6 from framework import VppTestCase, VppTestRunner
8 from scapy.layers.inet import IP, TCP, UDP, ICMP
9 from scapy.layers.l2 import Ether
13 class TestSNAT(VppTestCase):
14 """ SNAT Test Cases """
18 super(TestSNAT, cls).setUpClass()
21 cls.tcp_port_in = 6303
22 cls.tcp_port_out = 6303
23 cls.udp_port_in = 6304
24 cls.udp_port_out = 6304
26 cls.icmp_id_out = 6305
27 cls.snat_addr = '10.0.0.3'
29 cls.create_pg_interfaces(range(7))
30 cls.interfaces = list(cls.pg_interfaces[0:4])
32 for i in cls.interfaces:
37 cls.pg0.generate_remote_hosts(2)
38 cls.pg0.configure_ipv4_neighbors()
40 cls.overlapping_interfaces = list(list(cls.pg_interfaces[4:7]))
42 for i in cls.overlapping_interfaces:
43 i._local_ip4 = "172.16.255.1"
44 i._local_ip4n = socket.inet_pton(socket.AF_INET, i.local_ip4)
45 i._remote_hosts[0]._ip4 = "172.16.255.2"
46 i.set_table_ip4(i.sw_if_index)
52 super(TestSNAT, cls).tearDownClass()
55 def create_stream_in(self, in_if, out_if):
57 Create packet stream for inside network
59 :param in_if: Inside interface
60 :param out_if: Outside interface
64 p = (Ether(dst=in_if.local_mac, src=in_if.remote_mac) /
65 IP(src=in_if.remote_ip4, dst=out_if.remote_ip4) /
66 TCP(sport=self.tcp_port_in))
70 p = (Ether(dst=in_if.local_mac, src=in_if.remote_mac) /
71 IP(src=in_if.remote_ip4, dst=out_if.remote_ip4) /
72 UDP(sport=self.udp_port_in))
76 p = (Ether(dst=in_if.local_mac, src=in_if.remote_mac) /
77 IP(src=in_if.remote_ip4, dst=out_if.remote_ip4) /
78 ICMP(id=self.icmp_id_in, type='echo-request'))
83 def create_stream_out(self, out_if, dst_ip=None):
85 Create packet stream for outside network
87 :param out_if: Outside interface
88 :param dst_ip: Destination IP address (Default use global SNAT address)
91 dst_ip = self.snat_addr
94 p = (Ether(dst=out_if.local_mac, src=out_if.remote_mac) /
95 IP(src=out_if.remote_ip4, dst=dst_ip) /
96 TCP(dport=self.tcp_port_out))
100 p = (Ether(dst=out_if.local_mac, src=out_if.remote_mac) /
101 IP(src=out_if.remote_ip4, dst=dst_ip) /
102 UDP(dport=self.udp_port_out))
106 p = (Ether(dst=out_if.local_mac, src=out_if.remote_mac) /
107 IP(src=out_if.remote_ip4, dst=dst_ip) /
108 ICMP(id=self.icmp_id_out, type='echo-reply'))
113 def verify_capture_out(self, capture, nat_ip=None, same_port=False,
116 Verify captured packets on outside network
118 :param capture: Captured packets
119 :param nat_ip: Translated IP address (Default use global SNAT address)
120 :param same_port: Sorce port number is not translated (Default False)
121 :param packet_num: Expected number of packets (Default 3)
124 nat_ip = self.snat_addr
125 self.assertEqual(packet_num, len(capture))
126 for packet in capture:
128 self.assertEqual(packet[IP].src, nat_ip)
129 if packet.haslayer(TCP):
131 self.assertEqual(packet[TCP].sport, self.tcp_port_in)
134 packet[TCP].sport, self.tcp_port_in)
135 self.tcp_port_out = packet[TCP].sport
136 elif packet.haslayer(UDP):
138 self.assertEqual(packet[UDP].sport, self.udp_port_in)
141 packet[UDP].sport, self.udp_port_in)
142 self.udp_port_out = packet[UDP].sport
145 self.assertEqual(packet[ICMP].id, self.icmp_id_in)
147 self.assertNotEqual(packet[ICMP].id, self.icmp_id_in)
148 self.icmp_id_out = packet[ICMP].id
150 self.logger.error(ppp("Unexpected or invalid packet "
151 "(outside network):", packet))
154 def verify_capture_in(self, capture, in_if, packet_num=3):
156 Verify captured packets on inside network
158 :param capture: Captured packets
159 :param in_if: Inside interface
160 :param packet_num: Expected number of packets (Default 3)
162 self.assertEqual(packet_num, len(capture))
163 for packet in capture:
165 self.assertEqual(packet[IP].dst, in_if.remote_ip4)
166 if packet.haslayer(TCP):
167 self.assertEqual(packet[TCP].dport, self.tcp_port_in)
168 elif packet.haslayer(UDP):
169 self.assertEqual(packet[UDP].dport, self.udp_port_in)
171 self.assertEqual(packet[ICMP].id, self.icmp_id_in)
173 self.logger.error(ppp("Unexpected or invalid packet "
174 "(inside network):", packet))
177 def clear_snat(self):
179 Clear SNAT configuration.
181 interfaces = self.vapi.snat_interface_dump()
182 for intf in interfaces:
183 self.vapi.snat_interface_add_del_feature(intf.sw_if_index,
187 static_mappings = self.vapi.snat_static_mapping_dump()
188 for sm in static_mappings:
189 self.vapi.snat_add_static_mapping(sm.local_ip_address,
190 sm.external_ip_address,
191 local_port=sm.local_port,
192 external_port=sm.external_port,
193 addr_only=sm.addr_only,
197 adresses = self.vapi.snat_address_dump()
198 for addr in adresses:
199 self.vapi.snat_add_address_range(addr.ip_address,
203 def snat_add_static_mapping(self, local_ip, external_ip, local_port=0,
204 external_port=0, vrf_id=0, is_add=1):
206 Add/delete S-NAT static mapping
208 :param local_ip: Local IP address
209 :param external_ip: External IP address
210 :param local_port: Local port number (Optional)
211 :param external_port: External port number (Optional)
212 :param vrf_id: VRF ID (Default 0)
213 :param is_add: 1 if add, 0 if delete (Default add)
216 if local_port and external_port:
218 l_ip = socket.inet_pton(socket.AF_INET, local_ip)
219 e_ip = socket.inet_pton(socket.AF_INET, external_ip)
220 self.vapi.snat_add_static_mapping(
229 def snat_add_address(self, ip, is_add=1):
231 Add/delete S-NAT address
233 :param ip: IP address
234 :param is_add: 1 if add, 0 if delete (Default add)
236 snat_addr = socket.inet_pton(socket.AF_INET, ip)
237 self.vapi.snat_add_address_range(snat_addr, snat_addr, is_add)
239 def test_dynamic(self):
240 """ SNAT dynamic translation test """
242 self.snat_add_address(self.snat_addr)
243 self.vapi.snat_interface_add_del_feature(self.pg0.sw_if_index)
244 self.vapi.snat_interface_add_del_feature(self.pg1.sw_if_index,
248 pkts = self.create_stream_in(self.pg0, self.pg1)
249 self.pg0.add_stream(pkts)
250 self.pg_enable_capture(self.pg_interfaces)
252 capture = self.pg1.get_capture(len(pkts))
253 self.verify_capture_out(capture)
256 pkts = self.create_stream_out(self.pg1)
257 self.pg1.add_stream(pkts)
258 self.pg_enable_capture(self.pg_interfaces)
260 capture = self.pg0.get_capture(len(pkts))
261 self.verify_capture_in(capture, self.pg0)
263 def test_static_in(self):
264 """ SNAT 1:1 NAT initialized from inside network """
267 self.tcp_port_out = 6303
268 self.udp_port_out = 6304
269 self.icmp_id_out = 6305
271 self.snat_add_static_mapping(self.pg0.remote_ip4, nat_ip)
272 self.vapi.snat_interface_add_del_feature(self.pg0.sw_if_index)
273 self.vapi.snat_interface_add_del_feature(self.pg1.sw_if_index,
277 pkts = self.create_stream_in(self.pg0, self.pg1)
278 self.pg0.add_stream(pkts)
279 self.pg_enable_capture(self.pg_interfaces)
281 capture = self.pg1.get_capture(len(pkts))
282 self.verify_capture_out(capture, nat_ip, True)
285 pkts = self.create_stream_out(self.pg1, nat_ip)
286 self.pg1.add_stream(pkts)
287 self.pg_enable_capture(self.pg_interfaces)
289 capture = self.pg0.get_capture(len(pkts))
290 self.verify_capture_in(capture, self.pg0)
292 def test_static_out(self):
293 """ SNAT 1:1 NAT initialized from outside network """
296 self.tcp_port_out = 6303
297 self.udp_port_out = 6304
298 self.icmp_id_out = 6305
300 self.snat_add_static_mapping(self.pg0.remote_ip4, nat_ip)
301 self.vapi.snat_interface_add_del_feature(self.pg0.sw_if_index)
302 self.vapi.snat_interface_add_del_feature(self.pg1.sw_if_index,
306 pkts = self.create_stream_out(self.pg1, nat_ip)
307 self.pg1.add_stream(pkts)
308 self.pg_enable_capture(self.pg_interfaces)
310 capture = self.pg0.get_capture(len(pkts))
311 self.verify_capture_in(capture, self.pg0)
314 pkts = self.create_stream_in(self.pg0, self.pg1)
315 self.pg0.add_stream(pkts)
316 self.pg_enable_capture(self.pg_interfaces)
318 capture = self.pg1.get_capture(len(pkts))
319 self.verify_capture_out(capture, nat_ip, True)
321 def test_static_with_port_in(self):
322 """ SNAT 1:1 NAT with port initialized from inside network """
324 self.tcp_port_out = 3606
325 self.udp_port_out = 3607
326 self.icmp_id_out = 3608
328 self.snat_add_address(self.snat_addr)
329 self.snat_add_static_mapping(self.pg0.remote_ip4, self.snat_addr,
330 self.tcp_port_in, self.tcp_port_out)
331 self.snat_add_static_mapping(self.pg0.remote_ip4, self.snat_addr,
332 self.udp_port_in, self.udp_port_out)
333 self.snat_add_static_mapping(self.pg0.remote_ip4, self.snat_addr,
334 self.icmp_id_in, self.icmp_id_out)
335 self.vapi.snat_interface_add_del_feature(self.pg0.sw_if_index)
336 self.vapi.snat_interface_add_del_feature(self.pg1.sw_if_index,
340 pkts = self.create_stream_in(self.pg0, self.pg1)
341 self.pg0.add_stream(pkts)
342 self.pg_enable_capture(self.pg_interfaces)
344 capture = self.pg1.get_capture(len(pkts))
345 self.verify_capture_out(capture)
348 pkts = self.create_stream_out(self.pg1)
349 self.pg1.add_stream(pkts)
350 self.pg_enable_capture(self.pg_interfaces)
352 capture = self.pg0.get_capture(len(pkts))
353 self.verify_capture_in(capture, self.pg0)
355 def test_static_with_port_out(self):
356 """ SNAT 1:1 NAT with port initialized from outside network """
358 self.tcp_port_out = 30606
359 self.udp_port_out = 30607
360 self.icmp_id_out = 30608
362 self.snat_add_address(self.snat_addr)
363 self.snat_add_static_mapping(self.pg0.remote_ip4, self.snat_addr,
364 self.tcp_port_in, self.tcp_port_out)
365 self.snat_add_static_mapping(self.pg0.remote_ip4, self.snat_addr,
366 self.udp_port_in, self.udp_port_out)
367 self.snat_add_static_mapping(self.pg0.remote_ip4, self.snat_addr,
368 self.icmp_id_in, self.icmp_id_out)
369 self.vapi.snat_interface_add_del_feature(self.pg0.sw_if_index)
370 self.vapi.snat_interface_add_del_feature(self.pg1.sw_if_index,
374 pkts = self.create_stream_out(self.pg1)
375 self.pg1.add_stream(pkts)
376 self.pg_enable_capture(self.pg_interfaces)
378 capture = self.pg0.get_capture(len(pkts))
379 self.verify_capture_in(capture, self.pg0)
382 pkts = self.create_stream_in(self.pg0, self.pg1)
383 self.pg0.add_stream(pkts)
384 self.pg_enable_capture(self.pg_interfaces)
386 capture = self.pg1.get_capture(len(pkts))
387 self.verify_capture_out(capture)
389 def test_static_vrf_aware(self):
390 """ SNAT 1:1 NAT VRF awareness """
392 nat_ip1 = "10.0.0.30"
393 nat_ip2 = "10.0.0.40"
394 self.tcp_port_out = 6303
395 self.udp_port_out = 6304
396 self.icmp_id_out = 6305
398 self.snat_add_static_mapping(self.pg4.remote_ip4, nat_ip1,
399 vrf_id=self.pg4.sw_if_index)
400 self.snat_add_static_mapping(self.pg0.remote_ip4, nat_ip2,
401 vrf_id=self.pg4.sw_if_index)
402 self.vapi.snat_interface_add_del_feature(self.pg3.sw_if_index,
404 self.vapi.snat_interface_add_del_feature(self.pg0.sw_if_index)
405 self.vapi.snat_interface_add_del_feature(self.pg4.sw_if_index)
407 # inside interface VRF match SNAT static mapping VRF
408 pkts = self.create_stream_in(self.pg4, self.pg3)
409 self.pg4.add_stream(pkts)
410 self.pg_enable_capture(self.pg_interfaces)
412 capture = self.pg3.get_capture(len(pkts))
413 self.verify_capture_out(capture, nat_ip1, True)
415 # inside interface VRF don't match SNAT static mapping VRF (packets
417 pkts = self.create_stream_in(self.pg0, self.pg3)
418 self.pg0.add_stream(pkts)
419 self.pg_enable_capture(self.pg_interfaces)
421 self.pg3.assert_nothing_captured()
423 def test_multiple_inside_interfaces(self):
425 SNAT multiple inside interfaces with non-overlapping address space
428 self.snat_add_address(self.snat_addr)
429 self.vapi.snat_interface_add_del_feature(self.pg0.sw_if_index)
430 self.vapi.snat_interface_add_del_feature(self.pg1.sw_if_index)
431 self.vapi.snat_interface_add_del_feature(self.pg2.sw_if_index)
432 self.vapi.snat_interface_add_del_feature(self.pg3.sw_if_index,
435 # in2out 1st interface
436 pkts = self.create_stream_in(self.pg0, self.pg3)
437 self.pg0.add_stream(pkts)
438 self.pg_enable_capture(self.pg_interfaces)
440 capture = self.pg3.get_capture(len(pkts))
441 self.verify_capture_out(capture)
443 # out2in 1st interface
444 pkts = self.create_stream_out(self.pg3)
445 self.pg3.add_stream(pkts)
446 self.pg_enable_capture(self.pg_interfaces)
448 capture = self.pg0.get_capture(len(pkts))
449 self.verify_capture_in(capture, self.pg0)
451 # in2out 2nd interface
452 pkts = self.create_stream_in(self.pg1, self.pg3)
453 self.pg1.add_stream(pkts)
454 self.pg_enable_capture(self.pg_interfaces)
456 capture = self.pg3.get_capture(len(pkts))
457 self.verify_capture_out(capture)
459 # out2in 2nd interface
460 pkts = self.create_stream_out(self.pg3)
461 self.pg3.add_stream(pkts)
462 self.pg_enable_capture(self.pg_interfaces)
464 capture = self.pg1.get_capture(len(pkts))
465 self.verify_capture_in(capture, self.pg1)
467 # in2out 3rd interface
468 pkts = self.create_stream_in(self.pg2, self.pg3)
469 self.pg2.add_stream(pkts)
470 self.pg_enable_capture(self.pg_interfaces)
472 capture = self.pg3.get_capture(len(pkts))
473 self.verify_capture_out(capture)
475 # out2in 3rd interface
476 pkts = self.create_stream_out(self.pg3)
477 self.pg3.add_stream(pkts)
478 self.pg_enable_capture(self.pg_interfaces)
480 capture = self.pg2.get_capture(len(pkts))
481 self.verify_capture_in(capture, self.pg2)
483 def test_inside_overlapping_interfaces(self):
484 """ SNAT multiple inside interfaces with overlapping address space """
486 self.snat_add_address(self.snat_addr)
487 self.vapi.snat_interface_add_del_feature(self.pg3.sw_if_index,
489 self.vapi.snat_interface_add_del_feature(self.pg4.sw_if_index)
490 self.vapi.snat_interface_add_del_feature(self.pg5.sw_if_index)
491 self.vapi.snat_interface_add_del_feature(self.pg6.sw_if_index)
493 # in2out 1st interface
494 pkts = self.create_stream_in(self.pg4, self.pg3)
495 self.pg4.add_stream(pkts)
496 self.pg_enable_capture(self.pg_interfaces)
498 capture = self.pg3.get_capture(len(pkts))
499 self.verify_capture_out(capture)
501 # out2in 1st interface
502 pkts = self.create_stream_out(self.pg3)
503 self.pg3.add_stream(pkts)
504 self.pg_enable_capture(self.pg_interfaces)
506 capture = self.pg4.get_capture(len(pkts))
507 self.verify_capture_in(capture, self.pg4)
509 # in2out 2nd interface
510 pkts = self.create_stream_in(self.pg5, self.pg3)
511 self.pg5.add_stream(pkts)
512 self.pg_enable_capture(self.pg_interfaces)
514 capture = self.pg3.get_capture(len(pkts))
515 self.verify_capture_out(capture)
517 # out2in 2nd interface
518 pkts = self.create_stream_out(self.pg3)
519 self.pg3.add_stream(pkts)
520 self.pg_enable_capture(self.pg_interfaces)
522 capture = self.pg5.get_capture(len(pkts))
523 self.verify_capture_in(capture, self.pg5)
525 # in2out 3rd interface
526 pkts = self.create_stream_in(self.pg6, self.pg3)
527 self.pg6.add_stream(pkts)
528 self.pg_enable_capture(self.pg_interfaces)
530 capture = self.pg3.get_capture(len(pkts))
531 self.verify_capture_out(capture)
533 # out2in 3rd interface
534 pkts = self.create_stream_out(self.pg3)
535 self.pg3.add_stream(pkts)
536 self.pg_enable_capture(self.pg_interfaces)
538 capture = self.pg6.get_capture(len(pkts))
539 self.verify_capture_in(capture, self.pg6)
541 def test_hairpinning(self):
542 """ SNAT hairpinning """
544 host = self.pg0.remote_hosts[0]
545 server = self.pg0.remote_hosts[1]
548 server_in_port = 5678
549 server_out_port = 8765
551 self.snat_add_address(self.snat_addr)
552 self.vapi.snat_interface_add_del_feature(self.pg0.sw_if_index)
553 self.vapi.snat_interface_add_del_feature(self.pg1.sw_if_index,
555 # add static mapping for server
556 self.snat_add_static_mapping(server.ip4, self.snat_addr,
557 server_in_port, server_out_port)
559 # send packet from host to server
560 p = (Ether(src=host.mac, dst=self.pg0.local_mac) /
561 IP(src=host.ip4, dst=self.snat_addr) /
562 TCP(sport=host_in_port, dport=server_out_port))
563 self.pg0.add_stream(p)
564 self.pg_enable_capture(self.pg_interfaces)
566 capture = self.pg0.get_capture(1)
571 self.assertEqual(ip.src, self.snat_addr)
572 self.assertEqual(ip.dst, server.ip4)
573 self.assertNotEqual(tcp.sport, host_in_port)
574 self.assertEqual(tcp.dport, server_in_port)
575 host_out_port = tcp.sport
577 self.logger.error(ppp("Unexpected or invalid packet:", p))
580 # send reply from server to host
581 p = (Ether(src=server.mac, dst=self.pg0.local_mac) /
582 IP(src=server.ip4, dst=self.snat_addr) /
583 TCP(sport=server_in_port, dport=host_out_port))
584 self.pg0.add_stream(p)
585 self.pg_enable_capture(self.pg_interfaces)
587 capture = self.pg0.get_capture(1)
592 self.assertEqual(ip.src, self.snat_addr)
593 self.assertEqual(ip.dst, host.ip4)
594 self.assertEqual(tcp.sport, server_out_port)
595 self.assertEqual(tcp.dport, host_in_port)
597 self.logger.error(ppp("Unexpected or invalid packet:"), p)
600 def test_max_translations_per_user(self):
601 """ MAX translations per user - recycle the least recently used """
603 self.snat_add_address(self.snat_addr)
604 self.vapi.snat_interface_add_del_feature(self.pg0.sw_if_index)
605 self.vapi.snat_interface_add_del_feature(self.pg1.sw_if_index,
608 # get maximum number of translations per user
609 snat_config = self.vapi.snat_show_config()
611 # send more than maximum number of translations per user packets
612 pkts_num = snat_config.max_translations_per_user + 5
614 for port in range(0, pkts_num):
615 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
616 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
617 TCP(sport=1025 + port))
619 self.pg0.add_stream(pkts)
620 self.pg_enable_capture(self.pg_interfaces)
623 # verify number of translated packet
624 self.pg1.get_capture(pkts_num)
627 super(TestSNAT, self).tearDown()
628 if not self.vpp_dead:
629 self.logger.info(self.vapi.cli("show snat verbose"))
632 if __name__ == '__main__':
633 unittest.main(testRunner=VppTestRunner)
Code Review / vpp.git / blob