dnl Datapath sanity tests.  Each case starts ovs-vswitchd with a bridge br0,
dnl attaches veth pairs that terminate inside Linux network namespaces and
dnl then checks connectivity across the bridge.  The helper macros used below
dnl (OVS_TRAFFIC_VSWITCHD_START/STOP, ADD_NAMESPACES, ADD_VETH, NS_CHECK_EXEC,
dnl FORMAT_PING, ...) are defined elsewhere in the suite.  NOTE(review): this
dnl listing appears to omit blank lines, the closing "])" of multi-line checks
dnl and the AT_CLEANUP lines, so each check runs up to the next statement.
1 AT_BANNER([datapath-sanity])
dnl IPv4 ping between two namespaces attached to the same bridge.
3 AT_SETUP([datapath - ping between two ports])
4 OVS_TRAFFIC_VSWITCHD_START()
dnl A single "actions=normal" flow makes br0 forward like an ordinary
dnl MAC-learning switch, so no per-host flows are needed.
6 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
8 ADD_NAMESPACES(at_ns0, at_ns1)
10 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
11 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Three pings at increasing payload size (default, 1600 and 3200 bytes); the
dnl larger sizes exceed a typical 1500-byte link MTU, so IP fragmentation is
dnl presumably exercised too.  "-w 2" bounds each run to two seconds so a
dnl black-holed path fails instead of hanging.  FORMAT_PING is expected to
dnl normalize the summary (the "time ..." value) so it compares verbatim.
13 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
14 3 packets transmitted, 3 received, 0% packet loss, time 0ms
16 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
17 3 packets transmitted, 3 received, 0% packet loss, time 0ms
19 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
20 3 packets transmitted, 3 received, 0% packet loss, time 0ms
23 OVS_TRAFFIC_VSWITCHD_STOP
dnl TCP sanity check: an HTTP fetch across the bridge after a ping succeeds.
26 AT_SETUP([datapath - http between two ports])
27 OVS_TRAFFIC_VSWITCHD_START()
29 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
31 ADD_NAMESPACES(at_ns0, at_ns1)
33 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
34 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
36 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
37 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl test-l7.py is started as a daemon inside at_ns1 (it serves HTTP on the
dnl default port, judging by the plain "wget 10.1.1.2" below).  wget retries
dnl three times with a one-second timeout and keeps retrying on "connection
dnl refused" so the server has time to come up; any other failure is a test
dnl failure because NS_CHECK_EXEC expects exit status 0.
40 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
41 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
43 OVS_TRAFFIC_VSWITCHD_STOP
dnl Same ping test as above, but over 802.1Q sub-interfaces (VLAN 100) created
dnl inside each namespace, so tagged frames must be switched correctly by br0.
46 AT_SETUP([datapath - ping between two ports on vlan])
47 OVS_TRAFFIC_VSWITCHD_START()
49 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
51 ADD_NAMESPACES(at_ns0, at_ns1)
53 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
54 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl The VLAN interfaces use a separate subnet (10.2.2.0/24) so the pings below
dnl cannot accidentally succeed over the untagged 10.1.1.0/24 path.
56 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
57 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
59 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
60 3 packets transmitted, 3 received, 0% packet loss, time 0ms
62 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
63 3 packets transmitted, 3 received, 0% packet loss, time 0ms
65 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
66 3 packets transmitted, 3 received, 0% packet loss, time 0ms
69 OVS_TRAFFIC_VSWITCHD_STOP
dnl IPv6 variant of the two-port ping test (ULA prefix fc00::/96).
72 AT_SETUP([datapath - ping6 between two ports])
73 OVS_TRAFFIC_VSWITCHD_START()
75 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
77 ADD_NAMESPACES(at_ns0, at_ns1)
79 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
80 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
82 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
83 dnl waiting, we get occasional failures due to the following error:
84 dnl "connect: Cannot assign requested address"
dnl OVS_WAIT_UNTIL polls this single ping until it succeeds (the wait
dnl macro's timeout is defined elsewhere), so the checks below start from a
dnl known-good neighbor state.
85 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
87 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
88 3 packets transmitted, 3 received, 0% packet loss, time 0ms
90 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
91 3 packets transmitted, 3 received, 0% packet loss, time 0ms
93 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
94 3 packets transmitted, 3 received, 0% packet loss, time 0ms
97 OVS_TRAFFIC_VSWITCHD_STOP
dnl IPv6 ping over VLAN 100 sub-interfaces; the tagged path uses fc00:1::/96.
100 AT_SETUP([datapath - ping6 between two ports on vlan])
101 OVS_TRAFFIC_VSWITCHD_START()
103 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
105 ADD_NAMESPACES(at_ns0, at_ns1)
107 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
108 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
110 ADD_VLAN(p0, at_ns0, 100, "fc00:1::1/96")
111 ADD_VLAN(p1, at_ns1, 100, "fc00:1::2/96")
113 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
114 dnl waiting, we get occasional failures due to the following error:
115 dnl "connect: Cannot assign requested address"
dnl NOTE(review): the readiness probe pings the untagged address fc00::2,
dnl while the checks below target the VLAN address fc00:1::2; it settles the
dnl namespace's IPv6 stack but does not itself prove the tagged path is up.
116 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
118 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
119 3 packets transmitted, 3 received, 0% packet loss, time 0ms
121 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
122 3 packets transmitted, 3 received, 0% packet loss, time 0ms
124 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
125 3 packets transmitted, 3 received, 0% packet loss, time 0ms
128 OVS_TRAFFIC_VSWITCHD_STOP
dnl Overlay test: br0 carries a VXLAN tunnel port whose underlay runs over a
dnl second bridge (br-underlay) into at_ns0, where a native Linux vxlan device
dnl terminates the other end.  Underlay 172.31.1.0/24, overlay 10.1.1.0/24.
131 AT_SETUP([datapath - ping over vxlan tunnel])
134 OVS_TRAFFIC_VSWITCHD_START()
135 ADD_BR([br-underlay])
137 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
138 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
140 ADD_NAMESPACES(at_ns0)
142 dnl Set up underlay link from host into the namespace using veth pair.
dnl The host side of the underlay is br-underlay's own (LOCAL) interface,
dnl which gets 172.31.1.100 and is brought up explicitly.
143 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
144 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
145 AT_CHECK([ip link set dev br-underlay up])
147 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
148 dnl linux device inside the namespace.
dnl Arguments appear to be (type, bridge, port name, remote underlay IP,
dnl overlay address); each side's remote is the other side's underlay IP.
dnl The ADD_NATIVE_TUNNEL call continues on a line not shown in this listing.
149 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
150 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
153 dnl First, check the underlay
154 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
155 3 packets transmitted, 3 received, 0% packet loss, time 0ms
158 dnl Okay, now check the overlay with different packet sizes
dnl The 1600/3200-byte payloads exceed the overlay MTU once encapsulation
dnl overhead is added, so fragmentation of the inner or outer packet is likely
dnl exercised here (exact MTUs are not set in this file).
159 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
160 3 packets transmitted, 3 received, 0% packet loss, time 0ms
162 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
163 3 packets transmitted, 3 received, 0% packet loss, time 0ms
165 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
166 3 packets transmitted, 3 received, 0% packet loss, time 0ms
169 OVS_TRAFFIC_VSWITCHD_STOP
dnl Same overlay topology as the VXLAN case, with a GRE tunnel port on br0 and
dnl a native "gretap" (Ethernet-over-GRE) device inside at_ns0.
172 AT_SETUP([datapath - ping over gre tunnel])
175 OVS_TRAFFIC_VSWITCHD_START()
176 ADD_BR([br-underlay])
178 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
179 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
181 ADD_NAMESPACES(at_ns0)
183 dnl Set up underlay link from host into the namespace using veth pair.
184 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
185 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
186 AT_CHECK([ip link set dev br-underlay up])
188 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
189 dnl linux device inside the namespace.
dnl OVS side is type "gre"; the Linux side must be "gretap" so that it
dnl carries Ethernet frames, matching what the OVS gre port emits.
190 ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
191 ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24])
193 dnl First, check the underlay
194 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
195 3 packets transmitted, 3 received, 0% packet loss, time 0ms
198 dnl Okay, now check the overlay with different packet sizes
199 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
200 3 packets transmitted, 3 received, 0% packet loss, time 0ms
202 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
203 3 packets transmitted, 3 received, 0% packet loss, time 0ms
205 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
206 3 packets transmitted, 3 received, 0% packet loss, time 0ms
209 OVS_TRAFFIC_VSWITCHD_STOP
dnl Same overlay topology again, this time with Geneve encapsulation.
212 AT_SETUP([datapath - ping over geneve tunnel])
215 OVS_TRAFFIC_VSWITCHD_START()
216 ADD_BR([br-underlay])
218 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
219 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
221 ADD_NAMESPACES(at_ns0)
223 dnl Set up underlay link from host into the namespace using veth pair.
224 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
225 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
226 AT_CHECK([ip link set dev br-underlay up])
228 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
229 dnl linux device inside the namespace.
dnl The ADD_NATIVE_TUNNEL call continues on a line not shown in this listing.
230 ADD_OVS_TUNNEL([geneve], [br0], [at_gnv0], [172.31.1.1], [10.1.1.100/24])
231 ADD_NATIVE_TUNNEL([geneve], [ns_gnv0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
234 dnl First, check the underlay
235 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
236 3 packets transmitted, 3 received, 0% packet loss, time 0ms
239 dnl Okay, now check the overlay with different packet sizes
240 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
241 3 packets transmitted, 3 received, 0% packet loss, time 0ms
243 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
244 3 packets transmitted, 3 received, 0% packet loss, time 0ms
246 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
247 3 packets transmitted, 3 received, 0% packet loss, time 0ms
250 OVS_TRAFFIC_VSWITCHD_STOP
dnl Exercises the OpenFlow "output(port=N,max_len=M)" action, which sends a
dnl copy of the packet truncated to M bytes out of port N.  OpenFlow port
dnl numbers used below: p0/ovs-p0 = 1, ovs-p1 = 2, p1 = 3, ovs-p2 = 4, p2 = 5.
dnl Traffic is injected from at_ns0 with nc; the n_bytes counters of the drop
dnl rules on ports 3 and 5 then reveal how many bytes really arrived on each
dnl loopback veth.  The expected n_bytes values are on lines not shown here.
253 AT_SETUP([datapath - basic truncate action])
254 OVS_TRAFFIC_VSWITCHD_START()
255 AT_CHECK([ovs-ofctl del-flows br0])
257 dnl Create p0 and ovs-p0(1)
258 ADD_NAMESPACES(at_ns0)
259 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed source MAC plus a static ARP entry for 10.1.1.2: nothing answers at
dnl that address, so nc can only transmit if ARP is pre-seeded, and the flows
dnl below match on dl_dst=e6:66:c1:22:22:22.
260 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
261 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
263 dnl Create p1(3) and ovs-p1(2), packets received from ovs-p1 will appear in p1
dnl Both ends of the veth pair are added to br0, so a packet output on port 2
dnl loops straight back into the bridge on port 3 where its size is counted.
264 AT_CHECK([ip link add p1 type veth peer name ovs-p1])
265 on_exit 'ip link del ovs-p1'
266 AT_CHECK([ip link set dev ovs-p1 up])
267 AT_CHECK([ip link set dev p1 up])
268 AT_CHECK([ovs-vsctl add-port br0 ovs-p1 -- set interface ovs-p1 ofport_request=2])
269 dnl Use p1 to check the truncated packet
270 AT_CHECK([ovs-vsctl add-port br0 p1 -- set interface p1 ofport_request=3])
272 dnl Create p2(5) and ovs-p2(4)
273 AT_CHECK([ip link add p2 type veth peer name ovs-p2])
274 on_exit 'ip link del ovs-p2'
275 AT_CHECK([ip link set dev ovs-p2 up])
276 AT_CHECK([ip link set dev p2 up])
277 AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=4])
278 dnl Use p2 to check the truncated packet
279 AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=5])
dnl Port 2 receives a copy truncated to 100 bytes, port 4 an untruncated copy;
dnl the drop rules on the loopback ends (3 and 5) exist only for their counters.
282 AT_CHECK([ovs-ofctl del-flows br0])
283 AT_DATA([flows.txt], [dnl
284 in_port=3 dl_dst=e6:66:c1:22:22:22 actions=drop
285 in_port=5 dl_dst=e6:66:c1:22:22:22 actions=drop
286 in_port=1 dl_dst=e6:66:c1:22:22:22 actions=output(port=2,max_len=100),output:4
288 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
290 dnl use this file as payload file for ncat
dnl Payload content is irrelevant; only its 200-byte length matters
dnl (14 Ethernet + 20 IP + 8 UDP + 200 = 242 bytes on the wire).
291 AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
292 on_exit 'rm -f payload200.bin'
293 NS_CHECK_EXEC([at_ns0], [nc -u 10.1.1.2 1234 < payload200.bin])
295 dnl packet with truncated size
dnl revalidator/purge forces the datapath flows out so their byte counts are
dnl accounted to the OpenFlow rules before dump-flows reads them.
296 AT_CHECK([ovs-appctl revalidator/purge], [0])
297 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
300 dnl packet with original size
301 AT_CHECK([ovs-appctl revalidator/purge], [0])
302 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
306 dnl more complicated output actions
dnl Mixed truncated and full copies to both ports, including a max_len larger
dnl than the packet (65535), which must leave the packet untouched.
307 AT_CHECK([ovs-ofctl del-flows br0])
308 AT_DATA([flows.txt], [dnl
309 in_port=3 dl_dst=e6:66:c1:22:22:22 actions=drop
310 in_port=5 dl_dst=e6:66:c1:22:22:22 actions=drop
311 in_port=1 dl_dst=e6:66:c1:22:22:22 actions=output(port=2,max_len=100),output:4,output(port=2,max_len=100),output(port=4,max_len=100),output:2,output(port=4,max_len=200),output(port=2,max_len=65535)
313 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
315 NS_CHECK_EXEC([at_ns0], [nc -u 10.1.1.2 1234 < payload200.bin])
317 dnl 100 + 100 + 242 + min(65535,242) = 684
318 AT_CHECK([ovs-appctl revalidator/purge], [0])
319 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
322 dnl 242 + 100 + min(242,200) = 542
323 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
327 dnl SLOW_ACTION: disable kernel datapath truncate support
328 dnl Repeat the test above, but exercise the SLOW_ACTION code path
dnl The expected text below is the daemon's reply compared verbatim, including
dnl the misspelling "diabled"; it can only be corrected together with the
dnl implementation of the dpif/disable-truncate command, not in this file.
329 AT_CHECK([ovs-appctl dpif/disable-truncate], [0],
330 [Datapath truncate action diabled
333 dnl SLOW_ACTION test1: check datapatch actions
334 AT_CHECK([ovs-ofctl del-flows br0])
335 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
dnl With truncation disabled in the datapath, the trace must still list every
dnl trunc() action and report that the flow is handled on the userspace slow
dnl path.  The datapath port numbers in the trace (3, 5) differ from the
dnl OpenFlow ones; ofproto/trace speaks in datapath terms.
338 AT_CHECK([ovs-appctl ofproto/trace system 'in_port(2),eth(src=e6:66:c1:11:11:11,dst=e6:66:c1:22:22:22),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=6,tos=4,ttl=128,frag=no),tcp(src=8,dst=9)'], [0], [stdout])
339 AT_CHECK([tail -3 stdout], [0],
340 [Datapath actions: trunc(100),3,5,trunc(100),3,trunc(100),5,3,trunc(200),5,trunc(65535),3
341 This flow is handled by the userspace slow path because it:
342 - Uses action(s) not supported by datapath.
346 dnl SLOW_ACTION test2: check actual packet truncate
dnl Same byte-count expectations as the datapath case (684 and 542): the
dnl userspace path must truncate identically.
347 AT_CHECK([ovs-ofctl del-flows br0])
348 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
349 NS_CHECK_EXEC([at_ns0], [nc -u 10.1.1.2 1234 < payload200.bin])
351 dnl 100 + 100 + 242 + min(65535,242) = 684
352 AT_CHECK([ovs-appctl revalidator/purge], [0])
353 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
357 dnl 242 + 100 + min(242,200) = 542
358 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
362 OVS_TRAFFIC_VSWITCHD_STOP
365 dnl Create 2 bridges and 2 namespaces to test truncate over a GRE tunnel:
367 dnl br0: overlay bridge
368 dnl ns1: connect to br0, with IP:10.1.1.2
369 dnl br-underlay: with IP: 172.31.1.100
370 dnl ns0: connect to br-underlay, with IP: 10.1.1.1
dnl OpenFlow ports on br0: at_gre0 = 1, ovs-p1 = 2, ovs-p2 = 3, p2 = 4.
dnl Both the tunnel push direction (ns1 -> tunnel -> ns0) and the pop
dnl direction (ns0 -> tunnel -> ns1) are checked with a 100-byte max_len,
dnl first with datapath truncation and then again on the userspace slow path.
371 AT_SETUP([datapath - truncate and output to gre tunnel])
373 OVS_TRAFFIC_VSWITCHD_START()
375 ADD_BR([br-underlay])
376 ADD_NAMESPACES(at_ns0)
377 ADD_NAMESPACES(at_ns1)
378 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
379 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
381 dnl Set up underlay link from host into the namespace using veth pair.
382 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
383 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
384 AT_CHECK([ip link set dev br-underlay up])
386 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
387 dnl linux device inside the namespace.
dnl MACs and ARP entries are pinned on both overlay hosts so that nc can send
dnl without any ARP exchange crossing the tunnel.
388 ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
389 ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24])
390 AT_CHECK([ovs-vsctl -- set interface at_gre0 ofport_request=1])
391 NS_CHECK_EXEC([at_ns0], [ip link set dev ns_gre0 address e6:66:c1:11:11:11])
392 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
394 dnl Set up (p1 and ovs-p1) at br0
395 ADD_VETH(p1, at_ns1, br0, '10.1.1.2/24')
396 AT_CHECK([ovs-vsctl -- set interface ovs-p1 ofport_request=2])
397 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
398 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
400 dnl Set up (p2 and ovs-p2) as loopback for verifying packet size
401 AT_CHECK([ip link add p2 type veth peer name ovs-p2])
402 on_exit 'ip link del ovs-p2'
403 AT_CHECK([ip link set dev ovs-p2 up])
404 AT_CHECK([ip link set dev p2 up])
405 AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=3])
406 AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=4])
408 dnl use this file as payload file for ncat
409 AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
410 on_exit 'rm -f payload200.bin'
dnl br0 policy: frames popped from the tunnel (port 1) go truncated to ns1
dnl (port 2) and to the loopback pair (port 3); UDP from ns1 (port 2) goes
dnl truncated into the tunnel; the loopback return (port 4) is dropped but
dnl counted; everything else is dropped.
412 AT_CHECK([ovs-ofctl del-flows br0])
413 AT_DATA([flows.txt], [dnl
414 priority=99,in_port=1,actions=output(port=2,max_len=100),output(port=3,max_len=100)
415 priority=99,in_port=2,udp,actions=output(port=1,max_len=100)
416 priority=1,in_port=4,ip,actions=drop
417 priority=1,actions=drop
419 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
dnl br-underlay policy: only GRE (IP protocol 47) passes between the veth to
dnl ns0 (port 1) and the bridge's LOCAL port; everything else is dropped, so
dnl the LOCAL counter below measures encapsulated bytes only.
421 AT_CHECK([ovs-ofctl del-flows br-underlay])
422 AT_DATA([flows-underlay.txt], [dnl
423 priority=99,dl_type=0x0800,nw_proto=47,in_port=1,actions=LOCAL
424 priority=99,dl_type=0x0800,nw_proto=47,in_port=LOCAL,ip_dst=172.31.1.1/24,actions=1
425 priority=1,actions=drop
428 AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])
430 dnl check tunnel push path, from at_ns1 to at_ns0
431 NS_CHECK_EXEC([at_ns1], [nc -u 10.1.1.1 1234 < payload200.bin])
432 AT_CHECK([ovs-appctl revalidator/purge], [0])
434 dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
435 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
438 dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
439 AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
443 dnl check tunnel pop path, from at_ns0 to at_ns1
444 NS_CHECK_EXEC([at_ns0], [nc -u 10.1.1.2 5678 < payload200.bin])
445 dnl After truncation = 100 byte at loopback device p2(4)
dnl Here the fifth comma-separated field of the dump-flows line is compared,
dnl rather than a sed-extracted n_bytes= token as above.
446 AT_CHECK([ovs-appctl revalidator/purge], [0])
447 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | awk --field-separator=', ' '{print $5}'], [0], [dnl
451 dnl SLOW_ACTION: disable datapath truncate support
452 dnl Repeat the test above, but exercise the SLOW_ACTION code path
dnl Expected reply text is compared verbatim, misspelling ("diabled")
dnl included; it must stay in sync with the daemon's message.
453 AT_CHECK([ovs-appctl dpif/disable-truncate], [0],
454 [Datapath truncate action diabled
457 dnl SLOW_ACTION test1: check datapatch actions
458 AT_CHECK([ovs-ofctl del-flows br0])
459 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
dnl The trace should show the packet truncated before the tunnel-push metadata
dnl is set, and the flow sent to the slow path.
462 AT_CHECK([ovs-appctl ofproto/trace system 'in_port(5),eth(src=e6:66:c1:11:11:11,dst=e6:66:c1:22:22:22),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=17,tos=4,ttl=128,frag=no),udp(src=8,dst=9)'], [0], [stdout])
463 AT_CHECK([tail -3 stdout], [0],
464 [Datapath actions: trunc(100),set(tunnel(dst=172.31.1.1,ttl=64,flags(df))),4
465 This flow is handled by the userspace slow path because it:
466 - Uses action(s) not supported by datapath.
470 dnl SLOW_ACTION test2: check actual packet truncate
dnl Identical traffic and expectations as before; only the truncation path
dnl (userspace instead of datapath) differs.
471 AT_CHECK([ovs-ofctl del-flows br0])
472 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
473 AT_CHECK([ovs-ofctl del-flows br-underlay])
474 AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])
476 dnl check tunnel push path, from at_ns1 to at_ns0
477 NS_CHECK_EXEC([at_ns1], [nc -u 10.1.1.1 1234 < payload200.bin])
478 AT_CHECK([ovs-appctl revalidator/purge], [0])
480 dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
481 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
484 dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
485 AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
489 dnl check tunnel pop path, from at_ns0 to at_ns1
490 NS_CHECK_EXEC([at_ns0], [nc -u 10.1.1.2 5678 < payload200.bin])
491 dnl After truncation = 100 byte at loopback device p2(4)
492 AT_CHECK([ovs-appctl revalidator/purge], [0])
493 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | awk --field-separator=', ' '{print $5}'], [0], [dnl
497 OVS_TRAFFIC_VSWITCHD_STOP
dnl Connection tracking combined with packet-in to the controller.  Packets
dnl are injected with packet-out (no namespace traffic) and the packet-ins
dnl captured by "ovs-ofctl monitor" show which ones survived the ct() checks.
500 AT_SETUP([conntrack - controller])
502 OVS_TRAFFIC_VSWITCHD_START()
504 ADD_NAMESPACES(at_ns0, at_ns1)
506 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
507 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
509 dnl Allow any traffic from ns0->ns1. Only allow ARP and return traffic from ns1->ns0.
dnl Default deny (priority 1).  UDP from port 1 is committed to conntrack and
dnl punted to the controller.  UDP from port 2 is first run through ct() and
dnl recirculated to table 0; it reaches the controller only if conntrack then
dnl reports it as part of an established (i.e. previously committed) connection.
510 AT_DATA([flows.txt], [dnl
511 priority=1,action=drop
512 priority=10,arp,action=normal
513 priority=100,in_port=1,udp,action=ct(commit),controller
514 priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
515 priority=100,in_port=2,ct_state=+trk+est,udp,action=controller
518 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Detached monitor records every packet-in into ofctl_monitor.log.
520 AT_CAPTURE_FILE([ofctl_monitor.log])
521 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
523 dnl Send an unsolicited reply from port 2. This should be dropped.
dnl No connection has been committed yet, so after ct(table=0) this packet
dnl cannot be +est and falls through to the priority-1 drop.
524 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
526 dnl OK, now start a new connection from port 1.
527 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit\),controller '50540000000a50540000000908004500001c00000000001100000a0101010a0101020001000200080000'])
529 dnl Now try a reply from port 2.
530 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
532 dnl Check this output. We only see the latter two packets, not the first.
dnl The second packet-in carries ct_state=est|rpl|trk: established, reply
dnl direction, tracked.
533 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
534 NXT_PACKET_IN2 (xid=0x0): total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
535 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
536 NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
537 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
540 OVS_TRAFFIC_VSWITCHD_STOP
dnl Stateful one-way firewall over IPv4: ns0 may open TCP connections to ns1,
dnl but ns1 may only send packets that belong to an established connection.
543 AT_SETUP([conntrack - IPv4 HTTP])
545 OVS_TRAFFIC_VSWITCHD_START()
547 ADD_NAMESPACES(at_ns0, at_ns1)
549 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
550 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
552 dnl Allow any traffic from ns0->ns1. Only allow ARP, ICMP and return traffic from ns1->ns0.
dnl Default deny.  TCP from port 1 is committed and forwarded; TCP from port 2
dnl is tracked first and forwarded only when +est.  A SYN from ns1 is never
dnl committed, so it is dropped.
553 AT_DATA([flows.txt], [dnl
554 priority=1,action=drop
555 priority=10,arp,action=normal
556 priority=10,icmp,action=normal
557 priority=100,in_port=1,tcp,action=ct(commit),2
558 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
559 priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
562 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
564 dnl Basic connectivity check.
565 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 >/dev/null])
567 dnl HTTP requests from ns0->ns1 should work fine.
568 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
569 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl The conntrack table must hold exactly the committed ns0->ns1 entry;
dnl FORMAT_CT (defined elsewhere) filters on the address and clears the
dnl port and state fields that vary between runs.
571 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
572 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
575 dnl HTTP requests from ns1->ns0 should fail due to network failure.
576 dnl Try 3 times, in 1 second intervals.
dnl Exit status 4 is wget's "network failure"; --retry-connrefused is
dnl deliberately absent here because no connection should get through at all.
577 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
578 NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log], [4])
580 OVS_TRAFFIC_VSWITCHD_STOP
dnl IPv6 counterpart of the one-way HTTP firewall test.
583 AT_SETUP([conntrack - IPv6 HTTP])
585 OVS_TRAFFIC_VSWITCHD_START()
587 ADD_NAMESPACES(at_ns0, at_ns1)
589 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
590 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
592 dnl Allow any traffic from ns0->ns1. Only allow ICMPv6 (which carries neighbor
dnl discovery) and return traffic from ns1->ns0.
dnl Same structure as the IPv4 case with tcp6/icmp6 matches; without the
dnl icmp6 rule neighbor discovery would fail and nothing would connect.
593 AT_DATA([flows.txt], [dnl
594 priority=1,action=drop
595 priority=10,icmp6,action=normal
596 priority=100,in_port=1,tcp6,action=ct(commit),2
597 priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
598 priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
601 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
603 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
604 dnl waiting, we get occasional failures due to the following error:
605 dnl "connect: Cannot assign requested address"
606 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
608 dnl HTTP requests from ns0->ns1 should work fine.
dnl "http6" tells test-l7.py to listen on IPv6; the URL's doubled brackets are
dnl m4 quoting for the literal "[fc00::2]".
609 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])
611 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
613 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
614 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
617 dnl HTTP requests from ns1->ns0 should fail due to network failure.
618 dnl Try 3 times, in 1 second intervals.
619 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
620 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
622 OVS_TRAFFIC_VSWITCHD_STOP
dnl Checks that ct(commit,table=0) recirculation works and that the metadata
dnl field survives a ct() recirculation.  Two independent port pairs are used:
dnl 1<->2 with a plain commit/recirculate, 3<->4 with a metadata round trip.
625 AT_SETUP([conntrack - commit, recirc])
627 OVS_TRAFFIC_VSWITCHD_START()
629 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
631 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
632 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
633 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
634 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
636 dnl Allow any traffic from ns0->ns1, ns2->ns3.
dnl Port 3 path: untracked -> metadata=0, ct(table=0); tracked with
dnl metadata=0 -> metadata=1, ct(commit,table=0); tracked with metadata=1 ->
dnl output 4.  The third rule can only match if metadata=1 is preserved
dnl across the commit recirculation.  Note that no +est condition is applied
dnl on the reply ports here; this test is about recirculation, not policy.
637 AT_DATA([flows.txt], [dnl
638 priority=1,action=drop
639 priority=10,arp,action=normal
640 priority=10,icmp,action=normal
641 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
642 priority=100,in_port=1,tcp,ct_state=+trk,action=2
643 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
644 priority=100,in_port=2,tcp,ct_state=+trk,action=1
645 priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
646 priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
647 priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
648 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
649 priority=100,in_port=4,tcp,ct_state=+trk,action=3
652 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
654 dnl HTTP requests from p0->p1 should work fine.
655 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
656 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
658 dnl HTTP requests from p2->p3 should work fine.
659 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
660 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
662 OVS_TRAFFIC_VSWITCHD_STOP
dnl Same structure as "commit, recirc", but the value carried across the
dnl ct() recirculation is register reg0 instead of the metadata field.
665 AT_SETUP([conntrack - preserve registers])
667 OVS_TRAFFIC_VSWITCHD_START()
669 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
671 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
672 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
673 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
674 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
676 dnl Allow any traffic from ns0->ns1, ns2->ns3.
dnl Port 3: reg0 is loaded with 0, then 1 across two ct() passes; the final
dnl "reg0=1 -> output 4" rule only matches if the register value survives
dnl the commit recirculation.  "[[]]" is m4 quoting for a literal "[]".
677 AT_DATA([flows.txt], [dnl
678 priority=1,action=drop
679 priority=10,arp,action=normal
680 priority=10,icmp,action=normal
681 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
682 priority=100,in_port=1,tcp,ct_state=+trk,action=2
683 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
684 priority=100,in_port=2,tcp,ct_state=+trk,action=1
685 priority=100,in_port=3,tcp,ct_state=-trk,action=load:0->NXM_NX_REG0[[]],ct(table=0)
686 priority=100,in_port=3,tcp,ct_state=+trk,reg0=0,action=load:1->NXM_NX_REG0[[]],ct(commit,table=0)
687 priority=100,in_port=3,tcp,ct_state=+trk,reg0=1,action=4
688 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
689 priority=100,in_port=4,tcp,ct_state=+trk,action=3
692 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
694 dnl HTTP requests from p0->p1 should work fine.
695 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
696 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
698 dnl HTTP requests from p2->p3 should work fine.
699 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
700 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
702 OVS_TRAFFIC_VSWITCHD_STOP
dnl Behaviour of the +inv ("invalid") ct_state bit: reply packets for a
dnl connection that was tracked but never committed are not "new", so a
dnl policy that only admits +new replies blocks them, while one that admits
dnl +inv lets them through.
705 AT_SETUP([conntrack - invalid])
707 OVS_TRAFFIC_VSWITCHD_START()
709 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
711 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
712 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
713 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
714 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
716 dnl Pass traffic from ns0->ns1 without committing, but attempt to track in
717 dnl the opposite direction. This should fail.
718 dnl Pass traffic from ns2->ns3 (ports 3 and 4) without committing, and this
719 dnl time match invalid traffic and allow it through.
dnl Admitting +inv traffic (port 4 rule) is the permissive half of this test;
dnl it exists to verify the classification, not as a recommended policy.
720 AT_DATA([flows.txt], [dnl
721 priority=1,action=drop
722 priority=10,arp,action=normal
723 priority=10,icmp,action=normal
724 priority=100,in_port=1,tcp,action=ct(),2
725 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
726 priority=100,in_port=2,ct_state=+trk+new,tcp,action=1
727 priority=100,in_port=3,tcp,action=ct(),4
728 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
729 priority=100,in_port=4,ct_state=+trk+inv,tcp,action=3
730 priority=100,in_port=4,ct_state=+trk+new,tcp,action=3
733 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
735 dnl We set up our rules to allow the request without committing. The return
736 dnl traffic can't be identified, because the initial request wasn't committed.
737 dnl For the first pair of ports, this means that the connection fails.
dnl wget exit status 4 = network failure.
738 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
739 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4])
741 dnl For the second pair, we allow packets from invalid connections, so it works.
742 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
743 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
745 OVS_TRAFFIC_VSWITCHD_STOP
dnl Conntrack zones isolate connection state: an entry committed in zone 1
dnl is invisible to a lookup in zone 2 and vice versa.
748 AT_SETUP([conntrack - zones])
750 OVS_TRAFFIC_VSWITCHD_START()
752 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
754 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
755 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
756 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
757 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
759 dnl Allow any traffic from ns0->ns1. Allow return traffic, matching on zone.
760 dnl For ns2->ns3, use a different zone and see that the match fails.
dnl Port 4's reply rule deliberately requires ct_zone=1 although the
dnl connection was committed and looked up in zone 2, so replies from ns3
dnl never match and fall through to the default drop.
761 AT_DATA([flows.txt], [dnl
762 priority=1,action=drop
763 priority=10,arp,action=normal
764 priority=10,icmp,action=normal
765 priority=100,in_port=1,tcp,action=ct(commit,zone=1),2
766 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
767 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
768 priority=100,in_port=3,tcp,action=ct(commit,zone=2),4
769 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0,zone=2)
770 priority=100,in_port=4,ct_state=+trk,ct_zone=1,tcp,action=3
773 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
775 dnl HTTP requests from p0->p1 should work fine.
776 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
777 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl The dump must show the entry tagged with zone=1.
779 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
780 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
783 dnl HTTP requests from p2->p3 should fail due to network failure.
784 dnl Try 3 times, in 1 second intervals.
785 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
786 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl Even though the connection failed, the SYN from ns2 was committed, so a
dnl zone=2 entry exists in the table.
788 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
789 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
792 OVS_TRAFFIC_VSWITCHD_STOP
dnl Same zone-isolation test, but the zone is taken from a register field
dnl (reg0[0..15]) at ct() time instead of being written literally.
795 AT_SETUP([conntrack - zones from field])
797 OVS_TRAFFIC_VSWITCHD_START()
799 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
801 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
802 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
803 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
804 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
806 dnl Allow any traffic from ns0->ns1 and return traffic matching zone 0x1001.
dnl For ns2->ns3 the connection is tracked in zone 0x1002 but the reply rule
dnl on port 4 still requires ct_zone=0x1001, so that direction must fail.
dnl "[[0..15]]" is m4 quoting for the literal bit range "[0..15]".
807 AT_DATA([flows.txt], [dnl
808 priority=1,action=drop
809 priority=10,arp,action=normal
810 priority=10,icmp,action=normal
811 priority=100,in_port=1,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),2
812 priority=100,in_port=2,ct_state=-trk,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
813 priority=100,in_port=2,ct_state=+trk,ct_zone=0x1001,tcp,action=1
814 priority=100,in_port=3,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),4
815 priority=100,in_port=4,ct_state=-trk,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
816 priority=100,in_port=4,ct_state=+trk,ct_zone=0x1001,tcp,action=3
819 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
821 dnl HTTP requests from p0->p1 should work fine.
822 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
823 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl dump-conntrack prints the zone in decimal: 4097 == 0x1001.
825 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
826 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=4097,protoinfo=(state=<cleared>)
829 dnl HTTP requests from p2->p3 should fail due to network failure.
830 dnl Try 3 times, in 1 second intervals.
831 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
832 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl 4098 == 0x1002: the SYN was committed in the second zone.
834 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
835 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=4098,protoinfo=(state=<cleared>)
838 OVS_TRAFFIC_VSWITCHD_STOP
841 AT_SETUP([conntrack - multiple bridges])
843 OVS_TRAFFIC_VSWITCHD_START(
845 add-port br0 patch+ -- set int patch+ type=patch options:peer=patch- --\
846 add-port br1 patch- -- set int patch- type=patch options:peer=patch+ --])
848 ADD_NAMESPACES(at_ns0, at_ns1)
850 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
851 ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")
853 dnl Allow any traffic from ns0->br1, allow established in reverse.
dnl The flows assume port 1 on each bridge is the patch port and port 2 the
dnl veth, since the patch ports are added first above -- presumably; confirm.
dnl br0 tracks in zone=1 and br1 in zone=2, so the two bridges keep separate
dnl conntrack entries for the same connection.
854 AT_DATA([flows-br0.txt], [dnl
855 priority=1,action=drop
856 priority=10,arp,action=normal
857 priority=10,icmp,action=normal
858 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(commit,zone=1),1
859 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
860 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=1,action=2
863 dnl Allow any traffic from br0->ns1, allow established in reverse.
dnl New connections arriving over the patch port are committed only after a
dnl lookup in zone=2 confirms they are new; replies from ns1 are committed too
dnl so the established state is refreshed in both directions.
864 AT_DATA([flows-br1.txt], [dnl
865 priority=1,action=drop
866 priority=10,arp,action=normal
867 priority=10,icmp,action=normal
868 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=2)
869 priority=100,in_port=1,tcp,ct_state=+trk+new,ct_zone=2,action=ct(commit,zone=2),2
870 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=2,action=2
871 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
872 priority=100,in_port=2,tcp,ct_state=+trk+est,ct_zone=2,action=ct(commit,zone=2),1
875 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
876 AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt])
878 dnl HTTP requests from p0->p1 should work fine.
879 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
880 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
882 OVS_TRAFFIC_VSWITCHD_STOP
885 AT_SETUP([conntrack - multiple zones])
887 OVS_TRAFFIC_VSWITCHD_START()
889 ADD_NAMESPACES(at_ns0, at_ns1)
891 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
892 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
894 dnl Commit TCP from ns0->ns1 into both zone=1 and zone=2. Return traffic from
dnl ns1->ns0 is looked up in zone=2 only and allowed once it is tracked there.
dnl The dump at the end should show the same connection once per zone.
895 AT_DATA([flows.txt], [dnl
896 priority=1,action=drop
897 priority=10,arp,action=normal
898 priority=10,icmp,action=normal
899 priority=100,in_port=1,tcp,action=ct(commit,zone=1),ct(commit,zone=2),2
900 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=2)
901 priority=100,in_port=2,ct_state=+trk,ct_zone=2,tcp,action=1
904 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
906 dnl HTTP requests from p0->p1 should work fine.
907 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
908 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
910 dnl (again) HTTP requests from p0->p1 should work fine.
911 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
913 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
914 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
915 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
918 OVS_TRAFFIC_VSWITCHD_STOP
921 AT_SETUP([conntrack - multiple zones, local])
923 OVS_TRAFFIC_VSWITCHD_START()
925 ADD_NAMESPACES(at_ns0)
927 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
928 AT_CHECK([ip link set dev br0 up])
929 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
930 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
932 dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
933 dnl return traffic from ns0 back to the local stack.
dnl Return traffic must be established in zone 1 and then in zone 2 before it
dnl is output to LOCAL. There is no icmp shortcut here, so the ping is tracked
dnl too and appears in both zones in the dump below.
dnl NOTE(review): untracked IP from LOCAL is dropped and nothing runs ct() on
dnl it first; the test presumably relies on packets from the local stack
dnl already carrying conntrack state when they enter br0 -- confirm.
934 AT_DATA([flows.txt], [dnl
935 priority=1,action=drop
936 priority=10,arp,action=normal
937 priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
938 priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
939 priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
940 priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
941 table=1,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
942 table=2,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
945 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
947 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
948 3 packets transmitted, 3 received, 0% packet loss, time 0ms
951 dnl HTTP requests from root namespace to p0 should work fine.
952 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
953 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
955 dnl (again) HTTP requests from root namespace to p0 should work fine.
956 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
958 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
959 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=1
960 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=2
961 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
962 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
965 OVS_TRAFFIC_VSWITCHD_STOP
968 AT_SETUP([conntrack - multiple namespaces, internal ports])
970 OVS_TRAFFIC_VSWITCHD_START(
971 [set-fail-mode br0 secure -- ])
973 ADD_NAMESPACES(at_ns0, at_ns1)
975 ADD_INT(p0, at_ns0, br0, "10.1.1.1/24")
976 ADD_INT(p1, at_ns1, br0, "10.1.1.2/24")
978 dnl Allow TCP from ns0->ns1, committed in zone=1. From ns1->ns0 only allow
dnl traffic that is tracked in that zone; everything else hits the drop rule.
980 dnl If skb->nfct is leaking from inside the namespace, this test will fail.
dnl Internal ports are used instead of veths so that the packets come straight
dnl out of the namespace's own stack; the flows are otherwise the same as in
dnl the veth based tests above.
981 AT_DATA([flows.txt], [dnl
982 priority=1,action=drop
983 priority=10,arp,action=normal
984 priority=10,icmp,action=normal
985 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=1),2
986 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
987 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
990 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
992 dnl HTTP requests from p0->p1 should work fine.
993 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
994 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
996 dnl (again) HTTP requests from p0->p1 should work fine.
997 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
999 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1000 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
dnl The two sed expressions filter log lines about the internal ports that
dnl presumably appear when the namespaces are torn down; anything else logged
dnl is still subject to the usual checks in OVS_TRAFFIC_VSWITCHD_STOP.
1003 OVS_TRAFFIC_VSWITCHD_STOP(["dnl
1004 /ioctl(SIOCGIFINDEX) on .* device failed: No such device/d
1005 /removing policing failed: No such device/d"])
1008 AT_SETUP([conntrack - multi-stage pipeline, local])
1010 OVS_TRAFFIC_VSWITCHD_START()
1012 ADD_NAMESPACES(at_ns0)
1014 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
1015 AT_CHECK([ip link set dev br0 up])
1016 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
1017 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
1019 dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
1020 dnl return traffic from ns0 back to the local stack.
dnl Every connection is committed twice: once in the ingress zone (the input
dnl port number) and once in the egress zone (the output port number kept in
dnl REG0). Return traffic has to be established in both before it is output.
1021 AT_DATA([flows.txt], [dnl
1023 table=0,priority=1,action=drop
1024 table=0,priority=10,arp,action=normal
1026 dnl Load the output port to REG0
1027 table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
1028 table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1
1030 dnl Ingress pipeline
1031 dnl - Allow all connections from LOCAL port (commit and proceed to egress)
1032 dnl - All other connections go through conntracker using the input port as
1033 dnl a connection tracking zone.
dnl NOTE(review): the priority=150 rule only matches LOCAL packets that are
dnl already tracked and new; as in the "multiple zones, local" test this seems
dnl to rely on packets from the local stack entering br0 with conntrack state
dnl attached -- confirm.
1034 table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2
1035 table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
1036 table=1,priority=1,action=drop
1039 dnl - Allow all connections from LOCAL port (commit and skip to output)
1040 dnl - Allow other established connections to go through conntracker using
1041 dnl output port as a connection tracking zone.
1042 table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4
1043 table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
1044 table=2,priority=1,action=drop
1046 dnl Only allow established traffic from egress ct lookup
1047 table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
1048 table=3,priority=1,action=drop
dnl Output to the port that table 0 saved in REG0.
1051 table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
1054 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1056 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1057 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1060 dnl HTTP requests from root namespace to p0 should work fine.
1061 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1062 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1064 dnl (again) HTTP requests from root namespace to p0 should work fine.
1065 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Connections from the local stack show up in zone 65534 (the low 16 bits of
dnl the LOCAL port number, their ingress zone) and in zone 1 (port 1, their
dnl egress zone loaded into REG0 by table 0).
1067 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
1068 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=1
1069 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=65534
1070 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1071 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=65534,protoinfo=(state=<cleared>)
1074 OVS_TRAFFIC_VSWITCHD_STOP
1077 AT_SETUP([conntrack - ct_mark])
1079 OVS_TRAFFIC_VSWITCHD_START()
1081 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1083 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1084 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1085 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1086 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1088 dnl Allow traffic between ns0<->ns1 using the ct_mark.
1089 dnl Check that different marks do not match for traffic between ns2<->ns3.
dnl ns2->ns3 commits mark 2 but the in_port=4 rule deliberately matches
dnl ct_mark=1, so replies from ns3 fall through to the priority=1 drop. The
dnl entry is still committed, which is why it shows up with mark=2 below.
1090 AT_DATA([flows.txt], [dnl
1091 priority=1,action=drop
1092 priority=10,arp,action=normal
1093 priority=10,icmp,action=normal
1094 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
1095 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1096 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
1097 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:2->ct_mark)),4
1098 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
1099 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
1102 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1104 dnl HTTP requests from p0->p1 should work fine.
1105 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1106 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1108 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1109 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=<cleared>)
1112 dnl HTTP requests from p2->p3 should fail due to network failure.
1113 dnl Try 3 times, in 1 second intervals.
1114 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
1115 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
1117 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
1118 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=<cleared>)
1121 OVS_TRAFFIC_VSWITCHD_STOP
1124 AT_SETUP([conntrack - ct_mark bit-fiddling])
1126 OVS_TRAFFIC_VSWITCHD_START()
1128 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1130 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1131 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1133 dnl Allow traffic between ns0<->ns1 using the ct_mark. Return traffic should
1134 dnl cause an additional bit to be set in the connection (and be allowed).
dnl The first packet from port 1 commits with set_field:0x5/0x5, setting bits
dnl 0 and 2. The reply from port 2 commits with set_field:0x2/0x6, which sets
dnl bit 1 and clears bit 2, leaving mark=3; that is the value the in_port=2
dnl rule in table 1 matches and the dump at the end expects.
1135 AT_DATA([flows.txt], [dnl
1136 table=0,priority=1,action=drop
1137 table=0,priority=10,arp,action=normal
1138 table=0,priority=10,icmp,action=normal
1139 table=0,priority=100,in_port=1,tcp,action=ct(table=1)
1140 table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x2/0x6->ct_mark))
1141 table=1,priority=100,in_port=1,ct_state=+new,tcp,action=ct(commit,exec(set_field:0x5/0x5->ct_mark)),2
1142 table=1,priority=100,in_port=1,ct_state=-new,tcp,action=2
1143 table=1,priority=100,in_port=2,ct_state=+trk,ct_mark=3,tcp,action=1
1146 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1148 dnl HTTP requests from p0->p1 should work fine.
1149 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1150 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1152 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1153 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=3,protoinfo=(state=<cleared>)
1156 OVS_TRAFFIC_VSWITCHD_STOP
1159 AT_SETUP([conntrack - ct_mark from register])
1161 OVS_TRAFFIC_VSWITCHD_START()
1163 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1165 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1166 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1167 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1168 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1170 dnl Same as the ct_mark test, but the mark is moved into the connection from
dnl REG0 rather than set directly. ns0<->ns1 use mark 1. ns2->ns3 commits
dnl mark 2 while the in_port=4 rule matches ct_mark=1, so replies from ns3 are
dnl dropped; the entry is still committed and appears with mark=2 below.
1171 AT_DATA([flows.txt], [dnl
1172 priority=1,action=drop
1173 priority=10,arp,action=normal
1174 priority=10,icmp,action=normal
1175 priority=100,in_port=1,tcp,action=load:1->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),2
1176 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1177 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
1178 priority=100,in_port=3,tcp,action=load:2->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),4
1179 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
1180 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
1183 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1185 dnl HTTP requests from p0->p1 should work fine.
1186 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1187 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1189 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1190 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=<cleared>)
1193 dnl HTTP requests from p2->p3 should fail due to network failure.
1194 dnl Try 3 times, in 1 second intervals.
1195 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
1196 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
1198 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
1199 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=<cleared>)
1202 OVS_TRAFFIC_VSWITCHD_STOP
1205 AT_SETUP([conntrack - ct_label])
1207 OVS_TRAFFIC_VSWITCHD_START()
1209 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1211 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1212 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1213 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1214 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1216 dnl Allow traffic between ns0<->ns1 using the ct_label.
1217 dnl Check that different labels do not match for traffic between ns2<->ns3.
dnl ns2->ns3 commits label 0x2 but the in_port=4 rule deliberately matches the
dnl ns0<->ns1 label, so replies from ns3 hit the priority=1 drop. Unlike the
dnl ct_mark test no conntrack dump is checked; the two wget results are the
dnl only assertions.
1218 AT_DATA([flows.txt], [dnl
1219 priority=1,action=drop
1220 priority=10,arp,action=normal
1221 priority=10,icmp,action=normal
1222 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:0x0a000d000005000001->ct_label)),2
1223 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1224 priority=100,in_port=2,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=1
1225 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:0x2->ct_label)),4
1226 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
1227 priority=100,in_port=4,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=3
1230 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1232 dnl HTTP requests from p0->p1 should work fine.
1233 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1234 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1236 dnl HTTP requests from p2->p3 should fail due to network failure.
1237 dnl Try 3 times, in 1 second intervals.
1238 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
1239 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
1241 OVS_TRAFFIC_VSWITCHD_STOP
1244 AT_SETUP([conntrack - ct_label bit-fiddling])
1246 OVS_TRAFFIC_VSWITCHD_START()
1248 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1250 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1251 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1253 dnl Allow traffic between ns0<->ns1 using the ct_labels. Return traffic should
1254 dnl cause an additional bit to be set in the connection labels (and be allowed)
dnl The first packet from port 1 commits with set_field:0x5/0x5, setting bits
dnl 0 and 2. The reply from port 2 commits with 0x200000000/0x200000004,
dnl which sets bit 33 and clears bit 2, leaving labels=0x200000001; that is
dnl what the in_port=2 rule in table 1 matches and the dump expects.
1255 AT_DATA([flows.txt], [dnl
1256 table=0,priority=1,action=drop
1257 table=0,priority=10,arp,action=normal
1258 table=0,priority=10,icmp,action=normal
1259 table=0,priority=100,in_port=1,tcp,action=ct(table=1)
1260 table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label))
1261 table=1,priority=100,in_port=1,tcp,ct_state=+new,action=ct(commit,exec(set_field:0x5/0x5->ct_label)),2
1262 table=1,priority=100,in_port=1,tcp,ct_state=-new,action=2
1263 table=1,priority=100,in_port=2,ct_state=+trk,ct_label=0x200000001,tcp,action=1
1266 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1268 dnl HTTP requests from p0->p1 should work fine.
1269 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1270 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1272 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1273 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),labels=0x200000001,protoinfo=(state=<cleared>)
1276 OVS_TRAFFIC_VSWITCHD_STOP
1279 AT_SETUP([conntrack - ct metadata, multiple zones])
1281 OVS_TRAFFIC_VSWITCHD_START()
1283 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1285 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1286 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1288 dnl Allow traffic between ns0<->ns1 using the ct_mark and ct_labels in zone=1,
1289 dnl but do *not* set any of these for the ct() in zone=2. Traffic should pass,
1290 dnl and we should see that the conntrack entries only apply the ct_mark and
1291 dnl ct_labels to the connection in zone=1.
dnl The arithmetic is the same as in the two bit-fiddling tests: mark 0x5 then
dnl 0x2/0x6 gives 3, label 0x5 then 0x200000000/0x200000004 gives
dnl 0x200000001. The zone=2 entry must carry neither.
1292 AT_DATA([flows.txt], [dnl
1293 table=0,priority=1,action=drop
1294 table=0,priority=10,arp,action=normal
1295 table=0,priority=10,icmp,action=normal
1296 table=0,priority=100,in_port=1,tcp,action=ct(zone=1,table=1)
1297 table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(zone=1,table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label,set_field:0x2/0x6->ct_mark))
1298 table=1,priority=100,in_port=1,tcp,ct_state=+new,action=ct(zone=1,commit,exec(set_field:0x5/0x5->ct_label,set_field:0x5/0x5->ct_mark)),ct(commit,zone=2),2
1299 table=1,priority=100,in_port=1,tcp,ct_state=-new,action=ct(zone=2),2
1300 table=1,priority=100,in_port=2,tcp,action=ct(zone=2),1
1303 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1305 dnl HTTP requests from p0->p1 should work fine.
1306 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1307 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1309 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1310 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,mark=3,labels=0x200000001,protoinfo=(state=<cleared>)
1311 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
1314 OVS_TRAFFIC_VSWITCHD_STOP
1317 AT_SETUP([conntrack - ICMP related])
1319 OVS_TRAFFIC_VSWITCHD_START()
1321 ADD_NAMESPACES(at_ns0, at_ns1)
1323 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1324 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1326 dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
dnl No rule allows icmp on its own: the ICMP error from ns1 is admitted only
dnl because conntrack marks it related (+rel) to the committed UDP entry and
dnl it carries that entry's ct_mark=1.
1327 AT_DATA([flows.txt], [dnl
1328 priority=1,action=drop
1329 priority=10,arp,action=normal
1330 priority=100,in_port=1,udp,action=ct(commit,exec(set_field:1->ct_mark)),2
1331 priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
1332 priority=100,in_port=2,icmp,ct_state=+trk+rel,ct_mark=1,action=1
1335 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1337 dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
dnl The flow counters below should show exactly one packet through each of the
dnl three rules. ovs-ofctl prints the set_field as a load, hence the different
dnl spelling of the UDP rule's actions.
1338 NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])
1340 AT_CHECK([ovs-appctl revalidator/purge], [0])
1341 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
1342 n_packets=1, n_bytes=44, priority=100,udp,in_port=1 actions=ct(commit,exec(load:0x1->NXM_NX_CT_MARK[[]])),output:2
1343 n_packets=1, n_bytes=72, priority=100,ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2 actions=output:1
1344 n_packets=1, n_bytes=72, priority=100,ct_state=-trk,icmp,in_port=2 actions=ct(table=0)
1345 n_packets=2, n_bytes=84, priority=10,arp actions=NORMAL
1349 OVS_TRAFFIC_VSWITCHD_STOP
1352 AT_SETUP([conntrack - ICMP related 2])
1354 OVS_TRAFFIC_VSWITCHD_START()
1356 ADD_NAMESPACES(at_ns0, at_ns1)
1358 ADD_VETH(p0, at_ns0, br0, "172.16.0.1/24")
1359 ADD_VETH(p1, at_ns1, br0, "172.16.0.2/24")
1361 dnl Commit UDP from ns0->ns1 and send every tracked IP packet from port 1 to
dnl the controller. From ns1->ns0 only related replies (ICMP errors that
dnl conntrack ties to a committed connection) reach the controller.
1362 AT_DATA([flows.txt], [dnl
1363 priority=1,action=drop
1364 priority=10,arp,action=normal
1365 priority=100,in_port=1,udp,ct_state=-trk,action=ct(commit,table=0)
1366 priority=100,in_port=1,ip,ct_state=+trk,actions=controller
1367 priority=100,in_port=2,ip,ct_state=-trk,action=ct(table=0)
1368 priority=100,in_port=2,ip,ct_state=+trk+rel+rpl,action=controller
1371 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt])
1373 AT_CAPTURE_FILE([ofctl_monitor.log])
1374 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
1376 dnl 1. Send an ICMP port unreach reply for port 8738, without any previous request
1377 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f355ac100004ac1000030303553f0000000045000021317040004011b138ac100003ac10000411112222000d20966369616f0a'])
1379 dnl 2. Send a UDP packet to port 5555
1380 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit,table=0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
1382 dnl 3. Send an ICMP port unreach reply for port 5555, related to the first packet
1383 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
1385 dnl Check this output. We only see the latter two packets, not the first.
dnl The first ICMP error refers to a UDP flow that was never committed, so it
dnl is not classified +rel and falls through to the priority=1 drop.
1386 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
1387 NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=47 ct_state=new|trk,in_port=1 (via action) data_len=47 (unbuffered)
1388 udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096
1389 NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=75 ct_state=rel|rpl|trk,in_port=2 (via action) data_len=75 (unbuffered)
1390 icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f
1393 OVS_TRAFFIC_VSWITCHD_STOP
1396 AT_SETUP([conntrack - FTP])
1397 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1399 OVS_TRAFFIC_VSWITCHD_START()
1401 ADD_NAMESPACES(at_ns0, at_ns1)
1403 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1404 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1406 dnl Allow any TCP from ns0->ns1 with the FTP helper attached on commit.
dnl From ns1->ns0 only allow connections that are established, or related to
dnl an established one (the data connection an active-mode server opens).
1407 AT_DATA([flows1.txt], [dnl
1408 priority=1,action=drop
1409 priority=10,arp,action=normal
1410 priority=10,icmp,action=normal
1411 priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
1412 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
1413 priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
1414 priority=100,in_port=2,tcp,ct_state=+trk+rel,action=1
1417 dnl Similar policy but without allowing all traffic from ns0->ns1.
dnl Only new connections from ns0 are committed (with the helper), and a
dnl related data connection from ns1 is committed in its own right before its
dnl established packets are let through.
1418 AT_DATA([flows2.txt], [dnl
1419 priority=1,action=drop
1420 priority=10,arp,action=normal
1421 priority=10,icmp,action=normal
1422 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0)
1423 priority=100,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
1424 priority=100,in_port=1,tcp,ct_state=+trk+est,action=2
1425 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
1426 priority=100,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
1427 priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
1428 priority=100,in_port=2,tcp,ct_state=+trk-new+rel,action=1
1431 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
1433 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
1434 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1435 OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
1437 dnl FTP requests from p1->p0 should fail due to network failure.
1438 dnl Try 3 times, in 1 second intervals.
dnl Nothing is committed for the rejected direction, so the conntrack dump for
dnl 10.1.1.1 is expected to be empty.
1439 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
1440 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
1443 dnl FTP requests from p0->p1 should work fine.
1444 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1445 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1446 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
1449 dnl Try the second set of flows.
1450 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
1451 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1453 dnl FTP requests from p1->p0 should fail due to network failure.
1454 dnl Try 3 times, in 1 second intervals.
dnl As above, the conntrack dump for 10.1.1.1 is expected to be empty.
1455 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
1456 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
1459 dnl Active FTP requests from p0->p1 should work fine.
dnl In active mode the server opens the data connection back to the client,
dnl hence the second entry with orig src=10.1.1.2, admitted by the
dnl +trk+new+rel rule on in_port=2.
1460 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log])
1461 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1462 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
1463 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
1466 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1468 dnl Passive FTP requests from p0->p1 should work fine.
dnl In passive mode the client opens the data connection too, so both entries
dnl originate from 10.1.1.1 and only the control connection has the helper.
1469 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log])
1470 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1471 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
1472 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
1475 OVS_TRAFFIC_VSWITCHD_STOP
1479 AT_SETUP([conntrack - IPv6 FTP])
1480 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1482 OVS_TRAFFIC_VSWITCHD_START()
1484 ADD_NAMESPACES(at_ns0, at_ns1)
1486 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1487 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1489 dnl Allow any traffic from ns0->ns1.
1490 dnl Only allow nd, return traffic from ns1->ns0.
1491 AT_DATA([flows.txt], [dnl
1492 dnl Track all IPv6 traffic and drop the rest.
1493 dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked.
1494 table=0 priority=100 in_port=1 icmp6, action=2
1495 table=0 priority=100 in_port=2 icmp6, action=1
1496 table=0 priority=10 ip6, action=ct(table=1)
1497 table=0 priority=0 action=drop
1501 dnl Allow new TCPv6 FTP control connections from port 1.
dnl Only the control port (tp_dst=21) may open a new connection from port 1;
dnl any other new TCPv6 from port 1 falls through to the drop rule below.
1502 table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
1503 dnl Allow related TCPv6 connections from port 2.
dnl This is the active-mode data connection the server opens back to the
dnl client; it is committed so its later packets match as established.
1504 table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1
1505 dnl Allow established TCPv6 connections both ways.
1506 table=1 in_port=1 ct_state=+est, tcp6, action=2
1507 table=1 in_port=2 ct_state=+est, tcp6, action=1
1508 dnl Drop everything else.
1509 table=1 priority=0, action=drop
1512 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1514 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1515 dnl waiting, we get occasional failures due to the following error:
1516 dnl "connect: Cannot assign requested address"
1517 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
1519 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1520 OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
1522 dnl FTP requests from p0->p1 should work fine.
1523 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
1525 dnl Discards CLOSE_WAIT and CLOSING
dnl Expect the control connection (with the ftp helper) and the server-opened
dnl data connection (orig src=fc00::2); the pings are not committed and so do
dnl not appear.
1526 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
1527 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
1528 tcp,orig=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
1531 OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - FTP with multiple expectations])
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Dual-firewall: every connection is tracked in two zones (1 and 2), so the
dnl FTP helper has to create its expectation in both of them. Allow all TCP
dnl from ns0->ns1; from ns1->ns0 only related and established traffic.
dnl Unlike the IPv6 FTP test, alg=ftp is attached to every new TCP connection
dnl from port 1 rather than only to tp_dst=21. That is what this test needs,
dnl but in a real policy it lets a client drive the ALG on any port.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
dnl ns0->ns1: track in zone 1, then in zone 2, committing new connections
dnl with the FTP helper in both zones.
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=0,zone=2)
priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=2)
priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
dnl ns1->ns0: track in zone 2, then in zone 1. Only +rel (the server-initiated
dnl data channel) or +est is forwarded; a related connection is committed in
dnl both zones so that its later packets match as established.
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=0,zone=1)
priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
dnl FTP requests from p1->p0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
dnl A SYN from port 2 is new rather than related or established, so it is
dnl dropped: wget reports exit status 4 (network failure) and no conntrack
dnl entry for 10.1.1.1 may exist afterwards.
NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
dnl Active FTP requests from p0->p1 should work fine.
dnl Expect the control connection with helper=ftp and the server-initiated
dnl data connection, each once per zone.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
AT_CHECK([ovs-appctl dpctl/flush-conntrack])
dnl Passive FTP requests from p0->p1 should work fine.
dnl In passive mode the client opens the data channel as well, so both entries
dnl per zone have orig src 10.1.1.1 and only the control one carries the helper.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv4 fragmentation ])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Sending ping through conntrack
dnl Fragmented ICMP has to be reassembled by conntrack before it can be
dnl matched, committed and forwarded. The 1600- and 3200-byte payloads are
dnl presumably larger than the veth MTU and so arrive as several fragments.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
dnl ns0->ns1: commit every ICMP datagram in zone 9 and forward it.
priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
dnl ns1->ns0: only replies to an already committed entry are let back.
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Ipv4 fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Ipv4 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
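AT_SETUP([conntrack - IPv4 fragmentation expiry])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Incomplete-reassembly check: only the first fragment of each datagram
dnl reaches conntrack, so the reassembly queue can never complete and has to
dnl be released by its timer instead of leaking or taking the kernel down.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
dnl Only allow non-fragmented messages and 1st fragments of each message.
dnl Later fragments match neither rule and fall through to the priority=1 drop.
dnl Note the comma between ip_frag=first and action=, which is required for
dnl ovs-ofctl to parse the flow.
priority=100,in_port=1,icmp,ip_frag=no,action=ct(commit,zone=9),2
priority=100,in_port=1,icmp,ip_frag=first,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Ipv4 fragmentation connectivity check.
dnl No reply can ever arrive. With -w, ping waits for -c replies rather than
dnl stopping after -c sends, so it keeps transmitting every 0.3s until the
dnl 2s deadline: 7 transmissions and 100% loss are the expected outcome.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 1 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
7 packets transmitted, 0 received, 100% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP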
AT_SETUP([conntrack - IPv4 fragmentation + vlan])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
dnl Sending ping through conntrack
dnl Same policy as the plain IPv4 fragmentation test, but the pings go over
dnl the VLAN 100 sub-interfaces, so the fragments carry an 802.1Q tag that
dnl reassembly has to preserve.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
dnl ns0->ns1: commit every ICMP datagram in zone 9 and forward it.
priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
dnl ns1->ns0: only replies to an already committed entry are let back.
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Ipv4 fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Ipv4 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv6 fragmentation])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl Sending ping through conntrack
dnl IPv6 counterpart of the IPv4 fragmentation test: fragmented echo requests
dnl must be reassembled by conntrack before they are committed and forwarded.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
dnl ns0->ns1: commit all IPv6 in zone 9 and forward it.
priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
dnl ns1->ns0: only replies to an already committed entry are let back.
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
dnl Neighbour Discovery (solicitation 135, advertisement 136) is switched
dnl normally in both directions without being tracked.
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Ipv6 fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Ipv6 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv6 fragmentation expiry])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl Incomplete-reassembly check for IPv6: only the first fragment of each
dnl datagram reaches conntrack, so the reassembly queue can never complete
dnl and has to be released by its timer instead of leaking or taking the
dnl kernel down.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
dnl Only allow non-fragmented messages and 1st fragments of each message.
dnl Later fragments match neither rule and fall through to the priority=1 drop.
priority=10,in_port=1,ipv6,ip_frag=first,action=ct(commit,zone=9),2
priority=10,in_port=1,ipv6,ip_frag=no,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
dnl Neighbour Discovery
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Send an IPv6 fragment. Some time later, it should expire.
dnl No reply can ever arrive. With -w, ping waits for -c replies rather than
dnl stopping after -c sends, so it keeps transmitting every 0.3s until the
dnl 2s deadline: 7 transmissions and 100% loss are the expected outcome.
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 1 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
7 packets transmitted, 0 received, 100% packet loss, time 0ms
dnl At this point, the kernel will either crash or everything is OK.
dnl The test has no explicit wait here; a clean shutdown below is the check.
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv6 fragmentation + vlan])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
ADD_VLAN(p0, at_ns0, 100, "fc00:1::3/96")
ADD_VLAN(p1, at_ns1, 100, "fc00:1::4/96")
dnl Sending ping through conntrack
dnl Same policy as the plain IPv6 fragmentation test, but the pings go over
dnl the VLAN 100 sub-interfaces, so the fragments carry an 802.1Q tag that
dnl reassembly has to preserve.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
dnl Neighbour Discovery, switched normally and untracked.
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
dnl This readiness probe uses the untagged address; the tagged path is only
dnl exercised by the checks below.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl IPv6 fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl IPv6 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - Fragmentation over vxlan])
OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
ADD_NAMESPACES(at_ns0)
dnl Sending ping through conntrack
dnl Overlay policy on br0. in_port=1 is the vxlan port added below, which is
dnl the only port on br0; decapsulated ICMP from the namespace is committed
dnl in zone 9 and handed to the host stack via LOCAL, and only established
dnl replies from LOCAL go back into the tunnel.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),LOCAL
priority=100,in_port=LOCAL,icmp,action=ct(table=1,zone=9)
table=1,priority=100,in_port=LOCAL,ct_state=+trk+est,icmp,action=1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])
dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
dnl VNI 0 and the standard VXLAN port 4789 are used on the native side.
ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
[id 0 dstport 4789])
dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Okay, now check the overlay with different packet sizes
dnl The larger payloads are presumably fragmented as inner IPv4 before
dnl encapsulation, so conntrack must reassemble them after decapsulation.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv6 Fragmentation over vxlan])
OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
ADD_NAMESPACES(at_ns0)
dnl Sending ping through conntrack
dnl Overlay policy on br0. in_port=1 is the vxlan port added below, which is
dnl the only port on br0; decapsulated IPv6 from the namespace is committed
dnl in zone 9 and handed to the host stack via LOCAL, and only established
dnl replies from LOCAL go back into the tunnel.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=100,in_port=1,ipv6,action=ct(commit,zone=9),LOCAL
priority=100,in_port=LOCAL,ipv6,action=ct(table=1,zone=9)
table=1,priority=100,in_port=LOCAL,ct_state=+trk+est,ipv6,action=1
dnl Neighbour Discovery
dnl Higher priority than the ipv6 rules so ND is never tracked or committed.
priority=1000,icmp6,icmp_type=135,action=normal
priority=1000,icmp6,icmp_type=136,action=normal
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])
dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
dnl The underlay stays IPv4; only the overlay addresses are IPv6.
ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], ["fc00::2/96"])
ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], ["fc00::1/96"],
[id 0 dstport 4789])
dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Okay, now check the overlay with different packet sizes
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - resubmit to ct multiple times])
dnl Secure fail mode so that nothing is forwarded by NORMAL when no flow
dnl matches; the only way out is through the flows installed below.
OVS_TRAFFIC_VSWITCHD_START(
[set-fail-mode br0 secure -- ])
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl One IP packet from port 1 is resubmitted to table 1 and then table 2, and
dnl each of those invokes ct(table=3). The packet must reach table 3 twice,
dnl which shows that the second resubmit is not lost across the ct action.
AT_DATA([flows.txt], [dnl
table=0,priority=150,arp,action=normal
table=0,priority=100,ip,in_port=1,action=resubmit(,1),resubmit(,2)
table=1,priority=100,ip,action=ct(table=3)
table=2,priority=100,ip,action=ct(table=3)
table=3,ip,action=drop
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
dnl The ping itself is expected to be dropped in table 3.
NS_CHECK_EXEC([at_ns0], [ping -q -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
1 packets transmitted, 0 received, 100% packet loss, time 0ms
dnl Counters: one 98-byte echo request in table 0, once in each of tables
dnl 1 and 2, and twice in table 3 (n_bytes=196).
AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort], [0], [dnl
n_packets=1, n_bytes=98, priority=100,ip,in_port=1 actions=resubmit(,1),resubmit(,2)
n_packets=2, n_bytes=84, priority=150,arp actions=NORMAL
table=1, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
table=2, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
table=3, n_packets=2, n_bytes=196, ip actions=drop
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - simple SNAT])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0 so the ARP responder below can answer for the SNAT pool
dnl with the address that return traffic must actually be delivered to.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Allow any IP traffic from ns0->ns1, source-NATted into 10.1.1.240-255.
dnl Return traffic from ns1 is un-NATted and forwarded to ns0.
dnl Note that +trk alone also matches tracked +new packets, so the ns1->ns0
dnl rule does not restrict ns1 to reply traffic; the test only exercises the
dnl reply direction. Compare the more complex SNAT test, which requires +est.
dnl The pool also contains 10.1.1.255, the broadcast address of this /24;
dnl fine for a test, but not something to copy into a real policy.
AT_DATA([flows.txt], [dnl
in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)
in_port=2,ct_state=+trk,ct_zone=1,ip,action=1
dnl ARP requests: stash the target IP in reg2, look up a MAC for it in table
dnl 8 and then build a reply (or fall back to normal) in table 10.
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0,action=drop
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, i.e. exactly the SNAT pool.
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is saved in reg3 and then zeroed so that output may send the
dnl reply back out of the port it arrived on.
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The reply tuple's dst is whichever pool address was picked; the sed masks
dnl its last digit so that any of 10.1.1.240-255 is accepted.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - SNAT with port range])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0 so the ARP responder below can answer for the SNAT pool.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl TCP from ns0->ns1 is source-NATted into 10.1.1.240-255 with the source
dnl port chosen at random from 34567-34568. Only traffic from ns1 aimed at
dnl one of those two ports is tracked and un-NATted; everything else from
dnl ns1 hits the priority=0 drop.
dnl As in the simple SNAT test, the +trk rule also matches tracked +new
dnl packets on those ports, so it is not strictly a reply-only rule.
AT_DATA([flows.txt], [dnl
in_port=1,tcp,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255:34567-34568,random)),2
in_port=2,ct_state=-trk,tcp,tp_dst=34567,action=ct(table=0,zone=1,nat)
in_port=2,ct_state=-trk,tcp,tp_dst=34568,action=ct(table=0,zone=1,nat)
in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
dnl ARP requests: stash the target IP in reg2, look up a MAC for it in table
dnl 8 and then build a reply (or fall back to normal) in table 10.
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0,action=drop
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, i.e. exactly the SNAT pool.
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is saved in reg3 and then zeroed so that output may send the
dnl reply back out of the port it arrived on.
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The sed masks the last digit of the chosen pool address; the port is
dnl already cleared by FORMAT_CT, so the chosen port is not checked here.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - more complex SNAT])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0 so the ARP responder below can answer for the SNAT pool.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Two-stage variant of the SNAT test: table 0 sends every IP packet through
dnl conntrack with NAT applied for known connections, and table 1 decides on
dnl the tracked state. ns1->ns0 is limited to established traffic here.
AT_DATA([flows.txt], [dnl
dnl Track all IP traffic, NAT existing connections.
priority=100 ip action=ct(table=1,zone=1,nat)
dnl Allow ARP, but generate responses for NATed addresses
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0 action=drop
dnl Allow any traffic from ns0->ns1. SNAT ns0 to 10.1.1.240-10.1.1.255
dnl (the pool includes 10.1.1.255, the broadcast address of this /24).
table=1 priority=100 in_port=1 ip ct_state=+trk+new-est action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
table=1 priority=100 in_port=1 ip ct_state=+trk-new+est action=2
dnl Only allow established traffic from ns1->ns0.
table=1 priority=100 in_port=2 ip ct_state=+trk-new+est action=1
table=1 priority=0 action=drop
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, i.e. exactly the SNAT pool.
table=8 priority=100 reg2=0x0a0101f0/0xfffffff0 action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
table=8 priority=0 action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl ARP TPA IP in reg2.
table=10 priority=100 arp xreg0=0 action=normal
dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is saved in reg3 and then zeroed so that output may send the
dnl reply back out of the port it arrived on.
table=10 priority=10 arp arp_op=1 action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The sed masks the last digit of whichever pool address was chosen.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - simple DNAT])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Fixed MAC for p1 so the ARP responder below can answer for the virtual
dnl IP 10.1.1.64 with the MAC of the real server.
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
dnl Allow any IP traffic from ns0->ns1; traffic to the virtual IP 10.1.1.64 is
dnl destination-NATted to 10.1.1.2, other destinations are committed as-is.
dnl Only established (un-NATted) return traffic from ns1->ns0 is allowed.
AT_DATA([flows.txt], [dnl
priority=100 in_port=1,ip,nw_dst=10.1.1.64,action=ct(zone=1,nat(dst=10.1.1.2),commit),2
priority=10 in_port=1,ip,action=ct(commit,zone=1),2
priority=100 in_port=2,ct_state=-trk,ip,action=ct(table=0,nat,zone=1)
priority=100 in_port=2,ct_state=+trk+est,ct_zone=1,ip,action=1
dnl ARP requests: stash the target IP in reg2, look up a MAC for it in table
dnl 8 and then build a reply (or fall back to normal) in table 10.
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0,action=drop
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64, the virtual IP; only that exact address is
dnl answered for.
table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
table=10 priority=100 arp xreg0=0 action=normal
dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is saved in reg3 and then zeroed so that output may send the
dnl reply back out of the port it arrived on.
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Should work with the virtual IP address through NAT
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl orig dst is the virtual IP, reply src the real server address.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
dnl Should work with the assigned IP address as well
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - more complex DNAT])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Fixed MAC for p1 so the ARP responder below can answer for the virtual
dnl IP 10.1.1.64 with the MAC of the real server.
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
dnl Two-stage variant of the DNAT test: table 0 sends every IP packet through
dnl conntrack with NAT applied for known connections, and table 1 decides on
dnl the tracked state. Only established traffic is allowed from ns1->ns0.
AT_DATA([flows.txt], [dnl
dnl Track all IP traffic
table=0 priority=100 ip action=ct(table=1,zone=1,nat)
dnl Allow ARP, but generate responses for NATed addresses
table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
table=0 priority=10 arp action=normal
table=0 priority=0 action=drop
dnl Allow any IP traffic from ns0->ns1. DNAT ns0 from 10.1.1.64 to 10.1.1.2
dnl New connections to any other destination are committed without NAT.
table=1 priority=100 in_port=1 ct_state=+new ip nw_dst=10.1.1.64 action=ct(zone=1,nat(dst=10.1.1.2),commit),2
table=1 priority=10 in_port=1 ct_state=+new ip action=ct(commit,zone=1),2
table=1 priority=100 in_port=1 ct_state=+est ct_zone=1 action=2
dnl Only allow established traffic from ns1->ns0.
table=1 priority=100 in_port=2 ct_state=+est ct_zone=1 action=1
table=1 priority=0 action=drop
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64, the virtual IP; only that exact address is
dnl answered for.
table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
table=10 priority=100 arp xreg0=0 action=normal
dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is saved in reg3 and then zeroed so that output may send the
dnl reply back out of the port it arrived on.
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Should work with the virtual IP address through NAT
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl orig dst is the virtual IP, reply src the real server address.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
dnl Should work with the assigned IP address as well
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - ICMP related with NAT])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Pin p0's MAC: it is the address the table 8 ARP responder hands out for the
dnl SNAT range, so ns1 delivers frames for 10.1.1.240/28 to ns0.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
dnl Make sure ICMP responses are reverse-NATted.
AT_DATA([flows.txt], [dnl
dnl Every UDP packet from ns0 is committed with a source address picked from
dnl 10.1.1.240-10.1.1.255 and tagged ct_mark=1.  NOTE(review): the range
dnl includes 10.1.1.255, the broadcast address of the /24 both veths live in;
dnl the test tolerates it (see the sed further down), but a real deployment
dnl should stop the range at .254.
in_port=1,udp,action=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:1->ct_mark)),2
dnl Untracked ICMP from ns1 goes through conntrack with nat, which reverse
dnl translates an ICMP error that embeds a NATed UDP flow, then recirculates
dnl into table 0 with +trk set.
in_port=2,icmp,ct_state=-trk,action=ct(table=0,nat)
dnl Only ICMP that conntrack classifies as related to a committed mark=1 flow,
dnl and whose destination after un-NAT is the real client address, is let
dnl through.  Any other ICMP from ns1 ends at the priority=0 drop.
in_port=2,icmp,nw_dst=10.1.1.1,ct_state=+trk+rel,ct_mark=1,action=1
dnl ARP requests: target IP to reg2, MAC lookup in table 8, answer in table 10.
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0,action=drop
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, i.e. the whole SNAT range above.
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=100 arp xreg0=0 action=normal
dnl in_port is parked in reg3 and cleared so the reply can be output back
dnl through the ingress port.
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
dnl Presumably nothing listens on 10.1.1.2:10000, so ns1's kernel answers with
dnl an ICMP port-unreachable that embeds the (NATed) UDP header.
NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])
dnl Flush datapath flow stats into the OpenFlow counters before dumping them.
AT_CHECK([ovs-appctl revalidator/purge], [0])
dnl Drop rules are filtered out of this dump, so a stray packet hitting one
dnl would not show here; the conntrack dump below is the stronger check.
dnl n_packets=1 on the +rel rule shows the ICMP error was accepted with nw_dst
dnl already reverse-translated to 10.1.1.1.
AT_CHECK([ovs-ofctl -O OpenFlow15 dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
n_packets=1, n_bytes=42, priority=10,arp actions=NORMAL
n_packets=1, n_bytes=44, udp,in_port=1 actions=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:0x1->ct_mark)),output:2
n_packets=1, n_bytes=72, ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2,nw_dst=10.1.1.1 actions=output:1
n_packets=1, n_bytes=72, ct_state=-trk,icmp,in_port=2 actions=ct(table=0,nat)
n_packets=2, n_bytes=84, priority=100,arp,arp_op=1 actions=move:NXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
table=10, n_packets=1, n_bytes=42, priority=10,arp,arp_op=1 actions=set_field:2->arp_op,move:NXM_NX_ARP_SHA[[]]->NXM_NX_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_NX_ARP_SHA[[]],move:NXM_OF_ARP_SPA[[]]->NXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->NXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],set_field:0->in_port,output:NXM_NX_REG3[[0..15]]
table=10, n_packets=1, n_bytes=42, priority=100,arp,reg0=0,reg1=0 actions=NORMAL
table=8, n_packets=1, n_bytes=42, priority=0 actions=set_field:0->xreg0
table=8, n_packets=1, n_bytes=42, reg2=0xa0101f0/0xfffffff0 actions=set_field:0x808888888888->xreg0
OFPST_FLOW reply (OF1.5):
dnl The sed masks the randomly chosen SNAT address (10.1.1.240-255 -> 2XX).
dnl reply dst=10.1.1.2XX shows the source NAT took effect; mark=1 is the
dnl ct_mark set at commit and required by the +rel rule.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),mark=1
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - FTP with NAT])
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Pin p0's MAC: the table 8 ARP responder returns it for the SNAT address,
dnl so ns1 can reach 10.1.1.240.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Allow any traffic from ns0->ns1. Only allow ARP and return traffic from
dnl ns1->ns0.  (IPv4 test: ARP, not ND, is the resolution protocol here.)
AT_DATA([flows.txt], [dnl
dnl track all IP traffic, de-mangle non-NEW connections
dnl ct(...,nat) translates packets of committed connections in both directions
dnl before tables 1 and 2 match on addresses.
table=0 in_port=1, ip, action=ct(table=1,nat)
table=0 in_port=2, ip, action=ct(table=2,nat)
table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
table=0 priority=10 arp action=normal
table=0 priority=0 action=drop
dnl Table 1: port 1 -> 2
dnl Allow new FTP connections. These need to be committed.
dnl alg=ftp attaches the FTP helper, which reads the control channel payload to
dnl set up expectations for data connections (the conntrack dump at the end
dnl shows helper=ftp on this entry).  Only the real client address may open
dnl such a connection.
table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
dnl Allow established TCP connections, make sure they are NATted already.
dnl nw_src=10.1.1.240 asserts that table 0 already applied the SNAT; an
dnl established packet still carrying 10.1.1.1 would hit the droppers below.
table=1 ct_state=+est, tcp, nw_src=10.1.1.240, action=2
dnl Table 1: droppers
table=1 priority=10, tcp, action=drop
table=1 priority=0,action=drop
dnl Table 2: port 2 -> 1
dnl Allow established TCP connections, make sure they are reverse NATted
table=2 ct_state=+est, tcp, nw_dst=10.1.1.1, action=1
dnl Allow (new) related (data) connections. These need to be committed.
dnl Active-mode FTP: the server opens the data connection back to the client.
dnl It is admitted on the helper's expectation (+rel) plus the destination
dnl being the NAT address.  NOTE(review): nothing here pins tp_dst, so the
dnl expectation derived from the client's PORT command is the only thing that
dnl limits which port ns1 may connect to -- confirm that is acceptable for
dnl whatever deployment this models.
table=2 ct_state=+new+rel, tcp, nw_dst=10.1.1.240, action=ct(commit,nat),1
dnl Allow related ICMP packets, make sure they are reverse NATted
table=2 ct_state=+rel, icmp, nw_dst=10.1.1.1, action=1
dnl Table 2: droppers
table=2 priority=10, tcp, action=drop
table=2 priority=0, action=drop
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, which covers the SNAT address.
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
dnl Wait until the server is actually listening before the client's retries run.
OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode, so the server-initiated data
dnl connection exercises the +new+rel rule in table 2.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
dnl Two entries: the control connection (helper=ftp) whose reply tuple carries
dnl the SNAT address, and the server-originated data connection to 10.1.1.240
dnl whose reply tuple was reverse-translated to the real client 10.1.1.1.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - FTP with NAT 2])
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Pin p0's MAC: the table 8 ARP responder returns it for the SNAT address.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Allow any traffic from ns0->ns1.
dnl Only allow ARP and return traffic from ns1->ns0.  (IPv4 test: ARP, not ND.)
dnl Variant of the previous FTP test: table 0 only classifies, and each table 1
dnl rule applies ct(nat) itself.
AT_DATA([flows.txt], [dnl
dnl track all IP traffic (this includes a helper call to non-NEW packets.)
dnl No nat here: translation is done per rule in table 1 below.
table=0 ip, action=ct(table=1)
table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
table=0 priority=10 arp action=normal
table=0 priority=0 action=drop
dnl Allow new FTP connections. These need to be committed.
dnl This does helper for new packets.
dnl Unlike the previous test there is no nw_src restriction: any new TCP/21
dnl from port 1 gets the ftp helper and is SNATed to 10.1.1.240.
table=1 in_port=1 ct_state=+new, tcp, tp_dst=21, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
dnl Allow and NAT established TCP connections
dnl ct(nat) without commit applies the mapping already recorded for the
dnl connection, in the direction the packet travels.
table=1 in_port=1 ct_state=+est, tcp, action=ct(nat),2
table=1 in_port=2 ct_state=+est, tcp, action=ct(nat),1
dnl Allow and NAT (new) related active (data) connections.
dnl These need to be committed.
dnl Admitted purely on the helper's expectation (+rel); neither address nor
dnl port is pinned here, so the helper's expectation is the only constraint.
table=1 in_port=2 ct_state=+new+rel, tcp, action=ct(commit,nat),1
dnl Allow related ICMP packets.
table=1 in_port=2 ct_state=+rel, icmp, action=ct(nat),1
dnl Drop everything else.
table=1 priority=0, action=drop
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, which covers the SNAT address.
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
dnl Wait until the server is actually listening before the client's retries run.
OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode, so the server-initiated data
dnl connection exercises the +new+rel rule.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
dnl Discards CLOSE_WAIT and CLOSING
dnl (presumably FORMAT_CT filters entries in those TCP states -- it is defined
dnl outside this excerpt.)  Expect the control connection with helper=ftp and
dnl the reverse-translated data connection, as in the previous test.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv6 HTTP with NAT])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl Static neighbor entry for the SNAT address on ns1, pointing at p0's pinned
dnl MAC.  There is no ND responder in this pipeline, so without it ns1 could not
dnl resolve fc00::240 (the priority=200 rule below is a partial substitute).
NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
dnl Reached only by tracked ICMPv6 from port 2 that is not established and not
dnl the NS handled at priority=200 (the priority=100 ip6 rules win otherwise).
priority=10,icmp6,action=normal
dnl Everything ns0 sends (including its own ICMPv6) is committed and SNATed.
priority=100,in_port=1,ip6,action=ct(commit,nat(src=fc00::240)),2
dnl Untracked traffic from ns1: reverse-translate via conntrack, recirculate.
priority=100,in_port=2,ct_state=-trk,ip6,action=ct(nat,table=0)
dnl Only established (i.e. ns0-initiated) traffic is forwarded back to ns0.
priority=100,in_port=2,ct_state=+trk+est,ip6,action=1
dnl Neighbor solicitations for the SNAT address are DNATed to ns0's real
dnl address and committed, so ns0's stack answers them.
priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::240,action=ct(commit,nat(dst=fc00::1)),1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
dnl HTTP requests from ns0->ns1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl HTTP requests from ns1->ns0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
dnl Negative check: a ns1-initiated TCP connection is -est and falls to the
dnl priority=1 drop, so wget must exit 4 (network failure), not 0.
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv6 FTP with NAT])
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl Would be nice if NAT could translate neighbor discovery messages, too.
dnl Until then ns1 needs a static neighbor entry for the SNAT address that
dnl points at p0's pinned MAC.
NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
dnl Allow any traffic from ns0->ns1.
dnl Only allow nd, return traffic from ns1->ns0.
AT_DATA([flows.txt], [dnl
dnl Allow other ICMPv6 both ways (without commit).
dnl ICMPv6 still passes through ct(nat) in table 0 (it is ip6), it is just
dnl never committed.
table=1 priority=100 in_port=1 icmp6, action=2
table=1 priority=100 in_port=2 icmp6, action=1
dnl track all IPv6 traffic (this includes NAT & help to non-NEW packets.)
table=0 priority=10 ip6, action=ct(nat,table=1)
table=0 priority=0 action=drop
dnl Allow new TCPv6 FTP control connections.
dnl Only the real client address may open one; it gets the ftp helper and is
dnl SNATed to fc00::240.
table=1 in_port=1 ct_state=+new tcp6 ipv6_src=fc00::1 tp_dst=21 action=ct(alg=ftp,commit,nat(src=fc00::240)),2
dnl Allow related TCPv6 connections from port 2 to the NATted address.
dnl Active-mode data connection opened by the server; admitted on the helper's
dnl expectation plus the destination being the SNAT address (tp_dst not pinned).
table=1 in_port=2 ct_state=+new+rel tcp6 ipv6_dst=fc00::240 action=ct(commit,nat),1
dnl Allow established TCPv6 connections both ways, enforce NATting
dnl Table 0 already translated the packet, so matching on the NATed source /
dnl un-NATed destination asserts that translation actually happened.
table=1 in_port=1 ct_state=+est tcp6 ipv6_src=fc00::240 action=2
table=1 in_port=2 ct_state=+est tcp6 ipv6_dst=fc00::1 action=1
dnl Drop everything else.
table=1 priority=0, action=drop
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
dnl Wait until the server is actually listening before the client's retries run.
OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode so the server-initiated data
dnl connection exercises the +new+rel rule.
NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
dnl Discards CLOSE_WAIT and CLOSING
dnl Control connection (helper=ftp) with the SNAT address in its reply tuple,
dnl and the server-originated data connection reverse-translated to fc00::1.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
tcp,orig=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - DNAT load balancing])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns1, at_ns2, at_ns3, at_ns4)
ADD_VETH(p1, at_ns1, br0, "10.1.1.1/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.2/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.3/24")
ADD_VETH(p4, at_ns4, br0, "10.1.1.4/24")
dnl Fixed MACs so table 4 can rewrite the destination MAC statically instead of
dnl relying on learning.
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:11])
NS_CHECK_EXEC([at_ns2], [ip link set dev p2 address 80:88:88:88:88:22])
NS_CHECK_EXEC([at_ns3], [ip link set dev p3 address 80:88:88:88:88:33])
NS_CHECK_EXEC([at_ns4], [ip link set dev p4 address 80:88:88:88:88:44])
dnl Select group for load balancing. One bucket per server. Each bucket
dnl tracks and NATs the connection and recirculates to table 4 for egress
dnl routing. Packets of existing connections are always NATted based on
dnl connection state, only new connections are NATted according to the
dnl specific NAT parameters in each bucket.
AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn add-group br0 "group_id=234,type=select,bucket=weight=100,ct(nat(dst=10.1.1.2),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.3),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.4),commit,table=4)"])
AT_DATA([flows.txt], [dnl
dnl Track connections to the virtual IP address.
table=0 priority=100 ip nw_dst=10.1.1.64 action=group:234
dnl All other IP traffic is allowed but the connection state is not committed.
dnl This includes the servers' replies: ct(nat) reverse-translates them so the
dnl client sees 10.1.1.64 as the source again.
table=0 priority=90 ip action=ct(table=4,nat)
dnl Allow ARP, but generate responses for virtual addresses
table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
table=0 priority=10 arp action=normal
table=0 priority=0 action=drop
dnl Egress: static L3-to-port mapping with MAC rewrite.  NOTE(review): this
dnl forwards on nw_dst alone with no in_port or ct_state check, so the pipeline
dnl provides no isolation between namespaces -- it only exercises the balancer.
table=4,ip,nw_dst=10.1.1.1 action=mod_dl_dst:80:88:88:88:88:11,output:1
table=4,ip,nw_dst=10.1.1.2 action=mod_dl_dst:80:88:88:88:88:22,output:2
table=4,ip,nw_dst=10.1.1.3 action=mod_dl_dst:80:88:88:88:88:33,output:3
table=4,ip,nw_dst=10.1.1.4 action=mod_dl_dst:80:88:88:88:88:44,output:4
table=4 priority=0 action=drop
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64.  The responder MAC 0x808888888888 matches none of
dnl the veths above; it only has to be a unicast address the client sends to,
dnl since table 4 rewrites the destination MAC anyway.
table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
table=10 priority=100 arp xreg0=0 action=normal
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
dnl NOTE(review): unlike the other conntrack tests in this file the table 10
dnl miss goes to the controller instead of drop.  Everything reaching table 10
dnl matched arp_op=1 in table 0, so the priority=10 rule always applies and
dnl this rule should be unreachable -- presumably a debugging aid.  Do not copy
dnl it into a production pipeline: a miss path that generates packet-ins is an
dnl easy way for a host to load the controller.
table=10 priority=0 action=controller
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Start web servers
NETNS_DAEMONIZE([at_ns2], [[$PYTHON $srcdir/test-l7.py]], [http2.pid])
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http3.pid])
NETNS_DAEMONIZE([at_ns4], [[$PYTHON $srcdir/test-l7.py]], [http4.pid])
dnl Diagnostics only; they run at test exit and nothing checks their output.
on_exit 'ovs-ofctl -O OpenFlow15 dump-flows br0'
on_exit 'ovs-appctl revalidator/purge'
on_exit 'ovs-appctl dpif/dump-flows br0'
dnl Should work with the virtual IP address through NAT
dnl NOTE(review): the loop's closing done is not shown in this excerpt.
for i in 1 2 3 4 5 6 7 8 9 10 11 12; do
NS_CHECK_EXEC([at_ns1], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget$i.log])
dnl Each server should have at least one connection.
dnl FORMAT_CT presumably collapses the port-cleared entries, hence three lines
dnl for twelve connections.  Whether every bucket gets at least one of them
dnl depends on the select group's bucket selection; if it hashes the 5-tuple an
dnl unlucky set of client ports can leave one backend empty -- keep this in mind
dnl if the test fails intermittently.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.3,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
dnl Unchecked dumps for the log.
ovs-appctl dpif/dump-flows br0
ovs-appctl revalidator/purge
ovs-ofctl -O OpenFlow15 dump-flows br0
ovs-ofctl -O OpenFlow15 dump-group-stats br0
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - DNAT load balancing with NC])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns1, at_ns2, at_ns3, at_ns4, at_ns5)
ADD_VETH(p1, at_ns1, br0, "10.1.1.1/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.2/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.3/24")
ADD_VETH(p4, at_ns4, br0, "10.1.1.4/24")
dnl ns5 is a second client; ns2-ns4 are the backends.
ADD_VETH(p5, at_ns5, br0, "10.1.1.5/24")
dnl Fixed MACs so table 4 can rewrite the destination MAC statically.
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:11])
NS_CHECK_EXEC([at_ns2], [ip link set dev p2 address 80:88:88:88:88:22])
NS_CHECK_EXEC([at_ns3], [ip link set dev p3 address 80:88:88:88:88:33])
NS_CHECK_EXEC([at_ns4], [ip link set dev p4 address 80:88:88:88:88:44])
NS_CHECK_EXEC([at_ns5], [ip link set dev p5 address 80:88:88:88:88:55])
dnl Select group for load balancing. One bucket per server. Each bucket
dnl tracks and NATs the connection and recirculates to table 4 for egress
dnl routing. Packets of existing connections are always NATted based on
dnl connection state, only new connections are NATted according to the
dnl specific NAT parameters in each bucket.
AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn add-group br0 "group_id=234,type=select,bucket=weight=100,ct(nat(dst=10.1.1.2),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.3),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.4),commit,table=4)"])
AT_DATA([flows.txt], [dnl
dnl Track connections to the virtual IP address.
table=0 priority=100 ip nw_dst=10.1.1.64 action=group:234
dnl All other IP traffic is allowed but the connection state is not committed.
dnl This includes the servers' replies: ct(nat) reverse-translates them so the
dnl clients see 10.1.1.64 as the source again.
table=0 priority=90 ip action=ct(table=4,nat)
dnl Allow ARP, but generate responses for virtual addresses
table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
table=0 priority=10 arp action=normal
table=0 priority=0 action=drop
dnl Egress: static L3-to-port mapping with MAC rewrite.  NOTE(review): this
dnl forwards on nw_dst alone with no in_port or ct_state check, so the pipeline
dnl provides no isolation between namespaces -- it only exercises the balancer.
table=4,ip,nw_dst=10.1.1.1 action=mod_dl_dst:80:88:88:88:88:11,output:1
table=4,ip,nw_dst=10.1.1.2 action=mod_dl_dst:80:88:88:88:88:22,output:2
table=4,ip,nw_dst=10.1.1.3 action=mod_dl_dst:80:88:88:88:88:33,output:3
table=4,ip,nw_dst=10.1.1.4 action=mod_dl_dst:80:88:88:88:88:44,output:4
table=4,ip,nw_dst=10.1.1.5 action=mod_dl_dst:80:88:88:88:88:55,output:5
table=4 priority=0 action=drop
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64.  The responder MAC only has to be a unicast
dnl address the clients send to; table 4 rewrites the destination MAC anyway.
table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
table=10 priority=100 arp xreg0=0 action=normal
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
dnl NOTE(review): table 10 miss goes to the controller rather than drop.  All
dnl packets reaching table 10 matched arp_op=1 in table 0, so the priority=10
dnl rule always applies and this should be unreachable -- presumably a
dnl debugging aid; a packet-in on a miss path is not something to copy into a
dnl production pipeline.
table=10 priority=0 action=controller
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Start web servers
NETNS_DAEMONIZE([at_ns2], [[$PYTHON $srcdir/test-l7.py]], [http2.pid])
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http3.pid])
NETNS_DAEMONIZE([at_ns4], [[$PYTHON $srcdir/test-l7.py]], [http4.pid])
dnl Diagnostics only; they run at test exit and nothing checks their output.
on_exit 'ovs-ofctl -O OpenFlow15 dump-flows br0'
on_exit 'ovs-appctl revalidator/purge'
on_exit 'ovs-appctl dpif/dump-flows br0'
dnl Should work with the virtual IP address through NAT
dnl Two clients use the same fixed source ports (41001-41009), so the
dnl connections differ only in source address.  Only success (exit 0) of each
dnl nc is asserted; this test does not check how connections were distributed.
dnl NOTE(review): nc is invoked without $NC_EOF_OPT here (compare the UDP case
dnl earlier in this file); the server closing the connection is what ends nc,
dnl so confirm this on nc variants that linger after stdin EOF.  The loop's
dnl closing done is not shown in this excerpt.
for i in 1 2 3 4 5 6 7 8 9; do
NS_CHECK_EXEC([at_ns1], [echo "TEST1" | nc -p 4100$i 10.1.1.64 80 > nc-1-$i.log])
NS_CHECK_EXEC([at_ns5], [echo "TEST5" | nc -p 4100$i 10.1.1.64 80 > nc-5-$i.log])
dnl Unchecked dumps for the log.
ovs-appctl dpif/dump-flows br0
ovs-appctl revalidator/purge
ovs-ofctl -O OpenFlow15 dump-flows br0
ovs-ofctl -O OpenFlow15 dump-group-stats br0
OVS_TRAFFIC_VSWITCHD_STOP