X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=test%2Ftest_nat.py;h=a705bd98fc016de7fde5dd5c19a5f26271140951;hb=bb4e022502dd7f76d4f1cd705a7bac628d8c098c;hp=8012350b6c63220ec2e5543436946ddda7cc6d67;hpb=a6110b6ea5a066b64005347850f61df9a2000fe9;p=vpp.git diff --git a/test/test_nat.py b/test/test_nat.py index 8012350b6c6..a705bd98fc0 100644 --- a/test/test_nat.py +++ b/test/test_nat.py @@ -9,7 +9,8 @@ import random from framework import VppTestCase, VppTestRunner, running_extended_tests from scapy.layers.inet import IP, TCP, UDP, ICMP from scapy.layers.inet import IPerror, TCPerror, UDPerror, ICMPerror -from scapy.layers.inet6 import IPv6, ICMPv6EchoRequest, ICMPv6EchoReply +from scapy.layers.inet6 import IPv6, ICMPv6EchoRequest, ICMPv6EchoReply, \ + ICMPv6ND_NS, ICMPv6ND_NA, ICMPv6NDOptDstLLAddr from scapy.layers.inet6 import ICMPv6DestUnreach, IPerror6, IPv6ExtHdrFragment from scapy.layers.l2 import Ether, ARP, GRE from scapy.data import IP_PROTOS @@ -107,7 +108,6 @@ class MethodHolder(VppTestCase): lb_sm.external_addr, lb_sm.external_port, lb_sm.protocol, - vrf_id=lb_sm.vrf_id, twice_nat=lb_sm.twice_nat, self_twice_nat=lb_sm.self_twice_nat, out2in_only=lb_sm.out2in_only, @@ -136,6 +136,10 @@ class MethodHolder(VppTestCase): self.vapi.nat_set_reass() self.vapi.nat_set_reass(is_ip6=1) + self.verify_no_nat44_user() + self.vapi.nat_set_timeouts() + self.vapi.nat_set_addr_and_port_alloc_alg() + self.vapi.nat_set_mss_clamping() def nat44_add_static_mapping(self, local_ip, external_ip='0.0.0.0', local_port=0, external_port=0, vrf_id=0, @@ -419,14 +423,13 @@ class MethodHolder(VppTestCase): return pkts def verify_capture_out(self, capture, nat_ip=None, same_port=False, - packet_num=3, dst_ip=None, is_ip6=False): + dst_ip=None, is_ip6=False): """ Verify captured packets on outside network :param capture: Captured packets :param nat_ip: Translated IP address (Default use global NAT address) :param same_port: Sorce port number is not translated (Default False) - :param packet_num: Expected number of packets (Default 3) :param dst_ip: Destination IP address (Default do not verify) :param is_ip6: If L3 protocol is IPv6 (Default False) """ @@ -438,7 +441,6 @@ class MethodHolder(VppTestCase): ICMP46 = ICMP if nat_ip is None: nat_ip = self.nat_addr - self.assertEqual(packet_num, len(capture)) for packet in capture: try: if not is_ip6: @@ -474,28 +476,25 @@ class MethodHolder(VppTestCase): raise def verify_capture_out_ip6(self, capture, nat_ip, same_port=False, - packet_num=3, dst_ip=None): + dst_ip=None): """ Verify captured packets on outside network :param capture: Captured packets :param nat_ip: Translated IP address :param same_port: Sorce port number is not translated (Default False) - :param packet_num: Expected number of packets (Default 3) :param dst_ip: Destination IP address (Default do not verify) """ - return self.verify_capture_out(capture, nat_ip, same_port, packet_num, - dst_ip, True) + return self.verify_capture_out(capture, nat_ip, same_port, dst_ip, + True) - def verify_capture_in(self, capture, in_if, packet_num=3): + def verify_capture_in(self, capture, in_if): """ Verify captured packets on inside network :param capture: Captured packets :param in_if: Inside interface - :param packet_num: Expected number of packets (Default 3) """ - self.assertEqual(packet_num, len(capture)) for packet in capture: try: self.assert_packet_checksums_valid(packet) @@ -511,16 +510,14 @@ class MethodHolder(VppTestCase): "(inside network):", packet)) raise - def verify_capture_in_ip6(self, capture, src_ip, dst_ip, packet_num=3): + def verify_capture_in_ip6(self, capture, src_ip, dst_ip): """ Verify captured IPv6 packets on inside network :param capture: Captured packets :param src_ip: Source IP :param dst_ip: Destination IP address - :param packet_num: Expected number of packets (Default 3) """ - self.assertEqual(packet_num, len(capture)) for packet in capture: try: self.assertEqual(packet[IPv6].src, src_ip) @@ -562,20 +559,18 @@ class MethodHolder(VppTestCase): raise def verify_capture_out_with_icmp_errors(self, capture, src_ip=None, - packet_num=3, icmp_type=11): + icmp_type=11): """ Verify captured packets with ICMP errors on outside network :param capture: Captured packets :param src_ip: Translated IP address or IP address of VPP (Default use global NAT address) - :param packet_num: Expected number of packets (Default 3) :param icmp_type: Type of error ICMP packet we are expecting (Default 11) """ if src_ip is None: src_ip = self.nat_addr - self.assertEqual(packet_num, len(capture)) for packet in capture: try: self.assertEqual(packet[IP].src, src_ip) @@ -597,18 +592,15 @@ class MethodHolder(VppTestCase): "(outside network):", packet)) raise - def verify_capture_in_with_icmp_errors(self, capture, in_if, packet_num=3, - icmp_type=11): + def verify_capture_in_with_icmp_errors(self, capture, in_if, icmp_type=11): """ Verify captured packets with ICMP errors on inside network :param capture: Captured packets :param in_if: Inside interface - :param packet_num: Expected number of packets (Default 3) :param icmp_type: Type of error ICMP packet we are expecting (Default 11) """ - self.assertEqual(packet_num, len(capture)) for packet in capture: try: self.assertEqual(packet[IP].dst, in_if.remote_ip4) @@ -987,6 +979,45 @@ class MethodHolder(VppTestCase): # postNAPTDestinationTransportPort self.assertEqual(struct.pack("!H", dst_port), record[228]) + def verify_no_nat44_user(self): + """ Verify that there is no NAT44 user """ + users = self.vapi.nat44_user_dump() + self.assertEqual(len(users), 0) + + def verify_ipfix_max_entries_per_user(self, data, limit, src_addr): + """ + Verify IPFIX maximum entries per user exceeded event + + :param data: Decoded IPFIX data records + :param limit: Number of maximum entries per user + :param src_addr: IPv4 source address + """ + self.assertEqual(1, len(data)) + record = data[0] + # natEvent + self.assertEqual(ord(record[230]), 13) + # natQuotaExceededEvent + self.assertEqual(struct.pack("I", 3), record[466]) + # maxEntriesPerUser + self.assertEqual(struct.pack("I", limit), record[473]) + # sourceIPv4Address + self.assertEqual(src_addr, record[8]) + + def verify_mss_value(self, pkt, mss): + """ + Verify TCP MSS value + + :param pkt: + :param mss: + """ + if not pkt.haslayer(IP) or not pkt.haslayer(TCP): + raise TypeError("Not a TCP/IP packet") + + for option in pkt[TCP].options: + if option[0] == 'MSS': + self.assertEqual(option[1], mss) + self.assert_tcp_checksum_valid(pkt) + class TestNAT44(MethodHolder): """ NAT44 Test Cases """ @@ -1210,7 +1241,6 @@ class TestNAT44(MethodHolder): self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg1.get_capture(len(pkts)) - self.assertEqual(1, len(capture)) packet = capture[0] try: self.assertEqual(packet[IP].src, self.pg1.local_ip4) @@ -1238,7 +1268,7 @@ class TestNAT44(MethodHolder): self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg0.get_capture(1) - self.verify_capture_in(capture, self.pg0, packet_num=1) + self.verify_capture_in(capture, self.pg0) self.assert_equal(capture[0][IP].proto, IP_PROTOS.icmp) # in2out @@ -1249,10 +1279,10 @@ class TestNAT44(MethodHolder): self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg1.get_capture(1) - self.verify_capture_out(capture, same_port=True, packet_num=1) + self.verify_capture_out(capture, same_port=True) self.assert_equal(capture[0][IP].proto, IP_PROTOS.icmp) - def _test_forwarding(self): + def test_forwarding(self): """ NAT44 forwarding test """ self.vapi.nat44_interface_add_del_feature(self.pg0.sw_if_index) @@ -1266,7 +1296,7 @@ class TestNAT44(MethodHolder): external_ip=alias_ip) try: - # in2out - static mapping match + # static mapping match pkts = self.create_stream_out(self.pg1) self.pg1.add_stream(pkts) @@ -1282,7 +1312,7 @@ class TestNAT44(MethodHolder): capture = self.pg1.get_capture(len(pkts)) self.verify_capture_out(capture, same_port=True) - # in2out - no static mapping match + # no static mapping match host0 = self.pg0.remote_hosts[0] self.pg0.remote_hosts[0] = self.pg0.remote_hosts[1] @@ -1306,19 +1336,6 @@ class TestNAT44(MethodHolder): finally: self.pg0.remote_hosts[0] = host0 - user = self.pg0.remote_hosts[1] - sessions = self.vapi.nat44_user_session_dump(user.ip4n, 0) - self.assertEqual(len(sessions), 3) - self.assertTrue(sessions[0].ext_host_valid) - self.vapi.nat44_del_session( - sessions[0].inside_ip_address, - sessions[0].inside_port, - sessions[0].protocol, - ext_host_address=sessions[0].ext_host_address, - ext_host_port=sessions[0].ext_host_port) - sessions = self.vapi.nat44_user_session_dump(user.ip4n, 0) - self.assertEqual(len(sessions), 2) - finally: self.vapi.nat44_forwarding_enable_disable(0) self.vapi.nat44_add_del_static_mapping(local_ip=real_ip, @@ -2382,6 +2399,8 @@ class TestNAT44(MethodHolder): self.pg1.set_table_ip4(vrf_id2) self.pg0.config_ip4() self.pg1.config_ip4() + self.pg0.resolve_arp() + self.pg1.resolve_arp() self.nat44_add_address(nat_ip1, vrf_id=vrf_id1) self.nat44_add_address(nat_ip2, vrf_id=vrf_id2) @@ -2390,28 +2409,34 @@ class TestNAT44(MethodHolder): self.vapi.nat44_interface_add_del_feature(self.pg2.sw_if_index, is_inside=0) - # first VRF - pkts = self.create_stream_in(self.pg0, self.pg2) - self.pg0.add_stream(pkts) - self.pg_enable_capture(self.pg_interfaces) - self.pg_start() - capture = self.pg2.get_capture(len(pkts)) - self.verify_capture_out(capture, nat_ip1) + try: + # first VRF + pkts = self.create_stream_in(self.pg0, self.pg2) + self.pg0.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg2.get_capture(len(pkts)) + self.verify_capture_out(capture, nat_ip1) - # second VRF - pkts = self.create_stream_in(self.pg1, self.pg2) - self.pg1.add_stream(pkts) - self.pg_enable_capture(self.pg_interfaces) - self.pg_start() - capture = self.pg2.get_capture(len(pkts)) - self.verify_capture_out(capture, nat_ip2) + # second VRF + pkts = self.create_stream_in(self.pg1, self.pg2) + self.pg1.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg2.get_capture(len(pkts)) + self.verify_capture_out(capture, nat_ip2) - self.pg0.unconfig_ip4() - self.pg1.unconfig_ip4() - self.pg0.set_table_ip4(0) - self.pg1.set_table_ip4(0) - self.vapi.ip_table_add_del(vrf_id1, is_add=0) - self.vapi.ip_table_add_del(vrf_id2, is_add=0) + finally: + self.pg0.unconfig_ip4() + self.pg1.unconfig_ip4() + self.pg0.set_table_ip4(0) + self.pg1.set_table_ip4(0) + self.pg0.config_ip4() + self.pg1.config_ip4() + self.pg0.resolve_arp() + self.pg1.resolve_arp() + self.vapi.ip_table_add_del(vrf_id1, is_add=0) + self.vapi.ip_table_add_del(vrf_id2, is_add=0) def test_vrf_feature_independent(self): """ NAT44 tenant VRF independent address pool mode """ @@ -2914,6 +2939,12 @@ class TestNAT44(MethodHolder): sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4n, 0) self.assertEqual(nsessions - len(sessions), 2) + self.vapi.nat44_del_session(sessions[0].inside_ip_address, + sessions[0].inside_port, + sessions[0].protocol) + + self.verify_no_nat44_user() + def test_set_get_reass(self): """ NAT44 set/get virtual fragmentation reassembly """ reas_cfg1 = self.vapi.nat_get_reass() @@ -3071,8 +3102,10 @@ class TestNAT44(MethodHolder): self.vapi.nat44_interface_add_del_feature(self.pg0.sw_if_index) self.vapi.nat44_interface_add_del_feature(self.pg1.sw_if_index, is_inside=0) - self.vapi.cli("nat addr-port-assignment-alg map-e psid 10 " - "psid-offset 6 psid-len 6") + self.vapi.nat_set_addr_and_port_alloc_alg(alg=1, + psid_offset=6, + psid_length=6, + psid=10) p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / @@ -3095,13 +3128,38 @@ class TestNAT44(MethodHolder): self.logger.error(ppp("Unexpected or invalid packet:", p)) raise + def test_port_range(self): + """ External address port range """ + self.nat44_add_address(self.nat_addr) + self.vapi.nat44_interface_add_del_feature(self.pg0.sw_if_index) + self.vapi.nat44_interface_add_del_feature(self.pg1.sw_if_index, + is_inside=0) + self.vapi.nat_set_addr_and_port_alloc_alg(alg=2, + start_port=1025, + end_port=1027) + + pkts = [] + for port in range(0, 5): + p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / + IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / + TCP(sport=1125 + port)) + pkts.append(p) + self.pg0.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg1.get_capture(3) + for p in capture: + tcp = p[TCP] + self.assertGreaterEqual(tcp.sport, 1025) + self.assertLessEqual(tcp.sport, 1027) + def test_ipfix_max_frags(self): """ IPFIX logging maximum fragments pending reassembly exceeded """ self.nat44_add_address(self.nat_addr) self.vapi.nat44_interface_add_del_feature(self.pg0.sw_if_index) self.vapi.nat44_interface_add_del_feature(self.pg1.sw_if_index, is_inside=0) - self.vapi.nat_set_reass(max_frag=0) + self.vapi.nat_set_reass(max_frag=1) self.vapi.set_ipfix_exporter(collector_address=self.pg3.remote_ip4n, src_address=self.pg3.local_ip4n, path_mtu=512, @@ -3116,7 +3174,8 @@ class TestNAT44(MethodHolder): self.tcp_port_in, 20, data) - self.pg0.add_stream(pkts[-1]) + pkts.reverse() + self.pg0.add_stream(pkts) self.pg_enable_capture(self.pg_interfaces) self.pg_start() self.pg1.assert_nothing_captured() @@ -3139,9 +3198,155 @@ class TestNAT44(MethodHolder): for p in capture: if p.haslayer(Data): data = ipfix.decode_data_set(p.getlayer(Set)) - self.verify_ipfix_max_fragments_ip4(data, 0, + self.verify_ipfix_max_fragments_ip4(data, 1, self.pg0.remote_ip4n) + def test_multiple_outside_vrf(self): + """ Multiple outside VRF """ + vrf_id1 = 1 + vrf_id2 = 2 + + self.pg1.unconfig_ip4() + self.pg2.unconfig_ip4() + self.vapi.ip_table_add_del(vrf_id1, is_add=1) + self.vapi.ip_table_add_del(vrf_id2, is_add=1) + self.pg1.set_table_ip4(vrf_id1) + self.pg2.set_table_ip4(vrf_id2) + self.pg1.config_ip4() + self.pg2.config_ip4() + self.pg1.resolve_arp() + self.pg2.resolve_arp() + + self.nat44_add_address(self.nat_addr) + self.vapi.nat44_interface_add_del_feature(self.pg0.sw_if_index) + self.vapi.nat44_interface_add_del_feature(self.pg1.sw_if_index, + is_inside=0) + self.vapi.nat44_interface_add_del_feature(self.pg2.sw_if_index, + is_inside=0) + + try: + # first VRF + pkts = self.create_stream_in(self.pg0, self.pg1) + self.pg0.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg1.get_capture(len(pkts)) + self.verify_capture_out(capture, self.nat_addr) + + pkts = self.create_stream_out(self.pg1, self.nat_addr) + self.pg1.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg0.get_capture(len(pkts)) + self.verify_capture_in(capture, self.pg0) + + self.tcp_port_in = 60303 + self.udp_port_in = 60304 + self.icmp_id_in = 60305 + + # second VRF + pkts = self.create_stream_in(self.pg0, self.pg2) + self.pg0.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg2.get_capture(len(pkts)) + self.verify_capture_out(capture, self.nat_addr) + + pkts = self.create_stream_out(self.pg2, self.nat_addr) + self.pg2.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg0.get_capture(len(pkts)) + self.verify_capture_in(capture, self.pg0) + + finally: + self.pg1.unconfig_ip4() + self.pg2.unconfig_ip4() + self.pg1.set_table_ip4(0) + self.pg2.set_table_ip4(0) + self.pg1.config_ip4() + self.pg2.config_ip4() + self.pg1.resolve_arp() + self.pg2.resolve_arp() + + @unittest.skipUnless(running_extended_tests(), "part of extended tests") + def test_session_timeout(self): + """ NAT44 session timeouts """ + self.nat44_add_address(self.nat_addr) + self.vapi.nat44_interface_add_del_feature(self.pg0.sw_if_index) + self.vapi.nat44_interface_add_del_feature(self.pg1.sw_if_index, + is_inside=0) + self.vapi.nat_set_timeouts(udp=5) + + max_sessions = 1000 + pkts = [] + for i in range(0, max_sessions): + src = "10.10.%u.%u" % ((i & 0xFF00) >> 8, i & 0xFF) + p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / + IP(src=src, dst=self.pg1.remote_ip4) / + UDP(sport=1025, dport=53)) + pkts.append(p) + self.pg0.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + self.pg1.get_capture(max_sessions) + + sleep(6) + + pkts = [] + for i in range(0, max_sessions): + src = "10.10.%u.%u" % ((i & 0xFF00) >> 8, i & 0xFF) + p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / + IP(src=src, dst=self.pg1.remote_ip4) / + UDP(sport=1026, dport=53)) + pkts.append(p) + self.pg0.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + self.pg1.get_capture(max_sessions) + + nsessions = 0 + users = self.vapi.nat44_user_dump() + for user in users: + nsessions = nsessions + user.nsessions + self.assertLess(nsessions, 2 * max_sessions) + + def test_mss_clamping(self): + """ TCP MSS clamping """ + self.nat44_add_address(self.nat_addr) + self.vapi.nat44_interface_add_del_feature(self.pg0.sw_if_index) + self.vapi.nat44_interface_add_del_feature(self.pg1.sw_if_index, + is_inside=0) + + p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / + IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / + TCP(sport=self.tcp_port_in, dport=self.tcp_external_port, + flags="S", options=[('MSS', 1400)])) + + self.vapi.nat_set_mss_clamping(enable=1, mss_value=1000) + self.pg0.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg1.get_capture(1) + # Negotiated MSS value greater than configured - changed + self.verify_mss_value(capture[0], 1000) + + self.vapi.nat_set_mss_clamping(enable=0) + self.pg0.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg1.get_capture(1) + # MSS clamping disabled - negotiated MSS unchanged + self.verify_mss_value(capture[0], 1400) + + self.vapi.nat_set_mss_clamping(enable=1, mss_value=1500) + self.pg0.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg1.get_capture(1) + # Negotiated MSS value smaller than configured - unchanged + self.verify_mss_value(capture[0], 1400) + def tearDown(self): super(TestNAT44, self).tearDown() if not self.vpp_dead: @@ -3152,7 +3357,9 @@ class TestNAT44(MethodHolder): self.logger.info(self.vapi.cli("show nat44 sessions detail")) self.logger.info(self.vapi.cli("show nat virtual-reassembly")) self.logger.info(self.vapi.cli("show nat44 hash tables detail")) - self.vapi.cli("nat addr-port-assignment-alg default") + self.logger.info(self.vapi.cli("show nat timeouts")) + self.logger.info( + self.vapi.cli("show nat addr-port-assignment-alg")) self.clear_nat44() self.vapi.cli("clear logging") @@ -3182,7 +3389,7 @@ class TestNAT44EndpointDependent(MethodHolder): cls.ipfix_domain_id = 1 cls.tcp_external_port = 80 - cls.create_pg_interfaces(range(5)) + cls.create_pg_interfaces(range(7)) cls.interfaces = list(cls.pg_interfaces[0:3]) for i in cls.interfaces: @@ -3206,6 +3413,58 @@ class TestNAT44EndpointDependent(MethodHolder): cls.pg4._remote_hosts[1]._ip4 = cls.pg4._remote_hosts[0]._ip4 cls.pg4.resolve_arp() + zero_ip4n = socket.inet_pton(socket.AF_INET, "0.0.0.0") + cls.vapi.ip_table_add_del(1, is_add=1) + + cls.pg5._local_ip4 = "10.1.1.1" + cls.pg5._local_ip4n = socket.inet_pton(socket.AF_INET, + cls.pg5.local_ip4) + cls.pg5._remote_hosts[0]._ip4 = "10.1.1.2" + cls.pg5._remote_hosts[0]._ip4n = socket.inet_pton( + socket.AF_INET, cls.pg5.remote_ip4) + cls.pg5.set_table_ip4(1) + cls.pg5.config_ip4() + cls.pg5.admin_up() + cls.vapi.ip_add_del_route(dst_address=cls.pg5.remote_ip4n, + dst_address_length=32, + table_id=1, + next_hop_sw_if_index=cls.pg5.sw_if_index, + next_hop_address=zero_ip4n) + + cls.pg6._local_ip4 = "10.1.2.1" + cls.pg6._local_ip4n = socket.inet_pton(socket.AF_INET, + cls.pg6.local_ip4) + cls.pg6._remote_hosts[0]._ip4 = "10.1.2.2" + cls.pg6._remote_hosts[0]._ip4n = socket.inet_pton( + socket.AF_INET, cls.pg6.remote_ip4) + cls.pg6.set_table_ip4(1) + cls.pg6.config_ip4() + cls.pg6.admin_up() + cls.vapi.ip_add_del_route(dst_address=cls.pg6.remote_ip4n, + dst_address_length=32, + table_id=1, + next_hop_sw_if_index=cls.pg6.sw_if_index, + next_hop_address=zero_ip4n) + + cls.vapi.ip_add_del_route(dst_address=cls.pg6.remote_ip4n, + dst_address_length=16, + next_hop_address=zero_ip4n, + table_id=0, + next_hop_table_id=1) + cls.vapi.ip_add_del_route(dst_address=zero_ip4n, + dst_address_length=0, + next_hop_address=zero_ip4n, + table_id=1, + next_hop_table_id=0) + cls.vapi.ip_add_del_route(dst_address=zero_ip4n, + dst_address_length=0, + table_id=0, + next_hop_sw_if_index=cls.pg1.sw_if_index, + next_hop_address=cls.pg1.local_ip4n) + + cls.pg5.resolve_arp() + cls.pg6.resolve_arp() + except Exception: super(TestNAT44EndpointDependent, cls).tearDownClass() raise @@ -3218,6 +3477,9 @@ class TestNAT44EndpointDependent(MethodHolder): self.vapi.nat44_interface_add_del_feature(self.pg1.sw_if_index, is_inside=0) + nat_config = self.vapi.nat_show_config() + self.assertEqual(1, nat_config.endpoint_dependent) + # in2out pkts = self.create_stream_in(self.pg0, self.pg1) self.pg0.add_stream(pkts) @@ -3317,10 +3579,12 @@ class TestNAT44EndpointDependent(MethodHolder): locals = [{'addr': server1.ip4n, 'port': local_port, - 'probability': 70}, + 'probability': 70, + 'vrf_id': 0}, {'addr': server2.ip4n, 'port': local_port, - 'probability': 30}] + 'probability': 30, + 'vrf_id': 0}] self.nat44_add_address(self.nat_addr) self.vapi.nat44_add_del_lb_static_mapping(external_addr_n, @@ -3399,10 +3663,12 @@ class TestNAT44EndpointDependent(MethodHolder): locals = [{'addr': server1.ip4n, 'port': local_port, - 'probability': 90}, + 'probability': 90, + 'vrf_id': 0}, {'addr': server2.ip4n, 'port': local_port, - 'probability': 10}] + 'probability': 10, + 'vrf_id': 0}] self.nat44_add_address(self.nat_addr) self.vapi.nat44_add_del_lb_static_mapping(external_addr_n, @@ -3444,10 +3710,12 @@ class TestNAT44EndpointDependent(MethodHolder): locals = [{'addr': server1.ip4n, 'port': local_port, - 'probability': 70}, + 'probability': 70, + 'vrf_id': 0}, {'addr': server2.ip4n, 'port': local_port, - 'probability': 30}] + 'probability': 30, + 'vrf_id': 0}] self.vapi.nat44_forwarding_enable_disable(1) self.vapi.nat44_add_del_lb_static_mapping(external_addr_n, @@ -3542,6 +3810,67 @@ class TestNAT44EndpointDependent(MethodHolder): self.logger.error(ppp("Unexpected or invalid packet:", p)) raise + def test_lb_affinity(self): + """ NAT44 local service load balancing affinity """ + external_addr_n = socket.inet_pton(socket.AF_INET, self.nat_addr) + external_port = 80 + local_port = 8080 + server1 = self.pg0.remote_hosts[0] + server2 = self.pg0.remote_hosts[1] + + locals = [{'addr': server1.ip4n, + 'port': local_port, + 'probability': 50, + 'vrf_id': 0}, + {'addr': server2.ip4n, + 'port': local_port, + 'probability': 50, + 'vrf_id': 0}] + + self.nat44_add_address(self.nat_addr) + self.vapi.nat44_add_del_lb_static_mapping(external_addr_n, + external_port, + IP_PROTOS.tcp, + affinity=10800, + local_num=len(locals), + locals=locals) + self.vapi.nat44_interface_add_del_feature(self.pg0.sw_if_index) + self.vapi.nat44_interface_add_del_feature(self.pg1.sw_if_index, + is_inside=0) + + p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) / + IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / + TCP(sport=1025, dport=external_port)) + self.pg1.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg0.get_capture(1) + backend = capture[0][IP].dst + + sessions = self.vapi.nat44_user_session_dump( + socket.inet_pton(socket.AF_INET, backend), 0) + self.assertEqual(len(sessions), 1) + self.assertTrue(sessions[0].ext_host_valid) + self.vapi.nat44_del_session( + sessions[0].inside_ip_address, + sessions[0].inside_port, + sessions[0].protocol, + ext_host_address=sessions[0].ext_host_address, + ext_host_port=sessions[0].ext_host_port) + + pkts = [] + for port in range(1030, 1100): + p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) / + IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / + TCP(sport=port, dport=external_port)) + pkts.append(p) + self.pg1.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg0.get_capture(len(pkts)) + for p in capture: + self.assertEqual(p[IP].dst, backend) + def test_unknown_proto(self): """ NAT44 translate packet with unknown protocol """ self.nat44_add_address(self.nat_addr) @@ -3839,24 +4168,81 @@ class TestNAT44EndpointDependent(MethodHolder): self.logger.error(ppp("Unexpected or invalid packet:", p)) raise - def twice_nat_common(self, self_twice_nat=False, same_pg=False, lb=False, - client_id=None): + def test_next_src_nat(self): + """ On way back forward packet to nat44-in2out node. """ twice_nat_addr = '10.0.1.3' + external_port = 80 + local_port = 8080 + post_twice_nat_port = 0 - port_in = 8080 - if lb: - if not same_pg: - port_in1 = port_in - port_in2 = port_in - else: - port_in1 = port_in+1 - port_in2 = port_in+2 - - port_out = 80 - eh_port_out = 4567 + self.vapi.nat44_forwarding_enable_disable(1) + self.nat44_add_address(twice_nat_addr, twice_nat=1) + self.nat44_add_static_mapping(self.pg6.remote_ip4, self.pg1.remote_ip4, + local_port, external_port, + proto=IP_PROTOS.tcp, out2in_only=1, + self_twice_nat=1, vrf_id=1) + self.vapi.nat44_interface_add_del_feature(self.pg6.sw_if_index, + is_inside=0) - server1 = self.pg0.remote_hosts[0] - server2 = self.pg0.remote_hosts[1] + p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) / + IP(src=self.pg6.remote_ip4, dst=self.pg1.remote_ip4) / + TCP(sport=12345, dport=external_port)) + self.pg6.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg6.get_capture(1) + p = capture[0] + try: + ip = p[IP] + tcp = p[TCP] + self.assertEqual(ip.src, twice_nat_addr) + self.assertNotEqual(tcp.sport, 12345) + post_twice_nat_port = tcp.sport + self.assertEqual(ip.dst, self.pg6.remote_ip4) + self.assertEqual(tcp.dport, local_port) + self.assert_packet_checksums_valid(p) + except: + self.logger.error(ppp("Unexpected or invalid packet:", p)) + raise + + p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) / + IP(src=self.pg6.remote_ip4, dst=twice_nat_addr) / + TCP(sport=local_port, dport=post_twice_nat_port)) + self.pg6.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg6.get_capture(1) + p = capture[0] + try: + ip = p[IP] + tcp = p[TCP] + self.assertEqual(ip.src, self.pg1.remote_ip4) + self.assertEqual(tcp.sport, external_port) + self.assertEqual(ip.dst, self.pg6.remote_ip4) + self.assertEqual(tcp.dport, 12345) + self.assert_packet_checksums_valid(p) + except: + self.logger.error(ppp("Unexpected or invalid packet:", p)) + raise + + def twice_nat_common(self, self_twice_nat=False, same_pg=False, lb=False, + client_id=None): + twice_nat_addr = '10.0.1.3' + + port_in = 8080 + if lb: + if not same_pg: + port_in1 = port_in + port_in2 = port_in + else: + port_in1 = port_in+1 + port_in2 = port_in+2 + + port_out = 80 + eh_port_out = 4567 + + server1 = self.pg0.remote_hosts[0] + server2 = self.pg0.remote_hosts[1] if lb and same_pg: server2 = server1 if not lb: @@ -3882,10 +4268,12 @@ class TestNAT44EndpointDependent(MethodHolder): else: locals = [{'addr': server1.ip4n, 'port': port_in1, - 'probability': 50}, + 'probability': 50, + 'vrf_id': 0}, {'addr': server2.ip4n, 'port': port_in2, - 'probability': 50}] + 'probability': 50, + 'vrf_id': 0}] out_addr_n = socket.inet_pton(socket.AF_INET, self.nat_addr) self.vapi.nat44_add_del_lb_static_mapping(out_addr_n, port_out, @@ -4396,6 +4784,423 @@ class TestNAT44EndpointDependent(MethodHolder): self.logger.error(ppp("Unexpected or invalid packet:", p)) raise + def test_output_feature(self): + """ NAT44 interface output feature (in2out postrouting) """ + self.vapi.nat44_forwarding_enable_disable(1) + self.nat44_add_address(self.nat_addr) + self.vapi.nat44_interface_add_del_feature(self.pg0.sw_if_index, + is_inside=0) + self.vapi.nat44_interface_add_del_output_feature(self.pg1.sw_if_index, + is_inside=0) + + # in2out + pkts = self.create_stream_in(self.pg0, self.pg1) + self.pg0.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg1.get_capture(len(pkts)) + self.verify_capture_out(capture) + + # out2in + pkts = self.create_stream_out(self.pg1) + self.pg1.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg0.get_capture(len(pkts)) + self.verify_capture_in(capture, self.pg0) + + def test_multiple_vrf(self): + """ Multiple VRF setup """ + external_addr = '1.2.3.4' + external_port = 80 + local_port = 8080 + port = 0 + + self.vapi.nat44_forwarding_enable_disable(1) + self.nat44_add_address(self.nat_addr) + self.vapi.nat44_interface_add_del_feature(self.pg0.sw_if_index) + self.vapi.nat44_interface_add_del_feature(self.pg0.sw_if_index, + is_inside=0) + self.vapi.nat44_interface_add_del_output_feature(self.pg1.sw_if_index, + is_inside=0) + self.vapi.nat44_interface_add_del_feature(self.pg5.sw_if_index) + self.vapi.nat44_interface_add_del_feature(self.pg5.sw_if_index, + is_inside=0) + self.vapi.nat44_interface_add_del_feature(self.pg6.sw_if_index, + is_inside=0) + self.nat44_add_static_mapping(self.pg5.remote_ip4, external_addr, + local_port, external_port, vrf_id=1, + proto=IP_PROTOS.tcp, out2in_only=1) + self.nat44_add_static_mapping( + self.pg0.remote_ip4, external_sw_if_index=self.pg0.sw_if_index, + local_port=local_port, vrf_id=0, external_port=external_port, + proto=IP_PROTOS.tcp, out2in_only=1) + + # from client to service (both VRF1) + p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) / + IP(src=self.pg6.remote_ip4, dst=external_addr) / + TCP(sport=12345, dport=external_port)) + self.pg6.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg5.get_capture(1) + p = capture[0] + try: + ip = p[IP] + tcp = p[TCP] + self.assertEqual(ip.dst, self.pg5.remote_ip4) + self.assertEqual(tcp.dport, local_port) + self.assert_packet_checksums_valid(p) + except: + self.logger.error(ppp("Unexpected or invalid packet:", p)) + raise + + # from service back to client (both VRF1) + p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) / + IP(src=self.pg5.remote_ip4, dst=self.pg6.remote_ip4) / + TCP(sport=local_port, dport=12345)) + self.pg5.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg6.get_capture(1) + p = capture[0] + try: + ip = p[IP] + tcp = p[TCP] + self.assertEqual(ip.src, external_addr) + self.assertEqual(tcp.sport, external_port) + self.assert_packet_checksums_valid(p) + except: + self.logger.error(ppp("Unexpected or invalid packet:", p)) + raise + + # dynamic NAT from VRF1 to VRF0 (output-feature) + p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) / + IP(src=self.pg5.remote_ip4, dst=self.pg1.remote_ip4) / + TCP(sport=2345, dport=22)) + self.pg5.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg1.get_capture(1) + p = capture[0] + try: + ip = p[IP] + tcp = p[TCP] + self.assertEqual(ip.src, self.nat_addr) + self.assertNotEqual(tcp.sport, 2345) + self.assert_packet_checksums_valid(p) + port = tcp.sport + except: + self.logger.error(ppp("Unexpected or invalid packet:", p)) + raise + + p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) / + IP(src=self.pg1.remote_ip4, dst=self.nat_addr) / + TCP(sport=22, dport=port)) + self.pg1.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg5.get_capture(1) + p = capture[0] + try: + ip = p[IP] + tcp = p[TCP] + self.assertEqual(ip.dst, self.pg5.remote_ip4) + self.assertEqual(tcp.dport, 2345) + self.assert_packet_checksums_valid(p) + except: + self.logger.error(ppp("Unexpected or invalid packet:", p)) + raise + + # from client VRF1 to service VRF0 + p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) / + IP(src=self.pg6.remote_ip4, dst=self.pg0.local_ip4) / + TCP(sport=12346, dport=external_port)) + self.pg6.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg0.get_capture(1) + p = capture[0] + try: + ip = p[IP] + tcp = p[TCP] + self.assertEqual(ip.dst, self.pg0.remote_ip4) + self.assertEqual(tcp.dport, local_port) + self.assert_packet_checksums_valid(p) + except: + self.logger.error(ppp("Unexpected or invalid packet:", p)) + raise + + # from service VRF0 back to client VRF1 + p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / + IP(src=self.pg0.remote_ip4, dst=self.pg6.remote_ip4) / + TCP(sport=local_port, dport=12346)) + self.pg0.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg6.get_capture(1) + p = capture[0] + try: + ip = p[IP] + tcp = p[TCP] + self.assertEqual(ip.src, self.pg0.local_ip4) + self.assertEqual(tcp.sport, external_port) + self.assert_packet_checksums_valid(p) + except: + self.logger.error(ppp("Unexpected or invalid packet:", p)) + raise + + # from client VRF0 to service VRF1 + p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / + IP(src=self.pg0.remote_ip4, dst=external_addr) / + TCP(sport=12347, dport=external_port)) + self.pg0.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg5.get_capture(1) + p = capture[0] + try: + ip = p[IP] + tcp = p[TCP] + self.assertEqual(ip.dst, self.pg5.remote_ip4) + self.assertEqual(tcp.dport, local_port) + self.assert_packet_checksums_valid(p) + except: + self.logger.error(ppp("Unexpected or invalid packet:", p)) + raise + + # from service VRF1 back to client VRF0 + p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) / + IP(src=self.pg5.remote_ip4, dst=self.pg0.remote_ip4) / + TCP(sport=local_port, dport=12347)) + self.pg5.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg0.get_capture(1) + p = capture[0] + try: + ip = p[IP] + tcp = p[TCP] + self.assertEqual(ip.src, external_addr) + self.assertEqual(tcp.sport, external_port) + self.assert_packet_checksums_valid(p) + except: + self.logger.error(ppp("Unexpected or invalid packet:", p)) + raise + + # from client to server (both VRF1, no translation) + p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) / + IP(src=self.pg6.remote_ip4, dst=self.pg5.remote_ip4) / + TCP(sport=12348, dport=local_port)) + self.pg6.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg5.get_capture(1) + p = capture[0] + try: + ip = p[IP] + tcp = p[TCP] + self.assertEqual(ip.dst, self.pg5.remote_ip4) + self.assertEqual(tcp.dport, local_port) + self.assert_packet_checksums_valid(p) + except: + self.logger.error(ppp("Unexpected or invalid packet:", p)) + raise + + # from server back to client (both VRF1, no translation) + p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) / + IP(src=self.pg5.remote_ip4, dst=self.pg6.remote_ip4) / + TCP(sport=local_port, dport=12348)) + self.pg5.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg6.get_capture(1) + p = capture[0] + try: + ip = p[IP] + tcp = p[TCP] + self.assertEqual(ip.src, self.pg5.remote_ip4) + self.assertEqual(tcp.sport, local_port) + self.assert_packet_checksums_valid(p) + except: + self.logger.error(ppp("Unexpected or invalid packet:", p)) + raise + + # from client VRF1 to server VRF0 (no translation) + p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / + IP(src=self.pg0.remote_ip4, dst=self.pg6.remote_ip4) / + TCP(sport=local_port, dport=12349)) + self.pg0.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg6.get_capture(1) + p = capture[0] + try: + ip = p[IP] + tcp = p[TCP] + self.assertEqual(ip.src, self.pg0.remote_ip4) + self.assertEqual(tcp.sport, local_port) + self.assert_packet_checksums_valid(p) + except: + self.logger.error(ppp("Unexpected or invalid packet:", p)) + raise + + # from server VRF0 back to client VRF1 (no translation) + p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / + IP(src=self.pg0.remote_ip4, dst=self.pg6.remote_ip4) / + TCP(sport=local_port, dport=12349)) + self.pg0.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg6.get_capture(1) + p = capture[0] + try: + ip = p[IP] + tcp = p[TCP] + self.assertEqual(ip.src, self.pg0.remote_ip4) + self.assertEqual(tcp.sport, local_port) + self.assert_packet_checksums_valid(p) + except: + self.logger.error(ppp("Unexpected or invalid packet:", p)) + raise + + # from client VRF0 to server VRF1 (no translation) + p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / + IP(src=self.pg0.remote_ip4, dst=self.pg5.remote_ip4) / + TCP(sport=12344, dport=local_port)) + self.pg0.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg5.get_capture(1) + p = capture[0] + try: + ip = p[IP] + tcp = p[TCP] + self.assertEqual(ip.dst, self.pg5.remote_ip4) + self.assertEqual(tcp.dport, local_port) + self.assert_packet_checksums_valid(p) + except: + self.logger.error(ppp("Unexpected or invalid packet:", p)) + raise + + # from server VRF1 back to client VRF0 (no translation) + p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) / + IP(src=self.pg5.remote_ip4, dst=self.pg0.remote_ip4) / + TCP(sport=local_port, dport=12344)) + self.pg5.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg0.get_capture(1) + p = capture[0] + try: + ip = p[IP] + tcp = p[TCP] + self.assertEqual(ip.src, self.pg5.remote_ip4) + self.assertEqual(tcp.sport, local_port) + self.assert_packet_checksums_valid(p) + except: + self.logger.error(ppp("Unexpected or invalid packet:", p)) + raise + + @unittest.skipUnless(running_extended_tests(), "part of extended tests") + def test_session_timeout(self): + """ NAT44 session timeouts """ + self.nat44_add_address(self.nat_addr) + self.vapi.nat44_interface_add_del_feature(self.pg0.sw_if_index) + self.vapi.nat44_interface_add_del_feature(self.pg1.sw_if_index, + is_inside=0) + self.vapi.nat_set_timeouts(icmp=5) + + max_sessions = 1000 + pkts = [] + for i in range(0, max_sessions): + src = "10.10.%u.%u" % ((i & 0xFF00) >> 8, i & 0xFF) + p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / + IP(src=src, dst=self.pg1.remote_ip4) / + ICMP(id=1025, type='echo-request')) + pkts.append(p) + self.pg0.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + self.pg1.get_capture(max_sessions) + + sleep(10) + + pkts = [] + for i in range(0, max_sessions): + src = "10.10.%u.%u" % ((i & 0xFF00) >> 8, i & 0xFF) + p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / + IP(src=src, dst=self.pg1.remote_ip4) / + ICMP(id=1026, type='echo-request')) + pkts.append(p) + self.pg0.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + self.pg1.get_capture(max_sessions) + + nsessions = 0 + users = self.vapi.nat44_user_dump() + for user in users: + nsessions = nsessions + user.nsessions + self.assertLess(nsessions, 2 * max_sessions) + + @unittest.skipUnless(running_extended_tests(), "part of extended tests") + def test_session_limit_per_user(self): + """ Maximum sessions per user limit """ + self.nat44_add_address(self.nat_addr) + self.vapi.nat44_interface_add_del_feature(self.pg0.sw_if_index) + self.vapi.nat44_interface_add_del_feature(self.pg1.sw_if_index, + is_inside=0) + self.vapi.set_ipfix_exporter(collector_address=self.pg2.remote_ip4n, + src_address=self.pg2.local_ip4n, + path_mtu=512, + template_interval=10) + + # get maximum number of translations per user + nat44_config = self.vapi.nat_show_config() + + pkts = [] + for port in range(0, nat44_config.max_translations_per_user): + p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / + IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / + UDP(sport=1025 + port, dport=1025 + port)) + pkts.append(p) + + self.pg0.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg1.get_capture(len(pkts)) + + self.vapi.nat_ipfix(domain_id=self.ipfix_domain_id, + src_port=self.ipfix_src_port) + + p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / + IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / + UDP(sport=3001, dport=3002)) + self.pg0.add_stream(p) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg1.assert_nothing_captured() + + # verify IPFIX logging + self.vapi.cli("ipfix flush") # FIXME this should be an API call + sleep(1) + capture = self.pg2.get_capture(10) + ipfix = IPFIXDecoder() + # first load template + for p in capture: + self.assertTrue(p.haslayer(IPFIX)) + if p.haslayer(Template): + ipfix.add_template(p.getlayer(Template)) + # verify events in data set + for p in capture: + if p.haslayer(Data): + data = ipfix.decode_data_set(p.getlayer(Set)) + self.verify_ipfix_max_entries_per_user( + data, + nat44_config.max_translations_per_user, + self.pg0.remote_ip4n) + def tearDown(self): super(TestNAT44EndpointDependent, self).tearDown() if not self.vpp_dead: @@ -4405,6 +5210,7 @@ class TestNAT44EndpointDependent(MethodHolder): self.logger.info(self.vapi.cli("show nat44 interface address")) self.logger.info(self.vapi.cli("show nat44 sessions detail")) self.logger.info(self.vapi.cli("show nat44 hash tables detail")) + self.logger.info(self.vapi.cli("show nat timeouts")) self.clear_nat44() self.vapi.cli("clear logging") @@ -4469,6 +5275,9 @@ class TestNAT44Out2InDPO(MethodHolder): def test_464xlat_ce(self): """ Test 464XLAT CE with NAT44 """ + nat_config = self.vapi.nat_show_config() + self.assertEqual(1, nat_config.out2in_dpo) + self.configure_xlat() self.vapi.nat44_interface_add_del_feature(self.pg0.sw_if_index) @@ -4623,18 +5432,16 @@ class TestDeterministicNAT(MethodHolder): return pkts - def verify_capture_out(self, capture, nat_ip=None, packet_num=3): + def verify_capture_out(self, capture, nat_ip=None): """ Verify captured packets on outside network :param capture: Captured packets :param nat_ip: Translated IP address (Default use global NAT address) :param same_port: Sorce port number is not translated (Default False) - :param packet_num: Expected number of packets (Default 3) """ if nat_ip is None: nat_ip = self.nat_addr - self.assertEqual(packet_num, len(capture)) for packet in capture: try: self.assertEqual(packet[IP].src, nat_ip) @@ -4649,23 +5456,6 @@ class TestDeterministicNAT(MethodHolder): "(outside network):", packet)) raise - def verify_ipfix_max_entries_per_user(self, data): - """ - Verify IPFIX maximum entries per user exceeded event - - :param data: Decoded IPFIX data records - """ - self.assertEqual(1, len(data)) - record = data[0] - # natEvent - self.assertEqual(ord(record[230]), 13) - # natQuotaExceededEvent - self.assertEqual('\x03\x00\x00\x00', record[466]) - # maxEntriesPerUser - self.assertEqual('\xe8\x03\x00\x00', record[473]) - # sourceIPv4Address - self.assertEqual(self.pg0.remote_ip4n, record[8]) - def test_deterministic_mode(self): """ NAT plugin run deterministic mode """ in_addr = '172.16.255.0' @@ -4701,14 +5491,14 @@ class TestDeterministicNAT(MethodHolder): def test_set_timeouts(self): """ Set deterministic NAT timeouts """ - timeouts_before = self.vapi.nat_det_get_timeouts() + timeouts_before = self.vapi.nat_get_timeouts() - self.vapi.nat_det_set_timeouts(timeouts_before.udp + 10, - timeouts_before.tcp_established + 10, - timeouts_before.tcp_transitory + 10, - timeouts_before.icmp + 10) + self.vapi.nat_set_timeouts(timeouts_before.udp + 10, + timeouts_before.tcp_established + 10, + timeouts_before.tcp_transitory + 10, + timeouts_before.icmp + 10) - timeouts_after = self.vapi.nat_det_get_timeouts() + timeouts_after = self.vapi.nat_get_timeouts() self.assertNotEqual(timeouts_before.udp, timeouts_after.udp) self.assertNotEqual(timeouts_before.icmp, timeouts_after.icmp) @@ -5023,7 +5813,7 @@ class TestDeterministicNAT(MethodHolder): is_inside=0) self.initiate_tcp_session(self.pg0, self.pg1) - self.vapi.nat_det_set_timeouts(5, 5, 5, 5) + self.vapi.nat_set_timeouts(5, 5, 5, 5) pkts = self.create_stream_in(self.pg0, self.pg1) self.pg0.add_stream(pkts) self.pg_enable_capture(self.pg_interfaces) @@ -5100,14 +5890,16 @@ class TestDeterministicNAT(MethodHolder): for p in capture: if p.haslayer(Data): data = ipfix.decode_data_set(p.getlayer(Set)) - self.verify_ipfix_max_entries_per_user(data) + self.verify_ipfix_max_entries_per_user(data, + 1000, + self.pg0.remote_ip4n) def clear_nat_det(self): """ Clear deterministic NAT configuration. """ self.vapi.nat_ipfix(enable=0) - self.vapi.nat_det_set_timeouts() + self.vapi.nat_set_timeouts() deterministic_mappings = self.vapi.nat_det_map_dump() for dsm in deterministic_mappings: self.vapi.nat_det_add_del_map(dsm.in_addr, @@ -5126,10 +5918,9 @@ class TestDeterministicNAT(MethodHolder): super(TestDeterministicNAT, self).tearDown() if not self.vpp_dead: self.logger.info(self.vapi.cli("show nat44 interfaces")) + self.logger.info(self.vapi.cli("show nat timeouts")) self.logger.info( self.vapi.cli("show nat44 deterministic mappings")) - self.logger.info( - self.vapi.cli("show nat44 deterministic timeouts")) self.logger.info( self.vapi.cli("show nat44 deterministic sessions")) self.clear_nat_det() @@ -5164,7 +5955,7 @@ class TestNAT64(MethodHolder): cls.ipfix_src_port = 4739 cls.ipfix_domain_id = 1 - cls.create_pg_interfaces(range(5)) + cls.create_pg_interfaces(range(6)) cls.ip6_interfaces = list(cls.pg_interfaces[0:1]) cls.ip6_interfaces.append(cls.pg_interfaces[2]) cls.ip4_interfaces = list(cls.pg_interfaces[1:2]) @@ -5191,10 +5982,65 @@ class TestNAT64(MethodHolder): cls.pg3.config_ip6() cls.pg3.configure_ipv6_neighbors() + cls.pg5.admin_up() + cls.pg5.config_ip6() + except Exception: super(TestNAT64, cls).tearDownClass() raise + def test_nat64_inside_interface_handles_neighbor_advertisement(self): + """ NAT64 inside interface handles Neighbor Advertisement """ + + self.vapi.nat64_add_del_interface(self.pg5.sw_if_index) + + # Try to send ping + ping = (Ether(dst=self.pg5.local_mac, src=self.pg5.remote_mac) / + IPv6(src=self.pg5.remote_ip6, dst=self.pg5.local_ip6) / + ICMPv6EchoRequest()) + pkts = [ping] + self.pg5.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + + # Wait for Neighbor Solicitation + capture = self.pg5.get_capture(len(pkts)) + packet = capture[0] + try: + self.assertEqual(packet[IPv6].src, self.pg5.local_ip6) + self.assertTrue(packet.haslayer(ICMPv6ND_NS)) + tgt = packet[ICMPv6ND_NS].tgt + except: + self.logger.error(ppp("Unexpected or invalid packet:", packet)) + raise + + # Send Neighbor Advertisement + p = (Ether(dst=self.pg5.local_mac, src=self.pg5.remote_mac) / + IPv6(src=self.pg5.remote_ip6, dst=self.pg5.local_ip6) / + ICMPv6ND_NA(tgt=tgt) / + ICMPv6NDOptDstLLAddr(lladdr=self.pg5.remote_mac)) + pkts = [p] + self.pg5.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + + # Try to send ping again + pkts = [ping] + self.pg5.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + + # Wait for ping reply + capture = self.pg5.get_capture(len(pkts)) + packet = capture[0] + try: + self.assertEqual(packet[IPv6].src, self.pg5.local_ip6) + self.assertEqual(packet[IPv6].dst, self.pg5.remote_ip6) + self.assertTrue(packet.haslayer(ICMPv6EchoReply)) + except: + self.logger.error(ppp("Unexpected or invalid packet:", packet)) + raise + def test_pool(self): """ Add/delete address to NAT64 pool """ nat_addr = socket.inet_pton(socket.AF_INET, '1.2.3.4') @@ -5281,22 +6127,20 @@ class TestNAT64(MethodHolder): def test_set_timeouts(self): """ Set NAT64 timeouts """ # verify default values - timeouts = self.vapi.nat64_get_timeouts() + timeouts = self.vapi.nat_get_timeouts() self.assertEqual(timeouts.udp, 300) self.assertEqual(timeouts.icmp, 60) - self.assertEqual(timeouts.tcp_trans, 240) - self.assertEqual(timeouts.tcp_est, 7440) - self.assertEqual(timeouts.tcp_incoming_syn, 6) + self.assertEqual(timeouts.tcp_transitory, 240) + self.assertEqual(timeouts.tcp_established, 7440) # set and verify custom values - self.vapi.nat64_set_timeouts(udp=200, icmp=30, tcp_trans=250, - tcp_est=7450, tcp_incoming_syn=10) - timeouts = self.vapi.nat64_get_timeouts() + self.vapi.nat_set_timeouts(udp=200, icmp=30, tcp_transitory=250, + tcp_established=7450) + timeouts = self.vapi.nat_get_timeouts() self.assertEqual(timeouts.udp, 200) self.assertEqual(timeouts.icmp, 30) - self.assertEqual(timeouts.tcp_trans, 250) - self.assertEqual(timeouts.tcp_est, 7450) - self.assertEqual(timeouts.tcp_incoming_syn, 10) + self.assertEqual(timeouts.tcp_transitory, 250) + self.assertEqual(timeouts.tcp_established, 7450) def test_dynamic(self): """ NAT64 dynamic translation test """ @@ -5433,7 +6277,7 @@ class TestNAT64(MethodHolder): self.nat_addr_n) self.vapi.nat64_add_del_interface(self.pg0.sw_if_index) self.vapi.nat64_add_del_interface(self.pg1.sw_if_index, is_inside=0) - self.vapi.nat64_set_timeouts(icmp=5) + self.vapi.nat_set_timeouts(icmp=5, tcp_transitory=5, tcp_established=5) pkts = self.create_stream_in_ip6(self.pg0, self.pg1) self.pg0.add_stream(pkts) @@ -5445,9 +6289,9 @@ class TestNAT64(MethodHolder): sleep(15) - # ICMP session after timeout + # ICMP and TCP session after timeout ses_num_after_timeout = self.nat64_get_ses_num() - self.assertNotEqual(ses_num_before_timeout, ses_num_after_timeout) + self.assertEqual(ses_num_before_timeout - ses_num_after_timeout, 2) def test_icmp_error(self): """ NAT64 ICMP Error message translation """ @@ -6181,7 +7025,7 @@ class TestNAT64(MethodHolder): self.nat_addr_n) self.vapi.nat64_add_del_interface(self.pg0.sw_if_index) self.vapi.nat64_add_del_interface(self.pg1.sw_if_index, is_inside=0) - self.vapi.nat_set_reass(max_frag=0, is_ip6=1) + self.vapi.nat_set_reass(max_frag=1, is_ip6=1) self.vapi.set_ipfix_exporter(collector_address=self.pg3.remote_ip4n, src_address=self.pg3.local_ip4n, path_mtu=512, @@ -6192,7 +7036,8 @@ class TestNAT64(MethodHolder): data = 'a' * 200 pkts = self.create_stream_frag_ip6(self.pg0, self.pg1.remote_ip4, self.tcp_port_in, 20, data) - self.pg0.add_stream(pkts[-1]) + pkts.reverse() + self.pg0.add_stream(pkts) self.pg_enable_capture(self.pg_interfaces) self.pg_start() self.pg1.assert_nothing_captured() @@ -6215,7 +7060,7 @@ class TestNAT64(MethodHolder): for p in capture: if p.haslayer(Data): data = ipfix.decode_data_set(p.getlayer(Set)) - self.verify_ipfix_max_fragments_ip6(data, 0, + self.verify_ipfix_max_fragments_ip6(data, 1, self.pg0.remote_ip6n) def test_ipfix_bib_ses(self): @@ -6319,7 +7164,7 @@ class TestNAT64(MethodHolder): self.ipfix_src_port = 4739 self.ipfix_domain_id = 1 - self.vapi.nat64_set_timeouts() + self.vapi.nat_set_timeouts() interfaces = self.vapi.nat64_interface_dump() for intf in interfaces: @@ -6394,6 +7239,9 @@ class TestDSlite(MethodHolder): def test_dslite(self): """ Test DS-Lite """ + nat_config = self.vapi.nat_show_config() + self.assertEqual(0, nat_config.dslite_ce) + self.vapi.dslite_add_del_pool_addr_range(self.nat_addr_n, self.nat_addr_n) aftr_ip4 = '192.0.0.1' @@ -6510,7 +7358,6 @@ class TestDSlite(MethodHolder): self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg1.get_capture(1) - self.assertEqual(1, len(capture)) capture = capture[0] self.assertEqual(capture[IPv6].src, aftr_ip6) self.assertEqual(capture[IPv6].dst, self.pg1.remote_hosts[1].ip6) @@ -6554,6 +7401,9 @@ class TestDSliteCE(MethodHolder): def test_dslite_ce(self): """ Test DS-Lite CE """ + nat_config = self.vapi.nat_show_config() + self.assertEqual(1, nat_config.dslite_ce) + b4_ip4 = '192.0.0.2' b4_ip4_n = socket.inet_pton(socket.AF_INET, b4_ip4) b4_ip6 = '2001:db8:62aa::375e:f4c1:1' @@ -6614,7 +7464,6 @@ class TestDSliteCE(MethodHolder): self.pg_enable_capture(self.pg_interfaces) self.pg_start() capture = self.pg1.get_capture(1) - self.assertEqual(1, len(capture)) capture = capture[0] self.assertEqual(capture[IPv6].src, b4_ip6) self.assertEqual(capture[IPv6].dst, self.pg1.remote_hosts[0].ip6)