1 AT_BANNER([datapath-sanity])
dnl Baseline datapath check: two network namespaces on one bridge, a single
dnl NORMAL (MAC-learning) flow, and ICMP echo at three payload sizes.
3 AT_SETUP([datapath - ping between two ports])
4 OVS_TRAFFIC_VSWITCHD_START()
dnl Single catch-all flow: every packet is forwarded by MAC learning.
6 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
8 ADD_NAMESPACES(at_ns0, at_ns1)
10 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
11 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl The trailing "dnl" on each NS_CHECK_EXEC line discards the rest of that
dnl line, so the expected ping summary starts on the following line.
dnl FORMAT_PING (defined outside this file) presumably normalises the timing
dnl fields, which is why "time 0ms" is the stable expected value -- TODO confirm.
13 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
14 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl -s 1600 and -s 3200 exceed a default 1500-byte MTU, so these two runs
dnl presumably exercise IP fragmentation through the datapath -- TODO confirm.
16 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
17 3 packets transmitted, 3 received, 0% packet loss, time 0ms
19 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
20 3 packets transmitted, 3 received, 0% packet loss, time 0ms
23 OVS_TRAFFIC_VSWITCHD_STOP
dnl Same as the untagged ping test, but the traffic is sent over VLAN 100
dnl sub-interfaces so tagged frames cross the NORMAL-switched bridge.
26 AT_SETUP([datapath - ping between two ports on vlan])
27 OVS_TRAFFIC_VSWITCHD_START()
29 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
31 ADD_NAMESPACES(at_ns0, at_ns1)
dnl Untagged addresses on the veth pair itself (not pinged in this test).
33 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
34 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl VLAN 100 sub-interfaces carry the 10.2.2.0/24 addresses that are pinged.
36 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
37 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
39 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
40 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Larger payloads: presumably fragmented on the tagged path -- TODO confirm.
42 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
43 3 packets transmitted, 3 received, 0% packet loss, time 0ms
45 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
46 3 packets transmitted, 3 received, 0% packet loss, time 0ms
49 OVS_TRAFFIC_VSWITCHD_STOP
dnl IPv6 variant of the basic ping test: ULA addresses in fc00::/96, three
dnl payload sizes, NORMAL forwarding.
52 AT_SETUP([datapath - ping6 between two ports])
53 OVS_TRAFFIC_VSWITCHD_START()
55 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
57 ADD_NAMESPACES(at_ns0, at_ns1)
59 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
60 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
62 dnl Without this sleep, we get occasional failures due to the following error:
63 dnl "connect: Cannot assign requested address"
dnl (The delay gives IPv6 duplicate-address detection time to finish before
dnl the address is usable -- presumably; the sleep itself follows this comment
dnl in the original file.)
66 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
67 3 packets transmitted, 3 received, 0% packet loss, time 0ms
69 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
70 3 packets transmitted, 3 received, 0% packet loss, time 0ms
72 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
73 3 packets transmitted, 3 received, 0% packet loss, time 0ms
76 OVS_TRAFFIC_VSWITCHD_STOP
dnl IPv6 over VLAN 100: the pinged addresses (fc00:1::/96) live on the tagged
dnl sub-interfaces, not on the bare veth pair.
79 AT_SETUP([datapath - ping6 between two ports on vlan])
80 OVS_TRAFFIC_VSWITCHD_START()
82 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
84 ADD_NAMESPACES(at_ns0, at_ns1)
86 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
87 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
89 ADD_VLAN(p0, at_ns0, 100, "fc00:1::1/96")
90 ADD_VLAN(p1, at_ns1, 100, "fc00:1::2/96")
92 dnl Without this sleep, we get occasional failures due to the following error:
93 dnl "connect: Cannot assign requested address"
dnl (Same IPv6 address-readiness delay as in the untagged ping6 test.)
96 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
97 3 packets transmitted, 3 received, 0% packet loss, time 0ms
99 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
100 3 packets transmitted, 3 received, 0% packet loss, time 0ms
102 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
103 3 packets transmitted, 3 received, 0% packet loss, time 0ms
106 OVS_TRAFFIC_VSWITCHD_STOP
dnl VXLAN overlay test: an OVS tunnel port on br0 talks to a native Linux
dnl vxlan device inside the namespace, with br-underlay carrying the
dnl encapsulated traffic between them.
109 AT_SETUP([datapath - ping over vxlan tunnel])
dnl Skip unless the kernel's vxlan driver understands "dstport"; the check
dnl greps the help text of "ip link add ... type vxlan".
110 AT_SKIP_IF([! ip link add foo type vxlan help 2>&1 | grep dstport >/dev/null])
112 OVS_TRAFFIC_VSWITCHD_START()
113 ADD_BR([br-underlay])
dnl Both overlay and underlay bridges simply MAC-learn.
115 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
116 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
118 ADD_NAMESPACES(at_ns0)
120 dnl Set up underlay link from host into the namespace using veth pair.
121 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
dnl The host side of the underlay is the bridge's own interface.
122 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
123 AT_CHECK([ip link set dev br-underlay up])
125 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
126 dnl linux device inside the namespace.
dnl Remote endpoints are crossed: the OVS side points at the namespace's
dnl underlay address (172.31.1.1) and the native side at the host's
dnl (172.31.1.100). Overlay addresses are 10.1.1.100 (OVS) and 10.1.1.1 (ns).
127 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
128 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
131 dnl First, check the underlay
132 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
133 3 packets transmitted, 3 received, 0% packet loss, time 0ms
136 dnl Okay, now check the overlay with different packet sizes
dnl Encapsulation adds VXLAN/UDP/IP headers, so even the default-size ping
dnl is a useful MTU check; 1600/3200-byte payloads presumably fragment -- TODO confirm.
137 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
138 3 packets transmitted, 3 received, 0% packet loss, time 0ms
140 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
141 3 packets transmitted, 3 received, 0% packet loss, time 0ms
143 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
144 3 packets transmitted, 3 received, 0% packet loss, time 0ms
147 OVS_TRAFFIC_VSWITCHD_STOP
dnl Conntrack + controller interaction: packets are injected with packet-out
dnl and the resulting packet-ins are captured, showing that an unsolicited
dnl "reply" is dropped while a committed request and its reply are delivered.
150 AT_SETUP([conntrack - controller])
152 OVS_TRAFFIC_VSWITCHD_START()
154 ADD_NAMESPACES(at_ns0, at_ns1)
156 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
157 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
159 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
160 AT_DATA([flows.txt], [dnl
dnl Default-deny: anything not matched below is dropped.
161 priority=1,action=drop
162 priority=10,arp,action=normal
dnl Port 1 UDP: create a conntrack entry, then hand the packet to the controller.
163 priority=100,in_port=1,udp,action=ct(commit),controller
dnl Port 2 UDP not yet tracked: run it through conntrack and re-evaluate table 0.
164 priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
dnl Port 2 UDP that matches an established entry goes to the controller;
dnl anything else from port 2 falls through to the default drop.
165 priority=100,in_port=2,ct_state=+trk+est,udp,action=controller
168 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Record every packet-in to a log that is kept on failure.
170 AT_CAPTURE_FILE([ofctl_monitor.log])
171 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
173 dnl Send an unsolicited reply from port 2. This should be dropped.
dnl The hex string is a hand-built Ethernet/IPv4/UDP frame (the monitor output
dnl below decodes the same layout). No entry has been committed yet, so the
dnl ct(table=0) lookup does not yield +est and the packet is dropped.
174 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
176 dnl OK, now start a new connection from port 1.
177 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit\),controller '50540000000a50540000000908004500001c00000000001100000a0101010a0101020001000200080000'])
179 dnl Now try a reply from port 2.
180 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
182 dnl Check this output. We only see the latter two packets, not the first.
dnl The first packet-in carries no ct_state (it was sent to the controller
dnl before any tracking); the second shows est|rpl|trk, i.e. it was matched
dnl as the reply direction of the committed entry.
183 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
184 NXT_PACKET_IN (xid=0x0): total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
185 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
186 NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
187 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
190 OVS_TRAFFIC_VSWITCHD_STOP
dnl Stateful firewall in one direction: ns0 may open TCP to ns1, only the
dnl established return traffic is allowed back, and a connection attempted in
dnl the other direction must fail.
193 AT_SETUP([conntrack - IPv4 HTTP])
195 OVS_TRAFFIC_VSWITCHD_START()
197 ADD_NAMESPACES(at_ns0, at_ns1)
199 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
200 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
202 dnl Allow any traffic from ns0->ns1. Only allow ARP (neighbour discovery),
dnl ICMP and established return traffic from ns1->ns0.
203 AT_DATA([flows.txt], [dnl
204 priority=1,action=drop
205 priority=10,arp,action=normal
206 priority=10,icmp,action=normal
dnl Port 1 TCP: commit the connection and forward to port 2.
207 priority=100,in_port=1,tcp,action=ct(commit),2
dnl Port 2 TCP: first pass sends untracked packets through conntrack and
dnl re-evaluates table 0; only packets belonging to an established
dnl connection are then forwarded to port 1 -- a new SYN from port 2 is dropped.
208 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
209 priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
212 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
214 dnl Basic connectivity check.
215 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 >/dev/null])
217 dnl HTTP requests from ns0->ns1 should work fine.
dnl test-l7.py is a small HTTP server run as a daemon inside the namespace;
dnl wget retries up to 3 times with a 1-second timeout in case it is not up yet.
218 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
219 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl The committed connection is visible to the host's conntrack table.
dnl FORMAT_CT clears the ephemeral fields ("<cleared>"); [[ASSURED]] is the
dnl m4-quoted form of [ASSURED].
221 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
222 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1
225 dnl HTTP requests from ns1->ns0 should fail due to network failure.
226 dnl Try 3 times, in 1 second intervals.
dnl Expected exit status 4 is wget's "network failure" code.
227 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
228 NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log], [4])
230 OVS_TRAFFIC_VSWITCHD_STOP
dnl IPv6 version of the one-way stateful firewall test. icmp6 replaces both
dnl arp and icmp, since neighbour discovery is carried in ICMPv6.
233 AT_SETUP([conntrack - IPv6 HTTP])
235 OVS_TRAFFIC_VSWITCHD_START()
237 ADD_NAMESPACES(at_ns0, at_ns1)
239 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
240 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
242 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
243 AT_DATA([flows.txt], [dnl
244 priority=1,action=drop
245 priority=10,icmp6,action=normal
dnl Same commit / recirculate / +est pattern as the IPv4 test, keyed on tcp6.
246 priority=100,in_port=1,tcp6,action=ct(commit),2
247 priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
248 priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
251 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
253 dnl Without this sleep, we get occasional failures due to the following error:
254 dnl "connect: Cannot assign requested address"
257 dnl HTTP requests from ns0->ns1 should work fine.
dnl "http6" puts test-l7.py into IPv6 listening mode; [[fc00::2]] is the
dnl m4-quoted form of the bracketed IPv6 literal wget expects in a URL.
258 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])
260 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
262 dnl HTTP requests from ns1->ns0 should fail due to network failure.
263 dnl Try 3 times, in 1 second intervals.
264 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
265 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
267 OVS_TRAFFIC_VSWITCHD_STOP
dnl Recirculation after ct(): two independent port pairs. Pair 0/1 uses the
dnl plain commit-then-recirculate pattern; pair 2/3 additionally checks that
dnl the "metadata" field set before ct() is still visible after recirculation.
270 AT_SETUP([conntrack - commit, recirc])
272 OVS_TRAFFIC_VSWITCHD_START()
274 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
276 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
277 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
278 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
279 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
281 dnl Allow any traffic from ns0->ns1, ns2->ns3.
282 AT_DATA([flows.txt], [dnl
283 priority=1,action=drop
284 priority=10,arp,action=normal
285 priority=10,icmp,action=normal
dnl Ports 1 and 2: untracked packets are committed (port 1) or looked up
dnl (port 2) and re-enter table 0, where the +trk rule outputs them.
286 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
287 priority=100,in_port=1,tcp,ct_state=+trk,action=2
288 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
289 priority=100,in_port=2,tcp,ct_state=+trk,action=1
dnl Port 3 makes three passes through table 0: metadata=0 on the first pass,
dnl metadata=1 after the second ct(), and only then is the packet output. If
dnl metadata were lost across recirculation the packet would never reach port 4.
290 priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
291 priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
292 priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
293 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
294 priority=100,in_port=4,tcp,ct_state=+trk,action=3
297 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
299 dnl HTTP requests from p0->p1 should work fine.
300 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
301 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
303 dnl HTTP requests from p2->p3 should work fine.
304 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
305 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
307 OVS_TRAFFIC_VSWITCHD_STOP
dnl Same layout as "commit, recirc", but the marker that must survive
dnl recirculation is register REG0 rather than the metadata field.
310 AT_SETUP([conntrack - preserve registers])
312 OVS_TRAFFIC_VSWITCHD_START()
314 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
316 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
317 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
318 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
319 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
321 dnl Allow any traffic from ns0->ns1, ns2->ns3.
322 AT_DATA([flows.txt], [dnl
323 priority=1,action=drop
324 priority=10,arp,action=normal
325 priority=10,icmp,action=normal
326 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
327 priority=100,in_port=1,tcp,ct_state=+trk,action=2
328 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
329 priority=100,in_port=2,tcp,ct_state=+trk,action=1
dnl Port 3: REG0 is 0 on the first recirculation, 1 on the second; the packet
dnl is output only when reg0=1 is observed, so a cleared register would drop it.
dnl NXM_NX_REG0[[]] is the m4-quoted form of NXM_NX_REG0[] (the whole register).
330 priority=100,in_port=3,tcp,ct_state=-trk,action=load:0->NXM_NX_REG0[[]],ct(table=0)
331 priority=100,in_port=3,tcp,ct_state=+trk,reg0=0,action=load:1->NXM_NX_REG0[[]],ct(commit,table=0)
332 priority=100,in_port=3,tcp,ct_state=+trk,reg0=1,action=4
333 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
334 priority=100,in_port=4,tcp,ct_state=+trk,action=3
337 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
339 dnl HTTP requests from p0->p1 should work fine.
340 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
341 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
343 dnl HTTP requests from p2->p3 should work fine.
344 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
345 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
347 OVS_TRAFFIC_VSWITCHD_STOP
dnl Behaviour of the "inv" conntrack state: a request that is tracked but
dnl never committed leaves no entry, so its reply cannot be classified as
dnl +new or +est. Pair 0/1 drops such replies; pair 2/3 explicitly admits +inv.
350 AT_SETUP([conntrack - invalid])
352 OVS_TRAFFIC_VSWITCHD_START()
354 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
356 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
357 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
358 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
359 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
361 dnl Pass traffic from ns0->ns1 without committing, but attempt to track in
362 dnl the opposite direction. This should fail.
363 dnl Pass traffic from ns2->ns3 without committing, and this time match
364 dnl invalid traffic and allow it through.
365 AT_DATA([flows.txt], [dnl
366 priority=1,action=drop
367 priority=10,arp,action=normal
368 priority=10,icmp,action=normal
dnl ct() with no "commit": the packet is tracked for this lookup only and no
dnl conntrack entry is created.
369 priority=100,in_port=1,tcp,action=ct(),2
370 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
dnl Only +new is admitted from port 2; the server's reply is neither +new nor
dnl +est (nothing was committed), so it hits the default drop.
371 priority=100,in_port=2,ct_state=+trk+new,tcp,action=1
372 priority=100,in_port=3,tcp,action=ct(),4
373 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
dnl Admitting +inv is deliberately permissive; it is here only to exercise
dnl that state, which is why the p2->p3 transfer succeeds below.
374 priority=100,in_port=4,ct_state=+trk+inv,tcp,action=3
375 priority=100,in_port=4,ct_state=+trk+new,tcp,action=3
378 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
380 dnl We set up our rules to allow the request without committing. The return
381 dnl traffic can't be identified, because the initial request wasn't committed.
382 dnl For the first pair of ports, this means that the connection fails.
dnl --retry-connrefused is kept here so the failure is attributed to the
dnl dropped reply (exit 4, network failure) rather than to a slow server start.
383 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
384 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4])
386 dnl For the second pair, we allow packets from invalid connections, so it works.
387 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
388 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
390 OVS_TRAFFIC_VSWITCHD_STOP
dnl Conntrack zones isolate connection state: an entry committed in zone 2 is
dnl not found by a rule that expects ct_zone=1, so pair 2/3 cannot complete
dnl a handshake while pair 0/1 (consistent zone 1) works.
393 AT_SETUP([conntrack - zones])
395 OVS_TRAFFIC_VSWITCHD_START()
397 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
399 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
400 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
401 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
402 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
404 dnl Allow any traffic from ns0->ns1. Allow return traffic, matching on zone.
405 dnl For ns2->ns3, use a different zone and see that the match fails.
406 AT_DATA([flows.txt], [dnl
407 priority=1,action=drop
408 priority=10,arp,action=normal
409 priority=10,icmp,action=normal
dnl Pair 0/1: commit and look up in zone 1, and require ct_zone=1 on return.
410 priority=100,in_port=1,tcp,action=ct(commit,zone=1),2
411 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
412 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
dnl Pair 2/3: commit and look up in zone 2, but the return rule still asks
dnl for ct_zone=1 -- it can never match, so replies from port 4 are dropped.
413 priority=100,in_port=3,tcp,action=ct(commit,zone=2),4
414 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0,zone=2)
415 priority=100,in_port=4,ct_state=+trk,ct_zone=1,tcp,action=3
418 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
420 dnl HTTP requests from p0->p1 should work fine.
421 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
422 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Completed connection, recorded in zone 1.
424 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
425 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
428 dnl HTTP requests from p2->p3 should fail due to network failure.
429 dnl Try 3 times, in 1 second intervals.
430 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
431 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl Half-open handshake left in zone 2: the SYN/ACK was seen by conntrack but
dnl never delivered, so the entry stays in SYN_RECV and is not ASSURED.
433 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
434 SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=0 zone=2 use=1
437 OVS_TRAFFIC_VSWITCHD_STOP
dnl Same zone-isolation test as "conntrack - zones", but the zone is taken
dnl from the low 16 bits of REG0 instead of being a literal in the action.
dnl 0x1001 = 4097 and 0x1002 = 4098 are what conntrack -L reports below.
440 AT_SETUP([conntrack - zones from field])
442 OVS_TRAFFIC_VSWITCHD_START()
444 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
446 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
447 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
448 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
449 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
451 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
452 AT_DATA([flows.txt], [dnl
453 priority=1,action=drop
454 priority=10,arp,action=normal
455 priority=10,icmp,action=normal
dnl NXM_NX_REG0[[0..15]] is the m4-quoted form of NXM_NX_REG0[0..15].
dnl Pair 0/1: zone 0x1001 on both directions, return rule checks ct_zone=0x1001.
456 priority=100,in_port=1,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),2
457 priority=100,in_port=2,ct_state=-trk,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
458 priority=100,in_port=2,ct_state=+trk,ct_zone=0x1001,tcp,action=1
dnl Pair 2/3: lookups happen in zone 0x1002 but the return rule checks
dnl ct_zone=0x1001, so the reply never matches and is dropped.
459 priority=100,in_port=3,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),4
460 priority=100,in_port=4,ct_state=-trk,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
461 priority=100,in_port=4,ct_state=+trk,ct_zone=0x1001,tcp,action=3
464 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
466 dnl HTTP requests from p0->p1 should work fine.
467 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
468 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
470 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
471 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=4097 use=1
474 dnl HTTP requests from p2->p3 should fail due to network failure.
475 dnl Try 3 times, in 1 second intervals.
476 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
477 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl Half-open entry in zone 4098 (0x1002), never ASSURED.
479 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
480 SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=0 zone=4098 use=1
483 OVS_TRAFFIC_VSWITCHD_STOP
dnl Two bridges joined by a patch-port pair, each running its own stateful
dnl policy in its own zone (br0: zone 1, br1: zone 2). The connection must be
dnl tracked and committed independently on each bridge for the transfer to work.
486 AT_SETUP([conntrack - multiple bridges])
dnl The extra ovs-vsctl arguments create br1 and the patch+ / patch- pair.
dnl Port numbering below is presumably: patch port = 1 (added first here),
dnl veth = 2 on each bridge -- TODO confirm against the flows' in_port values.
488 OVS_TRAFFIC_VSWITCHD_START(
490 add-port br0 patch+ -- set int patch+ type=patch options:peer=patch- --\
491 add-port br1 patch- -- set int patch- type=patch options:peer=patch+ --])
493 ADD_NAMESPACES(at_ns0, at_ns1)
dnl ns0 hangs off br0, ns1 off br1; same subnet, bridged via the patch ports.
495 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
496 ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")
498 dnl Allow any traffic from ns0->br1, allow established in reverse.
499 AT_DATA([flows-br0.txt], [dnl
500 priority=1,action=drop
501 priority=10,arp,action=normal
502 priority=10,icmp,action=normal
dnl From the veth (port 2): commit in zone 1, send over the patch port (1).
503 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(commit,zone=1),1
dnl From the patch port: look up in zone 1, forward only established traffic.
504 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
505 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=1,action=2
508 dnl Allow any traffic from br0->ns1, allow established in reverse.
509 AT_DATA([flows-br1.txt], [dnl
510 priority=1,action=drop
511 priority=10,arp,action=normal
512 priority=10,icmp,action=normal
dnl From the patch port (1): look up in zone 2; new connections are committed
dnl here, established ones are simply forwarded to the veth (2).
513 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=2)
514 priority=100,in_port=1,tcp,ct_state=+trk+new,ct_zone=2,action=ct(commit,zone=2),2
515 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=2,action=2
dnl From the veth: only established traffic goes back over the patch port,
dnl and it is re-committed so the reply direction refreshes the entry.
516 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
517 priority=100,in_port=2,tcp,ct_state=+trk+est,ct_zone=2,action=ct(commit,zone=2),1
520 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
521 AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt])
523 dnl HTTP requests from p0->p1 should work fine.
524 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
525 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
527 OVS_TRAFFIC_VSWITCHD_STOP
dnl One connection committed into two zones by a single flow. The return path
dnl is only looked up in zone 2, so zone 1's entry never sees a reply and
dnl stays UNREPLIED while zone 2's completes -- visible in conntrack -L below.
530 AT_SETUP([conntrack - multiple zones])
532 OVS_TRAFFIC_VSWITCHD_START()
534 ADD_NAMESPACES(at_ns0, at_ns1)
536 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
537 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
539 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
540 AT_DATA([flows.txt], [dnl
541 priority=1,action=drop
542 priority=10,arp,action=normal
543 priority=10,icmp,action=normal
dnl Two consecutive ct(commit) actions, one per zone, on the request path.
544 priority=100,in_port=1,tcp,action=ct(commit,zone=1),ct(commit,zone=2),2
dnl Reply path: tracked and matched in zone 2 only.
545 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=2)
546 priority=100,in_port=2,ct_state=+trk,ct_zone=2,tcp,action=1
549 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
551 dnl HTTP requests from p0->p1 should work fine.
552 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
553 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
555 dnl (again) HTTP requests from p0->p1 should work fine.
556 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Zone 1: SYN_SENT / [UNREPLIED] (only the request direction was committed
dnl there). Zone 2: full TIME_WAIT / [ASSURED] entry.
558 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
559 SYN_SENT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[UNREPLIED]] src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> mark=0 zone=1 use=1
560 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
563 OVS_TRAFFIC_VSWITCHD_STOP
dnl Traffic originating from the host stack via the bridge's LOCAL port is
dnl committed into two zones; replies from ns0 must pass a chained lookup in
dnl zone 1 (table 1) and zone 2 (table 2) before reaching LOCAL.
566 AT_SETUP([conntrack - multiple zones, local])
568 OVS_TRAFFIC_VSWITCHD_START()
570 ADD_NAMESPACES(at_ns0)
dnl Give br0's internal interface an address so the host can talk to ns0;
dnl on_exit removes it again even if the test fails part way.
572 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
573 AT_CHECK([ip link set dev br0 up])
574 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
575 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
577 dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
578 dnl return traffic from ns0 back to the local stack.
579 AT_DATA([flows.txt], [dnl
580 priority=1,action=drop
581 priority=10,arp,action=normal
dnl Packets from LOCAL are expected to arrive already tracked -- presumably
dnl by the host's own conntrack before they reach the bridge; anything still
dnl untracked is dropped. NOTE(review): confirm this is the intended source.
582 priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
583 priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
584 priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
dnl Return path: zone-1 lookup resumes in table 1, zone-2 lookup in table 2;
dnl each stage requires +est, so both zones must know the connection.
585 priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
586 table=1,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
587 table=2,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
590 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl ICMP goes through the same "ip" rules, so the ping also creates entries.
592 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
593 3 packets transmitted, 3 received, 0% packet loss, time 0ms
596 dnl HTTP requests from root namespace to p0 should work fine.
597 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
598 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
600 dnl (again) HTTP requests from root namespace to p0 should work fine.
601 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl grep "zone" keeps only zoned entries: the TCP connection and the ICMP
dnl echo (type=8 / reply type=0) each appear once per zone.
603 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
604 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
605 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
606 src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id=<cleared> src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id=<cleared> mark=0 zone=1 use=1
607 src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id=<cleared> src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id=<cleared> mark=0 zone=2 use=1
610 OVS_TRAFFIC_VSWITCHD_STOP
dnl Like the IPv4 HTTP test, but the namespaces are attached through OVS
dnl internal ports (ADD_INT) rather than veth pairs. The point is the
dnl skb->nfct concern noted below: conntrack state from inside a namespace
dnl must not leak into the bridge's zone-1 lookups.
613 AT_SETUP([conntrack - multiple namespaces, internal ports])
dnl Secure fail mode: no fallback to NORMAL switching without a controller,
dnl so only the explicitly installed flows ever forward anything.
615 OVS_TRAFFIC_VSWITCHD_START(
616 [set-fail-mode br0 secure -- ])
618 ADD_NAMESPACES(at_ns0, at_ns1)
620 ADD_INT(p0, at_ns0, br0, "10.1.1.1/24")
621 ADD_INT(p1, at_ns1, br0, "10.1.1.2/24")
623 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
625 dnl If skb->nfct is leaking from inside the namespace, this test will fail.
626 AT_DATA([flows.txt], [dnl
627 priority=1,action=drop
628 priority=10,arp,action=normal
629 priority=10,icmp,action=normal
dnl Port 1: only untracked packets are committed; if the packet already
dnl carried a conntrack reference from the namespace it would miss this rule.
630 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=1),2
631 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
632 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
635 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
637 dnl HTTP requests from p0->p1 should work fine.
638 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
639 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
641 dnl (again) HTTP requests from p0->p1 should work fine.
642 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
644 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
645 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
dnl The sed expressions passed to STOP remove log lines that are expected when
dnl internal ports disappear along with their namespaces at teardown.
648 OVS_TRAFFIC_VSWITCHD_STOP(["dnl
649 /ioctl(SIOCGIFINDEX) on .* device failed: No such device/d
650 /removing policing failed: No such device/d"])
dnl A five-table pipeline modelling ingress and egress conntrack stages:
dnl table 0 chooses the output port into REG0, table 1 tracks in a zone keyed
dnl on the input port, table 2 in a zone keyed on the output port, table 3
dnl enforces +est on the egress lookup and table 4 outputs to REG0.
653 AT_SETUP([conntrack - multi-stage pipeline, local])
655 OVS_TRAFFIC_VSWITCHD_START()
657 ADD_NAMESPACES(at_ns0)
659 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
660 AT_CHECK([ip link set dev br0 up])
661 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
662 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
664 dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
665 dnl return traffic from ns0 back to the local stack.
666 AT_DATA([flows.txt], [dnl
668 table=0,priority=1,action=drop
669 table=0,priority=10,arp,action=normal
671 dnl Load the output port to REG0
dnl LOCAL's OpenFlow port number is 65534, which is also why the egress zone
dnl for traffic from port 1 shows up as zone=65534 in conntrack -L below.
672 table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
673 table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1
676 dnl - Allow all connections from LOCAL port (commit and proceed to egress)
677 dnl - All other connections go through conntracker using the input port as
678 dnl a connection tracking zone.
dnl Ingress stage: zone = in_port (OXM_OF_IN_PORT[[0..15]] is m4-quoted [0..15]).
679 table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2
680 table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
681 table=1,priority=1,action=drop
684 dnl - Allow all connections from LOCAL port (commit and skip to output)
685 dnl - Allow other established connections to go through conntracker using
686 dnl output port as a connection tracking zone.
dnl Egress stage: zone = output port held in REG0. Only connections that were
dnl already +est after the ingress lookup get an egress lookup at all.
687 table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4
688 table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
689 table=2,priority=1,action=drop
691 dnl Only allow established traffic from egress ct lookup
692 table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
693 table=3,priority=1,action=drop
dnl Output to whichever port table 0 stored in REG0.
696 table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
699 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
701 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
702 3 packets transmitted, 3 received, 0% packet loss, time 0ms
705 dnl HTTP requests from root namespace to p0 should work fine.
706 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
707 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
709 dnl (again) HTTP requests from root namespace to p0 should work fine.
710 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Each connection (TCP and the ICMP echo) is recorded in the ingress zone
dnl for port 1 (zone=1) and the egress zone for LOCAL (zone=65534).
712 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
713 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
714 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=65534 use=1
715 src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id=<cleared> src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id=<cleared> mark=0 zone=1 use=1
716 src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id=<cleared> src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id=<cleared> mark=0 zone=65534 use=1
719 OVS_TRAFFIC_VSWITCHD_STOP
dnl ct_mark as a policy tag: the mark is written at commit time via
dnl ct(commit,exec(...)) and used as a match on the return path. Pair 0/1 is
dnl consistent (mark 1); pair 2/3 writes mark 2 but checks for 1 and fails.
722 AT_SETUP([conntrack - ct_mark])
724 OVS_TRAFFIC_VSWITCHD_START()
726 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
728 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
729 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
730 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
731 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
733 dnl Allow traffic between ns0<->ns1 using the ct_mark.
734 dnl Check that different marks do not match for traffic between ns2<->ns3.
735 AT_DATA([flows.txt], [dnl
736 priority=1,action=drop
737 priority=10,arp,action=normal
738 priority=10,icmp,action=normal
dnl exec(set_field:1->ct_mark) runs inside the ct action, so the mark is
dnl stored on the conntrack entry, not just on this packet.
739 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
740 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
741 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
dnl Mark 2 is committed here but the return rule on port 4 demands ct_mark=1.
742 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:2->ct_mark)),4
743 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
744 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
747 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
749 dnl HTTP requests from p0->p1 should work fine.
750 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
751 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl grep TIME narrows the listing to the TIME_WAIT entry; it carries mark=1.
753 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
754 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=1 use=1
757 dnl HTTP requests from p2->p3 should fail due to network failure.
758 dnl Try 3 times, in 1 second intervals.
759 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
760 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl The half-open entry for pair 2/3 carries mark=2, confirming the mismatch.
762 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
763 SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=2 use=1
766 OVS_TRAFFIC_VSWITCHD_STOP
dnl Same ct_mark test, but the mark value is first loaded into REG0 and then
dnl copied into the entry with move:NXM_NX_REG0->NXM_NX_CT_MARK inside exec().
769 AT_SETUP([conntrack - ct_mark from register])
771 OVS_TRAFFIC_VSWITCHD_START()
773 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
775 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
776 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
777 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
778 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
780 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
781 AT_DATA([flows.txt], [dnl
782 priority=1,action=drop
783 priority=10,arp,action=normal
784 priority=10,icmp,action=normal
dnl [[0..31]] / [[]] are m4-quoted [0..31] / []: the whole 32-bit register is
dnl moved into the whole ct_mark.
785 priority=100,in_port=1,tcp,action=load:1->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),2
786 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
787 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
dnl Pair 2/3 commits mark 2 but matches ct_mark=1 on return -> expected to fail.
788 priority=100,in_port=3,tcp,action=load:2->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),4
789 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
790 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
793 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
795 dnl HTTP requests from p0->p1 should work fine.
796 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
797 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
799 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
800 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=1 use=1
803 dnl HTTP requests from p2->p3 should fail due to network failure.
804 dnl Try 3 times, in 1 second intervals.
805 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
806 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
808 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
809 SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=2 use=1
812 OVS_TRAFFIC_VSWITCHD_STOP
815 AT_SETUP([conntrack - ct_label])
817 OVS_TRAFFIC_VSWITCHD_START()
819 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
821 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
822 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
823 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
824 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
826 dnl Allow traffic between ns0<->ns1 using the ct_label.
827 dnl Check that different labels do not match for traffic between ns2<->ns3.
dnl ns0->ns1 TCP is committed with the 128-bit label 0x0a000d000005000001 and
dnl the ns1->ns0 rule requires exactly that label. ns2->ns3 is committed with
dnl label 0x2, but the ns3->ns2 rule still requires the first label, so the
dnl server's SYN-ACK matches nothing and hits the priority=1 drop.
828 AT_DATA([flows.txt], [dnl
829 priority=1,action=drop
830 priority=10,arp,action=normal
831 priority=10,icmp,action=normal
832 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:0x0a000d000005000001->ct_label)),2
833 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
834 priority=100,in_port=2,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=1
835 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:0x2->ct_label)),4
836 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
837 priority=100,in_port=4,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=3
840 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
842 dnl HTTP requests from p0->p1 should work fine.
843 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
844 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
846 dnl HTTP requests from p2->p3 should fail due to network failure (wget exit 4).
847 dnl Try 3 times, in 1 second intervals.
dnl NOTE(review): unlike the ct_mark tests there is no conntrack -L check here,
dnl so only wget's exit status distinguishes a label mismatch from any other
dnl connectivity failure.
848 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
849 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
851 OVS_TRAFFIC_VSWITCHD_STOP
854 AT_SETUP([conntrack - ICMP related])
856 OVS_TRAFFIC_VSWITCHD_START()
858 ADD_NAMESPACES(at_ns0, at_ns1)
860 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
861 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
863 dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
dnl UDP from port 1 is committed with ct_mark=1. ICMP arriving on port 2 is
dnl first run through conntrack and forwarded to port 1 only if conntrack ties
dnl it to a tracked connection (+rel) that carries ct_mark=1. An ICMP error
dnl that does not embed a tracked 5-tuple matches no rule and falls to the
dnl priority=1 drop, so forged ICMP errors cannot ride in as return traffic.
864 AT_DATA([flows.txt], [dnl
865 priority=1,action=drop
866 priority=10,arp,action=normal
867 priority=100,in_port=1,udp,action=ct(commit,exec(set_field:1->ct_mark)),2
868 priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
869 priority=100,in_port=2,icmp,ct_state=+trk+rel,ct_mark=1,action=1
872 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
874 dnl If we simulate a UDP request to a port that isn't serving any real traffic,
875 dnl then the destination responds with an ICMP "destination unreachable"
876 dnl message, it should be marked as "related".
dnl Packet 1 (44 bytes on the wire): UDP 10.1.1.1:33692 -> 10.1.1.2:5000,
dnl injected on port 1 and resubmitted to table 0.
877 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 resubmit\(,0\) 'dnl
878 0000 0000 0000 0000 0000 0000 0800 4500 dnl
879 001e bb85 4000 4011 6945 0a01 0101 0a01 dnl
880 0102 839c 1388 000a f1a6 610a'])
dnl Packet 2 (72 bytes): ICMP type 3 code 3 (port unreachable) from 10.1.1.2
dnl to 10.1.1.1, injected on port 2; its payload is the IP/UDP header of
dnl packet 1, which is what lets conntrack classify it as related.
882 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'dnl
883 0000 0000 0000 0000 0000 0000 0800 45c0 dnl
884 003a 411e 0000 4001 22e1 0a01 0102 0a01 dnl
885 0101 0303 131d 0000 0000 dnl
886 4500 001e bb85 4000 4011 6945 0a01 0101 dnl
887 0a01 0102 839c 1388 000a f1a6 610a'])
dnl Purge datapath flows so their stats are attributed to the OpenFlow rules
dnl before the counters are read.
889 AT_CHECK([ovs-appctl revalidator/purge], [0])
dnl Each of the three conntrack rules must have seen exactly one packet; the
dnl drop rule is filtered out of the listing.
890 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
891 n_packets=1, n_bytes=44, priority=100,udp,in_port=1 actions=ct(commit,exec(load:0x1->NXM_NX_CT_MARK[[]])),output:2
892 n_packets=1, n_bytes=72, priority=100,ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2 actions=output:1
893 n_packets=1, n_bytes=72, priority=100,ct_state=-trk,icmp,in_port=2 actions=ct(table=0)
894 priority=10,arp actions=NORMAL
898 OVS_TRAFFIC_VSWITCHD_STOP
901 AT_SETUP([conntrack - ICMP related 2])
903 OVS_TRAFFIC_VSWITCHD_START()
905 ADD_NAMESPACES(at_ns0, at_ns1)
907 ADD_VETH(p0, at_ns0, br0, "172.16.0.1/24")
908 ADD_VETH(p1, at_ns1, br0, "172.16.0.2/24")
910 dnl Track UDP from ns0->ns1 (commit) and punt every tracked ns0->ns1 packet to
dnl the controller. From ns1->ns0 only packets conntrack classifies as a
dnl related reply (+rel+rpl) are punted; anything else falls to the
dnl priority=1 drop. The point under test is that an ICMP error which does
dnl not reference a tracked connection is never treated as return traffic.
911 AT_DATA([flows.txt], [dnl
912 priority=1,action=drop
913 priority=10,arp,action=normal
914 priority=100,in_port=1,udp,ct_state=-trk,action=ct(commit,table=0)
915 priority=100,in_port=1,ip,ct_state=+trk,actions=controller
916 priority=100,in_port=2,ip,ct_state=-trk,action=ct(table=0)
917 priority=100,in_port=2,ip,ct_state=+trk+rel+rpl,action=controller
920 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt])
dnl Record packet-ins; the log is compared below to see which packets reached
dnl the controller.
922 AT_CAPTURE_FILE([ofctl_monitor.log])
923 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
925 dnl 1. Send an ICMP port unreach reply for port 8738, without any previous request
dnl    (outer 172.16.0.4 -> 172.16.0.3, embedding 172.16.0.3:4369 -> 172.16.0.4:8738).
dnl    No tracked connection matches the embedded 5-tuple, so this must NOT be
dnl    classified as related and must not reach the controller.
926 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f355ac100004ac1000030303553f0000000045000021317040004011b138ac100003ac10000411112222000d20966369616f0a'])
928 dnl 2. Send a UDP packet 172.16.0.1:41614 -> 172.16.0.2:5555 on port 1 and commit it
929 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit,table=0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
931 dnl 3. Send an ICMP port unreach reply for port 5555, related to the UDP packet from step 2
932 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
934 dnl Check this output. We only see the latter two packets, not the first:
dnl the unsolicited ICMP error from step 1 was dropped, the UDP packet shows up
dnl as new|trk and the matching ICMP error from step 3 as rel|rpl|trk.
935 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
936 NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=47 ct_state=new|trk,in_port=1 (via action) data_len=47 (unbuffered)
937 udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096
938 NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=75 ct_state=rel|rpl|trk,in_port=2 (via action) data_len=75 (unbuffered)
939 icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f
942 OVS_TRAFFIC_VSWITCHD_STOP
945 AT_SETUP([conntrack - FTP])
946 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
948 OVS_TRAFFIC_VSWITCHD_START()
950 ADD_NAMESPACES(at_ns0, at_ns1)
952 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
953 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
955 dnl Policy 1: every TCP connection from ns0->ns1 is committed with the FTP ALG
dnl attached. TCP from ns1->ns0 is forwarded only when conntrack reports it as
dnl established (+est) or related (+rel, i.e. a data connection the FTP ALG
dnl expects from the control channel); ns1 can never originate a connection.
dnl ARP/ICMP pass unconditionally. Note the +rel rule forwards without
dnl committing, so the data connection is not expected in the conntrack table.
956 AT_DATA([flows1.txt], [dnl
957 priority=1,action=drop
958 priority=10,arp,action=normal
959 priority=10,icmp,action=normal
960 priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
961 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
962 priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
963 priority=100,in_port=2,tcp,ct_state=+trk+rel,action=1
966 dnl Similar policy but without allowing all traffic from ns0->ns1.
dnl Policy 2: ns0->ns1 is also run through conntrack first; only +new
dnl connections are committed (with the ALG) and +est ones forwarded. From
dnl ns1->ns0 a connection is committed only when it is both new and related
dnl (the ALG-expected data connection); established and non-new related
dnl traffic is forwarded without committing.
967 AT_DATA([flows2.txt], [dnl
968 priority=1,action=drop
969 priority=10,arp,action=normal
970 priority=10,icmp,action=normal
971 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0)
972 priority=100,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
973 priority=100,in_port=1,tcp,ct_state=+trk+est,action=2
974 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
975 priority=100,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
976 priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
977 priority=100,in_port=2,tcp,ct_state=+trk-new+rel,action=1
980 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
dnl An FTP server runs in both namespaces so each direction can be tried.
982 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
983 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
985 dnl FTP requests from p1->p0 should fail due to network failure (wget exit 4).
986 dnl Try 3 times, in 1 second intervals.
987 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
dnl The SYN from port 2 is never committed, so nothing is tracked for 10.1.1.1.
988 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.1)], [0], [dnl
991 dnl Active FTP requests from p0->p1 should work fine.
992 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Only the control connection (helper=ftp) is listed; FIN states are filtered.
993 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
994 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=1
997 dnl Try the second set of flows.
998 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
1001 dnl FTP requests from p1->p0 should fail due to network failure (wget exit 4).
1002 dnl Try 3 times, in 1 second intervals.
1003 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
1004 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.1)], [0], [dnl
1007 dnl Active FTP requests from p0->p1 should work fine.
1008 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Active mode: the server (10.1.1.2) opens the data connection back to the
dnl client, hence the second entry with src=10.1.1.2. It is admitted only by
dnl the +new+rel rule on port 2, which also commits it, so it now shows up.
1009 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
1010 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=2
1011 TIME_WAIT src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1
dnl Flush the table so the passive case below is checked in isolation.
1014 AT_CHECK([conntrack -F 2>/dev/null])
1016 dnl Passive FTP requests from p0->p1 should work fine.
1017 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Passive mode: the client opens the data connection as well, so both
dnl entries have src=10.1.1.1.
1018 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
1019 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=2
1020 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1
1023 OVS_TRAFFIC_VSWITCHD_STOP
1026 AT_SETUP([conntrack - FTP with multiple expectations])
1027 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1029 OVS_TRAFFIC_VSWITCHD_START()
1031 ADD_NAMESPACES(at_ns0, at_ns1)
1033 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1034 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1036 dnl Dual-firewall, allow all from ns0->ns1, allow established and ftp ns1->ns0.
dnl Two conntrack zones (1 and 2) act as two firewalls in series. Each new
dnl ns0->ns1 TCP connection is committed into both zones with the FTP ALG
dnl attached, so the ALG registers an expectation for the data connection in
dnl both. Return traffic is run through zone 2 first: if related there it is
dnl committed into both zones and forwarded; if established in zone 2 it is
dnl checked again in zone 1, where it must be related or established.
dnl Note: an ns0->ns1 packet that is +est in zone 1 but +new in zone 2 is
dnl committed to zone 2 without an output action, i.e. not forwarded;
dnl presumably that branch is not expected to be hit by this test.
1037 AT_DATA([flows.txt], [dnl
1038 priority=1,action=drop
1039 priority=10,arp,action=normal
1040 priority=10,icmp,action=normal
1041 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
1042 priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
1043 priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=0,zone=2)
1044 priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=2)
1045 priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
1046 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
1047 priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
1048 priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=0,zone=1)
1049 priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
1050 priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
1053 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1055 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
1056 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1058 dnl FTP requests from p1->p0 should fail due to network failure (wget exit 4).
1059 dnl Try 3 times, in 1 second intervals.
1060 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
dnl Nothing may be tracked for 10.1.1.1 in either zone.
1061 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.1)], [0], [dnl
1064 dnl Active FTP requests from p0->p1 should work fine.
1065 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Control connection (helper=ftp) and the server-initiated data connection
dnl (src=10.1.1.2), each present once per zone.
1066 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
1067 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 helper=ftp use=2
1068 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 helper=ftp use=2
1069 TIME_WAIT src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
1070 TIME_WAIT src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
dnl Flush the table so the passive case below is checked in isolation.
1073 AT_CHECK([conntrack -F 2>/dev/null])
1075 dnl Passive FTP requests from p0->p1 should work fine.
1076 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Both connections are client-initiated (src=10.1.1.1), again once per zone.
1077 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
1078 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 helper=ftp use=2
1079 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
1080 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 helper=ftp use=2
1081 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
1084 OVS_TRAFFIC_VSWITCHD_STOP
1087 AT_SETUP([conntrack - IPv4 fragmentation ])
1089 OVS_TRAFFIC_VSWITCHD_START()
1091 ADD_NAMESPACES(at_ns0, at_ns1)
1093 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1094 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1096 dnl Sending ping through conntrack
dnl Echo requests from port 1 are committed in zone 9; replies on port 2 are
dnl forwarded only once tracked as established (+est-new) in that zone.
dnl Payloads of 1600 and 3200 bytes exceed the veth MTU (presumably 1500), so
dnl the datagrams arrive as IP fragments that conntrack has to reassemble
dnl before the ICMP match and state lookup can succeed.
1097 AT_DATA([flows.txt], [dnl
1098 priority=1,action=drop
1099 priority=10,arp,action=normal
1100 priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
1101 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1102 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1105 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1107 dnl Basic connectivity check.
1108 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1109 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1112 dnl IPv4 fragmentation connectivity check (1600-byte payload).
1113 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1114 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1117 dnl IPv4 larger-payload fragmentation connectivity check (3200-byte payload).
1118 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1119 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1122 OVS_TRAFFIC_VSWITCHD_STOP
1125 AT_SETUP([conntrack - IPv4 fragmentation + vlan])
1127 OVS_TRAFFIC_VSWITCHD_START()
1129 ADD_NAMESPACES(at_ns0, at_ns1)
1131 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1132 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl The pings below target the VLAN 100 addresses, so every frame carries an
dnl 802.1Q tag on its way through br0.
1133 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
1134 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
1136 dnl Sending ping through conntrack
dnl Same policy as the untagged IPv4 fragmentation test: requests from port 1
dnl are committed in zone 9, replies on port 2 must be +est-new in that zone.
dnl The rules do not match on the VLAN tag, so tagged ICMP still hits them.
1137 AT_DATA([flows.txt], [dnl
1138 priority=1,action=drop
1139 priority=10,arp,action=normal
1140 priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
1141 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1142 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1145 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1147 dnl Basic connectivity check.
1148 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1149 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1152 dnl IPv4 fragmentation connectivity check (1600-byte payload, tagged).
1153 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1154 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1157 dnl IPv4 larger-payload fragmentation connectivity check (3200-byte payload, tagged).
1158 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1159 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1162 OVS_TRAFFIC_VSWITCHD_STOP
1165 AT_SETUP([conntrack - IPv6 fragmentation])
1167 OVS_TRAFFIC_VSWITCHD_START()
1169 ADD_NAMESPACES(at_ns0, at_ns1)
1171 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1172 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1174 dnl Sending ping through conntrack
dnl All IPv6 from port 1 is committed in zone 9; IPv6 from port 2 is forwarded
dnl only once tracked as established (+est-new) in that zone. Neighbor
dnl Solicitation/Advertisement (ICMPv6 types 135/136) is switched with NORMAL
dnl at a higher priority, so ND bypasses conntrack in both directions.
dnl Payloads of 1600 and 3200 bytes exceed the veth MTU (presumably 1500), so
dnl the echo requests are sent as IPv6 fragments that conntrack must reassemble.
1175 AT_DATA([flows.txt], [dnl
1176 priority=1,action=drop
1177 priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
1178 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1179 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
1180 priority=100,icmp6,icmp_type=135,action=normal
1181 priority=100,icmp6,icmp_type=136,action=normal
1184 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1186 dnl Without this sleep, we get occasional failures due to the following error:
1187 dnl "connect: Cannot assign requested address"
1190 dnl Basic connectivity check.
1191 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1192 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1195 dnl IPv6 fragmentation connectivity check (1600-byte payload).
1196 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1197 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1200 dnl IPv6 larger-payload fragmentation connectivity check (3200-byte payload).
1201 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1202 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1205 OVS_TRAFFIC_VSWITCHD_STOP
1208 AT_SETUP([conntrack - IPv6 fragmentation + vlan])
1210 OVS_TRAFFIC_VSWITCHD_START()
1212 ADD_NAMESPACES(at_ns0, at_ns1)
1214 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1215 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl The pings below target the VLAN 100 addresses, so every frame carries an
dnl 802.1Q tag on its way through br0.
1217 ADD_VLAN(p0, at_ns0, 100, "fc00:1::3/96")
1218 ADD_VLAN(p1, at_ns1, 100, "fc00:1::4/96")
1220 dnl Sending ping through conntrack
dnl Same policy as the untagged IPv6 fragmentation test: IPv6 from port 1 is
dnl committed in zone 9, IPv6 from port 2 must be +est-new in that zone, and
dnl ND (ICMPv6 135/136) bypasses conntrack via NORMAL at priority 100. The
dnl rules do not match on the VLAN tag, so tagged traffic still hits them.
1221 AT_DATA([flows.txt], [dnl
1222 priority=1,action=drop
1223 priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
1224 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1225 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
1226 priority=100,icmp6,icmp_type=135,action=normal
1227 priority=100,icmp6,icmp_type=136,action=normal
1230 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1232 dnl Without this sleep, we get occasional failures due to the following error:
1233 dnl "connect: Cannot assign requested address"
1236 dnl Basic connectivity check.
1237 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1238 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1241 dnl IPv6 fragmentation connectivity check (1600-byte payload, tagged).
1242 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1243 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1246 dnl IPv6 larger-payload fragmentation connectivity check (3200-byte payload, tagged).
1247 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1248 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1251 OVS_TRAFFIC_VSWITCHD_STOP
1254 AT_SETUP([conntrack - Fragmentation over vxlan])
1255 AT_SKIP_IF([! ip link help 2>&1 | grep vxlan >/dev/null])
1258 OVS_TRAFFIC_VSWITCHD_START()
dnl br-underlay carries the outer (tunnel) traffic and does plain L2 switching;
dnl conntrack is applied only on the overlay bridge br0.
1259 ADD_BR([br-underlay])
1260 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
1262 ADD_NAMESPACES(at_ns0)
1264 dnl Sending ping through conntrack
dnl Overlay ICMP arriving on port 1 (presumably the vxlan port added below) is
dnl committed in zone 9 and delivered to LOCAL, the br0 internal port that
dnl holds 10.1.1.100. Replies from LOCAL are forwarded back only once tracked
dnl as established in zone 9; everything else hits the priority=1 drop.
1265 AT_DATA([flows.txt], [dnl
1266 priority=1,action=drop
1267 priority=10,arp,action=normal
1268 priority=100,in_port=1,icmp,action=ct(commit,zone=9),LOCAL
1269 priority=100,in_port=LOCAL,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1270 priority=100,in_port=LOCAL,ct_state=+trk+est,icmp,action=1
1273 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1275 dnl Set up underlay link from host into the namespace using veth pair.
1276 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
1277 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
1278 AT_CHECK([ip link set dev br-underlay up])
1280 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
1281 dnl linux device inside the namespace.
dnl VNI 0, default VXLAN UDP port 4789; the namespace side is a kernel vxlan
dnl device, the host side an OVS vxlan port on br0.
1282 ADD_OVS_TUNNEL([vxlan], [br0], [at_ns0], [172.31.1.1], [10.1.1.100/24])
1283 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
1284 [id 0 dstport 4789])
1286 dnl First, check the underlay
1287 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
1288 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1291 dnl Okay, now check the overlay with different packet sizes
dnl The 1600- and 3200-byte payloads exceed the overlay MTU, so the inner
dnl packets reach br0 as fragments that conntrack must reassemble after
dnl decapsulation before the ICMP match and zone-9 lookup can succeed.
1292 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1293 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1295 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1296 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1298 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1299 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1302 OVS_TRAFFIC_VSWITCHD_STOP
1305 AT_SETUP([conntrack - resubmit to ct multiple times])
dnl Secure fail mode: without a controller the bridge does not fall back to
dnl NORMAL switching, so only the flows installed below can forward anything.
1308 OVS_TRAFFIC_VSWITCHD_START(
1309 [set-fail-mode br0 secure -- ])
1311 ADD_NAMESPACES(at_ns0, at_ns1)
1313 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1314 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl IP from port 1 is resubmitted to table 1 and then table 2; each of those
dnl sends the packet through conntrack and recirculates into table 3, which
dnl drops it. The test checks that both ct() invocations run and are counted,
dnl not that anything is delivered: there is no rule for port 2 at all.
1316 AT_DATA([flows.txt], [dnl
1317 table=0,priority=150,arp,action=normal
1318 table=0,priority=100,ip,in_port=1,action=resubmit(,1),resubmit(,2)
1320 table=1,priority=100,ip,action=ct(table=3)
1321 table=2,priority=100,ip,action=ct(table=3)
1323 table=3,ip,action=drop
1326 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
dnl A single echo request; no reply can come back, so ping reports 100% loss.
1328 NS_CHECK_EXEC([at_ns0], [ping -q -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
1329 1 packets transmitted, 0 received, 100% packet loss, time 0ms
dnl The one 98-byte request is seen once in table 0, once in each of tables 1
dnl and 2, and twice in table 3 (n_packets=2, n_bytes=196): one copy per
dnl ct(table=3) recirculation.
1332 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort], [0], [dnl
1333 n_packets=1, n_bytes=98, priority=100,ip,in_port=1 actions=resubmit(,1),resubmit(,2)
1334 n_packets=2, n_bytes=84, priority=150,arp actions=NORMAL
1335 table=1, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
1336 table=2, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
1337 table=3, n_packets=2, n_bytes=196, ip actions=drop
1341 OVS_TRAFFIC_VSWITCHD_STOP