1 AT_BANNER([datapath-sanity])
3 AT_SETUP([datapath - ping between two ports])
4 OVS_TRAFFIC_VSWITCHD_START()
dnl A single actions=normal flow turns br0 into a plain learning switch, so this
dnl test exercises the datapath itself with no OpenFlow policy in the way.
6 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
8 ADD_NAMESPACES(at_ns0, at_ns1)
dnl One veth per namespace, both bridge legs on br0 in the same /24.
10 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
11 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl FORMAT_PING is expected to normalise the ping summary (note the fixed
dnl "time 0ms") so the comparison is stable across runs.
13 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
14 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl The 1600 and 3200 byte payloads presumably exceed the veth MTU and so also
dnl cover IP fragmentation and reassembly across the bridge; confirm the MTU the
dnl ADD_VETH macro configures before relying on that.
16 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
17 3 packets transmitted, 3 received, 0% packet loss, time 0ms
19 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
20 3 packets transmitted, 3 received, 0% packet loss, time 0ms
23 OVS_TRAFFIC_VSWITCHD_STOP
26 AT_SETUP([datapath - http between two ports])
27 OVS_TRAFFIC_VSWITCHD_START()
dnl Learning-switch behaviour only; no policy flows in this test.
29 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
31 ADD_NAMESPACES(at_ns0, at_ns1)
33 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
34 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Basic reachability before starting the TCP exchange.
36 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
37 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl test-l7.py serves HTTP inside ns1; wget retries with --retry-connrefused so
dnl the request tolerates the server not being bound yet.
40 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
41 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
43 OVS_TRAFFIC_VSWITCHD_STOP
46 AT_SETUP([datapath - ping between two ports on vlan])
47 OVS_TRAFFIC_VSWITCHD_START()
48 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
51 ADD_NAMESPACES(at_ns0, at_ns1)
53 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
54 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Stack a VLAN 100 sub-interface on each veth with its own subnet; the pings
dnl below target the VLAN addresses, so tagged frames must cross br0 intact.
56 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
57 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
59 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
60 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Oversized payloads presumably exercise fragmentation of tagged traffic;
dnl confirm against the configured MTU.
62 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
63 3 packets transmitted, 3 received, 0% packet loss, time 0ms
65 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
66 3 packets transmitted, 3 received, 0% packet loss, time 0ms
69 OVS_TRAFFIC_VSWITCHD_STOP
72 AT_SETUP([datapath - ping6 between two ports])
73 OVS_TRAFFIC_VSWITCHD_START()
75 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
77 ADD_NAMESPACES(at_ns0, at_ns1)
dnl IPv6 variant of the basic ping test; ULA addresses in fc00::/96.
79 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
80 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl Without this sleep, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
dnl (the address is not usable until IPv6 duplicate address detection finishes;
dnl that is the presumed cause, not something this file demonstrates).
86 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
87 3 packets transmitted, 3 received, 0% packet loss, time 0ms
89 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
90 3 packets transmitted, 3 received, 0% packet loss, time 0ms
92 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
93 3 packets transmitted, 3 received, 0% packet loss, time 0ms
96 OVS_TRAFFIC_VSWITCHD_STOP
99 AT_SETUP([datapath - ping6 between two ports on vlan])
100 OVS_TRAFFIC_VSWITCHD_START()
102 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
104 ADD_NAMESPACES(at_ns0, at_ns1)
106 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
107 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl VLAN 100 sub-interfaces carry a second IPv6 prefix; the pings below use it.
109 ADD_VLAN(p0, at_ns0, 100, "fc00:1::1/96")
110 ADD_VLAN(p1, at_ns1, 100, "fc00:1::2/96")
dnl Without this sleep, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
116 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
117 3 packets transmitted, 3 received, 0% packet loss, time 0ms
119 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
120 3 packets transmitted, 3 received, 0% packet loss, time 0ms
122 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
123 3 packets transmitted, 3 received, 0% packet loss, time 0ms
126 OVS_TRAFFIC_VSWITCHD_STOP
129 AT_SETUP([datapath - ping over vxlan tunnel])
132 OVS_TRAFFIC_VSWITCHD_START()
dnl br-underlay carries the encapsulated traffic; br0 is the overlay bridge.
133 ADD_BR([br-underlay])
135 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
136 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
138 ADD_NAMESPACES(at_ns0)
dnl Set up underlay link from host into the namespace using veth pair.
dnl Giving br-underlay a host address makes the root namespace route the outer
dnl tunnel packets through it.
141 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
142 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
143 AT_CHECK([ip link set dev br-underlay up])
dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace. The OVS endpoint peers with the
dnl namespace underlay address 172.31.1.1 and the native device peers with the
dnl host address 172.31.1.100; the overlay is 10.1.1.0/24.
147 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
148 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
dnl First, check the underlay
152 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
153 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Okay, now check the overlay with different packet sizes. The larger sizes
dnl presumably force fragmentation of the encapsulated packets; confirm MTU.
157 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
158 3 packets transmitted, 3 received, 0% packet loss, time 0ms
160 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
161 3 packets transmitted, 3 received, 0% packet loss, time 0ms
163 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
164 3 packets transmitted, 3 received, 0% packet loss, time 0ms
167 OVS_TRAFFIC_VSWITCHD_STOP
170 AT_SETUP([datapath - ping over gre tunnel])
173 OVS_TRAFFIC_VSWITCHD_START()
174 ADD_BR([br-underlay])
176 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
177 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
179 ADD_NAMESPACES(at_ns0)
dnl Set up underlay link from host into the namespace using veth pair.
182 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
183 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
184 AT_CHECK([ip link set dev br-underlay up])
dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace. The native side is a gretap device,
dnl i.e. Ethernet-over-GRE, to match the L2 port OVS exposes on br0.
188 ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
189 ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24])
dnl First, check the underlay
192 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
193 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Okay, now check the overlay with different packet sizes
197 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
198 3 packets transmitted, 3 received, 0% packet loss, time 0ms
200 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
201 3 packets transmitted, 3 received, 0% packet loss, time 0ms
203 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
204 3 packets transmitted, 3 received, 0% packet loss, time 0ms
207 OVS_TRAFFIC_VSWITCHD_STOP
210 AT_SETUP([datapath - ping over geneve tunnel])
213 OVS_TRAFFIC_VSWITCHD_START()
214 ADD_BR([br-underlay])
216 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
217 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
219 ADD_NAMESPACES(at_ns0)
dnl Set up underlay link from host into the namespace using veth pair.
222 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
223 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
224 AT_CHECK([ip link set dev br-underlay up])
dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace. Same topology as the vxlan and gre
dnl tests, with Geneve encapsulation.
228 ADD_OVS_TUNNEL([geneve], [br0], [at_gnv0], [172.31.1.1], [10.1.1.100/24])
229 ADD_NATIVE_TUNNEL([geneve], [ns_gnv0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
dnl First, check the underlay
233 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
234 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Okay, now check the overlay with different packet sizes
238 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
239 3 packets transmitted, 3 received, 0% packet loss, time 0ms
241 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
242 3 packets transmitted, 3 received, 0% packet loss, time 0ms
244 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
245 3 packets transmitted, 3 received, 0% packet loss, time 0ms
248 OVS_TRAFFIC_VSWITCHD_STOP
251 AT_SETUP([conntrack - controller])
253 OVS_TRAFFIC_VSWITCHD_START()
255 ADD_NAMESPACES(at_ns0, at_ns1)
257 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
258 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Allow any UDP from ns0->ns1, committing it and copying it to the
dnl controller. From ns1->ns0 only ARP (this is IPv4, so ARP rather than ND)
dnl and tracked, established return traffic are allowed; everything else
dnl falls through to the priority-1 drop. Untracked UDP arriving on port 2 is
dnl first run through ct() and recirculated to table 0 so its state is known.
261 AT_DATA([flows.txt], [dnl
262 priority=1,action=drop
263 priority=10,arp,action=normal
264 priority=100,in_port=1,udp,action=ct(commit),controller
265 priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
266 priority=100,in_port=2,ct_state=+trk+est,udp,action=controller
dnl --bundle applies the whole file as one OpenFlow bundle, so the default
dnl drop and the allow rules land together rather than one at a time.
269 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Record every packet-in the bridge generates; the assertion at the end
dnl compares the log verbatim.
271 AT_CAPTURE_FILE([ofctl_monitor.log])
272 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
dnl Send an unsolicited reply from port 2. This should be dropped: its ct()
dnl lookup finds no committed entry, so it can never match +est. The frames
dnl below are hand-built 42-byte Ethernet/IPv4/UDP packets (total_len=42 in
dnl the expected output) with IP TTL 0 and a zero UDP checksum.
275 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
dnl OK, now start a new connection from port 1. ct(commit) creates the entry
dnl that the reply below is matched against.
278 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit\),controller '50540000000a50540000000908004500001c00000000001100000a0101010a0101020001000200080000'])
dnl Now try a reply from port 2. It is the exact reverse of the committed
dnl 5-tuple, so the lookup reports est and rpl and it reaches the controller.
281 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
dnl Check this output. We only see the latter two packets, not the first.
dnl Note that both directions reuse the same Ethernet header; only the IP
dnl addresses and UDP ports are swapped, which is all conntrack keys on.
284 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
285 NXT_PACKET_IN2 (xid=0x0): total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
286 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
287 NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
288 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
291 OVS_TRAFFIC_VSWITCHD_STOP
294 AT_SETUP([conntrack - IPv4 HTTP])
296 OVS_TRAFFIC_VSWITCHD_START()
298 ADD_NAMESPACES(at_ns0, at_ns1)
300 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
301 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Allow any TCP from ns0->ns1 (committed). From ns1->ns0 only allow ARP
dnl (IPv4, so ARP rather than ND) and tracked, established return traffic.
dnl ICMP is allowed statelessly in both directions purely for the ping check
dnl below; it bypasses conntrack entirely, so do not copy this into a real
dnl policy without thinking about it.
304 AT_DATA([flows.txt], [dnl
305 priority=1,action=drop
306 priority=10,arp,action=normal
307 priority=10,icmp,action=normal
308 priority=100,in_port=1,tcp,action=ct(commit),2
309 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
310 priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
313 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Basic connectivity check.
316 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 >/dev/null])
dnl HTTP requests from ns0->ns1 should work fine.
319 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
320 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl The completed exchange leaves one committed entry; FORMAT_CT is expected
dnl to blank the ephemeral ports so the line compares stably.
322 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
323 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
dnl HTTP requests from ns1->ns0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals. The SYN from port 2 is tracked but is
dnl not +est, so it hits the drop rule; wget exits 4 (network failure).
328 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
329 NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log], [4])
331 OVS_TRAFFIC_VSWITCHD_STOP
334 AT_SETUP([conntrack - IPv6 HTTP])
336 OVS_TRAFFIC_VSWITCHD_START()
338 ADD_NAMESPACES(at_ns0, at_ns1)
340 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
341 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl Allow any TCP from ns0->ns1. Only allow ND and established return traffic
dnl from ns1->ns0. All of ICMPv6 is passed statelessly because neighbour
dnl discovery rides on it; that is wider than ND alone.
344 AT_DATA([flows.txt], [dnl
345 priority=1,action=drop
346 priority=10,icmp6,action=normal
347 priority=100,in_port=1,tcp6,action=ct(commit),2
348 priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
349 priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
352 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Without this sleep, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
dnl HTTP requests from ns0->ns1 should work fine. The doubled brackets are m4
dnl quoting for the literal IPv6 URL brackets.
359 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])
361 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
363 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
364 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
dnl HTTP requests from ns1->ns0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
369 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
370 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
372 OVS_TRAFFIC_VSWITCHD_STOP
375 AT_SETUP([conntrack - commit, recirc])
377 OVS_TRAFFIC_VSWITCHD_START()
379 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
381 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
382 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
383 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
384 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
dnl Allow any traffic from ns0->ns1, ns2->ns3.
dnl This test is about recirculation, not policy: no rule checks +est, both
dnl directions commit, so nothing here acts as a firewall. Ports 1/2 recirc
dnl once. Ports 3/4 run ct() twice on the ingress side, using the metadata
dnl field to tell the first pass (lookup) from the second (commit); the output
dnl only happens if metadata=1 survived the second recirculation.
387 AT_DATA([flows.txt], [dnl
388 priority=1,action=drop
389 priority=10,arp,action=normal
390 priority=10,icmp,action=normal
391 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
392 priority=100,in_port=1,tcp,ct_state=+trk,action=2
393 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
394 priority=100,in_port=2,tcp,ct_state=+trk,action=1
395 priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
396 priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
397 priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
398 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
399 priority=100,in_port=4,tcp,ct_state=+trk,action=3
402 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl HTTP requests from p0->p1 should work fine.
405 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
406 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl HTTP requests from p2->p3 should work fine.
409 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
410 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
412 OVS_TRAFFIC_VSWITCHD_STOP
415 AT_SETUP([conntrack - preserve registers])
417 OVS_TRAFFIC_VSWITCHD_START()
419 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
421 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
422 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
423 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
424 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
dnl Allow any traffic from ns0->ns1, ns2->ns3.
dnl Same shape as the commit/recirc test, but ports 3/4 carry the pass marker
dnl in reg0 instead of metadata: the output rule requires reg0=1, so it only
dnl fires if the register value written before ct(commit,table=0) survives the
dnl recirculation. As there, no +est check is made, so this is not a firewall.
427 AT_DATA([flows.txt], [dnl
428 priority=1,action=drop
429 priority=10,arp,action=normal
430 priority=10,icmp,action=normal
431 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
432 priority=100,in_port=1,tcp,ct_state=+trk,action=2
433 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
434 priority=100,in_port=2,tcp,ct_state=+trk,action=1
435 priority=100,in_port=3,tcp,ct_state=-trk,action=load:0->NXM_NX_REG0[[]],ct(table=0)
436 priority=100,in_port=3,tcp,ct_state=+trk,reg0=0,action=load:1->NXM_NX_REG0[[]],ct(commit,table=0)
437 priority=100,in_port=3,tcp,ct_state=+trk,reg0=1,action=4
438 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
439 priority=100,in_port=4,tcp,ct_state=+trk,action=3
442 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl HTTP requests from p0->p1 should work fine.
445 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
446 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl HTTP requests from p2->p3 should work fine.
449 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
450 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
452 OVS_TRAFFIC_VSWITCHD_STOP
455 AT_SETUP([conntrack - invalid])
457 OVS_TRAFFIC_VSWITCHD_START()
459 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
461 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
462 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
463 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
464 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
dnl Pass traffic from ns0->ns1 without committing, but attempt to track in
dnl the opposite direction. This should fail.
dnl Pass traffic from ns2->ns3 (ports 3 and 4) without committing, and this
dnl time match invalid traffic and allow it through.
dnl Security note: the +inv rule on port 4 is exactly what makes the second
dnl pair work, which means a +trk+inv allow rule lets through reply-direction
dnl packets for which conntrack has no state at all. Use it only when the
dnl bypass is intentional.
470 AT_DATA([flows.txt], [dnl
471 priority=1,action=drop
472 priority=10,arp,action=normal
473 priority=10,icmp,action=normal
474 priority=100,in_port=1,tcp,action=ct(),2
475 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
476 priority=100,in_port=2,ct_state=+trk+new,tcp,action=1
477 priority=100,in_port=3,tcp,action=ct(),4
478 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
479 priority=100,in_port=4,ct_state=+trk+inv,tcp,action=3
480 priority=100,in_port=4,ct_state=+trk+new,tcp,action=3
483 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl We set up our rules to allow the request without committing. The return
dnl traffic can't be identified, because the initial request wasn't committed.
dnl For the first pair of ports, this means that the connection fails: the
dnl reply is tracked but classified neither +new nor +est, so only the drop
dnl rule matches and wget exits 4.
488 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
489 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4])
dnl For the second pair, we allow packets from invalid connections, so it works.
492 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
493 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
495 OVS_TRAFFIC_VSWITCHD_STOP
498 AT_SETUP([conntrack - zones])
500 OVS_TRAFFIC_VSWITCHD_START()
502 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
504 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
505 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
506 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
507 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
dnl Allow any traffic from ns0->ns1. Allow return traffic, matching on zone.
dnl For ns2->ns3, use a different zone and see that the match fails: the
dnl port-4 return rule deliberately requires ct_zone=1 while the lookup was
dnl done in zone 2, so it can never match and the reply is dropped.
511 AT_DATA([flows.txt], [dnl
512 priority=1,action=drop
513 priority=10,arp,action=normal
514 priority=10,icmp,action=normal
515 priority=100,in_port=1,tcp,action=ct(commit,zone=1),2
516 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
517 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
518 priority=100,in_port=3,tcp,action=ct(commit,zone=2),4
519 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0,zone=2)
520 priority=100,in_port=4,ct_state=+trk,ct_zone=1,tcp,action=3
523 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl HTTP requests from p0->p1 should work fine.
526 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
527 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
529 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
530 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
535 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
536 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl The zone-2 entry still reads ESTABLISHED even though the client never got
dnl its SYN-ACK: the reply was run through ct() in zone 2 (which updates the
dnl entry) before the flow table dropped it. A conntrack dump therefore does
dnl not prove the packet was delivered.
538 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
539 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=ESTABLISHED)
542 OVS_TRAFFIC_VSWITCHD_STOP
545 AT_SETUP([conntrack - zones from field])
547 OVS_TRAFFIC_VSWITCHD_START()
549 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
551 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
552 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
553 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
554 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
dnl Same scenario as the zones test, but the zone is taken from the low 16
dnl bits of reg0 instead of being a literal. Ports 1/2 use zone 0x1001 (4097
dnl in the dump); ports 3/4 commit and look up in zone 0x1002 (4098) while
dnl the return rule requires ct_zone=0x1001, so the reply is dropped. ICMP is
dnl allowed statelessly for the same reason as in the other tests.
557 AT_DATA([flows.txt], [dnl
558 priority=1,action=drop
559 priority=10,arp,action=normal
560 priority=10,icmp,action=normal
561 priority=100,in_port=1,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),2
562 priority=100,in_port=2,ct_state=-trk,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
563 priority=100,in_port=2,ct_state=+trk,ct_zone=0x1001,tcp,action=1
564 priority=100,in_port=3,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),4
565 priority=100,in_port=4,ct_state=-trk,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
566 priority=100,in_port=4,ct_state=+trk,ct_zone=0x1001,tcp,action=3
569 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl HTTP requests from p0->p1 should work fine.
572 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
573 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
575 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
576 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=4097,protoinfo=(state=TIME_WAIT)
dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
581 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
582 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl As in the zones test, the entry advances to ESTABLISHED because the reply
dnl went through ct() before being dropped.
584 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
585 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=4098,protoinfo=(state=ESTABLISHED)
588 OVS_TRAFFIC_VSWITCHD_STOP
591 AT_SETUP([conntrack - multiple bridges])
dnl Two bridges joined by a patch port pair. The patch ports are added here,
dnl before the veths, so they are presumably port 1 on each bridge and the
dnl veths port 2 (the flow rules below are written on that assumption).
593 OVS_TRAFFIC_VSWITCHD_START(
595 add-port br0 patch+ -- set int patch+ type=patch options:peer=patch- --\
596 add-port br1 patch- -- set int patch- type=patch options:peer=patch+ --])
598 ADD_NAMESPACES(at_ns0, at_ns1)
600 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
601 ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")
dnl Allow any traffic from ns0->br1, allow established in reverse.
dnl br0 tracks in zone 1: new connections from the veth are committed on the
dnl way to the patch port; traffic coming back from the patch port must be
dnl +est in zone 1.
604 AT_DATA([flows-br0.txt], [dnl
605 priority=1,action=drop
606 priority=10,arp,action=normal
607 priority=10,icmp,action=normal
608 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(commit,zone=1),1
609 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
610 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=1,action=2
dnl Allow any traffic from br0->ns1, allow established in reverse.
dnl br1 keeps its own state in zone 2, independent of br0: new connections
dnl arriving over the patch port are committed, and only +est replies from
dnl the veth are let back. The two zones are what keep each bridge's
dnl conntrack table from being influenced by the other.
614 AT_DATA([flows-br1.txt], [dnl
615 priority=1,action=drop
616 priority=10,arp,action=normal
617 priority=10,icmp,action=normal
618 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=2)
619 priority=100,in_port=1,tcp,ct_state=+trk+new,ct_zone=2,action=ct(commit,zone=2),2
620 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=2,action=2
621 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
622 priority=100,in_port=2,tcp,ct_state=+trk+est,ct_zone=2,action=ct(commit,zone=2),1
625 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
626 AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt])
dnl HTTP requests from p0->p1 should work fine.
629 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
630 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
632 OVS_TRAFFIC_VSWITCHD_STOP
635 AT_SETUP([conntrack - multiple zones])
637 OVS_TRAFFIC_VSWITCHD_START()
639 ADD_NAMESPACES(at_ns0, at_ns1)
641 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
642 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Allow any traffic from ns0->ns1. Only allow ARP (IPv4, so ARP rather than
dnl ND) and tracked return traffic from ns1->ns0.
dnl The forward direction is committed into zone 1 and zone 2 in one action
dnl list; the reply is only ever looked up in zone 2. Zone 1 therefore sees
dnl the SYN but never the reply, which is why the dump below shows the zone-1
dnl entry stuck in SYN_SENT while zone 2 reaches TIME_WAIT.
645 AT_DATA([flows.txt], [dnl
646 priority=1,action=drop
647 priority=10,arp,action=normal
648 priority=10,icmp,action=normal
649 priority=100,in_port=1,tcp,action=ct(commit,zone=1),ct(commit,zone=2),2
650 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=2)
651 priority=100,in_port=2,ct_state=+trk,ct_zone=2,tcp,action=1
654 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl HTTP requests from p0->p1 should work fine.
657 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
658 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl (again) HTTP requests from p0->p1 should work fine.
661 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
663 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
664 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=SYN_SENT)
665 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT)
668 OVS_TRAFFIC_VSWITCHD_STOP
671 AT_SETUP([conntrack - multiple zones, local])
673 OVS_TRAFFIC_VSWITCHD_START()
675 ADD_NAMESPACES(at_ns0)
dnl The bridge's LOCAL port gets a host address so the root namespace itself
dnl is one end of the connection; the address is removed again at exit.
677 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
678 AT_CHECK([ip link set dev br0 up])
679 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
680 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
dnl Allow traffic from local stack to ns0. Only allow ARP (IPv4, so ARP
dnl rather than neighbour discovery) and established return traffic from ns0
dnl back to the local stack.
dnl NOTE(review): the LOCAL-port rules match +trk+new and +trk+est without any
dnl ct() action having run first, and untracked LOCAL traffic is dropped. That
dnl only works if packets from the host stack already carry conntrack state
dnl when they enter the bridge; confirm that assumption holds on the target
dnl kernel before reusing this pattern.
dnl Return traffic from port 1 has to be +est in zone 1 AND in zone 2 (two
dnl recirculations through tables 1 and 2) before it may reach LOCAL.
684 AT_DATA([flows.txt], [dnl
685 priority=1,action=drop
686 priority=10,arp,action=normal
687 priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
688 priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
689 priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
690 priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
691 table=1,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
692 table=2,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
695 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl ICMP is not special-cased here: the ping below goes through the same ip
dnl rules and shows up in both zones in the dump.
697 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
698 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl HTTP requests from root namespace to p0 should work fine.
702 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
703 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl (again) HTTP requests from root namespace to p0 should work fine.
706 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Expect one entry per zone for the ping and for the TCP connection.
708 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
709 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=1
710 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=2
711 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
712 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT)
715 OVS_TRAFFIC_VSWITCHD_STOP
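718 AT_SETUP([conntrack - multiple namespaces, internal ports])
dnl Fail mode "secure" means br0 gets no implicit actions=normal flow while
dnl there is no controller, so nothing is forwarded until the explicit rules
dnl below are installed (deny by default from the moment the ports exist).
720 OVS_TRAFFIC_VSWITCHD_START(
721 [set-fail-mode br0 secure -- ])
723 ADD_NAMESPACES(at_ns0, at_ns1)
dnl Unlike the other tests, the bridge ports are OVS internal ports moved
dnl into the namespaces rather than veth pairs.
725 ADD_INT(p0, at_ns0, br0, "10.1.1.1/24")
726 ADD_INT(p1, at_ns1, br0, "10.1.1.2/24")
dnl Allow any traffic from ns0->ns1. Only allow ARP (IPv4, so ARP rather than
dnl ND) and tracked return traffic from ns1->ns0, all in zone 1.
dnl If skb->nfct is leaking from inside the namespace, this test will fail:
dnl the port-1 rule only commits packets that arrive untracked, and the
dnl return rule requires the state to have come from the zone-1 lookup.
731 AT_DATA([flows.txt], [dnl
732 priority=1,action=drop
733 priority=10,arp,action=normal
734 priority=10,icmp,action=normal
735 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=1),2
736 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
737 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
dnl --bundle, as in every other test in this file, so the default drop and
dnl the allow rules are applied as one transaction rather than one by one.
740 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl HTTP requests from p0->p1 should work fine.
743 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
744 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl (again) HTTP requests from p0->p1 should work fine.
747 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
749 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
750 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
dnl The two "No such device" messages are filtered out of the shutdown log;
dnl presumably they come from the internal ports no longer being visible in
dnl the root namespace when vswitchd tears them down.
753 OVS_TRAFFIC_VSWITCHD_STOP(["dnl
754 /ioctl(SIOCGIFINDEX) on .* device failed: No such device/d
755 /removing policing failed: No such device/d"])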
758 AT_SETUP([conntrack - multi-stage pipeline, local])
760 OVS_TRAFFIC_VSWITCHD_START()
762 ADD_NAMESPACES(at_ns0)
dnl The LOCAL port carries a host address so the root namespace is one end of
dnl every connection; the address is removed again at exit.
764 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
765 AT_CHECK([ip link set dev br0 up])
766 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
767 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
dnl Allow traffic from local stack to ns0. Only allow ARP (IPv4, so ARP
dnl rather than neighbour discovery) and established return traffic from ns0
dnl back to the local stack.
dnl Shape of the pipeline: table 0 records the output port, table 1 checks
dnl conntrack in a zone named after the INPUT port, table 2/3 check it again
dnl in a zone named after the OUTPUT port, table 4 outputs. Return traffic
dnl must be established in both zones.
771 AT_DATA([flows.txt], [dnl
773 table=0,priority=1,action=drop
774 table=0,priority=10,arp,action=normal
dnl Load the output port to REG0. 65534 is the LOCAL port number (it also
dnl shows up as a zone id in the dump below), 1 is p0.
777 table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
778 table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1
dnl - Allow all connections from LOCAL port (commit and proceed to egress)
dnl - All other connections go through conntracker using the input port as
dnl   a connection tracking zone.
dnl NOTE(review): the priority-150 rule expects LOCAL traffic to be +trk+new
dnl before any ct() action in this pipeline has run, i.e. it relies on the
dnl host stack having already attached conntrack state; confirm on the
dnl target kernel. Traffic from LOCAL that is not +trk+new falls to the
dnl generic rule and is handled like any other connection.
784 table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2
785 table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
786 table=1,priority=1,action=drop
dnl - Allow all connections from LOCAL port (commit and skip to output)
dnl - Allow other established connections to go through conntracker using
dnl   output port as a connection tracking zone.
792 table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4
793 table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
794 table=2,priority=1,action=drop
dnl Only allow established traffic from egress ct lookup
797 table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
798 table=3,priority=1,action=drop
dnl Output to whichever port table 0 stored in reg0.
801 table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
804 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl ICMP is not special-cased; the ping traverses the same pipeline and is
dnl tracked in both zones.
806 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
807 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl HTTP requests from root namespace to p0 should work fine.
811 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
812 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl (again) HTTP requests from root namespace to p0 should work fine.
815 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl One entry per zone: zone 1 (p0 as output) and zone 65534 (LOCAL).
817 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
818 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=1
819 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=65534
820 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
821 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=65534,protoinfo=(state=TIME_WAIT)
824 OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - ct_mark])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
dnl Allow traffic between ns0<->ns1 using the ct_mark.
dnl Check that different marks do not match for traffic between ns2<->ns3.
dnl ARP and ICMP are forwarded with NORMAL and never enter conntrack, so the
dnl mark policy below only governs TCP.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
dnl p0->p1: commit every TCP connection with mark 1 and forward it.
priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
dnl p1->p0: untracked packets are looked up first; only packets belonging to
dnl a connection that carries mark 1 are forwarded back.
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
dnl p2->p3 is committed with mark 2, but the return rule for p3->p2 still
dnl requires mark 1, so replies from p3 fall through to the drop rule.
priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:2->ct_mark)),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl The finished connection must carry mark=1.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=TIME_WAIT)
dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals. Exit status 4 is the wget code for a
dnl network failure.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl The entry exists with mark=2 and is no longer NEW: the SYN-ACK from p3 is
dnl dropped only after the ct(table=0) lookup, which presumably is what
dnl advances the state even though the packet never reaches p2.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=ESTABLISHED)
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - ct_mark bit-fiddling])
OVS_TRAFFIC_VSWITCHD_START()
dnl at_ns2 and at_ns3 are created but not used by this test.
ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Allow traffic between ns0<->ns1 using the ct_mark. Return traffic should
dnl cause an additional bit to be set in the connection (and be allowed).
dnl Mark arithmetic: the forward direction writes 0x5 under mask 0x5 (bits 0
dnl and 2 set), the reply direction writes 0x2 under mask 0x6 (bit 1 set,
dnl bit 2 cleared), leaving mark 0x3. That is the value the return rule in
dnl table 1 and the conntrack dump below require.
AT_DATA([flows.txt], [dnl
table=0,priority=1,action=drop
table=0,priority=10,arp,action=normal
table=0,priority=10,icmp,action=normal
table=0,priority=100,in_port=1,tcp,action=ct(table=1)
dnl This commits any untracked TCP from p1, including unsolicited connections
dnl started from ns1. Those only get mark 0x2 and are still dropped in table 1
dnl because ct_mark=3 does not match, but they do occupy a conntrack entry.
table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x2/0x6->ct_mark))
table=1,priority=100,in_port=1,ct_state=+new,tcp,action=ct(commit,exec(set_field:0x5/0x5->ct_mark)),2
table=1,priority=100,in_port=1,ct_state=-new,tcp,action=2
table=1,priority=100,in_port=2,ct_state=+trk,ct_mark=3,tcp,action=1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=3,protoinfo=(state=TIME_WAIT)
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - ct_mark from register])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
dnl Same policy as the ct_mark test, but the mark is not a literal: it is
dnl loaded into REG0 first and copied into ct_mark with a move inside exec().
dnl ns0<->ns1 is marked 1 and allowed both ways; ns2<->ns3 is marked 2, and
dnl because the return rule still requires mark 1 its replies are dropped.
dnl ARP and ICMP bypass conntrack, so only TCP is subject to the policy.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=load:1->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
priority=100,in_port=3,tcp,action=load:2->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl The mark copied from REG0 must be visible on the committed connection.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=TIME_WAIT)
dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals. Exit status 4 is the wget code for a
dnl network failure.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl The ns2->ns3 entry exists with mark=2 even though its replies were dropped.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=ESTABLISHED)
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - ct_label])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
dnl Allow traffic between ns0<->ns1 using the ct_label.
dnl Check that different labels do not match for traffic between ns2<->ns3.
dnl Same shape as the ct_mark test, using the wider ct_label field instead:
dnl ns0<->ns1 gets the 72-bit value below, ns2<->ns3 gets 0x2, and the
dnl return rules only accept the former. ARP and ICMP bypass conntrack.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:0x0a000d000005000001->ct_label)),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=1
priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:0x2->ct_label)),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=4,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=3
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals. Exit status 4 is the wget code for a
dnl network failure.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - ct_label bit-fiddling])
OVS_TRAFFIC_VSWITCHD_START()
dnl at_ns2 and at_ns3 are created but not used by this test.
ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Allow traffic between ns0<->ns1 using the ct_labels. Return traffic should
dnl cause an additional bit to be set in the connection labels (and be allowed)
dnl Label arithmetic: the forward direction writes 0x5 under mask 0x5 (bits 0
dnl and 2 set), the reply direction writes bit 33 under a mask covering bits
dnl 33 and 2 (bit 33 set, bit 2 cleared), leaving 0x200000001. That is the
dnl value required by the return rule in table 1 and by the dump below.
AT_DATA([flows.txt], [dnl
table=0,priority=1,action=drop
table=0,priority=10,arp,action=normal
table=0,priority=10,icmp,action=normal
table=0,priority=100,in_port=1,tcp,action=ct(table=1)
dnl Commits any untracked TCP from p1, unsolicited connections included; those
dnl never acquire bit 0 and so are still dropped by the ct_label match below.
table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label))
table=1,priority=100,in_port=1,tcp,ct_state=+new,action=ct(commit,exec(set_field:0x5/0x5->ct_label)),2
table=1,priority=100,in_port=1,tcp,ct_state=-new,action=2
table=1,priority=100,in_port=2,ct_state=+trk,ct_label=0x200000001,tcp,action=1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),labels=0x200000001,protoinfo=(state=TIME_WAIT)
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - ct metadata, multiple zones])
OVS_TRAFFIC_VSWITCHD_START()
dnl at_ns2 and at_ns3 are created but not used by this test.
ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Allow traffic between ns0<->ns1 using the ct_mark and ct_labels in zone=1,
dnl but do *not* set any of these for the ct() in zone=2. Traffic should pass,
dnl and we should see that the conntrack entries only apply the ct_mark and
dnl ct_labels to the connection in zone=1.
dnl Mark and label values follow the two bit-fiddling tests: 0x5/0x5 in the
dnl forward direction, then 0x2/0x6 (mark) and bit 33 with bit 2 cleared
dnl (label) in the reply direction, giving mark=3 and labels=0x200000001.
AT_DATA([flows.txt], [dnl
table=0,priority=1,action=drop
table=0,priority=10,arp,action=normal
table=0,priority=10,icmp,action=normal
table=0,priority=100,in_port=1,tcp,action=ct(zone=1,table=1)
table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(zone=1,table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label,set_field:0x2/0x6->ct_mark))
dnl New connections from p0 are committed twice: with metadata in zone 1 and
dnl bare in zone 2.
table=1,priority=100,in_port=1,tcp,ct_state=+new,action=ct(zone=1,commit,exec(set_field:0x5/0x5->ct_label,set_field:0x5/0x5->ct_mark)),ct(commit,zone=2),2
table=1,priority=100,in_port=1,tcp,ct_state=-new,action=ct(zone=2),2
dnl Return traffic from p1 is only looked up in zone 2, no metadata required.
table=1,priority=100,in_port=2,tcp,action=ct(zone=2),1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Zone 1 carries mark and labels, zone 2 carries neither.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,mark=3,labels=0x200000001,protoinfo=(state=TIME_WAIT)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT)
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - ICMP related])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
dnl An ICMP error is "related" when the header it quotes matches a committed
dnl connection; it then inherits that connection's mark, which is why the
dnl return rule can match ct_mark=1 on an ICMP packet.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,udp,action=ct(commit,exec(set_field:1->ct_mark)),2
priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,icmp,ct_state=+trk+rel,ct_mark=1,action=1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
dnl Nothing listens on 10.1.1.2:10000, so the ns1 stack answers with ICMP.
NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])
dnl Flush datapath flows so their packet counters are attributed to the
dnl OpenFlow rules before the dump below (presumably what purge is for here).
AT_CHECK([ovs-appctl revalidator/purge], [0])
dnl One UDP packet out, one related ICMP back through the lookup and the
dnl +rel rule; the drop rule is filtered out of the listing.
AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
n_packets=1, n_bytes=44, priority=100,udp,in_port=1 actions=ct(commit,exec(load:0x1->NXM_NX_CT_MARK[[]])),output:2
n_packets=1, n_bytes=72, priority=100,ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2 actions=output:1
n_packets=1, n_bytes=72, priority=100,ct_state=-trk,icmp,in_port=2 actions=ct(table=0)
n_packets=2, n_bytes=84, priority=10,arp actions=NORMAL
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - ICMP related 2])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "172.16.0.1/24")
ADD_VETH(p1, at_ns1, br0, "172.16.0.2/24")
dnl Track UDP from ns0->ns1 and hand every tracked packet to the controller.
dnl From ns1->ns0 only ICMP that is both a reply and related to a tracked
dnl connection reaches the controller; anything else is dropped. The point is
dnl that an ICMP error quoting a connection conntrack has never seen is not
dnl treated as related.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,udp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=1,ip,ct_state=+trk,actions=controller
priority=100,in_port=2,ip,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,ip,ct_state=+trk+rel+rpl,action=controller
AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt])
dnl Capture the packet-ins in the background so they can be compared below.
AT_CAPTURE_FILE([ofctl_monitor.log])
AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
dnl Packets are injected with packet-out through the ct action rather than
dnl sent by the namespaces, so the ICMP payloads are fully controlled.
dnl 1. Send an ICMP port unreach reply for port 8738, without any previous request
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f355ac100004ac1000030303553f0000000045000021317040004011b138ac100003ac10000411112222000d20966369616f0a'])
dnl 2. Send a UDP packet to port 5555
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit,table=0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
dnl 3. Send an ICMP port unreach reply for port 5555, related to the UDP packet
dnl    from step 2
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
dnl Check this output. We only see the latter two packets, not the first:
dnl the unsolicited ICMP error from step 1 has no related connection.
AT_CHECK([cat ofctl_monitor.log], [0], [dnl
NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=47 ct_state=new|trk,in_port=1 (via action) data_len=47 (unbuffered)
udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096
NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=75 ct_state=rel|rpl|trk,in_port=2 (via action) data_len=75 (unbuffered)
icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - FTP])
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl First policy: every TCP connection from ns0->ns1 is committed with the FTP
dnl helper attached; from ns1->ns0 only established connections and
dnl connections the helper expects (active-mode data channels) are allowed.
dnl NOTE(review): alg=ftp is attached to all TCP from p0 here, not just to
dnl port 21 as the IPv6 FTP test does with tp_dst=21. Scoping the helper to
dnl the control port is the safer shape for a real policy, since the helper
dnl opens pinholes based on what it parses from the control channel.
AT_DATA([flows1.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
dnl Related connections are forwarded without being committed.
priority=100,in_port=2,tcp,ct_state=+trk+rel,action=1
dnl Similar policy but without allowing all traffic from ns0->ns1.
dnl Second policy: only new and established TCP from ns0->ns1; from ns1->ns0
dnl the first packet of a related (helper-expected) connection is committed
dnl so that the data channel becomes a tracked connection of its own.
AT_DATA([flows2.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
priority=100,in_port=1,tcp,ct_state=+trk+est,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
priority=100,in_port=2,tcp,ct_state=+trk-new+rel,action=1
AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
dnl An FTP server runs in both namespaces so that both directions can be tried.
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
dnl FTP requests from p1->p0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
dnl The rejected SYN is never committed, so no entry for 10.1.1.1 may exist.
NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
dnl FTP requests from p0->p1 should work fine.
dnl Only the control connection is committed under flows1, and it shows the
dnl helper. FIN states are filtered out because they are timing dependent.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
dnl Try the second set of flows.
dnl Flush conntrack so entries from the first policy cannot mask the result.
AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
AT_CHECK([ovs-appctl dpctl/flush-conntrack])
dnl FTP requests from p1->p0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
dnl Active FTP requests from p0->p1 should work fine.
dnl Active mode: the server opens the data channel back to the client, so a
dnl second, committed entry with orig src=10.1.1.2 appears without a helper.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
AT_CHECK([ovs-appctl dpctl/flush-conntrack])
dnl Passive FTP requests from p0->p1 should work fine.
dnl Passive mode: the client opens the data channel itself, so both entries
dnl have orig src=10.1.1.1 and only the control connection carries the helper.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv6 FTP])
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl Policy: from ns0->ns1 allow new FTP control connections (port 21, with
dnl the FTP helper) and established TCP; from ns1->ns0 allow only TCP that is
dnl established or expected by the helper. ICMPv6 is allowed both ways so that
dnl neighbour discovery works.
AT_DATA([flows.txt], [dnl
dnl Track all IPv6 traffic and drop the rest.
dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked.
table=0 priority=100 in_port=1 icmp6, action=2
table=0 priority=100 in_port=2 icmp6, action=1
table=0 priority=10 ip6, action=ct(table=1)
table=0 priority=0 action=drop
dnl Allow new TCPv6 FTP control connections from port 1.
dnl The helper is scoped to the control port, unlike the IPv4 FTP test.
table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
dnl Allow related TCPv6 connections from port 2.
table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1
dnl Allow established TCPv6 connections both ways.
table=1 in_port=1 ct_state=+est, tcp6, action=2
table=1 in_port=2 ct_state=+est, tcp6, action=1
dnl Drop everything else.
table=1 priority=0, action=drop
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
dnl FTP requests from p0->p1 should work fine.
dnl Active mode over IPv6 (EPRT); the extra wget debug flags keep the server
dnl dialogue in wget0.log for diagnosis when the ALG does not fire.
NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
dnl Discards CLOSE_WAIT and CLOSING
dnl Expect the control connection with the helper and the server-initiated
dnl data connection (orig src=fc00::2) committed by the +new+rel rule.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2) | grep -v "FIN" | grep -v "CLOS"], [0], [dnl
tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
tcp,orig=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - FTP with multiple expectations])
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Dual-firewall: every connection is tracked in zone 1 and zone 2 in turn,
dnl as if it crossed two independent firewalls. Allow all TCP from ns0->ns1
dnl (p0, port 1) and only established or FTP-related TCP from ns1->ns0
dnl (p1, port 2). The FTP helper is attached in both zones, so one PORT
dnl command creates an expectation in each zone, hence the test name.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
dnl p0->p1: look up zone 1, commit new connections in both zones, then pass
dnl established ones through zone 2 before output.
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=0,zone=2)
priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=2)
priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
dnl p1->p0: look up zone 2 first, then zone 1; related connections are
dnl committed in both zones, established ones must be known in both.
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=0,zone=1)
priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
dnl FTP requests from p1->p0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
dnl The rejected SYN is never committed, so no entry for 10.1.1.1 may exist.
NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
dnl Active FTP requests from p0->p1 should work fine.
dnl Control connection with helper plus server-initiated data connection,
dnl each present once per zone.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT),helper=ftp
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT),helper=ftp
tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT)
AT_CHECK([ovs-appctl dpctl/flush-conntrack])
dnl Passive FTP requests from p0->p1 should work fine.
dnl Both connections are client-initiated here; only the control connection
dnl carries the helper, again once per zone.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT),helper=ftp
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT),helper=ftp
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv4 fragmentation ])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Sending ping through conntrack
dnl No ip_frag match here: all fragments reach ct(), which has to reassemble
dnl them before the ICMP connection can be committed and the replies matched
dnl as established.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl IPv4 fragmentation connectivity check: a 1600-byte payload exceeds a
dnl standard 1500-byte Ethernet MTU and is sent as two fragments.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl IPv4 larger fragmentation connectivity check: three fragments per request.
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
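AT_SETUP([conntrack - IPv4 fragmentation expiry])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Exercise the fragment reassembly timeout: only unfragmented packets and
dnl first fragments are handed to conntrack, later fragments hit the
dnl priority=1 drop. Reassembly can therefore never complete and the queued
dnl first fragment has to be expired by the datapath rather than delivered.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
dnl Only allow non-fragmented messages and 1st fragments of each message
priority=100,in_port=1,icmp,ip_frag=no,action=ct(commit,zone=9),2
dnl The match and the action list are separated by a comma. The previous
dnl spelling "ip_frag=firstaction=..." appears to have been accepted only
dnl because ovs-ofctl splits a flow at the literal word "action"; write the
dnl flow the way every other rule in this file does so it does not depend on
dnl that parsing detail.
priority=100,in_port=1,icmp,ip_frag=first,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl IPv4 fragmentation connectivity check: the 1600-byte payload is fragmented
dnl and must never be answered. With -c 1 and a 2 s deadline ping keeps
dnl retransmitting until the deadline expires, which is why more than one
dnl request is counted.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 1 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
7 packets transmitted, 0 received, 100% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP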
AT_SETUP([conntrack - IPv4 fragmentation + vlan])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl The pings below use the VLAN 100 sub-interfaces, so every fragment
dnl reaches conntrack with an 802.1Q tag in front of the IP header.
ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
dnl Sending ping through conntrack
dnl Same flows as the untagged IPv4 fragmentation test; no ip_frag match, so
dnl ct() has to reassemble the tagged fragments itself.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl IPv4 fragmentation connectivity check (two fragments per request).
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl IPv4 larger fragmentation connectivity check (three fragments per request).
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv6 fragmentation])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl Sending ping through conntrack
dnl Unlike the IPv4 tests, all IPv6 (including ICMPv6 echo) goes through
dnl ct(); only neighbour solicitation/advertisement (types 135/136) bypass it
dnl so that address resolution works before any connection exists.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Without this sleep, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl IPv6 fragmentation connectivity check: a 1600-byte payload exceeds a
dnl standard 1500-byte MTU and arrives as fragments that ct() must reassemble.
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl IPv6 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv6 fragmentation expiry])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl IPv6 counterpart of the IPv4 fragmentation expiry test: later fragments
dnl never reach ct(), so reassembly cannot complete and the queued first
dnl fragment must be expired by the datapath.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
dnl Only allow non-fragmented messages and 1st fragments of each message
priority=10,in_port=1,ipv6,ip_frag=first,action=ct(commit,zone=9),2
priority=10,in_port=1,ipv6,ip_frag=no,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
dnl Neighbour Discovery
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Without this sleep, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Send an IPv6 fragment. Some time later, it should expire.
dnl With -c 1 and a 2 s deadline ping keeps retransmitting while no reply
dnl arrives, which is why more than one request is counted.
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 1 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
7 packets transmitted, 0 received, 100% packet loss, time 0ms
dnl At this point, the kernel will either crash or everything is OK.
dnl (Regression guard for the fragment expiry path; there is no further
dnl assertion, a clean shutdown is the pass condition.)
OVS_TRAFFIC_VSWITCHD_STOP
1539 AT_SETUP([conntrack - IPv6 fragmentation + vlan])
dnl Same flow table as the plain IPv6 fragmentation test, but the pings are
dnl sent over VLAN 100 sub-interfaces so the fragments carry an 802.1Q tag
dnl when they reach conntrack.
1541 OVS_TRAFFIC_VSWITCHD_START()
1543 ADD_NAMESPACES(at_ns0, at_ns1)
1545 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1546 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1548 ADD_VLAN(p0, at_ns0, 100, "fc00:1::3/96")
1549 ADD_VLAN(p1, at_ns1, 100, "fc00:1::4/96")
1551 dnl Sending ping through conntrack
1552 AT_DATA([flows.txt], [dnl
dnl Default deny.
1553 priority=1,action=drop
dnl Port 1 -> port 2: commit to zone 9 and forward.
1554 priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
dnl Port 2 -> port 1: track, then forward established connections only.
1555 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1556 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
dnl Neighbour Discovery bypasses conntrack.
1557 priority=100,icmp6,icmp_type=135,action=normal
1558 priority=100,icmp6,icmp_type=136,action=normal
1561 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1563 dnl Without this sleep, we get occasional failures due to the following error:
1564 dnl "connect: Cannot assign requested address"
1567 dnl Basic connectivity check.
1568 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1569 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1572 dnl IPv6 fragmentation connectivity check.
1573 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1574 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1577 dnl IPv6 larger fragmentation connectivity check.
1578 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1579 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1582 OVS_TRAFFIC_VSWITCHD_STOP
1585 AT_SETUP([conntrack - Fragmentation over vxlan])
dnl Fragmented ICMP is carried inside VXLAN between a namespace and the host.
dnl The underlay bridge only switches the encapsulated packets (single
dnl "normal" flow); conntrack is applied on br0 to the decapsulated overlay
dnl traffic.
1589 OVS_TRAFFIC_VSWITCHD_START()
1590 ADD_BR([br-underlay])
1591 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
1593 ADD_NAMESPACES(at_ns0)
1595 dnl Sending ping through conntrack
1596 AT_DATA([flows.txt], [dnl
dnl Default deny on the overlay bridge.
1597 priority=1,action=drop
1598 priority=10,arp,action=normal
dnl in_port=1 is presumably the at_vxlan0 tunnel port added below — confirm
dnl against ADD_OVS_TUNNEL. Tunnel -> host: commit to zone 9 and deliver to
dnl the local port.
1599 priority=100,in_port=1,icmp,action=ct(commit,zone=9),LOCAL
dnl Host -> tunnel: track in table 0, allow only established in table 1.
1600 priority=100,in_port=LOCAL,icmp,action=ct(table=1,zone=9)
1601 table=1,priority=100,in_port=LOCAL,ct_state=+trk+est,icmp,action=1
1604 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1606 dnl Set up underlay link from host into the namespace using veth pair.
1607 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
1608 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
1609 AT_CHECK([ip link set dev br-underlay up])
1611 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
1612 dnl linux device inside the namespace.
dnl Overlay addresses: 10.1.1.100 on the OVS side, 10.1.1.1 in the namespace.
1613 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
1614 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
1615 [id 0 dstport 4789])
1617 dnl First, check the underlay
1618 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
1619 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1622 dnl Okay, now check the overlay with different packet sizes
dnl The 1600/3200-byte payloads force fragmentation of the inner packet;
dnl NOTE(review): this assumes the default MTU on the path, which the test
dnl does not set.
1623 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1624 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1626 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1627 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1629 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1630 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1633 OVS_TRAFFIC_VSWITCHD_STOP
1636 AT_SETUP([conntrack - IPv6 Fragmentation over vxlan])
dnl IPv6 variant of the VXLAN fragmentation test: the underlay stays IPv4
dnl (172.31.1.0/24), the overlay inside the tunnel is fc00::/96, and
dnl conntrack is applied to the decapsulated IPv6 packets on br0.
1640 OVS_TRAFFIC_VSWITCHD_START()
1641 ADD_BR([br-underlay])
1642 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
1644 ADD_NAMESPACES(at_ns0)
1646 dnl Sending ping through conntrack
1647 AT_DATA([flows.txt], [dnl
dnl Default deny on the overlay bridge.
1648 priority=1,action=drop
dnl Tunnel -> host: commit to zone 9 and deliver locally.
1649 priority=100,in_port=1,ipv6,action=ct(commit,zone=9),LOCAL
dnl Host -> tunnel: track, then allow established connections only.
1650 priority=100,in_port=LOCAL,ipv6,action=ct(table=1,zone=9)
1651 table=1,priority=100,in_port=LOCAL,ct_state=+trk+est,ipv6,action=1
1653 dnl Neighbour Discovery
dnl Highest priority so NS/NA are never caught by the ipv6 flows above.
1654 priority=1000,icmp6,icmp_type=135,action=normal
1655 priority=1000,icmp6,icmp_type=136,action=normal
1658 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1660 dnl Set up underlay link from host into the namespace using veth pair.
1661 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
1662 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
1663 AT_CHECK([ip link set dev br-underlay up])
1665 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
1666 dnl linux device inside the namespace.
dnl Overlay addresses: fc00::2 on the OVS side, fc00::1 in the namespace.
1667 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], ["fc00::2/96"])
1668 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], ["fc00::1/96"],
1669 [id 0 dstport 4789])
1671 dnl Without this sleep, we get occasional failures due to the following error:
1672 dnl "connect: Cannot assign requested address"
1675 dnl First, check the underlay
1676 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
1677 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1680 dnl Okay, now check the overlay with different packet sizes
1681 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1682 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1684 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1685 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1687 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1688 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1691 OVS_TRAFFIC_VSWITCHD_STOP
1694 AT_SETUP([conntrack - resubmit to ct multiple times])
dnl Checks that one packet resubmitted through two separate ct() actions is
dnl processed (and counted) twice in the target table and is never delivered.
dnl The bridge is started in secure fail mode so there is no default NORMAL
dnl flow: whatever is not matched below is dropped.
1697 OVS_TRAFFIC_VSWITCHD_START(
1698 [set-fail-mode br0 secure -- ])
1700 ADD_NAMESPACES(at_ns0, at_ns1)
1702 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1703 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1705 AT_DATA([flows.txt], [dnl
1706 table=0,priority=150,arp,action=normal
dnl Each IP packet from port 1 is sent through table 1 and table 2 in turn.
1707 table=0,priority=100,ip,in_port=1,action=resubmit(,1),resubmit(,2)
dnl Both tables hand the packet to conntrack and continue in table 3.
1709 table=1,priority=100,ip,action=ct(table=3)
1710 table=2,priority=100,ip,action=ct(table=3)
dnl Table 3 drops, so the ping below must see 100% loss.
1712 table=3,ip,action=drop
1715 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1717 NS_CHECK_EXEC([at_ns0], [ping -q -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
1718 1 packets transmitted, 0 received, 100% packet loss, time 0ms
dnl The single echo request shows up once in tables 1 and 2 and twice in
dnl table 3 (n_packets=2, n_bytes=196 = 2 x 98).
1721 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort], [0], [dnl
1722 n_packets=1, n_bytes=98, priority=100,ip,in_port=1 actions=resubmit(,1),resubmit(,2)
1723 n_packets=2, n_bytes=84, priority=150,arp actions=NORMAL
1724 table=1, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
1725 table=2, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
1726 table=3, n_packets=2, n_bytes=196, ip actions=drop
1730 OVS_TRAFFIC_VSWITCHD_STOP
1734 AT_SETUP([conntrack - simple SNAT])
dnl Source NAT of ns0 (10.1.1.1) to a pool of 10.1.1.240-10.1.1.255 in ct
dnl zone 1. Because the pool addresses are not configured on any interface,
dnl the flow table also answers ARP for them on behalf of p0 (whose MAC is
dnl pinned to 80:88:88:88:88:88 below so the responder can hard-code it).
1736 OVS_TRAFFIC_VSWITCHD_START()
1738 ADD_NAMESPACES(at_ns0, at_ns1)
1740 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1741 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1742 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1744 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
1745 AT_DATA([flows.txt], [dnl
dnl Port 1 -> port 2: commit and pick a source address from the pool.
1746 in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
dnl Port 2 -> port 1: untracked packets get the reverse translation applied
dnl (the bare "nat" keyword) and re-enter table 0.
1747 in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)
dnl NOTE(review): +trk alone also admits +new and +inv packets from port 2;
dnl the "more complex SNAT" test uses the tighter +trk-new+est form.
1748 in_port=2,ct_state=+trk,ct_zone=1,ip,action=1
dnl ARP requests: look up the target IP (saved in reg2) in table 8, then
dnl let table 10 decide whether to answer or flood normally.
1751 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1752 priority=10 arp action=normal
1753 priority=0,action=drop
1755 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, i.e. exactly the SNAT pool;
dnl 0x808888888888 is the MAC assigned to p0 above.
1756 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1757 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1758 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
1760 dnl Swaps the fields of the ARP message to turn a query to a response.
1761 table=10 priority=100 arp xreg0=0 action=normal
dnl The ingress port is saved in reg3 and in_port cleared so the reply can
dnl be output on the port the request arrived on.
1762 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1763 table=10 priority=0 action=drop
1766 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1768 dnl HTTP requests from p0->p1 should work fine.
1769 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1770 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The reply tuple must carry a pool address; the sed masks which one of
dnl 10.1.1.240-255 was chosen since that is not deterministic.
1772 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
1773 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
1776 OVS_TRAFFIC_VSWITCHD_STOP
1780 AT_SETUP([conntrack - SNAT with port range])
dnl Like "simple SNAT", but the translated source port is restricted to
dnl 34567-34568 (chosen at random), and the return path only accepts TCP
dnl aimed at those two ports, so an address/port outside the NAT range
dnl cannot reach the translation step at all.
1782 OVS_TRAFFIC_VSWITCHD_START()
1784 ADD_NAMESPACES(at_ns0, at_ns1)
1786 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1787 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1788 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1790 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
1791 AT_DATA([flows.txt], [dnl
dnl Port 1 -> port 2: commit with SNAT to the address pool and port range.
1792 in_port=1,tcp,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255:34567-34568,random)),2
dnl Port 2 -> port 1: only the two NAT ports are un-NATted and re-evaluated.
1793 in_port=2,ct_state=-trk,tcp,tp_dst=34567,action=ct(table=0,zone=1,nat)
1794 in_port=2,ct_state=-trk,tcp,tp_dst=34568,action=ct(table=0,zone=1,nat)
dnl NOTE(review): +trk alone also admits +new/+inv packets; compare the
dnl +trk-new+est match used in the "more complex SNAT" test.
1795 in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
dnl ARP responder for the NAT pool (same as in "simple SNAT").
1798 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1799 priority=10 arp action=normal
1800 priority=0,action=drop
1802 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28; the MAC is p0's, set above.
1803 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1804 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1805 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
1807 dnl Swaps the fields of the ARP message to turn a query to a response.
1808 table=10 priority=100 arp xreg0=0 action=normal
1809 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1810 table=10 priority=0 action=drop
1813 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1815 dnl HTTP requests from p0->p1 should work fine.
1816 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1817 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The chosen pool address is masked; ports are already cleared by FORMAT_CT.
1819 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
1820 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
1823 OVS_TRAFFIC_VSWITCHD_STOP
1827 AT_SETUP([conntrack - more complex SNAT])
dnl SNAT with the recommended two-stage layout: table 0 runs every IP packet
dnl through conntrack with NAT so existing connections are already translated
dnl when table 1 makes its per-direction, per-ct_state decision.
1829 OVS_TRAFFIC_VSWITCHD_START()
1831 ADD_NAMESPACES(at_ns0, at_ns1)
1833 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1834 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1835 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1837 AT_DATA([flows.txt], [dnl
1838 dnl Track all IP traffic, NAT existing connections.
1839 priority=100 ip action=ct(table=1,zone=1,nat)
1841 dnl Allow ARP, but generate responses for NATed addresses
1842 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1843 priority=10 arp action=normal
1844 priority=0 action=drop
1846 dnl Allow any traffic from ns0->ns1. SNAT ns0 to 10.1.1.240-10.1.1.255
dnl New connections are committed with the translation; established ones
dnl were already translated in table 0 and are just forwarded.
1847 table=1 priority=100 in_port=1 ip ct_state=+trk+new-est action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
1848 table=1 priority=100 in_port=1 ip ct_state=+trk-new+est action=2
1849 dnl Only allow established traffic from ns1->ns0.
1850 table=1 priority=100 in_port=2 ip ct_state=+trk-new+est action=1
dnl Default deny for anything else, including +new from port 2 and +inv.
1851 table=1 priority=0 action=drop
1853 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28; the MAC is p0's, set above.
1854 table=8 priority=100 reg2=0x0a0101f0/0xfffffff0 action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1855 dnl Zero result means not found.
1856 table=8 priority=0 action=load:0->OXM_OF_PKT_REG0[[]]
1857 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
1858 dnl ARP TPA IP in reg2.
1859 table=10 priority=100 arp xreg0=0 action=normal
1860 dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is cleared (after saving it in reg3) so the reply can be sent
dnl back out the port it arrived on.
1861 table=10 priority=10 arp arp_op=1 action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1862 table=10 priority=0 action=drop
1865 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1867 dnl HTTP requests from p0->p1 should work fine.
1868 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1869 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The chosen pool address (10.1.1.240-255) is masked as it is not fixed.
1871 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
1872 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
1875 OVS_TRAFFIC_VSWITCHD_STOP
1878 AT_SETUP([conntrack - simple DNAT])
dnl Destination NAT: the virtual address 10.1.1.64 is translated to ns1's
dnl real address 10.1.1.2. ARP for the virtual address is answered from the
dnl flow table with p1's MAC (pinned to 80:88:88:88:88:88 below); the
dnl connection must work via both the virtual and the real address.
1880 OVS_TRAFFIC_VSWITCHD_START()
1882 ADD_NAMESPACES(at_ns0, at_ns1)
1884 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1885 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1886 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
1888 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
1889 AT_DATA([flows.txt], [dnl
dnl Port 1 -> port 2: traffic to the virtual IP is DNATted and committed;
dnl everything else from port 1 is committed untranslated.
1890 priority=100 in_port=1,ip,nw_dst=10.1.1.64,action=ct(zone=1,nat(dst=10.1.1.2),commit),2
1891 priority=10 in_port=1,ip,action=ct(commit,zone=1),2
dnl Port 2 -> port 1: reverse the translation, then admit only established.
1892 priority=100 in_port=2,ct_state=-trk,ip,action=ct(table=0,nat,zone=1)
1893 priority=100 in_port=2,ct_state=+trk+est,ct_zone=1,ip,action=1
dnl ARP responder for the virtual address.
1896 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1897 priority=10 arp action=normal
1898 priority=0,action=drop
1900 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64 (exact match); the MAC is p1's, set above.
1901 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1902 dnl Zero result means not found.
1903 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1904 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
1906 table=10 priority=100 arp xreg0=0 action=normal
1907 dnl Swaps the fields of the ARP message to turn a query to a response.
1908 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1909 table=10 priority=0 action=drop
1912 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1914 dnl Should work with the virtual IP address through NAT
1915 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1916 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl orig tuple keeps the virtual destination; the reply comes from the real one.
1918 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64) ], [0], [dnl
1919 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
1922 dnl Should work with the assigned IP address as well
1923 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1925 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) ], [0], [dnl
1926 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
1929 OVS_TRAFFIC_VSWITCHD_STOP
1932 AT_SETUP([conntrack - more complex DNAT])
dnl DNAT with the two-stage layout: table 0 tracks (and un-NATs) every IP
dnl packet, table 1 decides per direction and ct_state. New connections to
dnl the virtual address 10.1.1.64 are translated to 10.1.1.2 and committed.
1934 OVS_TRAFFIC_VSWITCHD_START()
1936 ADD_NAMESPACES(at_ns0, at_ns1)
1938 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1939 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1940 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
1942 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
1943 AT_DATA([flows.txt], [dnl
1944 dnl Track all IP traffic
1945 table=0 priority=100 ip action=ct(table=1,zone=1,nat)
1947 dnl Allow ARP, but generate responses for NATed addresses
1948 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1949 table=0 priority=10 arp action=normal
1950 table=0 priority=0 action=drop
1952 dnl Allow any IP traffic from ns0->ns1. DNAT ns0 from 10.1.1.64 to 10.1.1.2
1953 table=1 priority=100 in_port=1 ct_state=+new ip nw_dst=10.1.1.64 action=ct(zone=1,nat(dst=10.1.1.2),commit),2
1954 table=1 priority=10 in_port=1 ct_state=+new ip action=ct(commit,zone=1),2
1955 table=1 priority=100 in_port=1 ct_state=+est ct_zone=1 action=2
1956 dnl Only allow established traffic from ns1->ns0.
1957 table=1 priority=100 in_port=2 ct_state=+est ct_zone=1 action=1
dnl Default deny (covers +new from port 2 and +inv in either direction).
1958 table=1 priority=0 action=drop
1960 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64; the MAC is p1's, set above.
1961 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1962 dnl Zero result means not found.
1963 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1964 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
1966 table=10 priority=100 arp xreg0=0 action=normal
1967 dnl Swaps the fields of the ARP message to turn a query to a response.
1968 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1969 table=10 priority=0 action=drop
1972 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1974 dnl Should work with the virtual IP address through NAT
1975 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1976 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
1978 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64) ], [0], [dnl
1979 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
1982 dnl Should work with the assigned IP address as well
1983 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1985 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) ], [0], [dnl
1986 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
1989 OVS_TRAFFIC_VSWITCHD_STOP
1992 AT_SETUP([conntrack - ICMP related with NAT])
dnl A SNATted UDP datagram to a closed port provokes an ICMP error from ns1.
dnl The test checks that the error is recognised as related to the UDP
dnl connection, reverse-NATted back to 10.1.1.1, and admitted only because
dnl it carries the ct_mark set when the UDP flow was committed.
1994 OVS_TRAFFIC_VSWITCHD_START()
1996 ADD_NAMESPACES(at_ns0, at_ns1)
1998 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1999 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2000 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2002 dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
2003 dnl Make sure ICMP responses are reverse-NATted.
2004 AT_DATA([flows.txt], [dnl
dnl Commit UDP from port 1 with SNAT and tag the connection with ct_mark=1.
2005 in_port=1,udp,action=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:1->ct_mark)),2
dnl ICMP from port 2: un-NAT and re-evaluate; then admit only +rel packets
dnl belonging to a marked connection and addressed to ns0's real address.
2006 in_port=2,icmp,ct_state=-trk,action=ct(table=0,nat)
2007 in_port=2,icmp,nw_dst=10.1.1.1,ct_state=+trk+rel,ct_mark=1,action=1
dnl ARP responder for the SNAT pool.
2010 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2011 priority=10 arp action=normal
2012 priority=0,action=drop
2014 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28; the MAC is p0's, set above.
2015 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2016 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2017 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2019 dnl Swaps the fields of the ARP message to turn a query to a response.
2020 table=10 priority=100 arp xreg0=0 action=normal
2021 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2022 table=10 priority=0 action=drop
2025 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2027 dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
2028 NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])
dnl Flush datapath flows so the OpenFlow counters below are up to date, then
dnl check that each flow on the UDP and ICMP paths was hit exactly once.
2030 AT_CHECK([ovs-appctl revalidator/purge], [0])
2031 AT_CHECK([ovs-ofctl -O OpenFlow15 dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
2032 n_packets=1, n_bytes=42, priority=10,arp actions=NORMAL
2033 n_packets=1, n_bytes=44, udp,in_port=1 actions=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:0x1->ct_mark)),output:2
2034 n_packets=1, n_bytes=72, ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2,nw_dst=10.1.1.1 actions=output:1
2035 n_packets=1, n_bytes=72, ct_state=-trk,icmp,in_port=2 actions=ct(table=0,nat)
2036 n_packets=2, n_bytes=84, priority=100,arp,arp_op=1 actions=move:NXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2037 table=10, n_packets=1, n_bytes=42, priority=10,arp,arp_op=1 actions=set_field:2->arp_op,move:NXM_NX_ARP_SHA[[]]->NXM_NX_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_NX_ARP_SHA[[]],move:NXM_OF_ARP_SPA[[]]->NXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->NXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],set_field:0->in_port,output:NXM_NX_REG3[[0..15]]
2038 table=10, n_packets=1, n_bytes=42, priority=100,arp,reg0=0,reg1=0 actions=NORMAL
2039 table=8, n_packets=1, n_bytes=42, priority=0 actions=set_field:0->xreg0
2040 table=8, n_packets=1, n_bytes=42, reg2=0xa0101f0/0xfffffff0 actions=set_field:0x808888888888->xreg0
2041 OFPST_FLOW reply (OF1.5):
dnl The UDP entry must carry mark=1 and a pool address (masked) in the reply tuple.
2044 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
2045 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),mark=1
2048 OVS_TRAFFIC_VSWITCHD_STOP
2052 AT_SETUP([conntrack - FTP with NAT])
dnl Active-mode FTP through SNAT. The ftp ALG on the committed control
dnl connection lets conntrack expect the server-initiated data connection,
dnl which then arrives from port 2 as +new+rel and is committed with NAT so
dnl it is translated back to the client. Nothing else from port 2 is allowed.
2053 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
2056 OVS_TRAFFIC_VSWITCHD_START()
2058 ADD_NAMESPACES(at_ns0, at_ns1)
2060 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2061 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2062 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2064 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
2066 AT_DATA([flows.txt], [dnl
2067 dnl track all IP traffic, de-mangle non-NEW connections
2068 table=0 in_port=1, ip, action=ct(table=1,nat)
2069 table=0 in_port=2, ip, action=ct(table=2,nat)
dnl ARP responder for the single SNAT address 10.1.1.240.
2073 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2074 table=0 priority=10 arp action=normal
2075 table=0 priority=0 action=drop
2077 dnl Table 1: port 1 -> 2
2079 dnl Allow new FTP connections. These need to be committed.
dnl alg=ftp attaches the helper so PORT commands create expectations.
2080 table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
2081 dnl Allow established TCP connections, make sure they are NATted already.
2082 table=1 ct_state=+est, tcp, nw_src=10.1.1.240, action=2
2084 dnl Table 1: droppers
2086 table=1 priority=10, tcp, action=drop
2087 table=1 priority=0,action=drop
2089 dnl Table 2: port 2 -> 1
2091 dnl Allow established TCP connections, make sure they are reverse NATted
2092 table=2 ct_state=+est, tcp, nw_dst=10.1.1.1, action=1
2093 dnl Allow (new) related (data) connections. These need to be committed.
dnl Only connections the helper expected (+rel) may be opened from port 2,
dnl and only towards the SNAT address.
2094 table=2 ct_state=+new+rel, tcp, nw_dst=10.1.1.240, action=ct(commit,nat),1
2095 dnl Allow related ICMP packets, make sure they are reverse NATted
2096 table=2 ct_state=+rel, icmp, nw_dst=10.1.1.1, action=1
2098 dnl Table 2: droppers
2100 table=2 priority=10, tcp, action=drop
2101 table=2 priority=0, action=drop
2103 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28; the MAC is p0's, set above.
2105 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2106 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2107 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2109 dnl Swaps the fields of the ARP message to turn a query to a response.
2110 table=10 priority=100 arp xreg0=0 action=normal
2111 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2112 table=10 priority=0 action=drop
2115 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2117 dnl NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
2118 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
2120 dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode so the server opens the data connection.
2121 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
dnl Two entries: the control connection (helper=ftp, SNATted to .240) and the
dnl server-initiated data connection, whose reply side is un-NATted to 10.1.1.1.
2123 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
2124 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
2125 tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
2128 OVS_TRAFFIC_VSWITCHD_STOP
2132 AT_SETUP([conntrack - FTP with NAT 2])
dnl Variant of "FTP with NAT": table 0 only tracks (no nat), and the NAT
dnl translation is applied explicitly per direction in table 1 via ct(nat).
2133 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
2135 OVS_TRAFFIC_VSWITCHD_START()
2137 ADD_NAMESPACES(at_ns0, at_ns1)
2139 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2140 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2141 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2143 dnl Allow any traffic from ns0->ns1.
2144 dnl Only allow nd, return traffic from ns1->ns0.
2145 AT_DATA([flows.txt], [dnl
2146 dnl track all IP traffic (this includes a helper call to non-NEW packets.)
2147 table=0 ip, action=ct(table=1)
dnl ARP responder for the SNAT address 10.1.1.240.
2151 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2152 table=0 priority=10 arp action=normal
2153 table=0 priority=0 action=drop
2157 dnl Allow new FTP connections. These need to be committed.
2158 dnl This does helper for new packets.
2159 table=1 in_port=1 ct_state=+new, tcp, tp_dst=21, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
2160 dnl Allow and NAT established TCP connections
2161 table=1 in_port=1 ct_state=+est, tcp, action=ct(nat),2
2162 table=1 in_port=2 ct_state=+est, tcp, action=ct(nat),1
2163 dnl Allow and NAT (new) related active (data) connections.
2164 dnl These need to be committed.
dnl Only helper-expected (+rel) connections may be opened from port 2.
2165 table=1 in_port=2 ct_state=+new+rel, tcp, action=ct(commit,nat),1
2166 dnl Allow related ICMP packets.
2167 table=1 in_port=2 ct_state=+rel, icmp, action=ct(nat),1
2168 dnl Drop everything else.
2169 table=1 priority=0, action=drop
2171 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28; the MAC is p0's, set above.
2173 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2174 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2175 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2177 dnl Swaps the fields of the ARP message to turn a query to a response.
2178 table=10 priority=100 arp xreg0=0 action=normal
2179 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2180 table=10 priority=0 action=drop
2183 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2185 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
2187 dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode so the server opens the data connection.
2188 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
2190 dnl Discards CLOSE_WAIT and CLOSING
dnl Expected: the SNATted control connection (helper=ftp) and the
dnl server-initiated data connection, reverse-NATted to 10.1.1.1.
2191 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN" | grep -v "CLOS"], [0], [dnl
2192 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
2193 tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
2196 OVS_TRAFFIC_VSWITCHD_STOP
2199 AT_SETUP([conntrack - IPv6 HTTP with NAT])
dnl IPv6 SNAT of ns0 (fc00::1) to fc00::240. HTTP from ns0 to ns1 must
dnl succeed, and a connection initiated from ns1 to ns0 must fail because
dnl only established traffic is admitted from port 2.
2201 OVS_TRAFFIC_VSWITCHD_START()
2203 ADD_NAMESPACES(at_ns0, at_ns1)
2205 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
2206 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2207 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl NAT does not translate Neighbour Discovery, so ns1 is given a static
dnl neighbour entry mapping the NAT address to p0's MAC.
2208 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
2210 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
2211 AT_DATA([flows.txt], [dnl
dnl Default deny; ICMPv6 (including ND) is switched normally.
2212 priority=1,action=drop
2213 priority=10,icmp6,action=normal
dnl Port 1 -> port 2: commit with SNAT to fc00::240.
2214 priority=100,in_port=1,ip6,action=ct(commit,nat(src=fc00::240)),2
dnl Port 2 -> port 1: un-NAT, re-evaluate, admit only established.
2215 priority=100,in_port=2,ct_state=-trk,ip6,action=ct(nat,table=0)
2216 priority=100,in_port=2,ct_state=+trk+est,ip6,action=1
dnl Neighbour Solicitations for the NAT address are DNATted to fc00::1;
dnl presumably this covers unicast NS probes sent to fc00::240 itself, which
dnl the static neighbour entry above does not suppress — confirm.
2217 priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::240,action=ct(commit,nat(dst=fc00::1)),1
2220 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2222 dnl Without this sleep, we get occasional failures due to the following error:
2223 dnl "connect: Cannot assign requested address"
2226 dnl HTTP requests from ns0->ns1 should work fine.
2227 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])
2229 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2231 dnl HTTP requests from ns1->ns0 should fail due to network failure.
2232 dnl Try 3 times, in 1 second intervals.
dnl Exit status 4 is wget's "network failure"; a 0 here would mean the
dnl port 2 -> port 1 policy let a new connection through.
2233 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
2234 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
2236 OVS_TRAFFIC_VSWITCHD_STOP
2240 AT_SETUP([conntrack - IPv6 FTP with NAT])
dnl Active-mode FTP through IPv6 source NAT.  The control connection from ns0
dnl is committed with the ftp ALG and its source rewritten to fc00::240; the
dnl data connection the server opens back toward fc00::240 is admitted only as
dnl a related (+rel) flow, with the reverse NAT taken from the ALG expectation.
2241 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
2243 OVS_TRAFFIC_VSWITCHD_START()
2245 ADD_NAMESPACES(at_ns0, at_ns1)
2247 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
dnl Fix p0's MAC so the static neighbor entry in ns1 below can point at it.
2248 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2249 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
2250 dnl Would be nice if NAT could translate neighbor discovery messages, too.
dnl Until then ns1 gets a static entry mapping the NAT address to p0's MAC.
2251 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
2253 dnl Allow any traffic from ns0->ns1.
2254 dnl Only allow nd, return traffic from ns1->ns0.
2255 AT_DATA([flows.txt], [dnl
2256 dnl Allow other ICMPv6 both ways (without commit).
2257 table=1 priority=100 in_port=1 icmp6, action=2
2258 table=1 priority=100 in_port=2 icmp6, action=1
2259 dnl track all IPv6 traffic (this includes NAT & help to non-NEW packets.)
dnl Every IPv6 packet passes conntrack before table 1, so the address matches
dnl below see post-NAT addresses.
2260 table=0 priority=10 ip6, action=ct(nat,table=1)
2261 table=0 priority=0 action=drop
2265 dnl Allow new TCPv6 FTP control connections.
dnl Only fc00::1 may open them, and only to port 21: commit with the ftp ALG and
dnl rewrite the source to fc00::240.
2266 table=1 in_port=1 ct_state=+new tcp6 ipv6_src=fc00::1 tp_dst=21 action=ct(alg=ftp,commit,nat(src=fc00::240)),2
2267 dnl Allow related TCPv6 connections from port 2 to the NATted address.
dnl This is the only rule that lets port 2 open a connection, and it requires
dnl +rel, i.e. an expectation created by the ftp ALG on the control connection
dnl (the active-mode data channel back to the client).  ct(commit,nat) applies
dnl the reverse NAT.
2268 table=1 in_port=2 ct_state=+new+rel tcp6 ipv6_dst=fc00::240 action=ct(commit,nat),1
2269 dnl Allow established TCPv6 connections both ways, enforce NATting
dnl The ipv6_src/ipv6_dst matches are the post-NAT addresses, so established
dnl traffic that somehow escaped translation falls through to the drop below.
2270 table=1 in_port=1 ct_state=+est tcp6 ipv6_src=fc00::240 action=2
2271 table=1 in_port=2 ct_state=+est tcp6 ipv6_dst=fc00::1 action=1
2272 dnl Drop everything else.
2273 table=1 priority=0, action=drop
2276 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2278 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
2280 dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode, so the server must connect back to the
dnl client; that is what exercises the +rel rule above.
2281 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
2283 dnl Discard FIN_WAIT, CLOSE_WAIT and CLOSING entries (any state containing
dnl FIN or CLOS); only the TIME_WAIT entries are compared.
dnl Two entries are expected: the control connection (helper=ftp), whose reply
dnl side is addressed to the NAT address, and the server-initiated data
dnl connection to fc00::240, whose reply comes from fc00::1 after reverse NAT.
2284 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2) | grep -v "FIN" | grep -v "CLOS"], [0], [dnl
2285 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
2286 tcp,orig=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
2289 OVS_TRAFFIC_VSWITCHD_STOP