#include <vnet/flow/flow_report.h>
#include <vlibmemory/api.h>
-#include <nat/nat.h>
#include <nat/nat_ipfix_logging.h>
snat_ipfix_logging_main_t snat_ipfix_logging_main;
#define NAT44_SESSION_CREATE_LEN 26
#define NAT_ADDRESSES_EXHAUTED_LEN 13
-#define MAX_ENTRIES_PER_USER_LEN 17
+#define MAX_ENTRIES_PER_USER_LEN 21
+#define MAX_SESSIONS_LEN 17
+#define MAX_BIBS_LEN 17
+#define MAX_FRAGMENTS_IP4_LEN 21
+#define MAX_FRAGMENTS_IP6_LEN 33
+#define NAT64_BIB_LEN 38
+#define NAT64_SES_LEN 62
#define NAT44_SESSION_CREATE_FIELD_COUNT 8
#define NAT_ADDRESSES_EXHAUTED_FIELD_COUNT 3
-#define MAX_ENTRIES_PER_USER_FIELD_COUNT 4
+#define MAX_ENTRIES_PER_USER_FIELD_COUNT 5
+#define MAX_SESSIONS_FIELD_COUNT 4
+#define MAX_BIBS_FIELD_COUNT 4
+#define MAX_FRAGMENTS_FIELD_COUNT 5
+#define NAT64_BIB_FIELD_COUNT 8
+#define NAT64_SES_FIELD_COUNT 12
typedef struct
{
typedef struct
{
+ u32 limit;
u32 src_ip;
} snat_ipfix_logging_max_entries_per_user_args_t;
+typedef struct
+{
+ u32 limit;
+} nat_ipfix_logging_max_sessions_args_t;
+
+typedef struct
+{
+ u32 limit;
+} nat_ipfix_logging_max_bibs_args_t;
+
+typedef struct
+{
+ u32 limit;
+ u32 src;
+} nat_ipfix_logging_max_frags_ip4_args_t;
+
+typedef struct
+{
+ u32 limit;
+ u64 src[2];
+} nat_ipfix_logging_max_frags_ip6_args_t;
+
+typedef struct
+{
+ u8 nat_event;
+ u64 src_ip[2];
+ u32 nat_src_ip;
+ u8 proto;
+ u16 src_port;
+ u16 nat_src_port;
+ u64 dst_ip[2];
+ u32 nat_dst_ip;
+ u32 vrf_id;
+ u16 dst_port;
+ u16 nat_dst_port;
+} nat_ipfix_logging_nat64_ses_args_t;
+
+typedef struct
+{
+ u8 nat_event;
+ u64 src_ip[2];
+ u32 nat_src_ip;
+ u8 proto;
+ u16 src_port;
+ u16 nat_src_port;
+ u32 vrf_id;
+} nat_ipfix_logging_nat64_bib_args_t;
+
#define skip_if_disabled() \
do { \
snat_ipfix_logging_main_t *silm = &snat_ipfix_logging_main; \
field_count = NAT44_SESSION_CREATE_FIELD_COUNT;
silm->nat44_session_template_id = fr->template_id;
}
+ else if (event == NAT64_BIB_CREATE)
+ {
+ field_count = NAT64_BIB_FIELD_COUNT;
+ silm->nat64_bib_template_id = fr->template_id;
+ }
+ else if (event == NAT64_SESSION_CREATE)
+ {
+ field_count = NAT64_SES_FIELD_COUNT;
+ silm->nat64_ses_template_id = fr->template_id;
+ }
else if (event == QUOTA_EXCEEDED)
{
if (quota_event == MAX_ENTRIES_PER_USER)
field_count = MAX_ENTRIES_PER_USER_FIELD_COUNT;
silm->max_entries_per_user_template_id = fr->template_id;
}
+ else if (quota_event == MAX_SESSION_ENTRIES)
+ {
+ field_count = MAX_SESSIONS_FIELD_COUNT;
+ silm->max_sessions_template_id = fr->template_id;
+ }
+ else if (quota_event == MAX_BIB_ENTRIES)
+ {
+ field_count = MAX_BIBS_FIELD_COUNT;
+ silm->max_bibs_template_id = fr->template_id;
+ }
+ else if (quota_event == MAX_FRAGMENTS_PENDING_REASSEMBLY)
+ {
+ field_count = MAX_FRAGMENTS_FIELD_COUNT;
+ silm->max_frags_ip4_template_id = fr->template_id;
+ }
+ else if (quota_event == MAX_FRAGMENTS_PENDING_REASSEMBLY_IP6)
+ {
+ field_count = MAX_FRAGMENTS_FIELD_COUNT;
+ silm->max_frags_ip6_template_id = fr->template_id;
+ }
}
/* allocate rewrite space */
f->e_id_length = ipfix_e_id_length (0, ingressVRFID, 4);
f++;
}
+ else if (event == NAT64_BIB_CREATE)
+ {
+ f->e_id_length = ipfix_e_id_length (0, observationTimeMilliseconds, 8);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, natEvent, 1);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, sourceIPv6Address, 16);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, postNATSourceIPv4Address, 4);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, protocolIdentifier, 1);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, sourceTransportPort, 2);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, postNAPTSourceTransportPort, 2);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, ingressVRFID, 4);
+ f++;
+ }
+ else if (event == NAT64_SESSION_CREATE)
+ {
+ f->e_id_length = ipfix_e_id_length (0, observationTimeMilliseconds, 8);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, natEvent, 1);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, sourceIPv6Address, 16);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, postNATSourceIPv4Address, 4);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, protocolIdentifier, 1);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, sourceTransportPort, 2);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, postNAPTSourceTransportPort, 2);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, destinationIPv6Address, 16);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, postNATDestinationIPv4Address, 4);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, destinationTransportPort, 2);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, postNAPTDestinationTransportPort,
+ 2);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, ingressVRFID, 4);
+ f++;
+ }
else if (event == QUOTA_EXCEEDED)
{
if (quota_event == MAX_ENTRIES_PER_USER)
f++;
f->e_id_length = ipfix_e_id_length (0, natQuotaExceededEvent, 4);
f++;
+ f->e_id_length = ipfix_e_id_length (0, maxEntriesPerUser, 4);
+ f++;
f->e_id_length = ipfix_e_id_length (0, sourceIPv4Address, 4);
f++;
}
+ else if (quota_event == MAX_SESSION_ENTRIES)
+ {
+ f->e_id_length = ipfix_e_id_length (0, observationTimeMilliseconds,
+ 8);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, natEvent, 1);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, natQuotaExceededEvent, 4);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, maxSessionEntries, 4);
+ f++;
+ }
+ else if (quota_event == MAX_BIB_ENTRIES)
+ {
+ f->e_id_length = ipfix_e_id_length (0, observationTimeMilliseconds,
+ 8);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, natEvent, 1);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, natQuotaExceededEvent, 4);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, maxBIBEntries, 4);
+ f++;
+ }
+ else if (quota_event == MAX_FRAGMENTS_PENDING_REASSEMBLY)
+ {
+ f->e_id_length = ipfix_e_id_length (0, observationTimeMilliseconds,
+ 8);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, natEvent, 1);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, natQuotaExceededEvent, 4);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, maxFragmentsPendingReassembly,
+ 4);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, sourceIPv4Address, 4);
+ f++;
+ }
+ else if (quota_event == MAX_FRAGMENTS_PENDING_REASSEMBLY_IP6)
+ {
+ f->e_id_length = ipfix_e_id_length (0, observationTimeMilliseconds,
+ 8);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, natEvent, 1);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, natQuotaExceededEvent, 4);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, maxFragmentsPendingReassembly,
+ 4);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, sourceIPv6Address, 16);
+ f++;
+ }
}
/* Back to the template packet... */
MAX_ENTRIES_PER_USER);
}
+u8 *
+nat_template_rewrite_max_sessions (flow_report_main_t * frm,
+ flow_report_t * fr,
+ ip4_address_t * collector_address,
+ ip4_address_t * src_address,
+ u16 collector_port)
+{
+ return snat_template_rewrite (frm, fr, collector_address, src_address,
+ collector_port, QUOTA_EXCEEDED,
+ MAX_SESSION_ENTRIES);
+}
+
+u8 *
+nat_template_rewrite_max_bibs (flow_report_main_t * frm,
+ flow_report_t * fr,
+ ip4_address_t * collector_address,
+ ip4_address_t * src_address,
+ u16 collector_port)
+{
+ return snat_template_rewrite (frm, fr, collector_address, src_address,
+ collector_port, QUOTA_EXCEEDED,
+ MAX_BIB_ENTRIES);
+}
+
+u8 *
+nat_template_rewrite_max_frags_ip4 (flow_report_main_t * frm,
+ flow_report_t * fr,
+ ip4_address_t * collector_address,
+ ip4_address_t * src_address,
+ u16 collector_port)
+{
+ return snat_template_rewrite (frm, fr, collector_address, src_address,
+ collector_port, QUOTA_EXCEEDED,
+ MAX_FRAGMENTS_PENDING_REASSEMBLY);
+}
+
+u8 *
+nat_template_rewrite_max_frags_ip6 (flow_report_main_t * frm,
+ flow_report_t * fr,
+ ip4_address_t * collector_address,
+ ip4_address_t * src_address,
+ u16 collector_port)
+{
+ return snat_template_rewrite (frm, fr, collector_address, src_address,
+ collector_port, QUOTA_EXCEEDED,
+ MAX_FRAGMENTS_PENDING_REASSEMBLY_IP6);
+}
+
+u8 *
+nat_template_rewrite_nat64_bib (flow_report_main_t * frm,
+ flow_report_t * fr,
+ ip4_address_t * collector_address,
+ ip4_address_t * src_address,
+ u16 collector_port)
+{
+ return snat_template_rewrite (frm, fr, collector_address, src_address,
+ collector_port, NAT64_BIB_CREATE, 0);
+}
+
+u8 *
+nat_template_rewrite_nat64_session (flow_report_main_t * frm,
+ flow_report_t * fr,
+ ip4_address_t * collector_address,
+ ip4_address_t * src_address,
+ u16 collector_port)
+{
+ return snat_template_rewrite (frm, fr, collector_address, src_address,
+ collector_port, NAT64_SESSION_CREATE, 0);
+}
+
static inline void
snat_ipfix_header_create (flow_report_main_t * frm,
vlib_buffer_t * b0, u32 * offset)
}
static void
-snat_ipfix_logging_max_entries_per_usr (u32 src_ip, int do_flush)
+snat_ipfix_logging_max_entries_per_usr (u32 limit, u32 src_ip, int do_flush)
{
snat_ipfix_logging_main_t *silm = &snat_ipfix_logging_main;
flow_report_main_t *frm = &flow_report_main;
clib_memcpy (b0->data + offset, "a_event, sizeof (quota_event));
offset += sizeof (quota_event);
+ clib_memcpy (b0->data + offset, &limit, sizeof (limit));
+ offset += sizeof (limit);
+
clib_memcpy (b0->data + offset, &src_ip, sizeof (src_ip));
offset += sizeof (src_ip);
}
static void
-snat_ipfix_logging_nat44_ses_rpc_cb (snat_ipfix_logging_nat44_ses_args_t * a)
+nat_ipfix_logging_max_ses (u32 limit, int do_flush)
{
- snat_ipfix_logging_nat44_ses (a->nat_event, a->src_ip, a->nat_src_ip,
- a->snat_proto, a->src_port, a->nat_src_port,
- a->vrf_id, 0);
-}
+ snat_ipfix_logging_main_t *silm = &snat_ipfix_logging_main;
+ flow_report_main_t *frm = &flow_report_main;
+ vlib_frame_t *f;
+ vlib_buffer_t *b0 = 0;
+ u32 bi0 = ~0;
+ u32 offset;
+ vlib_main_t *vm = frm->vlib_main;
+ u64 now;
+ vlib_buffer_free_list_t *fl;
+ u8 nat_event = QUOTA_EXCEEDED;
+ u32 quota_event = MAX_SESSION_ENTRIES;
-/**
- * @brief Generate NAT44 session create event
- *
- * @param src_ip source IPv4 address
- * @param nat_src_ip transaltes source IPv4 address
- * @param snat_proto NAT transport protocol
- * @param src_port source port
- * @param nat_src_port translated source port
- * @param vrf_id VRF ID
- */
-void
-snat_ipfix_logging_nat44_ses_create (u32 src_ip,
- u32 nat_src_ip,
- snat_protocol_t snat_proto,
- u16 src_port,
- u16 nat_src_port, u32 vrf_id)
-{
- snat_ipfix_logging_nat44_ses_args_t a;
+ if (!silm->enabled)
+ return;
- skip_if_disabled ();
+ now = (u64) ((vlib_time_now (vm) - silm->vlib_time_0) * 1e3);
+ now += silm->milisecond_time_0;
- a.nat_event = NAT44_SESSION_CREATE;
- a.src_ip = src_ip;
- a.nat_src_ip = nat_src_ip;
- a.snat_proto = snat_proto;
- a.src_port = src_port;
- a.nat_src_port = nat_src_port;
- a.vrf_id = vrf_id;
+ b0 = silm->max_sessions_buffer;
- vl_api_rpc_call_main_thread (snat_ipfix_logging_nat44_ses_rpc_cb,
- (u8 *) & a, sizeof (a));
-}
+ if (PREDICT_FALSE (b0 == 0))
+ {
+ if (do_flush)
+ return;
-/**
- * @brief Generate NAT44 session delete event
- *
- * @param src_ip source IPv4 address
- * @param nat_src_ip transaltes source IPv4 address
- * @param snat_proto NAT transport protocol
- * @param src_port source port
- * @param nat_src_port translated source port
- * @param vrf_id VRF ID
- */
-void
-snat_ipfix_logging_nat44_ses_delete (u32 src_ip,
- u32 nat_src_ip,
- snat_protocol_t snat_proto,
- u16 src_port,
- u16 nat_src_port, u32 vrf_id)
-{
- snat_ipfix_logging_nat44_ses_args_t a;
+ if (vlib_buffer_alloc (vm, &bi0, 1) != 1)
+ {
+ clib_warning ("can't allocate buffer for NAT IPFIX event");
+ return;
+ }
- skip_if_disabled ();
+ b0 = silm->max_sessions_buffer = vlib_get_buffer (vm, bi0);
+ fl =
+ vlib_buffer_get_free_list (vm, VLIB_BUFFER_DEFAULT_FREE_LIST_INDEX);
+ vlib_buffer_init_for_free_list (b0, fl);
+ VLIB_BUFFER_TRACE_TRAJECTORY_INIT (b0);
+ offset = 0;
+ }
+ else
+ {
+ bi0 = vlib_get_buffer_index (vm, b0);
+ offset = silm->max_sessions_next_record_offset;
+ }
- a.nat_event = NAT44_SESSION_DELETE;
- a.src_ip = src_ip;
- a.nat_src_ip = nat_src_ip;
- a.snat_proto = snat_proto;
- a.src_port = src_port;
- a.nat_src_port = nat_src_port;
- a.vrf_id = vrf_id;
+ f = silm->max_sessions_frame;
+ if (PREDICT_FALSE (f == 0))
+ {
+ u32 *to_next;
+ f = vlib_get_frame_to_node (vm, ip4_lookup_node.index);
+ silm->max_sessions_frame = f;
+ to_next = vlib_frame_vector_args (f);
+ to_next[0] = bi0;
+ f->n_vectors = 1;
+ }
- vl_api_rpc_call_main_thread (snat_ipfix_logging_nat44_ses_rpc_cb,
- (u8 *) & a, sizeof (a));
-}
+ if (PREDICT_FALSE (offset == 0))
+ snat_ipfix_header_create (frm, b0, &offset);
-vlib_frame_t *
-snat_data_callback_nat44_session (flow_report_main_t * frm,
+ if (PREDICT_TRUE (do_flush == 0))
+ {
+ u64 time_stamp = clib_host_to_net_u64 (now);
+ clib_memcpy (b0->data + offset, &time_stamp, sizeof (time_stamp));
+ offset += sizeof (time_stamp);
+
+ clib_memcpy (b0->data + offset, &nat_event, sizeof (nat_event));
+ offset += sizeof (nat_event);
+
+ clib_memcpy (b0->data + offset, "a_event, sizeof (quota_event));
+ offset += sizeof (quota_event);
+
+ clib_memcpy (b0->data + offset, &limit, sizeof (limit));
+ offset += sizeof (limit);
+
+ b0->current_length += MAX_SESSIONS_LEN;
+ }
+
+ if (PREDICT_FALSE
+ (do_flush || (offset + MAX_SESSIONS_LEN) > frm->path_mtu))
+ {
+ snat_ipfix_send (frm, f, b0, silm->max_sessions_template_id);
+ silm->max_sessions_frame = 0;
+ silm->max_sessions_buffer = 0;
+ offset = 0;
+ }
+ silm->max_sessions_next_record_offset = offset;
+}
+
+static void
+nat_ipfix_logging_max_bib (u32 limit, int do_flush)
+{
+ snat_ipfix_logging_main_t *silm = &snat_ipfix_logging_main;
+ flow_report_main_t *frm = &flow_report_main;
+ vlib_frame_t *f;
+ vlib_buffer_t *b0 = 0;
+ u32 bi0 = ~0;
+ u32 offset;
+ vlib_main_t *vm = frm->vlib_main;
+ u64 now;
+ vlib_buffer_free_list_t *fl;
+ u8 nat_event = QUOTA_EXCEEDED;
+ u32 quota_event = MAX_BIB_ENTRIES;
+
+ if (!silm->enabled)
+ return;
+
+ now = (u64) ((vlib_time_now (vm) - silm->vlib_time_0) * 1e3);
+ now += silm->milisecond_time_0;
+
+ b0 = silm->max_bibs_buffer;
+
+ if (PREDICT_FALSE (b0 == 0))
+ {
+ if (do_flush)
+ return;
+
+ if (vlib_buffer_alloc (vm, &bi0, 1) != 1)
+ {
+ clib_warning ("can't allocate buffer for NAT IPFIX event");
+ return;
+ }
+
+ b0 = silm->max_bibs_buffer = vlib_get_buffer (vm, bi0);
+ fl =
+ vlib_buffer_get_free_list (vm, VLIB_BUFFER_DEFAULT_FREE_LIST_INDEX);
+ vlib_buffer_init_for_free_list (b0, fl);
+ VLIB_BUFFER_TRACE_TRAJECTORY_INIT (b0);
+ offset = 0;
+ }
+ else
+ {
+ bi0 = vlib_get_buffer_index (vm, b0);
+ offset = silm->max_bibs_next_record_offset;
+ }
+
+ f = silm->max_bibs_frame;
+ if (PREDICT_FALSE (f == 0))
+ {
+ u32 *to_next;
+ f = vlib_get_frame_to_node (vm, ip4_lookup_node.index);
+ silm->max_bibs_frame = f;
+ to_next = vlib_frame_vector_args (f);
+ to_next[0] = bi0;
+ f->n_vectors = 1;
+ }
+
+ if (PREDICT_FALSE (offset == 0))
+ snat_ipfix_header_create (frm, b0, &offset);
+
+ if (PREDICT_TRUE (do_flush == 0))
+ {
+ u64 time_stamp = clib_host_to_net_u64 (now);
+ clib_memcpy (b0->data + offset, &time_stamp, sizeof (time_stamp));
+ offset += sizeof (time_stamp);
+
+ clib_memcpy (b0->data + offset, &nat_event, sizeof (nat_event));
+ offset += sizeof (nat_event);
+
+ clib_memcpy (b0->data + offset, "a_event, sizeof (quota_event));
+ offset += sizeof (quota_event);
+
+ clib_memcpy (b0->data + offset, &limit, sizeof (limit));
+ offset += sizeof (limit);
+
+ b0->current_length += MAX_BIBS_LEN;
+ }
+
+ if (PREDICT_FALSE
+ (do_flush || (offset + MAX_BIBS_LEN) > frm->path_mtu))
+ {
+ snat_ipfix_send (frm, f, b0, silm->max_bibs_template_id);
+ silm->max_bibs_frame = 0;
+ silm->max_bibs_buffer = 0;
+ offset = 0;
+ }
+ silm->max_bibs_next_record_offset = offset;
+}
+
+static void
+nat_ipfix_logging_max_frag_ip4 (u32 limit, u32 src, int do_flush)
+{
+ snat_ipfix_logging_main_t *silm = &snat_ipfix_logging_main;
+ flow_report_main_t *frm = &flow_report_main;
+ vlib_frame_t *f;
+ vlib_buffer_t *b0 = 0;
+ u32 bi0 = ~0;
+ u32 offset;
+ vlib_main_t *vm = frm->vlib_main;
+ u64 now;
+ vlib_buffer_free_list_t *fl;
+ u8 nat_event = QUOTA_EXCEEDED;
+ u32 quota_event = MAX_FRAGMENTS_PENDING_REASSEMBLY;
+
+ if (!silm->enabled)
+ return;
+
+ now = (u64) ((vlib_time_now (vm) - silm->vlib_time_0) * 1e3);
+ now += silm->milisecond_time_0;
+
+ b0 = silm->max_frags_ip4_buffer;
+
+ if (PREDICT_FALSE (b0 == 0))
+ {
+ if (do_flush)
+ return;
+
+ if (vlib_buffer_alloc (vm, &bi0, 1) != 1)
+ {
+ clib_warning ("can't allocate buffer for NAT IPFIX event");
+ return;
+ }
+
+ b0 = silm->max_frags_ip4_buffer = vlib_get_buffer (vm, bi0);
+ fl =
+ vlib_buffer_get_free_list (vm, VLIB_BUFFER_DEFAULT_FREE_LIST_INDEX);
+ vlib_buffer_init_for_free_list (b0, fl);
+ VLIB_BUFFER_TRACE_TRAJECTORY_INIT (b0);
+ offset = 0;
+ }
+ else
+ {
+ bi0 = vlib_get_buffer_index (vm, b0);
+ offset = silm->max_frags_ip4_next_record_offset;
+ }
+
+ f = silm->max_frags_ip4_frame;
+ if (PREDICT_FALSE (f == 0))
+ {
+ u32 *to_next;
+ f = vlib_get_frame_to_node (vm, ip4_lookup_node.index);
+ silm->max_frags_ip4_frame = f;
+ to_next = vlib_frame_vector_args (f);
+ to_next[0] = bi0;
+ f->n_vectors = 1;
+ }
+
+ if (PREDICT_FALSE (offset == 0))
+ snat_ipfix_header_create (frm, b0, &offset);
+
+ if (PREDICT_TRUE (do_flush == 0))
+ {
+ u64 time_stamp = clib_host_to_net_u64 (now);
+ clib_memcpy (b0->data + offset, &time_stamp, sizeof (time_stamp));
+ offset += sizeof (time_stamp);
+
+ clib_memcpy (b0->data + offset, &nat_event, sizeof (nat_event));
+ offset += sizeof (nat_event);
+
+ clib_memcpy (b0->data + offset, "a_event, sizeof (quota_event));
+ offset += sizeof (quota_event);
+
+ clib_memcpy (b0->data + offset, &limit, sizeof (limit));
+ offset += sizeof (limit);
+
+ clib_memcpy (b0->data + offset, &src, sizeof (src));
+ offset += sizeof (src);
+
+ b0->current_length += MAX_FRAGMENTS_IP4_LEN;
+ }
+
+ if (PREDICT_FALSE
+ (do_flush || (offset + MAX_BIBS_LEN) > frm->path_mtu))
+ {
+ snat_ipfix_send (frm, f, b0, silm->max_frags_ip4_template_id);
+ silm->max_frags_ip4_frame = 0;
+ silm->max_frags_ip4_buffer = 0;
+ offset = 0;
+ }
+ silm->max_frags_ip4_next_record_offset = offset;
+}
+
+static void
+nat_ipfix_logging_max_frag_ip6 (u32 limit, ip6_address_t * src, int do_flush)
+{
+ snat_ipfix_logging_main_t *silm = &snat_ipfix_logging_main;
+ flow_report_main_t *frm = &flow_report_main;
+ vlib_frame_t *f;
+ vlib_buffer_t *b0 = 0;
+ u32 bi0 = ~0;
+ u32 offset;
+ vlib_main_t *vm = frm->vlib_main;
+ u64 now;
+ vlib_buffer_free_list_t *fl;
+ u8 nat_event = QUOTA_EXCEEDED;
+ u32 quota_event = MAX_FRAGMENTS_PENDING_REASSEMBLY;
+
+ if (!silm->enabled)
+ return;
+
+ now = (u64) ((vlib_time_now (vm) - silm->vlib_time_0) * 1e3);
+ now += silm->milisecond_time_0;
+
+ b0 = silm->max_frags_ip6_buffer;
+
+ if (PREDICT_FALSE (b0 == 0))
+ {
+ if (do_flush)
+ return;
+
+ if (vlib_buffer_alloc (vm, &bi0, 1) != 1)
+ {
+ clib_warning ("can't allocate buffer for NAT IPFIX event");
+ return;
+ }
+
+ b0 = silm->max_frags_ip6_buffer = vlib_get_buffer (vm, bi0);
+ fl =
+ vlib_buffer_get_free_list (vm, VLIB_BUFFER_DEFAULT_FREE_LIST_INDEX);
+ vlib_buffer_init_for_free_list (b0, fl);
+ VLIB_BUFFER_TRACE_TRAJECTORY_INIT (b0);
+ offset = 0;
+ }
+ else
+ {
+ bi0 = vlib_get_buffer_index (vm, b0);
+ offset = silm->max_frags_ip6_next_record_offset;
+ }
+
+ f = silm->max_frags_ip6_frame;
+ if (PREDICT_FALSE (f == 0))
+ {
+ u32 *to_next;
+ f = vlib_get_frame_to_node (vm, ip4_lookup_node.index);
+ silm->max_frags_ip6_frame = f;
+ to_next = vlib_frame_vector_args (f);
+ to_next[0] = bi0;
+ f->n_vectors = 1;
+ }
+
+ if (PREDICT_FALSE (offset == 0))
+ snat_ipfix_header_create (frm, b0, &offset);
+
+ if (PREDICT_TRUE (do_flush == 0))
+ {
+ u64 time_stamp = clib_host_to_net_u64 (now);
+ clib_memcpy (b0->data + offset, &time_stamp, sizeof (time_stamp));
+ offset += sizeof (time_stamp);
+
+ clib_memcpy (b0->data + offset, &nat_event, sizeof (nat_event));
+ offset += sizeof (nat_event);
+
+ clib_memcpy (b0->data + offset, "a_event, sizeof (quota_event));
+ offset += sizeof (quota_event);
+
+ clib_memcpy (b0->data + offset, &limit, sizeof (limit));
+ offset += sizeof (limit);
+
+ clib_memcpy (b0->data + offset, src, sizeof (ip6_address_t));
+ offset += sizeof (ip6_address_t);
+
+ b0->current_length += MAX_FRAGMENTS_IP6_LEN;
+ }
+
+ if (PREDICT_FALSE
+ (do_flush || (offset + MAX_BIBS_LEN) > frm->path_mtu))
+ {
+ snat_ipfix_send (frm, f, b0, silm->max_frags_ip6_template_id);
+ silm->max_frags_ip6_frame = 0;
+ silm->max_frags_ip6_buffer = 0;
+ offset = 0;
+ }
+ silm->max_frags_ip6_next_record_offset = offset;
+}
+
+static void
+nat_ipfix_logging_nat64_bibe (u8 nat_event, ip6_address_t * src_ip,
+ u32 nat_src_ip, u8 proto, u16 src_port,
+ u16 nat_src_port, u32 vrf_id, int do_flush)
+{
+ snat_ipfix_logging_main_t *silm = &snat_ipfix_logging_main;
+ flow_report_main_t *frm = &flow_report_main;
+ vlib_frame_t *f;
+ vlib_buffer_t *b0 = 0;
+ u32 bi0 = ~0;
+ u32 offset;
+ vlib_main_t *vm = frm->vlib_main;
+ u64 now;
+ vlib_buffer_free_list_t *fl;
+
+ if (!silm->enabled)
+ return;
+
+ now = (u64) ((vlib_time_now (vm) - silm->vlib_time_0) * 1e3);
+ now += silm->milisecond_time_0;
+
+ b0 = silm->nat64_bib_buffer;
+
+ if (PREDICT_FALSE (b0 == 0))
+ {
+ if (do_flush)
+ return;
+
+ if (vlib_buffer_alloc (vm, &bi0, 1) != 1)
+ {
+ clib_warning ("can't allocate buffer for NAT IPFIX event");
+ return;
+ }
+
+ b0 = silm->nat64_bib_buffer = vlib_get_buffer (vm, bi0);
+ fl =
+ vlib_buffer_get_free_list (vm, VLIB_BUFFER_DEFAULT_FREE_LIST_INDEX);
+ vlib_buffer_init_for_free_list (b0, fl);
+ VLIB_BUFFER_TRACE_TRAJECTORY_INIT (b0);
+ offset = 0;
+ }
+ else
+ {
+ bi0 = vlib_get_buffer_index (vm, b0);
+ offset = silm->nat64_bib_next_record_offset;
+ }
+
+ f = silm->nat64_bib_frame;
+ if (PREDICT_FALSE (f == 0))
+ {
+ u32 *to_next;
+ f = vlib_get_frame_to_node (vm, ip4_lookup_node.index);
+ silm->nat64_bib_frame = f;
+ to_next = vlib_frame_vector_args (f);
+ to_next[0] = bi0;
+ f->n_vectors = 1;
+ }
+
+ if (PREDICT_FALSE (offset == 0))
+ snat_ipfix_header_create (frm, b0, &offset);
+
+ if (PREDICT_TRUE (do_flush == 0))
+ {
+ u64 time_stamp = clib_host_to_net_u64 (now);
+ clib_memcpy (b0->data + offset, &time_stamp, sizeof (time_stamp));
+ offset += sizeof (time_stamp);
+
+ clib_memcpy (b0->data + offset, &nat_event, sizeof (nat_event));
+ offset += sizeof (nat_event);
+
+ clib_memcpy (b0->data + offset, src_ip, sizeof (ip6_address_t));
+ offset += sizeof (ip6_address_t);
+
+ clib_memcpy (b0->data + offset, &nat_src_ip, sizeof (nat_src_ip));
+ offset += sizeof (nat_src_ip);
+
+ clib_memcpy (b0->data + offset, &proto, sizeof (proto));
+ offset += sizeof (proto);
+
+ clib_memcpy (b0->data + offset, &src_port, sizeof (src_port));
+ offset += sizeof (src_port);
+
+ clib_memcpy (b0->data + offset, &nat_src_port, sizeof (nat_src_port));
+ offset += sizeof (nat_src_port);
+
+ clib_memcpy (b0->data + offset, &vrf_id, sizeof (vrf_id));
+ offset += sizeof (vrf_id);
+
+ b0->current_length += NAT64_BIB_LEN;
+ }
+
+ if (PREDICT_FALSE
+ (do_flush || (offset + NAT64_BIB_LEN) > frm->path_mtu))
+ {
+ snat_ipfix_send (frm, f, b0, silm->nat64_bib_template_id);
+ silm->nat64_bib_frame = 0;
+ silm->nat64_bib_buffer = 0;
+ offset = 0;
+ }
+ silm->nat64_bib_next_record_offset = offset;
+}
+
+static void
+nat_ipfix_logging_nat64_ses (u8 nat_event, ip6_address_t * src_ip,
+ u32 nat_src_ip, u8 proto, u16 src_port,
+ u16 nat_src_port, ip6_address_t * dst_ip,
+ u32 nat_dst_ip, u16 dst_port, u16 nat_dst_port,
+ u32 vrf_id, int do_flush)
+{
+ snat_ipfix_logging_main_t *silm = &snat_ipfix_logging_main;
+ flow_report_main_t *frm = &flow_report_main;
+ vlib_frame_t *f;
+ vlib_buffer_t *b0 = 0;
+ u32 bi0 = ~0;
+ u32 offset;
+ vlib_main_t *vm = frm->vlib_main;
+ u64 now;
+ vlib_buffer_free_list_t *fl;
+
+ if (!silm->enabled)
+ return;
+
+ now = (u64) ((vlib_time_now (vm) - silm->vlib_time_0) * 1e3);
+ now += silm->milisecond_time_0;
+
+ b0 = silm->nat64_ses_buffer;
+
+ if (PREDICT_FALSE (b0 == 0))
+ {
+ if (do_flush)
+ return;
+
+ if (vlib_buffer_alloc (vm, &bi0, 1) != 1)
+ {
+ clib_warning ("can't allocate buffer for NAT IPFIX event");
+ return;
+ }
+
+ b0 = silm->nat64_ses_buffer = vlib_get_buffer (vm, bi0);
+ fl =
+ vlib_buffer_get_free_list (vm, VLIB_BUFFER_DEFAULT_FREE_LIST_INDEX);
+ vlib_buffer_init_for_free_list (b0, fl);
+ VLIB_BUFFER_TRACE_TRAJECTORY_INIT (b0);
+ offset = 0;
+ }
+ else
+ {
+ bi0 = vlib_get_buffer_index (vm, b0);
+ offset = silm->nat64_ses_next_record_offset;
+ }
+
+ f = silm->nat64_ses_frame;
+ if (PREDICT_FALSE (f == 0))
+ {
+ u32 *to_next;
+ f = vlib_get_frame_to_node (vm, ip4_lookup_node.index);
+ silm->nat64_ses_frame = f;
+ to_next = vlib_frame_vector_args (f);
+ to_next[0] = bi0;
+ f->n_vectors = 1;
+ }
+
+ if (PREDICT_FALSE (offset == 0))
+ snat_ipfix_header_create (frm, b0, &offset);
+
+ if (PREDICT_TRUE (do_flush == 0))
+ {
+ u64 time_stamp = clib_host_to_net_u64 (now);
+ clib_memcpy (b0->data + offset, &time_stamp, sizeof (time_stamp));
+ offset += sizeof (time_stamp);
+
+ clib_memcpy (b0->data + offset, &nat_event, sizeof (nat_event));
+ offset += sizeof (nat_event);
+
+ clib_memcpy (b0->data + offset, src_ip, sizeof (ip6_address_t));
+ offset += sizeof (ip6_address_t);
+
+ clib_memcpy (b0->data + offset, &nat_src_ip, sizeof (nat_src_ip));
+ offset += sizeof (nat_src_ip);
+
+ clib_memcpy (b0->data + offset, &proto, sizeof (proto));
+ offset += sizeof (proto);
+
+ clib_memcpy (b0->data + offset, &src_port, sizeof (src_port));
+ offset += sizeof (src_port);
+
+ clib_memcpy (b0->data + offset, &nat_src_port, sizeof (nat_src_port));
+ offset += sizeof (nat_src_port);
+
+ clib_memcpy (b0->data + offset, dst_ip, sizeof (ip6_address_t));
+ offset += sizeof (ip6_address_t);
+
+ clib_memcpy (b0->data + offset, &nat_dst_ip, sizeof (nat_dst_ip));
+ offset += sizeof (nat_dst_ip);
+
+ clib_memcpy (b0->data + offset, &dst_port, sizeof (dst_port));
+ offset += sizeof (dst_port);
+
+ clib_memcpy (b0->data + offset, &nat_dst_port, sizeof (nat_dst_port));
+ offset += sizeof (nat_dst_port);
+
+ clib_memcpy (b0->data + offset, &vrf_id, sizeof (vrf_id));
+ offset += sizeof (vrf_id);
+
+ b0->current_length += NAT64_SES_LEN;
+ }
+
+ if (PREDICT_FALSE
+ (do_flush || (offset + NAT64_SES_LEN) > frm->path_mtu))
+ {
+ snat_ipfix_send (frm, f, b0, silm->nat64_ses_template_id);
+ silm->nat64_ses_frame = 0;
+ silm->nat64_ses_buffer = 0;
+ offset = 0;
+ }
+ silm->nat64_ses_next_record_offset = offset;
+}
+
+static void
+snat_ipfix_logging_nat44_ses_rpc_cb (snat_ipfix_logging_nat44_ses_args_t * a)
+{
+ snat_ipfix_logging_nat44_ses (a->nat_event, a->src_ip, a->nat_src_ip,
+ a->snat_proto, a->src_port, a->nat_src_port,
+ a->vrf_id, 0);
+}
+
+/**
+ * @brief Generate NAT44 session create event
+ *
+ * @param src_ip source IPv4 address
+ * @param nat_src_ip transaltes source IPv4 address
+ * @param snat_proto NAT transport protocol
+ * @param src_port source port
+ * @param nat_src_port translated source port
+ * @param vrf_id VRF ID
+ */
+void
+snat_ipfix_logging_nat44_ses_create (u32 src_ip,
+ u32 nat_src_ip,
+ snat_protocol_t snat_proto,
+ u16 src_port,
+ u16 nat_src_port, u32 vrf_id)
+{
+ snat_ipfix_logging_nat44_ses_args_t a;
+
+ skip_if_disabled ();
+
+ a.nat_event = NAT44_SESSION_CREATE;
+ a.src_ip = src_ip;
+ a.nat_src_ip = nat_src_ip;
+ a.snat_proto = snat_proto;
+ a.src_port = src_port;
+ a.nat_src_port = nat_src_port;
+ a.vrf_id = vrf_id;
+
+ vl_api_rpc_call_main_thread (snat_ipfix_logging_nat44_ses_rpc_cb,
+ (u8 *) & a, sizeof (a));
+}
+
+/**
+ * @brief Generate NAT44 session delete event
+ *
+ * @param src_ip source IPv4 address
+ * @param nat_src_ip transaltes source IPv4 address
+ * @param snat_proto NAT transport protocol
+ * @param src_port source port
+ * @param nat_src_port translated source port
+ * @param vrf_id VRF ID
+ */
+void
+snat_ipfix_logging_nat44_ses_delete (u32 src_ip,
+ u32 nat_src_ip,
+ snat_protocol_t snat_proto,
+ u16 src_port,
+ u16 nat_src_port, u32 vrf_id)
+{
+ snat_ipfix_logging_nat44_ses_args_t a;
+
+ skip_if_disabled ();
+
+ a.nat_event = NAT44_SESSION_DELETE;
+ a.src_ip = src_ip;
+ a.nat_src_ip = nat_src_ip;
+ a.snat_proto = snat_proto;
+ a.src_port = src_port;
+ a.nat_src_port = nat_src_port;
+ a.vrf_id = vrf_id;
+
+ vl_api_rpc_call_main_thread (snat_ipfix_logging_nat44_ses_rpc_cb,
+ (u8 *) & a, sizeof (a));
+}
+
+vlib_frame_t *
+snat_data_callback_nat44_session (flow_report_main_t * frm,
flow_report_t * fr,
vlib_frame_t * f,
u32 * to_next, u32 node_index)
snat_ipfix_logging_max_entries_per_usr_rpc_cb
(snat_ipfix_logging_max_entries_per_user_args_t * a)
{
- snat_ipfix_logging_max_entries_per_usr (a->src_ip, 0);
+ snat_ipfix_logging_max_entries_per_usr (a->limit, a->src_ip, 0);
}
/**
* @brief Generate maximum entries per user exceeded event
*
+ * @param limit maximum NAT entries that can be created per user
* @param src_ip source IPv4 address
*/
void
-snat_ipfix_logging_max_entries_per_user (u32 src_ip)
+snat_ipfix_logging_max_entries_per_user (u32 limit, u32 src_ip)
{
//TODO: This event SHOULD be rate limited
snat_ipfix_logging_max_entries_per_user_args_t a;
skip_if_disabled ();
+ a.limit = limit;
a.src_ip = src_ip;
vl_api_rpc_call_main_thread (snat_ipfix_logging_max_entries_per_usr_rpc_cb,
vlib_frame_t * f,
u32 * to_next, u32 node_index)
{
- snat_ipfix_logging_max_entries_per_usr (0, 1);
+ snat_ipfix_logging_max_entries_per_usr (0, 0, 1);
+ return f;
+}
+
+static void
+nat_ipfix_logging_max_ses_rpc_cb (nat_ipfix_logging_max_sessions_args_t * a)
+{
+ nat_ipfix_logging_max_ses (a->limit, 0);
+}
+
+/**
+ * @brief Generate maximum session entries exceeded event
+ *
+ * @param limit configured limit
+ */
+void
+nat_ipfix_logging_max_sessions (u32 limit)
+{
+ //TODO: This event SHOULD be rate limited
+ nat_ipfix_logging_max_sessions_args_t a;
+
+ skip_if_disabled ();
+
+ a.limit = limit;
+
+ vl_api_rpc_call_main_thread (nat_ipfix_logging_max_ses_rpc_cb,
+ (u8 *) & a, sizeof (a));
+}
+
+vlib_frame_t *
+nat_data_callback_max_sessions (flow_report_main_t * frm,
+ flow_report_t * fr,
+ vlib_frame_t * f,
+ u32 * to_next, u32 node_index)
+{
+ nat_ipfix_logging_max_ses (0, 1);
+ return f;
+}
+
+static void
+nat_ipfix_logging_max_bib_rpc_cb (nat_ipfix_logging_max_bibs_args_t * a)
+{
+ nat_ipfix_logging_max_bib (a->limit, 0);
+}
+
+/**
+ * @brief Generate maximum BIB entries exceeded event
+ *
+ * @param limit configured limit
+ */
+void
+nat_ipfix_logging_max_bibs (u32 limit)
+{
+ //TODO: This event SHOULD be rate limited
+ nat_ipfix_logging_max_bibs_args_t a;
+
+ skip_if_disabled ();
+
+ a.limit = limit;
+
+ vl_api_rpc_call_main_thread (nat_ipfix_logging_max_bib_rpc_cb,
+ (u8 *) & a, sizeof (a));
+}
+
+vlib_frame_t *
+nat_data_callback_max_bibs (flow_report_main_t * frm,
+ flow_report_t * fr,
+ vlib_frame_t * f,
+ u32 * to_next, u32 node_index)
+{
+ nat_ipfix_logging_max_bib (0, 1);
+ return f;
+}
+
+static void
+nat_ipfix_logging_max_frag_ip4_rpc_cb (nat_ipfix_logging_max_frags_ip4_args_t * a)
+{
+ nat_ipfix_logging_max_frag_ip4 (a->limit, a->src, 0);
+}
+
+/**
+ * @brief Generate maximum IPv4 fragments pending reassembly exceeded event
+ *
+ * @param limit configured limit
+ * @param src source IPv4 address
+ */
+void
+nat_ipfix_logging_max_fragments_ip4 (u32 limit, ip4_address_t * src)
+{
+ //TODO: This event SHOULD be rate limited
+ nat_ipfix_logging_max_frags_ip4_args_t a;
+
+ skip_if_disabled ();
+
+ a.limit = limit;
+ a.src = src->as_u32;
+
+ vl_api_rpc_call_main_thread (nat_ipfix_logging_max_frag_ip4_rpc_cb,
+ (u8 *) & a, sizeof (a));
+}
+
+vlib_frame_t *
+nat_data_callback_max_frags_ip4 (flow_report_main_t * frm,
+ flow_report_t * fr,
+ vlib_frame_t * f,
+ u32 * to_next, u32 node_index)
+{
+ nat_ipfix_logging_max_frag_ip4 (0, 0, 1);
+ return f;
+}
+
+static void
+nat_ipfix_logging_max_frag_ip6_rpc_cb (nat_ipfix_logging_max_frags_ip6_args_t * a)
+{
+ ip6_address_t src;
+ src.as_u64[0] = a->src[0];
+ src.as_u64[1] = a->src[1];
+ nat_ipfix_logging_max_frag_ip6 (a->limit, &src, 0);
+}
+
+/**
+ * @brief Generate maximum IPv6 fragments pending reassembly exceeded event
+ *
+ * @param limit configured limit
+ * @param src source IPv6 address
+ */
+void
+nat_ipfix_logging_max_fragments_ip6 (u32 limit, ip6_address_t * src)
+{
+ //TODO: This event SHOULD be rate limited
+ nat_ipfix_logging_max_frags_ip6_args_t a;
+
+ skip_if_disabled ();
+
+ a.limit = limit;
+ a.src[0] = src->as_u64[0];
+ a.src[1] = src->as_u64[1];
+
+ vl_api_rpc_call_main_thread (nat_ipfix_logging_max_frag_ip6_rpc_cb,
+ (u8 *) & a, sizeof (a));
+}
+
+vlib_frame_t *
+nat_data_callback_max_frags_ip6 (flow_report_main_t * frm,
+ flow_report_t * fr,
+ vlib_frame_t * f,
+ u32 * to_next, u32 node_index)
+{
+ nat_ipfix_logging_max_frag_ip6 (0, 0, 1);
+ return f;
+}
+
+static void
+nat_ipfix_logging_nat64_bib_rpc_cb (nat_ipfix_logging_nat64_bib_args_t * a)
+{
+ ip6_address_t src_ip;
+ src_ip.as_u64[0] = a->src_ip[0];
+ src_ip.as_u64[1] = a->src_ip[1];
+ nat_ipfix_logging_nat64_bibe (a->nat_event, &src_ip, a->nat_src_ip,
+ a->proto, a->src_port, a->nat_src_port,
+ a->vrf_id, 0);
+}
+
+/**
+ * @brief Generate NAT64 BIB create and delete events
+ *
+ * @param src_ip source IPv6 address
+ * @param nat_src_ip transaltes source IPv4 address
+ * @param proto L4 protocol
+ * @param src_port source port
+ * @param nat_src_port translated source port
+ * @param vrf_id VRF ID
+ * @param is_create non-zero value if create event otherwise delete event
+ */
+void
+nat_ipfix_logging_nat64_bib (ip6_address_t * src_ip,
+ ip4_address_t * nat_src_ip, u8 proto,
+ u16 src_port, u16 nat_src_port, u32 vrf_id,
+ u8 is_create)
+{
+ nat_ipfix_logging_nat64_bib_args_t a;
+
+ skip_if_disabled ();
+
+ a.src_ip[0] = src_ip->as_u64[0];
+ a.src_ip[1] = src_ip->as_u64[1];
+ a.nat_src_ip = nat_src_ip->as_u32;
+ a.proto = proto;
+ a.src_port = src_port;
+ a.nat_src_port = nat_src_port;
+ a.vrf_id = vrf_id;
+ a.nat_event = is_create ? NAT64_BIB_CREATE : NAT64_BIB_DELETE;
+
+ vl_api_rpc_call_main_thread (nat_ipfix_logging_nat64_bib_rpc_cb,
+ (u8 *) & a, sizeof (a));
+}
+
+vlib_frame_t *
+nat_data_callback_nat64_bib (flow_report_main_t * frm,
+ flow_report_t * fr,
+ vlib_frame_t * f,
+ u32 * to_next, u32 node_index)
+{
+ nat_ipfix_logging_nat64_bibe (0, 0, 0, 0, 0, 0, 0, 1);
+ return f;
+}
+
+static void
+nat_ipfix_logging_nat64_ses_rpc_cb (nat_ipfix_logging_nat64_ses_args_t * a)
+{
+ ip6_address_t src_ip, dst_ip;
+ src_ip.as_u64[0] = a->src_ip[0];
+ src_ip.as_u64[1] = a->src_ip[1];
+ dst_ip.as_u64[0] = a->dst_ip[0];
+ dst_ip.as_u64[1] = a->dst_ip[1];
+ nat_ipfix_logging_nat64_ses (a->nat_event, &src_ip, a->nat_src_ip,
+ a->proto, a->src_port, a->nat_src_port,
+ &dst_ip, a->nat_dst_ip, a->dst_port,
+ a->nat_dst_port, a->vrf_id, 0);
+}
+
+/**
+ * @brief Generate NAT64 session create and delete events
+ *
+ * @param src_ip source IPv6 address
+ * @param nat_src_ip transaltes source IPv4 address
+ * @param proto L4 protocol
+ * @param src_port source port
+ * @param nat_src_port translated source port
+ * @param dst_ip destination IPv6 address
+ * @param nat_dst_ip destination IPv4 address
+ * @param dst_port destination port
+ * @param nat_dst_port translated destination port
+ * @param vrf_id VRF ID
+ * @param is_create non-zero value if create event otherwise delete event
+ */
+void
+nat_ipfix_logging_nat64_session (ip6_address_t * src_ip,
+ ip4_address_t * nat_src_ip, u8 proto,
+ u16 src_port, u16 nat_src_port,
+ ip6_address_t * dst_ip,
+ ip4_address_t * nat_dst_ip, u16 dst_port,
+ u16 nat_dst_port, u32 vrf_id, u8 is_create)
+{
+ nat_ipfix_logging_nat64_ses_args_t a;
+
+ skip_if_disabled ();
+
+ a.src_ip[0] = src_ip->as_u64[0];
+ a.src_ip[1] = src_ip->as_u64[1];
+ a.nat_src_ip = nat_src_ip->as_u32;
+ a.proto = proto;
+ a.src_port = src_port;
+ a.nat_src_port = nat_src_port;
+ a.dst_ip[0] = dst_ip->as_u64[0];
+ a.dst_ip[1] = dst_ip->as_u64[1];
+ a.nat_dst_ip = nat_dst_ip->as_u32;
+ a.dst_port = dst_port;
+ a.nat_dst_port = nat_dst_port;
+ a.vrf_id = vrf_id;
+ a.nat_event = is_create ? NAT64_SESSION_CREATE : NAT64_SESSION_DELETE;
+
+ vl_api_rpc_call_main_thread (nat_ipfix_logging_nat64_ses_rpc_cb,
+ (u8 *) & a, sizeof (a));
+}
+
+vlib_frame_t *
+nat_data_callback_nat64_session (flow_report_main_t * frm,
+ flow_report_t * fr,
+ vlib_frame_t * f,
+ u32 * to_next, u32 node_index)
+{
+ nat_ipfix_logging_nat64_ses (0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1);
return f;
}
a.rewrite_callback = snat_template_rewrite_addr_exhausted;
a.flow_data_callback = snat_data_callback_addr_exhausted;
+ rv = vnet_flow_report_add_del (frm, &a, NULL);
+ if (rv)
+ {
+ clib_warning ("vnet_flow_report_add_del returned %d", rv);
+ return -1;
+ }
+
+ a.rewrite_callback = nat_template_rewrite_max_sessions;
+ a.flow_data_callback = nat_data_callback_max_sessions;
+
+ rv = vnet_flow_report_add_del (frm, &a, NULL);
+ if (rv)
+ {
+ clib_warning ("vnet_flow_report_add_del returned %d", rv);
+ return -1;
+ }
+
+ a.rewrite_callback = nat_template_rewrite_max_bibs;
+ a.flow_data_callback = nat_data_callback_max_bibs;
+
+ rv = vnet_flow_report_add_del (frm, &a, NULL);
+ if (rv)
+ {
+ clib_warning ("vnet_flow_report_add_del returned %d", rv);
+ return -1;
+ }
+
+ a.rewrite_callback = nat_template_rewrite_max_frags_ip4;
+ a.flow_data_callback = nat_data_callback_max_frags_ip4;
+
+ rv = vnet_flow_report_add_del (frm, &a, NULL);
+ if (rv)
+ {
+ clib_warning ("vnet_flow_report_add_del returned %d", rv);
+ return -1;
+ }
+
+ a.rewrite_callback = nat_template_rewrite_max_frags_ip6;
+ a.flow_data_callback = nat_data_callback_max_frags_ip6;
+
+ rv = vnet_flow_report_add_del (frm, &a, NULL);
+ if (rv)
+ {
+ clib_warning ("vnet_flow_report_add_del returned %d", rv);
+ return -1;
+ }
+
+ a.rewrite_callback = nat_template_rewrite_nat64_bib;
+ a.flow_data_callback = nat_data_callback_nat64_bib;
+
+ rv = vnet_flow_report_add_del (frm, &a, NULL);
+ if (rv)
+ {
+ clib_warning ("vnet_flow_report_add_del returned %d", rv);
+ return -1;
+ }
+
+ a.rewrite_callback = nat_template_rewrite_nat64_session;
+ a.flow_data_callback = nat_data_callback_nat64_session;
+
rv = vnet_flow_report_add_del (frm, &a, NULL);
if (rv)
{
# natPoolID
self.assertEqual(struct.pack("!I", 0), record[283])
+ def verify_ipfix_max_sessions(self, data, limit):
+ """
+ Verify IPFIX maximum session entries exceeded event
+
+ :param data: Decoded IPFIX data records
+ :param limit: Number of maximum session entries that can be created.
+ """
+ self.assertEqual(1, len(data))
+ record = data[0]
+ # natEvent
+ self.assertEqual(ord(record[230]), 13)
+ # natQuotaExceededEvent
+ self.assertEqual(struct.pack("I", 1), record[466])
+ # maxSessionEntries
+ self.assertEqual(struct.pack("I", limit), record[471])
+
+ def verify_ipfix_max_bibs(self, data, limit):
+ """
+ Verify IPFIX maximum BIB entries exceeded event
+
+ :param data: Decoded IPFIX data records
+ :param limit: Number of maximum BIB entries that can be created.
+ """
+ self.assertEqual(1, len(data))
+ record = data[0]
+ # natEvent
+ self.assertEqual(ord(record[230]), 13)
+ # natQuotaExceededEvent
+ self.assertEqual(struct.pack("I", 2), record[466])
+ # maxBIBEntries
+ self.assertEqual(struct.pack("I", limit), record[472])
+
+ def verify_ipfix_max_fragments_ip6(self, data, limit, src_addr):
+ """
+ Verify IPFIX maximum IPv6 fragments pending reassembly exceeded event
+
+ :param data: Decoded IPFIX data records
+ :param limit: Number of maximum fragments pending reassembly
+ :param src_addr: IPv6 source address
+ """
+ self.assertEqual(1, len(data))
+ record = data[0]
+ # natEvent
+ self.assertEqual(ord(record[230]), 13)
+ # natQuotaExceededEvent
+ self.assertEqual(struct.pack("I", 5), record[466])
+ # maxFragmentsPendingReassembly
+ self.assertEqual(struct.pack("I", limit), record[475])
+ # sourceIPv6Address
+ self.assertEqual(src_addr, record[27])
+
+ def verify_ipfix_max_fragments_ip4(self, data, limit, src_addr):
+ """
+ Verify IPFIX maximum IPv4 fragments pending reassembly exceeded event
+
+ :param data: Decoded IPFIX data records
+ :param limit: Number of maximum fragments pending reassembly
+ :param src_addr: IPv4 source address
+ """
+ self.assertEqual(1, len(data))
+ record = data[0]
+ # natEvent
+ self.assertEqual(ord(record[230]), 13)
+ # natQuotaExceededEvent
+ self.assertEqual(struct.pack("I", 5), record[466])
+ # maxFragmentsPendingReassembly
+ self.assertEqual(struct.pack("I", limit), record[475])
+ # sourceIPv4Address
+ self.assertEqual(src_addr, record[8])
+
+ def verify_ipfix_bib(self, data, is_create, src_addr):
+ """
+ Verify IPFIX NAT64 BIB create and delete events
+
+ :param data: Decoded IPFIX data records
+ :param is_create: Create event if nonzero value otherwise delete event
+ :param src_addr: IPv6 source address
+ """
+ self.assertEqual(1, len(data))
+ record = data[0]
+ # natEvent
+ if is_create:
+ self.assertEqual(ord(record[230]), 10)
+ else:
+ self.assertEqual(ord(record[230]), 11)
+ # sourceIPv6Address
+ self.assertEqual(src_addr, record[27])
+ # postNATSourceIPv4Address
+ self.assertEqual(self.nat_addr_n, record[225])
+ # protocolIdentifier
+ self.assertEqual(IP_PROTOS.tcp, ord(record[4]))
+ # ingressVRFID
+ self.assertEqual(struct.pack("!I", 0), record[234])
+ # sourceTransportPort
+ self.assertEqual(struct.pack("!H", self.tcp_port_in), record[7])
+ # postNAPTSourceTransportPort
+ self.assertEqual(struct.pack("!H", self.tcp_port_out), record[227])
+
+ def verify_ipfix_nat64_ses(self, data, is_create, src_addr, dst_addr,
+ dst_port):
+ """
+ Verify IPFIX NAT64 session create and delete events
+
+ :param data: Decoded IPFIX data records
+ :param is_create: Create event if nonzero value otherwise delete event
+ :param src_addr: IPv6 source address
+ :param dst_addr: IPv4 destination address
+ :param dst_port: destination TCP port
+ """
+ self.assertEqual(1, len(data))
+ record = data[0]
+ # natEvent
+ if is_create:
+ self.assertEqual(ord(record[230]), 6)
+ else:
+ self.assertEqual(ord(record[230]), 7)
+ # sourceIPv6Address
+ self.assertEqual(src_addr, record[27])
+ # destinationIPv6Address
+ self.assertEqual(socket.inet_pton(socket.AF_INET6,
+ self.compose_ip6(dst_addr,
+ '64:ff9b::',
+ 96)),
+ record[28])
+ # postNATSourceIPv4Address
+ self.assertEqual(self.nat_addr_n, record[225])
+ # postNATDestinationIPv4Address
+ self.assertEqual(socket.inet_pton(socket.AF_INET, dst_addr),
+ record[226])
+ # protocolIdentifier
+ self.assertEqual(IP_PROTOS.tcp, ord(record[4]))
+ # ingressVRFID
+ self.assertEqual(struct.pack("!I", 0), record[234])
+ # sourceTransportPort
+ self.assertEqual(struct.pack("!H", self.tcp_port_in), record[7])
+ # postNAPTSourceTransportPort
+ self.assertEqual(struct.pack("!H", self.tcp_port_out), record[227])
+ # destinationTransportPort
+ self.assertEqual(struct.pack("!H", dst_port), record[11])
+ # postNAPTDestinationTransportPort
+ self.assertEqual(struct.pack("!H", dst_port), record[228])
+
class TestNAT44(MethodHolder):
""" NAT44 Test Cases """
self.verify_capture_out(capture)
self.nat44_add_address(self.nat_addr, is_add=0)
self.vapi.cli("ipfix flush") # FIXME this should be an API call
- capture = self.pg3.get_capture(3)
+ capture = self.pg3.get_capture(9)
ipfix = IPFIXDecoder()
# first load template
for p in capture:
self.pg_start()
capture = self.pg1.get_capture(0)
self.vapi.cli("ipfix flush") # FIXME this should be an API call
- capture = self.pg3.get_capture(3)
+ capture = self.pg3.get_capture(9)
ipfix = IPFIXDecoder()
# first load template
for p in capture:
data = ipfix.decode_data_set(p.getlayer(Set))
self.verify_ipfix_addr_exhausted(data)
+ @unittest.skipUnless(running_extended_tests(), "part of extended tests")
+ def test_ipfix_max_sessions(self):
+ """ IPFIX logging maximum session entries exceeded """
+ self.nat44_add_address(self.nat_addr)
+ self.vapi.nat44_interface_add_del_feature(self.pg0.sw_if_index)
+ self.vapi.nat44_interface_add_del_feature(self.pg1.sw_if_index,
+ is_inside=0)
+
+ nat44_config = self.vapi.nat_show_config()
+ max_sessions = 10 * nat44_config.translation_buckets
+
+ pkts = []
+ for i in range(0, max_sessions):
+ src = "10.10.%u.%u" % ((i & 0xFF00) >> 8, i & 0xFF)
+ p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
+ IP(src=src, dst=self.pg1.remote_ip4) /
+ TCP(sport=1025))
+ pkts.append(p)
+ self.pg0.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+
+ self.pg1.get_capture(max_sessions)
+ self.vapi.set_ipfix_exporter(collector_address=self.pg3.remote_ip4n,
+ src_address=self.pg3.local_ip4n,
+ path_mtu=512,
+ template_interval=10)
+ self.vapi.nat_ipfix(domain_id=self.ipfix_domain_id,
+ src_port=self.ipfix_src_port)
+
+ p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
+ TCP(sport=1025))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg1.get_capture(0)
+ self.vapi.cli("ipfix flush") # FIXME this should be an API call
+ capture = self.pg3.get_capture(9)
+ ipfix = IPFIXDecoder()
+ # first load template
+ for p in capture:
+ self.assertTrue(p.haslayer(IPFIX))
+ self.assertEqual(p[IP].src, self.pg3.local_ip4)
+ self.assertEqual(p[IP].dst, self.pg3.remote_ip4)
+ self.assertEqual(p[UDP].sport, self.ipfix_src_port)
+ self.assertEqual(p[UDP].dport, 4739)
+ self.assertEqual(p[IPFIX].observationDomainID,
+ self.ipfix_domain_id)
+ if p.haslayer(Template):
+ ipfix.add_template(p.getlayer(Template))
+ # verify events in data set
+ for p in capture:
+ if p.haslayer(Data):
+ data = ipfix.decode_data_set(p.getlayer(Set))
+ self.verify_ipfix_max_sessions(data, max_sessions)
+
def test_pool_addr_fib(self):
""" NAT44 add pool addresses to FIB """
static_addr = '10.0.0.10'
adresses = self.vapi.nat44_address_dump()
self.assertEqual(0, len(adresses))
+ def test_ipfix_max_frags(self):
+ """ IPFIX logging maximum fragments pending reassembly exceeded """
+ self.nat44_add_address(self.nat_addr)
+ self.vapi.nat44_interface_add_del_feature(self.pg0.sw_if_index)
+ self.vapi.nat44_interface_add_del_feature(self.pg1.sw_if_index,
+ is_inside=0)
+ self.vapi.nat_set_reass(max_frag=0)
+ self.vapi.set_ipfix_exporter(collector_address=self.pg3.remote_ip4n,
+ src_address=self.pg3.local_ip4n,
+ path_mtu=512,
+ template_interval=10)
+ self.vapi.nat_ipfix(domain_id=self.ipfix_domain_id,
+ src_port=self.ipfix_src_port)
+
+ data = "A" * 4 + "B" * 16 + "C" * 3
+ self.tcp_port_in = random.randint(1025, 65535)
+ pkts = self.create_stream_frag(self.pg0,
+ self.pg1.remote_ip4,
+ self.tcp_port_in,
+ 20,
+ data)
+ self.pg0.add_stream(pkts[-1])
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ frags = self.pg1.get_capture(0)
+ self.vapi.cli("ipfix flush") # FIXME this should be an API call
+ capture = self.pg3.get_capture(9)
+ ipfix = IPFIXDecoder()
+ # first load template
+ for p in capture:
+ self.assertTrue(p.haslayer(IPFIX))
+ self.assertEqual(p[IP].src, self.pg3.local_ip4)
+ self.assertEqual(p[IP].dst, self.pg3.remote_ip4)
+ self.assertEqual(p[UDP].sport, self.ipfix_src_port)
+ self.assertEqual(p[UDP].dport, 4739)
+ self.assertEqual(p[IPFIX].observationDomainID,
+ self.ipfix_domain_id)
+ if p.haslayer(Template):
+ ipfix.add_template(p.getlayer(Template))
+ # verify events in data set
+ for p in capture:
+ if p.haslayer(Data):
+ data = ipfix.decode_data_set(p.getlayer(Set))
+ self.verify_ipfix_max_fragments_ip4(data, 0,
+ self.pg0.remote_ip4n)
+
def tearDown(self):
super(TestNAT44, self).tearDown()
if not self.vpp_dead:
self.assertEqual(ord(record[230]), 13)
# natQuotaExceededEvent
self.assertEqual('\x03\x00\x00\x00', record[466])
+ # maxEntriesPerUser
+ self.assertEqual('\xe8\x03\x00\x00', record[473])
# sourceIPv4Address
self.assertEqual(self.pg0.remote_ip4n, record[8])
class TestNAT64(MethodHolder):
""" NAT64 Test Cases """
+ @classmethod
+ def setUpConstants(cls):
+ super(TestNAT64, cls).setUpConstants()
+ cls.vpp_cmdline.extend(["nat", "{", "nat64 bib hash buckets 128",
+ "nat64 st hash buckets 256", "}"])
+
@classmethod
def setUpClass(cls):
super(TestNAT64, cls).setUpClass()
cls.vrf1_nat_addr = '10.0.10.3'
cls.vrf1_nat_addr_n = socket.inet_pton(socket.AF_INET,
cls.vrf1_nat_addr)
+ cls.ipfix_src_port = 4739
+ cls.ipfix_domain_id = 1
cls.create_pg_interfaces(range(5))
cls.ip6_interfaces = list(cls.pg_interfaces[0:1])
addresses = self.vapi.nat64_pool_addr_dump()
self.assertEqual(0, len(adresses))
+ @unittest.skipUnless(running_extended_tests(), "part of extended tests")
+ def test_ipfix_max_bibs_sessions(self):
+ """ IPFIX logging maximum session and BIB entries exceeded """
+ max_bibs = 1280
+ max_sessions = 2560
+ remote_host_ip6 = self.compose_ip6(self.pg1.remote_ip4,
+ '64:ff9b::',
+ 96)
+
+ self.vapi.nat64_add_del_pool_addr_range(self.nat_addr_n,
+ self.nat_addr_n)
+ self.vapi.nat64_add_del_interface(self.pg0.sw_if_index)
+ self.vapi.nat64_add_del_interface(self.pg1.sw_if_index, is_inside=0)
+
+ pkts = []
+ src = ""
+ for i in range(0, max_bibs):
+ src = "fd01:aa::%x" % (i)
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IPv6(src=src, dst=remote_host_ip6) /
+ TCP(sport=12345, dport=80))
+ pkts.append(p)
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IPv6(src=src, dst=remote_host_ip6) /
+ TCP(sport=12345, dport=22))
+ pkts.append(p)
+ self.pg0.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg1.get_capture(max_sessions)
+
+ self.vapi.set_ipfix_exporter(collector_address=self.pg3.remote_ip4n,
+ src_address=self.pg3.local_ip4n,
+ path_mtu=512,
+ template_interval=10)
+ self.vapi.nat_ipfix(domain_id=self.ipfix_domain_id,
+ src_port=self.ipfix_src_port)
+
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IPv6(src=src, dst=remote_host_ip6) /
+ TCP(sport=12345, dport=25))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg1.get_capture(0)
+ self.vapi.cli("ipfix flush") # FIXME this should be an API call
+ capture = self.pg3.get_capture(9)
+ ipfix = IPFIXDecoder()
+ # first load template
+ for p in capture:
+ self.assertTrue(p.haslayer(IPFIX))
+ self.assertEqual(p[IP].src, self.pg3.local_ip4)
+ self.assertEqual(p[IP].dst, self.pg3.remote_ip4)
+ self.assertEqual(p[UDP].sport, self.ipfix_src_port)
+ self.assertEqual(p[UDP].dport, 4739)
+ self.assertEqual(p[IPFIX].observationDomainID,
+ self.ipfix_domain_id)
+ if p.haslayer(Template):
+ ipfix.add_template(p.getlayer(Template))
+ # verify events in data set
+ for p in capture:
+ if p.haslayer(Data):
+ data = ipfix.decode_data_set(p.getlayer(Set))
+ self.verify_ipfix_max_sessions(data, max_sessions)
+
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IPv6(src=self.pg0.remote_ip6, dst=remote_host_ip6) /
+ TCP(sport=12345, dport=80))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg1.get_capture(0)
+ self.vapi.cli("ipfix flush") # FIXME this should be an API call
+ capture = self.pg3.get_capture(1)
+ # verify events in data set
+ for p in capture:
+ self.assertTrue(p.haslayer(IPFIX))
+ self.assertEqual(p[IP].src, self.pg3.local_ip4)
+ self.assertEqual(p[IP].dst, self.pg3.remote_ip4)
+ self.assertEqual(p[UDP].sport, self.ipfix_src_port)
+ self.assertEqual(p[UDP].dport, 4739)
+ self.assertEqual(p[IPFIX].observationDomainID,
+ self.ipfix_domain_id)
+ if p.haslayer(Data):
+ data = ipfix.decode_data_set(p.getlayer(Set))
+ self.verify_ipfix_max_bibs(data, max_bibs)
+
+ def test_ipfix_max_frags(self):
+ """ IPFIX logging maximum fragments pending reassembly exceeded """
+ self.vapi.nat64_add_del_pool_addr_range(self.nat_addr_n,
+ self.nat_addr_n)
+ self.vapi.nat64_add_del_interface(self.pg0.sw_if_index)
+ self.vapi.nat64_add_del_interface(self.pg1.sw_if_index, is_inside=0)
+ self.vapi.nat_set_reass(max_frag=0, is_ip6=1)
+ self.vapi.set_ipfix_exporter(collector_address=self.pg3.remote_ip4n,
+ src_address=self.pg3.local_ip4n,
+ path_mtu=512,
+ template_interval=10)
+ self.vapi.nat_ipfix(domain_id=self.ipfix_domain_id,
+ src_port=self.ipfix_src_port)
+
+ data = 'a' * 200
+ pkts = self.create_stream_frag_ip6(self.pg0, self.pg1.remote_ip4,
+ self.tcp_port_in, 20, data)
+ self.pg0.add_stream(pkts[-1])
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ self.pg1.get_capture(0)
+ self.vapi.cli("ipfix flush") # FIXME this should be an API call
+ capture = self.pg3.get_capture(9)
+ ipfix = IPFIXDecoder()
+ # first load template
+ for p in capture:
+ self.assertTrue(p.haslayer(IPFIX))
+ self.assertEqual(p[IP].src, self.pg3.local_ip4)
+ self.assertEqual(p[IP].dst, self.pg3.remote_ip4)
+ self.assertEqual(p[UDP].sport, self.ipfix_src_port)
+ self.assertEqual(p[UDP].dport, 4739)
+ self.assertEqual(p[IPFIX].observationDomainID,
+ self.ipfix_domain_id)
+ if p.haslayer(Template):
+ ipfix.add_template(p.getlayer(Template))
+ # verify events in data set
+ for p in capture:
+ if p.haslayer(Data):
+ data = ipfix.decode_data_set(p.getlayer(Set))
+ self.verify_ipfix_max_fragments_ip6(data, 0,
+ self.pg0.remote_ip6n)
+
+ def test_ipfix_bib_ses(self):
+ """ IPFIX logging NAT64 BIB/session create and delete events """
+ self.tcp_port_in = random.randint(1025, 65535)
+ remote_host_ip6 = self.compose_ip6(self.pg1.remote_ip4,
+ '64:ff9b::',
+ 96)
+
+ self.vapi.nat64_add_del_pool_addr_range(self.nat_addr_n,
+ self.nat_addr_n)
+ self.vapi.nat64_add_del_interface(self.pg0.sw_if_index)
+ self.vapi.nat64_add_del_interface(self.pg1.sw_if_index, is_inside=0)
+ self.vapi.set_ipfix_exporter(collector_address=self.pg3.remote_ip4n,
+ src_address=self.pg3.local_ip4n,
+ path_mtu=512,
+ template_interval=10)
+ self.vapi.nat_ipfix(domain_id=self.ipfix_domain_id,
+ src_port=self.ipfix_src_port)
+
+ # Create
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IPv6(src=self.pg0.remote_ip6, dst=remote_host_ip6) /
+ TCP(sport=self.tcp_port_in, dport=25))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ p = self.pg1.get_capture(1)
+ self.tcp_port_out = p[0][TCP].sport
+ self.vapi.cli("ipfix flush") # FIXME this should be an API call
+ capture = self.pg3.get_capture(10)
+ ipfix = IPFIXDecoder()
+ # first load template
+ for p in capture:
+ self.assertTrue(p.haslayer(IPFIX))
+ self.assertEqual(p[IP].src, self.pg3.local_ip4)
+ self.assertEqual(p[IP].dst, self.pg3.remote_ip4)
+ self.assertEqual(p[UDP].sport, self.ipfix_src_port)
+ self.assertEqual(p[UDP].dport, 4739)
+ self.assertEqual(p[IPFIX].observationDomainID,
+ self.ipfix_domain_id)
+ if p.haslayer(Template):
+ ipfix.add_template(p.getlayer(Template))
+ # verify events in data set
+ for p in capture:
+ if p.haslayer(Data):
+ data = ipfix.decode_data_set(p.getlayer(Set))
+ if ord(data[0][230]) == 10:
+ self.verify_ipfix_bib(data, 1, self.pg0.remote_ip6n)
+ elif ord(data[0][230]) == 6:
+ self.verify_ipfix_nat64_ses(data,
+ 1,
+ self.pg0.remote_ip6n,
+ self.pg1.remote_ip4,
+ 25)
+ else:
+ self.logger.error(ppp("Unexpected or invalid packet: ", p))
+
+ # Delete
+ self.pg_enable_capture(self.pg_interfaces)
+ self.vapi.nat64_add_del_pool_addr_range(self.nat_addr_n,
+ self.nat_addr_n,
+ is_add=0)
+ self.vapi.cli("ipfix flush") # FIXME this should be an API call
+ capture = self.pg3.get_capture(2)
+ # verify events in data set
+ for p in capture:
+ self.assertTrue(p.haslayer(IPFIX))
+ self.assertEqual(p[IP].src, self.pg3.local_ip4)
+ self.assertEqual(p[IP].dst, self.pg3.remote_ip4)
+ self.assertEqual(p[UDP].sport, self.ipfix_src_port)
+ self.assertEqual(p[UDP].dport, 4739)
+ self.assertEqual(p[IPFIX].observationDomainID,
+ self.ipfix_domain_id)
+ if p.haslayer(Data):
+ data = ipfix.decode_data_set(p.getlayer(Set))
+ if ord(data[0][230]) == 11:
+ self.verify_ipfix_bib(data, 0, self.pg0.remote_ip6n)
+ elif ord(data[0][230]) == 7:
+ self.verify_ipfix_nat64_ses(data,
+ 0,
+ self.pg0.remote_ip6n,
+ self.pg1.remote_ip4,
+ 25)
+ else:
+ self.logger.error(ppp("Unexpected or invalid packet: ", p))
+
def nat64_get_ses_num(self):
"""
Return number of active NAT64 sessions.
"""
Clear NAT64 configuration.
"""
+ self.vapi.nat_ipfix(enable=0, src_port=self.ipfix_src_port,
+ domain_id=self.ipfix_domain_id)
+ self.ipfix_src_port = 4739
+ self.ipfix_domain_id = 1
+
self.vapi.nat64_set_timeouts()
interfaces = self.vapi.nat64_interface_dump()
intf.is_inside,
is_add=0)
- bib = self.vapi.nat64_bib_dump(IP_PROTOS.tcp)
- for bibe in bib:
- if bibe.is_static:
- self.vapi.nat64_add_del_static_bib(bibe.i_addr,
- bibe.o_addr,
- bibe.i_port,
- bibe.o_port,
- bibe.proto,
- bibe.vrf_id,
- is_add=0)
-
- bib = self.vapi.nat64_bib_dump(IP_PROTOS.udp)
- for bibe in bib:
- if bibe.is_static:
- self.vapi.nat64_add_del_static_bib(bibe.i_addr,
- bibe.o_addr,
- bibe.i_port,
- bibe.o_port,
- bibe.proto,
- bibe.vrf_id,
- is_add=0)
-
- bib = self.vapi.nat64_bib_dump(IP_PROTOS.icmp)
+ bib = self.vapi.nat64_bib_dump(255)
for bibe in bib:
if bibe.is_static:
self.vapi.nat64_add_del_static_bib(bibe.i_addr,