5 from random import randint, choice
9 from framework import tag_fixme_ubuntu2204, is_distro_ubuntu2204
10 from framework import VppTestCase, VppTestRunner, VppLoInterface
11 from scapy.data import IP_PROTOS
12 from scapy.layers.inet import IP, TCP, UDP, ICMP, GRE
13 from scapy.layers.inet import IPerror, TCPerror
14 from scapy.layers.l2 import Ether
15 from scapy.packet import Raw
16 from syslog_rfc5424_parser import SyslogMessage, ParseError
17 from syslog_rfc5424_parser.constants import SyslogSeverity
18 from util import ppp, pr, ip4_range
19 from vpp_acl import AclRule, VppAcl, VppAclInterface
20 from vpp_ip_route import VppIpRoute, VppRoutePath
21 from vpp_papi import VppEnum
22 from util import StatsDiff
25 class TestNAT44ED(VppTestCase):
26 """NAT44ED Test Case"""
28 nat_addr = "10.0.10.3"
39 tcp_external_port = 80
52 def plugin_enable(self, max_sessions=None):
53 max_sessions = max_sessions or self.max_sessions
54 self.vapi.nat44_ed_plugin_enable_disable(sessions=max_sessions, enable=1)
56 def plugin_disable(self):
57 self.vapi.nat44_ed_plugin_enable_disable(enable=0)
60 def config_flags(self):
61 return VppEnum.vl_api_nat_config_flags_t
64 def nat44_config_flags(self):
65 return VppEnum.vl_api_nat44_config_flags_t
68 def syslog_severity(self):
69 return VppEnum.vl_api_syslog_severity_t
72 def server_addr(self):
73 return self.pg1.remote_hosts[0].ip4
77 return randint(1024, 65535)
80 def proto2layer(proto):
81 if proto == IP_PROTOS.tcp:
83 elif proto == IP_PROTOS.udp:
85 elif proto == IP_PROTOS.icmp:
88 raise Exception("Unsupported protocol")
91 def create_and_add_ip4_table(cls, i, table_id=0):
92 cls.vapi.ip_table_add_del(is_add=1, table={"table_id": table_id})
93 i.set_table_ip4(table_id)
96 def configure_ip4_interface(cls, i, hosts=0, table_id=None):
98 cls.create_and_add_ip4_table(i, table_id)
105 i.generate_remote_hosts(hosts)
106 i.configure_ipv4_neighbors()
109 def nat_add_interface_address(cls, i):
110 cls.vapi.nat44_add_del_interface_addr(sw_if_index=i.sw_if_index, is_add=1)
112 def nat_add_inside_interface(self, i):
113 self.vapi.nat44_interface_add_del_feature(
114 flags=self.config_flags.NAT_IS_INSIDE, sw_if_index=i.sw_if_index, is_add=1
117 def nat_add_outside_interface(self, i):
118 self.vapi.nat44_interface_add_del_feature(
119 flags=self.config_flags.NAT_IS_OUTSIDE, sw_if_index=i.sw_if_index, is_add=1
122 def nat_add_address(self, address, twice_nat=0, vrf_id=0xFFFFFFFF, is_add=1):
123 flags = self.config_flags.NAT_IS_TWICE_NAT if twice_nat else 0
124 self.vapi.nat44_add_del_address_range(
125 first_ip_address=address,
126 last_ip_address=address,
132 def nat_add_static_mapping(
135 external_ip="0.0.0.0",
140 external_sw_if_index=0xFFFFFFFF,
145 if not (local_port and external_port):
146 flags |= self.config_flags.NAT_IS_ADDR_ONLY
148 self.vapi.nat44_add_del_static_mapping(
150 local_ip_address=local_ip,
151 external_ip_address=external_ip,
152 external_sw_if_index=external_sw_if_index,
153 local_port=local_port,
154 external_port=external_port,
164 if is_distro_ubuntu2204 == True and not hasattr(cls, "vpp"):
167 cls.create_pg_interfaces(range(12))
168 cls.interfaces = list(cls.pg_interfaces[:4])
170 cls.create_and_add_ip4_table(cls.pg2, 10)
172 for i in cls.interfaces:
173 cls.configure_ip4_interface(i, hosts=3)
175 # test specific (test-multiple-vrf)
176 cls.vapi.ip_table_add_del(is_add=1, table={"table_id": 1})
178 # test specific (test-one-armed-nat44-static)
179 cls.pg4.generate_remote_hosts(2)
181 cls.vapi.sw_interface_add_del_address(
182 sw_if_index=cls.pg4.sw_if_index, prefix="10.0.0.1/24"
185 cls.pg4.resolve_arp()
186 cls.pg4._remote_hosts[1]._ip4 = cls.pg4._remote_hosts[0]._ip4
187 cls.pg4.resolve_arp()
189 # test specific interface (pg5)
190 cls.pg5._local_ip4 = "10.1.1.1"
191 cls.pg5._remote_hosts[0]._ip4 = "10.1.1.2"
192 cls.pg5.set_table_ip4(1)
195 cls.pg5.resolve_arp()
197 # test specific interface (pg6)
198 cls.pg6._local_ip4 = "10.1.2.1"
199 cls.pg6._remote_hosts[0]._ip4 = "10.1.2.2"
200 cls.pg6.set_table_ip4(1)
203 cls.pg6.resolve_arp()
212 [VppRoutePath("0.0.0.0", 0xFFFFFFFF, nh_table_id=0)],
222 [VppRoutePath(cls.pg1.local_ip4, cls.pg1.sw_if_index)],
231 [VppRoutePath("0.0.0.0", cls.pg5.sw_if_index)],
241 [VppRoutePath("0.0.0.0", cls.pg6.sw_if_index)],
251 [VppRoutePath("0.0.0.0", 0xFFFFFFFF, nh_table_id=1)],
260 cls.no_diff = StatsDiff(
263 "/nat44-ed/in2out/fastpath/tcp": 0,
264 "/nat44-ed/in2out/fastpath/udp": 0,
265 "/nat44-ed/in2out/fastpath/icmp": 0,
266 "/nat44-ed/in2out/fastpath/drops": 0,
267 "/nat44-ed/in2out/slowpath/tcp": 0,
268 "/nat44-ed/in2out/slowpath/udp": 0,
269 "/nat44-ed/in2out/slowpath/icmp": 0,
270 "/nat44-ed/in2out/slowpath/drops": 0,
271 "/nat44-ed/in2out/fastpath/tcp": 0,
272 "/nat44-ed/in2out/fastpath/udp": 0,
273 "/nat44-ed/in2out/fastpath/icmp": 0,
274 "/nat44-ed/in2out/fastpath/drops": 0,
275 "/nat44-ed/in2out/slowpath/tcp": 0,
276 "/nat44-ed/in2out/slowpath/udp": 0,
277 "/nat44-ed/in2out/slowpath/icmp": 0,
278 "/nat44-ed/in2out/slowpath/drops": 0,
280 for pg in cls.pg_interfaces
284 def get_err_counter(self, path):
285 return self.statistics.get_err_counter(path)
287 def reass_hairpinning(
296 layer = self.proto2layer(proto)
298 if proto == IP_PROTOS.tcp:
299 data = b"A" * 4 + b"B" * 16 + b"C" * 3
301 data = b"A" * 16 + b"B" * 16 + b"C" * 3
303 # send packet from host to server
304 pkts = self.create_stream_frag(
305 self.pg0, self.nat_addr, host_in_port, server_out_port, data, proto
307 self.pg0.add_stream(pkts)
308 self.pg_enable_capture(self.pg_interfaces)
310 frags = self.pg0.get_capture(len(pkts))
311 p = self.reass_frags_and_verify(frags, self.nat_addr, server_addr)
312 if proto != IP_PROTOS.icmp:
314 self.assertNotEqual(p[layer].sport, host_in_port)
315 self.assertEqual(p[layer].dport, server_in_port)
318 self.assertNotEqual(p[layer].id, host_in_port)
319 self.assertEqual(data, p[Raw].load)
321 def frag_out_of_order(
322 self, proto=IP_PROTOS.tcp, dont_translate=False, ignore_port=False
324 layer = self.proto2layer(proto)
326 if proto == IP_PROTOS.tcp:
327 data = b"A" * 4 + b"B" * 16 + b"C" * 3
329 data = b"A" * 16 + b"B" * 16 + b"C" * 3
330 self.port_in = self.random_port()
334 pkts = self.create_stream_frag(
335 self.pg0, self.pg1.remote_ip4, self.port_in, 20, data, proto
338 self.pg0.add_stream(pkts)
339 self.pg_enable_capture(self.pg_interfaces)
341 frags = self.pg1.get_capture(len(pkts))
342 if not dont_translate:
343 p = self.reass_frags_and_verify(
344 frags, self.nat_addr, self.pg1.remote_ip4
347 p = self.reass_frags_and_verify(
348 frags, self.pg0.remote_ip4, self.pg1.remote_ip4
350 if proto != IP_PROTOS.icmp:
351 if not dont_translate:
352 self.assertEqual(p[layer].dport, 20)
354 self.assertNotEqual(p[layer].sport, self.port_in)
356 self.assertEqual(p[layer].sport, self.port_in)
359 if not dont_translate:
360 self.assertNotEqual(p[layer].id, self.port_in)
362 self.assertEqual(p[layer].id, self.port_in)
363 self.assertEqual(data, p[Raw].load)
366 if not dont_translate:
367 dst_addr = self.nat_addr
369 dst_addr = self.pg0.remote_ip4
370 if proto != IP_PROTOS.icmp:
372 dport = p[layer].sport
376 pkts = self.create_stream_frag(
377 self.pg1, dst_addr, sport, dport, data, proto, echo_reply=True
380 self.pg1.add_stream(pkts)
381 self.pg_enable_capture(self.pg_interfaces)
382 self.logger.info(self.vapi.cli("show trace"))
384 frags = self.pg0.get_capture(len(pkts))
385 p = self.reass_frags_and_verify(
386 frags, self.pg1.remote_ip4, self.pg0.remote_ip4
388 if proto != IP_PROTOS.icmp:
389 self.assertEqual(p[layer].sport, 20)
390 self.assertEqual(p[layer].dport, self.port_in)
392 self.assertEqual(p[layer].id, self.port_in)
393 self.assertEqual(data, p[Raw].load)
395 def reass_frags_and_verify(self, frags, src, dst):
398 self.assertEqual(p[IP].src, src)
399 self.assertEqual(p[IP].dst, dst)
400 self.assert_ip_checksum_valid(p)
401 buffer.seek(p[IP].frag * 8)
402 buffer.write(bytes(p[IP].payload))
403 ip = IP(src=frags[0][IP].src, dst=frags[0][IP].dst, proto=frags[0][IP].proto)
404 if ip.proto == IP_PROTOS.tcp:
405 p = ip / TCP(buffer.getvalue())
406 self.logger.debug(ppp("Reassembled:", p))
407 self.assert_tcp_checksum_valid(p)
408 elif ip.proto == IP_PROTOS.udp:
409 p = ip / UDP(buffer.getvalue()[:8]) / Raw(buffer.getvalue()[8:])
410 elif ip.proto == IP_PROTOS.icmp:
411 p = ip / ICMP(buffer.getvalue())
415 self, proto=IP_PROTOS.tcp, dont_translate=False, ignore_port=False
417 layer = self.proto2layer(proto)
419 if proto == IP_PROTOS.tcp:
420 data = b"A" * 4 + b"B" * 16 + b"C" * 3
422 data = b"A" * 16 + b"B" * 16 + b"C" * 3
423 self.port_in = self.random_port()
426 pkts = self.create_stream_frag(
427 self.pg0, self.pg1.remote_ip4, self.port_in, 20, data, proto
429 self.pg0.add_stream(pkts)
430 self.pg_enable_capture(self.pg_interfaces)
432 frags = self.pg1.get_capture(len(pkts))
433 if not dont_translate:
434 p = self.reass_frags_and_verify(frags, self.nat_addr, self.pg1.remote_ip4)
436 p = self.reass_frags_and_verify(
437 frags, self.pg0.remote_ip4, self.pg1.remote_ip4
439 if proto != IP_PROTOS.icmp:
440 if not dont_translate:
441 self.assertEqual(p[layer].dport, 20)
443 self.assertNotEqual(p[layer].sport, self.port_in)
445 self.assertEqual(p[layer].sport, self.port_in)
448 if not dont_translate:
449 self.assertNotEqual(p[layer].id, self.port_in)
451 self.assertEqual(p[layer].id, self.port_in)
452 self.assertEqual(data, p[Raw].load)
455 if not dont_translate:
456 dst_addr = self.nat_addr
458 dst_addr = self.pg0.remote_ip4
459 if proto != IP_PROTOS.icmp:
461 dport = p[layer].sport
465 pkts = self.create_stream_frag(
466 self.pg1, dst_addr, sport, dport, data, proto, echo_reply=True
468 self.pg1.add_stream(pkts)
469 self.pg_enable_capture(self.pg_interfaces)
471 frags = self.pg0.get_capture(len(pkts))
472 p = self.reass_frags_and_verify(frags, self.pg1.remote_ip4, self.pg0.remote_ip4)
473 if proto != IP_PROTOS.icmp:
474 self.assertEqual(p[layer].sport, 20)
475 self.assertEqual(p[layer].dport, self.port_in)
477 self.assertEqual(p[layer].id, self.port_in)
478 self.assertEqual(data, p[Raw].load)
480 def verify_capture_out(
481 self, capture, nat_ip=None, same_port=False, dst_ip=None, ignore_port=False
484 nat_ip = self.nat_addr
485 for packet in capture:
487 self.assert_packet_checksums_valid(packet)
488 self.assertEqual(packet[IP].src, nat_ip)
489 if dst_ip is not None:
490 self.assertEqual(packet[IP].dst, dst_ip)
491 if packet.haslayer(TCP):
494 self.assertEqual(packet[TCP].sport, self.tcp_port_in)
496 self.assertNotEqual(packet[TCP].sport, self.tcp_port_in)
497 self.tcp_port_out = packet[TCP].sport
498 self.assert_packet_checksums_valid(packet)
499 elif packet.haslayer(UDP):
502 self.assertEqual(packet[UDP].sport, self.udp_port_in)
504 self.assertNotEqual(packet[UDP].sport, self.udp_port_in)
505 self.udp_port_out = packet[UDP].sport
509 self.assertEqual(packet[ICMP].id, self.icmp_id_in)
511 self.assertNotEqual(packet[ICMP].id, self.icmp_id_in)
512 self.icmp_id_out = packet[ICMP].id
513 self.assert_packet_checksums_valid(packet)
516 ppp("Unexpected or invalid packet (outside network):", packet)
520 def verify_capture_in(self, capture, in_if):
521 for packet in capture:
523 self.assert_packet_checksums_valid(packet)
524 self.assertEqual(packet[IP].dst, in_if.remote_ip4)
525 if packet.haslayer(TCP):
526 self.assertEqual(packet[TCP].dport, self.tcp_port_in)
527 elif packet.haslayer(UDP):
528 self.assertEqual(packet[UDP].dport, self.udp_port_in)
530 self.assertEqual(packet[ICMP].id, self.icmp_id_in)
533 ppp("Unexpected or invalid packet (inside network):", packet)
537 def create_stream_in(self, in_if, out_if, dst_ip=None, ttl=64):
539 dst_ip = out_if.remote_ip4
544 Ether(dst=in_if.local_mac, src=in_if.remote_mac)
545 / IP(src=in_if.remote_ip4, dst=dst_ip, ttl=ttl)
546 / TCP(sport=self.tcp_port_in, dport=20)
552 Ether(dst=in_if.local_mac, src=in_if.remote_mac)
553 / IP(src=in_if.remote_ip4, dst=dst_ip, ttl=ttl)
554 / UDP(sport=self.udp_port_in, dport=20)
560 Ether(dst=in_if.local_mac, src=in_if.remote_mac)
561 / IP(src=in_if.remote_ip4, dst=dst_ip, ttl=ttl)
562 / ICMP(id=self.icmp_id_in, type="echo-request")
568 def create_stream_out(self, out_if, dst_ip=None, ttl=64, use_inside_ports=False):
570 dst_ip = self.nat_addr
571 if not use_inside_ports:
572 tcp_port = self.tcp_port_out
573 udp_port = self.udp_port_out
574 icmp_id = self.icmp_id_out
576 tcp_port = self.tcp_port_in
577 udp_port = self.udp_port_in
578 icmp_id = self.icmp_id_in
582 Ether(dst=out_if.local_mac, src=out_if.remote_mac)
583 / IP(src=out_if.remote_ip4, dst=dst_ip, ttl=ttl)
584 / TCP(dport=tcp_port, sport=20)
590 Ether(dst=out_if.local_mac, src=out_if.remote_mac)
591 / IP(src=out_if.remote_ip4, dst=dst_ip, ttl=ttl)
592 / UDP(dport=udp_port, sport=20)
598 Ether(dst=out_if.local_mac, src=out_if.remote_mac)
599 / IP(src=out_if.remote_ip4, dst=dst_ip, ttl=ttl)
600 / ICMP(id=icmp_id, type="echo-reply")
606 def create_tcp_stream(self, in_if, out_if, count):
610 for i in range(count):
612 Ether(dst=in_if.local_mac, src=in_if.remote_mac)
613 / IP(src=in_if.remote_ip4, dst=out_if.remote_ip4, ttl=64)
614 / TCP(sport=port + i, dport=20)
620 def create_udp_stream(self, in_if, out_if, count, base_port=6303):
623 Ether(dst=in_if.local_mac, src=in_if.remote_mac)
624 / IP(src=in_if.remote_ip4, dst=out_if.remote_ip4, ttl=64)
625 / UDP(sport=base_port + i, dport=20)
627 for i in range(count)
630 def create_stream_frag(
631 self, src_if, dst, sport, dport, data, proto=IP_PROTOS.tcp, echo_reply=False
633 if proto == IP_PROTOS.tcp:
635 IP(src=src_if.remote_ip4, dst=dst)
636 / TCP(sport=sport, dport=dport)
639 p = p.__class__(scapy.compat.raw(p))
640 chksum = p[TCP].chksum
641 proto_header = TCP(sport=sport, dport=dport, chksum=chksum)
642 elif proto == IP_PROTOS.udp:
643 proto_header = UDP(sport=sport, dport=dport)
644 elif proto == IP_PROTOS.icmp:
646 proto_header = ICMP(id=sport, type="echo-request")
648 proto_header = ICMP(id=sport, type="echo-reply")
650 raise Exception("Unsupported protocol")
651 id = self.random_port()
653 if proto == IP_PROTOS.tcp:
656 raw = Raw(data[0:16])
658 Ether(src=src_if.remote_mac, dst=src_if.local_mac)
659 / IP(src=src_if.remote_ip4, dst=dst, flags="MF", frag=0, id=id)
664 if proto == IP_PROTOS.tcp:
665 raw = Raw(data[4:20])
667 raw = Raw(data[16:32])
669 Ether(src=src_if.remote_mac, dst=src_if.local_mac)
670 / IP(src=src_if.remote_ip4, dst=dst, flags="MF", frag=3, id=id, proto=proto)
674 if proto == IP_PROTOS.tcp:
679 Ether(src=src_if.remote_mac, dst=src_if.local_mac)
680 / IP(src=src_if.remote_ip4, dst=dst, frag=5, proto=proto, id=id)
686 def frag_in_order_in_plus_out(
687 self, in_addr, out_addr, in_port, out_port, proto=IP_PROTOS.tcp
689 layer = self.proto2layer(proto)
691 if proto == IP_PROTOS.tcp:
692 data = b"A" * 4 + b"B" * 16 + b"C" * 3
694 data = b"A" * 16 + b"B" * 16 + b"C" * 3
695 port_in = self.random_port()
699 pkts = self.create_stream_frag(
700 self.pg0, out_addr, port_in, out_port, data, proto
702 self.pg0.add_stream(pkts)
703 self.pg_enable_capture(self.pg_interfaces)
705 frags = self.pg1.get_capture(len(pkts))
706 p = self.reass_frags_and_verify(frags, self.pg0.remote_ip4, in_addr)
707 if proto != IP_PROTOS.icmp:
708 self.assertEqual(p[layer].sport, port_in)
709 self.assertEqual(p[layer].dport, in_port)
711 self.assertEqual(p[layer].id, port_in)
712 self.assertEqual(data, p[Raw].load)
715 if proto != IP_PROTOS.icmp:
716 pkts = self.create_stream_frag(
717 self.pg1, self.pg0.remote_ip4, in_port, p[layer].sport, data, proto
720 pkts = self.create_stream_frag(
729 self.pg1.add_stream(pkts)
730 self.pg_enable_capture(self.pg_interfaces)
732 frags = self.pg0.get_capture(len(pkts))
733 p = self.reass_frags_and_verify(frags, out_addr, self.pg0.remote_ip4)
734 if proto != IP_PROTOS.icmp:
735 self.assertEqual(p[layer].sport, out_port)
736 self.assertEqual(p[layer].dport, port_in)
738 self.assertEqual(p[layer].id, port_in)
739 self.assertEqual(data, p[Raw].load)
741 def frag_out_of_order_in_plus_out(
742 self, in_addr, out_addr, in_port, out_port, proto=IP_PROTOS.tcp
744 layer = self.proto2layer(proto)
746 if proto == IP_PROTOS.tcp:
747 data = b"A" * 4 + b"B" * 16 + b"C" * 3
749 data = b"A" * 16 + b"B" * 16 + b"C" * 3
750 port_in = self.random_port()
754 pkts = self.create_stream_frag(
755 self.pg0, out_addr, port_in, out_port, data, proto
758 self.pg0.add_stream(pkts)
759 self.pg_enable_capture(self.pg_interfaces)
761 frags = self.pg1.get_capture(len(pkts))
762 p = self.reass_frags_and_verify(frags, self.pg0.remote_ip4, in_addr)
763 if proto != IP_PROTOS.icmp:
764 self.assertEqual(p[layer].dport, in_port)
765 self.assertEqual(p[layer].sport, port_in)
766 self.assertEqual(p[layer].dport, in_port)
768 self.assertEqual(p[layer].id, port_in)
769 self.assertEqual(data, p[Raw].load)
772 if proto != IP_PROTOS.icmp:
773 pkts = self.create_stream_frag(
774 self.pg1, self.pg0.remote_ip4, in_port, p[layer].sport, data, proto
777 pkts = self.create_stream_frag(
787 self.pg1.add_stream(pkts)
788 self.pg_enable_capture(self.pg_interfaces)
790 frags = self.pg0.get_capture(len(pkts))
791 p = self.reass_frags_and_verify(frags, out_addr, self.pg0.remote_ip4)
792 if proto != IP_PROTOS.icmp:
793 self.assertEqual(p[layer].sport, out_port)
794 self.assertEqual(p[layer].dport, port_in)
796 self.assertEqual(p[layer].id, port_in)
797 self.assertEqual(data, p[Raw].load)
799 def init_tcp_session(self, in_if, out_if, in_port, ext_port):
802 Ether(src=in_if.remote_mac, dst=in_if.local_mac)
803 / IP(src=in_if.remote_ip4, dst=out_if.remote_ip4)
804 / TCP(sport=in_port, dport=ext_port, flags="S")
807 self.pg_enable_capture(self.pg_interfaces)
809 capture = out_if.get_capture(1)
811 out_port = p[TCP].sport
813 # SYN + ACK packet out->in
815 Ether(src=out_if.remote_mac, dst=out_if.local_mac)
816 / IP(src=out_if.remote_ip4, dst=self.nat_addr)
817 / TCP(sport=ext_port, dport=out_port, flags="SA")
820 self.pg_enable_capture(self.pg_interfaces)
826 Ether(src=in_if.remote_mac, dst=in_if.local_mac)
827 / IP(src=in_if.remote_ip4, dst=out_if.remote_ip4)
828 / TCP(sport=in_port, dport=ext_port, flags="A")
831 self.pg_enable_capture(self.pg_interfaces)
833 out_if.get_capture(1)
837 def twice_nat_common(
838 self, self_twice_nat=False, same_pg=False, lb=False, client_id=None
840 twice_nat_addr = "10.0.1.3"
848 port_in1 = port_in + 1
849 port_in2 = port_in + 2
854 server1 = self.pg0.remote_hosts[0]
855 server2 = self.pg0.remote_hosts[1]
867 eh_translate = (not self_twice_nat) or (not lb and same_pg) or client_id == 1
869 self.nat_add_address(self.nat_addr)
870 self.nat_add_address(twice_nat_addr, twice_nat=1)
874 flags |= self.config_flags.NAT_IS_SELF_TWICE_NAT
876 flags |= self.config_flags.NAT_IS_TWICE_NAT
879 self.nat_add_static_mapping(
889 {"addr": server1.ip4, "port": port_in1, "probability": 50, "vrf_id": 0},
890 {"addr": server2.ip4, "port": port_in2, "probability": 50, "vrf_id": 0},
892 out_addr = self.nat_addr
894 self.vapi.nat44_add_del_lb_static_mapping(
897 external_addr=out_addr,
898 external_port=port_out,
899 protocol=IP_PROTOS.tcp,
900 local_num=len(locals),
903 self.nat_add_inside_interface(pg0)
904 self.nat_add_outside_interface(pg1)
910 assert client_id is not None
912 client = self.pg0.remote_hosts[0]
914 client = self.pg0.remote_hosts[1]
916 client = pg1.remote_hosts[0]
918 Ether(src=pg1.remote_mac, dst=pg1.local_mac)
919 / IP(src=client.ip4, dst=self.nat_addr)
920 / TCP(sport=eh_port_out, dport=port_out)
923 self.pg_enable_capture(self.pg_interfaces)
925 capture = pg0.get_capture(1)
931 if ip.dst == server1.ip4:
937 self.assertEqual(ip.dst, server.ip4)
939 self.assertIn(tcp.dport, [port_in1, port_in2])
941 self.assertEqual(tcp.dport, port_in)
943 self.assertEqual(ip.src, twice_nat_addr)
944 self.assertNotEqual(tcp.sport, eh_port_out)
946 self.assertEqual(ip.src, client.ip4)
947 self.assertEqual(tcp.sport, eh_port_out)
949 eh_port_in = tcp.sport
950 saved_port_in = tcp.dport
951 self.assert_packet_checksums_valid(p)
953 self.logger.error(ppp("Unexpected or invalid packet:", p))
957 Ether(src=server.mac, dst=pg0.local_mac)
958 / IP(src=server.ip4, dst=eh_addr_in)
959 / TCP(sport=saved_port_in, dport=eh_port_in)
962 self.pg_enable_capture(self.pg_interfaces)
964 capture = pg1.get_capture(1)
969 self.assertEqual(ip.dst, client.ip4)
970 self.assertEqual(ip.src, self.nat_addr)
971 self.assertEqual(tcp.dport, eh_port_out)
972 self.assertEqual(tcp.sport, port_out)
973 self.assert_packet_checksums_valid(p)
975 self.logger.error(ppp("Unexpected or invalid packet:", p))
979 sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
980 self.assertEqual(len(sessions), 1)
981 self.assertTrue(sessions[0].flags & self.config_flags.NAT_IS_EXT_HOST_VALID)
982 self.assertTrue(sessions[0].flags & self.config_flags.NAT_IS_TWICE_NAT)
983 self.logger.info(self.vapi.cli("show nat44 sessions"))
984 self.vapi.nat44_del_session(
985 address=sessions[0].inside_ip_address,
986 port=sessions[0].inside_port,
987 protocol=sessions[0].protocol,
989 self.config_flags.NAT_IS_INSIDE
990 | self.config_flags.NAT_IS_EXT_HOST_VALID
992 ext_host_address=sessions[0].ext_host_nat_address,
993 ext_host_port=sessions[0].ext_host_nat_port,
995 sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
996 self.assertEqual(len(sessions), 0)
998 def verify_syslog_sess(self, data, msgid, is_ip6=False):
999 message = data.decode("utf-8")
1001 message = SyslogMessage.parse(message)
1002 except ParseError as e:
1003 self.logger.error(e)
1006 self.assertEqual(message.severity, SyslogSeverity.info)
1007 self.assertEqual(message.appname, "NAT")
1008 self.assertEqual(message.msgid, msgid)
1009 sd_params = message.sd.get("nsess")
1010 self.assertTrue(sd_params is not None)
1012 self.assertEqual(sd_params.get("IATYP"), "IPv6")
1013 self.assertEqual(sd_params.get("ISADDR"), self.pg0.remote_ip6)
1015 self.assertEqual(sd_params.get("IATYP"), "IPv4")
1016 self.assertEqual(sd_params.get("ISADDR"), self.pg0.remote_ip4)
1017 self.assertTrue(sd_params.get("SSUBIX") is not None)
1018 self.assertEqual(sd_params.get("ISPORT"), "%d" % self.tcp_port_in)
1019 self.assertEqual(sd_params.get("XATYP"), "IPv4")
1020 self.assertEqual(sd_params.get("XSADDR"), self.nat_addr)
1021 self.assertEqual(sd_params.get("XSPORT"), "%d" % self.tcp_port_out)
1022 self.assertEqual(sd_params.get("PROTO"), "%d" % IP_PROTOS.tcp)
1023 self.assertEqual(sd_params.get("SVLAN"), "0")
1024 self.assertEqual(sd_params.get("XDADDR"), self.pg1.remote_ip4)
1025 self.assertEqual(sd_params.get("XDPORT"), "%d" % self.tcp_external_port)
1027 def test_icmp_error(self):
1028 """NAT44ED test ICMP error message with inner header"""
1032 self.nat_add_address(self.nat_addr)
1033 self.nat_add_inside_interface(self.pg0)
1034 self.nat_add_outside_interface(self.pg1)
1036 # in2out (initiate connection)
1038 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
1039 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
1040 / UDP(sport=21, dport=20)
1042 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
1043 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
1044 / TCP(sport=21, dport=20, flags="S")
1046 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
1047 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
1048 / ICMP(type="echo-request", id=7777)
1052 capture = self.send_and_expect(self.pg0, p1, self.pg1)
1054 # out2in (send error message)
1056 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
1057 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
1058 / ICMP(type="dest-unreach", code="port-unreachable")
1063 capture = self.send_and_expect(self.pg1, p2, self.pg0)
1067 assert c[IP].dst == self.pg0.remote_ip4
1068 assert c[IPerror].src == self.pg0.remote_ip4
1069 except AssertionError as a:
1070 raise AssertionError(f"Packet {pr(c)} not translated properly") from a
1072 def test_icmp_echo_reply_trailer(self):
1073 """ICMP echo reply with ethernet trailer"""
1075 self.nat_add_address(self.nat_addr)
1076 self.nat_add_inside_interface(self.pg0)
1077 self.nat_add_outside_interface(self.pg1)
1081 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
1082 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
1083 / ICMP(type=8, id=0xABCD, seq=0)
1086 self.pg0.add_stream(p1)
1087 self.pg_enable_capture(self.pg_interfaces)
1089 c = self.pg1.get_capture(1)[0]
1091 self.logger.debug(self.vapi.cli("show trace"))
1095 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
1096 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr, id=0xEE59)
1097 / ICMP(type=0, id=c[ICMP].id, seq=0)
1100 # force checksum calculation
1101 p2 = p2.__class__(bytes(p2))
1103 self.logger.debug(ppp("Packet before modification:", p2))
1105 # hex representation of vss monitoring ethernet trailer
1106 # this seems to be just added to end of packet without modifying
1107 # IP or ICMP lengths / checksums
1108 p2 = p2 / Raw("\x00\x00\x52\x54\x00\x46\xab\x04\x84\x18")
1109 # change it so that IP/ICMP is unaffected
1112 self.logger.debug(ppp("Packet with added trailer:", p2))
1114 self.pg1.add_stream(p2)
1115 self.pg_enable_capture(self.pg_interfaces)
1118 self.pg0.get_capture(1)
1120 def test_users_dump(self):
1121 """NAT44ED API test - nat44_user_dump"""
1123 self.nat_add_address(self.nat_addr)
1124 self.nat_add_inside_interface(self.pg0)
1125 self.nat_add_outside_interface(self.pg1)
1127 self.vapi.nat44_forwarding_enable_disable(enable=1)
1129 local_ip = self.pg0.remote_ip4
1130 external_ip = self.nat_addr
1131 self.nat_add_static_mapping(local_ip, external_ip)
1133 users = self.vapi.nat44_user_dump()
1134 self.assertEqual(len(users), 0)
1136 # in2out - static mapping match
1138 pkts = self.create_stream_out(self.pg1)
1139 self.pg1.add_stream(pkts)
1140 self.pg_enable_capture(self.pg_interfaces)
1142 capture = self.pg0.get_capture(len(pkts))
1143 self.verify_capture_in(capture, self.pg0)
1145 pkts = self.create_stream_in(self.pg0, self.pg1)
1146 self.pg0.add_stream(pkts)
1147 self.pg_enable_capture(self.pg_interfaces)
1149 capture = self.pg1.get_capture(len(pkts))
1150 self.verify_capture_out(capture, same_port=True)
1152 users = self.vapi.nat44_user_dump()
1153 self.assertEqual(len(users), 1)
1154 static_user = users[0]
1155 self.assertEqual(static_user.nstaticsessions, 3)
1156 self.assertEqual(static_user.nsessions, 0)
1158 # in2out - no static mapping match (forwarding test)
1160 host0 = self.pg0.remote_hosts[0]
1161 self.pg0.remote_hosts[0] = self.pg0.remote_hosts[1]
1163 pkts = self.create_stream_out(
1164 self.pg1, dst_ip=self.pg0.remote_ip4, use_inside_ports=True
1166 self.pg1.add_stream(pkts)
1167 self.pg_enable_capture(self.pg_interfaces)
1169 capture = self.pg0.get_capture(len(pkts))
1170 self.verify_capture_in(capture, self.pg0)
1172 pkts = self.create_stream_in(self.pg0, self.pg1)
1173 self.pg0.add_stream(pkts)
1174 self.pg_enable_capture(self.pg_interfaces)
1176 capture = self.pg1.get_capture(len(pkts))
1177 self.verify_capture_out(capture, nat_ip=self.pg0.remote_ip4, same_port=True)
1179 self.pg0.remote_hosts[0] = host0
1181 users = self.vapi.nat44_user_dump()
1182 self.assertEqual(len(users), 2)
1183 if str(users[0].ip_address) == self.pg0.remote_hosts[0].ip4:
1184 non_static_user = users[1]
1185 static_user = users[0]
1187 non_static_user = users[0]
1188 static_user = users[1]
1189 self.assertEqual(static_user.nstaticsessions, 3)
1190 self.assertEqual(static_user.nsessions, 0)
1191 self.assertEqual(non_static_user.nstaticsessions, 0)
1192 self.assertEqual(non_static_user.nsessions, 3)
1194 users = self.vapi.nat44_user_dump()
1195 self.assertEqual(len(users), 2)
1196 if str(users[0].ip_address) == self.pg0.remote_hosts[0].ip4:
1197 non_static_user = users[1]
1198 static_user = users[0]
1200 non_static_user = users[0]
1201 static_user = users[1]
1202 self.assertEqual(static_user.nstaticsessions, 3)
1203 self.assertEqual(static_user.nsessions, 0)
1204 self.assertEqual(non_static_user.nstaticsessions, 0)
1205 self.assertEqual(non_static_user.nsessions, 3)
1207 def test_frag_out_of_order_do_not_translate(self):
1208 """NAT44ED don't translate fragments arriving out of order"""
1209 self.nat_add_inside_interface(self.pg0)
1210 self.nat_add_outside_interface(self.pg1)
1211 self.vapi.nat44_forwarding_enable_disable(enable=True)
1212 self.frag_out_of_order(proto=IP_PROTOS.tcp, dont_translate=True)
1214 def test_forwarding(self):
1215 """NAT44ED forwarding test"""
1217 self.nat_add_inside_interface(self.pg0)
1218 self.nat_add_outside_interface(self.pg1)
1219 self.vapi.nat44_forwarding_enable_disable(enable=1)
1221 real_ip = self.pg0.remote_ip4
1222 alias_ip = self.nat_addr
1223 flags = self.config_flags.NAT_IS_ADDR_ONLY
1224 self.vapi.nat44_add_del_static_mapping(
1226 local_ip_address=real_ip,
1227 external_ip_address=alias_ip,
1228 external_sw_if_index=0xFFFFFFFF,
1233 # in2out - static mapping match
1235 pkts = self.create_stream_out(self.pg1)
1236 self.pg1.add_stream(pkts)
1237 self.pg_enable_capture(self.pg_interfaces)
1239 capture = self.pg0.get_capture(len(pkts))
1240 self.verify_capture_in(capture, self.pg0)
1242 pkts = self.create_stream_in(self.pg0, self.pg1)
1243 self.pg0.add_stream(pkts)
1244 self.pg_enable_capture(self.pg_interfaces)
1246 capture = self.pg1.get_capture(len(pkts))
1247 self.verify_capture_out(capture, same_port=True)
1249 # in2out - no static mapping match
1251 host0 = self.pg0.remote_hosts[0]
1252 self.pg0.remote_hosts[0] = self.pg0.remote_hosts[1]
1254 pkts = self.create_stream_out(
1255 self.pg1, dst_ip=self.pg0.remote_ip4, use_inside_ports=True
1257 self.pg1.add_stream(pkts)
1258 self.pg_enable_capture(self.pg_interfaces)
1260 capture = self.pg0.get_capture(len(pkts))
1261 self.verify_capture_in(capture, self.pg0)
1263 pkts = self.create_stream_in(self.pg0, self.pg1)
1264 self.pg0.add_stream(pkts)
1265 self.pg_enable_capture(self.pg_interfaces)
1267 capture = self.pg1.get_capture(len(pkts))
1268 self.verify_capture_out(
1269 capture, nat_ip=self.pg0.remote_ip4, same_port=True
1272 self.pg0.remote_hosts[0] = host0
1274 user = self.pg0.remote_hosts[1]
1275 sessions = self.vapi.nat44_user_session_dump(user.ip4, 0)
1276 self.assertEqual(len(sessions), 3)
1277 self.assertTrue(sessions[0].flags & self.config_flags.NAT_IS_EXT_HOST_VALID)
1278 self.vapi.nat44_del_session(
1279 address=sessions[0].inside_ip_address,
1280 port=sessions[0].inside_port,
1281 protocol=sessions[0].protocol,
1283 self.config_flags.NAT_IS_INSIDE
1284 | self.config_flags.NAT_IS_EXT_HOST_VALID
1286 ext_host_address=sessions[0].ext_host_address,
1287 ext_host_port=sessions[0].ext_host_port,
1289 sessions = self.vapi.nat44_user_session_dump(user.ip4, 0)
1290 self.assertEqual(len(sessions), 2)
1293 self.vapi.nat44_forwarding_enable_disable(enable=0)
1294 flags = self.config_flags.NAT_IS_ADDR_ONLY
1295 self.vapi.nat44_add_del_static_mapping(
1297 local_ip_address=real_ip,
1298 external_ip_address=alias_ip,
1299 external_sw_if_index=0xFFFFFFFF,
1303 def test_output_feature_and_service2(self):
1304 """NAT44ED interface output feature and service host direct access"""
1305 self.vapi.nat44_forwarding_enable_disable(enable=1)
1306 self.nat_add_address(self.nat_addr)
1308 self.vapi.nat44_ed_add_del_output_interface(
1309 sw_if_index=self.pg1.sw_if_index, is_add=1
1312 # session initiated from service host - translate
1313 pkts = self.create_stream_in(self.pg0, self.pg1)
1314 self.pg0.add_stream(pkts)
1315 self.pg_enable_capture(self.pg_interfaces)
1317 capture = self.pg1.get_capture(len(pkts))
1318 self.verify_capture_out(capture, ignore_port=True)
1320 pkts = self.create_stream_out(self.pg1)
1321 self.pg1.add_stream(pkts)
1322 self.pg_enable_capture(self.pg_interfaces)
1324 capture = self.pg0.get_capture(len(pkts))
1325 self.verify_capture_in(capture, self.pg0)
1327 # session initiated from remote host - do not translate
1328 tcp_port_in = self.tcp_port_in
1329 udp_port_in = self.udp_port_in
1330 icmp_id_in = self.icmp_id_in
1332 self.tcp_port_in = 60303
1333 self.udp_port_in = 60304
1334 self.icmp_id_in = 60305
1337 pkts = self.create_stream_out(
1338 self.pg1, self.pg0.remote_ip4, use_inside_ports=True
1340 self.pg1.add_stream(pkts)
1341 self.pg_enable_capture(self.pg_interfaces)
1343 capture = self.pg0.get_capture(len(pkts))
1344 self.verify_capture_in(capture, self.pg0)
1346 pkts = self.create_stream_in(self.pg0, self.pg1)
1347 self.pg0.add_stream(pkts)
1348 self.pg_enable_capture(self.pg_interfaces)
1350 capture = self.pg1.get_capture(len(pkts))
1351 self.verify_capture_out(capture, nat_ip=self.pg0.remote_ip4, same_port=True)
1353 self.tcp_port_in = tcp_port_in
1354 self.udp_port_in = udp_port_in
1355 self.icmp_id_in = icmp_id_in
1357 def test_twice_nat(self):
1358 """NAT44ED Twice NAT"""
1359 self.twice_nat_common()
1361 def test_self_twice_nat_positive(self):
1362 """NAT44ED Self Twice NAT (positive test)"""
1363 self.twice_nat_common(self_twice_nat=True, same_pg=True)
1365 def test_self_twice_nat_lb_positive(self):
1366 """NAT44ED Self Twice NAT local service load balancing (positive test)"""
1367 self.twice_nat_common(lb=True, self_twice_nat=True, same_pg=True, client_id=1)
1369 def test_twice_nat_lb(self):
1370 """NAT44ED Twice NAT local service load balancing"""
1371 self.twice_nat_common(lb=True)
1373 def test_output_feature(self):
1374 """NAT44ED interface output feature (in2out postrouting)"""
1375 self.vapi.nat44_forwarding_enable_disable(enable=1)
1376 self.nat_add_address(self.nat_addr)
1378 self.nat_add_outside_interface(self.pg0)
1379 self.vapi.nat44_ed_add_del_output_interface(
1380 sw_if_index=self.pg1.sw_if_index, is_add=1
1384 pkts = self.create_stream_in(self.pg0, self.pg1)
1385 self.pg0.add_stream(pkts)
1386 self.pg_enable_capture(self.pg_interfaces)
1388 capture = self.pg1.get_capture(len(pkts))
1389 self.verify_capture_out(capture, ignore_port=True)
1390 self.logger.debug(self.vapi.cli("show trace"))
1393 pkts = self.create_stream_out(self.pg1)
1394 self.pg1.add_stream(pkts)
1395 self.pg_enable_capture(self.pg_interfaces)
1397 capture = self.pg0.get_capture(len(pkts))
1398 self.verify_capture_in(capture, self.pg0)
1399 self.logger.debug(self.vapi.cli("show trace"))
1402 pkts = self.create_stream_in(self.pg0, self.pg1, ttl=2)
1403 self.pg0.add_stream(pkts)
1404 self.pg_enable_capture(self.pg_interfaces)
1406 capture = self.pg1.get_capture(len(pkts))
1407 self.verify_capture_out(capture, ignore_port=True)
1408 self.logger.debug(self.vapi.cli("show trace"))
1411 pkts = self.create_stream_out(self.pg1, ttl=2)
1412 self.pg1.add_stream(pkts)
1413 self.pg_enable_capture(self.pg_interfaces)
1415 capture = self.pg0.get_capture(len(pkts))
1416 self.verify_capture_in(capture, self.pg0)
1417 self.logger.debug(self.vapi.cli("show trace"))
1420 pkts = self.create_stream_in(self.pg0, self.pg1, ttl=1)
1421 capture = self.send_and_expect_some(self.pg0, pkts, self.pg0)
1423 self.assertIn(ICMP, p)
1424 self.assertEqual(p[ICMP].type, 11) # 11 == time-exceeded
1426 def test_static_with_port_out2(self):
1427 """NAT44ED 1:1 NAPT asymmetrical rule"""
1432 self.vapi.nat44_forwarding_enable_disable(enable=1)
1433 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
1434 self.nat_add_static_mapping(
1435 self.pg0.remote_ip4,
1439 proto=IP_PROTOS.tcp,
1443 self.nat_add_inside_interface(self.pg0)
1444 self.nat_add_outside_interface(self.pg1)
1446 # from client to service
1448 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
1449 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
1450 / TCP(sport=12345, dport=external_port)
1452 self.pg1.add_stream(p)
1453 self.pg_enable_capture(self.pg_interfaces)
1455 capture = self.pg0.get_capture(1)
1460 self.assertEqual(ip.dst, self.pg0.remote_ip4)
1461 self.assertEqual(tcp.dport, local_port)
1462 self.assert_packet_checksums_valid(p)
1464 self.logger.error(ppp("Unexpected or invalid packet:", p))
1469 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
1470 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
1474 self.pg0.add_stream(p)
1475 self.pg_enable_capture(self.pg_interfaces)
1477 capture = self.pg1.get_capture(1)
1480 self.assertEqual(p[IP].src, self.nat_addr)
1482 self.assertEqual(inner.dst, self.nat_addr)
1483 self.assertEqual(inner[TCPerror].dport, external_port)
1485 self.logger.error(ppp("Unexpected or invalid packet:", p))
1488 # from service back to client
1490 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
1491 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
1492 / TCP(sport=local_port, dport=12345)
1494 self.pg0.add_stream(p)
1495 self.pg_enable_capture(self.pg_interfaces)
1497 capture = self.pg1.get_capture(1)
1502 self.assertEqual(ip.src, self.nat_addr)
1503 self.assertEqual(tcp.sport, external_port)
1504 self.assert_packet_checksums_valid(p)
1506 self.logger.error(ppp("Unexpected or invalid packet:", p))
1511 Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
1512 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
1516 self.pg1.add_stream(p)
1517 self.pg_enable_capture(self.pg_interfaces)
1519 capture = self.pg0.get_capture(1)
1522 self.assertEqual(p[IP].dst, self.pg0.remote_ip4)
1524 self.assertEqual(inner.src, self.pg0.remote_ip4)
1525 self.assertEqual(inner[TCPerror].sport, local_port)
1527 self.logger.error(ppp("Unexpected or invalid packet:", p))
1530 # from client to server (no translation)
1532 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
1533 / IP(src=self.pg1.remote_ip4, dst=self.pg0.remote_ip4)
1534 / TCP(sport=12346, dport=local_port)
1536 self.pg1.add_stream(p)
1537 self.pg_enable_capture(self.pg_interfaces)
1539 capture = self.pg0.get_capture(1)
1544 self.assertEqual(ip.dst, self.pg0.remote_ip4)
1545 self.assertEqual(tcp.dport, local_port)
1546 self.assert_packet_checksums_valid(p)
1548 self.logger.error(ppp("Unexpected or invalid packet:", p))
1551 # from service back to client (no translation)
1553 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
1554 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
1555 / TCP(sport=local_port, dport=12346)
1557 self.pg0.add_stream(p)
1558 self.pg_enable_capture(self.pg_interfaces)
1560 capture = self.pg1.get_capture(1)
1565 self.assertEqual(ip.src, self.pg0.remote_ip4)
1566 self.assertEqual(tcp.sport, local_port)
1567 self.assert_packet_checksums_valid(p)
1569 self.logger.error(ppp("Unexpected or invalid packet:", p))
1572 def test_static_lb(self):
1573 """NAT44ED local service load balancing"""
1574 external_addr_n = self.nat_addr
1577 server1 = self.pg0.remote_hosts[0]
1578 server2 = self.pg0.remote_hosts[1]
1581 {"addr": server1.ip4, "port": local_port, "probability": 70, "vrf_id": 0},
1582 {"addr": server2.ip4, "port": local_port, "probability": 30, "vrf_id": 0},
1585 self.nat_add_address(self.nat_addr)
1586 self.vapi.nat44_add_del_lb_static_mapping(
1588 external_addr=external_addr_n,
1589 external_port=external_port,
1590 protocol=IP_PROTOS.tcp,
1591 local_num=len(locals),
1594 flags = self.config_flags.NAT_IS_INSIDE
1595 self.vapi.nat44_interface_add_del_feature(
1596 sw_if_index=self.pg0.sw_if_index, flags=flags, is_add=1
1598 self.vapi.nat44_interface_add_del_feature(
1599 sw_if_index=self.pg1.sw_if_index, is_add=1
1602 # from client to service
1604 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
1605 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
1606 / TCP(sport=12345, dport=external_port)
1608 self.pg1.add_stream(p)
1609 self.pg_enable_capture(self.pg_interfaces)
1611 capture = self.pg0.get_capture(1)
1617 self.assertIn(ip.dst, [server1.ip4, server2.ip4])
1618 if ip.dst == server1.ip4:
1622 self.assertEqual(tcp.dport, local_port)
1623 self.assert_packet_checksums_valid(p)
1625 self.logger.error(ppp("Unexpected or invalid packet:", p))
1628 # from service back to client
1630 Ether(src=server.mac, dst=self.pg0.local_mac)
1631 / IP(src=server.ip4, dst=self.pg1.remote_ip4)
1632 / TCP(sport=local_port, dport=12345)
1634 self.pg0.add_stream(p)
1635 self.pg_enable_capture(self.pg_interfaces)
1637 capture = self.pg1.get_capture(1)
1642 self.assertEqual(ip.src, self.nat_addr)
1643 self.assertEqual(tcp.sport, external_port)
1644 self.assert_packet_checksums_valid(p)
1646 self.logger.error(ppp("Unexpected or invalid packet:", p))
1649 sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
1650 self.assertEqual(len(sessions), 1)
1651 self.assertTrue(sessions[0].flags & self.config_flags.NAT_IS_EXT_HOST_VALID)
1652 self.vapi.nat44_del_session(
1653 address=sessions[0].inside_ip_address,
1654 port=sessions[0].inside_port,
1655 protocol=sessions[0].protocol,
1657 self.config_flags.NAT_IS_INSIDE
1658 | self.config_flags.NAT_IS_EXT_HOST_VALID
1660 ext_host_address=sessions[0].ext_host_address,
1661 ext_host_port=sessions[0].ext_host_port,
1663 sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
1664 self.assertEqual(len(sessions), 0)
1666 def test_static_lb_2(self):
1667 """NAT44ED local service load balancing (asymmetrical rule)"""
1668 external_addr = self.nat_addr
1671 server1 = self.pg0.remote_hosts[0]
1672 server2 = self.pg0.remote_hosts[1]
1675 {"addr": server1.ip4, "port": local_port, "probability": 70, "vrf_id": 0},
1676 {"addr": server2.ip4, "port": local_port, "probability": 30, "vrf_id": 0},
1679 self.vapi.nat44_forwarding_enable_disable(enable=1)
1680 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
1681 self.vapi.nat44_add_del_lb_static_mapping(
1684 external_addr=external_addr,
1685 external_port=external_port,
1686 protocol=IP_PROTOS.tcp,
1687 local_num=len(locals),
1690 flags = self.config_flags.NAT_IS_INSIDE
1691 self.vapi.nat44_interface_add_del_feature(
1692 sw_if_index=self.pg0.sw_if_index, flags=flags, is_add=1
1694 self.vapi.nat44_interface_add_del_feature(
1695 sw_if_index=self.pg1.sw_if_index, is_add=1
1698 # from client to service
1700 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
1701 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
1702 / TCP(sport=12345, dport=external_port)
1704 self.pg1.add_stream(p)
1705 self.pg_enable_capture(self.pg_interfaces)
1707 capture = self.pg0.get_capture(1)
1713 self.assertIn(ip.dst, [server1.ip4, server2.ip4])
1714 if ip.dst == server1.ip4:
1718 self.assertEqual(tcp.dport, local_port)
1719 self.assert_packet_checksums_valid(p)
1721 self.logger.error(ppp("Unexpected or invalid packet:", p))
1724 # from service back to client
1726 Ether(src=server.mac, dst=self.pg0.local_mac)
1727 / IP(src=server.ip4, dst=self.pg1.remote_ip4)
1728 / TCP(sport=local_port, dport=12345)
1730 self.pg0.add_stream(p)
1731 self.pg_enable_capture(self.pg_interfaces)
1733 capture = self.pg1.get_capture(1)
1738 self.assertEqual(ip.src, self.nat_addr)
1739 self.assertEqual(tcp.sport, external_port)
1740 self.assert_packet_checksums_valid(p)
1742 self.logger.error(ppp("Unexpected or invalid packet:", p))
1745 # from client to server (no translation)
1747 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
1748 / IP(src=self.pg1.remote_ip4, dst=server1.ip4)
1749 / TCP(sport=12346, dport=local_port)
1751 self.pg1.add_stream(p)
1752 self.pg_enable_capture(self.pg_interfaces)
1754 capture = self.pg0.get_capture(1)
1760 self.assertEqual(ip.dst, server1.ip4)
1761 self.assertEqual(tcp.dport, local_port)
1762 self.assert_packet_checksums_valid(p)
1764 self.logger.error(ppp("Unexpected or invalid packet:", p))
1767 # from service back to client (no translation)
1769 Ether(src=server1.mac, dst=self.pg0.local_mac)
1770 / IP(src=server1.ip4, dst=self.pg1.remote_ip4)
1771 / TCP(sport=local_port, dport=12346)
1773 self.pg0.add_stream(p)
1774 self.pg_enable_capture(self.pg_interfaces)
1776 capture = self.pg1.get_capture(1)
1781 self.assertEqual(ip.src, server1.ip4)
1782 self.assertEqual(tcp.sport, local_port)
1783 self.assert_packet_checksums_valid(p)
1785 self.logger.error(ppp("Unexpected or invalid packet:", p))
1788 def test_lb_affinity(self):
1789 """NAT44ED local service load balancing affinity"""
1790 external_addr = self.nat_addr
1793 server1 = self.pg0.remote_hosts[0]
1794 server2 = self.pg0.remote_hosts[1]
1797 {"addr": server1.ip4, "port": local_port, "probability": 50, "vrf_id": 0},
1798 {"addr": server2.ip4, "port": local_port, "probability": 50, "vrf_id": 0},
1801 self.nat_add_address(self.nat_addr)
1802 self.vapi.nat44_add_del_lb_static_mapping(
1804 external_addr=external_addr,
1805 external_port=external_port,
1806 protocol=IP_PROTOS.tcp,
1808 local_num=len(locals),
1811 flags = self.config_flags.NAT_IS_INSIDE
1812 self.vapi.nat44_interface_add_del_feature(
1813 sw_if_index=self.pg0.sw_if_index, flags=flags, is_add=1
1815 self.vapi.nat44_interface_add_del_feature(
1816 sw_if_index=self.pg1.sw_if_index, is_add=1
1820 Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
1821 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
1822 / TCP(sport=1025, dport=external_port)
1824 self.pg1.add_stream(p)
1825 self.pg_enable_capture(self.pg_interfaces)
1827 capture = self.pg0.get_capture(1)
1828 backend = capture[0][IP].dst
1830 sessions = self.vapi.nat44_user_session_dump(backend, 0)
1831 self.assertEqual(len(sessions), 1)
1832 self.assertTrue(sessions[0].flags & self.config_flags.NAT_IS_EXT_HOST_VALID)
1833 self.vapi.nat44_del_session(
1834 address=sessions[0].inside_ip_address,
1835 port=sessions[0].inside_port,
1836 protocol=sessions[0].protocol,
1838 self.config_flags.NAT_IS_INSIDE
1839 | self.config_flags.NAT_IS_EXT_HOST_VALID
1841 ext_host_address=sessions[0].ext_host_address,
1842 ext_host_port=sessions[0].ext_host_port,
1846 for port in range(1030, 1100):
1848 Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
1849 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
1850 / TCP(sport=port, dport=external_port)
1853 self.pg1.add_stream(pkts)
1854 self.pg_enable_capture(self.pg_interfaces)
1856 capture = self.pg0.get_capture(len(pkts))
1858 self.assertEqual(p[IP].dst, backend)
1860 def test_multiple_vrf_1(self):
1861 """Multiple VRF - both client & service in VRF1"""
1863 external_addr = "1.2.3.4"
1868 flags = self.config_flags.NAT_IS_INSIDE
1869 self.vapi.nat44_interface_add_del_feature(
1870 sw_if_index=self.pg5.sw_if_index, is_add=1
1872 self.vapi.nat44_interface_add_del_feature(
1873 sw_if_index=self.pg5.sw_if_index, is_add=1, flags=flags
1875 self.vapi.nat44_interface_add_del_feature(
1876 sw_if_index=self.pg6.sw_if_index, is_add=1
1878 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
1879 self.nat_add_static_mapping(
1880 self.pg5.remote_ip4,
1885 proto=IP_PROTOS.tcp,
1890 Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac)
1891 / IP(src=self.pg6.remote_ip4, dst=external_addr)
1892 / TCP(sport=12345, dport=external_port)
1894 self.pg6.add_stream(p)
1895 self.pg_enable_capture(self.pg_interfaces)
1897 capture = self.pg5.get_capture(1)
1902 self.assertEqual(ip.dst, self.pg5.remote_ip4)
1903 self.assertEqual(tcp.dport, local_port)
1904 self.assert_packet_checksums_valid(p)
1906 self.logger.error(ppp("Unexpected or invalid packet:", p))
1910 Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac)
1911 / IP(src=self.pg5.remote_ip4, dst=self.pg6.remote_ip4)
1912 / TCP(sport=local_port, dport=12345)
1914 self.pg5.add_stream(p)
1915 self.pg_enable_capture(self.pg_interfaces)
1917 capture = self.pg6.get_capture(1)
1922 self.assertEqual(ip.src, external_addr)
1923 self.assertEqual(tcp.sport, external_port)
1924 self.assert_packet_checksums_valid(p)
1926 self.logger.error(ppp("Unexpected or invalid packet:", p))
1929 def test_multiple_vrf_2(self):
1930 """Multiple VRF - dynamic NAT from VRF1 to VRF0 (output-feature)"""
1932 external_addr = "1.2.3.4"
1937 self.nat_add_address(self.nat_addr)
1938 flags = self.config_flags.NAT_IS_INSIDE
1939 self.vapi.nat44_ed_add_del_output_interface(
1940 sw_if_index=self.pg1.sw_if_index, is_add=1
1942 self.vapi.nat44_interface_add_del_feature(
1943 sw_if_index=self.pg5.sw_if_index, is_add=1
1945 self.vapi.nat44_interface_add_del_feature(
1946 sw_if_index=self.pg5.sw_if_index, is_add=1, flags=flags
1948 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
1949 self.nat_add_static_mapping(
1950 self.pg5.remote_ip4,
1955 proto=IP_PROTOS.tcp,
1960 Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac)
1961 / IP(src=self.pg5.remote_ip4, dst=self.pg1.remote_ip4)
1962 / TCP(sport=2345, dport=22)
1964 self.pg5.add_stream(p)
1965 self.pg_enable_capture(self.pg_interfaces)
1967 capture = self.pg1.get_capture(1)
1972 self.assertEqual(ip.src, self.nat_addr)
1973 self.assert_packet_checksums_valid(p)
1976 self.logger.error(ppp("Unexpected or invalid packet:", p))
1980 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
1981 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
1982 / TCP(sport=22, dport=port)
1984 self.pg1.add_stream(p)
1985 self.pg_enable_capture(self.pg_interfaces)
1987 capture = self.pg5.get_capture(1)
1992 self.assertEqual(ip.dst, self.pg5.remote_ip4)
1993 self.assertEqual(tcp.dport, 2345)
1994 self.assert_packet_checksums_valid(p)
1996 self.logger.error(ppp("Unexpected or invalid packet:", p))
1999 def test_multiple_vrf_3(self):
2000 """Multiple VRF - client in VRF1, service in VRF0"""
2002 external_addr = "1.2.3.4"
2007 flags = self.config_flags.NAT_IS_INSIDE
2008 self.vapi.nat44_interface_add_del_feature(
2009 sw_if_index=self.pg0.sw_if_index, is_add=1
2011 self.vapi.nat44_interface_add_del_feature(
2012 sw_if_index=self.pg0.sw_if_index, is_add=1, flags=flags
2014 self.vapi.nat44_interface_add_del_feature(
2015 sw_if_index=self.pg6.sw_if_index, is_add=1
2017 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
2018 self.nat_add_static_mapping(
2019 self.pg0.remote_ip4,
2020 external_sw_if_index=self.pg0.sw_if_index,
2021 local_port=local_port,
2023 external_port=external_port,
2024 proto=IP_PROTOS.tcp,
2028 # from client VRF1 to service VRF0
2030 Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac)
2031 / IP(src=self.pg6.remote_ip4, dst=self.pg0.local_ip4)
2032 / TCP(sport=12346, dport=external_port)
2034 self.pg6.add_stream(p)
2035 self.pg_enable_capture(self.pg_interfaces)
2037 capture = self.pg0.get_capture(1)
2042 self.assertEqual(ip.dst, self.pg0.remote_ip4)
2043 self.assertEqual(tcp.dport, local_port)
2044 self.assert_packet_checksums_valid(p)
2046 self.logger.error(ppp("Unexpected or invalid packet:", p))
2049 # from service VRF0 back to client VRF1
2051 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
2052 / IP(src=self.pg0.remote_ip4, dst=self.pg6.remote_ip4)
2053 / TCP(sport=local_port, dport=12346)
2055 self.pg0.add_stream(p)
2056 self.pg_enable_capture(self.pg_interfaces)
2058 capture = self.pg6.get_capture(1)
2063 self.assertEqual(ip.src, self.pg0.local_ip4)
2064 self.assertEqual(tcp.sport, external_port)
2065 self.assert_packet_checksums_valid(p)
2067 self.logger.error(ppp("Unexpected or invalid packet:", p))
2070 def test_multiple_vrf_4(self):
2071 """Multiple VRF - client in VRF0, service in VRF1"""
2073 external_addr = "1.2.3.4"
2078 flags = self.config_flags.NAT_IS_INSIDE
2079 self.vapi.nat44_interface_add_del_feature(
2080 sw_if_index=self.pg0.sw_if_index, is_add=1
2082 self.vapi.nat44_interface_add_del_feature(
2083 sw_if_index=self.pg0.sw_if_index, is_add=1, flags=flags
2085 self.vapi.nat44_interface_add_del_feature(
2086 sw_if_index=self.pg5.sw_if_index, is_add=1
2088 self.vapi.nat44_interface_add_del_feature(
2089 sw_if_index=self.pg5.sw_if_index, is_add=1, flags=flags
2091 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
2092 self.nat_add_static_mapping(
2093 self.pg5.remote_ip4,
2098 proto=IP_PROTOS.tcp,
2102 # from client VRF0 to service VRF1
2104 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
2105 / IP(src=self.pg0.remote_ip4, dst=external_addr)
2106 / TCP(sport=12347, dport=external_port)
2108 self.pg0.add_stream(p)
2109 self.pg_enable_capture(self.pg_interfaces)
2111 capture = self.pg5.get_capture(1)
2116 self.assertEqual(ip.dst, self.pg5.remote_ip4)
2117 self.assertEqual(tcp.dport, local_port)
2118 self.assert_packet_checksums_valid(p)
2120 self.logger.error(ppp("Unexpected or invalid packet:", p))
2123 # from service VRF1 back to client VRF0
2125 Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac)
2126 / IP(src=self.pg5.remote_ip4, dst=self.pg0.remote_ip4)
2127 / TCP(sport=local_port, dport=12347)
2129 self.pg5.add_stream(p)
2130 self.pg_enable_capture(self.pg_interfaces)
2132 capture = self.pg0.get_capture(1)
2137 self.assertEqual(ip.src, external_addr)
2138 self.assertEqual(tcp.sport, external_port)
2139 self.assert_packet_checksums_valid(p)
2141 self.logger.error(ppp("Unexpected or invalid packet:", p))
2144 def test_multiple_vrf_5(self):
2145 """Multiple VRF - forwarding - no translation"""
2147 external_addr = "1.2.3.4"
2152 self.vapi.nat44_forwarding_enable_disable(enable=1)
2153 flags = self.config_flags.NAT_IS_INSIDE
2154 self.vapi.nat44_interface_add_del_feature(
2155 sw_if_index=self.pg0.sw_if_index, is_add=1
2157 self.vapi.nat44_interface_add_del_feature(
2158 sw_if_index=self.pg0.sw_if_index, is_add=1, flags=flags
2160 self.vapi.nat44_interface_add_del_feature(
2161 sw_if_index=self.pg5.sw_if_index, is_add=1
2163 self.vapi.nat44_interface_add_del_feature(
2164 sw_if_index=self.pg5.sw_if_index, is_add=1, flags=flags
2166 self.vapi.nat44_interface_add_del_feature(
2167 sw_if_index=self.pg6.sw_if_index, is_add=1
2169 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
2170 self.nat_add_static_mapping(
2171 self.pg5.remote_ip4,
2176 proto=IP_PROTOS.tcp,
2179 self.nat_add_static_mapping(
2180 self.pg0.remote_ip4,
2181 external_sw_if_index=self.pg0.sw_if_index,
2182 local_port=local_port,
2184 external_port=external_port,
2185 proto=IP_PROTOS.tcp,
2189 # from client to server (both VRF1, no translation)
2191 Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac)
2192 / IP(src=self.pg6.remote_ip4, dst=self.pg5.remote_ip4)
2193 / TCP(sport=12348, dport=local_port)
2195 self.pg6.add_stream(p)
2196 self.pg_enable_capture(self.pg_interfaces)
2198 capture = self.pg5.get_capture(1)
2203 self.assertEqual(ip.dst, self.pg5.remote_ip4)
2204 self.assertEqual(tcp.dport, local_port)
2205 self.assert_packet_checksums_valid(p)
2207 self.logger.error(ppp("Unexpected or invalid packet:", p))
2210 # from server back to client (both VRF1, no translation)
2212 Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac)
2213 / IP(src=self.pg5.remote_ip4, dst=self.pg6.remote_ip4)
2214 / TCP(sport=local_port, dport=12348)
2216 self.pg5.add_stream(p)
2217 self.pg_enable_capture(self.pg_interfaces)
2219 capture = self.pg6.get_capture(1)
2224 self.assertEqual(ip.src, self.pg5.remote_ip4)
2225 self.assertEqual(tcp.sport, local_port)
2226 self.assert_packet_checksums_valid(p)
2228 self.logger.error(ppp("Unexpected or invalid packet:", p))
2231 # from client VRF1 to server VRF0 (no translation)
2233 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
2234 / IP(src=self.pg0.remote_ip4, dst=self.pg6.remote_ip4)
2235 / TCP(sport=local_port, dport=12349)
2237 self.pg0.add_stream(p)
2238 self.pg_enable_capture(self.pg_interfaces)
2240 capture = self.pg6.get_capture(1)
2245 self.assertEqual(ip.src, self.pg0.remote_ip4)
2246 self.assertEqual(tcp.sport, local_port)
2247 self.assert_packet_checksums_valid(p)
2249 self.logger.error(ppp("Unexpected or invalid packet:", p))
2252 # from server VRF0 back to client VRF1 (no translation)
2254 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
2255 / IP(src=self.pg0.remote_ip4, dst=self.pg6.remote_ip4)
2256 / TCP(sport=local_port, dport=12349)
2258 self.pg0.add_stream(p)
2259 self.pg_enable_capture(self.pg_interfaces)
2261 capture = self.pg6.get_capture(1)
2266 self.assertEqual(ip.src, self.pg0.remote_ip4)
2267 self.assertEqual(tcp.sport, local_port)
2268 self.assert_packet_checksums_valid(p)
2270 self.logger.error(ppp("Unexpected or invalid packet:", p))
2273 # from client VRF0 to server VRF1 (no translation)
2275 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
2276 / IP(src=self.pg0.remote_ip4, dst=self.pg5.remote_ip4)
2277 / TCP(sport=12344, dport=local_port)
2279 self.pg0.add_stream(p)
2280 self.pg_enable_capture(self.pg_interfaces)
2282 capture = self.pg5.get_capture(1)
2287 self.assertEqual(ip.dst, self.pg5.remote_ip4)
2288 self.assertEqual(tcp.dport, local_port)
2289 self.assert_packet_checksums_valid(p)
2291 self.logger.error(ppp("Unexpected or invalid packet:", p))
2294 # from server VRF1 back to client VRF0 (no translation)
2296 Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac)
2297 / IP(src=self.pg5.remote_ip4, dst=self.pg0.remote_ip4)
2298 / TCP(sport=local_port, dport=12344)
2300 self.pg5.add_stream(p)
2301 self.pg_enable_capture(self.pg_interfaces)
2303 capture = self.pg0.get_capture(1)
2308 self.assertEqual(ip.src, self.pg5.remote_ip4)
2309 self.assertEqual(tcp.sport, local_port)
2310 self.assert_packet_checksums_valid(p)
2312 self.logger.error(ppp("Unexpected or invalid packet:", p))
2315 def test_outside_address_distribution(self):
2316 """Outside address distribution based on source address"""
2321 for i in range(1, x):
2323 nat_addresses.append(a)
2325 self.nat_add_inside_interface(self.pg0)
2326 self.nat_add_outside_interface(self.pg1)
2328 self.vapi.nat44_add_del_address_range(
2329 first_ip_address=nat_addresses[0],
2330 last_ip_address=nat_addresses[-1],
2336 self.pg0.generate_remote_hosts(x)
2340 info = self.create_packet_info(self.pg0, self.pg1)
2341 payload = self.info_to_payload(info)
2343 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
2344 / IP(src=self.pg0.remote_hosts[i].ip4, dst=self.pg1.remote_ip4)
2345 / UDP(sport=7000 + i, dport=8000 + i)
2351 self.pg0.add_stream(pkts)
2352 self.pg_enable_capture(self.pg_interfaces)
2354 recvd = self.pg1.get_capture(len(pkts))
2355 for p_recvd in recvd:
2356 payload_info = self.payload_to_info(p_recvd[Raw])
2357 packet_index = payload_info.index
2358 info = self._packet_infos[packet_index]
2359 self.assertTrue(info is not None)
2360 self.assertEqual(packet_index, info.index)
2362 packed = socket.inet_aton(p_sent[IP].src)
2363 numeric = struct.unpack("!L", packed)[0]
2364 numeric = socket.htonl(numeric)
2365 a = nat_addresses[(numeric - 1) % len(nat_addresses)]
2369 "Invalid packet (src IP %s translated to %s, but expected %s)"
2370 % (p_sent[IP].src, p_recvd[IP].src, a),
2373 def test_dynamic_edge_ports(self):
2374 """NAT44ED dynamic translation test: edge ports"""
2376 worker_count = self.vpp_worker_count or 1
2378 port_per_thread = (65536 - port_offset) // worker_count
2379 port_count = port_per_thread * worker_count
2381 # worker thread edge ports
2382 thread_edge_ports = {0, port_offset - 1, 65535}
2383 for i in range(0, worker_count):
2384 port_thread_offset = (port_per_thread * i) + port_offset
2385 for port_range_offset in [0, port_per_thread - 1]:
2386 port = port_thread_offset + port_range_offset
2387 thread_edge_ports.add(port)
2388 thread_drop_ports = set(
2390 lambda x: x not in range(port_offset, port_offset + port_count),
2398 self.nat_add_address(self.nat_addr)
2401 self.configure_ip4_interface(in_if, hosts=worker_count)
2402 self.configure_ip4_interface(out_if)
2404 self.nat_add_inside_interface(in_if)
2405 self.nat_add_outside_interface(out_if)
2408 tc1 = self.statistics["/nat44-ed/in2out/slowpath/tcp"]
2409 uc1 = self.statistics["/nat44-ed/in2out/slowpath/udp"]
2410 ic1 = self.statistics["/nat44-ed/in2out/slowpath/icmp"]
2411 dc1 = self.statistics["/nat44-ed/in2out/slowpath/drops"]
2413 pkt_count = worker_count * len(thread_edge_ports)
2415 i2o_pkts = [[] for x in range(0, worker_count)]
2416 for i in range(0, worker_count):
2417 remote_host = in_if.remote_hosts[i]
2418 for port in thread_edge_ports:
2420 Ether(dst=in_if.local_mac, src=in_if.remote_mac)
2421 / IP(src=remote_host.ip4, dst=out_if.remote_ip4)
2422 / TCP(sport=port, dport=port)
2424 i2o_pkts[i].append(p)
2427 Ether(dst=in_if.local_mac, src=in_if.remote_mac)
2428 / IP(src=remote_host.ip4, dst=out_if.remote_ip4)
2429 / UDP(sport=port, dport=port)
2431 i2o_pkts[i].append(p)
2434 Ether(dst=in_if.local_mac, src=in_if.remote_mac)
2435 / IP(src=remote_host.ip4, dst=out_if.remote_ip4)
2436 / ICMP(id=port, seq=port, type="echo-request")
2438 i2o_pkts[i].append(p)
2440 for i in range(0, worker_count):
2441 if len(i2o_pkts[i]) > 0:
2442 in_if.add_stream(i2o_pkts[i], worker=i)
2444 self.pg_enable_capture(self.pg_interfaces)
2446 capture = out_if.get_capture(pkt_count * 3)
2447 for packet in capture:
2448 self.assert_packet_checksums_valid(packet)
2449 if packet.haslayer(TCP):
2450 self.assert_in_range(
2453 port_offset + port_count,
2456 elif packet.haslayer(UDP):
2457 self.assert_in_range(
2460 port_offset + port_count,
2463 elif packet.haslayer(ICMP):
2464 self.assert_in_range(
2467 port_offset + port_count,
2472 ppp("Unexpected or invalid packet (outside network):", packet)
2475 if_idx = in_if.sw_if_index
2476 tc2 = self.statistics["/nat44-ed/in2out/slowpath/tcp"]
2477 uc2 = self.statistics["/nat44-ed/in2out/slowpath/udp"]
2478 ic2 = self.statistics["/nat44-ed/in2out/slowpath/icmp"]
2479 dc2 = self.statistics["/nat44-ed/in2out/slowpath/drops"]
2481 self.assertEqual(tc2[:, if_idx].sum() - tc1[:, if_idx].sum(), pkt_count)
2482 self.assertEqual(uc2[:, if_idx].sum() - uc1[:, if_idx].sum(), pkt_count)
2483 self.assertEqual(ic2[:, if_idx].sum() - ic1[:, if_idx].sum(), pkt_count)
2484 self.assertEqual(dc2[:, if_idx].sum() - dc1[:, if_idx].sum(), 0)
2487 tc1 = self.statistics["/nat44-ed/out2in/fastpath/tcp"]
2488 uc1 = self.statistics["/nat44-ed/out2in/fastpath/udp"]
2489 ic1 = self.statistics["/nat44-ed/out2in/fastpath/icmp"]
2490 dc1 = self.statistics["/nat44-ed/out2in/fastpath/drops"]
2491 dc3 = self.statistics["/nat44-ed/out2in/slowpath/drops"]
2493 # replies to unchanged thread ports should pass on each worker,
2494 # excluding packets outside dynamic port range
2495 drop_count = worker_count * len(thread_drop_ports)
2496 pass_count = worker_count * len(thread_edge_ports) - drop_count
2498 o2i_pkts = [[] for x in range(0, worker_count)]
2499 for i in range(0, worker_count):
2500 for port in thread_edge_ports:
2502 Ether(dst=out_if.local_mac, src=out_if.remote_mac)
2503 / IP(src=out_if.remote_ip4, dst=self.nat_addr)
2504 / TCP(sport=port, dport=port)
2506 o2i_pkts[i].append(p)
2509 Ether(dst=out_if.local_mac, src=out_if.remote_mac)
2510 / IP(src=out_if.remote_ip4, dst=self.nat_addr)
2511 / UDP(sport=port, dport=port)
2513 o2i_pkts[i].append(p)
2516 Ether(dst=out_if.local_mac, src=out_if.remote_mac)
2517 / IP(src=out_if.remote_ip4, dst=self.nat_addr)
2518 / ICMP(id=port, seq=port, type="echo-reply")
2520 o2i_pkts[i].append(p)
2522 for i in range(0, worker_count):
2523 if len(o2i_pkts[i]) > 0:
2524 out_if.add_stream(o2i_pkts[i], worker=i)
2526 self.pg_enable_capture(self.pg_interfaces)
2528 capture = in_if.get_capture(pass_count * 3)
2529 for packet in capture:
2530 self.assert_packet_checksums_valid(packet)
2531 if packet.haslayer(TCP):
2532 self.assertIn(packet[TCP].dport, thread_edge_ports, "dst TCP port")
2533 self.assertEqual(packet[TCP].dport, packet[TCP].sport, "TCP ports")
2534 elif packet.haslayer(UDP):
2535 self.assertIn(packet[UDP].dport, thread_edge_ports, "dst UDP port")
2536 self.assertEqual(packet[UDP].dport, packet[UDP].sport, "UDP ports")
2537 elif packet.haslayer(ICMP):
2538 self.assertIn(packet[ICMP].id, thread_edge_ports, "ICMP id")
2539 self.assertEqual(packet[ICMP].id, packet[ICMP].seq, "ICMP id & seq")
2542 ppp("Unexpected or invalid packet (inside network):", packet)
2545 if_idx = out_if.sw_if_index
2546 tc2 = self.statistics["/nat44-ed/out2in/fastpath/tcp"]
2547 uc2 = self.statistics["/nat44-ed/out2in/fastpath/udp"]
2548 ic2 = self.statistics["/nat44-ed/out2in/fastpath/icmp"]
2549 dc2 = self.statistics["/nat44-ed/out2in/fastpath/drops"]
2550 dc4 = self.statistics["/nat44-ed/out2in/slowpath/drops"]
2552 self.assertEqual(tc2[:, if_idx].sum() - tc1[:, if_idx].sum(), pass_count)
2553 self.assertEqual(uc2[:, if_idx].sum() - uc1[:, if_idx].sum(), pass_count)
2554 self.assertEqual(ic2[:, if_idx].sum() - ic1[:, if_idx].sum(), pass_count)
2555 self.assertEqual(dc2[:, if_idx].sum() - dc1[:, if_idx].sum(), 0)
2557 dc4[:, if_idx].sum() - dc3[:, if_idx].sum(), drop_count * 3
2564 def test_delete_interface(self):
2565 """NAT44ED delete nat interface"""
2567 self.nat_add_address(self.nat_addr)
2569 interfaces = self.create_loopback_interfaces(4)
2570 self.nat_add_outside_interface(interfaces[0])
2571 self.nat_add_inside_interface(interfaces[1])
2572 self.nat_add_outside_interface(interfaces[2])
2573 self.nat_add_inside_interface(interfaces[2])
2574 self.vapi.nat44_ed_add_del_output_interface(
2575 sw_if_index=interfaces[3].sw_if_index, is_add=1
2578 nat_sw_if_indices = [
2580 for i in self.vapi.nat44_interface_dump()
2581 + list(self.vapi.vpp.details_iter(self.vapi.nat44_ed_output_interface_get))
2583 self.assertEqual(len(nat_sw_if_indices), len(interfaces))
2586 for i in interfaces:
2587 # delete nat-enabled interface
2588 self.assertIn(i.sw_if_index, nat_sw_if_indices)
2589 i.remove_vpp_config()
2591 # create interface with the same index
2592 lo = VppLoInterface(self)
2593 loopbacks.append(lo)
2594 self.assertEqual(lo.sw_if_index, i.sw_if_index)
2596 # check interface is not nat-enabled
2597 nat_sw_if_indices = [
2599 for i in self.vapi.nat44_interface_dump()
2601 self.vapi.vpp.details_iter(self.vapi.nat44_ed_output_interface_get)
2604 self.assertNotIn(lo.sw_if_index, nat_sw_if_indices)
2607 i.remove_vpp_config()
2610 @tag_fixme_ubuntu2204
2611 class TestNAT44EDMW(TestNAT44ED):
2612 """NAT44ED MW Test Case"""
2614 vpp_worker_count = 4
2617 def test_dynamic(self):
2618 """NAT44ED dynamic translation test"""
2620 tcp_port_offset = 20
2621 udp_port_offset = 20
2624 self.nat_add_address(self.nat_addr)
2625 self.nat_add_inside_interface(self.pg0)
2626 self.nat_add_outside_interface(self.pg1)
2629 tc1 = self.statistics["/nat44-ed/in2out/slowpath/tcp"]
2630 uc1 = self.statistics["/nat44-ed/in2out/slowpath/udp"]
2631 ic1 = self.statistics["/nat44-ed/in2out/slowpath/icmp"]
2632 dc1 = self.statistics["/nat44-ed/in2out/slowpath/drops"]
2634 i2o_pkts = [[] for x in range(0, self.vpp_worker_count)]
2636 for i in range(pkt_count):
2638 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
2639 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
2640 / TCP(sport=tcp_port_offset + i, dport=20)
2642 i2o_pkts[p[TCP].sport % self.vpp_worker_count].append(p)
2645 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
2646 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
2647 / UDP(sport=udp_port_offset + i, dport=20)
2649 i2o_pkts[p[UDP].sport % self.vpp_worker_count].append(p)
2652 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
2653 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
2654 / ICMP(id=icmp_id_offset + i, type="echo-request")
2656 i2o_pkts[p[ICMP].id % self.vpp_worker_count].append(p)
2658 for i in range(0, self.vpp_worker_count):
2659 if len(i2o_pkts[i]) > 0:
2660 self.pg0.add_stream(i2o_pkts[i], worker=i)
2662 self.pg_enable_capture(self.pg_interfaces)
2664 capture = self.pg1.get_capture(pkt_count * 3, timeout=5)
2666 if_idx = self.pg0.sw_if_index
2667 tc2 = self.statistics["/nat44-ed/in2out/slowpath/tcp"]
2668 uc2 = self.statistics["/nat44-ed/in2out/slowpath/udp"]
2669 ic2 = self.statistics["/nat44-ed/in2out/slowpath/icmp"]
2670 dc2 = self.statistics["/nat44-ed/in2out/slowpath/drops"]
2672 self.assertEqual(tc2[:, if_idx].sum() - tc1[:, if_idx].sum(), pkt_count)
2673 self.assertEqual(uc2[:, if_idx].sum() - uc1[:, if_idx].sum(), pkt_count)
2674 self.assertEqual(ic2[:, if_idx].sum() - ic1[:, if_idx].sum(), pkt_count)
2675 self.assertEqual(dc2[:, if_idx].sum() - dc1[:, if_idx].sum(), 0)
2677 self.logger.info(self.vapi.cli("show trace"))
2680 tc1 = self.statistics["/nat44-ed/out2in/fastpath/tcp"]
2681 uc1 = self.statistics["/nat44-ed/out2in/fastpath/udp"]
2682 ic1 = self.statistics["/nat44-ed/out2in/fastpath/icmp"]
2683 dc1 = self.statistics["/nat44-ed/out2in/fastpath/drops"]
2685 recvd_tcp_ports = set()
2686 recvd_udp_ports = set()
2687 recvd_icmp_ids = set()
2691 recvd_tcp_ports.add(p[TCP].sport)
2693 recvd_udp_ports.add(p[UDP].sport)
2695 recvd_icmp_ids.add(p[ICMP].id)
2697 recvd_tcp_ports = list(recvd_tcp_ports)
2698 recvd_udp_ports = list(recvd_udp_ports)
2699 recvd_icmp_ids = list(recvd_icmp_ids)
2701 o2i_pkts = [[] for x in range(0, self.vpp_worker_count)]
2702 for i in range(pkt_count):
2704 Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
2705 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
2706 / TCP(dport=choice(recvd_tcp_ports), sport=20)
2708 o2i_pkts[p[TCP].dport % self.vpp_worker_count].append(p)
2711 Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
2712 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
2713 / UDP(dport=choice(recvd_udp_ports), sport=20)
2715 o2i_pkts[p[UDP].dport % self.vpp_worker_count].append(p)
2718 Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
2719 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
2720 / ICMP(id=choice(recvd_icmp_ids), type="echo-reply")
2722 o2i_pkts[p[ICMP].id % self.vpp_worker_count].append(p)
2724 for i in range(0, self.vpp_worker_count):
2725 if len(o2i_pkts[i]) > 0:
2726 self.pg1.add_stream(o2i_pkts[i], worker=i)
2728 self.pg_enable_capture(self.pg_interfaces)
2730 capture = self.pg0.get_capture(pkt_count * 3)
2731 for packet in capture:
2733 self.assert_packet_checksums_valid(packet)
2734 self.assertEqual(packet[IP].dst, self.pg0.remote_ip4)
2735 if packet.haslayer(TCP):
2736 self.assert_in_range(
2739 tcp_port_offset + pkt_count,
2742 elif packet.haslayer(UDP):
2743 self.assert_in_range(
2746 udp_port_offset + pkt_count,
2750 self.assert_in_range(
2753 icmp_id_offset + pkt_count,
2758 ppp("Unexpected or invalid packet (inside network):", packet)
2762 if_idx = self.pg1.sw_if_index
2763 tc2 = self.statistics["/nat44-ed/out2in/fastpath/tcp"]
2764 uc2 = self.statistics["/nat44-ed/out2in/fastpath/udp"]
2765 ic2 = self.statistics["/nat44-ed/out2in/fastpath/icmp"]
2766 dc2 = self.statistics["/nat44-ed/out2in/fastpath/drops"]
2768 self.assertEqual(tc2[:, if_idx].sum() - tc1[:, if_idx].sum(), pkt_count)
2769 self.assertEqual(uc2[:, if_idx].sum() - uc1[:, if_idx].sum(), pkt_count)
2770 self.assertEqual(ic2[:, if_idx].sum() - ic1[:, if_idx].sum(), pkt_count)
2771 self.assertEqual(dc2[:, if_idx].sum() - dc1[:, if_idx].sum(), 0)
2773 sc = self.statistics["/nat44-ed/total-sessions"]
2776 len(recvd_tcp_ports) + len(recvd_udp_ports) + len(recvd_icmp_ids),
2779 def test_frag_in_order(self):
2780 """NAT44ED translate fragments arriving in order"""
2782 self.nat_add_address(self.nat_addr)
2783 self.nat_add_inside_interface(self.pg0)
2784 self.nat_add_outside_interface(self.pg1)
2786 self.frag_in_order(proto=IP_PROTOS.tcp, ignore_port=True)
2787 self.frag_in_order(proto=IP_PROTOS.udp, ignore_port=True)
2788 self.frag_in_order(proto=IP_PROTOS.icmp, ignore_port=True)
2790 def test_frag_in_order_do_not_translate(self):
2791 """NAT44ED don't translate fragments arriving in order"""
2793 self.nat_add_address(self.nat_addr)
2794 self.nat_add_inside_interface(self.pg0)
2795 self.nat_add_outside_interface(self.pg1)
2796 self.vapi.nat44_forwarding_enable_disable(enable=True)
2798 self.frag_in_order(proto=IP_PROTOS.tcp, dont_translate=True)
2800 def test_frag_out_of_order(self):
2801 """NAT44ED translate fragments arriving out of order"""
2803 self.nat_add_address(self.nat_addr)
2804 self.nat_add_inside_interface(self.pg0)
2805 self.nat_add_outside_interface(self.pg1)
2807 self.frag_out_of_order(proto=IP_PROTOS.tcp, ignore_port=True)
2808 self.frag_out_of_order(proto=IP_PROTOS.udp, ignore_port=True)
2809 self.frag_out_of_order(proto=IP_PROTOS.icmp, ignore_port=True)
2811 def test_frag_in_order_in_plus_out(self):
2812 """NAT44ED in+out interface fragments in order"""
2814 in_port = self.random_port()
2815 out_port = self.random_port()
2817 self.nat_add_address(self.nat_addr)
2818 self.nat_add_inside_interface(self.pg0)
2819 self.nat_add_outside_interface(self.pg0)
2820 self.nat_add_inside_interface(self.pg1)
2821 self.nat_add_outside_interface(self.pg1)
2823 # add static mappings for server
2824 self.nat_add_static_mapping(
2825 self.server_addr, self.nat_addr, in_port, out_port, proto=IP_PROTOS.tcp
2827 self.nat_add_static_mapping(
2828 self.server_addr, self.nat_addr, in_port, out_port, proto=IP_PROTOS.udp
2830 self.nat_add_static_mapping(
2831 self.server_addr, self.nat_addr, proto=IP_PROTOS.icmp
2834 # run tests for each protocol
2835 self.frag_in_order_in_plus_out(
2836 self.server_addr, self.nat_addr, in_port, out_port, IP_PROTOS.tcp
2838 self.frag_in_order_in_plus_out(
2839 self.server_addr, self.nat_addr, in_port, out_port, IP_PROTOS.udp
2841 self.frag_in_order_in_plus_out(
2842 self.server_addr, self.nat_addr, in_port, out_port, IP_PROTOS.icmp
2845 def test_frag_out_of_order_in_plus_out(self):
2846 """NAT44ED in+out interface fragments out of order"""
2848 in_port = self.random_port()
2849 out_port = self.random_port()
2851 self.nat_add_address(self.nat_addr)
2852 self.nat_add_inside_interface(self.pg0)
2853 self.nat_add_outside_interface(self.pg0)
2854 self.nat_add_inside_interface(self.pg1)
2855 self.nat_add_outside_interface(self.pg1)
2857 # add static mappings for server
2858 self.nat_add_static_mapping(
2859 self.server_addr, self.nat_addr, in_port, out_port, proto=IP_PROTOS.tcp
2861 self.nat_add_static_mapping(
2862 self.server_addr, self.nat_addr, in_port, out_port, proto=IP_PROTOS.udp
2864 self.nat_add_static_mapping(
2865 self.server_addr, self.nat_addr, proto=IP_PROTOS.icmp
2868 # run tests for each protocol
2869 self.frag_out_of_order_in_plus_out(
2870 self.server_addr, self.nat_addr, in_port, out_port, IP_PROTOS.tcp
2872 self.frag_out_of_order_in_plus_out(
2873 self.server_addr, self.nat_addr, in_port, out_port, IP_PROTOS.udp
2875 self.frag_out_of_order_in_plus_out(
2876 self.server_addr, self.nat_addr, in_port, out_port, IP_PROTOS.icmp
2879 def test_reass_hairpinning(self):
2880 """NAT44ED fragments hairpinning"""
2882 server_addr = self.pg0.remote_hosts[1].ip4
2884 host_in_port = self.random_port()
2885 server_in_port = self.random_port()
2886 server_out_port = self.random_port()
2888 self.nat_add_address(self.nat_addr)
2889 self.nat_add_inside_interface(self.pg0)
2890 self.nat_add_outside_interface(self.pg1)
2892 # add static mapping for server
2893 self.nat_add_static_mapping(
2898 proto=IP_PROTOS.tcp,
2900 self.nat_add_static_mapping(
2905 proto=IP_PROTOS.udp,
2907 self.nat_add_static_mapping(server_addr, self.nat_addr)
2909 self.reass_hairpinning(
2914 proto=IP_PROTOS.tcp,
2917 self.reass_hairpinning(
2922 proto=IP_PROTOS.udp,
2925 self.reass_hairpinning(
2930 proto=IP_PROTOS.icmp,
2934 def test_session_limit_per_vrf(self):
2935 """NAT44ED per vrf session limit"""
2938 inside_vrf10 = self.pg2
2943 # 2 interfaces pg0, pg1 (vrf10, limit 1 tcp session)
2944 # non existing vrf_id makes process core dump
2945 self.vapi.nat44_set_session_limit(session_limit=limit, vrf_id=10)
2947 self.nat_add_inside_interface(inside)
2948 self.nat_add_inside_interface(inside_vrf10)
2949 self.nat_add_outside_interface(outside)
2952 self.nat_add_interface_address(outside)
2954 # BUG: causing core dump - when bad vrf_id is specified
2955 # self.nat_add_address(outside.local_ip4, vrf_id=20)
2957 stream = self.create_tcp_stream(inside_vrf10, outside, limit * 2)
2958 inside_vrf10.add_stream(stream)
2960 self.pg_enable_capture(self.pg_interfaces)
2963 capture = outside.get_capture(limit)
2965 stream = self.create_tcp_stream(inside, outside, limit * 2)
2966 inside.add_stream(stream)
2968 self.pg_enable_capture(self.pg_interfaces)
2971 capture = outside.get_capture(len(stream))
2973 def test_show_max_translations(self):
2974 """NAT44ED API test - max translations per thread"""
2975 config = self.vapi.nat44_show_running_config()
2976 self.assertEqual(self.max_sessions, config.sessions)
2978 def test_lru_cleanup(self):
2979 """NAT44ED LRU cleanup algorithm"""
2981 self.nat_add_address(self.nat_addr)
2982 self.nat_add_inside_interface(self.pg0)
2983 self.nat_add_outside_interface(self.pg1)
2985 self.vapi.nat_set_timeouts(
2986 udp=1, tcp_established=7440, tcp_transitory=30, icmp=1
2989 tcp_port_out = self.init_tcp_session(self.pg0, self.pg1, 2000, 80)
2991 for i in range(0, self.max_sessions - 1):
2993 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
2994 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4, ttl=64)
2995 / UDP(sport=7000 + i, dport=80)
2999 self.pg0.add_stream(pkts)
3000 self.pg_enable_capture(self.pg_interfaces)
3002 self.pg1.get_capture(len(pkts))
3003 self.virtual_sleep(1.5, "wait for timeouts")
3006 for i in range(0, self.max_sessions - 1):
3008 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
3009 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4, ttl=64)
3010 / ICMP(id=8000 + i, type="echo-request")
3014 self.pg0.add_stream(pkts)
3015 self.pg_enable_capture(self.pg_interfaces)
3017 self.pg1.get_capture(len(pkts))
3019 def test_session_rst_timeout(self):
3020 """NAT44ED session RST timeouts"""
3022 self.nat_add_address(self.nat_addr)
3023 self.nat_add_inside_interface(self.pg0)
3024 self.nat_add_outside_interface(self.pg1)
3026 self.vapi.nat_set_timeouts(
3027 udp=300, tcp_established=7440, tcp_transitory=5, icmp=60
3030 self.init_tcp_session(
3031 self.pg0, self.pg1, self.tcp_port_in, self.tcp_external_port
3034 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3035 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3036 / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, flags="R")
3038 self.send_and_expect(self.pg0, p, self.pg1)
3040 self.virtual_sleep(6)
3042 # The session is already closed
3044 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3045 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3046 / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, flags="P")
3048 self.send_and_assert_no_replies(self.pg0, p, self.pg1)
3050 # The session can be re-opened
3052 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3053 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3054 / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, flags="S")
3056 self.send_and_expect(self.pg0, p, self.pg1)
3058 def test_session_rst_established_timeout(self):
3059 """NAT44ED session RST timeouts"""
3061 self.nat_add_address(self.nat_addr)
3062 self.nat_add_inside_interface(self.pg0)
3063 self.nat_add_outside_interface(self.pg1)
3065 self.vapi.nat_set_timeouts(
3066 udp=300, tcp_established=7440, tcp_transitory=5, icmp=60
3069 self.init_tcp_session(
3070 self.pg0, self.pg1, self.tcp_port_in, self.tcp_external_port
3073 # Wait at least the transitory time, the session is in established
3074 # state anyway. RST followed by a data packet should move it to
3076 self.virtual_sleep(6)
3078 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3079 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3080 / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, flags="R")
3082 self.send_and_expect(self.pg0, p, self.pg1)
3085 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3086 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3087 / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, flags="P")
3089 self.send_and_expect(self.pg0, p, self.pg1)
3091 # State is transitory, session should be closed after 6 seconds
3092 self.virtual_sleep(6)
3095 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3096 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3097 / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, flags="P")
3099 self.send_and_assert_no_replies(self.pg0, p, self.pg1)
3101 def test_dynamic_out_of_ports(self):
3102 """NAT44ED dynamic translation test: out of ports"""
3104 self.nat_add_inside_interface(self.pg0)
3105 self.nat_add_outside_interface(self.pg1)
3107 # in2out and no NAT addresses added
3108 pkts = self.create_stream_in(self.pg0, self.pg1)
3110 self.send_and_assert_no_replies(
3114 stats_diff=self.no_diff
3117 "/err/nat44-ed-in2out-slowpath/out of ports": len(pkts),
3119 self.pg0.sw_if_index: {
3120 "/nat44-ed/in2out/slowpath/drops": len(pkts),
3125 # in2out after NAT addresses added
3126 self.nat_add_address(self.nat_addr)
3128 tcpn, udpn, icmpn = (
3129 sum(x) for x in zip(*((TCP in p, UDP in p, ICMP in p) for p in pkts))
3132 self.send_and_expect(
3137 stats_diff=self.no_diff
3140 "/err/nat44-ed-in2out-slowpath/out of ports": 0,
3142 self.pg0.sw_if_index: {
3143 "/nat44-ed/in2out/slowpath/drops": 0,
3144 "/nat44-ed/in2out/slowpath/tcp": tcpn,
3145 "/nat44-ed/in2out/slowpath/udp": udpn,
3146 "/nat44-ed/in2out/slowpath/icmp": icmpn,
3151 def test_unknown_proto(self):
3152 """NAT44ED translate packet with unknown protocol"""
3154 self.nat_add_address(self.nat_addr)
3155 self.nat_add_inside_interface(self.pg0)
3156 self.nat_add_outside_interface(self.pg1)
3160 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
3161 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3162 / TCP(sport=self.tcp_port_in, dport=20)
3164 self.pg0.add_stream(p)
3165 self.pg_enable_capture(self.pg_interfaces)
3167 p = self.pg1.get_capture(1)
3170 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
3171 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3173 / IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4)
3174 / TCP(sport=1234, dport=1234)
3176 self.pg0.add_stream(p)
3177 self.pg_enable_capture(self.pg_interfaces)
3179 p = self.pg1.get_capture(1)
3182 self.assertEqual(packet[IP].src, self.nat_addr)
3183 self.assertEqual(packet[IP].dst, self.pg1.remote_ip4)
3184 self.assertEqual(packet.haslayer(GRE), 1)
3185 self.assert_packet_checksums_valid(packet)
3187 self.logger.error(ppp("Unexpected or invalid packet:", packet))
3192 Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
3193 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
3195 / IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4)
3196 / TCP(sport=1234, dport=1234)
3198 self.pg1.add_stream(p)
3199 self.pg_enable_capture(self.pg_interfaces)
3201 p = self.pg0.get_capture(1)
3204 self.assertEqual(packet[IP].src, self.pg1.remote_ip4)
3205 self.assertEqual(packet[IP].dst, self.pg0.remote_ip4)
3206 self.assertEqual(packet.haslayer(GRE), 1)
3207 self.assert_packet_checksums_valid(packet)
3209 self.logger.error(ppp("Unexpected or invalid packet:", packet))
3212 def test_hairpinning_unknown_proto(self):
3213 """NAT44ED translate packet with unknown protocol - hairpinning"""
3214 host = self.pg0.remote_hosts[0]
3215 server = self.pg0.remote_hosts[1]
3217 server_out_port = 8765
3218 server_nat_ip = "10.0.0.11"
3220 self.nat_add_address(self.nat_addr)
3221 self.nat_add_inside_interface(self.pg0)
3222 self.nat_add_outside_interface(self.pg1)
3224 # add static mapping for server
3225 self.nat_add_static_mapping(server.ip4, server_nat_ip)
3229 Ether(src=host.mac, dst=self.pg0.local_mac)
3230 / IP(src=host.ip4, dst=server_nat_ip)
3231 / TCP(sport=host_in_port, dport=server_out_port)
3233 self.pg0.add_stream(p)
3234 self.pg_enable_capture(self.pg_interfaces)
3236 self.pg0.get_capture(1)
3239 Ether(dst=self.pg0.local_mac, src=host.mac)
3240 / IP(src=host.ip4, dst=server_nat_ip)
3242 / IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4)
3243 / TCP(sport=1234, dport=1234)
3245 self.pg0.add_stream(p)
3246 self.pg_enable_capture(self.pg_interfaces)
3248 p = self.pg0.get_capture(1)
3251 self.assertEqual(packet[IP].src, self.nat_addr)
3252 self.assertEqual(packet[IP].dst, server.ip4)
3253 self.assertEqual(packet.haslayer(GRE), 1)
3254 self.assert_packet_checksums_valid(packet)
3256 self.logger.error(ppp("Unexpected or invalid packet:", packet))
3261 Ether(dst=self.pg0.local_mac, src=server.mac)
3262 / IP(src=server.ip4, dst=self.nat_addr)
3264 / IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4)
3265 / TCP(sport=1234, dport=1234)
3267 self.pg0.add_stream(p)
3268 self.pg_enable_capture(self.pg_interfaces)
3270 p = self.pg0.get_capture(1)
3273 self.assertEqual(packet[IP].src, server_nat_ip)
3274 self.assertEqual(packet[IP].dst, host.ip4)
3275 self.assertEqual(packet.haslayer(GRE), 1)
3276 self.assert_packet_checksums_valid(packet)
3278 self.logger.error(ppp("Unexpected or invalid packet:", packet))
3281 def test_output_feature_and_service(self):
3282 """NAT44ED interface output feature and services"""
3283 external_addr = "1.2.3.4"
3287 self.vapi.nat44_forwarding_enable_disable(enable=1)
3288 self.nat_add_address(self.nat_addr)
3289 flags = self.config_flags.NAT_IS_ADDR_ONLY
3290 self.vapi.nat44_add_del_identity_mapping(
3291 ip_address=self.pg1.remote_ip4,
3292 sw_if_index=0xFFFFFFFF,
3296 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
3297 self.nat_add_static_mapping(
3298 self.pg0.remote_ip4,
3302 proto=IP_PROTOS.tcp,
3306 self.nat_add_inside_interface(self.pg0)
3307 self.nat_add_outside_interface(self.pg0)
3308 self.vapi.nat44_ed_add_del_output_interface(
3309 sw_if_index=self.pg1.sw_if_index, is_add=1
3312 # from client to service
3314 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3315 / IP(src=self.pg1.remote_ip4, dst=external_addr)
3316 / TCP(sport=12345, dport=external_port)
3318 self.pg1.add_stream(p)
3319 self.pg_enable_capture(self.pg_interfaces)
3321 capture = self.pg0.get_capture(1)
3326 self.assertEqual(ip.dst, self.pg0.remote_ip4)
3327 self.assertEqual(tcp.dport, local_port)
3328 self.assert_packet_checksums_valid(p)
3330 self.logger.error(ppp("Unexpected or invalid packet:", p))
3333 # from service back to client
3335 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3336 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3337 / TCP(sport=local_port, dport=12345)
3339 self.pg0.add_stream(p)
3340 self.pg_enable_capture(self.pg_interfaces)
3342 capture = self.pg1.get_capture(1)
3347 self.assertEqual(ip.src, external_addr)
3348 self.assertEqual(tcp.sport, external_port)
3349 self.assert_packet_checksums_valid(p)
3351 self.logger.error(ppp("Unexpected or invalid packet:", p))
3354 # from local network host to external network
3355 pkts = self.create_stream_in(self.pg0, self.pg1)
3356 self.pg0.add_stream(pkts)
3357 self.pg_enable_capture(self.pg_interfaces)
3359 capture = self.pg1.get_capture(len(pkts))
3360 self.verify_capture_out(capture, ignore_port=True)
3361 pkts = self.create_stream_in(self.pg0, self.pg1)
3362 self.pg0.add_stream(pkts)
3363 self.pg_enable_capture(self.pg_interfaces)
3365 capture = self.pg1.get_capture(len(pkts))
3366 self.verify_capture_out(capture, ignore_port=True)
3368 # from external network back to local network host
3369 pkts = self.create_stream_out(self.pg1)
3370 self.pg1.add_stream(pkts)
3371 self.pg_enable_capture(self.pg_interfaces)
3373 capture = self.pg0.get_capture(len(pkts))
3374 self.verify_capture_in(capture, self.pg0)
3376 def test_output_feature_and_service3(self):
3377 """NAT44ED interface output feature and DST NAT"""
3378 external_addr = "1.2.3.4"
3382 self.vapi.nat44_forwarding_enable_disable(enable=1)
3383 self.nat_add_address(self.nat_addr)
3384 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
3385 self.nat_add_static_mapping(
3386 self.pg1.remote_ip4,
3390 proto=IP_PROTOS.tcp,
3394 self.nat_add_inside_interface(self.pg0)
3395 self.nat_add_outside_interface(self.pg0)
3396 self.vapi.nat44_ed_add_del_output_interface(
3397 sw_if_index=self.pg1.sw_if_index, is_add=1
3401 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3402 / IP(src=self.pg0.remote_ip4, dst=external_addr)
3403 / TCP(sport=12345, dport=external_port)
3405 self.pg0.add_stream(p)
3406 self.pg_enable_capture(self.pg_interfaces)
3408 capture = self.pg1.get_capture(1)
3413 self.assertEqual(ip.src, self.pg0.remote_ip4)
3414 self.assertEqual(tcp.sport, 12345)
3415 self.assertEqual(ip.dst, self.pg1.remote_ip4)
3416 self.assertEqual(tcp.dport, local_port)
3417 self.assert_packet_checksums_valid(p)
3419 self.logger.error(ppp("Unexpected or invalid packet:", p))
3423 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3424 / IP(src=self.pg1.remote_ip4, dst=self.pg0.remote_ip4)
3425 / TCP(sport=local_port, dport=12345)
3427 self.pg1.add_stream(p)
3428 self.pg_enable_capture(self.pg_interfaces)
3430 capture = self.pg0.get_capture(1)
3435 self.assertEqual(ip.src, external_addr)
3436 self.assertEqual(tcp.sport, external_port)
3437 self.assertEqual(ip.dst, self.pg0.remote_ip4)
3438 self.assertEqual(tcp.dport, 12345)
3439 self.assert_packet_checksums_valid(p)
3441 self.logger.error(ppp("Unexpected or invalid packet:", p))
3444 def test_self_twice_nat_lb_negative(self):
3445 """NAT44ED Self Twice NAT local service load balancing (negative test)"""
3446 self.twice_nat_common(lb=True, self_twice_nat=True, same_pg=True, client_id=2)
3448 def test_self_twice_nat_negative(self):
3449 """NAT44ED Self Twice NAT (negative test)"""
3450 self.twice_nat_common(self_twice_nat=True)
3452 def test_static_lb_multi_clients(self):
3453 """NAT44ED local service load balancing - multiple clients"""
3455 external_addr = self.nat_addr
3458 server1 = self.pg0.remote_hosts[0]
3459 server2 = self.pg0.remote_hosts[1]
3460 server3 = self.pg0.remote_hosts[2]
3463 {"addr": server1.ip4, "port": local_port, "probability": 90, "vrf_id": 0},
3464 {"addr": server2.ip4, "port": local_port, "probability": 10, "vrf_id": 0},
3467 flags = self.config_flags.NAT_IS_INSIDE
3468 self.vapi.nat44_interface_add_del_feature(
3469 sw_if_index=self.pg0.sw_if_index, flags=flags, is_add=1
3471 self.vapi.nat44_interface_add_del_feature(
3472 sw_if_index=self.pg1.sw_if_index, is_add=1
3475 self.nat_add_address(self.nat_addr)
3476 self.vapi.nat44_add_del_lb_static_mapping(
3478 external_addr=external_addr,
3479 external_port=external_port,
3480 protocol=IP_PROTOS.tcp,
3481 local_num=len(locals),
3487 clients = ip4_range(self.pg1.remote_ip4, 10, 50)
3489 for client in clients:
3491 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3492 / IP(src=client, dst=self.nat_addr)
3493 / TCP(sport=12345, dport=external_port)
3496 self.pg1.add_stream(pkts)
3497 self.pg_enable_capture(self.pg_interfaces)
3499 capture = self.pg0.get_capture(len(pkts))
3501 if p[IP].dst == server1.ip4:
3505 self.assertGreaterEqual(server1_n, server2_n)
3508 "addr": server3.ip4,
3515 self.vapi.nat44_lb_static_mapping_add_del_local(
3517 external_addr=external_addr,
3518 external_port=external_port,
3520 protocol=IP_PROTOS.tcp,
3525 clients = ip4_range(self.pg1.remote_ip4, 60, 110)
3527 for client in clients:
3529 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3530 / IP(src=client, dst=self.nat_addr)
3531 / TCP(sport=12346, dport=external_port)
3534 self.assertGreater(len(pkts), 0)
3535 self.pg1.add_stream(pkts)
3536 self.pg_enable_capture(self.pg_interfaces)
3538 capture = self.pg0.get_capture(len(pkts))
3540 if p[IP].dst == server1.ip4:
3542 elif p[IP].dst == server2.ip4:
3546 self.assertGreater(server1_n, 0)
3547 self.assertGreater(server2_n, 0)
3548 self.assertGreater(server3_n, 0)
3551 "addr": server2.ip4,
3557 # remove one back-end
3558 self.vapi.nat44_lb_static_mapping_add_del_local(
3560 external_addr=external_addr,
3561 external_port=external_port,
3563 protocol=IP_PROTOS.tcp,
3568 self.pg1.add_stream(pkts)
3569 self.pg_enable_capture(self.pg_interfaces)
3571 capture = self.pg0.get_capture(len(pkts))
3573 if p[IP].dst == server1.ip4:
3575 elif p[IP].dst == server2.ip4:
3579 self.assertGreater(server1_n, 0)
3580 self.assertEqual(server2_n, 0)
3581 self.assertGreater(server3_n, 0)
3583 # put zzz in front of syslog test name so that it runs as a last test
3584 # setting syslog sender cannot be undone and if it is set, it messes
3585 # with self.send_and_assert_no_replies functionality
3586 def test_zzz_syslog_sess(self):
3587 """NAT44ED Test syslog session creation and deletion"""
3588 self.vapi.syslog_set_filter(self.syslog_severity.SYSLOG_API_SEVERITY_INFO)
3589 self.vapi.syslog_set_sender(self.pg3.local_ip4, self.pg3.remote_ip4)
3591 self.nat_add_address(self.nat_addr)
3592 self.nat_add_inside_interface(self.pg0)
3593 self.nat_add_outside_interface(self.pg1)
3596 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
3597 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3598 / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port)
3600 self.pg0.add_stream(p)
3601 self.pg_enable_capture(self.pg_interfaces)
3603 capture = self.pg1.get_capture(1)
3604 self.tcp_port_out = capture[0][TCP].sport
3605 capture = self.pg3.get_capture(1)
3606 self.verify_syslog_sess(capture[0][Raw].load, "SADD")
3608 self.pg_enable_capture(self.pg_interfaces)
3610 self.nat_add_address(self.nat_addr, is_add=0)
3611 capture = self.pg3.get_capture(1)
3612 self.verify_syslog_sess(capture[0][Raw].load, "SDEL")
3614 # put zzz in front of syslog test name so that it runs as a last test
3615 # setting syslog sender cannot be undone and if it is set, it messes
3616 # with self.send_and_assert_no_replies functionality
3617 def test_zzz_syslog_sess_reopen(self):
3618 """Syslog events for session reopen"""
3619 self.vapi.syslog_set_filter(self.syslog_severity.SYSLOG_API_SEVERITY_INFO)
3620 self.vapi.syslog_set_sender(self.pg3.local_ip4, self.pg3.remote_ip4)
3622 self.nat_add_address(self.nat_addr)
3623 self.nat_add_inside_interface(self.pg0)
3624 self.nat_add_outside_interface(self.pg1)
3628 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
3629 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3630 / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port)
3632 capture = self.send_and_expect(self.pg0, p, self.pg1)[0]
3633 self.tcp_port_out = capture[0][TCP].sport
3634 capture = self.pg3.get_capture(1)
3635 self.verify_syslog_sess(capture[0][Raw].load, "SADD")
3639 Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
3640 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
3641 / TCP(sport=self.tcp_external_port, dport=self.tcp_port_out, flags="SA")
3643 self.send_and_expect(self.pg1, p, self.pg0)
3646 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
3647 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3648 / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, flags="A")
3650 self.send_and_expect(self.pg0, p, self.pg1)
3654 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
3655 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3656 / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, flags="F")
3658 self.send_and_expect(self.pg0, p, self.pg1)
3662 Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
3663 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
3664 / TCP(sport=self.tcp_external_port, dport=self.tcp_port_out, flags="F")
3666 self.send_and_expect(self.pg1, p, self.pg0)
3668 self.init_tcp_session(
3669 self.pg0, self.pg1, self.tcp_port_in, self.tcp_external_port
3672 # 2 records should be produced - first one del & add
3673 capture = self.pg3.get_capture(2)
3674 self.verify_syslog_sess(capture[0][Raw].load, "SDEL")
3675 self.verify_syslog_sess(capture[1][Raw].load, "SADD")
3677 def test_twice_nat_interface_addr(self):
3678 """NAT44ED Acquire twice NAT addresses from interface"""
3679 flags = self.config_flags.NAT_IS_TWICE_NAT
3680 self.vapi.nat44_add_del_interface_addr(
3681 sw_if_index=self.pg11.sw_if_index, flags=flags, is_add=1
3684 # no address in NAT pool
3685 adresses = self.vapi.nat44_address_dump()
3686 self.assertEqual(0, len(adresses))
3688 # configure interface address and check NAT address pool
3689 self.pg11.config_ip4()
3690 adresses = self.vapi.nat44_address_dump()
3691 self.assertEqual(1, len(adresses))
3692 self.assertEqual(str(adresses[0].ip_address), self.pg11.local_ip4)
3693 self.assertEqual(adresses[0].flags, flags)
3695 # remove interface address and check NAT address pool
3696 self.pg11.unconfig_ip4()
3697 adresses = self.vapi.nat44_address_dump()
3698 self.assertEqual(0, len(adresses))
3700 def test_output_feature_stateful_acl(self):
3701 """NAT44ED output feature works with stateful ACL"""
3703 self.nat_add_address(self.nat_addr)
3704 self.vapi.nat44_ed_add_del_output_interface(
3705 sw_if_index=self.pg1.sw_if_index, is_add=1
3708 # First ensure that the NAT is working sans ACL
3710 # send packets out2in, no sessions yet so packets should drop
3711 pkts_out2in = self.create_stream_out(self.pg1)
3712 self.send_and_assert_no_replies(self.pg1, pkts_out2in)
3714 # send packets into inside intf, ensure received via outside intf
3715 pkts_in2out = self.create_stream_in(self.pg0, self.pg1)
3716 capture = self.send_and_expect(
3717 self.pg0, pkts_in2out, self.pg1, len(pkts_in2out)
3719 self.verify_capture_out(capture, ignore_port=True)
3721 # send out2in again, with sessions created it should work now
3722 pkts_out2in = self.create_stream_out(self.pg1)
3723 capture = self.send_and_expect(
3724 self.pg1, pkts_out2in, self.pg0, len(pkts_out2in)
3726 self.verify_capture_in(capture, self.pg0)
3728 # Create an ACL blocking everything
3729 out2in_deny_rule = AclRule(is_permit=0)
3730 out2in_acl = VppAcl(self, rules=[out2in_deny_rule])
3731 out2in_acl.add_vpp_config()
3733 # create an ACL to permit/reflect everything
3734 in2out_reflect_rule = AclRule(is_permit=2)
3735 in2out_acl = VppAcl(self, rules=[in2out_reflect_rule])
3736 in2out_acl.add_vpp_config()
3738 # apply as input acl on interface and confirm it blocks everything
3739 acl_if = VppAclInterface(
3740 self, sw_if_index=self.pg1.sw_if_index, n_input=1, acls=[out2in_acl]
3742 acl_if.add_vpp_config()
3743 self.send_and_assert_no_replies(self.pg1, pkts_out2in)
3746 acl_if.acls = [out2in_acl, in2out_acl]
3747 acl_if.add_vpp_config()
3748 # send in2out to generate ACL state (NAT state was created earlier)
3749 capture = self.send_and_expect(
3750 self.pg0, pkts_in2out, self.pg1, len(pkts_in2out)
3752 self.verify_capture_out(capture, ignore_port=True)
3754 # send out2in again. ACL state exists so it should work now.
3755 # TCP packets with the syn flag set also need the ack flag
3756 for p in pkts_out2in:
3757 if p.haslayer(TCP) and p[TCP].flags & 0x02:
3758 p[TCP].flags |= 0x10
3759 capture = self.send_and_expect(
3760 self.pg1, pkts_out2in, self.pg0, len(pkts_out2in)
3762 self.verify_capture_in(capture, self.pg0)
3763 self.logger.info(self.vapi.cli("show trace"))
3765 def test_tcp_close(self):
3766 """NAT44ED Close TCP session from inside network - output feature"""
3767 config = self.vapi.nat44_show_running_config()
3768 old_timeouts = config.timeouts
3770 self.vapi.nat_set_timeouts(
3771 udp=old_timeouts.udp,
3772 tcp_established=old_timeouts.tcp_established,
3773 icmp=old_timeouts.icmp,
3774 tcp_transitory=new_transitory,
3777 self.vapi.nat44_forwarding_enable_disable(enable=1)
3778 self.nat_add_address(self.pg1.local_ip4)
3779 twice_nat_addr = "10.0.1.3"
3780 service_ip = "192.168.16.150"
3781 self.nat_add_address(twice_nat_addr, twice_nat=1)
3783 flags = self.config_flags.NAT_IS_INSIDE
3784 self.vapi.nat44_interface_add_del_feature(
3785 sw_if_index=self.pg0.sw_if_index, is_add=1
3787 self.vapi.nat44_interface_add_del_feature(
3788 sw_if_index=self.pg0.sw_if_index, flags=flags, is_add=1
3790 self.vapi.nat44_ed_add_del_output_interface(
3791 is_add=1, sw_if_index=self.pg1.sw_if_index
3795 self.config_flags.NAT_IS_OUT2IN_ONLY | self.config_flags.NAT_IS_TWICE_NAT
3797 self.nat_add_static_mapping(
3798 self.pg0.remote_ip4, service_ip, 80, 80, proto=IP_PROTOS.tcp, flags=flags
3800 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3801 start_sessnum = len(sessions)
3803 # SYN packet out->in
3805 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3806 / IP(src=self.pg1.remote_ip4, dst=service_ip)
3807 / TCP(sport=33898, dport=80, flags="S")
3809 capture = self.send_and_expect(self.pg1, p, self.pg0, n_rx=1)
3811 tcp_port = p[TCP].sport
3813 # SYN + ACK packet in->out
3815 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3816 / IP(src=self.pg0.remote_ip4, dst=twice_nat_addr)
3817 / TCP(sport=80, dport=tcp_port, flags="SA")
3819 self.send_and_expect(self.pg0, p, self.pg1, n_rx=1)
3821 # ACK packet out->in
3823 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3824 / IP(src=self.pg1.remote_ip4, dst=service_ip)
3825 / TCP(sport=33898, dport=80, flags="A")
3827 self.send_and_expect(self.pg1, p, self.pg0, n_rx=1)
3829 # FIN packet in -> out
3831 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3832 / IP(src=self.pg0.remote_ip4, dst=twice_nat_addr)
3833 / TCP(sport=80, dport=tcp_port, flags="FA", seq=100, ack=300)
3835 self.send_and_expect(self.pg0, p, self.pg1, n_rx=1)
3837 # FIN+ACK packet out -> in
3839 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3840 / IP(src=self.pg1.remote_ip4, dst=service_ip)
3841 / TCP(sport=33898, dport=80, flags="FA", seq=300, ack=101)
3843 self.send_and_expect(self.pg1, p, self.pg0, n_rx=1)
3845 # ACK packet in -> out
3847 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3848 / IP(src=self.pg0.remote_ip4, dst=twice_nat_addr)
3849 / TCP(sport=80, dport=tcp_port, flags="A", seq=101, ack=301)
3851 self.send_and_expect(self.pg0, p, self.pg1, n_rx=1)
3853 # session now in transitory timeout, but traffic still flows
3854 # try FIN packet out->in
3856 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3857 / IP(src=self.pg1.remote_ip4, dst=service_ip)
3858 / TCP(sport=33898, dport=80, flags="F")
3860 self.pg1.add_stream(p)
3861 self.pg_enable_capture(self.pg_interfaces)
3864 self.virtual_sleep(new_transitory, "wait for transitory timeout")
3865 self.pg0.get_capture(1)
3867 # session should still exist
3868 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3869 self.assertEqual(len(sessions) - start_sessnum, 1)
3871 # send FIN+ACK packet out -> in - will cause session to be wiped
3872 # but won't create a new session
3874 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3875 / IP(src=self.pg1.remote_ip4, dst=service_ip)
3876 / TCP(sport=33898, dport=80, flags="FA", seq=300, ack=101)
3878 self.send_and_assert_no_replies(self.pg1, p)
3879 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3880 self.assertEqual(len(sessions) - start_sessnum, 0)
3882 def test_tcp_session_close_in(self):
3883 """NAT44ED Close TCP session from inside network"""
3885 in_port = self.tcp_port_in
3887 ext_port = self.tcp_external_port
3889 self.nat_add_address(self.nat_addr)
3890 self.nat_add_inside_interface(self.pg0)
3891 self.nat_add_outside_interface(self.pg1)
3892 self.nat_add_static_mapping(
3893 self.pg0.remote_ip4,
3897 proto=IP_PROTOS.tcp,
3898 flags=self.config_flags.NAT_IS_TWICE_NAT,
3901 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3902 session_n = len(sessions)
3904 self.vapi.nat_set_timeouts(
3905 udp=300, tcp_established=7440, tcp_transitory=2, icmp=5
3908 self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
3910 # FIN packet in -> out
3912 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3913 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3914 / TCP(sport=in_port, dport=ext_port, flags="FA", seq=100, ack=300)
3916 self.send_and_expect(self.pg0, p, self.pg1)
3919 # ACK packet out -> in
3921 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3922 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
3923 / TCP(sport=ext_port, dport=out_port, flags="A", seq=300, ack=101)
3927 # FIN packet out -> in
3929 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3930 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
3931 / TCP(sport=ext_port, dport=out_port, flags="FA", seq=300, ack=101)
3935 self.send_and_expect(self.pg1, pkts, self.pg0)
3937 # ACK packet in -> out
3939 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3940 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3941 / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301)
3943 self.send_and_expect(self.pg0, p, self.pg1)
3945 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3946 self.assertEqual(len(sessions) - session_n, 1)
3948 # retransmit FIN packet out -> in
3950 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3951 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
3952 / TCP(sport=ext_port, dport=out_port, flags="FA", seq=300, ack=101)
3955 self.send_and_expect(self.pg1, p, self.pg0)
3957 # retransmit ACK packet in -> out
3959 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3960 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3961 / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301)
3963 self.send_and_expect(self.pg0, p, self.pg1)
3965 self.virtual_sleep(3)
3966 # retransmit ACK packet in -> out - this will cause session to be wiped
3968 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3969 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3970 / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301)
3972 self.send_and_assert_no_replies(self.pg0, p)
3973 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3974 self.assertEqual(len(sessions) - session_n, 0)
3976 def test_tcp_session_close_out(self):
3977 """NAT44ED Close TCP session from outside network"""
3979 in_port = self.tcp_port_in
3981 ext_port = self.tcp_external_port
3983 self.nat_add_address(self.nat_addr)
3984 self.nat_add_inside_interface(self.pg0)
3985 self.nat_add_outside_interface(self.pg1)
3986 self.nat_add_static_mapping(
3987 self.pg0.remote_ip4,
3991 proto=IP_PROTOS.tcp,
3992 flags=self.config_flags.NAT_IS_TWICE_NAT,
3995 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3996 session_n = len(sessions)
3998 self.vapi.nat_set_timeouts(
3999 udp=300, tcp_established=7440, tcp_transitory=2, icmp=5
4002 _ = self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
4004 # FIN packet out -> in
4006 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4007 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4008 / TCP(sport=ext_port, dport=out_port, flags="FA", seq=100, ack=300)
4010 self.pg1.add_stream(p)
4011 self.pg_enable_capture(self.pg_interfaces)
4013 self.pg0.get_capture(1)
4015 # FIN+ACK packet in -> out
4017 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4018 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4019 / TCP(sport=in_port, dport=ext_port, flags="FA", seq=300, ack=101)
4022 self.pg0.add_stream(p)
4023 self.pg_enable_capture(self.pg_interfaces)
4025 self.pg1.get_capture(1)
4027 # ACK packet out -> in
4029 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4030 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4031 / TCP(sport=ext_port, dport=out_port, flags="A", seq=101, ack=301)
4033 self.pg1.add_stream(p)
4034 self.pg_enable_capture(self.pg_interfaces)
4036 self.pg0.get_capture(1)
4038 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4039 self.assertEqual(len(sessions) - session_n, 1)
4041 # retransmit FIN packet out -> in
4043 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4044 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4045 / TCP(sport=ext_port, dport=out_port, flags="FA", seq=300, ack=101)
4047 self.send_and_expect(self.pg1, p, self.pg0)
4049 # retransmit ACK packet in -> out
4051 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4052 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4053 / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301)
4055 self.send_and_expect(self.pg0, p, self.pg1)
4057 self.virtual_sleep(3)
4058 # retransmit ACK packet in -> out - this will cause session to be wiped
4060 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4061 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4062 / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301)
4064 self.send_and_assert_no_replies(self.pg0, p)
4065 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4066 self.assertEqual(len(sessions) - session_n, 0)
4068 def test_tcp_session_close_simultaneous(self):
4069 """Simultaneous TCP close from both sides"""
4071 in_port = self.tcp_port_in
4074 self.nat_add_address(self.nat_addr)
4075 self.nat_add_inside_interface(self.pg0)
4076 self.nat_add_outside_interface(self.pg1)
4077 self.nat_add_static_mapping(
4078 self.pg0.remote_ip4,
4082 proto=IP_PROTOS.tcp,
4083 flags=self.config_flags.NAT_IS_TWICE_NAT,
4086 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4087 session_n = len(sessions)
4089 self.vapi.nat_set_timeouts(
4090 udp=300, tcp_established=7440, tcp_transitory=2, icmp=5
4093 out_port = self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
4095 # FIN packet in -> out
4097 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4098 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4099 / TCP(sport=in_port, dport=ext_port, flags="FA", seq=100, ack=300)
4101 self.send_and_expect(self.pg0, p, self.pg1)
4103 # FIN packet out -> in
4105 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4106 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4107 / TCP(sport=ext_port, dport=out_port, flags="FA", seq=300, ack=100)
4109 self.send_and_expect(self.pg1, p, self.pg0)
4111 # ACK packet in -> out
4113 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4114 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4115 / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301)
4117 self.send_and_expect(self.pg0, p, self.pg1)
4119 # ACK packet out -> in
4121 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4122 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4123 / TCP(sport=ext_port, dport=out_port, flags="A", seq=301, ack=101)
4125 self.send_and_expect(self.pg1, p, self.pg0)
4127 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4128 self.assertEqual(len(sessions) - session_n, 1)
4130 # retransmit FIN packet out -> in
4132 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4133 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4134 / TCP(sport=ext_port, dport=out_port, flags="FA", seq=300, ack=101)
4136 self.send_and_expect(self.pg1, p, self.pg0)
4138 # retransmit ACK packet in -> out
4140 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4141 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4142 / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301)
4144 self.send_and_expect(self.pg0, p, self.pg1)
4146 self.virtual_sleep(3)
4147 # retransmit ACK packet in -> out - this will cause session to be wiped
4149 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4150 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4151 / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301)
4153 self.pg_send(self.pg0, p)
4154 self.send_and_assert_no_replies(self.pg0, p)
4155 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4156 self.assertEqual(len(sessions) - session_n, 0)
4158 def test_tcp_session_half_reopen_inside(self):
4159 """TCP session in FIN/FIN state not reopened by in2out SYN only"""
4160 in_port = self.tcp_port_in
4163 self.nat_add_address(self.nat_addr)
4164 self.nat_add_inside_interface(self.pg0)
4165 self.nat_add_outside_interface(self.pg1)
4166 self.nat_add_static_mapping(
4167 self.pg0.remote_ip4,
4171 proto=IP_PROTOS.tcp,
4172 flags=self.config_flags.NAT_IS_TWICE_NAT,
4175 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4176 session_n = len(sessions)
4178 self.vapi.nat_set_timeouts(
4179 udp=300, tcp_established=7440, tcp_transitory=2, icmp=5
4182 out_port = self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
4184 # FIN packet in -> out
4186 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4187 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4188 / TCP(sport=in_port, dport=ext_port, flags="FA", seq=100, ack=300)
4190 self.send_and_expect(self.pg0, p, self.pg1)
4192 # FIN packet out -> in
4194 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4195 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4196 / TCP(sport=ext_port, dport=out_port, flags="FA", seq=300, ack=100)
4198 self.send_and_expect(self.pg1, p, self.pg0)
4200 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4201 self.assertEqual(len(sessions) - session_n, 1)
4203 # send SYN packet in -> out
4205 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4206 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4207 / TCP(sport=in_port, dport=ext_port, flags="S", seq=101, ack=301)
4209 self.send_and_expect(self.pg0, p, self.pg1)
4211 self.virtual_sleep(3)
4212 # send ACK packet in -> out - session should be wiped
4214 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4215 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4216 / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301)
4218 self.send_and_assert_no_replies(self.pg0, p, self.pg1)
4219 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4220 self.assertEqual(len(sessions) - session_n, 0)
4222 def test_tcp_session_half_reopen_outside(self):
4223 """TCP session in FIN/FIN state not reopened by out2in SYN only"""
4224 in_port = self.tcp_port_in
4227 self.nat_add_address(self.nat_addr)
4228 self.nat_add_inside_interface(self.pg0)
4229 self.nat_add_outside_interface(self.pg1)
4230 self.nat_add_static_mapping(
4231 self.pg0.remote_ip4,
4235 proto=IP_PROTOS.tcp,
4236 flags=self.config_flags.NAT_IS_TWICE_NAT,
4239 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4240 session_n = len(sessions)
4242 self.vapi.nat_set_timeouts(
4243 udp=300, tcp_established=7440, tcp_transitory=2, icmp=5
4246 out_port = self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
4248 # FIN packet in -> out
4250 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4251 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4252 / TCP(sport=in_port, dport=ext_port, flags="FA", seq=100, ack=300)
4254 self.send_and_expect(self.pg0, p, self.pg1)
4256 # FIN packet out -> in
4258 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4259 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4260 / TCP(sport=ext_port, dport=out_port, flags="FA", seq=300, ack=100)
4262 self.send_and_expect(self.pg1, p, self.pg0)
4264 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4265 self.assertEqual(len(sessions) - session_n, 1)
4267 # send SYN packet out -> in
4269 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4270 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4271 / TCP(sport=ext_port, dport=out_port, flags="S", seq=300, ack=101)
4273 self.send_and_expect(self.pg1, p, self.pg0)
4275 self.virtual_sleep(3)
4276 # send ACK packet in -> out - session should be wiped
4278 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4279 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4280 / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301)
4282 self.send_and_assert_no_replies(self.pg0, p, self.pg1)
4283 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4284 self.assertEqual(len(sessions) - session_n, 0)
4286 def test_tcp_session_reopen(self):
4287 """TCP session in FIN/FIN state reopened by SYN from both sides"""
4288 in_port = self.tcp_port_in
4291 self.nat_add_address(self.nat_addr)
4292 self.nat_add_inside_interface(self.pg0)
4293 self.nat_add_outside_interface(self.pg1)
4294 self.nat_add_static_mapping(
4295 self.pg0.remote_ip4,
4299 proto=IP_PROTOS.tcp,
4300 flags=self.config_flags.NAT_IS_TWICE_NAT,
4303 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4304 session_n = len(sessions)
4306 self.vapi.nat_set_timeouts(
4307 udp=300, tcp_established=7440, tcp_transitory=2, icmp=5
4310 out_port = self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
4312 # FIN packet in -> out
4314 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4315 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4316 / TCP(sport=in_port, dport=ext_port, flags="FA", seq=100, ack=300)
4318 self.send_and_expect(self.pg0, p, self.pg1)
4320 # FIN packet out -> in
4322 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4323 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4324 / TCP(sport=ext_port, dport=out_port, flags="FA", seq=300, ack=100)
4326 self.send_and_expect(self.pg1, p, self.pg0)
4328 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4329 self.assertEqual(len(sessions) - session_n, 1)
4331 # send SYN packet out -> in
4333 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4334 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4335 / TCP(sport=ext_port, dport=out_port, flags="S", seq=300, ack=101)
4337 self.send_and_expect(self.pg1, p, self.pg0)
4339 # send SYN packet in -> out
4341 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4342 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4343 / TCP(sport=in_port, dport=ext_port, flags="SA", seq=101, ack=301)
4345 self.send_and_expect(self.pg0, p, self.pg1)
4347 # send ACK packet out -> in
4349 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4350 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4351 / TCP(sport=ext_port, dport=out_port, flags="A", seq=300, ack=101)
4353 self.send_and_expect(self.pg1, p, self.pg0)
4355 self.virtual_sleep(3)
4356 # send ACK packet in -> out - should be forwarded and session alive
4358 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4359 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4360 / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301)
4362 self.send_and_expect(self.pg0, p, self.pg1)
4363 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4364 self.assertEqual(len(sessions) - session_n, 1)
4366 def test_dynamic_vrf(self):
4367 """NAT44ED dynamic translation test: different VRF"""
4372 self.nat_add_address(self.nat_addr, vrf_id=vrf_id_in)
4375 self.configure_ip4_interface(self.pg7, table_id=vrf_id_in)
4376 self.configure_ip4_interface(self.pg8, table_id=vrf_id_out)
4378 self.nat_add_inside_interface(self.pg7)
4379 self.nat_add_outside_interface(self.pg8)
4381 # just basic stuff nothing special
4382 pkts = self.create_stream_in(self.pg7, self.pg8)
4383 self.pg7.add_stream(pkts)
4384 self.pg_enable_capture(self.pg_interfaces)
4386 capture = self.pg8.get_capture(len(pkts))
4387 self.verify_capture_out(capture, ignore_port=True)
4389 pkts = self.create_stream_out(self.pg8)
4390 self.pg8.add_stream(pkts)
4391 self.pg_enable_capture(self.pg_interfaces)
4393 capture = self.pg7.get_capture(len(pkts))
4394 self.verify_capture_in(capture, self.pg7)
4400 self.vapi.ip_table_add_del(is_add=0, table={"table_id": vrf_id_in})
4401 self.vapi.ip_table_add_del(is_add=0, table={"table_id": vrf_id_out})
4403 def test_dynamic_output_feature_vrf(self):
4404 """NAT44ED dynamic translation test: output-feature, VRF"""
4406 # other then default (0)
4409 self.nat_add_address(self.nat_addr)
4410 self.vapi.nat44_ed_add_del_output_interface(
4411 sw_if_index=self.pg8.sw_if_index, is_add=1
4414 self.configure_ip4_interface(self.pg7, table_id=new_vrf_id)
4415 self.configure_ip4_interface(self.pg8, table_id=new_vrf_id)
4418 tcpn = self.statistics["/nat44-ed/in2out/slowpath/tcp"]
4419 udpn = self.statistics["/nat44-ed/in2out/slowpath/udp"]
4420 icmpn = self.statistics["/nat44-ed/in2out/slowpath/icmp"]
4421 drops = self.statistics["/nat44-ed/in2out/slowpath/drops"]
4423 pkts = self.create_stream_in(self.pg7, self.pg8)
4424 self.pg7.add_stream(pkts)
4425 self.pg_enable_capture(self.pg_interfaces)
4427 capture = self.pg8.get_capture(len(pkts))
4428 self.verify_capture_out(capture, ignore_port=True)
4430 if_idx = self.pg8.sw_if_index
4431 cnt = self.statistics["/nat44-ed/in2out/slowpath/tcp"]
4432 self.assertEqual(cnt[:, if_idx].sum() - tcpn[:, if_idx].sum(), 2)
4433 cnt = self.statistics["/nat44-ed/in2out/slowpath/udp"]
4434 self.assertEqual(cnt[:, if_idx].sum() - udpn[:, if_idx].sum(), 1)
4435 cnt = self.statistics["/nat44-ed/in2out/slowpath/icmp"]
4436 self.assertEqual(cnt[:, if_idx].sum() - icmpn[:, if_idx].sum(), 1)
4437 cnt = self.statistics["/nat44-ed/in2out/slowpath/drops"]
4438 self.assertEqual(cnt[:, if_idx].sum() - drops[:, if_idx].sum(), 0)
4441 tcpn = self.statistics["/nat44-ed/out2in/fastpath/tcp"]
4442 udpn = self.statistics["/nat44-ed/out2in/fastpath/udp"]
4443 icmpn = self.statistics["/nat44-ed/out2in/fastpath/icmp"]
4444 drops = self.statistics["/nat44-ed/out2in/fastpath/drops"]
4446 pkts = self.create_stream_out(self.pg8)
4447 self.pg8.add_stream(pkts)
4448 self.pg_enable_capture(self.pg_interfaces)
4450 capture = self.pg7.get_capture(len(pkts))
4451 self.verify_capture_in(capture, self.pg7)
4453 if_idx = self.pg8.sw_if_index
4454 cnt = self.statistics["/nat44-ed/out2in/fastpath/tcp"]
4455 self.assertEqual(cnt[:, if_idx].sum() - tcpn[:, if_idx].sum(), 2)
4456 cnt = self.statistics["/nat44-ed/out2in/fastpath/udp"]
4457 self.assertEqual(cnt[:, if_idx].sum() - udpn[:, if_idx].sum(), 1)
4458 cnt = self.statistics["/nat44-ed/out2in/fastpath/icmp"]
4459 self.assertEqual(cnt[:, if_idx].sum() - icmpn[:, if_idx].sum(), 1)
4460 cnt = self.statistics["/nat44-ed/out2in/fastpath/drops"]
4461 self.assertEqual(cnt[:, if_idx].sum() - drops[:, if_idx].sum(), 0)
4463 sessions = self.statistics["/nat44-ed/total-sessions"]
4464 self.assertEqual(sessions[:, 0].sum(), 3)
4470 self.vapi.ip_table_add_del(is_add=0, table={"table_id": new_vrf_id})
4472 def test_next_src_nat(self):
4473 """NAT44ED On way back forward packet to nat44-in2out node."""
4475 twice_nat_addr = "10.0.1.3"
4478 post_twice_nat_port = 0
4480 self.vapi.nat44_forwarding_enable_disable(enable=1)
4481 self.nat_add_address(twice_nat_addr, twice_nat=1)
4483 self.config_flags.NAT_IS_OUT2IN_ONLY
4484 | self.config_flags.NAT_IS_SELF_TWICE_NAT
4486 self.nat_add_static_mapping(
4487 self.pg6.remote_ip4,
4488 self.pg1.remote_ip4,
4491 proto=IP_PROTOS.tcp,
4495 self.vapi.nat44_interface_add_del_feature(
4496 sw_if_index=self.pg6.sw_if_index, is_add=1
4500 Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac)
4501 / IP(src=self.pg6.remote_ip4, dst=self.pg1.remote_ip4)
4502 / TCP(sport=12345, dport=external_port)
4504 self.pg6.add_stream(p)
4505 self.pg_enable_capture(self.pg_interfaces)
4507 capture = self.pg6.get_capture(1)
4512 self.assertEqual(ip.src, twice_nat_addr)
4513 self.assertNotEqual(tcp.sport, 12345)
4514 post_twice_nat_port = tcp.sport
4515 self.assertEqual(ip.dst, self.pg6.remote_ip4)
4516 self.assertEqual(tcp.dport, local_port)
4517 self.assert_packet_checksums_valid(p)
4519 self.logger.error(ppp("Unexpected or invalid packet:", p))
4523 Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac)
4524 / IP(src=self.pg6.remote_ip4, dst=twice_nat_addr)
4525 / TCP(sport=local_port, dport=post_twice_nat_port)
4527 self.pg6.add_stream(p)
4528 self.pg_enable_capture(self.pg_interfaces)
4530 capture = self.pg6.get_capture(1)
4535 self.assertEqual(ip.src, self.pg1.remote_ip4)
4536 self.assertEqual(tcp.sport, external_port)
4537 self.assertEqual(ip.dst, self.pg6.remote_ip4)
4538 self.assertEqual(tcp.dport, 12345)
4539 self.assert_packet_checksums_valid(p)
4541 self.logger.error(ppp("Unexpected or invalid packet:", p))
4544 def test_one_armed_nat44_static(self):
4545 """NAT44ED One armed NAT and 1:1 NAPT asymmetrical rule"""
4547 remote_host = self.pg4.remote_hosts[0]
4548 local_host = self.pg4.remote_hosts[1]
4553 self.vapi.nat44_forwarding_enable_disable(enable=1)
4554 self.nat_add_address(self.nat_addr, twice_nat=1)
4556 self.config_flags.NAT_IS_OUT2IN_ONLY | self.config_flags.NAT_IS_TWICE_NAT
4558 self.nat_add_static_mapping(
4563 proto=IP_PROTOS.tcp,
4566 flags = self.config_flags.NAT_IS_INSIDE
4567 self.vapi.nat44_interface_add_del_feature(
4568 sw_if_index=self.pg4.sw_if_index, is_add=1
4570 self.vapi.nat44_interface_add_del_feature(
4571 sw_if_index=self.pg4.sw_if_index, flags=flags, is_add=1
4574 # from client to service
4576 Ether(src=self.pg4.remote_mac, dst=self.pg4.local_mac)
4577 / IP(src=remote_host.ip4, dst=self.nat_addr)
4578 / TCP(sport=12345, dport=external_port)
4580 self.pg4.add_stream(p)
4581 self.pg_enable_capture(self.pg_interfaces)
4583 capture = self.pg4.get_capture(1)
4588 self.assertEqual(ip.dst, local_host.ip4)
4589 self.assertEqual(ip.src, self.nat_addr)
4590 self.assertEqual(tcp.dport, local_port)
4591 self.assertNotEqual(tcp.sport, 12345)
4592 eh_port_in = tcp.sport
4593 self.assert_packet_checksums_valid(p)
4595 self.logger.error(ppp("Unexpected or invalid packet:", p))
4598 # from service back to client
4600 Ether(src=self.pg4.remote_mac, dst=self.pg4.local_mac)
4601 / IP(src=local_host.ip4, dst=self.nat_addr)
4602 / TCP(sport=local_port, dport=eh_port_in)
4604 self.pg4.add_stream(p)
4605 self.pg_enable_capture(self.pg_interfaces)
4607 capture = self.pg4.get_capture(1)
4612 self.assertEqual(ip.src, self.nat_addr)
4613 self.assertEqual(ip.dst, remote_host.ip4)
4614 self.assertEqual(tcp.sport, external_port)
4615 self.assertEqual(tcp.dport, 12345)
4616 self.assert_packet_checksums_valid(p)
4618 self.logger.error(ppp("Unexpected or invalid packet:", p))
4621 def test_icmp_error_fwd_outbound(self):
4622 """NAT44ED ICMP error outbound with forwarding enabled"""
4624 # Ensure that an outbound ICMP error message is properly associated
4625 # with the inbound forward bypass session it is related to.
4628 self.nat_add_address(self.nat_addr)
4629 self.nat_add_inside_interface(self.pg0)
4630 self.nat_add_outside_interface(self.pg1)
4632 # enable forwarding and initiate connection out2in
4633 self.vapi.nat44_forwarding_enable_disable(enable=1)
4635 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4636 / IP(src=self.pg1.remote_ip4, dst=self.pg0.remote_ip4)
4637 / UDP(sport=21, dport=20)
4641 self.pg1.add_stream(p1)
4642 self.pg_enable_capture(self.pg_interfaces)
4644 capture = self.pg0.get_capture(1)[0]
4646 self.logger.info(self.vapi.cli("show nat44 sessions"))
4648 # reply with ICMP error message in2out
4649 # We cannot reliably retrieve forward bypass sessions via the API.
4650 # session dumps for a user will only look on the worker that the
4651 # user is supposed to be mapped to in2out. The forward bypass session
4652 # is not necessarily created on that worker.
4654 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4655 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4656 / ICMP(type="dest-unreach", code="port-unreachable")
4660 self.pg0.add_stream(p2)
4661 self.pg_enable_capture(self.pg_interfaces)
4663 capture = self.pg1.get_capture(1)[0]
4665 self.logger.info(self.vapi.cli("show nat44 sessions"))
4667 self.logger.info(ppp("p1 packet:", p1))
4668 self.logger.info(ppp("p2 packet:", p2))
4669 self.logger.info(ppp("capture packet:", capture))
4671 def test_tcp_session_open_retransmit1(self):
4672 """NAT44ED Open TCP session with SYN,ACK retransmit 1
4674 The client does not receive the [SYN,ACK] or the
4675 ACK from the client is lost. Therefore, the [SYN, ACK]
4676 is retransmitted by the server.
4679 in_port = self.tcp_port_in
4680 ext_port = self.tcp_external_port
4683 self.nat_add_address(self.nat_addr)
4684 self.nat_add_inside_interface(self.pg0)
4685 self.nat_add_outside_interface(self.pg1)
4687 self.vapi.nat_set_timeouts(
4688 udp=300, tcp_established=7440, tcp_transitory=5, icmp=60
4690 # SYN packet in->out
4692 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4693 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4694 / TCP(sport=in_port, dport=ext_port, flags="S")
4696 p = self.send_and_expect(self.pg0, p, self.pg1)[0]
4697 out_port = p[TCP].sport
4699 # SYN + ACK packet out->in
4701 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4702 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4703 / TCP(sport=ext_port, dport=out_port, flags="SA")
4705 self.send_and_expect(self.pg1, p, self.pg0)
4707 # ACK in->out does not arrive
4709 # resent SYN + ACK packet out->in
4711 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4712 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4713 / TCP(sport=ext_port, dport=out_port, flags="SA")
4715 self.send_and_expect(self.pg1, p, self.pg0)
4717 # ACK packet in->out
4719 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4720 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4721 / TCP(sport=in_port, dport=ext_port, flags="A")
4723 self.send_and_expect(self.pg0, p, self.pg1)
4725 # Verify that the data can be transmitted after the transitory time
4726 self.virtual_sleep(6)
4729 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4730 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4731 / TCP(sport=in_port, dport=ext_port, flags="PA")
4734 self.send_and_expect(self.pg0, p, self.pg1)
4736 def test_tcp_session_open_retransmit2(self):
4737 """NAT44ED Open TCP session with SYN,ACK retransmit 2
4739 The ACK is lost to the server after the TCP session is opened.
4740 Data is sent by the client, then the [SYN,ACK] is
4741 retransmitted by the server.
4744 in_port = self.tcp_port_in
4745 ext_port = self.tcp_external_port
4748 self.nat_add_address(self.nat_addr)
4749 self.nat_add_inside_interface(self.pg0)
4750 self.nat_add_outside_interface(self.pg1)
4752 self.vapi.nat_set_timeouts(
4753 udp=300, tcp_established=7440, tcp_transitory=5, icmp=60
4755 # SYN packet in->out
4757 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4758 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4759 / TCP(sport=in_port, dport=ext_port, flags="S")
4761 p = self.send_and_expect(self.pg0, p, self.pg1)[0]
4762 out_port = p[TCP].sport
4764 # SYN + ACK packet out->in
4766 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4767 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4768 / TCP(sport=ext_port, dport=out_port, flags="SA")
4770 self.send_and_expect(self.pg1, p, self.pg0)
4772 # ACK packet in->out -- not received by the server
4774 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4775 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4776 / TCP(sport=in_port, dport=ext_port, flags="A")
4778 self.send_and_expect(self.pg0, p, self.pg1)
4780 # PUSH + ACK packet in->out
4782 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4783 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4784 / TCP(sport=in_port, dport=ext_port, flags="PA")
4787 self.send_and_expect(self.pg0, p, self.pg1)
4789 # resent SYN + ACK packet out->in
4791 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4792 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4793 / TCP(sport=ext_port, dport=out_port, flags="SA")
4795 self.send_and_expect(self.pg1, p, self.pg0)
4797 # resent ACK packet in->out
4799 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4800 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4801 / TCP(sport=in_port, dport=ext_port, flags="A")
4803 self.send_and_expect(self.pg0, p, self.pg1)
4805 # resent PUSH + ACK packet in->out
4807 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4808 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4809 / TCP(sport=in_port, dport=ext_port, flags="PA")
4812 self.send_and_expect(self.pg0, p, self.pg1)
4814 # ACK packet out->in
4816 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4817 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4818 / TCP(sport=ext_port, dport=out_port, flags="A")
4820 self.send_and_expect(self.pg1, p, self.pg0)
4822 # Verify that the data can be transmitted after the transitory time
4823 self.virtual_sleep(6)
4826 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4827 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4828 / TCP(sport=in_port, dport=ext_port, flags="PA")
4831 self.send_and_expect(self.pg0, p, self.pg1)
4833 def test_dynamic_ports_exhausted(self):
4834 """NAT44ED dynamic translation test: address ports exhaused"""
4836 sessions_per_batch = 128
4837 n_available_ports = 65536 - 1024
4838 n_sessions = n_available_ports + 2 * sessions_per_batch
4840 # set high enough session limit for ports to be exhausted
4841 self.plugin_disable()
4842 self.plugin_enable(max_sessions=n_sessions)
4844 self.nat_add_inside_interface(self.pg0)
4845 self.nat_add_outside_interface(self.pg1)
4847 # set timeouts to high for sessions to reallistically expire
4848 config = self.vapi.nat44_show_running_config()
4849 old_timeouts = config.timeouts
4850 self.vapi.nat_set_timeouts(
4852 tcp_established=old_timeouts.tcp_established,
4853 tcp_transitory=old_timeouts.tcp_transitory,
4854 icmp=old_timeouts.icmp,
4857 # in2out after NAT addresses added
4858 self.nat_add_address(self.nat_addr)
4860 for i in range(n_sessions // sessions_per_batch):
4861 pkts = self.create_udp_stream(
4865 base_port=i * sessions_per_batch + 100,
4868 self.pg0.add_stream(pkts)
4871 err = self.statistics.get_err_counter(
4872 "/err/nat44-ed-in2out-slowpath/out of ports"
4874 if err > sessions_per_batch:
4877 # Check for ports to be used no more than once
4879 sessions = self.vapi.cli("show nat44 sessions")
4881 f" *o2i flow: match: saddr {self.pg1.remote_ip4} sport [0-9]+ daddr {self.nat_addr} dport ([0-9]+) proto UDP.*"
4883 for line in sessions.splitlines():
4886 port = int(m.groups()[0])
4887 self.assertNotIn(port, ports)
4890 self.assertGreaterEqual(err, sessions_per_batch)
4893 if __name__ == "__main__":
4894 unittest.main(testRunner=VppTestRunner)
Code Review / vpp.git / blob