6 from framework import VppTestCase, VppTestRunner
7 from vpp_ip import DpoProto
8 from vpp_ip_route import VppIpRoute, VppRoutePath
9 from util import fragment_rfc791, fragment_rfc8200
12 from scapy.layers.l2 import Ether
13 from scapy.packet import Raw
14 from scapy.layers.inet import IP, UDP, ICMP, TCP
15 from scapy.layers.inet6 import IPv6, ICMPv6TimeExceeded, IPv6ExtHdrFragment, \
16 ICMPv6EchoRequest, ICMPv6DestUnreach
19 class TestMAP(VppTestCase):
24 super(TestMAP, cls).setUpClass()
27 def tearDownClass(cls):
28 super(TestMAP, cls).tearDownClass()
31 super(TestMAP, self).setUp()
33 # create 2 pg interfaces
34 self.create_pg_interfaces(range(4))
36 # pg0 is 'inside' IPv4
39 self.pg0.resolve_arp()
40 self.pg0.generate_remote_hosts(2)
41 self.pg0.configure_ipv4_neighbors()
43 # pg1 is 'outside' IPv6
46 self.pg1.generate_remote_hosts(4)
47 self.pg1.configure_ipv6_neighbors()
50 super(TestMAP, self).tearDown()
51 for i in self.pg_interfaces:
56 def send_and_assert_encapped(self, packets, ip6_src, ip6_dst, dmac=None):
58 dmac = self.pg1.remote_mac
60 self.pg0.add_stream(packets)
62 self.pg_enable_capture(self.pg_interfaces)
65 capture = self.pg1.get_capture(len(packets))
66 for rx, tx in zip(capture, packets):
67 self.assertEqual(rx[Ether].dst, dmac)
68 self.assertEqual(rx[IP].src, tx[IP].src)
69 self.assertEqual(rx[IPv6].src, ip6_src)
70 self.assertEqual(rx[IPv6].dst, ip6_dst)
72 def send_and_assert_encapped_one(self, packet, ip6_src, ip6_dst,
74 return self.send_and_assert_encapped([packet], ip6_src, ip6_dst, dmac)
76 def test_api_map_domain_dump(self):
78 map_src = '3000::1/128'
79 client_pfx = '192.168.0.0/16'
81 index = self.vapi.map_add_domain(ip4_prefix=client_pfx,
85 rv = self.vapi.map_domain_dump()
87 # restore the state early so as to not impact subsequent tests.
88 # If an assert fails, we will not get the chance to do it at the end.
89 self.vapi.map_del_domain(index=index)
91 self.assertGreater(len(rv), 0,
92 "Expected output from 'map_domain_dump'")
94 # typedefs are returned as ipaddress objects.
95 # wrap results in str() ugh! to avoid the need to call unicode.
96 self.assertEqual(str(rv[0].ip4_prefix), client_pfx)
97 self.assertEqual(str(rv[0].ip6_prefix), map_dst)
98 self.assertEqual(str(rv[0].ip6_src), map_src)
100 self.assertEqual(rv[0].tag, tag,
101 "output produced incorrect tag value.")
103 def create_domains(self, ip4_pfx_str, ip6_pfx_str, ip6_src_str):
104 ip4_pfx = ipaddress.ip_network(ip4_pfx_str)
105 ip6_dst = ipaddress.ip_network(ip6_pfx_str)
106 mod = ip4_pfx.num_addresses / 1024
108 for i in range(ip4_pfx.num_addresses):
109 rv = self.vapi.map_add_domain(ip6_prefix=ip6_pfx_str,
110 ip4_prefix=str(ip4_pfx[i]) + "/32",
112 indicies.append(rv.index)
115 def test_api_map_domains_get(self):
116 # Create a bunch of domains
117 no_domains = 4096 # This must be large enough to ensure VPP suspends
118 domains = self.create_domains('130.67.0.0/20', '2001::/32',
120 self.assertEqual(len(domains), no_domains)
126 rv, details = self.vapi.map_domains_get(cursor=no_domains+10)
127 self.assertEqual(rv.retval, -7)
129 # Delete a domain in the middle of walk
130 rv, details = self.vapi.map_domains_get(cursor=0)
131 self.assertEqual(rv.retval, -165)
132 self.vapi.map_del_domain(index=rv.cursor)
133 domains.remove(rv.cursor)
135 # Continue at point of deleted cursor
136 rv, details = self.vapi.map_domains_get(cursor=rv.cursor)
137 self.assertIn(rv.retval, [0, -165])
139 d = list(self.vapi.vpp.details_iter(self.vapi.map_domains_get))
140 self.assertEqual(len(d), no_domains - 1)
144 self.vapi.map_del_domain(index=i)
146 def test_map_e_udp(self):
150 # Add a route to the MAP-BR
152 map_br_pfx = "2001::"
154 map_route = VppIpRoute(self,
157 [VppRoutePath(self.pg1.remote_ip6,
158 self.pg1.sw_if_index)])
159 map_route.add_vpp_config()
162 # Add a domain that maps from pg0 to pg1
164 map_dst = '2001::/32'
165 map_src = '3000::1/128'
166 client_pfx = '192.168.0.0/16'
167 map_translated_addr = '2001:0:101:7000:0:c0a8:101:7'
169 self.vapi.map_add_domain(ip4_prefix=client_pfx,
177 self.vapi.map_param_set_security_check(enable=1, fragments=1)
179 # Enable MAP on interface.
180 self.vapi.map_if_enable_disable(is_enable=1,
181 sw_if_index=self.pg0.sw_if_index,
184 # Ensure MAP doesn't steal all packets!
185 v4 = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
186 IP(src=self.pg0.remote_ip4, dst=self.pg0.remote_ip4) /
187 UDP(sport=20000, dport=10000) /
189 rx = self.send_and_expect(self.pg0, v4 * 4, self.pg0)
193 self.validate(p[1], v4_reply)
196 # Fire in a v4 packet that will be encapped to the BR
198 v4 = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
199 IP(src=self.pg0.remote_ip4, dst='192.168.1.1') /
200 UDP(sport=20000, dport=10000) /
203 self.send_and_assert_encapped(v4 * 4, "3000::1", map_translated_addr)
206 # Verify reordered fragments are able to pass as well
208 v4 = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
209 IP(id=1, src=self.pg0.remote_ip4, dst='192.168.1.1') /
210 UDP(sport=20000, dport=10000) /
213 frags = fragment_rfc791(v4, 400)
216 self.send_and_assert_encapped(frags, "3000::1", map_translated_addr)
218 # Enable MAP on interface.
219 self.vapi.map_if_enable_disable(is_enable=1,
220 sw_if_index=self.pg1.sw_if_index,
223 # Ensure MAP doesn't steal all packets
224 v6 = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
225 IPv6(src=self.pg1.remote_ip6, dst=self.pg1.remote_ip6) /
226 UDP(sport=20000, dport=10000) /
228 rx = self.send_and_expect(self.pg1, v6*1, self.pg1)
232 self.validate(p[1], v6_reply)
235 # Fire in a V6 encapped packet.
236 # expect a decapped packet on the inside ip4 link
238 p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
239 IPv6(dst='3000::1', src=map_translated_addr) /
240 IP(dst=self.pg0.remote_ip4, src='192.168.1.1') /
241 UDP(sport=10000, dport=20000) /
244 self.pg1.add_stream(p)
246 self.pg_enable_capture(self.pg_interfaces)
249 rx = self.pg0.get_capture(1)
252 self.assertFalse(rx.haslayer(IPv6))
253 self.assertEqual(rx[IP].src, p[IP].src)
254 self.assertEqual(rx[IP].dst, p[IP].dst)
257 # Verify encapped reordered fragments pass as well
259 p = (IP(id=1, dst=self.pg0.remote_ip4, src='192.168.1.1') /
260 UDP(sport=10000, dport=20000) /
262 frags = fragment_rfc791(p, 400)
265 stream = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
266 IPv6(dst='3000::1', src=map_translated_addr) /
269 self.pg1.add_stream(stream)
271 self.pg_enable_capture(self.pg_interfaces)
274 rx = self.pg0.get_capture(len(frags))
277 self.assertFalse(r.haslayer(IPv6))
278 self.assertEqual(r[IP].src, p[IP].src)
279 self.assertEqual(r[IP].dst, p[IP].dst)
281 # Verify that fragments pass even if ipv6 layer is fragmented
282 stream = (IPv6(dst='3000::1', src=map_translated_addr) / x
286 Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) / x
287 for i in range(len(frags))
288 for x in fragment_rfc8200(
289 IPv6(dst='3000::1', src=map_translated_addr) / frags[i],
292 self.pg1.add_stream(v6_stream)
294 self.pg_enable_capture(self.pg_interfaces)
297 rx = self.pg0.get_capture(len(frags))
300 self.assertFalse(r.haslayer(IPv6))
301 self.assertEqual(r[IP].src, p[IP].src)
302 self.assertEqual(r[IP].dst, p[IP].dst)
305 # Pre-resolve. No API for this!!
307 self.vapi.ppcli("map params pre-resolve ip6-nh 4001::1")
309 self.send_and_assert_no_replies(self.pg0, v4,
310 "resolved via default route")
313 # Add a route to 4001::1. Expect the encapped traffic to be
314 # sent via that routes next-hop
316 pre_res_route = VppIpRoute(self, "4001::1", 128,
317 [VppRoutePath(self.pg1.remote_hosts[2].ip6,
318 self.pg1.sw_if_index)])
319 pre_res_route.add_vpp_config()
321 self.send_and_assert_encapped_one(v4, "3000::1",
323 dmac=self.pg1.remote_hosts[2].mac)
326 # change the route to the pre-solved next-hop
328 pre_res_route.modify([VppRoutePath(self.pg1.remote_hosts[3].ip6,
329 self.pg1.sw_if_index)])
330 pre_res_route.add_vpp_config()
332 self.send_and_assert_encapped_one(v4, "3000::1",
334 dmac=self.pg1.remote_hosts[3].mac)
337 # cleanup. The test infra's object registry will ensure
338 # the route is really gone and thus that the unresolve worked.
340 pre_res_route.remove_vpp_config()
341 self.vapi.ppcli("map params pre-resolve del ip6-nh 4001::1")
343 def test_map_e_inner_frag(self):
344 """ MAP-E Inner fragmentation """
347 # Add a route to the MAP-BR
349 map_br_pfx = "2001::"
351 map_route = VppIpRoute(self,
354 [VppRoutePath(self.pg1.remote_ip6,
355 self.pg1.sw_if_index)])
356 map_route.add_vpp_config()
359 # Add a domain that maps from pg0 to pg1
361 map_dst = '2001::/32'
362 map_src = '3000::1/128'
363 client_pfx = '192.168.0.0/16'
364 map_translated_addr = '2001:0:101:7000:0:c0a8:101:7'
366 self.vapi.map_add_domain(ip4_prefix=client_pfx,
375 # Enable MAP on interface.
376 self.vapi.map_if_enable_disable(is_enable=1,
377 sw_if_index=self.pg0.sw_if_index,
380 # Enable inner fragmentation
381 self.vapi.map_param_set_fragmentation(inner=1)
383 v4 = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
384 IP(src=self.pg0.remote_ip4, dst='192.168.1.1') /
385 UDP(sport=20000, dport=10000) /
388 self.pg_send(self.pg0, v4*1)
389 rx = self.pg1.get_capture(2)
391 # 1000-sizeof(ip6_header_t) = 960.
392 frags = fragment_rfc791(v4[1], 960)
400 v6_reply1 = (IPv6(src='3000::1', dst=map_translated_addr, hlim=63) /
402 v6_reply2 = (IPv6(src='3000::1', dst=map_translated_addr, hlim=63) /
408 rx[0][1][IP].chksum = 0
409 rx[1][1][IP].chksum = 0
411 self.validate(rx[0][1], v6_reply1)
412 self.validate(rx[1][1], v6_reply2)
414 def test_map_e_tcp_mss(self):
418 # Add a route to the MAP-BR
420 map_br_pfx = "2001::"
422 map_route = VppIpRoute(self,
425 [VppRoutePath(self.pg1.remote_ip6,
426 self.pg1.sw_if_index)])
427 map_route.add_vpp_config()
430 # Add a domain that maps from pg0 to pg1
432 map_dst = '2001::/32'
433 map_src = '3000::1/128'
434 client_pfx = '192.168.0.0/16'
435 map_translated_addr = '2001:0:101:5000:0:c0a8:101:5'
436 tag = 'MAP-E TCP tag.'
437 self.vapi.map_add_domain(ip4_prefix=client_pfx,
445 # Enable MAP on pg0 interface.
446 self.vapi.map_if_enable_disable(is_enable=1,
447 sw_if_index=self.pg0.sw_if_index,
450 # Enable MAP on pg1 interface.
451 self.vapi.map_if_enable_disable(is_enable=1,
452 sw_if_index=self.pg1.sw_if_index,
457 self.vapi.map_param_set_tcp(mss_clamp)
460 # Send a v4 packet that will be encapped.
462 p_ether = Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
463 p_ip4 = IP(src=self.pg0.remote_ip4, dst='192.168.1.1')
464 p_tcp = TCP(sport=20000, dport=30000, flags="S",
465 options=[("MSS", 1455)])
466 p4 = p_ether / p_ip4 / p_tcp
468 self.pg1.add_stream(p4)
469 self.pg_enable_capture(self.pg_interfaces)
472 rx = self.pg1.get_capture(1)
475 self.assertTrue(rx.haslayer(IPv6))
476 self.assertEqual(rx[IP].src, p4[IP].src)
477 self.assertEqual(rx[IP].dst, p4[IP].dst)
478 self.assertEqual(rx[IPv6].src, "3000::1")
479 self.assertEqual(rx[TCP].options,
480 TCP(options=[('MSS', mss_clamp)]).options)
482 def validate(self, rx, expected):
483 self.assertEqual(rx, expected.__class__(scapy.compat.raw(expected)))
485 def validate_frag6(self, p6_frag, p_ip6_expected):
486 self.assertFalse(p6_frag.haslayer(IP))
487 self.assertTrue(p6_frag.haslayer(IPv6))
488 self.assertTrue(p6_frag.haslayer(IPv6ExtHdrFragment))
489 self.assertEqual(p6_frag[IPv6].src, p_ip6_expected.src)
490 self.assertEqual(p6_frag[IPv6].dst, p_ip6_expected.dst)
492 def validate_frag_payload_len6(self, rx, proto, payload_len_expected):
495 payload_total += p[IPv6].plen
497 # First fragment has proto
498 payload_total -= len(proto())
500 # Every fragment has IPv6 fragment header
501 payload_total -= len(IPv6ExtHdrFragment()) * len(rx)
503 self.assertEqual(payload_total, payload_len_expected)
505 def validate_frag4(self, p4_frag, p_ip4_expected):
506 self.assertFalse(p4_frag.haslayer(IPv6))
507 self.assertTrue(p4_frag.haslayer(IP))
508 self.assertTrue(p4_frag[IP].frag != 0 or p4_frag[IP].flags.MF)
509 self.assertEqual(p4_frag[IP].src, p_ip4_expected.src)
510 self.assertEqual(p4_frag[IP].dst, p_ip4_expected.dst)
512 def validate_frag_payload_len4(self, rx, proto, payload_len_expected):
515 payload_total += len(p[IP].payload)
517 # First fragment has proto
518 payload_total -= len(proto())
520 self.assertEqual(payload_total, payload_len_expected)
522 def payload(self, len):
525 def test_map_t(self):
529 # Add a domain that maps from pg0 to pg1
531 map_dst = '2001:db8::/32'
532 map_src = '1234:5678:90ab:cdef::/64'
533 ip4_pfx = '192.168.0.0/24'
536 self.vapi.map_add_domain(ip6_prefix=map_dst,
545 # Enable MAP-T on interfaces.
546 self.vapi.map_if_enable_disable(is_enable=1,
547 sw_if_index=self.pg0.sw_if_index,
549 self.vapi.map_if_enable_disable(is_enable=1,
550 sw_if_index=self.pg1.sw_if_index,
553 # Ensure MAP doesn't steal all packets!
554 v4 = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
555 IP(src=self.pg0.remote_ip4, dst=self.pg0.remote_ip4) /
556 UDP(sport=20000, dport=10000) /
558 rx = self.send_and_expect(self.pg0, v4*1, self.pg0)
562 self.validate(p[1], v4_reply)
563 # Ensure MAP doesn't steal all packets
564 v6 = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
565 IPv6(src=self.pg1.remote_ip6, dst=self.pg1.remote_ip6) /
566 UDP(sport=20000, dport=10000) /
568 rx = self.send_and_expect(self.pg1, v6*1, self.pg1)
572 self.validate(p[1], v6_reply)
574 map_route = VppIpRoute(self,
577 [VppRoutePath(self.pg1.remote_ip6,
578 self.pg1.sw_if_index,
579 proto=DpoProto.DPO_PROTO_IP6)])
580 map_route.add_vpp_config()
583 # Send a v4 packet that will be translated
585 p_ether = Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
586 p_ip4 = IP(src=self.pg0.remote_ip4, dst='192.168.0.1')
587 payload = TCP(sport=0xabcd, dport=0xabcd)
589 p4 = (p_ether / p_ip4 / payload)
590 p6_translated = (IPv6(src="1234:5678:90ab:cdef:ac:1001:200:0",
591 dst="2001:db8:1f0::c0a8:1:f") / payload)
592 p6_translated.hlim -= 1
593 rx = self.send_and_expect(self.pg0, p4*1, self.pg1)
595 self.validate(p[1], p6_translated)
597 # Send back an IPv6 packet that will be "untranslated"
598 p_ether6 = Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
599 p_ip6 = IPv6(src='2001:db8:1f0::c0a8:1:f',
600 dst='1234:5678:90ab:cdef:ac:1001:200:0')
601 p6 = (p_ether6 / p_ip6 / payload)
602 p4_translated = (IP(src='192.168.0.1',
603 dst=self.pg0.remote_ip4) / payload)
605 p4_translated.ttl -= 1
606 rx = self.send_and_expect(self.pg1, p6*1, self.pg0)
608 self.validate(p[1], p4_translated)
611 ip4_ttl_expired = IP(src=self.pg0.remote_ip4, dst='192.168.0.1', ttl=0)
612 p4 = (p_ether / ip4_ttl_expired / payload)
614 icmp4_reply = (IP(id=0, ttl=254, src=self.pg0.local_ip4,
615 dst=self.pg0.remote_ip4) /
616 ICMP(type='time-exceeded',
617 code='ttl-zero-during-transit') /
618 IP(src=self.pg0.remote_ip4,
619 dst='192.168.0.1', ttl=0) / payload)
620 rx = self.send_and_expect(self.pg0, p4*1, self.pg0)
622 self.validate(p[1], icmp4_reply)
625 ip4_ttl_expired = IP(src=self.pg0.remote_ip4, dst='192.168.0.1', ttl=1)
626 p4 = (p_ether / ip4_ttl_expired / payload)
628 icmp4_reply = (IP(id=0, ttl=254, src=self.pg0.local_ip4,
629 dst=self.pg0.remote_ip4) /
630 ICMP(type='time-exceeded',
631 code='ttl-zero-during-transit') /
632 IP(src=self.pg0.remote_ip4,
633 dst='192.168.0.1', ttl=1) / payload)
634 rx = self.send_and_expect(self.pg0, p4*1, self.pg0)
636 self.validate(p[1], icmp4_reply)
638 # IPv6 Hop limit at BR
639 ip6_hlim_expired = IPv6(hlim=1, src='2001:db8:1ab::c0a8:1:ab',
640 dst='1234:5678:90ab:cdef:ac:1001:200:0')
641 p6 = (p_ether6 / ip6_hlim_expired / payload)
643 icmp6_reply = (IPv6(hlim=255, src=self.pg1.local_ip6,
644 dst="2001:db8:1ab::c0a8:1:ab") /
645 ICMPv6TimeExceeded(code=0) /
646 IPv6(src="2001:db8:1ab::c0a8:1:ab",
647 dst='1234:5678:90ab:cdef:ac:1001:200:0',
649 rx = self.send_and_expect(self.pg1, p6*1, self.pg1)
651 self.validate(p[1], icmp6_reply)
653 # IPv6 Hop limit beyond BR
654 ip6_hlim_expired = IPv6(hlim=0, src='2001:db8:1ab::c0a8:1:ab',
655 dst='1234:5678:90ab:cdef:ac:1001:200:0')
656 p6 = (p_ether6 / ip6_hlim_expired / payload)
658 icmp6_reply = (IPv6(hlim=255, src=self.pg1.local_ip6,
659 dst="2001:db8:1ab::c0a8:1:ab") /
660 ICMPv6TimeExceeded(code=0) /
661 IPv6(src="2001:db8:1ab::c0a8:1:ab",
662 dst='1234:5678:90ab:cdef:ac:1001:200:0',
664 rx = self.send_and_expect(self.pg1, p6*1, self.pg1)
666 self.validate(p[1], icmp6_reply)
668 # IPv4 Well-known port
669 p_ip4 = IP(src=self.pg0.remote_ip4, dst='192.168.0.1')
670 payload = UDP(sport=200, dport=200)
671 p4 = (p_ether / p_ip4 / payload)
672 self.send_and_assert_no_replies(self.pg0, p4*1)
674 # IPv6 Well-known port
675 payload = UDP(sport=200, dport=200)
676 p6 = (p_ether6 / p_ip6 / payload)
677 self.send_and_assert_no_replies(self.pg1, p6*1)
679 # UDP packet fragmentation
681 payload = UDP(sport=40000, dport=4000) / self.payload(payload_len)
682 p4 = (p_ether / p_ip4 / payload)
683 self.pg_enable_capture()
684 self.pg0.add_stream(p4)
686 rx = self.pg1.get_capture(2)
688 p_ip6_translated = IPv6(src='1234:5678:90ab:cdef:ac:1001:200:0',
689 dst='2001:db8:1e0::c0a8:1:e')
691 self.validate_frag6(p, p_ip6_translated)
693 self.validate_frag_payload_len6(rx, UDP, payload_len)
695 # UDP packet fragmentation send fragments
697 payload = UDP(sport=40000, dport=4000) / self.payload(payload_len)
698 p4 = (p_ether / p_ip4 / payload)
699 frags = fragment_rfc791(p4, fragsize=1000)
700 self.pg_enable_capture()
701 self.pg0.add_stream(frags)
703 rx = self.pg1.get_capture(2)
706 self.validate_frag6(p, p_ip6_translated)
708 self.validate_frag_payload_len6(rx, UDP, payload_len)
710 # Send back an fragmented IPv6 UDP packet that will be "untranslated"
711 payload = UDP(sport=4000, dport=40000) / self.payload(payload_len)
712 p_ether6 = Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
713 p_ip6 = IPv6(src='2001:db8:1e0::c0a8:1:e',
714 dst='1234:5678:90ab:cdef:ac:1001:200:0')
715 p6 = (p_ether6 / p_ip6 / payload)
716 frags6 = fragment_rfc8200(p6, identification=0xdcba, fragsize=1000)
718 p_ip4_translated = IP(src='192.168.0.1', dst=self.pg0.remote_ip4)
719 p4_translated = (p_ip4_translated / payload)
721 p4_translated.ttl -= 1
723 self.pg_enable_capture()
724 self.pg1.add_stream(frags6)
726 rx = self.pg0.get_capture(2)
729 self.validate_frag4(p, p4_translated)
731 self.validate_frag_payload_len4(rx, UDP, payload_len)
733 # ICMP packet fragmentation
734 payload = ICMP(id=6529) / self.payload(payload_len)
735 p4 = (p_ether / p_ip4 / payload)
736 self.pg_enable_capture()
737 self.pg0.add_stream(p4)
739 rx = self.pg1.get_capture(2)
741 p_ip6_translated = IPv6(src='1234:5678:90ab:cdef:ac:1001:200:0',
742 dst='2001:db8:160::c0a8:1:6')
744 self.validate_frag6(p, p_ip6_translated)
746 self.validate_frag_payload_len6(rx, ICMPv6EchoRequest, payload_len)
748 # ICMP packet fragmentation send fragments
749 payload = ICMP(id=6529) / self.payload(payload_len)
750 p4 = (p_ether / p_ip4 / payload)
751 frags = fragment_rfc791(p4, fragsize=1000)
752 self.pg_enable_capture()
753 self.pg0.add_stream(frags)
755 rx = self.pg1.get_capture(2)
758 self.validate_frag6(p, p_ip6_translated)
760 self.validate_frag_payload_len6(rx, ICMPv6EchoRequest, payload_len)
763 self.vapi.map_param_set_tcp(1300)
766 # Send a v4 TCP SYN packet that will be translated and MSS clamped
768 p_ether = Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
769 p_ip4 = IP(src=self.pg0.remote_ip4, dst='192.168.0.1')
770 payload = TCP(sport=0xabcd, dport=0xabcd, flags="S",
771 options=[('MSS', 1460)])
773 p4 = (p_ether / p_ip4 / payload)
774 p6_translated = (IPv6(src="1234:5678:90ab:cdef:ac:1001:200:0",
775 dst="2001:db8:1f0::c0a8:1:f") / payload)
776 p6_translated.hlim -= 1
777 p6_translated[TCP].options = [('MSS', 1300)]
778 rx = self.send_and_expect(self.pg0, p4*1, self.pg1)
780 self.validate(p[1], p6_translated)
782 # Send back an IPv6 packet that will be "untranslated"
783 p_ether6 = Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
784 p_ip6 = IPv6(src='2001:db8:1f0::c0a8:1:f',
785 dst='1234:5678:90ab:cdef:ac:1001:200:0')
786 p6 = (p_ether6 / p_ip6 / payload)
787 p4_translated = (IP(src='192.168.0.1',
788 dst=self.pg0.remote_ip4) / payload)
790 p4_translated.ttl -= 1
791 p4_translated[TCP].options = [('MSS', 1300)]
792 rx = self.send_and_expect(self.pg1, p6*1, self.pg0)
794 self.validate(p[1], p4_translated)
796 # TCP MSS clamping cleanup
797 self.vapi.map_param_set_tcp(0)
799 # Enable icmp6 param to get back ICMPv6 unreachable messages in case
800 # of security check fails
801 self.vapi.map_param_set_icmp6(enable_unreachable=1)
803 # Send back an IPv6 packet that will be droppped due to security
805 p_ether6 = Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
806 p_ip6_sec_check_fail = IPv6(src='2001:db8:1fe::c0a8:1:f',
807 dst='1234:5678:90ab:cdef:ac:1001:200:0')
808 payload = TCP(sport=0xabcd, dport=0xabcd)
809 p6 = (p_ether6 / p_ip6_sec_check_fail / payload)
811 self.pg_send(self.pg1, p6*1)
812 self.pg0.get_capture(0, timeout=1)
813 rx = self.pg1.get_capture(1)
815 icmp6_reply = (IPv6(hlim=255, src=self.pg1.local_ip6,
816 dst='2001:db8:1fe::c0a8:1:f') /
817 ICMPv6DestUnreach(code=5) /
818 p_ip6_sec_check_fail / payload)
821 self.validate(p[1], icmp6_reply)
823 # ICMPv6 unreachable messages cleanup
824 self.vapi.map_param_set_icmp6(enable_unreachable=0)
826 def test_map_t_ip6_psid(self):
827 """ MAP-T v6->v4 PSID validation"""
830 # Add a domain that maps from pg0 to pg1
832 map_dst = '2001:db8::/32'
833 map_src = '1234:5678:90ab:cdef::/64'
834 ip4_pfx = '192.168.0.0/24'
835 tag = 'MAP-T Test Domain'
837 self.vapi.map_add_domain(ip6_prefix=map_dst,
846 # Enable MAP-T on interfaces.
847 self.vapi.map_if_enable_disable(is_enable=1,
848 sw_if_index=self.pg0.sw_if_index,
850 self.vapi.map_if_enable_disable(is_enable=1,
851 sw_if_index=self.pg1.sw_if_index,
854 map_route = VppIpRoute(self,
857 [VppRoutePath(self.pg1.remote_ip6,
858 self.pg1.sw_if_index,
859 proto=DpoProto.DPO_PROTO_IP6)])
860 map_route.add_vpp_config()
862 p_ether6 = Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
863 p_ip6 = IPv6(src='2001:db8:1f0::c0a8:1:f',
864 dst='1234:5678:90ab:cdef:ac:1001:200:0')
866 # Send good IPv6 source port, ensure translated IPv4 received
867 payload = TCP(sport=0xabcd, dport=80)
868 p6 = (p_ether6 / p_ip6 / payload)
869 p4_translated = (IP(src='192.168.0.1',
870 dst=self.pg0.remote_ip4) / payload)
872 p4_translated.ttl -= 1
873 rx = self.send_and_expect(self.pg1, p6*1, self.pg0)
875 self.validate(p[1], p4_translated)
877 # Send bad IPv6 source port, ensure translated IPv4 not received
878 payload = TCP(sport=0xdcba, dport=80)
879 p6 = (p_ether6 / p_ip6 / payload)
880 self.send_and_assert_no_replies(self.pg1, p6*1)
882 def test_map_t_pre_resolve(self):
883 """ MAP-T pre-resolve"""
885 # Add a domain that maps from pg0 to pg1
886 map_dst = '2001:db8::/32'
887 map_src = '1234:5678:90ab:cdef::/64'
888 ip4_pfx = '192.168.0.0/24'
889 tag = 'MAP-T Test Domain.'
891 self.vapi.map_add_domain(ip6_prefix=map_dst,
900 # Enable MAP-T on interfaces.
901 self.vapi.map_if_enable_disable(is_enable=1,
902 sw_if_index=self.pg0.sw_if_index,
904 self.vapi.map_if_enable_disable(is_enable=1,
905 sw_if_index=self.pg1.sw_if_index,
908 # Enable pre-resolve option
909 self.vapi.map_param_add_del_pre_resolve(ip4_nh_address="10.1.2.3",
910 ip6_nh_address="4001::1",
913 # Add a route to 4001::1 and expect the translated traffic to be
914 # sent via that route next-hop.
915 pre_res_route6 = VppIpRoute(self, "4001::1", 128,
916 [VppRoutePath(self.pg1.remote_hosts[2].ip6,
917 self.pg1.sw_if_index)])
918 pre_res_route6.add_vpp_config()
920 # Add a route to 10.1.2.3 and expect the "untranslated" traffic to be
921 # sent via that route next-hop.
922 pre_res_route4 = VppIpRoute(self, "10.1.2.3", 32,
923 [VppRoutePath(self.pg0.remote_hosts[1].ip4,
924 self.pg0.sw_if_index)])
925 pre_res_route4.add_vpp_config()
927 # Send an IPv4 packet that will be translated
928 p_ether = Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
929 p_ip4 = IP(src=self.pg0.remote_ip4, dst='192.168.0.1')
930 payload = TCP(sport=0xabcd, dport=0xabcd)
931 p4 = (p_ether / p_ip4 / payload)
933 p6_translated = (IPv6(src="1234:5678:90ab:cdef:ac:1001:200:0",
934 dst="2001:db8:1f0::c0a8:1:f") / payload)
935 p6_translated.hlim -= 1
937 rx = self.send_and_expect(self.pg0, p4*1, self.pg1)
939 self.assertEqual(p[Ether].dst, self.pg1.remote_hosts[2].mac)
940 self.validate(p[1], p6_translated)
942 # Send back an IPv6 packet that will be "untranslated"
943 p_ether6 = Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
944 p_ip6 = IPv6(src='2001:db8:1f0::c0a8:1:f',
945 dst='1234:5678:90ab:cdef:ac:1001:200:0')
946 p6 = (p_ether6 / p_ip6 / payload)
948 p4_translated = (IP(src='192.168.0.1',
949 dst=self.pg0.remote_ip4) / payload)
951 p4_translated.ttl -= 1
953 rx = self.send_and_expect(self.pg1, p6*1, self.pg0)
955 self.assertEqual(p[Ether].dst, self.pg0.remote_hosts[1].mac)
956 self.validate(p[1], p4_translated)
958 # Cleanup pre-resolve option
959 self.vapi.map_param_add_del_pre_resolve(ip4_nh_address="10.1.2.3",
960 ip6_nh_address="4001::1",
964 if __name__ == '__main__':
965 unittest.main(testRunner=VppTestRunner)
Code Review / vpp.git / blob