5 from random import randint, choice
8 from framework import VppTestCase, VppTestRunner
9 from scapy.data import IP_PROTOS
10 from scapy.layers.inet import IP, TCP, UDP, ICMP, GRE
11 from scapy.layers.inet import IPerror, TCPerror
12 from scapy.layers.l2 import Ether
13 from scapy.packet import Raw
14 from syslog_rfc5424_parser import SyslogMessage, ParseError
15 from syslog_rfc5424_parser.constants import SyslogSeverity
16 from util import ppp, pr, ip4_range
17 from vpp_acl import AclRule, VppAcl, VppAclInterface
18 from vpp_ip_route import VppIpRoute, VppRoutePath
19 from vpp_papi import VppEnum
20 from util import StatsDiff
23 class TestNAT44ED(VppTestCase):
24 """ NAT44ED Test Case """
26 nat_addr = '10.0.10.3'
37 tcp_external_port = 80
50 def plugin_enable(self):
51 self.vapi.nat44_ed_plugin_enable_disable(
52 sessions=self.max_sessions, enable=1)
54 def plugin_disable(self):
55 self.vapi.nat44_ed_plugin_enable_disable(enable=0)
58 def config_flags(self):
59 return VppEnum.vl_api_nat_config_flags_t
62 def nat44_config_flags(self):
63 return VppEnum.vl_api_nat44_config_flags_t
66 def syslog_severity(self):
67 return VppEnum.vl_api_syslog_severity_t
70 def server_addr(self):
71 return self.pg1.remote_hosts[0].ip4
75 return randint(1025, 65535)
78 def proto2layer(proto):
79 if proto == IP_PROTOS.tcp:
81 elif proto == IP_PROTOS.udp:
83 elif proto == IP_PROTOS.icmp:
86 raise Exception("Unsupported protocol")
89 def create_and_add_ip4_table(cls, i, table_id=0):
90 cls.vapi.ip_table_add_del(is_add=1, table={'table_id': table_id})
91 i.set_table_ip4(table_id)
94 def configure_ip4_interface(cls, i, hosts=0, table_id=None):
96 cls.create_and_add_ip4_table(i, table_id)
103 i.generate_remote_hosts(hosts)
104 i.configure_ipv4_neighbors()
107 def nat_add_interface_address(cls, i):
108 cls.vapi.nat44_add_del_interface_addr(
109 sw_if_index=i.sw_if_index, is_add=1)
111 def nat_add_inside_interface(self, i):
112 self.vapi.nat44_interface_add_del_feature(
113 flags=self.config_flags.NAT_IS_INSIDE,
114 sw_if_index=i.sw_if_index, is_add=1)
116 def nat_add_outside_interface(self, i):
117 self.vapi.nat44_interface_add_del_feature(
118 flags=self.config_flags.NAT_IS_OUTSIDE,
119 sw_if_index=i.sw_if_index, is_add=1)
121 def nat_add_address(self, address, twice_nat=0,
122 vrf_id=0xFFFFFFFF, is_add=1):
123 flags = self.config_flags.NAT_IS_TWICE_NAT if twice_nat else 0
124 self.vapi.nat44_add_del_address_range(first_ip_address=address,
125 last_ip_address=address,
130 def nat_add_static_mapping(self, local_ip, external_ip='0.0.0.0',
131 local_port=0, external_port=0, vrf_id=0,
132 is_add=1, external_sw_if_index=0xFFFFFFFF,
133 proto=0, tag="", flags=0):
135 if not (local_port and external_port):
136 flags |= self.config_flags.NAT_IS_ADDR_ONLY
138 self.vapi.nat44_add_del_static_mapping(
140 local_ip_address=local_ip,
141 external_ip_address=external_ip,
142 external_sw_if_index=external_sw_if_index,
143 local_port=local_port,
144 external_port=external_port,
145 vrf_id=vrf_id, protocol=proto,
153 cls.create_pg_interfaces(range(12))
154 cls.interfaces = list(cls.pg_interfaces[:4])
156 cls.create_and_add_ip4_table(cls.pg2, 10)
158 for i in cls.interfaces:
159 cls.configure_ip4_interface(i, hosts=3)
161 # test specific (test-multiple-vrf)
162 cls.vapi.ip_table_add_del(is_add=1, table={'table_id': 1})
164 # test specific (test-one-armed-nat44-static)
165 cls.pg4.generate_remote_hosts(2)
167 cls.vapi.sw_interface_add_del_address(
168 sw_if_index=cls.pg4.sw_if_index,
169 prefix="10.0.0.1/24")
171 cls.pg4.resolve_arp()
172 cls.pg4._remote_hosts[1]._ip4 = cls.pg4._remote_hosts[0]._ip4
173 cls.pg4.resolve_arp()
175 # test specific interface (pg5)
176 cls.pg5._local_ip4 = "10.1.1.1"
177 cls.pg5._remote_hosts[0]._ip4 = "10.1.1.2"
178 cls.pg5.set_table_ip4(1)
181 cls.pg5.resolve_arp()
183 # test specific interface (pg6)
184 cls.pg6._local_ip4 = "10.1.2.1"
185 cls.pg6._remote_hosts[0]._ip4 = "10.1.2.2"
186 cls.pg6.set_table_ip4(1)
189 cls.pg6.resolve_arp()
193 rl.append(VppIpRoute(cls, "0.0.0.0", 0,
194 [VppRoutePath("0.0.0.0", 0xffffffff,
196 register=False, table_id=1))
197 rl.append(VppIpRoute(cls, "0.0.0.0", 0,
198 [VppRoutePath(cls.pg1.local_ip4,
199 cls.pg1.sw_if_index)],
201 rl.append(VppIpRoute(cls, cls.pg5.remote_ip4, 32,
202 [VppRoutePath("0.0.0.0",
203 cls.pg5.sw_if_index)],
204 register=False, table_id=1))
205 rl.append(VppIpRoute(cls, cls.pg6.remote_ip4, 32,
206 [VppRoutePath("0.0.0.0",
207 cls.pg6.sw_if_index)],
208 register=False, table_id=1))
209 rl.append(VppIpRoute(cls, cls.pg6.remote_ip4, 16,
210 [VppRoutePath("0.0.0.0", 0xffffffff,
212 register=False, table_id=0))
217 cls.no_diff = StatsDiff({
219 '/nat44-ed/in2out/fastpath/tcp': 0,
220 '/nat44-ed/in2out/fastpath/udp': 0,
221 '/nat44-ed/in2out/fastpath/icmp': 0,
222 '/nat44-ed/in2out/fastpath/drops': 0,
223 '/nat44-ed/in2out/slowpath/tcp': 0,
224 '/nat44-ed/in2out/slowpath/udp': 0,
225 '/nat44-ed/in2out/slowpath/icmp': 0,
226 '/nat44-ed/in2out/slowpath/drops': 0,
227 '/nat44-ed/in2out/fastpath/tcp': 0,
228 '/nat44-ed/in2out/fastpath/udp': 0,
229 '/nat44-ed/in2out/fastpath/icmp': 0,
230 '/nat44-ed/in2out/fastpath/drops': 0,
231 '/nat44-ed/in2out/slowpath/tcp': 0,
232 '/nat44-ed/in2out/slowpath/udp': 0,
233 '/nat44-ed/in2out/slowpath/icmp': 0,
234 '/nat44-ed/in2out/slowpath/drops': 0,
236 for pg in cls.pg_interfaces
239 def get_err_counter(self, path):
240 return self.statistics.get_err_counter(path)
242 def reass_hairpinning(self, server_addr, server_in_port, server_out_port,
243 host_in_port, proto=IP_PROTOS.tcp,
245 layer = self.proto2layer(proto)
247 if proto == IP_PROTOS.tcp:
248 data = b"A" * 4 + b"B" * 16 + b"C" * 3
250 data = b"A" * 16 + b"B" * 16 + b"C" * 3
252 # send packet from host to server
253 pkts = self.create_stream_frag(self.pg0,
259 self.pg0.add_stream(pkts)
260 self.pg_enable_capture(self.pg_interfaces)
262 frags = self.pg0.get_capture(len(pkts))
263 p = self.reass_frags_and_verify(frags,
266 if proto != IP_PROTOS.icmp:
268 self.assertNotEqual(p[layer].sport, host_in_port)
269 self.assertEqual(p[layer].dport, server_in_port)
272 self.assertNotEqual(p[layer].id, host_in_port)
273 self.assertEqual(data, p[Raw].load)
275 def frag_out_of_order(self, proto=IP_PROTOS.tcp, dont_translate=False,
277 layer = self.proto2layer(proto)
279 if proto == IP_PROTOS.tcp:
280 data = b"A" * 4 + b"B" * 16 + b"C" * 3
282 data = b"A" * 16 + b"B" * 16 + b"C" * 3
283 self.port_in = self.random_port()
287 pkts = self.create_stream_frag(self.pg0, self.pg1.remote_ip4,
288 self.port_in, 20, data, proto)
290 self.pg0.add_stream(pkts)
291 self.pg_enable_capture(self.pg_interfaces)
293 frags = self.pg1.get_capture(len(pkts))
294 if not dont_translate:
295 p = self.reass_frags_and_verify(frags,
299 p = self.reass_frags_and_verify(frags,
302 if proto != IP_PROTOS.icmp:
303 if not dont_translate:
304 self.assertEqual(p[layer].dport, 20)
306 self.assertNotEqual(p[layer].sport, self.port_in)
308 self.assertEqual(p[layer].sport, self.port_in)
311 if not dont_translate:
312 self.assertNotEqual(p[layer].id, self.port_in)
314 self.assertEqual(p[layer].id, self.port_in)
315 self.assertEqual(data, p[Raw].load)
318 if not dont_translate:
319 dst_addr = self.nat_addr
321 dst_addr = self.pg0.remote_ip4
322 if proto != IP_PROTOS.icmp:
324 dport = p[layer].sport
328 pkts = self.create_stream_frag(self.pg1, dst_addr, sport, dport,
329 data, proto, echo_reply=True)
331 self.pg1.add_stream(pkts)
332 self.pg_enable_capture(self.pg_interfaces)
333 self.logger.info(self.vapi.cli("show trace"))
335 frags = self.pg0.get_capture(len(pkts))
336 p = self.reass_frags_and_verify(frags,
339 if proto != IP_PROTOS.icmp:
340 self.assertEqual(p[layer].sport, 20)
341 self.assertEqual(p[layer].dport, self.port_in)
343 self.assertEqual(p[layer].id, self.port_in)
344 self.assertEqual(data, p[Raw].load)
346 def reass_frags_and_verify(self, frags, src, dst):
349 self.assertEqual(p[IP].src, src)
350 self.assertEqual(p[IP].dst, dst)
351 self.assert_ip_checksum_valid(p)
352 buffer.seek(p[IP].frag * 8)
353 buffer.write(bytes(p[IP].payload))
354 ip = IP(src=frags[0][IP].src, dst=frags[0][IP].dst,
355 proto=frags[0][IP].proto)
356 if ip.proto == IP_PROTOS.tcp:
357 p = (ip / TCP(buffer.getvalue()))
358 self.logger.debug(ppp("Reassembled:", p))
359 self.assert_tcp_checksum_valid(p)
360 elif ip.proto == IP_PROTOS.udp:
361 p = (ip / UDP(buffer.getvalue()[:8]) /
362 Raw(buffer.getvalue()[8:]))
363 elif ip.proto == IP_PROTOS.icmp:
364 p = (ip / ICMP(buffer.getvalue()))
367 def frag_in_order(self, proto=IP_PROTOS.tcp, dont_translate=False,
369 layer = self.proto2layer(proto)
371 if proto == IP_PROTOS.tcp:
372 data = b"A" * 4 + b"B" * 16 + b"C" * 3
374 data = b"A" * 16 + b"B" * 16 + b"C" * 3
375 self.port_in = self.random_port()
378 pkts = self.create_stream_frag(self.pg0, self.pg1.remote_ip4,
379 self.port_in, 20, data, proto)
380 self.pg0.add_stream(pkts)
381 self.pg_enable_capture(self.pg_interfaces)
383 frags = self.pg1.get_capture(len(pkts))
384 if not dont_translate:
385 p = self.reass_frags_and_verify(frags,
389 p = self.reass_frags_and_verify(frags,
392 if proto != IP_PROTOS.icmp:
393 if not dont_translate:
394 self.assertEqual(p[layer].dport, 20)
396 self.assertNotEqual(p[layer].sport, self.port_in)
398 self.assertEqual(p[layer].sport, self.port_in)
401 if not dont_translate:
402 self.assertNotEqual(p[layer].id, self.port_in)
404 self.assertEqual(p[layer].id, self.port_in)
405 self.assertEqual(data, p[Raw].load)
408 if not dont_translate:
409 dst_addr = self.nat_addr
411 dst_addr = self.pg0.remote_ip4
412 if proto != IP_PROTOS.icmp:
414 dport = p[layer].sport
418 pkts = self.create_stream_frag(self.pg1, dst_addr, sport, dport, data,
419 proto, echo_reply=True)
420 self.pg1.add_stream(pkts)
421 self.pg_enable_capture(self.pg_interfaces)
423 frags = self.pg0.get_capture(len(pkts))
424 p = self.reass_frags_and_verify(frags,
427 if proto != IP_PROTOS.icmp:
428 self.assertEqual(p[layer].sport, 20)
429 self.assertEqual(p[layer].dport, self.port_in)
431 self.assertEqual(p[layer].id, self.port_in)
432 self.assertEqual(data, p[Raw].load)
434 def verify_capture_out(self, capture, nat_ip=None, same_port=False,
435 dst_ip=None, ignore_port=False):
437 nat_ip = self.nat_addr
438 for packet in capture:
440 self.assert_packet_checksums_valid(packet)
441 self.assertEqual(packet[IP].src, nat_ip)
442 if dst_ip is not None:
443 self.assertEqual(packet[IP].dst, dst_ip)
444 if packet.haslayer(TCP):
448 packet[TCP].sport, self.tcp_port_in)
451 packet[TCP].sport, self.tcp_port_in)
452 self.tcp_port_out = packet[TCP].sport
453 self.assert_packet_checksums_valid(packet)
454 elif packet.haslayer(UDP):
458 packet[UDP].sport, self.udp_port_in)
461 packet[UDP].sport, self.udp_port_in)
462 self.udp_port_out = packet[UDP].sport
467 packet[ICMP].id, self.icmp_id_in)
470 packet[ICMP].id, self.icmp_id_in)
471 self.icmp_id_out = packet[ICMP].id
472 self.assert_packet_checksums_valid(packet)
474 self.logger.error(ppp("Unexpected or invalid packet "
475 "(outside network):", packet))
478 def verify_capture_in(self, capture, in_if):
479 for packet in capture:
481 self.assert_packet_checksums_valid(packet)
482 self.assertEqual(packet[IP].dst, in_if.remote_ip4)
483 if packet.haslayer(TCP):
484 self.assertEqual(packet[TCP].dport, self.tcp_port_in)
485 elif packet.haslayer(UDP):
486 self.assertEqual(packet[UDP].dport, self.udp_port_in)
488 self.assertEqual(packet[ICMP].id, self.icmp_id_in)
490 self.logger.error(ppp("Unexpected or invalid packet "
491 "(inside network):", packet))
494 def create_stream_in(self, in_if, out_if, dst_ip=None, ttl=64):
496 dst_ip = out_if.remote_ip4
500 p = (Ether(dst=in_if.local_mac, src=in_if.remote_mac) /
501 IP(src=in_if.remote_ip4, dst=dst_ip, ttl=ttl) /
502 TCP(sport=self.tcp_port_in, dport=20))
506 p = (Ether(dst=in_if.local_mac, src=in_if.remote_mac) /
507 IP(src=in_if.remote_ip4, dst=dst_ip, ttl=ttl) /
508 UDP(sport=self.udp_port_in, dport=20))
512 p = (Ether(dst=in_if.local_mac, src=in_if.remote_mac) /
513 IP(src=in_if.remote_ip4, dst=dst_ip, ttl=ttl) /
514 ICMP(id=self.icmp_id_in, type='echo-request'))
519 def create_stream_out(self, out_if, dst_ip=None, ttl=64,
520 use_inside_ports=False):
522 dst_ip = self.nat_addr
523 if not use_inside_ports:
524 tcp_port = self.tcp_port_out
525 udp_port = self.udp_port_out
526 icmp_id = self.icmp_id_out
528 tcp_port = self.tcp_port_in
529 udp_port = self.udp_port_in
530 icmp_id = self.icmp_id_in
533 p = (Ether(dst=out_if.local_mac, src=out_if.remote_mac) /
534 IP(src=out_if.remote_ip4, dst=dst_ip, ttl=ttl) /
535 TCP(dport=tcp_port, sport=20))
539 p = (Ether(dst=out_if.local_mac, src=out_if.remote_mac) /
540 IP(src=out_if.remote_ip4, dst=dst_ip, ttl=ttl) /
541 UDP(dport=udp_port, sport=20))
545 p = (Ether(dst=out_if.local_mac, src=out_if.remote_mac) /
546 IP(src=out_if.remote_ip4, dst=dst_ip, ttl=ttl) /
547 ICMP(id=icmp_id, type='echo-reply'))
552 def create_tcp_stream(self, in_if, out_if, count):
556 for i in range(count):
557 p = (Ether(dst=in_if.local_mac, src=in_if.remote_mac) /
558 IP(src=in_if.remote_ip4, dst=out_if.remote_ip4, ttl=64) /
559 TCP(sport=port + i, dport=20))
564 def create_stream_frag(self, src_if, dst, sport, dport, data,
565 proto=IP_PROTOS.tcp, echo_reply=False):
566 if proto == IP_PROTOS.tcp:
567 p = (IP(src=src_if.remote_ip4, dst=dst) /
568 TCP(sport=sport, dport=dport) /
570 p = p.__class__(scapy.compat.raw(p))
571 chksum = p[TCP].chksum
572 proto_header = TCP(sport=sport, dport=dport, chksum=chksum)
573 elif proto == IP_PROTOS.udp:
574 proto_header = UDP(sport=sport, dport=dport)
575 elif proto == IP_PROTOS.icmp:
577 proto_header = ICMP(id=sport, type='echo-request')
579 proto_header = ICMP(id=sport, type='echo-reply')
581 raise Exception("Unsupported protocol")
582 id = self.random_port()
584 if proto == IP_PROTOS.tcp:
587 raw = Raw(data[0:16])
588 p = (Ether(src=src_if.remote_mac, dst=src_if.local_mac) /
589 IP(src=src_if.remote_ip4, dst=dst, flags="MF", frag=0, id=id) /
593 if proto == IP_PROTOS.tcp:
594 raw = Raw(data[4:20])
596 raw = Raw(data[16:32])
597 p = (Ether(src=src_if.remote_mac, dst=src_if.local_mac) /
598 IP(src=src_if.remote_ip4, dst=dst, flags="MF", frag=3, id=id,
602 if proto == IP_PROTOS.tcp:
606 p = (Ether(src=src_if.remote_mac, dst=src_if.local_mac) /
607 IP(src=src_if.remote_ip4, dst=dst, frag=5, proto=proto,
613 def frag_in_order_in_plus_out(self, in_addr, out_addr, in_port, out_port,
614 proto=IP_PROTOS.tcp):
616 layer = self.proto2layer(proto)
618 if proto == IP_PROTOS.tcp:
619 data = b"A" * 4 + b"B" * 16 + b"C" * 3
621 data = b"A" * 16 + b"B" * 16 + b"C" * 3
622 port_in = self.random_port()
626 pkts = self.create_stream_frag(self.pg0, out_addr,
629 self.pg0.add_stream(pkts)
630 self.pg_enable_capture(self.pg_interfaces)
632 frags = self.pg1.get_capture(len(pkts))
633 p = self.reass_frags_and_verify(frags,
636 if proto != IP_PROTOS.icmp:
637 self.assertEqual(p[layer].sport, port_in)
638 self.assertEqual(p[layer].dport, in_port)
640 self.assertEqual(p[layer].id, port_in)
641 self.assertEqual(data, p[Raw].load)
644 if proto != IP_PROTOS.icmp:
645 pkts = self.create_stream_frag(self.pg1, self.pg0.remote_ip4,
647 p[layer].sport, data, proto)
649 pkts = self.create_stream_frag(self.pg1, self.pg0.remote_ip4,
650 p[layer].id, 0, data, proto,
652 self.pg1.add_stream(pkts)
653 self.pg_enable_capture(self.pg_interfaces)
655 frags = self.pg0.get_capture(len(pkts))
656 p = self.reass_frags_and_verify(frags,
659 if proto != IP_PROTOS.icmp:
660 self.assertEqual(p[layer].sport, out_port)
661 self.assertEqual(p[layer].dport, port_in)
663 self.assertEqual(p[layer].id, port_in)
664 self.assertEqual(data, p[Raw].load)
666 def frag_out_of_order_in_plus_out(self, in_addr, out_addr, in_port,
667 out_port, proto=IP_PROTOS.tcp):
669 layer = self.proto2layer(proto)
671 if proto == IP_PROTOS.tcp:
672 data = b"A" * 4 + b"B" * 16 + b"C" * 3
674 data = b"A" * 16 + b"B" * 16 + b"C" * 3
675 port_in = self.random_port()
679 pkts = self.create_stream_frag(self.pg0, out_addr,
683 self.pg0.add_stream(pkts)
684 self.pg_enable_capture(self.pg_interfaces)
686 frags = self.pg1.get_capture(len(pkts))
687 p = self.reass_frags_and_verify(frags,
690 if proto != IP_PROTOS.icmp:
691 self.assertEqual(p[layer].dport, in_port)
692 self.assertEqual(p[layer].sport, port_in)
693 self.assertEqual(p[layer].dport, in_port)
695 self.assertEqual(p[layer].id, port_in)
696 self.assertEqual(data, p[Raw].load)
699 if proto != IP_PROTOS.icmp:
700 pkts = self.create_stream_frag(self.pg1, self.pg0.remote_ip4,
702 p[layer].sport, data, proto)
704 pkts = self.create_stream_frag(self.pg1, self.pg0.remote_ip4,
705 p[layer].id, 0, data, proto,
708 self.pg1.add_stream(pkts)
709 self.pg_enable_capture(self.pg_interfaces)
711 frags = self.pg0.get_capture(len(pkts))
712 p = self.reass_frags_and_verify(frags,
715 if proto != IP_PROTOS.icmp:
716 self.assertEqual(p[layer].sport, out_port)
717 self.assertEqual(p[layer].dport, port_in)
719 self.assertEqual(p[layer].id, port_in)
720 self.assertEqual(data, p[Raw].load)
722 def init_tcp_session(self, in_if, out_if, in_port, ext_port):
724 p = (Ether(src=in_if.remote_mac, dst=in_if.local_mac) /
725 IP(src=in_if.remote_ip4, dst=out_if.remote_ip4) /
726 TCP(sport=in_port, dport=ext_port, flags="S"))
728 self.pg_enable_capture(self.pg_interfaces)
730 capture = out_if.get_capture(1)
732 out_port = p[TCP].sport
734 # SYN + ACK packet out->in
735 p = (Ether(src=out_if.remote_mac, dst=out_if.local_mac) /
736 IP(src=out_if.remote_ip4, dst=self.nat_addr) /
737 TCP(sport=ext_port, dport=out_port, flags="SA"))
739 self.pg_enable_capture(self.pg_interfaces)
744 p = (Ether(src=in_if.remote_mac, dst=in_if.local_mac) /
745 IP(src=in_if.remote_ip4, dst=out_if.remote_ip4) /
746 TCP(sport=in_port, dport=ext_port, flags="A"))
748 self.pg_enable_capture(self.pg_interfaces)
750 out_if.get_capture(1)
754 def twice_nat_common(self, self_twice_nat=False, same_pg=False, lb=False,
756 twice_nat_addr = '10.0.1.3'
764 port_in1 = port_in + 1
765 port_in2 = port_in + 2
770 server1 = self.pg0.remote_hosts[0]
771 server2 = self.pg0.remote_hosts[1]
783 eh_translate = ((not self_twice_nat) or (not lb and same_pg) or
786 self.nat_add_address(self.nat_addr)
787 self.nat_add_address(twice_nat_addr, twice_nat=1)
791 flags |= self.config_flags.NAT_IS_SELF_TWICE_NAT
793 flags |= self.config_flags.NAT_IS_TWICE_NAT
796 self.nat_add_static_mapping(pg0.remote_ip4, self.nat_addr,
801 locals = [{'addr': server1.ip4,
805 {'addr': server2.ip4,
809 out_addr = self.nat_addr
811 self.vapi.nat44_add_del_lb_static_mapping(is_add=1, flags=flags,
812 external_addr=out_addr,
813 external_port=port_out,
814 protocol=IP_PROTOS.tcp,
815 local_num=len(locals),
817 self.nat_add_inside_interface(pg0)
818 self.nat_add_outside_interface(pg1)
824 assert client_id is not None
826 client = self.pg0.remote_hosts[0]
828 client = self.pg0.remote_hosts[1]
830 client = pg1.remote_hosts[0]
831 p = (Ether(src=pg1.remote_mac, dst=pg1.local_mac) /
832 IP(src=client.ip4, dst=self.nat_addr) /
833 TCP(sport=eh_port_out, dport=port_out))
835 self.pg_enable_capture(self.pg_interfaces)
837 capture = pg0.get_capture(1)
843 if ip.dst == server1.ip4:
849 self.assertEqual(ip.dst, server.ip4)
851 self.assertIn(tcp.dport, [port_in1, port_in2])
853 self.assertEqual(tcp.dport, port_in)
855 self.assertEqual(ip.src, twice_nat_addr)
856 self.assertNotEqual(tcp.sport, eh_port_out)
858 self.assertEqual(ip.src, client.ip4)
859 self.assertEqual(tcp.sport, eh_port_out)
861 eh_port_in = tcp.sport
862 saved_port_in = tcp.dport
863 self.assert_packet_checksums_valid(p)
865 self.logger.error(ppp("Unexpected or invalid packet:", p))
868 p = (Ether(src=server.mac, dst=pg0.local_mac) /
869 IP(src=server.ip4, dst=eh_addr_in) /
870 TCP(sport=saved_port_in, dport=eh_port_in))
872 self.pg_enable_capture(self.pg_interfaces)
874 capture = pg1.get_capture(1)
879 self.assertEqual(ip.dst, client.ip4)
880 self.assertEqual(ip.src, self.nat_addr)
881 self.assertEqual(tcp.dport, eh_port_out)
882 self.assertEqual(tcp.sport, port_out)
883 self.assert_packet_checksums_valid(p)
885 self.logger.error(ppp("Unexpected or invalid packet:", p))
889 sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
890 self.assertEqual(len(sessions), 1)
891 self.assertTrue(sessions[0].flags &
892 self.config_flags.NAT_IS_EXT_HOST_VALID)
893 self.assertTrue(sessions[0].flags &
894 self.config_flags.NAT_IS_TWICE_NAT)
895 self.logger.info(self.vapi.cli("show nat44 sessions"))
896 self.vapi.nat44_del_session(
897 address=sessions[0].inside_ip_address,
898 port=sessions[0].inside_port,
899 protocol=sessions[0].protocol,
900 flags=(self.config_flags.NAT_IS_INSIDE |
901 self.config_flags.NAT_IS_EXT_HOST_VALID),
902 ext_host_address=sessions[0].ext_host_nat_address,
903 ext_host_port=sessions[0].ext_host_nat_port)
904 sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
905 self.assertEqual(len(sessions), 0)
907 def verify_syslog_sess(self, data, msgid, is_ip6=False):
908 message = data.decode('utf-8')
910 message = SyslogMessage.parse(message)
911 except ParseError as e:
915 self.assertEqual(message.severity, SyslogSeverity.info)
916 self.assertEqual(message.appname, 'NAT')
917 self.assertEqual(message.msgid, msgid)
918 sd_params = message.sd.get('nsess')
919 self.assertTrue(sd_params is not None)
921 self.assertEqual(sd_params.get('IATYP'), 'IPv6')
922 self.assertEqual(sd_params.get('ISADDR'), self.pg0.remote_ip6)
924 self.assertEqual(sd_params.get('IATYP'), 'IPv4')
925 self.assertEqual(sd_params.get('ISADDR'), self.pg0.remote_ip4)
926 self.assertTrue(sd_params.get('SSUBIX') is not None)
927 self.assertEqual(sd_params.get('ISPORT'), "%d" % self.tcp_port_in)
928 self.assertEqual(sd_params.get('XATYP'), 'IPv4')
929 self.assertEqual(sd_params.get('XSADDR'), self.nat_addr)
930 self.assertEqual(sd_params.get('XSPORT'), "%d" % self.tcp_port_out)
931 self.assertEqual(sd_params.get('PROTO'), "%d" % IP_PROTOS.tcp)
932 self.assertEqual(sd_params.get('SVLAN'), '0')
933 self.assertEqual(sd_params.get('XDADDR'), self.pg1.remote_ip4)
934 self.assertEqual(sd_params.get('XDPORT'),
935 "%d" % self.tcp_external_port)
937 def test_icmp_error(self):
938 """ NAT44ED test ICMP error message with inner header"""
942 self.nat_add_address(self.nat_addr)
943 self.nat_add_inside_interface(self.pg0)
944 self.nat_add_outside_interface(self.pg1)
946 # in2out (initiate connection)
947 p1 = [Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
948 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
949 UDP(sport=21, dport=20) / payload,
950 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
951 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
952 TCP(sport=21, dport=20, flags="S") / payload,
953 Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
954 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
955 ICMP(type='echo-request', id=7777) / payload,
958 capture = self.send_and_expect(self.pg0, p1, self.pg1)
960 # out2in (send error message)
961 p2 = [Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
962 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
963 ICMP(type='dest-unreach', code='port-unreachable') /
967 capture = self.send_and_expect(self.pg1, p2, self.pg0)
971 assert c[IP].dst == self.pg0.remote_ip4
972 assert c[IPerror].src == self.pg0.remote_ip4
973 except AssertionError as a:
974 raise AssertionError(
975 f"Packet {pr(c)} not translated properly") from a
977 def test_icmp_echo_reply_trailer(self):
978 """ ICMP echo reply with ethernet trailer"""
980 self.nat_add_address(self.nat_addr)
981 self.nat_add_inside_interface(self.pg0)
982 self.nat_add_outside_interface(self.pg1)
985 p1 = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
986 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
987 ICMP(type=8, id=0xabcd, seq=0))
989 self.pg0.add_stream(p1)
990 self.pg_enable_capture(self.pg_interfaces)
992 c = self.pg1.get_capture(1)[0]
994 self.logger.debug(self.vapi.cli("show trace"))
997 p2 = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
998 IP(src=self.pg1.remote_ip4, dst=self.nat_addr, id=0xee59) /
999 ICMP(type=0, id=c[ICMP].id, seq=0))
1001 # force checksum calculation
1002 p2 = p2.__class__(bytes(p2))
1004 self.logger.debug(ppp("Packet before modification:", p2))
1006 # hex representation of vss monitoring ethernet trailer
1007 # this seems to be just added to end of packet without modifying
1008 # IP or ICMP lengths / checksums
1009 p2 = p2 / Raw("\x00\x00\x52\x54\x00\x46\xab\x04\x84\x18")
1010 # change it so that IP/ICMP is unaffected
1013 self.logger.debug(ppp("Packet with added trailer:", p2))
1015 self.pg1.add_stream(p2)
1016 self.pg_enable_capture(self.pg_interfaces)
1019 self.pg0.get_capture(1)
1021 def test_users_dump(self):
1022 """ NAT44ED API test - nat44_user_dump """
1024 self.nat_add_address(self.nat_addr)
1025 self.nat_add_inside_interface(self.pg0)
1026 self.nat_add_outside_interface(self.pg1)
1028 self.vapi.nat44_forwarding_enable_disable(enable=1)
1030 local_ip = self.pg0.remote_ip4
1031 external_ip = self.nat_addr
1032 self.nat_add_static_mapping(local_ip, external_ip)
1034 users = self.vapi.nat44_user_dump()
1035 self.assertEqual(len(users), 0)
1037 # in2out - static mapping match
1039 pkts = self.create_stream_out(self.pg1)
1040 self.pg1.add_stream(pkts)
1041 self.pg_enable_capture(self.pg_interfaces)
1043 capture = self.pg0.get_capture(len(pkts))
1044 self.verify_capture_in(capture, self.pg0)
1046 pkts = self.create_stream_in(self.pg0, self.pg1)
1047 self.pg0.add_stream(pkts)
1048 self.pg_enable_capture(self.pg_interfaces)
1050 capture = self.pg1.get_capture(len(pkts))
1051 self.verify_capture_out(capture, same_port=True)
1053 users = self.vapi.nat44_user_dump()
1054 self.assertEqual(len(users), 1)
1055 static_user = users[0]
1056 self.assertEqual(static_user.nstaticsessions, 3)
1057 self.assertEqual(static_user.nsessions, 0)
1059 # in2out - no static mapping match (forwarding test)
1061 host0 = self.pg0.remote_hosts[0]
1062 self.pg0.remote_hosts[0] = self.pg0.remote_hosts[1]
1064 pkts = self.create_stream_out(self.pg1,
1065 dst_ip=self.pg0.remote_ip4,
1066 use_inside_ports=True)
1067 self.pg1.add_stream(pkts)
1068 self.pg_enable_capture(self.pg_interfaces)
1070 capture = self.pg0.get_capture(len(pkts))
1071 self.verify_capture_in(capture, self.pg0)
1073 pkts = self.create_stream_in(self.pg0, self.pg1)
1074 self.pg0.add_stream(pkts)
1075 self.pg_enable_capture(self.pg_interfaces)
1077 capture = self.pg1.get_capture(len(pkts))
1078 self.verify_capture_out(capture, nat_ip=self.pg0.remote_ip4,
1081 self.pg0.remote_hosts[0] = host0
1083 users = self.vapi.nat44_user_dump()
1084 self.assertEqual(len(users), 2)
1085 if str(users[0].ip_address) == self.pg0.remote_hosts[0].ip4:
1086 non_static_user = users[1]
1087 static_user = users[0]
1089 non_static_user = users[0]
1090 static_user = users[1]
1091 self.assertEqual(static_user.nstaticsessions, 3)
1092 self.assertEqual(static_user.nsessions, 0)
1093 self.assertEqual(non_static_user.nstaticsessions, 0)
1094 self.assertEqual(non_static_user.nsessions, 3)
1096 users = self.vapi.nat44_user_dump()
1097 self.assertEqual(len(users), 2)
1098 if str(users[0].ip_address) == self.pg0.remote_hosts[0].ip4:
1099 non_static_user = users[1]
1100 static_user = users[0]
1102 non_static_user = users[0]
1103 static_user = users[1]
1104 self.assertEqual(static_user.nstaticsessions, 3)
1105 self.assertEqual(static_user.nsessions, 0)
1106 self.assertEqual(non_static_user.nstaticsessions, 0)
1107 self.assertEqual(non_static_user.nsessions, 3)
1109 def test_frag_out_of_order_do_not_translate(self):
1110 """ NAT44ED don't translate fragments arriving out of order """
1111 self.nat_add_inside_interface(self.pg0)
1112 self.nat_add_outside_interface(self.pg1)
1113 self.vapi.nat44_forwarding_enable_disable(enable=True)
1114 self.frag_out_of_order(proto=IP_PROTOS.tcp, dont_translate=True)
1116 def test_forwarding(self):
1117 """ NAT44ED forwarding test """
1119 self.nat_add_inside_interface(self.pg0)
1120 self.nat_add_outside_interface(self.pg1)
1121 self.vapi.nat44_forwarding_enable_disable(enable=1)
1123 real_ip = self.pg0.remote_ip4
1124 alias_ip = self.nat_addr
1125 flags = self.config_flags.NAT_IS_ADDR_ONLY
1126 self.vapi.nat44_add_del_static_mapping(is_add=1,
1127 local_ip_address=real_ip,
1128 external_ip_address=alias_ip,
1129 external_sw_if_index=0xFFFFFFFF,
1133 # in2out - static mapping match
1135 pkts = self.create_stream_out(self.pg1)
1136 self.pg1.add_stream(pkts)
1137 self.pg_enable_capture(self.pg_interfaces)
1139 capture = self.pg0.get_capture(len(pkts))
1140 self.verify_capture_in(capture, self.pg0)
1142 pkts = self.create_stream_in(self.pg0, self.pg1)
1143 self.pg0.add_stream(pkts)
1144 self.pg_enable_capture(self.pg_interfaces)
1146 capture = self.pg1.get_capture(len(pkts))
1147 self.verify_capture_out(capture, same_port=True)
1149 # in2out - no static mapping match
1151 host0 = self.pg0.remote_hosts[0]
1152 self.pg0.remote_hosts[0] = self.pg0.remote_hosts[1]
1154 pkts = self.create_stream_out(self.pg1,
1155 dst_ip=self.pg0.remote_ip4,
1156 use_inside_ports=True)
1157 self.pg1.add_stream(pkts)
1158 self.pg_enable_capture(self.pg_interfaces)
1160 capture = self.pg0.get_capture(len(pkts))
1161 self.verify_capture_in(capture, self.pg0)
1163 pkts = self.create_stream_in(self.pg0, self.pg1)
1164 self.pg0.add_stream(pkts)
1165 self.pg_enable_capture(self.pg_interfaces)
1167 capture = self.pg1.get_capture(len(pkts))
1168 self.verify_capture_out(capture, nat_ip=self.pg0.remote_ip4,
1171 self.pg0.remote_hosts[0] = host0
1173 user = self.pg0.remote_hosts[1]
1174 sessions = self.vapi.nat44_user_session_dump(user.ip4, 0)
1175 self.assertEqual(len(sessions), 3)
1176 self.assertTrue(sessions[0].flags &
1177 self.config_flags.NAT_IS_EXT_HOST_VALID)
1178 self.vapi.nat44_del_session(
1179 address=sessions[0].inside_ip_address,
1180 port=sessions[0].inside_port,
1181 protocol=sessions[0].protocol,
1182 flags=(self.config_flags.NAT_IS_INSIDE |
1183 self.config_flags.NAT_IS_EXT_HOST_VALID),
1184 ext_host_address=sessions[0].ext_host_address,
1185 ext_host_port=sessions[0].ext_host_port)
1186 sessions = self.vapi.nat44_user_session_dump(user.ip4, 0)
1187 self.assertEqual(len(sessions), 2)
1190 self.vapi.nat44_forwarding_enable_disable(enable=0)
1191 flags = self.config_flags.NAT_IS_ADDR_ONLY
1192 self.vapi.nat44_add_del_static_mapping(
1194 local_ip_address=real_ip,
1195 external_ip_address=alias_ip,
1196 external_sw_if_index=0xFFFFFFFF,
1199 def test_output_feature_and_service2(self):
1200 """ NAT44ED interface output feature and service host direct access """
1201 self.vapi.nat44_forwarding_enable_disable(enable=1)
1202 self.nat_add_address(self.nat_addr)
1204 self.vapi.nat44_interface_add_del_output_feature(
1205 sw_if_index=self.pg1.sw_if_index, is_add=1,)
1207 # session initiated from service host - translate
1208 pkts = self.create_stream_in(self.pg0, self.pg1)
1209 self.pg0.add_stream(pkts)
1210 self.pg_enable_capture(self.pg_interfaces)
1212 capture = self.pg1.get_capture(len(pkts))
1213 self.verify_capture_out(capture, ignore_port=True)
1215 pkts = self.create_stream_out(self.pg1)
1216 self.pg1.add_stream(pkts)
1217 self.pg_enable_capture(self.pg_interfaces)
1219 capture = self.pg0.get_capture(len(pkts))
1220 self.verify_capture_in(capture, self.pg0)
1222 # session initiated from remote host - do not translate
1223 tcp_port_in = self.tcp_port_in
1224 udp_port_in = self.udp_port_in
1225 icmp_id_in = self.icmp_id_in
1227 self.tcp_port_in = 60303
1228 self.udp_port_in = 60304
1229 self.icmp_id_in = 60305
1232 pkts = self.create_stream_out(self.pg1,
1233 self.pg0.remote_ip4,
1234 use_inside_ports=True)
1235 self.pg1.add_stream(pkts)
1236 self.pg_enable_capture(self.pg_interfaces)
1238 capture = self.pg0.get_capture(len(pkts))
1239 self.verify_capture_in(capture, self.pg0)
1241 pkts = self.create_stream_in(self.pg0, self.pg1)
1242 self.pg0.add_stream(pkts)
1243 self.pg_enable_capture(self.pg_interfaces)
1245 capture = self.pg1.get_capture(len(pkts))
1246 self.verify_capture_out(capture, nat_ip=self.pg0.remote_ip4,
1249 self.tcp_port_in = tcp_port_in
1250 self.udp_port_in = udp_port_in
1251 self.icmp_id_in = icmp_id_in
1253 def test_twice_nat(self):
1254 """ NAT44ED Twice NAT """
1255 self.twice_nat_common()
1257 def test_self_twice_nat_positive(self):
1258 """ NAT44ED Self Twice NAT (positive test) """
1259 self.twice_nat_common(self_twice_nat=True, same_pg=True)
1261 def test_self_twice_nat_lb_positive(self):
1262 """ NAT44ED Self Twice NAT local service load balancing (positive test)
1264 self.twice_nat_common(lb=True, self_twice_nat=True, same_pg=True,
1267 def test_twice_nat_lb(self):
1268 """ NAT44ED Twice NAT local service load balancing """
1269 self.twice_nat_common(lb=True)
1271 def test_output_feature(self):
1272 """ NAT44ED interface output feature (in2out postrouting) """
1273 self.vapi.nat44_forwarding_enable_disable(enable=1)
1274 self.nat_add_address(self.nat_addr)
1276 self.nat_add_outside_interface(self.pg0)
1277 self.vapi.nat44_interface_add_del_output_feature(
1278 sw_if_index=self.pg1.sw_if_index, is_add=1)
1281 pkts = self.create_stream_in(self.pg0, self.pg1)
1282 self.pg0.add_stream(pkts)
1283 self.pg_enable_capture(self.pg_interfaces)
1285 capture = self.pg1.get_capture(len(pkts))
1286 self.verify_capture_out(capture, ignore_port=True)
1287 self.logger.debug(self.vapi.cli("show trace"))
1290 pkts = self.create_stream_out(self.pg1)
1291 self.pg1.add_stream(pkts)
1292 self.pg_enable_capture(self.pg_interfaces)
1294 capture = self.pg0.get_capture(len(pkts))
1295 self.verify_capture_in(capture, self.pg0)
1296 self.logger.debug(self.vapi.cli("show trace"))
1299 pkts = self.create_stream_in(self.pg0, self.pg1, ttl=2)
1300 self.pg0.add_stream(pkts)
1301 self.pg_enable_capture(self.pg_interfaces)
1303 capture = self.pg1.get_capture(len(pkts))
1304 self.verify_capture_out(capture, ignore_port=True)
1305 self.logger.debug(self.vapi.cli("show trace"))
1308 pkts = self.create_stream_out(self.pg1, ttl=2)
1309 self.pg1.add_stream(pkts)
1310 self.pg_enable_capture(self.pg_interfaces)
1312 capture = self.pg0.get_capture(len(pkts))
1313 self.verify_capture_in(capture, self.pg0)
1314 self.logger.debug(self.vapi.cli("show trace"))
1317 pkts = self.create_stream_in(self.pg0, self.pg1, ttl=1)
1318 capture = self.send_and_expect_some(self.pg0, pkts, self.pg0)
1320 self.assertIn(ICMP, p)
1321 self.assertEqual(p[ICMP].type, 11) # 11 == time-exceeded
1323 def test_static_with_port_out2(self):
1324 """ NAT44ED 1:1 NAPT asymmetrical rule """
1329 self.vapi.nat44_forwarding_enable_disable(enable=1)
1330 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
1331 self.nat_add_static_mapping(self.pg0.remote_ip4, self.nat_addr,
1332 local_port, external_port,
1333 proto=IP_PROTOS.tcp, flags=flags)
1335 self.nat_add_inside_interface(self.pg0)
1336 self.nat_add_outside_interface(self.pg1)
1338 # from client to service
1339 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
1340 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
1341 TCP(sport=12345, dport=external_port))
1342 self.pg1.add_stream(p)
1343 self.pg_enable_capture(self.pg_interfaces)
1345 capture = self.pg0.get_capture(1)
1350 self.assertEqual(ip.dst, self.pg0.remote_ip4)
1351 self.assertEqual(tcp.dport, local_port)
1352 self.assert_packet_checksums_valid(p)
1354 self.logger.error(ppp("Unexpected or invalid packet:", p))
1358 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
1359 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
1360 ICMP(type=11) / capture[0][IP])
1361 self.pg0.add_stream(p)
1362 self.pg_enable_capture(self.pg_interfaces)
1364 capture = self.pg1.get_capture(1)
1367 self.assertEqual(p[IP].src, self.nat_addr)
1369 self.assertEqual(inner.dst, self.nat_addr)
1370 self.assertEqual(inner[TCPerror].dport, external_port)
1372 self.logger.error(ppp("Unexpected or invalid packet:", p))
1375 # from service back to client
1376 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
1377 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
1378 TCP(sport=local_port, dport=12345))
1379 self.pg0.add_stream(p)
1380 self.pg_enable_capture(self.pg_interfaces)
1382 capture = self.pg1.get_capture(1)
1387 self.assertEqual(ip.src, self.nat_addr)
1388 self.assertEqual(tcp.sport, external_port)
1389 self.assert_packet_checksums_valid(p)
1391 self.logger.error(ppp("Unexpected or invalid packet:", p))
1395 p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
1396 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
1397 ICMP(type=11) / capture[0][IP])
1398 self.pg1.add_stream(p)
1399 self.pg_enable_capture(self.pg_interfaces)
1401 capture = self.pg0.get_capture(1)
1404 self.assertEqual(p[IP].dst, self.pg0.remote_ip4)
1406 self.assertEqual(inner.src, self.pg0.remote_ip4)
1407 self.assertEqual(inner[TCPerror].sport, local_port)
1409 self.logger.error(ppp("Unexpected or invalid packet:", p))
1412 # from client to server (no translation)
1413 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
1414 IP(src=self.pg1.remote_ip4, dst=self.pg0.remote_ip4) /
1415 TCP(sport=12346, dport=local_port))
1416 self.pg1.add_stream(p)
1417 self.pg_enable_capture(self.pg_interfaces)
1419 capture = self.pg0.get_capture(1)
1424 self.assertEqual(ip.dst, self.pg0.remote_ip4)
1425 self.assertEqual(tcp.dport, local_port)
1426 self.assert_packet_checksums_valid(p)
1428 self.logger.error(ppp("Unexpected or invalid packet:", p))
1431 # from service back to client (no translation)
1432 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
1433 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
1434 TCP(sport=local_port, dport=12346))
1435 self.pg0.add_stream(p)
1436 self.pg_enable_capture(self.pg_interfaces)
1438 capture = self.pg1.get_capture(1)
1443 self.assertEqual(ip.src, self.pg0.remote_ip4)
1444 self.assertEqual(tcp.sport, local_port)
1445 self.assert_packet_checksums_valid(p)
1447 self.logger.error(ppp("Unexpected or invalid packet:", p))
1450 def test_static_lb(self):
1451 """ NAT44ED local service load balancing """
1452 external_addr_n = self.nat_addr
1455 server1 = self.pg0.remote_hosts[0]
1456 server2 = self.pg0.remote_hosts[1]
1458 locals = [{'addr': server1.ip4,
1462 {'addr': server2.ip4,
1467 self.nat_add_address(self.nat_addr)
1468 self.vapi.nat44_add_del_lb_static_mapping(
1470 external_addr=external_addr_n,
1471 external_port=external_port,
1472 protocol=IP_PROTOS.tcp,
1473 local_num=len(locals),
1475 flags = self.config_flags.NAT_IS_INSIDE
1476 self.vapi.nat44_interface_add_del_feature(
1477 sw_if_index=self.pg0.sw_if_index,
1478 flags=flags, is_add=1)
1479 self.vapi.nat44_interface_add_del_feature(
1480 sw_if_index=self.pg1.sw_if_index,
1483 # from client to service
1484 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
1485 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
1486 TCP(sport=12345, dport=external_port))
1487 self.pg1.add_stream(p)
1488 self.pg_enable_capture(self.pg_interfaces)
1490 capture = self.pg0.get_capture(1)
1496 self.assertIn(ip.dst, [server1.ip4, server2.ip4])
1497 if ip.dst == server1.ip4:
1501 self.assertEqual(tcp.dport, local_port)
1502 self.assert_packet_checksums_valid(p)
1504 self.logger.error(ppp("Unexpected or invalid packet:", p))
1507 # from service back to client
1508 p = (Ether(src=server.mac, dst=self.pg0.local_mac) /
1509 IP(src=server.ip4, dst=self.pg1.remote_ip4) /
1510 TCP(sport=local_port, dport=12345))
1511 self.pg0.add_stream(p)
1512 self.pg_enable_capture(self.pg_interfaces)
1514 capture = self.pg1.get_capture(1)
1519 self.assertEqual(ip.src, self.nat_addr)
1520 self.assertEqual(tcp.sport, external_port)
1521 self.assert_packet_checksums_valid(p)
1523 self.logger.error(ppp("Unexpected or invalid packet:", p))
1526 sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
1527 self.assertEqual(len(sessions), 1)
1528 self.assertTrue(sessions[0].flags &
1529 self.config_flags.NAT_IS_EXT_HOST_VALID)
1530 self.vapi.nat44_del_session(
1531 address=sessions[0].inside_ip_address,
1532 port=sessions[0].inside_port,
1533 protocol=sessions[0].protocol,
1534 flags=(self.config_flags.NAT_IS_INSIDE |
1535 self.config_flags.NAT_IS_EXT_HOST_VALID),
1536 ext_host_address=sessions[0].ext_host_address,
1537 ext_host_port=sessions[0].ext_host_port)
1538 sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
1539 self.assertEqual(len(sessions), 0)
1541 def test_static_lb_2(self):
1542 """ NAT44ED local service load balancing (asymmetrical rule) """
1543 external_addr = self.nat_addr
1546 server1 = self.pg0.remote_hosts[0]
1547 server2 = self.pg0.remote_hosts[1]
1549 locals = [{'addr': server1.ip4,
1553 {'addr': server2.ip4,
1558 self.vapi.nat44_forwarding_enable_disable(enable=1)
1559 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
1560 self.vapi.nat44_add_del_lb_static_mapping(is_add=1, flags=flags,
1561 external_addr=external_addr,
1562 external_port=external_port,
1563 protocol=IP_PROTOS.tcp,
1564 local_num=len(locals),
1566 flags = self.config_flags.NAT_IS_INSIDE
1567 self.vapi.nat44_interface_add_del_feature(
1568 sw_if_index=self.pg0.sw_if_index,
1569 flags=flags, is_add=1)
1570 self.vapi.nat44_interface_add_del_feature(
1571 sw_if_index=self.pg1.sw_if_index,
1574 # from client to service
1575 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
1576 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
1577 TCP(sport=12345, dport=external_port))
1578 self.pg1.add_stream(p)
1579 self.pg_enable_capture(self.pg_interfaces)
1581 capture = self.pg0.get_capture(1)
1587 self.assertIn(ip.dst, [server1.ip4, server2.ip4])
1588 if ip.dst == server1.ip4:
1592 self.assertEqual(tcp.dport, local_port)
1593 self.assert_packet_checksums_valid(p)
1595 self.logger.error(ppp("Unexpected or invalid packet:", p))
1598 # from service back to client
1599 p = (Ether(src=server.mac, dst=self.pg0.local_mac) /
1600 IP(src=server.ip4, dst=self.pg1.remote_ip4) /
1601 TCP(sport=local_port, dport=12345))
1602 self.pg0.add_stream(p)
1603 self.pg_enable_capture(self.pg_interfaces)
1605 capture = self.pg1.get_capture(1)
1610 self.assertEqual(ip.src, self.nat_addr)
1611 self.assertEqual(tcp.sport, external_port)
1612 self.assert_packet_checksums_valid(p)
1614 self.logger.error(ppp("Unexpected or invalid packet:", p))
1617 # from client to server (no translation)
1618 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
1619 IP(src=self.pg1.remote_ip4, dst=server1.ip4) /
1620 TCP(sport=12346, dport=local_port))
1621 self.pg1.add_stream(p)
1622 self.pg_enable_capture(self.pg_interfaces)
1624 capture = self.pg0.get_capture(1)
1630 self.assertEqual(ip.dst, server1.ip4)
1631 self.assertEqual(tcp.dport, local_port)
1632 self.assert_packet_checksums_valid(p)
1634 self.logger.error(ppp("Unexpected or invalid packet:", p))
1637 # from service back to client (no translation)
1638 p = (Ether(src=server1.mac, dst=self.pg0.local_mac) /
1639 IP(src=server1.ip4, dst=self.pg1.remote_ip4) /
1640 TCP(sport=local_port, dport=12346))
1641 self.pg0.add_stream(p)
1642 self.pg_enable_capture(self.pg_interfaces)
1644 capture = self.pg1.get_capture(1)
1649 self.assertEqual(ip.src, server1.ip4)
1650 self.assertEqual(tcp.sport, local_port)
1651 self.assert_packet_checksums_valid(p)
1653 self.logger.error(ppp("Unexpected or invalid packet:", p))
1656 def test_lb_affinity(self):
1657 """ NAT44ED local service load balancing affinity """
1658 external_addr = self.nat_addr
1661 server1 = self.pg0.remote_hosts[0]
1662 server2 = self.pg0.remote_hosts[1]
1664 locals = [{'addr': server1.ip4,
1668 {'addr': server2.ip4,
1673 self.nat_add_address(self.nat_addr)
1674 self.vapi.nat44_add_del_lb_static_mapping(is_add=1,
1675 external_addr=external_addr,
1676 external_port=external_port,
1677 protocol=IP_PROTOS.tcp,
1679 local_num=len(locals),
1681 flags = self.config_flags.NAT_IS_INSIDE
1682 self.vapi.nat44_interface_add_del_feature(
1683 sw_if_index=self.pg0.sw_if_index,
1684 flags=flags, is_add=1)
1685 self.vapi.nat44_interface_add_del_feature(
1686 sw_if_index=self.pg1.sw_if_index,
1689 p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
1690 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
1691 TCP(sport=1025, dport=external_port))
1692 self.pg1.add_stream(p)
1693 self.pg_enable_capture(self.pg_interfaces)
1695 capture = self.pg0.get_capture(1)
1696 backend = capture[0][IP].dst
1698 sessions = self.vapi.nat44_user_session_dump(backend, 0)
1699 self.assertEqual(len(sessions), 1)
1700 self.assertTrue(sessions[0].flags &
1701 self.config_flags.NAT_IS_EXT_HOST_VALID)
1702 self.vapi.nat44_del_session(
1703 address=sessions[0].inside_ip_address,
1704 port=sessions[0].inside_port,
1705 protocol=sessions[0].protocol,
1706 flags=(self.config_flags.NAT_IS_INSIDE |
1707 self.config_flags.NAT_IS_EXT_HOST_VALID),
1708 ext_host_address=sessions[0].ext_host_address,
1709 ext_host_port=sessions[0].ext_host_port)
1712 for port in range(1030, 1100):
1713 p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
1714 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
1715 TCP(sport=port, dport=external_port))
1717 self.pg1.add_stream(pkts)
1718 self.pg_enable_capture(self.pg_interfaces)
1720 capture = self.pg0.get_capture(len(pkts))
1722 self.assertEqual(p[IP].dst, backend)
1724 def test_multiple_vrf_1(self):
1725 """ Multiple VRF - both client & service in VRF1 """
1727 external_addr = '1.2.3.4'
1732 flags = self.config_flags.NAT_IS_INSIDE
1733 self.vapi.nat44_interface_add_del_feature(
1734 sw_if_index=self.pg5.sw_if_index,
1736 self.vapi.nat44_interface_add_del_feature(
1737 sw_if_index=self.pg5.sw_if_index,
1738 is_add=1, flags=flags)
1739 self.vapi.nat44_interface_add_del_feature(
1740 sw_if_index=self.pg6.sw_if_index,
1742 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
1743 self.nat_add_static_mapping(self.pg5.remote_ip4, external_addr,
1744 local_port, external_port, vrf_id=1,
1745 proto=IP_PROTOS.tcp, flags=flags)
1747 p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) /
1748 IP(src=self.pg6.remote_ip4, dst=external_addr) /
1749 TCP(sport=12345, dport=external_port))
1750 self.pg6.add_stream(p)
1751 self.pg_enable_capture(self.pg_interfaces)
1753 capture = self.pg5.get_capture(1)
1758 self.assertEqual(ip.dst, self.pg5.remote_ip4)
1759 self.assertEqual(tcp.dport, local_port)
1760 self.assert_packet_checksums_valid(p)
1762 self.logger.error(ppp("Unexpected or invalid packet:", p))
1765 p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) /
1766 IP(src=self.pg5.remote_ip4, dst=self.pg6.remote_ip4) /
1767 TCP(sport=local_port, dport=12345))
1768 self.pg5.add_stream(p)
1769 self.pg_enable_capture(self.pg_interfaces)
1771 capture = self.pg6.get_capture(1)
1776 self.assertEqual(ip.src, external_addr)
1777 self.assertEqual(tcp.sport, external_port)
1778 self.assert_packet_checksums_valid(p)
1780 self.logger.error(ppp("Unexpected or invalid packet:", p))
1783 def test_multiple_vrf_2(self):
1784 """ Multiple VRF - dynamic NAT from VRF1 to VRF0 (output-feature) """
1786 external_addr = '1.2.3.4'
1791 self.nat_add_address(self.nat_addr)
1792 flags = self.config_flags.NAT_IS_INSIDE
1793 self.vapi.nat44_interface_add_del_output_feature(
1794 sw_if_index=self.pg1.sw_if_index,
1796 self.vapi.nat44_interface_add_del_feature(
1797 sw_if_index=self.pg5.sw_if_index,
1799 self.vapi.nat44_interface_add_del_feature(
1800 sw_if_index=self.pg5.sw_if_index,
1801 is_add=1, flags=flags)
1802 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
1803 self.nat_add_static_mapping(self.pg5.remote_ip4, external_addr,
1804 local_port, external_port, vrf_id=1,
1805 proto=IP_PROTOS.tcp, flags=flags)
1807 p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) /
1808 IP(src=self.pg5.remote_ip4, dst=self.pg1.remote_ip4) /
1809 TCP(sport=2345, dport=22))
1810 self.pg5.add_stream(p)
1811 self.pg_enable_capture(self.pg_interfaces)
1813 capture = self.pg1.get_capture(1)
1818 self.assertEqual(ip.src, self.nat_addr)
1819 self.assert_packet_checksums_valid(p)
1822 self.logger.error(ppp("Unexpected or invalid packet:", p))
1825 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
1826 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
1827 TCP(sport=22, dport=port))
1828 self.pg1.add_stream(p)
1829 self.pg_enable_capture(self.pg_interfaces)
1831 capture = self.pg5.get_capture(1)
1836 self.assertEqual(ip.dst, self.pg5.remote_ip4)
1837 self.assertEqual(tcp.dport, 2345)
1838 self.assert_packet_checksums_valid(p)
1840 self.logger.error(ppp("Unexpected or invalid packet:", p))
1843 def test_multiple_vrf_3(self):
1844 """ Multiple VRF - client in VRF1, service in VRF0 """
1846 external_addr = '1.2.3.4'
1851 flags = self.config_flags.NAT_IS_INSIDE
1852 self.vapi.nat44_interface_add_del_feature(
1853 sw_if_index=self.pg0.sw_if_index,
1855 self.vapi.nat44_interface_add_del_feature(
1856 sw_if_index=self.pg0.sw_if_index,
1857 is_add=1, flags=flags)
1858 self.vapi.nat44_interface_add_del_feature(
1859 sw_if_index=self.pg6.sw_if_index,
1861 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
1862 self.nat_add_static_mapping(
1863 self.pg0.remote_ip4,
1864 external_sw_if_index=self.pg0.sw_if_index,
1865 local_port=local_port,
1867 external_port=external_port,
1868 proto=IP_PROTOS.tcp,
1872 # from client VRF1 to service VRF0
1873 p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) /
1874 IP(src=self.pg6.remote_ip4, dst=self.pg0.local_ip4) /
1875 TCP(sport=12346, dport=external_port))
1876 self.pg6.add_stream(p)
1877 self.pg_enable_capture(self.pg_interfaces)
1879 capture = self.pg0.get_capture(1)
1884 self.assertEqual(ip.dst, self.pg0.remote_ip4)
1885 self.assertEqual(tcp.dport, local_port)
1886 self.assert_packet_checksums_valid(p)
1888 self.logger.error(ppp("Unexpected or invalid packet:", p))
1891 # from service VRF0 back to client VRF1
1892 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
1893 IP(src=self.pg0.remote_ip4, dst=self.pg6.remote_ip4) /
1894 TCP(sport=local_port, dport=12346))
1895 self.pg0.add_stream(p)
1896 self.pg_enable_capture(self.pg_interfaces)
1898 capture = self.pg6.get_capture(1)
1903 self.assertEqual(ip.src, self.pg0.local_ip4)
1904 self.assertEqual(tcp.sport, external_port)
1905 self.assert_packet_checksums_valid(p)
1907 self.logger.error(ppp("Unexpected or invalid packet:", p))
1910 def test_multiple_vrf_4(self):
1911 """ Multiple VRF - client in VRF0, service in VRF1 """
1913 external_addr = '1.2.3.4'
1918 flags = self.config_flags.NAT_IS_INSIDE
1919 self.vapi.nat44_interface_add_del_feature(
1920 sw_if_index=self.pg0.sw_if_index,
1922 self.vapi.nat44_interface_add_del_feature(
1923 sw_if_index=self.pg0.sw_if_index,
1924 is_add=1, flags=flags)
1925 self.vapi.nat44_interface_add_del_feature(
1926 sw_if_index=self.pg5.sw_if_index,
1928 self.vapi.nat44_interface_add_del_feature(
1929 sw_if_index=self.pg5.sw_if_index,
1930 is_add=1, flags=flags)
1931 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
1932 self.nat_add_static_mapping(self.pg5.remote_ip4, external_addr,
1933 local_port, external_port, vrf_id=1,
1934 proto=IP_PROTOS.tcp, flags=flags)
1936 # from client VRF0 to service VRF1
1937 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
1938 IP(src=self.pg0.remote_ip4, dst=external_addr) /
1939 TCP(sport=12347, dport=external_port))
1940 self.pg0.add_stream(p)
1941 self.pg_enable_capture(self.pg_interfaces)
1943 capture = self.pg5.get_capture(1)
1948 self.assertEqual(ip.dst, self.pg5.remote_ip4)
1949 self.assertEqual(tcp.dport, local_port)
1950 self.assert_packet_checksums_valid(p)
1952 self.logger.error(ppp("Unexpected or invalid packet:", p))
1955 # from service VRF1 back to client VRF0
1956 p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) /
1957 IP(src=self.pg5.remote_ip4, dst=self.pg0.remote_ip4) /
1958 TCP(sport=local_port, dport=12347))
1959 self.pg5.add_stream(p)
1960 self.pg_enable_capture(self.pg_interfaces)
1962 capture = self.pg0.get_capture(1)
1967 self.assertEqual(ip.src, external_addr)
1968 self.assertEqual(tcp.sport, external_port)
1969 self.assert_packet_checksums_valid(p)
1971 self.logger.error(ppp("Unexpected or invalid packet:", p))
1974 def test_multiple_vrf_5(self):
1975 """ Multiple VRF - forwarding - no translation """
1977 external_addr = '1.2.3.4'
1982 self.vapi.nat44_forwarding_enable_disable(enable=1)
1983 flags = self.config_flags.NAT_IS_INSIDE
1984 self.vapi.nat44_interface_add_del_feature(
1985 sw_if_index=self.pg0.sw_if_index,
1987 self.vapi.nat44_interface_add_del_feature(
1988 sw_if_index=self.pg0.sw_if_index,
1989 is_add=1, flags=flags)
1990 self.vapi.nat44_interface_add_del_feature(
1991 sw_if_index=self.pg5.sw_if_index,
1993 self.vapi.nat44_interface_add_del_feature(
1994 sw_if_index=self.pg5.sw_if_index,
1995 is_add=1, flags=flags)
1996 self.vapi.nat44_interface_add_del_feature(
1997 sw_if_index=self.pg6.sw_if_index,
1999 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
2000 self.nat_add_static_mapping(self.pg5.remote_ip4, external_addr,
2001 local_port, external_port, vrf_id=1,
2002 proto=IP_PROTOS.tcp, flags=flags)
2003 self.nat_add_static_mapping(
2004 self.pg0.remote_ip4,
2005 external_sw_if_index=self.pg0.sw_if_index,
2006 local_port=local_port,
2008 external_port=external_port,
2009 proto=IP_PROTOS.tcp,
2013 # from client to server (both VRF1, no translation)
2014 p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) /
2015 IP(src=self.pg6.remote_ip4, dst=self.pg5.remote_ip4) /
2016 TCP(sport=12348, dport=local_port))
2017 self.pg6.add_stream(p)
2018 self.pg_enable_capture(self.pg_interfaces)
2020 capture = self.pg5.get_capture(1)
2025 self.assertEqual(ip.dst, self.pg5.remote_ip4)
2026 self.assertEqual(tcp.dport, local_port)
2027 self.assert_packet_checksums_valid(p)
2029 self.logger.error(ppp("Unexpected or invalid packet:", p))
2032 # from server back to client (both VRF1, no translation)
2033 p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) /
2034 IP(src=self.pg5.remote_ip4, dst=self.pg6.remote_ip4) /
2035 TCP(sport=local_port, dport=12348))
2036 self.pg5.add_stream(p)
2037 self.pg_enable_capture(self.pg_interfaces)
2039 capture = self.pg6.get_capture(1)
2044 self.assertEqual(ip.src, self.pg5.remote_ip4)
2045 self.assertEqual(tcp.sport, local_port)
2046 self.assert_packet_checksums_valid(p)
2048 self.logger.error(ppp("Unexpected or invalid packet:", p))
2051 # from client VRF1 to server VRF0 (no translation)
2052 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2053 IP(src=self.pg0.remote_ip4, dst=self.pg6.remote_ip4) /
2054 TCP(sport=local_port, dport=12349))
2055 self.pg0.add_stream(p)
2056 self.pg_enable_capture(self.pg_interfaces)
2058 capture = self.pg6.get_capture(1)
2063 self.assertEqual(ip.src, self.pg0.remote_ip4)
2064 self.assertEqual(tcp.sport, local_port)
2065 self.assert_packet_checksums_valid(p)
2067 self.logger.error(ppp("Unexpected or invalid packet:", p))
2070 # from server VRF0 back to client VRF1 (no translation)
2071 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2072 IP(src=self.pg0.remote_ip4, dst=self.pg6.remote_ip4) /
2073 TCP(sport=local_port, dport=12349))
2074 self.pg0.add_stream(p)
2075 self.pg_enable_capture(self.pg_interfaces)
2077 capture = self.pg6.get_capture(1)
2082 self.assertEqual(ip.src, self.pg0.remote_ip4)
2083 self.assertEqual(tcp.sport, local_port)
2084 self.assert_packet_checksums_valid(p)
2086 self.logger.error(ppp("Unexpected or invalid packet:", p))
2089 # from client VRF0 to server VRF1 (no translation)
2090 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2091 IP(src=self.pg0.remote_ip4, dst=self.pg5.remote_ip4) /
2092 TCP(sport=12344, dport=local_port))
2093 self.pg0.add_stream(p)
2094 self.pg_enable_capture(self.pg_interfaces)
2096 capture = self.pg5.get_capture(1)
2101 self.assertEqual(ip.dst, self.pg5.remote_ip4)
2102 self.assertEqual(tcp.dport, local_port)
2103 self.assert_packet_checksums_valid(p)
2105 self.logger.error(ppp("Unexpected or invalid packet:", p))
2108 # from server VRF1 back to client VRF0 (no translation)
2109 p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) /
2110 IP(src=self.pg5.remote_ip4, dst=self.pg0.remote_ip4) /
2111 TCP(sport=local_port, dport=12344))
2112 self.pg5.add_stream(p)
2113 self.pg_enable_capture(self.pg_interfaces)
2115 capture = self.pg0.get_capture(1)
2120 self.assertEqual(ip.src, self.pg5.remote_ip4)
2121 self.assertEqual(tcp.sport, local_port)
2122 self.assert_packet_checksums_valid(p)
2124 self.logger.error(ppp("Unexpected or invalid packet:", p))
2127 def test_outside_address_distribution(self):
2128 """ Outside address distribution based on source address """
2133 for i in range(1, x):
2135 nat_addresses.append(a)
2137 self.nat_add_inside_interface(self.pg0)
2138 self.nat_add_outside_interface(self.pg1)
2140 self.vapi.nat44_add_del_address_range(
2141 first_ip_address=nat_addresses[0],
2142 last_ip_address=nat_addresses[-1],
2143 vrf_id=0xFFFFFFFF, is_add=1, flags=0)
2145 self.pg0.generate_remote_hosts(x)
2149 info = self.create_packet_info(self.pg0, self.pg1)
2150 payload = self.info_to_payload(info)
2151 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
2152 IP(src=self.pg0.remote_hosts[i].ip4,
2153 dst=self.pg1.remote_ip4) /
2154 UDP(sport=7000+i, dport=8000+i) /
2159 self.pg0.add_stream(pkts)
2160 self.pg_enable_capture(self.pg_interfaces)
2162 recvd = self.pg1.get_capture(len(pkts))
2163 for p_recvd in recvd:
2164 payload_info = self.payload_to_info(p_recvd[Raw])
2165 packet_index = payload_info.index
2166 info = self._packet_infos[packet_index]
2167 self.assertTrue(info is not None)
2168 self.assertEqual(packet_index, info.index)
2170 packed = socket.inet_aton(p_sent[IP].src)
2171 numeric = struct.unpack("!L", packed)[0]
2172 numeric = socket.htonl(numeric)
2173 a = nat_addresses[(numeric-1) % len(nat_addresses)]
2176 "Invalid packet (src IP %s translated to %s, but expected %s)"
2177 % (p_sent[IP].src, p_recvd[IP].src, a))
2180 class TestNAT44EDMW(TestNAT44ED):
2181 """ NAT44ED MW Test Case """
2182 vpp_worker_count = 4
2185 def test_dynamic(self):
2186 """ NAT44ED dynamic translation test """
2188 tcp_port_offset = 20
2189 udp_port_offset = 20
2192 self.nat_add_address(self.nat_addr)
2193 self.nat_add_inside_interface(self.pg0)
2194 self.nat_add_outside_interface(self.pg1)
2197 tc1 = self.statistics['/nat44-ed/in2out/slowpath/tcp']
2198 uc1 = self.statistics['/nat44-ed/in2out/slowpath/udp']
2199 ic1 = self.statistics['/nat44-ed/in2out/slowpath/icmp']
2200 dc1 = self.statistics['/nat44-ed/in2out/slowpath/drops']
2202 i2o_pkts = [[] for x in range(0, self.vpp_worker_count)]
2204 for i in range(pkt_count):
2205 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
2206 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
2207 TCP(sport=tcp_port_offset + i, dport=20))
2208 i2o_pkts[p[TCP].sport % self.vpp_worker_count].append(p)
2210 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
2211 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
2212 UDP(sport=udp_port_offset + i, dport=20))
2213 i2o_pkts[p[UDP].sport % self.vpp_worker_count].append(p)
2215 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
2216 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
2217 ICMP(id=icmp_id_offset + i, type='echo-request'))
2218 i2o_pkts[p[ICMP].id % self.vpp_worker_count].append(p)
2220 for i in range(0, self.vpp_worker_count):
2221 if len(i2o_pkts[i]) > 0:
2222 self.pg0.add_stream(i2o_pkts[i], worker=i)
2224 self.pg_enable_capture(self.pg_interfaces)
2226 capture = self.pg1.get_capture(pkt_count * 3, timeout=5)
2228 if_idx = self.pg0.sw_if_index
2229 tc2 = self.statistics['/nat44-ed/in2out/slowpath/tcp']
2230 uc2 = self.statistics['/nat44-ed/in2out/slowpath/udp']
2231 ic2 = self.statistics['/nat44-ed/in2out/slowpath/icmp']
2232 dc2 = self.statistics['/nat44-ed/in2out/slowpath/drops']
2235 tc2[:, if_idx].sum() - tc1[:, if_idx].sum(), pkt_count)
2237 uc2[:, if_idx].sum() - uc1[:, if_idx].sum(), pkt_count)
2239 ic2[:, if_idx].sum() - ic1[:, if_idx].sum(), pkt_count)
2240 self.assertEqual(dc2[:, if_idx].sum() - dc1[:, if_idx].sum(), 0)
2242 self.logger.info(self.vapi.cli("show trace"))
2245 tc1 = self.statistics['/nat44-ed/out2in/fastpath/tcp']
2246 uc1 = self.statistics['/nat44-ed/out2in/fastpath/udp']
2247 ic1 = self.statistics['/nat44-ed/out2in/fastpath/icmp']
2248 dc1 = self.statistics['/nat44-ed/out2in/fastpath/drops']
2250 recvd_tcp_ports = set()
2251 recvd_udp_ports = set()
2252 recvd_icmp_ids = set()
2256 recvd_tcp_ports.add(p[TCP].sport)
2258 recvd_udp_ports.add(p[UDP].sport)
2260 recvd_icmp_ids.add(p[ICMP].id)
2262 recvd_tcp_ports = list(recvd_tcp_ports)
2263 recvd_udp_ports = list(recvd_udp_ports)
2264 recvd_icmp_ids = list(recvd_icmp_ids)
2266 o2i_pkts = [[] for x in range(0, self.vpp_worker_count)]
2267 for i in range(pkt_count):
2268 p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
2269 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
2270 TCP(dport=choice(recvd_tcp_ports), sport=20))
2271 o2i_pkts[p[TCP].dport % self.vpp_worker_count].append(p)
2273 p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
2274 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
2275 UDP(dport=choice(recvd_udp_ports), sport=20))
2276 o2i_pkts[p[UDP].dport % self.vpp_worker_count].append(p)
2278 p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
2279 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
2280 ICMP(id=choice(recvd_icmp_ids), type='echo-reply'))
2281 o2i_pkts[p[ICMP].id % self.vpp_worker_count].append(p)
2283 for i in range(0, self.vpp_worker_count):
2284 if len(o2i_pkts[i]) > 0:
2285 self.pg1.add_stream(o2i_pkts[i], worker=i)
2287 self.pg_enable_capture(self.pg_interfaces)
2289 capture = self.pg0.get_capture(pkt_count * 3)
2290 for packet in capture:
2292 self.assert_packet_checksums_valid(packet)
2293 self.assertEqual(packet[IP].dst, self.pg0.remote_ip4)
2294 if packet.haslayer(TCP):
2295 self.assert_in_range(
2296 packet[TCP].dport, tcp_port_offset,
2297 tcp_port_offset + pkt_count, "dst TCP port")
2298 elif packet.haslayer(UDP):
2299 self.assert_in_range(
2300 packet[UDP].dport, udp_port_offset,
2301 udp_port_offset + pkt_count, "dst UDP port")
2303 self.assert_in_range(
2304 packet[ICMP].id, icmp_id_offset,
2305 icmp_id_offset + pkt_count, "ICMP id")
2307 self.logger.error(ppp("Unexpected or invalid packet "
2308 "(inside network):", packet))
2311 if_idx = self.pg1.sw_if_index
2312 tc2 = self.statistics['/nat44-ed/out2in/fastpath/tcp']
2313 uc2 = self.statistics['/nat44-ed/out2in/fastpath/udp']
2314 ic2 = self.statistics['/nat44-ed/out2in/fastpath/icmp']
2315 dc2 = self.statistics['/nat44-ed/out2in/fastpath/drops']
2318 tc2[:, if_idx].sum() - tc1[:, if_idx].sum(), pkt_count)
2320 uc2[:, if_idx].sum() - uc1[:, if_idx].sum(), pkt_count)
2322 ic2[:, if_idx].sum() - ic1[:, if_idx].sum(), pkt_count)
2323 self.assertEqual(dc2[:, if_idx].sum() - dc1[:, if_idx].sum(), 0)
2325 sc = self.statistics['/nat44-ed/total-sessions']
2326 self.assertEqual(sc[:, 0].sum(), len(recvd_tcp_ports) +
2327 len(recvd_udp_ports) + len(recvd_icmp_ids))
2329 def test_frag_in_order(self):
2330 """ NAT44ED translate fragments arriving in order """
2332 self.nat_add_address(self.nat_addr)
2333 self.nat_add_inside_interface(self.pg0)
2334 self.nat_add_outside_interface(self.pg1)
2336 self.frag_in_order(proto=IP_PROTOS.tcp, ignore_port=True)
2337 self.frag_in_order(proto=IP_PROTOS.udp, ignore_port=True)
2338 self.frag_in_order(proto=IP_PROTOS.icmp, ignore_port=True)
2340 def test_frag_in_order_do_not_translate(self):
2341 """ NAT44ED don't translate fragments arriving in order """
2343 self.nat_add_address(self.nat_addr)
2344 self.nat_add_inside_interface(self.pg0)
2345 self.nat_add_outside_interface(self.pg1)
2346 self.vapi.nat44_forwarding_enable_disable(enable=True)
2348 self.frag_in_order(proto=IP_PROTOS.tcp, dont_translate=True)
2350 def test_frag_out_of_order(self):
2351 """ NAT44ED translate fragments arriving out of order """
2353 self.nat_add_address(self.nat_addr)
2354 self.nat_add_inside_interface(self.pg0)
2355 self.nat_add_outside_interface(self.pg1)
2357 self.frag_out_of_order(proto=IP_PROTOS.tcp, ignore_port=True)
2358 self.frag_out_of_order(proto=IP_PROTOS.udp, ignore_port=True)
2359 self.frag_out_of_order(proto=IP_PROTOS.icmp, ignore_port=True)
2361 def test_frag_in_order_in_plus_out(self):
2362 """ NAT44ED in+out interface fragments in order """
2364 in_port = self.random_port()
2365 out_port = self.random_port()
2367 self.nat_add_address(self.nat_addr)
2368 self.nat_add_inside_interface(self.pg0)
2369 self.nat_add_outside_interface(self.pg0)
2370 self.nat_add_inside_interface(self.pg1)
2371 self.nat_add_outside_interface(self.pg1)
2373 # add static mappings for server
2374 self.nat_add_static_mapping(self.server_addr,
2378 proto=IP_PROTOS.tcp)
2379 self.nat_add_static_mapping(self.server_addr,
2383 proto=IP_PROTOS.udp)
2384 self.nat_add_static_mapping(self.server_addr,
2386 proto=IP_PROTOS.icmp)
2388 # run tests for each protocol
2389 self.frag_in_order_in_plus_out(self.server_addr,
2394 self.frag_in_order_in_plus_out(self.server_addr,
2399 self.frag_in_order_in_plus_out(self.server_addr,
2405 def test_frag_out_of_order_in_plus_out(self):
2406 """ NAT44ED in+out interface fragments out of order """
2408 in_port = self.random_port()
2409 out_port = self.random_port()
2411 self.nat_add_address(self.nat_addr)
2412 self.nat_add_inside_interface(self.pg0)
2413 self.nat_add_outside_interface(self.pg0)
2414 self.nat_add_inside_interface(self.pg1)
2415 self.nat_add_outside_interface(self.pg1)
2417 # add static mappings for server
2418 self.nat_add_static_mapping(self.server_addr,
2422 proto=IP_PROTOS.tcp)
2423 self.nat_add_static_mapping(self.server_addr,
2427 proto=IP_PROTOS.udp)
2428 self.nat_add_static_mapping(self.server_addr,
2430 proto=IP_PROTOS.icmp)
2432 # run tests for each protocol
2433 self.frag_out_of_order_in_plus_out(self.server_addr,
2438 self.frag_out_of_order_in_plus_out(self.server_addr,
2443 self.frag_out_of_order_in_plus_out(self.server_addr,
2449 def test_reass_hairpinning(self):
2450 """ NAT44ED fragments hairpinning """
2452 server_addr = self.pg0.remote_hosts[1].ip4
2454 host_in_port = self.random_port()
2455 server_in_port = self.random_port()
2456 server_out_port = self.random_port()
2458 self.nat_add_address(self.nat_addr)
2459 self.nat_add_inside_interface(self.pg0)
2460 self.nat_add_outside_interface(self.pg1)
2462 # add static mapping for server
2463 self.nat_add_static_mapping(server_addr, self.nat_addr,
2464 server_in_port, server_out_port,
2465 proto=IP_PROTOS.tcp)
2466 self.nat_add_static_mapping(server_addr, self.nat_addr,
2467 server_in_port, server_out_port,
2468 proto=IP_PROTOS.udp)
2469 self.nat_add_static_mapping(server_addr, self.nat_addr)
2471 self.reass_hairpinning(server_addr, server_in_port, server_out_port,
2472 host_in_port, proto=IP_PROTOS.tcp,
2474 self.reass_hairpinning(server_addr, server_in_port, server_out_port,
2475 host_in_port, proto=IP_PROTOS.udp,
2477 self.reass_hairpinning(server_addr, server_in_port, server_out_port,
2478 host_in_port, proto=IP_PROTOS.icmp,
2481 def test_session_limit_per_vrf(self):
2482 """ NAT44ED per vrf session limit """
2485 inside_vrf10 = self.pg2
2490 # 2 interfaces pg0, pg1 (vrf10, limit 1 tcp session)
2491 # non existing vrf_id makes process core dump
2492 self.vapi.nat44_set_session_limit(session_limit=limit, vrf_id=10)
2494 self.nat_add_inside_interface(inside)
2495 self.nat_add_inside_interface(inside_vrf10)
2496 self.nat_add_outside_interface(outside)
2499 self.nat_add_interface_address(outside)
2501 # BUG: causing core dump - when bad vrf_id is specified
2502 # self.nat_add_address(outside.local_ip4, vrf_id=20)
2504 stream = self.create_tcp_stream(inside_vrf10, outside, limit * 2)
2505 inside_vrf10.add_stream(stream)
2507 self.pg_enable_capture(self.pg_interfaces)
2510 capture = outside.get_capture(limit)
2512 stream = self.create_tcp_stream(inside, outside, limit * 2)
2513 inside.add_stream(stream)
2515 self.pg_enable_capture(self.pg_interfaces)
2518 capture = outside.get_capture(len(stream))
2520 def test_show_max_translations(self):
2521 """ NAT44ED API test - max translations per thread """
2522 nat_config = self.vapi.nat_show_config_2()
2523 self.assertEqual(self.max_sessions,
2524 nat_config.max_translations_per_thread)
2526 def test_lru_cleanup(self):
2527 """ NAT44ED LRU cleanup algorithm """
2529 self.nat_add_address(self.nat_addr)
2530 self.nat_add_inside_interface(self.pg0)
2531 self.nat_add_outside_interface(self.pg1)
2533 self.vapi.nat_set_timeouts(
2534 udp=1, tcp_established=7440, tcp_transitory=30, icmp=1)
2536 tcp_port_out = self.init_tcp_session(self.pg0, self.pg1, 2000, 80)
2538 for i in range(0, self.max_sessions - 1):
2539 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
2540 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4, ttl=64) /
2541 UDP(sport=7000+i, dport=80))
2544 self.pg0.add_stream(pkts)
2545 self.pg_enable_capture(self.pg_interfaces)
2547 self.pg1.get_capture(len(pkts))
2548 self.virtual_sleep(1.5, "wait for timeouts")
2551 for i in range(0, self.max_sessions - 1):
2552 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
2553 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4, ttl=64) /
2554 ICMP(id=8000+i, type='echo-request'))
2557 self.pg0.add_stream(pkts)
2558 self.pg_enable_capture(self.pg_interfaces)
2560 self.pg1.get_capture(len(pkts))
2562 def test_session_rst_timeout(self):
2563 """ NAT44ED session RST timeouts """
2565 self.nat_add_address(self.nat_addr)
2566 self.nat_add_inside_interface(self.pg0)
2567 self.nat_add_outside_interface(self.pg1)
2569 self.vapi.nat_set_timeouts(udp=300, tcp_established=7440,
2570 tcp_transitory=5, icmp=60)
2572 self.init_tcp_session(self.pg0, self.pg1, self.tcp_port_in,
2573 self.tcp_external_port)
2574 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2575 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
2576 TCP(sport=self.tcp_port_in, dport=self.tcp_external_port,
2578 self.send_and_expect(self.pg0, p, self.pg1)
2580 self.virtual_sleep(6)
2582 # The session is already closed
2583 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2584 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
2585 TCP(sport=self.tcp_port_in, dport=self.tcp_external_port,
2587 self.send_and_assert_no_replies(self.pg0, p, self.pg1)
2589 # The session can be re-opened
2590 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2591 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
2592 TCP(sport=self.tcp_port_in, dport=self.tcp_external_port,
2594 self.send_and_expect(self.pg0, p, self.pg1)
2596 def test_session_rst_established_timeout(self):
2597 """ NAT44ED session RST timeouts """
2599 self.nat_add_address(self.nat_addr)
2600 self.nat_add_inside_interface(self.pg0)
2601 self.nat_add_outside_interface(self.pg1)
2603 self.vapi.nat_set_timeouts(udp=300, tcp_established=7440,
2604 tcp_transitory=5, icmp=60)
2606 self.init_tcp_session(self.pg0, self.pg1, self.tcp_port_in,
2607 self.tcp_external_port)
2609 # Wait at least the transitory time, the session is in established
2610 # state anyway. RST followed by a data packet should keep it
2612 self.virtual_sleep(6)
2613 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2614 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
2615 TCP(sport=self.tcp_port_in, dport=self.tcp_external_port,
2617 self.send_and_expect(self.pg0, p, self.pg1)
2619 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2620 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
2621 TCP(sport=self.tcp_port_in, dport=self.tcp_external_port,
2623 self.send_and_expect(self.pg0, p, self.pg1)
2625 # State is established, session should be still open after 6 seconds
2626 self.virtual_sleep(6)
2628 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2629 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
2630 TCP(sport=self.tcp_port_in, dport=self.tcp_external_port,
2632 self.send_and_expect(self.pg0, p, self.pg1)
2634 # State is transitory, session should be closed after 6 seconds
2635 self.virtual_sleep(6)
2637 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2638 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
2639 TCP(sport=self.tcp_port_in, dport=self.tcp_external_port,
2641 self.send_and_assert_no_replies(self.pg0, p, self.pg1)
2643 def test_dynamic_out_of_ports(self):
2644 """ NAT44ED dynamic translation test: out of ports """
2646 self.nat_add_inside_interface(self.pg0)
2647 self.nat_add_outside_interface(self.pg1)
2649 # in2out and no NAT addresses added
2650 pkts = self.create_stream_in(self.pg0, self.pg1)
2652 self.send_and_assert_no_replies(
2653 self.pg0, pkts, msg="i2o pkts",
2654 stats_diff=self.no_diff | {
2656 '/err/nat44-ed-in2out-slowpath/out of ports': len(pkts),
2658 self.pg0.sw_if_index: {
2659 '/nat44-ed/in2out/slowpath/drops': len(pkts),
2664 # in2out after NAT addresses added
2665 self.nat_add_address(self.nat_addr)
2667 tcpn, udpn, icmpn = (sum(x) for x in
2668 zip(*((TCP in p, UDP in p, ICMP in p)
2671 self.send_and_expect(
2672 self.pg0, pkts, self.pg1, msg="i2o pkts",
2673 stats_diff=self.no_diff | {
2675 '/err/nat44-ed-in2out-slowpath/out of ports': 0,
2677 self.pg0.sw_if_index: {
2678 '/nat44-ed/in2out/slowpath/drops': 0,
2679 '/nat44-ed/in2out/slowpath/tcp': tcpn,
2680 '/nat44-ed/in2out/slowpath/udp': udpn,
2681 '/nat44-ed/in2out/slowpath/icmp': icmpn,
2686 def test_unknown_proto(self):
2687 """ NAT44ED translate packet with unknown protocol """
2689 self.nat_add_address(self.nat_addr)
2690 self.nat_add_inside_interface(self.pg0)
2691 self.nat_add_outside_interface(self.pg1)
2694 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
2695 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
2696 TCP(sport=self.tcp_port_in, dport=20))
2697 self.pg0.add_stream(p)
2698 self.pg_enable_capture(self.pg_interfaces)
2700 p = self.pg1.get_capture(1)
2702 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
2703 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
2705 IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4) /
2706 TCP(sport=1234, dport=1234))
2707 self.pg0.add_stream(p)
2708 self.pg_enable_capture(self.pg_interfaces)
2710 p = self.pg1.get_capture(1)
2713 self.assertEqual(packet[IP].src, self.nat_addr)
2714 self.assertEqual(packet[IP].dst, self.pg1.remote_ip4)
2715 self.assertEqual(packet.haslayer(GRE), 1)
2716 self.assert_packet_checksums_valid(packet)
2718 self.logger.error(ppp("Unexpected or invalid packet:", packet))
2722 p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
2723 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
2725 IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4) /
2726 TCP(sport=1234, dport=1234))
2727 self.pg1.add_stream(p)
2728 self.pg_enable_capture(self.pg_interfaces)
2730 p = self.pg0.get_capture(1)
2733 self.assertEqual(packet[IP].src, self.pg1.remote_ip4)
2734 self.assertEqual(packet[IP].dst, self.pg0.remote_ip4)
2735 self.assertEqual(packet.haslayer(GRE), 1)
2736 self.assert_packet_checksums_valid(packet)
2738 self.logger.error(ppp("Unexpected or invalid packet:", packet))
2741 def test_hairpinning_unknown_proto(self):
2742 """ NAT44ED translate packet with unknown protocol - hairpinning """
2743 host = self.pg0.remote_hosts[0]
2744 server = self.pg0.remote_hosts[1]
2746 server_out_port = 8765
2747 server_nat_ip = "10.0.0.11"
2749 self.nat_add_address(self.nat_addr)
2750 self.nat_add_inside_interface(self.pg0)
2751 self.nat_add_outside_interface(self.pg1)
2753 # add static mapping for server
2754 self.nat_add_static_mapping(server.ip4, server_nat_ip)
2757 p = (Ether(src=host.mac, dst=self.pg0.local_mac) /
2758 IP(src=host.ip4, dst=server_nat_ip) /
2759 TCP(sport=host_in_port, dport=server_out_port))
2760 self.pg0.add_stream(p)
2761 self.pg_enable_capture(self.pg_interfaces)
2763 self.pg0.get_capture(1)
2765 p = (Ether(dst=self.pg0.local_mac, src=host.mac) /
2766 IP(src=host.ip4, dst=server_nat_ip) /
2768 IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4) /
2769 TCP(sport=1234, dport=1234))
2770 self.pg0.add_stream(p)
2771 self.pg_enable_capture(self.pg_interfaces)
2773 p = self.pg0.get_capture(1)
2776 self.assertEqual(packet[IP].src, self.nat_addr)
2777 self.assertEqual(packet[IP].dst, server.ip4)
2778 self.assertEqual(packet.haslayer(GRE), 1)
2779 self.assert_packet_checksums_valid(packet)
2781 self.logger.error(ppp("Unexpected or invalid packet:", packet))
2785 p = (Ether(dst=self.pg0.local_mac, src=server.mac) /
2786 IP(src=server.ip4, dst=self.nat_addr) /
2788 IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4) /
2789 TCP(sport=1234, dport=1234))
2790 self.pg0.add_stream(p)
2791 self.pg_enable_capture(self.pg_interfaces)
2793 p = self.pg0.get_capture(1)
2796 self.assertEqual(packet[IP].src, server_nat_ip)
2797 self.assertEqual(packet[IP].dst, host.ip4)
2798 self.assertEqual(packet.haslayer(GRE), 1)
2799 self.assert_packet_checksums_valid(packet)
2801 self.logger.error(ppp("Unexpected or invalid packet:", packet))
2804 def test_output_feature_and_service(self):
2805 """ NAT44ED interface output feature and services """
2806 external_addr = '1.2.3.4'
2810 self.vapi.nat44_forwarding_enable_disable(enable=1)
2811 self.nat_add_address(self.nat_addr)
2812 flags = self.config_flags.NAT_IS_ADDR_ONLY
2813 self.vapi.nat44_add_del_identity_mapping(
2814 ip_address=self.pg1.remote_ip4, sw_if_index=0xFFFFFFFF,
2815 flags=flags, is_add=1)
2816 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
2817 self.nat_add_static_mapping(self.pg0.remote_ip4, external_addr,
2818 local_port, external_port,
2819 proto=IP_PROTOS.tcp, flags=flags)
2821 self.nat_add_inside_interface(self.pg0)
2822 self.nat_add_outside_interface(self.pg0)
2823 self.vapi.nat44_ed_add_del_output_interface(
2824 sw_if_index=self.pg1.sw_if_index, is_add=1)
2826 # from client to service
2827 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
2828 IP(src=self.pg1.remote_ip4, dst=external_addr) /
2829 TCP(sport=12345, dport=external_port))
2830 self.pg1.add_stream(p)
2831 self.pg_enable_capture(self.pg_interfaces)
2833 capture = self.pg0.get_capture(1)
2838 self.assertEqual(ip.dst, self.pg0.remote_ip4)
2839 self.assertEqual(tcp.dport, local_port)
2840 self.assert_packet_checksums_valid(p)
2842 self.logger.error(ppp("Unexpected or invalid packet:", p))
2845 # from service back to client
2846 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2847 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
2848 TCP(sport=local_port, dport=12345))
2849 self.pg0.add_stream(p)
2850 self.pg_enable_capture(self.pg_interfaces)
2852 capture = self.pg1.get_capture(1)
2857 self.assertEqual(ip.src, external_addr)
2858 self.assertEqual(tcp.sport, external_port)
2859 self.assert_packet_checksums_valid(p)
2861 self.logger.error(ppp("Unexpected or invalid packet:", p))
2864 # from local network host to external network
2865 pkts = self.create_stream_in(self.pg0, self.pg1)
2866 self.pg0.add_stream(pkts)
2867 self.pg_enable_capture(self.pg_interfaces)
2869 capture = self.pg1.get_capture(len(pkts))
2870 self.verify_capture_out(capture, ignore_port=True)
2871 pkts = self.create_stream_in(self.pg0, self.pg1)
2872 self.pg0.add_stream(pkts)
2873 self.pg_enable_capture(self.pg_interfaces)
2875 capture = self.pg1.get_capture(len(pkts))
2876 self.verify_capture_out(capture, ignore_port=True)
2878 # from external network back to local network host
2879 pkts = self.create_stream_out(self.pg1)
2880 self.pg1.add_stream(pkts)
2881 self.pg_enable_capture(self.pg_interfaces)
2883 capture = self.pg0.get_capture(len(pkts))
2884 self.verify_capture_in(capture, self.pg0)
2886 def test_output_feature_and_service3(self):
2887 """ NAT44ED interface output feature and DST NAT """
2888 external_addr = '1.2.3.4'
2892 self.vapi.nat44_forwarding_enable_disable(enable=1)
2893 self.nat_add_address(self.nat_addr)
2894 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
2895 self.nat_add_static_mapping(self.pg1.remote_ip4, external_addr,
2896 local_port, external_port,
2897 proto=IP_PROTOS.tcp, flags=flags)
2899 self.nat_add_inside_interface(self.pg0)
2900 self.nat_add_outside_interface(self.pg0)
2901 self.vapi.nat44_ed_add_del_output_interface(
2902 sw_if_index=self.pg1.sw_if_index, is_add=1)
2904 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2905 IP(src=self.pg0.remote_ip4, dst=external_addr) /
2906 TCP(sport=12345, dport=external_port))
2907 self.pg0.add_stream(p)
2908 self.pg_enable_capture(self.pg_interfaces)
2910 capture = self.pg1.get_capture(1)
2915 self.assertEqual(ip.src, self.pg0.remote_ip4)
2916 self.assertEqual(tcp.sport, 12345)
2917 self.assertEqual(ip.dst, self.pg1.remote_ip4)
2918 self.assertEqual(tcp.dport, local_port)
2919 self.assert_packet_checksums_valid(p)
2921 self.logger.error(ppp("Unexpected or invalid packet:", p))
2924 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
2925 IP(src=self.pg1.remote_ip4, dst=self.pg0.remote_ip4) /
2926 TCP(sport=local_port, dport=12345))
2927 self.pg1.add_stream(p)
2928 self.pg_enable_capture(self.pg_interfaces)
2930 capture = self.pg0.get_capture(1)
2935 self.assertEqual(ip.src, external_addr)
2936 self.assertEqual(tcp.sport, external_port)
2937 self.assertEqual(ip.dst, self.pg0.remote_ip4)
2938 self.assertEqual(tcp.dport, 12345)
2939 self.assert_packet_checksums_valid(p)
2941 self.logger.error(ppp("Unexpected or invalid packet:", p))
2944 def test_self_twice_nat_lb_negative(self):
2945 """ NAT44ED Self Twice NAT local service load balancing (negative test)
2947 self.twice_nat_common(lb=True, self_twice_nat=True, same_pg=True,
2950 def test_self_twice_nat_negative(self):
2951 """ NAT44ED Self Twice NAT (negative test) """
2952 self.twice_nat_common(self_twice_nat=True)
2954 def test_static_lb_multi_clients(self):
2955 """ NAT44ED local service load balancing - multiple clients"""
2957 external_addr = self.nat_addr
2960 server1 = self.pg0.remote_hosts[0]
2961 server2 = self.pg0.remote_hosts[1]
2962 server3 = self.pg0.remote_hosts[2]
2964 locals = [{'addr': server1.ip4,
2968 {'addr': server2.ip4,
2973 flags = self.config_flags.NAT_IS_INSIDE
2974 self.vapi.nat44_interface_add_del_feature(
2975 sw_if_index=self.pg0.sw_if_index,
2976 flags=flags, is_add=1)
2977 self.vapi.nat44_interface_add_del_feature(
2978 sw_if_index=self.pg1.sw_if_index,
2981 self.nat_add_address(self.nat_addr)
2982 self.vapi.nat44_add_del_lb_static_mapping(is_add=1,
2983 external_addr=external_addr,
2984 external_port=external_port,
2985 protocol=IP_PROTOS.tcp,
2986 local_num=len(locals),
2991 clients = ip4_range(self.pg1.remote_ip4, 10, 50)
2993 for client in clients:
2994 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
2995 IP(src=client, dst=self.nat_addr) /
2996 TCP(sport=12345, dport=external_port))
2998 self.pg1.add_stream(pkts)
2999 self.pg_enable_capture(self.pg_interfaces)
3001 capture = self.pg0.get_capture(len(pkts))
3003 if p[IP].dst == server1.ip4:
3007 self.assertGreaterEqual(server1_n, server2_n)
3010 'addr': server3.ip4,
3017 self.vapi.nat44_lb_static_mapping_add_del_local(
3019 external_addr=external_addr,
3020 external_port=external_port,
3022 protocol=IP_PROTOS.tcp)
3026 clients = ip4_range(self.pg1.remote_ip4, 60, 110)
3028 for client in clients:
3029 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3030 IP(src=client, dst=self.nat_addr) /
3031 TCP(sport=12346, dport=external_port))
3033 self.assertGreater(len(pkts), 0)
3034 self.pg1.add_stream(pkts)
3035 self.pg_enable_capture(self.pg_interfaces)
3037 capture = self.pg0.get_capture(len(pkts))
3039 if p[IP].dst == server1.ip4:
3041 elif p[IP].dst == server2.ip4:
3045 self.assertGreater(server1_n, 0)
3046 self.assertGreater(server2_n, 0)
3047 self.assertGreater(server3_n, 0)
3050 'addr': server2.ip4,
3056 # remove one back-end
3057 self.vapi.nat44_lb_static_mapping_add_del_local(
3059 external_addr=external_addr,
3060 external_port=external_port,
3062 protocol=IP_PROTOS.tcp)
3066 self.pg1.add_stream(pkts)
3067 self.pg_enable_capture(self.pg_interfaces)
3069 capture = self.pg0.get_capture(len(pkts))
3071 if p[IP].dst == server1.ip4:
3073 elif p[IP].dst == server2.ip4:
3077 self.assertGreater(server1_n, 0)
3078 self.assertEqual(server2_n, 0)
3079 self.assertGreater(server3_n, 0)
3081 # put zzz in front of syslog test name so that it runs as a last test
3082 # setting syslog sender cannot be undone and if it is set, it messes
3083 # with self.send_and_assert_no_replies functionality
3084 def test_zzz_syslog_sess(self):
3085 """ NAT44ED Test syslog session creation and deletion """
3086 self.vapi.syslog_set_filter(
3087 self.syslog_severity.SYSLOG_API_SEVERITY_INFO)
3088 self.vapi.syslog_set_sender(self.pg3.local_ip4, self.pg3.remote_ip4)
3090 self.nat_add_address(self.nat_addr)
3091 self.nat_add_inside_interface(self.pg0)
3092 self.nat_add_outside_interface(self.pg1)
3094 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
3095 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3096 TCP(sport=self.tcp_port_in, dport=self.tcp_external_port))
3097 self.pg0.add_stream(p)
3098 self.pg_enable_capture(self.pg_interfaces)
3100 capture = self.pg1.get_capture(1)
3101 self.tcp_port_out = capture[0][TCP].sport
3102 capture = self.pg3.get_capture(1)
3103 self.verify_syslog_sess(capture[0][Raw].load, 'SADD')
3105 self.pg_enable_capture(self.pg_interfaces)
3107 self.nat_add_address(self.nat_addr, is_add=0)
3108 capture = self.pg3.get_capture(1)
3109 self.verify_syslog_sess(capture[0][Raw].load, 'SDEL')
3111 # put zzz in front of syslog test name so that it runs as a last test
3112 # setting syslog sender cannot be undone and if it is set, it messes
3113 # with self.send_and_assert_no_replies functionality
3114 def test_zzz_syslog_sess_reopen(self):
3115 """ Syslog events for session reopen """
3116 self.vapi.syslog_set_filter(
3117 self.syslog_severity.SYSLOG_API_SEVERITY_INFO)
3118 self.vapi.syslog_set_sender(self.pg3.local_ip4, self.pg3.remote_ip4)
3120 self.nat_add_address(self.nat_addr)
3121 self.nat_add_inside_interface(self.pg0)
3122 self.nat_add_outside_interface(self.pg1)
3125 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
3126 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3127 TCP(sport=self.tcp_port_in, dport=self.tcp_external_port))
3128 capture = self.send_and_expect(self.pg0, p, self.pg1)[0]
3129 self.tcp_port_out = capture[0][TCP].sport
3130 capture = self.pg3.get_capture(1)
3131 self.verify_syslog_sess(capture[0][Raw].load, 'SADD')
3134 p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
3135 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3136 TCP(sport=self.tcp_external_port, dport=self.tcp_port_out))
3137 self.send_and_expect(self.pg1, p, self.pg0)
3140 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
3141 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3142 TCP(sport=self.tcp_port_in, dport=self.tcp_external_port,
3144 self.send_and_expect(self.pg0, p, self.pg1)
3147 p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
3148 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3149 TCP(sport=self.tcp_external_port, dport=self.tcp_port_out,
3151 self.send_and_expect(self.pg1, p, self.pg0)
3154 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
3155 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3156 TCP(sport=self.tcp_port_in, dport=self.tcp_external_port))
3157 self.send_and_expect(self.pg0, p, self.pg1)
3160 p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
3161 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3162 TCP(sport=self.tcp_external_port, dport=self.tcp_port_out))
3163 self.send_and_expect(self.pg1, p, self.pg0)
3165 # 2 records should be produced - first one del & add
3166 capture = self.pg3.get_capture(2)
3167 self.verify_syslog_sess(capture[0][Raw].load, 'SDEL')
3168 self.verify_syslog_sess(capture[1][Raw].load, 'SADD')
3170 def test_twice_nat_interface_addr(self):
3171 """ NAT44ED Acquire twice NAT addresses from interface """
3172 flags = self.config_flags.NAT_IS_TWICE_NAT
3173 self.vapi.nat44_add_del_interface_addr(
3174 sw_if_index=self.pg11.sw_if_index,
3175 flags=flags, is_add=1)
3177 # no address in NAT pool
3178 adresses = self.vapi.nat44_address_dump()
3179 self.assertEqual(0, len(adresses))
3181 # configure interface address and check NAT address pool
3182 self.pg11.config_ip4()
3183 adresses = self.vapi.nat44_address_dump()
3184 self.assertEqual(1, len(adresses))
3185 self.assertEqual(str(adresses[0].ip_address),
3186 self.pg11.local_ip4)
3187 self.assertEqual(adresses[0].flags, flags)
3189 # remove interface address and check NAT address pool
3190 self.pg11.unconfig_ip4()
3191 adresses = self.vapi.nat44_address_dump()
3192 self.assertEqual(0, len(adresses))
3194 def test_output_feature_stateful_acl(self):
3195 """ NAT44ED output feature works with stateful ACL """
3197 self.nat_add_address(self.nat_addr)
3198 self.vapi.nat44_ed_add_del_output_interface(
3199 sw_if_index=self.pg1.sw_if_index, is_add=1)
3201 # First ensure that the NAT is working sans ACL
3203 # send packets out2in, no sessions yet so packets should drop
3204 pkts_out2in = self.create_stream_out(self.pg1)
3205 self.send_and_assert_no_replies(self.pg1, pkts_out2in)
3207 # send packets into inside intf, ensure received via outside intf
3208 pkts_in2out = self.create_stream_in(self.pg0, self.pg1)
3209 capture = self.send_and_expect(self.pg0, pkts_in2out, self.pg1,
3211 self.verify_capture_out(capture, ignore_port=True)
3213 # send out2in again, with sessions created it should work now
3214 pkts_out2in = self.create_stream_out(self.pg1)
3215 capture = self.send_and_expect(self.pg1, pkts_out2in, self.pg0,
3217 self.verify_capture_in(capture, self.pg0)
3219 # Create an ACL blocking everything
3220 out2in_deny_rule = AclRule(is_permit=0)
3221 out2in_acl = VppAcl(self, rules=[out2in_deny_rule])
3222 out2in_acl.add_vpp_config()
3224 # create an ACL to permit/reflect everything
3225 in2out_reflect_rule = AclRule(is_permit=2)
3226 in2out_acl = VppAcl(self, rules=[in2out_reflect_rule])
3227 in2out_acl.add_vpp_config()
3229 # apply as input acl on interface and confirm it blocks everything
3230 acl_if = VppAclInterface(self, sw_if_index=self.pg1.sw_if_index,
3231 n_input=1, acls=[out2in_acl])
3232 acl_if.add_vpp_config()
3233 self.send_and_assert_no_replies(self.pg1, pkts_out2in)
3236 acl_if.acls = [out2in_acl, in2out_acl]
3237 acl_if.add_vpp_config()
3238 # send in2out to generate ACL state (NAT state was created earlier)
3239 capture = self.send_and_expect(self.pg0, pkts_in2out, self.pg1,
3241 self.verify_capture_out(capture, ignore_port=True)
3243 # send out2in again. ACL state exists so it should work now.
3244 # TCP packets with the syn flag set also need the ack flag
3245 for p in pkts_out2in:
3246 if p.haslayer(TCP) and p[TCP].flags & 0x02:
3247 p[TCP].flags |= 0x10
3248 capture = self.send_and_expect(self.pg1, pkts_out2in, self.pg0,
3250 self.verify_capture_in(capture, self.pg0)
3251 self.logger.info(self.vapi.cli("show trace"))
3253 def test_tcp_close(self):
3254 """ NAT44ED Close TCP session from inside network - output feature """
3255 old_timeouts = self.vapi.nat_get_timeouts()
3257 self.vapi.nat_set_timeouts(
3258 udp=old_timeouts.udp,
3259 tcp_established=old_timeouts.tcp_established,
3260 icmp=old_timeouts.icmp,
3261 tcp_transitory=new_transitory)
3263 self.vapi.nat44_forwarding_enable_disable(enable=1)
3264 self.nat_add_address(self.pg1.local_ip4)
3265 twice_nat_addr = '10.0.1.3'
3266 service_ip = '192.168.16.150'
3267 self.nat_add_address(twice_nat_addr, twice_nat=1)
3269 flags = self.config_flags.NAT_IS_INSIDE
3270 self.vapi.nat44_interface_add_del_feature(
3271 sw_if_index=self.pg0.sw_if_index,
3273 self.vapi.nat44_interface_add_del_feature(
3274 sw_if_index=self.pg0.sw_if_index,
3275 flags=flags, is_add=1)
3276 self.vapi.nat44_ed_add_del_output_interface(
3278 sw_if_index=self.pg1.sw_if_index)
3280 flags = (self.config_flags.NAT_IS_OUT2IN_ONLY |
3281 self.config_flags.NAT_IS_TWICE_NAT)
3282 self.nat_add_static_mapping(self.pg0.remote_ip4,
3284 proto=IP_PROTOS.tcp,
3286 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3287 start_sessnum = len(sessions)
3289 # SYN packet out->in
3290 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3291 IP(src=self.pg1.remote_ip4, dst=service_ip) /
3292 TCP(sport=33898, dport=80, flags="S"))
3293 capture = self.send_and_expect(self.pg1, p, self.pg0, n_rx=1)
3295 tcp_port = p[TCP].sport
3297 # SYN + ACK packet in->out
3298 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3299 IP(src=self.pg0.remote_ip4, dst=twice_nat_addr) /
3300 TCP(sport=80, dport=tcp_port, flags="SA"))
3301 self.send_and_expect(self.pg0, p, self.pg1, n_rx=1)
3303 # ACK packet out->in
3304 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3305 IP(src=self.pg1.remote_ip4, dst=service_ip) /
3306 TCP(sport=33898, dport=80, flags="A"))
3307 self.send_and_expect(self.pg1, p, self.pg0, n_rx=1)
3309 # FIN packet in -> out
3310 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3311 IP(src=self.pg0.remote_ip4, dst=twice_nat_addr) /
3312 TCP(sport=80, dport=tcp_port, flags="FA", seq=100, ack=300))
3313 self.send_and_expect(self.pg0, p, self.pg1, n_rx=1)
3315 # FIN+ACK packet out -> in
3316 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3317 IP(src=self.pg1.remote_ip4, dst=service_ip) /
3318 TCP(sport=33898, dport=80, flags="FA", seq=300, ack=101))
3319 self.send_and_expect(self.pg1, p, self.pg0, n_rx=1)
3321 # ACK packet in -> out
3322 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3323 IP(src=self.pg0.remote_ip4, dst=twice_nat_addr) /
3324 TCP(sport=80, dport=tcp_port, flags="A", seq=101, ack=301))
3325 self.send_and_expect(self.pg0, p, self.pg1, n_rx=1)
3327 # session now in transitory timeout, but traffic still flows
3328 # try FIN packet out->in
3329 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3330 IP(src=self.pg1.remote_ip4, dst=service_ip) /
3331 TCP(sport=33898, dport=80, flags="F"))
3332 self.pg1.add_stream(p)
3333 self.pg_enable_capture(self.pg_interfaces)
3336 self.virtual_sleep(new_transitory, "wait for transitory timeout")
3337 self.pg0.get_capture(1)
3339 # session should still exist
3340 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3341 self.assertEqual(len(sessions) - start_sessnum, 1)
3343 # send FIN+ACK packet out -> in - will cause session to be wiped
3344 # but won't create a new session
3345 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3346 IP(src=self.pg1.remote_ip4, dst=service_ip) /
3347 TCP(sport=33898, dport=80, flags="FA", seq=300, ack=101))
3348 self.send_and_assert_no_replies(self.pg1, p)
3349 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3350 self.assertEqual(len(sessions) - start_sessnum, 0)
3352 def test_tcp_session_close_in(self):
3353 """ NAT44ED Close TCP session from inside network """
3355 in_port = self.tcp_port_in
3357 ext_port = self.tcp_external_port
3359 self.nat_add_address(self.nat_addr)
3360 self.nat_add_inside_interface(self.pg0)
3361 self.nat_add_outside_interface(self.pg1)
3362 self.nat_add_static_mapping(self.pg0.remote_ip4, self.nat_addr,
3363 in_port, out_port, proto=IP_PROTOS.tcp,
3364 flags=self.config_flags.NAT_IS_TWICE_NAT)
3366 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3367 session_n = len(sessions)
3369 self.vapi.nat_set_timeouts(udp=300, tcp_established=7440,
3370 tcp_transitory=2, icmp=5)
3372 self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
3374 # FIN packet in -> out
3375 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3376 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3377 TCP(sport=in_port, dport=ext_port,
3378 flags="FA", seq=100, ack=300))
3379 self.send_and_expect(self.pg0, p, self.pg1)
3382 # ACK packet out -> in
3383 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3384 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3385 TCP(sport=ext_port, dport=out_port,
3386 flags="A", seq=300, ack=101))
3389 # FIN packet out -> in
3390 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3391 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3392 TCP(sport=ext_port, dport=out_port,
3393 flags="FA", seq=300, ack=101))
3396 self.send_and_expect(self.pg1, pkts, self.pg0)
3398 # ACK packet in -> out
3399 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3400 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3401 TCP(sport=in_port, dport=ext_port,
3402 flags="A", seq=101, ack=301))
3403 self.send_and_expect(self.pg0, p, self.pg1)
3405 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3406 self.assertEqual(len(sessions) - session_n, 1)
3408 # retransmit FIN packet out -> in
3409 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3410 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3411 TCP(sport=ext_port, dport=out_port,
3412 flags="FA", seq=300, ack=101))
3414 self.send_and_expect(self.pg1, p, self.pg0)
3416 # retransmit ACK packet in -> out
3417 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3418 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3419 TCP(sport=in_port, dport=ext_port,
3420 flags="A", seq=101, ack=301))
3421 self.send_and_expect(self.pg0, p, self.pg1)
3423 self.virtual_sleep(3)
3424 # retransmit ACK packet in -> out - this will cause session to be wiped
3425 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3426 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3427 TCP(sport=in_port, dport=ext_port,
3428 flags="A", seq=101, ack=301))
3429 self.send_and_assert_no_replies(self.pg0, p)
3430 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3431 self.assertEqual(len(sessions) - session_n, 0)
3433 def test_tcp_session_close_out(self):
3434 """ NAT44ED Close TCP session from outside network """
3436 in_port = self.tcp_port_in
3438 ext_port = self.tcp_external_port
3440 self.nat_add_address(self.nat_addr)
3441 self.nat_add_inside_interface(self.pg0)
3442 self.nat_add_outside_interface(self.pg1)
3443 self.nat_add_static_mapping(self.pg0.remote_ip4, self.nat_addr,
3444 in_port, out_port, proto=IP_PROTOS.tcp,
3445 flags=self.config_flags.NAT_IS_TWICE_NAT)
3447 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3448 session_n = len(sessions)
3450 self.vapi.nat_set_timeouts(udp=300, tcp_established=7440,
3451 tcp_transitory=2, icmp=5)
3453 _ = self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
3455 # FIN packet out -> in
3456 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3457 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3458 TCP(sport=ext_port, dport=out_port,
3459 flags="FA", seq=100, ack=300))
3460 self.pg1.add_stream(p)
3461 self.pg_enable_capture(self.pg_interfaces)
3463 self.pg0.get_capture(1)
3465 # FIN+ACK packet in -> out
3466 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3467 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3468 TCP(sport=in_port, dport=ext_port,
3469 flags="FA", seq=300, ack=101))
3471 self.pg0.add_stream(p)
3472 self.pg_enable_capture(self.pg_interfaces)
3474 self.pg1.get_capture(1)
3476 # ACK packet out -> in
3477 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3478 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3479 TCP(sport=ext_port, dport=out_port,
3480 flags="A", seq=101, ack=301))
3481 self.pg1.add_stream(p)
3482 self.pg_enable_capture(self.pg_interfaces)
3484 self.pg0.get_capture(1)
3486 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3487 self.assertEqual(len(sessions) - session_n, 1)
3489 # retransmit FIN packet out -> in
3490 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3491 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3492 TCP(sport=ext_port, dport=out_port,
3493 flags="FA", seq=300, ack=101))
3494 self.send_and_expect(self.pg1, p, self.pg0)
3496 # retransmit ACK packet in -> out
3497 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3498 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3499 TCP(sport=in_port, dport=ext_port,
3500 flags="A", seq=101, ack=301))
3501 self.send_and_expect(self.pg0, p, self.pg1)
3503 self.virtual_sleep(3)
3504 # retransmit ACK packet in -> out - this will cause session to be wiped
3505 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3506 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3507 TCP(sport=in_port, dport=ext_port,
3508 flags="A", seq=101, ack=301))
3509 self.send_and_assert_no_replies(self.pg0, p)
3510 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3511 self.assertEqual(len(sessions) - session_n, 0)
3513 def test_tcp_session_close_simultaneous(self):
3514 """ Simultaneous TCP close from both sides """
3516 in_port = self.tcp_port_in
3519 self.nat_add_address(self.nat_addr)
3520 self.nat_add_inside_interface(self.pg0)
3521 self.nat_add_outside_interface(self.pg1)
3522 self.nat_add_static_mapping(self.pg0.remote_ip4, self.nat_addr,
3523 in_port, ext_port, proto=IP_PROTOS.tcp,
3524 flags=self.config_flags.NAT_IS_TWICE_NAT)
3526 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3527 session_n = len(sessions)
3529 self.vapi.nat_set_timeouts(udp=300, tcp_established=7440,
3530 tcp_transitory=2, icmp=5)
3532 out_port = self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
3534 # FIN packet in -> out
3535 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3536 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3537 TCP(sport=in_port, dport=ext_port,
3538 flags="FA", seq=100, ack=300))
3539 self.send_and_expect(self.pg0, p, self.pg1)
3541 # FIN packet out -> in
3542 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3543 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3544 TCP(sport=ext_port, dport=out_port,
3545 flags="FA", seq=300, ack=100))
3546 self.send_and_expect(self.pg1, p, self.pg0)
3548 # ACK packet in -> out
3549 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3550 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3551 TCP(sport=in_port, dport=ext_port,
3552 flags="A", seq=101, ack=301))
3553 self.send_and_expect(self.pg0, p, self.pg1)
3555 # ACK packet out -> in
3556 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3557 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3558 TCP(sport=ext_port, dport=out_port,
3559 flags="A", seq=301, ack=101))
3560 self.send_and_expect(self.pg1, p, self.pg0)
3562 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3563 self.assertEqual(len(sessions) - session_n, 1)
3565 # retransmit FIN packet out -> in
3566 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3567 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3568 TCP(sport=ext_port, dport=out_port,
3569 flags="FA", seq=300, ack=101))
3570 self.send_and_expect(self.pg1, p, self.pg0)
3572 # retransmit ACK packet in -> out
3573 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3574 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3575 TCP(sport=in_port, dport=ext_port,
3576 flags="A", seq=101, ack=301))
3577 self.send_and_expect(self.pg0, p, self.pg1)
3579 self.virtual_sleep(3)
3580 # retransmit ACK packet in -> out - this will cause session to be wiped
3581 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3582 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3583 TCP(sport=in_port, dport=ext_port,
3584 flags="A", seq=101, ack=301))
3585 self.pg_send(self.pg0, p)
3586 self.send_and_assert_no_replies(self.pg0, p)
3587 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3588 self.assertEqual(len(sessions) - session_n, 0)
3590 def test_tcp_session_half_reopen_inside(self):
3591 """ TCP session in FIN/FIN state not reopened by in2out SYN only """
3592 in_port = self.tcp_port_in
3595 self.nat_add_address(self.nat_addr)
3596 self.nat_add_inside_interface(self.pg0)
3597 self.nat_add_outside_interface(self.pg1)
3598 self.nat_add_static_mapping(self.pg0.remote_ip4, self.nat_addr,
3599 in_port, ext_port, proto=IP_PROTOS.tcp,
3600 flags=self.config_flags.NAT_IS_TWICE_NAT)
3602 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3603 session_n = len(sessions)
3605 self.vapi.nat_set_timeouts(udp=300, tcp_established=7440,
3606 tcp_transitory=2, icmp=5)
3608 out_port = self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
3610 # FIN packet in -> out
3611 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3612 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3613 TCP(sport=in_port, dport=ext_port,
3614 flags="FA", seq=100, ack=300))
3615 self.send_and_expect(self.pg0, p, self.pg1)
3617 # FIN packet out -> in
3618 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3619 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3620 TCP(sport=ext_port, dport=out_port,
3621 flags="FA", seq=300, ack=100))
3622 self.send_and_expect(self.pg1, p, self.pg0)
3624 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3625 self.assertEqual(len(sessions) - session_n, 1)
3627 # send SYN packet in -> out
3628 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3629 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3630 TCP(sport=in_port, dport=ext_port,
3631 flags="S", seq=101, ack=301))
3632 self.send_and_expect(self.pg0, p, self.pg1)
3634 self.virtual_sleep(3)
3635 # send ACK packet in -> out - session should be wiped
3636 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3637 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3638 TCP(sport=in_port, dport=ext_port,
3639 flags="A", seq=101, ack=301))
3640 self.send_and_assert_no_replies(self.pg0, p, self.pg1)
3641 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3642 self.assertEqual(len(sessions) - session_n, 0)
3644 def test_tcp_session_half_reopen_outside(self):
3645 """ TCP session in FIN/FIN state not reopened by out2in SYN only """
3646 in_port = self.tcp_port_in
3649 self.nat_add_address(self.nat_addr)
3650 self.nat_add_inside_interface(self.pg0)
3651 self.nat_add_outside_interface(self.pg1)
3652 self.nat_add_static_mapping(self.pg0.remote_ip4, self.nat_addr,
3653 in_port, ext_port, proto=IP_PROTOS.tcp,
3654 flags=self.config_flags.NAT_IS_TWICE_NAT)
3656 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3657 session_n = len(sessions)
3659 self.vapi.nat_set_timeouts(udp=300, tcp_established=7440,
3660 tcp_transitory=2, icmp=5)
3662 out_port = self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
3664 # FIN packet in -> out
3665 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3666 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3667 TCP(sport=in_port, dport=ext_port,
3668 flags="FA", seq=100, ack=300))
3669 self.send_and_expect(self.pg0, p, self.pg1)
3671 # FIN packet out -> in
3672 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3673 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3674 TCP(sport=ext_port, dport=out_port,
3675 flags="FA", seq=300, ack=100))
3676 self.send_and_expect(self.pg1, p, self.pg0)
3678 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3679 self.assertEqual(len(sessions) - session_n, 1)
3681 # send SYN packet out -> in
3682 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3683 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3684 TCP(sport=ext_port, dport=out_port,
3685 flags="S", seq=300, ack=101))
3686 self.send_and_expect(self.pg1, p, self.pg0)
3688 self.virtual_sleep(3)
3689 # send ACK packet in -> out - session should be wiped
3690 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3691 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3692 TCP(sport=in_port, dport=ext_port,
3693 flags="A", seq=101, ack=301))
3694 self.send_and_assert_no_replies(self.pg0, p, self.pg1)
3695 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3696 self.assertEqual(len(sessions) - session_n, 0)
3698 def test_tcp_session_reopen(self):
3699 """ TCP session in FIN/FIN state reopened by SYN from both sides """
3700 in_port = self.tcp_port_in
3703 self.nat_add_address(self.nat_addr)
3704 self.nat_add_inside_interface(self.pg0)
3705 self.nat_add_outside_interface(self.pg1)
3706 self.nat_add_static_mapping(self.pg0.remote_ip4, self.nat_addr,
3707 in_port, ext_port, proto=IP_PROTOS.tcp,
3708 flags=self.config_flags.NAT_IS_TWICE_NAT)
3710 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3711 session_n = len(sessions)
3713 self.vapi.nat_set_timeouts(udp=300, tcp_established=7440,
3714 tcp_transitory=2, icmp=5)
3716 out_port = self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
3718 # FIN packet in -> out
3719 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3720 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3721 TCP(sport=in_port, dport=ext_port,
3722 flags="FA", seq=100, ack=300))
3723 self.send_and_expect(self.pg0, p, self.pg1)
3725 # FIN packet out -> in
3726 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3727 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3728 TCP(sport=ext_port, dport=out_port,
3729 flags="FA", seq=300, ack=100))
3730 self.send_and_expect(self.pg1, p, self.pg0)
3732 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3733 self.assertEqual(len(sessions) - session_n, 1)
3735 # send SYN packet out -> in
3736 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3737 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3738 TCP(sport=ext_port, dport=out_port,
3739 flags="S", seq=300, ack=101))
3740 self.send_and_expect(self.pg1, p, self.pg0)
3742 # send SYN packet in -> out
3743 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3744 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3745 TCP(sport=in_port, dport=ext_port,
3746 flags="S", seq=101, ack=301))
3747 self.send_and_expect(self.pg0, p, self.pg1)
3749 self.virtual_sleep(3)
3750 # send ACK packet in -> out - should be forwarded and session alive
3751 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3752 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3753 TCP(sport=in_port, dport=ext_port,
3754 flags="A", seq=101, ack=301))
3755 self.send_and_expect(self.pg0, p, self.pg1)
3756 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3757 self.assertEqual(len(sessions) - session_n, 1)
3759 def test_dynamic_vrf(self):
3760 """ NAT44ED dynamic translation test: different VRF"""
3765 self.nat_add_address(self.nat_addr, vrf_id=vrf_id_in)
3768 self.configure_ip4_interface(self.pg7, table_id=vrf_id_in)
3769 self.configure_ip4_interface(self.pg8, table_id=vrf_id_out)
3771 self.nat_add_inside_interface(self.pg7)
3772 self.nat_add_outside_interface(self.pg8)
3774 # just basic stuff nothing special
3775 pkts = self.create_stream_in(self.pg7, self.pg8)
3776 self.pg7.add_stream(pkts)
3777 self.pg_enable_capture(self.pg_interfaces)
3779 capture = self.pg8.get_capture(len(pkts))
3780 self.verify_capture_out(capture, ignore_port=True)
3782 pkts = self.create_stream_out(self.pg8)
3783 self.pg8.add_stream(pkts)
3784 self.pg_enable_capture(self.pg_interfaces)
3786 capture = self.pg7.get_capture(len(pkts))
3787 self.verify_capture_in(capture, self.pg7)
3793 self.vapi.ip_table_add_del(is_add=0,
3794 table={'table_id': vrf_id_in})
3795 self.vapi.ip_table_add_del(is_add=0,
3796 table={'table_id': vrf_id_out})
3798 def test_dynamic_output_feature_vrf(self):
3799 """ NAT44ED dynamic translation test: output-feature, VRF"""
3801 # other then default (0)
3804 self.nat_add_address(self.nat_addr)
3805 self.vapi.nat44_interface_add_del_output_feature(
3806 sw_if_index=self.pg8.sw_if_index, is_add=1)
3809 self.configure_ip4_interface(self.pg7, table_id=new_vrf_id)
3810 self.configure_ip4_interface(self.pg8, table_id=new_vrf_id)
3813 tcpn = self.statistics['/nat44-ed/in2out/slowpath/tcp']
3814 udpn = self.statistics['/nat44-ed/in2out/slowpath/udp']
3815 icmpn = self.statistics['/nat44-ed/in2out/slowpath/icmp']
3816 drops = self.statistics['/nat44-ed/in2out/slowpath/drops']
3818 pkts = self.create_stream_in(self.pg7, self.pg8)
3819 self.pg7.add_stream(pkts)
3820 self.pg_enable_capture(self.pg_interfaces)
3822 capture = self.pg8.get_capture(len(pkts))
3823 self.verify_capture_out(capture, ignore_port=True)
3825 if_idx = self.pg8.sw_if_index
3826 cnt = self.statistics['/nat44-ed/in2out/slowpath/tcp']
3827 self.assertEqual(cnt[:, if_idx].sum() - tcpn[:, if_idx].sum(), 2)
3828 cnt = self.statistics['/nat44-ed/in2out/slowpath/udp']
3829 self.assertEqual(cnt[:, if_idx].sum() - udpn[:, if_idx].sum(), 1)
3830 cnt = self.statistics['/nat44-ed/in2out/slowpath/icmp']
3831 self.assertEqual(cnt[:, if_idx].sum() - icmpn[:, if_idx].sum(), 1)
3832 cnt = self.statistics['/nat44-ed/in2out/slowpath/drops']
3833 self.assertEqual(cnt[:, if_idx].sum() - drops[:, if_idx].sum(), 0)
3836 tcpn = self.statistics['/nat44-ed/out2in/fastpath/tcp']
3837 udpn = self.statistics['/nat44-ed/out2in/fastpath/udp']
3838 icmpn = self.statistics['/nat44-ed/out2in/fastpath/icmp']
3839 drops = self.statistics['/nat44-ed/out2in/fastpath/drops']
3841 pkts = self.create_stream_out(self.pg8)
3842 self.pg8.add_stream(pkts)
3843 self.pg_enable_capture(self.pg_interfaces)
3845 capture = self.pg7.get_capture(len(pkts))
3846 self.verify_capture_in(capture, self.pg7)
3848 if_idx = self.pg8.sw_if_index
3849 cnt = self.statistics['/nat44-ed/out2in/fastpath/tcp']
3850 self.assertEqual(cnt[:, if_idx].sum() - tcpn[:, if_idx].sum(), 2)
3851 cnt = self.statistics['/nat44-ed/out2in/fastpath/udp']
3852 self.assertEqual(cnt[:, if_idx].sum() - udpn[:, if_idx].sum(), 1)
3853 cnt = self.statistics['/nat44-ed/out2in/fastpath/icmp']
3854 self.assertEqual(cnt[:, if_idx].sum() - icmpn[:, if_idx].sum(), 1)
3855 cnt = self.statistics['/nat44-ed/out2in/fastpath/drops']
3856 self.assertEqual(cnt[:, if_idx].sum() - drops[:, if_idx].sum(), 0)
3858 sessions = self.statistics['/nat44-ed/total-sessions']
3859 self.assertEqual(sessions[:, 0].sum(), 3)
3865 self.vapi.ip_table_add_del(is_add=0,
3866 table={'table_id': new_vrf_id})
3868 def test_next_src_nat(self):
3869 """ NAT44ED On way back forward packet to nat44-in2out node. """
3871 twice_nat_addr = '10.0.1.3'
3874 post_twice_nat_port = 0
3876 self.vapi.nat44_forwarding_enable_disable(enable=1)
3877 self.nat_add_address(twice_nat_addr, twice_nat=1)
3878 flags = (self.config_flags.NAT_IS_OUT2IN_ONLY |
3879 self.config_flags.NAT_IS_SELF_TWICE_NAT)
3880 self.nat_add_static_mapping(self.pg6.remote_ip4, self.pg1.remote_ip4,
3881 local_port, external_port,
3882 proto=IP_PROTOS.tcp, vrf_id=1,
3884 self.vapi.nat44_interface_add_del_feature(
3885 sw_if_index=self.pg6.sw_if_index,
3888 p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) /
3889 IP(src=self.pg6.remote_ip4, dst=self.pg1.remote_ip4) /
3890 TCP(sport=12345, dport=external_port))
3891 self.pg6.add_stream(p)
3892 self.pg_enable_capture(self.pg_interfaces)
3894 capture = self.pg6.get_capture(1)
3899 self.assertEqual(ip.src, twice_nat_addr)
3900 self.assertNotEqual(tcp.sport, 12345)
3901 post_twice_nat_port = tcp.sport
3902 self.assertEqual(ip.dst, self.pg6.remote_ip4)
3903 self.assertEqual(tcp.dport, local_port)
3904 self.assert_packet_checksums_valid(p)
3906 self.logger.error(ppp("Unexpected or invalid packet:", p))
3909 p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) /
3910 IP(src=self.pg6.remote_ip4, dst=twice_nat_addr) /
3911 TCP(sport=local_port, dport=post_twice_nat_port))
3912 self.pg6.add_stream(p)
3913 self.pg_enable_capture(self.pg_interfaces)
3915 capture = self.pg6.get_capture(1)
3920 self.assertEqual(ip.src, self.pg1.remote_ip4)
3921 self.assertEqual(tcp.sport, external_port)
3922 self.assertEqual(ip.dst, self.pg6.remote_ip4)
3923 self.assertEqual(tcp.dport, 12345)
3924 self.assert_packet_checksums_valid(p)
3926 self.logger.error(ppp("Unexpected or invalid packet:", p))
3929 def test_one_armed_nat44_static(self):
3930 """ NAT44ED One armed NAT and 1:1 NAPT asymmetrical rule """
3932 remote_host = self.pg4.remote_hosts[0]
3933 local_host = self.pg4.remote_hosts[1]
3938 self.vapi.nat44_forwarding_enable_disable(enable=1)
3939 self.nat_add_address(self.nat_addr, twice_nat=1)
3940 flags = (self.config_flags.NAT_IS_OUT2IN_ONLY |
3941 self.config_flags.NAT_IS_TWICE_NAT)
3942 self.nat_add_static_mapping(local_host.ip4, self.nat_addr,
3943 local_port, external_port,
3944 proto=IP_PROTOS.tcp, flags=flags)
3945 flags = self.config_flags.NAT_IS_INSIDE
3946 self.vapi.nat44_interface_add_del_feature(
3947 sw_if_index=self.pg4.sw_if_index,
3949 self.vapi.nat44_interface_add_del_feature(
3950 sw_if_index=self.pg4.sw_if_index,
3951 flags=flags, is_add=1)
3953 # from client to service
3954 p = (Ether(src=self.pg4.remote_mac, dst=self.pg4.local_mac) /
3955 IP(src=remote_host.ip4, dst=self.nat_addr) /
3956 TCP(sport=12345, dport=external_port))
3957 self.pg4.add_stream(p)
3958 self.pg_enable_capture(self.pg_interfaces)
3960 capture = self.pg4.get_capture(1)
3965 self.assertEqual(ip.dst, local_host.ip4)
3966 self.assertEqual(ip.src, self.nat_addr)
3967 self.assertEqual(tcp.dport, local_port)
3968 self.assertNotEqual(tcp.sport, 12345)
3969 eh_port_in = tcp.sport
3970 self.assert_packet_checksums_valid(p)
3972 self.logger.error(ppp("Unexpected or invalid packet:", p))
3975 # from service back to client
3976 p = (Ether(src=self.pg4.remote_mac, dst=self.pg4.local_mac) /
3977 IP(src=local_host.ip4, dst=self.nat_addr) /
3978 TCP(sport=local_port, dport=eh_port_in))
3979 self.pg4.add_stream(p)
3980 self.pg_enable_capture(self.pg_interfaces)
3982 capture = self.pg4.get_capture(1)
3987 self.assertEqual(ip.src, self.nat_addr)
3988 self.assertEqual(ip.dst, remote_host.ip4)
3989 self.assertEqual(tcp.sport, external_port)
3990 self.assertEqual(tcp.dport, 12345)
3991 self.assert_packet_checksums_valid(p)
3993 self.logger.error(ppp("Unexpected or invalid packet:", p))
3996 def test_icmp_error_fwd_outbound(self):
3997 """ NAT44ED ICMP error outbound with forwarding enabled """
3999 # Ensure that an outbound ICMP error message is properly associated
4000 # with the inbound forward bypass session it is related to.
4003 self.nat_add_address(self.nat_addr)
4004 self.nat_add_inside_interface(self.pg0)
4005 self.nat_add_outside_interface(self.pg1)
4007 # enable forwarding and initiate connection out2in
4008 self.vapi.nat44_forwarding_enable_disable(enable=1)
4009 p1 = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
4010 IP(src=self.pg1.remote_ip4, dst=self.pg0.remote_ip4) /
4011 UDP(sport=21, dport=20) / payload)
4013 self.pg1.add_stream(p1)
4014 self.pg_enable_capture(self.pg_interfaces)
4016 capture = self.pg0.get_capture(1)[0]
4018 self.logger.info(self.vapi.cli("show nat44 sessions"))
4020 # reply with ICMP error message in2out
4021 # We cannot reliably retrieve forward bypass sessions via the API.
4022 # session dumps for a user will only look on the worker that the
4023 # user is supposed to be mapped to in2out. The forward bypass session
4024 # is not necessarily created on that worker.
4025 p2 = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
4026 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
4027 ICMP(type='dest-unreach', code='port-unreachable') /
4030 self.pg0.add_stream(p2)
4031 self.pg_enable_capture(self.pg_interfaces)
4033 capture = self.pg1.get_capture(1)[0]
4035 self.logger.info(self.vapi.cli("show nat44 sessions"))
4037 self.logger.info(ppp("p1 packet:", p1))
4038 self.logger.info(ppp("p2 packet:", p2))
4039 self.logger.info(ppp("capture packet:", capture))
4041 def test_tcp_session_open_retransmit1(self):
4042 """ NAT44ED Open TCP session with SYN,ACK retransmit 1
4044 The client does not receive the [SYN,ACK] or the
4045 ACK from the client is lost. Therefore, the [SYN, ACK]
4046 is retransmitted by the server.
4049 in_port = self.tcp_port_in
4050 ext_port = self.tcp_external_port
4053 self.nat_add_address(self.nat_addr)
4054 self.nat_add_inside_interface(self.pg0)
4055 self.nat_add_outside_interface(self.pg1)
4057 self.vapi.nat_set_timeouts(udp=300, tcp_established=7440,
4058 tcp_transitory=5, icmp=60)
4059 # SYN packet in->out
4060 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
4061 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
4062 TCP(sport=in_port, dport=ext_port, flags="S"))
4063 p = self.send_and_expect(self.pg0, p, self.pg1)[0]
4064 out_port = p[TCP].sport
4066 # SYN + ACK packet out->in
4067 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
4068 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
4069 TCP(sport=ext_port, dport=out_port, flags="SA"))
4070 self.send_and_expect(self.pg1, p, self.pg0)
4072 # ACK in->out does not arrive
4074 # resent SYN + ACK packet out->in
4075 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
4076 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
4077 TCP(sport=ext_port, dport=out_port, flags="SA"))
4078 self.send_and_expect(self.pg1, p, self.pg0)
4080 # ACK packet in->out
4081 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
4082 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
4083 TCP(sport=in_port, dport=ext_port, flags="A"))
4084 self.send_and_expect(self.pg0, p, self.pg1)
4086 # Verify that the data can be transmitted after the transitory time
4087 self.virtual_sleep(6)
4089 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
4090 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
4091 TCP(sport=in_port, dport=ext_port, flags="PA") /
4093 self.send_and_expect(self.pg0, p, self.pg1)
4095 def test_tcp_session_open_retransmit2(self):
4096 """ NAT44ED Open TCP session with SYN,ACK retransmit 2
4098 The ACK is lost to the server after the TCP session is opened.
4099 Data is sent by the client, then the [SYN,ACK] is
4100 retransmitted by the server.
4103 in_port = self.tcp_port_in
4104 ext_port = self.tcp_external_port
4107 self.nat_add_address(self.nat_addr)
4108 self.nat_add_inside_interface(self.pg0)
4109 self.nat_add_outside_interface(self.pg1)
4111 self.vapi.nat_set_timeouts(udp=300, tcp_established=7440,
4112 tcp_transitory=5, icmp=60)
4113 # SYN packet in->out
4114 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
4115 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
4116 TCP(sport=in_port, dport=ext_port, flags="S"))
4117 p = self.send_and_expect(self.pg0, p, self.pg1)[0]
4118 out_port = p[TCP].sport
4120 # SYN + ACK packet out->in
4121 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
4122 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
4123 TCP(sport=ext_port, dport=out_port, flags="SA"))
4124 self.send_and_expect(self.pg1, p, self.pg0)
4126 # ACK packet in->out -- not received by the server
4127 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
4128 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
4129 TCP(sport=in_port, dport=ext_port, flags="A"))
4130 self.send_and_expect(self.pg0, p, self.pg1)
4132 # PUSH + ACK packet in->out
4133 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
4134 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
4135 TCP(sport=in_port, dport=ext_port, flags="PA") /
4137 self.send_and_expect(self.pg0, p, self.pg1)
4139 # resent SYN + ACK packet out->in
4140 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
4141 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
4142 TCP(sport=ext_port, dport=out_port, flags="SA"))
4143 self.send_and_expect(self.pg1, p, self.pg0)
4145 # resent ACK packet in->out
4146 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
4147 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
4148 TCP(sport=in_port, dport=ext_port, flags="A"))
4149 self.send_and_expect(self.pg0, p, self.pg1)
4151 # resent PUSH + ACK packet in->out
4152 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
4153 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
4154 TCP(sport=in_port, dport=ext_port, flags="PA") /
4156 self.send_and_expect(self.pg0, p, self.pg1)
4158 # ACK packet out->in
4159 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
4160 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
4161 TCP(sport=ext_port, dport=out_port, flags="A"))
4162 self.send_and_expect(self.pg1, p, self.pg0)
4164 # Verify that the data can be transmitted after the transitory time
4165 self.virtual_sleep(6)
4167 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
4168 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
4169 TCP(sport=in_port, dport=ext_port, flags="PA") /
4171 self.send_and_expect(self.pg0, p, self.pg1)
4174 if __name__ == '__main__':
4175 unittest.main(testRunner=VppTestRunner)
Code Review / vpp.git / blob