#!/usr/bin/env python3
"""NAT44 ED output-feature tests"""
import random
import socket
import struct
import unittest

from scapy.data import IP_PROTOS
from scapy.layers.inet import ICMP, Ether, IP, TCP
from scapy.packet import Raw

from framework import VppTestCase, VppTestRunner
from vpp_papi import VppEnum
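def get_nat44_ed_in2out_worker_index(ip, vpp_worker_count):
    """Return the VPP worker index expected to own in2out traffic from *ip*.

    Reproduces the worker-selection arithmetic the test relies on so that it
    can pick a source port from the range belonging to that worker (see
    ``test_static_dynamic``).  The body needs the ``socket`` and ``struct``
    modules, which must be imported at file level.

    Args:
        ip: IPv4 address as a dotted-quad string.
        vpp_worker_count: number of VPP worker threads; ``0`` means all
            traffic is handled by the main thread.

    Returns:
        ``0`` when there are no workers, otherwise a 1-based worker index in
        ``1..vpp_worker_count``.

    Raises:
        OSError: if *ip* is not a valid dotted-quad address
            (raised by ``socket.inet_aton``).
    """
    if vpp_worker_count == 0:
        return 0
    # 32-bit value of the address in network byte order, then passed through
    # htonl -- presumably to reproduce the byte layout the data plane hashes
    # on (a byte swap on little-endian hosts, a no-op on big-endian ones).
    numeric = struct.unpack("!L", socket.inet_aton(ip))[0]
    numeric = socket.htonl(numeric)
    # Fold the four octets together; worker 0 is the main thread, so the
    # selected worker is offset by one.
    h = numeric + (numeric >> 8) + (numeric >> 16) + (numeric >> 24)
    return 1 + h % vpp_worker_count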
class TestNAT44EDOutput(VppTestCase):
    """NAT44 ED output feature Test Case"""

    # Session-table size passed to the plugin when it is enabled in setUp().
    max_sessions = 1024

    @classmethod
    def setUpClass(cls):
        """Create the two packet-generator interfaces used by every test."""
        super().setUpClass()
        cls.create_pg_interfaces(range(2))
        cls.interfaces = list(cls.pg_interfaces)

    @classmethod
    def tearDownClass(cls):
        super().tearDownClass()

    def setUp(self):
        """Bring both interfaces up with IPv4 and enable the NAT44 ED plugin."""
        super().setUp()
        for i in self.interfaces:
            i.admin_up()
            i.config_ip4()
            i.resolve_arp()
        self.vapi.nat44_ed_plugin_enable_disable(sessions=self.max_sessions, enable=1)

    def tearDown(self):
        """Log the session table for diagnostics, then undo setUp()."""
        # Nothing to query or clean up if VPP has died during the test.
        if not self.vpp_dead:
            self.logger.debug(self.vapi.cli("show nat44 sessions"))
        super().tearDown()
        if not self.vpp_dead:
            for i in self.pg_interfaces:
                i.unconfig_ip4()
                i.admin_down()
            self.vapi.nat44_ed_plugin_enable_disable(enable=0)

    def test_static_dynamic(self):
        """Create static mapping which matches existing dynamic mapping

        Flow: bring up a dynamic TCP session in->out through the output
        feature, add an out2in-only static mapping that collides with it,
        check the existing session keeps working, close it, let it expire,
        and then verify that a new in->out session gets a different outside
        port while out->in traffic to the static mapping still reaches the
        inside host.
        """
        # Shorten only the TCP transitory timeout so the closed session ages
        # out within the test; the other timeouts keep their current values.
        # NOTE(review): the old timeouts are not restored here -- presumably
        # disabling/re-enabling the plugin in tearDown()/setUp() resets them;
        # confirm.
        config = self.vapi.nat44_show_running_config()
        old_timeouts = config.timeouts
        new_transitory = 2
        self.vapi.nat_set_timeouts(
            udp=old_timeouts.udp,
            tcp_established=old_timeouts.tcp_established,
            icmp=old_timeouts.icmp,
            tcp_transitory=new_transitory,
        )

        # pg0's peer is the inside host, pg1's peer the remote host; pg1's own
        # address doubles as the NAT pool address.
        local_host = self.pg0.remote_ip4
        remote_host = self.pg1.remote_ip4
        nat_intf = self.pg1
        outside_addr = nat_intf.local_ip4

        # Single-address NAT pool; 0xFFFFFFFF is the "unspecified" VRF sentinel.
        self.vapi.nat44_add_del_address_range(
            first_ip_address=outside_addr,
            last_ip_address=outside_addr,
            vrf_id=0xFFFFFFFF,
            is_add=1,
            flags=0,
        )
        # pg0 is registered twice: once with default flags (outside) and once
        # as inside; pg1 gets the in2out translation on its output arc.
        self.vapi.nat44_interface_add_del_feature(
            sw_if_index=self.pg0.sw_if_index, is_add=1
        )
        self.vapi.nat44_interface_add_del_feature(
            sw_if_index=self.pg0.sw_if_index,
            flags=VppEnum.vl_api_nat_config_flags_t.NAT_IS_INSIDE,
            is_add=1,
        )
        self.vapi.nat44_ed_add_del_output_interface(
            sw_if_index=self.pg1.sw_if_index, is_add=1
        )

        # Pick the source port from the port range owned by the worker that
        # will handle local_host, so the translation can keep the source port
        # unchanged -- that is asserted on the first translated SYN below.
        # Ports 0..1023 are excluded; the rest is split evenly per worker.
        thread_index = get_nat44_ed_in2out_worker_index(
            local_host, self.vpp_worker_count
        )
        port_per_thread = int((0xFFFF - 1024) / max(1, self.vpp_worker_count))
        local_sport = 1024 + random.randint(1, port_per_thread)
        if self.vpp_worker_count > 0:
            local_sport += port_per_thread * (thread_index - 1)

        remote_dport = 10000

        pg0 = self.pg0
        pg1 = self.pg1

        # first setup a dynamic TCP session

        # SYN packet in->out
        p = (
            Ether(src=pg0.remote_mac, dst=pg0.local_mac)
            / IP(src=local_host, dst=remote_host)
            / TCP(sport=local_sport, dport=remote_dport, flags="S")
        )
        p = self.send_and_expect(pg0, [p], pg1)[0]

        # Source address is translated to the pool address; the source port
        # is expected to be preserved (see the port selection above).
        self.assertEqual(p[IP].src, outside_addr)
        self.assertEqual(p[TCP].sport, local_sport)
        outside_port = p[TCP].sport

        # SYN+ACK packet out->in
        p = (
            Ether(src=pg1.remote_mac, dst=pg1.local_mac)
            / IP(src=remote_host, dst=outside_addr)
            / TCP(sport=remote_dport, dport=outside_port, flags="SA")
        )
        self.send_and_expect(pg1, [p], pg0)

        # ACK packet in->out
        p = (
            Ether(src=pg0.remote_mac, dst=pg0.local_mac)
            / IP(src=local_host, dst=remote_host)
            / TCP(sport=local_sport, dport=remote_dport, flags="A")
        )
        self.send_and_expect(pg0, [p], pg1)

        # now we have a session up, create a conflicting static mapping
        # The mapping uses exactly the 5-tuple of the live dynamic session.
        # OUT2IN_ONLY: only out->in traffic is steered by it; in->out traffic
        # still gets a dynamic translation (both outcomes are checked at the
        # end).  external_sw_if_index=0xFFFFFFFF: external address given
        # explicitly rather than taken from an interface.
        self.vapi.nat44_add_del_static_mapping(
            is_add=1,
            local_ip_address=local_host,
            external_ip_address=outside_addr,
            external_sw_if_index=0xFFFFFFFF,
            local_port=local_sport,
            external_port=outside_port,
            protocol=IP_PROTOS.tcp,
            flags=VppEnum.vl_api_nat_config_flags_t.NAT_IS_OUT2IN_ONLY,
        )

        # Adding the mapping must not disturb the existing dynamic session.
        sessions = self.vapi.nat44_user_session_dump(local_host, 0)
        self.assertEqual(1, len(sessions))

        # now send some more data over existing session - it should pass

        # in->out
        p = (
            Ether(src=pg0.remote_mac, dst=pg0.local_mac)
            / IP(src=local_host, dst=remote_host)
            / TCP(sport=local_sport, dport=remote_dport)
            / Raw("zippity zap")
        )
        self.send_and_expect(pg0, [p], pg1)

        # out->in
        p = (
            Ether(src=pg1.remote_mac, dst=pg1.local_mac)
            / IP(src=remote_host, dst=outside_addr)
            / TCP(sport=remote_dport, dport=outside_port)
            / Raw("flippity flop")
        )
        self.send_and_expect(pg1, [p], pg0)

        # now close the session
        # Full FIN/FIN+ACK/ACK exchange so the session leaves the established
        # state and falls under the (shortened) transitory timeout.

        # FIN packet in -> out
        p = (
            Ether(src=pg0.remote_mac, dst=pg0.local_mac)
            / IP(src=local_host, dst=remote_host)
            / TCP(sport=local_sport, dport=remote_dport, flags="FA", seq=100, ack=300)
        )
        self.send_and_expect(pg0, [p], pg1)

        # FIN+ACK packet out -> in
        p = (
            Ether(src=pg1.remote_mac, dst=pg1.local_mac)
            / IP(src=remote_host, dst=outside_addr)
            / TCP(sport=remote_dport, dport=outside_port, flags="FA", seq=300, ack=101)
        )
        self.send_and_expect(pg1, [p], pg0)

        # ACK packet in -> out
        p = (
            Ether(src=pg0.remote_mac, dst=pg0.local_mac)
            / IP(src=local_host, dst=remote_host)
            / TCP(sport=local_sport, dport=remote_dport, flags="A", seq=101, ack=301)
        )
        self.send_and_expect(pg0, [p], pg1)

        # session now in transitory timeout
        # try SYN packet in->out - should be dropped
        # NOTE(review): a translated in->out SYN would egress on pg1, yet the
        # drop is asserted on pg0 below -- confirm whether pg1 was intended;
        # as written the check cannot observe a forwarded packet.
        p = (
            Ether(src=pg0.remote_mac, dst=pg0.local_mac)
            / IP(src=local_host, dst=remote_host)
            / TCP(sport=local_sport, dport=remote_dport, flags="S")
        )
        pg0.add_stream(p)
        self.pg_enable_capture()
        self.pg_start()

        # Waiting new_transitory seconds also lets the closed session age past
        # its timeout before the next packet is sent.
        self.sleep(new_transitory, "wait for transitory timeout")
        pg0.assert_nothing_captured(0)

        # session should still exist
        # (expired sessions apparently stay in the table until a later lookup
        # reclaims them -- see the next step)
        sessions = self.vapi.nat44_user_session_dump(pg0.remote_ip4, 0)
        self.assertEqual(1, len(sessions))

        # send FIN+ACK packet in->out - will cause session to be wiped
        # but won't create a new session
        # NOTE(review): this packet is built with pg0 MACs and inside
        # addresses (in->out) and carries the out->in seq/ack numbers, but it
        # is enqueued on pg1, the outside interface.  The session count below
        # still reaches 0; confirm whether pg0.add_stream was intended.
        p = (
            Ether(src=pg0.remote_mac, dst=pg0.local_mac)
            / IP(src=local_host, dst=remote_host)
            / TCP(sport=local_sport, dport=remote_dport, flags="FA", seq=300, ack=101)
        )
        pg1.add_stream(p)
        self.pg_enable_capture()
        self.pg_start()
        pg0.assert_nothing_captured(0)

        # The expired session is gone and no replacement was created.
        sessions = self.vapi.nat44_user_session_dump(pg0.remote_ip4, 0)
        self.assertEqual(0, len(sessions))

        # create a new session and make sure the outside port is remapped
        # SYN packet in->out
        # The static mapping now owns outside_addr:outside_port, so the
        # dynamic translation must choose a different outside port.

        p = (
            Ether(src=pg0.remote_mac, dst=pg0.local_mac)
            / IP(src=local_host, dst=remote_host)
            / TCP(sport=local_sport, dport=remote_dport, flags="S")
        )
        p = self.send_and_expect(pg0, [p], pg1)[0]

        self.assertEqual(p[IP].src, outside_addr)
        self.assertNotEqual(p[TCP].sport, local_sport)

        # make sure static mapping works and creates a new session
        # SYN packet out->in
        p = (
            Ether(src=pg1.remote_mac, dst=pg1.local_mac)
            / IP(src=remote_host, dst=outside_addr)
            / TCP(sport=remote_dport, dport=outside_port, flags="S")
        )
        self.send_and_expect(pg1, [p], pg0)

        # One dynamic session (new in->out) plus one from the static mapping.
        sessions = self.vapi.nat44_user_session_dump(pg0.remote_ip4, 0)
        self.assertEqual(2, len(sessions))
if __name__ == "__main__":
    # Run through the VPP test runner rather than the default unittest runner.
    unittest.main(testRunner=VppTestRunner)