5 from random import randint
8 from framework import tag_fixme_vpp_workers
9 from framework import VppTestCase, VppTestRunner
10 from scapy.data import IP_PROTOS
11 from scapy.layers.inet import IP, TCP, UDP, ICMP, GRE
12 from scapy.layers.inet import IPerror, TCPerror
13 from scapy.layers.l2 import Ether
14 from scapy.packet import Raw
15 from syslog_rfc5424_parser import SyslogMessage, ParseError
16 from syslog_rfc5424_parser.constants import SyslogSeverity
17 from util import ppp, ip4_range
18 from vpp_acl import AclRule, VppAcl, VppAclInterface
19 from vpp_ip_route import VppIpRoute, VppRoutePath
20 from vpp_papi import VppEnum
23 class NAT44EDTestCase(VppTestCase):
36 tcp_external_port = 80
41 super(NAT44EDTestCase, self).setUp()
45 super(NAT44EDTestCase, self).tearDown()
49 def plugin_enable(self):
50 self.vapi.nat44_plugin_enable_disable(
51 sessions=self.max_sessions, enable=1)
53 def plugin_disable(self):
54 self.vapi.nat44_plugin_enable_disable(enable=0)
57 def config_flags(self):
58 return VppEnum.vl_api_nat_config_flags_t
61 def nat44_config_flags(self):
62 return VppEnum.vl_api_nat44_config_flags_t
65 def syslog_severity(self):
66 return VppEnum.vl_api_syslog_severity_t
69 def server_addr(self):
70 return self.pg1.remote_hosts[0].ip4
74 return randint(1025, 65535)
77 def proto2layer(proto):
78 if proto == IP_PROTOS.tcp:
80 elif proto == IP_PROTOS.udp:
82 elif proto == IP_PROTOS.icmp:
85 raise Exception("Unsupported protocol")
88 def create_and_add_ip4_table(cls, i, table_id=0):
89 cls.vapi.ip_table_add_del(is_add=1, table={'table_id': table_id})
90 i.set_table_ip4(table_id)
93 def configure_ip4_interface(cls, i, hosts=0, table_id=None):
95 cls.create_and_add_ip4_table(i, table_id)
103 i.generate_remote_hosts(hosts)
104 i.configure_ipv4_neighbors()
107 def nat_add_interface_address(cls, i):
108 cls.vapi.nat44_add_del_interface_addr(
109 sw_if_index=i.sw_if_index, is_add=1)
111 def nat_add_inside_interface(self, i):
112 self.vapi.nat44_interface_add_del_feature(
113 flags=self.config_flags.NAT_IS_INSIDE,
114 sw_if_index=i.sw_if_index, is_add=1)
116 def nat_add_outside_interface(self, i):
117 self.vapi.nat44_interface_add_del_feature(
118 flags=self.config_flags.NAT_IS_OUTSIDE,
119 sw_if_index=i.sw_if_index, is_add=1)
121 def nat_add_address(self, address, twice_nat=0,
122 vrf_id=0xFFFFFFFF, is_add=1):
123 flags = self.config_flags.NAT_IS_TWICE_NAT if twice_nat else 0
124 self.vapi.nat44_add_del_address_range(first_ip_address=address,
125 last_ip_address=address,
130 def nat_add_static_mapping(self, local_ip, external_ip='0.0.0.0',
131 local_port=0, external_port=0, vrf_id=0,
132 is_add=1, external_sw_if_index=0xFFFFFFFF,
133 proto=0, tag="", flags=0):
135 if not (local_port and external_port):
136 flags |= self.config_flags.NAT_IS_ADDR_ONLY
138 self.vapi.nat44_add_del_static_mapping(
140 local_ip_address=local_ip,
141 external_ip_address=external_ip,
142 external_sw_if_index=external_sw_if_index,
143 local_port=local_port,
144 external_port=external_port,
145 vrf_id=vrf_id, protocol=proto,
151 super(NAT44EDTestCase, cls).setUpClass()
153 cls.create_pg_interfaces(range(12))
154 cls.interfaces = list(cls.pg_interfaces[:4])
156 cls.create_and_add_ip4_table(cls.pg2, 10)
158 for i in cls.interfaces:
159 cls.configure_ip4_interface(i, hosts=3)
161 # test specific (test-multiple-vrf)
162 cls.vapi.ip_table_add_del(is_add=1, table={'table_id': 1})
164 # test specific (test-one-armed-nat44-static)
165 cls.pg4.generate_remote_hosts(2)
167 cls.vapi.sw_interface_add_del_address(
168 sw_if_index=cls.pg4.sw_if_index,
169 prefix="10.0.0.1/24")
171 cls.pg4.resolve_arp()
172 cls.pg4._remote_hosts[1]._ip4 = cls.pg4._remote_hosts[0]._ip4
173 cls.pg4.resolve_arp()
175 # test specific interface (pg5)
176 cls.pg5._local_ip4 = "10.1.1.1"
177 cls.pg5._remote_hosts[0]._ip4 = "10.1.1.2"
178 cls.pg5.set_table_ip4(1)
181 cls.pg5.resolve_arp()
183 # test specific interface (pg6)
184 cls.pg6._local_ip4 = "10.1.2.1"
185 cls.pg6._remote_hosts[0]._ip4 = "10.1.2.2"
186 cls.pg6.set_table_ip4(1)
189 cls.pg6.resolve_arp()
193 rl.append(VppIpRoute(cls, "0.0.0.0", 0,
194 [VppRoutePath("0.0.0.0", 0xffffffff,
196 register=False, table_id=1))
197 rl.append(VppIpRoute(cls, "0.0.0.0", 0,
198 [VppRoutePath(cls.pg1.local_ip4,
199 cls.pg1.sw_if_index)],
201 rl.append(VppIpRoute(cls, cls.pg5.remote_ip4, 32,
202 [VppRoutePath("0.0.0.0",
203 cls.pg5.sw_if_index)],
204 register=False, table_id=1))
205 rl.append(VppIpRoute(cls, cls.pg6.remote_ip4, 32,
206 [VppRoutePath("0.0.0.0",
207 cls.pg6.sw_if_index)],
208 register=False, table_id=1))
209 rl.append(VppIpRoute(cls, cls.pg6.remote_ip4, 16,
210 [VppRoutePath("0.0.0.0", 0xffffffff,
212 register=False, table_id=0))
217 def get_err_counter(self, path):
218 return self.statistics.get_err_counter(path)
220 def get_stats_counter(self, path, worker=0):
221 return self.statistics.get_counter(path)[worker]
223 def reass_hairpinning(self, server_addr, server_in_port, server_out_port,
224 host_in_port, proto=IP_PROTOS.tcp,
226 layer = self.proto2layer(proto)
228 if proto == IP_PROTOS.tcp:
229 data = b"A" * 4 + b"B" * 16 + b"C" * 3
231 data = b"A" * 16 + b"B" * 16 + b"C" * 3
233 # send packet from host to server
234 pkts = self.create_stream_frag(self.pg0,
240 self.pg0.add_stream(pkts)
241 self.pg_enable_capture(self.pg_interfaces)
243 frags = self.pg0.get_capture(len(pkts))
244 p = self.reass_frags_and_verify(frags,
247 if proto != IP_PROTOS.icmp:
249 self.assertNotEqual(p[layer].sport, host_in_port)
250 self.assertEqual(p[layer].dport, server_in_port)
253 self.assertNotEqual(p[layer].id, host_in_port)
254 self.assertEqual(data, p[Raw].load)
256 def frag_out_of_order(self, proto=IP_PROTOS.tcp, dont_translate=False,
258 layer = self.proto2layer(proto)
260 if proto == IP_PROTOS.tcp:
261 data = b"A" * 4 + b"B" * 16 + b"C" * 3
263 data = b"A" * 16 + b"B" * 16 + b"C" * 3
264 self.port_in = self.random_port()
268 pkts = self.create_stream_frag(self.pg0, self.pg1.remote_ip4,
269 self.port_in, 20, data, proto)
271 self.pg0.add_stream(pkts)
272 self.pg_enable_capture(self.pg_interfaces)
274 frags = self.pg1.get_capture(len(pkts))
275 if not dont_translate:
276 p = self.reass_frags_and_verify(frags,
280 p = self.reass_frags_and_verify(frags,
283 if proto != IP_PROTOS.icmp:
284 if not dont_translate:
285 self.assertEqual(p[layer].dport, 20)
287 self.assertNotEqual(p[layer].sport, self.port_in)
289 self.assertEqual(p[layer].sport, self.port_in)
292 if not dont_translate:
293 self.assertNotEqual(p[layer].id, self.port_in)
295 self.assertEqual(p[layer].id, self.port_in)
296 self.assertEqual(data, p[Raw].load)
299 if not dont_translate:
300 dst_addr = self.nat_addr
302 dst_addr = self.pg0.remote_ip4
303 if proto != IP_PROTOS.icmp:
305 dport = p[layer].sport
309 pkts = self.create_stream_frag(self.pg1, dst_addr, sport, dport,
310 data, proto, echo_reply=True)
312 self.pg1.add_stream(pkts)
313 self.pg_enable_capture(self.pg_interfaces)
315 frags = self.pg0.get_capture(len(pkts))
316 p = self.reass_frags_and_verify(frags,
319 if proto != IP_PROTOS.icmp:
320 self.assertEqual(p[layer].sport, 20)
321 self.assertEqual(p[layer].dport, self.port_in)
323 self.assertEqual(p[layer].id, self.port_in)
324 self.assertEqual(data, p[Raw].load)
326 def reass_frags_and_verify(self, frags, src, dst):
329 self.assertEqual(p[IP].src, src)
330 self.assertEqual(p[IP].dst, dst)
331 self.assert_ip_checksum_valid(p)
332 buffer.seek(p[IP].frag * 8)
333 buffer.write(bytes(p[IP].payload))
334 ip = IP(src=frags[0][IP].src, dst=frags[0][IP].dst,
335 proto=frags[0][IP].proto)
336 if ip.proto == IP_PROTOS.tcp:
337 p = (ip / TCP(buffer.getvalue()))
338 self.logger.debug(ppp("Reassembled:", p))
339 self.assert_tcp_checksum_valid(p)
340 elif ip.proto == IP_PROTOS.udp:
341 p = (ip / UDP(buffer.getvalue()[:8]) /
342 Raw(buffer.getvalue()[8:]))
343 elif ip.proto == IP_PROTOS.icmp:
344 p = (ip / ICMP(buffer.getvalue()))
347 def frag_in_order(self, proto=IP_PROTOS.tcp, dont_translate=False,
349 layer = self.proto2layer(proto)
351 if proto == IP_PROTOS.tcp:
352 data = b"A" * 4 + b"B" * 16 + b"C" * 3
354 data = b"A" * 16 + b"B" * 16 + b"C" * 3
355 self.port_in = self.random_port()
358 pkts = self.create_stream_frag(self.pg0, self.pg1.remote_ip4,
359 self.port_in, 20, data, proto)
360 self.pg0.add_stream(pkts)
361 self.pg_enable_capture(self.pg_interfaces)
363 frags = self.pg1.get_capture(len(pkts))
364 if not dont_translate:
365 p = self.reass_frags_and_verify(frags,
369 p = self.reass_frags_and_verify(frags,
372 if proto != IP_PROTOS.icmp:
373 if not dont_translate:
374 self.assertEqual(p[layer].dport, 20)
376 self.assertNotEqual(p[layer].sport, self.port_in)
378 self.assertEqual(p[layer].sport, self.port_in)
381 if not dont_translate:
382 self.assertNotEqual(p[layer].id, self.port_in)
384 self.assertEqual(p[layer].id, self.port_in)
385 self.assertEqual(data, p[Raw].load)
388 if not dont_translate:
389 dst_addr = self.nat_addr
391 dst_addr = self.pg0.remote_ip4
392 if proto != IP_PROTOS.icmp:
394 dport = p[layer].sport
398 pkts = self.create_stream_frag(self.pg1, dst_addr, sport, dport, data,
399 proto, echo_reply=True)
400 self.pg1.add_stream(pkts)
401 self.pg_enable_capture(self.pg_interfaces)
403 frags = self.pg0.get_capture(len(pkts))
404 p = self.reass_frags_and_verify(frags,
407 if proto != IP_PROTOS.icmp:
408 self.assertEqual(p[layer].sport, 20)
409 self.assertEqual(p[layer].dport, self.port_in)
411 self.assertEqual(p[layer].id, self.port_in)
412 self.assertEqual(data, p[Raw].load)
414 def verify_capture_out(self, capture, nat_ip=None, same_port=False,
415 dst_ip=None, ignore_port=False):
417 nat_ip = self.nat_addr
418 for packet in capture:
420 self.assert_packet_checksums_valid(packet)
421 self.assertEqual(packet[IP].src, nat_ip)
422 if dst_ip is not None:
423 self.assertEqual(packet[IP].dst, dst_ip)
424 if packet.haslayer(TCP):
428 packet[TCP].sport, self.tcp_port_in)
431 packet[TCP].sport, self.tcp_port_in)
432 self.tcp_port_out = packet[TCP].sport
433 self.assert_packet_checksums_valid(packet)
434 elif packet.haslayer(UDP):
438 packet[UDP].sport, self.udp_port_in)
441 packet[UDP].sport, self.udp_port_in)
442 self.udp_port_out = packet[UDP].sport
447 packet[ICMP].id, self.icmp_id_in)
450 packet[ICMP].id, self.icmp_id_in)
451 self.icmp_id_out = packet[ICMP].id
452 self.assert_packet_checksums_valid(packet)
454 self.logger.error(ppp("Unexpected or invalid packet "
455 "(outside network):", packet))
458 def verify_capture_in(self, capture, in_if):
459 for packet in capture:
461 self.assert_packet_checksums_valid(packet)
462 self.assertEqual(packet[IP].dst, in_if.remote_ip4)
463 if packet.haslayer(TCP):
464 self.assertEqual(packet[TCP].dport, self.tcp_port_in)
465 elif packet.haslayer(UDP):
466 self.assertEqual(packet[UDP].dport, self.udp_port_in)
468 self.assertEqual(packet[ICMP].id, self.icmp_id_in)
470 self.logger.error(ppp("Unexpected or invalid packet "
471 "(inside network):", packet))
474 def create_stream_in(self, in_if, out_if, dst_ip=None, ttl=64):
476 dst_ip = out_if.remote_ip4
480 p = (Ether(dst=in_if.local_mac, src=in_if.remote_mac) /
481 IP(src=in_if.remote_ip4, dst=dst_ip, ttl=ttl) /
482 TCP(sport=self.tcp_port_in, dport=20))
486 p = (Ether(dst=in_if.local_mac, src=in_if.remote_mac) /
487 IP(src=in_if.remote_ip4, dst=dst_ip, ttl=ttl) /
488 UDP(sport=self.udp_port_in, dport=20))
492 p = (Ether(dst=in_if.local_mac, src=in_if.remote_mac) /
493 IP(src=in_if.remote_ip4, dst=dst_ip, ttl=ttl) /
494 ICMP(id=self.icmp_id_in, type='echo-request'))
499 def create_stream_out(self, out_if, dst_ip=None, ttl=64,
500 use_inside_ports=False):
502 dst_ip = self.nat_addr
503 if not use_inside_ports:
504 tcp_port = self.tcp_port_out
505 udp_port = self.udp_port_out
506 icmp_id = self.icmp_id_out
508 tcp_port = self.tcp_port_in
509 udp_port = self.udp_port_in
510 icmp_id = self.icmp_id_in
513 p = (Ether(dst=out_if.local_mac, src=out_if.remote_mac) /
514 IP(src=out_if.remote_ip4, dst=dst_ip, ttl=ttl) /
515 TCP(dport=tcp_port, sport=20))
519 p = (Ether(dst=out_if.local_mac, src=out_if.remote_mac) /
520 IP(src=out_if.remote_ip4, dst=dst_ip, ttl=ttl) /
521 UDP(dport=udp_port, sport=20))
525 p = (Ether(dst=out_if.local_mac, src=out_if.remote_mac) /
526 IP(src=out_if.remote_ip4, dst=dst_ip, ttl=ttl) /
527 ICMP(id=icmp_id, type='echo-reply'))
532 def create_tcp_stream(self, in_if, out_if, count):
536 for i in range(count):
537 p = (Ether(dst=in_if.local_mac, src=in_if.remote_mac) /
538 IP(src=in_if.remote_ip4, dst=out_if.remote_ip4, ttl=64) /
539 TCP(sport=port + i, dport=20))
544 def create_stream_frag(self, src_if, dst, sport, dport, data,
545 proto=IP_PROTOS.tcp, echo_reply=False):
546 if proto == IP_PROTOS.tcp:
547 p = (IP(src=src_if.remote_ip4, dst=dst) /
548 TCP(sport=sport, dport=dport) /
550 p = p.__class__(scapy.compat.raw(p))
551 chksum = p[TCP].chksum
552 proto_header = TCP(sport=sport, dport=dport, chksum=chksum)
553 elif proto == IP_PROTOS.udp:
554 proto_header = UDP(sport=sport, dport=dport)
555 elif proto == IP_PROTOS.icmp:
557 proto_header = ICMP(id=sport, type='echo-request')
559 proto_header = ICMP(id=sport, type='echo-reply')
561 raise Exception("Unsupported protocol")
562 id = self.random_port()
564 if proto == IP_PROTOS.tcp:
567 raw = Raw(data[0:16])
568 p = (Ether(src=src_if.remote_mac, dst=src_if.local_mac) /
569 IP(src=src_if.remote_ip4, dst=dst, flags="MF", frag=0, id=id) /
573 if proto == IP_PROTOS.tcp:
574 raw = Raw(data[4:20])
576 raw = Raw(data[16:32])
577 p = (Ether(src=src_if.remote_mac, dst=src_if.local_mac) /
578 IP(src=src_if.remote_ip4, dst=dst, flags="MF", frag=3, id=id,
582 if proto == IP_PROTOS.tcp:
586 p = (Ether(src=src_if.remote_mac, dst=src_if.local_mac) /
587 IP(src=src_if.remote_ip4, dst=dst, frag=5, proto=proto,
593 def frag_in_order_in_plus_out(self, in_addr, out_addr, in_port, out_port,
594 proto=IP_PROTOS.tcp):
596 layer = self.proto2layer(proto)
598 if proto == IP_PROTOS.tcp:
599 data = b"A" * 4 + b"B" * 16 + b"C" * 3
601 data = b"A" * 16 + b"B" * 16 + b"C" * 3
602 port_in = self.random_port()
606 pkts = self.create_stream_frag(self.pg0, out_addr,
609 self.pg0.add_stream(pkts)
610 self.pg_enable_capture(self.pg_interfaces)
612 frags = self.pg1.get_capture(len(pkts))
613 p = self.reass_frags_and_verify(frags,
616 if proto != IP_PROTOS.icmp:
617 self.assertEqual(p[layer].sport, port_in)
618 self.assertEqual(p[layer].dport, in_port)
620 self.assertEqual(p[layer].id, port_in)
621 self.assertEqual(data, p[Raw].load)
624 if proto != IP_PROTOS.icmp:
625 pkts = self.create_stream_frag(self.pg1, self.pg0.remote_ip4,
627 p[layer].sport, data, proto)
629 pkts = self.create_stream_frag(self.pg1, self.pg0.remote_ip4,
630 p[layer].id, 0, data, proto,
632 self.pg1.add_stream(pkts)
633 self.pg_enable_capture(self.pg_interfaces)
635 frags = self.pg0.get_capture(len(pkts))
636 p = self.reass_frags_and_verify(frags,
639 if proto != IP_PROTOS.icmp:
640 self.assertEqual(p[layer].sport, out_port)
641 self.assertEqual(p[layer].dport, port_in)
643 self.assertEqual(p[layer].id, port_in)
644 self.assertEqual(data, p[Raw].load)
646 def frag_out_of_order_in_plus_out(self, in_addr, out_addr, in_port,
647 out_port, proto=IP_PROTOS.tcp):
649 layer = self.proto2layer(proto)
651 if proto == IP_PROTOS.tcp:
652 data = b"A" * 4 + b"B" * 16 + b"C" * 3
654 data = b"A" * 16 + b"B" * 16 + b"C" * 3
655 port_in = self.random_port()
659 pkts = self.create_stream_frag(self.pg0, out_addr,
663 self.pg0.add_stream(pkts)
664 self.pg_enable_capture(self.pg_interfaces)
666 frags = self.pg1.get_capture(len(pkts))
667 p = self.reass_frags_and_verify(frags,
670 if proto != IP_PROTOS.icmp:
671 self.assertEqual(p[layer].dport, in_port)
672 self.assertEqual(p[layer].sport, port_in)
673 self.assertEqual(p[layer].dport, in_port)
675 self.assertEqual(p[layer].id, port_in)
676 self.assertEqual(data, p[Raw].load)
679 if proto != IP_PROTOS.icmp:
680 pkts = self.create_stream_frag(self.pg1, self.pg0.remote_ip4,
682 p[layer].sport, data, proto)
684 pkts = self.create_stream_frag(self.pg1, self.pg0.remote_ip4,
685 p[layer].id, 0, data, proto,
688 self.pg1.add_stream(pkts)
689 self.pg_enable_capture(self.pg_interfaces)
691 frags = self.pg0.get_capture(len(pkts))
692 p = self.reass_frags_and_verify(frags,
695 if proto != IP_PROTOS.icmp:
696 self.assertEqual(p[layer].sport, out_port)
697 self.assertEqual(p[layer].dport, port_in)
699 self.assertEqual(p[layer].id, port_in)
700 self.assertEqual(data, p[Raw].load)
702 def init_tcp_session(self, in_if, out_if, in_port, ext_port):
704 p = (Ether(src=in_if.remote_mac, dst=in_if.local_mac) /
705 IP(src=in_if.remote_ip4, dst=out_if.remote_ip4) /
706 TCP(sport=in_port, dport=ext_port, flags="S"))
708 self.pg_enable_capture(self.pg_interfaces)
710 capture = out_if.get_capture(1)
712 out_port = p[TCP].sport
714 # SYN + ACK packet out->in
715 p = (Ether(src=out_if.remote_mac, dst=out_if.local_mac) /
716 IP(src=out_if.remote_ip4, dst=self.nat_addr) /
717 TCP(sport=ext_port, dport=out_port, flags="SA"))
719 self.pg_enable_capture(self.pg_interfaces)
724 p = (Ether(src=in_if.remote_mac, dst=in_if.local_mac) /
725 IP(src=in_if.remote_ip4, dst=out_if.remote_ip4) /
726 TCP(sport=in_port, dport=ext_port, flags="A"))
728 self.pg_enable_capture(self.pg_interfaces)
730 out_if.get_capture(1)
734 def twice_nat_common(self, self_twice_nat=False, same_pg=False, lb=False,
736 twice_nat_addr = '10.0.1.3'
744 port_in1 = port_in + 1
745 port_in2 = port_in + 2
750 server1 = self.pg0.remote_hosts[0]
751 server2 = self.pg0.remote_hosts[1]
763 eh_translate = ((not self_twice_nat) or (not lb and same_pg) or
766 self.nat_add_address(self.nat_addr)
767 self.nat_add_address(twice_nat_addr, twice_nat=1)
771 flags |= self.config_flags.NAT_IS_SELF_TWICE_NAT
773 flags |= self.config_flags.NAT_IS_TWICE_NAT
776 self.nat_add_static_mapping(pg0.remote_ip4, self.nat_addr,
781 locals = [{'addr': server1.ip4,
785 {'addr': server2.ip4,
789 out_addr = self.nat_addr
791 self.vapi.nat44_add_del_lb_static_mapping(is_add=1, flags=flags,
792 external_addr=out_addr,
793 external_port=port_out,
794 protocol=IP_PROTOS.tcp,
795 local_num=len(locals),
797 self.nat_add_inside_interface(pg0)
798 self.nat_add_outside_interface(pg1)
804 assert client_id is not None
806 client = self.pg0.remote_hosts[0]
808 client = self.pg0.remote_hosts[1]
810 client = pg1.remote_hosts[0]
811 p = (Ether(src=pg1.remote_mac, dst=pg1.local_mac) /
812 IP(src=client.ip4, dst=self.nat_addr) /
813 TCP(sport=eh_port_out, dport=port_out))
815 self.pg_enable_capture(self.pg_interfaces)
817 capture = pg0.get_capture(1)
823 if ip.dst == server1.ip4:
829 self.assertEqual(ip.dst, server.ip4)
831 self.assertIn(tcp.dport, [port_in1, port_in2])
833 self.assertEqual(tcp.dport, port_in)
835 self.assertEqual(ip.src, twice_nat_addr)
836 self.assertNotEqual(tcp.sport, eh_port_out)
838 self.assertEqual(ip.src, client.ip4)
839 self.assertEqual(tcp.sport, eh_port_out)
841 eh_port_in = tcp.sport
842 saved_port_in = tcp.dport
843 self.assert_packet_checksums_valid(p)
845 self.logger.error(ppp("Unexpected or invalid packet:", p))
848 p = (Ether(src=server.mac, dst=pg0.local_mac) /
849 IP(src=server.ip4, dst=eh_addr_in) /
850 TCP(sport=saved_port_in, dport=eh_port_in))
852 self.pg_enable_capture(self.pg_interfaces)
854 capture = pg1.get_capture(1)
859 self.assertEqual(ip.dst, client.ip4)
860 self.assertEqual(ip.src, self.nat_addr)
861 self.assertEqual(tcp.dport, eh_port_out)
862 self.assertEqual(tcp.sport, port_out)
863 self.assert_packet_checksums_valid(p)
865 self.logger.error(ppp("Unexpected or invalid packet:", p))
869 sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
870 self.assertEqual(len(sessions), 1)
871 self.assertTrue(sessions[0].flags &
872 self.config_flags.NAT_IS_EXT_HOST_VALID)
873 self.assertTrue(sessions[0].flags &
874 self.config_flags.NAT_IS_TWICE_NAT)
875 self.logger.info(self.vapi.cli("show nat44 sessions"))
876 self.vapi.nat44_del_session(
877 address=sessions[0].inside_ip_address,
878 port=sessions[0].inside_port,
879 protocol=sessions[0].protocol,
880 flags=(self.config_flags.NAT_IS_INSIDE |
881 self.config_flags.NAT_IS_EXT_HOST_VALID),
882 ext_host_address=sessions[0].ext_host_nat_address,
883 ext_host_port=sessions[0].ext_host_nat_port)
884 sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
885 self.assertEqual(len(sessions), 0)
887 def verify_syslog_sess(self, data, is_add=True, is_ip6=False):
888 message = data.decode('utf-8')
890 message = SyslogMessage.parse(message)
891 except ParseError as e:
895 self.assertEqual(message.severity, SyslogSeverity.info)
896 self.assertEqual(message.appname, 'NAT')
897 self.assertEqual(message.msgid, 'SADD' if is_add else 'SDEL')
898 sd_params = message.sd.get('nsess')
899 self.assertTrue(sd_params is not None)
901 self.assertEqual(sd_params.get('IATYP'), 'IPv6')
902 self.assertEqual(sd_params.get('ISADDR'), self.pg0.remote_ip6)
904 self.assertEqual(sd_params.get('IATYP'), 'IPv4')
905 self.assertEqual(sd_params.get('ISADDR'), self.pg0.remote_ip4)
906 self.assertTrue(sd_params.get('SSUBIX') is not None)
907 self.assertEqual(sd_params.get('ISPORT'), "%d" % self.tcp_port_in)
908 self.assertEqual(sd_params.get('XATYP'), 'IPv4')
909 self.assertEqual(sd_params.get('XSADDR'), self.nat_addr)
910 self.assertEqual(sd_params.get('XSPORT'), "%d" % self.tcp_port_out)
911 self.assertEqual(sd_params.get('PROTO'), "%d" % IP_PROTOS.tcp)
912 self.assertEqual(sd_params.get('SVLAN'), '0')
913 self.assertEqual(sd_params.get('XDADDR'), self.pg1.remote_ip4)
914 self.assertEqual(sd_params.get('XDPORT'),
915 "%d" % self.tcp_external_port)
918 @tag_fixme_vpp_workers
919 class TestNAT44ED(NAT44EDTestCase):
920 """ NAT44ED Test Case """
922 def test_users_dump(self):
923 """ NAT44ED API test - nat44_user_dump """
925 self.nat_add_address(self.nat_addr)
926 self.nat_add_inside_interface(self.pg0)
927 self.nat_add_outside_interface(self.pg1)
929 self.vapi.nat44_forwarding_enable_disable(enable=1)
931 local_ip = self.pg0.remote_ip4
932 external_ip = self.nat_addr
933 self.nat_add_static_mapping(local_ip, external_ip)
935 users = self.vapi.nat44_user_dump()
936 self.assertEqual(len(users), 0)
938 # in2out - static mapping match
940 pkts = self.create_stream_out(self.pg1)
941 self.pg1.add_stream(pkts)
942 self.pg_enable_capture(self.pg_interfaces)
944 capture = self.pg0.get_capture(len(pkts))
945 self.verify_capture_in(capture, self.pg0)
947 pkts = self.create_stream_in(self.pg0, self.pg1)
948 self.pg0.add_stream(pkts)
949 self.pg_enable_capture(self.pg_interfaces)
951 capture = self.pg1.get_capture(len(pkts))
952 self.verify_capture_out(capture, same_port=True)
954 users = self.vapi.nat44_user_dump()
955 self.assertEqual(len(users), 1)
956 static_user = users[0]
957 self.assertEqual(static_user.nstaticsessions, 3)
958 self.assertEqual(static_user.nsessions, 0)
960 # in2out - no static mapping match (forwarding test)
962 host0 = self.pg0.remote_hosts[0]
963 self.pg0.remote_hosts[0] = self.pg0.remote_hosts[1]
965 pkts = self.create_stream_out(self.pg1,
966 dst_ip=self.pg0.remote_ip4,
967 use_inside_ports=True)
968 self.pg1.add_stream(pkts)
969 self.pg_enable_capture(self.pg_interfaces)
971 capture = self.pg0.get_capture(len(pkts))
972 self.verify_capture_in(capture, self.pg0)
974 pkts = self.create_stream_in(self.pg0, self.pg1)
975 self.pg0.add_stream(pkts)
976 self.pg_enable_capture(self.pg_interfaces)
978 capture = self.pg1.get_capture(len(pkts))
979 self.verify_capture_out(capture, nat_ip=self.pg0.remote_ip4,
982 self.pg0.remote_hosts[0] = host0
984 users = self.vapi.nat44_user_dump()
985 self.assertEqual(len(users), 2)
986 if str(users[0].ip_address) == self.pg0.remote_hosts[0].ip4:
987 non_static_user = users[1]
988 static_user = users[0]
990 non_static_user = users[0]
991 static_user = users[1]
992 self.assertEqual(static_user.nstaticsessions, 3)
993 self.assertEqual(static_user.nsessions, 0)
994 self.assertEqual(non_static_user.nstaticsessions, 0)
995 self.assertEqual(non_static_user.nsessions, 3)
997 users = self.vapi.nat44_user_dump()
998 self.assertEqual(len(users), 2)
999 if str(users[0].ip_address) == self.pg0.remote_hosts[0].ip4:
1000 non_static_user = users[1]
1001 static_user = users[0]
1003 non_static_user = users[0]
1004 static_user = users[1]
1005 self.assertEqual(static_user.nstaticsessions, 3)
1006 self.assertEqual(static_user.nsessions, 0)
1007 self.assertEqual(non_static_user.nstaticsessions, 0)
1008 self.assertEqual(non_static_user.nsessions, 3)
1010 def test_frag_out_of_order_do_not_translate(self):
1011 """ NAT44ED don't translate fragments arriving out of order """
1012 self.nat_add_inside_interface(self.pg0)
1013 self.nat_add_outside_interface(self.pg1)
1014 self.vapi.nat44_forwarding_enable_disable(enable=True)
1015 self.frag_out_of_order(proto=IP_PROTOS.tcp, dont_translate=True)
1017 def test_forwarding(self):
1018 """ NAT44ED forwarding test """
1020 self.nat_add_inside_interface(self.pg0)
1021 self.nat_add_outside_interface(self.pg1)
1022 self.vapi.nat44_forwarding_enable_disable(enable=1)
1024 real_ip = self.pg0.remote_ip4
1025 alias_ip = self.nat_addr
1026 flags = self.config_flags.NAT_IS_ADDR_ONLY
1027 self.vapi.nat44_add_del_static_mapping(is_add=1,
1028 local_ip_address=real_ip,
1029 external_ip_address=alias_ip,
1030 external_sw_if_index=0xFFFFFFFF,
1034 # in2out - static mapping match
1036 pkts = self.create_stream_out(self.pg1)
1037 self.pg1.add_stream(pkts)
1038 self.pg_enable_capture(self.pg_interfaces)
1040 capture = self.pg0.get_capture(len(pkts))
1041 self.verify_capture_in(capture, self.pg0)
1043 pkts = self.create_stream_in(self.pg0, self.pg1)
1044 self.pg0.add_stream(pkts)
1045 self.pg_enable_capture(self.pg_interfaces)
1047 capture = self.pg1.get_capture(len(pkts))
1048 self.verify_capture_out(capture, same_port=True)
1050 # in2out - no static mapping match
1052 host0 = self.pg0.remote_hosts[0]
1053 self.pg0.remote_hosts[0] = self.pg0.remote_hosts[1]
1055 pkts = self.create_stream_out(self.pg1,
1056 dst_ip=self.pg0.remote_ip4,
1057 use_inside_ports=True)
1058 self.pg1.add_stream(pkts)
1059 self.pg_enable_capture(self.pg_interfaces)
1061 capture = self.pg0.get_capture(len(pkts))
1062 self.verify_capture_in(capture, self.pg0)
1064 pkts = self.create_stream_in(self.pg0, self.pg1)
1065 self.pg0.add_stream(pkts)
1066 self.pg_enable_capture(self.pg_interfaces)
1068 capture = self.pg1.get_capture(len(pkts))
1069 self.verify_capture_out(capture, nat_ip=self.pg0.remote_ip4,
1072 self.pg0.remote_hosts[0] = host0
1074 user = self.pg0.remote_hosts[1]
1075 sessions = self.vapi.nat44_user_session_dump(user.ip4, 0)
1076 self.assertEqual(len(sessions), 3)
1077 self.assertTrue(sessions[0].flags &
1078 self.config_flags.NAT_IS_EXT_HOST_VALID)
1079 self.vapi.nat44_del_session(
1080 address=sessions[0].inside_ip_address,
1081 port=sessions[0].inside_port,
1082 protocol=sessions[0].protocol,
1083 flags=(self.config_flags.NAT_IS_INSIDE |
1084 self.config_flags.NAT_IS_EXT_HOST_VALID),
1085 ext_host_address=sessions[0].ext_host_address,
1086 ext_host_port=sessions[0].ext_host_port)
1087 sessions = self.vapi.nat44_user_session_dump(user.ip4, 0)
1088 self.assertEqual(len(sessions), 2)
1091 self.vapi.nat44_forwarding_enable_disable(enable=0)
1092 flags = self.config_flags.NAT_IS_ADDR_ONLY
1093 self.vapi.nat44_add_del_static_mapping(
1095 local_ip_address=real_ip,
1096 external_ip_address=alias_ip,
1097 external_sw_if_index=0xFFFFFFFF,
1100 def test_output_feature_and_service2(self):
1101 """ NAT44ED interface output feature and service host direct access """
1102 self.vapi.nat44_forwarding_enable_disable(enable=1)
1103 self.nat_add_address(self.nat_addr)
1105 self.vapi.nat44_interface_add_del_output_feature(
1106 sw_if_index=self.pg1.sw_if_index, is_add=1,)
1108 # session initiated from service host - translate
1109 pkts = self.create_stream_in(self.pg0, self.pg1)
1110 self.pg0.add_stream(pkts)
1111 self.pg_enable_capture(self.pg_interfaces)
1113 capture = self.pg1.get_capture(len(pkts))
1114 self.verify_capture_out(capture, ignore_port=True)
1116 pkts = self.create_stream_out(self.pg1)
1117 self.pg1.add_stream(pkts)
1118 self.pg_enable_capture(self.pg_interfaces)
1120 capture = self.pg0.get_capture(len(pkts))
1121 self.verify_capture_in(capture, self.pg0)
1123 # session initiated from remote host - do not translate
1124 tcp_port_in = self.tcp_port_in
1125 udp_port_in = self.udp_port_in
1126 icmp_id_in = self.icmp_id_in
1128 self.tcp_port_in = 60303
1129 self.udp_port_in = 60304
1130 self.icmp_id_in = 60305
1133 pkts = self.create_stream_out(self.pg1,
1134 self.pg0.remote_ip4,
1135 use_inside_ports=True)
1136 self.pg1.add_stream(pkts)
1137 self.pg_enable_capture(self.pg_interfaces)
1139 capture = self.pg0.get_capture(len(pkts))
1140 self.verify_capture_in(capture, self.pg0)
1142 pkts = self.create_stream_in(self.pg0, self.pg1)
1143 self.pg0.add_stream(pkts)
1144 self.pg_enable_capture(self.pg_interfaces)
1146 capture = self.pg1.get_capture(len(pkts))
1147 self.verify_capture_out(capture, nat_ip=self.pg0.remote_ip4,
1150 self.tcp_port_in = tcp_port_in
1151 self.udp_port_in = udp_port_in
1152 self.icmp_id_in = icmp_id_in
1154 def test_twice_nat(self):
1155 """ NAT44ED Twice NAT """
1156 self.twice_nat_common()
1158 def test_self_twice_nat_positive(self):
1159 """ NAT44ED Self Twice NAT (positive test) """
1160 self.twice_nat_common(self_twice_nat=True, same_pg=True)
1162 def test_self_twice_nat_lb_positive(self):
1163 """ NAT44ED Self Twice NAT local service load balancing (positive test)
1165 self.twice_nat_common(lb=True, self_twice_nat=True, same_pg=True,
1168 def test_twice_nat_lb(self):
1169 """ NAT44ED Twice NAT local service load balancing """
1170 self.twice_nat_common(lb=True)
1172 def test_output_feature(self):
1173 """ NAT44ED interface output feature (in2out postrouting) """
1174 self.vapi.nat44_forwarding_enable_disable(enable=1)
1175 self.nat_add_address(self.nat_addr)
1177 self.nat_add_outside_interface(self.pg0)
1178 self.vapi.nat44_interface_add_del_output_feature(
1179 sw_if_index=self.pg1.sw_if_index, is_add=1)
1182 pkts = self.create_stream_in(self.pg0, self.pg1)
1183 self.pg0.add_stream(pkts)
1184 self.pg_enable_capture(self.pg_interfaces)
1186 capture = self.pg1.get_capture(len(pkts))
1187 self.verify_capture_out(capture, ignore_port=True)
1190 pkts = self.create_stream_out(self.pg1)
1191 self.pg1.add_stream(pkts)
1192 self.pg_enable_capture(self.pg_interfaces)
1194 capture = self.pg0.get_capture(len(pkts))
1195 self.verify_capture_in(capture, self.pg0)
1197 def test_static_with_port_out2(self):
1198 """ NAT44ED 1:1 NAPT asymmetrical rule """
1203 self.vapi.nat44_forwarding_enable_disable(enable=1)
1204 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
1205 self.nat_add_static_mapping(self.pg0.remote_ip4, self.nat_addr,
1206 local_port, external_port,
1207 proto=IP_PROTOS.tcp, flags=flags)
1209 self.nat_add_inside_interface(self.pg0)
1210 self.nat_add_outside_interface(self.pg1)
1212 # from client to service
1213 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
1214 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
1215 TCP(sport=12345, dport=external_port))
1216 self.pg1.add_stream(p)
1217 self.pg_enable_capture(self.pg_interfaces)
1219 capture = self.pg0.get_capture(1)
1224 self.assertEqual(ip.dst, self.pg0.remote_ip4)
1225 self.assertEqual(tcp.dport, local_port)
1226 self.assert_packet_checksums_valid(p)
1228 self.logger.error(ppp("Unexpected or invalid packet:", p))
1232 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
1233 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
1234 ICMP(type=11) / capture[0][IP])
1235 self.pg0.add_stream(p)
1236 self.pg_enable_capture(self.pg_interfaces)
1238 capture = self.pg1.get_capture(1)
1241 self.assertEqual(p[IP].src, self.nat_addr)
1243 self.assertEqual(inner.dst, self.nat_addr)
1244 self.assertEqual(inner[TCPerror].dport, external_port)
1246 self.logger.error(ppp("Unexpected or invalid packet:", p))
1249 # from service back to client
1250 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
1251 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
1252 TCP(sport=local_port, dport=12345))
1253 self.pg0.add_stream(p)
1254 self.pg_enable_capture(self.pg_interfaces)
1256 capture = self.pg1.get_capture(1)
1261 self.assertEqual(ip.src, self.nat_addr)
1262 self.assertEqual(tcp.sport, external_port)
1263 self.assert_packet_checksums_valid(p)
1265 self.logger.error(ppp("Unexpected or invalid packet:", p))
1269 p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
1270 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
1271 ICMP(type=11) / capture[0][IP])
1272 self.pg1.add_stream(p)
1273 self.pg_enable_capture(self.pg_interfaces)
1275 capture = self.pg0.get_capture(1)
1278 self.assertEqual(p[IP].dst, self.pg0.remote_ip4)
1280 self.assertEqual(inner.src, self.pg0.remote_ip4)
1281 self.assertEqual(inner[TCPerror].sport, local_port)
1283 self.logger.error(ppp("Unexpected or invalid packet:", p))
1286 # from client to server (no translation)
1287 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
1288 IP(src=self.pg1.remote_ip4, dst=self.pg0.remote_ip4) /
1289 TCP(sport=12346, dport=local_port))
1290 self.pg1.add_stream(p)
1291 self.pg_enable_capture(self.pg_interfaces)
1293 capture = self.pg0.get_capture(1)
1298 self.assertEqual(ip.dst, self.pg0.remote_ip4)
1299 self.assertEqual(tcp.dport, local_port)
1300 self.assert_packet_checksums_valid(p)
1302 self.logger.error(ppp("Unexpected or invalid packet:", p))
1305 # from service back to client (no translation)
1306 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
1307 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
1308 TCP(sport=local_port, dport=12346))
1309 self.pg0.add_stream(p)
1310 self.pg_enable_capture(self.pg_interfaces)
1312 capture = self.pg1.get_capture(1)
1317 self.assertEqual(ip.src, self.pg0.remote_ip4)
1318 self.assertEqual(tcp.sport, local_port)
1319 self.assert_packet_checksums_valid(p)
1321 self.logger.error(ppp("Unexpected or invalid packet:", p))
1324 def test_static_lb(self):
1325 """ NAT44ED local service load balancing """
1326 external_addr_n = self.nat_addr
1329 server1 = self.pg0.remote_hosts[0]
1330 server2 = self.pg0.remote_hosts[1]
1332 locals = [{'addr': server1.ip4,
1336 {'addr': server2.ip4,
1341 self.nat_add_address(self.nat_addr)
1342 self.vapi.nat44_add_del_lb_static_mapping(
1344 external_addr=external_addr_n,
1345 external_port=external_port,
1346 protocol=IP_PROTOS.tcp,
1347 local_num=len(locals),
1349 flags = self.config_flags.NAT_IS_INSIDE
1350 self.vapi.nat44_interface_add_del_feature(
1351 sw_if_index=self.pg0.sw_if_index,
1352 flags=flags, is_add=1)
1353 self.vapi.nat44_interface_add_del_feature(
1354 sw_if_index=self.pg1.sw_if_index,
1357 # from client to service
1358 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
1359 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
1360 TCP(sport=12345, dport=external_port))
1361 self.pg1.add_stream(p)
1362 self.pg_enable_capture(self.pg_interfaces)
1364 capture = self.pg0.get_capture(1)
1370 self.assertIn(ip.dst, [server1.ip4, server2.ip4])
1371 if ip.dst == server1.ip4:
1375 self.assertEqual(tcp.dport, local_port)
1376 self.assert_packet_checksums_valid(p)
1378 self.logger.error(ppp("Unexpected or invalid packet:", p))
1381 # from service back to client
1382 p = (Ether(src=server.mac, dst=self.pg0.local_mac) /
1383 IP(src=server.ip4, dst=self.pg1.remote_ip4) /
1384 TCP(sport=local_port, dport=12345))
1385 self.pg0.add_stream(p)
1386 self.pg_enable_capture(self.pg_interfaces)
1388 capture = self.pg1.get_capture(1)
1393 self.assertEqual(ip.src, self.nat_addr)
1394 self.assertEqual(tcp.sport, external_port)
1395 self.assert_packet_checksums_valid(p)
1397 self.logger.error(ppp("Unexpected or invalid packet:", p))
1400 sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
1401 self.assertEqual(len(sessions), 1)
1402 self.assertTrue(sessions[0].flags &
1403 self.config_flags.NAT_IS_EXT_HOST_VALID)
1404 self.vapi.nat44_del_session(
1405 address=sessions[0].inside_ip_address,
1406 port=sessions[0].inside_port,
1407 protocol=sessions[0].protocol,
1408 flags=(self.config_flags.NAT_IS_INSIDE |
1409 self.config_flags.NAT_IS_EXT_HOST_VALID),
1410 ext_host_address=sessions[0].ext_host_address,
1411 ext_host_port=sessions[0].ext_host_port)
1412 sessions = self.vapi.nat44_user_session_dump(server.ip4, 0)
1413 self.assertEqual(len(sessions), 0)
1415 def test_static_lb_2(self):
1416 """ NAT44ED local service load balancing (asymmetrical rule) """
1417 external_addr = self.nat_addr
1420 server1 = self.pg0.remote_hosts[0]
1421 server2 = self.pg0.remote_hosts[1]
1423 locals = [{'addr': server1.ip4,
1427 {'addr': server2.ip4,
1432 self.vapi.nat44_forwarding_enable_disable(enable=1)
1433 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
1434 self.vapi.nat44_add_del_lb_static_mapping(is_add=1, flags=flags,
1435 external_addr=external_addr,
1436 external_port=external_port,
1437 protocol=IP_PROTOS.tcp,
1438 local_num=len(locals),
1440 flags = self.config_flags.NAT_IS_INSIDE
1441 self.vapi.nat44_interface_add_del_feature(
1442 sw_if_index=self.pg0.sw_if_index,
1443 flags=flags, is_add=1)
1444 self.vapi.nat44_interface_add_del_feature(
1445 sw_if_index=self.pg1.sw_if_index,
1448 # from client to service
1449 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
1450 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
1451 TCP(sport=12345, dport=external_port))
1452 self.pg1.add_stream(p)
1453 self.pg_enable_capture(self.pg_interfaces)
1455 capture = self.pg0.get_capture(1)
1461 self.assertIn(ip.dst, [server1.ip4, server2.ip4])
1462 if ip.dst == server1.ip4:
1466 self.assertEqual(tcp.dport, local_port)
1467 self.assert_packet_checksums_valid(p)
1469 self.logger.error(ppp("Unexpected or invalid packet:", p))
1472 # from service back to client
1473 p = (Ether(src=server.mac, dst=self.pg0.local_mac) /
1474 IP(src=server.ip4, dst=self.pg1.remote_ip4) /
1475 TCP(sport=local_port, dport=12345))
1476 self.pg0.add_stream(p)
1477 self.pg_enable_capture(self.pg_interfaces)
1479 capture = self.pg1.get_capture(1)
1484 self.assertEqual(ip.src, self.nat_addr)
1485 self.assertEqual(tcp.sport, external_port)
1486 self.assert_packet_checksums_valid(p)
1488 self.logger.error(ppp("Unexpected or invalid packet:", p))
1491 # from client to server (no translation)
1492 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
1493 IP(src=self.pg1.remote_ip4, dst=server1.ip4) /
1494 TCP(sport=12346, dport=local_port))
1495 self.pg1.add_stream(p)
1496 self.pg_enable_capture(self.pg_interfaces)
1498 capture = self.pg0.get_capture(1)
1504 self.assertEqual(ip.dst, server1.ip4)
1505 self.assertEqual(tcp.dport, local_port)
1506 self.assert_packet_checksums_valid(p)
1508 self.logger.error(ppp("Unexpected or invalid packet:", p))
1511 # from service back to client (no translation)
1512 p = (Ether(src=server1.mac, dst=self.pg0.local_mac) /
1513 IP(src=server1.ip4, dst=self.pg1.remote_ip4) /
1514 TCP(sport=local_port, dport=12346))
1515 self.pg0.add_stream(p)
1516 self.pg_enable_capture(self.pg_interfaces)
1518 capture = self.pg1.get_capture(1)
1523 self.assertEqual(ip.src, server1.ip4)
1524 self.assertEqual(tcp.sport, local_port)
1525 self.assert_packet_checksums_valid(p)
1527 self.logger.error(ppp("Unexpected or invalid packet:", p))
1530 def test_lb_affinity(self):
1531 """ NAT44ED local service load balancing affinity """
1532 external_addr = self.nat_addr
1535 server1 = self.pg0.remote_hosts[0]
1536 server2 = self.pg0.remote_hosts[1]
1538 locals = [{'addr': server1.ip4,
1542 {'addr': server2.ip4,
1547 self.nat_add_address(self.nat_addr)
1548 self.vapi.nat44_add_del_lb_static_mapping(is_add=1,
1549 external_addr=external_addr,
1550 external_port=external_port,
1551 protocol=IP_PROTOS.tcp,
1553 local_num=len(locals),
1555 flags = self.config_flags.NAT_IS_INSIDE
1556 self.vapi.nat44_interface_add_del_feature(
1557 sw_if_index=self.pg0.sw_if_index,
1558 flags=flags, is_add=1)
1559 self.vapi.nat44_interface_add_del_feature(
1560 sw_if_index=self.pg1.sw_if_index,
1563 p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
1564 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
1565 TCP(sport=1025, dport=external_port))
1566 self.pg1.add_stream(p)
1567 self.pg_enable_capture(self.pg_interfaces)
1569 capture = self.pg0.get_capture(1)
1570 backend = capture[0][IP].dst
1572 sessions = self.vapi.nat44_user_session_dump(backend, 0)
1573 self.assertEqual(len(sessions), 1)
1574 self.assertTrue(sessions[0].flags &
1575 self.config_flags.NAT_IS_EXT_HOST_VALID)
1576 self.vapi.nat44_del_session(
1577 address=sessions[0].inside_ip_address,
1578 port=sessions[0].inside_port,
1579 protocol=sessions[0].protocol,
1580 flags=(self.config_flags.NAT_IS_INSIDE |
1581 self.config_flags.NAT_IS_EXT_HOST_VALID),
1582 ext_host_address=sessions[0].ext_host_address,
1583 ext_host_port=sessions[0].ext_host_port)
1586 for port in range(1030, 1100):
1587 p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
1588 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
1589 TCP(sport=port, dport=external_port))
1591 self.pg1.add_stream(pkts)
1592 self.pg_enable_capture(self.pg_interfaces)
1594 capture = self.pg0.get_capture(len(pkts))
1596 self.assertEqual(p[IP].dst, backend)
1598 def test_multiple_vrf(self):
1599 """ NAT44ED Multiple VRF setup """
1601 external_addr = '1.2.3.4'
1606 self.vapi.nat44_forwarding_enable_disable(enable=1)
1607 self.nat_add_address(self.nat_addr)
1608 flags = self.config_flags.NAT_IS_INSIDE
1609 self.vapi.nat44_interface_add_del_feature(
1610 sw_if_index=self.pg0.sw_if_index,
1612 self.vapi.nat44_interface_add_del_feature(
1613 sw_if_index=self.pg0.sw_if_index,
1614 is_add=1, flags=flags)
1615 self.vapi.nat44_interface_add_del_output_feature(
1616 sw_if_index=self.pg1.sw_if_index,
1618 self.vapi.nat44_interface_add_del_feature(
1619 sw_if_index=self.pg5.sw_if_index,
1621 self.vapi.nat44_interface_add_del_feature(
1622 sw_if_index=self.pg5.sw_if_index,
1623 is_add=1, flags=flags)
1624 self.vapi.nat44_interface_add_del_feature(
1625 sw_if_index=self.pg6.sw_if_index,
1627 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
1628 self.nat_add_static_mapping(self.pg5.remote_ip4, external_addr,
1629 local_port, external_port, vrf_id=1,
1630 proto=IP_PROTOS.tcp, flags=flags)
1631 self.nat_add_static_mapping(
1632 self.pg0.remote_ip4,
1633 external_sw_if_index=self.pg0.sw_if_index,
1634 local_port=local_port,
1636 external_port=external_port,
1637 proto=IP_PROTOS.tcp,
1641 # from client to service (both VRF1)
1642 p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) /
1643 IP(src=self.pg6.remote_ip4, dst=external_addr) /
1644 TCP(sport=12345, dport=external_port))
1645 self.pg6.add_stream(p)
1646 self.pg_enable_capture(self.pg_interfaces)
1648 capture = self.pg5.get_capture(1)
1653 self.assertEqual(ip.dst, self.pg5.remote_ip4)
1654 self.assertEqual(tcp.dport, local_port)
1655 self.assert_packet_checksums_valid(p)
1657 self.logger.error(ppp("Unexpected or invalid packet:", p))
1660 # from service back to client (both VRF1)
1661 p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) /
1662 IP(src=self.pg5.remote_ip4, dst=self.pg6.remote_ip4) /
1663 TCP(sport=local_port, dport=12345))
1664 self.pg5.add_stream(p)
1665 self.pg_enable_capture(self.pg_interfaces)
1667 capture = self.pg6.get_capture(1)
1672 self.assertEqual(ip.src, external_addr)
1673 self.assertEqual(tcp.sport, external_port)
1674 self.assert_packet_checksums_valid(p)
1676 self.logger.error(ppp("Unexpected or invalid packet:", p))
1679 # dynamic NAT from VRF1 to VRF0 (output-feature)
1680 p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) /
1681 IP(src=self.pg5.remote_ip4, dst=self.pg1.remote_ip4) /
1682 TCP(sport=2345, dport=22))
1683 self.pg5.add_stream(p)
1684 self.pg_enable_capture(self.pg_interfaces)
1686 capture = self.pg1.get_capture(1)
1691 self.assertEqual(ip.src, self.nat_addr)
1692 self.assert_packet_checksums_valid(p)
1695 self.logger.error(ppp("Unexpected or invalid packet:", p))
1698 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
1699 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
1700 TCP(sport=22, dport=port))
1701 self.pg1.add_stream(p)
1702 self.pg_enable_capture(self.pg_interfaces)
1704 capture = self.pg5.get_capture(1)
1709 self.assertEqual(ip.dst, self.pg5.remote_ip4)
1710 self.assertEqual(tcp.dport, 2345)
1711 self.assert_packet_checksums_valid(p)
1713 self.logger.error(ppp("Unexpected or invalid packet:", p))
1716 # from client VRF1 to service VRF0
1717 p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) /
1718 IP(src=self.pg6.remote_ip4, dst=self.pg0.local_ip4) /
1719 TCP(sport=12346, dport=external_port))
1720 self.pg6.add_stream(p)
1721 self.pg_enable_capture(self.pg_interfaces)
1723 capture = self.pg0.get_capture(1)
1728 self.assertEqual(ip.dst, self.pg0.remote_ip4)
1729 self.assertEqual(tcp.dport, local_port)
1730 self.assert_packet_checksums_valid(p)
1732 self.logger.error(ppp("Unexpected or invalid packet:", p))
1735 # from service VRF0 back to client VRF1
1736 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
1737 IP(src=self.pg0.remote_ip4, dst=self.pg6.remote_ip4) /
1738 TCP(sport=local_port, dport=12346))
1739 self.pg0.add_stream(p)
1740 self.pg_enable_capture(self.pg_interfaces)
1742 capture = self.pg6.get_capture(1)
1747 self.assertEqual(ip.src, self.pg0.local_ip4)
1748 self.assertEqual(tcp.sport, external_port)
1749 self.assert_packet_checksums_valid(p)
1751 self.logger.error(ppp("Unexpected or invalid packet:", p))
1754 # from client VRF0 to service VRF1
1755 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
1756 IP(src=self.pg0.remote_ip4, dst=external_addr) /
1757 TCP(sport=12347, dport=external_port))
1758 self.pg0.add_stream(p)
1759 self.pg_enable_capture(self.pg_interfaces)
1761 capture = self.pg5.get_capture(1)
1766 self.assertEqual(ip.dst, self.pg5.remote_ip4)
1767 self.assertEqual(tcp.dport, local_port)
1768 self.assert_packet_checksums_valid(p)
1770 self.logger.error(ppp("Unexpected or invalid packet:", p))
1773 # from service VRF1 back to client VRF0
1774 p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) /
1775 IP(src=self.pg5.remote_ip4, dst=self.pg0.remote_ip4) /
1776 TCP(sport=local_port, dport=12347))
1777 self.pg5.add_stream(p)
1778 self.pg_enable_capture(self.pg_interfaces)
1780 capture = self.pg0.get_capture(1)
1785 self.assertEqual(ip.src, external_addr)
1786 self.assertEqual(tcp.sport, external_port)
1787 self.assert_packet_checksums_valid(p)
1789 self.logger.error(ppp("Unexpected or invalid packet:", p))
1792 # from client to server (both VRF1, no translation)
1793 p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) /
1794 IP(src=self.pg6.remote_ip4, dst=self.pg5.remote_ip4) /
1795 TCP(sport=12348, dport=local_port))
1796 self.pg6.add_stream(p)
1797 self.pg_enable_capture(self.pg_interfaces)
1799 capture = self.pg5.get_capture(1)
1804 self.assertEqual(ip.dst, self.pg5.remote_ip4)
1805 self.assertEqual(tcp.dport, local_port)
1806 self.assert_packet_checksums_valid(p)
1808 self.logger.error(ppp("Unexpected or invalid packet:", p))
1811 # from server back to client (both VRF1, no translation)
1812 p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) /
1813 IP(src=self.pg5.remote_ip4, dst=self.pg6.remote_ip4) /
1814 TCP(sport=local_port, dport=12348))
1815 self.pg5.add_stream(p)
1816 self.pg_enable_capture(self.pg_interfaces)
1818 capture = self.pg6.get_capture(1)
1823 self.assertEqual(ip.src, self.pg5.remote_ip4)
1824 self.assertEqual(tcp.sport, local_port)
1825 self.assert_packet_checksums_valid(p)
1827 self.logger.error(ppp("Unexpected or invalid packet:", p))
1830 # from client VRF1 to server VRF0 (no translation)
1831 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
1832 IP(src=self.pg0.remote_ip4, dst=self.pg6.remote_ip4) /
1833 TCP(sport=local_port, dport=12349))
1834 self.pg0.add_stream(p)
1835 self.pg_enable_capture(self.pg_interfaces)
1837 capture = self.pg6.get_capture(1)
1842 self.assertEqual(ip.src, self.pg0.remote_ip4)
1843 self.assertEqual(tcp.sport, local_port)
1844 self.assert_packet_checksums_valid(p)
1846 self.logger.error(ppp("Unexpected or invalid packet:", p))
1849 # from server VRF0 back to client VRF1 (no translation)
1850 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
1851 IP(src=self.pg0.remote_ip4, dst=self.pg6.remote_ip4) /
1852 TCP(sport=local_port, dport=12349))
1853 self.pg0.add_stream(p)
1854 self.pg_enable_capture(self.pg_interfaces)
1856 capture = self.pg6.get_capture(1)
1861 self.assertEqual(ip.src, self.pg0.remote_ip4)
1862 self.assertEqual(tcp.sport, local_port)
1863 self.assert_packet_checksums_valid(p)
1865 self.logger.error(ppp("Unexpected or invalid packet:", p))
1868 # from client VRF0 to server VRF1 (no translation)
1869 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
1870 IP(src=self.pg0.remote_ip4, dst=self.pg5.remote_ip4) /
1871 TCP(sport=12344, dport=local_port))
1872 self.pg0.add_stream(p)
1873 self.pg_enable_capture(self.pg_interfaces)
1875 capture = self.pg5.get_capture(1)
1880 self.assertEqual(ip.dst, self.pg5.remote_ip4)
1881 self.assertEqual(tcp.dport, local_port)
1882 self.assert_packet_checksums_valid(p)
1884 self.logger.error(ppp("Unexpected or invalid packet:", p))
1887 # from server VRF1 back to client VRF0 (no translation)
1888 p = (Ether(src=self.pg5.remote_mac, dst=self.pg5.local_mac) /
1889 IP(src=self.pg5.remote_ip4, dst=self.pg0.remote_ip4) /
1890 TCP(sport=local_port, dport=12344))
1891 self.pg5.add_stream(p)
1892 self.pg_enable_capture(self.pg_interfaces)
1894 capture = self.pg0.get_capture(1)
1899 self.assertEqual(ip.src, self.pg5.remote_ip4)
1900 self.assertEqual(tcp.sport, local_port)
1901 self.assert_packet_checksums_valid(p)
1903 self.logger.error(ppp("Unexpected or invalid packet:", p))
1907 class TestNAT44EDMW(TestNAT44ED):
1908 """ NAT44ED MW Test Case """
1909 worker_config = "workers 1"
1911 def get_stats_counter(self, path, worker=1):
1912 return super(TestNAT44EDMW, self).get_stats_counter(path, worker)
1914 @unittest.skip('MW fix required')
1915 def test_users_dump(self):
1916 """ NAT44ED API test - nat44_user_dump """
1918 @unittest.skip('MW fix required')
1919 def test_frag_out_of_order_do_not_translate(self):
1920 """ NAT44ED don't translate fragments arriving out of order """
1922 @unittest.skip('MW fix required')
1923 def test_forwarding(self):
1924 """ NAT44ED forwarding test """
1926 @unittest.skip('MW fix required')
1927 def test_twice_nat(self):
1928 """ NAT44ED Twice NAT """
1930 @unittest.skip('MW fix required')
1931 def test_twice_nat_lb(self):
1932 """ NAT44ED Twice NAT local service load balancing """
1934 @unittest.skip('MW fix required')
1935 def test_output_feature(self):
1936 """ NAT44ED interface output feature (in2out postrouting) """
1938 @unittest.skip('MW fix required')
1939 def test_static_with_port_out2(self):
1940 """ NAT44ED 1:1 NAPT asymmetrical rule """
1942 @unittest.skip('MW fix required')
1943 def test_output_feature_and_service2(self):
1944 """ NAT44ED interface output feature and service host direct access """
1946 @unittest.skip('MW fix required')
1947 def test_static_lb(self):
1948 """ NAT44ED local service load balancing """
1950 @unittest.skip('MW fix required')
1951 def test_static_lb_2(self):
1952 """ NAT44ED local service load balancing (asymmetrical rule) """
1954 @unittest.skip('MW fix required')
1955 def test_lb_affinity(self):
1956 """ NAT44ED local service load balancing affinity """
1958 @unittest.skip('MW fix required')
1959 def test_multiple_vrf(self):
1960 """ NAT44ED Multiple VRF setup """
1962 @unittest.skip('MW fix required')
1963 def test_self_twice_nat_positive(self):
1964 """ NAT44ED Self Twice NAT (positive test) """
1966 @unittest.skip('MW fix required')
1967 def test_self_twice_nat_lb_positive(self):
1968 """ NAT44ED Self Twice NAT local service load balancing (positive test)
1971 def test_dynamic(self):
1972 """ NAT44ED dynamic translation test """
1974 self.nat_add_address(self.nat_addr)
1975 self.nat_add_inside_interface(self.pg0)
1976 self.nat_add_outside_interface(self.pg1)
1979 tc1 = self.get_stats_counter('/nat44-ed/in2out/slowpath/tcp')
1980 uc1 = self.get_stats_counter('/nat44-ed/in2out/slowpath/udp')
1981 ic1 = self.get_stats_counter('/nat44-ed/in2out/slowpath/icmp')
1982 dc1 = self.get_stats_counter('/nat44-ed/in2out/slowpath/drops')
1984 pkts = self.create_stream_in(self.pg0, self.pg1)
1985 # TODO: specify worker=idx, also stats have to
1986 # know from which worker to take capture
1987 self.pg0.add_stream(pkts)
1988 self.pg_enable_capture(self.pg_interfaces)
1990 capture = self.pg1.get_capture(len(pkts))
1991 self.verify_capture_out(capture, ignore_port=True)
1993 if_idx = self.pg0.sw_if_index
1994 tc2 = self.get_stats_counter('/nat44-ed/in2out/slowpath/tcp')
1995 uc2 = self.get_stats_counter('/nat44-ed/in2out/slowpath/udp')
1996 ic2 = self.get_stats_counter('/nat44-ed/in2out/slowpath/icmp')
1997 dc2 = self.get_stats_counter('/nat44-ed/in2out/slowpath/drops')
1999 self.assertEqual(tc2[if_idx] - tc1[if_idx], 2)
2000 self.assertEqual(uc2[if_idx] - uc1[if_idx], 1)
2001 self.assertEqual(ic2[if_idx] - ic1[if_idx], 1)
2002 self.assertEqual(dc2[if_idx] - dc1[if_idx], 0)
2005 tc1 = self.get_stats_counter('/nat44-ed/out2in/fastpath/tcp')
2006 uc1 = self.get_stats_counter('/nat44-ed/out2in/fastpath/udp')
2007 ic1 = self.get_stats_counter('/nat44-ed/out2in/fastpath/icmp')
2008 dc1 = self.get_stats_counter('/nat44-ed/out2in/fastpath/drops')
2010 pkts = self.create_stream_out(self.pg1)
2011 self.pg1.add_stream(pkts)
2012 self.pg_enable_capture(self.pg_interfaces)
2014 capture = self.pg0.get_capture(len(pkts))
2015 self.verify_capture_in(capture, self.pg0)
2017 if_idx = self.pg1.sw_if_index
2018 tc2 = self.get_stats_counter('/nat44-ed/out2in/fastpath/tcp')
2019 uc2 = self.get_stats_counter('/nat44-ed/out2in/fastpath/udp')
2020 ic2 = self.get_stats_counter('/nat44-ed/out2in/fastpath/icmp')
2021 dc2 = self.get_stats_counter('/nat44-ed/out2in/fastpath/drops')
2023 self.assertEqual(tc2[if_idx] - tc1[if_idx], 2)
2024 self.assertEqual(uc2[if_idx] - uc1[if_idx], 1)
2025 self.assertEqual(ic2[if_idx] - ic1[if_idx], 1)
2026 self.assertEqual(dc2[if_idx] - dc1[if_idx], 0)
2028 sc = self.get_stats_counter('/nat44-ed/total-sessions')
2029 self.assertEqual(sc[0], 3)
2031 def test_frag_in_order(self):
2032 """ NAT44ED translate fragments arriving in order """
2034 self.nat_add_address(self.nat_addr)
2035 self.nat_add_inside_interface(self.pg0)
2036 self.nat_add_outside_interface(self.pg1)
2038 self.frag_in_order(proto=IP_PROTOS.tcp, ignore_port=True)
2039 self.frag_in_order(proto=IP_PROTOS.udp, ignore_port=True)
2040 self.frag_in_order(proto=IP_PROTOS.icmp, ignore_port=True)
2042 def test_frag_in_order_do_not_translate(self):
2043 """ NAT44ED don't translate fragments arriving in order """
2045 self.nat_add_address(self.nat_addr)
2046 self.nat_add_inside_interface(self.pg0)
2047 self.nat_add_outside_interface(self.pg1)
2048 self.vapi.nat44_forwarding_enable_disable(enable=True)
2050 self.frag_in_order(proto=IP_PROTOS.tcp, dont_translate=True)
2052 def test_frag_out_of_order(self):
2053 """ NAT44ED translate fragments arriving out of order """
2055 self.nat_add_address(self.nat_addr)
2056 self.nat_add_inside_interface(self.pg0)
2057 self.nat_add_outside_interface(self.pg1)
2059 self.frag_out_of_order(proto=IP_PROTOS.tcp, ignore_port=True)
2060 self.frag_out_of_order(proto=IP_PROTOS.udp, ignore_port=True)
2061 self.frag_out_of_order(proto=IP_PROTOS.icmp, ignore_port=True)
2063 def test_frag_in_order_in_plus_out(self):
2064 """ NAT44ED in+out interface fragments in order """
2066 in_port = self.random_port()
2067 out_port = self.random_port()
2069 self.nat_add_address(self.nat_addr)
2070 self.nat_add_inside_interface(self.pg0)
2071 self.nat_add_outside_interface(self.pg0)
2072 self.nat_add_inside_interface(self.pg1)
2073 self.nat_add_outside_interface(self.pg1)
2075 # add static mappings for server
2076 self.nat_add_static_mapping(self.server_addr,
2080 proto=IP_PROTOS.tcp)
2081 self.nat_add_static_mapping(self.server_addr,
2085 proto=IP_PROTOS.udp)
2086 self.nat_add_static_mapping(self.server_addr,
2088 proto=IP_PROTOS.icmp)
2090 # run tests for each protocol
2091 self.frag_in_order_in_plus_out(self.server_addr,
2096 self.frag_in_order_in_plus_out(self.server_addr,
2101 self.frag_in_order_in_plus_out(self.server_addr,
2107 def test_frag_out_of_order_in_plus_out(self):
2108 """ NAT44ED in+out interface fragments out of order """
2110 in_port = self.random_port()
2111 out_port = self.random_port()
2113 self.nat_add_address(self.nat_addr)
2114 self.nat_add_inside_interface(self.pg0)
2115 self.nat_add_outside_interface(self.pg0)
2116 self.nat_add_inside_interface(self.pg1)
2117 self.nat_add_outside_interface(self.pg1)
2119 # add static mappings for server
2120 self.nat_add_static_mapping(self.server_addr,
2124 proto=IP_PROTOS.tcp)
2125 self.nat_add_static_mapping(self.server_addr,
2129 proto=IP_PROTOS.udp)
2130 self.nat_add_static_mapping(self.server_addr,
2132 proto=IP_PROTOS.icmp)
2134 # run tests for each protocol
2135 self.frag_out_of_order_in_plus_out(self.server_addr,
2140 self.frag_out_of_order_in_plus_out(self.server_addr,
2145 self.frag_out_of_order_in_plus_out(self.server_addr,
2151 def test_reass_hairpinning(self):
2152 """ NAT44ED fragments hairpinning """
2154 server_addr = self.pg0.remote_hosts[1].ip4
2156 host_in_port = self.random_port()
2157 server_in_port = self.random_port()
2158 server_out_port = self.random_port()
2160 self.nat_add_address(self.nat_addr)
2161 self.nat_add_inside_interface(self.pg0)
2162 self.nat_add_outside_interface(self.pg1)
2164 # add static mapping for server
2165 self.nat_add_static_mapping(server_addr, self.nat_addr,
2166 server_in_port, server_out_port,
2167 proto=IP_PROTOS.tcp)
2168 self.nat_add_static_mapping(server_addr, self.nat_addr,
2169 server_in_port, server_out_port,
2170 proto=IP_PROTOS.udp)
2171 self.nat_add_static_mapping(server_addr, self.nat_addr)
2173 self.reass_hairpinning(server_addr, server_in_port, server_out_port,
2174 host_in_port, proto=IP_PROTOS.tcp,
2176 self.reass_hairpinning(server_addr, server_in_port, server_out_port,
2177 host_in_port, proto=IP_PROTOS.udp,
2179 self.reass_hairpinning(server_addr, server_in_port, server_out_port,
2180 host_in_port, proto=IP_PROTOS.icmp,
2183 def test_session_limit_per_vrf(self):
2184 """ NAT44ED per vrf session limit """
2187 inside_vrf10 = self.pg2
2192 # 2 interfaces pg0, pg1 (vrf10, limit 1 tcp session)
2193 # non existing vrf_id makes process core dump
2194 self.vapi.nat44_set_session_limit(session_limit=limit, vrf_id=10)
2196 self.nat_add_inside_interface(inside)
2197 self.nat_add_inside_interface(inside_vrf10)
2198 self.nat_add_outside_interface(outside)
2201 self.nat_add_interface_address(outside)
2203 # BUG: causing core dump - when bad vrf_id is specified
2204 # self.nat_add_address(outside.local_ip4, vrf_id=20)
2206 stream = self.create_tcp_stream(inside_vrf10, outside, limit * 2)
2207 inside_vrf10.add_stream(stream)
2209 self.pg_enable_capture(self.pg_interfaces)
2212 capture = outside.get_capture(limit)
2214 stream = self.create_tcp_stream(inside, outside, limit * 2)
2215 inside.add_stream(stream)
2217 self.pg_enable_capture(self.pg_interfaces)
2220 capture = outside.get_capture(len(stream))
2222 def test_show_max_translations(self):
2223 """ NAT44ED API test - max translations per thread """
2224 nat_config = self.vapi.nat_show_config_2()
2225 self.assertEqual(self.max_sessions,
2226 nat_config.max_translations_per_thread)
2228 def test_lru_cleanup(self):
2229 """ NAT44ED LRU cleanup algorithm """
2231 self.nat_add_address(self.nat_addr)
2232 self.nat_add_inside_interface(self.pg0)
2233 self.nat_add_outside_interface(self.pg1)
2235 self.vapi.nat_set_timeouts(
2236 udp=1, tcp_established=7440, tcp_transitory=30, icmp=1)
2238 tcp_port_out = self.init_tcp_session(self.pg0, self.pg1, 2000, 80)
2240 for i in range(0, self.max_sessions - 1):
2241 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
2242 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4, ttl=64) /
2243 UDP(sport=7000+i, dport=80))
2246 self.pg0.add_stream(pkts)
2247 self.pg_enable_capture(self.pg_interfaces)
2249 self.pg1.get_capture(len(pkts))
2250 self.sleep(1.5, "wait for timeouts")
2253 for i in range(0, self.max_sessions - 1):
2254 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
2255 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4, ttl=64) /
2256 ICMP(id=8000+i, type='echo-request'))
2259 self.pg0.add_stream(pkts)
2260 self.pg_enable_capture(self.pg_interfaces)
2262 self.pg1.get_capture(len(pkts))
2264 def test_session_rst_timeout(self):
2265 """ NAT44ED session RST timeouts """
2267 self.nat_add_address(self.nat_addr)
2268 self.nat_add_inside_interface(self.pg0)
2269 self.nat_add_outside_interface(self.pg1)
2271 self.vapi.nat_set_timeouts(udp=300, tcp_established=7440,
2272 tcp_transitory=5, icmp=60)
2274 self.init_tcp_session(self.pg0, self.pg1, self.tcp_port_in,
2275 self.tcp_external_port)
2276 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2277 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
2278 TCP(sport=self.tcp_port_in, dport=self.tcp_external_port,
2280 self.pg0.add_stream(p)
2281 self.pg_enable_capture(self.pg_interfaces)
2283 self.pg1.get_capture(1)
2287 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2288 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
2289 TCP(sport=self.tcp_port_in + 1, dport=self.tcp_external_port + 1,
2291 self.pg0.add_stream(p)
2292 self.pg_enable_capture(self.pg_interfaces)
2294 self.pg1.get_capture(1)
2296 def test_dynamic_out_of_ports(self):
2297 """ NAT44ED dynamic translation test: out of ports """
2299 self.nat_add_inside_interface(self.pg0)
2300 self.nat_add_outside_interface(self.pg1)
2302 # in2out and no NAT addresses added
2303 err_old = self.statistics.get_err_counter(
2304 '/err/nat44-ed-in2out-slowpath/out of ports')
2306 pkts = self.create_stream_in(self.pg0, self.pg1)
2307 self.pg0.add_stream(pkts)
2308 self.pg_enable_capture(self.pg_interfaces)
2310 self.pg1.get_capture(0, timeout=1)
2312 err_new = self.statistics.get_err_counter(
2313 '/err/nat44-ed-in2out-slowpath/out of ports')
2315 self.assertEqual(err_new - err_old, len(pkts))
2317 # in2out after NAT addresses added
2318 self.nat_add_address(self.nat_addr)
2320 err_old = self.statistics.get_err_counter(
2321 '/err/nat44-ed-in2out-slowpath/out of ports')
2323 pkts = self.create_stream_in(self.pg0, self.pg1)
2324 self.pg0.add_stream(pkts)
2325 self.pg_enable_capture(self.pg_interfaces)
2327 capture = self.pg1.get_capture(len(pkts))
2328 self.verify_capture_out(capture, ignore_port=True)
2330 err_new = self.statistics.get_err_counter(
2331 '/err/nat44-ed-in2out-slowpath/out of ports')
2333 self.assertEqual(err_new, err_old)
2335 def test_unknown_proto(self):
2336 """ NAT44ED translate packet with unknown protocol """
2338 self.nat_add_address(self.nat_addr)
2339 self.nat_add_inside_interface(self.pg0)
2340 self.nat_add_outside_interface(self.pg1)
2343 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
2344 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
2345 TCP(sport=self.tcp_port_in, dport=20))
2346 self.pg0.add_stream(p)
2347 self.pg_enable_capture(self.pg_interfaces)
2349 p = self.pg1.get_capture(1)
2351 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
2352 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
2354 IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4) /
2355 TCP(sport=1234, dport=1234))
2356 self.pg0.add_stream(p)
2357 self.pg_enable_capture(self.pg_interfaces)
2359 p = self.pg1.get_capture(1)
2362 self.assertEqual(packet[IP].src, self.nat_addr)
2363 self.assertEqual(packet[IP].dst, self.pg1.remote_ip4)
2364 self.assertEqual(packet.haslayer(GRE), 1)
2365 self.assert_packet_checksums_valid(packet)
2367 self.logger.error(ppp("Unexpected or invalid packet:", packet))
2371 p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
2372 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
2374 IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4) /
2375 TCP(sport=1234, dport=1234))
2376 self.pg1.add_stream(p)
2377 self.pg_enable_capture(self.pg_interfaces)
2379 p = self.pg0.get_capture(1)
2382 self.assertEqual(packet[IP].src, self.pg1.remote_ip4)
2383 self.assertEqual(packet[IP].dst, self.pg0.remote_ip4)
2384 self.assertEqual(packet.haslayer(GRE), 1)
2385 self.assert_packet_checksums_valid(packet)
2387 self.logger.error(ppp("Unexpected or invalid packet:", packet))
2390 def test_hairpinning_unknown_proto(self):
2391 """ NAT44ED translate packet with unknown protocol - hairpinning """
2392 host = self.pg0.remote_hosts[0]
2393 server = self.pg0.remote_hosts[1]
2395 server_out_port = 8765
2396 server_nat_ip = "10.0.0.11"
2398 self.nat_add_address(self.nat_addr)
2399 self.nat_add_inside_interface(self.pg0)
2400 self.nat_add_outside_interface(self.pg1)
2402 # add static mapping for server
2403 self.nat_add_static_mapping(server.ip4, server_nat_ip)
2406 p = (Ether(src=host.mac, dst=self.pg0.local_mac) /
2407 IP(src=host.ip4, dst=server_nat_ip) /
2408 TCP(sport=host_in_port, dport=server_out_port))
2409 self.pg0.add_stream(p)
2410 self.pg_enable_capture(self.pg_interfaces)
2412 self.pg0.get_capture(1)
2414 p = (Ether(dst=self.pg0.local_mac, src=host.mac) /
2415 IP(src=host.ip4, dst=server_nat_ip) /
2417 IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4) /
2418 TCP(sport=1234, dport=1234))
2419 self.pg0.add_stream(p)
2420 self.pg_enable_capture(self.pg_interfaces)
2422 p = self.pg0.get_capture(1)
2425 self.assertEqual(packet[IP].src, self.nat_addr)
2426 self.assertEqual(packet[IP].dst, server.ip4)
2427 self.assertEqual(packet.haslayer(GRE), 1)
2428 self.assert_packet_checksums_valid(packet)
2430 self.logger.error(ppp("Unexpected or invalid packet:", packet))
2434 p = (Ether(dst=self.pg0.local_mac, src=server.mac) /
2435 IP(src=server.ip4, dst=self.nat_addr) /
2437 IP(src=self.pg2.remote_ip4, dst=self.pg2.remote_ip4) /
2438 TCP(sport=1234, dport=1234))
2439 self.pg0.add_stream(p)
2440 self.pg_enable_capture(self.pg_interfaces)
2442 p = self.pg0.get_capture(1)
2445 self.assertEqual(packet[IP].src, server_nat_ip)
2446 self.assertEqual(packet[IP].dst, host.ip4)
2447 self.assertEqual(packet.haslayer(GRE), 1)
2448 self.assert_packet_checksums_valid(packet)
2450 self.logger.error(ppp("Unexpected or invalid packet:", packet))
2453 def test_output_feature_and_service(self):
2454 """ NAT44ED interface output feature and services """
2455 external_addr = '1.2.3.4'
2459 self.vapi.nat44_forwarding_enable_disable(enable=1)
2460 self.nat_add_address(self.nat_addr)
2461 flags = self.config_flags.NAT_IS_ADDR_ONLY
2462 self.vapi.nat44_add_del_identity_mapping(
2463 ip_address=self.pg1.remote_ip4, sw_if_index=0xFFFFFFFF,
2464 flags=flags, is_add=1)
2465 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
2466 self.nat_add_static_mapping(self.pg0.remote_ip4, external_addr,
2467 local_port, external_port,
2468 proto=IP_PROTOS.tcp, flags=flags)
2470 self.nat_add_inside_interface(self.pg0)
2471 self.nat_add_outside_interface(self.pg0)
2472 self.vapi.nat44_interface_add_del_output_feature(
2473 sw_if_index=self.pg1.sw_if_index, is_add=1)
2475 # from client to service
2476 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
2477 IP(src=self.pg1.remote_ip4, dst=external_addr) /
2478 TCP(sport=12345, dport=external_port))
2479 self.pg1.add_stream(p)
2480 self.pg_enable_capture(self.pg_interfaces)
2482 capture = self.pg0.get_capture(1)
2487 self.assertEqual(ip.dst, self.pg0.remote_ip4)
2488 self.assertEqual(tcp.dport, local_port)
2489 self.assert_packet_checksums_valid(p)
2491 self.logger.error(ppp("Unexpected or invalid packet:", p))
2494 # from service back to client
2495 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2496 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
2497 TCP(sport=local_port, dport=12345))
2498 self.pg0.add_stream(p)
2499 self.pg_enable_capture(self.pg_interfaces)
2501 capture = self.pg1.get_capture(1)
2506 self.assertEqual(ip.src, external_addr)
2507 self.assertEqual(tcp.sport, external_port)
2508 self.assert_packet_checksums_valid(p)
2510 self.logger.error(ppp("Unexpected or invalid packet:", p))
2513 # from local network host to external network
2514 pkts = self.create_stream_in(self.pg0, self.pg1)
2515 self.pg0.add_stream(pkts)
2516 self.pg_enable_capture(self.pg_interfaces)
2518 capture = self.pg1.get_capture(len(pkts))
2519 self.verify_capture_out(capture, ignore_port=True)
2520 pkts = self.create_stream_in(self.pg0, self.pg1)
2521 self.pg0.add_stream(pkts)
2522 self.pg_enable_capture(self.pg_interfaces)
2524 capture = self.pg1.get_capture(len(pkts))
2525 self.verify_capture_out(capture, ignore_port=True)
2527 # from external network back to local network host
2528 pkts = self.create_stream_out(self.pg1)
2529 self.pg1.add_stream(pkts)
2530 self.pg_enable_capture(self.pg_interfaces)
2532 capture = self.pg0.get_capture(len(pkts))
2533 self.verify_capture_in(capture, self.pg0)
2535 def test_output_feature_and_service3(self):
2536 """ NAT44ED interface output feature and DST NAT """
2537 external_addr = '1.2.3.4'
2541 self.vapi.nat44_forwarding_enable_disable(enable=1)
2542 self.nat_add_address(self.nat_addr)
2543 flags = self.config_flags.NAT_IS_OUT2IN_ONLY
2544 self.nat_add_static_mapping(self.pg1.remote_ip4, external_addr,
2545 local_port, external_port,
2546 proto=IP_PROTOS.tcp, flags=flags)
2548 self.nat_add_inside_interface(self.pg0)
2549 self.nat_add_outside_interface(self.pg0)
2550 self.vapi.nat44_interface_add_del_output_feature(
2551 sw_if_index=self.pg1.sw_if_index, is_add=1)
2553 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2554 IP(src=self.pg0.remote_ip4, dst=external_addr) /
2555 TCP(sport=12345, dport=external_port))
2556 self.pg0.add_stream(p)
2557 self.pg_enable_capture(self.pg_interfaces)
2559 capture = self.pg1.get_capture(1)
2564 self.assertEqual(ip.src, self.pg0.remote_ip4)
2565 self.assertEqual(tcp.sport, 12345)
2566 self.assertEqual(ip.dst, self.pg1.remote_ip4)
2567 self.assertEqual(tcp.dport, local_port)
2568 self.assert_packet_checksums_valid(p)
2570 self.logger.error(ppp("Unexpected or invalid packet:", p))
2573 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
2574 IP(src=self.pg1.remote_ip4, dst=self.pg0.remote_ip4) /
2575 TCP(sport=local_port, dport=12345))
2576 self.pg1.add_stream(p)
2577 self.pg_enable_capture(self.pg_interfaces)
2579 capture = self.pg0.get_capture(1)
2584 self.assertEqual(ip.src, external_addr)
2585 self.assertEqual(tcp.sport, external_port)
2586 self.assertEqual(ip.dst, self.pg0.remote_ip4)
2587 self.assertEqual(tcp.dport, 12345)
2588 self.assert_packet_checksums_valid(p)
2590 self.logger.error(ppp("Unexpected or invalid packet:", p))
2593 def test_self_twice_nat_lb_negative(self):
2594 """ NAT44ED Self Twice NAT local service load balancing (negative test)
2596 self.twice_nat_common(lb=True, self_twice_nat=True, same_pg=True,
2599 def test_self_twice_nat_negative(self):
2600 """ NAT44ED Self Twice NAT (negative test) """
2601 self.twice_nat_common(self_twice_nat=True)
2603 def test_static_lb_multi_clients(self):
2604 """ NAT44ED local service load balancing - multiple clients"""
2606 external_addr = self.nat_addr
2609 server1 = self.pg0.remote_hosts[0]
2610 server2 = self.pg0.remote_hosts[1]
2611 server3 = self.pg0.remote_hosts[2]
2613 locals = [{'addr': server1.ip4,
2617 {'addr': server2.ip4,
2622 flags = self.config_flags.NAT_IS_INSIDE
2623 self.vapi.nat44_interface_add_del_feature(
2624 sw_if_index=self.pg0.sw_if_index,
2625 flags=flags, is_add=1)
2626 self.vapi.nat44_interface_add_del_feature(
2627 sw_if_index=self.pg1.sw_if_index,
2630 self.nat_add_address(self.nat_addr)
2631 self.vapi.nat44_add_del_lb_static_mapping(is_add=1,
2632 external_addr=external_addr,
2633 external_port=external_port,
2634 protocol=IP_PROTOS.tcp,
2635 local_num=len(locals),
2640 clients = ip4_range(self.pg1.remote_ip4, 10, 50)
2642 for client in clients:
2643 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
2644 IP(src=client, dst=self.nat_addr) /
2645 TCP(sport=12345, dport=external_port))
2647 self.pg1.add_stream(pkts)
2648 self.pg_enable_capture(self.pg_interfaces)
2650 capture = self.pg0.get_capture(len(pkts))
2652 if p[IP].dst == server1.ip4:
2656 self.assertGreater(server1_n, server2_n)
2659 'addr': server3.ip4,
2666 self.vapi.nat44_lb_static_mapping_add_del_local(
2668 external_addr=external_addr,
2669 external_port=external_port,
2671 protocol=IP_PROTOS.tcp)
2675 clients = ip4_range(self.pg1.remote_ip4, 60, 110)
2677 for client in clients:
2678 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
2679 IP(src=client, dst=self.nat_addr) /
2680 TCP(sport=12346, dport=external_port))
2682 self.assertGreater(len(pkts), 0)
2683 self.pg1.add_stream(pkts)
2684 self.pg_enable_capture(self.pg_interfaces)
2686 capture = self.pg0.get_capture(len(pkts))
2688 if p[IP].dst == server1.ip4:
2690 elif p[IP].dst == server2.ip4:
2694 self.assertGreater(server1_n, 0)
2695 self.assertGreater(server2_n, 0)
2696 self.assertGreater(server3_n, 0)
2699 'addr': server2.ip4,
2705 # remove one back-end
2706 self.vapi.nat44_lb_static_mapping_add_del_local(
2708 external_addr=external_addr,
2709 external_port=external_port,
2711 protocol=IP_PROTOS.tcp)
2715 self.pg1.add_stream(pkts)
2716 self.pg_enable_capture(self.pg_interfaces)
2718 capture = self.pg0.get_capture(len(pkts))
2720 if p[IP].dst == server1.ip4:
2722 elif p[IP].dst == server2.ip4:
2726 self.assertGreater(server1_n, 0)
2727 self.assertEqual(server2_n, 0)
2728 self.assertGreater(server3_n, 0)
2730 def test_syslog_sess(self):
2731 """ NAT44ED Test syslog session creation and deletion """
2732 self.vapi.syslog_set_filter(
2733 self.syslog_severity.SYSLOG_API_SEVERITY_INFO)
2734 self.vapi.syslog_set_sender(self.pg3.local_ip4, self.pg3.remote_ip4)
2736 self.nat_add_address(self.nat_addr)
2737 self.nat_add_inside_interface(self.pg0)
2738 self.nat_add_outside_interface(self.pg1)
2740 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
2741 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
2742 TCP(sport=self.tcp_port_in, dport=self.tcp_external_port))
2743 self.pg0.add_stream(p)
2744 self.pg_enable_capture(self.pg_interfaces)
2746 capture = self.pg1.get_capture(1)
2747 self.tcp_port_out = capture[0][TCP].sport
2748 capture = self.pg3.get_capture(1)
2749 self.verify_syslog_sess(capture[0][Raw].load)
2751 self.pg_enable_capture(self.pg_interfaces)
2753 self.nat_add_address(self.nat_addr, is_add=0)
2754 capture = self.pg3.get_capture(1)
2755 self.verify_syslog_sess(capture[0][Raw].load, False)
2757 def test_twice_nat_interface_addr(self):
2758 """ NAT44ED Acquire twice NAT addresses from interface """
2759 flags = self.config_flags.NAT_IS_TWICE_NAT
2760 self.vapi.nat44_add_del_interface_addr(
2761 sw_if_index=self.pg11.sw_if_index,
2762 flags=flags, is_add=1)
2764 # no address in NAT pool
2765 adresses = self.vapi.nat44_address_dump()
2766 self.assertEqual(0, len(adresses))
2768 # configure interface address and check NAT address pool
2769 self.pg11.config_ip4()
2770 adresses = self.vapi.nat44_address_dump()
2771 self.assertEqual(1, len(adresses))
2772 self.assertEqual(str(adresses[0].ip_address),
2773 self.pg11.local_ip4)
2774 self.assertEqual(adresses[0].flags, flags)
2776 # remove interface address and check NAT address pool
2777 self.pg11.unconfig_ip4()
2778 adresses = self.vapi.nat44_address_dump()
2779 self.assertEqual(0, len(adresses))
2781 def test_output_feature_stateful_acl(self):
2782 """ NAT44ED output feature works with stateful ACL """
2784 self.nat_add_address(self.nat_addr)
2785 self.vapi.nat44_interface_add_del_output_feature(
2786 sw_if_index=self.pg0.sw_if_index,
2787 flags=self.config_flags.NAT_IS_INSIDE, is_add=1)
2788 self.vapi.nat44_interface_add_del_output_feature(
2789 sw_if_index=self.pg1.sw_if_index,
2790 flags=self.config_flags.NAT_IS_OUTSIDE, is_add=1)
2792 # First ensure that the NAT is working sans ACL
2794 # send packets out2in, no sessions yet so packets should drop
2795 pkts_out2in = self.create_stream_out(self.pg1)
2796 self.send_and_assert_no_replies(self.pg1, pkts_out2in)
2798 # send packets into inside intf, ensure received via outside intf
2799 pkts_in2out = self.create_stream_in(self.pg0, self.pg1)
2800 capture = self.send_and_expect(self.pg0, pkts_in2out, self.pg1,
2802 self.verify_capture_out(capture, ignore_port=True)
2804 # send out2in again, with sessions created it should work now
2805 pkts_out2in = self.create_stream_out(self.pg1)
2806 capture = self.send_and_expect(self.pg1, pkts_out2in, self.pg0,
2808 self.verify_capture_in(capture, self.pg0)
2810 # Create an ACL blocking everything
2811 out2in_deny_rule = AclRule(is_permit=0)
2812 out2in_acl = VppAcl(self, rules=[out2in_deny_rule])
2813 out2in_acl.add_vpp_config()
2815 # create an ACL to permit/reflect everything
2816 in2out_reflect_rule = AclRule(is_permit=2)
2817 in2out_acl = VppAcl(self, rules=[in2out_reflect_rule])
2818 in2out_acl.add_vpp_config()
2820 # apply as input acl on interface and confirm it blocks everything
2821 acl_if = VppAclInterface(self, sw_if_index=self.pg1.sw_if_index,
2822 n_input=1, acls=[out2in_acl])
2823 acl_if.add_vpp_config()
2824 self.send_and_assert_no_replies(self.pg1, pkts_out2in)
2827 acl_if.acls = [out2in_acl, in2out_acl]
2828 acl_if.add_vpp_config()
2829 # send in2out to generate ACL state (NAT state was created earlier)
2830 capture = self.send_and_expect(self.pg0, pkts_in2out, self.pg1,
2832 self.verify_capture_out(capture, ignore_port=True)
2834 # send out2in again. ACL state exists so it should work now.
2835 # TCP packets with the syn flag set also need the ack flag
2836 for p in pkts_out2in:
2837 if p.haslayer(TCP) and p[TCP].flags & 0x02:
2838 p[TCP].flags |= 0x10
2839 capture = self.send_and_expect(self.pg1, pkts_out2in, self.pg0,
2841 self.verify_capture_in(capture, self.pg0)
2842 self.logger.info(self.vapi.cli("show trace"))
2844 def test_tcp_close(self):
2845 """ NAT44ED Close TCP session from inside network - output feature """
2846 old_timeouts = self.vapi.nat_get_timeouts()
2848 self.vapi.nat_set_timeouts(
2849 udp=old_timeouts.udp,
2850 tcp_established=old_timeouts.tcp_established,
2851 icmp=old_timeouts.icmp,
2852 tcp_transitory=new_transitory)
2854 self.vapi.nat44_forwarding_enable_disable(enable=1)
2855 self.nat_add_address(self.pg1.local_ip4)
2856 twice_nat_addr = '10.0.1.3'
2857 service_ip = '192.168.16.150'
2858 self.nat_add_address(twice_nat_addr, twice_nat=1)
2860 flags = self.config_flags.NAT_IS_INSIDE
2861 self.vapi.nat44_interface_add_del_feature(
2862 sw_if_index=self.pg0.sw_if_index,
2864 self.vapi.nat44_interface_add_del_feature(
2865 sw_if_index=self.pg0.sw_if_index,
2866 flags=flags, is_add=1)
2867 self.vapi.nat44_interface_add_del_output_feature(
2869 sw_if_index=self.pg1.sw_if_index)
2871 flags = (self.config_flags.NAT_IS_OUT2IN_ONLY |
2872 self.config_flags.NAT_IS_TWICE_NAT)
2873 self.nat_add_static_mapping(self.pg0.remote_ip4,
2875 proto=IP_PROTOS.tcp,
2877 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
2878 start_sessnum = len(sessions)
2880 # SYN packet out->in
2881 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
2882 IP(src=self.pg1.remote_ip4, dst=service_ip) /
2883 TCP(sport=33898, dport=80, flags="S"))
2884 self.pg1.add_stream(p)
2885 self.pg_enable_capture(self.pg_interfaces)
2887 capture = self.pg0.get_capture(1)
2889 tcp_port = p[TCP].sport
2891 # SYN + ACK packet in->out
2892 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2893 IP(src=self.pg0.remote_ip4, dst=twice_nat_addr) /
2894 TCP(sport=80, dport=tcp_port, flags="SA"))
2895 self.pg0.add_stream(p)
2896 self.pg_enable_capture(self.pg_interfaces)
2898 self.pg1.get_capture(1)
2900 # ACK packet out->in
2901 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
2902 IP(src=self.pg1.remote_ip4, dst=service_ip) /
2903 TCP(sport=33898, dport=80, flags="A"))
2904 self.pg1.add_stream(p)
2905 self.pg_enable_capture(self.pg_interfaces)
2907 self.pg0.get_capture(1)
2909 # FIN packet in -> out
2910 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2911 IP(src=self.pg0.remote_ip4, dst=twice_nat_addr) /
2912 TCP(sport=80, dport=tcp_port, flags="FA", seq=100, ack=300))
2913 self.pg0.add_stream(p)
2914 self.pg_enable_capture(self.pg_interfaces)
2916 self.pg1.get_capture(1)
2918 # FIN+ACK packet out -> in
2919 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
2920 IP(src=self.pg1.remote_ip4, dst=service_ip) /
2921 TCP(sport=33898, dport=80, flags="FA", seq=300, ack=101))
2922 self.pg1.add_stream(p)
2923 self.pg_enable_capture(self.pg_interfaces)
2925 self.pg0.get_capture(1)
2927 # ACK packet in -> out
2928 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2929 IP(src=self.pg0.remote_ip4, dst=twice_nat_addr) /
2930 TCP(sport=80, dport=tcp_port, flags="A", seq=101, ack=301))
2931 self.pg0.add_stream(p)
2932 self.pg_enable_capture(self.pg_interfaces)
2934 self.pg1.get_capture(1)
2936 # session now in transitory timeout
2937 # try SYN packet out->in - should be dropped
2938 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
2939 IP(src=self.pg1.remote_ip4, dst=service_ip) /
2940 TCP(sport=33898, dport=80, flags="S"))
2941 self.pg1.add_stream(p)
2942 self.pg_enable_capture(self.pg_interfaces)
2945 self.sleep(new_transitory, "wait for transitory timeout")
2946 self.pg0.assert_nothing_captured(0)
2948 # session should still exist
2949 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
2950 self.assertEqual(len(sessions) - start_sessnum, 1)
2952 # send FIN+ACK packet out -> in - will cause session to be wiped
2953 # but won't create a new session
2954 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
2955 IP(src=self.pg1.remote_ip4, dst=service_ip) /
2956 TCP(sport=33898, dport=80, flags="FA", seq=300, ack=101))
2957 self.pg1.add_stream(p)
2958 self.pg_enable_capture(self.pg_interfaces)
2961 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
2962 self.assertEqual(len(sessions) - start_sessnum, 0)
2963 self.pg0.assert_nothing_captured(0)
2965 def test_tcp_session_close_in(self):
2966 """ NAT44ED Close TCP session from inside network """
2968 in_port = self.tcp_port_in
2970 ext_port = self.tcp_external_port
2972 self.nat_add_address(self.nat_addr)
2973 self.nat_add_inside_interface(self.pg0)
2974 self.nat_add_outside_interface(self.pg1)
2975 self.nat_add_static_mapping(self.pg0.remote_ip4, self.nat_addr,
2976 in_port, out_port, proto=IP_PROTOS.tcp,
2977 flags=self.config_flags.NAT_IS_TWICE_NAT)
2979 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
2980 session_n = len(sessions)
2982 self.vapi.nat_set_timeouts(udp=300, tcp_established=7440,
2983 tcp_transitory=2, icmp=5)
2985 self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
2987 # FIN packet in -> out
2988 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
2989 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
2990 TCP(sport=in_port, dport=ext_port,
2991 flags="FA", seq=100, ack=300))
2992 self.pg0.add_stream(p)
2993 self.pg_enable_capture(self.pg_interfaces)
2995 self.pg1.get_capture(1)
2999 # ACK packet out -> in
3000 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3001 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3002 TCP(sport=ext_port, dport=out_port,
3003 flags="A", seq=300, ack=101))
3006 # FIN packet out -> in
3007 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3008 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3009 TCP(sport=ext_port, dport=out_port,
3010 flags="FA", seq=300, ack=101))
3013 self.pg1.add_stream(pkts)
3014 self.pg_enable_capture(self.pg_interfaces)
3016 self.pg0.get_capture(2)
3018 # ACK packet in -> out
3019 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3020 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3021 TCP(sport=in_port, dport=ext_port,
3022 flags="A", seq=101, ack=301))
3023 self.pg0.add_stream(p)
3024 self.pg_enable_capture(self.pg_interfaces)
3026 self.pg1.get_capture(1)
3028 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3029 self.assertEqual(len(sessions) - session_n, 1)
3031 out2in_drops = self.get_err_counter(
3032 '/err/nat44-ed-out2in/drops due to TCP in transitory timeout')
3033 in2out_drops = self.get_err_counter(
3034 '/err/nat44-ed-in2out/drops due to TCP in transitory timeout')
3036 # extra FIN packet out -> in - this should be dropped
3037 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3038 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3039 TCP(sport=ext_port, dport=out_port,
3040 flags="FA", seq=300, ack=101))
3042 self.pg1.add_stream(p)
3043 self.pg_enable_capture(self.pg_interfaces)
3045 self.pg0.assert_nothing_captured()
3047 # extra ACK packet in -> out - this should be dropped
3048 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3049 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3050 TCP(sport=in_port, dport=ext_port,
3051 flags="A", seq=101, ack=301))
3052 self.pg0.add_stream(p)
3053 self.pg_enable_capture(self.pg_interfaces)
3055 self.pg1.assert_nothing_captured()
3057 stats = self.get_err_counter(
3058 '/err/nat44-ed-out2in/drops due to TCP in transitory timeout')
3059 self.assertEqual(stats - out2in_drops, 1)
3060 stats = self.get_err_counter(
3061 '/err/nat44-ed-in2out/drops due to TCP in transitory timeout')
3062 self.assertEqual(stats - in2out_drops, 1)
3065 # extra ACK packet in -> out - this will cause session to be wiped
3066 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3067 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3068 TCP(sport=in_port, dport=ext_port,
3069 flags="A", seq=101, ack=301))
3070 self.pg0.add_stream(p)
3071 self.pg_enable_capture(self.pg_interfaces)
3073 self.pg1.assert_nothing_captured()
3074 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3075 self.assertEqual(len(sessions) - session_n, 0)
3077 def test_tcp_session_close_out(self):
3078 """ NAT44ED Close TCP session from outside network """
3080 in_port = self.tcp_port_in
3082 ext_port = self.tcp_external_port
3084 self.nat_add_address(self.nat_addr)
3085 self.nat_add_inside_interface(self.pg0)
3086 self.nat_add_outside_interface(self.pg1)
3087 self.nat_add_static_mapping(self.pg0.remote_ip4, self.nat_addr,
3088 in_port, out_port, proto=IP_PROTOS.tcp,
3089 flags=self.config_flags.NAT_IS_TWICE_NAT)
3091 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3092 session_n = len(sessions)
3094 self.vapi.nat_set_timeouts(udp=300, tcp_established=7440,
3095 tcp_transitory=2, icmp=5)
3097 _ = self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
3099 # FIN packet out -> in
3100 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3101 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3102 TCP(sport=ext_port, dport=out_port,
3103 flags="FA", seq=100, ack=300))
3104 self.pg1.add_stream(p)
3105 self.pg_enable_capture(self.pg_interfaces)
3107 self.pg0.get_capture(1)
3109 # FIN+ACK packet in -> out
3110 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3111 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3112 TCP(sport=in_port, dport=ext_port,
3113 flags="FA", seq=300, ack=101))
3115 self.pg0.add_stream(p)
3116 self.pg_enable_capture(self.pg_interfaces)
3118 self.pg1.get_capture(1)
3120 # ACK packet out -> in
3121 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3122 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3123 TCP(sport=ext_port, dport=out_port,
3124 flags="A", seq=101, ack=301))
3125 self.pg1.add_stream(p)
3126 self.pg_enable_capture(self.pg_interfaces)
3128 self.pg0.get_capture(1)
3130 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3131 self.assertEqual(len(sessions) - session_n, 1)
3133 out2in_drops = self.get_err_counter(
3134 '/err/nat44-ed-out2in/drops due to TCP in transitory timeout')
3135 in2out_drops = self.get_err_counter(
3136 '/err/nat44-ed-in2out/drops due to TCP in transitory timeout')
3138 # extra FIN packet out -> in - this should be dropped
3139 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3140 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3141 TCP(sport=ext_port, dport=out_port,
3142 flags="FA", seq=300, ack=101))
3144 self.pg1.add_stream(p)
3145 self.pg_enable_capture(self.pg_interfaces)
3147 self.pg0.assert_nothing_captured()
3149 # extra ACK packet in -> out - this should be dropped
3150 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3151 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3152 TCP(sport=in_port, dport=ext_port,
3153 flags="A", seq=101, ack=301))
3154 self.pg0.add_stream(p)
3155 self.pg_enable_capture(self.pg_interfaces)
3157 self.pg1.assert_nothing_captured()
3159 stats = self.get_err_counter(
3160 '/err/nat44-ed-out2in/drops due to TCP in transitory timeout')
3161 self.assertEqual(stats - out2in_drops, 1)
3162 stats = self.get_err_counter(
3163 '/err/nat44-ed-in2out/drops due to TCP in transitory timeout')
3164 self.assertEqual(stats - in2out_drops, 1)
3167 # extra ACK packet in -> out - this will cause session to be wiped
3168 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3169 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3170 TCP(sport=in_port, dport=ext_port,
3171 flags="A", seq=101, ack=301))
3172 self.pg0.add_stream(p)
3173 self.pg_enable_capture(self.pg_interfaces)
3175 self.pg1.assert_nothing_captured()
3176 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3177 self.assertEqual(len(sessions) - session_n, 0)
3179 def test_tcp_session_close_simultaneous(self):
3180 """ NAT44ED Close TCP session from inside network """
3182 in_port = self.tcp_port_in
3185 self.nat_add_address(self.nat_addr)
3186 self.nat_add_inside_interface(self.pg0)
3187 self.nat_add_outside_interface(self.pg1)
3188 self.nat_add_static_mapping(self.pg0.remote_ip4, self.nat_addr,
3189 in_port, ext_port, proto=IP_PROTOS.tcp,
3190 flags=self.config_flags.NAT_IS_TWICE_NAT)
3192 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3193 session_n = len(sessions)
3195 self.vapi.nat_set_timeouts(udp=300, tcp_established=7440,
3196 tcp_transitory=2, icmp=5)
3198 out_port = self.init_tcp_session(self.pg0, self.pg1, in_port, ext_port)
3200 # FIN packet in -> out
3201 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3202 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3203 TCP(sport=in_port, dport=ext_port,
3204 flags="FA", seq=100, ack=300))
3205 self.pg0.add_stream(p)
3206 self.pg_enable_capture(self.pg_interfaces)
3208 self.pg1.get_capture(1)
3210 # FIN packet out -> in
3211 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3212 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3213 TCP(sport=ext_port, dport=out_port,
3214 flags="FA", seq=300, ack=100))
3215 self.pg1.add_stream(p)
3216 self.pg_enable_capture(self.pg_interfaces)
3218 self.pg0.get_capture(1)
3220 # ACK packet in -> out
3221 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3222 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3223 TCP(sport=in_port, dport=ext_port,
3224 flags="A", seq=101, ack=301))
3225 self.pg0.add_stream(p)
3226 self.pg_enable_capture(self.pg_interfaces)
3228 self.pg1.get_capture(1)
3230 # ACK packet out -> in
3231 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3232 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3233 TCP(sport=ext_port, dport=out_port,
3234 flags="A", seq=301, ack=101))
3235 self.pg1.add_stream(p)
3236 self.pg_enable_capture(self.pg_interfaces)
3238 self.pg0.get_capture(1)
3240 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3241 self.assertEqual(len(sessions) - session_n, 1)
3243 out2in_drops = self.get_err_counter(
3244 '/err/nat44-ed-out2in/drops due to TCP in transitory timeout')
3245 in2out_drops = self.get_err_counter(
3246 '/err/nat44-ed-in2out/drops due to TCP in transitory timeout')
3248 # extra FIN packet out -> in - this should be dropped
3249 p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
3250 IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
3251 TCP(sport=ext_port, dport=out_port,
3252 flags="FA", seq=300, ack=101))
3254 self.pg1.add_stream(p)
3255 self.pg_enable_capture(self.pg_interfaces)
3257 self.pg0.assert_nothing_captured()
3259 # extra ACK packet in -> out - this should be dropped
3260 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3261 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3262 TCP(sport=in_port, dport=ext_port,
3263 flags="A", seq=101, ack=301))
3264 self.pg0.add_stream(p)
3265 self.pg_enable_capture(self.pg_interfaces)
3267 self.pg1.assert_nothing_captured()
3269 stats = self.get_err_counter(
3270 '/err/nat44-ed-out2in/drops due to TCP in transitory timeout')
3271 self.assertEqual(stats - out2in_drops, 1)
3272 stats = self.get_err_counter(
3273 '/err/nat44-ed-in2out/drops due to TCP in transitory timeout')
3274 self.assertEqual(stats - in2out_drops, 1)
3277 # extra ACK packet in -> out - this will cause session to be wiped
3278 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
3279 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
3280 TCP(sport=in_port, dport=ext_port,
3281 flags="A", seq=101, ack=301))
3282 self.pg0.add_stream(p)
3283 self.pg_enable_capture(self.pg_interfaces)
3285 self.pg1.assert_nothing_captured()
3286 sessions = self.vapi.nat44_user_session_dump(self.pg0.remote_ip4, 0)
3287 self.assertEqual(len(sessions) - session_n, 0)
3289 def test_dynamic_output_feature_vrf(self):
3290 """ NAT44ED dynamic translation test: output-feature, VRF"""
3292 # other then default (0)
3295 self.nat_add_address(self.nat_addr)
3296 flags = self.config_flags.NAT_IS_INSIDE
3297 self.vapi.nat44_interface_add_del_output_feature(
3298 sw_if_index=self.pg7.sw_if_index,
3299 flags=flags, is_add=1)
3300 self.vapi.nat44_interface_add_del_output_feature(
3301 sw_if_index=self.pg8.sw_if_index,
3305 self.configure_ip4_interface(self.pg7, table_id=new_vrf_id)
3306 self.configure_ip4_interface(self.pg8, table_id=new_vrf_id)
3309 tcpn = self.get_stats_counter(
3310 '/nat44-ed/in2out/slowpath/tcp')
3311 udpn = self.get_stats_counter(
3312 '/nat44-ed/in2out/slowpath/udp')
3313 icmpn = self.get_stats_counter(
3314 '/nat44-ed/in2out/slowpath/icmp')
3315 drops = self.get_stats_counter(
3316 '/nat44-ed/in2out/slowpath/drops')
3318 pkts = self.create_stream_in(self.pg7, self.pg8)
3319 self.pg7.add_stream(pkts)
3320 self.pg_enable_capture(self.pg_interfaces)
3322 capture = self.pg8.get_capture(len(pkts))
3323 self.verify_capture_out(capture, ignore_port=True)
3325 if_idx = self.pg7.sw_if_index
3326 cnt = self.get_stats_counter(
3327 '/nat44-ed/in2out/slowpath/tcp')
3328 self.assertEqual(cnt[if_idx] - tcpn[if_idx], 2)
3329 cnt = self.get_stats_counter(
3330 '/nat44-ed/in2out/slowpath/udp')
3331 self.assertEqual(cnt[if_idx] - udpn[if_idx], 1)
3332 cnt = self.get_stats_counter(
3333 '/nat44-ed/in2out/slowpath/icmp')
3334 self.assertEqual(cnt[if_idx] - icmpn[if_idx], 1)
3335 cnt = self.get_stats_counter(
3336 '/nat44-ed/in2out/slowpath/drops')
3337 self.assertEqual(cnt[if_idx] - drops[if_idx], 0)
3340 tcpn = self.get_stats_counter(
3341 '/nat44-ed/out2in/fastpath/tcp')
3342 udpn = self.get_stats_counter(
3343 '/nat44-ed/out2in/fastpath/udp')
3344 icmpn = self.get_stats_counter(
3345 '/nat44-ed/out2in/fastpath/icmp')
3346 drops = self.get_stats_counter(
3347 '/nat44-ed/out2in/fastpath/drops')
3349 pkts = self.create_stream_out(self.pg8)
3350 self.pg8.add_stream(pkts)
3351 self.pg_enable_capture(self.pg_interfaces)
3353 capture = self.pg7.get_capture(len(pkts))
3354 self.verify_capture_in(capture, self.pg7)
3356 if_idx = self.pg8.sw_if_index
3357 cnt = self.get_stats_counter(
3358 '/nat44-ed/out2in/fastpath/tcp')
3359 self.assertEqual(cnt[if_idx] - tcpn[if_idx], 2)
3360 cnt = self.get_stats_counter(
3361 '/nat44-ed/out2in/fastpath/udp')
3362 self.assertEqual(cnt[if_idx] - udpn[if_idx], 1)
3363 cnt = self.get_stats_counter(
3364 '/nat44-ed/out2in/fastpath/icmp')
3365 self.assertEqual(cnt[if_idx] - icmpn[if_idx], 1)
3366 cnt = self.get_stats_counter(
3367 '/nat44-ed/out2in/fastpath/drops')
3368 self.assertEqual(cnt[if_idx] - drops[if_idx], 0)
3370 sessions = self.get_stats_counter('/nat44-ed/total-sessions')
3371 self.assertEqual(sessions[0], 3)
3374 self.configure_ip4_interface(self.pg7, table_id=0)
3375 self.configure_ip4_interface(self.pg8, table_id=0)
3377 self.vapi.ip_table_add_del(is_add=0,
3378 table={'table_id': new_vrf_id})
3380 def test_next_src_nat(self):
3381 """ NAT44ED On way back forward packet to nat44-in2out node. """
3383 twice_nat_addr = '10.0.1.3'
3386 post_twice_nat_port = 0
3388 self.vapi.nat44_forwarding_enable_disable(enable=1)
3389 self.nat_add_address(twice_nat_addr, twice_nat=1)
3390 flags = (self.config_flags.NAT_IS_OUT2IN_ONLY |
3391 self.config_flags.NAT_IS_SELF_TWICE_NAT)
3392 self.nat_add_static_mapping(self.pg6.remote_ip4, self.pg1.remote_ip4,
3393 local_port, external_port,
3394 proto=IP_PROTOS.tcp, vrf_id=1,
3396 self.vapi.nat44_interface_add_del_feature(
3397 sw_if_index=self.pg6.sw_if_index,
3400 p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) /
3401 IP(src=self.pg6.remote_ip4, dst=self.pg1.remote_ip4) /
3402 TCP(sport=12345, dport=external_port))
3403 self.pg6.add_stream(p)
3404 self.pg_enable_capture(self.pg_interfaces)
3406 capture = self.pg6.get_capture(1)
3411 self.assertEqual(ip.src, twice_nat_addr)
3412 self.assertNotEqual(tcp.sport, 12345)
3413 post_twice_nat_port = tcp.sport
3414 self.assertEqual(ip.dst, self.pg6.remote_ip4)
3415 self.assertEqual(tcp.dport, local_port)
3416 self.assert_packet_checksums_valid(p)
3418 self.logger.error(ppp("Unexpected or invalid packet:", p))
3421 p = (Ether(src=self.pg6.remote_mac, dst=self.pg6.local_mac) /
3422 IP(src=self.pg6.remote_ip4, dst=twice_nat_addr) /
3423 TCP(sport=local_port, dport=post_twice_nat_port))
3424 self.pg6.add_stream(p)
3425 self.pg_enable_capture(self.pg_interfaces)
3427 capture = self.pg6.get_capture(1)
3432 self.assertEqual(ip.src, self.pg1.remote_ip4)
3433 self.assertEqual(tcp.sport, external_port)
3434 self.assertEqual(ip.dst, self.pg6.remote_ip4)
3435 self.assertEqual(tcp.dport, 12345)
3436 self.assert_packet_checksums_valid(p)
3438 self.logger.error(ppp("Unexpected or invalid packet:", p))
3441 def test_one_armed_nat44_static(self):
3442 """ NAT44ED One armed NAT and 1:1 NAPT asymmetrical rule """
3444 remote_host = self.pg4.remote_hosts[0]
3445 local_host = self.pg4.remote_hosts[1]
3450 self.vapi.nat44_forwarding_enable_disable(enable=1)
3451 self.nat_add_address(self.nat_addr, twice_nat=1)
3452 flags = (self.config_flags.NAT_IS_OUT2IN_ONLY |
3453 self.config_flags.NAT_IS_TWICE_NAT)
3454 self.nat_add_static_mapping(local_host.ip4, self.nat_addr,
3455 local_port, external_port,
3456 proto=IP_PROTOS.tcp, flags=flags)
3457 flags = self.config_flags.NAT_IS_INSIDE
3458 self.vapi.nat44_interface_add_del_feature(
3459 sw_if_index=self.pg4.sw_if_index,
3461 self.vapi.nat44_interface_add_del_feature(
3462 sw_if_index=self.pg4.sw_if_index,
3463 flags=flags, is_add=1)
3465 # from client to service
3466 p = (Ether(src=self.pg4.remote_mac, dst=self.pg4.local_mac) /
3467 IP(src=remote_host.ip4, dst=self.nat_addr) /
3468 TCP(sport=12345, dport=external_port))
3469 self.pg4.add_stream(p)
3470 self.pg_enable_capture(self.pg_interfaces)
3472 capture = self.pg4.get_capture(1)
3477 self.assertEqual(ip.dst, local_host.ip4)
3478 self.assertEqual(ip.src, self.nat_addr)
3479 self.assertEqual(tcp.dport, local_port)
3480 self.assertNotEqual(tcp.sport, 12345)
3481 eh_port_in = tcp.sport
3482 self.assert_packet_checksums_valid(p)
3484 self.logger.error(ppp("Unexpected or invalid packet:", p))
3487 # from service back to client
3488 p = (Ether(src=self.pg4.remote_mac, dst=self.pg4.local_mac) /
3489 IP(src=local_host.ip4, dst=self.nat_addr) /
3490 TCP(sport=local_port, dport=eh_port_in))
3491 self.pg4.add_stream(p)
3492 self.pg_enable_capture(self.pg_interfaces)
3494 capture = self.pg4.get_capture(1)
3499 self.assertEqual(ip.src, self.nat_addr)
3500 self.assertEqual(ip.dst, remote_host.ip4)
3501 self.assertEqual(tcp.sport, external_port)
3502 self.assertEqual(tcp.dport, 12345)
3503 self.assert_packet_checksums_valid(p)
3505 self.logger.error(ppp("Unexpected or invalid packet:", p))
3509 if __name__ == '__main__':
3510 unittest.main(testRunner=VppTestRunner)
Code Review / vpp.git / blob