5 from random import randint
8 from framework import tag_fixme_vpp_workers
9 from framework import VppTestCase, VppTestRunner
10 from scapy.data import IP_PROTOS
11 from scapy.layers.inet import IP, TCP, UDP, ICMP, GRE
12 from scapy.layers.inet import IPerror, TCPerror
13 from scapy.layers.l2 import Ether
14 from scapy.packet import Raw
15 from syslog_rfc5424_parser import SyslogMessage, ParseError
16 from syslog_rfc5424_parser.constants import SyslogSeverity
17 from util import ppp, ip4_range
18 from vpp_acl import AclRule, VppAcl, VppAclInterface
19 from vpp_ip_route import VppIpRoute, VppRoutePath
20 from vpp_papi import VppEnum
23 class NAT44EDTestCase(VppTestCase):
36 tcp_external_port = 80
41 super(NAT44EDTestCase, self).setUp()
45 super(NAT44EDTestCase, self).tearDown()
49 def plugin_enable(self):
50 self.vapi.nat44_ed_plugin_enable_disable(
51 sessions=self.max_sessions, enable=1)
53 def plugin_disable(self):
54 self.vapi.nat44_ed_plugin_enable_disable(enable=0)
57 def config_flags(self):
58 return VppEnum.vl_api_nat_config_flags_t
61 def nat44_config_flags(self):
62 return VppEnum.vl_api_nat44_config_flags_t
65 def syslog_severity(self):
66 return VppEnum.vl_api_syslog_severity_t
69 def server_addr(self):
70 return self.pg1.remote_hosts[0].ip4
74 return randint(1025, 65535)
77 def proto2layer(proto):
78 if proto == IP_PROTOS.tcp:
80 elif proto == IP_PROTOS.udp:
82 elif proto == IP_PROTOS.icmp:
85 raise Exception("Unsupported protocol")
88 def create_and_add_ip4_table(cls, i, table_id=0):
89 cls.vapi.ip_table_add_del(is_add=1, table={'table_id': table_id})
90 i.set_table_ip4(table_id)
93 def configure_ip4_interface(cls, i, hosts=0, table_id=None):
95 cls.create_and_add_ip4_table(i, table_id)
103 i.generate_remote_hosts(hosts)
104 i.configure_ipv4_neighbors()
107 def nat_add_interface_address(cls, i):
108 cls.vapi.nat44_add_del_interface_addr(
109 sw_if_index=i.sw_if_index, is_add=1)
111 def nat_add_inside_interface(self, i):
112 self.vapi.nat44_interface_add_del_feature(
113 flags=self.config_flags.NAT_IS_INSIDE,
114 sw_if_index=i.sw_if_index, is_add=1)
116 def nat_add_outside_interface(self, i):
117 self.vapi.nat44_interface_add_del_feature(
118 flags=self.config_flags.NAT_IS_OUTSIDE,
119 sw_if_index=i.sw_if_index, is_add=1)
121 def nat_add_address(self, address, twice_nat=0,
122 vrf_id=0xFFFFFFFF, is_add=1):
123 flags = self.config_flags.NAT_IS_TWICE_NAT if twice_nat else 0
124 self.vapi.nat44_add_del_address_range(first_ip_address=address,
125 last_ip_address=address,
130 def nat_add_static_mapping(self, local_ip, external_ip='0.0.0.0',
131 local_port=0, external_port=0, vrf_id=0,
132 is_add=1, external_sw_if_index=0xFFFFFFFF,
133 proto=0, tag="", flags=0):
135 if not (local_port and external_port):
136 flags |= self.config_flags.NAT_IS_ADDR_ONLY
138 self.vapi.nat44_add_del_static_mapping(
140 local_ip_address=local_ip,
141 external_ip_address=external_ip,
142 external_sw_if_index=external_sw_if_index,
143 local_port=local_port,
144 external_port=external_port,
145 vrf_id=vrf_id, protocol=proto,
151 super(NAT44EDTestCase, cls).setUpClass()
153 cls.create_pg_interfaces(range(12))
154 cls.interfaces = list(cls.pg_interfaces[:4])
156 cls.create_and_add_ip4_table(cls.pg2, 10)
158 for i in cls.interfaces:
159 cls.configure_ip4_interface(i, hosts=3)
161 # test specific (test-multiple-vrf)
162 cls.vapi.ip_table_add_del(is_add=1, table={'table_id': 1})
164 # test specific (test-one-armed-nat44-static)
165 cls.pg4.generate_remote_hosts(2)
167 cls.vapi.sw_interface_add_del_address(
168 sw_if_index=cls.pg4.sw_if_index,
169 prefix="10.0.0.1/24")
171 cls.pg4.resolve_arp()
172 cls.pg4._remote_hosts[1]._ip4 = cls.pg4._remote_hosts[0]._ip4
173 cls.pg4.resolve_arp()
175 # test specific interface (pg5)
176 cls.pg5._local_ip4 = "10.1.1.1"
177 cls.pg5._remote_hosts[0]._ip4 = "10.1.1.2"
178 cls.pg5.set_table_ip4(1)
181 cls.pg5.resolve_arp()
183 # test specific interface (pg6)
184 cls.pg6._local_ip4 = "10.1.2.1"
185 cls.pg6._remote_hosts[0]._ip4 = "10.1.2.2"
186 cls.pg6.set_table_ip4(1)
189 cls.pg6.resolve_arp()
193 rl.append(VppIpRoute(cls, "0.0.0.0", 0,
194 [VppRoutePath("0.0.0.0", 0xffffffff,
196 register=False, table_id=1))
197 rl.append(VppIpRoute(cls, "0.0.0.0", 0,
198 [VppRoutePath(cls.pg1.local_ip4,
199 cls.pg1.sw_if_index)],
201 rl.append(VppIpRoute(cls, cls.pg5.remote_ip4, 32,
202 [VppRoutePath("0.0.0.0",
203 cls.pg5.sw_if_index)],
204 register=False, table_id=1))
205 rl.append(VppIpRoute(cls, cls.pg6.remote_ip4, 32,
206 [VppRoutePath("0.0.0.0",
207 cls.pg6.sw_if_index)],
208 register=False, table_id=1))
209 rl.append(VppIpRoute(cls, cls.pg6.remote_ip4, 16,
210 [VppRoutePath("0.0.0.0", 0xffffffff,
212 register=False, table_id=0))
217 def get_err_counter(self, path):
218 return self.statistics.get_err_counter(path)
220 def get_stats_counter(self, path, worker=0):
221 return self.statistics.get_counter(path)[worker]
223 def reass_hairpinning(self, server_addr, server_in_port, server_out_port,
224 host_in_port, proto=IP_PROTOS.tcp,
226 layer = self.proto2layer(proto)
228 if proto == IP_PROTOS.tcp:
229 data = b"A" * 4 + b"B" * 16 + b"C" * 3
231 data = b"A" * 16 + b"B" * 16 + b"C" * 3
233 # send packet from host to server
234 pkts = self.create_stream_frag(self.pg0,
240 self.pg0.add_stream(pkts)
241 self.pg_enable_capture(self.pg_interfaces)
243 frags = self.pg0.get_capture(len(pkts))
244 p = self.reass_frags_and_verify(frags,
247 if proto != IP_PROTOS.icmp:
249 self.assertNotEqual(p[layer].sport, host_in_port)
250 self.assertEqual(p[layer].dport, server_in_port)
253 self.assertNotEqual(p[layer].id, host_in_port)
254 self.assertEqual(data, p[Raw].load)
256 def frag_out_of_order(self, proto=IP_PROTOS.tcp, dont_translate=False,
258 layer = self.proto2layer(proto)
260 if proto == IP_PROTOS.tcp:
261 data = b"A" * 4 + b"B" * 16 + b"C" * 3
263 data = b"A" * 16 + b"B" * 16 + b"C" * 3
264 self.port_in = self.random_port()
268 pkts = self.create_stream_frag(self.pg0, self.pg1.remote_ip4,
269 self.port_in, 20, data, proto)
271 self.pg0.add_stream(pkts)
272 self.pg_enable_capture(self.pg_interfaces)
274 frags = self.pg1.get_capture(len(pkts))
275 if not dont_translate:
276 p = self.reass_frags_and_verify(frags,
280 p = self.reass_frags_and_verify(frags,
283 if proto != IP_PROTOS.icmp:
284 if not dont_translate:
285 self.assertEqual(p[layer].dport, 20)
287 self.assertNotEqual(p[layer].sport, self.port_in)
289 self.assertEqual(p[layer].sport, self.port_in)
292 if not dont_translate:
293 self.assertNotEqual(p[layer].id, self.port_in)
295 self.assertEqual(p[layer].id, self.port_in)
296 self.assertEqual(data, p[Raw].load)
299 if not dont_translate:
300 dst_addr = self.nat_addr
302 dst_addr = self.pg0.remote_ip4
303 if proto != IP_PROTOS.icmp:
305 dport = p[layer].sport
309 pkts = self.create_stream_frag(self.pg1, dst_addr, sport, dport,
310 data, proto, echo_reply=True)
312 self.pg1.add_stream(pkts)
313 self.pg_enable_capture(self.pg_interfaces)
314 self.logger.info(self.vapi.cli("show trace"))
316 frags = self.pg0.get_capture(len(pkts))
317 p = self.reass_frags_and_verify(frags,
320 if proto != IP_PROTOS.icmp:
321 self.assertEqual(p[layer].sport, 20)
322 self.assertEqual(p[layer].dport, self.port_in)
324 self.assertEqual(p[layer].id, self.port_in)
325 self.assertEqual(data, p[Raw].load)
327 def reass_frags_and_verify(self, frags, src, dst):
330 self.assertEqual(p[IP].src, src)
331 self.assertEqual(p[IP].dst, dst)
332 self.assert_ip_checksum_valid(p)
333 buffer.seek(p[IP].frag * 8)
334 buffer.write(bytes(p[IP].payload))
335 ip = IP(src=frags[0][IP].src, dst=frags[0][IP].dst,
336 proto=frags[0][IP].proto)
337 if ip.proto == IP_PROTOS.tcp:
338 p = (ip / TCP(buffer.getvalue()))
339 self.logger.debug(ppp("Reassembled:", p))
340 self.assert_tcp_checksum_valid(p)
341 elif ip.proto == IP_PROTOS.udp:
342 p = (ip / UDP(buffer.getvalue()[:8]) /
343 Raw(buffer.getvalue()[8:]))
344 elif ip.proto == IP_PROTOS.icmp:
345 p = (ip / ICMP(buffer.getvalue()))
348 def frag_in_order(self, proto=IP_PROTOS.tcp, dont_translate=False,
350 layer = self.proto2layer(proto)
352 if proto == IP_PROTOS.tcp:
353 data = b"A" * 4 + b"B" * 16 + b"C" * 3
355 data = b"A" * 16 + b"B" * 16 + b"C" * 3
356 self.port_in = self.random_port()
359 pkts = self.create_stream_frag(self.pg0, self.pg1.remote_ip4,
360 self.port_in, 20, data, proto)
361 self.pg0.add_stream(pkts)
362 self.pg_enable_capture(self.pg_interfaces)
364 frags = self.pg1.get_capture(len(pkts))
365 if not dont_translate:
366 p = self.reass_frags_and_verify(frags,
370 p = self.reass_frags_and_verify(frags,
373 if proto != IP_PROTOS.icmp:
374 if not dont_translate:
375 self.assertEqual(p[layer].dport, 20)
377 self.assertNotEqual(p[layer].sport, self.port_in)
379 self.assertEqual(p[layer].sport, self.port_in)
382 if not dont_translate:
383 self.assertNotEqual(p[layer].id, self.port_in)
385 self.assertEqual(p[layer].id, self.port_in)
386 self.assertEqual(data, p[Raw].load)
389 if not dont_translate:
390 dst_addr = self.nat_addr
392 dst_addr = self.pg0.remote_ip4
393 if proto != IP_PROTOS.icmp:
395 dport = p[layer].sport
399 pkts = self.create_stream_frag(self.pg1, dst_addr, sport, dport, data,
400 proto, echo_reply=True)
401 self.pg1.add_stream(pkts)
402 self.pg_enable_capture(self.pg_interfaces)
404 frags = self.pg0.get_capture(len(pkts))
405 p = self.reass_frags_and_verify(frags,
408 if proto != IP_PROTOS.icmp:
409 self.assertEqual(p[layer].sport, 20)
410 self.assertEqual(p[layer].dport, self.port_in)
412 self.assertEqual(p[layer].id, self.port_in)
413 self.assertEqual(data, p[Raw].load)
415 def verify_capture_out(self, capture, nat_ip=None, same_port=False,
416 dst_ip=None, ignore_port=False):
418 nat_ip = self.nat_addr
419 for packet in capture:
421 self.assert_packet_checksums_valid(packet)
422 self.assertEqual(packet[IP].src, nat_ip)
423 if dst_ip is not None:
424 self.assertEqual(packet[IP].dst, dst_ip)
425 if packet.haslayer(TCP):
429 packet[TCP].sport, self.tcp_port_in)
432 packet[TCP].sport, self.tcp_port_in)
433 self.tcp_port_out = packet[TCP].sport
434 self.assert_packet_checksums_valid(packet)
435 elif packet.haslayer(UDP):
439 packet[UDP].sport, self.udp_port_in)
442 packet[UDP].sport, self.udp_port_in)
443 self.udp_port_out = packet[UDP].sport
448 packet[ICMP].id, self.icmp_id_in)
451 packet[ICMP].id, self.icmp_id_in)
452 self.icmp_id_out = packet[ICMP].id
453 self.assert_packet_checksums_valid(packet)
455 self.logger.error(ppp("Unexpected or invalid packet "
456 "(outside network):", packet))
459 def verify_capture_in(self, capture, in_if):
460 for packet in capture:
462 self.assert_packet_checksums_valid(packet)
463 self.assertEqual(packet[IP].dst, in_if.remote_ip4)
464 if packet.haslayer(TCP):
465 self.assertEqual(packet[TCP].dport, self.tcp_port_in)
466 elif packet.haslayer(UDP):
467 self.assertEqual(packet[UDP].dport, self.udp_port_in)
469 self.assertEqual(packet[ICMP].id, self.icmp_id_in)
471 self.logger.error(ppp("Unexpected or invalid packet "
472 "(inside network):", packet))
475 def create_stream_in(self, in_if, out_if, dst_ip=None, ttl=64):
477 dst_ip = out_if.remote_ip4
481 p = (Ether(dst=in_if.local_mac, src=in_if.remote_mac) /
482 IP(src=in_if.remote_ip4, dst=dst_ip, ttl=ttl) /
483 TCP(sport=self.tcp_port_in, dport=20))
487 p = (Ether(dst=in_if.local_mac, src=in_if.remote_mac) /
488 IP(src=in_if.remote_ip4, dst=dst_ip, ttl=ttl) /
489 UDP(sport=self.udp_port_in, dport=20))
493 p = (Ether(dst=in_if.local_mac, src=in_if.remote_mac) /
494 IP(src=in_if.remote_ip4, dst=dst_ip, ttl=ttl) /
495 ICMP(id=self.icmp_id_in, type='echo-request'))
500 def create_stream_out(self, out_if, dst_ip=None, ttl=64,
501 use_inside_ports=False):
503 dst_ip = self.nat_addr
504 if not use_inside_ports:
505 tcp_port = self.tcp_port_out
506 udp_port = self.udp_port_out
507 icmp_id = self.icmp_id_out
509 tcp_port = self.tcp_port_in
510 udp_port = self.udp_port_in
511 icmp_id = self.icmp_id_in
514 p = (Ether(dst=out_if.local_mac, src=out_if.remote_mac) /
515 IP(src=out_if.remote_ip4, dst=dst_ip, ttl=ttl) /
516 TCP(dport=tcp_port, sport=20))
520 p = (Ether(dst=out_if.local_mac, src=out_if.remote_mac) /
521 IP(src=out_if.remote_ip4, dst=dst_ip, ttl=ttl) /
522 UDP(dport=udp_port, sport=20))
526 p = (Ether(dst=out_if.local_mac, src=out_if.remote_mac) /
527 IP(src=out_if.remote_ip4, dst=dst_ip, ttl=ttl) /
528 ICMP(id=icmp_id, type='echo-reply'))
533 def create_tcp_stream(self, in_if, out_if, count):
537 for i in range(count):
538 p = (Ether(dst=in_if.local_mac, src=in_if.remote_mac) /
539 IP(src=in_if.remote_ip4, dst=out_if.remote_ip4, ttl=64) /
540 TCP(sport=port + i, dport=20))
545 def create_stream_frag(self, src_if, dst, sport, dport, data,
546 proto=IP_PROTOS.tcp, echo_reply=False):
547 if proto == IP_PROTOS.tcp:
548 p = (IP(src=src_if.remote_ip4, dst=dst) /
549 TCP(sport=sport, dport=dport) /
551 p = p.__class__(scapy.compat.raw(p))
552 chksum = p[TCP].chksum
553 proto_header = TCP(sport=sport, dport=dport, chksum=chksum)
554 elif proto == IP_PROTOS.udp:
555 proto_header = UDP(sport=sport, dport=dport)
556 elif proto == IP_PROTOS.icmp:
558 proto_header = ICMP(id=sport, type='echo-request')
560 proto_header = ICMP(id=sport, type='echo-reply')
562 raise Exception("Unsupported protocol")
563 id = self.random_port()
565 if proto == IP_PROTOS.tcp:
568 raw = Raw(data[0:16])
569 p = (Ether(src=src_if.remote_mac, dst=src_if.local_mac) /
570 IP(src=src_if.remote_ip4, dst=dst, flags="MF", frag=0, id=id) /
574 if proto == IP_PROTOS.tcp:
575 raw = Raw(data[4:20])
577 raw = Raw(data[16:32])
578 p = (Ether(src=src_if.remote_mac, dst=src_if.local_mac) /
579 IP(src=src_if.remote_ip4, dst=dst, flags="MF", frag=3, id=id,
583 if proto == IP_PROTOS.tcp:
587 p = (Ether(src=src_if.remote_mac, dst=src_if.local_mac) /
588 IP(src=src_if.remote_ip4, dst=dst, frag=5, proto=proto,
594 def frag_in_order_in_plus_out(self, in_addr, out_addr, in_port, out_port,
595 proto=IP_PROTOS.tcp):
597 layer = self.proto2layer(proto)
599 if proto == IP_PROTOS.tcp:
600 data = b"A" * 4 + b"B" * 16 + b"C" * 3
602 data = b"A" * 16 + b"B" * 16 + b"C" * 3
603 port_in = self.random_port()
607 pkts = self.create_stream_frag(self.pg0, out_addr,
610 self.pg0.add_stream(pkts)
611 self.pg_enable_capture(self.pg_interfaces)
613 frags = self.pg1.get_capture(len(pkts))
614 p = self.reass_frags_and_verify(frags,
617 if proto != IP_PROTOS.icmp:
618 self.assertEqual(p[layer].sport, port_in)
619 self.assertEqual(p[layer].dport, in_port)
621 self.assertEqual(p[layer].id, port_in)
622 self.assertEqual(data, p[Raw].load)
625 if proto != IP_PROTOS.icmp:
626 pkts = self.create_stream_frag(self.pg1, self.pg0.remote_ip4,
628 p[layer].sport, data, proto)
630 pkts = self.create_stream_frag(self.pg1, self.pg0.remote_ip4,
631 p[layer].id, 0, data, proto,
633 self.pg1.add_stream(pkts)
634 self.pg_enable_capture(self.pg_interfaces)
636 frags = self.pg0.get_capture(len(pkts))
637 p = self.reass_frags_and_verify(frags,
640 if proto != IP_PROTOS.icmp:
641 self.assertEqual(p[layer].sport, out_port)
642 self.assertEqual(p[layer].dport, port_in)
644 self.assertEqual(p[layer].id, port_in)
645 self.assertEqual(data, p[Raw].load)
647 def frag_out_of_order_in_plus_out(self, in_addr, out_addr, in_port,
648 out_port, proto=IP_PROTOS.tcp):
650 layer = self.proto2layer(proto)
652 if proto == IP_PROTOS.tcp:
653 data = b"A" * 4 + b"B" * 16 + b"C" * 3
655 data = b"A" * 16 + b"B" * 16 + b"C" * 3
656 port_in = self.random_port()
660 pkts = self.create_stream_frag(self.pg0, out_addr,
664 self.pg0.add_stream(pkts)
665 self.pg_enable_capture(self.pg_interfaces)
667 frags = self.pg1.get_capture(len(pkts))
668 p = self.reass_frags_and_verify(frags,
671 if proto != IP_PROTOS.icmp:
672 self.assertEqual(p[layer].dport, in_port)
673 self.assertEqual(p[layer].sport, port_in)
674 self.assertEqual(p[layer].dport, in_port)
676 self.assertEqual(p[layer].id, port_in)
677 self.assertEqual(data, p[Raw].load)
680 if proto != IP_PROTOS.icmp:
681 pkts = self.create_stream_frag(self.pg1, self.pg0.remote_ip4,
683 p[layer].sport, data, proto)
685 pkts = self.create_stream_frag(self.pg1, self.pg0.remote_ip4,
686 p[layer].id, 0, data, proto,
689 self.pg1.add_stream(pkts)
690 self.pg_enable_capture(self.pg_interfaces)
692 frags = self.pg0.get_capture(len(pkts))
693 p = self.reass_frags_and_verify(frags,
696 if proto != IP_PROTOS.icmp:
697 self.assertEqual(p[layer].sport, out_port)
698 self.assertEqual(p[layer].dport, port_in)
700 self.assertEqual(p[layer].id, port_in)
701 self.assertEqual(data, p[Raw].load)
703 def init_tcp_session(self, in_if, out_if, in_port, ext_port):
705 p = (Ether(src=in_if.remote_mac, dst=in_if.local_mac) /
706 IP(src=in_if.remote_ip4, dst=out_if.remote_ip4) /
707 TCP(sport=in_port, dport=ext_port, flags="S"))
709 self.pg_enable_capture(self.pg_interfaces)
711 capture = out_if.get_capture(1)
713 out_port = p[TCP].sport
715 # SYN + ACK packet out->in
716 p = (Ether(src=out_if.remote_mac, dst=out_if.local_mac) /
717 IP(src=out_if.remote_ip4, dst=self.nat_addr) /
718 TCP(sport=ext_port, dport=out_port, flags="SA"))
720 self.pg_enable_capture(self.pg_interfaces)
725 p = (Ether(src=in_if.remote_mac, dst=in_if.local_mac) /
726 IP(src=in_if.remote_ip4, dst=out_if.remote_ip4) /
727 TCP(sport=in_port, dport=ext_port, flags="A"))
729 self.pg_enable_capture(self.pg_interfaces)
731 out_if.get_capture(1)
735 def twice_nat_common(self, self_twice_nat=False, same_pg=False, lb=False,
737 twice_nat_addr = '10.0.1.3'
745 port_in1 = port_in + 1
746 port_in2 = port_in + 2
751 server1 = self.pg0.remote_hosts[0]
752 server2 = self.pg0.remote_hosts[1]
764 eh_translate = ((not self_twice_nat) or (not lb and same_pg) or
767 self.nat_add_address(self.nat_addr)
768 self.nat_add_address(twice_nat_addr, twice_nat=1)
772 flags |= self.config_flags.NAT_IS_SELF_TWICE_NAT
774 flags |= self.config_flags.NAT_IS_TWICE_NAT
777 self.nat_add_static_mapping(pg0.remote_ip4, self.nat_addr,
782 locals = [{'addr': server1.ip4,
786 {'addr': server2.ip4,
790 out_addr = self.nat_addr
792 self.vapi.nat44_add_del_lb_static_mapping(is_add=1, flags=flags,
793 external_addr=out_addr,
794 external_port=port_out,
795 protocol=IP_PROTOS.tcp,
796 local_num=len(locals),
798 self.nat_add_inside_interface(pg0)
799 self.nat_add_outside_interface(pg1)
805 assert client_id is not None
807 client = self.pg0.remote_hosts[0]
809 client = self.pg0.remote_hosts[1]
811 client = pg1.remote_hosts[0]
812 p = (Ether(src=pg1.remote_mac, dst=pg1.local_mac) /
813 IP(src=client.ip4, dst=self.nat_addr) /
814 TCP(sport=eh_port_out, dport=port_out))
816 self.pg_enable_capture(self.pg_interfaces)
818 capture = pg0.get_capture(1)
824 if ip.dst == server1.ip4:
830 self.assertEqual(ip.dst, server.ip4)
832 self.assertIn(tcp.dport, [port_in1, port_in2])
834 self.assertEqual(tcp.dport, port_in)
836 self.assertEqual(ip.src, twice_nat_addr)
837 self.assertNotEqual(tcp.sport, eh_port_out)
839 self.assertEqual(ip.src, client.ip4)
840 self.assertEqual(tcp.sport, eh_port_out)
842 eh_port_in = tcp.sport
843 saved_port_in = tcp.dport
844 self.assert_packet_checksums_valid(p)
846 self.logger.error(ppp("Unexpected or invalid packet:", p))
849 p = (Ether(src=server.mac, dst=pg0.local_mac) /
850 IP(src=server.ip4, dst=eh_addr_in) /
851 TCP(sport=saved_port_in, dport=eh_port_in))
853 self.pg_enable_capture(self.pg_interfaces)
855 capture = pg1.get_capture(1)
860 self.assertEqual(ip.dst, client.ip4)
861 self.assertEqual(ip.src, self.nat_addr)
862 self.assertEqual(tcp.dport, eh_port_out)
863 self.assertEqual(tcp.sport, port_out)
864 self.assert_packet_checksums_valid(p)
866 self.logger.error(ppp("Unexpected or invalid packet:", p))
870 sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
871 self.assertEqual(len(sessions), 1)
872 self.assertTrue(sessions[0].flags &
873 self.config_flags.NAT_IS_EXT_HOST_VALID)
874 self.assertTrue(sessions[0].flags &
875 self.config_flags.NAT_IS_TWICE_NAT)
876 self.logger.info(self.vapi.cli("show nat44 sessions"))
877 self.vapi.nat44_del_session(
878 address=sessions[0].inside_ip_address,
879 port=sessions[0].inside_port,
880 protocol=sessions[0].protocol,
881 flags=(self.config_flags.NAT_IS_INSIDE |
882 self.config_flags.NAT_IS_EXT_HOST_VALID),
883 ext_host_address=sessions[0].ext_host_nat_address,
884 ext_host_port=sessions[0].ext_host_nat_port)
885 sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
886 self.assertEqual(len(sessions), 0)
888 def verify_syslog_sess(self, data, is_add=True, is_ip6=False):
889 message = data.decode('utf-8')
891 message = SyslogMessage.parse(message)
892 except ParseError as e:
896 self.assertEqual(message.severity, SyslogSeverity.info)
897 self.assertEqual(message.appname, 'NAT')
898 self.assertEqual(message.msgid, 'SADD' if is_add else 'SDEL')
899 sd_params = message.sd.get('nsess')
900 self.assertTrue(sd_params is not None)
902 self.assertEqual(sd_params.get('IATYP'), 'IPv6')
903 self.assertEqual(sd_params.get('ISADDR'), self.pg0.remote_ip6)
905 self.assertEqual(sd_params.get('IATYP'), 'IPv4')
906 self.assertEqual(sd_params.get('ISADDR'), self.pg0.remote_ip4)
907 self.assertTrue(sd_params.get('SSUBIX') is not None)
908 self.assertEqual(sd_params.get('ISPORT'), "%d" % self.tcp_port_in)
909 self.assertEqual(sd_params.get('XATYP'), 'IPv4')
910 self.assertEqual(sd_params.get('XSADDR'), self.nat_addr)
911 self.assertEqual(sd_params.get('XSPORT'), "%d" % self.tcp_port_out)
912 self.assertEqual(sd_params.get('PROTO'), "%d" % IP_PROTOS.tcp)
913 self.assertEqual(sd_params.get('SVLAN'), '0')
914 self.assertEqual(sd_params.get('XDADDR'), self.pg1.remote_ip4)
915 self.assertEqual(sd_params.get('XDPORT'),
916 "%d" % self.tcp_external_port)
919 class TestNAT44ED(NAT44EDTestCase):
920 """ NAT44ED Test Case """
922 def test_users_dump(self):
923 """ NAT44ED API test - nat44_user_dump """
925 self.nat_add_address(self.nat_addr)
926 self.nat_add_inside_interface(self.pg0)
927 self.nat_add_outside_interface(self.pg1)
929 self.vapi.nat44_forwarding_enable_disable(enable=1)
931 local_ip = self.pg0.remote_ip4
932 external_ip = self.nat_addr
933 self.nat_add_static_mapping(local_ip, external_ip)
935 users = self.vapi.nat44_user_dump()
936 self.assertEqual(len(users), 0)
938 # in2out - static mapping match
940 pkts = self.create_stream_out(self.pg1)
941 self.pg1.add_stream(pkts)
942 self.pg_enable_capture(self.pg_interfaces)
944 capture = self.pg0.get_capture(len(pkts))
945 self.verify_capture_in(capture, self.pg0)
947 pkts = self.create_stream_in(self.pg0, self.pg1)
948 self.pg0.add_stream(pkts)
949 self.pg_enable_capture(self.pg_interfaces)
951 capture = self.pg1.get_capture(len(pkts))
952 self.verify_capture_out(capture, same_port=True)
954 users = self.vapi.nat44_user_dump()
955 self.assertEqual(len(users), 1)
956 static_user = users[0]
957 self.assertEqual(static_user.nstaticsessions, 3)
958 self.assertEqual(static_user.nsessions, 0)
960 # in2out - no static mapping match (forwarding test)
962 host0 = self.pg0.remote_hosts[0]
963 self.pg0.remote_hosts[0] = self.pg0.remote_hosts[1]
965 pkts = self.create_stream_out(self.pg1,
966 dst_ip=self.pg0.remote_ip4,
967 use_inside_ports=True)
968 self.pg1.add_stream(pkts)
969 self.pg_enable_capture(self.pg_interfaces)
971 capture = self.pg0.get_capture(len(pkts))
972 self.verify_capture_in(capture, self.pg0)
974 pkts = self.create_stream_in(self.pg0, self.pg1)
975 self.pg0.add_stream(pkts)
976 self.pg_enable_capture(self.pg_interfaces)
978 capture = self.pg1.get_capture(len(pkts))
979 self.verify_capture_out(capture, nat_ip=self.pg0.remote_ip4,
982 self.pg0.remote_hosts[0] = host0
984 users = self.vapi.nat44_user_dump()
985 self.assertEqual(len(users), 2)
986 if str(users[0].ip_address) == self.pg0.remote_hosts[0].ip4:
987 non_static_user = users[1]
988 static_user = users[0]
990 non_static_user = users[0]
991 static_user = users[1]
992 self.assertEqual(static_user.nstaticsessions, 3)
993 self.assertEqual(static_user.nsessions, 0)
994 self.assertEqual(non_static_user.nstaticsessions, 0)
995 self.assertEqual(non_static_user.nsessions, 3)
997 users = self.vapi.nat44_user_dump()
998 self.assertEqual(len(users), 2)
999 if str(users[0].ip_address) == self.pg0.remote_hosts[0].ip4:
1000 non_static_user = users[1]
1001 static_user = users[0]
1003 non_static_user = users[0]
1004 static_user = users[1]
1005 self.assertEqual(static_user.nstaticsessions, 3)
1006 self.assertEqual(static_user.nsessions, 0)
1007 self.assertEqual(non_static_user.nstaticsessions, 0)
1008 self.assertEqual(non_static_user.nsessions, 3)
1010 def test_frag_out_of_order_do_not_translate(self):
1011 """ NAT44ED don't translate fragments arriving out of order """
1012 self.nat_add_inside_interface(self.pg0)
1013 self.nat_add_outside_interface(self.pg1)
1014 self.vapi.nat44_forwarding_enable_disable(enable=True)
1015 self.frag_out_of_order(proto=IP_PROTOS.tcp, dont_translate=True)
1017 def test_forwarding(self):
1018 """ NAT44ED forwarding test """
1020 self.nat_add_inside_interface(self.pg0)
1021 self.nat_add_outside_interface(self.pg1)
1022 self.vapi.nat44_forwarding_enable_disable(enable=1)
1024 real_ip = self.pg0.remote_ip4
1025 alias_ip = self.nat_addr
1026 flags = self.config_flags.NAT_IS_ADDR_ONLY
1027 self.vapi.nat44_add_del_static_mapping(is_add=1,
1028 local_ip_address=real_ip,
1029 external_ip_address=alias_ip,
1030 external_sw_if_index=0xFFFFFFFF,
1034 # in2out - static mapping match
1036 pkts = self.create_stream_out(self.pg1)
1037 self.pg1.add_stream(pkts)
1038 self.pg_enable_capture(self.pg_interfaces)
1040 capture = self.pg0.get_capture(len(pkts))
1041 self.verify_capture_in(capture, self.pg0)
1043 pkts = self.create_stream_in(self.pg0, self.pg1)
1044 self.pg0.add_stream(pkts)
1045 self.pg_enable_capture(self.pg_interfaces)
1047 capture = self.pg1.get_capture(len(pkts))
1048 self.verify_capture_out(capture, same_port=True)
1050 # in2out - no static mapping match
1052 host0 = self.pg0.remote_hosts[0]
1053 self.pg0.remote_hosts[0] = self.pg0.remote_hosts[1]
1055 pkts = self.create_stream_out(self.pg1,
1056 dst_ip=self.pg0.remote_ip4,
1057 use_inside_ports=True)
1058 self.pg1.add_stream(pkts)
1059 self.pg_enable_capture(self.pg_interfaces)
1061 capture = self.pg0.get_capture(len(pkts))
1062 self.verify_capture_in(capture, self.pg0)
1064 pkts = self.create_stream_in(self.pg0, self.pg1)
1065 self.pg0.add_stream(pkts)
1066 self.pg_enable_capture(self.pg_interfaces)
1068 capture = self.pg1.get_capture(len(pkts))
1069 self.verify_capture_out(capture, nat_ip=self.pg0.remote_ip4,
1072 self.pg0.remote_hosts[0] = host0
1074 user = self.pg0.remote_hosts[1]
1075 sessions = self.vapi.nat44_user_session_dump(user.ip4, 0)
1076 self.assertEqual(len(sessions), 3)
1077 self.assertTrue(sessions[0].flags &
1078 self.config_flags.NAT_IS_EXT_HOST_VALID)
1079 self.vapi.nat44_del_session(
1080 address=sessions[0].inside_ip_address,
1081 port=sessions[0].inside_port,
1082 protocol=sessions[0].protocol,
1083 flags=(self.config_flags.NAT_IS_INSIDE |
1084 self.config_flags.NAT_IS_EXT_HOST_VALID),
1085 ext_host_address=sessions[0].ext_host_address,
1086 ext_host_port=sessions[0].ext_host_port)
1087 sessions = self.vapi.nat44_user_session_dump(user.ip4, 0)
1088 self.assertEqual(len(sessions), 2)
1091 self.vapi.nat44_forwarding_enable_disable(enable=0)
1092 flags = self.config_flags.NAT_IS_ADDR_ONLY
1093 self.vapi.nat44_add_del_static_mapping(
1095 local_ip_address=real_ip,
1096 external_ip_address=alias_ip,
1097 external_sw_if_index=0xFFFFFFFF,
1100 def test_output_feature_and_service2(self):
1101 """ NAT44ED interface output feature and service host direct access """
1102 self.vapi.nat44_forwarding_enable_disable(enable=1)
1103 self.nat_add_address(self.nat_addr)
1105 self.vapi.nat44_interface_add_del_output_feature(
1106 sw_if_index=self.pg1.sw_if_index, is_add=1,)
1108 # session initiated from service host - translate
1109 pkts = self.create_stream_in(self.pg0, self.pg1)
1110 self.pg0.add_stream(pkts)
1111 self.pg_enable_capture(self.pg_interfaces)
1113 capture = self.pg1.get_capture(len(pkts))
1114 self.verify_capture_out(capture, ignore_port=True)
1116 pkts = self.create_stream_out(self.pg1)
1117 self.pg1.add_stream(pkts)
1118 self.pg_enable_capture(self.pg_interfaces)
1120 capture = self.pg0.get_capture(len(pkts))
1121 self.verify_capture_in(capture, self.pg0)
1123 # session initiated from remote host - do not translate
1124 tcp_port_in = self.tcp_port_in
1125 udp_port_in = self.udp_port_in
1126 icmp_id_in = self.icmp_id_in
1128 self.tcp_port_in = 60303
1129 self.udp_port_in = 60304
1130 self.icmp_id_in = 60305
1133 pkts = self.create_stream_out(self.pg1,
1134 self.pg0.remote_ip4,
1135 use_inside_ports=True)
1136 self.pg1.add_stream(pkts)
1137 self.pg_enable_capture(self.pg_interfaces)
1139 capture = self.pg0.get_capture(len(pkts))
1140 self.verify_capture_in(capture, self.pg0)
1142 pkts = self.create_stream_in(self.pg0, self.pg1)
1143 self.pg0.add_stream(pkts)
1144 self.pg_enable_capture(self.pg_interfaces)
1146 capture = self.pg1.get_capture(len(pkts))
1147 self.verify_capture_out(capture, nat_ip=self.pg0.remote_ip4,
1150 self.tcp_port_in = tcp_port_in
1151 self.udp_port_in = udp_port_in
1152 self.icmp_id_in = icmp_id_in
1154 def test_twice_nat(self):
1155 """ NAT44ED Twice NAT """
1156 self.twice_nat_common()
1158 def test_self_twice_nat_positive(self):
1159 """ NAT44ED Self Twice NAT (positive test) """
1160 self.twice_nat_common(self_twice_nat=True, same_pg=True)
1162 def test_self_twice_nat_lb_positive(self):
1163 """ NAT44ED Self Twice NAT local service load balancing (positive test)
1165 self.twice_nat_common(lb=True, self_twice_nat=True, same_pg=True,
1168 def test_twice_nat_lb(self):
1169 """ NAT44ED Twice NAT local service load balancing """
1170 self.twice_nat_common(lb=True)
1172 def test_output_feature(self):
1173 """ NAT44ED interface output feature (in2out postrouting) """
1174 self.vapi.nat44_forwarding_enable_disable(enable=1)
1175 self.nat_add_address(self.nat_addr)
1177 self.nat_add_outside_interface(self.pg0)
1178 self.vapi.nat44_interface_add_del_output_feature(
1179 sw_if_index=self.pg1.sw_if_index, is_add=1)
1182 pkts = self.create_stream_in(self.pg0, self.pg1)
1183 self.pg0.add_stream(pkts)
1184 self.pg_enable_capture(self.pg_interfaces)
1186 capture = self.pg1.get_capture(len(pkts))
1187 self.verify_capture_out(capture, ignore_port=True)
1190 pkts = self.create_stream_out(self.pg1)
1191 self.pg1.add_stream(pkts)
1192 self.pg_enable_capture(self.pg_interfaces)
1194 capture = self.pg0.get_capture(len(pkts))
1195 self.verify_capture_in(capture, self.pg0)
1197 def test_static_with_port_out2(self):
1198 """ NAT44ED 1:1 NAPT asymmetrical rule """
1203 self.vapi.nat44_forwarding_enable_disable(enable=1)
1204 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
1205 self.nat_add_static_mapping(self.pg0.remote_ip4, self.nat_addr,
1206 local_port, external_port,
1207 proto=IP_PROTOS.tcp, flags=flags)
1209 self.nat_add_inside_interface(self.pg0)
1210 self.nat_add_outside_interface(self.pg1)
1212 # from client to service
1213 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
1214 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
1215 TCP(sport=12345, dport=external_port))
1216 self.pg1.add_stream(p)
1217 self.pg_enable_capture(self.pg_interfaces)
1219 capture = self.pg0.get_capture(1)
1224 self.assertEqual(ip.dst, self.pg0.remote_ip4)
1225 self.assertEqual(tcp.dport, local_port)
1226 self.assert_packet_checksums_valid(p)
1228 self.logger.error(ppp("Unexpected or invalid packet:", p))
1232 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
1233 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
1234 ICMP(type=11) / capture[0][IP])
1235 self.pg0.add_stream(p)
1236 self.pg_enable_capture(self.pg_interfaces)
1238 capture = self.pg1.get_capture(1)
1241 self.assertEqual(p[IP].src, self.nat_addr)
1243 self.assertEqual(inner.dst, self.nat_addr)
1244 self.assertEqual(inner[TCPerror].dport, external_port)
1246 self.logger.error(ppp("Unexpected or invalid packet:", p))
1249 # from service back to client
1250 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
1251 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
1252 TCP(sport=local_port, dport=12345))
1253 self.pg0.add_stream(p)
1254 self.pg_enable_capture(self.pg_interfaces)
1256 capture = self.pg1.get_capture(1)
1261 self.assertEqual(ip.src, self.nat_addr)
1262 self.assertEqual(tcp.sport, external_port)
1263 self.assert_packet_checksums_valid(p)
1265 self.logger.error(ppp("Unexpected or invalid packet:", p))
1269 p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
1270 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
1271 ICMP(type=11) / capture[0][IP])
1272 self.pg1.add_stream(p)
1273 self.pg_enable_capture(self.pg_interfaces)
1275 capture = self.pg0.get_capture(1)
1278 self.assertEqual(p[IP].dst, self.pg0.remote_ip4)
1280 self.assertEqual(inner.src, self.pg0.remote_ip4)
1281 self.assertEqual(inner[TCPerror].sport, local_port)
1283 self.logger.error(ppp("Unexpected or invalid packet:", p))
1286 # from client to server (no translation)
1287 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
1288 IP(src=self.pg1.remote_ip4, dst=self.pg0.remote_ip4) /
1289 TCP(sport=12346, dport=local_port))
1290 self.pg1.add_stream(p)
1291 self.pg_enable_capture(self.pg_interfaces)
1293 capture = self.pg0.get_capture(1)
1298 self.assertEqual(ip.dst, self.pg0.remote_ip4)
1299 self.assertEqual(tcp.dport, local_port)
1300 self.assert_packet_checksums_valid(p)
1302 self.logger.error(ppp("Unexpected or invalid packet:", p))
1305 # from service back to client (no translation)
1306 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
1307 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
1308 TCP(sport=local_port, dport=12346))
1309 self.pg0.add_stream(p)
1310 self.pg_enable_capture(self.pg_interfaces)
1312 capture = self.pg1.get_capture(1)
1317 self.assertEqual(ip.src, self.pg0.remote_ip4)
1318 self.assertEqual(tcp.sport, local_port)
1319 self.assert_packet_checksums_valid(p)
1321 self.logger.error(ppp("Unexpected or invalid packet:", p))
1324 def test_static_lb(self):
1325 """ NAT44ED local service load balancing """
1326 external_addr_n = self.nat_addr
1329 server1 = self.pg0.remote_hosts[0]
1330 server2 = self.pg0.remote_hosts[1]
1332 locals = [{'addr': server1.ip4,
1336 {'addr': server2.ip4,
1341 self.nat_add_address(self.nat_addr)
1342 self.vapi.nat44_add_del_lb_static_mapping(
1344 external_addr=external_addr_n,
1345 external_port=external_port,
1346 protocol=IP_PROTOS.tcp,
1347 local_num=len(locals),
1349 flags = self.config_flags.NAT_IS_INSIDE
1350 self.vapi.nat44_interface_add_del_feature(
1351 sw_if_index=self.pg0.sw_if_index,
1352 flags=flags, is_add=1)
1353 self.vapi.nat44_interface_add_del_feature(
1354 sw_if_index=self.pg1.sw_if_index,
1357 # from client to service
1358 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
1359 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
1360 TCP(sport=12345, dport=external_port))
1361 self.pg1.add_stream(p)
1362 self.pg_enable_capture(self.pg_interfaces)
1364 capture = self.pg0.get_capture(1)
1370 self.assertIn(ip.dst, [server1.ip4, server2.ip4])
1371 if ip.dst == server1.ip4:
1375 self.assertEqual(tcp.dport, local_port)
1376 self.assert_packet_checksums_valid(p)
1378 self.logger.error(ppp("Unexpected or invalid packet:", p))
1381 # from service back to client
1382 p = (Ether(src=server.mac, dst=self.pg0.local_mac) /
1383 IP(src=server.ip4, dst=self.pg1.remote_ip4) /
1384 TCP(sport=local_port, dport=12345))
1385 self.pg0.add_stream(p)
1386 self.pg_enable_capture(self.pg_interfaces)
1388 capture = self.pg1.get_capture(1)
1393 self.assertEqual(ip.src, self.nat_addr)
1394 self.assertEqual(tcp.sport, external_port)
1395 self.assert_packet_checksums_valid(p)
1397 self.logger.error(ppp("Unexpected or invalid packet:", p))
1400 sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
1401 self.assertEqual(len(sessions), 1)
1402 self.assertTrue(sessions[0].flags &
1403 self.config_flags.NAT_IS_EXT_HOST_VALID)
1404 self.vapi.nat44_del_session(
1405 address=sessions[0].inside_ip_address,
1406 port=sessions[0].inside_port,
1407 protocol=sessions[0].protocol,
1408 flags=(self.config_flags.NAT_IS_INSIDE |
1409 self.config_flags.NAT_IS_EXT_HOST_VALID),
1410 ext_host_address=sessions[0].ext_host_address,
1411 ext_host_port=sessions[0].ext_host_port)
1412 sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
1413 self.assertEqual(len(sessions), 0)
1415 def test_static_lb_2(self):
1416 """ NAT44ED local service load balancing (asymmetrical rule) """
1417 external_addr = self.nat_addr
1420 server1 = self.pg0.remote_hosts[0]
1421 server2 = self.pg0.remote_hosts[1]
1423 locals = [{'addr': server1.ip4,
1427 {'addr': server2.ip4,
1432 self.vapi.nat44_forwarding_enable_disable(enable=1)
1433 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
1434 self.vapi.nat44_add_del_lb_static_mapping(is_add=1, flags=flags,
1435 external_addr=external_addr,
1436 external_port=external_port,
1437 protocol=IP_PROTOS.tcp,
1438 local_num=len(locals),
1440 flags = self.config_flags.NAT_IS_INSIDE
1441 self.vapi.nat44_interface_add_del_feature(
1442 sw_if_index=self.pg0.sw_if_index,
1443 flags=flags, is_add=1)
1444 self.vapi.nat44_interface_add_del_feature(
1445 sw_if_index=self.pg1.sw_if_index,
1448 # from client to service
1449 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
1450 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
1451 TCP(sport=12345, dport=external_port))
1452 self.pg1.add_stream(p)
1453 self.pg_enable_capture(self.pg_interfaces)
1455 capture = self.pg0.get_capture(1)
1461 self.assertIn(ip.dst, [server1.ip4, server2.ip4])
1462 if ip.dst == server1.ip4:
1466 self.assertEqual(tcp.dport, local_port)
1467 self.assert_packet_checksums_valid(p)
1469 self.logger.error(ppp("Unexpected or invalid packet:", p))
1472 # from service back to client
1473 p = (Ether(src=server.mac, dst=self.pg0.local_mac) /
1474 IP(src=server.ip4, dst=self.pg1.remote_ip4) /
1475 TCP(sport=local_port, dport=12345))
1476 self.pg0.add_stream(p)
1477 self.pg_enable_capture(self.pg_interfaces)
1479 capture = self.pg1.get_capture(1)
1484 self.assertEqual(ip.src, self.nat_addr)
1485 self.assertEqual(tcp.sport, external_port)
1486 self.assert_packet_checksums_valid(p)
1488 self.logger.error(ppp("Unexpected or invalid packet:", p))
1491 # from client to server (no translation)
1492 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
1493 IP(src=self.pg1.remote_ip4, dst=server1.ip4) /
1494 TCP(sport=12346, dport=local_port))
1495 self.pg1.add_stream(p)
1496 self.pg_enable_capture(self.pg_interfaces)
1498 capture = self.pg0.get_capture(1)
1504 self.assertEqual(ip.dst, server1.ip4)
1505 self.assertEqual(tcp.dport, local_port)
1506 self.assert_packet_checksums_valid(p)
1508 self.logger.error(ppp("Unexpected or invalid packet:", p))
1511 # from service back to client (no translation)
1512 p = (Ether(src=server1.mac, dst=self.pg0.local_mac) /
1513 IP(src=server1.ip4, dst=self.pg1.remote_ip4) /
1514 TCP(sport=local_port, dport=12346))
1515 self.pg0.add_stream(p)
1516 self.pg_enable_capture(self.pg_interfaces)
1518 capture = self.pg1.get_capture(1)
1523 self.assertEqual(ip.src, server1.ip4)
1524 self.assertEqual(tcp.sport, local_port)
1525 self.assert_packet_checksums_valid(p)
1527 self.logger.error(ppp("Unexpected or invalid packet:", p))
1530 def test_lb_affinity(self):
1531 """ NAT44ED local service load balancing affinity """
1532 external_addr = self.nat_addr
1535 server1 = self.pg0.remote_hosts[0]
1536 server2 = self.pg0.remote_hosts[1]
1538 locals = [{'addr': server1.ip4,
1542 {'addr': server2.ip4,
1547 self.nat_add_address(self.nat_addr)
1548 self.vapi.nat44_add_del_lb_static_mapping(is_add=1,
1549 external_addr=external_addr,
1550 external_port=external_port,
1551 protocol=IP_PROTOS.tcp,
1553 local_num=len(locals),
1555 flags = self.config_flags.NAT_IS_INSIDE
1556 self.vapi.nat44_interface_add_del_feature(
1557 sw_if_index=self.pg0.sw_if_index,
1558 flags=flags, is_add=1)
1559 self.vapi.nat44_interface_add_del_feature(
1560 sw_if_index=self.pg1.sw_if_index,
1563 p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
1564 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
1565 TCP(sport=1025, dport=external_port))
1566 self.pg1.add_stream(p)
1567 self.pg_enable_capture(self.pg_interfaces)
1569 capture = self.pg0.get_capture(1)
1570 backend = capture[0][IP].dst
1572 sessions = self.vapi.nat44_user_session_dump(backend, 0)
1573 self.assertEqual(len(sessions), 1)
1574 self.assertTrue(sessions[0].flags &
1575 self.config_flags.NAT_IS_EXT_HOST_VALID)
1576 self.vapi.nat44_del_session(
1577 address=sessions[0].inside_ip_address,
1578 port=sessions[0].inside_port,
1579 protocol=sessions[0].protocol,
1580 flags=(self.config_flags.NAT_IS_INSIDE |
1581 self.config_flags.NAT_IS_EXT_HOST_VALID),
1582 ext_host_address=sessions[0].ext_host_address,
1583 ext_host_port=sessions[0].ext_host_port)
1586 for port in range(1030, 1100):
1587 p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
1588 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
1589 TCP(sport=port, dport=external_port))
1591 self.pg1.add_stream(pkts)
1592 self.pg_enable_capture(self.pg_interfaces)
1594 capture = self.pg0.get_capture(len(pkts))
1596 self.assertEqual(p[IP].dst, backend)
1598 def test_multiple_vrf(self):
1599 """ NAT44ED Multiple VRF setup """
1601 external_addr = '1.2.3.4'
1606 self.vapi.nat44_forwarding_enable_disable(enable=1)
1607 self.nat_add_address(self.nat_addr)
1608 flags = self.config_flags.NAT_IS_INSIDE
1609 self.vapi.nat44_interface_add_del_feature(
1610 sw_if_index=self.pg0.sw_if_index,
1612 self.vapi.nat44_interface_add_del_feature(
1613 sw_if_index=self.pg0.sw_if_index,
1614 is_add=1, flags=flags)
1615 self.vapi.nat44_interface_add_del_output_feature(
1616 sw_if_index=self.pg1.sw_if_index,
1618 self.vapi.nat44_interface_add_del_feature(
1619 sw_if_index=self.pg5.sw_if_index,
1621 self.vapi.nat44_interface_add_del_feature(
1622 sw_if_index=self.pg5.sw_if_index,
1623 is_add=1, flags=flags)
1624 self.vapi.nat44_interface_add_del_feature(
1625 sw_if_index=self.pg6.sw_if_index,
1627 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
1628 self.nat_add_static_mapping(self.pg5.remote_ip4, external_addr,
1629 local_port, external_port, vrf_id=1,
1630 proto=IP_PROTOS.tcp, flags=flags)
1631 self.nat_add_static_mapping(
1632 self.pg0.remote_ip4,
1633 external_sw_if_index=self.pg0.sw_if_index,
1634 local_port=local_port,
1636 external_port=external_port,
1637 proto=IP_PROTOS.tcp,
1641 # from client to service (both VRF1)
1642 p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) /
1643 IP(src=self.pg6.remote_ip4, dst=external_addr) /
1644 TCP(sport=12345, dport=external_port))
1645 self.pg6.add_stream(p)
1646 self.pg_enable_capture(self.pg_interfaces)
1648 capture = self.pg5.get_capture(1)
1653 self.assertEqual(ip.dst, self.pg5.remote_ip4)
1654 self.assertEqual(tcp.dport, local_port)
1655 self.assert_packet_checksums_valid(p)
1657 self.logger.error(ppp("Unexpected or invalid packet:", p))
1660 # from service back to client (both VRF1)
1661 p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) /
1662 IP(src=self.pg5.remote_ip4, dst=self.pg6.remote_ip4) /
1663 TCP(sport=local_port, dport=12345))
1664 self.pg5.add_stream(p)
1665 self.pg_enable_capture(self.pg_interfaces)
1667 capture = self.pg6.get_capture(1)
1672 self.assertEqual(ip.src, external_addr)
1673 self.assertEqual(tcp.sport, external_port)
1674 self.assert_packet_checksums_valid(p)
1676 self.logger.error(ppp("Unexpected or invalid packet:", p))
1679 # dynamic NAT from VRF1 to VRF0 (output-feature)
1680 p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) /
1681 IP(src=self.pg5.remote_ip4, dst=self.pg1.remote_ip4) /
1682 TCP(sport=2345, dport=22))
1683 self.pg5.add_stream(p)
1684 self.pg_enable_capture(self.pg_interfaces)
1686 capture = self.pg1.get_capture(1)
1691 self.assertEqual(ip.src, self.nat_addr)
1692 self.assert_packet_checksums_valid(p)
1695 self.logger.error(ppp("Unexpected or invalid packet:", p))
1698 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
1699 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
1700 TCP(sport=22, dport=port))
1701 self.pg1.add_stream(p)
1702 self.pg_enable_capture(self.pg_interfaces)
1704 capture = self.pg5.get_capture(1)
1709 self.assertEqual(ip.dst, self.pg5.remote_ip4)
1710 self.assertEqual(tcp.dport, 2345)
1711 self.assert_packet_checksums_valid(p)
1713 self.logger.error(ppp("Unexpected or invalid packet:", p))
1716 # from client VRF1 to service VRF0
1717 p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) /
1718 IP(src=self.pg6.remote_ip4, dst=self.pg0.local_ip4) /
1719 TCP(sport=12346, dport=external_port))
1720 self.pg6.add_stream(p)
1721 self.pg_enable_capture(self.pg_interfaces)
1723 capture = self.pg0.get_capture(1)
1728 self.assertEqual(ip.dst, self.pg0.remote_ip4)
1729 self.assertEqual(tcp.dport, local_port)
1730 self.assert_packet_checksums_valid(p)
1732 self.logger.error(ppp("Unexpected or invalid packet:", p))
1735 # from service VRF0 back to client VRF1
1736 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
1737 IP(src=self.pg0.remote_ip4, dst=self.pg6.remote_ip4) /
1738 TCP(sport=local_port, dport=12346))
1739 self.pg0.add_stream(p)
1740 self.pg_enable_capture(self.pg_interfaces)
1742 capture = self.pg6.get_capture(1)
1747 self.assertEqual(ip.src, self.pg0.local_ip4)
1748 self.assertEqual(tcp.sport, external_port)
1749 self.assert_packet_checksums_valid(p)
1751 self.logger.error(ppp("Unexpected or invalid packet:", p))
1754 # from client VRF0 to service VRF1
1755 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
1756 IP(src=self.pg0.remote_ip4, dst=external_addr) /
1757 TCP(sport=12347, dport=external_port))
1758 self.pg0.add_stream(p)
1759 self.pg_enable_capture(self.pg_interfaces)
1761 capture = self.pg5.get_capture(1)
1766 self.assertEqual(ip.dst, self.pg5.remote_ip4)
1767 self.assertEqual(tcp.dport, local_port)
1768 self.assert_packet_checksums_valid(p)
1770 self.logger.error(ppp("Unexpected or invalid packet:", p))
1773 # from service VRF1 back to client VRF0
1774 p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) /
1775 IP(src=self.pg5.remote_ip4, dst=self.pg0.remote_ip4) /
1776 TCP(sport=local_port, dport=12347))
1777 self.pg5.add_stream(p)
1778 self.pg_enable_capture(self.pg_interfaces)
1780 capture = self.pg0.get_capture(1)
1785 self.assertEqual(ip.src, external_addr)
1786 self.assertEqual(tcp.sport, external_port)
1787 self.assert_packet_checksums_valid(p)
1789 self.logger.error(ppp("Unexpected or invalid packet:", p))
1792 # from client to server (both VRF1, no translation)
1793 p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) /
1794 IP(src=self.pg6.remote_ip4, dst=self.pg5.remote_ip4) /
1795 TCP(sport=12348, dport=local_port))
1796 self.pg6.add_stream(p)
1797 self.pg_enable_capture(self.pg_interfaces)
1799 capture = self.pg5.get_capture(1)
1804 self.assertEqual(ip.dst, self.pg5.remote_ip4)
1805 self.assertEqual(tcp.dport, local_port)
1806 self.assert_packet_checksums_valid(p)
1808 self.logger.error(ppp("Unexpected or invalid packet:", p))
1811 # from server back to client (both VRF1, no translation)
1812 p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) /
1813 IP(src=self.pg5.remote_ip4, dst=self.pg6.remote_ip4) /
1814 TCP(sport=local_port, dport=12348))
1815 self.pg5.add_stream(p)
1816 self.pg_enable_capture(self.pg_interfaces)
1818 capture = self.pg6.get_capture(1)
1823 self.assertEqual(ip.src, self.pg5.remote_ip4)
1824 self.assertEqual(tcp.sport, local_port)
1825 self.assert_packet_checksums_valid(p)
1827 self.logger.error(ppp("Unexpected or invalid packet:", p))
1830 # from client VRF1 to server VRF0 (no translation)
1831 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
1832 IP(src=self.pg0.remote_ip4, dst=self.pg6.remote_ip4) /
1833 TCP(sport=local_port, dport=12349))
1834 self.pg0.add_stream(p)
1835 self.pg_enable_capture(self.pg_interfaces)
1837 capture = self.pg6.get_capture(1)
1842 self.assertEqual(ip.src, self.pg0.remote_ip4)
1843 self.assertEqual(tcp.sport, local_port)
1844 self.assert_packet_checksums_valid(p)
1846 self.logger.error(ppp("Unexpected or invalid packet:", p))
1849 # from server VRF0 back to client VRF1 (no translation)
1850 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
1851 IP(src=self.pg0.remote_ip4, dst=self.pg6.remote_ip4) /
1852 TCP(sport=local_port, dport=12349))
1853 self.pg0.add_stream(p)
1854 self.pg_enable_capture(self.pg_interfaces)
1856 capture = self.pg6.get_capture(1)
1861 self.assertEqual(ip.src, self.pg0.remote_ip4)
1862 self.assertEqual(tcp.sport, local_port)
1863 self.assert_packet_checksums_valid(p)
1865 self.logger.error(ppp("Unexpected or invalid packet:", p))
1868 # from client VRF0 to server VRF1 (no translation)
1869 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
1870 IP(src=self.pg0.remote_ip4, dst=self.pg5.remote_ip4) /
1871 TCP(sport=12344, dport=local_port))
1872 self.pg0.add_stream(p)
1873 self.pg_enable_capture(self.pg_interfaces)
1875 capture = self.pg5.get_capture(1)
1880 self.assertEqual(ip.dst, self.pg5.remote_ip4)
1881 self.assertEqual(tcp.dport, local_port)
1882 self.assert_packet_checksums_valid(p)
1884 self.logger.error(ppp("Unexpected or invalid packet:", p))
1887 # from server VRF1 back to client VRF0 (no translation)
1888 p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) /
1889 IP(src=self.pg5.remote_ip4, dst=self.pg0.remote_ip4) /
1890 TCP(sport=local_port, dport=12344))
1891 self.pg5.add_stream(p)
1892 self.pg_enable_capture(self.pg_interfaces)
1894 capture = self.pg0.get_capture(1)
1899 self.assertEqual(ip.src, self.pg5.remote_ip4)
1900 self.assertEqual(tcp.sport, local_port)
1901 self.assert_packet_checksums_valid(p)
1903 self.logger.error(ppp("Unexpected or invalid packet:", p))
1906 def test_outside_address_distribution(self):
1907 """ Outside address distribution based on source address """
1912 for i in range(1, x):
1914 nat_addresses.append(a)
1916 self.nat_add_inside_interface(self.pg0)
1917 self.nat_add_outside_interface(self.pg1)
1919 self.vapi.nat44_add_del_address_range(
1920 first_ip_address=nat_addresses[0],
1921 last_ip_address=nat_addresses[-1],
1922 vrf_id=0xFFFFFFFF, is_add=1, flags=0)
1924 self.pg0.generate_remote_hosts(x)
1928 info = self.create_packet_info(self.pg0, self.pg1)
1929 payload = self.info_to_payload(info)
1930 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
1931 IP(src=self.pg0.remote_hosts[i].ip4,
1932 dst=self.pg1.remote_ip4) /
1933 UDP(sport=7000+i, dport=8000+i) /
1938 self.pg0.add_stream(pkts)
1939 self.pg_enable_capture(self.pg_interfaces)
1941 recvd = self.pg1.get_capture(len(pkts))
1942 for p_recvd in recvd:
1943 payload_info = self.payload_to_info(p_recvd[Raw])
1944 packet_index = payload_info.index
1945 info = self._packet_infos[packet_index]
1946 self.assertTrue(info is not None)
1947 self.assertEqual(packet_index, info.index)
1949 packed = socket.inet_aton(p_sent[IP].src)
1950 numeric = struct.unpack("!L", packed)[0]
1951 numeric = socket.htonl(numeric)
1952 a = nat_addresses[(numeric-1) % len(nat_addresses)]
1955 "Invalid packet (src IP %s translated to %s, but expected %s)"
1956 % (p_sent[IP].src, p_recvd[IP].src, a))
1959 class TestNAT44EDMW(TestNAT44ED):
1960 """ NAT44ED MW Test Case """
1961 worker_config = "workers 1"
1963 def get_stats_counter(self, path, worker=1):
1964 return super(TestNAT44EDMW, self).get_stats_counter(path, worker)
1966 @unittest.skip('MW fix required')
1967 def test_users_dump(self):
1968 """ NAT44ED API test - nat44_user_dump """
1970 @unittest.skip('MW fix required')
1971 def test_frag_out_of_order_do_not_translate(self):
1972 """ NAT44ED don't translate fragments arriving out of order """
1974 @unittest.skip('MW fix required')
1975 def test_forwarding(self):
1976 """ NAT44ED forwarding test """
1978 @unittest.skip('MW fix required')
1979 def test_twice_nat(self):
1980 """ NAT44ED Twice NAT """
1982 @unittest.skip('MW fix required')
1983 def test_twice_nat_lb(self):
1984 """ NAT44ED Twice NAT local service load balancing """
1986 @unittest.skip('MW fix required')
1987 def test_output_feature(self):
1988 """ NAT44ED interface output feature (in2out postrouting) """
1990 @unittest.skip('MW fix required')
1991 def test_static_with_port_out2(self):
1992 """ NAT44ED 1:1 NAPT asymmetrical rule """
1994 @unittest.skip('MW fix required')
1995 def test_output_feature_and_service2(self):
1996 """ NAT44ED interface output feature and service host direct access """
1998 @unittest.skip('MW fix required')
1999 def test_static_lb(self):
2000 """ NAT44ED local service load balancing """
2002 @unittest.skip('MW fix required')
2003 def test_static_lb_2(self):
2004 """ NAT44ED local service load balancing (asymmetrical rule) """
2006 @unittest.skip('MW fix required')
2007 def test_lb_affinity(self):
2008 """ NAT44ED local service load balancing affinity """
2010 @unittest.skip('MW fix required')
2011 def test_multiple_vrf(self):
2012 """ NAT44ED Multiple VRF setup """
2014 @unittest.skip('MW fix required')
2015 def test_self_twice_nat_positive(self):
2016 """ NAT44ED Self Twice NAT (positive test) """
2018 @unittest.skip('MW fix required')
2019 def test_self_twice_nat_lb_positive(self):
2020 """ NAT44ED Self Twice NAT local service load balancing (positive test)
2023 def test_dynamic(self):
2024 """ NAT44ED dynamic translation test """
2026 self.nat_add_address(self.nat_addr)
2027 self.nat_add_inside_interface(self.pg0)
2028 self.nat_add_outside_interface(self.pg1)
2031 tc1 = self.get_stats_counter('/nat44-ed/in2out/slowpath/tcp')
2032 uc1 = self.get_stats_counter('/nat44-ed/in2out/slowpath/udp')
2033 ic1 = self.get_stats_counter('/nat44-ed/in2out/slowpath/icmp')
2034 dc1 = self.get_stats_counter('/nat44-ed/in2out/slowpath/drops')
2036 pkts = self.create_stream_in(self.pg0, self.pg1)
2037 # TODO: specify worker=idx, also stats have to
2038 # know from which worker to take capture
2039 self.pg0.add_stream(pkts)
2040 self.pg_enable_capture(self.pg_interfaces)
2042 capture = self.pg1.get_capture(len(pkts))
2043 self.verify_capture_out(capture, ignore_port=True)
2045 if_idx = self.pg0.sw_if_index
2046 tc2 = self.get_stats_counter('/nat44-ed/in2out/slowpath/tcp')
2047 uc2 = self.get_stats_counter('/nat44-ed/in2out/slowpath/udp')
2048 ic2 = self.get_stats_counter('/nat44-ed/in2out/slowpath/icmp')
2049 dc2 = self.get_stats_counter('/nat44-ed/in2out/slowpath/drops')
2051 self.assertEqual(tc2[if_idx] - tc1[if_idx], 2)
2052 self.assertEqual(uc2[if_idx] - uc1[if_idx], 1)
2053 self.assertEqual(ic2[if_idx] - ic1[if_idx], 1)
2054 self.assertEqual(dc2[if_idx] - dc1[if_idx], 0)
2057 tc1 = self.get_stats_counter('/nat44-ed/out2in/fastpath/tcp')
2058 uc1 = self.get_stats_counter('/nat44-ed/out2in/fastpath/udp')
2059 ic1 = self.get_stats_counter('/nat44-ed/out2in/fastpath/icmp')
2060 dc1 = self.get_stats_counter('/nat44-ed/out2in/fastpath/drops')
2062 pkts = self.create_stream_out(self.pg1)
2063 self.pg1.add_stream(pkts)
2064 self.pg_enable_capture(self.pg_interfaces)
2066 capture = self.pg0.get_capture(len(pkts))
2067 self.verify_capture_in(capture, self.pg0)
2069 if_idx = self.pg1.sw_if_index
2070 tc2 = self.get_stats_counter('/nat44-ed/out2in/fastpath/tcp')
2071 uc2 = self.get_stats_counter('/nat44-ed/out2in/fastpath/udp')
2072 ic2 = self.get_stats_counter('/nat44-ed/out2in/fastpath/icmp')
2073 dc2 = self.get_stats_counter('/nat44-ed/out2in/fastpath/drops')
2075 self.assertEqual(tc2[if_idx] - tc1[if_idx], 2)
2076 self.assertEqual(uc2[if_idx] - uc1[if_idx], 1)
2077 self.assertEqual(ic2[if_idx] - ic1[if_idx], 1)
2078 self.assertEqual(dc2[if_idx] - dc1[if_idx], 0)
2080 sc = self.get_stats_counter('/nat44-ed/total-sessions')
2081 self.assertEqual(sc[0], 3)
2083 def test_frag_in_order(self):
2084 """ NAT44ED translate fragments arriving in order """
2086 self.nat_add_address(self.nat_addr)
2087 self.nat_add_inside_interface(self.pg0)
2088 self.nat_add_outside_interface(self.pg1)
2090 self.frag_in_order(proto=IP_PROTOS.tcp, ignore_port=True)
2091 self.frag_in_order(proto=IP_PROTOS.udp, ignore_port=True)
2092 self.frag_in_order(proto=IP_PROTOS.icmp, ignore_port=True)
2094 def test_frag_in_order_do_not_translate(self):
2095 """ NAT44ED don't translate fragments arriving in order """
2097 self.nat_add_address(self.nat_addr)
2098 self.nat_add_inside_interface(self.pg0)
2099 self.nat_add_outside_interface(self.pg1)
2100 self.vapi.nat44_forwarding_enable_disable(enable=True)
2102 self.frag_in_order(proto=IP_PROTOS.tcp, dont_translate=True)
2104 def test_frag_out_of_order(self):
2105 """ NAT44ED translate fragments arriving out of order """
2107 self.nat_add_address(self.nat_addr)
2108 self.nat_add_inside_interface(self.pg0)
2109 self.nat_add_outside_interface(self.pg1)
2111 self.frag_out_of_order(proto=IP_PROTOS.tcp, ignore_port=True)
2112 self.frag_out_of_order(proto=IP_PROTOS.udp, ignore_port=True)
2113 self.frag_out_of_order(proto=IP_PROTOS.icmp, ignore_port=True)
2115 def test_frag_in_order_in_plus_out(self):
2116 """ NAT44ED in+out interface fragments in order """
2118 in_port = self.random_port()
2119 out_port = self.random_port()
2121 self.nat_add_address(self.nat_addr)
2122 self.nat_add_inside_interface(self.pg0)
2123 self.nat_add_outside_interface(self.pg0)
2124 self.nat_add_inside_interface(self.pg1)
2125 self.nat_add_outside_interface(self.pg1)
2127 # add static mappings for server
2128 self.nat_add_static_mapping(self.server_addr,
2132 proto=IP_PROTOS.tcp)
2133 self.nat_add_static_mapping(self.server_addr,
2137 proto=IP_PROTOS.udp)
2138 self.nat_add_static_mapping(self.server_addr,
2140 proto=IP_PROTOS.icmp)
2142 # run tests for each protocol
2143 self.frag_in_order_in_plus_out(self.server_addr,
2148 self.frag_in_order_in_plus_out(self.server_addr,
2153 self.frag_in_order_in_plus_out(self.server_addr,
2159 def test_frag_out_of_order_in_plus_out(self):
2160 """ NAT44ED in+out interface fragments out of order """
2162 in_port = self.random_port()
2163 out_port = self.random_port()
2165 self.nat_add_address(self.nat_addr)
2166 self.nat_add_inside_interface(self.pg0)
2167 self.nat_add_outside_interface(self.pg0)
2168 self.nat_add_inside_interface(self.pg1)
2169 self.nat_add_outside_interface(self.pg1)
2171 # add static mappings for server
2172 self.nat_add_static_mapping(self.server_addr,
2176 proto=IP_PROTOS.tcp)
2177 self.nat_add_static_mapping(self.server_addr,
2181 proto=IP_PROTOS.udp)
2182 self.nat_add_static_mapping(self.server_addr,
2184 proto=IP_PROTOS.icmp)
2186 # run tests for each protocol
2187 self.frag_out_of_order_in_plus_out(self.server_addr,
2192 self.frag_out_of_order_in_plus_out(self.server_addr,
2197 self.frag_out_of_order_in_plus_out(self.server_addr,
2203 def test_reass_hairpinning(self):
2204 """ NAT44ED fragments hairpinning """
2206 server_addr = self.pg0.remote_hosts[1].ip4
2208 host_in_port = self.random_port()
2209 server_in_port = self.random_port()
2210 server_out_port = self.random_port()
2212 self.nat_add_address(self.nat_addr)
2213 self.nat_add_inside_interface(self.pg0)
2214 self.nat_add_outside_interface(self.pg1)
2216 # add static mapping for server
2217 self.nat_add_static_mapping(server_addr, self.nat_addr,
2218 server_in_port, server_out_port,
2219 proto=IP_PROTOS.tcp)
2220 self.nat_add_static_mapping(server_addr, self.nat_addr,
2221 server_in_port, server_out_port,
2222 proto=IP_PROTOS.udp)
2223 self.nat_add_static_mapping(server_addr, self.nat_addr)
2225 self.reass_hairpinning(server_addr, server_in_port, server_out_port,
2226 host_in_port, proto=IP_PROTOS.tcp,
2228 self.reass_hairpinning(server_addr, server_in_port, server_out_port,
2229 host_in_port, proto=IP_PROTOS.udp,
2231 self.reass_hairpinning(server_addr, server_in_port, server_out_port,
2232 host_in_port, proto=IP_PROTOS.icmp,
2235 def test_session_limit_per_vrf(self):
2236 """ NAT44ED per vrf session limit """
2239 inside_vrf10 = self.pg2
2244 # 2 interfaces pg0, pg1 (vrf10, limit 1 tcp session)
2245 # non existing vrf_id makes process core dump
2246 self.vapi.nat44_set_session_limit(session_limit=limit, vrf_id=10)
2248 self.nat_add_inside_interface(inside)
2249 self.nat_add_inside_interface(inside_vrf10)
2250 self.nat_add_outside_interface(outside)
2253 self.nat_add_interface_address(outside)
2255 # BUG: causing core dump - when bad vrf_id is specified
2256 # self.nat_add_address(outside.local_ip4, vrf_id=20)
2258 stream = self.create_tcp_stream(inside_vrf10, outside, limit * 2)
2259 inside_vrf10.add_stream(stream)
2261 self.pg_enable_capture(self.pg_interfaces)
2264 capture = outside.get_capture(limit)
2266 stream = self.create_tcp_stream(inside, outside, limit * 2)
2267 inside.add_stream(stream)
2269 self.pg_enable_capture(self.pg_interfaces)
2272 capture = outside.get_capture(len(stream))
2274 def test_show_max_translations(self):
2275 """ NAT44ED API test - max translations per thread """
2276 nat_config = self.vapi.nat_show_config_2()
2277 self.assertEqual(self.max_sessions,
2278 nat_config.max_translations_per_thread)
2280 def test_lru_cleanup(self):
2281 """ NAT44ED LRU cleanup algorithm """
2283 self.nat_add_address(self.nat_addr)
2284 self.nat_add_inside_interface(self.pg0)
2285 self.nat_add_outside_interface(self.pg1)
2287 self.vapi.nat_set_timeouts(
2288 udp=1, tcp_established=7440, tcp_transitory=30, icmp=1)
2290 tcp_port_out = self.init_tcp_session(self.pg0, self.pg1, 2000, 80)
2292 for i in range(0, self.max_sessions - 1):
2293 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
2294 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4, ttl=64) /
2295 UDP(sport=7000+i, dport=80))
2298 self.pg0.add_stream(pkts)
2299 self.pg_enable_capture(self.pg_interfaces)
2301 self.pg1.get_capture(len(pkts))
2302 self.sleep(1.5, "wait for timeouts")
2305 for i in range(0, self.max_sessions - 1):
2306 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
2307 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4, ttl=64) /
2308 ICMP(id=8000+i, type='echo-request'))
2311 self.pg0.add_stream(pkts)
2312 self.pg_enable_capture(self.pg_interfaces)
2314 self.pg1.get_capture(len(pkts))
2316 def test_session_rst_timeout(self):
2317 """ NAT44ED session RST timeouts """
2319 self.nat_add_address(self.nat_addr)
2320 self.nat_add_inside_interface(self.pg0)
2321 self.nat_add_outside_interface(self.pg1)
2323 self.vapi.nat_set_timeouts(udp=300, tcp_established=7440,
2324 tcp_transitory=5, icmp=60)
2326 self.init_tcp_session(self.pg0, self.pg1, self.tcp_port_in,
2327 self.tcp_external_port)
2328 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2329 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
2330 TCP(sport=self.tcp_port_in, dport=self.tcp_external_port,
2332 self.pg0.add_stream(p)
2333 self.pg_enable_capture(self.pg_interfaces)
2335 self.pg1.get_capture(1)
2339 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2340 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
2341 TCP(sport=self.tcp_port_in + 1, dport=self.tcp_external_port + 1,
2343 self.pg0.add_stream(p)
2344 self.pg_enable_capture(self.pg_interfaces)
2346 self.pg1.get_capture(1)
2348 def test_dynamic_out_of_ports(self):
2349 """ NAT44ED dynamic translation test: out of ports """
2351 self.nat_add_inside_interface(self.pg0)
2352 self.nat_add_outside_interface(self.pg1)
2354 # in2out and no NAT addresses added
2355 err_old = self.statistics.get_err_counter(
2356 '/err/nat44-ed-in2out-slowpath/out of ports')
2358 pkts = self.create_stream_in(self.pg0, self.pg1)
2359 self.pg0.add_stream(pkts)
2360 self.pg_enable_capture(self.pg_interfaces)
2362 self.pg1.get_capture(0, timeout=1)
2364 err_new = self.statistics.get_err_counter(
2365 '/err/nat44-ed-in2out-slowpath/out of ports')
2367 self.assertEqual(err_new - err_old, len(pkts))
2369 # in2out after NAT addresses added
2370 self.nat_add_address(self.nat_addr)
2372 err_old = self.statistics.get_err_counter(
2373 '/err/nat44-ed-in2out-slowpath/out of ports')
2375 pkts = self.create_stream_in(self.pg0, self.pg1)
2376 self.pg0.add_stream(pkts)
2377 self.pg_enable_capture(self.pg_interfaces)
2379 capture = self.pg1.get_capture(len(pkts))
2380 self.verify_capture_out(capture, ignore_port=True)
2382 err_new = self.statistics.get_err_counter(
2383 '/err/nat44-ed-in2out-slowpath/out of ports')
2385 self.assertEqual(err_new, err_old)
2387 def test_unknown_proto(self):
2388 """ NAT44ED translate packet with unknown protocol """
2390 self.nat_add_address(self.nat_addr)
2391 self.nat_add_inside_interface(self.pg0)
2392 self.nat_add_outside_interface(self.pg1)
2395 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
2396 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
2397 TCP(sport=self.tcp_port_in, dport=20))
2398 self.pg0.add_stream(p)
2399 self.pg_enable_capture(self.pg_interfaces)
2401 p = self.pg1.get_capture(1)
2403 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
2404 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
2406 IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4) /
2407 TCP(sport=1234, dport=1234))
2408 self.pg0.add_stream(p)
2409 self.pg_enable_capture(self.pg_interfaces)
2411 p = self.pg1.get_capture(1)
2414 self.assertEqual(packet[IP].src, self.nat_addr)
2415 self.assertEqual(packet[IP].dst, self.pg1.remote_ip4)
2416 self.assertEqual(packet.haslayer(GRE), 1)
2417 self.assert_packet_checksums_valid(packet)
2419 self.logger.error(ppp("Unexpected or invalid packet:", packet))
2423 p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
2424 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
2426 IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4) /
2427 TCP(sport=1234, dport=1234))
2428 self.pg1.add_stream(p)
2429 self.pg_enable_capture(self.pg_interfaces)
2431 p = self.pg0.get_capture(1)
2434 self.assertEqual(packet[IP].src, self.pg1.remote_ip4)
2435 self.assertEqual(packet[IP].dst, self.pg0.remote_ip4)
2436 self.assertEqual(packet.haslayer(GRE), 1)
2437 self.assert_packet_checksums_valid(packet)
2439 self.logger.error(ppp("Unexpected or invalid packet:", packet))
2442 def test_hairpinning_unknown_proto(self):
2443 """ NAT44ED translate packet with unknown protocol - hairpinning """
2444 host = self.pg0.remote_hosts[0]
2445 server = self.pg0.remote_hosts[1]
2447 server_out_port = 8765
2448 server_nat_ip = "10.0.0.11"
2450 self.nat_add_address(self.nat_addr)
2451 self.nat_add_inside_interface(self.pg0)
2452 self.nat_add_outside_interface(self.pg1)
2454 # add static mapping for server
2455 self.nat_add_static_mapping(server.ip4, server_nat_ip)
2458 p = (Ether(src=host.mac, dst=self.pg0.local_mac) /
2459 IP(src=host.ip4, dst=server_nat_ip) /
2460 TCP(sport=host_in_port, dport=server_out_port))
2461 self.pg0.add_stream(p)
2462 self.pg_enable_capture(self.pg_interfaces)
2464 self.pg0.get_capture(1)
2466 p = (Ether(dst=self.pg0.local_mac, src=host.mac) /
2467 IP(src=host.ip4, dst=server_nat_ip) /
2469 IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4) /
2470 TCP(sport=1234, dport=1234))
2471 self.pg0.add_stream(p)
2472 self.pg_enable_capture(self.pg_interfaces)
2474 p = self.pg0.get_capture(1)
2477 self.assertEqual(packet[IP].src, self.nat_addr)
2478 self.assertEqual(packet[IP].dst, server.ip4)
2479 self.assertEqual(packet.haslayer(GRE), 1)
2480 self.assert_packet_checksums_valid(packet)
2482 self.logger.error(ppp("Unexpected or invalid packet:", packet))
2486 p = (Ether(dst=self.pg0.local_mac, src=server.mac) /
2487 IP(src=server.ip4, dst=self.nat_addr) /
2489 IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4) /
2490 TCP(sport=1234, dport=1234))
2491 self.pg0.add_stream(p)
2492 self.pg_enable_capture(self.pg_interfaces)
2494 p = self.pg0.get_capture(1)
2497 self.assertEqual(packet[IP].src, server_nat_ip)
2498 self.assertEqual(packet[IP].dst, host.ip4)
2499 self.assertEqual(packet.haslayer(GRE), 1)
2500 self.assert_packet_checksums_valid(packet)
2502 self.logger.error(ppp("Unexpected or invalid packet:", packet))
2505 def test_output_feature_and_service(self):
2506 """ NAT44ED interface output feature and services """
2507 external_addr = '1.2.3.4'
2511 self.vapi.nat44_forwarding_enable_disable(enable=1)
2512 self.nat_add_address(self.nat_addr)
2513 flags = self.config_flags.NAT_IS_ADDR_ONLY
2514 self.vapi.nat44_add_del_identity_mapping(
2515 ip_address=self.pg1.remote_ip4, sw_if_index=0xFFFFFFFF,
2516 flags=flags, is_add=1)
2517 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
2518 self.nat_add_static_mapping(self.pg0.remote_ip4, external_addr,
2519 local_port, external_port,
2520 proto=IP_PROTOS.tcp, flags=flags)
2522 self.nat_add_inside_interface(self.pg0)
2523 self.nat_add_outside_interface(self.pg0)
2524 self.vapi.nat44_interface_add_del_output_feature(
2525 sw_if_index=self.pg1.sw_if_index, is_add=1)
2527 # from client to service
2528 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
2529 IP(src=self.pg1.remote_ip4, dst=external_addr) /
2530 TCP(sport=12345, dport=external_port))
2531 self.pg1.add_stream(p)
2532 self.pg_enable_capture(self.pg_interfaces)
2534 capture = self.pg0.get_capture(1)
2539 self.assertEqual(ip.dst, self.pg0.remote_ip4)
2540 self.assertEqual(tcp.dport, local_port)
2541 self.assert_packet_checksums_valid(p)
2543 self.logger.error(ppp("Unexpected or invalid packet:", p))
2546 # from service back to client
2547 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2548 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
2549 TCP(sport=local_port, dport=12345))
2550 self.pg0.add_stream(p)
2551 self.pg_enable_capture(self.pg_interfaces)
2553 capture = self.pg1.get_capture(1)
2558 self.assertEqual(ip.src, external_addr)
2559 self.assertEqual(tcp.sport, external_port)
2560 self.assert_packet_checksums_valid(p)
2562 self.logger.error(ppp("Unexpected or invalid packet:", p))
2565 # from local network host to external network
2566 pkts = self.create_stream_in(self.pg0, self.pg1)
2567 self.pg0.add_stream(pkts)
2568 self.pg_enable_capture(self.pg_interfaces)
2570 capture = self.pg1.get_capture(len(pkts))
2571 self.verify_capture_out(capture, ignore_port=True)
2572 pkts = self.create_stream_in(self.pg0, self.pg1)
2573 self.pg0.add_stream(pkts)
2574 self.pg_enable_capture(self.pg_interfaces)
2576 capture = self.pg1.get_capture(len(pkts))
2577 self.verify_capture_out(capture, ignore_port=True)
2579 # from external network back to local network host
2580 pkts = self.create_stream_out(self.pg1)
2581 self.pg1.add_stream(pkts)
2582 self.pg_enable_capture(self.pg_interfaces)
2584 capture = self.pg0.get_capture(len(pkts))
2585 self.verify_capture_in(capture, self.pg0)
2587 def test_output_feature_and_service3(self):
2588 """ NAT44ED interface output feature and DST NAT """
2589 external_addr = '1.2.3.4'
2593 self.vapi.nat44_forwarding_enable_disable(enable=1)
2594 self.nat_add_address(self.nat_addr)
2595 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
2596 self.nat_add_static_mapping(self.pg1.remote_ip4, external_addr,
2597 local_port, external_port,
2598 proto=IP_PROTOS.tcp, flags=flags)
2600 self.nat_add_inside_interface(self.pg0)
2601 self.nat_add_outside_interface(self.pg0)
2602 self.vapi.nat44_interface_add_del_output_feature(
2603 sw_if_index=self.pg1.sw_if_index, is_add=1)
2605 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2606 IP(src=self.pg0.remote_ip4, dst=external_addr) /
2607 TCP(sport=12345, dport=external_port))
2608 self.pg0.add_stream(p)
2609 self.pg_enable_capture(self.pg_interfaces)
2611 capture = self.pg1.get_capture(1)
2616 self.assertEqual(ip.src, self.pg0.remote_ip4)
2617 self.assertEqual(tcp.sport, 12345)
2618 self.assertEqual(ip.dst, self.pg1.remote_ip4)
2619 self.assertEqual(tcp.dport, local_port)
2620 self.assert_packet_checksums_valid(p)
2622 self.logger.error(ppp("Unexpected or invalid packet:", p))
2625 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
2626 IP(src=self.pg1.remote_ip4, dst=self.pg0.remote_ip4) /
2627 TCP(sport=local_port, dport=12345))
2628 self.pg1.add_stream(p)
2629 self.pg_enable_capture(self.pg_interfaces)
2631 capture = self.pg0.get_capture(1)
2636 self.assertEqual(ip.src, external_addr)
2637 self.assertEqual(tcp.sport, external_port)
2638 self.assertEqual(ip.dst, self.pg0.remote_ip4)
2639 self.assertEqual(tcp.dport, 12345)
2640 self.assert_packet_checksums_valid(p)
2642 self.logger.error(ppp("Unexpected or invalid packet:", p))
2645 def test_self_twice_nat_lb_negative(self):
2646 """ NAT44ED Self Twice NAT local service load balancing (negative test)
2648 self.twice_nat_common(lb=True, self_twice_nat=True, same_pg=True,
2651 def test_self_twice_nat_negative(self):
2652 """ NAT44ED Self Twice NAT (negative test) """
2653 self.twice_nat_common(self_twice_nat=True)
2655 def test_static_lb_multi_clients(self):
2656 """ NAT44ED local service load balancing - multiple clients"""
2658 external_addr = self.nat_addr
2661 server1 = self.pg0.remote_hosts[0]
2662 server2 = self.pg0.remote_hosts[1]
2663 server3 = self.pg0.remote_hosts[2]
2665 locals = [{'addr': server1.ip4,
2669 {'addr': server2.ip4,
2674 flags = self.config_flags.NAT_IS_INSIDE
2675 self.vapi.nat44_interface_add_del_feature(
2676 sw_if_index=self.pg0.sw_if_index,
2677 flags=flags, is_add=1)
2678 self.vapi.nat44_interface_add_del_feature(
2679 sw_if_index=self.pg1.sw_if_index,
2682 self.nat_add_address(self.nat_addr)
2683 self.vapi.nat44_add_del_lb_static_mapping(is_add=1,
2684 external_addr=external_addr,
2685 external_port=external_port,
2686 protocol=IP_PROTOS.tcp,
2687 local_num=len(locals),
2692 clients = ip4_range(self.pg1.remote_ip4, 10, 50)
2694 for client in clients:
2695 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
2696 IP(src=client, dst=self.nat_addr) /
2697 TCP(sport=12345, dport=external_port))
2699 self.pg1.add_stream(pkts)
2700 self.pg_enable_capture(self.pg_interfaces)
2702 capture = self.pg0.get_capture(len(pkts))
2704 if p[IP].dst == server1.ip4:
2708 self.assertGreater(server1_n, server2_n)
2711 'addr': server3.ip4,
2718 self.vapi.nat44_lb_static_mapping_add_del_local(
2720 external_addr=external_addr,
2721 external_port=external_port,
2723 protocol=IP_PROTOS.tcp)
2727 clients = ip4_range(self.pg1.remote_ip4, 60, 110)
2729 for client in clients:
2730 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
2731 IP(src=client, dst=self.nat_addr) /
2732 TCP(sport=12346, dport=external_port))
2734 self.assertGreater(len(pkts), 0)
2735 self.pg1.add_stream(pkts)
2736 self.pg_enable_capture(self.pg_interfaces)
2738 capture = self.pg0.get_capture(len(pkts))
2740 if p[IP].dst == server1.ip4:
2742 elif p[IP].dst == server2.ip4:
2746 self.assertGreater(server1_n, 0)
2747 self.assertGreater(server2_n, 0)
2748 self.assertGreater(server3_n, 0)
2751 'addr': server2.ip4,
2757 # remove one back-end
2758 self.vapi.nat44_lb_static_mapping_add_del_local(
2760 external_addr=external_addr,
2761 external_port=external_port,
2763 protocol=IP_PROTOS.tcp)
2767 self.pg1.add_stream(pkts)
2768 self.pg_enable_capture(self.pg_interfaces)
2770 capture = self.pg0.get_capture(len(pkts))
2772 if p[IP].dst == server1.ip4:
2774 elif p[IP].dst == server2.ip4:
2778 self.assertGreater(server1_n, 0)
2779 self.assertEqual(server2_n, 0)
2780 self.assertGreater(server3_n, 0)
2782 def test_syslog_sess(self):
2783 """ NAT44ED Test syslog session creation and deletion """
2784 self.vapi.syslog_set_filter(
2785 self.syslog_severity.SYSLOG_API_SEVERITY_INFO)
2786 self.vapi.syslog_set_sender(self.pg3.local_ip4, self.pg3.remote_ip4)
2788 self.nat_add_address(self.nat_addr)
2789 self.nat_add_inside_interface(self.pg0)
2790 self.nat_add_outside_interface(self.pg1)
2792 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
2793 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
2794 TCP(sport=self.tcp_port_in, dport=self.tcp_external_port))
2795 self.pg0.add_stream(p)
2796 self.pg_enable_capture(self.pg_interfaces)
2798 capture = self.pg1.get_capture(1)
2799 self.tcp_port_out = capture[0][TCP].sport
2800 capture = self.pg3.get_capture(1)
2801 self.verify_syslog_sess(capture[0][Raw].load)
2803 self.pg_enable_capture(self.pg_interfaces)
2805 self.nat_add_address(self.nat_addr, is_add=0)
2806 capture = self.pg3.get_capture(1)
2807 self.verify_syslog_sess(capture[0][Raw].load, False)
2809 def test_twice_nat_interface_addr(self):
2810 """ NAT44ED Acquire twice NAT addresses from interface """
2811 flags = self.config_flags.NAT_IS_TWICE_NAT
2812 self.vapi.nat44_add_del_interface_addr(
2813 sw_if_index=self.pg11.sw_if_index,
2814 flags=flags, is_add=1)
2816 # no address in NAT pool
2817 adresses = self.vapi.nat44_address_dump()
2818 self.assertEqual(0, len(adresses))
2820 # configure interface address and check NAT address pool
2821 self.pg11.config_ip4()
2822 adresses = self.vapi.nat44_address_dump()
2823 self.assertEqual(1, len(adresses))
2824 self.assertEqual(str(adresses[0].ip_address),
2825 self.pg11.local_ip4)
2826 self.assertEqual(adresses[0].flags, flags)
2828 # remove interface address and check NAT address pool
2829 self.pg11.unconfig_ip4()
2830 adresses = self.vapi.nat44_address_dump()
2831 self.assertEqual(0, len(adresses))
2833 def test_output_feature_stateful_acl(self):
2834 """ NAT44ED output feature works with stateful ACL """
2836 self.nat_add_address(self.nat_addr)
2837 self.vapi.nat44_interface_add_del_output_feature(
2838 sw_if_index=self.pg0.sw_if_index,
2839 flags=self.config_flags.NAT_IS_INSIDE, is_add=1)
2840 self.vapi.nat44_interface_add_del_output_feature(
2841 sw_if_index=self.pg1.sw_if_index,
2842 flags=self.config_flags.NAT_IS_OUTSIDE, is_add=1)
2844 # First ensure that the NAT is working sans ACL
2846 # send packets out2in, no sessions yet so packets should drop
2847 pkts_out2in = self.create_stream_out(self.pg1)
2848 self.send_and_assert_no_replies(self.pg1, pkts_out2in)
2850 # send packets into inside intf, ensure received via outside intf
2851 pkts_in2out = self.create_stream_in(self.pg0, self.pg1)
2852 capture = self.send_and_expect(self.pg0, pkts_in2out, self.pg1,
2854 self.verify_capture_out(capture, ignore_port=True)
2856 # send out2in again, with sessions created it should work now
2857 pkts_out2in = self.create_stream_out(self.pg1)
2858 capture = self.send_and_expect(self.pg1, pkts_out2in, self.pg0,
2860 self.verify_capture_in(capture, self.pg0)
2862 # Create an ACL blocking everything
2863 out2in_deny_rule = AclRule(is_permit=0)
2864 out2in_acl = VppAcl(self, rules=[out2in_deny_rule])
2865 out2in_acl.add_vpp_config()
2867 # create an ACL to permit/reflect everything
2868 in2out_reflect_rule = AclRule(is_permit=2)
2869 in2out_acl = VppAcl(self, rules=[in2out_reflect_rule])
2870 in2out_acl.add_vpp_config()
2872 # apply as input acl on interface and confirm it blocks everything
2873 acl_if = VppAclInterface(self, sw_if_index=self.pg1.sw_if_index,
2874 n_input=1, acls=[out2in_acl])
2875 acl_if.add_vpp_config()
2876 self.send_and_assert_no_replies(self.pg1, pkts_out2in)
2879 acl_if.acls = [out2in_acl, in2out_acl]
2880 acl_if.add_vpp_config()
2881 # send in2out to generate ACL state (NAT state was created earlier)
2882 capture = self.send_and_expect(self.pg0, pkts_in2out, self.pg1,
2884 self.verify_capture_out(capture, ignore_port=True)
2886 # send out2in again. ACL state exists so it should work now.
2887 # TCP packets with the syn flag set also need the ack flag
2888 for p in pkts_out2in:
2889 if p.haslayer(TCP) and p[TCP].flags & 0x02:
2890 p[TCP].flags |= 0x10
2891 capture = self.send_and_expect(self.pg1, pkts_out2in, self.pg0,
2893 self.verify_capture_in(capture, self.pg0)
2894 self.logger.info(self.vapi.cli("show trace"))
2896 def test_tcp_close(self):
2897 """ NAT44ED Close TCP session from inside network - output feature """
2898 old_timeouts = self.vapi.nat_get_timeouts()
2900 self.vapi.nat_set_timeouts(
2901 udp=old_timeouts.udp,
2902 tcp_established=old_timeouts.tcp_established,
2903 icmp=old_timeouts.icmp,
2904 tcp_transitory=new_transitory)
2906 self.vapi.nat44_forwarding_enable_disable(enable=1)
2907 self.nat_add_address(self.pg1.local_ip4)
2908 twice_nat_addr = '10.0.1.3'
2909 service_ip = '192.168.16.150'
2910 self.nat_add_address(twice_nat_addr, twice_nat=1)
2912 flags = self.config_flags.NAT_IS_INSIDE
2913 self.vapi.nat44_interface_add_del_feature(
2914 sw_if_index=self.pg0.sw_if_index,
2916 self.vapi.nat44_interface_add_del_feature(
2917 sw_if_index=self.pg0.sw_if_index,
2918 flags=flags, is_add=1)
2919 self.vapi.nat44_interface_add_del_output_feature(
2921 sw_if_index=self.pg1.sw_if_index)
2923 flags = (self.config_flags.NAT_IS_OUT2IN_ONLY |
2924 self.config_flags.NAT_IS_TWICE_NAT)
2925 self.nat_add_static_mapping(self.pg0.remote_ip4,
2927 proto=IP_PROTOS.tcp,
2929 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
2930 start_sessnum = len(sessions)
2932 # SYN packet out->in
2933 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
2934 IP(src=self.pg1.remote_ip4, dst=service_ip) /
2935 TCP(sport=33898, dport=80, flags="S"))
2936 self.pg1.add_stream(p)
2937 self.pg_enable_capture(self.pg_interfaces)
2939 capture = self.pg0.get_capture(1)
2941 tcp_port = p[TCP].sport
2943 # SYN + ACK packet in->out
2944 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2945 IP(src=self.pg0.remote_ip4, dst=twice_nat_addr) /
2946 TCP(sport=80, dport=tcp_port, flags="SA"))
2947 self.pg0.add_stream(p)
2948 self.pg_enable_capture(self.pg_interfaces)
2950 self.pg1.get_capture(1)
2952 # ACK packet out->in
2953 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
2954 IP(src=self.pg1.remote_ip4, dst=service_ip) /
2955 TCP(sport=33898, dport=80, flags="A"))
2956 self.pg1.add_stream(p)
2957 self.pg_enable_capture(self.pg_interfaces)
2959 self.pg0.get_capture(1)
2961 # FIN packet in -> out
2962 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2963 IP(src=self.pg0.remote_ip4, dst=twice_nat_addr) /
2964 TCP(sport=80, dport=tcp_port, flags="FA", seq=100, ack=300))
2965 self.pg0.add_stream(p)
2966 self.pg_enable_capture(self.pg_interfaces)
2968 self.pg1.get_capture(1)
2970 # FIN+ACK packet out -> in
2971 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
2972 IP(src=self.pg1.remote_ip4, dst=service_ip) /
2973 TCP(sport=33898, dport=80, flags="FA", seq=300, ack=101))
2974 self.pg1.add_stream(p)
2975 self.pg_enable_capture(self.pg_interfaces)
2977 self.pg0.get_capture(1)
2979 # ACK packet in -> out
2980 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2981 IP(src=self.pg0.remote_ip4, dst=twice_nat_addr) /
2982 TCP(sport=80, dport=tcp_port, flags="A", seq=101, ack=301))
2983 self.pg0.add_stream(p)
2984 self.pg_enable_capture(self.pg_interfaces)
2986 self.pg1.get_capture(1)
2988 # session now in transitory timeout
2989 # try SYN packet out->in - should be dropped
2990 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
2991 IP(src=self.pg1.remote_ip4, dst=service_ip) /
2992 TCP(sport=33898, dport=80, flags="S"))
2993 self.pg1.add_stream(p)
2994 self.pg_enable_capture(self.pg_interfaces)
2997 self.sleep(new_transitory, "wait for transitory timeout")
2998 self.pg0.assert_nothing_captured(0)
3000 # session should still exist
3001 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3002 self.assertEqual(len(sessions) - start_sessnum, 1)
3004 # send FIN+ACK packet out -> in - will cause session to be wiped
3005 # but won't create a new session
3006 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3007 IP(src=self.pg1.remote_ip4, dst=service_ip) /
3008 TCP(sport=33898, dport=80, flags="FA", seq=300, ack=101))
3009 self.pg1.add_stream(p)
3010 self.pg_enable_capture(self.pg_interfaces)
3013 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3014 self.assertEqual(len(sessions) - start_sessnum, 0)
3015 self.pg0.assert_nothing_captured(0)
3017 def test_tcp_session_close_in(self):
3018 """ NAT44ED Close TCP session from inside network """
3020 in_port = self.tcp_port_in
3022 ext_port = self.tcp_external_port
3024 self.nat_add_address(self.nat_addr)
3025 self.nat_add_inside_interface(self.pg0)
3026 self.nat_add_outside_interface(self.pg1)
3027 self.nat_add_static_mapping(self.pg0.remote_ip4, self.nat_addr,
3028 in_port, out_port, proto=IP_PROTOS.tcp,
3029 flags=self.config_flags.NAT_IS_TWICE_NAT)
3031 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3032 session_n = len(sessions)
3034 self.vapi.nat_set_timeouts(udp=300, tcp_established=7440,
3035 tcp_transitory=2, icmp=5)
3037 self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
3039 # FIN packet in -> out
3040 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3041 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3042 TCP(sport=in_port, dport=ext_port,
3043 flags="FA", seq=100, ack=300))
3044 self.pg0.add_stream(p)
3045 self.pg_enable_capture(self.pg_interfaces)
3047 self.pg1.get_capture(1)
3051 # ACK packet out -> in
3052 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3053 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3054 TCP(sport=ext_port, dport=out_port,
3055 flags="A", seq=300, ack=101))
3058 # FIN packet out -> in
3059 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3060 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3061 TCP(sport=ext_port, dport=out_port,
3062 flags="FA", seq=300, ack=101))
3065 self.pg1.add_stream(pkts)
3066 self.pg_enable_capture(self.pg_interfaces)
3068 self.pg0.get_capture(2)
3070 # ACK packet in -> out
3071 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3072 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3073 TCP(sport=in_port, dport=ext_port,
3074 flags="A", seq=101, ack=301))
3075 self.pg0.add_stream(p)
3076 self.pg_enable_capture(self.pg_interfaces)
3078 self.pg1.get_capture(1)
3080 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3081 self.assertEqual(len(sessions) - session_n, 1)
3083 out2in_drops = self.get_err_counter(
3084 '/err/nat44-ed-out2in/drops due to TCP in transitory timeout')
3085 in2out_drops = self.get_err_counter(
3086 '/err/nat44-ed-in2out/drops due to TCP in transitory timeout')
3088 # extra FIN packet out -> in - this should be dropped
3089 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3090 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3091 TCP(sport=ext_port, dport=out_port,
3092 flags="FA", seq=300, ack=101))
3094 self.pg1.add_stream(p)
3095 self.pg_enable_capture(self.pg_interfaces)
3097 self.pg0.assert_nothing_captured()
3099 # extra ACK packet in -> out - this should be dropped
3100 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3101 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3102 TCP(sport=in_port, dport=ext_port,
3103 flags="A", seq=101, ack=301))
3104 self.pg0.add_stream(p)
3105 self.pg_enable_capture(self.pg_interfaces)
3107 self.pg1.assert_nothing_captured()
3109 stats = self.get_err_counter(
3110 '/err/nat44-ed-out2in/drops due to TCP in transitory timeout')
3111 self.assertEqual(stats - out2in_drops, 1)
3112 stats = self.get_err_counter(
3113 '/err/nat44-ed-in2out/drops due to TCP in transitory timeout')
3114 self.assertEqual(stats - in2out_drops, 1)
3117 # extra ACK packet in -> out - this will cause session to be wiped
3118 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3119 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3120 TCP(sport=in_port, dport=ext_port,
3121 flags="A", seq=101, ack=301))
3122 self.pg0.add_stream(p)
3123 self.pg_enable_capture(self.pg_interfaces)
3125 self.pg1.assert_nothing_captured()
3126 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3127 self.assertEqual(len(sessions) - session_n, 0)
3129 def test_tcp_session_close_out(self):
3130 """ NAT44ED Close TCP session from outside network """
3132 in_port = self.tcp_port_in
3134 ext_port = self.tcp_external_port
3136 self.nat_add_address(self.nat_addr)
3137 self.nat_add_inside_interface(self.pg0)
3138 self.nat_add_outside_interface(self.pg1)
3139 self.nat_add_static_mapping(self.pg0.remote_ip4, self.nat_addr,
3140 in_port, out_port, proto=IP_PROTOS.tcp,
3141 flags=self.config_flags.NAT_IS_TWICE_NAT)
3143 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3144 session_n = len(sessions)
3146 self.vapi.nat_set_timeouts(udp=300, tcp_established=7440,
3147 tcp_transitory=2, icmp=5)
3149 _ = self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
3151 # FIN packet out -> in
3152 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3153 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3154 TCP(sport=ext_port, dport=out_port,
3155 flags="FA", seq=100, ack=300))
3156 self.pg1.add_stream(p)
3157 self.pg_enable_capture(self.pg_interfaces)
3159 self.pg0.get_capture(1)
3161 # FIN+ACK packet in -> out
3162 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3163 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3164 TCP(sport=in_port, dport=ext_port,
3165 flags="FA", seq=300, ack=101))
3167 self.pg0.add_stream(p)
3168 self.pg_enable_capture(self.pg_interfaces)
3170 self.pg1.get_capture(1)
3172 # ACK packet out -> in
3173 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3174 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3175 TCP(sport=ext_port, dport=out_port,
3176 flags="A", seq=101, ack=301))
3177 self.pg1.add_stream(p)
3178 self.pg_enable_capture(self.pg_interfaces)
3180 self.pg0.get_capture(1)
3182 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3183 self.assertEqual(len(sessions) - session_n, 1)
3185 out2in_drops = self.get_err_counter(
3186 '/err/nat44-ed-out2in/drops due to TCP in transitory timeout')
3187 in2out_drops = self.get_err_counter(
3188 '/err/nat44-ed-in2out/drops due to TCP in transitory timeout')
3190 # extra FIN packet out -> in - this should be dropped
3191 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3192 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3193 TCP(sport=ext_port, dport=out_port,
3194 flags="FA", seq=300, ack=101))
3196 self.pg1.add_stream(p)
3197 self.pg_enable_capture(self.pg_interfaces)
3199 self.pg0.assert_nothing_captured()
3201 # extra ACK packet in -> out - this should be dropped
3202 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3203 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3204 TCP(sport=in_port, dport=ext_port,
3205 flags="A", seq=101, ack=301))
3206 self.pg0.add_stream(p)
3207 self.pg_enable_capture(self.pg_interfaces)
3209 self.pg1.assert_nothing_captured()
3211 stats = self.get_err_counter(
3212 '/err/nat44-ed-out2in/drops due to TCP in transitory timeout')
3213 self.assertEqual(stats - out2in_drops, 1)
3214 stats = self.get_err_counter(
3215 '/err/nat44-ed-in2out/drops due to TCP in transitory timeout')
3216 self.assertEqual(stats - in2out_drops, 1)
3219 # extra ACK packet in -> out - this will cause session to be wiped
3220 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3221 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3222 TCP(sport=in_port, dport=ext_port,
3223 flags="A", seq=101, ack=301))
3224 self.pg0.add_stream(p)
3225 self.pg_enable_capture(self.pg_interfaces)
3227 self.pg1.assert_nothing_captured()
3228 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3229 self.assertEqual(len(sessions) - session_n, 0)
3231 def test_tcp_session_close_simultaneous(self):
3232 """ NAT44ED Close TCP session from inside network """
3234 in_port = self.tcp_port_in
3237 self.nat_add_address(self.nat_addr)
3238 self.nat_add_inside_interface(self.pg0)
3239 self.nat_add_outside_interface(self.pg1)
3240 self.nat_add_static_mapping(self.pg0.remote_ip4, self.nat_addr,
3241 in_port, ext_port, proto=IP_PROTOS.tcp,
3242 flags=self.config_flags.NAT_IS_TWICE_NAT)
3244 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3245 session_n = len(sessions)
3247 self.vapi.nat_set_timeouts(udp=300, tcp_established=7440,
3248 tcp_transitory=2, icmp=5)
3250 out_port = self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
3252 # FIN packet in -> out
3253 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3254 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3255 TCP(sport=in_port, dport=ext_port,
3256 flags="FA", seq=100, ack=300))
3257 self.pg0.add_stream(p)
3258 self.pg_enable_capture(self.pg_interfaces)
3260 self.pg1.get_capture(1)
3262 # FIN packet out -> in
3263 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3264 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3265 TCP(sport=ext_port, dport=out_port,
3266 flags="FA", seq=300, ack=100))
3267 self.pg1.add_stream(p)
3268 self.pg_enable_capture(self.pg_interfaces)
3270 self.pg0.get_capture(1)
3272 # ACK packet in -> out
3273 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3274 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3275 TCP(sport=in_port, dport=ext_port,
3276 flags="A", seq=101, ack=301))
3277 self.pg0.add_stream(p)
3278 self.pg_enable_capture(self.pg_interfaces)
3280 self.pg1.get_capture(1)
3282 # ACK packet out -> in
3283 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3284 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3285 TCP(sport=ext_port, dport=out_port,
3286 flags="A", seq=301, ack=101))
3287 self.pg1.add_stream(p)
3288 self.pg_enable_capture(self.pg_interfaces)
3290 self.pg0.get_capture(1)
3292 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3293 self.assertEqual(len(sessions) - session_n, 1)
3295 out2in_drops = self.get_err_counter(
3296 '/err/nat44-ed-out2in/drops due to TCP in transitory timeout')
3297 in2out_drops = self.get_err_counter(
3298 '/err/nat44-ed-in2out/drops due to TCP in transitory timeout')
3300 # extra FIN packet out -> in - this should be dropped
3301 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3302 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3303 TCP(sport=ext_port, dport=out_port,
3304 flags="FA", seq=300, ack=101))
3306 self.pg1.add_stream(p)
3307 self.pg_enable_capture(self.pg_interfaces)
3309 self.pg0.assert_nothing_captured()
3311 # extra ACK packet in -> out - this should be dropped
3312 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3313 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3314 TCP(sport=in_port, dport=ext_port,
3315 flags="A", seq=101, ack=301))
3316 self.pg0.add_stream(p)
3317 self.pg_enable_capture(self.pg_interfaces)
3319 self.pg1.assert_nothing_captured()
3321 stats = self.get_err_counter(
3322 '/err/nat44-ed-out2in/drops due to TCP in transitory timeout')
3323 self.assertEqual(stats - out2in_drops, 1)
3324 stats = self.get_err_counter(
3325 '/err/nat44-ed-in2out/drops due to TCP in transitory timeout')
3326 self.assertEqual(stats - in2out_drops, 1)
3329 # extra ACK packet in -> out - this will cause session to be wiped
3330 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3331 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3332 TCP(sport=in_port, dport=ext_port,
3333 flags="A", seq=101, ack=301))
3334 self.pg0.add_stream(p)
3335 self.pg_enable_capture(self.pg_interfaces)
3337 self.pg1.assert_nothing_captured()
3338 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3339 self.assertEqual(len(sessions) - session_n, 0)
3341 def test_dynamic_output_feature_vrf(self):
3342 """ NAT44ED dynamic translation test: output-feature, VRF"""
3344 # other then default (0)
3347 self.nat_add_address(self.nat_addr)
3348 flags = self.config_flags.NAT_IS_INSIDE
3349 self.vapi.nat44_interface_add_del_output_feature(
3350 sw_if_index=self.pg7.sw_if_index,
3351 flags=flags, is_add=1)
3352 self.vapi.nat44_interface_add_del_output_feature(
3353 sw_if_index=self.pg8.sw_if_index,
3357 self.configure_ip4_interface(self.pg7, table_id=new_vrf_id)
3358 self.configure_ip4_interface(self.pg8, table_id=new_vrf_id)
3361 tcpn = self.get_stats_counter(
3362 '/nat44-ed/in2out/slowpath/tcp')
3363 udpn = self.get_stats_counter(
3364 '/nat44-ed/in2out/slowpath/udp')
3365 icmpn = self.get_stats_counter(
3366 '/nat44-ed/in2out/slowpath/icmp')
3367 drops = self.get_stats_counter(
3368 '/nat44-ed/in2out/slowpath/drops')
3370 pkts = self.create_stream_in(self.pg7, self.pg8)
3371 self.pg7.add_stream(pkts)
3372 self.pg_enable_capture(self.pg_interfaces)
3374 capture = self.pg8.get_capture(len(pkts))
3375 self.verify_capture_out(capture, ignore_port=True)
3377 if_idx = self.pg7.sw_if_index
3378 cnt = self.get_stats_counter(
3379 '/nat44-ed/in2out/slowpath/tcp')
3380 self.assertEqual(cnt[if_idx] - tcpn[if_idx], 2)
3381 cnt = self.get_stats_counter(
3382 '/nat44-ed/in2out/slowpath/udp')
3383 self.assertEqual(cnt[if_idx] - udpn[if_idx], 1)
3384 cnt = self.get_stats_counter(
3385 '/nat44-ed/in2out/slowpath/icmp')
3386 self.assertEqual(cnt[if_idx] - icmpn[if_idx], 1)
3387 cnt = self.get_stats_counter(
3388 '/nat44-ed/in2out/slowpath/drops')
3389 self.assertEqual(cnt[if_idx] - drops[if_idx], 0)
3392 tcpn = self.get_stats_counter(
3393 '/nat44-ed/out2in/fastpath/tcp')
3394 udpn = self.get_stats_counter(
3395 '/nat44-ed/out2in/fastpath/udp')
3396 icmpn = self.get_stats_counter(
3397 '/nat44-ed/out2in/fastpath/icmp')
3398 drops = self.get_stats_counter(
3399 '/nat44-ed/out2in/fastpath/drops')
3401 pkts = self.create_stream_out(self.pg8)
3402 self.pg8.add_stream(pkts)
3403 self.pg_enable_capture(self.pg_interfaces)
3405 capture = self.pg7.get_capture(len(pkts))
3406 self.verify_capture_in(capture, self.pg7)
3408 if_idx = self.pg8.sw_if_index
3409 cnt = self.get_stats_counter(
3410 '/nat44-ed/out2in/fastpath/tcp')
3411 self.assertEqual(cnt[if_idx] - tcpn[if_idx], 2)
3412 cnt = self.get_stats_counter(
3413 '/nat44-ed/out2in/fastpath/udp')
3414 self.assertEqual(cnt[if_idx] - udpn[if_idx], 1)
3415 cnt = self.get_stats_counter(
3416 '/nat44-ed/out2in/fastpath/icmp')
3417 self.assertEqual(cnt[if_idx] - icmpn[if_idx], 1)
3418 cnt = self.get_stats_counter(
3419 '/nat44-ed/out2in/fastpath/drops')
3420 self.assertEqual(cnt[if_idx] - drops[if_idx], 0)
3422 sessions = self.get_stats_counter('/nat44-ed/total-sessions')
3423 self.assertEqual(sessions[0], 3)
3426 self.configure_ip4_interface(self.pg7, table_id=0)
3427 self.configure_ip4_interface(self.pg8, table_id=0)
3429 self.vapi.ip_table_add_del(is_add=0,
3430 table={'table_id': new_vrf_id})
3432 def test_next_src_nat(self):
3433 """ NAT44ED On way back forward packet to nat44-in2out node. """
3435 twice_nat_addr = '10.0.1.3'
3438 post_twice_nat_port = 0
3440 self.vapi.nat44_forwarding_enable_disable(enable=1)
3441 self.nat_add_address(twice_nat_addr, twice_nat=1)
3442 flags = (self.config_flags.NAT_IS_OUT2IN_ONLY |
3443 self.config_flags.NAT_IS_SELF_TWICE_NAT)
3444 self.nat_add_static_mapping(self.pg6.remote_ip4, self.pg1.remote_ip4,
3445 local_port, external_port,
3446 proto=IP_PROTOS.tcp, vrf_id=1,
3448 self.vapi.nat44_interface_add_del_feature(
3449 sw_if_index=self.pg6.sw_if_index,
3452 p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) /
3453 IP(src=self.pg6.remote_ip4, dst=self.pg1.remote_ip4) /
3454 TCP(sport=12345, dport=external_port))
3455 self.pg6.add_stream(p)
3456 self.pg_enable_capture(self.pg_interfaces)
3458 capture = self.pg6.get_capture(1)
3463 self.assertEqual(ip.src, twice_nat_addr)
3464 self.assertNotEqual(tcp.sport, 12345)
3465 post_twice_nat_port = tcp.sport
3466 self.assertEqual(ip.dst, self.pg6.remote_ip4)
3467 self.assertEqual(tcp.dport, local_port)
3468 self.assert_packet_checksums_valid(p)
3470 self.logger.error(ppp("Unexpected or invalid packet:", p))
3473 p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) /
3474 IP(src=self.pg6.remote_ip4, dst=twice_nat_addr) /
3475 TCP(sport=local_port, dport=post_twice_nat_port))
3476 self.pg6.add_stream(p)
3477 self.pg_enable_capture(self.pg_interfaces)
3479 capture = self.pg6.get_capture(1)
3484 self.assertEqual(ip.src, self.pg1.remote_ip4)
3485 self.assertEqual(tcp.sport, external_port)
3486 self.assertEqual(ip.dst, self.pg6.remote_ip4)
3487 self.assertEqual(tcp.dport, 12345)
3488 self.assert_packet_checksums_valid(p)
3490 self.logger.error(ppp("Unexpected or invalid packet:", p))
3493 def test_one_armed_nat44_static(self):
3494 """ NAT44ED One armed NAT and 1:1 NAPT asymmetrical rule """
3496 remote_host = self.pg4.remote_hosts[0]
3497 local_host = self.pg4.remote_hosts[1]
3502 self.vapi.nat44_forwarding_enable_disable(enable=1)
3503 self.nat_add_address(self.nat_addr, twice_nat=1)
3504 flags = (self.config_flags.NAT_IS_OUT2IN_ONLY |
3505 self.config_flags.NAT_IS_TWICE_NAT)
3506 self.nat_add_static_mapping(local_host.ip4, self.nat_addr,
3507 local_port, external_port,
3508 proto=IP_PROTOS.tcp, flags=flags)
3509 flags = self.config_flags.NAT_IS_INSIDE
3510 self.vapi.nat44_interface_add_del_feature(
3511 sw_if_index=self.pg4.sw_if_index,
3513 self.vapi.nat44_interface_add_del_feature(
3514 sw_if_index=self.pg4.sw_if_index,
3515 flags=flags, is_add=1)
3517 # from client to service
3518 p = (Ether(src=self.pg4.remote_mac, dst=self.pg4.local_mac) /
3519 IP(src=remote_host.ip4, dst=self.nat_addr) /
3520 TCP(sport=12345, dport=external_port))
3521 self.pg4.add_stream(p)
3522 self.pg_enable_capture(self.pg_interfaces)
3524 capture = self.pg4.get_capture(1)
3529 self.assertEqual(ip.dst, local_host.ip4)
3530 self.assertEqual(ip.src, self.nat_addr)
3531 self.assertEqual(tcp.dport, local_port)
3532 self.assertNotEqual(tcp.sport, 12345)
3533 eh_port_in = tcp.sport
3534 self.assert_packet_checksums_valid(p)
3536 self.logger.error(ppp("Unexpected or invalid packet:", p))
3539 # from service back to client
3540 p = (Ether(src=self.pg4.remote_mac, dst=self.pg4.local_mac) /
3541 IP(src=local_host.ip4, dst=self.nat_addr) /
3542 TCP(sport=local_port, dport=eh_port_in))
3543 self.pg4.add_stream(p)
3544 self.pg_enable_capture(self.pg_interfaces)
3546 capture = self.pg4.get_capture(1)
3551 self.assertEqual(ip.src, self.nat_addr)
3552 self.assertEqual(ip.dst, remote_host.ip4)
3553 self.assertEqual(tcp.sport, external_port)
3554 self.assertEqual(tcp.dport, 12345)
3555 self.assert_packet_checksums_valid(p)
3557 self.logger.error(ppp("Unexpected or invalid packet:", p))
3561 if __name__ == '__main__':
3562 unittest.main(testRunner=VppTestRunner)
Code Review / vpp.git / blob