ofproto: Correctly reject duplicate bucket ID for OFPGC_INSERT_BUCKET.

[cascardo/ovs.git] / tests / system-traffic.at

AT_BANNER([datapath-sanity])

AT_SETUP([datapath - ping between two ports])
OVS_TRAFFIC_VSWITCHD_START()

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([datapath - ping between two ports on vlan])
OVS_TRAFFIC_VSWITCHD_START()

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")

NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([datapath - ping6 between two ports])
OVS_TRAFFIC_VSWITCHD_START()

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl Without this sleep, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
sleep 2;

NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([datapath - ping6 between two ports on vlan])
OVS_TRAFFIC_VSWITCHD_START()

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

ADD_VLAN(p0, at_ns0, 100, "fc00:1::1/96")
ADD_VLAN(p1, at_ns1, 100, "fc00:1::2/96")

dnl Without this sleep, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
sleep 2;

NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([datapath - ping over vxlan tunnel])
AT_SKIP_IF([! ip link add foo type vxlan help 2>&1 | grep dstport >/dev/null])

OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
                  [id 0 dstport 4789])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with different packet sizes
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - controller])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,udp,action=ct(commit),controller
priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk+est,udp,action=controller
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

AT_CAPTURE_FILE([ofctl_monitor.log])
AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])

dnl Send an unsolicited reply from port 2. This should be dropped.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])

dnl OK, now start a new connection from port 1.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit\),controller '50540000000a50540000000908004500001c00000000001100000a0101010a0101020001000200080000'])

dnl Now try a reply from port 2.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])

dnl Check this output. We only see the latter two packets, not the first.
AT_CHECK([cat ofctl_monitor.log], [0], [dnl
NXT_PACKET_IN (xid=0x0): total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - IPv4 HTTP])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 >/dev/null])

dnl HTTP requests from ns0->ns1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1
])

dnl HTTP requests from ns1->ns0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log], [4])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - IPv6 HTTP])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,icmp6,action=normal
priority=100,in_port=1,tcp6,action=ct(commit),2
priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Without this sleep, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
sleep 2;

dnl HTTP requests from ns0->ns1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])

NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl HTTP requests from ns1->ns0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - commit, recirc])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow any traffic from ns0->ns1, ns2->ns3.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=1,tcp,ct_state=+trk,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,tcp,ct_state=+trk,action=1
priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=4,tcp,ct_state=+trk,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl HTTP requests from p2->p3 should work fine.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - preserve registers])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow any traffic from ns0->ns1, ns2->ns3.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=1,tcp,ct_state=+trk,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,tcp,ct_state=+trk,action=1
priority=100,in_port=3,tcp,ct_state=-trk,action=load:0->NXM_NX_REG0[[]],ct(table=0)
priority=100,in_port=3,tcp,ct_state=+trk,reg0=0,action=load:1->NXM_NX_REG0[[]],ct(commit,table=0)
priority=100,in_port=3,tcp,ct_state=+trk,reg0=1,action=4
priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=4,tcp,ct_state=+trk,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl HTTP requests from p2->p3 should work fine.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - invalid])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Pass traffic from ns0->ns1 without committing, but attempt to track in
dnl the opposite direction. This should fail.
dnl Pass traffic from ns3->ns4 without committing, and this time match
dnl invalid traffic and allow it through.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk+new,tcp,action=1
priority=100,in_port=3,tcp,action=ct(),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=4,ct_state=+trk+inv,tcp,action=3
priority=100,in_port=4,ct_state=+trk+new,tcp,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl We set up our rules to allow the request without committing. The return
dnl traffic can't be identified, because the initial request wasn't committed.
dnl For the first pair of ports, this means that the connection fails.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4])

dnl For the second pair, we allow packets from invalid connections, so it works.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - zones])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow any traffic from ns0->ns1. Allow return traffic, matching on zone.
dnl For ns2->ns3, use a different zone and see that the match fails.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit,zone=1),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
priority=100,in_port=3,tcp,action=ct(commit,zone=2),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0,zone=2)
priority=100,in_port=4,ct_state=+trk,ct_zone=1,tcp,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
])

dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])

AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=0 zone=2 use=1
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - zones from field])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),2
priority=100,in_port=2,ct_state=-trk,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
priority=100,in_port=2,ct_state=+trk,ct_zone=0x1001,tcp,action=1
priority=100,in_port=3,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),4
priority=100,in_port=4,ct_state=-trk,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
priority=100,in_port=4,ct_state=+trk,ct_zone=0x1001,tcp,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=4097 use=1
])

dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])

AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=0 zone=4098 use=1
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - multiple bridges])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START(
   [_ADD_BR([br1]) --\
    add-port br0 patch+ -- set int patch+ type=patch options:peer=patch- --\
    add-port br1 patch- -- set int patch- type=patch options:peer=patch+ --])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")

dnl Allow any traffic from ns0->br1, allow established in reverse.
AT_DATA([flows-br0.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(commit,zone=1),1
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=1,action=2
])

dnl Allow any traffic from br0->ns1, allow established in reverse.
AT_DATA([flows-br1.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=2)
priority=100,in_port=1,tcp,ct_state=+trk+new,ct_zone=2,action=ct(commit,zone=2),2
priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=2,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
priority=100,in_port=2,tcp,ct_state=+trk+est,ct_zone=2,action=ct(commit,zone=2),1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - multiple zones])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit,zone=1),ct(commit,zone=2),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=2)
priority=100,in_port=2,ct_state=+trk,ct_zone=2,tcp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl (again) HTTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
SYN_SENT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[UNREPLIED]] src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> mark=0 zone=1 use=1
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - multiple zones, local])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0)

AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
AT_CHECK([ip link set dev br0 up])
on_exit 'ip addr del dev br0 "10.1.1.1/24"'
ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")

dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
dnl return traffic from ns0 back to the local stack.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
table=1,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
table=2,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl HTTP requests from root namespace to p0 should work fine.
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl (again) HTTP requests from root namespace to  p0 should work fine.
AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id=<cleared> src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id=<cleared> mark=0 zone=1 use=1
src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id=<cleared> src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id=<cleared> mark=0 zone=2 use=1
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - multiple namespaces, internal ports])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START(
   [set-fail-mode br0 secure -- ])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_INT(p0, at_ns0, br0, "10.1.1.1/24")
ADD_INT(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl
dnl If skb->nfct is leaking from inside the namespace, this test will fail.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=1),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl (again) HTTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
])

OVS_TRAFFIC_VSWITCHD_STOP(["dnl
/ioctl(SIOCGIFINDEX) on .* device failed: No such device/d
/removing policing failed: No such device/d"])
AT_CLEANUP

AT_SETUP([conntrack - multi-stage pipeline, local])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0)

AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
AT_CHECK([ip link set dev br0 up])
on_exit 'ip addr del dev br0 "10.1.1.1/24"'
ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")

dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
dnl return traffic from ns0 back to the local stack.
AT_DATA([flows.txt], [dnl
dnl default
table=0,priority=1,action=drop
table=0,priority=10,arp,action=normal

dnl Load the output port to REG0
table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1

dnl Ingress pipeline
dnl - Allow all connections from LOCAL port (commit and proceed to egress)
dnl - All other connections go through conntracker using the input port as
dnl   a connection tracking zone.
table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2
table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
table=1,priority=1,action=drop

dnl Egress pipeline
dnl - Allow all connections from LOCAL port (commit and skip to output)
dnl - Allow other established connections to go through conntracker using
dnl   output port as a connection tracking zone.
table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4
table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
table=2,priority=1,action=drop

dnl Only allow established traffic from egress ct lookup
table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
table=3,priority=1,action=drop

dnl output table
table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl HTTP requests from root namespace to p0 should work fine.
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl (again) HTTP requests from root namespace to p0 should work fine.
AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=65534 use=1
src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id=<cleared> src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id=<cleared> mark=0 zone=1 use=1
src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id=<cleared> src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id=<cleared> mark=0 zone=65534 use=1
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - ct_mark])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow traffic between ns0<->ns1 using the ct_mark.
dnl Check that different marks do not match for traffic between ns2<->ns3.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:2->ct_mark)),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=1 use=1
])

dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])

AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=2 use=1
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - ct_mark from register])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=load:1->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
priority=100,in_port=3,tcp,action=load:2->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=1 use=1
])

dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])

AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=2 use=1
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - ct_label])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow traffic between ns0<->ns1 using the ct_label.
dnl Check that different labels do not match for traffic between ns2<->ns3.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:0x0a000d000005000001->ct_label)),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=1
priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:0x2->ct_label)),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=4,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - ICMP related])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,udp,action=ct(commit,exec(set_field:1->ct_mark)),2
priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,icmp,ct_state=+trk+rel,ct_mark=1,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl If we simulate a UDP request to a port that isn't serving any real traffic,
dnl then the destination responds with an ICMP "destination unreachable"
dnl message, it should be marked as "related".
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 resubmit\(,0\) 'dnl
0000 0000 0000 0000 0000 0000 0800 4500 dnl
001e bb85 4000 4011 6945 0a01 0101 0a01 dnl
0102 839c 1388 000a f1a6 610a'])

AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'dnl
0000 0000 0000 0000 0000 0000 0800 45c0 dnl
003a 411e 0000 4001 22e1 0a01 0102 0a01 dnl
0101 0303 131d 0000 0000 dnl
4500 001e bb85 4000 4011 6945 0a01 0101 dnl
0a01 0102 839c 1388 000a f1a6 610a'])

AT_CHECK([ovs-appctl revalidator/purge], [0])
AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
 n_packets=1, n_bytes=44, priority=100,udp,in_port=1 actions=ct(commit,exec(load:0x1->NXM_NX_CT_MARK[[]])),output:2
 n_packets=1, n_bytes=72, priority=100,ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2 actions=output:1
 n_packets=1, n_bytes=72, priority=100,ct_state=-trk,icmp,in_port=2 actions=ct(table=0)
 priority=10,arp actions=NORMAL
NXST_FLOW reply:
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - ICMP related 2])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "172.16.0.1/24")
ADD_VETH(p1, at_ns1, br0, "172.16.0.2/24")

dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,udp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=1,ip,ct_state=+trk,actions=controller
priority=100,in_port=2,ip,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,ip,ct_state=+trk+rel+rpl,action=controller
])

AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt])

AT_CAPTURE_FILE([ofctl_monitor.log])
AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])

dnl 1. Send an ICMP port unreach reply for port 8738, without any previous request
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f355ac100004ac1000030303553f0000000045000021317040004011b138ac100003ac10000411112222000d20966369616f0a'])

dnl 2. Send and UDP packet to port 5555
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit,table=0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])

dnl 3. Send an ICMP port unreach reply for port 5555, related to the first packet
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])

dnl Check this output. We only see the latter two packets, not the first.
AT_CHECK([cat ofctl_monitor.log], [0], [dnl
NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=47 ct_state=new|trk,in_port=1 (via action) data_len=47 (unbuffered)
udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096
NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=75 ct_state=rel|rpl|trk,in_port=2 (via action) data_len=75 (unbuffered)
icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - FTP])
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
AT_DATA([flows1.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
priority=100,in_port=2,tcp,ct_state=+trk+rel,action=1
])

dnl Similar policy but without allowing all traffic from ns0->ns1.
AT_DATA([flows2.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
priority=100,in_port=1,tcp,ct_state=+trk+est,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
priority=100,in_port=2,tcp,ct_state=+trk-new+rel,action=1
])

AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])

NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])

dnl FTP requests from p1->p0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp  -t 3 -T 1 -v -o wget1.log], [4])
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.1)], [0], [dnl
])

dnl FTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=1
])

dnl Try the second set of flows.
AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
conntrack -F

dnl FTP requests from p1->p0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp  -t 3 -T 1 -v -o wget1.log], [4])
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.1)], [0], [dnl
])

dnl Active FTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=2
TIME_WAIT src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1
])

AT_CHECK([conntrack -F 2>/dev/null])

dnl Passive FTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=2
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - FTP with multiple expectations])
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Dual-firewall, allow all from ns1->ns2, allow established and ftp ns2->ns1.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=0,zone=2)
priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=2)
priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=0,zone=1)
priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])

dnl FTP requests from p1->p0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp  -t 3 -T 1 -v -o wget1.log], [4])
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.1)], [0], [dnl
])

dnl Active FTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 helper=ftp use=2
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 helper=ftp use=2
TIME_WAIT src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
TIME_WAIT src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
])

AT_CHECK([conntrack -F 2>/dev/null])

dnl Passive FTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 helper=ftp use=2
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 helper=ftp use=2
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - IPv4 fragmentation ])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Sending ping through conntrack
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv4 fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv4 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - IPv4 fragmentation + vlan])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")

dnl Sending ping through conntrack
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv4 fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv4 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - IPv6 fragmentation])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl Sending ping through conntrack
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Without this sleep, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
sleep 2;

dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv4 fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv4 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - IPv6 fragmentation + vlan])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

ADD_VLAN(p0, at_ns0, 100, "fc00:1::3/96")
ADD_VLAN(p1, at_ns1, 100, "fc00:1::4/96")

dnl Sending ping through conntrack
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Without this sleep, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
sleep 2;

dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv4 fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv4 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - Fragmentation over vxlan])
AT_SKIP_IF([! ip link help 2>&1 | grep vxlan >/dev/null])
CHECK_CONNTRACK()

OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Sending ping through conntrack
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),LOCAL
priority=100,in_port=LOCAL,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=LOCAL,ct_state=+trk+est,icmp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([vxlan], [br0], [at_ns0], [172.31.1.1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
                  [id 0 dstport 4789])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with different packet sizes
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - resubmit to ct multiple times])
CHECK_CONNTRACK()

OVS_TRAFFIC_VSWITCHD_START(
   [set-fail-mode br0 secure -- ])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

AT_DATA([flows.txt], [dnl
table=0,priority=150,arp,action=normal
table=0,priority=100,ip,in_port=1,action=resubmit(,1),resubmit(,2)

table=1,priority=100,ip,action=ct(table=3)
table=2,priority=100,ip,action=ct(table=3)

table=3,ip,action=drop
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

NS_CHECK_EXEC([at_ns0], [ping -q -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
1 packets transmitted, 0 received, 100% packet loss, time 0ms
])

AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort], [0], [dnl
 n_packets=1, n_bytes=98, priority=100,ip,in_port=1 actions=resubmit(,1),resubmit(,2)
 n_packets=2, n_bytes=84, priority=150,arp actions=NORMAL
 table=1, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
 table=2, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
 table=3, n_packets=2, n_bytes=196, ip actions=drop
NXST_FLOW reply:
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP