Gitiles
Code Review Sign In
gerrit.nordix.org / fdio / vpp / 23caa885afad3501ea95b52cdbc64c0d48072a83 / . / test / test_snat.py
blob: 4cb5116135329dda49f6b07d6da4a6e3b07bf46f [file] [log] [blame]
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]1#!/usr/bin/env python
2
3import socket
4import unittest
Matus Fabianeea28d72017-01-13 04:15:54 -0800[diff] [blame]5import struct
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]6
7from framework import VppTestCase, VppTestRunner
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]8from scapy.layers.inet import IP, TCP, UDP, ICMP
Juraj Slobodab33f4132017-02-08 23:54:21 -0800[diff] [blame]9from scapy.layers.inet import IPerror, TCPerror, UDPerror, ICMPerror
Matus Fabiane1ae29a2017-01-27 00:47:58 -0800[diff] [blame]10from scapy.layers.l2 import Ether, ARP
Matus Fabianeea28d72017-01-13 04:15:54 -0800[diff] [blame]11from scapy.data import IP_PROTOS
Klement Sekera9225dee2016-12-12 08:36:58 +0100[diff] [blame]12from util import ppp
Matus Fabianeea28d72017-01-13 04:15:54 -0800[diff] [blame]13from ipfix import IPFIX, Set, Template, Data, IPFIXDecoder
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]14
15
16class TestSNAT(VppTestCase):
17 """ SNAT Test Cases """
18
19 @classmethod
20 def setUpClass(cls):
21 super(TestSNAT, cls).setUpClass()
22
23 try:
24 cls.tcp_port_in = 6303
25 cls.tcp_port_out = 6303
26 cls.udp_port_in = 6304
27 cls.udp_port_out = 6304
28 cls.icmp_id_in = 6305
29 cls.icmp_id_out = 6305
30 cls.snat_addr = '10.0.0.3'
31
Matus Fabian8bf68e82017-01-12 04:24:35 -0800[diff] [blame]32 cls.create_pg_interfaces(range(8))
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]33 cls.interfaces = list(cls.pg_interfaces[0:4])
34
35 for i in cls.interfaces:
36 i.admin_up()
37 i.config_ip4()
38 i.resolve_arp()
39
Matus Fabianf78a70d2016-12-12 04:30:39 -0800[diff] [blame]40 cls.pg0.generate_remote_hosts(2)
41 cls.pg0.configure_ipv4_neighbors()
42
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]43 cls.overlapping_interfaces = list(list(cls.pg_interfaces[4:7]))
44
Matus Fabian675a69c2017-01-18 01:46:01 -0800[diff] [blame]45 cls.pg4._local_ip4 = "172.16.255.1"
46 cls.pg4._local_ip4n = socket.inet_pton(socket.AF_INET, i.local_ip4)
47 cls.pg4._remote_hosts[0]._ip4 = "172.16.255.2"
48 cls.pg4.set_table_ip4(10)
49 cls.pg5._local_ip4 = "172.16.255.3"
50 cls.pg5._local_ip4n = socket.inet_pton(socket.AF_INET, i.local_ip4)
51 cls.pg5._remote_hosts[0]._ip4 = "172.16.255.4"
52 cls.pg5.set_table_ip4(10)
53 cls.pg6._local_ip4 = "172.16.255.1"
54 cls.pg6._local_ip4n = socket.inet_pton(socket.AF_INET, i.local_ip4)
55 cls.pg6._remote_hosts[0]._ip4 = "172.16.255.2"
56 cls.pg6.set_table_ip4(20)
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]57 for i in cls.overlapping_interfaces:
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]58 i.config_ip4()
59 i.admin_up()
60 i.resolve_arp()
61
Matus Fabian8bf68e82017-01-12 04:24:35 -0800[diff] [blame]62 cls.pg7.admin_up()
63
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]64 except Exception:
65 super(TestSNAT, cls).tearDownClass()
66 raise
67
Juraj Slobodab33f4132017-02-08 23:54:21 -0800[diff] [blame]68 def create_stream_in(self, in_if, out_if, ttl=64):
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]69 """
70 Create packet stream for inside network
71
72 :param in_if: Inside interface
73 :param out_if: Outside interface
Juraj Slobodab33f4132017-02-08 23:54:21 -0800[diff] [blame]74 :param ttl: TTL of generated packets
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]75 """
76 pkts = []
77 # TCP
78 p = (Ether(dst=in_if.local_mac, src=in_if.remote_mac) /
Juraj Slobodab33f4132017-02-08 23:54:21 -0800[diff] [blame]79 IP(src=in_if.remote_ip4, dst=out_if.remote_ip4, ttl=ttl) /
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]80 TCP(sport=self.tcp_port_in))
81 pkts.append(p)
82
83 # UDP
84 p = (Ether(dst=in_if.local_mac, src=in_if.remote_mac) /
Juraj Slobodab33f4132017-02-08 23:54:21 -0800[diff] [blame]85 IP(src=in_if.remote_ip4, dst=out_if.remote_ip4, ttl=ttl) /
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]86 UDP(sport=self.udp_port_in))
87 pkts.append(p)
88
89 # ICMP
90 p = (Ether(dst=in_if.local_mac, src=in_if.remote_mac) /
Juraj Slobodab33f4132017-02-08 23:54:21 -0800[diff] [blame]91 IP(src=in_if.remote_ip4, dst=out_if.remote_ip4, ttl=ttl) /
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]92 ICMP(id=self.icmp_id_in, type='echo-request'))
93 pkts.append(p)
94
95 return pkts
96
Juraj Slobodab33f4132017-02-08 23:54:21 -0800[diff] [blame]97 def create_stream_out(self, out_if, dst_ip=None, ttl=64):
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]98 """
99 Create packet stream for outside network
100
101 :param out_if: Outside interface
102 :param dst_ip: Destination IP address (Default use global SNAT address)
Juraj Slobodab33f4132017-02-08 23:54:21 -0800[diff] [blame]103 :param ttl: TTL of generated packets
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]104 """
105 if dst_ip is None:
Klement Sekera9225dee2016-12-12 08:36:58 +0100[diff] [blame]106 dst_ip = self.snat_addr
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]107 pkts = []
108 # TCP
109 p = (Ether(dst=out_if.local_mac, src=out_if.remote_mac) /
Juraj Slobodab33f4132017-02-08 23:54:21 -0800[diff] [blame]110 IP(src=out_if.remote_ip4, dst=dst_ip, ttl=ttl) /
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]111 TCP(dport=self.tcp_port_out))
112 pkts.append(p)
113
114 # UDP
115 p = (Ether(dst=out_if.local_mac, src=out_if.remote_mac) /
Juraj Slobodab33f4132017-02-08 23:54:21 -0800[diff] [blame]116 IP(src=out_if.remote_ip4, dst=dst_ip, ttl=ttl) /
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]117 UDP(dport=self.udp_port_out))
118 pkts.append(p)
119
120 # ICMP
121 p = (Ether(dst=out_if.local_mac, src=out_if.remote_mac) /
Juraj Slobodab33f4132017-02-08 23:54:21 -0800[diff] [blame]122 IP(src=out_if.remote_ip4, dst=dst_ip, ttl=ttl) /
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]123 ICMP(id=self.icmp_id_out, type='echo-reply'))
124 pkts.append(p)
125
126 return pkts
127
128 def verify_capture_out(self, capture, nat_ip=None, same_port=False,
129 packet_num=3):
130 """
131 Verify captured packets on outside network
132
133 :param capture: Captured packets
134 :param nat_ip: Translated IP address (Default use global SNAT address)
135 :param same_port: Sorce port number is not translated (Default False)
136 :param packet_num: Expected number of packets (Default 3)
137 """
138 if nat_ip is None:
139 nat_ip = self.snat_addr
140 self.assertEqual(packet_num, len(capture))
141 for packet in capture:
142 try:
143 self.assertEqual(packet[IP].src, nat_ip)
144 if packet.haslayer(TCP):
145 if same_port:
146 self.assertEqual(packet[TCP].sport, self.tcp_port_in)
147 else:
Klement Sekerada505f62017-01-04 12:58:53 +0100[diff] [blame]148 self.assertNotEqual(
149 packet[TCP].sport, self.tcp_port_in)
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]150 self.tcp_port_out = packet[TCP].sport
151 elif packet.haslayer(UDP):
152 if same_port:
153 self.assertEqual(packet[UDP].sport, self.udp_port_in)
154 else:
Klement Sekerada505f62017-01-04 12:58:53 +0100[diff] [blame]155 self.assertNotEqual(
156 packet[UDP].sport, self.udp_port_in)
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]157 self.udp_port_out = packet[UDP].sport
158 else:
159 if same_port:
160 self.assertEqual(packet[ICMP].id, self.icmp_id_in)
161 else:
162 self.assertNotEqual(packet[ICMP].id, self.icmp_id_in)
163 self.icmp_id_out = packet[ICMP].id
164 except:
Klement Sekera9225dee2016-12-12 08:36:58 +0100[diff] [blame]165 self.logger.error(ppp("Unexpected or invalid packet "
166 "(outside network):", packet))
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]167 raise
168
169 def verify_capture_in(self, capture, in_if, packet_num=3):
170 """
171 Verify captured packets on inside network
172
173 :param capture: Captured packets
174 :param in_if: Inside interface
175 :param packet_num: Expected number of packets (Default 3)
176 """
177 self.assertEqual(packet_num, len(capture))
178 for packet in capture:
179 try:
180 self.assertEqual(packet[IP].dst, in_if.remote_ip4)
181 if packet.haslayer(TCP):
182 self.assertEqual(packet[TCP].dport, self.tcp_port_in)
183 elif packet.haslayer(UDP):
184 self.assertEqual(packet[UDP].dport, self.udp_port_in)
185 else:
186 self.assertEqual(packet[ICMP].id, self.icmp_id_in)
187 except:
Klement Sekera9225dee2016-12-12 08:36:58 +0100[diff] [blame]188 self.logger.error(ppp("Unexpected or invalid packet "
189 "(inside network):", packet))
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]190 raise
191
Matus Fabian675a69c2017-01-18 01:46:01 -0800[diff] [blame]192 def verify_capture_no_translation(self, capture, ingress_if, egress_if):
193 """
194 Verify captured packet that don't have to be translated
195
196 :param capture: Captured packets
197 :param ingress_if: Ingress interface
198 :param egress_if: Egress interface
199 """
200 for packet in capture:
201 try:
202 self.assertEqual(packet[IP].src, ingress_if.remote_ip4)
203 self.assertEqual(packet[IP].dst, egress_if.remote_ip4)
204 if packet.haslayer(TCP):
205 self.assertEqual(packet[TCP].sport, self.tcp_port_in)
206 elif packet.haslayer(UDP):
207 self.assertEqual(packet[UDP].sport, self.udp_port_in)
208 else:
209 self.assertEqual(packet[ICMP].id, self.icmp_id_in)
210 except:
211 self.logger.error(ppp("Unexpected or invalid packet "
212 "(inside network):", packet))
213 raise
214
Juraj Slobodab33f4132017-02-08 23:54:21 -0800[diff] [blame]215 def verify_capture_out_with_icmp_errors(self, capture, src_ip=None,
216 packet_num=3, icmp_type=11):
217 """
218 Verify captured packets with ICMP errors on outside network
219
220 :param capture: Captured packets
221 :param src_ip: Translated IP address or IP address of VPP
222 (Default use global SNAT address)
223 :param packet_num: Expected number of packets (Default 3)
224 :param icmp_type: Type of error ICMP packet
225 we are expecting (Default 11)
226 """
227 if src_ip is None:
228 src_ip = self.snat_addr
229 self.assertEqual(packet_num, len(capture))
230 for packet in capture:
231 try:
232 self.assertEqual(packet[IP].src, src_ip)
233 self.assertTrue(packet.haslayer(ICMP))
234 icmp = packet[ICMP]
235 self.assertEqual(icmp.type, icmp_type)
236 self.assertTrue(icmp.haslayer(IPerror))
237 inner_ip = icmp[IPerror]
238 if inner_ip.haslayer(TCPerror):
239 self.assertEqual(inner_ip[TCPerror].dport,
240 self.tcp_port_out)
241 elif inner_ip.haslayer(UDPerror):
242 self.assertEqual(inner_ip[UDPerror].dport,
243 self.udp_port_out)
244 else:
245 self.assertEqual(inner_ip[ICMPerror].id, self.icmp_id_out)
246 except:
247 self.logger.error(ppp("Unexpected or invalid packet "
248 "(outside network):", packet))
249 raise
250
251 def verify_capture_in_with_icmp_errors(self, capture, in_if, packet_num=3,
252 icmp_type=11):
253 """
254 Verify captured packets with ICMP errors on inside network
255
256 :param capture: Captured packets
257 :param in_if: Inside interface
258 :param packet_num: Expected number of packets (Default 3)
259 :param icmp_type: Type of error ICMP packet
260 we are expecting (Default 11)
261 """
262 self.assertEqual(packet_num, len(capture))
263 for packet in capture:
264 try:
265 self.assertEqual(packet[IP].dst, in_if.remote_ip4)
266 self.assertTrue(packet.haslayer(ICMP))
267 icmp = packet[ICMP]
268 self.assertEqual(icmp.type, icmp_type)
269 self.assertTrue(icmp.haslayer(IPerror))
270 inner_ip = icmp[IPerror]
271 if inner_ip.haslayer(TCPerror):
272 self.assertEqual(inner_ip[TCPerror].sport,
273 self.tcp_port_in)
274 elif inner_ip.haslayer(UDPerror):
275 self.assertEqual(inner_ip[UDPerror].sport,
276 self.udp_port_in)
277 else:
278 self.assertEqual(inner_ip[ICMPerror].id, self.icmp_id_in)
279 except:
280 self.logger.error(ppp("Unexpected or invalid packet "
281 "(inside network):", packet))
282 raise
283
Matus Fabianeea28d72017-01-13 04:15:54 -0800[diff] [blame]284 def verify_ipfix_nat44_ses(self, data):
285 """
286 Verify IPFIX NAT44 session create/delete event
287
288 :param data: Decoded IPFIX data records
289 """
290 nat44_ses_create_num = 0
291 nat44_ses_delete_num = 0
292 self.assertEqual(6, len(data))
293 for record in data:
294 # natEvent
295 self.assertIn(ord(record[230]), [4, 5])
296 if ord(record[230]) == 4:
297 nat44_ses_create_num += 1
298 else:
299 nat44_ses_delete_num += 1
300 # sourceIPv4Address
301 self.assertEqual(self.pg0.remote_ip4n, record[8])
302 # postNATSourceIPv4Address
303 self.assertEqual(socket.inet_pton(socket.AF_INET, self.snat_addr),
304 record[225])
305 # ingressVRFID
306 self.assertEqual(struct.pack("!I", 0), record[234])
307 # protocolIdentifier/sourceTransportPort/postNAPTSourceTransportPort
308 if IP_PROTOS.icmp == ord(record[4]):
309 self.assertEqual(struct.pack("!H", self.icmp_id_in), record[7])
310 self.assertEqual(struct.pack("!H", self.icmp_id_out),
311 record[227])
312 elif IP_PROTOS.tcp == ord(record[4]):
313 self.assertEqual(struct.pack("!H", self.tcp_port_in),
314 record[7])
315 self.assertEqual(struct.pack("!H", self.tcp_port_out),
316 record[227])
317 elif IP_PROTOS.udp == ord(record[4]):
318 self.assertEqual(struct.pack("!H", self.udp_port_in),
319 record[7])
320 self.assertEqual(struct.pack("!H", self.udp_port_out),
321 record[227])
322 else:
323 self.fail("Invalid protocol")
324 self.assertEqual(3, nat44_ses_create_num)
325 self.assertEqual(3, nat44_ses_delete_num)
326
327 def verify_ipfix_addr_exhausted(self, data):
328 """
329 Verify IPFIX NAT addresses event
330
331 :param data: Decoded IPFIX data records
332 """
333 self.assertEqual(1, len(data))
334 record = data[0]
335 # natEvent
336 self.assertEqual(ord(record[230]), 3)
337 # natPoolID
338 self.assertEqual(struct.pack("!I", 0), record[283])
339
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]340 def clear_snat(self):
341 """
342 Clear SNAT configuration.
343 """
Matus Fabian36532bd2017-01-23 23:42:28 -0800[diff] [blame]344 if self.pg7.has_ip4_config:
345 self.pg7.unconfig_ip4()
346
Matus Fabian8bf68e82017-01-12 04:24:35 -0800[diff] [blame]347 interfaces = self.vapi.snat_interface_addr_dump()
348 for intf in interfaces:
349 self.vapi.snat_add_interface_addr(intf.sw_if_index, is_add=0)
350
Matus Fabianeea28d72017-01-13 04:15:54 -0800[diff] [blame]351 self.vapi.snat_ipfix(enable=0)
352
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]353 interfaces = self.vapi.snat_interface_dump()
354 for intf in interfaces:
355 self.vapi.snat_interface_add_del_feature(intf.sw_if_index,
356 intf.is_inside,
357 is_add=0)
358
359 static_mappings = self.vapi.snat_static_mapping_dump()
360 for sm in static_mappings:
361 self.vapi.snat_add_static_mapping(sm.local_ip_address,
362 sm.external_ip_address,
363 local_port=sm.local_port,
364 external_port=sm.external_port,
365 addr_only=sm.addr_only,
366 vrf_id=sm.vrf_id,
Matus Fabian09d96f42017-02-02 01:43:00 -0800[diff] [blame]367 protocol=sm.protocol,
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]368 is_add=0)
369
370 adresses = self.vapi.snat_address_dump()
371 for addr in adresses:
372 self.vapi.snat_add_address_range(addr.ip_address,
373 addr.ip_address,
374 is_add=0)
375
Matus Fabian36532bd2017-01-23 23:42:28 -0800[diff] [blame]376 def snat_add_static_mapping(self, local_ip, external_ip='0.0.0.0',
377 local_port=0, external_port=0, vrf_id=0,
Matus Fabian09d96f42017-02-02 01:43:00 -0800[diff] [blame]378 is_add=1, external_sw_if_index=0xFFFFFFFF,
379 proto=0):
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]380 """
381 Add/delete S-NAT static mapping
382
383 :param local_ip: Local IP address
384 :param external_ip: External IP address
385 :param local_port: Local port number (Optional)
386 :param external_port: External port number (Optional)
387 :param vrf_id: VRF ID (Default 0)
388 :param is_add: 1 if add, 0 if delete (Default add)
Matus Fabian36532bd2017-01-23 23:42:28 -0800[diff] [blame]389 :param external_sw_if_index: External interface instead of IP address
Matus Fabian09d96f42017-02-02 01:43:00 -0800[diff] [blame]390 :param proto: IP protocol (Mandatory if port specified)
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]391 """
392 addr_only = 1
393 if local_port and external_port:
394 addr_only = 0
395 l_ip = socket.inet_pton(socket.AF_INET, local_ip)
396 e_ip = socket.inet_pton(socket.AF_INET, external_ip)
Klement Sekerada505f62017-01-04 12:58:53 +0100[diff] [blame]397 self.vapi.snat_add_static_mapping(
398 l_ip,
399 e_ip,
Matus Fabian36532bd2017-01-23 23:42:28 -0800[diff] [blame]400 external_sw_if_index,
Klement Sekerada505f62017-01-04 12:58:53 +0100[diff] [blame]401 local_port,
402 external_port,
403 addr_only,
404 vrf_id,
Matus Fabian09d96f42017-02-02 01:43:00 -0800[diff] [blame]405 proto,
Klement Sekerada505f62017-01-04 12:58:53 +0100[diff] [blame]406 is_add)
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]407
408 def snat_add_address(self, ip, is_add=1):
409 """
410 Add/delete S-NAT address
411
412 :param ip: IP address
413 :param is_add: 1 if add, 0 if delete (Default add)
414 """
415 snat_addr = socket.inet_pton(socket.AF_INET, ip)
416 self.vapi.snat_add_address_range(snat_addr, snat_addr, is_add)
417
418 def test_dynamic(self):
419 """ SNAT dynamic translation test """
420
421 self.snat_add_address(self.snat_addr)
422 self.vapi.snat_interface_add_del_feature(self.pg0.sw_if_index)
423 self.vapi.snat_interface_add_del_feature(self.pg1.sw_if_index,
424 is_inside=0)
425
426 # in2out
427 pkts = self.create_stream_in(self.pg0, self.pg1)
428 self.pg0.add_stream(pkts)
429 self.pg_enable_capture(self.pg_interfaces)
430 self.pg_start()
Klement Sekeradab231a2016-12-21 08:50:14 +0100[diff] [blame]431 capture = self.pg1.get_capture(len(pkts))
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]432 self.verify_capture_out(capture)
433
434 # out2in
435 pkts = self.create_stream_out(self.pg1)
436 self.pg1.add_stream(pkts)
437 self.pg_enable_capture(self.pg_interfaces)
438 self.pg_start()
Klement Sekeradab231a2016-12-21 08:50:14 +0100[diff] [blame]439 capture = self.pg0.get_capture(len(pkts))
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]440 self.verify_capture_in(capture, self.pg0)
441
Juraj Slobodab33f4132017-02-08 23:54:21 -0800[diff] [blame]442 def test_dynamic_icmp_errors_in2out_ttl_1(self):
443 """ SNAT handling of client packets with TTL=1 """
444
445 self.snat_add_address(self.snat_addr)
446 self.vapi.snat_interface_add_del_feature(self.pg0.sw_if_index)
447 self.vapi.snat_interface_add_del_feature(self.pg1.sw_if_index,
448 is_inside=0)
449
450 # Client side - generate traffic
451 pkts = self.create_stream_in(self.pg0, self.pg1, ttl=1)
452 self.pg0.add_stream(pkts)
453 self.pg_enable_capture(self.pg_interfaces)
454 self.pg_start()
455
456 # Client side - verify ICMP type 11 packets
457 capture = self.pg0.get_capture(len(pkts))
458 self.verify_capture_in_with_icmp_errors(capture, self.pg0)
459
460 def test_dynamic_icmp_errors_out2in_ttl_1(self):
461 """ SNAT handling of server packets with TTL=1 """
462
463 self.snat_add_address(self.snat_addr)
464 self.vapi.snat_interface_add_del_feature(self.pg0.sw_if_index)
465 self.vapi.snat_interface_add_del_feature(self.pg1.sw_if_index,
466 is_inside=0)
467
468 # Client side - create sessions
469 pkts = self.create_stream_in(self.pg0, self.pg1)
470 self.pg0.add_stream(pkts)
471 self.pg_enable_capture(self.pg_interfaces)
472 self.pg_start()
473
474 # Server side - generate traffic
475 capture = self.pg1.get_capture(len(pkts))
476 self.verify_capture_out(capture)
477 pkts = self.create_stream_out(self.pg1, ttl=1)
478 self.pg1.add_stream(pkts)
479 self.pg_enable_capture(self.pg_interfaces)
480 self.pg_start()
481
482 # Server side - verify ICMP type 11 packets
483 capture = self.pg1.get_capture(len(pkts))
484 self.verify_capture_out_with_icmp_errors(capture,
485 src_ip=self.pg1.local_ip4)
486
487 def test_dynamic_icmp_errors_in2out_ttl_2(self):
Juraj Sloboda665e4822017-02-16 17:17:19 -0800[diff] [blame]488 """ SNAT handling of error responses to client packets with TTL=2 """
Juraj Slobodab33f4132017-02-08 23:54:21 -0800[diff] [blame]489
490 self.snat_add_address(self.snat_addr)
491 self.vapi.snat_interface_add_del_feature(self.pg0.sw_if_index)
492 self.vapi.snat_interface_add_del_feature(self.pg1.sw_if_index,
493 is_inside=0)
494
495 # Client side - generate traffic
496 pkts = self.create_stream_in(self.pg0, self.pg1, ttl=2)
497 self.pg0.add_stream(pkts)
498 self.pg_enable_capture(self.pg_interfaces)
499 self.pg_start()
500
501 # Server side - simulate ICMP type 11 response
502 capture = self.pg1.get_capture(len(pkts))
503 pkts = [Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
504 IP(src=self.pg1.remote_ip4, dst=self.snat_addr) /
505 ICMP(type=11) / packet[IP] for packet in capture]
506 self.pg1.add_stream(pkts)
507 self.pg_enable_capture(self.pg_interfaces)
508 self.pg_start()
509
510 # Client side - verify ICMP type 11 packets
511 capture = self.pg0.get_capture(len(pkts))
512 self.verify_capture_in_with_icmp_errors(capture, self.pg0)
513
514 def test_dynamic_icmp_errors_out2in_ttl_2(self):
Juraj Sloboda665e4822017-02-16 17:17:19 -0800[diff] [blame]515 """ SNAT handling of error responses to server packets with TTL=2 """
Juraj Slobodab33f4132017-02-08 23:54:21 -0800[diff] [blame]516
517 self.snat_add_address(self.snat_addr)
518 self.vapi.snat_interface_add_del_feature(self.pg0.sw_if_index)
519 self.vapi.snat_interface_add_del_feature(self.pg1.sw_if_index,
520 is_inside=0)
521
522 # Client side - create sessions
523 pkts = self.create_stream_in(self.pg0, self.pg1)
524 self.pg0.add_stream(pkts)
525 self.pg_enable_capture(self.pg_interfaces)
526 self.pg_start()
527
528 # Server side - generate traffic
529 capture = self.pg1.get_capture(len(pkts))
530 self.verify_capture_out(capture)
531 pkts = self.create_stream_out(self.pg1, ttl=2)
532 self.pg1.add_stream(pkts)
533 self.pg_enable_capture(self.pg_interfaces)
534 self.pg_start()
535
536 # Client side - simulate ICMP type 11 response
537 capture = self.pg0.get_capture(len(pkts))
538 pkts = [Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
539 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
540 ICMP(type=11) / packet[IP] for packet in capture]
541 self.pg0.add_stream(pkts)
542 self.pg_enable_capture(self.pg_interfaces)
543 self.pg_start()
544
545 # Server side - verify ICMP type 11 packets
546 capture = self.pg1.get_capture(len(pkts))
547 self.verify_capture_out_with_icmp_errors(capture)
548
Juraj Sloboda665e4822017-02-16 17:17:19 -0800[diff] [blame]549 def test_ping_out_interface_from_outside(self):
550 """ Ping SNAT out interface from outside """
551
552 self.snat_add_address(self.snat_addr)
553 self.vapi.snat_interface_add_del_feature(self.pg0.sw_if_index)
554 self.vapi.snat_interface_add_del_feature(self.pg1.sw_if_index,
555 is_inside=0)
556
557 p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
558 IP(src=self.pg1.remote_ip4, dst=self.pg1.local_ip4) /
559 ICMP(id=self.icmp_id_out, type='echo-request'))
560 pkts = [p]
561 self.pg1.add_stream(pkts)
562 self.pg_enable_capture(self.pg_interfaces)
563 self.pg_start()
564 capture = self.pg1.get_capture(len(pkts))
565 self.assertEqual(1, len(capture))
566 packet = capture[0]
567 try:
568 self.assertEqual(packet[IP].src, self.pg1.local_ip4)
569 self.assertEqual(packet[IP].dst, self.pg1.remote_ip4)
570 self.assertEqual(packet[ICMP].id, self.icmp_id_in)
571 self.assertEqual(packet[ICMP].type, 0) # echo reply
572 except:
573 self.logger.error(ppp("Unexpected or invalid packet "
574 "(outside network):", packet))
575 raise
576
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]577 def test_static_in(self):
578 """ SNAT 1:1 NAT initialized from inside network """
579
580 nat_ip = "10.0.0.10"
581 self.tcp_port_out = 6303
582 self.udp_port_out = 6304
583 self.icmp_id_out = 6305
584
585 self.snat_add_static_mapping(self.pg0.remote_ip4, nat_ip)
586 self.vapi.snat_interface_add_del_feature(self.pg0.sw_if_index)
587 self.vapi.snat_interface_add_del_feature(self.pg1.sw_if_index,
588 is_inside=0)
589
590 # in2out
591 pkts = self.create_stream_in(self.pg0, self.pg1)
592 self.pg0.add_stream(pkts)
593 self.pg_enable_capture(self.pg_interfaces)
594 self.pg_start()
Klement Sekeradab231a2016-12-21 08:50:14 +0100[diff] [blame]595 capture = self.pg1.get_capture(len(pkts))
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]596 self.verify_capture_out(capture, nat_ip, True)
597
598 # out2in
599 pkts = self.create_stream_out(self.pg1, nat_ip)
600 self.pg1.add_stream(pkts)
601 self.pg_enable_capture(self.pg_interfaces)
602 self.pg_start()
Klement Sekeradab231a2016-12-21 08:50:14 +0100[diff] [blame]603 capture = self.pg0.get_capture(len(pkts))
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]604 self.verify_capture_in(capture, self.pg0)
605
606 def test_static_out(self):
607 """ SNAT 1:1 NAT initialized from outside network """
608
609 nat_ip = "10.0.0.20"
610 self.tcp_port_out = 6303
611 self.udp_port_out = 6304
612 self.icmp_id_out = 6305
613
614 self.snat_add_static_mapping(self.pg0.remote_ip4, nat_ip)
615 self.vapi.snat_interface_add_del_feature(self.pg0.sw_if_index)
616 self.vapi.snat_interface_add_del_feature(self.pg1.sw_if_index,
617 is_inside=0)
618
619 # out2in
620 pkts = self.create_stream_out(self.pg1, nat_ip)
621 self.pg1.add_stream(pkts)
622 self.pg_enable_capture(self.pg_interfaces)
623 self.pg_start()
Klement Sekeradab231a2016-12-21 08:50:14 +0100[diff] [blame]624 capture = self.pg0.get_capture(len(pkts))
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]625 self.verify_capture_in(capture, self.pg0)
626
627 # in2out
628 pkts = self.create_stream_in(self.pg0, self.pg1)
629 self.pg0.add_stream(pkts)
630 self.pg_enable_capture(self.pg_interfaces)
631 self.pg_start()
Klement Sekeradab231a2016-12-21 08:50:14 +0100[diff] [blame]632 capture = self.pg1.get_capture(len(pkts))
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]633 self.verify_capture_out(capture, nat_ip, True)
634
635 def test_static_with_port_in(self):
636 """ SNAT 1:1 NAT with port initialized from inside network """
637
638 self.tcp_port_out = 3606
639 self.udp_port_out = 3607
640 self.icmp_id_out = 3608
641
642 self.snat_add_address(self.snat_addr)
643 self.snat_add_static_mapping(self.pg0.remote_ip4, self.snat_addr,
Matus Fabian09d96f42017-02-02 01:43:00 -0800[diff] [blame]644 self.tcp_port_in, self.tcp_port_out,
645 proto=IP_PROTOS.tcp)
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]646 self.snat_add_static_mapping(self.pg0.remote_ip4, self.snat_addr,
Matus Fabian09d96f42017-02-02 01:43:00 -0800[diff] [blame]647 self.udp_port_in, self.udp_port_out,
648 proto=IP_PROTOS.udp)
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]649 self.snat_add_static_mapping(self.pg0.remote_ip4, self.snat_addr,
Matus Fabian09d96f42017-02-02 01:43:00 -0800[diff] [blame]650 self.icmp_id_in, self.icmp_id_out,
651 proto=IP_PROTOS.icmp)
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]652 self.vapi.snat_interface_add_del_feature(self.pg0.sw_if_index)
653 self.vapi.snat_interface_add_del_feature(self.pg1.sw_if_index,
654 is_inside=0)
655
656 # in2out
657 pkts = self.create_stream_in(self.pg0, self.pg1)
658 self.pg0.add_stream(pkts)
659 self.pg_enable_capture(self.pg_interfaces)
660 self.pg_start()
Klement Sekeradab231a2016-12-21 08:50:14 +0100[diff] [blame]661 capture = self.pg1.get_capture(len(pkts))
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]662 self.verify_capture_out(capture)
663
664 # out2in
665 pkts = self.create_stream_out(self.pg1)
666 self.pg1.add_stream(pkts)
667 self.pg_enable_capture(self.pg_interfaces)
668 self.pg_start()
Klement Sekeradab231a2016-12-21 08:50:14 +0100[diff] [blame]669 capture = self.pg0.get_capture(len(pkts))
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]670 self.verify_capture_in(capture, self.pg0)
671
672 def test_static_with_port_out(self):
673 """ SNAT 1:1 NAT with port initialized from outside network """
674
675 self.tcp_port_out = 30606
676 self.udp_port_out = 30607
677 self.icmp_id_out = 30608
678
679 self.snat_add_address(self.snat_addr)
680 self.snat_add_static_mapping(self.pg0.remote_ip4, self.snat_addr,
Matus Fabian09d96f42017-02-02 01:43:00 -0800[diff] [blame]681 self.tcp_port_in, self.tcp_port_out,
682 proto=IP_PROTOS.tcp)
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]683 self.snat_add_static_mapping(self.pg0.remote_ip4, self.snat_addr,
Matus Fabian09d96f42017-02-02 01:43:00 -0800[diff] [blame]684 self.udp_port_in, self.udp_port_out,
685 proto=IP_PROTOS.udp)
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]686 self.snat_add_static_mapping(self.pg0.remote_ip4, self.snat_addr,
Matus Fabian09d96f42017-02-02 01:43:00 -0800[diff] [blame]687 self.icmp_id_in, self.icmp_id_out,
688 proto=IP_PROTOS.icmp)
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]689 self.vapi.snat_interface_add_del_feature(self.pg0.sw_if_index)
690 self.vapi.snat_interface_add_del_feature(self.pg1.sw_if_index,
691 is_inside=0)
692
693 # out2in
694 pkts = self.create_stream_out(self.pg1)
695 self.pg1.add_stream(pkts)
696 self.pg_enable_capture(self.pg_interfaces)
697 self.pg_start()
Klement Sekeradab231a2016-12-21 08:50:14 +0100[diff] [blame]698 capture = self.pg0.get_capture(len(pkts))
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]699 self.verify_capture_in(capture, self.pg0)
700
701 # in2out
702 pkts = self.create_stream_in(self.pg0, self.pg1)
703 self.pg0.add_stream(pkts)
704 self.pg_enable_capture(self.pg_interfaces)
705 self.pg_start()
Klement Sekeradab231a2016-12-21 08:50:14 +0100[diff] [blame]706 capture = self.pg1.get_capture(len(pkts))
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]707 self.verify_capture_out(capture)
708
709 def test_static_vrf_aware(self):
710 """ SNAT 1:1 NAT VRF awareness """
711
712 nat_ip1 = "10.0.0.30"
713 nat_ip2 = "10.0.0.40"
714 self.tcp_port_out = 6303
715 self.udp_port_out = 6304
716 self.icmp_id_out = 6305
717
718 self.snat_add_static_mapping(self.pg4.remote_ip4, nat_ip1,
Matus Fabian675a69c2017-01-18 01:46:01 -0800[diff] [blame]719 vrf_id=10)
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]720 self.snat_add_static_mapping(self.pg0.remote_ip4, nat_ip2,
Matus Fabian675a69c2017-01-18 01:46:01 -0800[diff] [blame]721 vrf_id=10)
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]722 self.vapi.snat_interface_add_del_feature(self.pg3.sw_if_index,
723 is_inside=0)
724 self.vapi.snat_interface_add_del_feature(self.pg0.sw_if_index)
725 self.vapi.snat_interface_add_del_feature(self.pg4.sw_if_index)
726
727 # inside interface VRF match SNAT static mapping VRF
728 pkts = self.create_stream_in(self.pg4, self.pg3)
729 self.pg4.add_stream(pkts)
730 self.pg_enable_capture(self.pg_interfaces)
731 self.pg_start()
Klement Sekeradab231a2016-12-21 08:50:14 +0100[diff] [blame]732 capture = self.pg3.get_capture(len(pkts))
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]733 self.verify_capture_out(capture, nat_ip1, True)
734
735 # inside interface VRF don't match SNAT static mapping VRF (packets
736 # are dropped)
737 pkts = self.create_stream_in(self.pg0, self.pg3)
738 self.pg0.add_stream(pkts)
739 self.pg_enable_capture(self.pg_interfaces)
740 self.pg_start()
Klement Sekera9225dee2016-12-12 08:36:58 +0100[diff] [blame]741 self.pg3.assert_nothing_captured()
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]742
743 def test_multiple_inside_interfaces(self):
Matus Fabiane1ae29a2017-01-27 00:47:58 -0800[diff] [blame]744 """ SNAT multiple inside interfaces (non-overlapping address space) """
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]745
746 self.snat_add_address(self.snat_addr)
747 self.vapi.snat_interface_add_del_feature(self.pg0.sw_if_index)
748 self.vapi.snat_interface_add_del_feature(self.pg1.sw_if_index)
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]749 self.vapi.snat_interface_add_del_feature(self.pg3.sw_if_index,
750 is_inside=0)
751
Matus Fabian675a69c2017-01-18 01:46:01 -0800[diff] [blame]752 # between two S-NAT inside interfaces (no translation)
753 pkts = self.create_stream_in(self.pg0, self.pg1)
754 self.pg0.add_stream(pkts)
755 self.pg_enable_capture(self.pg_interfaces)
756 self.pg_start()
757 capture = self.pg1.get_capture(len(pkts))
758 self.verify_capture_no_translation(capture, self.pg0, self.pg1)
759
760 # from S-NAT inside to interface without S-NAT feature (no translation)
761 pkts = self.create_stream_in(self.pg0, self.pg2)
762 self.pg0.add_stream(pkts)
763 self.pg_enable_capture(self.pg_interfaces)
764 self.pg_start()
765 capture = self.pg2.get_capture(len(pkts))
766 self.verify_capture_no_translation(capture, self.pg0, self.pg2)
767
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]768 # in2out 1st interface
769 pkts = self.create_stream_in(self.pg0, self.pg3)
770 self.pg0.add_stream(pkts)
771 self.pg_enable_capture(self.pg_interfaces)
772 self.pg_start()
Klement Sekeradab231a2016-12-21 08:50:14 +0100[diff] [blame]773 capture = self.pg3.get_capture(len(pkts))
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]774 self.verify_capture_out(capture)
775
776 # out2in 1st interface
777 pkts = self.create_stream_out(self.pg3)
778 self.pg3.add_stream(pkts)
779 self.pg_enable_capture(self.pg_interfaces)
780 self.pg_start()
Klement Sekeradab231a2016-12-21 08:50:14 +0100[diff] [blame]781 capture = self.pg0.get_capture(len(pkts))
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]782 self.verify_capture_in(capture, self.pg0)
783
784 # in2out 2nd interface
785 pkts = self.create_stream_in(self.pg1, self.pg3)
786 self.pg1.add_stream(pkts)
787 self.pg_enable_capture(self.pg_interfaces)
788 self.pg_start()
Klement Sekeradab231a2016-12-21 08:50:14 +0100[diff] [blame]789 capture = self.pg3.get_capture(len(pkts))
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]790 self.verify_capture_out(capture)
791
792 # out2in 2nd interface
793 pkts = self.create_stream_out(self.pg3)
794 self.pg3.add_stream(pkts)
795 self.pg_enable_capture(self.pg_interfaces)
796 self.pg_start()
Klement Sekeradab231a2016-12-21 08:50:14 +0100[diff] [blame]797 capture = self.pg1.get_capture(len(pkts))
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]798 self.verify_capture_in(capture, self.pg1)
799
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]800 def test_inside_overlapping_interfaces(self):
801 """ SNAT multiple inside interfaces with overlapping address space """
802
Matus Fabian675a69c2017-01-18 01:46:01 -0800[diff] [blame]803 static_nat_ip = "10.0.0.10"
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]804 self.snat_add_address(self.snat_addr)
805 self.vapi.snat_interface_add_del_feature(self.pg3.sw_if_index,
806 is_inside=0)
807 self.vapi.snat_interface_add_del_feature(self.pg4.sw_if_index)
808 self.vapi.snat_interface_add_del_feature(self.pg5.sw_if_index)
809 self.vapi.snat_interface_add_del_feature(self.pg6.sw_if_index)
Matus Fabian675a69c2017-01-18 01:46:01 -0800[diff] [blame]810 self.snat_add_static_mapping(self.pg6.remote_ip4, static_nat_ip,
811 vrf_id=20)
812
813 # between S-NAT inside interfaces with same VRF (no translation)
814 pkts = self.create_stream_in(self.pg4, self.pg5)
815 self.pg4.add_stream(pkts)
816 self.pg_enable_capture(self.pg_interfaces)
817 self.pg_start()
818 capture = self.pg5.get_capture(len(pkts))
819 self.verify_capture_no_translation(capture, self.pg4, self.pg5)
820
821 # between S-NAT inside interfaces with different VRF (hairpinning)
822 p = (Ether(src=self.pg4.remote_mac, dst=self.pg4.local_mac) /
823 IP(src=self.pg4.remote_ip4, dst=static_nat_ip) /
824 TCP(sport=1234, dport=5678))
825 self.pg4.add_stream(p)
826 self.pg_enable_capture(self.pg_interfaces)
827 self.pg_start()
828 capture = self.pg6.get_capture(1)
829 p = capture[0]
830 try:
831 ip = p[IP]
832 tcp = p[TCP]
833 self.assertEqual(ip.src, self.snat_addr)
834 self.assertEqual(ip.dst, self.pg6.remote_ip4)
835 self.assertNotEqual(tcp.sport, 1234)
836 self.assertEqual(tcp.dport, 5678)
837 except:
838 self.logger.error(ppp("Unexpected or invalid packet:", p))
839 raise
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]840
841 # in2out 1st interface
842 pkts = self.create_stream_in(self.pg4, self.pg3)
843 self.pg4.add_stream(pkts)
844 self.pg_enable_capture(self.pg_interfaces)
845 self.pg_start()
Klement Sekeradab231a2016-12-21 08:50:14 +0100[diff] [blame]846 capture = self.pg3.get_capture(len(pkts))
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]847 self.verify_capture_out(capture)
848
849 # out2in 1st interface
850 pkts = self.create_stream_out(self.pg3)
851 self.pg3.add_stream(pkts)
852 self.pg_enable_capture(self.pg_interfaces)
853 self.pg_start()
Klement Sekeradab231a2016-12-21 08:50:14 +0100[diff] [blame]854 capture = self.pg4.get_capture(len(pkts))
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]855 self.verify_capture_in(capture, self.pg4)
856
857 # in2out 2nd interface
858 pkts = self.create_stream_in(self.pg5, self.pg3)
859 self.pg5.add_stream(pkts)
860 self.pg_enable_capture(self.pg_interfaces)
861 self.pg_start()
Klement Sekeradab231a2016-12-21 08:50:14 +0100[diff] [blame]862 capture = self.pg3.get_capture(len(pkts))
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]863 self.verify_capture_out(capture)
864
865 # out2in 2nd interface
866 pkts = self.create_stream_out(self.pg3)
867 self.pg3.add_stream(pkts)
868 self.pg_enable_capture(self.pg_interfaces)
869 self.pg_start()
Klement Sekeradab231a2016-12-21 08:50:14 +0100[diff] [blame]870 capture = self.pg5.get_capture(len(pkts))
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]871 self.verify_capture_in(capture, self.pg5)
872
magalik23caa882017-02-08 23:25:45 -0800[diff] [blame^]873 # pg5 session dump
874 addresses = self.vapi.snat_address_dump()
875 self.assertEqual(len(addresses), 1)
876 sessions = self.vapi.snat_user_session_dump(self.pg5.remote_ip4n, 10)
877 self.assertEqual(len(sessions), 3)
878 for session in sessions:
879 self.assertFalse(session.is_static)
880 self.assertEqual(session.inside_ip_address[0:4],
881 self.pg5.remote_ip4n)
882 self.assertEqual(session.outside_ip_address,
883 addresses[0].ip_address)
884 self.assertEqual(sessions[0].protocol, IP_PROTOS.tcp)
885 self.assertEqual(sessions[1].protocol, IP_PROTOS.udp)
886 self.assertEqual(sessions[2].protocol, IP_PROTOS.icmp)
887 self.assertEqual(sessions[0].inside_port, self.tcp_port_in)
888 self.assertEqual(sessions[1].inside_port, self.udp_port_in)
889 self.assertEqual(sessions[2].inside_port, self.icmp_id_in)
890 self.assertEqual(sessions[0].outside_port, self.tcp_port_out)
891 self.assertEqual(sessions[1].outside_port, self.udp_port_out)
892 self.assertEqual(sessions[2].outside_port, self.icmp_id_out)
893
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]894 # in2out 3rd interface
895 pkts = self.create_stream_in(self.pg6, self.pg3)
896 self.pg6.add_stream(pkts)
897 self.pg_enable_capture(self.pg_interfaces)
898 self.pg_start()
Klement Sekeradab231a2016-12-21 08:50:14 +0100[diff] [blame]899 capture = self.pg3.get_capture(len(pkts))
Matus Fabian675a69c2017-01-18 01:46:01 -0800[diff] [blame]900 self.verify_capture_out(capture, static_nat_ip, True)
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]901
902 # out2in 3rd interface
Matus Fabian675a69c2017-01-18 01:46:01 -0800[diff] [blame]903 pkts = self.create_stream_out(self.pg3, static_nat_ip)
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]904 self.pg3.add_stream(pkts)
905 self.pg_enable_capture(self.pg_interfaces)
906 self.pg_start()
Klement Sekeradab231a2016-12-21 08:50:14 +0100[diff] [blame]907 capture = self.pg6.get_capture(len(pkts))
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]908 self.verify_capture_in(capture, self.pg6)
909
magalik23caa882017-02-08 23:25:45 -0800[diff] [blame^]910 # general user and session dump verifications
911 users = self.vapi.snat_user_dump()
912 self.assertTrue(len(users) >= 3)
913 addresses = self.vapi.snat_address_dump()
914 self.assertEqual(len(addresses), 1)
915 for user in users:
916 sessions = self.vapi.snat_user_session_dump(user.ip_address,
917 user.vrf_id)
918 for session in sessions:
919 self.assertEqual(user.ip_address, session.inside_ip_address)
920 self.assertTrue(session.total_bytes > session.total_pkts > 0)
921 self.assertTrue(session.protocol in
922 [IP_PROTOS.tcp, IP_PROTOS.udp,
923 IP_PROTOS.icmp])
924
925 # pg4 session dump
926 sessions = self.vapi.snat_user_session_dump(self.pg4.remote_ip4n, 10)
927 self.assertTrue(len(sessions) >= 4)
928 for session in sessions:
929 self.assertFalse(session.is_static)
930 self.assertEqual(session.inside_ip_address[0:4],
931 self.pg4.remote_ip4n)
932 self.assertEqual(session.outside_ip_address,
933 addresses[0].ip_address)
934
935 # pg6 session dump
936 sessions = self.vapi.snat_user_session_dump(self.pg6.remote_ip4n, 20)
937 self.assertTrue(len(sessions) >= 3)
938 for session in sessions:
939 self.assertTrue(session.is_static)
940 self.assertEqual(session.inside_ip_address[0:4],
941 self.pg6.remote_ip4n)
942 self.assertEqual(map(ord, session.outside_ip_address[0:4]),
943 map(int, static_nat_ip.split('.')))
944 self.assertTrue(session.inside_port in
945 [self.tcp_port_in, self.udp_port_in,
946 self.icmp_id_in])
947
Matus Fabianf78a70d2016-12-12 04:30:39 -0800[diff] [blame]948 def test_hairpinning(self):
949 """ SNAT hairpinning """
950
951 host = self.pg0.remote_hosts[0]
952 server = self.pg0.remote_hosts[1]
953 host_in_port = 1234
954 host_out_port = 0
955 server_in_port = 5678
956 server_out_port = 8765
957
958 self.snat_add_address(self.snat_addr)
959 self.vapi.snat_interface_add_del_feature(self.pg0.sw_if_index)
960 self.vapi.snat_interface_add_del_feature(self.pg1.sw_if_index,
961 is_inside=0)
962 # add static mapping for server
963 self.snat_add_static_mapping(server.ip4, self.snat_addr,
Matus Fabian09d96f42017-02-02 01:43:00 -0800[diff] [blame]964 server_in_port, server_out_port,
965 proto=IP_PROTOS.tcp)
Matus Fabianf78a70d2016-12-12 04:30:39 -0800[diff] [blame]966
967 # send packet from host to server
968 p = (Ether(src=host.mac, dst=self.pg0.local_mac) /
969 IP(src=host.ip4, dst=self.snat_addr) /
970 TCP(sport=host_in_port, dport=server_out_port))
971 self.pg0.add_stream(p)
972 self.pg_enable_capture(self.pg_interfaces)
973 self.pg_start()
Klement Sekeradab231a2016-12-21 08:50:14 +0100[diff] [blame]974 capture = self.pg0.get_capture(1)
Matus Fabianf78a70d2016-12-12 04:30:39 -0800[diff] [blame]975 p = capture[0]
976 try:
977 ip = p[IP]
978 tcp = p[TCP]
979 self.assertEqual(ip.src, self.snat_addr)
980 self.assertEqual(ip.dst, server.ip4)
981 self.assertNotEqual(tcp.sport, host_in_port)
982 self.assertEqual(tcp.dport, server_in_port)
983 host_out_port = tcp.sport
984 except:
Klement Sekera9225dee2016-12-12 08:36:58 +0100[diff] [blame]985 self.logger.error(ppp("Unexpected or invalid packet:", p))
Matus Fabianf78a70d2016-12-12 04:30:39 -0800[diff] [blame]986 raise
987
988 # send reply from server to host
989 p = (Ether(src=server.mac, dst=self.pg0.local_mac) /
990 IP(src=server.ip4, dst=self.snat_addr) /
991 TCP(sport=server_in_port, dport=host_out_port))
992 self.pg0.add_stream(p)
993 self.pg_enable_capture(self.pg_interfaces)
994 self.pg_start()
Klement Sekeradab231a2016-12-21 08:50:14 +0100[diff] [blame]995 capture = self.pg0.get_capture(1)
Matus Fabianf78a70d2016-12-12 04:30:39 -0800[diff] [blame]996 p = capture[0]
997 try:
998 ip = p[IP]
999 tcp = p[TCP]
1000 self.assertEqual(ip.src, self.snat_addr)
1001 self.assertEqual(ip.dst, host.ip4)
1002 self.assertEqual(tcp.sport, server_out_port)
1003 self.assertEqual(tcp.dport, host_in_port)
1004 except:
Klement Sekera9225dee2016-12-12 08:36:58 +0100[diff] [blame]1005 self.logger.error(ppp("Unexpected or invalid packet:"), p)
Matus Fabianf78a70d2016-12-12 04:30:39 -0800[diff] [blame]1006 raise
1007
Matus Fabian9902fcd2016-12-21 23:58:46 -0800[diff] [blame]1008 def test_max_translations_per_user(self):
1009 """ MAX translations per user - recycle the least recently used """
1010
1011 self.snat_add_address(self.snat_addr)
1012 self.vapi.snat_interface_add_del_feature(self.pg0.sw_if_index)
1013 self.vapi.snat_interface_add_del_feature(self.pg1.sw_if_index,
1014 is_inside=0)
1015
1016 # get maximum number of translations per user
1017 snat_config = self.vapi.snat_show_config()
1018
1019 # send more than maximum number of translations per user packets
1020 pkts_num = snat_config.max_translations_per_user + 5
1021 pkts = []
1022 for port in range(0, pkts_num):
1023 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
1024 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
1025 TCP(sport=1025 + port))
1026 pkts.append(p)
1027 self.pg0.add_stream(pkts)
1028 self.pg_enable_capture(self.pg_interfaces)
1029 self.pg_start()
1030
1031 # verify number of translated packet
Klement Sekeradab231a2016-12-21 08:50:14 +0100[diff] [blame]1032 self.pg1.get_capture(pkts_num)
Matus Fabian9902fcd2016-12-21 23:58:46 -0800[diff] [blame]1033
Matus Fabian8bf68e82017-01-12 04:24:35 -0800[diff] [blame]1034 def test_interface_addr(self):
1035 """ Acquire SNAT addresses from interface """
1036 self.vapi.snat_add_interface_addr(self.pg7.sw_if_index)
1037
1038 # no address in NAT pool
1039 adresses = self.vapi.snat_address_dump()
1040 self.assertEqual(0, len(adresses))
1041
1042 # configure interface address and check NAT address pool
1043 self.pg7.config_ip4()
1044 adresses = self.vapi.snat_address_dump()
1045 self.assertEqual(1, len(adresses))
Matus Fabian36532bd2017-01-23 23:42:28 -0800[diff] [blame]1046 self.assertEqual(adresses[0].ip_address[0:4], self.pg7.local_ip4n)
Matus Fabian8bf68e82017-01-12 04:24:35 -0800[diff] [blame]1047
1048 # remove interface address and check NAT address pool
1049 self.pg7.unconfig_ip4()
1050 adresses = self.vapi.snat_address_dump()
1051 self.assertEqual(0, len(adresses))
1052
Matus Fabian36532bd2017-01-23 23:42:28 -0800[diff] [blame]1053 def test_interface_addr_static_mapping(self):
1054 """ Static mapping with addresses from interface """
1055 self.vapi.snat_add_interface_addr(self.pg7.sw_if_index)
1056 self.snat_add_static_mapping('1.2.3.4',
1057 external_sw_if_index=self.pg7.sw_if_index)
1058
Matus Fabiane22e5462017-02-14 23:33:43 -0800[diff] [blame]1059 # static mappings with external interface
Matus Fabian36532bd2017-01-23 23:42:28 -0800[diff] [blame]1060 static_mappings = self.vapi.snat_static_mapping_dump()
Matus Fabiane22e5462017-02-14 23:33:43 -0800[diff] [blame]1061 self.assertEqual(1, len(static_mappings))
1062 self.assertEqual(self.pg7.sw_if_index,
1063 static_mappings[0].external_sw_if_index)
Matus Fabian36532bd2017-01-23 23:42:28 -0800[diff] [blame]1064
1065 # configure interface address and check static mappings
1066 self.pg7.config_ip4()
1067 static_mappings = self.vapi.snat_static_mapping_dump()
1068 self.assertEqual(1, len(static_mappings))
1069 self.assertEqual(static_mappings[0].external_ip_address[0:4],
1070 self.pg7.local_ip4n)
Matus Fabiane22e5462017-02-14 23:33:43 -0800[diff] [blame]1071 self.assertEqual(0xFFFFFFFF, static_mappings[0].external_sw_if_index)
Matus Fabian36532bd2017-01-23 23:42:28 -0800[diff] [blame]1072
1073 # remove interface address and check static mappings
1074 self.pg7.unconfig_ip4()
1075 static_mappings = self.vapi.snat_static_mapping_dump()
1076 self.assertEqual(0, len(static_mappings))
1077
Matus Fabianeea28d72017-01-13 04:15:54 -0800[diff] [blame]1078 def test_ipfix_nat44_sess(self):
1079 """ S-NAT IPFIX logging NAT44 session created/delted """
1080 self.snat_add_address(self.snat_addr)
1081 self.vapi.snat_interface_add_del_feature(self.pg0.sw_if_index)
1082 self.vapi.snat_interface_add_del_feature(self.pg1.sw_if_index,
1083 is_inside=0)
1084 self.vapi.set_ipfix_exporter(collector_address=self.pg3.remote_ip4n,
1085 src_address=self.pg3.local_ip4n,
1086 path_mtu=512,
1087 template_interval=10)
1088 self.vapi.snat_ipfix()
1089
1090 pkts = self.create_stream_in(self.pg0, self.pg1)
1091 self.pg0.add_stream(pkts)
1092 self.pg_enable_capture(self.pg_interfaces)
1093 self.pg_start()
1094 capture = self.pg1.get_capture(len(pkts))
1095 self.verify_capture_out(capture)
1096 self.snat_add_address(self.snat_addr, is_add=0)
1097 self.vapi.cli("ipfix flush") # FIXME this should be an API call
1098 capture = self.pg3.get_capture(3)
1099 ipfix = IPFIXDecoder()
1100 # first load template
1101 for p in capture:
1102 self.assertTrue(p.haslayer(IPFIX))
1103 if p.haslayer(Template):
1104 ipfix.add_template(p.getlayer(Template))
1105 # verify events in data set
1106 for p in capture:
1107 if p.haslayer(Data):
1108 data = ipfix.decode_data_set(p.getlayer(Set))
1109 self.verify_ipfix_nat44_ses(data)
1110
1111 def test_ipfix_addr_exhausted(self):
1112 """ S-NAT IPFIX logging NAT addresses exhausted """
1113 self.vapi.snat_interface_add_del_feature(self.pg0.sw_if_index)
1114 self.vapi.snat_interface_add_del_feature(self.pg1.sw_if_index,
1115 is_inside=0)
1116 self.vapi.set_ipfix_exporter(collector_address=self.pg3.remote_ip4n,
1117 src_address=self.pg3.local_ip4n,
1118 path_mtu=512,
1119 template_interval=10)
1120 self.vapi.snat_ipfix()
1121
1122 p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
1123 IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
1124 TCP(sport=3025))
1125 self.pg0.add_stream(p)
1126 self.pg_enable_capture(self.pg_interfaces)
1127 self.pg_start()
1128 capture = self.pg1.get_capture(0)
1129 self.vapi.cli("ipfix flush") # FIXME this should be an API call
1130 capture = self.pg3.get_capture(3)
1131 ipfix = IPFIXDecoder()
1132 # first load template
1133 for p in capture:
1134 self.assertTrue(p.haslayer(IPFIX))
1135 if p.haslayer(Template):
1136 ipfix.add_template(p.getlayer(Template))
1137 # verify events in data set
1138 for p in capture:
1139 if p.haslayer(Data):
1140 data = ipfix.decode_data_set(p.getlayer(Set))
1141 self.verify_ipfix_addr_exhausted(data)
1142
Matus Fabiane1ae29a2017-01-27 00:47:58 -0800[diff] [blame]1143 def test_pool_addr_fib(self):
1144 """ S-NAT add pool addresses to FIB """
1145 static_addr = '10.0.0.10'
1146 self.snat_add_address(self.snat_addr)
1147 self.vapi.snat_interface_add_del_feature(self.pg0.sw_if_index)
1148 self.vapi.snat_interface_add_del_feature(self.pg1.sw_if_index,
1149 is_inside=0)
1150 self.snat_add_static_mapping(self.pg0.remote_ip4, static_addr)
1151
1152 # SNAT address
1153 p = (Ether(src=self.pg1.remote_mac, dst='ff:ff:ff:ff:ff:ff') /
1154 ARP(op=ARP.who_has, pdst=self.snat_addr,
1155 psrc=self.pg1.remote_ip4, hwsrc=self.pg1.remote_mac))
1156 self.pg1.add_stream(p)
1157 self.pg_enable_capture(self.pg_interfaces)
1158 self.pg_start()
1159 capture = self.pg1.get_capture(1)
1160 self.assertTrue(capture[0].haslayer(ARP))
1161 self.assertTrue(capture[0][ARP].op, ARP.is_at)
1162
1163 # 1:1 NAT address
1164 p = (Ether(src=self.pg1.remote_mac, dst='ff:ff:ff:ff:ff:ff') /
1165 ARP(op=ARP.who_has, pdst=static_addr,
1166 psrc=self.pg1.remote_ip4, hwsrc=self.pg1.remote_mac))
1167 self.pg1.add_stream(p)
1168 self.pg_enable_capture(self.pg_interfaces)
1169 self.pg_start()
1170 capture = self.pg1.get_capture(1)
1171 self.assertTrue(capture[0].haslayer(ARP))
1172 self.assertTrue(capture[0][ARP].op, ARP.is_at)
1173
1174 # send ARP to non-SNAT interface
1175 p = (Ether(src=self.pg2.remote_mac, dst='ff:ff:ff:ff:ff:ff') /
1176 ARP(op=ARP.who_has, pdst=self.snat_addr,
1177 psrc=self.pg2.remote_ip4, hwsrc=self.pg2.remote_mac))
1178 self.pg2.add_stream(p)
1179 self.pg_enable_capture(self.pg_interfaces)
1180 self.pg_start()
1181 capture = self.pg1.get_capture(0)
1182
1183 # remove addresses and verify
1184 self.snat_add_address(self.snat_addr, is_add=0)
1185 self.snat_add_static_mapping(self.pg0.remote_ip4, static_addr,
1186 is_add=0)
1187
1188 p = (Ether(src=self.pg1.remote_mac, dst='ff:ff:ff:ff:ff:ff') /
1189 ARP(op=ARP.who_has, pdst=self.snat_addr,
1190 psrc=self.pg1.remote_ip4, hwsrc=self.pg1.remote_mac))
1191 self.pg1.add_stream(p)
1192 self.pg_enable_capture(self.pg_interfaces)
1193 self.pg_start()
1194 capture = self.pg1.get_capture(0)
1195
1196 p = (Ether(src=self.pg1.remote_mac, dst='ff:ff:ff:ff:ff:ff') /
1197 ARP(op=ARP.who_has, pdst=static_addr,
1198 psrc=self.pg1.remote_ip4, hwsrc=self.pg1.remote_mac))
1199 self.pg1.add_stream(p)
1200 self.pg_enable_capture(self.pg_interfaces)
1201 self.pg_start()
1202 capture = self.pg1.get_capture(0)
1203
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]1204 def tearDown(self):
1205 super(TestSNAT, self).tearDown()
1206 if not self.vpp_dead:
1207 self.logger.info(self.vapi.cli("show snat verbose"))
1208 self.clear_snat()
1209
Matus Fabianeea28d72017-01-13 04:15:54 -0800[diff] [blame]1210
Matus Fabiande886752016-12-07 03:38:19 -0800[diff] [blame]1211if __name__ == '__main__':
1212 unittest.main(testRunner=VppTestRunner)