X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fplugins%2Fnat%2Ftest%2Ftest_nat.py;h=d5d41288c424b6ff16ddd62f2c4d9257e327e1f5;hb=492a5d0bd;hp=4d48ee494c6efdeeb0faea979c2d854937065d6a;hpb=e5ff5a36dd126ee57dca4e0b03da2f7704e0a4f5;p=vpp.git diff --git a/src/plugins/nat/test/test_nat.py b/src/plugins/nat/test/test_nat.py index 4d48ee494c6..d5d41288c42 100644 --- a/src/plugins/nat/test/test_nat.py +++ b/src/plugins/nat/test/test_nat.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 import socket import unittest @@ -27,11 +27,12 @@ from io import BytesIO from vpp_papi import VppEnum from vpp_ip_route import VppIpRoute, VppRoutePath, FibPathType from vpp_neighbor import VppNeighbor -from vpp_ip import VppIpAddress, VppIpPrefix from scapy.all import bind_layers, Packet, ByteEnumField, ShortField, \ IPField, IntField, LongField, XByteField, FlagsField, FieldLenField, \ PacketListField from ipaddress import IPv6Network +from util import ppc, ppp +from socket import inet_pton, AF_INET # NAT HA protocol event data @@ -169,10 +170,6 @@ class MethodHolder(VppTestCase): last_ip_address=addr.ip_address, vrf_id=0xFFFFFFFF, flags=addr.flags) - self.vapi.nat_set_reass(timeout=2, max_reass=1024, max_frag=5, - drop_frag=0) - self.vapi.nat_set_reass(timeout=2, max_reass=1024, max_frag=5, - drop_frag=0, is_ip6=1) self.verify_no_nat44_user() self.vapi.nat_set_timeouts(udp=300, tcp_established=7440, tcp_transitory=240, icmp=60) @@ -244,7 +241,7 @@ class MethodHolder(VppTestCase): p = (Ether(dst=in_if.local_mac, src=in_if.remote_mac) / IP(src=in_if.remote_ip4, dst=dst_ip, ttl=ttl) / TCP(sport=self.tcp_port_in, dport=20)) - pkts.append(p) + pkts.extend([p, p]) # UDP p = (Ether(dst=in_if.local_mac, src=in_if.remote_mac) / @@ -408,7 +405,7 @@ class MethodHolder(VppTestCase): p = (Ether(dst=out_if.local_mac, src=out_if.remote_mac) / IP(src=out_if.remote_ip4, dst=dst_ip, ttl=ttl) / TCP(dport=tcp_port, sport=20)) - pkts.append(p) + pkts.extend([p, p]) # UDP p = (Ether(dst=out_if.local_mac, src=out_if.remote_mac) / @@ -763,6 +760,7 @@ class MethodHolder(VppTestCase): proto=frags[0][IP].proto) if ip.proto == IP_PROTOS.tcp: p = (ip / TCP(buffer.getvalue())) + self.logger.debug(ppp("Reassembled:", p)) self.assert_tcp_checksum_valid(p) elif ip.proto == IP_PROTOS.udp: p = (ip / UDP(buffer.getvalue()[:8]) / @@ -793,6 +791,7 @@ class MethodHolder(VppTestCase): p = (ip / TCP(buffer.getvalue())) elif ip.nh == IP_PROTOS.udp: p = (ip / UDP(buffer.getvalue())) + self.logger.debug(ppp("Reassembled:", p)) self.assert_packet_checksums_valid(p) return p @@ -1065,7 +1064,7 @@ class MethodHolder(VppTestCase): # maxEntriesPerUser self.assertEqual(struct.pack("I", limit), record[473]) # sourceIPv4Address - self.assertEqual(src_addr, record[8]) + self.assertEqual(socket.inet_pton(socket.AF_INET, src_addr), record[8]) def verify_syslog_apmap(self, data, is_add=True): message = data.decode('utf-8') @@ -1155,16 +1154,9 @@ class MethodHolder(VppTestCase): data = b"A" * 16 + b"B" * 16 + b"C" * 3 self.port_in = random.randint(1025, 65535) - reass = self.vapi.nat_reass_dump() - reass_n_start = len(reass) - # in2out - pkts = self.create_stream_frag(self.pg0, - self.pg1.remote_ip4, - self.port_in, - 20, - data, - proto) + pkts = self.create_stream_frag(self.pg0, self.pg1.remote_ip4, + self.port_in, 20, data, proto) self.pg0.add_stream(pkts) self.pg_enable_capture(self.pg_interfaces) self.pg_start() @@ -1201,13 +1193,8 @@ class MethodHolder(VppTestCase): else: sport = p[layer].id dport = 0 - pkts = self.create_stream_frag(self.pg1, - dst_addr, - sport, - dport, - data, - proto, - echo_reply=True) + pkts = self.create_stream_frag(self.pg1, dst_addr, sport, dport, data, + proto, echo_reply=True) self.pg1.add_stream(pkts) self.pg_enable_capture(self.pg_interfaces) self.pg_start() @@ -1222,11 +1209,6 @@ class MethodHolder(VppTestCase): self.assertEqual(p[layer].id, self.port_in) self.assertEqual(data, p[Raw].load) - reass = self.vapi.nat_reass_dump() - reass_n_end = len(reass) - - self.assertEqual(reass_n_end - reass_n_start, 2) - def frag_in_order_in_plus_out(self, proto=IP_PROTOS.tcp): layer = self.proto2layer(proto) @@ -1237,16 +1219,10 @@ class MethodHolder(VppTestCase): self.port_in = random.randint(1025, 65535) for i in range(2): - reass = self.vapi.nat_reass_dump() - reass_n_start = len(reass) - # out2in - pkts = self.create_stream_frag(self.pg0, - self.server_out_addr, - self.port_in, - self.server_out_port, - data, - proto) + pkts = self.create_stream_frag(self.pg0, self.server_out_addr, + self.port_in, self.server_out_port, + data, proto) self.pg0.add_stream(pkts) self.pg_enable_capture(self.pg_interfaces) self.pg_start() @@ -1263,19 +1239,12 @@ class MethodHolder(VppTestCase): # in2out if proto != IP_PROTOS.icmp: - pkts = self.create_stream_frag(self.pg1, - self.pg0.remote_ip4, + pkts = self.create_stream_frag(self.pg1, self.pg0.remote_ip4, self.server_in_port, - p[layer].sport, - data, - proto) + p[layer].sport, data, proto) else: - pkts = self.create_stream_frag(self.pg1, - self.pg0.remote_ip4, - p[layer].id, - 0, - data, - proto, + pkts = self.create_stream_frag(self.pg1, self.pg0.remote_ip4, + p[layer].id, 0, data, proto, echo_reply=True) self.pg1.add_stream(pkts) self.pg_enable_capture(self.pg_interfaces) @@ -1291,11 +1260,6 @@ class MethodHolder(VppTestCase): self.assertEqual(p[layer].id, self.port_in) self.assertEqual(data, p[Raw].load) - reass = self.vapi.nat_reass_dump() - reass_n_end = len(reass) - - self.assertEqual(reass_n_end - reass_n_start, 2) - def reass_hairpinning(self, proto=IP_PROTOS.tcp): layer = self.proto2layer(proto) @@ -1336,12 +1300,8 @@ class MethodHolder(VppTestCase): for i in range(2): # in2out - pkts = self.create_stream_frag(self.pg0, - self.pg1.remote_ip4, - self.port_in, - 20, - data, - proto) + pkts = self.create_stream_frag(self.pg0, self.pg1.remote_ip4, + self.port_in, 20, data, proto) pkts.reverse() self.pg0.add_stream(pkts) self.pg_enable_capture(self.pg_interfaces) @@ -1379,13 +1339,8 @@ class MethodHolder(VppTestCase): else: sport = p[layer].id dport = 0 - pkts = self.create_stream_frag(self.pg1, - dst_addr, - sport, - dport, - data, - proto, - echo_reply=True) + pkts = self.create_stream_frag(self.pg1, dst_addr, sport, dport, + data, proto, echo_reply=True) pkts.reverse() self.pg1.add_stream(pkts) self.pg_enable_capture(self.pg_interfaces) @@ -1412,12 +1367,9 @@ class MethodHolder(VppTestCase): for i in range(2): # out2in - pkts = self.create_stream_frag(self.pg0, - self.server_out_addr, - self.port_in, - self.server_out_port, - data, - proto) + pkts = self.create_stream_frag(self.pg0, self.server_out_addr, + self.port_in, self.server_out_port, + data, proto) pkts.reverse() self.pg0.add_stream(pkts) self.pg_enable_capture(self.pg_interfaces) @@ -1436,19 +1388,12 @@ class MethodHolder(VppTestCase): # in2out if proto != IP_PROTOS.icmp: - pkts = self.create_stream_frag(self.pg1, - self.pg0.remote_ip4, + pkts = self.create_stream_frag(self.pg1, self.pg0.remote_ip4, self.server_in_port, - p[layer].sport, - data, - proto) + p[layer].sport, data, proto) else: - pkts = self.create_stream_frag(self.pg1, - self.pg0.remote_ip4, - p[layer].id, - 0, - data, - proto, + pkts = self.create_stream_frag(self.pg1, self.pg0.remote_ip4, + p[layer].id, 0, data, proto, echo_reply=True) pkts.reverse() self.pg1.add_stream(pkts) @@ -1474,72 +1419,64 @@ class TestNAT44(MethodHolder): super(TestNAT44, cls).setUpClass() cls.vapi.cli("set log class nat level debug") - try: - cls.tcp_port_in = 6303 - cls.tcp_port_out = 6303 - cls.udp_port_in = 6304 - cls.udp_port_out = 6304 - cls.icmp_id_in = 6305 - cls.icmp_id_out = 6305 - cls.nat_addr = '10.0.0.3' - cls.ipfix_src_port = 4739 - cls.ipfix_domain_id = 1 - cls.tcp_external_port = 80 - cls.udp_external_port = 69 - - cls.create_pg_interfaces(range(10)) - cls.interfaces = list(cls.pg_interfaces[0:4]) - - for i in cls.interfaces: - i.admin_up() - i.config_ip4() - i.resolve_arp() - - cls.pg0.generate_remote_hosts(3) - cls.pg0.configure_ipv4_neighbors() - - cls.pg1.generate_remote_hosts(1) - cls.pg1.configure_ipv4_neighbors() - - cls.overlapping_interfaces = list(list(cls.pg_interfaces[4:7])) - cls.vapi.ip_table_add_del(is_add=1, table_id=10) - cls.vapi.ip_table_add_del(is_add=1, table_id=20) - - cls.pg4._local_ip4 = VppIpPrefix("172.16.255.1", - cls.pg4.local_ip4_prefix.len) - cls.pg4._remote_hosts[0]._ip4 = "172.16.255.2" - cls.pg4.set_table_ip4(10) - cls.pg5._local_ip4 = VppIpPrefix("172.17.255.3", - cls.pg5.local_ip4_prefix.len) - cls.pg5._remote_hosts[0]._ip4 = "172.17.255.4" - cls.pg5.set_table_ip4(10) - cls.pg6._local_ip4 = VppIpPrefix("172.16.255.1", - cls.pg6.local_ip4_prefix.len) - cls.pg6._remote_hosts[0]._ip4 = "172.16.255.2" - cls.pg6.set_table_ip4(20) - for i in cls.overlapping_interfaces: - i.config_ip4() - i.admin_up() - i.resolve_arp() - - cls.pg7.admin_up() - cls.pg8.admin_up() - - cls.pg9.generate_remote_hosts(2) - cls.pg9.config_ip4() - cls.vapi.sw_interface_add_del_address( - sw_if_index=cls.pg9.sw_if_index, - prefix=VppIpPrefix("10.0.0.1", 24).encode()) - - cls.pg9.admin_up() - cls.pg9.resolve_arp() - cls.pg9._remote_hosts[1]._ip4 = cls.pg9._remote_hosts[0]._ip4 - cls.pg4._remote_ip4 = cls.pg9._remote_hosts[0]._ip4 = "10.0.0.2" - cls.pg9.resolve_arp() - - except Exception: - super(TestNAT44, cls).tearDownClass() - raise + cls.tcp_port_in = 6303 + cls.tcp_port_out = 6303 + cls.udp_port_in = 6304 + cls.udp_port_out = 6304 + cls.icmp_id_in = 6305 + cls.icmp_id_out = 6305 + cls.nat_addr = '10.0.0.3' + cls.ipfix_src_port = 4739 + cls.ipfix_domain_id = 1 + cls.tcp_external_port = 80 + cls.udp_external_port = 69 + + cls.create_pg_interfaces(range(10)) + cls.interfaces = list(cls.pg_interfaces[0:4]) + + for i in cls.interfaces: + i.admin_up() + i.config_ip4() + i.resolve_arp() + + cls.pg0.generate_remote_hosts(3) + cls.pg0.configure_ipv4_neighbors() + + cls.pg1.generate_remote_hosts(1) + cls.pg1.configure_ipv4_neighbors() + + cls.overlapping_interfaces = list(list(cls.pg_interfaces[4:7])) + cls.vapi.ip_table_add_del(is_add=1, table={'table_id': 10}) + cls.vapi.ip_table_add_del(is_add=1, table={'table_id': 20}) + + cls.pg4._local_ip4 = "172.16.255.1" + cls.pg4._remote_hosts[0]._ip4 = "172.16.255.2" + cls.pg4.set_table_ip4(10) + cls.pg5._local_ip4 = "172.17.255.3" + cls.pg5._remote_hosts[0]._ip4 = "172.17.255.4" + cls.pg5.set_table_ip4(10) + cls.pg6._local_ip4 = "172.16.255.1" + cls.pg6._remote_hosts[0]._ip4 = "172.16.255.2" + cls.pg6.set_table_ip4(20) + for i in cls.overlapping_interfaces: + i.config_ip4() + i.admin_up() + i.resolve_arp() + + cls.pg7.admin_up() + cls.pg8.admin_up() + + cls.pg9.generate_remote_hosts(2) + cls.pg9.config_ip4() + cls.vapi.sw_interface_add_del_address( + sw_if_index=cls.pg9.sw_if_index, + prefix="10.0.0.1/24") + + cls.pg9.admin_up() + cls.pg9.resolve_arp() + cls.pg9._remote_hosts[1]._ip4 = cls.pg9._remote_hosts[0]._ip4 + cls.pg4._remote_ip4 = cls.pg9._remote_hosts[0]._ip4 = "10.0.0.2" + cls.pg9.resolve_arp() @classmethod def tearDownClass(cls): @@ -1575,7 +1512,7 @@ class TestNAT44(MethodHolder): err = self.statistics.get_err_counter( '/err/nat44-in2out-slowpath/TCP packets') - self.assertEqual(err - tcpn, 1) + self.assertEqual(err - tcpn, 2) err = self.statistics.get_err_counter( '/err/nat44-in2out-slowpath/UDP packets') self.assertEqual(err - udpn, 1) @@ -1584,7 +1521,7 @@ class TestNAT44(MethodHolder): self.assertEqual(err - icmpn, 1) err = self.statistics.get_err_counter( '/err/nat44-in2out-slowpath/good in2out packets processed') - self.assertEqual(err - totaln, 3) + self.assertEqual(err - totaln, 4) # out2in tcpn = self.statistics.get_err_counter('/err/nat44-out2in/TCP packets') @@ -1602,14 +1539,14 @@ class TestNAT44(MethodHolder): self.verify_capture_in(capture, self.pg0) err = self.statistics.get_err_counter('/err/nat44-out2in/TCP packets') - self.assertEqual(err - tcpn, 1) + self.assertEqual(err - tcpn, 2) err = self.statistics.get_err_counter('/err/nat44-out2in/UDP packets') self.assertEqual(err - udpn, 1) err = self.statistics.get_err_counter('/err/nat44-out2in/ICMP packets') self.assertEqual(err - icmpn, 1) err = self.statistics.get_err_counter( '/err/nat44-out2in/good out2in packets processed') - self.assertEqual(err - totaln, 3) + self.assertEqual(err - totaln, 4) users = self.statistics.get_counter('/nat44/total-users') self.assertEqual(users[0][0], 1) @@ -1816,7 +1753,7 @@ class TestNAT44(MethodHolder): is_add=1) self.vapi.nat44_forwarding_enable_disable(enable=1) - real_ip = self.pg0.remote_ip4n + real_ip = self.pg0.remote_ip4 alias_ip = self.nat_addr flags = self.config_flags.NAT_IS_ADDR_ONLY self.vapi.nat44_add_del_static_mapping(is_add=1, @@ -1922,7 +1859,7 @@ class TestNAT44(MethodHolder): self.tcp_port_out = 6303 self.udp_port_out = 6304 self.icmp_id_out = 6305 - tag = b"testTAG" + tag = "testTAG" self.nat44_add_static_mapping(self.pg0.remote_ip4, nat_ip, tag=tag) flags = self.config_flags.NAT_IS_INSIDE @@ -1934,7 +1871,7 @@ class TestNAT44(MethodHolder): is_add=1) sm = self.vapi.nat44_static_mapping_dump() self.assertEqual(len(sm), 1) - self.assertEqual((sm[0].tag).split(b'\0', 1)[0], tag) + self.assertEqual(sm[0].tag, tag) # out2in pkts = self.create_stream_out(self.pg1, nat_ip) @@ -2100,7 +2037,7 @@ class TestNAT44(MethodHolder): # 1:1NAT self.nat44_add_static_mapping(self.pg0.remote_ip4, nat_ip) - sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4n, 0) + sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) self.assertEqual(len(sessions), 0) pkts = self.create_stream_in(self.pg0, self.pg1) self.pg0.add_stream(pkts) @@ -2113,7 +2050,7 @@ class TestNAT44(MethodHolder): """ Identity NAT """ flags = self.config_flags.NAT_IS_ADDR_ONLY self.vapi.nat44_add_del_identity_mapping( - ip_address=self.pg0.remote_ip4n, sw_if_index=0xFFFFFFFF, + ip_address=self.pg0.remote_ip4, sw_if_index=0xFFFFFFFF, flags=flags, is_add=1) flags = self.config_flags.NAT_IS_INSIDE self.vapi.nat44_interface_add_del_feature( @@ -2143,11 +2080,11 @@ class TestNAT44(MethodHolder): self.logger.error(ppp("Unexpected or invalid packet:", p)) raise - sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4n, 0) + sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) self.assertEqual(len(sessions), 0) flags = self.config_flags.NAT_IS_ADDR_ONLY self.vapi.nat44_add_del_identity_mapping( - ip_address=self.pg0.remote_ip4n, sw_if_index=0xFFFFFFFF, + ip_address=self.pg0.remote_ip4, sw_if_index=0xFFFFFFFF, flags=flags, vrf_id=1, is_add=1) identity_mappings = self.vapi.nat44_identity_mapping_dump() self.assertEqual(len(identity_mappings), 2) @@ -2299,7 +2236,7 @@ class TestNAT44(MethodHolder): # pg5 session dump addresses = self.vapi.nat44_address_dump() self.assertEqual(len(addresses), 1) - sessions = self.vapi.nat44_user_session_dump(self.pg5.remote_ip4n, 10) + sessions = self.vapi.nat44_user_session_dump(self.pg5.remote_ip4, 10) self.assertEqual(len(sessions), 3) for session in sessions: self.assertFalse(session.flags & self.config_flags.NAT_IS_STATIC) @@ -2351,7 +2288,7 @@ class TestNAT44(MethodHolder): self.config_flags.NAT_IS_EXT_HOST_VALID) # pg4 session dump - sessions = self.vapi.nat44_user_session_dump(self.pg4.remote_ip4n, 10) + sessions = self.vapi.nat44_user_session_dump(self.pg4.remote_ip4, 10) self.assertGreaterEqual(len(sessions), 4) for session in sessions: self.assertFalse(session.flags & self.config_flags.NAT_IS_STATIC) @@ -2361,7 +2298,7 @@ class TestNAT44(MethodHolder): addresses[0].ip_address) # pg6 session dump - sessions = self.vapi.nat44_user_session_dump(self.pg6.remote_ip4n, 20) + sessions = self.vapi.nat44_user_session_dump(self.pg6.remote_ip4, 20) self.assertGreaterEqual(len(sessions), 3) for session in sessions: self.assertTrue(session.flags & self.config_flags.NAT_IS_STATIC) @@ -2610,61 +2547,6 @@ class TestNAT44(MethodHolder): self.logger.error(ppp("Unexpected or invalid packet:", packet)) raise - def test_max_translations_per_user(self): - """ MAX translations per user - recycle the least recently used """ - - self.nat44_add_address(self.nat_addr) - flags = self.config_flags.NAT_IS_INSIDE - self.vapi.nat44_interface_add_del_feature( - sw_if_index=self.pg0.sw_if_index, - flags=flags, is_add=1) - self.vapi.nat44_interface_add_del_feature( - sw_if_index=self.pg1.sw_if_index, - is_add=1) - - # get maximum number of translations per user - nat44_config = self.vapi.nat_show_config() - - # send more than maximum number of translations per user packets - pkts_num = nat44_config.max_translations_per_user + 5 - pkts = [] - for port in range(0, pkts_num): - p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / - IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / - TCP(sport=1025 + port)) - pkts.append(p) - self.pg0.add_stream(pkts) - self.pg_enable_capture(self.pg_interfaces) - self.pg_start() - - # verify number of translated packet - self.pg1.get_capture(pkts_num) - - users = self.vapi.nat44_user_dump() - for user in users: - if user.ip_address == self.pg0.remote_ip4n: - self.assertEqual(user.nsessions, - nat44_config.max_translations_per_user) - self.assertEqual(user.nstaticsessions, 0) - - tcp_port = 22 - self.nat44_add_static_mapping(self.pg0.remote_ip4, self.nat_addr, - tcp_port, tcp_port, - proto=IP_PROTOS.tcp) - p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / - IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / - TCP(sport=tcp_port)) - self.pg0.add_stream(p) - self.pg_enable_capture(self.pg_interfaces) - self.pg_start() - self.pg1.get_capture(1) - users = self.vapi.nat44_user_dump() - for user in users: - if user.ip_address == self.pg0.remote_ip4n: - self.assertEqual(user.nsessions, - nat44_config.max_translations_per_user - 1) - self.assertEqual(user.nstaticsessions, 1) - def test_interface_addr(self): """ Acquire NAT44 addresses from interface """ self.vapi.nat44_add_del_interface_addr( @@ -2688,7 +2570,7 @@ class TestNAT44(MethodHolder): def test_interface_addr_static_mapping(self): """ Static mapping with addresses from interface """ - tag = b"testTAG" + tag = "testTAG" self.vapi.nat44_add_del_interface_addr( is_add=1, @@ -2703,7 +2585,7 @@ class TestNAT44(MethodHolder): self.assertEqual(1, len(static_mappings)) self.assertEqual(self.pg7.sw_if_index, static_mappings[0].external_sw_if_index) - self.assertEqual((static_mappings[0].tag).split(b'\0', 1)[0], tag) + self.assertEqual(static_mappings[0].tag, tag) # configure interface address and check static mappings self.pg7.config_ip4() @@ -2714,7 +2596,7 @@ class TestNAT44(MethodHolder): if sm.external_sw_if_index == 0xFFFFFFFF: self.assertEqual(str(sm.external_ip_address), self.pg7.local_ip4) - self.assertEqual((sm.tag).split(b'\0', 1)[0], tag) + self.assertEqual(sm.tag, tag) resolved = True self.assertTrue(resolved) @@ -2724,7 +2606,7 @@ class TestNAT44(MethodHolder): self.assertEqual(1, len(static_mappings)) self.assertEqual(self.pg7.sw_if_index, static_mappings[0].external_sw_if_index) - self.assertEqual((static_mappings[0].tag).split(b'\0', 1)[0], tag) + self.assertEqual(static_mappings[0].tag, tag) # configure interface address again and check static mappings self.pg7.config_ip4() @@ -2735,7 +2617,7 @@ class TestNAT44(MethodHolder): if sm.external_sw_if_index == 0xFFFFFFFF: self.assertEqual(str(sm.external_ip_address), self.pg7.local_ip4) - self.assertEqual((sm.tag).split(b'\0', 1)[0], tag) + self.assertEqual(sm.tag, tag) resolved = True self.assertTrue(resolved) @@ -2803,8 +2685,8 @@ class TestNAT44(MethodHolder): self.vapi.nat44_interface_add_del_feature( sw_if_index=self.pg1.sw_if_index, is_add=1) - self.vapi.set_ipfix_exporter(collector_address=self.pg3.remote_ip4n, - src_address=self.pg3.local_ip4n, + self.vapi.set_ipfix_exporter(collector_address=self.pg3.remote_ip4, + src_address=self.pg3.local_ip4, path_mtu=512, template_interval=10, collector_port=collector_port) @@ -2848,8 +2730,8 @@ class TestNAT44(MethodHolder): self.vapi.nat44_interface_add_del_feature( sw_if_index=self.pg1.sw_if_index, is_add=1) - self.vapi.set_ipfix_exporter(collector_address=self.pg3.remote_ip4n, - src_address=self.pg3.local_ip4n, + self.vapi.set_ipfix_exporter(collector_address=self.pg3.remote_ip4, + src_address=self.pg3.local_ip4, path_mtu=512, template_interval=10) self.vapi.nat_ipfix_enable_disable(domain_id=self.ipfix_domain_id, @@ -2911,8 +2793,8 @@ class TestNAT44(MethodHolder): self.pg_start() self.pg1.get_capture(max_sessions) - self.vapi.set_ipfix_exporter(collector_address=self.pg3.remote_ip4n, - src_address=self.pg3.local_ip4n, + self.vapi.set_ipfix_exporter(collector_address=self.pg3.remote_ip4, + src_address=self.pg3.local_ip4, path_mtu=512, template_interval=10) self.vapi.nat_ipfix_enable_disable(domain_id=self.ipfix_domain_id, @@ -2951,7 +2833,7 @@ class TestNAT44(MethodHolder): """ Test syslog address and port mapping creation and deletion """ self.vapi.syslog_set_filter( self.SYSLOG_SEVERITY.SYSLOG_API_SEVERITY_INFO) - self.vapi.syslog_set_sender(self.pg3.local_ip4n, self.pg3.remote_ip4n) + self.vapi.syslog_set_sender(self.pg3.local_ip4, self.pg3.remote_ip4) self.nat44_add_address(self.nat_addr) flags = self.config_flags.NAT_IS_INSIDE self.vapi.nat44_interface_add_del_feature( @@ -3053,8 +2935,8 @@ class TestNAT44(MethodHolder): self.pg0.unconfig_ip4() self.pg1.unconfig_ip4() - self.vapi.ip_table_add_del(is_add=1, table_id=vrf_id1) - self.vapi.ip_table_add_del(is_add=1, table_id=vrf_id2) + self.vapi.ip_table_add_del(is_add=1, table={'table_id': vrf_id1}) + self.vapi.ip_table_add_del(is_add=1, table={'table_id': vrf_id2}) self.pg0.set_table_ip4(vrf_id1) self.pg1.set_table_ip4(vrf_id2) self.pg0.config_ip4() @@ -3101,8 +2983,8 @@ class TestNAT44(MethodHolder): self.pg1.config_ip4() self.pg0.resolve_arp() self.pg1.resolve_arp() - self.vapi.ip_table_add_del(is_add=0, table_id=vrf_id1) - self.vapi.ip_table_add_del(is_add=0, table_id=vrf_id2) + self.vapi.ip_table_add_del(is_add=0, table={'table_id': vrf_id1}) + self.vapi.ip_table_add_del(is_add=0, table={'table_id': vrf_id2}) def test_vrf_feature_independent(self): """ NAT44 tenant VRF independent address pool mode """ @@ -3619,7 +3501,7 @@ class TestNAT44(MethodHolder): self.pg_start() self.pg1.get_capture(len(pkts)) - sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4n, 0) + sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) nsessions = len(sessions) self.vapi.nat44_del_session(address=sessions[0].inside_ip_address, @@ -3630,7 +3512,7 @@ class TestNAT44(MethodHolder): port=sessions[1].outside_port, protocol=sessions[1].protocol) - sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4n, 0) + sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) self.assertEqual(nsessions - len(sessions), 2) self.vapi.nat44_del_session(address=sessions[0].inside_ip_address, @@ -3640,25 +3522,6 @@ class TestNAT44(MethodHolder): self.verify_no_nat44_user() - def test_set_get_reass(self): - """ NAT44 set/get virtual fragmentation reassembly """ - reas_cfg1 = self.vapi.nat_get_reass() - - self.vapi.nat_set_reass(timeout=reas_cfg1.ip4_timeout + 5, - max_reass=reas_cfg1.ip4_max_reass * 2, - max_frag=reas_cfg1.ip4_max_frag * 2, - drop_frag=0) - - reas_cfg2 = self.vapi.nat_get_reass() - - self.assertEqual(reas_cfg1.ip4_timeout + 5, reas_cfg2.ip4_timeout) - self.assertEqual(reas_cfg1.ip4_max_reass * 2, reas_cfg2.ip4_max_reass) - self.assertEqual(reas_cfg1.ip4_max_frag * 2, reas_cfg2.ip4_max_frag) - - self.vapi.nat_set_reass(timeout=2, max_reass=1024, max_frag=5, - drop_frag=1) - self.assertTrue(self.vapi.nat_get_reass().ip4_drop_frag) - def test_frag_in_order(self): """ NAT44 translate fragments arriving in order """ @@ -3671,22 +3534,10 @@ class TestNAT44(MethodHolder): sw_if_index=self.pg1.sw_if_index, is_add=1) - reas_cfg1 = self.vapi.nat_get_reass() - # this test was intermittently failing in some cases - # until we temporarily bump the reassembly timeouts - self.vapi.nat_set_reass(timeout=20, max_reass=1024, max_frag=5, - drop_frag=0) - self.frag_in_order(proto=IP_PROTOS.tcp) self.frag_in_order(proto=IP_PROTOS.udp) self.frag_in_order(proto=IP_PROTOS.icmp) - # restore the reassembly timeouts - self.vapi.nat_set_reass(timeout=reas_cfg1.ip4_timeout, - max_reass=reas_cfg1.ip4_max_reass, - max_frag=reas_cfg1.ip4_max_frag, - drop_frag=reas_cfg1.ip4_drop_frag) - def test_frag_forwarding(self): """ NAT44 forwarding fragment test """ self.vapi.nat44_add_del_interface_addr( @@ -3831,60 +3682,6 @@ class TestNAT44(MethodHolder): self.assertGreaterEqual(tcp.sport, 1025) self.assertLessEqual(tcp.sport, 1027) - def test_ipfix_max_frags(self): - """ IPFIX logging maximum fragments pending reassembly exceeded """ - self.nat44_add_address(self.nat_addr) - flags = self.config_flags.NAT_IS_INSIDE - self.vapi.nat44_interface_add_del_feature( - sw_if_index=self.pg0.sw_if_index, - flags=flags, is_add=1) - self.vapi.nat44_interface_add_del_feature( - sw_if_index=self.pg1.sw_if_index, - is_add=1) - self.vapi.nat_set_reass(timeout=2, max_reass=1024, max_frag=1, - drop_frag=0) - self.vapi.set_ipfix_exporter(collector_address=self.pg3.remote_ip4n, - src_address=self.pg3.local_ip4n, - path_mtu=512, - template_interval=10) - self.vapi.nat_ipfix_enable_disable(domain_id=self.ipfix_domain_id, - src_port=self.ipfix_src_port, - enable=1) - - data = b"A" * 4 + b"B" * 16 + b"C" * 3 - self.tcp_port_in = random.randint(1025, 65535) - pkts = self.create_stream_frag(self.pg0, - self.pg1.remote_ip4, - self.tcp_port_in, - 20, - data) - pkts.reverse() - self.pg0.add_stream(pkts) - self.pg_enable_capture(self.pg_interfaces) - self.pg_start() - self.pg1.assert_nothing_captured() - sleep(1) - self.vapi.ipfix_flush() - capture = self.pg3.get_capture(9) - ipfix = IPFIXDecoder() - # first load template - for p in capture: - self.assertTrue(p.haslayer(IPFIX)) - self.assertEqual(p[IP].src, self.pg3.local_ip4) - self.assertEqual(p[IP].dst, self.pg3.remote_ip4) - self.assertEqual(p[UDP].sport, self.ipfix_src_port) - self.assertEqual(p[UDP].dport, 4739) - self.assertEqual(p[IPFIX].observationDomainID, - self.ipfix_domain_id) - if p.haslayer(Template): - ipfix.add_template(p.getlayer(Template)) - # verify events in data set - for p in capture: - if p.haslayer(Data): - data = ipfix.decode_data_set(p.getlayer(Set)) - self.verify_ipfix_max_fragments_ip4(data, 1, - self.pg0.remote_ip4n) - def test_multiple_outside_vrf(self): """ Multiple outside VRF """ vrf_id1 = 1 @@ -3892,8 +3689,8 @@ class TestNAT44(MethodHolder): self.pg1.unconfig_ip4() self.pg2.unconfig_ip4() - self.vapi.ip_table_add_del(is_add=1, table_id=vrf_id1) - self.vapi.ip_table_add_del(is_add=1, table_id=vrf_id2) + self.vapi.ip_table_add_del(is_add=1, table={'table_id': vrf_id1}) + self.vapi.ip_table_add_del(is_add=1, table={'table_id': vrf_id2}) self.pg1.set_table_ip4(vrf_id1) self.pg2.set_table_ip4(vrf_id2) self.pg1.config_ip4() @@ -4112,7 +3909,7 @@ class TestNAT44(MethodHolder): # delete one session self.pg_enable_capture(self.pg_interfaces) - self.vapi.nat44_del_session(address=self.pg0.remote_ip4n, + self.vapi.nat44_del_session(address=self.pg0.remote_ip4, port=self.tcp_port_in, protocol=IP_PROTOS.tcp, flags=self.config_flags.NAT_IS_INSIDE) @@ -4382,7 +4179,6 @@ class TestNAT44(MethodHolder): self.logger.info(self.vapi.cli("show nat44 static mappings")) self.logger.info(self.vapi.cli("show nat44 interface address")) self.logger.info(self.vapi.cli("show nat44 sessions detail")) - self.logger.info(self.vapi.cli("show nat virtual-reassembly")) self.logger.info(self.vapi.cli("show nat44 hash tables detail")) self.logger.info(self.vapi.cli("show nat timeouts")) self.logger.info( @@ -4390,6 +4186,100 @@ class TestNAT44(MethodHolder): self.logger.info(self.vapi.cli("show nat ha")) +class TestNAT44EndpointDependent2(MethodHolder): + """ Endpoint-Dependent session test cases """ + + icmp_timeout = 2 + + @classmethod + def setUpConstants(cls): + super(TestNAT44EndpointDependent2, cls).setUpConstants() + cls.vpp_cmdline.extend(["nat", "{", "endpoint-dependent", + "translation", "hash", "buckets", "1", + "icmp", "timeout", str(cls.icmp_timeout), "}"]) + + @classmethod + def setUpClass(cls): + super(TestNAT44EndpointDependent2, cls).setUpClass() + translation_buckets = 1 + cls.max_translations = 10 * translation_buckets + + cls.create_pg_interfaces(range(2)) + cls.interfaces = list(cls.pg_interfaces[0:2]) + + for i in cls.interfaces: + i.admin_up() + i.config_ip4() + i.resolve_arp() + + cls.pg0.generate_remote_hosts(1) + cls.pg0.configure_ipv4_neighbors() + + cls.pg1.generate_remote_hosts(1) + cls.pg1.configure_ipv4_neighbors() + + @classmethod + def tearDownClass(cls): + super(TestNAT44EndpointDependent2, cls).tearDownClass() + + def create_icmp_stream(self, in_if, out_if, count): + """ + Create ICMP packet stream for inside network + + :param in_if: Inside interface + :param out_if: Outside interface + :param count: Number of packets + """ + + self.assertTrue(count > 0) + icmp_id = random.randint(0, 65535 - (count - 1)) + + pkts = list() + for i in range(count): + p = (Ether(dst=in_if.local_mac, src=in_if.remote_mac) / + IP(src=in_if.remote_ip4, dst=out_if.remote_ip4, ttl=64) / + ICMP(id=icmp_id + i, type='echo-request')) + pkts.append(p) + return pkts + + def send_pkts(self, pkts, expected=None): + self.pg0.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + return self.pg1.get_capture( + len(pkts) if expected is None else expected) + + def test_session_cleanup(self): + """ NAT44 session cleanup test """ + + self.nat44_add_address(self.pg1.local_ip4) + flags = self.config_flags.NAT_IS_INSIDE + self.vapi.nat44_interface_add_del_feature( + sw_if_index=self.pg0.sw_if_index, + flags=flags, is_add=1) + self.vapi.nat44_interface_add_del_feature( + sw_if_index=self.pg1.sw_if_index, + is_add=1) + + nat_config = self.vapi.nat_show_config() + self.assertEqual(1, nat_config.endpoint_dependent) + + pkts = self.create_icmp_stream(self.pg0, self.pg1, + self.max_translations + 2) + sz = len(pkts) + + # positive test + self.send_pkts(pkts[0:self.max_translations]) + + # false positive test + self.send_pkts(pkts[self.max_translations:sz - 1], 0) + + sleep(self.icmp_timeout) + + # positive test + self.send_pkts(pkts[self.max_translations + 1:sz]) + + class TestNAT44EndpointDependent(MethodHolder): """ Endpoint-Dependent mapping and filtering test cases """ @@ -4402,100 +4292,105 @@ class TestNAT44EndpointDependent(MethodHolder): def setUpClass(cls): super(TestNAT44EndpointDependent, cls).setUpClass() cls.vapi.cli("set log class nat level debug") - try: - cls.tcp_port_in = 6303 - cls.tcp_port_out = 6303 - cls.udp_port_in = 6304 - cls.udp_port_out = 6304 - cls.icmp_id_in = 6305 - cls.icmp_id_out = 6305 - cls.nat_addr = '10.0.0.3' - cls.ipfix_src_port = 4739 - cls.ipfix_domain_id = 1 - cls.tcp_external_port = 80 - - cls.create_pg_interfaces(range(7)) - cls.interfaces = list(cls.pg_interfaces[0:3]) - - for i in cls.interfaces: - i.admin_up() - i.config_ip4() - i.resolve_arp() - - cls.pg0.generate_remote_hosts(3) - cls.pg0.configure_ipv4_neighbors() - - cls.pg3.admin_up() - - cls.pg4.generate_remote_hosts(2) - cls.pg4.config_ip4() - cls.vapi.sw_interface_add_del_address( - sw_if_index=cls.pg4.sw_if_index, - prefix=VppIpPrefix("10.0.0.1", 24).encode()) - - cls.pg4.admin_up() - cls.pg4.resolve_arp() - cls.pg4._remote_hosts[1]._ip4 = cls.pg4._remote_hosts[0]._ip4 - cls.pg4.resolve_arp() - - zero_ip4n = socket.inet_pton(socket.AF_INET, "0.0.0.0") - cls.vapi.ip_table_add_del(is_add=1, table_id=1) - - cls.pg5._local_ip4 = VppIpPrefix("10.1.1.1", - cls.pg5.local_ip4_prefix.len) - cls.pg5._remote_hosts[0]._ip4 = "10.1.1.2" - cls.pg5._remote_hosts[0]._ip4n = socket.inet_pton( - socket.AF_INET, cls.pg5.remote_ip4) - cls.pg5.set_table_ip4(1) - cls.pg5.config_ip4() - cls.pg5.admin_up() - r1 = VppIpRoute(cls, cls.pg5.remote_ip4, 32, - [VppRoutePath("0.0.0.0", - cls.pg5.sw_if_index)], - table_id=1, - register=False) - r1.add_vpp_config() - - cls.pg6._local_ip4 = VppIpPrefix("10.1.2.1", - cls.pg6.local_ip4_prefix.len) - cls.pg6._remote_hosts[0]._ip4 = "10.1.2.2" - cls.pg6._remote_hosts[0]._ip4n = socket.inet_pton( - socket.AF_INET, cls.pg6.remote_ip4) - cls.pg6.set_table_ip4(1) - cls.pg6.config_ip4() - cls.pg6.admin_up() - - r2 = VppIpRoute(cls, cls.pg6.remote_ip4, 32, - [VppRoutePath("0.0.0.0", - cls.pg6.sw_if_index)], - table_id=1, - register=False) - r3 = VppIpRoute(cls, cls.pg6.remote_ip4, 16, - [VppRoutePath("0.0.0.0", - 0xffffffff, - nh_table_id=1)], - table_id=0, - register=False) - r4 = VppIpRoute(cls, "0.0.0.0", 0, - [VppRoutePath("0.0.0.0", 0xffffffff, - nh_table_id=0)], - table_id=1, - register=False) - r5 = VppIpRoute(cls, "0.0.0.0", 0, - [VppRoutePath(cls.pg1.local_ip4, - cls.pg1.sw_if_index)], - register=False) - r2.add_vpp_config() - r3.add_vpp_config() - r4.add_vpp_config() - r5.add_vpp_config() - - cls.pg5.resolve_arp() - cls.pg6.resolve_arp() - - except Exception: - super(TestNAT44EndpointDependent, cls).tearDownClass() - raise + + cls.tcp_port_in = 6303 + cls.tcp_port_out = 6303 + cls.udp_port_in = 6304 + cls.udp_port_out = 6304 + cls.icmp_id_in = 6305 + cls.icmp_id_out = 6305 + cls.nat_addr = '10.0.0.3' + cls.ipfix_src_port = 4739 + cls.ipfix_domain_id = 1 + cls.tcp_external_port = 80 + + cls.create_pg_interfaces(range(9)) + cls.interfaces = list(cls.pg_interfaces[0:3]) + + for i in cls.interfaces: + i.admin_up() + i.config_ip4() + i.resolve_arp() + + cls.pg0.generate_remote_hosts(3) + cls.pg0.configure_ipv4_neighbors() + + cls.pg3.admin_up() + + cls.pg4.generate_remote_hosts(2) + cls.pg4.config_ip4() + cls.vapi.sw_interface_add_del_address( + sw_if_index=cls.pg4.sw_if_index, + prefix="10.0.0.1/24") + + cls.pg4.admin_up() + cls.pg4.resolve_arp() + cls.pg4._remote_hosts[1]._ip4 = cls.pg4._remote_hosts[0]._ip4 + cls.pg4.resolve_arp() + + zero_ip4 = socket.inet_pton(socket.AF_INET, "0.0.0.0") + cls.vapi.ip_table_add_del(is_add=1, table={'table_id': 1}) + + cls.pg5._local_ip4 = "10.1.1.1" + cls.pg5._remote_hosts[0]._ip4 = "10.1.1.2" + cls.pg5.set_table_ip4(1) + cls.pg5.config_ip4() + cls.pg5.admin_up() + r1 = VppIpRoute(cls, cls.pg5.remote_ip4, 32, + [VppRoutePath("0.0.0.0", + cls.pg5.sw_if_index)], + table_id=1, + register=False) + r1.add_vpp_config() + + cls.pg6._local_ip4 = "10.1.2.1" + cls.pg6._remote_hosts[0]._ip4 = "10.1.2.2" + cls.pg6.set_table_ip4(1) + cls.pg6.config_ip4() + cls.pg6.admin_up() + + r2 = VppIpRoute(cls, cls.pg6.remote_ip4, 32, + [VppRoutePath("0.0.0.0", + cls.pg6.sw_if_index)], + table_id=1, + register=False) + r3 = VppIpRoute(cls, cls.pg6.remote_ip4, 16, + [VppRoutePath("0.0.0.0", + 0xffffffff, + nh_table_id=1)], + table_id=0, + register=False) + r4 = VppIpRoute(cls, "0.0.0.0", 0, + [VppRoutePath("0.0.0.0", 0xffffffff, + nh_table_id=0)], + table_id=1, + register=False) + r5 = VppIpRoute(cls, "0.0.0.0", 0, + [VppRoutePath(cls.pg1.local_ip4, + cls.pg1.sw_if_index)], + register=False) + r2.add_vpp_config() + r3.add_vpp_config() + r4.add_vpp_config() + r5.add_vpp_config() + + cls.pg5.resolve_arp() + cls.pg6.resolve_arp() + + cls.pg7.admin_up() + cls.pg7.config_ip4() + cls.pg7.resolve_arp() + cls.pg7.generate_remote_hosts(3) + cls.pg7.configure_ipv4_neighbors() + + cls.pg8.admin_up() + cls.pg8.config_ip4() + cls.pg8.resolve_arp() + + def setUp(self): + super(TestNAT44EndpointDependent, self).setUp() + self.vapi.nat_set_timeouts( + udp=300, tcp_established=7440, tcp_transitory=240, icmp=60) @classmethod def tearDownClass(cls): @@ -4525,17 +4420,7 @@ class TestNAT44EndpointDependent(MethodHolder): sw_if_index=self.pg1.sw_if_index, is_add=1) self.vapi.nat44_forwarding_enable_disable(enable=True) - reas_cfg1 = self.vapi.nat_get_reass() - # this test was intermittently failing in some cases - # until we temporarily bump the reassembly timeouts - self.vapi.nat_set_reass(timeout=20, max_reass=1024, max_frag=5, - drop_frag=0) self.frag_in_order(proto=IP_PROTOS.tcp, dont_translate=True) - # restore the reassembly timeouts - self.vapi.nat_set_reass(timeout=reas_cfg1.ip4_timeout, - max_reass=reas_cfg1.ip4_max_reass, - max_frag=reas_cfg1.ip4_max_frag, - drop_frag=reas_cfg1.ip4_drop_frag) def test_frag_out_of_order(self): """ NAT44 translate fragments arriving out of order """ @@ -4603,9 +4488,6 @@ class TestNAT44EndpointDependent(MethodHolder): self.server_out_addr, proto=IP_PROTOS.icmp) - self.vapi.nat_set_reass(timeout=10, max_reass=1024, max_frag=5, - drop_frag=0) - self.frag_in_order_in_plus_out(proto=IP_PROTOS.tcp) self.frag_in_order_in_plus_out(proto=IP_PROTOS.udp) self.frag_in_order_in_plus_out(proto=IP_PROTOS.icmp) @@ -4650,9 +4532,6 @@ class TestNAT44EndpointDependent(MethodHolder): self.server_out_addr, proto=IP_PROTOS.icmp) - self.vapi.nat_set_reass(timeout=10, max_reass=1024, max_frag=5, - drop_frag=0) - self.frag_out_of_order_in_plus_out(proto=IP_PROTOS.tcp) self.frag_out_of_order_in_plus_out(proto=IP_PROTOS.udp) self.frag_out_of_order_in_plus_out(proto=IP_PROTOS.icmp) @@ -4721,7 +4600,7 @@ class TestNAT44EndpointDependent(MethodHolder): err = self.statistics.get_err_counter( '/err/nat44-ed-in2out-slowpath/TCP packets') - self.assertEqual(err - tcpn, 1) + self.assertEqual(err - tcpn, 2) err = self.statistics.get_err_counter( '/err/nat44-ed-in2out-slowpath/UDP packets') self.assertEqual(err - udpn, 1) @@ -4730,7 +4609,7 @@ class TestNAT44EndpointDependent(MethodHolder): self.assertEqual(err - icmpn, 1) err = self.statistics.get_err_counter( '/err/nat44-ed-in2out-slowpath/good in2out packets processed') - self.assertEqual(err - totaln, 3) + self.assertEqual(err - totaln, 4) # out2in tcpn = self.statistics.get_err_counter( @@ -4751,7 +4630,7 @@ class TestNAT44EndpointDependent(MethodHolder): err = self.statistics.get_err_counter( '/err/nat44-ed-out2in/TCP packets') - self.assertEqual(err - tcpn, 1) + self.assertEqual(err - tcpn, 2) err = self.statistics.get_err_counter( '/err/nat44-ed-out2in/UDP packets') self.assertEqual(err - udpn, 1) @@ -4760,13 +4639,124 @@ class TestNAT44EndpointDependent(MethodHolder): self.assertEqual(err - icmpn, 1) err = self.statistics.get_err_counter( '/err/nat44-ed-out2in/good out2in packets processed') - self.assertEqual(err - totaln, 2) + self.assertEqual(err - totaln, 3) users = self.statistics.get_counter('/nat44/total-users') self.assertEqual(users[0][0], 1) sessions = self.statistics.get_counter('/nat44/total-sessions') self.assertEqual(sessions[0][0], 3) + def test_dynamic_output_feature_vrf(self): + """ NAT44 dynamic translation test: output-feature, VRF""" + + # other then default (0) + new_vrf_id = 22 + + self.nat44_add_address(self.nat_addr) + flags = self.config_flags.NAT_IS_INSIDE + self.vapi.nat44_interface_add_del_output_feature( + sw_if_index=self.pg7.sw_if_index, + flags=flags, is_add=1) + self.vapi.nat44_interface_add_del_output_feature( + sw_if_index=self.pg8.sw_if_index, + is_add=1) + + try: + self.vapi.ip_table_add_del(is_add=1, + table={'table_id': new_vrf_id}) + + self.pg7.unconfig_ip4() + self.pg7.set_table_ip4(new_vrf_id) + self.pg7.config_ip4() + self.pg7.resolve_arp() + + self.pg8.unconfig_ip4() + self.pg8.set_table_ip4(new_vrf_id) + self.pg8.config_ip4() + self.pg8.resolve_arp() + + nat_config = self.vapi.nat_show_config() + self.assertEqual(1, nat_config.endpoint_dependent) + + # in2out + tcpn = self.statistics.get_err_counter( + '/err/nat44-ed-in2out-slowpath/TCP packets') + udpn = self.statistics.get_err_counter( + '/err/nat44-ed-in2out-slowpath/UDP packets') + icmpn = self.statistics.get_err_counter( + '/err/nat44-ed-in2out-slowpath/ICMP packets') + totaln = self.statistics.get_err_counter( + '/err/nat44-ed-in2out-slowpath/good in2out packets processed') + + pkts = self.create_stream_in(self.pg7, self.pg8) + self.pg7.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg8.get_capture(len(pkts)) + self.verify_capture_out(capture) + + err = self.statistics.get_err_counter( + '/err/nat44-ed-in2out-slowpath/TCP packets') + self.assertEqual(err - tcpn, 2) + err = self.statistics.get_err_counter( + '/err/nat44-ed-in2out-slowpath/UDP packets') + self.assertEqual(err - udpn, 1) + err = self.statistics.get_err_counter( + '/err/nat44-ed-in2out-slowpath/ICMP packets') + self.assertEqual(err - icmpn, 1) + err = self.statistics.get_err_counter( + '/err/nat44-ed-in2out-slowpath/good in2out packets processed') + self.assertEqual(err - totaln, 4) + + # out2in + tcpn = self.statistics.get_err_counter( + '/err/nat44-ed-out2in/TCP packets') + udpn = self.statistics.get_err_counter( + '/err/nat44-ed-out2in/UDP packets') + icmpn = self.statistics.get_err_counter( + '/err/nat44-ed-out2in-slowpath/ICMP packets') + totaln = self.statistics.get_err_counter( + '/err/nat44-ed-out2in/good out2in packets processed') + + pkts = self.create_stream_out(self.pg8) + self.pg8.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg7.get_capture(len(pkts)) + self.verify_capture_in(capture, self.pg7) + + err = self.statistics.get_err_counter( + '/err/nat44-ed-out2in/TCP packets') + self.assertEqual(err - tcpn, 2) + err = self.statistics.get_err_counter( + '/err/nat44-ed-out2in/UDP packets') + self.assertEqual(err - udpn, 1) + err = self.statistics.get_err_counter( + '/err/nat44-ed-out2in-slowpath/ICMP packets') + self.assertEqual(err - icmpn, 1) + err = self.statistics.get_err_counter( + '/err/nat44-ed-out2in/good out2in packets processed') + self.assertEqual(err - totaln, 3) + + users = self.statistics.get_counter('/nat44/total-users') + self.assertEqual(users[0][0], 1) + sessions = self.statistics.get_counter('/nat44/total-sessions') + self.assertEqual(sessions[0][0], 3) + + finally: + self.pg7.unconfig_ip4() + self.pg7.set_table_ip4(1) + self.pg7.config_ip4() + self.pg7.resolve_arp() + + self.pg8.unconfig_ip4() + self.pg8.set_table_ip4(1) + self.pg8.config_ip4() + self.pg8.resolve_arp() + + self.vapi.ip_table_add_del(is_add=0, + table={'table_id': new_vrf_id}) + def test_forwarding(self): """ NAT44 forwarding test """ @@ -4830,7 +4820,7 @@ class TestNAT44EndpointDependent(MethodHolder): self.pg0.remote_hosts[0] = host0 user = self.pg0.remote_hosts[1] - sessions = self.vapi.nat44_user_session_dump(user.ip4n, 0) + sessions = self.vapi.nat44_user_session_dump(user.ip4, 0) self.assertEqual(len(sessions), 3) self.assertTrue(sessions[0].flags & self.config_flags.NAT_IS_EXT_HOST_VALID) @@ -4842,7 +4832,7 @@ class TestNAT44EndpointDependent(MethodHolder): self.config_flags.NAT_IS_EXT_HOST_VALID), ext_host_address=sessions[0].ext_host_address, ext_host_port=sessions[0].ext_host_port) - sessions = self.vapi.nat44_user_session_dump(user.ip4n, 0) + sessions = self.vapi.nat44_user_session_dump(user.ip4, 0) self.assertEqual(len(sessions), 2) finally: @@ -4863,11 +4853,11 @@ class TestNAT44EndpointDependent(MethodHolder): server1 = self.pg0.remote_hosts[0] server2 = self.pg0.remote_hosts[1] - locals = [{'addr': server1.ip4n, + locals = [{'addr': server1.ip4, 'port': local_port, 'probability': 70, 'vrf_id': 0}, - {'addr': server2.ip4n, + {'addr': server2.ip4, 'port': local_port, 'probability': 30, 'vrf_id': 0}] @@ -4931,7 +4921,7 @@ class TestNAT44EndpointDependent(MethodHolder): self.logger.error(ppp("Unexpected or invalid packet:", p)) raise - sessions = self.vapi.nat44_user_session_dump(server.ip4n, 0) + sessions = self.vapi.nat44_user_session_dump(server.ip4, 0) self.assertEqual(len(sessions), 1) self.assertTrue(sessions[0].flags & self.config_flags.NAT_IS_EXT_HOST_VALID) @@ -4943,7 +4933,7 @@ class TestNAT44EndpointDependent(MethodHolder): self.config_flags.NAT_IS_EXT_HOST_VALID), ext_host_address=sessions[0].ext_host_address, ext_host_port=sessions[0].ext_host_port) - sessions = self.vapi.nat44_user_session_dump(server.ip4n, 0) + sessions = self.vapi.nat44_user_session_dump(server.ip4, 0) self.assertEqual(len(sessions), 0) @unittest.skipUnless(running_extended_tests, "part of extended tests") @@ -4957,11 +4947,11 @@ class TestNAT44EndpointDependent(MethodHolder): server2 = self.pg0.remote_hosts[1] server3 = self.pg0.remote_hosts[2] - locals = [{'addr': server1.ip4n, + locals = [{'addr': server1.ip4, 'port': local_port, 'probability': 90, 'vrf_id': 0}, - {'addr': server2.ip4n, + {'addr': server2.ip4, 'port': local_port, 'probability': 10, 'vrf_id': 0}] @@ -5002,7 +4992,7 @@ class TestNAT44EndpointDependent(MethodHolder): self.assertGreater(server1_n, server2_n) local = { - 'addr': server3.ip4n, + 'addr': server3.ip4, 'port': local_port, 'probability': 20, 'vrf_id': 0 @@ -5042,7 +5032,7 @@ class TestNAT44EndpointDependent(MethodHolder): self.assertGreater(server3_n, 0) local = { - 'addr': server2.ip4n, + 'addr': server2.ip4, 'port': local_port, 'probability': 10, 'vrf_id': 0 @@ -5081,11 +5071,11 @@ class TestNAT44EndpointDependent(MethodHolder): server1 = self.pg0.remote_hosts[0] server2 = self.pg0.remote_hosts[1] - locals = [{'addr': server1.ip4n, + locals = [{'addr': server1.ip4, 'port': local_port, 'probability': 70, 'vrf_id': 0}, - {'addr': server2.ip4n, + {'addr': server2.ip4, 'port': local_port, 'probability': 30, 'vrf_id': 0}] @@ -5196,11 +5186,11 @@ class TestNAT44EndpointDependent(MethodHolder): server1 = self.pg0.remote_hosts[0] server2 = self.pg0.remote_hosts[1] - locals = [{'addr': server1.ip4n, + locals = [{'addr': server1.ip4, 'port': local_port, 'probability': 50, 'vrf_id': 0}, - {'addr': server2.ip4n, + {'addr': server2.ip4, 'port': local_port, 'probability': 50, 'vrf_id': 0}] @@ -5393,7 +5383,7 @@ class TestNAT44EndpointDependent(MethodHolder): self.nat44_add_address(self.nat_addr) flags = self.config_flags.NAT_IS_ADDR_ONLY self.vapi.nat44_add_del_identity_mapping( - ip_address=self.pg1.remote_ip4n, sw_if_index=0xFFFFFFFF, + ip_address=self.pg1.remote_ip4, sw_if_index=0xFFFFFFFF, flags=flags, is_add=1) flags = self.config_flags.NAT_IS_OUT2IN_ONLY self.nat44_add_static_mapping(self.pg0.remote_ip4, external_addr, @@ -5684,11 +5674,11 @@ class TestNAT44EndpointDependent(MethodHolder): proto=IP_PROTOS.tcp, flags=flags) else: - locals = [{'addr': server1.ip4n, + locals = [{'addr': server1.ip4, 'port': port_in1, 'probability': 50, 'vrf_id': 0}, - {'addr': server2.ip4n, + {'addr': server2.ip4, 'port': port_in2, 'probability': 50, 'vrf_id': 0}] @@ -5777,7 +5767,7 @@ class TestNAT44EndpointDependent(MethodHolder): raise if eh_translate: - sessions = self.vapi.nat44_user_session_dump(server.ip4n, 0) + sessions = self.vapi.nat44_user_session_dump(server.ip4, 0) self.assertEqual(len(sessions), 1) self.assertTrue(sessions[0].flags & self.config_flags.NAT_IS_EXT_HOST_VALID) @@ -5792,7 +5782,7 @@ class TestNAT44EndpointDependent(MethodHolder): self.config_flags.NAT_IS_EXT_HOST_VALID), ext_host_address=sessions[0].ext_host_nat_address, ext_host_port=sessions[0].ext_host_nat_port) - sessions = self.vapi.nat44_user_session_dump(server.ip4n, 0) + sessions = self.vapi.nat44_user_session_dump(server.ip4, 0) self.assertEqual(len(sessions), 0) def test_twice_nat(self): @@ -5871,7 +5861,7 @@ class TestNAT44EndpointDependent(MethodHolder): 80, proto=IP_PROTOS.tcp, flags=flags) - sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4n, 0) + sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) start_sessnum = len(sessions) # SYN packet out->in @@ -5930,7 +5920,7 @@ class TestNAT44EndpointDependent(MethodHolder): self.pg_start() self.pg1.get_capture(1) - sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4n, + sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) self.assertEqual(len(sessions) - start_sessnum, 0) @@ -5953,9 +5943,12 @@ class TestNAT44EndpointDependent(MethodHolder): sw_if_index=self.pg1.sw_if_index, is_add=1) - sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4n, 0) + sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) start_sessnum = len(sessions) + self.vapi.nat_set_timeouts(udp=300, tcp_established=7440, + tcp_transitory=2, icmp=5) + self.initiate_tcp_session(self.pg0, self.pg1) # FIN packet in -> out @@ -5999,8 +5992,55 @@ class TestNAT44EndpointDependent(MethodHolder): self.pg_start() self.pg1.get_capture(1) - sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4n, - 0) + sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) + self.assertEqual(len(sessions) - start_sessnum, 1) + + stats = self.statistics.get_counter( + '/err/nat44-ed-out2in/drops due to TCP in transitory timeout') + out2in_drops = stats[0] + stats = self.statistics.get_counter( + '/err/nat44-ed-in2out/drops due to TCP in transitory timeout') + in2out_drops = stats[0] + + # extra FIN packet out -> in - this should be dropped + p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / + IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / + TCP(sport=self.tcp_external_port, dport=self.tcp_port_out, + flags="FA", seq=300, ack=101)) + + self.pg1.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + self.pg0.assert_nothing_captured() + + # extra ACK packet in -> out - this should be dropped + p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / + IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / + TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, + flags="A", seq=101, ack=301)) + self.pg0.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + self.pg1.assert_nothing_captured() + + stats = self.statistics.get_counter( + '/err/nat44-ed-out2in/drops due to TCP in transitory timeout') + self.assertEqual(stats[0] - out2in_drops, 1) + stats = self.statistics.get_counter( + '/err/nat44-ed-in2out/drops due to TCP in transitory timeout') + self.assertEqual(stats[0] - in2out_drops, 1) + + self.sleep(3) + # extra ACK packet in -> out - this will cause session to be wiped + p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / + IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / + TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, + flags="A", seq=101, ack=301)) + self.pg0.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + self.pg1.assert_nothing_captured() + sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) self.assertEqual(len(sessions) - start_sessnum, 0) def test_tcp_session_close_out(self): @@ -6022,9 +6062,12 @@ class TestNAT44EndpointDependent(MethodHolder): sw_if_index=self.pg1.sw_if_index, is_add=1) - sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4n, 0) + sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) start_sessnum = len(sessions) + self.vapi.nat_set_timeouts(udp=300, tcp_established=7440, + tcp_transitory=2, icmp=5) + self.initiate_tcp_session(self.pg0, self.pg1) # FIN packet out -> in @@ -6058,32 +6101,82 @@ class TestNAT44EndpointDependent(MethodHolder): self.pg_start() self.pg0.get_capture(1) - sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4n, - 0) - self.assertEqual(len(sessions) - start_sessnum, 0) + sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) + self.assertEqual(len(sessions) - start_sessnum, 1) - def test_tcp_session_close_simultaneous(self): - """ Close TCP session from inside network """ - self.tcp_port_out = 10505 - self.nat44_add_address(self.nat_addr) - flags = self.config_flags.NAT_IS_TWICE_NAT - self.nat44_add_static_mapping(self.pg0.remote_ip4, - self.nat_addr, - self.tcp_port_in, - self.tcp_port_out, - proto=IP_PROTOS.tcp, - flags=flags) - flags = self.config_flags.NAT_IS_INSIDE - self.vapi.nat44_interface_add_del_feature( - sw_if_index=self.pg0.sw_if_index, - flags=flags, is_add=1) - self.vapi.nat44_interface_add_del_feature( - sw_if_index=self.pg1.sw_if_index, - is_add=1) + stats = self.statistics.get_counter( + '/err/nat44-ed-out2in/drops due to TCP in transitory timeout') + out2in_drops = stats[0] + stats = self.statistics.get_counter( + '/err/nat44-ed-in2out/drops due to TCP in transitory timeout') + in2out_drops = stats[0] - sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4n, 0) + # extra FIN packet out -> in - this should be dropped + p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / + IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / + TCP(sport=self.tcp_external_port, dport=self.tcp_port_out, + flags="FA", seq=300, ack=101)) + + self.pg1.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + self.pg0.assert_nothing_captured() + + # extra ACK packet in -> out - this should be dropped + p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / + IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / + TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, + flags="A", seq=101, ack=301)) + self.pg0.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + self.pg1.assert_nothing_captured() + + stats = self.statistics.get_counter( + '/err/nat44-ed-out2in/drops due to TCP in transitory timeout') + self.assertEqual(stats[0] - out2in_drops, 1) + stats = self.statistics.get_counter( + '/err/nat44-ed-in2out/drops due to TCP in transitory timeout') + self.assertEqual(stats[0] - in2out_drops, 1) + + self.sleep(3) + # extra ACK packet in -> out - this will cause session to be wiped + p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / + IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / + TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, + flags="A", seq=101, ack=301)) + self.pg0.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + self.pg1.assert_nothing_captured() + sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) + self.assertEqual(len(sessions) - start_sessnum, 0) + + def test_tcp_session_close_simultaneous(self): + """ Close TCP session from inside network """ + self.tcp_port_out = 10505 + self.nat44_add_address(self.nat_addr) + flags = self.config_flags.NAT_IS_TWICE_NAT + self.nat44_add_static_mapping(self.pg0.remote_ip4, + self.nat_addr, + self.tcp_port_in, + self.tcp_port_out, + proto=IP_PROTOS.tcp, + flags=flags) + flags = self.config_flags.NAT_IS_INSIDE + self.vapi.nat44_interface_add_del_feature( + sw_if_index=self.pg0.sw_if_index, + flags=flags, is_add=1) + self.vapi.nat44_interface_add_del_feature( + sw_if_index=self.pg1.sw_if_index, + is_add=1) + + sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) start_sessnum = len(sessions) + self.vapi.nat_set_timeouts(udp=300, tcp_established=7440, + tcp_transitory=2, icmp=5) + self.initiate_tcp_session(self.pg0, self.pg1) # FIN packet in -> out @@ -6126,8 +6219,55 @@ class TestNAT44EndpointDependent(MethodHolder): self.pg_start() self.pg0.get_capture(1) - sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4n, - 0) + sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) + self.assertEqual(len(sessions) - start_sessnum, 1) + + stats = self.statistics.get_counter( + '/err/nat44-ed-out2in/drops due to TCP in transitory timeout') + out2in_drops = stats[0] + stats = self.statistics.get_counter( + '/err/nat44-ed-in2out/drops due to TCP in transitory timeout') + in2out_drops = stats[0] + + # extra FIN packet out -> in - this should be dropped + p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / + IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / + TCP(sport=self.tcp_external_port, dport=self.tcp_port_out, + flags="FA", seq=300, ack=101)) + + self.pg1.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + self.pg0.assert_nothing_captured() + + # extra ACK packet in -> out - this should be dropped + p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / + IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / + TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, + flags="A", seq=101, ack=301)) + self.pg0.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + self.pg1.assert_nothing_captured() + + stats = self.statistics.get_counter( + '/err/nat44-ed-out2in/drops due to TCP in transitory timeout') + self.assertEqual(stats[0] - out2in_drops, 1) + stats = self.statistics.get_counter( + '/err/nat44-ed-in2out/drops due to TCP in transitory timeout') + self.assertEqual(stats[0] - in2out_drops, 1) + + self.sleep(3) + # extra ACK packet in -> out - this will cause session to be wiped + p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / + IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / + TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, + flags="A", seq=101, ack=301)) + self.pg0.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + self.pg1.assert_nothing_captured() + sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0) self.assertEqual(len(sessions) - start_sessnum, 0) def test_one_armed_nat44_static(self): @@ -6354,6 +6494,108 @@ class TestNAT44EndpointDependent(MethodHolder): capture = self.pg0.get_capture(len(pkts)) self.verify_capture_in(capture, self.pg0) + def test_output_feature_stateful_acl(self): + """ NAT44 endpoint-dependent output feature works with stateful ACL """ + self.nat44_add_address(self.nat_addr) + self.vapi.nat44_interface_add_del_output_feature( + sw_if_index=self.pg0.sw_if_index, + flags=self.config_flags.NAT_IS_INSIDE, + is_add=1) + self.vapi.nat44_interface_add_del_output_feature( + sw_if_index=self.pg1.sw_if_index, + flags=self.config_flags.NAT_IS_OUTSIDE, + is_add=1) + + # First ensure that the NAT is working sans ACL + + # send packets out2in, no sessions yet so packets should drop + pkts_out2in = self.create_stream_out(self.pg1) + self.send_and_assert_no_replies(self.pg1, pkts_out2in) + + # send packets into inside intf, ensure received via outside intf + pkts_in2out = self.create_stream_in(self.pg0, self.pg1) + capture = self.send_and_expect(self.pg0, pkts_in2out, self.pg1, + len(pkts_in2out)) + self.verify_capture_out(capture) + + # send out2in again, with sessions created it should work now + pkts_out2in = self.create_stream_out(self.pg1) + capture = self.send_and_expect(self.pg1, pkts_out2in, self.pg0, + len(pkts_out2in)) + self.verify_capture_in(capture, self.pg0) + + # Create an ACL blocking everything + out2in_deny_rule = { + 'is_permit': 0, + 'is_ipv6': 0, + 'src_ip_addr': inet_pton(AF_INET, "0.0.0.0"), + 'src_ip_prefix_len': 0, + 'dst_ip_addr': inet_pton(AF_INET, "0.0.0.0"), + 'dst_ip_prefix_len': 0, + 'srcport_or_icmptype_first': 0, + 'srcport_or_icmptype_last': 65535, + 'dstport_or_icmpcode_first': 0, + 'dstport_or_icmpcode_last': 65535, + 'proto': 0, + } + out2in_rules = [out2in_deny_rule] + res = self.vapi.acl_add_replace(0xffffffff, out2in_rules) + self.assertEqual(res.retval, 0, "error adding out2in ACL") + out2in_acl = res.acl_index + + # apply as input acl on interface and confirm it blocks everything + self.vapi.acl_interface_set_acl_list(sw_if_index=self.pg1.sw_if_index, + n_input=1, + acls=[out2in_acl]) + self.send_and_assert_no_replies(self.pg1, pkts_out2in) + + # create an ACL to permit/reflect everything + in2out_reflect_rule = { + 'is_permit': 2, + 'is_ipv6': 0, + 'src_ip_addr': inet_pton(AF_INET, "0.0.0.0"), + 'src_ip_prefix_len': 0, + 'dst_ip_addr': inet_pton(AF_INET, "0.0.0.0"), + 'dst_ip_prefix_len': 0, + 'srcport_or_icmptype_first': 0, + 'srcport_or_icmptype_last': 65535, + 'dstport_or_icmpcode_first': 0, + 'dstport_or_icmpcode_last': 65535, + 'proto': 0, + } + in2out_rules = [in2out_reflect_rule] + res = self.vapi.acl_add_replace(0xffffffff, in2out_rules) + self.assertEqual(res.retval, 0, "error adding in2out ACL") + in2out_acl = res.acl_index + + # apply output acl + self.vapi.acl_interface_set_acl_list(sw_if_index=self.pg1.sw_if_index, + n_input=1, + acls=[out2in_acl, in2out_acl]) + # send in2out to generate ACL state (NAT state was created earlier) + capture = self.send_and_expect(self.pg0, pkts_in2out, self.pg1, + len(pkts_in2out)) + self.verify_capture_out(capture) + + # send out2in again. ACL state exists so it should work now. + # TCP packets with the syn flag set also need the ack flag + for p in pkts_out2in: + if p.haslayer(TCP) and p[TCP].flags & 0x02: + p[TCP].flags |= 0x10 + capture = self.send_and_expect(self.pg1, pkts_out2in, self.pg0, + len(pkts_out2in)) + self.verify_capture_in(capture, self.pg0) + self.logger.info(self.vapi.cli("show trace")) + + # Clean up + # Remove ACLs from interface + self.vapi.acl_interface_set_acl_list(sw_if_index=self.pg1.sw_if_index, + n_input=0, + acls=[]) + # delete ACLs + self.vapi.acl_del(acl_index=out2in_acl, expected_retval=0) + self.vapi.acl_del(acl_index=in2out_acl, expected_retval=0) + def test_multiple_vrf(self): """ Multiple VRF setup """ external_addr = '1.2.3.4' @@ -6751,84 +6993,11 @@ class TestNAT44EndpointDependent(MethodHolder): self.pg0.remote_ip4) self.assertEqual(users[0].nsessions, 1) - @unittest.skipUnless(running_extended_tests, "part of extended tests") - def test_session_limit_per_user(self): - """ Maximum sessions per user limit """ - self.nat44_add_address(self.nat_addr) - flags = self.config_flags.NAT_IS_INSIDE - self.vapi.nat44_interface_add_del_feature( - sw_if_index=self.pg0.sw_if_index, - flags=flags, is_add=1) - self.vapi.nat44_interface_add_del_feature( - sw_if_index=self.pg1.sw_if_index, - is_add=1) - self.vapi.set_ipfix_exporter(collector_address=self.pg2.remote_ip4n, - src_address=self.pg2.local_ip4n, - path_mtu=512, - template_interval=10) - self.vapi.nat_set_timeouts(udp=5, tcp_established=7440, - tcp_transitory=240, icmp=60) - - # get maximum number of translations per user - nat44_config = self.vapi.nat_show_config() - - pkts = [] - for port in range(0, nat44_config.max_translations_per_user): - p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / - IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / - UDP(sport=1025 + port, dport=1025 + port)) - pkts.append(p) - - self.pg0.add_stream(pkts) - self.pg_enable_capture(self.pg_interfaces) - self.pg_start() - capture = self.pg1.get_capture(len(pkts)) - - self.vapi.nat_ipfix_enable_disable(domain_id=self.ipfix_domain_id, - src_port=self.ipfix_src_port, - enable=1) - - p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / - IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / - UDP(sport=3001, dport=3002)) - self.pg0.add_stream(p) - self.pg_enable_capture(self.pg_interfaces) - self.pg_start() - capture = self.pg1.assert_nothing_captured() - - # verify IPFIX logging - self.vapi.ipfix_flush() - sleep(1) - capture = self.pg2.get_capture(10) - ipfix = IPFIXDecoder() - # first load template - for p in capture: - self.assertTrue(p.haslayer(IPFIX)) - if p.haslayer(Template): - ipfix.add_template(p.getlayer(Template)) - # verify events in data set - for p in capture: - if p.haslayer(Data): - data = ipfix.decode_data_set(p.getlayer(Set)) - self.verify_ipfix_max_entries_per_user( - data, - nat44_config.max_translations_per_user, - self.pg0.remote_ip4n) - - sleep(6) - p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / - IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / - UDP(sport=3001, dport=3002)) - self.pg0.add_stream(p) - self.pg_enable_capture(self.pg_interfaces) - self.pg_start() - self.pg1.get_capture(1) - def test_syslog_sess(self): """ Test syslog session creation and deletion """ self.vapi.syslog_set_filter( self.SYSLOG_SEVERITY.SYSLOG_API_SEVERITY_INFO) - self.vapi.syslog_set_sender(self.pg2.local_ip4n, self.pg2.remote_ip4n) + self.vapi.syslog_set_sender(self.pg2.local_ip4, self.pg2.remote_ip4) self.nat44_add_address(self.nat_addr) flags = self.config_flags.NAT_IS_INSIDE self.vapi.nat44_interface_add_del_feature( @@ -6884,35 +7053,30 @@ class TestNAT44Out2InDPO(MethodHolder): super(TestNAT44Out2InDPO, cls).setUpClass() cls.vapi.cli("set log class nat level debug") - try: - cls.tcp_port_in = 6303 - cls.tcp_port_out = 6303 - cls.udp_port_in = 6304 - cls.udp_port_out = 6304 - cls.icmp_id_in = 6305 - cls.icmp_id_out = 6305 - cls.nat_addr = '10.0.0.3' - cls.dst_ip4 = '192.168.70.1' - - cls.create_pg_interfaces(range(2)) - - cls.pg0.admin_up() - cls.pg0.config_ip4() - cls.pg0.resolve_arp() - - cls.pg1.admin_up() - cls.pg1.config_ip6() - cls.pg1.resolve_ndp() - - r1 = VppIpRoute(cls, "::", 0, - [VppRoutePath(cls.pg1.remote_ip6, - cls.pg1.sw_if_index)], - register=False) - r1.add_vpp_config() - - except Exception: - super(TestNAT44Out2InDPO, cls).tearDownClass() - raise + cls.tcp_port_in = 6303 + cls.tcp_port_out = 6303 + cls.udp_port_in = 6304 + cls.udp_port_out = 6304 + cls.icmp_id_in = 6305 + cls.icmp_id_out = 6305 + cls.nat_addr = '10.0.0.3' + cls.dst_ip4 = '192.168.70.1' + + cls.create_pg_interfaces(range(2)) + + cls.pg0.admin_up() + cls.pg0.config_ip4() + cls.pg0.resolve_arp() + + cls.pg1.admin_up() + cls.pg1.config_ip6() + cls.pg1.resolve_ndp() + + r1 = VppIpRoute(cls, "::", 0, + [VppRoutePath(cls.pg1.remote_ip6, + cls.pg1.sw_if_index)], + register=False) + r1.add_vpp_config() @classmethod def tearDownClass(cls): @@ -7018,28 +7182,23 @@ class TestDeterministicNAT(MethodHolder): super(TestDeterministicNAT, cls).setUpClass() cls.vapi.cli("set log class nat level debug") - try: - cls.tcp_port_in = 6303 - cls.tcp_external_port = 6303 - cls.udp_port_in = 6304 - cls.udp_external_port = 6304 - cls.icmp_id_in = 6305 - cls.nat_addr = '10.0.0.3' - - cls.create_pg_interfaces(range(3)) - cls.interfaces = list(cls.pg_interfaces) - - for i in cls.interfaces: - i.admin_up() - i.config_ip4() - i.resolve_arp() - - cls.pg0.generate_remote_hosts(2) - cls.pg0.configure_ipv4_neighbors() - - except Exception: - super(TestDeterministicNAT, cls).tearDownClass() - raise + cls.tcp_port_in = 6303 + cls.tcp_external_port = 6303 + cls.udp_port_in = 6304 + cls.udp_external_port = 6304 + cls.icmp_id_in = 6305 + cls.nat_addr = '10.0.0.3' + + cls.create_pg_interfaces(range(3)) + cls.interfaces = list(cls.pg_interfaces) + + for i in cls.interfaces: + i.admin_up() + i.config_ip4() + i.resolve_arp() + + cls.pg0.generate_remote_hosts(2) + cls.pg0.configure_ipv4_neighbors() @classmethod def tearDownClass(cls): @@ -7186,7 +7345,7 @@ class TestDeterministicNAT(MethodHolder): nat_ip = "10.0.0.10" - self.vapi.nat_det_add_del_map(is_add=1, in_addr=self.pg0.remote_ip4n, + self.vapi.nat_det_add_del_map(is_add=1, in_addr=self.pg0.remote_ip4, in_plen=32, out_addr=socket.inet_aton(nat_ip), out_plen=32) @@ -7216,7 +7375,7 @@ class TestDeterministicNAT(MethodHolder): self.verify_capture_in(capture, self.pg0) # session dump test - sessions = self.vapi.nat_det_session_dump(self.pg0.remote_ip4n) + sessions = self.vapi.nat_det_session_dump(self.pg0.remote_ip4) self.assertEqual(len(sessions), 3) # TCP session @@ -7249,7 +7408,7 @@ class TestDeterministicNAT(MethodHolder): host0 = self.pg0.remote_hosts[0] host1 = self.pg0.remote_hosts[1] - self.vapi.nat_det_add_del_map(is_add=1, in_addr=host0.ip4n, in_plen=24, + self.vapi.nat_det_add_del_map(is_add=1, in_addr=host0.ip4, in_plen=24, out_addr=socket.inet_aton(nat_ip), out_plen=32) flags = self.config_flags.NAT_IS_INSIDE @@ -7347,21 +7506,21 @@ class TestDeterministicNAT(MethodHolder): # session close api test self.vapi.nat_det_close_session_out(socket.inet_aton(nat_ip), port_out1, - self.pg1.remote_ip4n, + self.pg1.remote_ip4, external_port) dms = self.vapi.nat_det_map_dump() self.assertEqual(dms[0].ses_num, 1) - self.vapi.nat_det_close_session_in(host0.ip4n, + self.vapi.nat_det_close_session_in(host0.ip4, port_in, - self.pg1.remote_ip4n, + self.pg1.remote_ip4, external_port) dms = self.vapi.nat_det_map_dump() self.assertEqual(dms[0].ses_num, 0) def test_tcp_session_close_detection_in(self): """ Deterministic NAT TCP session close from inside network """ - self.vapi.nat_det_add_del_map(is_add=1, in_addr=self.pg0.remote_ip4n, + self.vapi.nat_det_add_del_map(is_add=1, in_addr=self.pg0.remote_ip4, in_plen=32, out_addr=socket.inet_aton(self.nat_addr), out_plen=32) @@ -7427,7 +7586,7 @@ class TestDeterministicNAT(MethodHolder): def test_tcp_session_close_detection_out(self): """ Deterministic NAT TCP session close from outside network """ - self.vapi.nat_det_add_del_map(is_add=1, in_addr=self.pg0.remote_ip4n, + self.vapi.nat_det_add_del_map(is_add=1, in_addr=self.pg0.remote_ip4, in_plen=32, out_addr=socket.inet_aton(self.nat_addr), out_plen=32) @@ -7494,7 +7653,7 @@ class TestDeterministicNAT(MethodHolder): @unittest.skipUnless(running_extended_tests, "part of extended tests") def test_session_timeout(self): """ Deterministic NAT session timeouts """ - self.vapi.nat_det_add_del_map(is_add=1, in_addr=self.pg0.remote_ip4n, + self.vapi.nat_det_add_del_map(is_add=1, in_addr=self.pg0.remote_ip4, in_plen=32, out_addr=socket.inet_aton(self.nat_addr), out_plen=32) @@ -7522,7 +7681,7 @@ class TestDeterministicNAT(MethodHolder): @unittest.skipUnless(running_extended_tests, "part of extended tests") def test_session_limit_per_user(self): """ Deterministic NAT maximum sessions per user limit """ - self.vapi.nat_det_add_del_map(is_add=1, in_addr=self.pg0.remote_ip4n, + self.vapi.nat_det_add_del_map(is_add=1, in_addr=self.pg0.remote_ip4, in_plen=32, out_addr=socket.inet_aton(self.nat_addr), out_plen=32) @@ -7533,8 +7692,8 @@ class TestDeterministicNAT(MethodHolder): self.vapi.nat44_interface_add_del_feature( sw_if_index=self.pg1.sw_if_index, is_add=1) - self.vapi.set_ipfix_exporter(collector_address=self.pg2.remote_ip4n, - src_address=self.pg2.local_ip4n, + self.vapi.set_ipfix_exporter(collector_address=self.pg2.remote_ip4, + src_address=self.pg2.local_ip4, path_mtu=512, template_interval=10) self.vapi.nat_ipfix_enable_disable(domain_id=1, src_port=4739, @@ -7592,7 +7751,7 @@ class TestDeterministicNAT(MethodHolder): data = ipfix.decode_data_set(p.getlayer(Set)) self.verify_ipfix_max_entries_per_user(data, 1000, - self.pg0.remote_ip4n) + self.pg0.remote_ip4) def clear_nat_det(self): """ @@ -7642,55 +7801,51 @@ class TestNAT64(MethodHolder): def setUpClass(cls): super(TestNAT64, cls).setUpClass() - try: - cls.tcp_port_in = 6303 - cls.tcp_port_out = 6303 - cls.udp_port_in = 6304 - cls.udp_port_out = 6304 - cls.icmp_id_in = 6305 - cls.icmp_id_out = 6305 - cls.tcp_external_port = 80 - cls.nat_addr = '10.0.0.3' - cls.nat_addr_n = socket.inet_pton(socket.AF_INET, cls.nat_addr) - cls.vrf1_id = 10 - cls.vrf1_nat_addr = '10.0.10.3' - cls.ipfix_src_port = 4739 - cls.ipfix_domain_id = 1 - - cls.create_pg_interfaces(range(6)) - cls.ip6_interfaces = list(cls.pg_interfaces[0:1]) - cls.ip6_interfaces.append(cls.pg_interfaces[2]) - cls.ip4_interfaces = list(cls.pg_interfaces[1:2]) - - cls.vapi.ip_table_add_del(is_ipv6=1, is_add=1, - table_id=cls.vrf1_id) - - cls.pg_interfaces[2].set_table_ip6(cls.vrf1_id) - - cls.pg0.generate_remote_hosts(2) - - for i in cls.ip6_interfaces: - i.admin_up() - i.config_ip6() - i.configure_ipv6_neighbors() - - for i in cls.ip4_interfaces: - i.admin_up() - i.config_ip4() - i.resolve_arp() - - cls.pg3.admin_up() - cls.pg3.config_ip4() - cls.pg3.resolve_arp() - cls.pg3.config_ip6() - cls.pg3.configure_ipv6_neighbors() - - cls.pg5.admin_up() - cls.pg5.config_ip6() - - except Exception: - super(TestNAT64, cls).tearDownClass() - raise + cls.tcp_port_in = 6303 + cls.tcp_port_out = 6303 + cls.udp_port_in = 6304 + cls.udp_port_out = 6304 + cls.icmp_id_in = 6305 + cls.icmp_id_out = 6305 + cls.tcp_external_port = 80 + cls.nat_addr = '10.0.0.3' + cls.nat_addr_n = socket.inet_pton(socket.AF_INET, cls.nat_addr) + cls.vrf1_id = 10 + cls.vrf1_nat_addr = '10.0.10.3' + cls.ipfix_src_port = 4739 + cls.ipfix_domain_id = 1 + + cls.create_pg_interfaces(range(6)) + cls.ip6_interfaces = list(cls.pg_interfaces[0:1]) + cls.ip6_interfaces.append(cls.pg_interfaces[2]) + cls.ip4_interfaces = list(cls.pg_interfaces[1:2]) + + cls.vapi.ip_table_add_del(is_add=1, + table={'table_id': cls.vrf1_id, + 'is_ip6': 1}) + + cls.pg_interfaces[2].set_table_ip6(cls.vrf1_id) + + cls.pg0.generate_remote_hosts(2) + + for i in cls.ip6_interfaces: + i.admin_up() + i.config_ip6() + i.configure_ipv6_neighbors() + + for i in cls.ip4_interfaces: + i.admin_up() + i.config_ip4() + i.resolve_arp() + + cls.pg3.admin_up() + cls.pg3.config_ip4() + cls.pg3.resolve_arp() + cls.pg3.config_ip6() + cls.pg3.configure_ipv6_neighbors() + + cls.pg5.admin_up() + cls.pg5.config_ip6() @classmethod def tearDownClass(cls): @@ -7919,14 +8074,14 @@ class TestNAT64(MethodHolder): self.verify_capture_in_ip6(capture, ip[IPv6].src, self.pg0.remote_ip6) err = self.statistics.get_err_counter('/err/nat64-out2in/TCP packets') - self.assertEqual(err - tcpn, 1) + self.assertEqual(err - tcpn, 2) err = self.statistics.get_err_counter('/err/nat64-out2in/UDP packets') self.assertEqual(err - udpn, 1) err = self.statistics.get_err_counter('/err/nat64-out2in/ICMP packets') self.assertEqual(err - icmpn, 1) err = self.statistics.get_err_counter( '/err/nat64-out2in/good out2in packets processed') - self.assertEqual(err - totaln, 3) + self.assertEqual(err - totaln, 4) bibs = self.statistics.get_counter('/nat64/total-bibs') self.assertEqual(bibs[0][0], 3) @@ -8322,8 +8477,7 @@ class TestNAT64(MethodHolder): prefix = self.vapi.nat64_prefix_dump() self.assertEqual(len(prefix), 1) - self.assertEqual(prefix[0].prefix, - IPv6Network(unicode(global_pref64_str))) + self.assertEqual(str(prefix[0].prefix), global_pref64_str) self.assertEqual(prefix[0].vrf_id, 0) # Add tenant specific prefix @@ -8605,9 +8759,6 @@ class TestNAT64(MethodHolder): self.vapi.nat64_add_del_interface(is_add=1, flags=0, sw_if_index=self.pg1.sw_if_index) - reass = self.vapi.nat_reass_dump() - reass_n_start = len(reass) - # in2out data = b'a' * 200 pkts = self.create_stream_frag_ip6(self.pg0, self.pg1.remote_ip4, @@ -8635,20 +8786,16 @@ class TestNAT64(MethodHolder): self.pg_enable_capture(self.pg_interfaces) self.pg_start() frags = self.pg0.get_capture(len(pkts)) + self.logger.debug(ppc("Captured:", frags)) src = self.compose_ip6(self.pg1.remote_ip4, '64:ff9b::', 96) p = self.reass_frags_and_verify_ip6(frags, src, self.pg0.remote_ip6) self.assertEqual(p[TCP].sport, 20) self.assertEqual(p[TCP].dport, self.tcp_port_in) self.assertEqual(data, p[Raw].load) - reass = self.vapi.nat_reass_dump() - reass_n_end = len(reass) - - self.assertEqual(reass_n_end - reass_n_start, 2) - def test_reass_hairpinning(self): """ NAT64 fragments hairpinning """ - data = 'a' * 200 + data = b'a' * 200 server = self.pg0.remote_hosts[1] server_in_port = random.randint(1025, 65535) server_out_port = random.randint(1025, 65535) @@ -8684,6 +8831,7 @@ class TestNAT64(MethodHolder): self.pg_enable_capture(self.pg_interfaces) self.pg_start() frags = self.pg0.get_capture(len(pkts)) + self.logger.debug(ppc("Captured:", frags)) p = self.reass_frags_and_verify_ip6(frags, nat_addr_ip6, server.ip6) self.assertNotEqual(p[TCP].sport, client_in_port) self.assertEqual(p[TCP].dport, server_in_port) @@ -8797,8 +8945,8 @@ class TestNAT64(MethodHolder): self.pg_start() self.pg1.get_capture(max_sessions) - self.vapi.set_ipfix_exporter(collector_address=self.pg3.remote_ip4n, - src_address=self.pg3.local_ip4n, + self.vapi.set_ipfix_exporter(collector_address=self.pg3.remote_ip4, + src_address=self.pg3.local_ip4, path_mtu=512, template_interval=10) self.vapi.nat_ipfix_enable_disable(domain_id=self.ipfix_domain_id, @@ -8856,57 +9004,6 @@ class TestNAT64(MethodHolder): data = ipfix.decode_data_set(p.getlayer(Set)) self.verify_ipfix_max_bibs(data, max_bibs) - def test_ipfix_max_frags(self): - """ IPFIX logging maximum fragments pending reassembly exceeded """ - self.vapi.nat64_add_del_pool_addr_range(start_addr=self.nat_addr, - end_addr=self.nat_addr, - vrf_id=0xFFFFFFFF, - is_add=1) - flags = self.config_flags.NAT_IS_INSIDE - self.vapi.nat64_add_del_interface(is_add=1, flags=flags, - sw_if_index=self.pg0.sw_if_index) - self.vapi.nat64_add_del_interface(is_add=1, flags=0, - sw_if_index=self.pg1.sw_if_index) - self.vapi.nat_set_reass(timeout=2, max_reass=1024, max_frag=1, - drop_frag=0, is_ip6=1) - self.vapi.set_ipfix_exporter(collector_address=self.pg3.remote_ip4n, - src_address=self.pg3.local_ip4n, - path_mtu=512, - template_interval=10) - self.vapi.nat_ipfix_enable_disable(domain_id=self.ipfix_domain_id, - src_port=self.ipfix_src_port, - enable=1) - - data = b'a' * 200 - pkts = self.create_stream_frag_ip6(self.pg0, self.pg1.remote_ip4, - self.tcp_port_in, 20, data) - pkts.reverse() - self.pg0.add_stream(pkts) - self.pg_enable_capture(self.pg_interfaces) - self.pg_start() - self.pg1.assert_nothing_captured() - sleep(1) - self.vapi.ipfix_flush() - capture = self.pg3.get_capture(9) - ipfix = IPFIXDecoder() - # first load template - for p in capture: - self.assertTrue(p.haslayer(IPFIX)) - self.assertEqual(p[IP].src, self.pg3.local_ip4) - self.assertEqual(p[IP].dst, self.pg3.remote_ip4) - self.assertEqual(p[UDP].sport, self.ipfix_src_port) - self.assertEqual(p[UDP].dport, 4739) - self.assertEqual(p[IPFIX].observationDomainID, - self.ipfix_domain_id) - if p.haslayer(Template): - ipfix.add_template(p.getlayer(Template)) - # verify events in data set - for p in capture: - if p.haslayer(Data): - data = ipfix.decode_data_set(p.getlayer(Set)) - self.verify_ipfix_max_fragments_ip6(data, 1, - self.pg0.remote_ip6n) - def test_ipfix_bib_ses(self): """ IPFIX logging NAT64 BIB/session create and delete events """ self.tcp_port_in = random.randint(1025, 65535) @@ -8923,8 +9020,8 @@ class TestNAT64(MethodHolder): sw_if_index=self.pg0.sw_if_index) self.vapi.nat64_add_del_interface(is_add=1, flags=0, sw_if_index=self.pg1.sw_if_index) - self.vapi.set_ipfix_exporter(collector_address=self.pg3.remote_ip4n, - src_address=self.pg3.local_ip4n, + self.vapi.set_ipfix_exporter(collector_address=self.pg3.remote_ip4, + src_address=self.pg3.local_ip4, path_mtu=512, template_interval=10) self.vapi.nat_ipfix_enable_disable(domain_id=self.ipfix_domain_id, @@ -9017,7 +9114,7 @@ class TestNAT64(MethodHolder): sw_if_index=self.pg1.sw_if_index) self.vapi.syslog_set_filter( self.SYSLOG_SEVERITY.SYSLOG_API_SEVERITY_INFO) - self.vapi.syslog_set_sender(self.pg3.local_ip4n, self.pg3.remote_ip4n) + self.vapi.syslog_set_sender(self.pg3.local_ip4, self.pg3.remote_ip4) p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IPv6(src=self.pg0.remote_ip6, dst=remote_host_ip6) / @@ -9106,312 +9203,6 @@ class TestNAT64(MethodHolder): self.logger.info(self.vapi.cli("show nat64 prefix")) self.logger.info(self.vapi.cli("show nat64 bib all")) self.logger.info(self.vapi.cli("show nat64 session table all")) - self.logger.info(self.vapi.cli("show nat virtual-reassembly")) - - -class TestDSlite(MethodHolder): - """ DS-Lite Test Cases """ - - @classmethod - def setUpClass(cls): - super(TestDSlite, cls).setUpClass() - - try: - cls.nat_addr = '10.0.0.3' - - cls.create_pg_interfaces(range(3)) - cls.pg0.admin_up() - cls.pg0.config_ip4() - cls.pg0.resolve_arp() - cls.pg1.admin_up() - cls.pg1.config_ip6() - cls.pg1.generate_remote_hosts(2) - cls.pg1.configure_ipv6_neighbors() - cls.pg2.admin_up() - cls.pg2.config_ip4() - cls.pg2.resolve_arp() - - except Exception: - super(TestDSlite, cls).tearDownClass() - raise - - @classmethod - def tearDownClass(cls): - super(TestDSlite, cls).tearDownClass() - - def verify_syslog_apmadd(self, data, isaddr, isport, xsaddr, xsport, - sv6enc, proto): - message = data.decode('utf-8') - try: - message = SyslogMessage.parse(message) - except ParseError as e: - self.logger.error(e) - else: - self.assertEqual(message.severity, SyslogSeverity.info) - self.assertEqual(message.appname, 'NAT') - self.assertEqual(message.msgid, 'APMADD') - sd_params = message.sd.get('napmap') - self.assertTrue(sd_params is not None) - self.assertEqual(sd_params.get('IATYP'), 'IPv4') - self.assertEqual(sd_params.get('ISADDR'), isaddr) - self.assertEqual(sd_params.get('ISPORT'), "%d" % isport) - self.assertEqual(sd_params.get('XATYP'), 'IPv4') - self.assertEqual(sd_params.get('XSADDR'), xsaddr) - self.assertEqual(sd_params.get('XSPORT'), "%d" % xsport) - self.assertEqual(sd_params.get('PROTO'), "%d" % proto) - self.assertTrue(sd_params.get('SSUBIX') is not None) - self.assertEqual(sd_params.get('SV6ENC'), sv6enc) - - def test_dslite(self): - """ Test DS-Lite """ - nat_config = self.vapi.nat_show_config() - self.assertEqual(0, nat_config.dslite_ce) - - self.vapi.dslite_add_del_pool_addr_range(start_addr=self.nat_addr, - end_addr=self.nat_addr, - is_add=1) - aftr_ip4 = '192.0.0.1' - aftr_ip6 = '2001:db8:85a3::8a2e:370:1' - self.vapi.dslite_set_aftr_addr(ip4_addr=aftr_ip4, ip6_addr=aftr_ip6) - self.vapi.syslog_set_sender(self.pg2.local_ip4n, self.pg2.remote_ip4n) - - # UDP - p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) / - IPv6(dst=aftr_ip6, src=self.pg1.remote_hosts[0].ip6) / - IP(dst=self.pg0.remote_ip4, src='192.168.1.1') / - UDP(sport=20000, dport=10000)) - self.pg1.add_stream(p) - self.pg_enable_capture(self.pg_interfaces) - self.pg_start() - capture = self.pg0.get_capture(1) - capture = capture[0] - self.assertFalse(capture.haslayer(IPv6)) - self.assertEqual(capture[IP].src, self.nat_addr) - self.assertEqual(capture[IP].dst, self.pg0.remote_ip4) - self.assertNotEqual(capture[UDP].sport, 20000) - self.assertEqual(capture[UDP].dport, 10000) - self.assert_packet_checksums_valid(capture) - out_port = capture[UDP].sport - capture = self.pg2.get_capture(1) - self.verify_syslog_apmadd(capture[0][Raw].load, '192.168.1.1', - 20000, self.nat_addr, out_port, - self.pg1.remote_hosts[0].ip6, IP_PROTOS.udp) - - p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / - IP(dst=self.nat_addr, src=self.pg0.remote_ip4) / - UDP(sport=10000, dport=out_port)) - self.pg0.add_stream(p) - self.pg_enable_capture(self.pg_interfaces) - self.pg_start() - capture = self.pg1.get_capture(1) - capture = capture[0] - self.assertEqual(capture[IPv6].src, aftr_ip6) - self.assertEqual(capture[IPv6].dst, self.pg1.remote_hosts[0].ip6) - self.assertEqual(capture[IP].src, self.pg0.remote_ip4) - self.assertEqual(capture[IP].dst, '192.168.1.1') - self.assertEqual(capture[UDP].sport, 10000) - self.assertEqual(capture[UDP].dport, 20000) - self.assert_packet_checksums_valid(capture) - - # TCP - p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) / - IPv6(dst=aftr_ip6, src=self.pg1.remote_hosts[1].ip6) / - IP(dst=self.pg0.remote_ip4, src='192.168.1.1') / - TCP(sport=20001, dport=10001)) - self.pg1.add_stream(p) - self.pg_enable_capture(self.pg_interfaces) - self.pg_start() - capture = self.pg0.get_capture(1) - capture = capture[0] - self.assertFalse(capture.haslayer(IPv6)) - self.assertEqual(capture[IP].src, self.nat_addr) - self.assertEqual(capture[IP].dst, self.pg0.remote_ip4) - self.assertNotEqual(capture[TCP].sport, 20001) - self.assertEqual(capture[TCP].dport, 10001) - self.assert_packet_checksums_valid(capture) - out_port = capture[TCP].sport - - p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / - IP(dst=self.nat_addr, src=self.pg0.remote_ip4) / - TCP(sport=10001, dport=out_port)) - self.pg0.add_stream(p) - self.pg_enable_capture(self.pg_interfaces) - self.pg_start() - capture = self.pg1.get_capture(1) - capture = capture[0] - self.assertEqual(capture[IPv6].src, aftr_ip6) - self.assertEqual(capture[IPv6].dst, self.pg1.remote_hosts[1].ip6) - self.assertEqual(capture[IP].src, self.pg0.remote_ip4) - self.assertEqual(capture[IP].dst, '192.168.1.1') - self.assertEqual(capture[TCP].sport, 10001) - self.assertEqual(capture[TCP].dport, 20001) - self.assert_packet_checksums_valid(capture) - - # ICMP - p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) / - IPv6(dst=aftr_ip6, src=self.pg1.remote_hosts[1].ip6) / - IP(dst=self.pg0.remote_ip4, src='192.168.1.1') / - ICMP(id=4000, type='echo-request')) - self.pg1.add_stream(p) - self.pg_enable_capture(self.pg_interfaces) - self.pg_start() - capture = self.pg0.get_capture(1) - capture = capture[0] - self.assertFalse(capture.haslayer(IPv6)) - self.assertEqual(capture[IP].src, self.nat_addr) - self.assertEqual(capture[IP].dst, self.pg0.remote_ip4) - self.assertNotEqual(capture[ICMP].id, 4000) - self.assert_packet_checksums_valid(capture) - out_id = capture[ICMP].id - - p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / - IP(dst=self.nat_addr, src=self.pg0.remote_ip4) / - ICMP(id=out_id, type='echo-reply')) - self.pg0.add_stream(p) - self.pg_enable_capture(self.pg_interfaces) - self.pg_start() - capture = self.pg1.get_capture(1) - capture = capture[0] - self.assertEqual(capture[IPv6].src, aftr_ip6) - self.assertEqual(capture[IPv6].dst, self.pg1.remote_hosts[1].ip6) - self.assertEqual(capture[IP].src, self.pg0.remote_ip4) - self.assertEqual(capture[IP].dst, '192.168.1.1') - self.assertEqual(capture[ICMP].id, 4000) - self.assert_packet_checksums_valid(capture) - - # ping DS-Lite AFTR tunnel endpoint address - p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) / - IPv6(src=self.pg1.remote_hosts[1].ip6, dst=aftr_ip6) / - ICMPv6EchoRequest()) - self.pg1.add_stream(p) - self.pg_enable_capture(self.pg_interfaces) - self.pg_start() - capture = self.pg1.get_capture(1) - capture = capture[0] - self.assertEqual(capture[IPv6].src, aftr_ip6) - self.assertEqual(capture[IPv6].dst, self.pg1.remote_hosts[1].ip6) - self.assertTrue(capture.haslayer(ICMPv6EchoReply)) - - b4s = self.statistics.get_counter('/dslite/total-b4s') - self.assertEqual(b4s[0][0], 2) - sessions = self.statistics.get_counter('/dslite/total-sessions') - self.assertEqual(sessions[0][0], 3) - - def tearDown(self): - super(TestDSlite, self).tearDown() - - def show_commands_at_teardown(self): - self.logger.info(self.vapi.cli("show dslite pool")) - self.logger.info( - self.vapi.cli("show dslite aftr-tunnel-endpoint-address")) - self.logger.info(self.vapi.cli("show dslite sessions")) - - -class TestDSliteCE(MethodHolder): - """ DS-Lite CE Test Cases """ - - @classmethod - def setUpConstants(cls): - super(TestDSliteCE, cls).setUpConstants() - cls.vpp_cmdline.extend(["nat", "{", "dslite ce", "}"]) - - @classmethod - def setUpClass(cls): - super(TestDSliteCE, cls).setUpClass() - - try: - cls.create_pg_interfaces(range(2)) - cls.pg0.admin_up() - cls.pg0.config_ip4() - cls.pg0.resolve_arp() - cls.pg1.admin_up() - cls.pg1.config_ip6() - cls.pg1.generate_remote_hosts(1) - cls.pg1.configure_ipv6_neighbors() - - except Exception: - super(TestDSliteCE, cls).tearDownClass() - raise - - @classmethod - def tearDownClass(cls): - super(TestDSliteCE, cls).tearDownClass() - - def test_dslite_ce(self): - """ Test DS-Lite CE """ - - nat_config = self.vapi.nat_show_config() - self.assertEqual(1, nat_config.dslite_ce) - - b4_ip4 = '192.0.0.2' - b4_ip6 = '2001:db8:62aa::375e:f4c1:1' - self.vapi.dslite_set_b4_addr(ip4_addr=b4_ip4, ip6_addr=b4_ip6) - - aftr_ip4 = '192.0.0.1' - aftr_ip6 = '2001:db8:85a3::8a2e:370:1' - aftr_ip6_n = socket.inet_pton(socket.AF_INET6, aftr_ip6) - self.vapi.dslite_set_aftr_addr(ip4_addr=aftr_ip4, ip6_addr=aftr_ip6) - - r1 = VppIpRoute(self, aftr_ip6, 128, - [VppRoutePath(self.pg1.remote_ip6, - self.pg1.sw_if_index)]) - r1.add_vpp_config() - - # UDP encapsulation - p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / - IP(dst=self.pg1.remote_ip4, src=self.pg0.remote_ip4) / - UDP(sport=10000, dport=20000)) - self.pg0.add_stream(p) - self.pg_enable_capture(self.pg_interfaces) - self.pg_start() - capture = self.pg1.get_capture(1) - capture = capture[0] - self.assertEqual(capture[IPv6].src, b4_ip6) - self.assertEqual(capture[IPv6].dst, aftr_ip6) - self.assertEqual(capture[IP].src, self.pg0.remote_ip4) - self.assertEqual(capture[IP].dst, self.pg1.remote_ip4) - self.assertEqual(capture[UDP].sport, 10000) - self.assertEqual(capture[UDP].dport, 20000) - self.assert_packet_checksums_valid(capture) - - # UDP decapsulation - p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) / - IPv6(dst=b4_ip6, src=aftr_ip6) / - IP(dst=self.pg0.remote_ip4, src=self.pg1.remote_ip4) / - UDP(sport=20000, dport=10000)) - self.pg1.add_stream(p) - self.pg_enable_capture(self.pg_interfaces) - self.pg_start() - capture = self.pg0.get_capture(1) - capture = capture[0] - self.assertFalse(capture.haslayer(IPv6)) - self.assertEqual(capture[IP].src, self.pg1.remote_ip4) - self.assertEqual(capture[IP].dst, self.pg0.remote_ip4) - self.assertEqual(capture[UDP].sport, 20000) - self.assertEqual(capture[UDP].dport, 10000) - self.assert_packet_checksums_valid(capture) - - # ping DS-Lite B4 tunnel endpoint address - p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) / - IPv6(src=self.pg1.remote_hosts[0].ip6, dst=b4_ip6) / - ICMPv6EchoRequest()) - self.pg1.add_stream(p) - self.pg_enable_capture(self.pg_interfaces) - self.pg_start() - capture = self.pg1.get_capture(1) - capture = capture[0] - self.assertEqual(capture[IPv6].src, b4_ip6) - self.assertEqual(capture[IPv6].dst, self.pg1.remote_hosts[0].ip6) - self.assertTrue(capture.haslayer(ICMPv6EchoReply)) - - def tearDown(self): - super(TestDSliteCE, self).tearDown() - - def show_commands_at_teardown(self): - self.logger.info( - self.vapi.cli("show dslite aftr-tunnel-endpoint-address")) - self.logger.info( - self.vapi.cli("show dslite b4-tunnel-endpoint-address")) class TestNAT66(MethodHolder): @@ -9421,20 +9212,15 @@ class TestNAT66(MethodHolder): def setUpClass(cls): super(TestNAT66, cls).setUpClass() - try: - cls.nat_addr = 'fd01:ff::2' + cls.nat_addr = 'fd01:ff::2' - cls.create_pg_interfaces(range(2)) - cls.interfaces = list(cls.pg_interfaces) + cls.create_pg_interfaces(range(2)) + cls.interfaces = list(cls.pg_interfaces) - for i in cls.interfaces: - i.admin_up() - i.config_ip6() - i.configure_ipv6_neighbors() - - except Exception: - super(TestNAT66, cls).tearDownClass() - raise + for i in cls.interfaces: + i.admin_up() + i.config_ip6() + i.configure_ipv6_neighbors() @classmethod def tearDownClass(cls): @@ -9474,6 +9260,7 @@ class TestNAT66(MethodHolder): self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg1.get_capture(len(pkts)) + for packet in capture: try: self.assertEqual(packet[IPv6].src, self.nat_addr)