Gitiles
Code Review Sign In
gerrit.nordix.org / fdio / vpp / 6a8f26c3abed7a3c26d4ac3b88b80f08966fb3e0 / . / test / test_nat44_ed_output.py
blob: eea610df70e7fffcdc711207b619a382a45dd1ac [file] [log] [blame]
Klement Sekeraff334db2021-05-26 13:02:35 +0200[diff] [blame]1#!/usr/bin/env python3
2"""NAT44 ED output-feature tests"""
3
4import random
5import unittest
Dave Wallace8800f732023-08-31 00:47:44 -0400[diff] [blame]6from scapy.layers.inet import Ether, IP, TCP
Klement Sekeraff334db2021-05-26 13:02:35 +0200[diff] [blame]7from scapy.packet import Raw
8from scapy.data import IP_PROTOS
Dave Wallace8800f732023-08-31 00:47:44 -0400[diff] [blame]9from framework import VppTestCase
10from asfframework import VppTestRunner
Klement Sekeraff334db2021-05-26 13:02:35 +0200[diff] [blame]11from vpp_papi import VppEnum
Dmitry Valter34fa0ce2024-03-11 10:38:46 +0000[diff] [blame]12from config import config
Klement Sekeraff334db2021-05-26 13:02:35 +0200[diff] [blame]13
14
15def get_nat44_ed_in2out_worker_index(ip, vpp_worker_count):
16 if 0 == vpp_worker_count:
17 return 0
18 numeric = socket.inet_aton(ip)
19 numeric = struct.unpack("!L", numeric)[0]
20 numeric = socket.htonl(numeric)
21 h = numeric + (numeric >> 8) + (numeric >> 16) + (numeric >> 24)
22 return 1 + h % vpp_worker_count
23
24
Dmitry Valter34fa0ce2024-03-11 10:38:46 +0000[diff] [blame]25@unittest.skipIf("nat" in config.excluded_plugins, "Exclude NAT plugin tests")
Klement Sekeraff334db2021-05-26 13:02:35 +0200[diff] [blame]26class TestNAT44EDOutput(VppTestCase):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]27 """NAT44 ED output feature Test Case"""
28
Klement Sekeraff334db2021-05-26 13:02:35 +0200[diff] [blame]29 max_sessions = 1024
30
31 @classmethod
32 def setUpClass(cls):
33 super().setUpClass()
34 cls.create_pg_interfaces(range(2))
35 cls.interfaces = list(cls.pg_interfaces)
36
37 @classmethod
38 def tearDownClass(cls):
39 super().tearDownClass()
40
41 def setUp(self):
42 super().setUp()
43 for i in self.interfaces:
44 i.admin_up()
45 i.config_ip4()
46 i.resolve_arp()
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]47 self.vapi.nat44_ed_plugin_enable_disable(sessions=self.max_sessions, enable=1)
Klement Sekeraff334db2021-05-26 13:02:35 +0200[diff] [blame]48
49 def tearDown(self):
50 if not self.vpp_dead:
51 self.logger.debug(self.vapi.cli("show nat44 sessions"))
52 super().tearDown()
53 if not self.vpp_dead:
54 for i in self.pg_interfaces:
55 i.unconfig_ip4()
56 i.admin_down()
57 self.vapi.nat44_ed_plugin_enable_disable(enable=0)
58
59 def test_static_dynamic(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]60 """Create static mapping which matches existing dynamic mapping"""
Klement Sekeraff334db2021-05-26 13:02:35 +0200[diff] [blame]61
Filip Vargab6810822022-02-15 11:56:07 -0800[diff] [blame]62 config = self.vapi.nat44_show_running_config()
63 old_timeouts = config.timeouts
Klement Sekeraff334db2021-05-26 13:02:35 +0200[diff] [blame]64 new_transitory = 2
65 self.vapi.nat_set_timeouts(
66 udp=old_timeouts.udp,
67 tcp_established=old_timeouts.tcp_established,
68 icmp=old_timeouts.icmp,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]69 tcp_transitory=new_transitory,
70 )
Klement Sekeraff334db2021-05-26 13:02:35 +0200[diff] [blame]71
72 local_host = self.pg0.remote_ip4
73 remote_host = self.pg1.remote_ip4
74 nat_intf = self.pg1
75 outside_addr = nat_intf.local_ip4
76
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]77 self.vapi.nat44_add_del_address_range(
78 first_ip_address=outside_addr,
79 last_ip_address=outside_addr,
80 vrf_id=0xFFFFFFFF,
81 is_add=1,
82 flags=0,
83 )
84 self.vapi.nat44_interface_add_del_feature(
85 sw_if_index=self.pg0.sw_if_index, is_add=1
86 )
Klement Sekeraff334db2021-05-26 13:02:35 +0200[diff] [blame]87 self.vapi.nat44_interface_add_del_feature(
88 sw_if_index=self.pg0.sw_if_index,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]89 flags=VppEnum.vl_api_nat_config_flags_t.NAT_IS_INSIDE,
90 is_add=1,
91 )
Filip Vargab6810822022-02-15 11:56:07 -0800[diff] [blame]92 self.vapi.nat44_ed_add_del_output_interface(
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]93 sw_if_index=self.pg1.sw_if_index, is_add=1
94 )
Klement Sekeraff334db2021-05-26 13:02:35 +0200[diff] [blame]95
96 thread_index = get_nat44_ed_in2out_worker_index(
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]97 local_host, self.vpp_worker_count
98 )
99 port_per_thread = int((0xFFFF - 1024) / max(1, self.vpp_worker_count))
Klement Sekeraff334db2021-05-26 13:02:35 +0200[diff] [blame]100 local_sport = 1024 + random.randint(1, port_per_thread)
101 if self.vpp_worker_count > 0:
102 local_sport += port_per_thread * (thread_index - 1)
103
104 remote_dport = 10000
105
106 pg0 = self.pg0
107 pg1 = self.pg1
108
109 # first setup a dynamic TCP session
110
111 # SYN packet in->out
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]112 p = (
113 Ether(src=pg0.remote_mac, dst=pg0.local_mac)
114 / IP(src=local_host, dst=remote_host)
115 / TCP(sport=local_sport, dport=remote_dport, flags="S")
116 )
Klement Sekeraff334db2021-05-26 13:02:35 +0200[diff] [blame]117 p = self.send_and_expect(pg0, [p], pg1)[0]
118
119 self.assertEqual(p[IP].src, outside_addr)
120 self.assertEqual(p[TCP].sport, local_sport)
121 outside_port = p[TCP].sport
122
123 # SYN+ACK packet out->in
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]124 p = (
125 Ether(src=pg1.remote_mac, dst=pg1.local_mac)
126 / IP(src=remote_host, dst=outside_addr)
127 / TCP(sport=remote_dport, dport=outside_port, flags="SA")
128 )
Klement Sekeraff334db2021-05-26 13:02:35 +0200[diff] [blame]129 self.send_and_expect(pg1, [p], pg0)
130
131 # ACK packet in->out
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]132 p = (
133 Ether(src=pg0.remote_mac, dst=pg0.local_mac)
134 / IP(src=local_host, dst=remote_host)
135 / TCP(sport=local_sport, dport=remote_dport, flags="A")
136 )
Klement Sekeraff334db2021-05-26 13:02:35 +0200[diff] [blame]137 self.send_and_expect(pg0, [p], pg1)
138
139 # now we have a session up, create a conflicting static mapping
140 self.vapi.nat44_add_del_static_mapping(
141 is_add=1,
142 local_ip_address=local_host,
143 external_ip_address=outside_addr,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]144 external_sw_if_index=0xFFFFFFFF,
Klement Sekeraff334db2021-05-26 13:02:35 +0200[diff] [blame]145 local_port=local_sport,
146 external_port=outside_port,
147 protocol=IP_PROTOS.tcp,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]148 flags=VppEnum.vl_api_nat_config_flags_t.NAT_IS_OUT2IN_ONLY,
149 )
Klement Sekeraff334db2021-05-26 13:02:35 +0200[diff] [blame]150
151 sessions = self.vapi.nat44_user_session_dump(local_host, 0)
152 self.assertEqual(1, len(sessions))
153
154 # now send some more data over existing session - it should pass
155
156 # in->out
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]157 p = (
158 Ether(src=pg0.remote_mac, dst=pg0.local_mac)
159 / IP(src=local_host, dst=remote_host)
160 / TCP(sport=local_sport, dport=remote_dport)
161 / Raw("zippity zap")
162 )
Klement Sekeraff334db2021-05-26 13:02:35 +0200[diff] [blame]163 self.send_and_expect(pg0, [p], pg1)
164
165 # out->in
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]166 p = (
167 Ether(src=pg1.remote_mac, dst=pg1.local_mac)
168 / IP(src=remote_host, dst=outside_addr)
169 / TCP(sport=remote_dport, dport=outside_port)
170 / Raw("flippity flop")
171 )
Klement Sekeraff334db2021-05-26 13:02:35 +0200[diff] [blame]172 self.send_and_expect(pg1, [p], pg0)
173
174 # now close the session
175
176 # FIN packet in -> out
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]177 p = (
178 Ether(src=pg0.remote_mac, dst=pg0.local_mac)
179 / IP(src=local_host, dst=remote_host)
180 / TCP(sport=local_sport, dport=remote_dport, flags="FA", seq=100, ack=300)
181 )
Klement Sekeraff334db2021-05-26 13:02:35 +0200[diff] [blame]182 self.send_and_expect(pg0, [p], pg1)
183
184 # FIN+ACK packet out -> in
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]185 p = (
186 Ether(src=pg1.remote_mac, dst=pg1.local_mac)
187 / IP(src=remote_host, dst=outside_addr)
188 / TCP(sport=remote_dport, dport=outside_port, flags="FA", seq=300, ack=101)
189 )
Klement Sekeraff334db2021-05-26 13:02:35 +0200[diff] [blame]190 self.send_and_expect(pg1, [p], pg0)
191
192 # ACK packet in -> out
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]193 p = (
194 Ether(src=pg0.remote_mac, dst=pg0.local_mac)
195 / IP(src=local_host, dst=remote_host)
196 / TCP(sport=local_sport, dport=remote_dport, flags="A", seq=101, ack=301)
197 )
Klement Sekeraff334db2021-05-26 13:02:35 +0200[diff] [blame]198 self.send_and_expect(pg0, [p], pg1)
199
200 # session now in transitory timeout
201 # try SYN packet in->out - should be dropped
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]202 p = (
203 Ether(src=pg0.remote_mac, dst=pg0.local_mac)
204 / IP(src=local_host, dst=remote_host)
205 / TCP(sport=local_sport, dport=remote_dport, flags="S")
206 )
Klement Sekeraff334db2021-05-26 13:02:35 +0200[diff] [blame]207 pg0.add_stream(p)
208 self.pg_enable_capture()
209 self.pg_start()
210
211 self.sleep(new_transitory, "wait for transitory timeout")
212 pg0.assert_nothing_captured(0)
213
214 # session should still exist
215 sessions = self.vapi.nat44_user_session_dump(pg0.remote_ip4, 0)
216 self.assertEqual(1, len(sessions))
217
218 # send FIN+ACK packet in->out - will cause session to be wiped
219 # but won't create a new session
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]220 p = (
Steven Luonge4238aa2024-04-19 09:49:20 -0700[diff] [blame]221 Ether(src=pg1.remote_mac, dst=pg1.local_mac)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]222 / IP(src=local_host, dst=remote_host)
223 / TCP(sport=local_sport, dport=remote_dport, flags="FA", seq=300, ack=101)
224 )
Klement Sekeraff334db2021-05-26 13:02:35 +0200[diff] [blame]225 pg1.add_stream(p)
226 self.pg_enable_capture()
227 self.pg_start()
228 pg0.assert_nothing_captured(0)
229
230 sessions = self.vapi.nat44_user_session_dump(pg0.remote_ip4, 0)
231 self.assertEqual(0, len(sessions))
232
233 # create a new session and make sure the outside port is remapped
234 # SYN packet in->out
235
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]236 p = (
237 Ether(src=pg0.remote_mac, dst=pg0.local_mac)
238 / IP(src=local_host, dst=remote_host)
239 / TCP(sport=local_sport, dport=remote_dport, flags="S")
240 )
Klement Sekeraff334db2021-05-26 13:02:35 +0200[diff] [blame]241 p = self.send_and_expect(pg0, [p], pg1)[0]
242
243 self.assertEqual(p[IP].src, outside_addr)
244 self.assertNotEqual(p[TCP].sport, local_sport)
245
246 # make sure static mapping works and creates a new session
247 # SYN packet out->in
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]248 p = (
249 Ether(src=pg1.remote_mac, dst=pg1.local_mac)
250 / IP(src=remote_host, dst=outside_addr)
251 / TCP(sport=remote_dport, dport=outside_port, flags="S")
252 )
Klement Sekeraff334db2021-05-26 13:02:35 +0200[diff] [blame]253 self.send_and_expect(pg1, [p], pg0)
254
255 sessions = self.vapi.nat44_user_session_dump(pg0.remote_ip4, 0)
256 self.assertEqual(2, len(sessions))
257
258
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]259if __name__ == "__main__":
Klement Sekeraff334db2021-05-26 13:02:35 +0200[diff] [blame]260 unittest.main(testRunner=VppTestRunner)