session: add support for proxying apps

To enable this, applications set the proxy flag in their attach requests
and pass the transport protocols they want to act as proxies for as part
of the attach options.

When proxy is enabled, session rules that point incoming packets to the
proxy app are addedd to the local and global session tables, if these
scopes are accessible to the app. In particular, in case of the former,
the rule accepts packets from all sources and all ports destined to the
namespace's supporting interface address on any port. While in case of
the latter, a generic any destination and any port rule is addedd.

Change-Id: I791f8c1cc083350f02e26a2ac3bdbbfbfa19ece3
Signed-off-by: Florin Coras <fcoras@cisco.com>
diff --git a/src/vnet/ip/ip.c b/src/vnet/ip/ip.c
index ac7727a..0c4687d 100644
--- a/src/vnet/ip/ip.c
+++ b/src/vnet/ip/ip.c
@@ -190,6 +190,8 @@
 u32
 ip4_mask_to_preflen (ip4_address_t * mask)
 {
+  if (mask->as_u32 == 0)
+    return 0;
   return (32 - log2_first_set (clib_net_to_host_u32 (mask->as_u32)));
 }
 
@@ -251,7 +253,7 @@
 {
   u8 first1, first0;
   if (mask->as_u64[0] == 0 && mask->as_u64[1] == 0)
-    return 128;
+    return 0;
   first1 = log2_first_set (mask->as_u64[1]);
   first0 = log2_first_set (mask->as_u64[0]);
 
diff --git a/src/vnet/session/application.c b/src/vnet/session/application.c
index df68ce0..6d8ae65 100644
--- a/src/vnet/session/application.c
+++ b/src/vnet/session/application.c
@@ -147,8 +147,8 @@
 application_del (application_t * app)
 {
   segment_manager_t *sm;
-  u64 handle;
-  u32 index, *handles = 0;
+  u64 handle, *handles = 0;
+  u32 index;
   int i;
   vnet_unbind_args_t _a, *a = &_a;
 
@@ -159,6 +159,9 @@
   if (CLIB_DEBUG > 1)
     clib_warning ("[%d] Delete app (%d)", getpid (), app->index);
 
+  if (application_is_proxy (app))
+    application_remove_proxy (app);
+
   /*
    *  Listener cleanup
    */
@@ -251,7 +254,7 @@
   props->add_segment = props->add_segment_size != 0;
   props->preallocated_fifo_pairs = options[APP_OPTIONS_PREALLOC_FIFO_PAIRS];
   props->use_private_segment = options[APP_OPTIONS_FLAGS]
-    & APP_OPTIONS_FLAGS_BUILTIN_APP;
+    & APP_OPTIONS_FLAGS_IS_BUILTIN;
   props->private_segment_count = options[APP_OPTIONS_PRIVATE_SEGMENT_COUNT];
   props->private_segment_size = options[APP_OPTIONS_PRIVATE_SEGMENT_SIZE];
 
@@ -268,6 +271,8 @@
   app->flags = options[APP_OPTIONS_FLAGS];
   app->cb_fns = *cb_fns;
   app->ns_index = options[APP_OPTIONS_NAMESPACE];
+  app->listeners_table = hash_create (0, sizeof (u64));
+  app->proxied_transports = options[APP_OPTIONS_PROXY_TRANSPORT];
 
   /* If no scope enabled, default to global */
   if (!application_has_global_scope (app)
@@ -452,7 +457,19 @@
 int
 application_is_proxy (application_t * app)
 {
-  return !(app->flags & APP_OPTIONS_FLAGS_IS_PROXY);
+  return (app->flags & APP_OPTIONS_FLAGS_IS_PROXY);
+}
+
+int
+application_is_builtin (application_t * app)
+{
+  return (app->flags & APP_OPTIONS_FLAGS_IS_BUILTIN);
+}
+
+int
+application_is_builtin_proxy (application_t * app)
+{
+  return (application_is_proxy (app) && application_is_builtin (app));
 }
 
 int
@@ -489,20 +506,137 @@
 }
 
 stream_session_t *
-application_first_listener (application_t * app)
+application_first_listener (application_t * app, u8 fib_proto,
+			    u8 transport_proto)
 {
+  stream_session_t *listener;
   u64 handle;
   u32 sm_index;
+  u8 sst;
+
+  sst = session_type_from_proto_and_ip (transport_proto,
+					fib_proto == FIB_PROTOCOL_IP4);
 
   /* *INDENT-OFF* */
    hash_foreach (handle, sm_index, app->listeners_table, ({
-     return listen_session_get_from_handle (handle);
+     listener = listen_session_get_from_handle (handle);
+     if (listener->session_type == sst)
+       return listener;
    }));
   /* *INDENT-ON* */
 
   return 0;
 }
 
+static clib_error_t *
+application_start_stop_proxy_fib_proto (application_t * app, u8 fib_proto,
+					u8 transport_proto, u8 is_start)
+{
+  session_rule_add_del_args_t args;
+  fib_prefix_t lcl_pref, rmt_pref;
+  app_namespace_t *app_ns = app_namespace_get (app->ns_index);
+  u8 is_ip4 = (fib_proto == FIB_PROTOCOL_IP4);
+  session_endpoint_t sep = SESSION_ENDPOINT_NULL;
+  transport_connection_t *tc;
+  stream_session_t *s;
+  u64 handle;
+
+  if (is_start)
+    {
+      sep.is_ip4 = is_ip4;
+      sep.fib_index = app_namespace_get_fib_index (app_ns, fib_proto);
+      sep.sw_if_index = app_ns->sw_if_index;
+      sep.transport_proto = transport_proto;
+      application_start_listen (app, &sep, &handle);
+      s = listen_session_get_from_handle (handle);
+    }
+  else
+    {
+      s = application_first_listener (app, fib_proto, transport_proto);
+    }
+  tc = listen_session_get_transport (s);
+
+  if (!ip_is_zero (&tc->lcl_ip, 1))
+    {
+      ip_copy (&lcl_pref.fp_addr, &tc->lcl_ip, is_ip4);
+      lcl_pref.fp_len = is_ip4 ? 32 : 128;
+      lcl_pref.fp_proto = fib_proto;
+      memset (&rmt_pref.fp_addr, 0, sizeof (rmt_pref.fp_addr));
+      rmt_pref.fp_len = 0;
+      rmt_pref.fp_proto = fib_proto;
+
+      args.table_args.lcl = lcl_pref;
+      args.table_args.rmt = rmt_pref;
+      args.table_args.lcl_port = 0;
+      args.table_args.rmt_port = 0;
+      args.table_args.action_index = app->index;
+      args.table_args.is_add = is_start;
+      args.table_args.transport_proto = transport_proto;
+      args.appns_index = app->ns_index;
+      args.scope = SESSION_RULE_SCOPE_GLOBAL;
+      return vnet_session_rule_add_del (&args);
+    }
+  return 0;
+}
+
+void
+application_start_stop_proxy (application_t * app, u8 transport_proto,
+			      u8 is_start)
+{
+  session_rule_add_del_args_t args;
+
+  if (application_has_local_scope (app))
+    {
+      memset (&args, 0, sizeof (args));
+      args.table_args.lcl.fp_proto = FIB_PROTOCOL_IP4;
+      args.table_args.rmt.fp_proto = FIB_PROTOCOL_IP4;
+      args.table_args.lcl_port = 0;
+      args.table_args.rmt_port = 0;
+      args.table_args.action_index = app->index;
+      args.table_args.is_add = is_start;
+      args.table_args.transport_proto = transport_proto;
+      args.appns_index = app->ns_index;
+      args.scope = SESSION_RULE_SCOPE_LOCAL;
+      vnet_session_rule_add_del (&args);
+
+      args.table_args.lcl.fp_proto = FIB_PROTOCOL_IP6;
+      args.table_args.rmt.fp_proto = FIB_PROTOCOL_IP6;
+      vnet_session_rule_add_del (&args);
+    }
+
+  if (application_has_global_scope (app))
+    {
+      application_start_stop_proxy_fib_proto (app, FIB_PROTOCOL_IP4,
+					      transport_proto, is_start);
+      application_start_stop_proxy_fib_proto (app, FIB_PROTOCOL_IP6,
+					      transport_proto, is_start);
+    }
+}
+
+void
+application_setup_proxy (application_t * app)
+{
+  u16 transports = app->proxied_transports;
+  ASSERT (application_is_proxy (app));
+  if (application_is_builtin (app))
+    return;
+  if (transports & (1 << TRANSPORT_PROTO_TCP))
+    application_start_stop_proxy (app, TRANSPORT_PROTO_TCP, 1);
+  if (transports & (1 << TRANSPORT_PROTO_UDP))
+    application_start_stop_proxy (app, TRANSPORT_PROTO_UDP, 1);
+}
+
+void
+application_remove_proxy (application_t * app)
+{
+  u16 transports = app->proxied_transports;
+  ASSERT (application_is_proxy (app));
+  if (transports & (1 << TRANSPORT_PROTO_TCP))
+    application_start_stop_proxy (app, TRANSPORT_PROTO_TCP, 0);
+  if (transports & (1 << TRANSPORT_PROTO_UDP))
+    application_start_stop_proxy (app, TRANSPORT_PROTO_UDP, 0);
+}
+
 u8 *
 format_application_listener (u8 * s, va_list * args)
 {
diff --git a/src/vnet/session/application.h b/src/vnet/session/application.h
index b05e1e1..b985213 100644
--- a/src/vnet/session/application.h
+++ b/src/vnet/session/application.h
@@ -88,14 +88,18 @@
   /** Lookup tables for listeners. Value is segment manager index */
   uword *listeners_table;
 
-  /** First segment manager has in the the first segment the application's
+  /**
+   * First segment manager has in the the first segment the application's
    * event fifo. Depending on what the app does, it may be either used for
-   * a listener or for connects. */
+   * a listener or for connects.
+   */
   u32 first_segment_manager;
   u8 first_segment_manager_in_use;
 
   /** Segment manager properties. Shared by all segment managers */
   segment_manager_properties_t sm_properties;
+
+  u16 proxied_transports;
 } application_t;
 
 #define APP_INVALID_INDEX ((u32)~0)
@@ -125,6 +129,8 @@
 segment_manager_t *application_get_connect_segment_manager (application_t *
 							    app);
 int application_is_proxy (application_t * app);
+int application_is_builtin (application_t * app);
+int application_is_builtin_proxy (application_t * app);
 int application_add_segment_notify (u32 app_index, u32 fifo_segment_index);
 u32 application_session_table (application_t * app, u8 fib_proto);
 u32 application_local_session_table (application_t * app);
@@ -133,7 +139,12 @@
 u8 application_has_local_scope (application_t * app);
 u8 application_has_global_scope (application_t * app);
 u32 application_n_listeners (application_t * app);
-stream_session_t *application_first_listener (application_t * app);
+stream_session_t *application_first_listener (application_t * app,
+					      u8 fib_proto,
+					      u8 transport_proto);
+void application_setup_proxy (application_t * app);
+void application_remove_proxy (application_t * app);
+
 #endif /* SRC_VNET_SESSION_APPLICATION_H_ */
 
 /*
diff --git a/src/vnet/session/application_interface.c b/src/vnet/session/application_interface.c
index 8599c74..a9dda02 100644
--- a/src/vnet/session/application_interface.c
+++ b/src/vnet/session/application_interface.c
@@ -206,7 +206,7 @@
 		void *mp)
 {
   application_t *server, *app;
-  u32 table_index;
+  u32 table_index, server_index;
   stream_session_t *listener;
 
   if (session_endpoint_is_zero (sep))
@@ -223,14 +223,23 @@
   if (application_has_local_scope (app))
     {
       table_index = application_local_session_table (app);
-      app_index = session_lookup_local_session_endpoint (table_index, sep);
-      server = application_get (app_index);
+      server_index = session_lookup_local_session_endpoint (table_index, sep);
+
       /*
-       * Server is willing to have a direct fifo connection created
-       * instead of going through the state machine, etc.
+       * Break loop if rule in local table points to connecting app. This
+       * can happen if client is a generic proxy. Route connect through
+       * global table instead.
        */
-      if (server && (server->flags & APP_OPTIONS_FLAGS_ACCEPT_REDIRECT))
-	return app_connect_redirect (server, mp);
+      if (server_index != app_index)
+	{
+	  server = application_get (server_index);
+	  /*
+	   * Server is willing to have a direct fifo connection created
+	   * instead of going through the state machine, etc.
+	   */
+	  if (server && (server->flags & APP_OPTIONS_FLAGS_ACCEPT_REDIRECT))
+	    return app_connect_redirect (server, mp);
+	}
     }
 
   /*
@@ -414,6 +423,9 @@
   segment_manager_get_segment_info (sm->segment_indices[0],
 				    &seg_name, &a->segment_size);
 
+  if (application_is_proxy (app))
+    application_setup_proxy (app);
+
   a->segment_name_length = vec_len (seg_name);
   a->segment_name = seg_name;
   ASSERT (vec_len (a->segment_name) <= 128);
diff --git a/src/vnet/session/application_interface.h b/src/vnet/session/application_interface.h
index 0251c3b..686b418 100644
--- a/src/vnet/session/application_interface.h
+++ b/src/vnet/session/application_interface.h
@@ -108,6 +108,7 @@
   APP_OPTIONS_PRIVATE_SEGMENT_SIZE,
   APP_OPTIONS_NAMESPACE,
   APP_OPTIONS_NAMESPACE_SECRET,
+  APP_OPTIONS_PROXY_TRANSPORT,
   SESSION_OPTIONS_SEGMENT_SIZE,
   SESSION_OPTIONS_ADD_SEGMENT_SIZE,
   SESSION_OPTIONS_RX_FIFO_SIZE,
@@ -120,7 +121,7 @@
 #define foreach_app_options_flags				\
   _(ACCEPT_REDIRECT, "Use FIFO with redirects")			\
   _(ADD_SEGMENT, "Add segment and signal app if needed")	\
-  _(BUILTIN_APP, "Application is builtin")			\
+  _(IS_BUILTIN, "Application is builtin")			\
   _(IS_PROXY, "Application is proxying")				\
   _(USE_GLOBAL_SCOPE, "App can use global session scope")	\
   _(USE_LOCAL_SCOPE, "App can use local session scope")
diff --git a/src/vnet/session/mma_template.c b/src/vnet/session/mma_template.c
index 81333a7..a838669 100644
--- a/src/vnet/session/mma_template.c
+++ b/src/vnet/session/mma_template.c
@@ -220,7 +220,11 @@
   if (!RT (rule_is_match_for_key) (&rule->match, rp))
     return ~0;
   if (RT (rule_is_exact_match) (rule, rp))
-    return 1;
+    {
+      if (rule_index == srt->root_index)
+	rp->action_index = SESSION_RULES_TABLE_INVALID_INDEX;
+      return 1;
+    }
   for (i = 0; i < vec_len (rp->next_indices); i++)
     {
       rv = RT (mma_rules_table_del_rule) (srt, rule, rp->next_indices[i]);
diff --git a/src/vnet/session/session.c b/src/vnet/session/session.c
index 34707e0..c214b81 100644
--- a/src/vnet/session/session.c
+++ b/src/vnet/session/session.c
@@ -581,7 +581,7 @@
   if (!is_fail)
     {
       sm = application_get_connect_segment_manager (app);
-      alloc_fifos = application_is_proxy (app);
+      alloc_fifos = !application_is_builtin_proxy (app);
       if (session_alloc_and_init (sm, tc, alloc_fifos, &new_s))
 	{
 	  is_fail = 1;
diff --git a/src/vnet/session/session_lookup.c b/src/vnet/session/session_lookup.c
index 2168c61..58af2bc 100644
--- a/src/vnet/session/session_lookup.c
+++ b/src/vnet/session/session_lookup.c
@@ -340,21 +340,15 @@
 }
 
 static stream_session_t *
-session_lookup_app_listen_session (u32 app_index)
+session_lookup_app_listen_session (u32 app_index, u8 fib_proto,
+				   u8 transport_proto)
 {
   application_t *app;
   app = application_get (app_index);
   if (!app)
     return 0;
 
-  if (application_n_listeners (app) != 1)
-    {
-      clib_warning ("there should be one and only one listener %d",
-		    hash_elts (app->listeners_table));
-      return 0;
-    }
-
-  return application_first_listener (app);
+  return application_first_listener (app, fib_proto, transport_proto);
 }
 
 stream_session_t *
@@ -366,7 +360,8 @@
   action_index = session_rules_table_lookup4 (srt, proto, lcl, rmt, lcl_port,
 					      rmt_port);
   /* Nothing sophisticated for now, action index is app index */
-  return session_lookup_app_listen_session (action_index);
+  return session_lookup_app_listen_session (action_index, FIB_PROTOCOL_IP4,
+					    proto);
 }
 
 stream_session_t *
@@ -377,7 +372,8 @@
   u32 action_index;
   action_index = session_rules_table_lookup6 (srt, proto, lcl, rmt, lcl_port,
 					      rmt_port);
-  return session_lookup_app_listen_session (action_index);
+  return session_lookup_app_listen_session (action_index, FIB_PROTOCOL_IP6,
+					    proto);
 }
 
 u64
@@ -1290,6 +1286,28 @@
 };
 /* *INDENT-ON* */
 
+void
+session_lookup_dump_rules_table (u32 fib_index, u8 fib_proto,
+				 u8 transport_proto)
+{
+  vlib_main_t *vm = vlib_get_main ();
+  session_table_t *st;
+  st = session_table_get_for_fib_index (fib_index, fib_proto);
+  session_rules_table_cli_dump (vm, &st->session_rules, fib_proto,
+				transport_proto);
+}
+
+void
+session_lookup_dump_local_rules_table (u32 table_index, u8 fib_proto,
+				       u8 transport_proto)
+{
+  vlib_main_t *vm = vlib_get_main ();
+  session_table_t *st;
+  st = session_table_get (table_index);
+  session_rules_table_cli_dump (vm, &st->session_rules, fib_proto,
+				transport_proto);
+}
+
 static clib_error_t *
 show_session_rules_command_fn (vlib_main_t * vm, unformat_input_t * input,
 			       vlib_cli_command_t * cmd)
diff --git a/src/vnet/session/session_lookup.h b/src/vnet/session/session_lookup.h
index 46af302..d8f0518 100644
--- a/src/vnet/session/session_lookup.h
+++ b/src/vnet/session/session_lookup.h
@@ -86,6 +86,11 @@
 					session_table_t * table, u8 type,
 					u8 is_local);
 
+void session_lookup_dump_rules_table (u32 fib_index, u8 fib_proto,
+				      u8 transport_proto);
+void session_lookup_dump_local_rules_table (u32 fib_index, u8 fib_proto,
+					    u8 transport_proto);
+
 enum _session_rule_scope
 {
   SESSION_RULE_SCOPE_GLOBAL = 1,
diff --git a/src/vnet/session/session_test.c b/src/vnet/session/session_test.c
index bdd4f05..4b47754 100644
--- a/src/vnet/session/session_test.c
+++ b/src/vnet/session/session_test.c
@@ -124,7 +124,7 @@
   memset (options, 0, sizeof (options));
   memset (intf_mac, 0, sizeof (intf_mac));
 
-  options[APP_OPTIONS_FLAGS] = APP_OPTIONS_FLAGS_BUILTIN_APP;
+  options[APP_OPTIONS_FLAGS] = APP_OPTIONS_FLAGS_IS_BUILTIN;
   options[APP_OPTIONS_FLAGS] |= APP_OPTIONS_FLAGS_ACCEPT_REDIRECT;
   vnet_app_attach_args_t attach_args = {
     .api_client_index = ~0,
@@ -753,7 +753,7 @@
   /*
    * Attach server with global and local default scope
    */
-  options[APP_OPTIONS_FLAGS] = APP_OPTIONS_FLAGS_BUILTIN_APP;
+  options[APP_OPTIONS_FLAGS] = APP_OPTIONS_FLAGS_IS_BUILTIN;
   options[APP_OPTIONS_FLAGS] |= APP_OPTIONS_FLAGS_ACCEPT_REDIRECT;
   options[APP_OPTIONS_FLAGS] |= APP_OPTIONS_FLAGS_USE_GLOBAL_SCOPE;
   options[APP_OPTIONS_FLAGS] |= APP_OPTIONS_FLAGS_USE_LOCAL_SCOPE;
@@ -896,6 +896,131 @@
   return 0;
 }
 
+static int
+session_test_proxy (vlib_main_t * vm, unformat_input_t * input)
+{
+  u64 options[SESSION_OPTIONS_N_OPTIONS];
+  u32 server_index, app_index;
+  u32 dummy_server_api_index = ~0, sw_if_index = 0;
+  clib_error_t *error = 0;
+  u8 segment_name[128], intf_mac[6], sst;
+  stream_session_t *s;
+  transport_connection_t *tc;
+  u16 lcl_port = 1234, rmt_port = 4321;
+  app_namespace_t *app_ns;
+  int verbose = 0;
+
+  while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
+    {
+      if (unformat (input, "verbose"))
+	verbose = 1;
+      else
+	{
+	  vlib_cli_output (vm, "parse error: '%U'", format_unformat_error,
+			   input);
+	  return -1;
+	}
+    }
+
+  ip4_address_t lcl_ip = {
+    .as_u32 = clib_host_to_net_u32 (0x01020304),
+  };
+  ip4_address_t rmt_ip = {
+    .as_u32 = clib_host_to_net_u32 (0x05060708),
+  };
+  fib_prefix_t rmt_pref = {
+    .fp_addr.ip4.as_u32 = rmt_ip.as_u32,
+    .fp_len = 16,
+    .fp_proto = FIB_PROTOCOL_IP4,
+  };
+  session_endpoint_t sep = {
+    .ip = rmt_pref.fp_addr,
+    .is_ip4 = 1,
+    .port = rmt_port,
+    .transport_proto = TRANSPORT_PROTO_TCP,
+  };
+
+  /*
+   * Create loopback interface
+   */
+  memset (intf_mac, 0, sizeof (intf_mac));
+  if (vnet_create_loopback_interface (&sw_if_index, intf_mac, 0, 0))
+    {
+      clib_warning ("couldn't create loopback. stopping the test!");
+      return 0;
+    }
+  vnet_sw_interface_set_flags (vnet_get_main (), sw_if_index,
+			       VNET_SW_INTERFACE_FLAG_ADMIN_UP);
+  ip4_add_del_interface_address (vlib_get_main (), sw_if_index, &lcl_ip,
+				 24, 0);
+
+  app_ns = app_namespace_get_default ();
+  app_ns->sw_if_index = sw_if_index;
+
+  memset (options, 0, sizeof (options));
+  options[APP_OPTIONS_FLAGS] |= APP_OPTIONS_FLAGS_ACCEPT_REDIRECT;
+  options[APP_OPTIONS_FLAGS] |= APP_OPTIONS_FLAGS_IS_PROXY;
+  options[APP_OPTIONS_PROXY_TRANSPORT] = 1 << TRANSPORT_PROTO_TCP;
+  options[APP_OPTIONS_FLAGS] |= APP_OPTIONS_FLAGS_USE_GLOBAL_SCOPE;
+  options[APP_OPTIONS_FLAGS] |= APP_OPTIONS_FLAGS_USE_LOCAL_SCOPE;
+  vnet_app_attach_args_t attach_args = {
+    .api_client_index = ~0,
+    .options = options,
+    .namespace_id = 0,
+    .session_cb_vft = &dummy_session_cbs,
+    .segment_name = segment_name,
+  };
+
+  attach_args.api_client_index = dummy_server_api_index;
+  error = vnet_application_attach (&attach_args);
+  SESSION_TEST ((error == 0), "server attachment should work");
+  server_index = attach_args.app_index;
+
+  if (verbose)
+    session_lookup_dump_rules_table (0, FIB_PROTOCOL_IP4,
+				     TRANSPORT_PROTO_TCP);
+
+  tc = session_lookup_connection_wt4 (0, &lcl_ip, &rmt_ip, lcl_port, rmt_port,
+				      TRANSPORT_PROTO_TCP, 0);
+  SESSION_TEST ((tc != 0), "lookup 1.2.3.4 1234 5.6.7.8 4321 should be "
+		"successful");
+  sst = session_type_from_proto_and_ip (TRANSPORT_PROTO_TCP, 1);
+  s = listen_session_get (sst, tc->s_index);
+  SESSION_TEST ((s->app_index == server_index), "lookup should return the"
+		" server");
+
+  tc = session_lookup_connection_wt4 (0, &rmt_ip, &rmt_ip, lcl_port, rmt_port,
+				      TRANSPORT_PROTO_TCP, 0);
+  SESSION_TEST ((tc == 0), "lookup 5.6.7.8 1234 5.6.7.8 4321 should"
+		" not work");
+
+  if (verbose)
+    session_lookup_dump_local_rules_table (app_ns->local_table_index,
+					   FIB_PROTOCOL_IP4,
+					   TRANSPORT_PROTO_TCP);
+  app_index =
+    session_lookup_local_session_endpoint (app_ns->local_table_index, &sep);
+  SESSION_TEST ((app_index == server_index), "local session endpoint lookup"
+		" should work");
+
+  vnet_app_detach_args_t detach_args = {
+    .app_index = server_index,
+  };
+  vnet_application_detach (&detach_args);
+
+  if (verbose)
+    session_lookup_dump_local_rules_table (app_ns->local_table_index,
+					   FIB_PROTOCOL_IP4,
+					   TRANSPORT_PROTO_TCP);
+
+  app_index =
+    session_lookup_local_session_endpoint (app_ns->local_table_index, &sep);
+  SESSION_TEST ((app_index == SESSION_RULES_TABLE_INVALID_INDEX),
+		"local session endpoint lookup should not work after detach");
+
+  return 0;
+}
+
 static clib_error_t *
 session_test (vlib_main_t * vm,
 	      unformat_input_t * input, vlib_cli_command_t * cmd_arg)
@@ -914,6 +1039,8 @@
 	res = session_test_rule_table (vm, input);
       else if (unformat (input, "rules"))
 	res = session_test_rules (vm, input);
+      else if (unformat (input, "proxy"))
+	res = session_test_proxy (vm, input);
       else
 	break;
     }
diff --git a/src/vnet/tcp/builtin_client.c b/src/vnet/tcp/builtin_client.c
index 76c5c12..468a5c1 100644
--- a/src/vnet/tcp/builtin_client.c
+++ b/src/vnet/tcp/builtin_client.c
@@ -456,7 +456,7 @@
   options[APP_OPTIONS_PRIVATE_SEGMENT_SIZE] = tm->private_segment_size;
   options[APP_OPTIONS_PREALLOC_FIFO_PAIRS] = prealloc_fifos;
 
-  options[APP_OPTIONS_FLAGS] = APP_OPTIONS_FLAGS_BUILTIN_APP;
+  options[APP_OPTIONS_FLAGS] = APP_OPTIONS_FLAGS_IS_BUILTIN;
   if (appns_id)
     {
       options[APP_OPTIONS_FLAGS] |= appns_flags;
diff --git a/src/vnet/tcp/builtin_http_server.c b/src/vnet/tcp/builtin_http_server.c
index f307880..07c8a4d 100644
--- a/src/vnet/tcp/builtin_http_server.c
+++ b/src/vnet/tcp/builtin_http_server.c
@@ -459,7 +459,7 @@
   a->options[SESSION_OPTIONS_SEGMENT_SIZE] = 128 << 20;
   a->options[SESSION_OPTIONS_RX_FIFO_SIZE] = 8 << 10;
   a->options[SESSION_OPTIONS_TX_FIFO_SIZE] = 32 << 10;
-  a->options[APP_OPTIONS_FLAGS] = APP_OPTIONS_FLAGS_BUILTIN_APP;
+  a->options[APP_OPTIONS_FLAGS] = APP_OPTIONS_FLAGS_IS_BUILTIN;
   a->options[APP_OPTIONS_PREALLOC_FIFO_PAIRS] = 16;
   a->segment_name = segment_name;
   a->segment_name_length = ARRAY_LEN (segment_name);
diff --git a/src/vnet/tcp/builtin_proxy.c b/src/vnet/tcp/builtin_proxy.c
index e1e0198..779e9b6 100644
--- a/src/vnet/tcp/builtin_proxy.c
+++ b/src/vnet/tcp/builtin_proxy.c
@@ -400,7 +400,7 @@
   a->options[APP_OPTIONS_PREALLOC_FIFO_PAIRS] =
     bpm->prealloc_fifos ? bpm->prealloc_fifos : 1;
 
-  a->options[APP_OPTIONS_FLAGS] = APP_OPTIONS_FLAGS_BUILTIN_APP;
+  a->options[APP_OPTIONS_FLAGS] = APP_OPTIONS_FLAGS_IS_BUILTIN;
 
   a->segment_name = segment_name;
   a->segment_name_length = ARRAY_LEN (segment_name);
@@ -443,7 +443,7 @@
   options[APP_OPTIONS_PREALLOC_FIFO_PAIRS] =
     bpm->prealloc_fifos ? bpm->prealloc_fifos : 1;
 
-  options[APP_OPTIONS_FLAGS] = APP_OPTIONS_FLAGS_BUILTIN_APP
+  options[APP_OPTIONS_FLAGS] = APP_OPTIONS_FLAGS_IS_BUILTIN
     | APP_OPTIONS_FLAGS_IS_PROXY;
 
   a->options = options;
diff --git a/src/vnet/tcp/builtin_server.c b/src/vnet/tcp/builtin_server.c
index 27c4370..b613b3a 100644
--- a/src/vnet/tcp/builtin_server.c
+++ b/src/vnet/tcp/builtin_server.c
@@ -296,7 +296,7 @@
   a->options[APP_OPTIONS_PREALLOC_FIFO_PAIRS] =
     bsm->prealloc_fifos ? bsm->prealloc_fifos : 1;
 
-  a->options[APP_OPTIONS_FLAGS] = APP_OPTIONS_FLAGS_BUILTIN_APP;
+  a->options[APP_OPTIONS_FLAGS] = APP_OPTIONS_FLAGS_IS_BUILTIN;
   if (appns_id)
     {
       a->namespace_id = appns_id;
diff --git a/src/vnet/udp/builtin_server.c b/src/vnet/udp/builtin_server.c
index 593642c..8f8cb40 100644
--- a/src/vnet/udp/builtin_server.c
+++ b/src/vnet/udp/builtin_server.c
@@ -109,7 +109,7 @@
 
   options[SESSION_OPTIONS_ACCEPT_COOKIE] = 0x12345678;
   options[SESSION_OPTIONS_SEGMENT_SIZE] = (2 << 30);	/*$$$$ config / arg */
-  options[APP_OPTIONS_FLAGS] = APP_OPTIONS_FLAGS_BUILTIN_APP;
+  options[APP_OPTIONS_FLAGS] = APP_OPTIONS_FLAGS_IS_BUILTIN;
   options[APP_OPTIONS_PREALLOC_FIFO_PAIRS] = 1024;
 
   a->options = options;