6 from framework import VppTestCase
7 from asfframework import VppTestRunner
8 from vpp_ip import DpoProto
9 from vpp_ip_route import VppIpRoute, VppRoutePath
10 from util import fragment_rfc791, fragment_rfc8200
13 from scapy.layers.l2 import Ether
14 from scapy.packet import Raw
15 from scapy.layers.inet import IP, UDP, ICMP, TCP
16 from scapy.layers.inet6 import (
25 class TestMAP(VppTestCase):
30 super(TestMAP, cls).setUpClass()
33 def tearDownClass(cls):
34 super(TestMAP, cls).tearDownClass()
37 super(TestMAP, self).setUp()
39 # create 2 pg interfaces
40 self.create_pg_interfaces(range(4))
42 # pg0 is 'inside' IPv4
45 self.pg0.resolve_arp()
46 self.pg0.generate_remote_hosts(2)
47 self.pg0.configure_ipv4_neighbors()
49 # pg1 is 'outside' IPv6
52 self.pg1.generate_remote_hosts(4)
53 self.pg1.configure_ipv6_neighbors()
56 super(TestMAP, self).tearDown()
58 for i in self.pg_interfaces:
60 self.vapi.map_if_enable_disable(
61 is_enable=0, sw_if_index=i.sw_if_index, is_translation=t
67 def send_and_assert_encapped(self, packets, ip6_src, ip6_dst, dmac=None):
69 dmac = self.pg1.remote_mac
71 self.pg0.add_stream(packets)
73 self.pg_enable_capture(self.pg_interfaces)
76 capture = self.pg1.get_capture(len(packets))
77 for rx, tx in zip(capture, packets):
78 self.assertEqual(rx[Ether].dst, dmac)
79 self.assertEqual(rx[IP].src, tx[IP].src)
80 self.assertEqual(rx[IPv6].src, ip6_src)
81 self.assertEqual(rx[IPv6].dst, ip6_dst)
83 def send_and_assert_encapped_one(self, packet, ip6_src, ip6_dst, dmac=None):
84 return self.send_and_assert_encapped([packet], ip6_src, ip6_dst, dmac)
86 def test_api_map_domain_dump(self):
88 map_src = "3000::1/128"
89 client_pfx = "192.168.0.0/16"
91 index = self.vapi.map_add_domain(
92 ip4_prefix=client_pfx, ip6_prefix=map_dst, ip6_src=map_src, tag=tag
94 rv = self.vapi.map_domain_dump()
96 # restore the state early so as to not impact subsequent tests.
97 # If an assert fails, we will not get the chance to do it at the end.
98 self.vapi.map_del_domain(index=index)
100 self.assertGreater(len(rv), 0, "Expected output from 'map_domain_dump'")
102 # typedefs are returned as ipaddress objects.
103 # wrap results in str() ugh! to avoid the need to call unicode.
104 self.assertEqual(str(rv[0].ip4_prefix), client_pfx)
105 self.assertEqual(str(rv[0].ip6_prefix), map_dst)
106 self.assertEqual(str(rv[0].ip6_src), map_src)
108 self.assertEqual(rv[0].tag, tag, "output produced incorrect tag value.")
110 def create_domains(self, ip4_pfx_str, ip6_pfx_str, ip6_src_str):
111 ip4_pfx = ipaddress.ip_network(ip4_pfx_str)
112 ip6_dst = ipaddress.ip_network(ip6_pfx_str)
113 mod = ip4_pfx.num_addresses / 1024
115 for i in range(ip4_pfx.num_addresses):
116 rv = self.vapi.map_add_domain(
117 ip6_prefix=ip6_pfx_str,
118 ip4_prefix=str(ip4_pfx[i]) + "/32",
121 indicies.append(rv.index)
124 def test_api_map_domains_get(self):
125 # Create a bunch of domains
126 no_domains = 4096 # This must be large enough to ensure VPP suspends
127 domains = self.create_domains("130.67.0.0/20", "2001::/32", "2001::1/128")
128 self.assertEqual(len(domains), no_domains)
134 rv, details = self.vapi.map_domains_get(cursor=no_domains + 10)
135 self.assertEqual(rv.retval, -7)
137 # Delete a domain in the middle of walk
138 rv, details = self.vapi.map_domains_get(cursor=0)
139 self.assertEqual(rv.retval, -165)
140 self.vapi.map_del_domain(index=rv.cursor)
141 domains.remove(rv.cursor)
143 # Continue at point of deleted cursor
144 rv, details = self.vapi.map_domains_get(cursor=rv.cursor)
145 self.assertIn(rv.retval, [0, -165])
147 d = list(self.vapi.vpp.details_iter(self.vapi.map_domains_get))
148 self.assertEqual(len(d), no_domains - 1)
152 self.vapi.map_del_domain(index=i)
154 def test_map_e_udp(self):
158 # Add a route to the MAP-BR
160 map_br_pfx = "2001::"
162 map_route = VppIpRoute(
166 [VppRoutePath(self.pg1.remote_ip6, self.pg1.sw_if_index)],
168 map_route.add_vpp_config()
171 # Add a domain that maps from pg0 to pg1
173 map_dst = "2001::/32"
174 map_src = "3000::1/128"
175 client_pfx = "192.168.0.0/16"
176 map_translated_addr = "2001:0:101:7000:0:c0a8:101:7"
178 self.vapi.map_add_domain(
179 ip4_prefix=client_pfx,
188 self.vapi.map_param_set_security_check(enable=1, fragments=1)
190 # Enable MAP on interface.
191 self.vapi.map_if_enable_disable(
192 is_enable=1, sw_if_index=self.pg0.sw_if_index, is_translation=0
195 # Ensure MAP doesn't steal all packets!
197 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
198 / IP(src=self.pg0.remote_ip4, dst=self.pg0.remote_ip4)
199 / UDP(sport=20000, dport=10000)
202 rx = self.send_and_expect(self.pg0, v4 * 4, self.pg0)
206 self.validate(p[1], v4_reply)
209 # Fire in a v4 packet that will be encapped to the BR
212 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
213 / IP(src=self.pg0.remote_ip4, dst="192.168.1.1")
214 / UDP(sport=20000, dport=10000)
218 self.send_and_assert_encapped(v4 * 4, "3000::1", map_translated_addr)
221 # Verify reordered fragments are able to pass as well
224 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
225 / IP(id=1, src=self.pg0.remote_ip4, dst="192.168.1.1")
226 / UDP(sport=20000, dport=10000)
227 / Raw(b"\xa5" * 1000)
230 frags = fragment_rfc791(v4, 400)
233 self.send_and_assert_encapped(frags, "3000::1", map_translated_addr)
235 # Enable MAP on interface.
236 self.vapi.map_if_enable_disable(
237 is_enable=1, sw_if_index=self.pg1.sw_if_index, is_translation=0
240 # Ensure MAP doesn't steal all packets
242 Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
243 / IPv6(src=self.pg1.remote_ip6, dst=self.pg1.remote_ip6)
244 / UDP(sport=20000, dport=10000)
247 rx = self.send_and_expect(self.pg1, v6 * 1, self.pg1)
251 self.validate(p[1], v6_reply)
254 # Fire in a V6 encapped packet.
255 # expect a decapped packet on the inside ip4 link
258 Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
259 / IPv6(dst="3000::1", src=map_translated_addr)
260 / IP(dst=self.pg0.remote_ip4, src="192.168.1.1")
261 / UDP(sport=10000, dport=20000)
265 self.pg1.add_stream(p)
267 self.pg_enable_capture(self.pg_interfaces)
270 rx = self.pg0.get_capture(1)
273 self.assertFalse(rx.haslayer(IPv6))
274 self.assertEqual(rx[IP].src, p[IP].src)
275 self.assertEqual(rx[IP].dst, p[IP].dst)
278 # Verify encapped reordered fragments pass as well
281 IP(id=1, dst=self.pg0.remote_ip4, src="192.168.1.1")
282 / UDP(sport=10000, dport=20000)
283 / Raw(b"\xa5" * 1500)
285 frags = fragment_rfc791(p, 400)
289 Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
290 / IPv6(dst="3000::1", src=map_translated_addr)
295 self.pg1.add_stream(stream)
297 self.pg_enable_capture(self.pg_interfaces)
300 rx = self.pg0.get_capture(len(frags))
303 self.assertFalse(r.haslayer(IPv6))
304 self.assertEqual(r[IP].src, p[IP].src)
305 self.assertEqual(r[IP].dst, p[IP].dst)
307 # Verify that fragments pass even if ipv6 layer is fragmented
308 stream = (IPv6(dst="3000::1", src=map_translated_addr) / x for x in frags)
311 Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) / x
312 for i in range(len(frags))
313 for x in fragment_rfc8200(
314 IPv6(dst="3000::1", src=map_translated_addr) / frags[i], i, 200
318 self.pg1.add_stream(v6_stream)
320 self.pg_enable_capture(self.pg_interfaces)
323 rx = self.pg0.get_capture(len(frags))
326 self.assertFalse(r.haslayer(IPv6))
327 self.assertEqual(r[IP].src, p[IP].src)
328 self.assertEqual(r[IP].dst, p[IP].dst)
331 # Pre-resolve. No API for this!!
333 self.vapi.ppcli("map params pre-resolve ip6-nh 4001::1")
335 self.send_and_assert_no_replies(self.pg0, v4, "resolved via default route")
338 # Add a route to 4001::1. Expect the encapped traffic to be
339 # sent via that routes next-hop
341 pre_res_route = VppIpRoute(
345 [VppRoutePath(self.pg1.remote_hosts[2].ip6, self.pg1.sw_if_index)],
347 pre_res_route.add_vpp_config()
349 self.send_and_assert_encapped_one(
350 v4, "3000::1", map_translated_addr, dmac=self.pg1.remote_hosts[2].mac
354 # change the route to the pre-solved next-hop
356 pre_res_route.modify(
357 [VppRoutePath(self.pg1.remote_hosts[3].ip6, self.pg1.sw_if_index)]
359 pre_res_route.add_vpp_config()
361 self.send_and_assert_encapped_one(
362 v4, "3000::1", map_translated_addr, dmac=self.pg1.remote_hosts[3].mac
366 # cleanup. The test infra's object registry will ensure
367 # the route is really gone and thus that the unresolve worked.
369 pre_res_route.remove_vpp_config()
370 self.vapi.ppcli("map params pre-resolve del ip6-nh 4001::1")
372 def test_map_e_inner_frag(self):
373 """MAP-E Inner fragmentation"""
376 # Add a route to the MAP-BR
378 map_br_pfx = "2001::"
380 map_route = VppIpRoute(
384 [VppRoutePath(self.pg1.remote_ip6, self.pg1.sw_if_index)],
386 map_route.add_vpp_config()
389 # Add a domain that maps from pg0 to pg1
391 map_dst = "2001::/32"
392 map_src = "3000::1/128"
393 client_pfx = "192.168.0.0/16"
394 map_translated_addr = "2001:0:101:7000:0:c0a8:101:7"
396 self.vapi.map_add_domain(
397 ip4_prefix=client_pfx,
407 # Enable MAP on interface.
408 self.vapi.map_if_enable_disable(
409 is_enable=1, sw_if_index=self.pg0.sw_if_index, is_translation=0
412 # Enable inner fragmentation
413 self.vapi.map_param_set_fragmentation(inner=1)
416 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
417 / IP(src=self.pg0.remote_ip4, dst="192.168.1.1")
418 / UDP(sport=20000, dport=10000)
419 / Raw(b"\xa5" * 1300)
422 self.pg_send(self.pg0, v4 * 1)
423 rx = self.pg1.get_capture(2)
425 # 1000-sizeof(ip6_header_t) = 960.
426 frags = fragment_rfc791(v4[1], 960)
434 v6_reply1 = IPv6(src="3000::1", dst=map_translated_addr, hlim=63) / frags[0]
435 v6_reply2 = IPv6(src="3000::1", dst=map_translated_addr, hlim=63) / frags[1]
440 rx[0][1][IP].chksum = 0
441 rx[1][1][IP].chksum = 0
443 self.validate(rx[0][1], v6_reply1)
444 self.validate(rx[1][1], v6_reply2)
446 def test_map_e_tcp_mss(self):
450 # Add a route to the MAP-BR
452 map_br_pfx = "2001::"
454 map_route = VppIpRoute(
458 [VppRoutePath(self.pg1.remote_ip6, self.pg1.sw_if_index)],
460 map_route.add_vpp_config()
463 # Add a domain that maps from pg0 to pg1
465 map_dst = "2001::/32"
466 map_src = "3000::1/128"
467 client_pfx = "192.168.0.0/16"
468 map_translated_addr = "2001:0:101:5000:0:c0a8:101:5"
469 tag = "MAP-E TCP tag."
470 self.vapi.map_add_domain(
471 ip4_prefix=client_pfx,
480 # Enable MAP on pg0 interface.
481 self.vapi.map_if_enable_disable(
482 is_enable=1, sw_if_index=self.pg0.sw_if_index, is_translation=0
485 # Enable MAP on pg1 interface.
486 self.vapi.map_if_enable_disable(
487 is_enable=1, sw_if_index=self.pg1.sw_if_index, is_translation=0
492 self.vapi.map_param_set_tcp(mss_clamp)
495 # Send a v4 packet that will be encapped.
497 p_ether = Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
498 p_ip4 = IP(src=self.pg0.remote_ip4, dst="192.168.1.1")
499 p_tcp = TCP(sport=20000, dport=30000, flags="S", options=[("MSS", 1455)])
500 p4 = p_ether / p_ip4 / p_tcp
502 self.pg1.add_stream(p4)
503 self.pg_enable_capture(self.pg_interfaces)
506 rx = self.pg1.get_capture(1)
509 self.assertTrue(rx.haslayer(IPv6))
510 self.assertEqual(rx[IP].src, p4[IP].src)
511 self.assertEqual(rx[IP].dst, p4[IP].dst)
512 self.assertEqual(rx[IPv6].src, "3000::1")
513 self.assertEqual(rx[TCP].options, TCP(options=[("MSS", mss_clamp)]).options)
515 def validate(self, rx, expected):
516 self.assertEqual(rx, expected.__class__(scapy.compat.raw(expected)))
518 def validate_frag6(self, p6_frag, p_ip6_expected):
519 self.assertFalse(p6_frag.haslayer(IP))
520 self.assertTrue(p6_frag.haslayer(IPv6))
521 self.assertTrue(p6_frag.haslayer(IPv6ExtHdrFragment))
522 self.assertEqual(p6_frag[IPv6].src, p_ip6_expected.src)
523 self.assertEqual(p6_frag[IPv6].dst, p_ip6_expected.dst)
525 def validate_frag_payload_len6(self, rx, proto, payload_len_expected):
528 payload_total += p[IPv6].plen
530 # First fragment has proto
531 payload_total -= len(proto())
533 # Every fragment has IPv6 fragment header
534 payload_total -= len(IPv6ExtHdrFragment()) * len(rx)
536 self.assertEqual(payload_total, payload_len_expected)
538 def validate_frag4(self, p4_frag, p_ip4_expected):
539 self.assertFalse(p4_frag.haslayer(IPv6))
540 self.assertTrue(p4_frag.haslayer(IP))
541 self.assertTrue(p4_frag[IP].frag != 0 or p4_frag[IP].flags.MF)
542 self.assertEqual(p4_frag[IP].src, p_ip4_expected.src)
543 self.assertEqual(p4_frag[IP].dst, p_ip4_expected.dst)
545 def validate_frag_payload_len4(self, rx, proto, payload_len_expected):
548 payload_total += len(p[IP].payload)
550 # First fragment has proto
551 payload_total -= len(proto())
553 self.assertEqual(payload_total, payload_len_expected)
555 def payload(self, len):
558 def test_map_t(self):
562 # Add a domain that maps from pg0 to pg1
564 map_dst = "2001:db8::/32"
565 map_src = "1234:5678:90ab:cdef::/64"
566 ip4_pfx = "192.168.0.0/24"
569 self.vapi.map_add_domain(
580 # Enable MAP-T on interfaces.
581 self.vapi.map_if_enable_disable(
582 is_enable=1, sw_if_index=self.pg0.sw_if_index, is_translation=1
584 self.vapi.map_if_enable_disable(
585 is_enable=1, sw_if_index=self.pg1.sw_if_index, is_translation=1
588 # Ensure MAP doesn't steal all packets!
590 Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
591 / IP(src=self.pg0.remote_ip4, dst=self.pg0.remote_ip4)
592 / UDP(sport=20000, dport=10000)
595 rx = self.send_and_expect(self.pg0, v4 * 1, self.pg0)
599 self.validate(p[1], v4_reply)
600 # Ensure MAP doesn't steal all packets
602 Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
603 / IPv6(src=self.pg1.remote_ip6, dst=self.pg1.remote_ip6)
604 / UDP(sport=20000, dport=10000)
607 rx = self.send_and_expect(self.pg1, v6 * 1, self.pg1)
611 self.validate(p[1], v6_reply)
613 map_route = VppIpRoute(
620 self.pg1.sw_if_index,
621 proto=DpoProto.DPO_PROTO_IP6,
625 map_route.add_vpp_config()
628 # Send a v4 packet that will be translated
630 p_ether = Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
631 p_ip4 = IP(src=self.pg0.remote_ip4, dst="192.168.0.1")
632 payload = TCP(sport=0xABCD, dport=0xABCD)
634 p4 = p_ether / p_ip4 / payload
636 IPv6(src="1234:5678:90ab:cdef:ac:1001:200:0", dst="2001:db8:1f0::c0a8:1:f")
639 p6_translated.hlim -= 1
640 rx = self.send_and_expect(self.pg0, p4 * 1, self.pg1)
642 self.validate(p[1], p6_translated)
644 # Send back an IPv6 packet that will be "untranslated"
645 p_ether6 = Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
647 src="2001:db8:1f0::c0a8:1:f", dst="1234:5678:90ab:cdef:ac:1001:200:0"
649 p6 = p_ether6 / p_ip6 / payload
650 p4_translated = IP(src="192.168.0.1", dst=self.pg0.remote_ip4) / payload
652 p4_translated.ttl -= 1
653 rx = self.send_and_expect(self.pg1, p6 * 1, self.pg0)
655 self.validate(p[1], p4_translated)
658 ip4_ttl_expired = IP(src=self.pg0.remote_ip4, dst="192.168.0.1", ttl=0)
659 p4 = p_ether / ip4_ttl_expired / payload
662 IP(id=0, ttl=255, src=self.pg0.local_ip4, dst=self.pg0.remote_ip4)
663 / ICMP(type="time-exceeded", code="ttl-zero-during-transit")
664 / IP(src=self.pg0.remote_ip4, dst="192.168.0.1", ttl=0)
667 rx = self.send_and_expect(self.pg0, p4 * 1, self.pg0)
669 self.validate(p[1], icmp4_reply)
672 ip4_ttl_expired = IP(src=self.pg0.remote_ip4, dst="192.168.0.1", ttl=1)
673 p4 = p_ether / ip4_ttl_expired / payload
676 IP(id=0, ttl=255, src=self.pg0.local_ip4, dst=self.pg0.remote_ip4)
677 / ICMP(type="time-exceeded", code="ttl-zero-during-transit")
678 / IP(src=self.pg0.remote_ip4, dst="192.168.0.1", ttl=1)
681 rx = self.send_and_expect(self.pg0, p4 * 1, self.pg0)
683 self.validate(p[1], icmp4_reply)
685 # IPv6 Hop limit at BR
686 ip6_hlim_expired = IPv6(
688 src="2001:db8:1ab::c0a8:1:ab",
689 dst="1234:5678:90ab:cdef:ac:1001:200:0",
691 p6 = p_ether6 / ip6_hlim_expired / payload
694 IPv6(hlim=255, src=self.pg1.local_ip6, dst="2001:db8:1ab::c0a8:1:ab")
695 / ICMPv6TimeExceeded(code=0)
697 src="2001:db8:1ab::c0a8:1:ab",
698 dst="1234:5678:90ab:cdef:ac:1001:200:0",
703 rx = self.send_and_expect(self.pg1, p6 * 1, self.pg1)
705 self.validate(p[1], icmp6_reply)
707 # IPv6 Hop limit beyond BR
708 ip6_hlim_expired = IPv6(
710 src="2001:db8:1ab::c0a8:1:ab",
711 dst="1234:5678:90ab:cdef:ac:1001:200:0",
713 p6 = p_ether6 / ip6_hlim_expired / payload
716 IPv6(hlim=255, src=self.pg1.local_ip6, dst="2001:db8:1ab::c0a8:1:ab")
717 / ICMPv6TimeExceeded(code=0)
719 src="2001:db8:1ab::c0a8:1:ab",
720 dst="1234:5678:90ab:cdef:ac:1001:200:0",
725 rx = self.send_and_expect(self.pg1, p6 * 1, self.pg1)
727 self.validate(p[1], icmp6_reply)
729 # IPv4 Well-known port
730 p_ip4 = IP(src=self.pg0.remote_ip4, dst="192.168.0.1")
731 payload = UDP(sport=200, dport=200)
732 p4 = p_ether / p_ip4 / payload
733 self.send_and_assert_no_replies(self.pg0, p4 * 1)
735 # IPv6 Well-known port
736 payload = UDP(sport=200, dport=200)
737 p6 = p_ether6 / p_ip6 / payload
738 self.send_and_assert_no_replies(self.pg1, p6 * 1)
740 # UDP packet fragmentation
742 payload = UDP(sport=40000, dport=4000) / self.payload(payload_len)
743 p4 = p_ether / p_ip4 / payload
744 self.pg_enable_capture()
745 self.pg0.add_stream(p4)
747 rx = self.pg1.get_capture(2)
749 p_ip6_translated = IPv6(
750 src="1234:5678:90ab:cdef:ac:1001:200:0", dst="2001:db8:1e0::c0a8:1:e"
753 self.validate_frag6(p, p_ip6_translated)
755 self.validate_frag_payload_len6(rx, UDP, payload_len)
757 # UDP packet fragmentation send fragments
759 payload = UDP(sport=40000, dport=4000) / self.payload(payload_len)
760 p4 = p_ether / p_ip4 / payload
761 frags = fragment_rfc791(p4, fragsize=1000)
762 self.pg_enable_capture()
763 self.pg0.add_stream(frags)
765 rx = self.pg1.get_capture(2)
768 self.validate_frag6(p, p_ip6_translated)
770 self.validate_frag_payload_len6(rx, UDP, payload_len)
772 # Send back an fragmented IPv6 UDP packet that will be "untranslated"
773 payload = UDP(sport=4000, dport=40000) / self.payload(payload_len)
774 p_ether6 = Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
776 src="2001:db8:1e0::c0a8:1:e", dst="1234:5678:90ab:cdef:ac:1001:200:0"
778 p6 = p_ether6 / p_ip6 / payload
779 frags6 = fragment_rfc8200(p6, identification=0xDCBA, fragsize=1000)
781 p_ip4_translated = IP(src="192.168.0.1", dst=self.pg0.remote_ip4)
782 p4_translated = p_ip4_translated / payload
784 p4_translated.ttl -= 1
786 self.pg_enable_capture()
787 self.pg1.add_stream(frags6)
789 rx = self.pg0.get_capture(2)
792 self.validate_frag4(p, p4_translated)
794 self.validate_frag_payload_len4(rx, UDP, payload_len)
796 # ICMP packet fragmentation
797 payload = ICMP(id=6529) / self.payload(payload_len)
798 p4 = p_ether / p_ip4 / payload
799 self.pg_enable_capture()
800 self.pg0.add_stream(p4)
802 rx = self.pg1.get_capture(2)
804 p_ip6_translated = IPv6(
805 src="1234:5678:90ab:cdef:ac:1001:200:0", dst="2001:db8:160::c0a8:1:6"
808 self.validate_frag6(p, p_ip6_translated)
810 self.validate_frag_payload_len6(rx, ICMPv6EchoRequest, payload_len)
812 # ICMP packet fragmentation send fragments
813 payload = ICMP(id=6529) / self.payload(payload_len)
814 p4 = p_ether / p_ip4 / payload
815 frags = fragment_rfc791(p4, fragsize=1000)
816 self.pg_enable_capture()
817 self.pg0.add_stream(frags)
819 rx = self.pg1.get_capture(2)
822 self.validate_frag6(p, p_ip6_translated)
824 self.validate_frag_payload_len6(rx, ICMPv6EchoRequest, payload_len)
827 self.vapi.map_param_set_tcp(1300)
830 # Send a v4 TCP SYN packet that will be translated and MSS clamped
832 p_ether = Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
833 p_ip4 = IP(src=self.pg0.remote_ip4, dst="192.168.0.1")
834 payload = TCP(sport=0xABCD, dport=0xABCD, flags="S", options=[("MSS", 1460)])
836 p4 = p_ether / p_ip4 / payload
838 IPv6(src="1234:5678:90ab:cdef:ac:1001:200:0", dst="2001:db8:1f0::c0a8:1:f")
841 p6_translated.hlim -= 1
842 p6_translated[TCP].options = [("MSS", 1300)]
843 rx = self.send_and_expect(self.pg0, p4 * 1, self.pg1)
845 self.validate(p[1], p6_translated)
847 # Send back an IPv6 packet that will be "untranslated"
848 p_ether6 = Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
850 src="2001:db8:1f0::c0a8:1:f", dst="1234:5678:90ab:cdef:ac:1001:200:0"
852 p6 = p_ether6 / p_ip6 / payload
853 p4_translated = IP(src="192.168.0.1", dst=self.pg0.remote_ip4) / payload
855 p4_translated.ttl -= 1
856 p4_translated[TCP].options = [("MSS", 1300)]
857 rx = self.send_and_expect(self.pg1, p6 * 1, self.pg0)
859 self.validate(p[1], p4_translated)
861 # TCP MSS clamping cleanup
862 self.vapi.map_param_set_tcp(0)
864 # Enable icmp6 param to get back ICMPv6 unreachable messages in case
865 # of security check fails
866 self.vapi.map_param_set_icmp6(enable_unreachable=1)
868 # Send back an IPv6 packet that will be droppped due to security
870 p_ether6 = Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
871 p_ip6_sec_check_fail = IPv6(
872 src="2001:db8:1fe::c0a8:1:f", dst="1234:5678:90ab:cdef:ac:1001:200:0"
874 payload = TCP(sport=0xABCD, dport=0xABCD)
875 p6 = p_ether6 / p_ip6_sec_check_fail / payload
877 self.pg_send(self.pg1, p6 * 1)
878 self.pg0.get_capture(0, timeout=1)
879 rx = self.pg1.get_capture(1)
882 IPv6(hlim=255, src=self.pg1.local_ip6, dst="2001:db8:1fe::c0a8:1:f")
883 / ICMPv6DestUnreach(code=5)
884 / p_ip6_sec_check_fail
889 self.validate(p[1], icmp6_reply)
891 # ICMPv6 unreachable messages cleanup
892 self.vapi.map_param_set_icmp6(enable_unreachable=0)
894 def test_map_t_ip6_psid(self):
895 """MAP-T v6->v4 PSID validation"""
898 # Add a domain that maps from pg0 to pg1
900 map_dst = "2001:db8::/32"
901 map_src = "1234:5678:90ab:cdef::/64"
902 ip4_pfx = "192.168.0.0/24"
903 tag = "MAP-T Test Domain"
905 self.vapi.map_add_domain(
916 # Enable MAP-T on interfaces.
917 self.vapi.map_if_enable_disable(
918 is_enable=1, sw_if_index=self.pg0.sw_if_index, is_translation=1
920 self.vapi.map_if_enable_disable(
921 is_enable=1, sw_if_index=self.pg1.sw_if_index, is_translation=1
924 map_route = VppIpRoute(
931 self.pg1.sw_if_index,
932 proto=DpoProto.DPO_PROTO_IP6,
936 map_route.add_vpp_config()
938 p_ether6 = Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
940 src="2001:db8:1f0::c0a8:1:f", dst="1234:5678:90ab:cdef:ac:1001:200:0"
943 # Send good IPv6 source port, ensure translated IPv4 received
944 payload = TCP(sport=0xABCD, dport=80)
945 p6 = p_ether6 / p_ip6 / payload
946 p4_translated = IP(src="192.168.0.1", dst=self.pg0.remote_ip4) / payload
948 p4_translated.ttl -= 1
949 rx = self.send_and_expect(self.pg1, p6 * 1, self.pg0)
951 self.validate(p[1], p4_translated)
953 # Send bad IPv6 source port, ensure translated IPv4 not received
954 payload = TCP(sport=0xDCBA, dport=80)
955 p6 = p_ether6 / p_ip6 / payload
956 self.send_and_assert_no_replies(self.pg1, p6 * 1)
958 def test_map_t_pre_resolve(self):
959 """MAP-T pre-resolve"""
961 # Add a domain that maps from pg0 to pg1
962 map_dst = "2001:db8::/32"
963 map_src = "1234:5678:90ab:cdef::/64"
964 ip4_pfx = "192.168.0.0/24"
965 tag = "MAP-T Test Domain."
967 self.vapi.map_add_domain(
978 # Enable MAP-T on interfaces.
979 self.vapi.map_if_enable_disable(
980 is_enable=1, sw_if_index=self.pg0.sw_if_index, is_translation=1
982 self.vapi.map_if_enable_disable(
983 is_enable=1, sw_if_index=self.pg1.sw_if_index, is_translation=1
986 # Enable pre-resolve option
987 self.vapi.map_param_add_del_pre_resolve(
988 ip4_nh_address="10.1.2.3", ip6_nh_address="4001::1", is_add=1
991 # Add a route to 4001::1 and expect the translated traffic to be
992 # sent via that route next-hop.
993 pre_res_route6 = VppIpRoute(
997 [VppRoutePath(self.pg1.remote_hosts[2].ip6, self.pg1.sw_if_index)],
999 pre_res_route6.add_vpp_config()
1001 # Add a route to 10.1.2.3 and expect the "untranslated" traffic to be
1002 # sent via that route next-hop.
1003 pre_res_route4 = VppIpRoute(
1007 [VppRoutePath(self.pg0.remote_hosts[1].ip4, self.pg0.sw_if_index)],
1009 pre_res_route4.add_vpp_config()
1011 # Send an IPv4 packet that will be translated
1012 p_ether = Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
1013 p_ip4 = IP(src=self.pg0.remote_ip4, dst="192.168.0.1")
1014 payload = TCP(sport=0xABCD, dport=0xABCD)
1015 p4 = p_ether / p_ip4 / payload
1018 IPv6(src="1234:5678:90ab:cdef:ac:1001:200:0", dst="2001:db8:1f0::c0a8:1:f")
1021 p6_translated.hlim -= 1
1023 rx = self.send_and_expect(self.pg0, p4 * 1, self.pg1)
1025 self.assertEqual(p[Ether].dst, self.pg1.remote_hosts[2].mac)
1026 self.validate(p[1], p6_translated)
1028 # Send back an IPv6 packet that will be "untranslated"
1029 p_ether6 = Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
1031 src="2001:db8:1f0::c0a8:1:f", dst="1234:5678:90ab:cdef:ac:1001:200:0"
1033 p6 = p_ether6 / p_ip6 / payload
1035 p4_translated = IP(src="192.168.0.1", dst=self.pg0.remote_ip4) / payload
1036 p4_translated.id = 0
1037 p4_translated.ttl -= 1
1039 rx = self.send_and_expect(self.pg1, p6 * 1, self.pg0)
1041 self.assertEqual(p[Ether].dst, self.pg0.remote_hosts[1].mac)
1042 self.validate(p[1], p4_translated)
1044 # Cleanup pre-resolve option
1045 self.vapi.map_param_add_del_pre_resolve(
1046 ip4_nh_address="10.1.2.3", ip6_nh_address="4001::1", is_add=0
1050 if __name__ == "__main__":
1051 unittest.main(testRunner=VppTestRunner)
Code Review / vpp.git / blob