5 from random import randint, choice
8 from framework import tag_fixme_ubuntu2204, is_distro_ubuntu2204
9 from framework import VppTestCase, VppTestRunner, VppLoInterface
10 from scapy.data import IP_PROTOS
11 from scapy.layers.inet import IP, TCP, UDP, ICMP, GRE
12 from scapy.layers.inet import IPerror, TCPerror
13 from scapy.layers.l2 import Ether
14 from scapy.packet import Raw
15 from syslog_rfc5424_parser import SyslogMessage, ParseError
16 from syslog_rfc5424_parser.constants import SyslogSeverity
17 from util import ppp, pr, ip4_range
18 from vpp_acl import AclRule, VppAcl, VppAclInterface
19 from vpp_ip_route import VppIpRoute, VppRoutePath
20 from vpp_papi import VppEnum
21 from util import StatsDiff
24 class TestNAT44ED(VppTestCase):
25 """NAT44ED Test Case"""
27 nat_addr = "10.0.10.3"
38 tcp_external_port = 80
51 def plugin_enable(self):
52 self.vapi.nat44_ed_plugin_enable_disable(sessions=self.max_sessions, enable=1)
54 def plugin_disable(self):
55 self.vapi.nat44_ed_plugin_enable_disable(enable=0)
58 def config_flags(self):
59 return VppEnum.vl_api_nat_config_flags_t
62 def nat44_config_flags(self):
63 return VppEnum.vl_api_nat44_config_flags_t
66 def syslog_severity(self):
67 return VppEnum.vl_api_syslog_severity_t
70 def server_addr(self):
71 return self.pg1.remote_hosts[0].ip4
75 return randint(1024, 65535)
78 def proto2layer(proto):
79 if proto == IP_PROTOS.tcp:
81 elif proto == IP_PROTOS.udp:
83 elif proto == IP_PROTOS.icmp:
86 raise Exception("Unsupported protocol")
89 def create_and_add_ip4_table(cls, i, table_id=0):
90 cls.vapi.ip_table_add_del(is_add=1, table={"table_id": table_id})
91 i.set_table_ip4(table_id)
94 def configure_ip4_interface(cls, i, hosts=0, table_id=None):
96 cls.create_and_add_ip4_table(i, table_id)
103 i.generate_remote_hosts(hosts)
104 i.configure_ipv4_neighbors()
107 def nat_add_interface_address(cls, i):
108 cls.vapi.nat44_add_del_interface_addr(sw_if_index=i.sw_if_index, is_add=1)
110 def nat_add_inside_interface(self, i):
111 self.vapi.nat44_interface_add_del_feature(
112 flags=self.config_flags.NAT_IS_INSIDE, sw_if_index=i.sw_if_index, is_add=1
115 def nat_add_outside_interface(self, i):
116 self.vapi.nat44_interface_add_del_feature(
117 flags=self.config_flags.NAT_IS_OUTSIDE, sw_if_index=i.sw_if_index, is_add=1
120 def nat_add_address(self, address, twice_nat=0, vrf_id=0xFFFFFFFF, is_add=1):
121 flags = self.config_flags.NAT_IS_TWICE_NAT if twice_nat else 0
122 self.vapi.nat44_add_del_address_range(
123 first_ip_address=address,
124 last_ip_address=address,
130 def nat_add_static_mapping(
133 external_ip="0.0.0.0",
138 external_sw_if_index=0xFFFFFFFF,
144 if not (local_port and external_port):
145 flags |= self.config_flags.NAT_IS_ADDR_ONLY
147 self.vapi.nat44_add_del_static_mapping(
149 local_ip_address=local_ip,
150 external_ip_address=external_ip,
151 external_sw_if_index=external_sw_if_index,
152 local_port=local_port,
153 external_port=external_port,
163 if is_distro_ubuntu2204 == True and not hasattr(cls, "vpp"):
166 cls.create_pg_interfaces(range(12))
167 cls.interfaces = list(cls.pg_interfaces[:4])
169 cls.create_and_add_ip4_table(cls.pg2, 10)
171 for i in cls.interfaces:
172 cls.configure_ip4_interface(i, hosts=3)
174 # test specific (test-multiple-vrf)
175 cls.vapi.ip_table_add_del(is_add=1, table={"table_id": 1})
177 # test specific (test-one-armed-nat44-static)
178 cls.pg4.generate_remote_hosts(2)
180 cls.vapi.sw_interface_add_del_address(
181 sw_if_index=cls.pg4.sw_if_index, prefix="10.0.0.1/24"
184 cls.pg4.resolve_arp()
185 cls.pg4._remote_hosts[1]._ip4 = cls.pg4._remote_hosts[0]._ip4
186 cls.pg4.resolve_arp()
188 # test specific interface (pg5)
189 cls.pg5._local_ip4 = "10.1.1.1"
190 cls.pg5._remote_hosts[0]._ip4 = "10.1.1.2"
191 cls.pg5.set_table_ip4(1)
194 cls.pg5.resolve_arp()
196 # test specific interface (pg6)
197 cls.pg6._local_ip4 = "10.1.2.1"
198 cls.pg6._remote_hosts[0]._ip4 = "10.1.2.2"
199 cls.pg6.set_table_ip4(1)
202 cls.pg6.resolve_arp()
211 [VppRoutePath("0.0.0.0", 0xFFFFFFFF, nh_table_id=0)],
221 [VppRoutePath(cls.pg1.local_ip4, cls.pg1.sw_if_index)],
230 [VppRoutePath("0.0.0.0", cls.pg5.sw_if_index)],
240 [VppRoutePath("0.0.0.0", cls.pg6.sw_if_index)],
250 [VppRoutePath("0.0.0.0", 0xFFFFFFFF, nh_table_id=1)],
259 cls.no_diff = StatsDiff(
262 "/nat44-ed/in2out/fastpath/tcp": 0,
263 "/nat44-ed/in2out/fastpath/udp": 0,
264 "/nat44-ed/in2out/fastpath/icmp": 0,
265 "/nat44-ed/in2out/fastpath/drops": 0,
266 "/nat44-ed/in2out/slowpath/tcp": 0,
267 "/nat44-ed/in2out/slowpath/udp": 0,
268 "/nat44-ed/in2out/slowpath/icmp": 0,
269 "/nat44-ed/in2out/slowpath/drops": 0,
270 "/nat44-ed/in2out/fastpath/tcp": 0,
271 "/nat44-ed/in2out/fastpath/udp": 0,
272 "/nat44-ed/in2out/fastpath/icmp": 0,
273 "/nat44-ed/in2out/fastpath/drops": 0,
274 "/nat44-ed/in2out/slowpath/tcp": 0,
275 "/nat44-ed/in2out/slowpath/udp": 0,
276 "/nat44-ed/in2out/slowpath/icmp": 0,
277 "/nat44-ed/in2out/slowpath/drops": 0,
279 for pg in cls.pg_interfaces
283 def get_err_counter(self, path):
284 return self.statistics.get_err_counter(path)
286 def reass_hairpinning(
295 layer = self.proto2layer(proto)
297 if proto == IP_PROTOS.tcp:
298 data = b"A" * 4 + b"B" * 16 + b"C" * 3
300 data = b"A" * 16 + b"B" * 16 + b"C" * 3
302 # send packet from host to server
303 pkts = self.create_stream_frag(
304 self.pg0, self.nat_addr, host_in_port, server_out_port, data, proto
306 self.pg0.add_stream(pkts)
307 self.pg_enable_capture(self.pg_interfaces)
309 frags = self.pg0.get_capture(len(pkts))
310 p = self.reass_frags_and_verify(frags, self.nat_addr, server_addr)
311 if proto != IP_PROTOS.icmp:
313 self.assertNotEqual(p[layer].sport, host_in_port)
314 self.assertEqual(p[layer].dport, server_in_port)
317 self.assertNotEqual(p[layer].id, host_in_port)
318 self.assertEqual(data, p[Raw].load)
320 def frag_out_of_order(
321 self, proto=IP_PROTOS.tcp, dont_translate=False, ignore_port=False
323 layer = self.proto2layer(proto)
325 if proto == IP_PROTOS.tcp:
326 data = b"A" * 4 + b"B" * 16 + b"C" * 3
328 data = b"A" * 16 + b"B" * 16 + b"C" * 3
329 self.port_in = self.random_port()
333 pkts = self.create_stream_frag(
334 self.pg0, self.pg1.remote_ip4, self.port_in, 20, data, proto
337 self.pg0.add_stream(pkts)
338 self.pg_enable_capture(self.pg_interfaces)
340 frags = self.pg1.get_capture(len(pkts))
341 if not dont_translate:
342 p = self.reass_frags_and_verify(
343 frags, self.nat_addr, self.pg1.remote_ip4
346 p = self.reass_frags_and_verify(
347 frags, self.pg0.remote_ip4, self.pg1.remote_ip4
349 if proto != IP_PROTOS.icmp:
350 if not dont_translate:
351 self.assertEqual(p[layer].dport, 20)
353 self.assertNotEqual(p[layer].sport, self.port_in)
355 self.assertEqual(p[layer].sport, self.port_in)
358 if not dont_translate:
359 self.assertNotEqual(p[layer].id, self.port_in)
361 self.assertEqual(p[layer].id, self.port_in)
362 self.assertEqual(data, p[Raw].load)
365 if not dont_translate:
366 dst_addr = self.nat_addr
368 dst_addr = self.pg0.remote_ip4
369 if proto != IP_PROTOS.icmp:
371 dport = p[layer].sport
375 pkts = self.create_stream_frag(
376 self.pg1, dst_addr, sport, dport, data, proto, echo_reply=True
379 self.pg1.add_stream(pkts)
380 self.pg_enable_capture(self.pg_interfaces)
381 self.logger.info(self.vapi.cli("show trace"))
383 frags = self.pg0.get_capture(len(pkts))
384 p = self.reass_frags_and_verify(
385 frags, self.pg1.remote_ip4, self.pg0.remote_ip4
387 if proto != IP_PROTOS.icmp:
388 self.assertEqual(p[layer].sport, 20)
389 self.assertEqual(p[layer].dport, self.port_in)
391 self.assertEqual(p[layer].id, self.port_in)
392 self.assertEqual(data, p[Raw].load)
394 def reass_frags_and_verify(self, frags, src, dst):
397 self.assertEqual(p[IP].src, src)
398 self.assertEqual(p[IP].dst, dst)
399 self.assert_ip_checksum_valid(p)
400 buffer.seek(p[IP].frag * 8)
401 buffer.write(bytes(p[IP].payload))
402 ip = IP(src=frags[0][IP].src, dst=frags[0][IP].dst, proto=frags[0][IP].proto)
403 if ip.proto == IP_PROTOS.tcp:
404 p = ip / TCP(buffer.getvalue())
405 self.logger.debug(ppp("Reassembled:", p))
406 self.assert_tcp_checksum_valid(p)
407 elif ip.proto == IP_PROTOS.udp:
408 p = ip / UDP(buffer.getvalue()[:8]) / Raw(buffer.getvalue()[8:])
409 elif ip.proto == IP_PROTOS.icmp:
410 p = ip / ICMP(buffer.getvalue())
414 self, proto=IP_PROTOS.tcp, dont_translate=False, ignore_port=False
416 layer = self.proto2layer(proto)
418 if proto == IP_PROTOS.tcp:
419 data = b"A" * 4 + b"B" * 16 + b"C" * 3
421 data = b"A" * 16 + b"B" * 16 + b"C" * 3
422 self.port_in = self.random_port()
425 pkts = self.create_stream_frag(
426 self.pg0, self.pg1.remote_ip4, self.port_in, 20, data, proto
428 self.pg0.add_stream(pkts)
429 self.pg_enable_capture(self.pg_interfaces)
431 frags = self.pg1.get_capture(len(pkts))
432 if not dont_translate:
433 p = self.reass_frags_and_verify(frags, self.nat_addr, self.pg1.remote_ip4)
435 p = self.reass_frags_and_verify(
436 frags, self.pg0.remote_ip4, self.pg1.remote_ip4
438 if proto != IP_PROTOS.icmp:
439 if not dont_translate:
440 self.assertEqual(p[layer].dport, 20)
442 self.assertNotEqual(p[layer].sport, self.port_in)
444 self.assertEqual(p[layer].sport, self.port_in)
447 if not dont_translate:
448 self.assertNotEqual(p[layer].id, self.port_in)
450 self.assertEqual(p[layer].id, self.port_in)
451 self.assertEqual(data, p[Raw].load)
454 if not dont_translate:
455 dst_addr = self.nat_addr
457 dst_addr = self.pg0.remote_ip4
458 if proto != IP_PROTOS.icmp:
460 dport = p[layer].sport
464 pkts = self.create_stream_frag(
465 self.pg1, dst_addr, sport, dport, data, proto, echo_reply=True
467 self.pg1.add_stream(pkts)
468 self.pg_enable_capture(self.pg_interfaces)
470 frags = self.pg0.get_capture(len(pkts))
471 p = self.reass_frags_and_verify(frags, self.pg1.remote_ip4, self.pg0.remote_ip4)
472 if proto != IP_PROTOS.icmp:
473 self.assertEqual(p[layer].sport, 20)
474 self.assertEqual(p[layer].dport, self.port_in)
476 self.assertEqual(p[layer].id, self.port_in)
477 self.assertEqual(data, p[Raw].load)
479 def verify_capture_out(
480 self, capture, nat_ip=None, same_port=False, dst_ip=None, ignore_port=False
483 nat_ip = self.nat_addr
484 for packet in capture:
486 self.assert_packet_checksums_valid(packet)
487 self.assertEqual(packet[IP].src, nat_ip)
488 if dst_ip is not None:
489 self.assertEqual(packet[IP].dst, dst_ip)
490 if packet.haslayer(TCP):
493 self.assertEqual(packet[TCP].sport, self.tcp_port_in)
495 self.assertNotEqual(packet[TCP].sport, self.tcp_port_in)
496 self.tcp_port_out = packet[TCP].sport
497 self.assert_packet_checksums_valid(packet)
498 elif packet.haslayer(UDP):
501 self.assertEqual(packet[UDP].sport, self.udp_port_in)
503 self.assertNotEqual(packet[UDP].sport, self.udp_port_in)
504 self.udp_port_out = packet[UDP].sport
508 self.assertEqual(packet[ICMP].id, self.icmp_id_in)
510 self.assertNotEqual(packet[ICMP].id, self.icmp_id_in)
511 self.icmp_id_out = packet[ICMP].id
512 self.assert_packet_checksums_valid(packet)
515 ppp("Unexpected or invalid packet (outside network):", packet)
519 def verify_capture_in(self, capture, in_if):
520 for packet in capture:
522 self.assert_packet_checksums_valid(packet)
523 self.assertEqual(packet[IP].dst, in_if.remote_ip4)
524 if packet.haslayer(TCP):
525 self.assertEqual(packet[TCP].dport, self.tcp_port_in)
526 elif packet.haslayer(UDP):
527 self.assertEqual(packet[UDP].dport, self.udp_port_in)
529 self.assertEqual(packet[ICMP].id, self.icmp_id_in)
532 ppp("Unexpected or invalid packet (inside network):", packet)
536 def create_stream_in(self, in_if, out_if, dst_ip=None, ttl=64):
538 dst_ip = out_if.remote_ip4
543 Ether(dst=in_if.local_mac, src=in_if.remote_mac)
544 / IP(src=in_if.remote_ip4, dst=dst_ip, ttl=ttl)
545 / TCP(sport=self.tcp_port_in, dport=20)
551 Ether(dst=in_if.local_mac, src=in_if.remote_mac)
552 / IP(src=in_if.remote_ip4, dst=dst_ip, ttl=ttl)
553 / UDP(sport=self.udp_port_in, dport=20)
559 Ether(dst=in_if.local_mac, src=in_if.remote_mac)
560 / IP(src=in_if.remote_ip4, dst=dst_ip, ttl=ttl)
561 / ICMP(id=self.icmp_id_in, type="echo-request")
567 def create_stream_out(self, out_if, dst_ip=None, ttl=64, use_inside_ports=False):
569 dst_ip = self.nat_addr
570 if not use_inside_ports:
571 tcp_port = self.tcp_port_out
572 udp_port = self.udp_port_out
573 icmp_id = self.icmp_id_out
575 tcp_port = self.tcp_port_in
576 udp_port = self.udp_port_in
577 icmp_id = self.icmp_id_in
581 Ether(dst=out_if.local_mac, src=out_if.remote_mac)
582 / IP(src=out_if.remote_ip4, dst=dst_ip, ttl=ttl)
583 / TCP(dport=tcp_port, sport=20)
589 Ether(dst=out_if.local_mac, src=out_if.remote_mac)
590 / IP(src=out_if.remote_ip4, dst=dst_ip, ttl=ttl)
591 / UDP(dport=udp_port, sport=20)
597 Ether(dst=out_if.local_mac, src=out_if.remote_mac)
598 / IP(src=out_if.remote_ip4, dst=dst_ip, ttl=ttl)
599 / ICMP(id=icmp_id, type="echo-reply")
605 def create_tcp_stream(self, in_if, out_if, count):
609 for i in range(count):
611 Ether(dst=in_if.local_mac, src=in_if.remote_mac)
612 / IP(src=in_if.remote_ip4, dst=out_if.remote_ip4, ttl=64)
613 / TCP(sport=port + i, dport=20)
619 def create_stream_frag(
620 self, src_if, dst, sport, dport, data, proto=IP_PROTOS.tcp, echo_reply=False
622 if proto == IP_PROTOS.tcp:
624 IP(src=src_if.remote_ip4, dst=dst)
625 / TCP(sport=sport, dport=dport)
628 p = p.__class__(scapy.compat.raw(p))
629 chksum = p[TCP].chksum
630 proto_header = TCP(sport=sport, dport=dport, chksum=chksum)
631 elif proto == IP_PROTOS.udp:
632 proto_header = UDP(sport=sport, dport=dport)
633 elif proto == IP_PROTOS.icmp:
635 proto_header = ICMP(id=sport, type="echo-request")
637 proto_header = ICMP(id=sport, type="echo-reply")
639 raise Exception("Unsupported protocol")
640 id = self.random_port()
642 if proto == IP_PROTOS.tcp:
645 raw = Raw(data[0:16])
647 Ether(src=src_if.remote_mac, dst=src_if.local_mac)
648 / IP(src=src_if.remote_ip4, dst=dst, flags="MF", frag=0, id=id)
653 if proto == IP_PROTOS.tcp:
654 raw = Raw(data[4:20])
656 raw = Raw(data[16:32])
658 Ether(src=src_if.remote_mac, dst=src_if.local_mac)
659 / IP(src=src_if.remote_ip4, dst=dst, flags="MF", frag=3, id=id, proto=proto)
663 if proto == IP_PROTOS.tcp:
668 Ether(src=src_if.remote_mac, dst=src_if.local_mac)
669 / IP(src=src_if.remote_ip4, dst=dst, frag=5, proto=proto, id=id)
675 def frag_in_order_in_plus_out(
676 self, in_addr, out_addr, in_port, out_port, proto=IP_PROTOS.tcp
679 layer = self.proto2layer(proto)
681 if proto == IP_PROTOS.tcp:
682 data = b"A" * 4 + b"B" * 16 + b"C" * 3
684 data = b"A" * 16 + b"B" * 16 + b"C" * 3
685 port_in = self.random_port()
689 pkts = self.create_stream_frag(
690 self.pg0, out_addr, port_in, out_port, data, proto
692 self.pg0.add_stream(pkts)
693 self.pg_enable_capture(self.pg_interfaces)
695 frags = self.pg1.get_capture(len(pkts))
696 p = self.reass_frags_and_verify(frags, self.pg0.remote_ip4, in_addr)
697 if proto != IP_PROTOS.icmp:
698 self.assertEqual(p[layer].sport, port_in)
699 self.assertEqual(p[layer].dport, in_port)
701 self.assertEqual(p[layer].id, port_in)
702 self.assertEqual(data, p[Raw].load)
705 if proto != IP_PROTOS.icmp:
706 pkts = self.create_stream_frag(
707 self.pg1, self.pg0.remote_ip4, in_port, p[layer].sport, data, proto
710 pkts = self.create_stream_frag(
719 self.pg1.add_stream(pkts)
720 self.pg_enable_capture(self.pg_interfaces)
722 frags = self.pg0.get_capture(len(pkts))
723 p = self.reass_frags_and_verify(frags, out_addr, self.pg0.remote_ip4)
724 if proto != IP_PROTOS.icmp:
725 self.assertEqual(p[layer].sport, out_port)
726 self.assertEqual(p[layer].dport, port_in)
728 self.assertEqual(p[layer].id, port_in)
729 self.assertEqual(data, p[Raw].load)
731 def frag_out_of_order_in_plus_out(
732 self, in_addr, out_addr, in_port, out_port, proto=IP_PROTOS.tcp
735 layer = self.proto2layer(proto)
737 if proto == IP_PROTOS.tcp:
738 data = b"A" * 4 + b"B" * 16 + b"C" * 3
740 data = b"A" * 16 + b"B" * 16 + b"C" * 3
741 port_in = self.random_port()
745 pkts = self.create_stream_frag(
746 self.pg0, out_addr, port_in, out_port, data, proto
749 self.pg0.add_stream(pkts)
750 self.pg_enable_capture(self.pg_interfaces)
752 frags = self.pg1.get_capture(len(pkts))
753 p = self.reass_frags_and_verify(frags, self.pg0.remote_ip4, in_addr)
754 if proto != IP_PROTOS.icmp:
755 self.assertEqual(p[layer].dport, in_port)
756 self.assertEqual(p[layer].sport, port_in)
757 self.assertEqual(p[layer].dport, in_port)
759 self.assertEqual(p[layer].id, port_in)
760 self.assertEqual(data, p[Raw].load)
763 if proto != IP_PROTOS.icmp:
764 pkts = self.create_stream_frag(
765 self.pg1, self.pg0.remote_ip4, in_port, p[layer].sport, data, proto
768 pkts = self.create_stream_frag(
778 self.pg1.add_stream(pkts)
779 self.pg_enable_capture(self.pg_interfaces)
781 frags = self.pg0.get_capture(len(pkts))
782 p = self.reass_frags_and_verify(frags, out_addr, self.pg0.remote_ip4)
783 if proto != IP_PROTOS.icmp:
784 self.assertEqual(p[layer].sport, out_port)
785 self.assertEqual(p[layer].dport, port_in)
787 self.assertEqual(p[layer].id, port_in)
788 self.assertEqual(data, p[Raw].load)
790 def init_tcp_session(self, in_if, out_if, in_port, ext_port):
793 Ether(src=in_if.remote_mac, dst=in_if.local_mac)
794 / IP(src=in_if.remote_ip4, dst=out_if.remote_ip4)
795 / TCP(sport=in_port, dport=ext_port, flags="S")
798 self.pg_enable_capture(self.pg_interfaces)
800 capture = out_if.get_capture(1)
802 out_port = p[TCP].sport
804 # SYN + ACK packet out->in
806 Ether(src=out_if.remote_mac, dst=out_if.local_mac)
807 / IP(src=out_if.remote_ip4, dst=self.nat_addr)
808 / TCP(sport=ext_port, dport=out_port, flags="SA")
811 self.pg_enable_capture(self.pg_interfaces)
817 Ether(src=in_if.remote_mac, dst=in_if.local_mac)
818 / IP(src=in_if.remote_ip4, dst=out_if.remote_ip4)
819 / TCP(sport=in_port, dport=ext_port, flags="A")
822 self.pg_enable_capture(self.pg_interfaces)
824 out_if.get_capture(1)
828 def twice_nat_common(
829 self, self_twice_nat=False, same_pg=False, lb=False, client_id=None
831 twice_nat_addr = "10.0.1.3"
839 port_in1 = port_in + 1
840 port_in2 = port_in + 2
845 server1 = self.pg0.remote_hosts[0]
846 server2 = self.pg0.remote_hosts[1]
858 eh_translate = (not self_twice_nat) or (not lb and same_pg) or client_id == 1
860 self.nat_add_address(self.nat_addr)
861 self.nat_add_address(twice_nat_addr, twice_nat=1)
865 flags |= self.config_flags.NAT_IS_SELF_TWICE_NAT
867 flags |= self.config_flags.NAT_IS_TWICE_NAT
870 self.nat_add_static_mapping(
880 {"addr": server1.ip4, "port": port_in1, "probability": 50, "vrf_id": 0},
881 {"addr": server2.ip4, "port": port_in2, "probability": 50, "vrf_id": 0},
883 out_addr = self.nat_addr
885 self.vapi.nat44_add_del_lb_static_mapping(
888 external_addr=out_addr,
889 external_port=port_out,
890 protocol=IP_PROTOS.tcp,
891 local_num=len(locals),
894 self.nat_add_inside_interface(pg0)
895 self.nat_add_outside_interface(pg1)
901 assert client_id is not None
903 client = self.pg0.remote_hosts[0]
905 client = self.pg0.remote_hosts[1]
907 client = pg1.remote_hosts[0]
909 Ether(src=pg1.remote_mac, dst=pg1.local_mac)
910 / IP(src=client.ip4, dst=self.nat_addr)
911 / TCP(sport=eh_port_out, dport=port_out)
914 self.pg_enable_capture(self.pg_interfaces)
916 capture = pg0.get_capture(1)
922 if ip.dst == server1.ip4:
928 self.assertEqual(ip.dst, server.ip4)
930 self.assertIn(tcp.dport, [port_in1, port_in2])
932 self.assertEqual(tcp.dport, port_in)
934 self.assertEqual(ip.src, twice_nat_addr)
935 self.assertNotEqual(tcp.sport, eh_port_out)
937 self.assertEqual(ip.src, client.ip4)
938 self.assertEqual(tcp.sport, eh_port_out)
940 eh_port_in = tcp.sport
941 saved_port_in = tcp.dport
942 self.assert_packet_checksums_valid(p)
944 self.logger.error(ppp("Unexpected or invalid packet:", p))
948 Ether(src=server.mac, dst=pg0.local_mac)
949 / IP(src=server.ip4, dst=eh_addr_in)
950 / TCP(sport=saved_port_in, dport=eh_port_in)
953 self.pg_enable_capture(self.pg_interfaces)
955 capture = pg1.get_capture(1)
960 self.assertEqual(ip.dst, client.ip4)
961 self.assertEqual(ip.src, self.nat_addr)
962 self.assertEqual(tcp.dport, eh_port_out)
963 self.assertEqual(tcp.sport, port_out)
964 self.assert_packet_checksums_valid(p)
966 self.logger.error(ppp("Unexpected or invalid packet:", p))
970 sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
971 self.assertEqual(len(sessions), 1)
972 self.assertTrue(sessions[0].flags & self.config_flags.NAT_IS_EXT_HOST_VALID)
973 self.assertTrue(sessions[0].flags & self.config_flags.NAT_IS_TWICE_NAT)
974 self.logger.info(self.vapi.cli("show nat44 sessions"))
975 self.vapi.nat44_del_session(
976 address=sessions[0].inside_ip_address,
977 port=sessions[0].inside_port,
978 protocol=sessions[0].protocol,
980 self.config_flags.NAT_IS_INSIDE
981 | self.config_flags.NAT_IS_EXT_HOST_VALID
983 ext_host_address=sessions[0].ext_host_nat_address,
984 ext_host_port=sessions[0].ext_host_nat_port,
986 sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
987 self.assertEqual(len(sessions), 0)
989 def verify_syslog_sess(self, data, msgid, is_ip6=False):
990 message = data.decode("utf-8")
992 message = SyslogMessage.parse(message)
993 except ParseError as e:
997 self.assertEqual(message.severity, SyslogSeverity.info)
998 self.assertEqual(message.appname, "NAT")
999 self.assertEqual(message.msgid, msgid)
1000 sd_params = message.sd.get("nsess")
1001 self.assertTrue(sd_params is not None)
1003 self.assertEqual(sd_params.get("IATYP"), "IPv6")
1004 self.assertEqual(sd_params.get("ISADDR"), self.pg0.remote_ip6)
1006 self.assertEqual(sd_params.get("IATYP"), "IPv4")
1007 self.assertEqual(sd_params.get("ISADDR"), self.pg0.remote_ip4)
1008 self.assertTrue(sd_params.get("SSUBIX") is not None)
1009 self.assertEqual(sd_params.get("ISPORT"), "%d" % self.tcp_port_in)
1010 self.assertEqual(sd_params.get("XATYP"), "IPv4")
1011 self.assertEqual(sd_params.get("XSADDR"), self.nat_addr)
1012 self.assertEqual(sd_params.get("XSPORT"), "%d" % self.tcp_port_out)
1013 self.assertEqual(sd_params.get("PROTO"), "%d" % IP_PROTOS.tcp)
1014 self.assertEqual(sd_params.get("SVLAN"), "0")
1015 self.assertEqual(sd_params.get("XDADDR"), self.pg1.remote_ip4)
1016 self.assertEqual(sd_params.get("XDPORT"), "%d" % self.tcp_external_port)
1018 def test_icmp_error(self):
1019 """NAT44ED test ICMP error message with inner header"""
1023 self.nat_add_address(self.nat_addr)
1024 self.nat_add_inside_interface(self.pg0)
1025 self.nat_add_outside_interface(self.pg1)
1027 # in2out (initiate connection)
1029 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
1030 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
1031 / UDP(sport=21, dport=20)
1033 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
1034 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
1035 / TCP(sport=21, dport=20, flags="S")
1037 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
1038 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
1039 / ICMP(type="echo-request", id=7777)
1043 capture = self.send_and_expect(self.pg0, p1, self.pg1)
1045 # out2in (send error message)
1047 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
1048 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
1049 / ICMP(type="dest-unreach", code="port-unreachable")
1054 capture = self.send_and_expect(self.pg1, p2, self.pg0)
1058 assert c[IP].dst == self.pg0.remote_ip4
1059 assert c[IPerror].src == self.pg0.remote_ip4
1060 except AssertionError as a:
1061 raise AssertionError(f"Packet {pr(c)} not translated properly") from a
1063 def test_icmp_echo_reply_trailer(self):
1064 """ICMP echo reply with ethernet trailer"""
1066 self.nat_add_address(self.nat_addr)
1067 self.nat_add_inside_interface(self.pg0)
1068 self.nat_add_outside_interface(self.pg1)
1072 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
1073 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
1074 / ICMP(type=8, id=0xABCD, seq=0)
1077 self.pg0.add_stream(p1)
1078 self.pg_enable_capture(self.pg_interfaces)
1080 c = self.pg1.get_capture(1)[0]
1082 self.logger.debug(self.vapi.cli("show trace"))
1086 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
1087 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr, id=0xEE59)
1088 / ICMP(type=0, id=c[ICMP].id, seq=0)
1091 # force checksum calculation
1092 p2 = p2.__class__(bytes(p2))
1094 self.logger.debug(ppp("Packet before modification:", p2))
1096 # hex representation of vss monitoring ethernet trailer
1097 # this seems to be just added to end of packet without modifying
1098 # IP or ICMP lengths / checksums
1099 p2 = p2 / Raw("\x00\x00\x52\x54\x00\x46\xab\x04\x84\x18")
1100 # change it so that IP/ICMP is unaffected
1103 self.logger.debug(ppp("Packet with added trailer:", p2))
1105 self.pg1.add_stream(p2)
1106 self.pg_enable_capture(self.pg_interfaces)
1109 self.pg0.get_capture(1)
1111 def test_users_dump(self):
1112 """NAT44ED API test - nat44_user_dump"""
1114 self.nat_add_address(self.nat_addr)
1115 self.nat_add_inside_interface(self.pg0)
1116 self.nat_add_outside_interface(self.pg1)
1118 self.vapi.nat44_forwarding_enable_disable(enable=1)
1120 local_ip = self.pg0.remote_ip4
1121 external_ip = self.nat_addr
1122 self.nat_add_static_mapping(local_ip, external_ip)
1124 users = self.vapi.nat44_user_dump()
1125 self.assertEqual(len(users), 0)
1127 # in2out - static mapping match
1129 pkts = self.create_stream_out(self.pg1)
1130 self.pg1.add_stream(pkts)
1131 self.pg_enable_capture(self.pg_interfaces)
1133 capture = self.pg0.get_capture(len(pkts))
1134 self.verify_capture_in(capture, self.pg0)
1136 pkts = self.create_stream_in(self.pg0, self.pg1)
1137 self.pg0.add_stream(pkts)
1138 self.pg_enable_capture(self.pg_interfaces)
1140 capture = self.pg1.get_capture(len(pkts))
1141 self.verify_capture_out(capture, same_port=True)
1143 users = self.vapi.nat44_user_dump()
1144 self.assertEqual(len(users), 1)
1145 static_user = users[0]
1146 self.assertEqual(static_user.nstaticsessions, 3)
1147 self.assertEqual(static_user.nsessions, 0)
1149 # in2out - no static mapping match (forwarding test)
1151 host0 = self.pg0.remote_hosts[0]
1152 self.pg0.remote_hosts[0] = self.pg0.remote_hosts[1]
1154 pkts = self.create_stream_out(
1155 self.pg1, dst_ip=self.pg0.remote_ip4, use_inside_ports=True
1157 self.pg1.add_stream(pkts)
1158 self.pg_enable_capture(self.pg_interfaces)
1160 capture = self.pg0.get_capture(len(pkts))
1161 self.verify_capture_in(capture, self.pg0)
1163 pkts = self.create_stream_in(self.pg0, self.pg1)
1164 self.pg0.add_stream(pkts)
1165 self.pg_enable_capture(self.pg_interfaces)
1167 capture = self.pg1.get_capture(len(pkts))
1168 self.verify_capture_out(capture, nat_ip=self.pg0.remote_ip4, same_port=True)
1170 self.pg0.remote_hosts[0] = host0
1172 users = self.vapi.nat44_user_dump()
1173 self.assertEqual(len(users), 2)
1174 if str(users[0].ip_address) == self.pg0.remote_hosts[0].ip4:
1175 non_static_user = users[1]
1176 static_user = users[0]
1178 non_static_user = users[0]
1179 static_user = users[1]
1180 self.assertEqual(static_user.nstaticsessions, 3)
1181 self.assertEqual(static_user.nsessions, 0)
1182 self.assertEqual(non_static_user.nstaticsessions, 0)
1183 self.assertEqual(non_static_user.nsessions, 3)
1185 users = self.vapi.nat44_user_dump()
1186 self.assertEqual(len(users), 2)
1187 if str(users[0].ip_address) == self.pg0.remote_hosts[0].ip4:
1188 non_static_user = users[1]
1189 static_user = users[0]
1191 non_static_user = users[0]
1192 static_user = users[1]
1193 self.assertEqual(static_user.nstaticsessions, 3)
1194 self.assertEqual(static_user.nsessions, 0)
1195 self.assertEqual(non_static_user.nstaticsessions, 0)
1196 self.assertEqual(non_static_user.nsessions, 3)
1198 def test_frag_out_of_order_do_not_translate(self):
1199 """NAT44ED don't translate fragments arriving out of order"""
1200 self.nat_add_inside_interface(self.pg0)
1201 self.nat_add_outside_interface(self.pg1)
1202 self.vapi.nat44_forwarding_enable_disable(enable=True)
1203 self.frag_out_of_order(proto=IP_PROTOS.tcp, dont_translate=True)
1205 def test_forwarding(self):
1206 """NAT44ED forwarding test"""
1208 self.nat_add_inside_interface(self.pg0)
1209 self.nat_add_outside_interface(self.pg1)
1210 self.vapi.nat44_forwarding_enable_disable(enable=1)
1212 real_ip = self.pg0.remote_ip4
1213 alias_ip = self.nat_addr
1214 flags = self.config_flags.NAT_IS_ADDR_ONLY
1215 self.vapi.nat44_add_del_static_mapping(
1217 local_ip_address=real_ip,
1218 external_ip_address=alias_ip,
1219 external_sw_if_index=0xFFFFFFFF,
1224 # in2out - static mapping match
1226 pkts = self.create_stream_out(self.pg1)
1227 self.pg1.add_stream(pkts)
1228 self.pg_enable_capture(self.pg_interfaces)
1230 capture = self.pg0.get_capture(len(pkts))
1231 self.verify_capture_in(capture, self.pg0)
1233 pkts = self.create_stream_in(self.pg0, self.pg1)
1234 self.pg0.add_stream(pkts)
1235 self.pg_enable_capture(self.pg_interfaces)
1237 capture = self.pg1.get_capture(len(pkts))
1238 self.verify_capture_out(capture, same_port=True)
1240 # in2out - no static mapping match
1242 host0 = self.pg0.remote_hosts[0]
1243 self.pg0.remote_hosts[0] = self.pg0.remote_hosts[1]
1245 pkts = self.create_stream_out(
1246 self.pg1, dst_ip=self.pg0.remote_ip4, use_inside_ports=True
1248 self.pg1.add_stream(pkts)
1249 self.pg_enable_capture(self.pg_interfaces)
1251 capture = self.pg0.get_capture(len(pkts))
1252 self.verify_capture_in(capture, self.pg0)
1254 pkts = self.create_stream_in(self.pg0, self.pg1)
1255 self.pg0.add_stream(pkts)
1256 self.pg_enable_capture(self.pg_interfaces)
1258 capture = self.pg1.get_capture(len(pkts))
1259 self.verify_capture_out(
1260 capture, nat_ip=self.pg0.remote_ip4, same_port=True
1263 self.pg0.remote_hosts[0] = host0
1265 user = self.pg0.remote_hosts[1]
1266 sessions = self.vapi.nat44_user_session_dump(user.ip4, 0)
1267 self.assertEqual(len(sessions), 3)
1268 self.assertTrue(sessions[0].flags & self.config_flags.NAT_IS_EXT_HOST_VALID)
1269 self.vapi.nat44_del_session(
1270 address=sessions[0].inside_ip_address,
1271 port=sessions[0].inside_port,
1272 protocol=sessions[0].protocol,
1274 self.config_flags.NAT_IS_INSIDE
1275 | self.config_flags.NAT_IS_EXT_HOST_VALID
1277 ext_host_address=sessions[0].ext_host_address,
1278 ext_host_port=sessions[0].ext_host_port,
1280 sessions = self.vapi.nat44_user_session_dump(user.ip4, 0)
1281 self.assertEqual(len(sessions), 2)
1284 self.vapi.nat44_forwarding_enable_disable(enable=0)
1285 flags = self.config_flags.NAT_IS_ADDR_ONLY
1286 self.vapi.nat44_add_del_static_mapping(
1288 local_ip_address=real_ip,
1289 external_ip_address=alias_ip,
1290 external_sw_if_index=0xFFFFFFFF,
1294 def test_output_feature_and_service2(self):
1295 """NAT44ED interface output feature and service host direct access"""
1296 self.vapi.nat44_forwarding_enable_disable(enable=1)
1297 self.nat_add_address(self.nat_addr)
1299 self.vapi.nat44_ed_add_del_output_interface(
1300 sw_if_index=self.pg1.sw_if_index, is_add=1
1303 # session initiated from service host - translate
1304 pkts = self.create_stream_in(self.pg0, self.pg1)
1305 self.pg0.add_stream(pkts)
1306 self.pg_enable_capture(self.pg_interfaces)
1308 capture = self.pg1.get_capture(len(pkts))
1309 self.verify_capture_out(capture, ignore_port=True)
1311 pkts = self.create_stream_out(self.pg1)
1312 self.pg1.add_stream(pkts)
1313 self.pg_enable_capture(self.pg_interfaces)
1315 capture = self.pg0.get_capture(len(pkts))
1316 self.verify_capture_in(capture, self.pg0)
1318 # session initiated from remote host - do not translate
1319 tcp_port_in = self.tcp_port_in
1320 udp_port_in = self.udp_port_in
1321 icmp_id_in = self.icmp_id_in
1323 self.tcp_port_in = 60303
1324 self.udp_port_in = 60304
1325 self.icmp_id_in = 60305
1328 pkts = self.create_stream_out(
1329 self.pg1, self.pg0.remote_ip4, use_inside_ports=True
1331 self.pg1.add_stream(pkts)
1332 self.pg_enable_capture(self.pg_interfaces)
1334 capture = self.pg0.get_capture(len(pkts))
1335 self.verify_capture_in(capture, self.pg0)
1337 pkts = self.create_stream_in(self.pg0, self.pg1)
1338 self.pg0.add_stream(pkts)
1339 self.pg_enable_capture(self.pg_interfaces)
1341 capture = self.pg1.get_capture(len(pkts))
1342 self.verify_capture_out(capture, nat_ip=self.pg0.remote_ip4, same_port=True)
1344 self.tcp_port_in = tcp_port_in
1345 self.udp_port_in = udp_port_in
1346 self.icmp_id_in = icmp_id_in
1348 def test_twice_nat(self):
1349 """NAT44ED Twice NAT"""
1350 self.twice_nat_common()
1352 def test_self_twice_nat_positive(self):
1353 """NAT44ED Self Twice NAT (positive test)"""
1354 self.twice_nat_common(self_twice_nat=True, same_pg=True)
1356 def test_self_twice_nat_lb_positive(self):
1357 """NAT44ED Self Twice NAT local service load balancing (positive test)"""
1358 self.twice_nat_common(lb=True, self_twice_nat=True, same_pg=True, client_id=1)
1360 def test_twice_nat_lb(self):
1361 """NAT44ED Twice NAT local service load balancing"""
1362 self.twice_nat_common(lb=True)
1364 def test_output_feature(self):
1365 """NAT44ED interface output feature (in2out postrouting)"""
1366 self.vapi.nat44_forwarding_enable_disable(enable=1)
1367 self.nat_add_address(self.nat_addr)
1369 self.nat_add_outside_interface(self.pg0)
1370 self.vapi.nat44_ed_add_del_output_interface(
1371 sw_if_index=self.pg1.sw_if_index, is_add=1
1375 pkts = self.create_stream_in(self.pg0, self.pg1)
1376 self.pg0.add_stream(pkts)
1377 self.pg_enable_capture(self.pg_interfaces)
1379 capture = self.pg1.get_capture(len(pkts))
1380 self.verify_capture_out(capture, ignore_port=True)
1381 self.logger.debug(self.vapi.cli("show trace"))
1384 pkts = self.create_stream_out(self.pg1)
1385 self.pg1.add_stream(pkts)
1386 self.pg_enable_capture(self.pg_interfaces)
1388 capture = self.pg0.get_capture(len(pkts))
1389 self.verify_capture_in(capture, self.pg0)
1390 self.logger.debug(self.vapi.cli("show trace"))
1393 pkts = self.create_stream_in(self.pg0, self.pg1, ttl=2)
1394 self.pg0.add_stream(pkts)
1395 self.pg_enable_capture(self.pg_interfaces)
1397 capture = self.pg1.get_capture(len(pkts))
1398 self.verify_capture_out(capture, ignore_port=True)
1399 self.logger.debug(self.vapi.cli("show trace"))
1402 pkts = self.create_stream_out(self.pg1, ttl=2)
1403 self.pg1.add_stream(pkts)
1404 self.pg_enable_capture(self.pg_interfaces)
1406 capture = self.pg0.get_capture(len(pkts))
1407 self.verify_capture_in(capture, self.pg0)
1408 self.logger.debug(self.vapi.cli("show trace"))
1411 pkts = self.create_stream_in(self.pg0, self.pg1, ttl=1)
1412 capture = self.send_and_expect_some(self.pg0, pkts, self.pg0)
1414 self.assertIn(ICMP, p)
1415 self.assertEqual(p[ICMP].type, 11) # 11 == time-exceeded
1417 def test_static_with_port_out2(self):
1418 """NAT44ED 1:1 NAPT asymmetrical rule"""
1423 self.vapi.nat44_forwarding_enable_disable(enable=1)
1424 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
1425 self.nat_add_static_mapping(
1426 self.pg0.remote_ip4,
1430 proto=IP_PROTOS.tcp,
1434 self.nat_add_inside_interface(self.pg0)
1435 self.nat_add_outside_interface(self.pg1)
1437 # from client to service
1439 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
1440 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
1441 / TCP(sport=12345, dport=external_port)
1443 self.pg1.add_stream(p)
1444 self.pg_enable_capture(self.pg_interfaces)
1446 capture = self.pg0.get_capture(1)
1451 self.assertEqual(ip.dst, self.pg0.remote_ip4)
1452 self.assertEqual(tcp.dport, local_port)
1453 self.assert_packet_checksums_valid(p)
1455 self.logger.error(ppp("Unexpected or invalid packet:", p))
1460 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
1461 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
1465 self.pg0.add_stream(p)
1466 self.pg_enable_capture(self.pg_interfaces)
1468 capture = self.pg1.get_capture(1)
1471 self.assertEqual(p[IP].src, self.nat_addr)
1473 self.assertEqual(inner.dst, self.nat_addr)
1474 self.assertEqual(inner[TCPerror].dport, external_port)
1476 self.logger.error(ppp("Unexpected or invalid packet:", p))
1479 # from service back to client
1481 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
1482 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
1483 / TCP(sport=local_port, dport=12345)
1485 self.pg0.add_stream(p)
1486 self.pg_enable_capture(self.pg_interfaces)
1488 capture = self.pg1.get_capture(1)
1493 self.assertEqual(ip.src, self.nat_addr)
1494 self.assertEqual(tcp.sport, external_port)
1495 self.assert_packet_checksums_valid(p)
1497 self.logger.error(ppp("Unexpected or invalid packet:", p))
1502 Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
1503 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
1507 self.pg1.add_stream(p)
1508 self.pg_enable_capture(self.pg_interfaces)
1510 capture = self.pg0.get_capture(1)
1513 self.assertEqual(p[IP].dst, self.pg0.remote_ip4)
1515 self.assertEqual(inner.src, self.pg0.remote_ip4)
1516 self.assertEqual(inner[TCPerror].sport, local_port)
1518 self.logger.error(ppp("Unexpected or invalid packet:", p))
1521 # from client to server (no translation)
1523 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
1524 / IP(src=self.pg1.remote_ip4, dst=self.pg0.remote_ip4)
1525 / TCP(sport=12346, dport=local_port)
1527 self.pg1.add_stream(p)
1528 self.pg_enable_capture(self.pg_interfaces)
1530 capture = self.pg0.get_capture(1)
1535 self.assertEqual(ip.dst, self.pg0.remote_ip4)
1536 self.assertEqual(tcp.dport, local_port)
1537 self.assert_packet_checksums_valid(p)
1539 self.logger.error(ppp("Unexpected or invalid packet:", p))
1542 # from service back to client (no translation)
1544 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
1545 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
1546 / TCP(sport=local_port, dport=12346)
1548 self.pg0.add_stream(p)
1549 self.pg_enable_capture(self.pg_interfaces)
1551 capture = self.pg1.get_capture(1)
1556 self.assertEqual(ip.src, self.pg0.remote_ip4)
1557 self.assertEqual(tcp.sport, local_port)
1558 self.assert_packet_checksums_valid(p)
1560 self.logger.error(ppp("Unexpected or invalid packet:", p))
1563 def test_static_lb(self):
1564 """NAT44ED local service load balancing"""
1565 external_addr_n = self.nat_addr
1568 server1 = self.pg0.remote_hosts[0]
1569 server2 = self.pg0.remote_hosts[1]
1572 {"addr": server1.ip4, "port": local_port, "probability": 70, "vrf_id": 0},
1573 {"addr": server2.ip4, "port": local_port, "probability": 30, "vrf_id": 0},
1576 self.nat_add_address(self.nat_addr)
1577 self.vapi.nat44_add_del_lb_static_mapping(
1579 external_addr=external_addr_n,
1580 external_port=external_port,
1581 protocol=IP_PROTOS.tcp,
1582 local_num=len(locals),
1585 flags = self.config_flags.NAT_IS_INSIDE
1586 self.vapi.nat44_interface_add_del_feature(
1587 sw_if_index=self.pg0.sw_if_index, flags=flags, is_add=1
1589 self.vapi.nat44_interface_add_del_feature(
1590 sw_if_index=self.pg1.sw_if_index, is_add=1
1593 # from client to service
1595 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
1596 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
1597 / TCP(sport=12345, dport=external_port)
1599 self.pg1.add_stream(p)
1600 self.pg_enable_capture(self.pg_interfaces)
1602 capture = self.pg0.get_capture(1)
1608 self.assertIn(ip.dst, [server1.ip4, server2.ip4])
1609 if ip.dst == server1.ip4:
1613 self.assertEqual(tcp.dport, local_port)
1614 self.assert_packet_checksums_valid(p)
1616 self.logger.error(ppp("Unexpected or invalid packet:", p))
1619 # from service back to client
1621 Ether(src=server.mac, dst=self.pg0.local_mac)
1622 / IP(src=server.ip4, dst=self.pg1.remote_ip4)
1623 / TCP(sport=local_port, dport=12345)
1625 self.pg0.add_stream(p)
1626 self.pg_enable_capture(self.pg_interfaces)
1628 capture = self.pg1.get_capture(1)
1633 self.assertEqual(ip.src, self.nat_addr)
1634 self.assertEqual(tcp.sport, external_port)
1635 self.assert_packet_checksums_valid(p)
1637 self.logger.error(ppp("Unexpected or invalid packet:", p))
1640 sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
1641 self.assertEqual(len(sessions), 1)
1642 self.assertTrue(sessions[0].flags & self.config_flags.NAT_IS_EXT_HOST_VALID)
1643 self.vapi.nat44_del_session(
1644 address=sessions[0].inside_ip_address,
1645 port=sessions[0].inside_port,
1646 protocol=sessions[0].protocol,
1648 self.config_flags.NAT_IS_INSIDE
1649 | self.config_flags.NAT_IS_EXT_HOST_VALID
1651 ext_host_address=sessions[0].ext_host_address,
1652 ext_host_port=sessions[0].ext_host_port,
1654 sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
1655 self.assertEqual(len(sessions), 0)
1657 def test_static_lb_2(self):
1658 """NAT44ED local service load balancing (asymmetrical rule)"""
1659 external_addr = self.nat_addr
1662 server1 = self.pg0.remote_hosts[0]
1663 server2 = self.pg0.remote_hosts[1]
1666 {"addr": server1.ip4, "port": local_port, "probability": 70, "vrf_id": 0},
1667 {"addr": server2.ip4, "port": local_port, "probability": 30, "vrf_id": 0},
1670 self.vapi.nat44_forwarding_enable_disable(enable=1)
1671 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
1672 self.vapi.nat44_add_del_lb_static_mapping(
1675 external_addr=external_addr,
1676 external_port=external_port,
1677 protocol=IP_PROTOS.tcp,
1678 local_num=len(locals),
1681 flags = self.config_flags.NAT_IS_INSIDE
1682 self.vapi.nat44_interface_add_del_feature(
1683 sw_if_index=self.pg0.sw_if_index, flags=flags, is_add=1
1685 self.vapi.nat44_interface_add_del_feature(
1686 sw_if_index=self.pg1.sw_if_index, is_add=1
1689 # from client to service
1691 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
1692 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
1693 / TCP(sport=12345, dport=external_port)
1695 self.pg1.add_stream(p)
1696 self.pg_enable_capture(self.pg_interfaces)
1698 capture = self.pg0.get_capture(1)
1704 self.assertIn(ip.dst, [server1.ip4, server2.ip4])
1705 if ip.dst == server1.ip4:
1709 self.assertEqual(tcp.dport, local_port)
1710 self.assert_packet_checksums_valid(p)
1712 self.logger.error(ppp("Unexpected or invalid packet:", p))
1715 # from service back to client
1717 Ether(src=server.mac, dst=self.pg0.local_mac)
1718 / IP(src=server.ip4, dst=self.pg1.remote_ip4)
1719 / TCP(sport=local_port, dport=12345)
1721 self.pg0.add_stream(p)
1722 self.pg_enable_capture(self.pg_interfaces)
1724 capture = self.pg1.get_capture(1)
1729 self.assertEqual(ip.src, self.nat_addr)
1730 self.assertEqual(tcp.sport, external_port)
1731 self.assert_packet_checksums_valid(p)
1733 self.logger.error(ppp("Unexpected or invalid packet:", p))
1736 # from client to server (no translation)
1738 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
1739 / IP(src=self.pg1.remote_ip4, dst=server1.ip4)
1740 / TCP(sport=12346, dport=local_port)
1742 self.pg1.add_stream(p)
1743 self.pg_enable_capture(self.pg_interfaces)
1745 capture = self.pg0.get_capture(1)
1751 self.assertEqual(ip.dst, server1.ip4)
1752 self.assertEqual(tcp.dport, local_port)
1753 self.assert_packet_checksums_valid(p)
1755 self.logger.error(ppp("Unexpected or invalid packet:", p))
1758 # from service back to client (no translation)
1760 Ether(src=server1.mac, dst=self.pg0.local_mac)
1761 / IP(src=server1.ip4, dst=self.pg1.remote_ip4)
1762 / TCP(sport=local_port, dport=12346)
1764 self.pg0.add_stream(p)
1765 self.pg_enable_capture(self.pg_interfaces)
1767 capture = self.pg1.get_capture(1)
1772 self.assertEqual(ip.src, server1.ip4)
1773 self.assertEqual(tcp.sport, local_port)
1774 self.assert_packet_checksums_valid(p)
1776 self.logger.error(ppp("Unexpected or invalid packet:", p))
1779 def test_lb_affinity(self):
1780 """NAT44ED local service load balancing affinity"""
1781 external_addr = self.nat_addr
1784 server1 = self.pg0.remote_hosts[0]
1785 server2 = self.pg0.remote_hosts[1]
1788 {"addr": server1.ip4, "port": local_port, "probability": 50, "vrf_id": 0},
1789 {"addr": server2.ip4, "port": local_port, "probability": 50, "vrf_id": 0},
1792 self.nat_add_address(self.nat_addr)
1793 self.vapi.nat44_add_del_lb_static_mapping(
1795 external_addr=external_addr,
1796 external_port=external_port,
1797 protocol=IP_PROTOS.tcp,
1799 local_num=len(locals),
1802 flags = self.config_flags.NAT_IS_INSIDE
1803 self.vapi.nat44_interface_add_del_feature(
1804 sw_if_index=self.pg0.sw_if_index, flags=flags, is_add=1
1806 self.vapi.nat44_interface_add_del_feature(
1807 sw_if_index=self.pg1.sw_if_index, is_add=1
1811 Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
1812 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
1813 / TCP(sport=1025, dport=external_port)
1815 self.pg1.add_stream(p)
1816 self.pg_enable_capture(self.pg_interfaces)
1818 capture = self.pg0.get_capture(1)
1819 backend = capture[0][IP].dst
1821 sessions = self.vapi.nat44_user_session_dump(backend, 0)
1822 self.assertEqual(len(sessions), 1)
1823 self.assertTrue(sessions[0].flags & self.config_flags.NAT_IS_EXT_HOST_VALID)
1824 self.vapi.nat44_del_session(
1825 address=sessions[0].inside_ip_address,
1826 port=sessions[0].inside_port,
1827 protocol=sessions[0].protocol,
1829 self.config_flags.NAT_IS_INSIDE
1830 | self.config_flags.NAT_IS_EXT_HOST_VALID
1832 ext_host_address=sessions[0].ext_host_address,
1833 ext_host_port=sessions[0].ext_host_port,
1837 for port in range(1030, 1100):
1839 Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
1840 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
1841 / TCP(sport=port, dport=external_port)
1844 self.pg1.add_stream(pkts)
1845 self.pg_enable_capture(self.pg_interfaces)
1847 capture = self.pg0.get_capture(len(pkts))
1849 self.assertEqual(p[IP].dst, backend)
1851 def test_multiple_vrf_1(self):
1852 """Multiple VRF - both client & service in VRF1"""
1854 external_addr = "1.2.3.4"
1859 flags = self.config_flags.NAT_IS_INSIDE
1860 self.vapi.nat44_interface_add_del_feature(
1861 sw_if_index=self.pg5.sw_if_index, is_add=1
1863 self.vapi.nat44_interface_add_del_feature(
1864 sw_if_index=self.pg5.sw_if_index, is_add=1, flags=flags
1866 self.vapi.nat44_interface_add_del_feature(
1867 sw_if_index=self.pg6.sw_if_index, is_add=1
1869 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
1870 self.nat_add_static_mapping(
1871 self.pg5.remote_ip4,
1876 proto=IP_PROTOS.tcp,
1881 Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac)
1882 / IP(src=self.pg6.remote_ip4, dst=external_addr)
1883 / TCP(sport=12345, dport=external_port)
1885 self.pg6.add_stream(p)
1886 self.pg_enable_capture(self.pg_interfaces)
1888 capture = self.pg5.get_capture(1)
1893 self.assertEqual(ip.dst, self.pg5.remote_ip4)
1894 self.assertEqual(tcp.dport, local_port)
1895 self.assert_packet_checksums_valid(p)
1897 self.logger.error(ppp("Unexpected or invalid packet:", p))
1901 Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac)
1902 / IP(src=self.pg5.remote_ip4, dst=self.pg6.remote_ip4)
1903 / TCP(sport=local_port, dport=12345)
1905 self.pg5.add_stream(p)
1906 self.pg_enable_capture(self.pg_interfaces)
1908 capture = self.pg6.get_capture(1)
1913 self.assertEqual(ip.src, external_addr)
1914 self.assertEqual(tcp.sport, external_port)
1915 self.assert_packet_checksums_valid(p)
1917 self.logger.error(ppp("Unexpected or invalid packet:", p))
1920 def test_multiple_vrf_2(self):
1921 """Multiple VRF - dynamic NAT from VRF1 to VRF0 (output-feature)"""
1923 external_addr = "1.2.3.4"
1928 self.nat_add_address(self.nat_addr)
1929 flags = self.config_flags.NAT_IS_INSIDE
1930 self.vapi.nat44_ed_add_del_output_interface(
1931 sw_if_index=self.pg1.sw_if_index, is_add=1
1933 self.vapi.nat44_interface_add_del_feature(
1934 sw_if_index=self.pg5.sw_if_index, is_add=1
1936 self.vapi.nat44_interface_add_del_feature(
1937 sw_if_index=self.pg5.sw_if_index, is_add=1, flags=flags
1939 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
1940 self.nat_add_static_mapping(
1941 self.pg5.remote_ip4,
1946 proto=IP_PROTOS.tcp,
1951 Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac)
1952 / IP(src=self.pg5.remote_ip4, dst=self.pg1.remote_ip4)
1953 / TCP(sport=2345, dport=22)
1955 self.pg5.add_stream(p)
1956 self.pg_enable_capture(self.pg_interfaces)
1958 capture = self.pg1.get_capture(1)
1963 self.assertEqual(ip.src, self.nat_addr)
1964 self.assert_packet_checksums_valid(p)
1967 self.logger.error(ppp("Unexpected or invalid packet:", p))
1971 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
1972 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
1973 / TCP(sport=22, dport=port)
1975 self.pg1.add_stream(p)
1976 self.pg_enable_capture(self.pg_interfaces)
1978 capture = self.pg5.get_capture(1)
1983 self.assertEqual(ip.dst, self.pg5.remote_ip4)
1984 self.assertEqual(tcp.dport, 2345)
1985 self.assert_packet_checksums_valid(p)
1987 self.logger.error(ppp("Unexpected or invalid packet:", p))
1990 def test_multiple_vrf_3(self):
1991 """Multiple VRF - client in VRF1, service in VRF0"""
1993 external_addr = "1.2.3.4"
1998 flags = self.config_flags.NAT_IS_INSIDE
1999 self.vapi.nat44_interface_add_del_feature(
2000 sw_if_index=self.pg0.sw_if_index, is_add=1
2002 self.vapi.nat44_interface_add_del_feature(
2003 sw_if_index=self.pg0.sw_if_index, is_add=1, flags=flags
2005 self.vapi.nat44_interface_add_del_feature(
2006 sw_if_index=self.pg6.sw_if_index, is_add=1
2008 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
2009 self.nat_add_static_mapping(
2010 self.pg0.remote_ip4,
2011 external_sw_if_index=self.pg0.sw_if_index,
2012 local_port=local_port,
2014 external_port=external_port,
2015 proto=IP_PROTOS.tcp,
2019 # from client VRF1 to service VRF0
2021 Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac)
2022 / IP(src=self.pg6.remote_ip4, dst=self.pg0.local_ip4)
2023 / TCP(sport=12346, dport=external_port)
2025 self.pg6.add_stream(p)
2026 self.pg_enable_capture(self.pg_interfaces)
2028 capture = self.pg0.get_capture(1)
2033 self.assertEqual(ip.dst, self.pg0.remote_ip4)
2034 self.assertEqual(tcp.dport, local_port)
2035 self.assert_packet_checksums_valid(p)
2037 self.logger.error(ppp("Unexpected or invalid packet:", p))
2040 # from service VRF0 back to client VRF1
2042 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
2043 / IP(src=self.pg0.remote_ip4, dst=self.pg6.remote_ip4)
2044 / TCP(sport=local_port, dport=12346)
2046 self.pg0.add_stream(p)
2047 self.pg_enable_capture(self.pg_interfaces)
2049 capture = self.pg6.get_capture(1)
2054 self.assertEqual(ip.src, self.pg0.local_ip4)
2055 self.assertEqual(tcp.sport, external_port)
2056 self.assert_packet_checksums_valid(p)
2058 self.logger.error(ppp("Unexpected or invalid packet:", p))
2061 def test_multiple_vrf_4(self):
2062 """Multiple VRF - client in VRF0, service in VRF1"""
2064 external_addr = "1.2.3.4"
2069 flags = self.config_flags.NAT_IS_INSIDE
2070 self.vapi.nat44_interface_add_del_feature(
2071 sw_if_index=self.pg0.sw_if_index, is_add=1
2073 self.vapi.nat44_interface_add_del_feature(
2074 sw_if_index=self.pg0.sw_if_index, is_add=1, flags=flags
2076 self.vapi.nat44_interface_add_del_feature(
2077 sw_if_index=self.pg5.sw_if_index, is_add=1
2079 self.vapi.nat44_interface_add_del_feature(
2080 sw_if_index=self.pg5.sw_if_index, is_add=1, flags=flags
2082 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
2083 self.nat_add_static_mapping(
2084 self.pg5.remote_ip4,
2089 proto=IP_PROTOS.tcp,
2093 # from client VRF0 to service VRF1
2095 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
2096 / IP(src=self.pg0.remote_ip4, dst=external_addr)
2097 / TCP(sport=12347, dport=external_port)
2099 self.pg0.add_stream(p)
2100 self.pg_enable_capture(self.pg_interfaces)
2102 capture = self.pg5.get_capture(1)
2107 self.assertEqual(ip.dst, self.pg5.remote_ip4)
2108 self.assertEqual(tcp.dport, local_port)
2109 self.assert_packet_checksums_valid(p)
2111 self.logger.error(ppp("Unexpected or invalid packet:", p))
2114 # from service VRF1 back to client VRF0
2116 Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac)
2117 / IP(src=self.pg5.remote_ip4, dst=self.pg0.remote_ip4)
2118 / TCP(sport=local_port, dport=12347)
2120 self.pg5.add_stream(p)
2121 self.pg_enable_capture(self.pg_interfaces)
2123 capture = self.pg0.get_capture(1)
2128 self.assertEqual(ip.src, external_addr)
2129 self.assertEqual(tcp.sport, external_port)
2130 self.assert_packet_checksums_valid(p)
2132 self.logger.error(ppp("Unexpected or invalid packet:", p))
2135 def test_multiple_vrf_5(self):
2136 """Multiple VRF - forwarding - no translation"""
2138 external_addr = "1.2.3.4"
2143 self.vapi.nat44_forwarding_enable_disable(enable=1)
2144 flags = self.config_flags.NAT_IS_INSIDE
2145 self.vapi.nat44_interface_add_del_feature(
2146 sw_if_index=self.pg0.sw_if_index, is_add=1
2148 self.vapi.nat44_interface_add_del_feature(
2149 sw_if_index=self.pg0.sw_if_index, is_add=1, flags=flags
2151 self.vapi.nat44_interface_add_del_feature(
2152 sw_if_index=self.pg5.sw_if_index, is_add=1
2154 self.vapi.nat44_interface_add_del_feature(
2155 sw_if_index=self.pg5.sw_if_index, is_add=1, flags=flags
2157 self.vapi.nat44_interface_add_del_feature(
2158 sw_if_index=self.pg6.sw_if_index, is_add=1
2160 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
2161 self.nat_add_static_mapping(
2162 self.pg5.remote_ip4,
2167 proto=IP_PROTOS.tcp,
2170 self.nat_add_static_mapping(
2171 self.pg0.remote_ip4,
2172 external_sw_if_index=self.pg0.sw_if_index,
2173 local_port=local_port,
2175 external_port=external_port,
2176 proto=IP_PROTOS.tcp,
2180 # from client to server (both VRF1, no translation)
2182 Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac)
2183 / IP(src=self.pg6.remote_ip4, dst=self.pg5.remote_ip4)
2184 / TCP(sport=12348, dport=local_port)
2186 self.pg6.add_stream(p)
2187 self.pg_enable_capture(self.pg_interfaces)
2189 capture = self.pg5.get_capture(1)
2194 self.assertEqual(ip.dst, self.pg5.remote_ip4)
2195 self.assertEqual(tcp.dport, local_port)
2196 self.assert_packet_checksums_valid(p)
2198 self.logger.error(ppp("Unexpected or invalid packet:", p))
2201 # from server back to client (both VRF1, no translation)
2203 Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac)
2204 / IP(src=self.pg5.remote_ip4, dst=self.pg6.remote_ip4)
2205 / TCP(sport=local_port, dport=12348)
2207 self.pg5.add_stream(p)
2208 self.pg_enable_capture(self.pg_interfaces)
2210 capture = self.pg6.get_capture(1)
2215 self.assertEqual(ip.src, self.pg5.remote_ip4)
2216 self.assertEqual(tcp.sport, local_port)
2217 self.assert_packet_checksums_valid(p)
2219 self.logger.error(ppp("Unexpected or invalid packet:", p))
2222 # from client VRF1 to server VRF0 (no translation)
2224 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
2225 / IP(src=self.pg0.remote_ip4, dst=self.pg6.remote_ip4)
2226 / TCP(sport=local_port, dport=12349)
2228 self.pg0.add_stream(p)
2229 self.pg_enable_capture(self.pg_interfaces)
2231 capture = self.pg6.get_capture(1)
2236 self.assertEqual(ip.src, self.pg0.remote_ip4)
2237 self.assertEqual(tcp.sport, local_port)
2238 self.assert_packet_checksums_valid(p)
2240 self.logger.error(ppp("Unexpected or invalid packet:", p))
2243 # from server VRF0 back to client VRF1 (no translation)
2245 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
2246 / IP(src=self.pg0.remote_ip4, dst=self.pg6.remote_ip4)
2247 / TCP(sport=local_port, dport=12349)
2249 self.pg0.add_stream(p)
2250 self.pg_enable_capture(self.pg_interfaces)
2252 capture = self.pg6.get_capture(1)
2257 self.assertEqual(ip.src, self.pg0.remote_ip4)
2258 self.assertEqual(tcp.sport, local_port)
2259 self.assert_packet_checksums_valid(p)
2261 self.logger.error(ppp("Unexpected or invalid packet:", p))
2264 # from client VRF0 to server VRF1 (no translation)
2266 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
2267 / IP(src=self.pg0.remote_ip4, dst=self.pg5.remote_ip4)
2268 / TCP(sport=12344, dport=local_port)
2270 self.pg0.add_stream(p)
2271 self.pg_enable_capture(self.pg_interfaces)
2273 capture = self.pg5.get_capture(1)
2278 self.assertEqual(ip.dst, self.pg5.remote_ip4)
2279 self.assertEqual(tcp.dport, local_port)
2280 self.assert_packet_checksums_valid(p)
2282 self.logger.error(ppp("Unexpected or invalid packet:", p))
2285 # from server VRF1 back to client VRF0 (no translation)
2287 Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac)
2288 / IP(src=self.pg5.remote_ip4, dst=self.pg0.remote_ip4)
2289 / TCP(sport=local_port, dport=12344)
2291 self.pg5.add_stream(p)
2292 self.pg_enable_capture(self.pg_interfaces)
2294 capture = self.pg0.get_capture(1)
2299 self.assertEqual(ip.src, self.pg5.remote_ip4)
2300 self.assertEqual(tcp.sport, local_port)
2301 self.assert_packet_checksums_valid(p)
2303 self.logger.error(ppp("Unexpected or invalid packet:", p))
2306 def test_outside_address_distribution(self):
2307 """Outside address distribution based on source address"""
2312 for i in range(1, x):
2314 nat_addresses.append(a)
2316 self.nat_add_inside_interface(self.pg0)
2317 self.nat_add_outside_interface(self.pg1)
2319 self.vapi.nat44_add_del_address_range(
2320 first_ip_address=nat_addresses[0],
2321 last_ip_address=nat_addresses[-1],
2327 self.pg0.generate_remote_hosts(x)
2331 info = self.create_packet_info(self.pg0, self.pg1)
2332 payload = self.info_to_payload(info)
2334 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
2335 / IP(src=self.pg0.remote_hosts[i].ip4, dst=self.pg1.remote_ip4)
2336 / UDP(sport=7000 + i, dport=8000 + i)
2342 self.pg0.add_stream(pkts)
2343 self.pg_enable_capture(self.pg_interfaces)
2345 recvd = self.pg1.get_capture(len(pkts))
2346 for p_recvd in recvd:
2347 payload_info = self.payload_to_info(p_recvd[Raw])
2348 packet_index = payload_info.index
2349 info = self._packet_infos[packet_index]
2350 self.assertTrue(info is not None)
2351 self.assertEqual(packet_index, info.index)
2353 packed = socket.inet_aton(p_sent[IP].src)
2354 numeric = struct.unpack("!L", packed)[0]
2355 numeric = socket.htonl(numeric)
2356 a = nat_addresses[(numeric - 1) % len(nat_addresses)]
2360 "Invalid packet (src IP %s translated to %s, but expected %s)"
2361 % (p_sent[IP].src, p_recvd[IP].src, a),
2364 def test_dynamic_edge_ports(self):
2365 """NAT44ED dynamic translation test: edge ports"""
2367 worker_count = self.vpp_worker_count or 1
2369 port_per_thread = (65536 - port_offset) // worker_count
2370 port_count = port_per_thread * worker_count
2372 # worker thread edge ports
2373 thread_edge_ports = {0, port_offset - 1, 65535}
2374 for i in range(0, worker_count):
2375 port_thread_offset = (port_per_thread * i) + port_offset
2376 for port_range_offset in [0, port_per_thread - 1]:
2377 port = port_thread_offset + port_range_offset
2378 thread_edge_ports.add(port)
2379 thread_drop_ports = set(
2381 lambda x: x not in range(port_offset, port_offset + port_count),
2389 self.nat_add_address(self.nat_addr)
2392 self.configure_ip4_interface(in_if, hosts=worker_count)
2393 self.configure_ip4_interface(out_if)
2395 self.nat_add_inside_interface(in_if)
2396 self.nat_add_outside_interface(out_if)
2399 tc1 = self.statistics["/nat44-ed/in2out/slowpath/tcp"]
2400 uc1 = self.statistics["/nat44-ed/in2out/slowpath/udp"]
2401 ic1 = self.statistics["/nat44-ed/in2out/slowpath/icmp"]
2402 dc1 = self.statistics["/nat44-ed/in2out/slowpath/drops"]
2404 pkt_count = worker_count * len(thread_edge_ports)
2406 i2o_pkts = [[] for x in range(0, worker_count)]
2407 for i in range(0, worker_count):
2408 remote_host = in_if.remote_hosts[i]
2409 for port in thread_edge_ports:
2411 Ether(dst=in_if.local_mac, src=in_if.remote_mac)
2412 / IP(src=remote_host.ip4, dst=out_if.remote_ip4)
2413 / TCP(sport=port, dport=port)
2415 i2o_pkts[i].append(p)
2418 Ether(dst=in_if.local_mac, src=in_if.remote_mac)
2419 / IP(src=remote_host.ip4, dst=out_if.remote_ip4)
2420 / UDP(sport=port, dport=port)
2422 i2o_pkts[i].append(p)
2425 Ether(dst=in_if.local_mac, src=in_if.remote_mac)
2426 / IP(src=remote_host.ip4, dst=out_if.remote_ip4)
2427 / ICMP(id=port, seq=port, type="echo-request")
2429 i2o_pkts[i].append(p)
2431 for i in range(0, worker_count):
2432 if len(i2o_pkts[i]) > 0:
2433 in_if.add_stream(i2o_pkts[i], worker=i)
2435 self.pg_enable_capture(self.pg_interfaces)
2437 capture = out_if.get_capture(pkt_count * 3)
2438 for packet in capture:
2439 self.assert_packet_checksums_valid(packet)
2440 if packet.haslayer(TCP):
2441 self.assert_in_range(
2444 port_offset + port_count,
2447 elif packet.haslayer(UDP):
2448 self.assert_in_range(
2451 port_offset + port_count,
2454 elif packet.haslayer(ICMP):
2455 self.assert_in_range(
2458 port_offset + port_count,
2463 ppp("Unexpected or invalid packet (outside network):", packet)
2466 if_idx = in_if.sw_if_index
2467 tc2 = self.statistics["/nat44-ed/in2out/slowpath/tcp"]
2468 uc2 = self.statistics["/nat44-ed/in2out/slowpath/udp"]
2469 ic2 = self.statistics["/nat44-ed/in2out/slowpath/icmp"]
2470 dc2 = self.statistics["/nat44-ed/in2out/slowpath/drops"]
2472 self.assertEqual(tc2[:, if_idx].sum() - tc1[:, if_idx].sum(), pkt_count)
2473 self.assertEqual(uc2[:, if_idx].sum() - uc1[:, if_idx].sum(), pkt_count)
2474 self.assertEqual(ic2[:, if_idx].sum() - ic1[:, if_idx].sum(), pkt_count)
2475 self.assertEqual(dc2[:, if_idx].sum() - dc1[:, if_idx].sum(), 0)
2478 tc1 = self.statistics["/nat44-ed/out2in/fastpath/tcp"]
2479 uc1 = self.statistics["/nat44-ed/out2in/fastpath/udp"]
2480 ic1 = self.statistics["/nat44-ed/out2in/fastpath/icmp"]
2481 dc1 = self.statistics["/nat44-ed/out2in/fastpath/drops"]
2482 dc3 = self.statistics["/nat44-ed/out2in/slowpath/drops"]
2484 # replies to unchanged thread ports should pass on each worker,
2485 # excluding packets outside dynamic port range
2486 drop_count = worker_count * len(thread_drop_ports)
2487 pass_count = worker_count * len(thread_edge_ports) - drop_count
2489 o2i_pkts = [[] for x in range(0, worker_count)]
2490 for i in range(0, worker_count):
2491 for port in thread_edge_ports:
2493 Ether(dst=out_if.local_mac, src=out_if.remote_mac)
2494 / IP(src=out_if.remote_ip4, dst=self.nat_addr)
2495 / TCP(sport=port, dport=port)
2497 o2i_pkts[i].append(p)
2500 Ether(dst=out_if.local_mac, src=out_if.remote_mac)
2501 / IP(src=out_if.remote_ip4, dst=self.nat_addr)
2502 / UDP(sport=port, dport=port)
2504 o2i_pkts[i].append(p)
2507 Ether(dst=out_if.local_mac, src=out_if.remote_mac)
2508 / IP(src=out_if.remote_ip4, dst=self.nat_addr)
2509 / ICMP(id=port, seq=port, type="echo-reply")
2511 o2i_pkts[i].append(p)
2513 for i in range(0, worker_count):
2514 if len(o2i_pkts[i]) > 0:
2515 out_if.add_stream(o2i_pkts[i], worker=i)
2517 self.pg_enable_capture(self.pg_interfaces)
2519 capture = in_if.get_capture(pass_count * 3)
2520 for packet in capture:
2521 self.assert_packet_checksums_valid(packet)
2522 if packet.haslayer(TCP):
2523 self.assertIn(packet[TCP].dport, thread_edge_ports, "dst TCP port")
2524 self.assertEqual(packet[TCP].dport, packet[TCP].sport, "TCP ports")
2525 elif packet.haslayer(UDP):
2526 self.assertIn(packet[UDP].dport, thread_edge_ports, "dst UDP port")
2527 self.assertEqual(packet[UDP].dport, packet[UDP].sport, "UDP ports")
2528 elif packet.haslayer(ICMP):
2529 self.assertIn(packet[ICMP].id, thread_edge_ports, "ICMP id")
2530 self.assertEqual(packet[ICMP].id, packet[ICMP].seq, "ICMP id & seq")
2533 ppp("Unexpected or invalid packet (inside network):", packet)
2536 if_idx = out_if.sw_if_index
2537 tc2 = self.statistics["/nat44-ed/out2in/fastpath/tcp"]
2538 uc2 = self.statistics["/nat44-ed/out2in/fastpath/udp"]
2539 ic2 = self.statistics["/nat44-ed/out2in/fastpath/icmp"]
2540 dc2 = self.statistics["/nat44-ed/out2in/fastpath/drops"]
2541 dc4 = self.statistics["/nat44-ed/out2in/slowpath/drops"]
2543 self.assertEqual(tc2[:, if_idx].sum() - tc1[:, if_idx].sum(), pass_count)
2544 self.assertEqual(uc2[:, if_idx].sum() - uc1[:, if_idx].sum(), pass_count)
2545 self.assertEqual(ic2[:, if_idx].sum() - ic1[:, if_idx].sum(), pass_count)
2546 self.assertEqual(dc2[:, if_idx].sum() - dc1[:, if_idx].sum(), 0)
2548 dc4[:, if_idx].sum() - dc3[:, if_idx].sum(), drop_count * 3
2555 def test_delete_interface(self):
2556 """NAT44ED delete nat interface"""
2558 self.nat_add_address(self.nat_addr)
2560 interfaces = self.create_loopback_interfaces(4)
2561 self.nat_add_outside_interface(interfaces[0])
2562 self.nat_add_inside_interface(interfaces[1])
2563 self.nat_add_outside_interface(interfaces[2])
2564 self.nat_add_inside_interface(interfaces[2])
2565 self.vapi.nat44_ed_add_del_output_interface(
2566 sw_if_index=interfaces[3].sw_if_index, is_add=1
2569 nat_sw_if_indices = [
2571 for i in self.vapi.nat44_interface_dump()
2572 + list(self.vapi.vpp.details_iter(self.vapi.nat44_ed_output_interface_get))
2574 self.assertEqual(len(nat_sw_if_indices), len(interfaces))
2577 for i in interfaces:
2578 # delete nat-enabled interface
2579 self.assertIn(i.sw_if_index, nat_sw_if_indices)
2580 i.remove_vpp_config()
2582 # create interface with the same index
2583 lo = VppLoInterface(self)
2584 loopbacks.append(lo)
2585 self.assertEqual(lo.sw_if_index, i.sw_if_index)
2587 # check interface is not nat-enabled
2588 nat_sw_if_indices = [
2590 for i in self.vapi.nat44_interface_dump()
2592 self.vapi.vpp.details_iter(self.vapi.nat44_ed_output_interface_get)
2595 self.assertNotIn(lo.sw_if_index, nat_sw_if_indices)
2598 i.remove_vpp_config()
2601 @tag_fixme_ubuntu2204
2602 class TestNAT44EDMW(TestNAT44ED):
2603 """NAT44ED MW Test Case"""
2605 vpp_worker_count = 4
2608 def test_dynamic(self):
2609 """NAT44ED dynamic translation test"""
2611 tcp_port_offset = 20
2612 udp_port_offset = 20
2615 self.nat_add_address(self.nat_addr)
2616 self.nat_add_inside_interface(self.pg0)
2617 self.nat_add_outside_interface(self.pg1)
2620 tc1 = self.statistics["/nat44-ed/in2out/slowpath/tcp"]
2621 uc1 = self.statistics["/nat44-ed/in2out/slowpath/udp"]
2622 ic1 = self.statistics["/nat44-ed/in2out/slowpath/icmp"]
2623 dc1 = self.statistics["/nat44-ed/in2out/slowpath/drops"]
2625 i2o_pkts = [[] for x in range(0, self.vpp_worker_count)]
2627 for i in range(pkt_count):
2629 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
2630 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
2631 / TCP(sport=tcp_port_offset + i, dport=20)
2633 i2o_pkts[p[TCP].sport % self.vpp_worker_count].append(p)
2636 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
2637 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
2638 / UDP(sport=udp_port_offset + i, dport=20)
2640 i2o_pkts[p[UDP].sport % self.vpp_worker_count].append(p)
2643 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
2644 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
2645 / ICMP(id=icmp_id_offset + i, type="echo-request")
2647 i2o_pkts[p[ICMP].id % self.vpp_worker_count].append(p)
2649 for i in range(0, self.vpp_worker_count):
2650 if len(i2o_pkts[i]) > 0:
2651 self.pg0.add_stream(i2o_pkts[i], worker=i)
2653 self.pg_enable_capture(self.pg_interfaces)
2655 capture = self.pg1.get_capture(pkt_count * 3, timeout=5)
2657 if_idx = self.pg0.sw_if_index
2658 tc2 = self.statistics["/nat44-ed/in2out/slowpath/tcp"]
2659 uc2 = self.statistics["/nat44-ed/in2out/slowpath/udp"]
2660 ic2 = self.statistics["/nat44-ed/in2out/slowpath/icmp"]
2661 dc2 = self.statistics["/nat44-ed/in2out/slowpath/drops"]
2663 self.assertEqual(tc2[:, if_idx].sum() - tc1[:, if_idx].sum(), pkt_count)
2664 self.assertEqual(uc2[:, if_idx].sum() - uc1[:, if_idx].sum(), pkt_count)
2665 self.assertEqual(ic2[:, if_idx].sum() - ic1[:, if_idx].sum(), pkt_count)
2666 self.assertEqual(dc2[:, if_idx].sum() - dc1[:, if_idx].sum(), 0)
2668 self.logger.info(self.vapi.cli("show trace"))
2671 tc1 = self.statistics["/nat44-ed/out2in/fastpath/tcp"]
2672 uc1 = self.statistics["/nat44-ed/out2in/fastpath/udp"]
2673 ic1 = self.statistics["/nat44-ed/out2in/fastpath/icmp"]
2674 dc1 = self.statistics["/nat44-ed/out2in/fastpath/drops"]
2676 recvd_tcp_ports = set()
2677 recvd_udp_ports = set()
2678 recvd_icmp_ids = set()
2682 recvd_tcp_ports.add(p[TCP].sport)
2684 recvd_udp_ports.add(p[UDP].sport)
2686 recvd_icmp_ids.add(p[ICMP].id)
2688 recvd_tcp_ports = list(recvd_tcp_ports)
2689 recvd_udp_ports = list(recvd_udp_ports)
2690 recvd_icmp_ids = list(recvd_icmp_ids)
2692 o2i_pkts = [[] for x in range(0, self.vpp_worker_count)]
2693 for i in range(pkt_count):
2695 Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
2696 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
2697 / TCP(dport=choice(recvd_tcp_ports), sport=20)
2699 o2i_pkts[p[TCP].dport % self.vpp_worker_count].append(p)
2702 Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
2703 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
2704 / UDP(dport=choice(recvd_udp_ports), sport=20)
2706 o2i_pkts[p[UDP].dport % self.vpp_worker_count].append(p)
2709 Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
2710 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
2711 / ICMP(id=choice(recvd_icmp_ids), type="echo-reply")
2713 o2i_pkts[p[ICMP].id % self.vpp_worker_count].append(p)
2715 for i in range(0, self.vpp_worker_count):
2716 if len(o2i_pkts[i]) > 0:
2717 self.pg1.add_stream(o2i_pkts[i], worker=i)
2719 self.pg_enable_capture(self.pg_interfaces)
2721 capture = self.pg0.get_capture(pkt_count * 3)
2722 for packet in capture:
2724 self.assert_packet_checksums_valid(packet)
2725 self.assertEqual(packet[IP].dst, self.pg0.remote_ip4)
2726 if packet.haslayer(TCP):
2727 self.assert_in_range(
2730 tcp_port_offset + pkt_count,
2733 elif packet.haslayer(UDP):
2734 self.assert_in_range(
2737 udp_port_offset + pkt_count,
2741 self.assert_in_range(
2744 icmp_id_offset + pkt_count,
2749 ppp("Unexpected or invalid packet (inside network):", packet)
2753 if_idx = self.pg1.sw_if_index
2754 tc2 = self.statistics["/nat44-ed/out2in/fastpath/tcp"]
2755 uc2 = self.statistics["/nat44-ed/out2in/fastpath/udp"]
2756 ic2 = self.statistics["/nat44-ed/out2in/fastpath/icmp"]
2757 dc2 = self.statistics["/nat44-ed/out2in/fastpath/drops"]
2759 self.assertEqual(tc2[:, if_idx].sum() - tc1[:, if_idx].sum(), pkt_count)
2760 self.assertEqual(uc2[:, if_idx].sum() - uc1[:, if_idx].sum(), pkt_count)
2761 self.assertEqual(ic2[:, if_idx].sum() - ic1[:, if_idx].sum(), pkt_count)
2762 self.assertEqual(dc2[:, if_idx].sum() - dc1[:, if_idx].sum(), 0)
2764 sc = self.statistics["/nat44-ed/total-sessions"]
2767 len(recvd_tcp_ports) + len(recvd_udp_ports) + len(recvd_icmp_ids),
2770 def test_frag_in_order(self):
2771 """NAT44ED translate fragments arriving in order"""
2773 self.nat_add_address(self.nat_addr)
2774 self.nat_add_inside_interface(self.pg0)
2775 self.nat_add_outside_interface(self.pg1)
2777 self.frag_in_order(proto=IP_PROTOS.tcp, ignore_port=True)
2778 self.frag_in_order(proto=IP_PROTOS.udp, ignore_port=True)
2779 self.frag_in_order(proto=IP_PROTOS.icmp, ignore_port=True)
2781 def test_frag_in_order_do_not_translate(self):
2782 """NAT44ED don't translate fragments arriving in order"""
2784 self.nat_add_address(self.nat_addr)
2785 self.nat_add_inside_interface(self.pg0)
2786 self.nat_add_outside_interface(self.pg1)
2787 self.vapi.nat44_forwarding_enable_disable(enable=True)
2789 self.frag_in_order(proto=IP_PROTOS.tcp, dont_translate=True)
2791 def test_frag_out_of_order(self):
2792 """NAT44ED translate fragments arriving out of order"""
2794 self.nat_add_address(self.nat_addr)
2795 self.nat_add_inside_interface(self.pg0)
2796 self.nat_add_outside_interface(self.pg1)
2798 self.frag_out_of_order(proto=IP_PROTOS.tcp, ignore_port=True)
2799 self.frag_out_of_order(proto=IP_PROTOS.udp, ignore_port=True)
2800 self.frag_out_of_order(proto=IP_PROTOS.icmp, ignore_port=True)
2802 def test_frag_in_order_in_plus_out(self):
2803 """NAT44ED in+out interface fragments in order"""
2805 in_port = self.random_port()
2806 out_port = self.random_port()
2808 self.nat_add_address(self.nat_addr)
2809 self.nat_add_inside_interface(self.pg0)
2810 self.nat_add_outside_interface(self.pg0)
2811 self.nat_add_inside_interface(self.pg1)
2812 self.nat_add_outside_interface(self.pg1)
2814 # add static mappings for server
2815 self.nat_add_static_mapping(
2816 self.server_addr, self.nat_addr, in_port, out_port, proto=IP_PROTOS.tcp
2818 self.nat_add_static_mapping(
2819 self.server_addr, self.nat_addr, in_port, out_port, proto=IP_PROTOS.udp
2821 self.nat_add_static_mapping(
2822 self.server_addr, self.nat_addr, proto=IP_PROTOS.icmp
2825 # run tests for each protocol
2826 self.frag_in_order_in_plus_out(
2827 self.server_addr, self.nat_addr, in_port, out_port, IP_PROTOS.tcp
2829 self.frag_in_order_in_plus_out(
2830 self.server_addr, self.nat_addr, in_port, out_port, IP_PROTOS.udp
2832 self.frag_in_order_in_plus_out(
2833 self.server_addr, self.nat_addr, in_port, out_port, IP_PROTOS.icmp
2836 def test_frag_out_of_order_in_plus_out(self):
2837 """NAT44ED in+out interface fragments out of order"""
2839 in_port = self.random_port()
2840 out_port = self.random_port()
2842 self.nat_add_address(self.nat_addr)
2843 self.nat_add_inside_interface(self.pg0)
2844 self.nat_add_outside_interface(self.pg0)
2845 self.nat_add_inside_interface(self.pg1)
2846 self.nat_add_outside_interface(self.pg1)
2848 # add static mappings for server
2849 self.nat_add_static_mapping(
2850 self.server_addr, self.nat_addr, in_port, out_port, proto=IP_PROTOS.tcp
2852 self.nat_add_static_mapping(
2853 self.server_addr, self.nat_addr, in_port, out_port, proto=IP_PROTOS.udp
2855 self.nat_add_static_mapping(
2856 self.server_addr, self.nat_addr, proto=IP_PROTOS.icmp
2859 # run tests for each protocol
2860 self.frag_out_of_order_in_plus_out(
2861 self.server_addr, self.nat_addr, in_port, out_port, IP_PROTOS.tcp
2863 self.frag_out_of_order_in_plus_out(
2864 self.server_addr, self.nat_addr, in_port, out_port, IP_PROTOS.udp
2866 self.frag_out_of_order_in_plus_out(
2867 self.server_addr, self.nat_addr, in_port, out_port, IP_PROTOS.icmp
2870 def test_reass_hairpinning(self):
2871 """NAT44ED fragments hairpinning"""
2873 server_addr = self.pg0.remote_hosts[1].ip4
2875 host_in_port = self.random_port()
2876 server_in_port = self.random_port()
2877 server_out_port = self.random_port()
2879 self.nat_add_address(self.nat_addr)
2880 self.nat_add_inside_interface(self.pg0)
2881 self.nat_add_outside_interface(self.pg1)
2883 # add static mapping for server
2884 self.nat_add_static_mapping(
2889 proto=IP_PROTOS.tcp,
2891 self.nat_add_static_mapping(
2896 proto=IP_PROTOS.udp,
2898 self.nat_add_static_mapping(server_addr, self.nat_addr)
2900 self.reass_hairpinning(
2905 proto=IP_PROTOS.tcp,
2908 self.reass_hairpinning(
2913 proto=IP_PROTOS.udp,
2916 self.reass_hairpinning(
2921 proto=IP_PROTOS.icmp,
2925 def test_session_limit_per_vrf(self):
2926 """NAT44ED per vrf session limit"""
2929 inside_vrf10 = self.pg2
2934 # 2 interfaces pg0, pg1 (vrf10, limit 1 tcp session)
2935 # non existing vrf_id makes process core dump
2936 self.vapi.nat44_set_session_limit(session_limit=limit, vrf_id=10)
2938 self.nat_add_inside_interface(inside)
2939 self.nat_add_inside_interface(inside_vrf10)
2940 self.nat_add_outside_interface(outside)
2943 self.nat_add_interface_address(outside)
2945 # BUG: causing core dump - when bad vrf_id is specified
2946 # self.nat_add_address(outside.local_ip4, vrf_id=20)
2948 stream = self.create_tcp_stream(inside_vrf10, outside, limit * 2)
2949 inside_vrf10.add_stream(stream)
2951 self.pg_enable_capture(self.pg_interfaces)
2954 capture = outside.get_capture(limit)
2956 stream = self.create_tcp_stream(inside, outside, limit * 2)
2957 inside.add_stream(stream)
2959 self.pg_enable_capture(self.pg_interfaces)
2962 capture = outside.get_capture(len(stream))
2964 def test_show_max_translations(self):
2965 """NAT44ED API test - max translations per thread"""
2966 config = self.vapi.nat44_show_running_config()
2967 self.assertEqual(self.max_sessions, config.sessions)
2969 def test_lru_cleanup(self):
2970 """NAT44ED LRU cleanup algorithm"""
2972 self.nat_add_address(self.nat_addr)
2973 self.nat_add_inside_interface(self.pg0)
2974 self.nat_add_outside_interface(self.pg1)
2976 self.vapi.nat_set_timeouts(
2977 udp=1, tcp_established=7440, tcp_transitory=30, icmp=1
2980 tcp_port_out = self.init_tcp_session(self.pg0, self.pg1, 2000, 80)
2982 for i in range(0, self.max_sessions - 1):
2984 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
2985 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4, ttl=64)
2986 / UDP(sport=7000 + i, dport=80)
2990 self.pg0.add_stream(pkts)
2991 self.pg_enable_capture(self.pg_interfaces)
2993 self.pg1.get_capture(len(pkts))
2994 self.virtual_sleep(1.5, "wait for timeouts")
2997 for i in range(0, self.max_sessions - 1):
2999 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
3000 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4, ttl=64)
3001 / ICMP(id=8000 + i, type="echo-request")
3005 self.pg0.add_stream(pkts)
3006 self.pg_enable_capture(self.pg_interfaces)
3008 self.pg1.get_capture(len(pkts))
3010 def test_session_rst_timeout(self):
3011 """NAT44ED session RST timeouts"""
3013 self.nat_add_address(self.nat_addr)
3014 self.nat_add_inside_interface(self.pg0)
3015 self.nat_add_outside_interface(self.pg1)
3017 self.vapi.nat_set_timeouts(
3018 udp=300, tcp_established=7440, tcp_transitory=5, icmp=60
3021 self.init_tcp_session(
3022 self.pg0, self.pg1, self.tcp_port_in, self.tcp_external_port
3025 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3026 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3027 / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, flags="R")
3029 self.send_and_expect(self.pg0, p, self.pg1)
3031 self.virtual_sleep(6)
3033 # The session is already closed
3035 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3036 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3037 / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, flags="P")
3039 self.send_and_assert_no_replies(self.pg0, p, self.pg1)
3041 # The session can be re-opened
3043 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3044 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3045 / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, flags="S")
3047 self.send_and_expect(self.pg0, p, self.pg1)
3049 def test_session_rst_established_timeout(self):
3050 """NAT44ED session RST timeouts"""
3052 self.nat_add_address(self.nat_addr)
3053 self.nat_add_inside_interface(self.pg0)
3054 self.nat_add_outside_interface(self.pg1)
3056 self.vapi.nat_set_timeouts(
3057 udp=300, tcp_established=7440, tcp_transitory=5, icmp=60
3060 self.init_tcp_session(
3061 self.pg0, self.pg1, self.tcp_port_in, self.tcp_external_port
3064 # Wait at least the transitory time, the session is in established
3065 # state anyway. RST followed by a data packet should move it to
3067 self.virtual_sleep(6)
3069 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3070 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3071 / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, flags="R")
3073 self.send_and_expect(self.pg0, p, self.pg1)
3076 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3077 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3078 / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, flags="P")
3080 self.send_and_expect(self.pg0, p, self.pg1)
3082 # State is transitory, session should be closed after 6 seconds
3083 self.virtual_sleep(6)
3086 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3087 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3088 / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, flags="P")
3090 self.send_and_assert_no_replies(self.pg0, p, self.pg1)
3092 def test_dynamic_out_of_ports(self):
3093 """NAT44ED dynamic translation test: out of ports"""
3095 self.nat_add_inside_interface(self.pg0)
3096 self.nat_add_outside_interface(self.pg1)
3098 # in2out and no NAT addresses added
3099 pkts = self.create_stream_in(self.pg0, self.pg1)
3101 self.send_and_assert_no_replies(
3105 stats_diff=self.no_diff
3108 "/err/nat44-ed-in2out-slowpath/out of ports": len(pkts),
3110 self.pg0.sw_if_index: {
3111 "/nat44-ed/in2out/slowpath/drops": len(pkts),
3116 # in2out after NAT addresses added
3117 self.nat_add_address(self.nat_addr)
3119 tcpn, udpn, icmpn = (
3120 sum(x) for x in zip(*((TCP in p, UDP in p, ICMP in p) for p in pkts))
3123 self.send_and_expect(
3128 stats_diff=self.no_diff
3131 "/err/nat44-ed-in2out-slowpath/out of ports": 0,
3133 self.pg0.sw_if_index: {
3134 "/nat44-ed/in2out/slowpath/drops": 0,
3135 "/nat44-ed/in2out/slowpath/tcp": tcpn,
3136 "/nat44-ed/in2out/slowpath/udp": udpn,
3137 "/nat44-ed/in2out/slowpath/icmp": icmpn,
3142 def test_unknown_proto(self):
3143 """NAT44ED translate packet with unknown protocol"""
3145 self.nat_add_address(self.nat_addr)
3146 self.nat_add_inside_interface(self.pg0)
3147 self.nat_add_outside_interface(self.pg1)
3151 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
3152 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3153 / TCP(sport=self.tcp_port_in, dport=20)
3155 self.pg0.add_stream(p)
3156 self.pg_enable_capture(self.pg_interfaces)
3158 p = self.pg1.get_capture(1)
3161 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
3162 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3164 / IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4)
3165 / TCP(sport=1234, dport=1234)
3167 self.pg0.add_stream(p)
3168 self.pg_enable_capture(self.pg_interfaces)
3170 p = self.pg1.get_capture(1)
3173 self.assertEqual(packet[IP].src, self.nat_addr)
3174 self.assertEqual(packet[IP].dst, self.pg1.remote_ip4)
3175 self.assertEqual(packet.haslayer(GRE), 1)
3176 self.assert_packet_checksums_valid(packet)
3178 self.logger.error(ppp("Unexpected or invalid packet:", packet))
3183 Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
3184 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
3186 / IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4)
3187 / TCP(sport=1234, dport=1234)
3189 self.pg1.add_stream(p)
3190 self.pg_enable_capture(self.pg_interfaces)
3192 p = self.pg0.get_capture(1)
3195 self.assertEqual(packet[IP].src, self.pg1.remote_ip4)
3196 self.assertEqual(packet[IP].dst, self.pg0.remote_ip4)
3197 self.assertEqual(packet.haslayer(GRE), 1)
3198 self.assert_packet_checksums_valid(packet)
3200 self.logger.error(ppp("Unexpected or invalid packet:", packet))
3203 def test_hairpinning_unknown_proto(self):
3204 """NAT44ED translate packet with unknown protocol - hairpinning"""
3205 host = self.pg0.remote_hosts[0]
3206 server = self.pg0.remote_hosts[1]
3208 server_out_port = 8765
3209 server_nat_ip = "10.0.0.11"
3211 self.nat_add_address(self.nat_addr)
3212 self.nat_add_inside_interface(self.pg0)
3213 self.nat_add_outside_interface(self.pg1)
3215 # add static mapping for server
3216 self.nat_add_static_mapping(server.ip4, server_nat_ip)
3220 Ether(src=host.mac, dst=self.pg0.local_mac)
3221 / IP(src=host.ip4, dst=server_nat_ip)
3222 / TCP(sport=host_in_port, dport=server_out_port)
3224 self.pg0.add_stream(p)
3225 self.pg_enable_capture(self.pg_interfaces)
3227 self.pg0.get_capture(1)
3230 Ether(dst=self.pg0.local_mac, src=host.mac)
3231 / IP(src=host.ip4, dst=server_nat_ip)
3233 / IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4)
3234 / TCP(sport=1234, dport=1234)
3236 self.pg0.add_stream(p)
3237 self.pg_enable_capture(self.pg_interfaces)
3239 p = self.pg0.get_capture(1)
3242 self.assertEqual(packet[IP].src, self.nat_addr)
3243 self.assertEqual(packet[IP].dst, server.ip4)
3244 self.assertEqual(packet.haslayer(GRE), 1)
3245 self.assert_packet_checksums_valid(packet)
3247 self.logger.error(ppp("Unexpected or invalid packet:", packet))
3252 Ether(dst=self.pg0.local_mac, src=server.mac)
3253 / IP(src=server.ip4, dst=self.nat_addr)
3255 / IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4)
3256 / TCP(sport=1234, dport=1234)
3258 self.pg0.add_stream(p)
3259 self.pg_enable_capture(self.pg_interfaces)
3261 p = self.pg0.get_capture(1)
3264 self.assertEqual(packet[IP].src, server_nat_ip)
3265 self.assertEqual(packet[IP].dst, host.ip4)
3266 self.assertEqual(packet.haslayer(GRE), 1)
3267 self.assert_packet_checksums_valid(packet)
3269 self.logger.error(ppp("Unexpected or invalid packet:", packet))
3272 def test_output_feature_and_service(self):
3273 """NAT44ED interface output feature and services"""
3274 external_addr = "1.2.3.4"
3278 self.vapi.nat44_forwarding_enable_disable(enable=1)
3279 self.nat_add_address(self.nat_addr)
3280 flags = self.config_flags.NAT_IS_ADDR_ONLY
3281 self.vapi.nat44_add_del_identity_mapping(
3282 ip_address=self.pg1.remote_ip4,
3283 sw_if_index=0xFFFFFFFF,
3287 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
3288 self.nat_add_static_mapping(
3289 self.pg0.remote_ip4,
3293 proto=IP_PROTOS.tcp,
3297 self.nat_add_inside_interface(self.pg0)
3298 self.nat_add_outside_interface(self.pg0)
3299 self.vapi.nat44_ed_add_del_output_interface(
3300 sw_if_index=self.pg1.sw_if_index, is_add=1
3303 # from client to service
3305 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3306 / IP(src=self.pg1.remote_ip4, dst=external_addr)
3307 / TCP(sport=12345, dport=external_port)
3309 self.pg1.add_stream(p)
3310 self.pg_enable_capture(self.pg_interfaces)
3312 capture = self.pg0.get_capture(1)
3317 self.assertEqual(ip.dst, self.pg0.remote_ip4)
3318 self.assertEqual(tcp.dport, local_port)
3319 self.assert_packet_checksums_valid(p)
3321 self.logger.error(ppp("Unexpected or invalid packet:", p))
3324 # from service back to client
3326 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3327 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3328 / TCP(sport=local_port, dport=12345)
3330 self.pg0.add_stream(p)
3331 self.pg_enable_capture(self.pg_interfaces)
3333 capture = self.pg1.get_capture(1)
3338 self.assertEqual(ip.src, external_addr)
3339 self.assertEqual(tcp.sport, external_port)
3340 self.assert_packet_checksums_valid(p)
3342 self.logger.error(ppp("Unexpected or invalid packet:", p))
3345 # from local network host to external network
3346 pkts = self.create_stream_in(self.pg0, self.pg1)
3347 self.pg0.add_stream(pkts)
3348 self.pg_enable_capture(self.pg_interfaces)
3350 capture = self.pg1.get_capture(len(pkts))
3351 self.verify_capture_out(capture, ignore_port=True)
3352 pkts = self.create_stream_in(self.pg0, self.pg1)
3353 self.pg0.add_stream(pkts)
3354 self.pg_enable_capture(self.pg_interfaces)
3356 capture = self.pg1.get_capture(len(pkts))
3357 self.verify_capture_out(capture, ignore_port=True)
3359 # from external network back to local network host
3360 pkts = self.create_stream_out(self.pg1)
3361 self.pg1.add_stream(pkts)
3362 self.pg_enable_capture(self.pg_interfaces)
3364 capture = self.pg0.get_capture(len(pkts))
3365 self.verify_capture_in(capture, self.pg0)
3367 def test_output_feature_and_service3(self):
3368 """NAT44ED interface output feature and DST NAT"""
3369 external_addr = "1.2.3.4"
3373 self.vapi.nat44_forwarding_enable_disable(enable=1)
3374 self.nat_add_address(self.nat_addr)
3375 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
3376 self.nat_add_static_mapping(
3377 self.pg1.remote_ip4,
3381 proto=IP_PROTOS.tcp,
3385 self.nat_add_inside_interface(self.pg0)
3386 self.nat_add_outside_interface(self.pg0)
3387 self.vapi.nat44_ed_add_del_output_interface(
3388 sw_if_index=self.pg1.sw_if_index, is_add=1
3392 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3393 / IP(src=self.pg0.remote_ip4, dst=external_addr)
3394 / TCP(sport=12345, dport=external_port)
3396 self.pg0.add_stream(p)
3397 self.pg_enable_capture(self.pg_interfaces)
3399 capture = self.pg1.get_capture(1)
3404 self.assertEqual(ip.src, self.pg0.remote_ip4)
3405 self.assertEqual(tcp.sport, 12345)
3406 self.assertEqual(ip.dst, self.pg1.remote_ip4)
3407 self.assertEqual(tcp.dport, local_port)
3408 self.assert_packet_checksums_valid(p)
3410 self.logger.error(ppp("Unexpected or invalid packet:", p))
3414 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3415 / IP(src=self.pg1.remote_ip4, dst=self.pg0.remote_ip4)
3416 / TCP(sport=local_port, dport=12345)
3418 self.pg1.add_stream(p)
3419 self.pg_enable_capture(self.pg_interfaces)
3421 capture = self.pg0.get_capture(1)
3426 self.assertEqual(ip.src, external_addr)
3427 self.assertEqual(tcp.sport, external_port)
3428 self.assertEqual(ip.dst, self.pg0.remote_ip4)
3429 self.assertEqual(tcp.dport, 12345)
3430 self.assert_packet_checksums_valid(p)
3432 self.logger.error(ppp("Unexpected or invalid packet:", p))
3435 def test_self_twice_nat_lb_negative(self):
3436 """NAT44ED Self Twice NAT local service load balancing (negative test)"""
3437 self.twice_nat_common(lb=True, self_twice_nat=True, same_pg=True, client_id=2)
3439 def test_self_twice_nat_negative(self):
3440 """NAT44ED Self Twice NAT (negative test)"""
3441 self.twice_nat_common(self_twice_nat=True)
3443 def test_static_lb_multi_clients(self):
3444 """NAT44ED local service load balancing - multiple clients"""
3446 external_addr = self.nat_addr
3449 server1 = self.pg0.remote_hosts[0]
3450 server2 = self.pg0.remote_hosts[1]
3451 server3 = self.pg0.remote_hosts[2]
3454 {"addr": server1.ip4, "port": local_port, "probability": 90, "vrf_id": 0},
3455 {"addr": server2.ip4, "port": local_port, "probability": 10, "vrf_id": 0},
3458 flags = self.config_flags.NAT_IS_INSIDE
3459 self.vapi.nat44_interface_add_del_feature(
3460 sw_if_index=self.pg0.sw_if_index, flags=flags, is_add=1
3462 self.vapi.nat44_interface_add_del_feature(
3463 sw_if_index=self.pg1.sw_if_index, is_add=1
3466 self.nat_add_address(self.nat_addr)
3467 self.vapi.nat44_add_del_lb_static_mapping(
3469 external_addr=external_addr,
3470 external_port=external_port,
3471 protocol=IP_PROTOS.tcp,
3472 local_num=len(locals),
3478 clients = ip4_range(self.pg1.remote_ip4, 10, 50)
3480 for client in clients:
3482 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3483 / IP(src=client, dst=self.nat_addr)
3484 / TCP(sport=12345, dport=external_port)
3487 self.pg1.add_stream(pkts)
3488 self.pg_enable_capture(self.pg_interfaces)
3490 capture = self.pg0.get_capture(len(pkts))
3492 if p[IP].dst == server1.ip4:
3496 self.assertGreaterEqual(server1_n, server2_n)
3499 "addr": server3.ip4,
3506 self.vapi.nat44_lb_static_mapping_add_del_local(
3508 external_addr=external_addr,
3509 external_port=external_port,
3511 protocol=IP_PROTOS.tcp,
3516 clients = ip4_range(self.pg1.remote_ip4, 60, 110)
3518 for client in clients:
3520 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3521 / IP(src=client, dst=self.nat_addr)
3522 / TCP(sport=12346, dport=external_port)
3525 self.assertGreater(len(pkts), 0)
3526 self.pg1.add_stream(pkts)
3527 self.pg_enable_capture(self.pg_interfaces)
3529 capture = self.pg0.get_capture(len(pkts))
3531 if p[IP].dst == server1.ip4:
3533 elif p[IP].dst == server2.ip4:
3537 self.assertGreater(server1_n, 0)
3538 self.assertGreater(server2_n, 0)
3539 self.assertGreater(server3_n, 0)
3542 "addr": server2.ip4,
3548 # remove one back-end
3549 self.vapi.nat44_lb_static_mapping_add_del_local(
3551 external_addr=external_addr,
3552 external_port=external_port,
3554 protocol=IP_PROTOS.tcp,
3559 self.pg1.add_stream(pkts)
3560 self.pg_enable_capture(self.pg_interfaces)
3562 capture = self.pg0.get_capture(len(pkts))
3564 if p[IP].dst == server1.ip4:
3566 elif p[IP].dst == server2.ip4:
3570 self.assertGreater(server1_n, 0)
3571 self.assertEqual(server2_n, 0)
3572 self.assertGreater(server3_n, 0)
3574 # put zzz in front of syslog test name so that it runs as a last test
3575 # setting syslog sender cannot be undone and if it is set, it messes
3576 # with self.send_and_assert_no_replies functionality
3577 def test_zzz_syslog_sess(self):
3578 """NAT44ED Test syslog session creation and deletion"""
3579 self.vapi.syslog_set_filter(self.syslog_severity.SYSLOG_API_SEVERITY_INFO)
3580 self.vapi.syslog_set_sender(self.pg3.local_ip4, self.pg3.remote_ip4)
3582 self.nat_add_address(self.nat_addr)
3583 self.nat_add_inside_interface(self.pg0)
3584 self.nat_add_outside_interface(self.pg1)
3587 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
3588 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3589 / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port)
3591 self.pg0.add_stream(p)
3592 self.pg_enable_capture(self.pg_interfaces)
3594 capture = self.pg1.get_capture(1)
3595 self.tcp_port_out = capture[0][TCP].sport
3596 capture = self.pg3.get_capture(1)
3597 self.verify_syslog_sess(capture[0][Raw].load, "SADD")
3599 self.pg_enable_capture(self.pg_interfaces)
3601 self.nat_add_address(self.nat_addr, is_add=0)
3602 capture = self.pg3.get_capture(1)
3603 self.verify_syslog_sess(capture[0][Raw].load, "SDEL")
3605 # put zzz in front of syslog test name so that it runs as a last test
3606 # setting syslog sender cannot be undone and if it is set, it messes
3607 # with self.send_and_assert_no_replies functionality
3608 def test_zzz_syslog_sess_reopen(self):
3609 """Syslog events for session reopen"""
3610 self.vapi.syslog_set_filter(self.syslog_severity.SYSLOG_API_SEVERITY_INFO)
3611 self.vapi.syslog_set_sender(self.pg3.local_ip4, self.pg3.remote_ip4)
3613 self.nat_add_address(self.nat_addr)
3614 self.nat_add_inside_interface(self.pg0)
3615 self.nat_add_outside_interface(self.pg1)
3619 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
3620 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3621 / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port)
3623 capture = self.send_and_expect(self.pg0, p, self.pg1)[0]
3624 self.tcp_port_out = capture[0][TCP].sport
3625 capture = self.pg3.get_capture(1)
3626 self.verify_syslog_sess(capture[0][Raw].load, "SADD")
3630 Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
3631 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
3632 / TCP(sport=self.tcp_external_port, dport=self.tcp_port_out, flags="SA")
3634 self.send_and_expect(self.pg1, p, self.pg0)
3637 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
3638 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3639 / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, flags="A")
3641 self.send_and_expect(self.pg0, p, self.pg1)
3645 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
3646 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3647 / TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, flags="F")
3649 self.send_and_expect(self.pg0, p, self.pg1)
3653 Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
3654 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
3655 / TCP(sport=self.tcp_external_port, dport=self.tcp_port_out, flags="F")
3657 self.send_and_expect(self.pg1, p, self.pg0)
3659 self.init_tcp_session(
3660 self.pg0, self.pg1, self.tcp_port_in, self.tcp_external_port
3663 # 2 records should be produced - first one del & add
3664 capture = self.pg3.get_capture(2)
3665 self.verify_syslog_sess(capture[0][Raw].load, "SDEL")
3666 self.verify_syslog_sess(capture[1][Raw].load, "SADD")
3668 def test_twice_nat_interface_addr(self):
3669 """NAT44ED Acquire twice NAT addresses from interface"""
3670 flags = self.config_flags.NAT_IS_TWICE_NAT
3671 self.vapi.nat44_add_del_interface_addr(
3672 sw_if_index=self.pg11.sw_if_index, flags=flags, is_add=1
3675 # no address in NAT pool
3676 adresses = self.vapi.nat44_address_dump()
3677 self.assertEqual(0, len(adresses))
3679 # configure interface address and check NAT address pool
3680 self.pg11.config_ip4()
3681 adresses = self.vapi.nat44_address_dump()
3682 self.assertEqual(1, len(adresses))
3683 self.assertEqual(str(adresses[0].ip_address), self.pg11.local_ip4)
3684 self.assertEqual(adresses[0].flags, flags)
3686 # remove interface address and check NAT address pool
3687 self.pg11.unconfig_ip4()
3688 adresses = self.vapi.nat44_address_dump()
3689 self.assertEqual(0, len(adresses))
3691 def test_output_feature_stateful_acl(self):
3692 """NAT44ED output feature works with stateful ACL"""
3694 self.nat_add_address(self.nat_addr)
3695 self.vapi.nat44_ed_add_del_output_interface(
3696 sw_if_index=self.pg1.sw_if_index, is_add=1
3699 # First ensure that the NAT is working sans ACL
3701 # send packets out2in, no sessions yet so packets should drop
3702 pkts_out2in = self.create_stream_out(self.pg1)
3703 self.send_and_assert_no_replies(self.pg1, pkts_out2in)
3705 # send packets into inside intf, ensure received via outside intf
3706 pkts_in2out = self.create_stream_in(self.pg0, self.pg1)
3707 capture = self.send_and_expect(
3708 self.pg0, pkts_in2out, self.pg1, len(pkts_in2out)
3710 self.verify_capture_out(capture, ignore_port=True)
3712 # send out2in again, with sessions created it should work now
3713 pkts_out2in = self.create_stream_out(self.pg1)
3714 capture = self.send_and_expect(
3715 self.pg1, pkts_out2in, self.pg0, len(pkts_out2in)
3717 self.verify_capture_in(capture, self.pg0)
3719 # Create an ACL blocking everything
3720 out2in_deny_rule = AclRule(is_permit=0)
3721 out2in_acl = VppAcl(self, rules=[out2in_deny_rule])
3722 out2in_acl.add_vpp_config()
3724 # create an ACL to permit/reflect everything
3725 in2out_reflect_rule = AclRule(is_permit=2)
3726 in2out_acl = VppAcl(self, rules=[in2out_reflect_rule])
3727 in2out_acl.add_vpp_config()
3729 # apply as input acl on interface and confirm it blocks everything
3730 acl_if = VppAclInterface(
3731 self, sw_if_index=self.pg1.sw_if_index, n_input=1, acls=[out2in_acl]
3733 acl_if.add_vpp_config()
3734 self.send_and_assert_no_replies(self.pg1, pkts_out2in)
3737 acl_if.acls = [out2in_acl, in2out_acl]
3738 acl_if.add_vpp_config()
3739 # send in2out to generate ACL state (NAT state was created earlier)
3740 capture = self.send_and_expect(
3741 self.pg0, pkts_in2out, self.pg1, len(pkts_in2out)
3743 self.verify_capture_out(capture, ignore_port=True)
3745 # send out2in again. ACL state exists so it should work now.
3746 # TCP packets with the syn flag set also need the ack flag
3747 for p in pkts_out2in:
3748 if p.haslayer(TCP) and p[TCP].flags & 0x02:
3749 p[TCP].flags |= 0x10
3750 capture = self.send_and_expect(
3751 self.pg1, pkts_out2in, self.pg0, len(pkts_out2in)
3753 self.verify_capture_in(capture, self.pg0)
3754 self.logger.info(self.vapi.cli("show trace"))
3756 def test_tcp_close(self):
3757 """NAT44ED Close TCP session from inside network - output feature"""
3758 config = self.vapi.nat44_show_running_config()
3759 old_timeouts = config.timeouts
3761 self.vapi.nat_set_timeouts(
3762 udp=old_timeouts.udp,
3763 tcp_established=old_timeouts.tcp_established,
3764 icmp=old_timeouts.icmp,
3765 tcp_transitory=new_transitory,
3768 self.vapi.nat44_forwarding_enable_disable(enable=1)
3769 self.nat_add_address(self.pg1.local_ip4)
3770 twice_nat_addr = "10.0.1.3"
3771 service_ip = "192.168.16.150"
3772 self.nat_add_address(twice_nat_addr, twice_nat=1)
3774 flags = self.config_flags.NAT_IS_INSIDE
3775 self.vapi.nat44_interface_add_del_feature(
3776 sw_if_index=self.pg0.sw_if_index, is_add=1
3778 self.vapi.nat44_interface_add_del_feature(
3779 sw_if_index=self.pg0.sw_if_index, flags=flags, is_add=1
3781 self.vapi.nat44_ed_add_del_output_interface(
3782 is_add=1, sw_if_index=self.pg1.sw_if_index
3786 self.config_flags.NAT_IS_OUT2IN_ONLY | self.config_flags.NAT_IS_TWICE_NAT
3788 self.nat_add_static_mapping(
3789 self.pg0.remote_ip4, service_ip, 80, 80, proto=IP_PROTOS.tcp, flags=flags
3791 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3792 start_sessnum = len(sessions)
3794 # SYN packet out->in
3796 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3797 / IP(src=self.pg1.remote_ip4, dst=service_ip)
3798 / TCP(sport=33898, dport=80, flags="S")
3800 capture = self.send_and_expect(self.pg1, p, self.pg0, n_rx=1)
3802 tcp_port = p[TCP].sport
3804 # SYN + ACK packet in->out
3806 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3807 / IP(src=self.pg0.remote_ip4, dst=twice_nat_addr)
3808 / TCP(sport=80, dport=tcp_port, flags="SA")
3810 self.send_and_expect(self.pg0, p, self.pg1, n_rx=1)
3812 # ACK packet out->in
3814 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3815 / IP(src=self.pg1.remote_ip4, dst=service_ip)
3816 / TCP(sport=33898, dport=80, flags="A")
3818 self.send_and_expect(self.pg1, p, self.pg0, n_rx=1)
3820 # FIN packet in -> out
3822 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3823 / IP(src=self.pg0.remote_ip4, dst=twice_nat_addr)
3824 / TCP(sport=80, dport=tcp_port, flags="FA", seq=100, ack=300)
3826 self.send_and_expect(self.pg0, p, self.pg1, n_rx=1)
3828 # FIN+ACK packet out -> in
3830 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3831 / IP(src=self.pg1.remote_ip4, dst=service_ip)
3832 / TCP(sport=33898, dport=80, flags="FA", seq=300, ack=101)
3834 self.send_and_expect(self.pg1, p, self.pg0, n_rx=1)
3836 # ACK packet in -> out
3838 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3839 / IP(src=self.pg0.remote_ip4, dst=twice_nat_addr)
3840 / TCP(sport=80, dport=tcp_port, flags="A", seq=101, ack=301)
3842 self.send_and_expect(self.pg0, p, self.pg1, n_rx=1)
3844 # session now in transitory timeout, but traffic still flows
3845 # try FIN packet out->in
3847 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3848 / IP(src=self.pg1.remote_ip4, dst=service_ip)
3849 / TCP(sport=33898, dport=80, flags="F")
3851 self.pg1.add_stream(p)
3852 self.pg_enable_capture(self.pg_interfaces)
3855 self.virtual_sleep(new_transitory, "wait for transitory timeout")
3856 self.pg0.get_capture(1)
3858 # session should still exist
3859 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3860 self.assertEqual(len(sessions) - start_sessnum, 1)
3862 # send FIN+ACK packet out -> in - will cause session to be wiped
3863 # but won't create a new session
3865 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3866 / IP(src=self.pg1.remote_ip4, dst=service_ip)
3867 / TCP(sport=33898, dport=80, flags="FA", seq=300, ack=101)
3869 self.send_and_assert_no_replies(self.pg1, p)
3870 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3871 self.assertEqual(len(sessions) - start_sessnum, 0)
3873 def test_tcp_session_close_in(self):
3874 """NAT44ED Close TCP session from inside network"""
3876 in_port = self.tcp_port_in
3878 ext_port = self.tcp_external_port
3880 self.nat_add_address(self.nat_addr)
3881 self.nat_add_inside_interface(self.pg0)
3882 self.nat_add_outside_interface(self.pg1)
3883 self.nat_add_static_mapping(
3884 self.pg0.remote_ip4,
3888 proto=IP_PROTOS.tcp,
3889 flags=self.config_flags.NAT_IS_TWICE_NAT,
3892 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3893 session_n = len(sessions)
3895 self.vapi.nat_set_timeouts(
3896 udp=300, tcp_established=7440, tcp_transitory=2, icmp=5
3899 self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
3901 # FIN packet in -> out
3903 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3904 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3905 / TCP(sport=in_port, dport=ext_port, flags="FA", seq=100, ack=300)
3907 self.send_and_expect(self.pg0, p, self.pg1)
3910 # ACK packet out -> in
3912 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3913 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
3914 / TCP(sport=ext_port, dport=out_port, flags="A", seq=300, ack=101)
3918 # FIN packet out -> in
3920 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3921 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
3922 / TCP(sport=ext_port, dport=out_port, flags="FA", seq=300, ack=101)
3926 self.send_and_expect(self.pg1, pkts, self.pg0)
3928 # ACK packet in -> out
3930 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3931 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3932 / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301)
3934 self.send_and_expect(self.pg0, p, self.pg1)
3936 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3937 self.assertEqual(len(sessions) - session_n, 1)
3939 # retransmit FIN packet out -> in
3941 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3942 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
3943 / TCP(sport=ext_port, dport=out_port, flags="FA", seq=300, ack=101)
3946 self.send_and_expect(self.pg1, p, self.pg0)
3948 # retransmit ACK packet in -> out
3950 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3951 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3952 / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301)
3954 self.send_and_expect(self.pg0, p, self.pg1)
3956 self.virtual_sleep(3)
3957 # retransmit ACK packet in -> out - this will cause session to be wiped
3959 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
3960 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
3961 / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301)
3963 self.send_and_assert_no_replies(self.pg0, p)
3964 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3965 self.assertEqual(len(sessions) - session_n, 0)
3967 def test_tcp_session_close_out(self):
3968 """NAT44ED Close TCP session from outside network"""
3970 in_port = self.tcp_port_in
3972 ext_port = self.tcp_external_port
3974 self.nat_add_address(self.nat_addr)
3975 self.nat_add_inside_interface(self.pg0)
3976 self.nat_add_outside_interface(self.pg1)
3977 self.nat_add_static_mapping(
3978 self.pg0.remote_ip4,
3982 proto=IP_PROTOS.tcp,
3983 flags=self.config_flags.NAT_IS_TWICE_NAT,
3986 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3987 session_n = len(sessions)
3989 self.vapi.nat_set_timeouts(
3990 udp=300, tcp_established=7440, tcp_transitory=2, icmp=5
3993 _ = self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
3995 # FIN packet out -> in
3997 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
3998 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
3999 / TCP(sport=ext_port, dport=out_port, flags="FA", seq=100, ack=300)
4001 self.pg1.add_stream(p)
4002 self.pg_enable_capture(self.pg_interfaces)
4004 self.pg0.get_capture(1)
4006 # FIN+ACK packet in -> out
4008 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4009 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4010 / TCP(sport=in_port, dport=ext_port, flags="FA", seq=300, ack=101)
4013 self.pg0.add_stream(p)
4014 self.pg_enable_capture(self.pg_interfaces)
4016 self.pg1.get_capture(1)
4018 # ACK packet out -> in
4020 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4021 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4022 / TCP(sport=ext_port, dport=out_port, flags="A", seq=101, ack=301)
4024 self.pg1.add_stream(p)
4025 self.pg_enable_capture(self.pg_interfaces)
4027 self.pg0.get_capture(1)
4029 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4030 self.assertEqual(len(sessions) - session_n, 1)
4032 # retransmit FIN packet out -> in
4034 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4035 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4036 / TCP(sport=ext_port, dport=out_port, flags="FA", seq=300, ack=101)
4038 self.send_and_expect(self.pg1, p, self.pg0)
4040 # retransmit ACK packet in -> out
4042 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4043 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4044 / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301)
4046 self.send_and_expect(self.pg0, p, self.pg1)
4048 self.virtual_sleep(3)
4049 # retransmit ACK packet in -> out - this will cause session to be wiped
4051 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4052 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4053 / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301)
4055 self.send_and_assert_no_replies(self.pg0, p)
4056 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4057 self.assertEqual(len(sessions) - session_n, 0)
4059 def test_tcp_session_close_simultaneous(self):
4060 """Simultaneous TCP close from both sides"""
4062 in_port = self.tcp_port_in
4065 self.nat_add_address(self.nat_addr)
4066 self.nat_add_inside_interface(self.pg0)
4067 self.nat_add_outside_interface(self.pg1)
4068 self.nat_add_static_mapping(
4069 self.pg0.remote_ip4,
4073 proto=IP_PROTOS.tcp,
4074 flags=self.config_flags.NAT_IS_TWICE_NAT,
4077 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4078 session_n = len(sessions)
4080 self.vapi.nat_set_timeouts(
4081 udp=300, tcp_established=7440, tcp_transitory=2, icmp=5
4084 out_port = self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
4086 # FIN packet in -> out
4088 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4089 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4090 / TCP(sport=in_port, dport=ext_port, flags="FA", seq=100, ack=300)
4092 self.send_and_expect(self.pg0, p, self.pg1)
4094 # FIN packet out -> in
4096 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4097 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4098 / TCP(sport=ext_port, dport=out_port, flags="FA", seq=300, ack=100)
4100 self.send_and_expect(self.pg1, p, self.pg0)
4102 # ACK packet in -> out
4104 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4105 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4106 / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301)
4108 self.send_and_expect(self.pg0, p, self.pg1)
4110 # ACK packet out -> in
4112 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4113 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4114 / TCP(sport=ext_port, dport=out_port, flags="A", seq=301, ack=101)
4116 self.send_and_expect(self.pg1, p, self.pg0)
4118 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4119 self.assertEqual(len(sessions) - session_n, 1)
4121 # retransmit FIN packet out -> in
4123 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4124 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4125 / TCP(sport=ext_port, dport=out_port, flags="FA", seq=300, ack=101)
4127 self.send_and_expect(self.pg1, p, self.pg0)
4129 # retransmit ACK packet in -> out
4131 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4132 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4133 / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301)
4135 self.send_and_expect(self.pg0, p, self.pg1)
4137 self.virtual_sleep(3)
4138 # retransmit ACK packet in -> out - this will cause session to be wiped
4140 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4141 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4142 / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301)
4144 self.pg_send(self.pg0, p)
4145 self.send_and_assert_no_replies(self.pg0, p)
4146 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4147 self.assertEqual(len(sessions) - session_n, 0)
4149 def test_tcp_session_half_reopen_inside(self):
4150 """TCP session in FIN/FIN state not reopened by in2out SYN only"""
4151 in_port = self.tcp_port_in
4154 self.nat_add_address(self.nat_addr)
4155 self.nat_add_inside_interface(self.pg0)
4156 self.nat_add_outside_interface(self.pg1)
4157 self.nat_add_static_mapping(
4158 self.pg0.remote_ip4,
4162 proto=IP_PROTOS.tcp,
4163 flags=self.config_flags.NAT_IS_TWICE_NAT,
4166 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4167 session_n = len(sessions)
4169 self.vapi.nat_set_timeouts(
4170 udp=300, tcp_established=7440, tcp_transitory=2, icmp=5
4173 out_port = self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
4175 # FIN packet in -> out
4177 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4178 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4179 / TCP(sport=in_port, dport=ext_port, flags="FA", seq=100, ack=300)
4181 self.send_and_expect(self.pg0, p, self.pg1)
4183 # FIN packet out -> in
4185 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4186 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4187 / TCP(sport=ext_port, dport=out_port, flags="FA", seq=300, ack=100)
4189 self.send_and_expect(self.pg1, p, self.pg0)
4191 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4192 self.assertEqual(len(sessions) - session_n, 1)
4194 # send SYN packet in -> out
4196 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4197 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4198 / TCP(sport=in_port, dport=ext_port, flags="S", seq=101, ack=301)
4200 self.send_and_expect(self.pg0, p, self.pg1)
4202 self.virtual_sleep(3)
4203 # send ACK packet in -> out - session should be wiped
4205 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4206 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4207 / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301)
4209 self.send_and_assert_no_replies(self.pg0, p, self.pg1)
4210 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4211 self.assertEqual(len(sessions) - session_n, 0)
4213 def test_tcp_session_half_reopen_outside(self):
4214 """TCP session in FIN/FIN state not reopened by out2in SYN only"""
4215 in_port = self.tcp_port_in
4218 self.nat_add_address(self.nat_addr)
4219 self.nat_add_inside_interface(self.pg0)
4220 self.nat_add_outside_interface(self.pg1)
4221 self.nat_add_static_mapping(
4222 self.pg0.remote_ip4,
4226 proto=IP_PROTOS.tcp,
4227 flags=self.config_flags.NAT_IS_TWICE_NAT,
4230 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4231 session_n = len(sessions)
4233 self.vapi.nat_set_timeouts(
4234 udp=300, tcp_established=7440, tcp_transitory=2, icmp=5
4237 out_port = self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
4239 # FIN packet in -> out
4241 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4242 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4243 / TCP(sport=in_port, dport=ext_port, flags="FA", seq=100, ack=300)
4245 self.send_and_expect(self.pg0, p, self.pg1)
4247 # FIN packet out -> in
4249 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4250 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4251 / TCP(sport=ext_port, dport=out_port, flags="FA", seq=300, ack=100)
4253 self.send_and_expect(self.pg1, p, self.pg0)
4255 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4256 self.assertEqual(len(sessions) - session_n, 1)
4258 # send SYN packet out -> in
4260 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4261 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4262 / TCP(sport=ext_port, dport=out_port, flags="S", seq=300, ack=101)
4264 self.send_and_expect(self.pg1, p, self.pg0)
4266 self.virtual_sleep(3)
4267 # send ACK packet in -> out - session should be wiped
4269 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4270 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4271 / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301)
4273 self.send_and_assert_no_replies(self.pg0, p, self.pg1)
4274 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4275 self.assertEqual(len(sessions) - session_n, 0)
4277 def test_tcp_session_reopen(self):
4278 """TCP session in FIN/FIN state reopened by SYN from both sides"""
4279 in_port = self.tcp_port_in
4282 self.nat_add_address(self.nat_addr)
4283 self.nat_add_inside_interface(self.pg0)
4284 self.nat_add_outside_interface(self.pg1)
4285 self.nat_add_static_mapping(
4286 self.pg0.remote_ip4,
4290 proto=IP_PROTOS.tcp,
4291 flags=self.config_flags.NAT_IS_TWICE_NAT,
4294 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4295 session_n = len(sessions)
4297 self.vapi.nat_set_timeouts(
4298 udp=300, tcp_established=7440, tcp_transitory=2, icmp=5
4301 out_port = self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
4303 # FIN packet in -> out
4305 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4306 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4307 / TCP(sport=in_port, dport=ext_port, flags="FA", seq=100, ack=300)
4309 self.send_and_expect(self.pg0, p, self.pg1)
4311 # FIN packet out -> in
4313 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4314 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4315 / TCP(sport=ext_port, dport=out_port, flags="FA", seq=300, ack=100)
4317 self.send_and_expect(self.pg1, p, self.pg0)
4319 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4320 self.assertEqual(len(sessions) - session_n, 1)
4322 # send SYN packet out -> in
4324 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4325 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4326 / TCP(sport=ext_port, dport=out_port, flags="S", seq=300, ack=101)
4328 self.send_and_expect(self.pg1, p, self.pg0)
4330 # send SYN packet in -> out
4332 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4333 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4334 / TCP(sport=in_port, dport=ext_port, flags="SA", seq=101, ack=301)
4336 self.send_and_expect(self.pg0, p, self.pg1)
4338 # send ACK packet out -> in
4340 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4341 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4342 / TCP(sport=ext_port, dport=out_port, flags="A", seq=300, ack=101)
4344 self.send_and_expect(self.pg1, p, self.pg0)
4346 self.virtual_sleep(3)
4347 # send ACK packet in -> out - should be forwarded and session alive
4349 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4350 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4351 / TCP(sport=in_port, dport=ext_port, flags="A", seq=101, ack=301)
4353 self.send_and_expect(self.pg0, p, self.pg1)
4354 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
4355 self.assertEqual(len(sessions) - session_n, 1)
4357 def test_dynamic_vrf(self):
4358 """NAT44ED dynamic translation test: different VRF"""
4363 self.nat_add_address(self.nat_addr, vrf_id=vrf_id_in)
4366 self.configure_ip4_interface(self.pg7, table_id=vrf_id_in)
4367 self.configure_ip4_interface(self.pg8, table_id=vrf_id_out)
4369 self.nat_add_inside_interface(self.pg7)
4370 self.nat_add_outside_interface(self.pg8)
4372 # just basic stuff nothing special
4373 pkts = self.create_stream_in(self.pg7, self.pg8)
4374 self.pg7.add_stream(pkts)
4375 self.pg_enable_capture(self.pg_interfaces)
4377 capture = self.pg8.get_capture(len(pkts))
4378 self.verify_capture_out(capture, ignore_port=True)
4380 pkts = self.create_stream_out(self.pg8)
4381 self.pg8.add_stream(pkts)
4382 self.pg_enable_capture(self.pg_interfaces)
4384 capture = self.pg7.get_capture(len(pkts))
4385 self.verify_capture_in(capture, self.pg7)
4391 self.vapi.ip_table_add_del(is_add=0, table={"table_id": vrf_id_in})
4392 self.vapi.ip_table_add_del(is_add=0, table={"table_id": vrf_id_out})
4394 def test_dynamic_output_feature_vrf(self):
4395 """NAT44ED dynamic translation test: output-feature, VRF"""
4397 # other then default (0)
4400 self.nat_add_address(self.nat_addr)
4401 self.vapi.nat44_ed_add_del_output_interface(
4402 sw_if_index=self.pg8.sw_if_index, is_add=1
4405 self.configure_ip4_interface(self.pg7, table_id=new_vrf_id)
4406 self.configure_ip4_interface(self.pg8, table_id=new_vrf_id)
4409 tcpn = self.statistics["/nat44-ed/in2out/slowpath/tcp"]
4410 udpn = self.statistics["/nat44-ed/in2out/slowpath/udp"]
4411 icmpn = self.statistics["/nat44-ed/in2out/slowpath/icmp"]
4412 drops = self.statistics["/nat44-ed/in2out/slowpath/drops"]
4414 pkts = self.create_stream_in(self.pg7, self.pg8)
4415 self.pg7.add_stream(pkts)
4416 self.pg_enable_capture(self.pg_interfaces)
4418 capture = self.pg8.get_capture(len(pkts))
4419 self.verify_capture_out(capture, ignore_port=True)
4421 if_idx = self.pg8.sw_if_index
4422 cnt = self.statistics["/nat44-ed/in2out/slowpath/tcp"]
4423 self.assertEqual(cnt[:, if_idx].sum() - tcpn[:, if_idx].sum(), 2)
4424 cnt = self.statistics["/nat44-ed/in2out/slowpath/udp"]
4425 self.assertEqual(cnt[:, if_idx].sum() - udpn[:, if_idx].sum(), 1)
4426 cnt = self.statistics["/nat44-ed/in2out/slowpath/icmp"]
4427 self.assertEqual(cnt[:, if_idx].sum() - icmpn[:, if_idx].sum(), 1)
4428 cnt = self.statistics["/nat44-ed/in2out/slowpath/drops"]
4429 self.assertEqual(cnt[:, if_idx].sum() - drops[:, if_idx].sum(), 0)
4432 tcpn = self.statistics["/nat44-ed/out2in/fastpath/tcp"]
4433 udpn = self.statistics["/nat44-ed/out2in/fastpath/udp"]
4434 icmpn = self.statistics["/nat44-ed/out2in/fastpath/icmp"]
4435 drops = self.statistics["/nat44-ed/out2in/fastpath/drops"]
4437 pkts = self.create_stream_out(self.pg8)
4438 self.pg8.add_stream(pkts)
4439 self.pg_enable_capture(self.pg_interfaces)
4441 capture = self.pg7.get_capture(len(pkts))
4442 self.verify_capture_in(capture, self.pg7)
4444 if_idx = self.pg8.sw_if_index
4445 cnt = self.statistics["/nat44-ed/out2in/fastpath/tcp"]
4446 self.assertEqual(cnt[:, if_idx].sum() - tcpn[:, if_idx].sum(), 2)
4447 cnt = self.statistics["/nat44-ed/out2in/fastpath/udp"]
4448 self.assertEqual(cnt[:, if_idx].sum() - udpn[:, if_idx].sum(), 1)
4449 cnt = self.statistics["/nat44-ed/out2in/fastpath/icmp"]
4450 self.assertEqual(cnt[:, if_idx].sum() - icmpn[:, if_idx].sum(), 1)
4451 cnt = self.statistics["/nat44-ed/out2in/fastpath/drops"]
4452 self.assertEqual(cnt[:, if_idx].sum() - drops[:, if_idx].sum(), 0)
4454 sessions = self.statistics["/nat44-ed/total-sessions"]
4455 self.assertEqual(sessions[:, 0].sum(), 3)
4461 self.vapi.ip_table_add_del(is_add=0, table={"table_id": new_vrf_id})
4463 def test_next_src_nat(self):
4464 """NAT44ED On way back forward packet to nat44-in2out node."""
4466 twice_nat_addr = "10.0.1.3"
4469 post_twice_nat_port = 0
4471 self.vapi.nat44_forwarding_enable_disable(enable=1)
4472 self.nat_add_address(twice_nat_addr, twice_nat=1)
4474 self.config_flags.NAT_IS_OUT2IN_ONLY
4475 | self.config_flags.NAT_IS_SELF_TWICE_NAT
4477 self.nat_add_static_mapping(
4478 self.pg6.remote_ip4,
4479 self.pg1.remote_ip4,
4482 proto=IP_PROTOS.tcp,
4486 self.vapi.nat44_interface_add_del_feature(
4487 sw_if_index=self.pg6.sw_if_index, is_add=1
4491 Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac)
4492 / IP(src=self.pg6.remote_ip4, dst=self.pg1.remote_ip4)
4493 / TCP(sport=12345, dport=external_port)
4495 self.pg6.add_stream(p)
4496 self.pg_enable_capture(self.pg_interfaces)
4498 capture = self.pg6.get_capture(1)
4503 self.assertEqual(ip.src, twice_nat_addr)
4504 self.assertNotEqual(tcp.sport, 12345)
4505 post_twice_nat_port = tcp.sport
4506 self.assertEqual(ip.dst, self.pg6.remote_ip4)
4507 self.assertEqual(tcp.dport, local_port)
4508 self.assert_packet_checksums_valid(p)
4510 self.logger.error(ppp("Unexpected or invalid packet:", p))
4514 Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac)
4515 / IP(src=self.pg6.remote_ip4, dst=twice_nat_addr)
4516 / TCP(sport=local_port, dport=post_twice_nat_port)
4518 self.pg6.add_stream(p)
4519 self.pg_enable_capture(self.pg_interfaces)
4521 capture = self.pg6.get_capture(1)
4526 self.assertEqual(ip.src, self.pg1.remote_ip4)
4527 self.assertEqual(tcp.sport, external_port)
4528 self.assertEqual(ip.dst, self.pg6.remote_ip4)
4529 self.assertEqual(tcp.dport, 12345)
4530 self.assert_packet_checksums_valid(p)
4532 self.logger.error(ppp("Unexpected or invalid packet:", p))
4535 def test_one_armed_nat44_static(self):
4536 """NAT44ED One armed NAT and 1:1 NAPT asymmetrical rule"""
4538 remote_host = self.pg4.remote_hosts[0]
4539 local_host = self.pg4.remote_hosts[1]
4544 self.vapi.nat44_forwarding_enable_disable(enable=1)
4545 self.nat_add_address(self.nat_addr, twice_nat=1)
4547 self.config_flags.NAT_IS_OUT2IN_ONLY | self.config_flags.NAT_IS_TWICE_NAT
4549 self.nat_add_static_mapping(
4554 proto=IP_PROTOS.tcp,
4557 flags = self.config_flags.NAT_IS_INSIDE
4558 self.vapi.nat44_interface_add_del_feature(
4559 sw_if_index=self.pg4.sw_if_index, is_add=1
4561 self.vapi.nat44_interface_add_del_feature(
4562 sw_if_index=self.pg4.sw_if_index, flags=flags, is_add=1
4565 # from client to service
4567 Ether(src=self.pg4.remote_mac, dst=self.pg4.local_mac)
4568 / IP(src=remote_host.ip4, dst=self.nat_addr)
4569 / TCP(sport=12345, dport=external_port)
4571 self.pg4.add_stream(p)
4572 self.pg_enable_capture(self.pg_interfaces)
4574 capture = self.pg4.get_capture(1)
4579 self.assertEqual(ip.dst, local_host.ip4)
4580 self.assertEqual(ip.src, self.nat_addr)
4581 self.assertEqual(tcp.dport, local_port)
4582 self.assertNotEqual(tcp.sport, 12345)
4583 eh_port_in = tcp.sport
4584 self.assert_packet_checksums_valid(p)
4586 self.logger.error(ppp("Unexpected or invalid packet:", p))
4589 # from service back to client
4591 Ether(src=self.pg4.remote_mac, dst=self.pg4.local_mac)
4592 / IP(src=local_host.ip4, dst=self.nat_addr)
4593 / TCP(sport=local_port, dport=eh_port_in)
4595 self.pg4.add_stream(p)
4596 self.pg_enable_capture(self.pg_interfaces)
4598 capture = self.pg4.get_capture(1)
4603 self.assertEqual(ip.src, self.nat_addr)
4604 self.assertEqual(ip.dst, remote_host.ip4)
4605 self.assertEqual(tcp.sport, external_port)
4606 self.assertEqual(tcp.dport, 12345)
4607 self.assert_packet_checksums_valid(p)
4609 self.logger.error(ppp("Unexpected or invalid packet:", p))
4612 def test_icmp_error_fwd_outbound(self):
4613 """NAT44ED ICMP error outbound with forwarding enabled"""
4615 # Ensure that an outbound ICMP error message is properly associated
4616 # with the inbound forward bypass session it is related to.
4619 self.nat_add_address(self.nat_addr)
4620 self.nat_add_inside_interface(self.pg0)
4621 self.nat_add_outside_interface(self.pg1)
4623 # enable forwarding and initiate connection out2in
4624 self.vapi.nat44_forwarding_enable_disable(enable=1)
4626 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4627 / IP(src=self.pg1.remote_ip4, dst=self.pg0.remote_ip4)
4628 / UDP(sport=21, dport=20)
4632 self.pg1.add_stream(p1)
4633 self.pg_enable_capture(self.pg_interfaces)
4635 capture = self.pg0.get_capture(1)[0]
4637 self.logger.info(self.vapi.cli("show nat44 sessions"))
4639 # reply with ICMP error message in2out
4640 # We cannot reliably retrieve forward bypass sessions via the API.
4641 # session dumps for a user will only look on the worker that the
4642 # user is supposed to be mapped to in2out. The forward bypass session
4643 # is not necessarily created on that worker.
4645 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4646 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4647 / ICMP(type="dest-unreach", code="port-unreachable")
4651 self.pg0.add_stream(p2)
4652 self.pg_enable_capture(self.pg_interfaces)
4654 capture = self.pg1.get_capture(1)[0]
4656 self.logger.info(self.vapi.cli("show nat44 sessions"))
4658 self.logger.info(ppp("p1 packet:", p1))
4659 self.logger.info(ppp("p2 packet:", p2))
4660 self.logger.info(ppp("capture packet:", capture))
4662 def test_tcp_session_open_retransmit1(self):
4663 """NAT44ED Open TCP session with SYN,ACK retransmit 1
4665 The client does not receive the [SYN,ACK] or the
4666 ACK from the client is lost. Therefore, the [SYN, ACK]
4667 is retransmitted by the server.
4670 in_port = self.tcp_port_in
4671 ext_port = self.tcp_external_port
4674 self.nat_add_address(self.nat_addr)
4675 self.nat_add_inside_interface(self.pg0)
4676 self.nat_add_outside_interface(self.pg1)
4678 self.vapi.nat_set_timeouts(
4679 udp=300, tcp_established=7440, tcp_transitory=5, icmp=60
4681 # SYN packet in->out
4683 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4684 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4685 / TCP(sport=in_port, dport=ext_port, flags="S")
4687 p = self.send_and_expect(self.pg0, p, self.pg1)[0]
4688 out_port = p[TCP].sport
4690 # SYN + ACK packet out->in
4692 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4693 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4694 / TCP(sport=ext_port, dport=out_port, flags="SA")
4696 self.send_and_expect(self.pg1, p, self.pg0)
4698 # ACK in->out does not arrive
4700 # resent SYN + ACK packet out->in
4702 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4703 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4704 / TCP(sport=ext_port, dport=out_port, flags="SA")
4706 self.send_and_expect(self.pg1, p, self.pg0)
4708 # ACK packet in->out
4710 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4711 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4712 / TCP(sport=in_port, dport=ext_port, flags="A")
4714 self.send_and_expect(self.pg0, p, self.pg1)
4716 # Verify that the data can be transmitted after the transitory time
4717 self.virtual_sleep(6)
4720 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4721 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4722 / TCP(sport=in_port, dport=ext_port, flags="PA")
4725 self.send_and_expect(self.pg0, p, self.pg1)
4727 def test_tcp_session_open_retransmit2(self):
4728 """NAT44ED Open TCP session with SYN,ACK retransmit 2
4730 The ACK is lost to the server after the TCP session is opened.
4731 Data is sent by the client, then the [SYN,ACK] is
4732 retransmitted by the server.
4735 in_port = self.tcp_port_in
4736 ext_port = self.tcp_external_port
4739 self.nat_add_address(self.nat_addr)
4740 self.nat_add_inside_interface(self.pg0)
4741 self.nat_add_outside_interface(self.pg1)
4743 self.vapi.nat_set_timeouts(
4744 udp=300, tcp_established=7440, tcp_transitory=5, icmp=60
4746 # SYN packet in->out
4748 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4749 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4750 / TCP(sport=in_port, dport=ext_port, flags="S")
4752 p = self.send_and_expect(self.pg0, p, self.pg1)[0]
4753 out_port = p[TCP].sport
4755 # SYN + ACK packet out->in
4757 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4758 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4759 / TCP(sport=ext_port, dport=out_port, flags="SA")
4761 self.send_and_expect(self.pg1, p, self.pg0)
4763 # ACK packet in->out -- not received by the server
4765 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4766 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4767 / TCP(sport=in_port, dport=ext_port, flags="A")
4769 self.send_and_expect(self.pg0, p, self.pg1)
4771 # PUSH + ACK packet in->out
4773 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4774 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4775 / TCP(sport=in_port, dport=ext_port, flags="PA")
4778 self.send_and_expect(self.pg0, p, self.pg1)
4780 # resent SYN + ACK packet out->in
4782 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4783 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4784 / TCP(sport=ext_port, dport=out_port, flags="SA")
4786 self.send_and_expect(self.pg1, p, self.pg0)
4788 # resent ACK packet in->out
4790 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4791 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4792 / TCP(sport=in_port, dport=ext_port, flags="A")
4794 self.send_and_expect(self.pg0, p, self.pg1)
4796 # resent PUSH + ACK packet in->out
4798 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4799 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4800 / TCP(sport=in_port, dport=ext_port, flags="PA")
4803 self.send_and_expect(self.pg0, p, self.pg1)
4805 # ACK packet out->in
4807 Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
4808 / IP(src=self.pg1.remote_ip4, dst=self.nat_addr)
4809 / TCP(sport=ext_port, dport=out_port, flags="A")
4811 self.send_and_expect(self.pg1, p, self.pg0)
4813 # Verify that the data can be transmitted after the transitory time
4814 self.virtual_sleep(6)
4817 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
4818 / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
4819 / TCP(sport=in_port, dport=ext_port, flags="PA")
4822 self.send_and_expect(self.pg0, p, self.pg1)
4825 if __name__ == "__main__":
4826 unittest.main(testRunner=VppTestRunner)
Code Review / vpp.git / blob