 self.pg_enable_capture(self.pg_interfaces)
725 p = (Ether(src=in_if.remote_mac, dst=in_if.local_mac) /
726 IP(src=in_if.remote_ip4, dst=out_if.remote_ip4) /
727 TCP(sport=in_port, dport=ext_port, flags="A"))
729 self.pg_enable_capture(self.pg_interfaces)
731 out_if.get_capture(1)
735 def twice_nat_common(self, self_twice_nat=False, same_pg=False, lb=False,
737 twice_nat_addr = '10.0.1.3'
745 port_in1 = port_in + 1
746 port_in2 = port_in + 2
751 server1 = self.pg0.remote_hosts[0]
752 server2 = self.pg0.remote_hosts[1]
764 eh_translate = ((not self_twice_nat) or (not lb and same_pg) or
767 self.nat_add_address(self.nat_addr)
768 self.nat_add_address(twice_nat_addr, twice_nat=1)
772 flags |= self.config_flags.NAT_IS_SELF_TWICE_NAT
774 flags |= self.config_flags.NAT_IS_TWICE_NAT
777 self.nat_add_static_mapping(pg0.remote_ip4, self.nat_addr,
782 locals = [{'addr': server1.ip4,
786 {'addr': server2.ip4,
790 out_addr = self.nat_addr
792 self.vapi.nat44_add_del_lb_static_mapping(is_add=1, flags=flags,
793 external_addr=out_addr,
794 external_port=port_out,
795 protocol=IP_PROTOS.tcp,
796 local_num=len(locals),
798 self.nat_add_inside_interface(pg0)
799 self.nat_add_outside_interface(pg1)
805 assert client_id is not None
807 client = self.pg0.remote_hosts[0]
809 client = self.pg0.remote_hosts[1]
811 client = pg1.remote_hosts[0]
812 p = (Ether(src=pg1.remote_mac, dst=pg1.local_mac) /
813 IP(src=client.ip4, dst=self.nat_addr) /
814 TCP(sport=eh_port_out, dport=port_out))
816 self.pg_enable_capture(self.pg_interfaces)
818 capture = pg0.get_capture(1)
824 if ip.dst == server1.ip4:
830 self.assertEqual(ip.dst, server.ip4)
832 self.assertIn(tcp.dport, [port_in1, port_in2])
834 self.assertEqual(tcp.dport, port_in)
836 self.assertEqual(ip.src, twice_nat_addr)
837 self.assertNotEqual(tcp.sport, eh_port_out)
839 self.assertEqual(ip.src, client.ip4)
840 self.assertEqual(tcp.sport, eh_port_out)
842 eh_port_in = tcp.sport
843 saved_port_in = tcp.dport
844 self.assert_packet_checksums_valid(p)
846 self.logger.error(ppp("Unexpected or invalid packet:", p))
849 p = (Ether(src=server.mac, dst=pg0.local_mac) /
850 IP(src=server.ip4, dst=eh_addr_in) /
851 TCP(sport=saved_port_in, dport=eh_port_in))
853 self.pg_enable_capture(self.pg_interfaces)
855 capture = pg1.get_capture(1)
860 self.assertEqual(ip.dst, client.ip4)
861 self.assertEqual(ip.src, self.nat_addr)
862 self.assertEqual(tcp.dport, eh_port_out)
863 self.assertEqual(tcp.sport, port_out)
864 self.assert_packet_checksums_valid(p)
866 self.logger.error(ppp("Unexpected or invalid packet:", p))
870 sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
871 self.assertEqual(len(sessions), 1)
872 self.assertTrue(sessions[0].flags &
873 self.config_flags.NAT_IS_EXT_HOST_VALID)
874 self.assertTrue(sessions[0].flags &
875 self.config_flags.NAT_IS_TWICE_NAT)
876 self.logger.info(self.vapi.cli("show nat44 sessions"))
877 self.vapi.nat44_del_session(
878 address=sessions[0].inside_ip_address,
879 port=sessions[0].inside_port,
880 protocol=sessions[0].protocol,
881 flags=(self.config_flags.NAT_IS_INSIDE |
882 self.config_flags.NAT_IS_EXT_HOST_VALID),
883 ext_host_address=sessions[0].ext_host_nat_address,
884 ext_host_port=sessions[0].ext_host_nat_port)
885 sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
886 self.assertEqual(len(sessions), 0)
888 def verify_syslog_sess(self, data, is_add=True, is_ip6=False):
889 message = data.decode('utf-8')
891 message = SyslogMessage.parse(message)
892 except ParseError as e:
896 self.assertEqual(message.severity, SyslogSeverity.info)
897 self.assertEqual(message.appname, 'NAT')
898 self.assertEqual(message.msgid, 'SADD' if is_add else 'SDEL')
899 sd_params = message.sd.get('nsess')
900 self.assertTrue(sd_params is not None)
902 self.assertEqual(sd_params.get('IATYP'), 'IPv6')
903 self.assertEqual(sd_params.get('ISADDR'), self.pg0.remote_ip6)
905 self.assertEqual(sd_params.get('IATYP'), 'IPv4')
906 self.assertEqual(sd_params.get('ISADDR'), self.pg0.remote_ip4)
907 self.assertTrue(sd_params.get('SSUBIX') is not None)
908 self.assertEqual(sd_params.get('ISPORT'), "%d" % self.tcp_port_in)
909 self.assertEqual(sd_params.get('XATYP'), 'IPv4')
910 self.assertEqual(sd_params.get('XSADDR'), self.nat_addr)
911 self.assertEqual(sd_params.get('XSPORT'), "%d" % self.tcp_port_out)
912 self.assertEqual(sd_params.get('PROTO'), "%d" % IP_PROTOS.tcp)
913 self.assertEqual(sd_params.get('SVLAN'), '0')
914 self.assertEqual(sd_params.get('XDADDR'), self.pg1.remote_ip4)
915 self.assertEqual(sd_params.get('XDPORT'),
916 "%d" % self.tcp_external_port)
919 @tag_fixme_vpp_workers
920 class TestNAT44ED(NAT44EDTestCase):
921 """ NAT44ED Test Case """
923 def test_users_dump(self):
924 """ NAT44ED API test - nat44_user_dump """
926 self.nat_add_address(self.nat_addr)
927 self.nat_add_inside_interface(self.pg0)
928 self.nat_add_outside_interface(self.pg1)
930 self.vapi.nat44_forwarding_enable_disable(enable=1)
932 local_ip = self.pg0.remote_ip4
933 external_ip = self.nat_addr
934 self.nat_add_static_mapping(local_ip, external_ip)
936 users = self.vapi.nat44_user_dump()
937 self.assertEqual(len(users), 0)
939 # in2out - static mapping match
941 pkts = self.create_stream_out(self.pg1)
942 self.pg1.add_stream(pkts)
943 self.pg_enable_capture(self.pg_interfaces)
945 capture = self.pg0.get_capture(len(pkts))
946 self.verify_capture_in(capture, self.pg0)
948 pkts = self.create_stream_in(self.pg0, self.pg1)
949 self.pg0.add_stream(pkts)
950 self.pg_enable_capture(self.pg_interfaces)
952 capture = self.pg1.get_capture(len(pkts))
953 self.verify_capture_out(capture, same_port=True)
955 users = self.vapi.nat44_user_dump()
956 self.assertEqual(len(users), 1)
957 static_user = users[0]
958 self.assertEqual(static_user.nstaticsessions, 3)
959 self.assertEqual(static_user.nsessions, 0)
961 # in2out - no static mapping match (forwarding test)
963 host0 = self.pg0.remote_hosts[0]
964 self.pg0.remote_hosts[0] = self.pg0.remote_hosts[1]
966 pkts = self.create_stream_out(self.pg1,
967 dst_ip=self.pg0.remote_ip4,
968 use_inside_ports=True)
969 self.pg1.add_stream(pkts)
970 self.pg_enable_capture(self.pg_interfaces)
972 capture = self.pg0.get_capture(len(pkts))
973 self.verify_capture_in(capture, self.pg0)
975 pkts = self.create_stream_in(self.pg0, self.pg1)
976 self.pg0.add_stream(pkts)
977 self.pg_enable_capture(self.pg_interfaces)
979 capture = self.pg1.get_capture(len(pkts))
980 self.verify_capture_out(capture, nat_ip=self.pg0.remote_ip4,
983 self.pg0.remote_hosts[0] = host0
985 users = self.vapi.nat44_user_dump()
986 self.assertEqual(len(users), 2)
987 if str(users[0].ip_address) == self.pg0.remote_hosts[0].ip4:
988 non_static_user = users[1]
989 static_user = users[0]
991 non_static_user = users[0]
992 static_user = users[1]
993 self.assertEqual(static_user.nstaticsessions, 3)
994 self.assertEqual(static_user.nsessions, 0)
995 self.assertEqual(non_static_user.nstaticsessions, 0)
996 self.assertEqual(non_static_user.nsessions, 3)
998 users = self.vapi.nat44_user_dump()
999 self.assertEqual(len(users), 2)
1000 if str(users[0].ip_address) == self.pg0.remote_hosts[0].ip4:
1001 non_static_user = users[1]
1002 static_user = users[0]
1004 non_static_user = users[0]
1005 static_user = users[1]
1006 self.assertEqual(static_user.nstaticsessions, 3)
1007 self.assertEqual(static_user.nsessions, 0)
1008 self.assertEqual(non_static_user.nstaticsessions, 0)
1009 self.assertEqual(non_static_user.nsessions, 3)
1011 def test_frag_out_of_order_do_not_translate(self):
1012 """ NAT44ED don't translate fragments arriving out of order """
1013 self.nat_add_inside_interface(self.pg0)
1014 self.nat_add_outside_interface(self.pg1)
1015 self.vapi.nat44_forwarding_enable_disable(enable=True)
1016 self.frag_out_of_order(proto=IP_PROTOS.tcp, dont_translate=True)
1018 def test_forwarding(self):
1019 """ NAT44ED forwarding test """
1021 self.nat_add_inside_interface(self.pg0)
1022 self.nat_add_outside_interface(self.pg1)
1023 self.vapi.nat44_forwarding_enable_disable(enable=1)
1025 real_ip = self.pg0.remote_ip4
1026 alias_ip = self.nat_addr
1027 flags = self.config_flags.NAT_IS_ADDR_ONLY
1028 self.vapi.nat44_add_del_static_mapping(is_add=1,
1029 local_ip_address=real_ip,
1030 external_ip_address=alias_ip,
1031 external_sw_if_index=0xFFFFFFFF,
1035 # in2out - static mapping match
1037 pkts = self.create_stream_out(self.pg1)
1038 self.pg1.add_stream(pkts)
1039 self.pg_enable_capture(self.pg_interfaces)
1041 capture = self.pg0.get_capture(len(pkts))
1042 self.verify_capture_in(capture, self.pg0)
1044 pkts = self.create_stream_in(self.pg0, self.pg1)
1045 self.pg0.add_stream(pkts)
1046 self.pg_enable_capture(self.pg_interfaces)
1048 capture = self.pg1.get_capture(len(pkts))
1049 self.verify_capture_out(capture, same_port=True)
1051 # in2out - no static mapping match
1053 host0 = self.pg0.remote_hosts[0]
1054 self.pg0.remote_hosts[0] = self.pg0.remote_hosts[1]
1056 pkts = self.create_stream_out(self.pg1,
1057 dst_ip=self.pg0.remote_ip4,
1058 use_inside_ports=True)
1059 self.pg1.add_stream(pkts)
1060 self.pg_enable_capture(self.pg_interfaces)
1062 capture = self.pg0.get_capture(len(pkts))
1063 self.verify_capture_in(capture, self.pg0)
1065 pkts = self.create_stream_in(self.pg0, self.pg1)
1066 self.pg0.add_stream(pkts)
1067 self.pg_enable_capture(self.pg_interfaces)
1069 capture = self.pg1.get_capture(len(pkts))
1070 self.verify_capture_out(capture, nat_ip=self.pg0.remote_ip4,
1073 self.pg0.remote_hosts[0] = host0
1075 user = self.pg0.remote_hosts[1]
1076 sessions = self.vapi.nat44_user_session_dump(user.ip4, 0)
1077 self.assertEqual(len(sessions), 3)
1078 self.assertTrue(sessions[0].flags &
1079 self.config_flags.NAT_IS_EXT_HOST_VALID)
1080 self.vapi.nat44_del_session(
1081 address=sessions[0].inside_ip_address,
1082 port=sessions[0].inside_port,
1083 protocol=sessions[0].protocol,
1084 flags=(self.config_flags.NAT_IS_INSIDE |
1085 self.config_flags.NAT_IS_EXT_HOST_VALID),
1086 ext_host_address=sessions[0].ext_host_address,
1087 ext_host_port=sessions[0].ext_host_port)
1088 sessions = self.vapi.nat44_user_session_dump(user.ip4, 0)
1089 self.assertEqual(len(sessions), 2)
1092 self.vapi.nat44_forwarding_enable_disable(enable=0)
1093 flags = self.config_flags.NAT_IS_ADDR_ONLY
1094 self.vapi.nat44_add_del_static_mapping(
1096 local_ip_address=real_ip,
1097 external_ip_address=alias_ip,
1098 external_sw_if_index=0xFFFFFFFF,
1101 def test_output_feature_and_service2(self):
1102 """ NAT44ED interface output feature and service host direct access """
1103 self.vapi.nat44_forwarding_enable_disable(enable=1)
1104 self.nat_add_address(self.nat_addr)
1106 self.vapi.nat44_interface_add_del_output_feature(
1107 sw_if_index=self.pg1.sw_if_index, is_add=1,)
1109 # session initiated from service host - translate
1110 pkts = self.create_stream_in(self.pg0, self.pg1)
1111 self.pg0.add_stream(pkts)
1112 self.pg_enable_capture(self.pg_interfaces)
1114 capture = self.pg1.get_capture(len(pkts))
1115 self.verify_capture_out(capture, ignore_port=True)
1117 pkts = self.create_stream_out(self.pg1)
1118 self.pg1.add_stream(pkts)
1119 self.pg_enable_capture(self.pg_interfaces)
1121 capture = self.pg0.get_capture(len(pkts))
1122 self.verify_capture_in(capture, self.pg0)
1124 # session initiated from remote host - do not translate
1125 tcp_port_in = self.tcp_port_in
1126 udp_port_in = self.udp_port_in
1127 icmp_id_in = self.icmp_id_in
1129 self.tcp_port_in = 60303
1130 self.udp_port_in = 60304
1131 self.icmp_id_in = 60305
1134 pkts = self.create_stream_out(self.pg1,
1135 self.pg0.remote_ip4,
1136 use_inside_ports=True)
1137 self.pg1.add_stream(pkts)
1138 self.pg_enable_capture(self.pg_interfaces)
1140 capture = self.pg0.get_capture(len(pkts))
1141 self.verify_capture_in(capture, self.pg0)
1143 pkts = self.create_stream_in(self.pg0, self.pg1)
1144 self.pg0.add_stream(pkts)
1145 self.pg_enable_capture(self.pg_interfaces)
1147 capture = self.pg1.get_capture(len(pkts))
1148 self.verify_capture_out(capture, nat_ip=self.pg0.remote_ip4,
1151 self.tcp_port_in = tcp_port_in
1152 self.udp_port_in = udp_port_in
1153 self.icmp_id_in = icmp_id_in
1155 def test_twice_nat(self):
1156 """ NAT44ED Twice NAT """
1157 self.twice_nat_common()
1159 def test_self_twice_nat_positive(self):
1160 """ NAT44ED Self Twice NAT (positive test) """
1161 self.twice_nat_common(self_twice_nat=True, same_pg=True)
1163 def test_self_twice_nat_lb_positive(self):
1164 """ NAT44ED Self Twice NAT local service load balancing (positive test)
1166 self.twice_nat_common(lb=True, self_twice_nat=True, same_pg=True,
1169 def test_twice_nat_lb(self):
1170 """ NAT44ED Twice NAT local service load balancing """
1171 self.twice_nat_common(lb=True)
1173 def test_output_feature(self):
1174 """ NAT44ED interface output feature (in2out postrouting) """
1175 self.vapi.nat44_forwarding_enable_disable(enable=1)
1176 self.nat_add_address(self.nat_addr)
1178 self.nat_add_outside_interface(self.pg0)
1179 self.vapi.nat44_interface_add_del_output_feature(
1180 sw_if_index=self.pg1.sw_if_index, is_add=1)
1183 pkts = self.create_stream_in(self.pg0, self.pg1)
1184 self.pg0.add_stream(pkts)
1185 self.pg_enable_capture(self.pg_interfaces)
1187 capture = self.pg1.get_capture(len(pkts))
1188 self.verify_capture_out(capture, ignore_port=True)
1191 pkts = self.create_stream_out(self.pg1)
1192 self.pg1.add_stream(pkts)
1193 self.pg_enable_capture(self.pg_interfaces)
1195 capture = self.pg0.get_capture(len(pkts))
1196 self.verify_capture_in(capture, self.pg0)
1198 def test_static_with_port_out2(self):
1199 """ NAT44ED 1:1 NAPT asymmetrical rule """
1204 self.vapi.nat44_forwarding_enable_disable(enable=1)
1205 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
1206 self.nat_add_static_mapping(self.pg0.remote_ip4, self.nat_addr,
1207 local_port, external_port,
1208 proto=IP_PROTOS.tcp, flags=flags)
1210 self.nat_add_inside_interface(self.pg0)
1211 self.nat_add_outside_interface(self.pg1)
1213 # from client to service
1214 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
1215 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
1216 TCP(sport=12345, dport=external_port))
1217 self.pg1.add_stream(p)
1218 self.pg_enable_capture(self.pg_interfaces)
1220 capture = self.pg0.get_capture(1)
1225 self.assertEqual(ip.dst, self.pg0.remote_ip4)
1226 self.assertEqual(tcp.dport, local_port)
1227 self.assert_packet_checksums_valid(p)
1229 self.logger.error(ppp("Unexpected or invalid packet:", p))
1233 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
1234 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
1235 ICMP(type=11) / capture[0][IP])
1236 self.pg0.add_stream(p)
1237 self.pg_enable_capture(self.pg_interfaces)
1239 capture = self.pg1.get_capture(1)
1242 self.assertEqual(p[IP].src, self.nat_addr)
1244 self.assertEqual(inner.dst, self.nat_addr)
1245 self.assertEqual(inner[TCPerror].dport, external_port)
1247 self.logger.error(ppp("Unexpected or invalid packet:", p))
1250 # from service back to client
1251 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
1252 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
1253 TCP(sport=local_port, dport=12345))
1254 self.pg0.add_stream(p)
1255 self.pg_enable_capture(self.pg_interfaces)
1257 capture = self.pg1.get_capture(1)
1262 self.assertEqual(ip.src, self.nat_addr)
1263 self.assertEqual(tcp.sport, external_port)
1264 self.assert_packet_checksums_valid(p)
1266 self.logger.error(ppp("Unexpected or invalid packet:", p))
1270 p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
1271 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
1272 ICMP(type=11) / capture[0][IP])
1273 self.pg1.add_stream(p)
1274 self.pg_enable_capture(self.pg_interfaces)
1276 capture = self.pg0.get_capture(1)
1279 self.assertEqual(p[IP].dst, self.pg0.remote_ip4)
1281 self.assertEqual(inner.src, self.pg0.remote_ip4)
1282 self.assertEqual(inner[TCPerror].sport, local_port)
1284 self.logger.error(ppp("Unexpected or invalid packet:", p))
1287 # from client to server (no translation)
1288 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
1289 IP(src=self.pg1.remote_ip4, dst=self.pg0.remote_ip4) /
1290 TCP(sport=12346, dport=local_port))
1291 self.pg1.add_stream(p)
1292 self.pg_enable_capture(self.pg_interfaces)
1294 capture = self.pg0.get_capture(1)
1299 self.assertEqual(ip.dst, self.pg0.remote_ip4)
1300 self.assertEqual(tcp.dport, local_port)
1301 self.assert_packet_checksums_valid(p)
1303 self.logger.error(ppp("Unexpected or invalid packet:", p))
1306 # from service back to client (no translation)
1307 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
1308 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
1309 TCP(sport=local_port, dport=12346))
1310 self.pg0.add_stream(p)
1311 self.pg_enable_capture(self.pg_interfaces)
1313 capture = self.pg1.get_capture(1)
1318 self.assertEqual(ip.src, self.pg0.remote_ip4)
1319 self.assertEqual(tcp.sport, local_port)
1320 self.assert_packet_checksums_valid(p)
1322 self.logger.error(ppp("Unexpected or invalid packet:", p))
1325 def test_static_lb(self):
1326 """ NAT44ED local service load balancing """
1327 external_addr_n = self.nat_addr
1330 server1 = self.pg0.remote_hosts[0]
1331 server2 = self.pg0.remote_hosts[1]
1333 locals = [{'addr': server1.ip4,
1337 {'addr': server2.ip4,
1342 self.nat_add_address(self.nat_addr)
1343 self.vapi.nat44_add_del_lb_static_mapping(
1345 external_addr=external_addr_n,
1346 external_port=external_port,
1347 protocol=IP_PROTOS.tcp,
1348 local_num=len(locals),
1350 flags = self.config_flags.NAT_IS_INSIDE
1351 self.vapi.nat44_interface_add_del_feature(
1352 sw_if_index=self.pg0.sw_if_index,
1353 flags=flags, is_add=1)
1354 self.vapi.nat44_interface_add_del_feature(
1355 sw_if_index=self.pg1.sw_if_index,
1358 # from client to service
1359 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
1360 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
1361 TCP(sport=12345, dport=external_port))
1362 self.pg1.add_stream(p)
1363 self.pg_enable_capture(self.pg_interfaces)
1365 capture = self.pg0.get_capture(1)
1371 self.assertIn(ip.dst, [server1.ip4, server2.ip4])
1372 if ip.dst == server1.ip4:
1376 self.assertEqual(tcp.dport, local_port)
1377 self.assert_packet_checksums_valid(p)
1379 self.logger.error(ppp("Unexpected or invalid packet:", p))
1382 # from service back to client
1383 p = (Ether(src=server.mac, dst=self.pg0.local_mac) /
1384 IP(src=server.ip4, dst=self.pg1.remote_ip4) /
1385 TCP(sport=local_port, dport=12345))
1386 self.pg0.add_stream(p)
1387 self.pg_enable_capture(self.pg_interfaces)
1389 capture = self.pg1.get_capture(1)
1394 self.assertEqual(ip.src, self.nat_addr)
1395 self.assertEqual(tcp.sport, external_port)
1396 self.assert_packet_checksums_valid(p)
1398 self.logger.error(ppp("Unexpected or invalid packet:", p))
1401 sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
1402 self.assertEqual(len(sessions), 1)
1403 self.assertTrue(sessions[0].flags &
1404 self.config_flags.NAT_IS_EXT_HOST_VALID)
1405 self.vapi.nat44_del_session(
1406 address=sessions[0].inside_ip_address,
1407 port=sessions[0].inside_port,
1408 protocol=sessions[0].protocol,
1409 flags=(self.config_flags.NAT_IS_INSIDE |
1410 self.config_flags.NAT_IS_EXT_HOST_VALID),
1411 ext_host_address=sessions[0].ext_host_address,
1412 ext_host_port=sessions[0].ext_host_port)
1413 sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
1414 self.assertEqual(len(sessions), 0)
1416 def test_static_lb_2(self):
1417 """ NAT44ED local service load balancing (asymmetrical rule) """
1418 external_addr = self.nat_addr
1421 server1 = self.pg0.remote_hosts[0]
1422 server2 = self.pg0.remote_hosts[1]
1424 locals = [{'addr': server1.ip4,
1428 {'addr': server2.ip4,
1433 self.vapi.nat44_forwarding_enable_disable(enable=1)
1434 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
1435 self.vapi.nat44_add_del_lb_static_mapping(is_add=1, flags=flags,
1436 external_addr=external_addr,
1437 external_port=external_port,
1438 protocol=IP_PROTOS.tcp,
1439 local_num=len(locals),
1441 flags = self.config_flags.NAT_IS_INSIDE
1442 self.vapi.nat44_interface_add_del_feature(
1443 sw_if_index=self.pg0.sw_if_index,
1444 flags=flags, is_add=1)
1445 self.vapi.nat44_interface_add_del_feature(
1446 sw_if_index=self.pg1.sw_if_index,
1449 # from client to service
1450 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
1451 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
1452 TCP(sport=12345, dport=external_port))
1453 self.pg1.add_stream(p)
1454 self.pg_enable_capture(self.pg_interfaces)
1456 capture = self.pg0.get_capture(1)
1462 self.assertIn(ip.dst, [server1.ip4, server2.ip4])
1463 if ip.dst == server1.ip4:
1467 self.assertEqual(tcp.dport, local_port)
1468 self.assert_packet_checksums_valid(p)
1470 self.logger.error(ppp("Unexpected or invalid packet:", p))
1473 # from service back to client
1474 p = (Ether(src=server.mac, dst=self.pg0.local_mac) /
1475 IP(src=server.ip4, dst=self.pg1.remote_ip4) /
1476 TCP(sport=local_port, dport=12345))
1477 self.pg0.add_stream(p)
1478 self.pg_enable_capture(self.pg_interfaces)
1480 capture = self.pg1.get_capture(1)
1485 self.assertEqual(ip.src, self.nat_addr)
1486 self.assertEqual(tcp.sport, external_port)
1487 self.assert_packet_checksums_valid(p)
1489 self.logger.error(ppp("Unexpected or invalid packet:", p))
1492 # from client to server (no translation)
1493 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
1494 IP(src=self.pg1.remote_ip4, dst=server1.ip4) /
1495 TCP(sport=12346, dport=local_port))
1496 self.pg1.add_stream(p)
1497 self.pg_enable_capture(self.pg_interfaces)
1499 capture = self.pg0.get_capture(1)
1505 self.assertEqual(ip.dst, server1.ip4)
1506 self.assertEqual(tcp.dport, local_port)
1507 self.assert_packet_checksums_valid(p)
1509 self.logger.error(ppp("Unexpected or invalid packet:", p))
1512 # from service back to client (no translation)
1513 p = (Ether(src=server1.mac, dst=self.pg0.local_mac) /
1514 IP(src=server1.ip4, dst=self.pg1.remote_ip4) /
1515 TCP(sport=local_port, dport=12346))
1516 self.pg0.add_stream(p)
1517 self.pg_enable_capture(self.pg_interfaces)
1519 capture = self.pg1.get_capture(1)
1524 self.assertEqual(ip.src, server1.ip4)
1525 self.assertEqual(tcp.sport, local_port)
1526 self.assert_packet_checksums_valid(p)
1528 self.logger.error(ppp("Unexpected or invalid packet:", p))
1531 def test_lb_affinity(self):
1532 """ NAT44ED local service load balancing affinity """
1533 external_addr = self.nat_addr
1536 server1 = self.pg0.remote_hosts[0]
1537 server2 = self.pg0.remote_hosts[1]
1539 locals = [{'addr': server1.ip4,
1543 {'addr': server2.ip4,
1548 self.nat_add_address(self.nat_addr)
1549 self.vapi.nat44_add_del_lb_static_mapping(is_add=1,
1550 external_addr=external_addr,
1551 external_port=external_port,
1552 protocol=IP_PROTOS.tcp,
1554 local_num=len(locals),
1556 flags = self.config_flags.NAT_IS_INSIDE
1557 self.vapi.nat44_interface_add_del_feature(
1558 sw_if_index=self.pg0.sw_if_index,
1559 flags=flags, is_add=1)
1560 self.vapi.nat44_interface_add_del_feature(
1561 sw_if_index=self.pg1.sw_if_index,
1564 p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
1565 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
1566 TCP(sport=1025, dport=external_port))
1567 self.pg1.add_stream(p)
1568 self.pg_enable_capture(self.pg_interfaces)
1570 capture = self.pg0.get_capture(1)
1571 backend = capture[0][IP].dst
1573 sessions = self.vapi.nat44_user_session_dump(backend, 0)
1574 self.assertEqual(len(sessions), 1)
1575 self.assertTrue(sessions[0].flags &
1576 self.config_flags.NAT_IS_EXT_HOST_VALID)
1577 self.vapi.nat44_del_session(
1578 address=sessions[0].inside_ip_address,
1579 port=sessions[0].inside_port,
1580 protocol=sessions[0].protocol,
1581 flags=(self.config_flags.NAT_IS_INSIDE |
1582 self.config_flags.NAT_IS_EXT_HOST_VALID),
1583 ext_host_address=sessions[0].ext_host_address,
1584 ext_host_port=sessions[0].ext_host_port)
1587 for port in range(1030, 1100):
1588 p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
1589 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
1590 TCP(sport=port, dport=external_port))
1592 self.pg1.add_stream(pkts)
1593 self.pg_enable_capture(self.pg_interfaces)
1595 capture = self.pg0.get_capture(len(pkts))
1597 self.assertEqual(p[IP].dst, backend)
1599 def test_multiple_vrf(self):
1600 """ NAT44ED Multiple VRF setup """
1602 external_addr = '1.2.3.4'
1607 self.vapi.nat44_forwarding_enable_disable(enable=1)
1608 self.nat_add_address(self.nat_addr)
1609 flags = self.config_flags.NAT_IS_INSIDE
1610 self.vapi.nat44_interface_add_del_feature(
1611 sw_if_index=self.pg0.sw_if_index,
1613 self.vapi.nat44_interface_add_del_feature(
1614 sw_if_index=self.pg0.sw_if_index,
1615 is_add=1, flags=flags)
1616 self.vapi.nat44_interface_add_del_output_feature(
1617 sw_if_index=self.pg1.sw_if_index,
1619 self.vapi.nat44_interface_add_del_feature(
1620 sw_if_index=self.pg5.sw_if_index,
1622 self.vapi.nat44_interface_add_del_feature(
1623 sw_if_index=self.pg5.sw_if_index,
1624 is_add=1, flags=flags)
1625 self.vapi.nat44_interface_add_del_feature(
1626 sw_if_index=self.pg6.sw_if_index,
1628 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
1629 self.nat_add_static_mapping(self.pg5.remote_ip4, external_addr,
1630 local_port, external_port, vrf_id=1,
1631 proto=IP_PROTOS.tcp, flags=flags)
1632 self.nat_add_static_mapping(
1633 self.pg0.remote_ip4,
1634 external_sw_if_index=self.pg0.sw_if_index,
1635 local_port=local_port,
1637 external_port=external_port,
1638 proto=IP_PROTOS.tcp,
1642 # from client to service (both VRF1)
1643 p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) /
1644 IP(src=self.pg6.remote_ip4, dst=external_addr) /
1645 TCP(sport=12345, dport=external_port))
1646 self.pg6.add_stream(p)
1647 self.pg_enable_capture(self.pg_interfaces)
1649 capture = self.pg5.get_capture(1)
1654 self.assertEqual(ip.dst, self.pg5.remote_ip4)
1655 self.assertEqual(tcp.dport, local_port)
1656 self.assert_packet_checksums_valid(p)
1658 self.logger.error(ppp("Unexpected or invalid packet:", p))
1661 # from service back to client (both VRF1)
1662 p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) /
1663 IP(src=self.pg5.remote_ip4, dst=self.pg6.remote_ip4) /
1664 TCP(sport=local_port, dport=12345))
1665 self.pg5.add_stream(p)
1666 self.pg_enable_capture(self.pg_interfaces)
1668 capture = self.pg6.get_capture(1)
1673 self.assertEqual(ip.src, external_addr)
1674 self.assertEqual(tcp.sport, external_port)
1675 self.assert_packet_checksums_valid(p)
1677 self.logger.error(ppp("Unexpected or invalid packet:", p))
1680 # dynamic NAT from VRF1 to VRF0 (output-feature)
1681 p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) /
1682 IP(src=self.pg5.remote_ip4, dst=self.pg1.remote_ip4) /
1683 TCP(sport=2345, dport=22))
1684 self.pg5.add_stream(p)
1685 self.pg_enable_capture(self.pg_interfaces)
1687 capture = self.pg1.get_capture(1)
1692 self.assertEqual(ip.src, self.nat_addr)
1693 self.assert_packet_checksums_valid(p)
1696 self.logger.error(ppp("Unexpected or invalid packet:", p))
1699 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
1700 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
1701 TCP(sport=22, dport=port))
1702 self.pg1.add_stream(p)
1703 self.pg_enable_capture(self.pg_interfaces)
1705 capture = self.pg5.get_capture(1)
1710 self.assertEqual(ip.dst, self.pg5.remote_ip4)
1711 self.assertEqual(tcp.dport, 2345)
1712 self.assert_packet_checksums_valid(p)
1714 self.logger.error(ppp("Unexpected or invalid packet:", p))
1717 # from client VRF1 to service VRF0
1718 p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) /
1719 IP(src=self.pg6.remote_ip4, dst=self.pg0.local_ip4) /
1720 TCP(sport=12346, dport=external_port))
1721 self.pg6.add_stream(p)
1722 self.pg_enable_capture(self.pg_interfaces)
1724 capture = self.pg0.get_capture(1)
1729 self.assertEqual(ip.dst, self.pg0.remote_ip4)
1730 self.assertEqual(tcp.dport, local_port)
1731 self.assert_packet_checksums_valid(p)
1733 self.logger.error(ppp("Unexpected or invalid packet:", p))
1736 # from service VRF0 back to client VRF1
1737 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
1738 IP(src=self.pg0.remote_ip4, dst=self.pg6.remote_ip4) /
1739 TCP(sport=local_port, dport=12346))
1740 self.pg0.add_stream(p)
1741 self.pg_enable_capture(self.pg_interfaces)
1743 capture = self.pg6.get_capture(1)
1748 self.assertEqual(ip.src, self.pg0.local_ip4)
1749 self.assertEqual(tcp.sport, external_port)
1750 self.assert_packet_checksums_valid(p)
1752 self.logger.error(ppp("Unexpected or invalid packet:", p))
1755 # from client VRF0 to service VRF1
1756 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
1757 IP(src=self.pg0.remote_ip4, dst=external_addr) /
1758 TCP(sport=12347, dport=external_port))
1759 self.pg0.add_stream(p)
1760 self.pg_enable_capture(self.pg_interfaces)
1762 capture = self.pg5.get_capture(1)
1767 self.assertEqual(ip.dst, self.pg5.remote_ip4)
1768 self.assertEqual(tcp.dport, local_port)
1769 self.assert_packet_checksums_valid(p)
1771 self.logger.error(ppp("Unexpected or invalid packet:", p))
1774 # from service VRF1 back to client VRF0
1775 p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) /
1776 IP(src=self.pg5.remote_ip4, dst=self.pg0.remote_ip4) /
1777 TCP(sport=local_port, dport=12347))
1778 self.pg5.add_stream(p)
1779 self.pg_enable_capture(self.pg_interfaces)
1781 capture = self.pg0.get_capture(1)
1786 self.assertEqual(ip.src, external_addr)
1787 self.assertEqual(tcp.sport, external_port)
1788 self.assert_packet_checksums_valid(p)
1790 self.logger.error(ppp("Unexpected or invalid packet:", p))
1793 # from client to server (both VRF1, no translation)
1794 p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) /
1795 IP(src=self.pg6.remote_ip4, dst=self.pg5.remote_ip4) /
1796 TCP(sport=12348, dport=local_port))
1797 self.pg6.add_stream(p)
1798 self.pg_enable_capture(self.pg_interfaces)
1800 capture = self.pg5.get_capture(1)
1805 self.assertEqual(ip.dst, self.pg5.remote_ip4)
1806 self.assertEqual(tcp.dport, local_port)
1807 self.assert_packet_checksums_valid(p)
1809 self.logger.error(ppp("Unexpected or invalid packet:", p))
1812 # from server back to client (both VRF1, no translation)
1813 p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) /
1814 IP(src=self.pg5.remote_ip4, dst=self.pg6.remote_ip4) /
1815 TCP(sport=local_port, dport=12348))
1816 self.pg5.add_stream(p)
1817 self.pg_enable_capture(self.pg_interfaces)
1819 capture = self.pg6.get_capture(1)
1824 self.assertEqual(ip.src, self.pg5.remote_ip4)
1825 self.assertEqual(tcp.sport, local_port)
1826 self.assert_packet_checksums_valid(p)
1828 self.logger.error(ppp("Unexpected or invalid packet:", p))
1831 # from client VRF1 to server VRF0 (no translation)
1832 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
1833 IP(src=self.pg0.remote_ip4, dst=self.pg6.remote_ip4) /
1834 TCP(sport=local_port, dport=12349))
1835 self.pg0.add_stream(p)
1836 self.pg_enable_capture(self.pg_interfaces)
1838 capture = self.pg6.get_capture(1)
1843 self.assertEqual(ip.src, self.pg0.remote_ip4)
1844 self.assertEqual(tcp.sport, local_port)
1845 self.assert_packet_checksums_valid(p)
1847 self.logger.error(ppp("Unexpected or invalid packet:", p))
1850 # from server VRF0 back to client VRF1 (no translation)
1851 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
1852 IP(src=self.pg0.remote_ip4, dst=self.pg6.remote_ip4) /
1853 TCP(sport=local_port, dport=12349))
1854 self.pg0.add_stream(p)
1855 self.pg_enable_capture(self.pg_interfaces)
1857 capture = self.pg6.get_capture(1)
1862 self.assertEqual(ip.src, self.pg0.remote_ip4)
1863 self.assertEqual(tcp.sport, local_port)
1864 self.assert_packet_checksums_valid(p)
1866 self.logger.error(ppp("Unexpected or invalid packet:", p))
1869 # from client VRF0 to server VRF1 (no translation)
1870 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
1871 IP(src=self.pg0.remote_ip4, dst=self.pg5.remote_ip4) /
1872 TCP(sport=12344, dport=local_port))
1873 self.pg0.add_stream(p)
1874 self.pg_enable_capture(self.pg_interfaces)
1876 capture = self.pg5.get_capture(1)
1881 self.assertEqual(ip.dst, self.pg5.remote_ip4)
1882 self.assertEqual(tcp.dport, local_port)
1883 self.assert_packet_checksums_valid(p)
1885 self.logger.error(ppp("Unexpected or invalid packet:", p))
1888 # from server VRF1 back to client VRF0 (no translation)
1889 p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) /
1890 IP(src=self.pg5.remote_ip4, dst=self.pg0.remote_ip4) /
1891 TCP(sport=local_port, dport=12344))
1892 self.pg5.add_stream(p)
1893 self.pg_enable_capture(self.pg_interfaces)
1895 capture = self.pg0.get_capture(1)
1900 self.assertEqual(ip.src, self.pg5.remote_ip4)
1901 self.assertEqual(tcp.sport, local_port)
1902 self.assert_packet_checksums_valid(p)
1904 self.logger.error(ppp("Unexpected or invalid packet:", p))
1907 def test_outside_address_distribution(self):
1908 """ Outside address distribution based on source address """
1913 for i in range(1, x):
1915 nat_addresses.append(a)
1917 self.nat_add_inside_interface(self.pg0)
1918 self.nat_add_outside_interface(self.pg1)
1920 self.vapi.nat44_add_del_address_range(
1921 first_ip_address=nat_addresses[0],
1922 last_ip_address=nat_addresses[-1],
1923 vrf_id=0xFFFFFFFF, is_add=1, flags=0)
1925 self.pg0.generate_remote_hosts(x)
1929 info = self.create_packet_info(self.pg0, self.pg1)
1930 payload = self.info_to_payload(info)
1931 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
1932 IP(src=self.pg0.remote_hosts[i].ip4,
1933 dst=self.pg1.remote_ip4) /
1934 UDP(sport=7000+i, dport=8000+i) /
1939 self.pg0.add_stream(pkts)
1940 self.pg_enable_capture(self.pg_interfaces)
1942 recvd = self.pg1.get_capture(len(pkts))
1943 for p_recvd in recvd:
1944 payload_info = self.payload_to_info(p_recvd[Raw])
1945 packet_index = payload_info.index
1946 info = self._packet_infos[packet_index]
1947 self.assertTrue(info is not None)
1948 self.assertEqual(packet_index, info.index)
1950 packed = socket.inet_aton(p_sent[IP].src)
1951 numeric = struct.unpack("!L", packed)[0]
1952 numeric = socket.htonl(numeric)
1953 a = nat_addresses[(numeric-1) % len(nat_addresses)]
1956 "Invalid packet (src IP %s translated to %s, but expected %s)"
1957 % (p_sent[IP].src, p_recvd[IP].src, a))
1960 class TestNAT44EDMW(TestNAT44ED):
1961 """ NAT44ED MW Test Case """
1962 worker_config = "workers 1"
1964 def get_stats_counter(self, path, worker=1):
1965 return super(TestNAT44EDMW, self).get_stats_counter(path, worker)
1967 @unittest.skip('MW fix required')
1968 def test_users_dump(self):
1969 """ NAT44ED API test - nat44_user_dump """
1971 @unittest.skip('MW fix required')
1972 def test_frag_out_of_order_do_not_translate(self):
1973 """ NAT44ED don't translate fragments arriving out of order """
1975 @unittest.skip('MW fix required')
1976 def test_forwarding(self):
1977 """ NAT44ED forwarding test """
1979 @unittest.skip('MW fix required')
1980 def test_twice_nat(self):
1981 """ NAT44ED Twice NAT """
1983 @unittest.skip('MW fix required')
1984 def test_twice_nat_lb(self):
1985 """ NAT44ED Twice NAT local service load balancing """
1987 @unittest.skip('MW fix required')
1988 def test_output_feature(self):
1989 """ NAT44ED interface output feature (in2out postrouting) """
1991 @unittest.skip('MW fix required')
1992 def test_static_with_port_out2(self):
1993 """ NAT44ED 1:1 NAPT asymmetrical rule """
1995 @unittest.skip('MW fix required')
1996 def test_output_feature_and_service2(self):
1997 """ NAT44ED interface output feature and service host direct access """
1999 @unittest.skip('MW fix required')
2000 def test_static_lb(self):
2001 """ NAT44ED local service load balancing """
2003 @unittest.skip('MW fix required')
2004 def test_static_lb_2(self):
2005 """ NAT44ED local service load balancing (asymmetrical rule) """
2007 @unittest.skip('MW fix required')
2008 def test_lb_affinity(self):
2009 """ NAT44ED local service load balancing affinity """
2011 @unittest.skip('MW fix required')
2012 def test_multiple_vrf(self):
2013 """ NAT44ED Multiple VRF setup """
2015 @unittest.skip('MW fix required')
2016 def test_self_twice_nat_positive(self):
2017 """ NAT44ED Self Twice NAT (positive test) """
2019 @unittest.skip('MW fix required')
2020 def test_self_twice_nat_lb_positive(self):
2021 """ NAT44ED Self Twice NAT local service load balancing (positive test)
2024 def test_dynamic(self):
2025 """ NAT44ED dynamic translation test """
2027 self.nat_add_address(self.nat_addr)
2028 self.nat_add_inside_interface(self.pg0)
2029 self.nat_add_outside_interface(self.pg1)
2032 tc1 = self.get_stats_counter('/nat44-ed/in2out/slowpath/tcp')
2033 uc1 = self.get_stats_counter('/nat44-ed/in2out/slowpath/udp')
2034 ic1 = self.get_stats_counter('/nat44-ed/in2out/slowpath/icmp')
2035 dc1 = self.get_stats_counter('/nat44-ed/in2out/slowpath/drops')
2037 pkts = self.create_stream_in(self.pg0, self.pg1)
2038 # TODO: specify worker=idx, also stats have to
2039 # know from which worker to take capture
2040 self.pg0.add_stream(pkts)
2041 self.pg_enable_capture(self.pg_interfaces)
2043 capture = self.pg1.get_capture(len(pkts))
2044 self.verify_capture_out(capture, ignore_port=True)
2046 if_idx = self.pg0.sw_if_index
2047 tc2 = self.get_stats_counter('/nat44-ed/in2out/slowpath/tcp')
2048 uc2 = self.get_stats_counter('/nat44-ed/in2out/slowpath/udp')
2049 ic2 = self.get_stats_counter('/nat44-ed/in2out/slowpath/icmp')
2050 dc2 = self.get_stats_counter('/nat44-ed/in2out/slowpath/drops')
2052 self.assertEqual(tc2[if_idx] - tc1[if_idx], 2)
2053 self.assertEqual(uc2[if_idx] - uc1[if_idx], 1)
2054 self.assertEqual(ic2[if_idx] - ic1[if_idx], 1)
2055 self.assertEqual(dc2[if_idx] - dc1[if_idx], 0)
2058 tc1 = self.get_stats_counter('/nat44-ed/out2in/fastpath/tcp')
2059 uc1 = self.get_stats_counter('/nat44-ed/out2in/fastpath/udp')
2060 ic1 = self.get_stats_counter('/nat44-ed/out2in/fastpath/icmp')
2061 dc1 = self.get_stats_counter('/nat44-ed/out2in/fastpath/drops')
2063 pkts = self.create_stream_out(self.pg1)
2064 self.pg1.add_stream(pkts)
2065 self.pg_enable_capture(self.pg_interfaces)
2067 capture = self.pg0.get_capture(len(pkts))
2068 self.verify_capture_in(capture, self.pg0)
2070 if_idx = self.pg1.sw_if_index
2071 tc2 = self.get_stats_counter('/nat44-ed/out2in/fastpath/tcp')
2072 uc2 = self.get_stats_counter('/nat44-ed/out2in/fastpath/udp')
2073 ic2 = self.get_stats_counter('/nat44-ed/out2in/fastpath/icmp')
2074 dc2 = self.get_stats_counter('/nat44-ed/out2in/fastpath/drops')
2076 self.assertEqual(tc2[if_idx] - tc1[if_idx], 2)
2077 self.assertEqual(uc2[if_idx] - uc1[if_idx], 1)
2078 self.assertEqual(ic2[if_idx] - ic1[if_idx], 1)
2079 self.assertEqual(dc2[if_idx] - dc1[if_idx], 0)
2081 sc = self.get_stats_counter('/nat44-ed/total-sessions')
2082 self.assertEqual(sc[0], 3)
2084 def test_frag_in_order(self):
2085 """ NAT44ED translate fragments arriving in order """
2087 self.nat_add_address(self.nat_addr)
2088 self.nat_add_inside_interface(self.pg0)
2089 self.nat_add_outside_interface(self.pg1)
2091 self.frag_in_order(proto=IP_PROTOS.tcp, ignore_port=True)
2092 self.frag_in_order(proto=IP_PROTOS.udp, ignore_port=True)
2093 self.frag_in_order(proto=IP_PROTOS.icmp, ignore_port=True)
2095 def test_frag_in_order_do_not_translate(self):
2096 """ NAT44ED don't translate fragments arriving in order """
2098 self.nat_add_address(self.nat_addr)
2099 self.nat_add_inside_interface(self.pg0)
2100 self.nat_add_outside_interface(self.pg1)
2101 self.vapi.nat44_forwarding_enable_disable(enable=True)
2103 self.frag_in_order(proto=IP_PROTOS.tcp, dont_translate=True)
2105 def test_frag_out_of_order(self):
2106 """ NAT44ED translate fragments arriving out of order """
2108 self.nat_add_address(self.nat_addr)
2109 self.nat_add_inside_interface(self.pg0)
2110 self.nat_add_outside_interface(self.pg1)
2112 self.frag_out_of_order(proto=IP_PROTOS.tcp, ignore_port=True)
2113 self.frag_out_of_order(proto=IP_PROTOS.udp, ignore_port=True)
2114 self.frag_out_of_order(proto=IP_PROTOS.icmp, ignore_port=True)
2116 def test_frag_in_order_in_plus_out(self):
2117 """ NAT44ED in+out interface fragments in order """
2119 in_port = self.random_port()
2120 out_port = self.random_port()
2122 self.nat_add_address(self.nat_addr)
2123 self.nat_add_inside_interface(self.pg0)
2124 self.nat_add_outside_interface(self.pg0)
2125 self.nat_add_inside_interface(self.pg1)
2126 self.nat_add_outside_interface(self.pg1)
2128 # add static mappings for server
2129 self.nat_add_static_mapping(self.server_addr,
2133 proto=IP_PROTOS.tcp)
2134 self.nat_add_static_mapping(self.server_addr,
2138 proto=IP_PROTOS.udp)
2139 self.nat_add_static_mapping(self.server_addr,
2141 proto=IP_PROTOS.icmp)
2143 # run tests for each protocol
2144 self.frag_in_order_in_plus_out(self.server_addr,
2149 self.frag_in_order_in_plus_out(self.server_addr,
2154 self.frag_in_order_in_plus_out(self.server_addr,
2160 def test_frag_out_of_order_in_plus_out(self):
2161 """ NAT44ED in+out interface fragments out of order """
2163 in_port = self.random_port()
2164 out_port = self.random_port()
2166 self.nat_add_address(self.nat_addr)
2167 self.nat_add_inside_interface(self.pg0)
2168 self.nat_add_outside_interface(self.pg0)
2169 self.nat_add_inside_interface(self.pg1)
2170 self.nat_add_outside_interface(self.pg1)
2172 # add static mappings for server
2173 self.nat_add_static_mapping(self.server_addr,
2177 proto=IP_PROTOS.tcp)
2178 self.nat_add_static_mapping(self.server_addr,
2182 proto=IP_PROTOS.udp)
2183 self.nat_add_static_mapping(self.server_addr,
2185 proto=IP_PROTOS.icmp)
2187 # run tests for each protocol
2188 self.frag_out_of_order_in_plus_out(self.server_addr,
2193 self.frag_out_of_order_in_plus_out(self.server_addr,
2198 self.frag_out_of_order_in_plus_out(self.server_addr,
2204 def test_reass_hairpinning(self):
2205 """ NAT44ED fragments hairpinning """
2207 server_addr = self.pg0.remote_hosts[1].ip4
2209 host_in_port = self.random_port()
2210 server_in_port = self.random_port()
2211 server_out_port = self.random_port()
2213 self.nat_add_address(self.nat_addr)
2214 self.nat_add_inside_interface(self.pg0)
2215 self.nat_add_outside_interface(self.pg1)
2217 # add static mapping for server
2218 self.nat_add_static_mapping(server_addr, self.nat_addr,
2219 server_in_port, server_out_port,
2220 proto=IP_PROTOS.tcp)
2221 self.nat_add_static_mapping(server_addr, self.nat_addr,
2222 server_in_port, server_out_port,
2223 proto=IP_PROTOS.udp)
2224 self.nat_add_static_mapping(server_addr, self.nat_addr)
2226 self.reass_hairpinning(server_addr, server_in_port, server_out_port,
2227 host_in_port, proto=IP_PROTOS.tcp,
2229 self.reass_hairpinning(server_addr, server_in_port, server_out_port,
2230 host_in_port, proto=IP_PROTOS.udp,
2232 self.reass_hairpinning(server_addr, server_in_port, server_out_port,
2233 host_in_port, proto=IP_PROTOS.icmp,
2236 def test_session_limit_per_vrf(self):
2237 """ NAT44ED per vrf session limit """
2240 inside_vrf10 = self.pg2
2245 # 2 interfaces pg0, pg1 (vrf10, limit 1 tcp session)
2246 # non existing vrf_id makes process core dump
2247 self.vapi.nat44_set_session_limit(session_limit=limit, vrf_id=10)
2249 self.nat_add_inside_interface(inside)
2250 self.nat_add_inside_interface(inside_vrf10)
2251 self.nat_add_outside_interface(outside)
2254 self.nat_add_interface_address(outside)
2256 # BUG: causing core dump - when bad vrf_id is specified
2257 # self.nat_add_address(outside.local_ip4, vrf_id=20)
2259 stream = self.create_tcp_stream(inside_vrf10, outside, limit * 2)
2260 inside_vrf10.add_stream(stream)
2262 self.pg_enable_capture(self.pg_interfaces)
2265 capture = outside.get_capture(limit)
2267 stream = self.create_tcp_stream(inside, outside, limit * 2)
2268 inside.add_stream(stream)
2270 self.pg_enable_capture(self.pg_interfaces)
2273 capture = outside.get_capture(len(stream))
2275 def test_show_max_translations(self):
2276 """ NAT44ED API test - max translations per thread """
2277 nat_config = self.vapi.nat_show_config_2()
2278 self.assertEqual(self.max_sessions,
2279 nat_config.max_translations_per_thread)
2281 def test_lru_cleanup(self):
2282 """ NAT44ED LRU cleanup algorithm """
2284 self.nat_add_address(self.nat_addr)
2285 self.nat_add_inside_interface(self.pg0)
2286 self.nat_add_outside_interface(self.pg1)
2288 self.vapi.nat_set_timeouts(
2289 udp=1, tcp_established=7440, tcp_transitory=30, icmp=1)
2291 tcp_port_out = self.init_tcp_session(self.pg0, self.pg1, 2000, 80)
2293 for i in range(0, self.max_sessions - 1):
2294 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
2295 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4, ttl=64) /
2296 UDP(sport=7000+i, dport=80))
2299 self.pg0.add_stream(pkts)
2300 self.pg_enable_capture(self.pg_interfaces)
2302 self.pg1.get_capture(len(pkts))
2303 self.sleep(1.5, "wait for timeouts")
2306 for i in range(0, self.max_sessions - 1):
2307 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
2308 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4, ttl=64) /
2309 ICMP(id=8000+i, type='echo-request'))
2312 self.pg0.add_stream(pkts)
2313 self.pg_enable_capture(self.pg_interfaces)
2315 self.pg1.get_capture(len(pkts))
2317 def test_session_rst_timeout(self):
2318 """ NAT44ED session RST timeouts """
2320 self.nat_add_address(self.nat_addr)
2321 self.nat_add_inside_interface(self.pg0)
2322 self.nat_add_outside_interface(self.pg1)
2324 self.vapi.nat_set_timeouts(udp=300, tcp_established=7440,
2325 tcp_transitory=5, icmp=60)
2327 self.init_tcp_session(self.pg0, self.pg1, self.tcp_port_in,
2328 self.tcp_external_port)
2329 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2330 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
2331 TCP(sport=self.tcp_port_in, dport=self.tcp_external_port,
2333 self.pg0.add_stream(p)
2334 self.pg_enable_capture(self.pg_interfaces)
2336 self.pg1.get_capture(1)
2340 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2341 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
2342 TCP(sport=self.tcp_port_in + 1, dport=self.tcp_external_port + 1,
2344 self.pg0.add_stream(p)
2345 self.pg_enable_capture(self.pg_interfaces)
2347 self.pg1.get_capture(1)
2349 def test_dynamic_out_of_ports(self):
2350 """ NAT44ED dynamic translation test: out of ports """
2352 self.nat_add_inside_interface(self.pg0)
2353 self.nat_add_outside_interface(self.pg1)
2355 # in2out and no NAT addresses added
2356 err_old = self.statistics.get_err_counter(
2357 '/err/nat44-ed-in2out-slowpath/out of ports')
2359 pkts = self.create_stream_in(self.pg0, self.pg1)
2360 self.pg0.add_stream(pkts)
2361 self.pg_enable_capture(self.pg_interfaces)
2363 self.pg1.get_capture(0, timeout=1)
2365 err_new = self.statistics.get_err_counter(
2366 '/err/nat44-ed-in2out-slowpath/out of ports')
2368 self.assertEqual(err_new - err_old, len(pkts))
2370 # in2out after NAT addresses added
2371 self.nat_add_address(self.nat_addr)
2373 err_old = self.statistics.get_err_counter(
2374 '/err/nat44-ed-in2out-slowpath/out of ports')
2376 pkts = self.create_stream_in(self.pg0, self.pg1)
2377 self.pg0.add_stream(pkts)
2378 self.pg_enable_capture(self.pg_interfaces)
2380 capture = self.pg1.get_capture(len(pkts))
2381 self.verify_capture_out(capture, ignore_port=True)
2383 err_new = self.statistics.get_err_counter(
2384 '/err/nat44-ed-in2out-slowpath/out of ports')
2386 self.assertEqual(err_new, err_old)
2388 def test_unknown_proto(self):
2389 """ NAT44ED translate packet with unknown protocol """
2391 self.nat_add_address(self.nat_addr)
2392 self.nat_add_inside_interface(self.pg0)
2393 self.nat_add_outside_interface(self.pg1)
2396 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
2397 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
2398 TCP(sport=self.tcp_port_in, dport=20))
2399 self.pg0.add_stream(p)
2400 self.pg_enable_capture(self.pg_interfaces)
2402 p = self.pg1.get_capture(1)
2404 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
2405 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
2407 IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4) /
2408 TCP(sport=1234, dport=1234))
2409 self.pg0.add_stream(p)
2410 self.pg_enable_capture(self.pg_interfaces)
2412 p = self.pg1.get_capture(1)
2415 self.assertEqual(packet[IP].src, self.nat_addr)
2416 self.assertEqual(packet[IP].dst, self.pg1.remote_ip4)
2417 self.assertEqual(packet.haslayer(GRE), 1)
2418 self.assert_packet_checksums_valid(packet)
2420 self.logger.error(ppp("Unexpected or invalid packet:", packet))
2424 p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
2425 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
2427 IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4) /
2428 TCP(sport=1234, dport=1234))
2429 self.pg1.add_stream(p)
2430 self.pg_enable_capture(self.pg_interfaces)
2432 p = self.pg0.get_capture(1)
2435 self.assertEqual(packet[IP].src, self.pg1.remote_ip4)
2436 self.assertEqual(packet[IP].dst, self.pg0.remote_ip4)
2437 self.assertEqual(packet.haslayer(GRE), 1)
2438 self.assert_packet_checksums_valid(packet)
2440 self.logger.error(ppp("Unexpected or invalid packet:", packet))
2443 def test_hairpinning_unknown_proto(self):
2444 """ NAT44ED translate packet with unknown protocol - hairpinning """
2445 host = self.pg0.remote_hosts[0]
2446 server = self.pg0.remote_hosts[1]
2448 server_out_port = 8765
2449 server_nat_ip = "10.0.0.11"
2451 self.nat_add_address(self.nat_addr)
2452 self.nat_add_inside_interface(self.pg0)
2453 self.nat_add_outside_interface(self.pg1)
2455 # add static mapping for server
2456 self.nat_add_static_mapping(server.ip4, server_nat_ip)
2459 p = (Ether(src=host.mac, dst=self.pg0.local_mac) /
2460 IP(src=host.ip4, dst=server_nat_ip) /
2461 TCP(sport=host_in_port, dport=server_out_port))
2462 self.pg0.add_stream(p)
2463 self.pg_enable_capture(self.pg_interfaces)
2465 self.pg0.get_capture(1)
2467 p = (Ether(dst=self.pg0.local_mac, src=host.mac) /
2468 IP(src=host.ip4, dst=server_nat_ip) /
2470 IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4) /
2471 TCP(sport=1234, dport=1234))
2472 self.pg0.add_stream(p)
2473 self.pg_enable_capture(self.pg_interfaces)
2475 p = self.pg0.get_capture(1)
2478 self.assertEqual(packet[IP].src, self.nat_addr)
2479 self.assertEqual(packet[IP].dst, server.ip4)
2480 self.assertEqual(packet.haslayer(GRE), 1)
2481 self.assert_packet_checksums_valid(packet)
2483 self.logger.error(ppp("Unexpected or invalid packet:", packet))
2487 p = (Ether(dst=self.pg0.local_mac, src=server.mac) /
2488 IP(src=server.ip4, dst=self.nat_addr) /
2490 IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4) /
2491 TCP(sport=1234, dport=1234))
2492 self.pg0.add_stream(p)
2493 self.pg_enable_capture(self.pg_interfaces)
2495 p = self.pg0.get_capture(1)
2498 self.assertEqual(packet[IP].src, server_nat_ip)
2499 self.assertEqual(packet[IP].dst, host.ip4)
2500 self.assertEqual(packet.haslayer(GRE), 1)
2501 self.assert_packet_checksums_valid(packet)
2503 self.logger.error(ppp("Unexpected or invalid packet:", packet))
2506 def test_output_feature_and_service(self):
2507 """ NAT44ED interface output feature and services """
2508 external_addr = '1.2.3.4'
2512 self.vapi.nat44_forwarding_enable_disable(enable=1)
2513 self.nat_add_address(self.nat_addr)
2514 flags = self.config_flags.NAT_IS_ADDR_ONLY
2515 self.vapi.nat44_add_del_identity_mapping(
2516 ip_address=self.pg1.remote_ip4, sw_if_index=0xFFFFFFFF,
2517 flags=flags, is_add=1)
2518 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
2519 self.nat_add_static_mapping(self.pg0.remote_ip4, external_addr,
2520 local_port, external_port,
2521 proto=IP_PROTOS.tcp, flags=flags)
2523 self.nat_add_inside_interface(self.pg0)
2524 self.nat_add_outside_interface(self.pg0)
2525 self.vapi.nat44_interface_add_del_output_feature(
2526 sw_if_index=self.pg1.sw_if_index, is_add=1)
2528 # from client to service
2529 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
2530 IP(src=self.pg1.remote_ip4, dst=external_addr) /
2531 TCP(sport=12345, dport=external_port))
2532 self.pg1.add_stream(p)
2533 self.pg_enable_capture(self.pg_interfaces)
2535 capture = self.pg0.get_capture(1)
2540 self.assertEqual(ip.dst, self.pg0.remote_ip4)
2541 self.assertEqual(tcp.dport, local_port)
2542 self.assert_packet_checksums_valid(p)
2544 self.logger.error(ppp("Unexpected or invalid packet:", p))
2547 # from service back to client
2548 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2549 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
2550 TCP(sport=local_port, dport=12345))
2551 self.pg0.add_stream(p)
2552 self.pg_enable_capture(self.pg_interfaces)
2554 capture = self.pg1.get_capture(1)
2559 self.assertEqual(ip.src, external_addr)
2560 self.assertEqual(tcp.sport, external_port)
2561 self.assert_packet_checksums_valid(p)
2563 self.logger.error(ppp("Unexpected or invalid packet:", p))
2566 # from local network host to external network
2567 pkts = self.create_stream_in(self.pg0, self.pg1)
2568 self.pg0.add_stream(pkts)
2569 self.pg_enable_capture(self.pg_interfaces)
2571 capture = self.pg1.get_capture(len(pkts))
2572 self.verify_capture_out(capture, ignore_port=True)
2573 pkts = self.create_stream_in(self.pg0, self.pg1)
2574 self.pg0.add_stream(pkts)
2575 self.pg_enable_capture(self.pg_interfaces)
2577 capture = self.pg1.get_capture(len(pkts))
2578 self.verify_capture_out(capture, ignore_port=True)
2580 # from external network back to local network host
2581 pkts = self.create_stream_out(self.pg1)
2582 self.pg1.add_stream(pkts)
2583 self.pg_enable_capture(self.pg_interfaces)
2585 capture = self.pg0.get_capture(len(pkts))
2586 self.verify_capture_in(capture, self.pg0)
2588 def test_output_feature_and_service3(self):
2589 """ NAT44ED interface output feature and DST NAT """
2590 external_addr = '1.2.3.4'
2594 self.vapi.nat44_forwarding_enable_disable(enable=1)
2595 self.nat_add_address(self.nat_addr)
2596 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
2597 self.nat_add_static_mapping(self.pg1.remote_ip4, external_addr,
2598 local_port, external_port,
2599 proto=IP_PROTOS.tcp, flags=flags)
2601 self.nat_add_inside_interface(self.pg0)
2602 self.nat_add_outside_interface(self.pg0)
2603 self.vapi.nat44_interface_add_del_output_feature(
2604 sw_if_index=self.pg1.sw_if_index, is_add=1)
2606 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2607 IP(src=self.pg0.remote_ip4, dst=external_addr) /
2608 TCP(sport=12345, dport=external_port))
2609 self.pg0.add_stream(p)
2610 self.pg_enable_capture(self.pg_interfaces)
2612 capture = self.pg1.get_capture(1)
2617 self.assertEqual(ip.src, self.pg0.remote_ip4)
2618 self.assertEqual(tcp.sport, 12345)
2619 self.assertEqual(ip.dst, self.pg1.remote_ip4)
2620 self.assertEqual(tcp.dport, local_port)
2621 self.assert_packet_checksums_valid(p)
2623 self.logger.error(ppp("Unexpected or invalid packet:", p))
2626 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
2627 IP(src=self.pg1.remote_ip4, dst=self.pg0.remote_ip4) /
2628 TCP(sport=local_port, dport=12345))
2629 self.pg1.add_stream(p)
2630 self.pg_enable_capture(self.pg_interfaces)
2632 capture = self.pg0.get_capture(1)
2637 self.assertEqual(ip.src, external_addr)
2638 self.assertEqual(tcp.sport, external_port)
2639 self.assertEqual(ip.dst, self.pg0.remote_ip4)
2640 self.assertEqual(tcp.dport, 12345)
2641 self.assert_packet_checksums_valid(p)
2643 self.logger.error(ppp("Unexpected or invalid packet:", p))
2646 def test_self_twice_nat_lb_negative(self):
2647 """ NAT44ED Self Twice NAT local service load balancing (negative test)
2649 self.twice_nat_common(lb=True, self_twice_nat=True, same_pg=True,
2652 def test_self_twice_nat_negative(self):
2653 """ NAT44ED Self Twice NAT (negative test) """
2654 self.twice_nat_common(self_twice_nat=True)
2656 def test_static_lb_multi_clients(self):
2657 """ NAT44ED local service load balancing - multiple clients"""
2659 external_addr = self.nat_addr
2662 server1 = self.pg0.remote_hosts[0]
2663 server2 = self.pg0.remote_hosts[1]
2664 server3 = self.pg0.remote_hosts[2]
2666 locals = [{'addr': server1.ip4,
2670 {'addr': server2.ip4,
2675 flags = self.config_flags.NAT_IS_INSIDE
2676 self.vapi.nat44_interface_add_del_feature(
2677 sw_if_index=self.pg0.sw_if_index,
2678 flags=flags, is_add=1)
2679 self.vapi.nat44_interface_add_del_feature(
2680 sw_if_index=self.pg1.sw_if_index,
2683 self.nat_add_address(self.nat_addr)
2684 self.vapi.nat44_add_del_lb_static_mapping(is_add=1,
2685 external_addr=external_addr,
2686 external_port=external_port,
2687 protocol=IP_PROTOS.tcp,
2688 local_num=len(locals),
2693 clients = ip4_range(self.pg1.remote_ip4, 10, 50)
2695 for client in clients:
2696 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
2697 IP(src=client, dst=self.nat_addr) /
2698 TCP(sport=12345, dport=external_port))
2700 self.pg1.add_stream(pkts)
2701 self.pg_enable_capture(self.pg_interfaces)
2703 capture = self.pg0.get_capture(len(pkts))
2705 if p[IP].dst == server1.ip4:
2709 self.assertGreater(server1_n, server2_n)
2712 'addr': server3.ip4,
2719 self.vapi.nat44_lb_static_mapping_add_del_local(
2721 external_addr=external_addr,
2722 external_port=external_port,
2724 protocol=IP_PROTOS.tcp)
2728 clients = ip4_range(self.pg1.remote_ip4, 60, 110)
2730 for client in clients:
2731 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
2732 IP(src=client, dst=self.nat_addr) /
2733 TCP(sport=12346, dport=external_port))
2735 self.assertGreater(len(pkts), 0)
2736 self.pg1.add_stream(pkts)
2737 self.pg_enable_capture(self.pg_interfaces)
2739 capture = self.pg0.get_capture(len(pkts))
2741 if p[IP].dst == server1.ip4:
2743 elif p[IP].dst == server2.ip4:
2747 self.assertGreater(server1_n, 0)
2748 self.assertGreater(server2_n, 0)
2749 self.assertGreater(server3_n, 0)
2752 'addr': server2.ip4,
2758 # remove one back-end
2759 self.vapi.nat44_lb_static_mapping_add_del_local(
2761 external_addr=external_addr,
2762 external_port=external_port,
2764 protocol=IP_PROTOS.tcp)
2768 self.pg1.add_stream(pkts)
2769 self.pg_enable_capture(self.pg_interfaces)
2771 capture = self.pg0.get_capture(len(pkts))
2773 if p[IP].dst == server1.ip4:
2775 elif p[IP].dst == server2.ip4:
2779 self.assertGreater(server1_n, 0)
2780 self.assertEqual(server2_n, 0)
2781 self.assertGreater(server3_n, 0)
2783 def test_syslog_sess(self):
2784 """ NAT44ED Test syslog session creation and deletion """
2785 self.vapi.syslog_set_filter(
2786 self.syslog_severity.SYSLOG_API_SEVERITY_INFO)
2787 self.vapi.syslog_set_sender(self.pg3.local_ip4, self.pg3.remote_ip4)
2789 self.nat_add_address(self.nat_addr)
2790 self.nat_add_inside_interface(self.pg0)
2791 self.nat_add_outside_interface(self.pg1)
2793 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
2794 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
2795 TCP(sport=self.tcp_port_in, dport=self.tcp_external_port))
2796 self.pg0.add_stream(p)
2797 self.pg_enable_capture(self.pg_interfaces)
2799 capture = self.pg1.get_capture(1)
2800 self.tcp_port_out = capture[0][TCP].sport
2801 capture = self.pg3.get_capture(1)
2802 self.verify_syslog_sess(capture[0][Raw].load)
2804 self.pg_enable_capture(self.pg_interfaces)
2806 self.nat_add_address(self.nat_addr, is_add=0)
2807 capture = self.pg3.get_capture(1)
2808 self.verify_syslog_sess(capture[0][Raw].load, False)
2810 def test_twice_nat_interface_addr(self):
2811 """ NAT44ED Acquire twice NAT addresses from interface """
2812 flags = self.config_flags.NAT_IS_TWICE_NAT
2813 self.vapi.nat44_add_del_interface_addr(
2814 sw_if_index=self.pg11.sw_if_index,
2815 flags=flags, is_add=1)
2817 # no address in NAT pool
2818 adresses = self.vapi.nat44_address_dump()
2819 self.assertEqual(0, len(adresses))
2821 # configure interface address and check NAT address pool
2822 self.pg11.config_ip4()
2823 adresses = self.vapi.nat44_address_dump()
2824 self.assertEqual(1, len(adresses))
2825 self.assertEqual(str(adresses[0].ip_address),
2826 self.pg11.local_ip4)
2827 self.assertEqual(adresses[0].flags, flags)
2829 # remove interface address and check NAT address pool
2830 self.pg11.unconfig_ip4()
2831 adresses = self.vapi.nat44_address_dump()
2832 self.assertEqual(0, len(adresses))
2834 def test_output_feature_stateful_acl(self):
2835 """ NAT44ED output feature works with stateful ACL """
2837 self.nat_add_address(self.nat_addr)
2838 self.vapi.nat44_interface_add_del_output_feature(
2839 sw_if_index=self.pg0.sw_if_index,
2840 flags=self.config_flags.NAT_IS_INSIDE, is_add=1)
2841 self.vapi.nat44_interface_add_del_output_feature(
2842 sw_if_index=self.pg1.sw_if_index,
2843 flags=self.config_flags.NAT_IS_OUTSIDE, is_add=1)
2845 # First ensure that the NAT is working sans ACL
2847 # send packets out2in, no sessions yet so packets should drop
2848 pkts_out2in = self.create_stream_out(self.pg1)
2849 self.send_and_assert_no_replies(self.pg1, pkts_out2in)
2851 # send packets into inside intf, ensure received via outside intf
2852 pkts_in2out = self.create_stream_in(self.pg0, self.pg1)
2853 capture = self.send_and_expect(self.pg0, pkts_in2out, self.pg1,
2855 self.verify_capture_out(capture, ignore_port=True)
2857 # send out2in again, with sessions created it should work now
2858 pkts_out2in = self.create_stream_out(self.pg1)
2859 capture = self.send_and_expect(self.pg1, pkts_out2in, self.pg0,
2861 self.verify_capture_in(capture, self.pg0)
2863 # Create an ACL blocking everything
2864 out2in_deny_rule = AclRule(is_permit=0)
2865 out2in_acl = VppAcl(self, rules=[out2in_deny_rule])
2866 out2in_acl.add_vpp_config()
2868 # create an ACL to permit/reflect everything
2869 in2out_reflect_rule = AclRule(is_permit=2)
2870 in2out_acl = VppAcl(self, rules=[in2out_reflect_rule])
2871 in2out_acl.add_vpp_config()
2873 # apply as input acl on interface and confirm it blocks everything
2874 acl_if = VppAclInterface(self, sw_if_index=self.pg1.sw_if_index,
2875 n_input=1, acls=[out2in_acl])
2876 acl_if.add_vpp_config()
2877 self.send_and_assert_no_replies(self.pg1, pkts_out2in)
2880 acl_if.acls = [out2in_acl, in2out_acl]
2881 acl_if.add_vpp_config()
2882 # send in2out to generate ACL state (NAT state was created earlier)
2883 capture = self.send_and_expect(self.pg0, pkts_in2out, self.pg1,
2885 self.verify_capture_out(capture, ignore_port=True)
2887 # send out2in again. ACL state exists so it should work now.
2888 # TCP packets with the syn flag set also need the ack flag
2889 for p in pkts_out2in:
2890 if p.haslayer(TCP) and p[TCP].flags & 0x02:
2891 p[TCP].flags |= 0x10
2892 capture = self.send_and_expect(self.pg1, pkts_out2in, self.pg0,
2894 self.verify_capture_in(capture, self.pg0)
2895 self.logger.info(self.vapi.cli("show trace"))
2897 def test_tcp_close(self):
2898 """ NAT44ED Close TCP session from inside network - output feature """
2899 old_timeouts = self.vapi.nat_get_timeouts()
2901 self.vapi.nat_set_timeouts(
2902 udp=old_timeouts.udp,
2903 tcp_established=old_timeouts.tcp_established,
2904 icmp=old_timeouts.icmp,
2905 tcp_transitory=new_transitory)
2907 self.vapi.nat44_forwarding_enable_disable(enable=1)
2908 self.nat_add_address(self.pg1.local_ip4)
2909 twice_nat_addr = '10.0.1.3'
2910 service_ip = '192.168.16.150'
2911 self.nat_add_address(twice_nat_addr, twice_nat=1)
2913 flags = self.config_flags.NAT_IS_INSIDE
2914 self.vapi.nat44_interface_add_del_feature(
2915 sw_if_index=self.pg0.sw_if_index,
2917 self.vapi.nat44_interface_add_del_feature(
2918 sw_if_index=self.pg0.sw_if_index,
2919 flags=flags, is_add=1)
2920 self.vapi.nat44_interface_add_del_output_feature(
2922 sw_if_index=self.pg1.sw_if_index)
2924 flags = (self.config_flags.NAT_IS_OUT2IN_ONLY |
2925 self.config_flags.NAT_IS_TWICE_NAT)
2926 self.nat_add_static_mapping(self.pg0.remote_ip4,
2928 proto=IP_PROTOS.tcp,
2930 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
2931 start_sessnum = len(sessions)
2933 # SYN packet out->in
2934 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
2935 IP(src=self.pg1.remote_ip4, dst=service_ip) /
2936 TCP(sport=33898, dport=80, flags="S"))
2937 self.pg1.add_stream(p)
2938 self.pg_enable_capture(self.pg_interfaces)
2940 capture = self.pg0.get_capture(1)
2942 tcp_port = p[TCP].sport
2944 # SYN + ACK packet in->out
2945 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2946 IP(src=self.pg0.remote_ip4, dst=twice_nat_addr) /
2947 TCP(sport=80, dport=tcp_port, flags="SA"))
2948 self.pg0.add_stream(p)
2949 self.pg_enable_capture(self.pg_interfaces)
2951 self.pg1.get_capture(1)
2953 # ACK packet out->in
2954 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
2955 IP(src=self.pg1.remote_ip4, dst=service_ip) /
2956 TCP(sport=33898, dport=80, flags="A"))
2957 self.pg1.add_stream(p)
2958 self.pg_enable_capture(self.pg_interfaces)
2960 self.pg0.get_capture(1)
2962 # FIN packet in -> out
2963 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2964 IP(src=self.pg0.remote_ip4, dst=twice_nat_addr) /
2965 TCP(sport=80, dport=tcp_port, flags="FA", seq=100, ack=300))
2966 self.pg0.add_stream(p)
2967 self.pg_enable_capture(self.pg_interfaces)
2969 self.pg1.get_capture(1)
2971 # FIN+ACK packet out -> in
2972 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
2973 IP(src=self.pg1.remote_ip4, dst=service_ip) /
2974 TCP(sport=33898, dport=80, flags="FA", seq=300, ack=101))
2975 self.pg1.add_stream(p)
2976 self.pg_enable_capture(self.pg_interfaces)
2978 self.pg0.get_capture(1)
2980 # ACK packet in -> out
2981 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2982 IP(src=self.pg0.remote_ip4, dst=twice_nat_addr) /
2983 TCP(sport=80, dport=tcp_port, flags="A", seq=101, ack=301))
2984 self.pg0.add_stream(p)
2985 self.pg_enable_capture(self.pg_interfaces)
2987 self.pg1.get_capture(1)
2989 # session now in transitory timeout
2990 # try SYN packet out->in - should be dropped
2991 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
2992 IP(src=self.pg1.remote_ip4, dst=service_ip) /
2993 TCP(sport=33898, dport=80, flags="S"))
2994 self.pg1.add_stream(p)
2995 self.pg_enable_capture(self.pg_interfaces)
2998 self.sleep(new_transitory, "wait for transitory timeout")
2999 self.pg0.assert_nothing_captured(0)
3001 # session should still exist
3002 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3003 self.assertEqual(len(sessions) - start_sessnum, 1)
3005 # send FIN+ACK packet out -> in - will cause session to be wiped
3006 # but won't create a new session
3007 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3008 IP(src=self.pg1.remote_ip4, dst=service_ip) /
3009 TCP(sport=33898, dport=80, flags="FA", seq=300, ack=101))
3010 self.pg1.add_stream(p)
3011 self.pg_enable_capture(self.pg_interfaces)
3014 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3015 self.assertEqual(len(sessions) - start_sessnum, 0)
3016 self.pg0.assert_nothing_captured(0)
3018 def test_tcp_session_close_in(self):
3019 """ NAT44ED Close TCP session from inside network """
3021 in_port = self.tcp_port_in
3023 ext_port = self.tcp_external_port
3025 self.nat_add_address(self.nat_addr)
3026 self.nat_add_inside_interface(self.pg0)
3027 self.nat_add_outside_interface(self.pg1)
3028 self.nat_add_static_mapping(self.pg0.remote_ip4, self.nat_addr,
3029 in_port, out_port, proto=IP_PROTOS.tcp,
3030 flags=self.config_flags.NAT_IS_TWICE_NAT)
3032 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3033 session_n = len(sessions)
3035 self.vapi.nat_set_timeouts(udp=300, tcp_established=7440,
3036 tcp_transitory=2, icmp=5)
3038 self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
3040 # FIN packet in -> out
3041 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3042 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3043 TCP(sport=in_port, dport=ext_port,
3044 flags="FA", seq=100, ack=300))
3045 self.pg0.add_stream(p)
3046 self.pg_enable_capture(self.pg_interfaces)
3048 self.pg1.get_capture(1)
3052 # ACK packet out -> in
3053 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3054 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3055 TCP(sport=ext_port, dport=out_port,
3056 flags="A", seq=300, ack=101))
3059 # FIN packet out -> in
3060 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3061 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3062 TCP(sport=ext_port, dport=out_port,
3063 flags="FA", seq=300, ack=101))
3066 self.pg1.add_stream(pkts)
3067 self.pg_enable_capture(self.pg_interfaces)
3069 self.pg0.get_capture(2)
3071 # ACK packet in -> out
3072 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3073 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3074 TCP(sport=in_port, dport=ext_port,
3075 flags="A", seq=101, ack=301))
3076 self.pg0.add_stream(p)
3077 self.pg_enable_capture(self.pg_interfaces)
3079 self.pg1.get_capture(1)
3081 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3082 self.assertEqual(len(sessions) - session_n, 1)
3084 out2in_drops = self.get_err_counter(
3085 '/err/nat44-ed-out2in/drops due to TCP in transitory timeout')
3086 in2out_drops = self.get_err_counter(
3087 '/err/nat44-ed-in2out/drops due to TCP in transitory timeout')
3089 # extra FIN packet out -> in - this should be dropped
3090 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3091 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3092 TCP(sport=ext_port, dport=out_port,
3093 flags="FA", seq=300, ack=101))
3095 self.pg1.add_stream(p)
3096 self.pg_enable_capture(self.pg_interfaces)
3098 self.pg0.assert_nothing_captured()
3100 # extra ACK packet in -> out - this should be dropped
3101 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3102 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3103 TCP(sport=in_port, dport=ext_port,
3104 flags="A", seq=101, ack=301))
3105 self.pg0.add_stream(p)
3106 self.pg_enable_capture(self.pg_interfaces)
3108 self.pg1.assert_nothing_captured()
3110 stats = self.get_err_counter(
3111 '/err/nat44-ed-out2in/drops due to TCP in transitory timeout')
3112 self.assertEqual(stats - out2in_drops, 1)
3113 stats = self.get_err_counter(
3114 '/err/nat44-ed-in2out/drops due to TCP in transitory timeout')
3115 self.assertEqual(stats - in2out_drops, 1)
3118 # extra ACK packet in -> out - this will cause session to be wiped
3119 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3120 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3121 TCP(sport=in_port, dport=ext_port,
3122 flags="A", seq=101, ack=301))
3123 self.pg0.add_stream(p)
3124 self.pg_enable_capture(self.pg_interfaces)
3126 self.pg1.assert_nothing_captured()
3127 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3128 self.assertEqual(len(sessions) - session_n, 0)
3130 def test_tcp_session_close_out(self):
3131 """ NAT44ED Close TCP session from outside network """
3133 in_port = self.tcp_port_in
3135 ext_port = self.tcp_external_port
3137 self.nat_add_address(self.nat_addr)
3138 self.nat_add_inside_interface(self.pg0)
3139 self.nat_add_outside_interface(self.pg1)
3140 self.nat_add_static_mapping(self.pg0.remote_ip4, self.nat_addr,
3141 in_port, out_port, proto=IP_PROTOS.tcp,
3142 flags=self.config_flags.NAT_IS_TWICE_NAT)
3144 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3145 session_n = len(sessions)
3147 self.vapi.nat_set_timeouts(udp=300, tcp_established=7440,
3148 tcp_transitory=2, icmp=5)
3150 _ = self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
3152 # FIN packet out -> in
3153 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3154 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3155 TCP(sport=ext_port, dport=out_port,
3156 flags="FA", seq=100, ack=300))
3157 self.pg1.add_stream(p)
3158 self.pg_enable_capture(self.pg_interfaces)
3160 self.pg0.get_capture(1)
3162 # FIN+ACK packet in -> out
3163 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3164 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3165 TCP(sport=in_port, dport=ext_port,
3166 flags="FA", seq=300, ack=101))
3168 self.pg0.add_stream(p)
3169 self.pg_enable_capture(self.pg_interfaces)
3171 self.pg1.get_capture(1)
3173 # ACK packet out -> in
3174 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3175 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3176 TCP(sport=ext_port, dport=out_port,
3177 flags="A", seq=101, ack=301))
3178 self.pg1.add_stream(p)
3179 self.pg_enable_capture(self.pg_interfaces)
3181 self.pg0.get_capture(1)
3183 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3184 self.assertEqual(len(sessions) - session_n, 1)
3186 out2in_drops = self.get_err_counter(
3187 '/err/nat44-ed-out2in/drops due to TCP in transitory timeout')
3188 in2out_drops = self.get_err_counter(
3189 '/err/nat44-ed-in2out/drops due to TCP in transitory timeout')
3191 # extra FIN packet out -> in - this should be dropped
3192 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3193 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3194 TCP(sport=ext_port, dport=out_port,
3195 flags="FA", seq=300, ack=101))
3197 self.pg1.add_stream(p)
3198 self.pg_enable_capture(self.pg_interfaces)
3200 self.pg0.assert_nothing_captured()
3202 # extra ACK packet in -> out - this should be dropped
3203 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3204 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3205 TCP(sport=in_port, dport=ext_port,
3206 flags="A", seq=101, ack=301))
3207 self.pg0.add_stream(p)
3208 self.pg_enable_capture(self.pg_interfaces)
3210 self.pg1.assert_nothing_captured()
3212 stats = self.get_err_counter(
3213 '/err/nat44-ed-out2in/drops due to TCP in transitory timeout')
3214 self.assertEqual(stats - out2in_drops, 1)
3215 stats = self.get_err_counter(
3216 '/err/nat44-ed-in2out/drops due to TCP in transitory timeout')
3217 self.assertEqual(stats - in2out_drops, 1)
3220 # extra ACK packet in -> out - this will cause session to be wiped
3221 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3222 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3223 TCP(sport=in_port, dport=ext_port,
3224 flags="A", seq=101, ack=301))
3225 self.pg0.add_stream(p)
3226 self.pg_enable_capture(self.pg_interfaces)
3228 self.pg1.assert_nothing_captured()
3229 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3230 self.assertEqual(len(sessions) - session_n, 0)
3232 def test_tcp_session_close_simultaneous(self):
3233 """ NAT44ED Close TCP session from inside network """
3235 in_port = self.tcp_port_in
3238 self.nat_add_address(self.nat_addr)
3239 self.nat_add_inside_interface(self.pg0)
3240 self.nat_add_outside_interface(self.pg1)
3241 self.nat_add_static_mapping(self.pg0.remote_ip4, self.nat_addr,
3242 in_port, ext_port, proto=IP_PROTOS.tcp,
3243 flags=self.config_flags.NAT_IS_TWICE_NAT)
3245 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3246 session_n = len(sessions)
3248 self.vapi.nat_set_timeouts(udp=300, tcp_established=7440,
3249 tcp_transitory=2, icmp=5)
3251 out_port = self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
3253 # FIN packet in -> out
3254 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3255 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3256 TCP(sport=in_port, dport=ext_port,
3257 flags="FA", seq=100, ack=300))
3258 self.pg0.add_stream(p)
3259 self.pg_enable_capture(self.pg_interfaces)
3261 self.pg1.get_capture(1)
3263 # FIN packet out -> in
3264 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3265 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3266 TCP(sport=ext_port, dport=out_port,
3267 flags="FA", seq=300, ack=100))
3268 self.pg1.add_stream(p)
3269 self.pg_enable_capture(self.pg_interfaces)
3271 self.pg0.get_capture(1)
3273 # ACK packet in -> out
3274 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3275 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3276 TCP(sport=in_port, dport=ext_port,
3277 flags="A", seq=101, ack=301))
3278 self.pg0.add_stream(p)
3279 self.pg_enable_capture(self.pg_interfaces)
3281 self.pg1.get_capture(1)
3283 # ACK packet out -> in
3284 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3285 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3286 TCP(sport=ext_port, dport=out_port,
3287 flags="A", seq=301, ack=101))
3288 self.pg1.add_stream(p)
3289 self.pg_enable_capture(self.pg_interfaces)
3291 self.pg0.get_capture(1)
3293 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3294 self.assertEqual(len(sessions) - session_n, 1)
3296 out2in_drops = self.get_err_counter(
3297 '/err/nat44-ed-out2in/drops due to TCP in transitory timeout')
3298 in2out_drops = self.get_err_counter(
3299 '/err/nat44-ed-in2out/drops due to TCP in transitory timeout')
3301 # extra FIN packet out -> in - this should be dropped
3302 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3303 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3304 TCP(sport=ext_port, dport=out_port,
3305 flags="FA", seq=300, ack=101))
3307 self.pg1.add_stream(p)
3308 self.pg_enable_capture(self.pg_interfaces)
3310 self.pg0.assert_nothing_captured()
3312 # extra ACK packet in -> out - this should be dropped
3313 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3314 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3315 TCP(sport=in_port, dport=ext_port,
3316 flags="A", seq=101, ack=301))
3317 self.pg0.add_stream(p)
3318 self.pg_enable_capture(self.pg_interfaces)
3320 self.pg1.assert_nothing_captured()
3322 stats = self.get_err_counter(
3323 '/err/nat44-ed-out2in/drops due to TCP in transitory timeout')
3324 self.assertEqual(stats - out2in_drops, 1)
3325 stats = self.get_err_counter(
3326 '/err/nat44-ed-in2out/drops due to TCP in transitory timeout')
3327 self.assertEqual(stats - in2out_drops, 1)
3330 # extra ACK packet in -> out - this will cause session to be wiped
3331 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3332 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3333 TCP(sport=in_port, dport=ext_port,
3334 flags="A", seq=101, ack=301))
3335 self.pg0.add_stream(p)
3336 self.pg_enable_capture(self.pg_interfaces)
3338 self.pg1.assert_nothing_captured()
3339 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3340 self.assertEqual(len(sessions) - session_n, 0)
3342 def test_dynamic_output_feature_vrf(self):
3343 """ NAT44ED dynamic translation test: output-feature, VRF"""
3345 # other then default (0)
3348 self.nat_add_address(self.nat_addr)
3349 flags = self.config_flags.NAT_IS_INSIDE
3350 self.vapi.nat44_interface_add_del_output_feature(
3351 sw_if_index=self.pg7.sw_if_index,
3352 flags=flags, is_add=1)
3353 self.vapi.nat44_interface_add_del_output_feature(
3354 sw_if_index=self.pg8.sw_if_index,
3358 self.configure_ip4_interface(self.pg7, table_id=new_vrf_id)
3359 self.configure_ip4_interface(self.pg8, table_id=new_vrf_id)
3362 tcpn = self.get_stats_counter(
3363 '/nat44-ed/in2out/slowpath/tcp')
3364 udpn = self.get_stats_counter(
3365 '/nat44-ed/in2out/slowpath/udp')
3366 icmpn = self.get_stats_counter(
3367 '/nat44-ed/in2out/slowpath/icmp')
3368 drops = self.get_stats_counter(
3369 '/nat44-ed/in2out/slowpath/drops')
3371 pkts = self.create_stream_in(self.pg7, self.pg8)
3372 self.pg7.add_stream(pkts)
3373 self.pg_enable_capture(self.pg_interfaces)
3375 capture = self.pg8.get_capture(len(pkts))
3376 self.verify_capture_out(capture, ignore_port=True)
3378 if_idx = self.pg7.sw_if_index
3379 cnt = self.get_stats_counter(
3380 '/nat44-ed/in2out/slowpath/tcp')
3381 self.assertEqual(cnt[if_idx] - tcpn[if_idx], 2)
3382 cnt = self.get_stats_counter(
3383 '/nat44-ed/in2out/slowpath/udp')
3384 self.assertEqual(cnt[if_idx] - udpn[if_idx], 1)
3385 cnt = self.get_stats_counter(
3386 '/nat44-ed/in2out/slowpath/icmp')
3387 self.assertEqual(cnt[if_idx] - icmpn[if_idx], 1)
3388 cnt = self.get_stats_counter(
3389 '/nat44-ed/in2out/slowpath/drops')
3390 self.assertEqual(cnt[if_idx] - drops[if_idx], 0)
3393 tcpn = self.get_stats_counter(
3394 '/nat44-ed/out2in/fastpath/tcp')
3395 udpn = self.get_stats_counter(
3396 '/nat44-ed/out2in/fastpath/udp')
3397 icmpn = self.get_stats_counter(
3398 '/nat44-ed/out2in/fastpath/icmp')
3399 drops = self.get_stats_counter(
3400 '/nat44-ed/out2in/fastpath/drops')
3402 pkts = self.create_stream_out(self.pg8)
3403 self.pg8.add_stream(pkts)
3404 self.pg_enable_capture(self.pg_interfaces)
3406 capture = self.pg7.get_capture(len(pkts))
3407 self.verify_capture_in(capture, self.pg7)
3409 if_idx = self.pg8.sw_if_index
3410 cnt = self.get_stats_counter(
3411 '/nat44-ed/out2in/fastpath/tcp')
3412 self.assertEqual(cnt[if_idx] - tcpn[if_idx], 2)
3413 cnt = self.get_stats_counter(
3414 '/nat44-ed/out2in/fastpath/udp')
3415 self.assertEqual(cnt[if_idx] - udpn[if_idx], 1)
3416 cnt = self.get_stats_counter(
3417 '/nat44-ed/out2in/fastpath/icmp')
3418 self.assertEqual(cnt[if_idx] - icmpn[if_idx], 1)
3419 cnt = self.get_stats_counter(
3420 '/nat44-ed/out2in/fastpath/drops')
3421 self.assertEqual(cnt[if_idx] - drops[if_idx], 0)
3423 sessions = self.get_stats_counter('/nat44-ed/total-sessions')
3424 self.assertEqual(sessions[0], 3)
3427 self.configure_ip4_interface(self.pg7, table_id=0)
3428 self.configure_ip4_interface(self.pg8, table_id=0)
3430 self.vapi.ip_table_add_del(is_add=0,
3431 table={'table_id': new_vrf_id})
3433 def test_next_src_nat(self):
3434 """ NAT44ED On way back forward packet to nat44-in2out node. """
3436 twice_nat_addr = '10.0.1.3'
3439 post_twice_nat_port = 0
3441 self.vapi.nat44_forwarding_enable_disable(enable=1)
3442 self.nat_add_address(twice_nat_addr, twice_nat=1)
3443 flags = (self.config_flags.NAT_IS_OUT2IN_ONLY |
3444 self.config_flags.NAT_IS_SELF_TWICE_NAT)
3445 self.nat_add_static_mapping(self.pg6.remote_ip4, self.pg1.remote_ip4,
3446 local_port, external_port,
3447 proto=IP_PROTOS.tcp, vrf_id=1,
3449 self.vapi.nat44_interface_add_del_feature(
3450 sw_if_index=self.pg6.sw_if_index,
3453 p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) /
3454 IP(src=self.pg6.remote_ip4, dst=self.pg1.remote_ip4) /
3455 TCP(sport=12345, dport=external_port))
3456 self.pg6.add_stream(p)
3457 self.pg_enable_capture(self.pg_interfaces)
3459 capture = self.pg6.get_capture(1)
3464 self.assertEqual(ip.src, twice_nat_addr)
3465 self.assertNotEqual(tcp.sport, 12345)
3466 post_twice_nat_port = tcp.sport
3467 self.assertEqual(ip.dst, self.pg6.remote_ip4)
3468 self.assertEqual(tcp.dport, local_port)
3469 self.assert_packet_checksums_valid(p)
3471 self.logger.error(ppp("Unexpected or invalid packet:", p))
3474 p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) /
3475 IP(src=self.pg6.remote_ip4, dst=twice_nat_addr) /
3476 TCP(sport=local_port, dport=post_twice_nat_port))
3477 self.pg6.add_stream(p)
3478 self.pg_enable_capture(self.pg_interfaces)
3480 capture = self.pg6.get_capture(1)
3485 self.assertEqual(ip.src, self.pg1.remote_ip4)
3486 self.assertEqual(tcp.sport, external_port)
3487 self.assertEqual(ip.dst, self.pg6.remote_ip4)
3488 self.assertEqual(tcp.dport, 12345)
3489 self.assert_packet_checksums_valid(p)
3491 self.logger.error(ppp("Unexpected or invalid packet:", p))
3494 def test_one_armed_nat44_static(self):
3495 """ NAT44ED One armed NAT and 1:1 NAPT asymmetrical rule """
3497 remote_host = self.pg4.remote_hosts[0]
3498 local_host = self.pg4.remote_hosts[1]
3503 self.vapi.nat44_forwarding_enable_disable(enable=1)
3504 self.nat_add_address(self.nat_addr, twice_nat=1)
3505 flags = (self.config_flags.NAT_IS_OUT2IN_ONLY |
3506 self.config_flags.NAT_IS_TWICE_NAT)
3507 self.nat_add_static_mapping(local_host.ip4, self.nat_addr,
3508 local_port, external_port,
3509 proto=IP_PROTOS.tcp, flags=flags)
3510 flags = self.config_flags.NAT_IS_INSIDE
3511 self.vapi.nat44_interface_add_del_feature(
3512 sw_if_index=self.pg4.sw_if_index,
3514 self.vapi.nat44_interface_add_del_feature(
3515 sw_if_index=self.pg4.sw_if_index,
3516 flags=flags, is_add=1)
3518 # from client to service
3519 p = (Ether(src=self.pg4.remote_mac, dst=self.pg4.local_mac) /
3520 IP(src=remote_host.ip4, dst=self.nat_addr) /
3521 TCP(sport=12345, dport=external_port))
3522 self.pg4.add_stream(p)
3523 self.pg_enable_capture(self.pg_interfaces)
3525 capture = self.pg4.get_capture(1)
3530 self.assertEqual(ip.dst, local_host.ip4)
3531 self.assertEqual(ip.src, self.nat_addr)
3532 self.assertEqual(tcp.dport, local_port)
3533 self.assertNotEqual(tcp.sport, 12345)
3534 eh_port_in = tcp.sport
3535 self.assert_packet_checksums_valid(p)
3537 self.logger.error(ppp("Unexpected or invalid packet:", p))
3540 # from service back to client
3541 p = (Ether(src=self.pg4.remote_mac, dst=self.pg4.local_mac) /
3542 IP(src=local_host.ip4, dst=self.nat_addr) /
3543 TCP(sport=local_port, dport=eh_port_in))
3544 self.pg4.add_stream(p)
3545 self.pg_enable_capture(self.pg_interfaces)
3547 capture = self.pg4.get_capture(1)
3552 self.assertEqual(ip.src, self.nat_addr)
3553 self.assertEqual(ip.dst, remote_host.ip4)
3554 self.assertEqual(tcp.sport, external_port)
3555 self.assertEqual(tcp.dport, 12345)
3556 self.assert_packet_checksums_valid(p)
3558 self.logger.error(ppp("Unexpected or invalid packet:", p))
3562 if __name__ == '__main__':
3563 unittest.main(testRunner=VppTestRunner)
Code Review / vpp.git / blob