5 from random import randint, choice
8 from framework import tag_fixme_ubuntu2204, is_distro_ubuntu2204
9 from framework import VppTestCase, VppTestRunner
10 from scapy.data import IP_PROTOS
11 from scapy.layers.inet import IP, TCP, UDP, ICMP, GRE
12 from scapy.layers.inet import IPerror, TCPerror
13 from scapy.layers.l2 import Ether
14 from scapy.packet import Raw
15 from syslog_rfc5424_parser import SyslogMessage, ParseError
16 from syslog_rfc5424_parser.constants import SyslogSeverity
17 from util import ppp, pr, ip4_range
18 from vpp_acl import AclRule, VppAcl, VppAclInterface
19 from vpp_ip_route import VppIpRoute, VppRoutePath
20 from vpp_papi import VppEnum
21 from util import StatsDiff
24 class TestNAT44ED(VppTestCase):
25 """NAT44ED Test Case"""
27 nat_addr = "10.0.10.3"
38 tcp_external_port = 80
51 def plugin_enable(self):
52 self.vapi.nat44_ed_plugin_enable_disable(sessions=self.max_sessions, enable=1)
54 def plugin_disable(self):
55 self.vapi.nat44_ed_plugin_enable_disable(enable=0)
58 def config_flags(self):
59 return VppEnum.vl_api_nat_config_flags_t
62 def nat44_config_flags(self):
63 return VppEnum.vl_api_nat44_config_flags_t
66 def syslog_severity(self):
67 return VppEnum.vl_api_syslog_severity_t
70 def server_addr(self):
71 return self.pg1.remote_hosts[0].ip4
75 return randint(1024, 65535)
78 def proto2layer(proto):
79 if proto == IP_PROTOS.tcp:
81 elif proto == IP_PROTOS.udp:
83 elif proto == IP_PROTOS.icmp:
86 raise Exception("Unsupported protocol")
89 def create_and_add_ip4_table(cls, i, table_id=0):
90 cls.vapi.ip_table_add_del(is_add=1, table={"table_id": table_id})
91 i.set_table_ip4(table_id)
94 def configure_ip4_interface(cls, i, hosts=0, table_id=None):
96 cls.create_and_add_ip4_table(i, table_id)
103 i.generate_remote_hosts(hosts)
104 i.configure_ipv4_neighbors()
107 def nat_add_interface_address(cls, i):
108 cls.vapi.nat44_add_del_interface_addr(sw_if_index=i.sw_if_index, is_add=1)
110 def nat_add_inside_interface(self, i):
111 self.vapi.nat44_interface_add_del_feature(
112 flags=self.config_flags.NAT_IS_INSIDE, sw_if_index=i.sw_if_index, is_add=1
115 def nat_add_outside_interface(self, i):
116 self.vapi.nat44_interface_add_del_feature(
117 flags=self.config_flags.NAT_IS_OUTSIDE, sw_if_index=i.sw_if_index, is_add=1
120 def nat_add_address(self, address, twice_nat=0, vrf_id=0xFFFFFFFF, is_add=1):
121 flags = self.config_flags.NAT_IS_TWICE_NAT if twice_nat else 0
122 self.vapi.nat44_add_del_address_range(
123 first_ip_address=address,
124 last_ip_address=address,
130 def nat_add_static_mapping(
133 external_ip="0.0.0.0",
138 external_sw_if_index=0xFFFFFFFF,
144 if not (local_port and external_port):
145 flags |= self.config_flags.NAT_IS_ADDR_ONLY
147 self.vapi.nat44_add_del_static_mapping(
149 local_ip_address=local_ip,
150 external_ip_address=external_ip,
151 external_sw_if_index=external_sw_if_index,
152 local_port=local_port,
153 external_port=external_port,
163 if is_distro_ubuntu2204 == True and not hasattr(cls, "vpp"):
166 cls.create_pg_interfaces(range(12))
167 cls.interfaces = list(cls.pg_interfaces[:4])
169 cls.create_and_add_ip4_table(cls.pg2, 10)
171 for i in cls.interfaces:
172 cls.configure_ip4_interface(i, hosts=3)
174 # test specific (test-multiple-vrf)
175 cls.vapi.ip_table_add_del(is_add=1, table={"table_id": 1})
177 # test specific (test-one-armed-nat44-static)
178 cls.pg4.generate_remote_hosts(2)
180 cls.vapi.sw_interface_add_del_address(
181 sw_if_index=cls.pg4.sw_if_index, prefix="10.0.0.1/24"
184 cls.pg4.resolve_arp()
185 cls.pg4._remote_hosts[1]._ip4 = cls.pg4._remote_hosts[0]._ip4
186 cls.pg4.resolve_arp()
188 # test specific interface (pg5)
189 cls.pg5._local_ip4 = "10.1.1.1"
190 cls.pg5._remote_hosts[0]._ip4 = "10.1.1.2"
191 cls.pg5.set_table_ip4(1)
194 cls.pg5.resolve_arp()
196 # test specific interface (pg6)
197 cls.pg6._local_ip4 = "10.1.2.1"
198 cls.pg6._remote_hosts[0]._ip4 = "10.1.2.2"
199 cls.pg6.set_table_ip4(1)
202 cls.pg6.resolve_arp()
211 [VppRoutePath("0.0.0.0", 0xFFFFFFFF, nh_table_id=0)],
221 [VppRoutePath(cls.pg1.local_ip4, cls.pg1.sw_if_index)],
230 [VppRoutePath("0.0.0.0", cls.pg5.sw_if_index)],
240 [VppRoutePath("0.0.0.0", cls.pg6.sw_if_index)],
250 [VppRoutePath("0.0.0.0", 0xFFFFFFFF, nh_table_id=1)],
259 cls.no_diff = StatsDiff(
262 "/nat44-ed/in2out/fastpath/tcp": 0,
263 "/nat44-ed/in2out/fastpath/udp": 0,
264 "/nat44-ed/in2out/fastpath/icmp": 0,
265 "/nat44-ed/in2out/fastpath/drops": 0,
266 "/nat44-ed/in2out/slowpath/tcp": 0,
267 "/nat44-ed/in2out/slowpath/udp": 0,
268 "/nat44-ed/in2out/slowpath/icmp": 0,
269 "/nat44-ed/in2out/slowpath/drops": 0,
270 "/nat44-ed/in2out/fastpath/tcp": 0,
271 "/nat44-ed/in2out/fastpath/udp": 0,
272 "/nat44-ed/in2out/fastpath/icmp": 0,
273 "/nat44-ed/in2out/fastpath/drops": 0,
274 "/nat44-ed/in2out/slowpath/tcp": 0,
275 "/nat44-ed/in2out/slowpath/udp": 0,
276 "/nat44-ed/in2out/slowpath/icmp": 0,
277 "/nat44-ed/in2out/slowpath/drops": 0,
279 for pg in cls.pg_interfaces
283 def get_err_counter(self, path):
284 return self.statistics.get_err_counter(path)
286 def reass_hairpinning(
295 layer = self.proto2layer(proto)
297 if proto == IP_PROTOS.tcp:
298 data = b"A" * 4 + b"B" * 16 + b"C" * 3
300 data = b"A" * 16 + b"B" * 16 + b"C" * 3
302 # send packet from host to server
303 pkts = self.create_stream_frag(
304 self.pg0, self.nat_addr, host_in_port, server_out_port, data, proto
306 self.pg0.add_stream(pkts)
307 self.pg_enable_capture(self.pg_interfaces)
309 frags = self.pg0.get_capture(len(pkts))
310 p = self.reass_frags_and_verify(frags, self.nat_addr, server_addr)
311 if proto != IP_PROTOS.icmp:
313 self.assertNotEqual(p[layer].sport, host_in_port)
314 self.assertEqual(p[layer].dport, server_in_port)
317 self.assertNotEqual(p[layer].id, host_in_port)
318 self.assertEqual(data, p[Raw].load)
320 def frag_out_of_order(
321 self, proto=IP_PROTOS.tcp, dont_translate=False, ignore_port=False
323 layer = self.proto2layer(proto)
325 if proto == IP_PROTOS.tcp:
326 data = b"A" * 4 + b"B" * 16 + b"C" * 3
328 data = b"A" * 16 + b"B" * 16 + b"C" * 3
329 self.port_in = self.random_port()
333 pkts = self.create_stream_frag(
334 self.pg0, self.pg1.remote_ip4, self.port_in, 20, data, proto
337 self.pg0.add_stream(pkts)
338 self.pg_enable_capture(self.pg_interfaces)
340 frags = self.pg1.get_capture(len(pkts))
341 if not dont_translate:
342 p = self.reass_frags_and_verify(
343 frags, self.nat_addr, self.pg1.remote_ip4
346 p = self.reass_frags_and_verify(
347 frags, self.pg0.remote_ip4, self.pg1.remote_ip4
349 if proto != IP_PROTOS.icmp:
350 if not dont_translate:
351 self.assertEqual(p[layer].dport, 20)
353 self.assertNotEqual(p[layer].sport, self.port_in)
355 self.assertEqual(p[layer].sport, self.port_in)
358 if not dont_translate:
359 self.assertNotEqual(p[layer].id, self.port_in)
361 self.assertEqual(p[layer].id, self.port_in)
362 self.assertEqual(data, p[Raw].load)
365 if not dont_translate:
366 dst_addr = self.nat_addr
368 dst_addr = self.pg0.remote_ip4
369 if proto != IP_PROTOS.icmp:
371 dport = p[layer].sport
375 pkts = self.create_stream_frag(
376 self.pg1, dst_addr, sport, dport, data, proto, echo_reply=True
379 self.pg1.add_stream(pkts)
380 self.pg_enable_capture(self.pg_interfaces)
381 self.logger.info(self.vapi.cli("show trace"))
383 frags = self.pg0.get_capture(len(pkts))
384 p = self.reass_frags_and_verify(
385 frags, self.pg1.remote_ip4, self.pg0.remote_ip4
387 if proto != IP_PROTOS.icmp:
388 self.assertEqual(p[layer].sport, 20)
389 self.assertEqual(p[layer].dport, self.port_in)
391 self.assertEqual(p[layer].id, self.port_in)
392 self.assertEqual(data, p[Raw].load)
394 def reass_frags_and_verify(self, frags, src, dst):
397 self.assertEqual(p[IP].src, src)
398 self.assertEqual(p[IP].dst, dst)
399 self.assert_ip_checksum_valid(p)
400 buffer.seek(p[IP].frag * 8)
401 buffer.write(bytes(p[IP].payload))
402 ip = IP(src=frags[0][IP].src, dst=frags[0][IP].dst, proto=frags[0][IP].proto)
403 if ip.proto == IP_PROTOS.tcp:
404 p = ip / TCP(buffer.getvalue())
405 self.logger.debug(ppp("Reassembled:", p))
406 self.assert_tcp_checksum_valid(p)
407 elif ip.proto == IP_PROTOS.udp:
408 p = ip / UDP(buffer.getvalue()[:8]) / Raw(buffer.getvalue()[8:])
409 elif ip.proto == IP_PROTOS.icmp:
410 p = ip / ICMP(buffer.getvalue())
414 self, proto=IP_PROTOS.tcp, dont_translate=False, ignore_port=False
416 layer = self.proto2layer(proto)
418 if proto == IP_PROTOS.tcp:
419 data = b"A" * 4 + b"B" * 16 + b"C" * 3
421 data = b"A" * 16 + b"B" * 16 + b"C" * 3
422 self.port_in = self.random_port()
425 pkts = self.create_stream_frag(
426 self.pg0, self.pg1.remote_ip4, self.port_in, 20, data, proto
428 self.pg0.add_stream(pkts)
429 self.pg_enable_capture(self.pg_interfaces)
431 frags = self.pg1.get_capture(len(pkts))
432 if not dont_translate:
433 p = self.reass_frags_and_verify(frags, self.nat_addr, self.pg1.remote_ip4)
435 p = self.reass_frags_and_verify(
436 frags, self.pg0.remote_ip4, self.pg1.remote_ip4
438 if proto != IP_PROTOS.icmp:
439 if not dont_translate:
440 self.assertEqual(p[layer].dport, 20)
442 self.assertNotEqual(p[layer].sport, self.port_in)
444 self.assertEqual(p[layer].sport, self.port_in)
447 if not dont_translate:
448 self.assertNotEqual(p[layer].id, self.port_in)
450 self.assertEqual(p[layer].id, self.port_in)
451 self.assertEqual(data, p[Raw].load)
454 if not dont_translate:
455 dst_addr = self.nat_addr
457 dst_addr = self.pg0.remote_ip4
458 if proto != IP_PROTOS.icmp:
460 dport = p[layer].sport
464 pkts = self.create_stream_frag(
465 self.pg1, dst_addr, sport, dport, data, proto, echo_reply=True
467 self.pg1.add_stream(pkts)
468 self.pg_enable_capture(self.pg_interfaces)
470 frags = self.pg0.get_capture(len(pkts))
471 p = self.reass_frags_and_verify(frags, self.pg1.remote_ip4, self.pg0.remote_ip4)
472 if proto != IP_PROTOS.icmp:
473 self.assertEqual(p[layer].sport, 20)
474 self.assertEqual(p[layer].dport, self.port_in)
476 self.assertEqual(p[layer].id, self.port_in)
477 self.assertEqual(data, p[Raw].load)
479 def verify_capture_out(
480 self, capture, nat_ip=None, same_port=False, dst_ip=None, ignore_port=False
483 nat_ip = self.nat_addr
484 for packet in capture:
486 self.assert_packet_checksums_valid(packet)
487 self.assertEqual(packet[IP].src, nat_ip)
488 if dst_ip is not None:
489 self.assertEqual(packet[IP].dst, dst_ip)
490 if packet.haslayer(TCP):
493 self.assertEqual(packet[TCP].sport, self.tcp_port_in)
495 self.assertNotEqual(packet[TCP].sport, self.tcp_port_in)
496 self.tcp_port_out = packet[TCP].sport
497 self.assert_packet_checksums_valid(packet)
498 elif packet.haslayer(UDP):
501 self.assertEqual(packet[UDP].sport, self.udp_port_in)
503 self.assertNotEqual(packet[UDP].sport, self.udp_port_in)
504 self.udp_port_out = packet[UDP].sport
508 self.assertEqual(packet[ICMP].id, self.icmp_id_in)
510 self.assertNotEqual(packet[ICMP].id, self.icmp_id_in)
511 self.icmp_id_out = packet[ICMP].id
512 self.assert_packet_checksums_valid(packet)
515 ppp("Unexpected or invalid packet (outside network):", packet)
519 def verify_capture_in(self, capture, in_if):
520 for packet in capture:
522 self.assert_packet_checksums_valid(packet)
523 self.assertEqual(packet[IP].dst, in_if.remote_ip4)
524 if packet.haslayer(TCP):
525 self.assertEqual(packet[TCP].dport, self.tcp_port_in)
526 elif packet.haslayer(UDP):
527 self.assertEqual(packet[UDP].dport, self.udp_port_in)
529 self.assertEqual(packet[ICMP].id, self.icmp_id_in)
532 ppp("Unexpected or invalid packet (inside network):", packet)
536 def create_stream_in(self, in_if, out_if, dst_ip=None, ttl=64):
538 dst_ip = out_if.remote_ip4
543 Ether(dst=in_if.local_mac, src=in_if.remote_mac)
544 / IP(src=in_if.remote_ip4, dst=dst_ip, ttl=ttl)
545 / TCP(sport=self.tcp_port_in, dport=20)
551 Ether(dst=in_if.local_mac, src=in_if.remote_mac)
552 / IP(src=in_if.remote_ip4, dst=dst_ip, ttl=ttl)
553 / UDP(sport=self.udp_port_in, dport=20)
559 Ether(dst=in_if.local_mac, src=in_if.remote_mac)
560 / IP(src=in_if.remote_ip4, dst=dst_ip, ttl=ttl)
561 / ICMP(id=self.icmp_id_in, type="echo-request")
567 def create_stream_out(self, out_if, dst_ip=None, ttl=64, use_inside_ports=False):
569 dst_ip = self.nat_addr
570 if not use_inside_ports:
571 tcp_port = self.tcp_port_out
572 udp_port = self.udp_port_out
573 icmp_id = self.icmp_id_out
575 tcp_port = self.tcp_port_in
576 udp_port = self.udp_port_in
577 icmp_id = self.icmp_id_in
581 Ether(dst=out_if.local_mac, src=out_if.remote_mac)
582 / IP(src=out_if.remote_ip4, dst=dst_ip, ttl=ttl)
583 / TCP(dport=tcp_port, sport=20)
589 Ether(dst=out_if.local_mac, src=out_if.remote_mac)
590 / IP(src=out_if.remote_ip4, dst=dst_ip, ttl=ttl)
591 / UDP(dport=udp_port, sport=20)
597 Ether(dst=out_if.local_mac, src=out_if.remote_mac)
598 / IP(src=out_if.remote_ip4, dst=dst_ip, ttl=ttl)
599 / ICMP(id=icmp_id, type="echo-reply")
605 def create_tcp_stream(self, in_if, out_if, count):
609 for i in range(count):
611 Ether(dst=in_if.local_mac, src=in_if.remote_mac)
612 / IP(src=in_if.remote_ip4, dst=out_if.remote_ip4, ttl=64)
613 / TCP(sport=port + i, dport=20)
619 def create_stream_frag(
620 self, src_if, dst, sport, dport, data, proto=IP_PROTOS.tcp, echo_reply=False
622 if proto == IP_PROTOS.tcp:
624 IP(src=src_if.remote_ip4, dst=dst)
625 / TCP(sport=sport, dport=dport)
628 p = p.__class__(scapy.compat.raw(p))
629 chksum = p[TCP].chksum
630 proto_header = TCP(sport=sport, dport=dport, chksum=chksum)
631 elif proto == IP_PROTOS.udp:
632 proto_header = UDP(sport=sport, dport=dport)
633 elif proto == IP_PROTOS.icmp:
635 proto_header = ICMP(id=sport, type="echo-request")
637 proto_header = ICMP(id=sport, type="echo-reply")
639 raise Exception("Unsupported protocol")
640 id = self.random_port()
642 if proto == IP_PROTOS.tcp:
645 raw = Raw(data[0:16])
647 Ether(src=src_if.remote_mac, dst=src_if.local_mac)
648 / IP(src=src_if.remote_ip4, dst=dst, flags="MF", frag=0, id=id)
653 if proto == IP_PROTOS.tcp:
654 raw = Raw(data[4:20])
656 raw = Raw(data[16:32])
658 Ether(src=src_if.remote_mac, dst=src_if.local_mac)
659 / IP(src=src_if.remote_ip4, dst=dst, flags="MF", frag=3, id=id, proto=proto)
663 if proto == IP_PROTOS.tcp:
668 Ether(src=src_if.remote_mac, dst=src_if.local_mac)
669 / IP(src=src_if.remote_ip4, dst=dst, frag=5, proto=proto, id=id)
675 def frag_in_order_in_plus_out(
676 self, in_addr, out_addr, in_port, out_port, proto=IP_PROTOS.tcp
679 layer = self.proto2layer(proto)
681 if proto == IP_PROTOS.tcp:
682 data = b"A" * 4 + b"B" * 16 + b"C" * 3
684 data = b"A" * 16 + b"B" * 16 + b"C" * 3
685 port_in = self.random_port()
689 pkts = self.create_stream_frag(
690 self.pg0, out_addr, port_in, out_port, data, proto
692 self.pg0.add_stream(pkts)
693 self.pg_enable_capture(self.pg_interfaces)
695 frags = self.pg1.get_capture(len(pkts))
696 p = self.reass_frags_and_verify(frags, self.pg0.remote_ip4, in_addr)
697 if proto != IP_PROTOS.icmp:
698 self.assertEqual(p[layer].sport, port_in)
699 self.assertEqual(p[layer].dport, in_port)
701 self.assertEqual(p[layer].id, port_in)
702 self.assertEqual(data, p[Raw].load)
705 if proto != IP_PROTOS.icmp:
706 pkts = self.create_stream_frag(
707 self.pg1, self.pg0.remote_ip4, in_port, p[layer].sport, data, proto
710 pkts = self.create_stream_frag(
719 self.pg1.add_stream(pkts)
720 self.pg_enable_capture(self.pg_interfaces)
722 frags = self.pg0.get_capture(len(pkts))
723 p = self.reass_frags_and_verify(frags, out_addr, self.pg0.remote_ip4)
724 if proto != IP_PROTOS.icmp:
725 self.assertEqual(p[layer].sport, out_port)
726 self.assertEqual(p[layer].dport, port_in)
728 self.assertEqual(p[layer].id, port_in)
729 self.assertEqual(data, p[Raw].load)
731 def frag_out_of_order_in_plus_out(
732 self, in_addr, out_addr, in_port, out_port, proto=IP_PROTOS.tcp
735 layer = self.proto2layer(proto)
737 if proto == IP_PROTOS.tcp:
738 data = b"A" * 4 + b"B" * 16 + b"C" * 3
740 data = b"A" * 16 + b"B" * 16 + b"C" * 3
741 port_in = self.random_port()
745 pkts = self.create_stream_frag(
746 self.pg0, out_addr, port_in, out_port, data, proto
749 self.pg0.add_stream(pkts)
750 self.pg_enable_capture(self.pg_interfaces)
752 frags = self.pg1.get_capture(len(pkts))
753 p = self.reass_frags_and_verify(frags, self.pg0.remote_ip4, in_addr)
754 if proto != IP_PROTOS.icmp:
755 self.assertEqual(p[layer].dport, in_port)
756 self.assertEqual(p[layer].sport, port_in)
757 self.assertEqual(p[layer].dport, in_port)
759 self.assertEqual(p[layer].id, port_in)
760 self.assertEqual(data, p[Raw].load)
763 if proto != IP_PROTOS.icmp:
764 pkts = self.create_stream_frag(
765 self.pg1, self.pg0.remote_ip4, in_port, p[layer].sport, data, proto
768 pkts = self.create_stream_frag(
778 self.pg1.add_stream(pkts)
779 self.pg_enable_capture(self.pg_interfaces)
781 frags = self.pg0.get_capture(len(pkts))
782 p = self.reass_frags_and_verify(frags, out_addr, self.pg0.remote_ip4)
783 if proto != IP_PROTOS.icmp:
784 self.assertEqual(p[layer].sport, out_port)
785 self.assertEqual(p[layer].dport, port_in)
787 self.assertEqual(p[layer].id, port_in)
788 self.assertEqual(data, p[Raw].load)
790 def init_tcp_session(self, in_if, out_if, in_port, ext_port):
793 Ether(src=in_if.remote_mac, dst=in_if.local_mac)
794 / IP(src=in_if.remote_ip4, dst=out_if.remote_ip4)
795 / TCP(sport=in_port, dport=ext_port, flags="S")
798 self.pg_enable_capture(self.pg_interfaces)
800 capture = out_if.get_capture(1)
802 out_port = p[TCP].sport
804 # SYN + ACK packet out->in
806 Ether(src=out_if.remote_mac, dst=out_if.local_mac)
807 / IP(src=out_if.remote_ip4, dst=self.nat_addr)
808 / TCP(sport=ext_port, dport=out_port, flags="SA")
811 self.pg_enable_capture(self.pg_interfaces)
817 Ether(src=in_if.remote_mac, dst=in_if.local_mac)
818 / IP(src=in_if.remote_ip4, dst=out_if.remote_ip4)
819 / TCP(sport=in_port, dport=ext_port, flags="A")
822 self.pg_enable_capture(self.pg_interfaces)
824 out_if.get_capture(1)
828 def twice_nat_common(
829 self, self_twice_nat=False, same_pg=False, lb=False, client_id=None
831 twice_nat_addr = "10.0.1.3"
839 port_in1 = port_in + 1
840 port_in2 = port_in + 2
845 server1 = self.pg0.remote_hosts[0]
846 server2 = self.pg0.remote_hosts[1]
858 eh_translate = (not self_twice_nat) or (not lb and same_pg) or client_id == 1
860 self.nat_add_address(self.nat_addr)
861 self.nat_add_address(twice_nat_addr, twice_nat=1)
865 flags |= self.config_flags.NAT_IS_SELF_TWICE_NAT
867 flags |= self.config_flags.NAT_IS_TWICE_NAT
870 self.nat_add_static_mapping(
880 {"addr": server1.ip4, "port": port_in1, "probability": 50, "vrf_id": 0},
881 {"addr": server2.ip4, "port": port_in2, "probability": 50, "vrf_id": 0},
883 out_addr = self.nat_addr
885 self.vapi.nat44_add_del_lb_static_mapping(
888 external_addr=out_addr,
889 external_port=port_out,
890 protocol=IP_PROTOS.tcp,
891 local_num=len(locals),
894 self.nat_add_inside_interface(pg0)
895 self.nat_add_outside_interface(pg1)
901 assert client_id is not None
903 client = self.pg0.remote_hosts[0]
905 client = self.pg0.remote_hosts[1]
907 client = pg1.remote_hosts[0]
909 Ether(src=pg1.remote_mac, dst=pg1.local_mac)
910 / IP(src=client.ip4, dst=self.nat_addr)
911 / TCP(sport=eh_port_out, dport=port_out)
914 self.pg_enable_capture(self.pg_interfaces)
916 capture = pg0.get_capture(1)
922 if ip.dst == server1.ip4:
928 self.assertEqual(ip.dst, server.ip4)
930 self.assertIn(tcp.dport, [port_in1, port_in2])
932 self.assertEqual(tcp.dport, port_in)
934 self.assertEqual(ip.src, twice_nat_addr)
935 self.assertNotEqual(tcp.sport, eh_port_out)
937 self.assertEqual(ip.src, client.ip4)
938 self.assertEqual(tcp.sport, eh_port_out)
940 eh_port_in = tcp.sport
941 saved_port_in = tcp.dport
942 self.assert_packet_checksums_valid(p)
944 self.logger.error(ppp("Unexpected or invalid packet:", p))
948 Ether(src=server.mac, dst=pg0.local_mac)
949 / IP(src=server.ip4, dst=eh_addr_in)
950 / TCP(sport=saved_port_in, dport=eh_port_in)
953 self.pg_enable_capture(self.pg_interfaces)
955 capture = pg1.get_capture(1)
960 self.assertEqual(ip.dst, client.ip4)
961 self.assertEqual(ip.src, self.nat_addr)
962 self.assertEqual(tcp.dport, eh_port_out)
963 self.assertEqual(tcp.sport, port_out)
964 self.assert_packet_checksums_valid(p)
966 self.logger.error(ppp("Unexpected or invalid packet:", p))
970 sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
971 self.assertEqual(len(sessions), 1)
972 self.assertTrue(sessions[0].flags & self.config_flags.NAT_IS_EXT_HOST_VALID)
973 self.assertTrue(sessions[0].flags & self.config_flags.NAT_IS_TWICE_NAT)
974 self.logger.info(self.vapi.cli("show nat44 sessions"))
975 self.vapi.nat44_del_session(
976 address=sessions[0].inside_ip_address,
977 port=sessions[0].inside_port,
978 protocol=sessions[0].protocol,
980 self.config_flags.NAT_IS_INSIDE
981 | self.config_flags.NAT_IS_EXT_HOST_VALID
983 ext_host_address=sessions[0].ext_host_nat_address,
984 ext_host_port=sessions[0].ext_host_nat_port,
986 sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
987 self.assertEqual(len(sessions), 0)
989 def verify_syslog_sess(self, data, msgid, is_ip6=False):
990 message = data.decode("utf-8")
992 message = SyslogMessage.parse(message)
993 except ParseError as e:
997 self.assertEqual(message.severity, SyslogSeverity.info)
998 self.assertEqual(message.appname, "NAT")
999 self.assertEqual(message.msgid, msgid)
1000 sd_params = message.sd.get("nsess")
1001 self.assertTrue(sd_params is not None)
1003 self.assertEqual(sd_params.get("IATYP"), "IPv6")
1004 self.assertEqual(sd_params.get("ISADDR"), self.pg0.remote_ip6)
1006 self.assertEqual(sd_params.get("IATYP"), "IPv4")
1007 self.assertEqual(sd_params.get("ISADDR"), self.pg0.remote_ip4)
1008 self.assertTrue(sd_params.get("SSUBIX") is not None)
1009 self.assertEqual(sd_params.get("ISPORT"), "%d" % self.tcp_port_in)
1010 self.assertEqual(sd_params.get("XATYP"), "IPv4")
1011 self.assertEqual(sd_params.get("XSADDR"), self.nat_addr)
1012 self.assertEqual(sd_params.get("XSPORT"), "%d" % self.tcp_port_out)
1013 self.assertEqual(sd_params.get("PROTO"), "%d" % IP_PROTOS.tcp)
1014 self.assertEqual(sd_params.get("SVLAN"), "0")
1015 self.assertEqual(sd_params.get("XDADDR"), self.pg1.remote_ip4)
1016 self.assertEqual(sd_params.get("XDPORT"), "%d" % self.tcp_external_port)
1018 def test_icmp_error(self):
1019 """NAT44ED test ICMP error message with inner header"""
1023 self.nat_add_address(self.nat_addr)
1024 self.nat_add_inside_interface(self.pg0)
1025 self.nat_add_outside_interface(self.pg1)
1027 # in2out (initiate connection)
1029 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
1030 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
1031 / UDP(sport=21, dport=20)
1033 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
1034 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
1035 / TCP(sport=21, dport=20, flags="S")
1037 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
1038 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
1039 / ICMP(type="echo-request", id=7777)
1043 capture = self.send_and_expect(self.pg0, p1, self.pg1)
1045 # out2in (send error message)
1047 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
1048 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
1049 / ICMP(type="dest-unreach", code="port-unreachable")
1054 capture = self.send_and_expect(self.pg1, p2, self.pg0)
1058 assert c[IP].dst == self.pg0.remote_ip4
1059 assert c[IPerror].src == self.pg0.remote_ip4
1060 except AssertionError as a:
1061 raise AssertionError(f"Packet {pr(c)} not translated properly") from a
1063 def test_icmp_echo_reply_trailer(self):
1064 """ICMP echo reply with ethernet trailer"""
1066 self.nat_add_address(self.nat_addr)
1067 self.nat_add_inside_interface(self.pg0)
1068 self.nat_add_outside_interface(self.pg1)
1072 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
1073 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
1074 / ICMP(type=8, id=0xABCD, seq=0)
1077 self.pg0.add_stream(p1)
1078 self.pg_enable_capture(self.pg_interfaces)
1080 c = self.pg1.get_capture(1)[0]
1082 self.logger.debug(self.vapi.cli("show trace"))
1086 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
1087 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr, id=0xEE59)
1088 / ICMP(type=0, id=c[ICMP].id, seq=0)
1091 # force checksum calculation
1092 p2 = p2.__class__(bytes(p2))
1094 self.logger.debug(ppp("Packet before modification:", p2))
1096 # hex representation of vss monitoring ethernet trailer
1097 # this seems to be just added to end of packet without modifying
1098 # IP or ICMP lengths / checksums
1099 p2 = p2 / Raw("\x00\x00\x52\x54\x00\x46\xab\x04\x84\x18")
1100 # change it so that IP/ICMP is unaffected
1103 self.logger.debug(ppp("Packet with added trailer:", p2))
1105 self.pg1.add_stream(p2)
1106 self.pg_enable_capture(self.pg_interfaces)
1109 self.pg0.get_capture(1)
1111 def test_users_dump(self):
1112 """NAT44ED API test - nat44_user_dump"""
1114 self.nat_add_address(self.nat_addr)
1115 self.nat_add_inside_interface(self.pg0)
1116 self.nat_add_outside_interface(self.pg1)
1118 self.vapi.nat44_forwarding_enable_disable(enable=1)
1120 local_ip = self.pg0.remote_ip4
1121 external_ip = self.nat_addr
1122 self.nat_add_static_mapping(local_ip, external_ip)
1124 users = self.vapi.nat44_user_dump()
1125 self.assertEqual(len(users), 0)
1127 # in2out - static mapping match
1129 pkts = self.create_stream_out(self.pg1)
1130 self.pg1.add_stream(pkts)
1131 self.pg_enable_capture(self.pg_interfaces)
1133 capture = self.pg0.get_capture(len(pkts))
1134 self.verify_capture_in(capture, self.pg0)
1136 pkts = self.create_stream_in(self.pg0, self.pg1)
1137 self.pg0.add_stream(pkts)
1138 self.pg_enable_capture(self.pg_interfaces)
1140 capture = self.pg1.get_capture(len(pkts))
1141 self.verify_capture_out(capture, same_port=True)
1143 users = self.vapi.nat44_user_dump()
1144 self.assertEqual(len(users), 1)
1145 static_user = users[0]
1146 self.assertEqual(static_user.nstaticsessions, 3)
1147 self.assertEqual(static_user.nsessions, 0)
1149 # in2out - no static mapping match (forwarding test)
1151 host0 = self.pg0.remote_hosts[0]
1152 self.pg0.remote_hosts[0] = self.pg0.remote_hosts[1]
1154 pkts = self.create_stream_out(
1155 self.pg1, dst_ip=self.pg0.remote_ip4, use_inside_ports=True
1157 self.pg1.add_stream(pkts)
1158 self.pg_enable_capture(self.pg_interfaces)
1160 capture = self.pg0.get_capture(len(pkts))
1161 self.verify_capture_in(capture, self.pg0)
1163 pkts = self.create_stream_in(self.pg0, self.pg1)
1164 self.pg0.add_stream(pkts)
1165 self.pg_enable_capture(self.pg_interfaces)
1167 capture = self.pg1.get_capture(len(pkts))
1168 self.verify_capture_out(capture, nat_ip=self.pg0.remote_ip4, same_port=True)
1170 self.pg0.remote_hosts[0] = host0
1172 users = self.vapi.nat44_user_dump()
1173 self.assertEqual(len(users), 2)
1174 if str(users[0].ip_address) == self.pg0.remote_hosts[0].ip4:
1175 non_static_user = users[1]
1176 static_user = users[0]
1178 non_static_user = users[0]
1179 static_user = users[1]
1180 self.assertEqual(static_user.nstaticsessions, 3)
1181 self.assertEqual(static_user.nsessions, 0)
1182 self.assertEqual(non_static_user.nstaticsessions, 0)
1183 self.assertEqual(non_static_user.nsessions, 3)
1185 users = self.vapi.nat44_user_dump()
1186 self.assertEqual(len(users), 2)
1187 if str(users[0].ip_address) == self.pg0.remote_hosts[0].ip4:
1188 non_static_user = users[1]
1189 static_user = users[0]
1191 non_static_user = users[0]
1192 static_user = users[1]
1193 self.assertEqual(static_user.nstaticsessions, 3)
1194 self.assertEqual(static_user.nsessions, 0)
1195 self.assertEqual(non_static_user.nstaticsessions, 0)
1196 self.assertEqual(non_static_user.nsessions, 3)
1198 def test_frag_out_of_order_do_not_translate(self):
1199 """NAT44ED don't translate fragments arriving out of order"""
1200 self.nat_add_inside_interface(self.pg0)
1201 self.nat_add_outside_interface(self.pg1)
1202 self.vapi.nat44_forwarding_enable_disable(enable=True)
1203 self.frag_out_of_order(proto=IP_PROTOS.tcp, dont_translate=True)
1205 def test_forwarding(self):
1206 """NAT44ED forwarding test"""
1208 self.nat_add_inside_interface(self.pg0)
1209 self.nat_add_outside_interface(self.pg1)
1210 self.vapi.nat44_forwarding_enable_disable(enable=1)
1212 real_ip = self.pg0.remote_ip4
1213 alias_ip = self.nat_addr
1214 flags = self.config_flags.NAT_IS_ADDR_ONLY
1215 self.vapi.nat44_add_del_static_mapping(
1217 local_ip_address=real_ip,
1218 external_ip_address=alias_ip,
1219 external_sw_if_index=0xFFFFFFFF,
1224 # in2out - static mapping match
1226 pkts = self.create_stream_out(self.pg1)
1227 self.pg1.add_stream(pkts)
1228 self.pg_enable_capture(self.pg_interfaces)
1230 capture = self.pg0.get_capture(len(pkts))
1231 self.verify_capture_in(capture, self.pg0)
1233 pkts = self.create_stream_in(self.pg0, self.pg1)
1234 self.pg0.add_stream(pkts)
1235 self.pg_enable_capture(self.pg_interfaces)
1237 capture = self.pg1.get_capture(len(pkts))
1238 self.verify_capture_out(capture, same_port=True)
1240 # in2out - no static mapping match
1242 host0 = self.pg0.remote_hosts[0]
1243 self.pg0.remote_hosts[0] = self.pg0.remote_hosts[1]
1245 pkts = self.create_stream_out(
1246 self.pg1, dst_ip=self.pg0.remote_ip4, use_inside_ports=True
1248 self.pg1.add_stream(pkts)
1249 self.pg_enable_capture(self.pg_interfaces)
1251 capture = self.pg0.get_capture(len(pkts))
1252 self.verify_capture_in(capture, self.pg0)
1254 pkts = self.create_stream_in(self.pg0, self.pg1)
1255 self.pg0.add_stream(pkts)
1256 self.pg_enable_capture(self.pg_interfaces)
1258 capture = self.pg1.get_capture(len(pkts))
1259 self.verify_capture_out(
1260 capture, nat_ip=self.pg0.remote_ip4, same_port=True
1263 self.pg0.remote_hosts[0] = host0
1265 user = self.pg0.remote_hosts[1]
1266 sessions = self.vapi.nat44_user_session_dump(user.ip4, 0)
1267 self.assertEqual(len(sessions), 3)
1268 self.assertTrue(sessions[0].flags & self.config_flags.NAT_IS_EXT_HOST_VALID)
1269 self.vapi.nat44_del_session(
1270 address=sessions[0].inside_ip_address,
1271 port=sessions[0].inside_port,
1272 protocol=sessions[0].protocol,
1274 self.config_flags.NAT_IS_INSIDE
1275 | self.config_flags.NAT_IS_EXT_HOST_VALID
1277 ext_host_address=sessions[0].ext_host_address,
1278 ext_host_port=sessions[0].ext_host_port,
1280 sessions = self.vapi.nat44_user_session_dump(user.ip4, 0)
1281 self.assertEqual(len(sessions), 2)
1284 self.vapi.nat44_forwarding_enable_disable(enable=0)
1285 flags = self.config_flags.NAT_IS_ADDR_ONLY
1286 self.vapi.nat44_add_del_static_mapping(
1288 local_ip_address=real_ip,
1289 external_ip_address=alias_ip,
1290 external_sw_if_index=0xFFFFFFFF,
1294 def test_output_feature_and_service2(self):
1295 """NAT44ED interface output feature and service host direct access"""
1296 self.vapi.nat44_forwarding_enable_disable(enable=1)
1297 self.nat_add_address(self.nat_addr)
1299 self.vapi.nat44_ed_add_del_output_interface(
1300 sw_if_index=self.pg1.sw_if_index, is_add=1
1303 # session initiated from service host - translate
1304 pkts = self.create_stream_in(self.pg0, self.pg1)
1305 self.pg0.add_stream(pkts)
1306 self.pg_enable_capture(self.pg_interfaces)
1308 capture = self.pg1.get_capture(len(pkts))
1309 self.verify_capture_out(capture, ignore_port=True)
1311 pkts = self.create_stream_out(self.pg1)
1312 self.pg1.add_stream(pkts)
1313 self.pg_enable_capture(self.pg_interfaces)
1315 capture = self.pg0.get_capture(len(pkts))
1316 self.verify_capture_in(capture, self.pg0)
1318 # session initiated from remote host - do not translate
1319 tcp_port_in = self.tcp_port_in
1320 udp_port_in = self.udp_port_in
1321 icmp_id_in = self.icmp_id_in
1323 self.tcp_port_in = 60303
1324 self.udp_port_in = 60304
1325 self.icmp_id_in = 60305
1328 pkts = self.create_stream_out(
1329 self.pg1, self.pg0.remote_ip4, use_inside_ports=True
1331 self.pg1.add_stream(pkts)
1332 self.pg_enable_capture(self.pg_interfaces)
1334 capture = self.pg0.get_capture(len(pkts))
1335 self.verify_capture_in(capture, self.pg0)
1337 pkts = self.create_stream_in(self.pg0, self.pg1)
1338 self.pg0.add_stream(pkts)
1339 self.pg_enable_capture(self.pg_interfaces)
1341 capture = self.pg1.get_capture(len(pkts))
1342 self.verify_capture_out(capture, nat_ip=self.pg0.remote_ip4, same_port=True)
1344 self.tcp_port_in = tcp_port_in
1345 self.udp_port_in = udp_port_in
1346 self.icmp_id_in = icmp_id_in
1348 def test_twice_nat(self):
1349 """NAT44ED Twice NAT"""
1350 self.twice_nat_common()
1352 def test_self_twice_nat_positive(self):
1353 """NAT44ED Self Twice NAT (positive test)"""
1354 self.twice_nat_common(self_twice_nat=True, same_pg=True)
1356 def test_self_twice_nat_lb_positive(self):
1357 """NAT44ED Self Twice NAT local service load balancing (positive test)"""
1358 self.twice_nat_common(lb=True, self_twice_nat=True, same_pg=True, client_id=1)
1360 def test_twice_nat_lb(self):
1361 """NAT44ED Twice NAT local service load balancing"""
1362 self.twice_nat_common(lb=True)
1364 def test_output_feature(self):
1365 """NAT44ED interface output feature (in2out postrouting)"""
1366 self.vapi.nat44_forwarding_enable_disable(enable=1)
1367 self.nat_add_address(self.nat_addr)
1369 self.nat_add_outside_interface(self.pg0)
1370 self.vapi.nat44_ed_add_del_output_interface(
1371 sw_if_index=self.pg1.sw_if_index, is_add=1
1375 pkts = self.create_stream_in(self.pg0, self.pg1)
1376 self.pg0.add_stream(pkts)
1377 self.pg_enable_capture(self.pg_interfaces)
1379 capture = self.pg1.get_capture(len(pkts))
1380 self.verify_capture_out(capture, ignore_port=True)
1381 self.logger.debug(self.vapi.cli("show trace"))
1384 pkts = self.create_stream_out(self.pg1)
1385 self.pg1.add_stream(pkts)
1386 self.pg_enable_capture(self.pg_interfaces)
1388 capture = self.pg0.get_capture(len(pkts))
1389 self.verify_capture_in(capture, self.pg0)
1390 self.logger.debug(self.vapi.cli("show trace"))
1393 pkts = self.create_stream_in(self.pg0, self.pg1, ttl=2)
1394 self.pg0.add_stream(pkts)
1395 self.pg_enable_capture(self.pg_interfaces)
1397 capture = self.pg1.get_capture(len(pkts))
1398 self.verify_capture_out(capture, ignore_port=True)
1399 self.logger.debug(self.vapi.cli("show trace"))
1402 pkts = self.create_stream_out(self.pg1, ttl=2)
1403 self.pg1.add_stream(pkts)
1404 self.pg_enable_capture(self.pg_interfaces)
1406 capture = self.pg0.get_capture(len(pkts))
1407 self.verify_capture_in(capture, self.pg0)
1408 self.logger.debug(self.vapi.cli("show trace"))
1411 pkts = self.create_stream_in(self.pg0, self.pg1, ttl=1)
1412 capture = self.send_and_expect_some(self.pg0, pkts, self.pg0)
1414 self.assertIn(ICMP, p)
1415 self.assertEqual(p[ICMP].type, 11) # 11 == time-exceeded
1417 def test_static_with_port_out2(self):
1418 """NAT44ED 1:1 NAPT asymmetrical rule"""
1423 self.vapi.nat44_forwarding_enable_disable(enable=1)
1424 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
1425 self.nat_add_static_mapping(
1426 self.pg0.remote_ip4,
1430 proto=IP_PROTOS.tcp,
1434 self.nat_add_inside_interface(self.pg0)
1435 self.nat_add_outside_interface(self.pg1)
1437 # from client to service
1439 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
1440 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
1441 / TCP(sport=12345, dport=external_port)
1443 self.pg1.add_stream(p)
1444 self.pg_enable_capture(self.pg_interfaces)
1446 capture = self.pg0.get_capture(1)
1451 self.assertEqual(ip.dst, self.pg0.remote_ip4)
1452 self.assertEqual(tcp.dport, local_port)
1453 self.assert_packet_checksums_valid(p)
1455 self.logger.error(ppp("Unexpected or invalid packet:", p))
1460 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
1461 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
1465 self.pg0.add_stream(p)
1466 self.pg_enable_capture(self.pg_interfaces)
1468 capture = self.pg1.get_capture(1)
1471 self.assertEqual(p[IP].src, self.nat_addr)
1473 self.assertEqual(inner.dst, self.nat_addr)
1474 self.assertEqual(inner[TCPerror].dport, external_port)
1476 self.logger.error(ppp("Unexpected or invalid packet:", p))
1479 # from service back to client
1481 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
1482 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
1483 / TCP(sport=local_port, dport=12345)
1485 self.pg0.add_stream(p)
1486 self.pg_enable_capture(self.pg_interfaces)
1488 capture = self.pg1.get_capture(1)
1493 self.assertEqual(ip.src, self.nat_addr)
1494 self.assertEqual(tcp.sport, external_port)
1495 self.assert_packet_checksums_valid(p)
1497 self.logger.error(ppp("Unexpected or invalid packet:", p))
1502 Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
1503 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
1507 self.pg1.add_stream(p)
1508 self.pg_enable_capture(self.pg_interfaces)
1510 capture = self.pg0.get_capture(1)
1513 self.assertEqual(p[IP].dst, self.pg0.remote_ip4)
1515 self.assertEqual(inner.src, self.pg0.remote_ip4)
1516 self.assertEqual(inner[TCPerror].sport, local_port)
1518 self.logger.error(ppp("Unexpected or invalid packet:", p))
1521 # from client to server (no translation)
1523 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
1524 / IP(src=self.pg1.remote_ip4, dst=self.pg0.remote_ip4)
1525 / TCP(sport=12346, dport=local_port)
1527 self.pg1.add_stream(p)
1528 self.pg_enable_capture(self.pg_interfaces)
1530 capture = self.pg0.get_capture(1)
1535 self.assertEqual(ip.dst, self.pg0.remote_ip4)
1536 self.assertEqual(tcp.dport, local_port)
1537 self.assert_packet_checksums_valid(p)
1539 self.logger.error(ppp("Unexpected or invalid packet:", p))
1542 # from service back to client (no translation)
1544 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
1545 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
1546 / TCP(sport=local_port, dport=12346)
1548 self.pg0.add_stream(p)
1549 self.pg_enable_capture(self.pg_interfaces)
1551 capture = self.pg1.get_capture(1)
1556 self.assertEqual(ip.src, self.pg0.remote_ip4)
1557 self.assertEqual(tcp.sport, local_port)
1558 self.assert_packet_checksums_valid(p)
1560 self.logger.error(ppp("Unexpected or invalid packet:", p))
1563 def test_static_lb(self):
1564 """NAT44ED local service load balancing"""
1565 external_addr_n = self.nat_addr
1568 server1 = self.pg0.remote_hosts[0]
1569 server2 = self.pg0.remote_hosts[1]
1572 {"addr": server1.ip4, "port": local_port, "probability": 70, "vrf_id": 0},
1573 {"addr": server2.ip4, "port": local_port, "probability": 30, "vrf_id": 0},
1576 self.nat_add_address(self.nat_addr)
1577 self.vapi.nat44_add_del_lb_static_mapping(
1579 external_addr=external_addr_n,
1580 external_port=external_port,
1581 protocol=IP_PROTOS.tcp,
1582 local_num=len(locals),
1585 flags = self.config_flags.NAT_IS_INSIDE
1586 self.vapi.nat44_interface_add_del_feature(
1587 sw_if_index=self.pg0.sw_if_index, flags=flags, is_add=1
1589 self.vapi.nat44_interface_add_del_feature(
1590 sw_if_index=self.pg1.sw_if_index, is_add=1
1593 # from client to service
1595 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
1596 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
1597 / TCP(sport=12345, dport=external_port)
1599 self.pg1.add_stream(p)
1600 self.pg_enable_capture(self.pg_interfaces)
1602 capture = self.pg0.get_capture(1)
1608 self.assertIn(ip.dst, [server1.ip4, server2.ip4])
1609 if ip.dst == server1.ip4:
1613 self.assertEqual(tcp.dport, local_port)
1614 self.assert_packet_checksums_valid(p)
1616 self.logger.error(ppp("Unexpected or invalid packet:", p))
1619 # from service back to client
1621 Ether(src=server.mac, dst=self.pg0.local_mac)
1622 / IP(src=server.ip4, dst=self.pg1.remote_ip4)
1623 / TCP(sport=local_port, dport=12345)
1625 self.pg0.add_stream(p)
1626 self.pg_enable_capture(self.pg_interfaces)
1628 capture = self.pg1.get_capture(1)
1633 self.assertEqual(ip.src, self.nat_addr)
1634 self.assertEqual(tcp.sport, external_port)
1635 self.assert_packet_checksums_valid(p)
1637 self.logger.error(ppp("Unexpected or invalid packet:", p))
1640 sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
1641 self.assertEqual(len(sessions), 1)
1642 self.assertTrue(sessions[0].flags & self.config_flags.NAT_IS_EXT_HOST_VALID)
1643 self.vapi.nat44_del_session(
1644 address=sessions[0].inside_ip_address,
1645 port=sessions[0].inside_port,
1646 protocol=sessions[0].protocol,
1648 self.config_flags.NAT_IS_INSIDE
1649 | self.config_flags.NAT_IS_EXT_HOST_VALID
1651 ext_host_address=sessions[0].ext_host_address,
1652 ext_host_port=sessions[0].ext_host_port,
1654 sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
1655 self.assertEqual(len(sessions), 0)
1657 def test_static_lb_2(self):
1658 """NAT44ED local service load balancing (asymmetrical rule)"""
1659 external_addr = self.nat_addr
1662 server1 = self.pg0.remote_hosts[0]
1663 server2 = self.pg0.remote_hosts[1]
1666 {"addr": server1.ip4, "port": local_port, "probability": 70, "vrf_id": 0},
1667 {"addr": server2.ip4, "port": local_port, "probability": 30, "vrf_id": 0},
1670 self.vapi.nat44_forwarding_enable_disable(enable=1)
1671 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
1672 self.vapi.nat44_add_del_lb_static_mapping(
1675 external_addr=external_addr,
1676 external_port=external_port,
1677 protocol=IP_PROTOS.tcp,
1678 local_num=len(locals),
1681 flags = self.config_flags.NAT_IS_INSIDE
1682 self.vapi.nat44_interface_add_del_feature(
1683 sw_if_index=self.pg0.sw_if_index, flags=flags, is_add=1
1685 self.vapi.nat44_interface_add_del_feature(
1686 sw_if_index=self.pg1.sw_if_index, is_add=1
1689 # from client to service
1691 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
1692 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
1693 / TCP(sport=12345, dport=external_port)
1695 self.pg1.add_stream(p)
1696 self.pg_enable_capture(self.pg_interfaces)
1698 capture = self.pg0.get_capture(1)
1704 self.assertIn(ip.dst, [server1.ip4, server2.ip4])
1705 if ip.dst == server1.ip4:
1709 self.assertEqual(tcp.dport, local_port)
1710 self.assert_packet_checksums_valid(p)
1712 self.logger.error(ppp("Unexpected or invalid packet:", p))
1715 # from service back to client
1717 Ether(src=server.mac, dst=self.pg0.local_mac)
1718 / IP(src=server.ip4, dst=self.pg1.remote_ip4)
1719 / TCP(sport=local_port, dport=12345)
1721 self.pg0.add_stream(p)
1722 self.pg_enable_capture(self.pg_interfaces)
1724 capture = self.pg1.get_capture(1)
1729 self.assertEqual(ip.src, self.nat_addr)
1730 self.assertEqual(tcp.sport, external_port)
1731 self.assert_packet_checksums_valid(p)
1733 self.logger.error(ppp("Unexpected or invalid packet:", p))
1736 # from client to server (no translation)
1738 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
1739 / IP(src=self.pg1.remote_ip4, dst=server1.ip4)
1740 / TCP(sport=12346, dport=local_port)
1742 self.pg1.add_stream(p)
1743 self.pg_enable_capture(self.pg_interfaces)
1745 capture = self.pg0.get_capture(1)
1751 self.assertEqual(ip.dst, server1.ip4)
1752 self.assertEqual(tcp.dport, local_port)
1753 self.assert_packet_checksums_valid(p)
1755 self.logger.error(ppp("Unexpected or invalid packet:", p))
1758 # from service back to client (no translation)
1760 Ether(src=server1.mac, dst=self.pg0.local_mac)
1761 / IP(src=server1.ip4, dst=self.pg1.remote_ip4)
1762 / TCP(sport=local_port, dport=12346)
1764 self.pg0.add_stream(p)
1765 self.pg_enable_capture(self.pg_interfaces)
1767 capture = self.pg1.get_capture(1)
1772 self.assertEqual(ip.src, server1.ip4)
1773 self.assertEqual(tcp.sport, local_port)
1774 self.assert_packet_checksums_valid(p)
1776 self.logger.error(ppp("Unexpected or invalid packet:", p))
1779 def test_lb_affinity(self):
1780 """NAT44ED local service load balancing affinity"""
1781 external_addr = self.nat_addr
1784 server1 = self.pg0.remote_hosts[0]
1785 server2 = self.pg0.remote_hosts[1]
1788 {"addr": server1.ip4, "port": local_port, "probability": 50, "vrf_id": 0},
1789 {"addr": server2.ip4, "port": local_port, "probability": 50, "vrf_id": 0},
1792 self.nat_add_address(self.nat_addr)
1793 self.vapi.nat44_add_del_lb_static_mapping(
1795 external_addr=external_addr,
1796 external_port=external_port,
1797 protocol=IP_PROTOS.tcp,
1799 local_num=len(locals),
1802 flags = self.config_flags.NAT_IS_INSIDE
1803 self.vapi.nat44_interface_add_del_feature(
1804 sw_if_index=self.pg0.sw_if_index, flags=flags, is_add=1
1806 self.vapi.nat44_interface_add_del_feature(
1807 sw_if_index=self.pg1.sw_if_index, is_add=1
1811 Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
1812 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
1813 / TCP(sport=1025, dport=external_port)
1815 self.pg1.add_stream(p)
1816 self.pg_enable_capture(self.pg_interfaces)
1818 capture = self.pg0.get_capture(1)
1819 backend = capture[0][IP].dst
1821 sessions = self.vapi.nat44_user_session_dump(backend, 0)
1822 self.assertEqual(len(sessions), 1)
1823 self.assertTrue(sessions[0].flags & self.config_flags.NAT_IS_EXT_HOST_VALID)
1824 self.vapi.nat44_del_session(
1825 address=sessions[0].inside_ip_address,
1826 port=sessions[0].inside_port,
1827 protocol=sessions[0].protocol,
1829 self.config_flags.NAT_IS_INSIDE
1830 | self.config_flags.NAT_IS_EXT_HOST_VALID
1832 ext_host_address=sessions[0].ext_host_address,
1833 ext_host_port=sessions[0].ext_host_port,
1837 for port in range(1030, 1100):
1839 Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
1840 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
1841 / TCP(sport=port, dport=external_port)
1844 self.pg1.add_stream(pkts)
1845 self.pg_enable_capture(self.pg_interfaces)
1847 capture = self.pg0.get_capture(len(pkts))
1849 self.assertEqual(p[IP].dst, backend)
1851 def test_multiple_vrf_1(self):
1852 """Multiple VRF - both client & service in VRF1"""
1854 external_addr = "1.2.3.4"
1859 flags = self.config_flags.NAT_IS_INSIDE
1860 self.vapi.nat44_interface_add_del_feature(
1861 sw_if_index=self.pg5.sw_if_index, is_add=1
1863 self.vapi.nat44_interface_add_del_feature(
1864 sw_if_index=self.pg5.sw_if_index, is_add=1, flags=flags
1866 self.vapi.nat44_interface_add_del_feature(
1867 sw_if_index=self.pg6.sw_if_index, is_add=1
1869 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
1870 self.nat_add_static_mapping(
1871 self.pg5.remote_ip4,
1876 proto=IP_PROTOS.tcp,
1881 Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac)
1882 / IP(src=self.pg6.remote_ip4, dst=external_addr)
1883 / TCP(sport=12345, dport=external_port)
1885 self.pg6.add_stream(p)
1886 self.pg_enable_capture(self.pg_interfaces)
1888 capture = self.pg5.get_capture(1)
1893 self.assertEqual(ip.dst, self.pg5.remote_ip4)
1894 self.assertEqual(tcp.dport, local_port)
1895 self.assert_packet_checksums_valid(p)
1897 self.logger.error(ppp("Unexpected or invalid packet:", p))
1901 Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac)
1902 / IP(src=self.pg5.remote_ip4, dst=self.pg6.remote_ip4)
1903 / TCP(sport=local_port, dport=12345)
1905 self.pg5.add_stream(p)
1906 self.pg_enable_capture(self.pg_interfaces)
1908 capture = self.pg6.get_capture(1)
1913 self.assertEqual(ip.src, external_addr)
1914 self.assertEqual(tcp.sport, external_port)
1915 self.assert_packet_checksums_valid(p)
1917 self.logger.error(ppp("Unexpected or invalid packet:", p))
1920 def test_multiple_vrf_2(self):
1921 """Multiple VRF - dynamic NAT from VRF1 to VRF0 (output-feature)"""
1923 external_addr = "1.2.3.4"
1928 self.nat_add_address(self.nat_addr)
1929 flags = self.config_flags.NAT_IS_INSIDE
1930 self.vapi.nat44_ed_add_del_output_interface(
1931 sw_if_index=self.pg1.sw_if_index, is_add=1
1933 self.vapi.nat44_interface_add_del_feature(
1934 sw_if_index=self.pg5.sw_if_index, is_add=1
1936 self.vapi.nat44_interface_add_del_feature(
1937 sw_if_index=self.pg5.sw_if_index, is_add=1, flags=flags
1939 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
1940 self.nat_add_static_mapping(
1941 self.pg5.remote_ip4,
1946 proto=IP_PROTOS.tcp,
1951 Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac)
1952 / IP(src=self.pg5.remote_ip4, dst=self.pg1.remote_ip4)
1953 / TCP(sport=2345, dport=22)
1955 self.pg5.add_stream(p)
1956 self.pg_enable_capture(self.pg_interfaces)
1958 capture = self.pg1.get_capture(1)
1963 self.assertEqual(ip.src, self.nat_addr)
1964 self.assert_packet_checksums_valid(p)
1967 self.logger.error(ppp("Unexpected or invalid packet:", p))
1971 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
1972 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
1973 / TCP(sport=22, dport=port)
1975 self.pg1.add_stream(p)
1976 self.pg_enable_capture(self.pg_interfaces)
1978 capture = self.pg5.get_capture(1)
1983 self.assertEqual(ip.dst, self.pg5.remote_ip4)
1984 self.assertEqual(tcp.dport, 2345)
1985 self.assert_packet_checksums_valid(p)
1987 self.logger.error(ppp("Unexpected or invalid packet:", p))
1990 def test_multiple_vrf_3(self):
1991 """Multiple VRF - client in VRF1, service in VRF0"""
1993 external_addr = "1.2.3.4"
1998 flags = self.config_flags.NAT_IS_INSIDE
1999 self.vapi.nat44_interface_add_del_feature(
2000 sw_if_index=self.pg0.sw_if_index, is_add=1
2002 self.vapi.nat44_interface_add_del_feature(
2003 sw_if_index=self.pg0.sw_if_index, is_add=1, flags=flags
2005 self.vapi.nat44_interface_add_del_feature(
2006 sw_if_index=self.pg6.sw_if_index, is_add=1
2008 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
2009 self.nat_add_static_mapping(
2010 self.pg0.remote_ip4,
2011 external_sw_if_index=self.pg0.sw_if_index,
2012 local_port=local_port,
2014 external_port=external_port,
2015 proto=IP_PROTOS.tcp,
2019 # from client VRF1 to service VRF0
2021 Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac)
2022 / IP(src=self.pg6.remote_ip4, dst=self.pg0.local_ip4)
2023 / TCP(sport=12346, dport=external_port)
2025 self.pg6.add_stream(p)
2026 self.pg_enable_capture(self.pg_interfaces)
2028 capture = self.pg0.get_capture(1)
2033 self.assertEqual(ip.dst, self.pg0.remote_ip4)
2034 self.assertEqual(tcp.dport, local_port)
2035 self.assert_packet_checksums_valid(p)
2037 self.logger.error(ppp("Unexpected or invalid packet:", p))
2040 # from service VRF0 back to client VRF1
2042 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
2043 / IP(src=self.pg0.remote_ip4, dst=self.pg6.remote_ip4)
2044 / TCP(sport=local_port, dport=12346)
2046 self.pg0.add_stream(p)
2047 self.pg_enable_capture(self.pg_interfaces)
2049 capture = self.pg6.get_capture(1)
2054 self.assertEqual(ip.src, self.pg0.local_ip4)
2055 self.assertEqual(tcp.sport, external_port)
2056 self.assert_packet_checksums_valid(p)
2058 self.logger.error(ppp("Unexpected or invalid packet:", p))
2061 def test_multiple_vrf_4(self):
2062 """Multiple VRF - client in VRF0, service in VRF1"""
2064 external_addr = "1.2.3.4"
2069 flags = self.config_flags.NAT_IS_INSIDE
2070 self.vapi.nat44_interface_add_del_feature(
2071 sw_if_index=self.pg0.sw_if_index, is_add=1
2073 self.vapi.nat44_interface_add_del_feature(
2074 sw_if_index=self.pg0.sw_if_index, is_add=1, flags=flags
2076 self.vapi.nat44_interface_add_del_feature(
2077 sw_if_index=self.pg5.sw_if_index, is_add=1
2079 self.vapi.nat44_interface_add_del_feature(
2080 sw_if_index=self.pg5.sw_if_index, is_add=1, flags=flags
2082 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
2083 self.nat_add_static_mapping(
2084 self.pg5.remote_ip4,
2089 proto=IP_PROTOS.tcp,
2093 # from client VRF0 to service VRF1
2095 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
2096 / IP(src=self.pg0.remote_ip4, dst=external_addr)
2097 / TCP(sport=12347, dport=external_port)
2099 self.pg0.add_stream(p)
2100 self.pg_enable_capture(self.pg_interfaces)
2102 capture = self.pg5.get_capture(1)
2107 self.assertEqual(ip.dst, self.pg5.remote_ip4)
2108 self.assertEqual(tcp.dport, local_port)
2109 self.assert_packet_checksums_valid(p)
2111 self.logger.error(ppp("Unexpected or invalid packet:", p))
2114 # from service VRF1 back to client VRF0
2116 Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac)
2117 / IP(src=self.pg5.remote_ip4, dst=self.pg0.remote_ip4)
2118 / TCP(sport=local_port, dport=12347)
2120 self.pg5.add_stream(p)
2121 self.pg_enable_capture(self.pg_interfaces)
2123 capture = self.pg0.get_capture(1)
2128 self.assertEqual(ip.src, external_addr)
2129 self.assertEqual(tcp.sport, external_port)
2130 self.assert_packet_checksums_valid(p)
2132 self.logger.error(ppp("Unexpected or invalid packet:", p))
2135 def test_multiple_vrf_5(self):
2136 """Multiple VRF - forwarding - no translation"""
2138 external_addr = "1.2.3.4"
2143 self.vapi.nat44_forwarding_enable_disable(enable=1)
2144 flags = self.config_flags.NAT_IS_INSIDE
2145 self.vapi.nat44_interface_add_del_feature(
2146 sw_if_index=self.pg0.sw_if_index, is_add=1
2148 self.vapi.nat44_interface_add_del_feature(
2149 sw_if_index=self.pg0.sw_if_index, is_add=1, flags=flags
2151 self.vapi.nat44_interface_add_del_feature(
2152 sw_if_index=self.pg5.sw_if_index, is_add=1
2154 self.vapi.nat44_interface_add_del_feature(
2155 sw_if_index=self.pg5.sw_if_index, is_add=1, flags=flags
2157 self.vapi.nat44_interface_add_del_feature(
2158 sw_if_index=self.pg6.sw_if_index, is_add=1
2160 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
2161 self.nat_add_static_mapping(
2162 self.pg5.remote_ip4,
2167 proto=IP_PROTOS.tcp,
2170 self.nat_add_static_mapping(
2171 self.pg0.remote_ip4,
2172 external_sw_if_index=self.pg0.sw_if_index,
2173 local_port=local_port,
2175 external_port=external_port,
2176 proto=IP_PROTOS.tcp,
2180 # from client to server (both VRF1, no translation)
2182 Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac)
2183 / IP(src=self.pg6.remote_ip4, dst=self.pg5.remote_ip4)
2184 / TCP(sport=12348, dport=local_port)
2186 self.pg6.add_stream(p)
2187 self.pg_enable_capture(self.pg_interfaces)
2189 capture = self.pg5.get_capture(1)
2194 self.assertEqual(ip.dst, self.pg5.remote_ip4)
2195 self.assertEqual(tcp.dport, local_port)
2196 self.assert_packet_checksums_valid(p)
2198 self.logger.error(ppp("Unexpected or invalid packet:", p))
2201 # from server back to client (both VRF1, no translation)
2203 Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac)
2204 / IP(src=self.pg5.remote_ip4, dst=self.pg6.remote_ip4)
2205 / TCP(sport=local_port, dport=12348)
2207 self.pg5.add_stream(p)
2208 self.pg_enable_capture(self.pg_interfaces)
2210 capture = self.pg6.get_capture(1)
2215 self.assertEqual(ip.src, self.pg5.remote_ip4)
2216 self.assertEqual(tcp.sport, local_port)
2217 self.assert_packet_checksums_valid(p)
2219 self.logger.error(ppp("Unexpected or invalid packet:", p))
2222 # from client VRF1 to server VRF0 (no translation)
2224 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
2225 / IP(src=self.pg0.remote_ip4, dst=self.pg6.remote_ip4)
2226 / TCP(sport=local_port, dport=12349)
2228 self.pg0.add_stream(p)
2229 self.pg_enable_capture(self.pg_interfaces)
2231 capture = self.pg6.get_capture(1)
2236 self.assertEqual(ip.src, self.pg0.remote_ip4)
2237 self.assertEqual(tcp.sport, local_port)
2238 self.assert_packet_checksums_valid(p)
2240 self.logger.error(ppp("Unexpected or invalid packet:", p))
2243 # from server VRF0 back to client VRF1 (no translation)
2245 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
2246 / IP(src=self.pg0.remote_ip4, dst=self.pg6.remote_ip4)
2247 / TCP(sport=local_port, dport=12349)
2249 self.pg0.add_stream(p)
2250 self.pg_enable_capture(self.pg_interfaces)
2252 capture = self.pg6.get_capture(1)
2257 self.assertEqual(ip.src, self.pg0.remote_ip4)
2258 self.assertEqual(tcp.sport, local_port)
2259 self.assert_packet_checksums_valid(p)
2261 self.logger.error(ppp("Unexpected or invalid packet:", p))
2264 # from client VRF0 to server VRF1 (no translation)
2266 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
2267 / IP(src=self.pg0.remote_ip4, dst=self.pg5.remote_ip4)
2268 / TCP(sport=12344, dport=local_port)
2270 self.pg0.add_stream(p)
2271 self.pg_enable_capture(self.pg_interfaces)
2273 capture = self.pg5.get_capture(1)
2278 self.assertEqual(ip.dst, self.pg5.remote_ip4)
2279 self.assertEqual(tcp.dport, local_port)
2280 self.assert_packet_checksums_valid(p)
2282 self.logger.error(ppp("Unexpected or invalid packet:", p))
2285 # from server VRF1 back to client VRF0 (no translation)
2287 Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac)
2288 / IP(src=self.pg5.remote_ip4, dst=self.pg0.remote_ip4)
2289 / TCP(sport=local_port, dport=12344)
2291 self.pg5.add_stream(p)
2292 self.pg_enable_capture(self.pg_interfaces)
2294 capture = self.pg0.get_capture(1)
2299 self.assertEqual(ip.src, self.pg5.remote_ip4)
2300 self.assertEqual(tcp.sport, local_port)
2301 self.assert_packet_checksums_valid(p)
2303 self.logger.error(ppp("Unexpected or invalid packet:", p))
2306 def test_outside_address_distribution(self):
2307 """Outside address distribution based on source address"""
2312 for i in range(1, x):
2314 nat_addresses.append(a)
2316 self.nat_add_inside_interface(self.pg0)
2317 self.nat_add_outside_interface(self.pg1)
2319 self.vapi.nat44_add_del_address_range(
2320 first_ip_address=nat_addresses[0],
2321 last_ip_address=nat_addresses[-1],
2327 self.pg0.generate_remote_hosts(x)
2331 info = self.create_packet_info(self.pg0, self.pg1)
2332 payload = self.info_to_payload(info)
2334 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
2335 / IP(src=self.pg0.remote_hosts[i].ip4, dst=self.pg1.remote_ip4)
2336 / UDP(sport=7000 + i, dport=8000 + i)
2342 self.pg0.add_stream(pkts)
2343 self.pg_enable_capture(self.pg_interfaces)
2345 recvd = self.pg1.get_capture(len(pkts))
2346 for p_recvd in recvd:
2347 payload_info = self.payload_to_info(p_recvd[Raw])
2348 packet_index = payload_info.index
2349 info = self._packet_infos[packet_index]
2350 self.assertTrue(info is not None)
2351 self.assertEqual(packet_index, info.index)
2353 packed = socket.inet_aton(p_sent[IP].src)
2354 numeric = struct.unpack("!L", packed)[0]
2355 numeric = socket.htonl(numeric)
2356 a = nat_addresses[(numeric - 1) % len(nat_addresses)]
2360 "Invalid packet (src IP %s translated to %s, but expected %s)"
2361 % (p_sent[IP].src, p_recvd[IP].src, a),
2364 def test_dynamic_edge_ports(self):
2365 """NAT44ED dynamic translation test: edge ports"""
2367 worker_count = self.vpp_worker_count or 1
2369 port_per_thread = (65536 - port_offset) // worker_count
2370 port_count = port_per_thread * worker_count
2372 # worker thread edge ports
2373 thread_edge_ports = {0, port_offset - 1, 65535}
2374 for i in range(0, worker_count):
2375 port_thread_offset = (port_per_thread * i) + port_offset
2376 for port_range_offset in [0, port_per_thread - 1]:
2377 port = port_thread_offset + port_range_offset
2378 thread_edge_ports.add(port)
2379 thread_drop_ports = set(
2381 lambda x: x not in range(port_offset, port_offset + port_count),
2389 self.nat_add_address(self.nat_addr)
2392 self.configure_ip4_interface(in_if, hosts=worker_count)
2393 self.configure_ip4_interface(out_if)
2395 self.nat_add_inside_interface(in_if)
2396 self.nat_add_outside_interface(out_if)
2399 tc1 = self.statistics["/nat44-ed/in2out/slowpath/tcp"]
2400 uc1 = self.statistics["/nat44-ed/in2out/slowpath/udp"]
2401 ic1 = self.statistics["/nat44-ed/in2out/slowpath/icmp"]
2402 dc1 = self.statistics["/nat44-ed/in2out/slowpath/drops"]
2404 pkt_count = worker_count * len(thread_edge_ports)
2406 i2o_pkts = [[] for x in range(0, worker_count)]
2407 for i in range(0, worker_count):
2408 remote_host = in_if.remote_hosts[i]
2409 for port in thread_edge_ports:
2411 Ether(dst=in_if.local_mac, src=in_if.remote_mac)
2412 / IP(src=remote_host.ip4, dst=out_if.remote_ip4)
2413 / TCP(sport=port, dport=port)
2415 i2o_pkts[i].append(p)
2418 Ether(dst=in_if.local_mac, src=in_if.remote_mac)
2419 / IP(src=remote_host.ip4, dst=out_if.remote_ip4)
2420 / UDP(sport=port, dport=port)
2422 i2o_pkts[i].append(p)
2425 Ether(dst=in_if.local_mac, src=in_if.remote_mac)
2426 / IP(src=remote_host.ip4, dst=out_if.remote_ip4)
2427 / ICMP(id=port, seq=port, type="echo-request")
2429 i2o_pkts[i].append(p)
2431 for i in range(0, worker_count):
2432 if len(i2o_pkts[i]) > 0:
2433 in_if.add_stream(i2o_pkts[i], worker=i)
2435 self.pg_enable_capture(self.pg_interfaces)
2437 capture = out_if.get_capture(pkt_count * 3)
2438 for packet in capture:
2439 self.assert_packet_checksums_valid(packet)
2440 if packet.haslayer(TCP):
2441 self.assert_in_range(
2444 port_offset + port_count,
2447 elif packet.haslayer(UDP):
2448 self.assert_in_range(
2451 port_offset + port_count,
2454 elif packet.haslayer(ICMP):
2455 self.assert_in_range(
2458 port_offset + port_count,
2463 ppp("Unexpected or invalid packet (outside network):", packet)
2466 if_idx = in_if.sw_if_index
2467 tc2 = self.statistics["/nat44-ed/in2out/slowpath/tcp"]
2468 uc2 = self.statistics["/nat44-ed/in2out/slowpath/udp"]
2469 ic2 = self.statistics["/nat44-ed/in2out/slowpath/icmp"]
2470 dc2 = self.statistics["/nat44-ed/in2out/slowpath/drops"]
2472 self.assertEqual(tc2[:, if_idx].sum() - tc1[:, if_idx].sum(), pkt_count)
2473 self.assertEqual(uc2[:, if_idx].sum() - uc1[:, if_idx].sum(), pkt_count)
2474 self.assertEqual(ic2[:, if_idx].sum() - ic1[:, if_idx].sum(), pkt_count)
2475 self.assertEqual(dc2[:, if_idx].sum() - dc1[:, if_idx].sum(), 0)
2478 tc1 = self.statistics["/nat44-ed/out2in/fastpath/tcp"]
2479 uc1 = self.statistics["/nat44-ed/out2in/fastpath/udp"]
2480 ic1 = self.statistics["/nat44-ed/out2in/fastpath/icmp"]
2481 dc1 = self.statistics["/nat44-ed/out2in/fastpath/drops"]
2482 dc3 = self.statistics["/nat44-ed/out2in/slowpath/drops"]
2484 # replies to unchanged thread ports should pass on each worker,
2485 # excluding packets outside dynamic port range
2486 drop_count = worker_count * len(thread_drop_ports)
2487 pass_count = worker_count * len(thread_edge_ports) - drop_count
2489 o2i_pkts = [[] for x in range(0, worker_count)]
2490 for i in range(0, worker_count):
2491 for port in thread_edge_ports:
2493 Ether(dst=out_if.local_mac, src=out_if.remote_mac)
2494 / IP(src=out_if.remote_ip4, dst=self.nat_addr)
2495 / TCP(sport=port, dport=port)
2497 o2i_pkts[i].append(p)
2500 Ether(dst=out_if.local_mac, src=out_if.remote_mac)
2501 / IP(src=out_if.remote_ip4, dst=self.nat_addr)
2502 / UDP(sport=port, dport=port)
2504 o2i_pkts[i].append(p)
2507 Ether(dst=out_if.local_mac, src=out_if.remote_mac)
2508 / IP(src=out_if.remote_ip4, dst=self.nat_addr)
2509 / ICMP(id=port, seq=port, type="echo-reply")
2511 o2i_pkts[i].append(p)
2513 for i in range(0, worker_count):
2514 if len(o2i_pkts[i]) > 0:
2515 out_if.add_stream(o2i_pkts[i], worker=i)
2517 self.pg_enable_capture(self.pg_interfaces)
2519 capture = in_if.get_capture(pass_count * 3)
2520 for packet in capture:
2521 self.assert_packet_checksums_valid(packet)
2522 if packet.haslayer(TCP):
2523 self.assertIn(packet[TCP].dport, thread_edge_ports, "dst TCP port")
2524 self.assertEqual(packet[TCP].dport, packet[TCP].sport, "TCP ports")
2525 elif packet.haslayer(UDP):
2526 self.assertIn(packet[UDP].dport, thread_edge_ports, "dst UDP port")
2527 self.assertEqual(packet[UDP].dport, packet[UDP].sport, "UDP ports")
2528 elif packet.haslayer(ICMP):
2529 self.assertIn(packet[ICMP].id, thread_edge_ports, "ICMP id")
2530 self.assertEqual(packet[ICMP].id, packet[ICMP].seq, "ICMP id & seq")
2533 ppp("Unexpected or invalid packet (inside network):", packet)
2536 if_idx = out_if.sw_if_index
2537 tc2 = self.statistics["/nat44-ed/out2in/fastpath/tcp"]
2538 uc2 = self.statistics["/nat44-ed/out2in/fastpath/udp"]
2539 ic2 = self.statistics["/nat44-ed/out2in/fastpath/icmp"]
2540 dc2 = self.statistics["/nat44-ed/out2in/fastpath/drops"]
2541 dc4 = self.statistics["/nat44-ed/out2in/slowpath/drops"]
2543 self.assertEqual(tc2[:, if_idx].sum() - tc1[:, if_idx].sum(), pass_count)
2544 self.assertEqual(uc2[:, if_idx].sum() - uc1[:, if_idx].sum(), pass_count)
2545 self.assertEqual(ic2[:, if_idx].sum() - ic1[:, if_idx].sum(), pass_count)
2546 self.assertEqual(dc2[:, if_idx].sum() - dc1[:, if_idx].sum(), 0)
2548 dc4[:, if_idx].sum() - dc3[:, if_idx].sum(), drop_count * 3
2556 @tag_fixme_ubuntu2204
2557 class TestNAT44EDMW(TestNAT44ED):
2558 """NAT44ED MW Test Case"""
2560 vpp_worker_count = 4
2563 def test_dynamic(self):
2564 """NAT44ED dynamic translation test"""
2566 tcp_port_offset = 20
2567 udp_port_offset = 20
2570 self.nat_add_address(self.nat_addr)
2571 self.nat_add_inside_interface(self.pg0)
2572 self.nat_add_outside_interface(self.pg1)
2575 tc1 = self.statistics["/nat44-ed/in2out/slowpath/tcp"]
2576 uc1 = self.statistics["/nat44-ed/in2out/slowpath/udp"]
2577 ic1 = self.statistics["/nat44-ed/in2out/slowpath/icmp"]
2578 dc1 = self.statistics["/nat44-ed/in2out/slowpath/drops"]
2580 i2o_pkts = [[] for x in range(0, self.vpp_worker_count)]
2582 for i in range(pkt_count):
2584 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
2585 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
2586 / TCP(sport=tcp_port_offset + i, dport=20)
2588 i2o_pkts[p[TCP].sport % self.vpp_worker_count].append(p)
2591 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
2592 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
2593 / UDP(sport=udp_port_offset + i, dport=20)
2595 i2o_pkts[p[UDP].sport % self.vpp_worker_count].append(p)
2598 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
2599 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
2600 / ICMP(id=icmp_id_offset + i, type="echo-request")
2602 i2o_pkts[p[ICMP].id % self.vpp_worker_count].append(p)
2604 for i in range(0, self.vpp_worker_count):
2605 if len(i2o_pkts[i]) > 0:
2606 self.pg0.add_stream(i2o_pkts[i], worker=i)
2608 self.pg_enable_capture(self.pg_interfaces)
2610 capture = self.pg1.get_capture(pkt_count * 3, timeout=5)
2612 if_idx = self.pg0.sw_if_index
2613 tc2 = self.statistics["/nat44-ed/in2out/slowpath/tcp"]
2614 uc2 = self.statistics["/nat44-ed/in2out/slowpath/udp"]
2615 ic2 = self.statistics["/nat44-ed/in2out/slowpath/icmp"]
2616 dc2 = self.statistics["/nat44-ed/in2out/slowpath/drops"]
2618 self.assertEqual(tc2[:, if_idx].sum() - tc1[:, if_idx].sum(), pkt_count)
2619 self.assertEqual(uc2[:, if_idx].sum() - uc1[:, if_idx].sum(), pkt_count)
2620 self.assertEqual(ic2[:, if_idx].sum() - ic1[:, if_idx].sum(), pkt_count)
2621 self.assertEqual(dc2[:, if_idx].sum() - dc1[:, if_idx].sum(), 0)
2623 self.logger.info(self.vapi.cli("show trace"))
2626 tc1 = self.statistics["/nat44-ed/out2in/fastpath/tcp"]
2627 uc1 = self.statistics["/nat44-ed/out2in/fastpath/udp"]
2628 ic1 = self.statistics["/nat44-ed/out2in/fastpath/icmp"]
2629 dc1 = self.statistics["/nat44-ed/out2in/fastpath/drops"]
2631 recvd_tcp_ports = set()
2632 recvd_udp_ports = set()
2633 recvd_icmp_ids = set()
2637 recvd_tcp_ports.add(p[TCP].sport)
2639 recvd_udp_ports.add(p[UDP].sport)
2641 recvd_icmp_ids.add(p[ICMP].id)
2643 recvd_tcp_ports = list(recvd_tcp_ports)
2644 recvd_udp_ports = list(recvd_udp_ports)
2645 recvd_icmp_ids = list(recvd_icmp_ids)
2647 o2i_pkts = [[] for x in range(0, self.vpp_worker_count)]
2648 for i in range(pkt_count):
2650 Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
2651 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
2652 / TCP(dport=choice(recvd_tcp_ports), sport=20)
2654 o2i_pkts[p[TCP].dport % self.vpp_worker_count].append(p)
2657 Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
2658 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
2659 / UDP(dport=choice(recvd_udp_ports), sport=20)
2661 o2i_pkts[p[UDP].dport % self.vpp_worker_count].append(p)
2664 Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
2665 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
2666 / ICMP(id=choice(recvd_icmp_ids), type="echo-reply")
2668 o2i_pkts[p[ICMP].id % self.vpp_worker_count].append(p)
2670 for i in range(0, self.vpp_worker_count):
2671 if len(o2i_pkts[i]) > 0:
2672 self.pg1.add_stream(o2i_pkts[i], worker=i)
2674 self.pg_enable_capture(self.pg_interfaces)
2676 capture = self.pg0.get_capture(pkt_count * 3)
2677 for packet in capture:
2679 self.assert_packet_checksums_valid(packet)
2680 self.assertEqual(packet[IP].dst, self.pg0.remote_ip4)
2681 if packet.haslayer(TCP):
2682 self.assert_in_range(
2685 tcp_port_offset + pkt_count,
2688 elif packet.haslayer(UDP):
2689 self.assert_in_range(
2692 udp_port_offset + pkt_count,
2696 self.assert_in_range(
2699 icmp_id_offset + pkt_count,
2704 ppp("Unexpected or invalid packet (inside network):", packet)
2708 if_idx = self.pg1.sw_if_index
2709 tc2 = self.statistics["/nat44-ed/out2in/fastpath/tcp"]
2710 uc2 = self.statistics["/nat44-ed/out2in/fastpath/udp"]
2711 ic2 = self.statistics["/nat44-ed/out2in/fastpath/icmp"]
2712 dc2 = self.statistics["/nat44-ed/out2in/fastpath/drops"]
2714 self.assertEqual(tc2[:, if_idx].sum() - tc1[:, if_idx].sum(), pkt_count)
2715 self.assertEqual(uc2[:, if_idx].sum() - uc1[:, if_idx].sum(), pkt_count)
2716 self.assertEqual(ic2[:, if_idx].sum() - ic1[:, if_idx].sum(), pkt_count)
2717 self.assertEqual(dc2[:, if_idx].sum() - dc1[:, if_idx].sum(), 0)
2719 sc = self.statistics["/nat44-ed/total-sessions"]
2722 len(recvd_tcp_ports) + len(recvd_udp_ports) + len(recvd_icmp_ids),
2725 def test_frag_in_order(self):
2726 """NAT44ED translate fragments arriving in order"""
2728 self.nat_add_address(self.nat_addr)
2729 self.nat_add_inside_interface(self.pg0)
2730 self.nat_add_outside_interface(self.pg1)
2732 self.frag_in_order(proto=IP_PROTOS.tcp, ignore_port=True)
2733 self.frag_in_order(proto=IP_PROTOS.udp, ignore_port=True)
2734 self.frag_in_order(proto=IP_PROTOS.icmp, ignore_port=True)
2736 def test_frag_in_order_do_not_translate(self):
2737 """NAT44ED don't translate fragments arriving in order"""
2739 self.nat_add_address(self.nat_addr)
2740 self.nat_add_inside_interface(self.pg0)
2741 self.nat_add_outside_interface(self.pg1)
2742 self.vapi.nat44_forwarding_enable_disable(enable=True)
2744 self.frag_in_order(proto=IP_PROTOS.tcp, dont_translate=True)
2746 def test_frag_out_of_order(self):
2747 """NAT44ED translate fragments arriving out of order"""
2749 self.nat_add_address(self.nat_addr)
2750 self.nat_add_inside_interface(self.pg0)
2751 self.nat_add_outside_interface(self.pg1)
2753 self.frag_out_of_order(proto=IP_PROTOS.tcp, ignore_port=True)
2754 self.frag_out_of_order(proto=IP_PROTOS.udp, ignore_port=True)
2755 self.frag_out_of_order(proto=IP_PROTOS.icmp, ignore_port=True)
2757 def test_frag_in_order_in_plus_out(self):
2758 """NAT44ED in+out interface fragments in order"""
2760 in_port = self.random_port()
2761 out_port = self.random_port()
2763 self.nat_add_address(self.nat_addr)
2764 self.nat_add_inside_interface(self.pg0)
2765 self.nat_add_outside_interface(self.pg0)
2766 self.nat_add_inside_interface(self.pg1)
2767 self.nat_add_outside_interface(self.pg1)
2769 # add static mappings for server
2770 self.nat_add_static_mapping(
2771 self.server_addr, self.nat_addr, in_port, out_port, proto=IP_PROTOS.tcp
2773 self.nat_add_static_mapping(
2774 self.server_addr, self.nat_addr, in_port, out_port, proto=IP_PROTOS.udp
2776 self.nat_add_static_mapping(
2777 self.server_addr, self.nat_addr, proto=IP_PROTOS.icmp
2780 # run tests for each protocol
2781 self.frag_in_order_in_plus_out(
2782 self.server_addr, self.nat_addr, in_port, out_port, IP_PROTOS.tcp
2784 self.frag_in_order_in_plus_out(
2785 self.server_addr, self.nat_addr, in_port, out_port, IP_PROTOS.udp
2787 self.frag_in_order_in_plus_out(
2788 self.server_addr, self.nat_addr, in_port, out_port, IP_PROTOS.icmp
2791 def test_frag_out_of_order_in_plus_out(self):
2792 """NAT44ED in+out interface fragments out of order"""
2794 in_port = self.random_port()
2795 out_port = self.random_port()
2797 self.nat_add_address(self.nat_addr)
2798 self.nat_add_inside_interface(self.pg0)
2799 self.nat_add_outside_interface(self.pg0)
2800 self.nat_add_inside_interface(self.pg1)
2801 self.nat_add_outside_interface(self.pg1)
2803 # add static mappings for server
2804 self.nat_add_static_mapping(
2805 self.server_addr, self.nat_addr, in_port, out_port, proto=IP_PROTOS.tcp
2807 self.nat_add_static_mapping(
2808 self.server_addr, self.nat_addr, in_port, out_port, proto=IP_PROTOS.udp
2810 self.nat_add_static_mapping(
2811 self.server_addr, self.nat_addr, proto=IP_PROTOS.icmp
2814 # run tests for each protocol
2815 self.frag_out_of_order_in_plus_out(
2816 self.server_addr, self.nat_addr, in_port, out_port, IP_PROTOS.tcp
2818 self.frag_out_of_order_in_plus_out(
2819 self.server_addr, self.nat_addr, in_port, out_port, IP_PROTOS.udp
2821 self.frag_out_of_order_in_plus_out(
2822 self.server_addr, self.nat_addr, in_port, out_port, IP_PROTOS.icmp
2825 def test_reass_hairpinning(self):
2826 """NAT44ED fragments hairpinning"""
2828 server_addr = self.pg0.remote_hosts[1].ip4
2830 host_in_port = self.random_port()
2831 server_in_port = self.random_port()
2832 server_out_port = self.random_port()
2834 self.nat_add_address(self.nat_addr)
2835 self.nat_add_inside_interface(self.pg0)
2836 self.nat_add_outside_interface(self.pg1)
2838 # add static mapping for server
2839 self.nat_add_static_mapping(
2844 proto=IP_PROTOS.tcp,
2846 self.nat_add_static_mapping(
2851 proto=IP_PROTOS.udp,
2853 self.nat_add_static_mapping(server_addr, self.nat_addr)
2855 self.reass_hairpinning(
2860 proto=IP_PROTOS.tcp,
2863 self.reass_hairpinning(
2868 proto=IP_PROTOS.udp,
2871 self.reass_hairpinning(
2876 proto=IP_PROTOS.icmp,
2880 def test_session_limit_per_vrf(self):
2881 """NAT44ED per vrf session limit"""
2884 inside_vrf10 = self.pg2
2889 # 2 interfaces pg0, pg1 (vrf10, limit 1 tcp session)
2890 # non existing vrf_id makes process core dump
2891 self.vapi.nat44_set_session_limit(session_limit=limit, vrf_id=10)
2893 self.nat_add_inside_interface(inside)
2894 self.nat_add_inside_interface(inside_vrf10)
2895 self.nat_add_outside_interface(outside)
2898 self.nat_add_interface_address(outside)
2900 # BUG: causing core dump - when bad vrf_id is specified
2901 # self.nat_add_address(outside.local_ip4, vrf_id=20)
2903 stream = self.create_tcp_stream(inside_vrf10, outside, limit * 2)
2904 inside_vrf10.add_stream(stream)
2906 self.pg_enable_capture(self.pg_interfaces)
2909 capture = outside.get_capture(limit)
2911 stream = self.create_tcp_stream(inside, outside, limit * 2)
2912 inside.add_stream(stream)
2914 self.pg_enable_capture(self.pg_interfaces)
2917 capture = outside.get_capture(len(stream))
2919 def test_show_max_translations(self):
2920 """NAT44ED API test - max translations per thread"""
2921 config = self.vapi.nat44_show_running_config()
2922 self.assertEqual(self.max_sessions, config.sessions)
2924 def test_lru_cleanup(self):
2925 """NAT44ED LRU cleanup algorithm"""
2927 self.nat_add_address(self.nat_addr)
2928 self.nat_add_inside_interface(self.pg0)
2929 self.nat_add_outside_interface(self.pg1)
2931 self.vapi.nat_set_timeouts(
2932 udp=1, tcp_established=7440, tcp_transitory=30, icmp=1
2935 tcp_port_out = self.init_tcp_session(self.pg0, self.pg1, 2000, 80)
2937 for i in range(0, self.max_sessions - 1):
2939 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
2940 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4, ttl=64)
2941 / UDP(sport=7000 + i, dport=80)
2945 self.pg0.add_stream(pkts)
2946 self.pg_enable_capture(self.pg_interfaces)
2948 self.pg1.get_capture(len(pkts))
2949 self.virtual_sleep(1.5, "wait for timeouts")
2952 for i in range(0, self.max_sessions - 1):
2954 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
2955 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4, ttl=64)
2956 / ICMP(id=8000 + i, type="echo-request")
2960 self.pg0.add_stream(pkts)
2961 self.pg_enable_capture(self.pg_interfaces)
2963 self.pg1.get_capture(len(pkts))
2965 def test_session_rst_timeout(self):
2966 """NAT44ED session RST timeouts"""
2968 self.nat_add_address(self.nat_addr)
2969 self.nat_add_inside_interface(self.pg0)
2970 self.nat_add_outside_interface(self.pg1)
2972 self.vapi.nat_set_timeouts(
2973 udp=300, tcp_established=7440, tcp_transitory=5, icmp=60
2976 self.init_tcp_session(
2977 self.pg0, self.pg1, self.tcp_port_in, self.tcp_external_port
2980 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
2981 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
2982 / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, flags="R")
2984 self.send_and_expect(self.pg0, p, self.pg1)
2986 self.virtual_sleep(6)
2988 # The session is already closed
2990 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
2991 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
2992 / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, flags="P")
2994 self.send_and_assert_no_replies(self.pg0, p, self.pg1)
2996 # The session can be re-opened
2998 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
2999 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3000 / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, flags="S")
3002 self.send_and_expect(self.pg0, p, self.pg1)
3004 def test_session_rst_established_timeout(self):
3005 """NAT44ED session RST timeouts"""
3007 self.nat_add_address(self.nat_addr)
3008 self.nat_add_inside_interface(self.pg0)
3009 self.nat_add_outside_interface(self.pg1)
3011 self.vapi.nat_set_timeouts(
3012 udp=300, tcp_established=7440, tcp_transitory=5, icmp=60
3015 self.init_tcp_session(
3016 self.pg0, self.pg1, self.tcp_port_in, self.tcp_external_port
3019 # Wait at least the transitory time, the session is in established
3020 # state anyway. RST followed by a data packet should move it to
3022 self.virtual_sleep(6)
3024 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3025 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3026 / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, flags="R")
3028 self.send_and_expect(self.pg0, p, self.pg1)
3031 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3032 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3033 / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, flags="P")
3035 self.send_and_expect(self.pg0, p, self.pg1)
3037 # State is transitory, session should be closed after 6 seconds
3038 self.virtual_sleep(6)
3041 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3042 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3043 / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, flags="P")
3045 self.send_and_assert_no_replies(self.pg0, p, self.pg1)
3047 def test_dynamic_out_of_ports(self):
3048 """NAT44ED dynamic translation test: out of ports"""
3050 self.nat_add_inside_interface(self.pg0)
3051 self.nat_add_outside_interface(self.pg1)
3053 # in2out and no NAT addresses added
3054 pkts = self.create_stream_in(self.pg0, self.pg1)
3056 self.send_and_assert_no_replies(
3060 stats_diff=self.no_diff
3063 "/err/nat44-ed-in2out-slowpath/out of ports": len(pkts),
3065 self.pg0.sw_if_index: {
3066 "/nat44-ed/in2out/slowpath/drops": len(pkts),
3071 # in2out after NAT addresses added
3072 self.nat_add_address(self.nat_addr)
3074 tcpn, udpn, icmpn = (
3075 sum(x) for x in zip(*((TCP in p, UDP in p, ICMP in p) for p in pkts))
3078 self.send_and_expect(
3083 stats_diff=self.no_diff
3086 "/err/nat44-ed-in2out-slowpath/out of ports": 0,
3088 self.pg0.sw_if_index: {
3089 "/nat44-ed/in2out/slowpath/drops": 0,
3090 "/nat44-ed/in2out/slowpath/tcp": tcpn,
3091 "/nat44-ed/in2out/slowpath/udp": udpn,
3092 "/nat44-ed/in2out/slowpath/icmp": icmpn,
3097 def test_unknown_proto(self):
3098 """NAT44ED translate packet with unknown protocol"""
3100 self.nat_add_address(self.nat_addr)
3101 self.nat_add_inside_interface(self.pg0)
3102 self.nat_add_outside_interface(self.pg1)
3106 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
3107 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3108 / TCP(sport=self.tcp_port_in, dport=20)
3110 self.pg0.add_stream(p)
3111 self.pg_enable_capture(self.pg_interfaces)
3113 p = self.pg1.get_capture(1)
3116 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
3117 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3119 / IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4)
3120 / TCP(sport=1234, dport=1234)
3122 self.pg0.add_stream(p)
3123 self.pg_enable_capture(self.pg_interfaces)
3125 p = self.pg1.get_capture(1)
3128 self.assertEqual(packet[IP].src, self.nat_addr)
3129 self.assertEqual(packet[IP].dst, self.pg1.remote_ip4)
3130 self.assertEqual(packet.haslayer(GRE), 1)
3131 self.assert_packet_checksums_valid(packet)
3133 self.logger.error(ppp("Unexpected or invalid packet:", packet))
3138 Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
3139 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
3141 / IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4)
3142 / TCP(sport=1234, dport=1234)
3144 self.pg1.add_stream(p)
3145 self.pg_enable_capture(self.pg_interfaces)
3147 p = self.pg0.get_capture(1)
3150 self.assertEqual(packet[IP].src, self.pg1.remote_ip4)
3151 self.assertEqual(packet[IP].dst, self.pg0.remote_ip4)
3152 self.assertEqual(packet.haslayer(GRE), 1)
3153 self.assert_packet_checksums_valid(packet)
3155 self.logger.error(ppp("Unexpected or invalid packet:", packet))
3158 def test_hairpinning_unknown_proto(self):
3159 """NAT44ED translate packet with unknown protocol - hairpinning"""
3160 host = self.pg0.remote_hosts[0]
3161 server = self.pg0.remote_hosts[1]
3163 server_out_port = 8765
3164 server_nat_ip = "10.0.0.11"
3166 self.nat_add_address(self.nat_addr)
3167 self.nat_add_inside_interface(self.pg0)
3168 self.nat_add_outside_interface(self.pg1)
3170 # add static mapping for server
3171 self.nat_add_static_mapping(server.ip4, server_nat_ip)
3175 Ether(src=host.mac, dst=self.pg0.local_mac)
3176 / IP(src=host.ip4, dst=server_nat_ip)
3177 / TCP(sport=host_in_port, dport=server_out_port)
3179 self.pg0.add_stream(p)
3180 self.pg_enable_capture(self.pg_interfaces)
3182 self.pg0.get_capture(1)
3185 Ether(dst=self.pg0.local_mac, src=host.mac)
3186 / IP(src=host.ip4, dst=server_nat_ip)
3188 / IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4)
3189 / TCP(sport=1234, dport=1234)
3191 self.pg0.add_stream(p)
3192 self.pg_enable_capture(self.pg_interfaces)
3194 p = self.pg0.get_capture(1)
3197 self.assertEqual(packet[IP].src, self.nat_addr)
3198 self.assertEqual(packet[IP].dst, server.ip4)
3199 self.assertEqual(packet.haslayer(GRE), 1)
3200 self.assert_packet_checksums_valid(packet)
3202 self.logger.error(ppp("Unexpected or invalid packet:", packet))
3207 Ether(dst=self.pg0.local_mac, src=server.mac)
3208 / IP(src=server.ip4, dst=self.nat_addr)
3210 / IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4)
3211 / TCP(sport=1234, dport=1234)
3213 self.pg0.add_stream(p)
3214 self.pg_enable_capture(self.pg_interfaces)
3216 p = self.pg0.get_capture(1)
3219 self.assertEqual(packet[IP].src, server_nat_ip)
3220 self.assertEqual(packet[IP].dst, host.ip4)
3221 self.assertEqual(packet.haslayer(GRE), 1)
3222 self.assert_packet_checksums_valid(packet)
3224 self.logger.error(ppp("Unexpected or invalid packet:", packet))
3227 def test_output_feature_and_service(self):
3228 """NAT44ED interface output feature and services"""
3229 external_addr = "1.2.3.4"
3233 self.vapi.nat44_forwarding_enable_disable(enable=1)
3234 self.nat_add_address(self.nat_addr)
3235 flags = self.config_flags.NAT_IS_ADDR_ONLY
3236 self.vapi.nat44_add_del_identity_mapping(
3237 ip_address=self.pg1.remote_ip4,
3238 sw_if_index=0xFFFFFFFF,
3242 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
3243 self.nat_add_static_mapping(
3244 self.pg0.remote_ip4,
3248 proto=IP_PROTOS.tcp,
3252 self.nat_add_inside_interface(self.pg0)
3253 self.nat_add_outside_interface(self.pg0)
3254 self.vapi.nat44_ed_add_del_output_interface(
3255 sw_if_index=self.pg1.sw_if_index, is_add=1
3258 # from client to service
3260 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3261 / IP(src=self.pg1.remote_ip4, dst=external_addr)
3262 / TCP(sport=12345, dport=external_port)
3264 self.pg1.add_stream(p)
3265 self.pg_enable_capture(self.pg_interfaces)
3267 capture = self.pg0.get_capture(1)
3272 self.assertEqual(ip.dst, self.pg0.remote_ip4)
3273 self.assertEqual(tcp.dport, local_port)
3274 self.assert_packet_checksums_valid(p)
3276 self.logger.error(ppp("Unexpected or invalid packet:", p))
3279 # from service back to client
3281 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3282 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3283 / TCP(sport=local_port, dport=12345)
3285 self.pg0.add_stream(p)
3286 self.pg_enable_capture(self.pg_interfaces)
3288 capture = self.pg1.get_capture(1)
3293 self.assertEqual(ip.src, external_addr)
3294 self.assertEqual(tcp.sport, external_port)
3295 self.assert_packet_checksums_valid(p)
3297 self.logger.error(ppp("Unexpected or invalid packet:", p))
3300 # from local network host to external network
3301 pkts = self.create_stream_in(self.pg0, self.pg1)
3302 self.pg0.add_stream(pkts)
3303 self.pg_enable_capture(self.pg_interfaces)
3305 capture = self.pg1.get_capture(len(pkts))
3306 self.verify_capture_out(capture, ignore_port=True)
3307 pkts = self.create_stream_in(self.pg0, self.pg1)
3308 self.pg0.add_stream(pkts)
3309 self.pg_enable_capture(self.pg_interfaces)
3311 capture = self.pg1.get_capture(len(pkts))
3312 self.verify_capture_out(capture, ignore_port=True)
3314 # from external network back to local network host
3315 pkts = self.create_stream_out(self.pg1)
3316 self.pg1.add_stream(pkts)
3317 self.pg_enable_capture(self.pg_interfaces)
3319 capture = self.pg0.get_capture(len(pkts))
3320 self.verify_capture_in(capture, self.pg0)
3322 def test_output_feature_and_service3(self):
3323 """NAT44ED interface output feature and DST NAT"""
3324 external_addr = "1.2.3.4"
3328 self.vapi.nat44_forwarding_enable_disable(enable=1)
3329 self.nat_add_address(self.nat_addr)
3330 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
3331 self.nat_add_static_mapping(
3332 self.pg1.remote_ip4,
3336 proto=IP_PROTOS.tcp,
3340 self.nat_add_inside_interface(self.pg0)
3341 self.nat_add_outside_interface(self.pg0)
3342 self.vapi.nat44_ed_add_del_output_interface(
3343 sw_if_index=self.pg1.sw_if_index, is_add=1
3347 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3348 / IP(src=self.pg0.remote_ip4, dst=external_addr)
3349 / TCP(sport=12345, dport=external_port)
3351 self.pg0.add_stream(p)
3352 self.pg_enable_capture(self.pg_interfaces)
3354 capture = self.pg1.get_capture(1)
3359 self.assertEqual(ip.src, self.pg0.remote_ip4)
3360 self.assertEqual(tcp.sport, 12345)
3361 self.assertEqual(ip.dst, self.pg1.remote_ip4)
3362 self.assertEqual(tcp.dport, local_port)
3363 self.assert_packet_checksums_valid(p)
3365 self.logger.error(ppp("Unexpected or invalid packet:", p))
3369 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3370 / IP(src=self.pg1.remote_ip4, dst=self.pg0.remote_ip4)
3371 / TCP(sport=local_port, dport=12345)
3373 self.pg1.add_stream(p)
3374 self.pg_enable_capture(self.pg_interfaces)
3376 capture = self.pg0.get_capture(1)
3381 self.assertEqual(ip.src, external_addr)
3382 self.assertEqual(tcp.sport, external_port)
3383 self.assertEqual(ip.dst, self.pg0.remote_ip4)
3384 self.assertEqual(tcp.dport, 12345)
3385 self.assert_packet_checksums_valid(p)
3387 self.logger.error(ppp("Unexpected or invalid packet:", p))
3390 def test_self_twice_nat_lb_negative(self):
3391 """NAT44ED Self Twice NAT local service load balancing (negative test)"""
3392 self.twice_nat_common(lb=True, self_twice_nat=True, same_pg=True, client_id=2)
3394 def test_self_twice_nat_negative(self):
3395 """NAT44ED Self Twice NAT (negative test)"""
3396 self.twice_nat_common(self_twice_nat=True)
3398 def test_static_lb_multi_clients(self):
3399 """NAT44ED local service load balancing - multiple clients"""
3401 external_addr = self.nat_addr
3404 server1 = self.pg0.remote_hosts[0]
3405 server2 = self.pg0.remote_hosts[1]
3406 server3 = self.pg0.remote_hosts[2]
3409 {"addr": server1.ip4, "port": local_port, "probability": 90, "vrf_id": 0},
3410 {"addr": server2.ip4, "port": local_port, "probability": 10, "vrf_id": 0},
3413 flags = self.config_flags.NAT_IS_INSIDE
3414 self.vapi.nat44_interface_add_del_feature(
3415 sw_if_index=self.pg0.sw_if_index, flags=flags, is_add=1
3417 self.vapi.nat44_interface_add_del_feature(
3418 sw_if_index=self.pg1.sw_if_index, is_add=1
3421 self.nat_add_address(self.nat_addr)
3422 self.vapi.nat44_add_del_lb_static_mapping(
3424 external_addr=external_addr,
3425 external_port=external_port,
3426 protocol=IP_PROTOS.tcp,
3427 local_num=len(locals),
3433 clients = ip4_range(self.pg1.remote_ip4, 10, 50)
3435 for client in clients:
3437 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3438 / IP(src=client, dst=self.nat_addr)
3439 / TCP(sport=12345, dport=external_port)
3442 self.pg1.add_stream(pkts)
3443 self.pg_enable_capture(self.pg_interfaces)
3445 capture = self.pg0.get_capture(len(pkts))
3447 if p[IP].dst == server1.ip4:
3451 self.assertGreaterEqual(server1_n, server2_n)
3454 "addr": server3.ip4,
3461 self.vapi.nat44_lb_static_mapping_add_del_local(
3463 external_addr=external_addr,
3464 external_port=external_port,
3466 protocol=IP_PROTOS.tcp,
3471 clients = ip4_range(self.pg1.remote_ip4, 60, 110)
3473 for client in clients:
3475 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3476 / IP(src=client, dst=self.nat_addr)
3477 / TCP(sport=12346, dport=external_port)
3480 self.assertGreater(len(pkts), 0)
3481 self.pg1.add_stream(pkts)
3482 self.pg_enable_capture(self.pg_interfaces)
3484 capture = self.pg0.get_capture(len(pkts))
3486 if p[IP].dst == server1.ip4:
3488 elif p[IP].dst == server2.ip4:
3492 self.assertGreater(server1_n, 0)
3493 self.assertGreater(server2_n, 0)
3494 self.assertGreater(server3_n, 0)
3497 "addr": server2.ip4,
3503 # remove one back-end
3504 self.vapi.nat44_lb_static_mapping_add_del_local(
3506 external_addr=external_addr,
3507 external_port=external_port,
3509 protocol=IP_PROTOS.tcp,
3514 self.pg1.add_stream(pkts)
3515 self.pg_enable_capture(self.pg_interfaces)
3517 capture = self.pg0.get_capture(len(pkts))
3519 if p[IP].dst == server1.ip4:
3521 elif p[IP].dst == server2.ip4:
3525 self.assertGreater(server1_n, 0)
3526 self.assertEqual(server2_n, 0)
3527 self.assertGreater(server3_n, 0)
3529 # put zzz in front of syslog test name so that it runs as a last test
3530 # setting syslog sender cannot be undone and if it is set, it messes
3531 # with self.send_and_assert_no_replies functionality
3532 def test_zzz_syslog_sess(self):
3533 """NAT44ED Test syslog session creation and deletion"""
3534 self.vapi.syslog_set_filter(self.syslog_severity.SYSLOG_API_SEVERITY_INFO)
3535 self.vapi.syslog_set_sender(self.pg3.local_ip4, self.pg3.remote_ip4)
3537 self.nat_add_address(self.nat_addr)
3538 self.nat_add_inside_interface(self.pg0)
3539 self.nat_add_outside_interface(self.pg1)
3542 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
3543 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3544 / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port)
3546 self.pg0.add_stream(p)
3547 self.pg_enable_capture(self.pg_interfaces)
3549 capture = self.pg1.get_capture(1)
3550 self.tcp_port_out = capture[0][TCP].sport
3551 capture = self.pg3.get_capture(1)
3552 self.verify_syslog_sess(capture[0][Raw].load, "SADD")
3554 self.pg_enable_capture(self.pg_interfaces)
3556 self.nat_add_address(self.nat_addr, is_add=0)
3557 capture = self.pg3.get_capture(1)
3558 self.verify_syslog_sess(capture[0][Raw].load, "SDEL")
3560 # put zzz in front of syslog test name so that it runs as a last test
3561 # setting syslog sender cannot be undone and if it is set, it messes
3562 # with self.send_and_assert_no_replies functionality
3563 def test_zzz_syslog_sess_reopen(self):
3564 """Syslog events for session reopen"""
3565 self.vapi.syslog_set_filter(self.syslog_severity.SYSLOG_API_SEVERITY_INFO)
3566 self.vapi.syslog_set_sender(self.pg3.local_ip4, self.pg3.remote_ip4)
3568 self.nat_add_address(self.nat_addr)
3569 self.nat_add_inside_interface(self.pg0)
3570 self.nat_add_outside_interface(self.pg1)
3574 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
3575 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3576 / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port)
3578 capture = self.send_and_expect(self.pg0, p, self.pg1)[0]
3579 self.tcp_port_out = capture[0][TCP].sport
3580 capture = self.pg3.get_capture(1)
3581 self.verify_syslog_sess(capture[0][Raw].load, "SADD")
3585 Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
3586 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
3587 / TCP(sport=self.tcp_external_port, dport=self.tcp_port_out, flags="SA")
3589 self.send_and_expect(self.pg1, p, self.pg0)
3592 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
3593 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3594 / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, flags="A")
3596 self.send_and_expect(self.pg0, p, self.pg1)
3600 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
3601 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3602 / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, flags="F")
3604 self.send_and_expect(self.pg0, p, self.pg1)
3608 Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
3609 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
3610 / TCP(sport=self.tcp_external_port, dport=self.tcp_port_out, flags="F")
3612 self.send_and_expect(self.pg1, p, self.pg0)
3614 self.init_tcp_session(
3615 self.pg0, self.pg1, self.tcp_port_in, self.tcp_external_port
3618 # 2 records should be produced - first one del & add
3619 capture = self.pg3.get_capture(2)
3620 self.verify_syslog_sess(capture[0][Raw].load, "SDEL")
3621 self.verify_syslog_sess(capture[1][Raw].load, "SADD")
3623 def test_twice_nat_interface_addr(self):
3624 """NAT44ED Acquire twice NAT addresses from interface"""
3625 flags = self.config_flags.NAT_IS_TWICE_NAT
3626 self.vapi.nat44_add_del_interface_addr(
3627 sw_if_index=self.pg11.sw_if_index, flags=flags, is_add=1
3630 # no address in NAT pool
3631 adresses = self.vapi.nat44_address_dump()
3632 self.assertEqual(0, len(adresses))
3634 # configure interface address and check NAT address pool
3635 self.pg11.config_ip4()
3636 adresses = self.vapi.nat44_address_dump()
3637 self.assertEqual(1, len(adresses))
3638 self.assertEqual(str(adresses[0].ip_address), self.pg11.local_ip4)
3639 self.assertEqual(adresses[0].flags, flags)
3641 # remove interface address and check NAT address pool
3642 self.pg11.unconfig_ip4()
3643 adresses = self.vapi.nat44_address_dump()
3644 self.assertEqual(0, len(adresses))
3646 def test_output_feature_stateful_acl(self):
3647 """NAT44ED output feature works with stateful ACL"""
3649 self.nat_add_address(self.nat_addr)
3650 self.vapi.nat44_ed_add_del_output_interface(
3651 sw_if_index=self.pg1.sw_if_index, is_add=1
3654 # First ensure that the NAT is working sans ACL
3656 # send packets out2in, no sessions yet so packets should drop
3657 pkts_out2in = self.create_stream_out(self.pg1)
3658 self.send_and_assert_no_replies(self.pg1, pkts_out2in)
3660 # send packets into inside intf, ensure received via outside intf
3661 pkts_in2out = self.create_stream_in(self.pg0, self.pg1)
3662 capture = self.send_and_expect(
3663 self.pg0, pkts_in2out, self.pg1, len(pkts_in2out)
3665 self.verify_capture_out(capture, ignore_port=True)
3667 # send out2in again, with sessions created it should work now
3668 pkts_out2in = self.create_stream_out(self.pg1)
3669 capture = self.send_and_expect(
3670 self.pg1, pkts_out2in, self.pg0, len(pkts_out2in)
3672 self.verify_capture_in(capture, self.pg0)
3674 # Create an ACL blocking everything
3675 out2in_deny_rule = AclRule(is_permit=0)
3676 out2in_acl = VppAcl(self, rules=[out2in_deny_rule])
3677 out2in_acl.add_vpp_config()
3679 # create an ACL to permit/reflect everything
3680 in2out_reflect_rule = AclRule(is_permit=2)
3681 in2out_acl = VppAcl(self, rules=[in2out_reflect_rule])
3682 in2out_acl.add_vpp_config()
3684 # apply as input acl on interface and confirm it blocks everything
3685 acl_if = VppAclInterface(
3686 self, sw_if_index=self.pg1.sw_if_index, n_input=1, acls=[out2in_acl]
3688 acl_if.add_vpp_config()
3689 self.send_and_assert_no_replies(self.pg1, pkts_out2in)
3692 acl_if.acls = [out2in_acl, in2out_acl]
3693 acl_if.add_vpp_config()
3694 # send in2out to generate ACL state (NAT state was created earlier)
3695 capture = self.send_and_expect(
3696 self.pg0, pkts_in2out, self.pg1, len(pkts_in2out)
3698 self.verify_capture_out(capture, ignore_port=True)
3700 # send out2in again. ACL state exists so it should work now.
3701 # TCP packets with the syn flag set also need the ack flag
3702 for p in pkts_out2in:
3703 if p.haslayer(TCP) and p[TCP].flags & 0x02:
3704 p[TCP].flags |= 0x10
3705 capture = self.send_and_expect(
3706 self.pg1, pkts_out2in, self.pg0, len(pkts_out2in)
3708 self.verify_capture_in(capture, self.pg0)
3709 self.logger.info(self.vapi.cli("show trace"))
3711 def test_tcp_close(self):
3712 """NAT44ED Close TCP session from inside network - output feature"""
3713 config = self.vapi.nat44_show_running_config()
3714 old_timeouts = config.timeouts
3716 self.vapi.nat_set_timeouts(
3717 udp=old_timeouts.udp,
3718 tcp_established=old_timeouts.tcp_established,
3719 icmp=old_timeouts.icmp,
3720 tcp_transitory=new_transitory,
3723 self.vapi.nat44_forwarding_enable_disable(enable=1)
3724 self.nat_add_address(self.pg1.local_ip4)
3725 twice_nat_addr = "10.0.1.3"
3726 service_ip = "192.168.16.150"
3727 self.nat_add_address(twice_nat_addr, twice_nat=1)
3729 flags = self.config_flags.NAT_IS_INSIDE
3730 self.vapi.nat44_interface_add_del_feature(
3731 sw_if_index=self.pg0.sw_if_index, is_add=1
3733 self.vapi.nat44_interface_add_del_feature(
3734 sw_if_index=self.pg0.sw_if_index, flags=flags, is_add=1
3736 self.vapi.nat44_ed_add_del_output_interface(
3737 is_add=1, sw_if_index=self.pg1.sw_if_index
3741 self.config_flags.NAT_IS_OUT2IN_ONLY | self.config_flags.NAT_IS_TWICE_NAT
3743 self.nat_add_static_mapping(
3744 self.pg0.remote_ip4, service_ip, 80, 80, proto=IP_PROTOS.tcp, flags=flags
3746 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3747 start_sessnum = len(sessions)
3749 # SYN packet out->in
3751 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3752 / IP(src=self.pg1.remote_ip4, dst=service_ip)
3753 / TCP(sport=33898, dport=80, flags="S")
3755 capture = self.send_and_expect(self.pg1, p, self.pg0, n_rx=1)
3757 tcp_port = p[TCP].sport
3759 # SYN + ACK packet in->out
3761 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3762 / IP(src=self.pg0.remote_ip4, dst=twice_nat_addr)
3763 / TCP(sport=80, dport=tcp_port, flags="SA")
3765 self.send_and_expect(self.pg0, p, self.pg1, n_rx=1)
3767 # ACK packet out->in
3769 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3770 / IP(src=self.pg1.remote_ip4, dst=service_ip)
3771 / TCP(sport=33898, dport=80, flags="A")
3773 self.send_and_expect(self.pg1, p, self.pg0, n_rx=1)
3775 # FIN packet in -> out
3777 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3778 / IP(src=self.pg0.remote_ip4, dst=twice_nat_addr)
3779 / TCP(sport=80, dport=tcp_port, flags="FA", seq=100, ack=300)
3781 self.send_and_expect(self.pg0, p, self.pg1, n_rx=1)
3783 # FIN+ACK packet out -> in
3785 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3786 / IP(src=self.pg1.remote_ip4, dst=service_ip)
3787 / TCP(sport=33898, dport=80, flags="FA", seq=300, ack=101)
3789 self.send_and_expect(self.pg1, p, self.pg0, n_rx=1)
3791 # ACK packet in -> out
3793 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3794 / IP(src=self.pg0.remote_ip4, dst=twice_nat_addr)
3795 / TCP(sport=80, dport=tcp_port, flags="A", seq=101, ack=301)
3797 self.send_and_expect(self.pg0, p, self.pg1, n_rx=1)
3799 # session now in transitory timeout, but traffic still flows
3800 # try FIN packet out->in
3802 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3803 / IP(src=self.pg1.remote_ip4, dst=service_ip)
3804 / TCP(sport=33898, dport=80, flags="F")
3806 self.pg1.add_stream(p)
3807 self.pg_enable_capture(self.pg_interfaces)
3810 self.virtual_sleep(new_transitory, "wait for transitory timeout")
3811 self.pg0.get_capture(1)
3813 # session should still exist
3814 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3815 self.assertEqual(len(sessions) - start_sessnum, 1)
3817 # send FIN+ACK packet out -> in - will cause session to be wiped
3818 # but won't create a new session
3820 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3821 / IP(src=self.pg1.remote_ip4, dst=service_ip)
3822 / TCP(sport=33898, dport=80, flags="FA", seq=300, ack=101)
3824 self.send_and_assert_no_replies(self.pg1, p)
3825 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3826 self.assertEqual(len(sessions) - start_sessnum, 0)
3828 def test_tcp_session_close_in(self):
3829 """NAT44ED Close TCP session from inside network"""
3831 in_port = self.tcp_port_in
3833 ext_port = self.tcp_external_port
3835 self.nat_add_address(self.nat_addr)
3836 self.nat_add_inside_interface(self.pg0)
3837 self.nat_add_outside_interface(self.pg1)
3838 self.nat_add_static_mapping(
3839 self.pg0.remote_ip4,
3843 proto=IP_PROTOS.tcp,
3844 flags=self.config_flags.NAT_IS_TWICE_NAT,
3847 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3848 session_n = len(sessions)
3850 self.vapi.nat_set_timeouts(
3851 udp=300, tcp_established=7440, tcp_transitory=2, icmp=5
3854 self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
3856 # FIN packet in -> out
3858 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3859 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3860 / TCP(sport=in_port, dport=ext_port, flags="FA", seq=100, ack=300)
3862 self.send_and_expect(self.pg0, p, self.pg1)
3865 # ACK packet out -> in
3867 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3868 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
3869 / TCP(sport=ext_port, dport=out_port, flags="A", seq=300, ack=101)
3873 # FIN packet out -> in
3875 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3876 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
3877 / TCP(sport=ext_port, dport=out_port, flags="FA", seq=300, ack=101)
3881 self.send_and_expect(self.pg1, pkts, self.pg0)
3883 # ACK packet in -> out
3885 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3886 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3887 / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301)
3889 self.send_and_expect(self.pg0, p, self.pg1)
3891 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3892 self.assertEqual(len(sessions) - session_n, 1)
3894 # retransmit FIN packet out -> in
3896 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3897 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
3898 / TCP(sport=ext_port, dport=out_port, flags="FA", seq=300, ack=101)
3901 self.send_and_expect(self.pg1, p, self.pg0)
3903 # retransmit ACK packet in -> out
3905 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3906 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3907 / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301)
3909 self.send_and_expect(self.pg0, p, self.pg1)
3911 self.virtual_sleep(3)
3912 # retransmit ACK packet in -> out - this will cause session to be wiped
3914 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3915 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3916 / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301)
3918 self.send_and_assert_no_replies(self.pg0, p)
3919 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3920 self.assertEqual(len(sessions) - session_n, 0)
3922 def test_tcp_session_close_out(self):
3923 """NAT44ED Close TCP session from outside network"""
3925 in_port = self.tcp_port_in
3927 ext_port = self.tcp_external_port
3929 self.nat_add_address(self.nat_addr)
3930 self.nat_add_inside_interface(self.pg0)
3931 self.nat_add_outside_interface(self.pg1)
3932 self.nat_add_static_mapping(
3933 self.pg0.remote_ip4,
3937 proto=IP_PROTOS.tcp,
3938 flags=self.config_flags.NAT_IS_TWICE_NAT,
3941 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3942 session_n = len(sessions)
3944 self.vapi.nat_set_timeouts(
3945 udp=300, tcp_established=7440, tcp_transitory=2, icmp=5
3948 _ = self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
3950 # FIN packet out -> in
3952 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3953 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
3954 / TCP(sport=ext_port, dport=out_port, flags="FA", seq=100, ack=300)
3956 self.pg1.add_stream(p)
3957 self.pg_enable_capture(self.pg_interfaces)
3959 self.pg0.get_capture(1)
3961 # FIN+ACK packet in -> out
3963 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3964 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3965 / TCP(sport=in_port, dport=ext_port, flags="FA", seq=300, ack=101)
3968 self.pg0.add_stream(p)
3969 self.pg_enable_capture(self.pg_interfaces)
3971 self.pg1.get_capture(1)
3973 # ACK packet out -> in
3975 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3976 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
3977 / TCP(sport=ext_port, dport=out_port, flags="A", seq=101, ack=301)
3979 self.pg1.add_stream(p)
3980 self.pg_enable_capture(self.pg_interfaces)
3982 self.pg0.get_capture(1)
3984 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3985 self.assertEqual(len(sessions) - session_n, 1)
3987 # retransmit FIN packet out -> in
3989 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3990 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
3991 / TCP(sport=ext_port, dport=out_port, flags="FA", seq=300, ack=101)
3993 self.send_and_expect(self.pg1, p, self.pg0)
3995 # retransmit ACK packet in -> out
3997 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3998 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3999 / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301)
4001 self.send_and_expect(self.pg0, p, self.pg1)
4003 self.virtual_sleep(3)
4004 # retransmit ACK packet in -> out - this will cause session to be wiped
4006 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4007 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4008 / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301)
4010 self.send_and_assert_no_replies(self.pg0, p)
4011 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4012 self.assertEqual(len(sessions) - session_n, 0)
4014 def test_tcp_session_close_simultaneous(self):
4015 """Simultaneous TCP close from both sides"""
4017 in_port = self.tcp_port_in
4020 self.nat_add_address(self.nat_addr)
4021 self.nat_add_inside_interface(self.pg0)
4022 self.nat_add_outside_interface(self.pg1)
4023 self.nat_add_static_mapping(
4024 self.pg0.remote_ip4,
4028 proto=IP_PROTOS.tcp,
4029 flags=self.config_flags.NAT_IS_TWICE_NAT,
4032 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4033 session_n = len(sessions)
4035 self.vapi.nat_set_timeouts(
4036 udp=300, tcp_established=7440, tcp_transitory=2, icmp=5
4039 out_port = self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
4041 # FIN packet in -> out
4043 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4044 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4045 / TCP(sport=in_port, dport=ext_port, flags="FA", seq=100, ack=300)
4047 self.send_and_expect(self.pg0, p, self.pg1)
4049 # FIN packet out -> in
4051 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4052 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4053 / TCP(sport=ext_port, dport=out_port, flags="FA", seq=300, ack=100)
4055 self.send_and_expect(self.pg1, p, self.pg0)
4057 # ACK packet in -> out
4059 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4060 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4061 / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301)
4063 self.send_and_expect(self.pg0, p, self.pg1)
4065 # ACK packet out -> in
4067 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4068 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4069 / TCP(sport=ext_port, dport=out_port, flags="A", seq=301, ack=101)
4071 self.send_and_expect(self.pg1, p, self.pg0)
4073 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4074 self.assertEqual(len(sessions) - session_n, 1)
4076 # retransmit FIN packet out -> in
4078 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4079 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4080 / TCP(sport=ext_port, dport=out_port, flags="FA", seq=300, ack=101)
4082 self.send_and_expect(self.pg1, p, self.pg0)
4084 # retransmit ACK packet in -> out
4086 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4087 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4088 / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301)
4090 self.send_and_expect(self.pg0, p, self.pg1)
4092 self.virtual_sleep(3)
4093 # retransmit ACK packet in -> out - this will cause session to be wiped
4095 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4096 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4097 / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301)
4099 self.pg_send(self.pg0, p)
4100 self.send_and_assert_no_replies(self.pg0, p)
4101 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4102 self.assertEqual(len(sessions) - session_n, 0)
4104 def test_tcp_session_half_reopen_inside(self):
4105 """TCP session in FIN/FIN state not reopened by in2out SYN only"""
4106 in_port = self.tcp_port_in
4109 self.nat_add_address(self.nat_addr)
4110 self.nat_add_inside_interface(self.pg0)
4111 self.nat_add_outside_interface(self.pg1)
4112 self.nat_add_static_mapping(
4113 self.pg0.remote_ip4,
4117 proto=IP_PROTOS.tcp,
4118 flags=self.config_flags.NAT_IS_TWICE_NAT,
4121 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4122 session_n = len(sessions)
4124 self.vapi.nat_set_timeouts(
4125 udp=300, tcp_established=7440, tcp_transitory=2, icmp=5
4128 out_port = self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
4130 # FIN packet in -> out
4132 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4133 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4134 / TCP(sport=in_port, dport=ext_port, flags="FA", seq=100, ack=300)
4136 self.send_and_expect(self.pg0, p, self.pg1)
4138 # FIN packet out -> in
4140 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4141 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4142 / TCP(sport=ext_port, dport=out_port, flags="FA", seq=300, ack=100)
4144 self.send_and_expect(self.pg1, p, self.pg0)
4146 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4147 self.assertEqual(len(sessions) - session_n, 1)
4149 # send SYN packet in -> out
4151 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4152 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4153 / TCP(sport=in_port, dport=ext_port, flags="S", seq=101, ack=301)
4155 self.send_and_expect(self.pg0, p, self.pg1)
4157 self.virtual_sleep(3)
4158 # send ACK packet in -> out - session should be wiped
4160 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4161 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4162 / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301)
4164 self.send_and_assert_no_replies(self.pg0, p, self.pg1)
4165 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4166 self.assertEqual(len(sessions) - session_n, 0)
4168 def test_tcp_session_half_reopen_outside(self):
4169 """TCP session in FIN/FIN state not reopened by out2in SYN only"""
4170 in_port = self.tcp_port_in
4173 self.nat_add_address(self.nat_addr)
4174 self.nat_add_inside_interface(self.pg0)
4175 self.nat_add_outside_interface(self.pg1)
4176 self.nat_add_static_mapping(
4177 self.pg0.remote_ip4,
4181 proto=IP_PROTOS.tcp,
4182 flags=self.config_flags.NAT_IS_TWICE_NAT,
4185 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4186 session_n = len(sessions)
4188 self.vapi.nat_set_timeouts(
4189 udp=300, tcp_established=7440, tcp_transitory=2, icmp=5
4192 out_port = self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
4194 # FIN packet in -> out
4196 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4197 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4198 / TCP(sport=in_port, dport=ext_port, flags="FA", seq=100, ack=300)
4200 self.send_and_expect(self.pg0, p, self.pg1)
4202 # FIN packet out -> in
4204 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4205 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4206 / TCP(sport=ext_port, dport=out_port, flags="FA", seq=300, ack=100)
4208 self.send_and_expect(self.pg1, p, self.pg0)
4210 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4211 self.assertEqual(len(sessions) - session_n, 1)
4213 # send SYN packet out -> in
4215 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4216 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4217 / TCP(sport=ext_port, dport=out_port, flags="S", seq=300, ack=101)
4219 self.send_and_expect(self.pg1, p, self.pg0)
4221 self.virtual_sleep(3)
4222 # send ACK packet in -> out - session should be wiped
4224 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4225 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4226 / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301)
4228 self.send_and_assert_no_replies(self.pg0, p, self.pg1)
4229 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4230 self.assertEqual(len(sessions) - session_n, 0)
4232 def test_tcp_session_reopen(self):
4233 """TCP session in FIN/FIN state reopened by SYN from both sides"""
4234 in_port = self.tcp_port_in
4237 self.nat_add_address(self.nat_addr)
4238 self.nat_add_inside_interface(self.pg0)
4239 self.nat_add_outside_interface(self.pg1)
4240 self.nat_add_static_mapping(
4241 self.pg0.remote_ip4,
4245 proto=IP_PROTOS.tcp,
4246 flags=self.config_flags.NAT_IS_TWICE_NAT,
4249 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4250 session_n = len(sessions)
4252 self.vapi.nat_set_timeouts(
4253 udp=300, tcp_established=7440, tcp_transitory=2, icmp=5
4256 out_port = self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
4258 # FIN packet in -> out
4260 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4261 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4262 / TCP(sport=in_port, dport=ext_port, flags="FA", seq=100, ack=300)
4264 self.send_and_expect(self.pg0, p, self.pg1)
4266 # FIN packet out -> in
4268 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4269 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4270 / TCP(sport=ext_port, dport=out_port, flags="FA", seq=300, ack=100)
4272 self.send_and_expect(self.pg1, p, self.pg0)
4274 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4275 self.assertEqual(len(sessions) - session_n, 1)
4277 # send SYN packet out -> in
4279 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4280 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4281 / TCP(sport=ext_port, dport=out_port, flags="S", seq=300, ack=101)
4283 self.send_and_expect(self.pg1, p, self.pg0)
4285 # send SYN packet in -> out
4287 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4288 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4289 / TCP(sport=in_port, dport=ext_port, flags="SA", seq=101, ack=301)
4291 self.send_and_expect(self.pg0, p, self.pg1)
4293 # send ACK packet out -> in
4295 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4296 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4297 / TCP(sport=ext_port, dport=out_port, flags="A", seq=300, ack=101)
4299 self.send_and_expect(self.pg1, p, self.pg0)
4301 self.virtual_sleep(3)
4302 # send ACK packet in -> out - should be forwarded and session alive
4304 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4305 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4306 / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301)
4308 self.send_and_expect(self.pg0, p, self.pg1)
4309 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4310 self.assertEqual(len(sessions) - session_n, 1)
4312 def test_dynamic_vrf(self):
4313 """NAT44ED dynamic translation test: different VRF"""
4318 self.nat_add_address(self.nat_addr, vrf_id=vrf_id_in)
4321 self.configure_ip4_interface(self.pg7, table_id=vrf_id_in)
4322 self.configure_ip4_interface(self.pg8, table_id=vrf_id_out)
4324 self.nat_add_inside_interface(self.pg7)
4325 self.nat_add_outside_interface(self.pg8)
4327 # just basic stuff nothing special
4328 pkts = self.create_stream_in(self.pg7, self.pg8)
4329 self.pg7.add_stream(pkts)
4330 self.pg_enable_capture(self.pg_interfaces)
4332 capture = self.pg8.get_capture(len(pkts))
4333 self.verify_capture_out(capture, ignore_port=True)
4335 pkts = self.create_stream_out(self.pg8)
4336 self.pg8.add_stream(pkts)
4337 self.pg_enable_capture(self.pg_interfaces)
4339 capture = self.pg7.get_capture(len(pkts))
4340 self.verify_capture_in(capture, self.pg7)
4346 self.vapi.ip_table_add_del(is_add=0, table={"table_id": vrf_id_in})
4347 self.vapi.ip_table_add_del(is_add=0, table={"table_id": vrf_id_out})
4349 def test_dynamic_output_feature_vrf(self):
4350 """NAT44ED dynamic translation test: output-feature, VRF"""
4352 # other then default (0)
4355 self.nat_add_address(self.nat_addr)
4356 self.vapi.nat44_ed_add_del_output_interface(
4357 sw_if_index=self.pg8.sw_if_index, is_add=1
4360 self.configure_ip4_interface(self.pg7, table_id=new_vrf_id)
4361 self.configure_ip4_interface(self.pg8, table_id=new_vrf_id)
4364 tcpn = self.statistics["/nat44-ed/in2out/slowpath/tcp"]
4365 udpn = self.statistics["/nat44-ed/in2out/slowpath/udp"]
4366 icmpn = self.statistics["/nat44-ed/in2out/slowpath/icmp"]
4367 drops = self.statistics["/nat44-ed/in2out/slowpath/drops"]
4369 pkts = self.create_stream_in(self.pg7, self.pg8)
4370 self.pg7.add_stream(pkts)
4371 self.pg_enable_capture(self.pg_interfaces)
4373 capture = self.pg8.get_capture(len(pkts))
4374 self.verify_capture_out(capture, ignore_port=True)
4376 if_idx = self.pg8.sw_if_index
4377 cnt = self.statistics["/nat44-ed/in2out/slowpath/tcp"]
4378 self.assertEqual(cnt[:, if_idx].sum() - tcpn[:, if_idx].sum(), 2)
4379 cnt = self.statistics["/nat44-ed/in2out/slowpath/udp"]
4380 self.assertEqual(cnt[:, if_idx].sum() - udpn[:, if_idx].sum(), 1)
4381 cnt = self.statistics["/nat44-ed/in2out/slowpath/icmp"]
4382 self.assertEqual(cnt[:, if_idx].sum() - icmpn[:, if_idx].sum(), 1)
4383 cnt = self.statistics["/nat44-ed/in2out/slowpath/drops"]
4384 self.assertEqual(cnt[:, if_idx].sum() - drops[:, if_idx].sum(), 0)
4387 tcpn = self.statistics["/nat44-ed/out2in/fastpath/tcp"]
4388 udpn = self.statistics["/nat44-ed/out2in/fastpath/udp"]
4389 icmpn = self.statistics["/nat44-ed/out2in/fastpath/icmp"]
4390 drops = self.statistics["/nat44-ed/out2in/fastpath/drops"]
4392 pkts = self.create_stream_out(self.pg8)
4393 self.pg8.add_stream(pkts)
4394 self.pg_enable_capture(self.pg_interfaces)
4396 capture = self.pg7.get_capture(len(pkts))
4397 self.verify_capture_in(capture, self.pg7)
4399 if_idx = self.pg8.sw_if_index
4400 cnt = self.statistics["/nat44-ed/out2in/fastpath/tcp"]
4401 self.assertEqual(cnt[:, if_idx].sum() - tcpn[:, if_idx].sum(), 2)
4402 cnt = self.statistics["/nat44-ed/out2in/fastpath/udp"]
4403 self.assertEqual(cnt[:, if_idx].sum() - udpn[:, if_idx].sum(), 1)
4404 cnt = self.statistics["/nat44-ed/out2in/fastpath/icmp"]
4405 self.assertEqual(cnt[:, if_idx].sum() - icmpn[:, if_idx].sum(), 1)
4406 cnt = self.statistics["/nat44-ed/out2in/fastpath/drops"]
4407 self.assertEqual(cnt[:, if_idx].sum() - drops[:, if_idx].sum(), 0)
4409 sessions = self.statistics["/nat44-ed/total-sessions"]
4410 self.assertEqual(sessions[:, 0].sum(), 3)
4416 self.vapi.ip_table_add_del(is_add=0, table={"table_id": new_vrf_id})
4418 def test_next_src_nat(self):
4419 """NAT44ED On way back forward packet to nat44-in2out node."""
4421 twice_nat_addr = "10.0.1.3"
4424 post_twice_nat_port = 0
4426 self.vapi.nat44_forwarding_enable_disable(enable=1)
4427 self.nat_add_address(twice_nat_addr, twice_nat=1)
4429 self.config_flags.NAT_IS_OUT2IN_ONLY
4430 | self.config_flags.NAT_IS_SELF_TWICE_NAT
4432 self.nat_add_static_mapping(
4433 self.pg6.remote_ip4,
4434 self.pg1.remote_ip4,
4437 proto=IP_PROTOS.tcp,
4441 self.vapi.nat44_interface_add_del_feature(
4442 sw_if_index=self.pg6.sw_if_index, is_add=1
4446 Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac)
4447 / IP(src=self.pg6.remote_ip4, dst=self.pg1.remote_ip4)
4448 / TCP(sport=12345, dport=external_port)
4450 self.pg6.add_stream(p)
4451 self.pg_enable_capture(self.pg_interfaces)
4453 capture = self.pg6.get_capture(1)
4458 self.assertEqual(ip.src, twice_nat_addr)
4459 self.assertNotEqual(tcp.sport, 12345)
4460 post_twice_nat_port = tcp.sport
4461 self.assertEqual(ip.dst, self.pg6.remote_ip4)
4462 self.assertEqual(tcp.dport, local_port)
4463 self.assert_packet_checksums_valid(p)
4465 self.logger.error(ppp("Unexpected or invalid packet:", p))
4469 Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac)
4470 / IP(src=self.pg6.remote_ip4, dst=twice_nat_addr)
4471 / TCP(sport=local_port, dport=post_twice_nat_port)
4473 self.pg6.add_stream(p)
4474 self.pg_enable_capture(self.pg_interfaces)
4476 capture = self.pg6.get_capture(1)
4481 self.assertEqual(ip.src, self.pg1.remote_ip4)
4482 self.assertEqual(tcp.sport, external_port)
4483 self.assertEqual(ip.dst, self.pg6.remote_ip4)
4484 self.assertEqual(tcp.dport, 12345)
4485 self.assert_packet_checksums_valid(p)
4487 self.logger.error(ppp("Unexpected or invalid packet:", p))
4490 def test_one_armed_nat44_static(self):
4491 """NAT44ED One armed NAT and 1:1 NAPT asymmetrical rule"""
4493 remote_host = self.pg4.remote_hosts[0]
4494 local_host = self.pg4.remote_hosts[1]
4499 self.vapi.nat44_forwarding_enable_disable(enable=1)
4500 self.nat_add_address(self.nat_addr, twice_nat=1)
4502 self.config_flags.NAT_IS_OUT2IN_ONLY | self.config_flags.NAT_IS_TWICE_NAT
4504 self.nat_add_static_mapping(
4509 proto=IP_PROTOS.tcp,
4512 flags = self.config_flags.NAT_IS_INSIDE
4513 self.vapi.nat44_interface_add_del_feature(
4514 sw_if_index=self.pg4.sw_if_index, is_add=1
4516 self.vapi.nat44_interface_add_del_feature(
4517 sw_if_index=self.pg4.sw_if_index, flags=flags, is_add=1
4520 # from client to service
4522 Ether(src=self.pg4.remote_mac, dst=self.pg4.local_mac)
4523 / IP(src=remote_host.ip4, dst=self.nat_addr)
4524 / TCP(sport=12345, dport=external_port)
4526 self.pg4.add_stream(p)
4527 self.pg_enable_capture(self.pg_interfaces)
4529 capture = self.pg4.get_capture(1)
4534 self.assertEqual(ip.dst, local_host.ip4)
4535 self.assertEqual(ip.src, self.nat_addr)
4536 self.assertEqual(tcp.dport, local_port)
4537 self.assertNotEqual(tcp.sport, 12345)
4538 eh_port_in = tcp.sport
4539 self.assert_packet_checksums_valid(p)
4541 self.logger.error(ppp("Unexpected or invalid packet:", p))
4544 # from service back to client
4546 Ether(src=self.pg4.remote_mac, dst=self.pg4.local_mac)
4547 / IP(src=local_host.ip4, dst=self.nat_addr)
4548 / TCP(sport=local_port, dport=eh_port_in)
4550 self.pg4.add_stream(p)
4551 self.pg_enable_capture(self.pg_interfaces)
4553 capture = self.pg4.get_capture(1)
4558 self.assertEqual(ip.src, self.nat_addr)
4559 self.assertEqual(ip.dst, remote_host.ip4)
4560 self.assertEqual(tcp.sport, external_port)
4561 self.assertEqual(tcp.dport, 12345)
4562 self.assert_packet_checksums_valid(p)
4564 self.logger.error(ppp("Unexpected or invalid packet:", p))
4567 def test_icmp_error_fwd_outbound(self):
4568 """NAT44ED ICMP error outbound with forwarding enabled"""
4570 # Ensure that an outbound ICMP error message is properly associated
4571 # with the inbound forward bypass session it is related to.
4574 self.nat_add_address(self.nat_addr)
4575 self.nat_add_inside_interface(self.pg0)
4576 self.nat_add_outside_interface(self.pg1)
4578 # enable forwarding and initiate connection out2in
4579 self.vapi.nat44_forwarding_enable_disable(enable=1)
4581 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4582 / IP(src=self.pg1.remote_ip4, dst=self.pg0.remote_ip4)
4583 / UDP(sport=21, dport=20)
4587 self.pg1.add_stream(p1)
4588 self.pg_enable_capture(self.pg_interfaces)
4590 capture = self.pg0.get_capture(1)[0]
4592 self.logger.info(self.vapi.cli("show nat44 sessions"))
4594 # reply with ICMP error message in2out
4595 # We cannot reliably retrieve forward bypass sessions via the API.
4596 # session dumps for a user will only look on the worker that the
4597 # user is supposed to be mapped to in2out. The forward bypass session
4598 # is not necessarily created on that worker.
4600 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4601 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4602 / ICMP(type="dest-unreach", code="port-unreachable")
4606 self.pg0.add_stream(p2)
4607 self.pg_enable_capture(self.pg_interfaces)
4609 capture = self.pg1.get_capture(1)[0]
4611 self.logger.info(self.vapi.cli("show nat44 sessions"))
4613 self.logger.info(ppp("p1 packet:", p1))
4614 self.logger.info(ppp("p2 packet:", p2))
4615 self.logger.info(ppp("capture packet:", capture))
4617 def test_tcp_session_open_retransmit1(self):
4618 """NAT44ED Open TCP session with SYN,ACK retransmit 1
4620 The client does not receive the [SYN,ACK] or the
4621 ACK from the client is lost. Therefore, the [SYN, ACK]
4622 is retransmitted by the server.
4625 in_port = self.tcp_port_in
4626 ext_port = self.tcp_external_port
4629 self.nat_add_address(self.nat_addr)
4630 self.nat_add_inside_interface(self.pg0)
4631 self.nat_add_outside_interface(self.pg1)
4633 self.vapi.nat_set_timeouts(
4634 udp=300, tcp_established=7440, tcp_transitory=5, icmp=60
4636 # SYN packet in->out
4638 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4639 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4640 / TCP(sport=in_port, dport=ext_port, flags="S")
4642 p = self.send_and_expect(self.pg0, p, self.pg1)[0]
4643 out_port = p[TCP].sport
4645 # SYN + ACK packet out->in
4647 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4648 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4649 / TCP(sport=ext_port, dport=out_port, flags="SA")
4651 self.send_and_expect(self.pg1, p, self.pg0)
4653 # ACK in->out does not arrive
4655 # resent SYN + ACK packet out->in
4657 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4658 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4659 / TCP(sport=ext_port, dport=out_port, flags="SA")
4661 self.send_and_expect(self.pg1, p, self.pg0)
4663 # ACK packet in->out
4665 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4666 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4667 / TCP(sport=in_port, dport=ext_port, flags="A")
4669 self.send_and_expect(self.pg0, p, self.pg1)
4671 # Verify that the data can be transmitted after the transitory time
4672 self.virtual_sleep(6)
4675 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4676 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4677 / TCP(sport=in_port, dport=ext_port, flags="PA")
4680 self.send_and_expect(self.pg0, p, self.pg1)
4682 def test_tcp_session_open_retransmit2(self):
4683 """NAT44ED Open TCP session with SYN,ACK retransmit 2
4685 The ACK is lost to the server after the TCP session is opened.
4686 Data is sent by the client, then the [SYN,ACK] is
4687 retransmitted by the server.
4690 in_port = self.tcp_port_in
4691 ext_port = self.tcp_external_port
4694 self.nat_add_address(self.nat_addr)
4695 self.nat_add_inside_interface(self.pg0)
4696 self.nat_add_outside_interface(self.pg1)
4698 self.vapi.nat_set_timeouts(
4699 udp=300, tcp_established=7440, tcp_transitory=5, icmp=60
4701 # SYN packet in->out
4703 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4704 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4705 / TCP(sport=in_port, dport=ext_port, flags="S")
4707 p = self.send_and_expect(self.pg0, p, self.pg1)[0]
4708 out_port = p[TCP].sport
4710 # SYN + ACK packet out->in
4712 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4713 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4714 / TCP(sport=ext_port, dport=out_port, flags="SA")
4716 self.send_and_expect(self.pg1, p, self.pg0)
4718 # ACK packet in->out -- not received by the server
4720 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4721 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4722 / TCP(sport=in_port, dport=ext_port, flags="A")
4724 self.send_and_expect(self.pg0, p, self.pg1)
4726 # PUSH + ACK packet in->out
4728 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4729 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4730 / TCP(sport=in_port, dport=ext_port, flags="PA")
4733 self.send_and_expect(self.pg0, p, self.pg1)
4735 # resent SYN + ACK packet out->in
4737 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4738 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4739 / TCP(sport=ext_port, dport=out_port, flags="SA")
4741 self.send_and_expect(self.pg1, p, self.pg0)
4743 # resent ACK packet in->out
4745 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4746 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4747 / TCP(sport=in_port, dport=ext_port, flags="A")
4749 self.send_and_expect(self.pg0, p, self.pg1)
4751 # resent PUSH + ACK packet in->out
4753 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4754 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4755 / TCP(sport=in_port, dport=ext_port, flags="PA")
4758 self.send_and_expect(self.pg0, p, self.pg1)
4760 # ACK packet out->in
4762 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4763 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4764 / TCP(sport=ext_port, dport=out_port, flags="A")
4766 self.send_and_expect(self.pg1, p, self.pg0)
4768 # Verify that the data can be transmitted after the transitory time
4769 self.virtual_sleep(6)
4772 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4773 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4774 / TCP(sport=in_port, dport=ext_port, flags="PA")
4777 self.send_and_expect(self.pg0, p, self.pg1)
4780 if __name__ == "__main__":
4781 unittest.main(testRunner=VppTestRunner)
Code Review / vpp.git / blob