dnl System-level traffic tests. Each AT_SETUP below starts a real ovs-vswitchd,
dnl attaches network namespaces to it with veth (or internal) ports and sends
dnl live traffic, so these need root and a kernel datapath, not just the unit
dnl test harness.
1 AT_BANNER([datapath-sanity])
2
3 AT_SETUP([datapath - ping between two ports])
4 OVS_TRAFFIC_VSWITCHD_START()
5
dnl A single "normal" flow makes br0 a plain learning switch. No policy is
dnl applied here; this only checks that the datapath forwards traffic at all.
6 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
7
8 ADD_NAMESPACES(at_ns0, at_ns1)
9
10 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
11 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
12
dnl Default-size pings first, then 1600- and 3200-byte payloads, which exceed
dnl a typical 1500-byte MTU and so presumably cross the datapath as fragmented
dnl IPv4 (the MTU itself is not set in this test).
13 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
14 3 packets transmitted, 3 received, 0% packet loss, time 0ms
15 ])
16 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
17 3 packets transmitted, 3 received, 0% packet loss, time 0ms
18 ])
19 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
20 3 packets transmitted, 3 received, 0% packet loss, time 0ms
21 ])
22
23 OVS_TRAFFIC_VSWITCHD_STOP
24 AT_CLEANUP
25
26 AT_SETUP([datapath - ping between two ports on vlan])
27 OVS_TRAFFIC_VSWITCHD_START()
28
dnl Plain learning switch again; the point of this test is that the "normal"
dnl action learns and forwards correctly for 802.1Q-tagged frames.
29 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
30
31 ADD_NAMESPACES(at_ns0, at_ns1)
32
33 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
34 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
35
dnl Stack a VLAN 100 sub-interface on each veth. The pings below target the
dnl 10.2.2.0/24 addresses on those sub-interfaces, so they leave the namespace
dnl tagged with VLAN 100.
36 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
37 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
38
dnl Same three packet sizes as the untagged test; the two larger payloads
dnl presumably exercise fragmented traffic on the tagged path.
39 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
40 3 packets transmitted, 3 received, 0% packet loss, time 0ms
41 ])
42 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
43 3 packets transmitted, 3 received, 0% packet loss, time 0ms
44 ])
45 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
46 3 packets transmitted, 3 received, 0% packet loss, time 0ms
47 ])
48
49 OVS_TRAFFIC_VSWITCHD_STOP
50 AT_CLEANUP
51
52 AT_SETUP([datapath - ping6 between two ports])
53 OVS_TRAFFIC_VSWITCHD_START()
54
dnl Learning-switch only; no policy. IPv6 counterpart of the ping test above.
55 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
56
57 ADD_NAMESPACES(at_ns0, at_ns1)
58
59 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
60 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
61
62 dnl Without this sleep, we get occasional failures due to the following error:
63 dnl "connect: Cannot assign requested address"
dnl NOTE(review): this looks like IPv6 duplicate address detection leaving the
dnl address tentative for a moment after it is added; not confirmed here, a
dnl fixed sleep is the workaround rather than a proper wait.
64 sleep 2;
65
dnl Three packet sizes; the 1600- and 3200-byte payloads exceed a typical
dnl 1500-byte MTU and presumably travel as fragmented IPv6.
66 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
67 3 packets transmitted, 3 received, 0% packet loss, time 0ms
68 ])
69 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
70 3 packets transmitted, 3 received, 0% packet loss, time 0ms
71 ])
72 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
73 3 packets transmitted, 3 received, 0% packet loss, time 0ms
74 ])
75
76 OVS_TRAFFIC_VSWITCHD_STOP
77 AT_CLEANUP
78
79 AT_SETUP([datapath - ping6 between two ports on vlan])
80 OVS_TRAFFIC_VSWITCHD_START()
81
dnl Learning-switch only; checks "normal" forwarding of tagged IPv6 frames.
82 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
83
84 ADD_NAMESPACES(at_ns0, at_ns1)
85
86 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
87 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
88
dnl VLAN 100 sub-interfaces carry the fc00:1::/96 addresses used by the pings.
89 ADD_VLAN(p0, at_ns0, 100, "fc00:1::1/96")
90 ADD_VLAN(p1, at_ns1, 100, "fc00:1::2/96")
91
92 dnl Without this sleep, we get occasional failures due to the following error:
93 dnl "connect: Cannot assign requested address"
dnl NOTE(review): presumably IPv6 duplicate address detection; not confirmed.
94 sleep 2;
95
96 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
97 3 packets transmitted, 3 received, 0% packet loss, time 0ms
98 ])
99 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
100 3 packets transmitted, 3 received, 0% packet loss, time 0ms
101 ])
102 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
103 3 packets transmitted, 3 received, 0% packet loss, time 0ms
104 ])
105
106 OVS_TRAFFIC_VSWITCHD_STOP
107 AT_CLEANUP
108
109 AT_SETUP([datapath - ping over vxlan tunnel])
dnl Needs an iproute2 that understands "dstport" for vxlan devices; skip
dnl (rather than fail) on older tooling.
110 AT_SKIP_IF([! ip link add foo type vxlan help 2>&1 | grep dstport >/dev/null])
111
dnl br0 carries the overlay, br-underlay the transport network between the
dnl host and the namespace.
112 OVS_TRAFFIC_VSWITCHD_START()
113 ADD_BR([br-underlay])
114
115 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
116 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
117
118 ADD_NAMESPACES(at_ns0)
119
120 dnl Set up underlay link from host into the namespace using veth pair.
121 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
122 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
123 AT_CHECK([ip link set dev br-underlay up])
124
125 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
126 dnl linux device inside the namespace.
dnl VNI 0 on the standard UDP port 4789. Note that VXLAN itself carries no
dnl authentication or encryption: anything that can reach the underlay can
dnl inject frames into the overlay. This test checks connectivity only.
127 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
128 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
129                   [id 0 dstport 4789])
130
131 dnl First, check the underlay
132 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
133 3 packets transmitted, 3 received, 0% packet loss, time 0ms
134 ])
135
136 dnl Okay, now check the overlay with different packet sizes
dnl The larger payloads exceed a typical 1500-byte MTU even before the VXLAN
dnl encapsulation overhead, so they presumably test fragmentation of
dnl encapsulated traffic.
137 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
138 3 packets transmitted, 3 received, 0% packet loss, time 0ms
139 ])
140 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
141 3 packets transmitted, 3 received, 0% packet loss, time 0ms
142 ])
143 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
144 3 packets transmitted, 3 received, 0% packet loss, time 0ms
145 ])
146
147 OVS_TRAFFIC_VSWITCHD_STOP
148 AT_CLEANUP
149
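150 AT_SETUP([conntrack - controller])
151 CHECK_CONNTRACK()
152 OVS_TRAFFIC_VSWITCHD_START()
153
154 ADD_NAMESPACES(at_ns0, at_ns1)
155
dnl Ports are numbered in the order the veths are added: p0 is in_port=1 and
dnl p1 is in_port=2, which is what the flows below assume.
156 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
157 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
158
159 dnl Allow any UDP from port 1 (commit it and punt a copy to the controller).
dnl From port 2 only allow ARP and return traffic of an already-committed
dnl connection (+est after the ct lookup); anything else hits the drop rule.
160 AT_DATA([flows.txt], [dnl
161 priority=1,action=drop
162 priority=10,arp,action=normal
163 priority=100,in_port=1,udp,action=ct(commit),controller
164 priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
165 priority=100,in_port=2,ct_state=+trk+est,udp,action=controller
166 ])
167
168 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
169
dnl A detached ovs-ofctl acts as the "controller": every packet-in it receives
dnl is logged, and the log is the assertion below.
170 AT_CAPTURE_FILE([ofctl_monitor.log])
171 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
172
173 dnl Send an unsolicited reply from port 2. This should be dropped.
dnl This is the security-relevant case: a spoofed "reply" for a connection
dnl that was never committed must not reach the controller.
174 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
175
176 dnl OK, now start a new connection from port 1.
177 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit\),controller '50540000000a50540000000908004500001c00000000001100000a0101010a0101020001000200080000'])
178
179 dnl Now try a reply from port 2.
180 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
181
dnl packet-out returns once the switch has accepted the message, but the
dnl detached monitor writes the resulting packet-in to its log asynchronously,
dnl so reading the log immediately is a race. Wait (bounded) until the two
dnl expected packet-ins, two lines each, have been logged before comparing.
for i in 1 2 3 4 5 6 7 8 9 10; do
    test `wc -l < ofctl_monitor.log` -ge 4 && break
    sleep 1
done
182 dnl Check this output. We only see the latter two packets, not the first.
183 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
184 NXT_PACKET_IN (xid=0x0): total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
185 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
186 NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
187 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
188 ])
189
190 OVS_TRAFFIC_VSWITCHD_STOP
191 AT_CLEANUP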
192
193 AT_SETUP([conntrack - IPv4 HTTP])
194 CHECK_CONNTRACK()
195 OVS_TRAFFIC_VSWITCHD_START()
196
197 ADD_NAMESPACES(at_ns0, at_ns1)
198
dnl p0 is in_port=1, p1 is in_port=2 (order of addition), as the flows assume.
199 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
200 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
201
202 dnl Allow any TCP from ns0->ns1 and commit it. From ns1->ns0 only allow ARP,
dnl ICMP and return traffic of a committed connection (+est after lookup);
dnl a new connection initiated by ns1 falls through to the drop rule.
203 AT_DATA([flows.txt], [dnl
204 priority=1,action=drop
205 priority=10,arp,action=normal
206 priority=10,icmp,action=normal
207 priority=100,in_port=1,tcp,action=ct(commit),2
208 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
209 priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
210 ])
211
212 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
213
214 dnl Basic connectivity check.
215 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 >/dev/null])
216
217 dnl HTTP requests from ns0->ns1 should work fine.
218 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
219 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
220
dnl The committed connection must be visible in the kernel conntrack table
dnl (ports vary per run and are cleared by FORMAT_CT).
221 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
222 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1
223 ])
224
225 dnl HTTP requests from ns1->ns0 should fail due to network failure.
226 dnl Try 3 times, in 1 second intervals.
dnl This is the negative check of the stateful policy: wget exit status 4
dnl (network failure) is expected because ns1's SYN is +new, never +est.
227 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
228 NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log], [4])
229
230 OVS_TRAFFIC_VSWITCHD_STOP
231 AT_CLEANUP
232
233 AT_SETUP([conntrack - IPv6 HTTP])
234 CHECK_CONNTRACK()
235 OVS_TRAFFIC_VSWITCHD_START()
236
237 ADD_NAMESPACES(at_ns0, at_ns1)
238
dnl p0 is in_port=1, p1 is in_port=2 (order of addition), as the flows assume.
239 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
240 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
241
242 dnl Allow any TCP from ns0->ns1 and commit it. From ns1->ns0 only allow
dnl ICMPv6 (which carries neighbour discovery) and return traffic of a
dnl committed connection; a connection initiated by ns1 is dropped.
243 AT_DATA([flows.txt], [dnl
244 priority=1,action=drop
245 priority=10,icmp6,action=normal
246 priority=100,in_port=1,tcp6,action=ct(commit),2
247 priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
248 priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
249 ])
250
251 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
252
253 dnl Without this sleep, we get occasional failures due to the following error:
254 dnl "connect: Cannot assign requested address"
dnl NOTE(review): presumably IPv6 duplicate address detection; not confirmed.
255 sleep 2;
256
257 dnl HTTP requests from ns0->ns1 should work fine.
258 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])
259
dnl Double brackets: autotest quoting for the literal "[fc00::2]" URL form.
260 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
261
262 dnl HTTP requests from ns1->ns0 should fail due to network failure.
263 dnl Try 3 times, in 1 second intervals.
dnl Negative check of the stateful policy; wget exit status 4 expected.
264 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
265 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
266
267 OVS_TRAFFIC_VSWITCHD_STOP
268 AT_CLEANUP
269
270 AT_SETUP([conntrack - commit, recirc])
271 CHECK_CONNTRACK()
272 OVS_TRAFFIC_VSWITCHD_START()
273
274 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
275
dnl p0..p3 are in_port=1..4 in order of addition, as the flows assume.
276 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
277 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
278 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
279 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
280
281 dnl Allow any traffic from ns0->ns1, ns2->ns3.
dnl Ports 1/2: commit on the first pass, recirculate into table 0, then
dnl forward once tracked. Ports 3/4: the packet passes through ct() twice
dnl (a lookup, then a commit); metadata is used as a pass counter so the
dnl second trip through table 0 can be told apart from the first and the
dnl packet is only output after the commit.
282 AT_DATA([flows.txt], [dnl
283 priority=1,action=drop
284 priority=10,arp,action=normal
285 priority=10,icmp,action=normal
286 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
287 priority=100,in_port=1,tcp,ct_state=+trk,action=2
288 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
289 priority=100,in_port=2,tcp,ct_state=+trk,action=1
290 priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
291 priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
292 priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
293 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
294 priority=100,in_port=4,tcp,ct_state=+trk,action=3
295 ])
296
297 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
298
299 dnl HTTP requests from p0->p1 should work fine.
300 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
301 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
302
303 dnl HTTP requests from p2->p3 should work fine.
dnl Only succeeds if metadata survives the ct(...,table=0) recirculation.
304 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
305 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
306
307 OVS_TRAFFIC_VSWITCHD_STOP
308 AT_CLEANUP
309
310 AT_SETUP([conntrack - preserve registers])
311 CHECK_CONNTRACK()
312 OVS_TRAFFIC_VSWITCHD_START()
313
314 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
315
dnl p0..p3 are in_port=1..4 in order of addition, as the flows assume.
316 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
317 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
318 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
319 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
320
321 dnl Allow any traffic from ns0->ns1, ns2->ns3.
dnl Ports 3/4 use NXM_NX_REG0 as a pass counter across two ct() recirculations
dnl (lookup, then commit). The p2->p3 request only succeeds if the register
dnl value written before ct(...,table=0) is still there afterwards.
322 AT_DATA([flows.txt], [dnl
323 priority=1,action=drop
324 priority=10,arp,action=normal
325 priority=10,icmp,action=normal
326 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
327 priority=100,in_port=1,tcp,ct_state=+trk,action=2
328 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
329 priority=100,in_port=2,tcp,ct_state=+trk,action=1
330 priority=100,in_port=3,tcp,ct_state=-trk,action=load:0->NXM_NX_REG0[[]],ct(table=0)
331 priority=100,in_port=3,tcp,ct_state=+trk,reg0=0,action=load:1->NXM_NX_REG0[[]],ct(commit,table=0)
332 priority=100,in_port=3,tcp,ct_state=+trk,reg0=1,action=4
333 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
334 priority=100,in_port=4,tcp,ct_state=+trk,action=3
335 ])
336
337 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
338
339 dnl HTTP requests from p0->p1 should work fine.
340 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
341 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
342
343 dnl HTTP requests from p2->p3 should work fine.
344 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
345 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
346
347 OVS_TRAFFIC_VSWITCHD_STOP
348 AT_CLEANUP
349
350 AT_SETUP([conntrack - invalid])
351 CHECK_CONNTRACK()
352 OVS_TRAFFIC_VSWITCHD_START()
353
354 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
355
dnl p0..p3 are in_port=1..4 in order of addition, as the flows assume.
356 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
357 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
358 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
359 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
360
361 dnl Pass traffic from ns0->ns1 without committing, but attempt to track in
362 dnl the opposite direction. This should fail.
363 dnl Pass traffic from ns2->ns3 without committing, and this time match
364 dnl invalid traffic and allow it through.
dnl
dnl Caveat for anyone copying the second rule set: admitting +inv (and +new)
dnl on the return port means the stateful check no longer constrains that
dnl direction at all, which is exactly why the p2->p3 request below succeeds
dnl despite nothing having been committed. It is a test of ct_state
dnl classification, not a policy to reuse.
365 AT_DATA([flows.txt], [dnl
366 priority=1,action=drop
367 priority=10,arp,action=normal
368 priority=10,icmp,action=normal
369 priority=100,in_port=1,tcp,action=ct(),2
370 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
371 priority=100,in_port=2,ct_state=+trk+new,tcp,action=1
372 priority=100,in_port=3,tcp,action=ct(),4
373 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
374 priority=100,in_port=4,ct_state=+trk+inv,tcp,action=3
375 priority=100,in_port=4,ct_state=+trk+new,tcp,action=3
376 ])
377
378 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
379
380 dnl We set up our rules to allow the request without committing. The return
381 dnl traffic can't be identified, because the initial request wasn't committed.
382 dnl For the first pair of ports, this means that the connection fails.
dnl (wget exit status 4 = network failure.)
383 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
384 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4])
385
386 dnl For the second pair, we allow packets from invalid connections, so it works.
387 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
388 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
389
390 OVS_TRAFFIC_VSWITCHD_STOP
391 AT_CLEANUP
392
393 AT_SETUP([conntrack - zones])
394 CHECK_CONNTRACK()
395 OVS_TRAFFIC_VSWITCHD_START()
396
397 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
398
dnl p0..p3 are in_port=1..4 in order of addition, as the flows assume.
399 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
400 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
401 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
402 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
403
404 dnl Allow any traffic from ns0->ns1. Allow return traffic, matching on zone.
405 dnl For ns2->ns3, use a different zone and see that the match fails.
dnl Port 3 commits in zone 2 and port 4 looks up in zone 2, but the accept
dnl rule for port 4 deliberately requires ct_zone=1, so the return traffic
dnl is dropped. Zones are what isolates one tenant's state from another's;
dnl this checks the isolation holds.
406 AT_DATA([flows.txt], [dnl
407 priority=1,action=drop
408 priority=10,arp,action=normal
409 priority=10,icmp,action=normal
410 priority=100,in_port=1,tcp,action=ct(commit,zone=1),2
411 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
412 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
413 priority=100,in_port=3,tcp,action=ct(commit,zone=2),4
414 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0,zone=2)
415 priority=100,in_port=4,ct_state=+trk,ct_zone=1,tcp,action=3
416 ])
417
418 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
419
420 dnl HTTP requests from p0->p1 should work fine.
421 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
422 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
423
dnl The completed connection shows up in the kernel table tagged zone=1.
424 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
425 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
426 ])
427
428 dnl HTTP requests from p2->p3 should fail due to network failure.
429 dnl Try 3 times, in 1 second intervals.
430 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
431 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
432
dnl The zone-2 entry only ever saw the SYN (the SYN-ACK was dropped), so it
dnl stays in SYN_RECV and never becomes ASSURED.
433 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
434 SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=0 zone=2 use=1
435 ])
436
437 OVS_TRAFFIC_VSWITCHD_STOP
438 AT_CLEANUP
439
440 AT_SETUP([conntrack - zones from field])
441 CHECK_CONNTRACK()
442 OVS_TRAFFIC_VSWITCHD_START()
443
444 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
445
dnl p0..p3 are in_port=1..4 in order of addition, as the flows assume.
446 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
447 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
448 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
449 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
450
451 dnl Same shape as the "zones" test, but the zone is taken from a 16-bit
dnl register slice (NXM_NX_REG0[0..15]) instead of a literal. ns0->ns1 uses
dnl zone 0x1001 on both directions and works; ns2->ns3 commits in 0x1002 but
dnl the return rule on port 4 requires ct_zone=0x1001, so it is dropped.
452 AT_DATA([flows.txt], [dnl
453 priority=1,action=drop
454 priority=10,arp,action=normal
455 priority=10,icmp,action=normal
456 priority=100,in_port=1,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),2
457 priority=100,in_port=2,ct_state=-trk,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
458 priority=100,in_port=2,ct_state=+trk,ct_zone=0x1001,tcp,action=1
459 priority=100,in_port=3,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),4
460 priority=100,in_port=4,ct_state=-trk,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
461 priority=100,in_port=4,ct_state=+trk,ct_zone=0x1001,tcp,action=3
462 ])
463
464 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
465
466 dnl HTTP requests from p0->p1 should work fine.
467 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
468 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
469
dnl conntrack prints zones in decimal: 0x1001 = 4097.
470 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
471 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=4097 use=1
472 ])
473
474 dnl HTTP requests from p2->p3 should fail due to network failure.
475 dnl Try 3 times, in 1 second intervals.
476 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
477 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
478
dnl 0x1002 = 4098; SYN_RECV because the SYN-ACK never got back to ns2.
479 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
480 SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=0 zone=4098 use=1
481 ])
482
483 OVS_TRAFFIC_VSWITCHD_STOP
484 AT_CLEANUP
485
486 AT_SETUP([conntrack - multiple bridges])
487 CHECK_CONNTRACK()
dnl Two bridges joined by a patch pair. Because the patch ports are created
dnl here, before the veths below, each bridge's patch port is expected to be
dnl OpenFlow port 1 and its veth port 2 -- this is what the in_port numbers
dnl in both flow tables assume (patch+ = br0 port 1, p0 = br0 port 2;
dnl patch- = br1 port 1, p1 = br1 port 2).
488 OVS_TRAFFIC_VSWITCHD_START(
489    [_ADD_BR([br1]) --\
490     add-port br0 patch+ -- set int patch+ type=patch options:peer=patch- --\
491     add-port br1 patch- -- set int patch- type=patch options:peer=patch+ --])
492
493 ADD_NAMESPACES(at_ns0, at_ns1)
494
495 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
496 ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")
497
498 dnl Allow any traffic from ns0->br1, allow established in reverse.
dnl br0: p0 (port 2) initiates and is committed in zone 1; traffic arriving
dnl over the patch port (port 1) is only passed if the zone-1 lookup says
dnl it is established.
499 AT_DATA([flows-br0.txt], [dnl
500 priority=1,action=drop
501 priority=10,arp,action=normal
502 priority=10,icmp,action=normal
503 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(commit,zone=1),1
504 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
505 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=1,action=2
506 ])
507
508 dnl Allow any traffic from br0->ns1, allow established in reverse.
dnl br1 keeps its own state in zone 2, independently of br0's zone 1, so the
dnl same connection is tracked twice along the path.
509 AT_DATA([flows-br1.txt], [dnl
510 priority=1,action=drop
511 priority=10,arp,action=normal
512 priority=10,icmp,action=normal
513 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=2)
514 priority=100,in_port=1,tcp,ct_state=+trk+new,ct_zone=2,action=ct(commit,zone=2),2
515 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=2,action=2
516 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
517 priority=100,in_port=2,tcp,ct_state=+trk+est,ct_zone=2,action=ct(commit,zone=2),1
518 ])
519
520 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
521 AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt])
522
523 dnl HTTP requests from p0->p1 should work fine.
524 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
525 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
526
527 OVS_TRAFFIC_VSWITCHD_STOP
528 AT_CLEANUP
529
530 AT_SETUP([conntrack - multiple zones])
531 CHECK_CONNTRACK()
532 OVS_TRAFFIC_VSWITCHD_START()
533
534 ADD_NAMESPACES(at_ns0, at_ns1)
535
dnl p0 is in_port=1, p1 is in_port=2 (order of addition), as the flows assume.
536 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
537 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
538
539 dnl Allow any traffic from ns0->ns1, committing it to two zones (1 and 2)
dnl in one action list. Return traffic from ns1->ns0 is only looked up in
dnl zone 2, so zone 1 never sees the reply direction.
540 AT_DATA([flows.txt], [dnl
541 priority=1,action=drop
542 priority=10,arp,action=normal
543 priority=10,icmp,action=normal
544 priority=100,in_port=1,tcp,action=ct(commit,zone=1),ct(commit,zone=2),2
545 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=2)
546 priority=100,in_port=2,ct_state=+trk,ct_zone=2,tcp,action=1
547 ])
548
549 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
550
551 dnl HTTP requests from p0->p1 should work fine.
552 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
553 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
554
555 dnl (again) HTTP requests from p0->p1 should work fine.
556 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
557
dnl Two entries for the same 5-tuple, one per zone. Zone 1 only ever saw the
dnl originator's packets, so it is still SYN_SENT/UNREPLIED; zone 2 saw both
dnl directions and is ASSURED.
558 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
559 SYN_SENT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[UNREPLIED]] src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> mark=0 zone=1 use=1
560 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
561 ])
562
563 OVS_TRAFFIC_VSWITCHD_STOP
564 AT_CLEANUP
565
566 AT_SETUP([conntrack - multiple zones, local])
567 CHECK_CONNTRACK()
568 OVS_TRAFFIC_VSWITCHD_START()
569
570 ADD_NAMESPACES(at_ns0)
571
dnl The host's own stack is the other endpoint here: br0's internal device
dnl gets 10.1.1.1 and traffic from it enters the pipeline on in_port=LOCAL.
dnl The address is removed on exit so it does not leak into later tests.
572 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
573 AT_CHECK([ip link set dev br0 up])
574 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
575 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
576
577 dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
578 dnl return traffic from ns0 back to the local stack.
dnl LOCAL-originated IP is committed to zones 1 and 2 on every packet; note
dnl the first LOCAL rule drops untracked packets, so the kernel must already
dnl have tracked them before they reach the bridge. The return path from p0
dnl is checked in both zones, through tables 1 and 2, before reaching LOCAL.
579 AT_DATA([flows.txt], [dnl
580 priority=1,action=drop
581 priority=10,arp,action=normal
582 priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
583 priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
584 priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
585 priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
586 table=1,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
587 table=2,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
588 ])
589
590 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
591
dnl ICMP from the host stack; covered by the generic "ip" rules above.
592 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
593 3 packets transmitted, 3 received, 0% packet loss, time 0ms
594 ])
595
596 dnl HTTP requests from root namespace to p0 should work fine.
597 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
598 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
599
600 dnl (again) HTTP requests from root namespace to  p0 should work fine.
601 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
602
dnl Both the TCP connection and the ICMP echo show up once per zone; the
dnl grep drops any zone-less entries the host stack may have created.
603 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
604 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
605 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
606 src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id=<cleared> src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id=<cleared> mark=0 zone=1 use=1
607 src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id=<cleared> src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id=<cleared> mark=0 zone=2 use=1
608 ])
609
610 OVS_TRAFFIC_VSWITCHD_STOP
611 AT_CLEANUP
612
613 AT_SETUP([conntrack - multiple namespaces, internal ports])
614 CHECK_CONNTRACK()
dnl Fail mode "secure": if no controller is connected the bridge does not
dnl fall back to "normal" switching, so every forwarding decision in this
dnl test comes from the explicit flows below.
615 OVS_TRAFFIC_VSWITCHD_START(
616    [set-fail-mode br0 secure -- ])
617
618 ADD_NAMESPACES(at_ns0, at_ns1)
619
dnl OVS internal ports moved into the namespaces instead of veth pairs, so
dnl the packets are handed to the datapath directly from inside a namespace.
dnl p0 is in_port=1, p1 is in_port=2 (order of addition).
620 ADD_INT(p0, at_ns0, br0, "10.1.1.1/24")
621 ADD_INT(p1, at_ns1, br0, "10.1.1.2/24")
622
623 dnl Allow any traffic from ns0->ns1. From ns1->ns0 only allow ARP, ICMP and
dnl tracked return traffic in zone 1.
624 dnl
625 dnl If skb->nfct is leaking from inside the namespace, this test will fail.
626 AT_DATA([flows.txt], [dnl
627 priority=1,action=drop
628 priority=10,arp,action=normal
629 priority=10,icmp,action=normal
630 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=1),2
631 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
632 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
633 ])
634
635 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
636
637 dnl HTTP requests from p0->p1 should work fine.
638 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
639 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
640
641 dnl (again) HTTP requests from p0->p1 should work fine.
642 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
643
644 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
645 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
646 ])
647
dnl The internal ports live in other namespaces when vswitchd shuts down, so
dnl the two "No such device" warnings below are expected and filtered out of
dnl the log check.
648 OVS_TRAFFIC_VSWITCHD_STOP(["dnl
649 /ioctl(SIOCGIFINDEX) on .* device failed: No such device/d
650 /removing policing failed: No such device/d"])
651 AT_CLEANUP
652
653 AT_SETUP([conntrack - multi-stage pipeline, local])
654 CHECK_CONNTRACK()
655 OVS_TRAFFIC_VSWITCHD_START()
656
657 ADD_NAMESPACES(at_ns0)
658
dnl The host stack (in_port=LOCAL, 10.1.1.1) talks to ns0 (port 1, 10.1.1.2).
dnl The br0 address is removed on exit so it does not leak into later tests.
659 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
660 AT_CHECK([ip link set dev br0 up])
661 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
662 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
663
664 dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
665 dnl return traffic from ns0 back to the local stack.
dnl
dnl Pipeline: table 0 classifies and stores the output port in REG0; table 1
dnl is ingress conntrack keyed by the *input* port as zone; table 2 is egress
dnl conntrack keyed by the *output* port as zone; table 3 admits only
dnl established traffic from the egress lookup; table 4 outputs. Only the
dnl LOCAL port may open new connections, and it skips the egress lookup.
666 AT_DATA([flows.txt], [dnl
667 dnl default
668 table=0,priority=1,action=drop
669 table=0,priority=10,arp,action=normal
670
671 dnl Load the output port to REG0
672 table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
673 table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1
674
675 dnl Ingress pipeline
676 dnl - Allow all connections from LOCAL port (commit and proceed to egress)
677 dnl - All other connections go through conntracker using the input port as
678 dnl   a connection tracking zone.
679 table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2
680 table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
681 table=1,priority=1,action=drop
682
683 dnl Egress pipeline
684 dnl - Allow all connections from LOCAL port (commit and skip to output)
685 dnl - Allow other established connections to go through conntracker using
686 dnl   output port as a connection tracking zone.
687 table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4
688 table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
689 table=2,priority=1,action=drop
690
691 dnl Only allow established traffic from egress ct lookup
692 table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
693 table=3,priority=1,action=drop
694
695 dnl output table
696 table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
697 ])
698
699 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
700
701 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
702 3 packets transmitted, 3 received, 0% packet loss, time 0ms
703 ])
704
705 dnl HTTP requests from root namespace to p0 should work fine.
706 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
707 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
708
709 dnl (again) HTTP requests from root namespace to p0 should work fine.
710 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
711
dnl One entry per zone: zone 1 (the veth port) and zone 65534 (LOCAL, the
dnl value loaded into REG0 for traffic from port 1). The grep drops any
dnl zone-less entries the host stack may have created.
712 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
713 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
714 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=65534 use=1
715 src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id=<cleared> src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id=<cleared> mark=0 zone=1 use=1
716 src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id=<cleared> src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id=<cleared> mark=0 zone=65534 use=1
717 ])
718
719 OVS_TRAFFIC_VSWITCHD_STOP
720 AT_CLEANUP
721
722 AT_SETUP([conntrack - ct_mark])
723 CHECK_CONNTRACK()
724 OVS_TRAFFIC_VSWITCHD_START()
725
726 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
727
dnl p0..p3 are in_port=1..4 in order of addition, as the flows assume.
728 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
729 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
730 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
731 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
732
733 dnl Allow traffic between ns0<->ns1 using the ct_mark.
734 dnl Check that different marks do not match for traffic between ns2<->ns3.
dnl The mark is stored on the committed connection itself (set via exec()
dnl inside ct(commit)), so the return direction can be admitted on the
dnl mark alone. Port 3 commits mark=2 but port 4 only admits ct_mark=1:
dnl a deliberate mismatch that must result in a drop.
735 AT_DATA([flows.txt], [dnl
736 priority=1,action=drop
737 priority=10,arp,action=normal
738 priority=10,icmp,action=normal
739 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
740 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
741 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
742 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:2->ct_mark)),4
743 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
744 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
745 ])
746
747 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
748
749 dnl HTTP requests from p0->p1 should work fine.
750 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
751 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
752
dnl The kernel entry carries mark=1; grep TIME keeps only the finished TCP
dnl connection.
753 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
754 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=1 use=1
755 ])
756
757 dnl HTTP requests from p2->p3 should fail due to network failure.
758 dnl Try 3 times, in 1 second intervals.
759 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
760 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
761
dnl mark=2 was committed, but the SYN-ACK was dropped on the ct_mark=1 rule,
dnl so the entry is stuck in SYN_RECV.
762 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
763 SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=2 use=1
764 ])
765
766 OVS_TRAFFIC_VSWITCHD_STOP
767 AT_CLEANUP
768
769 AT_SETUP([conntrack - ct_mark from register])
dnl Same policy as the ct_mark test, but the mark is loaded into NXM_NX_REG0
dnl first and moved into ct_mark inside the ct(commit,exec(...)) action.
770 CHECK_CONNTRACK()
771 OVS_TRAFFIC_VSWITCHD_START()
772
773 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
774
775 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
776 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
777 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
778 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
779
780 dnl Allow traffic between ns0<->ns1 using a ct_mark taken from a register.
dnl Check that different marks do not match for traffic between ns2<->ns3:
dnl port 3 loads mark 2, but the return flow on port 4 requires mark=1.
dnl ARP and ICMP bypass conntrack entirely (action=normal); only TCP is policed.
781 AT_DATA([flows.txt], [dnl
782 priority=1,action=drop
783 priority=10,arp,action=normal
784 priority=10,icmp,action=normal
785 priority=100,in_port=1,tcp,action=load:1->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),2
786 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
787 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
788 priority=100,in_port=3,tcp,action=load:2->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),4
789 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
790 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
791 ])
792
793 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
794
795 dnl HTTP requests from p0->p1 should work fine.
796 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
797 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
798
dnl The completed connection carries the mark that came from the register.
799 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
800 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=1 use=1
801 ])
802
803 dnl HTTP requests from p2->p3 should fail due to network failure.
804 dnl Try 3 times, in 1 second intervals.
dnl wget exit status 4 is its "network failure" code.
805 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
806 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
807
dnl The handshake never completes: the entry stays in SYN_RECV, carrying mark=2.
808 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
809 SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=2 use=1
810 ])
811
812 OVS_TRAFFIC_VSWITCHD_STOP
813 AT_CLEANUP
814
815 AT_SETUP([conntrack - ct_label])
dnl Conntrack policy keyed on the 128-bit ct_label instead of ct_mark.
816 CHECK_CONNTRACK()
817 OVS_TRAFFIC_VSWITCHD_START()
818
819 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
820
821 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
822 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
823 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
824 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
825
826 dnl Allow traffic between ns0<->ns1 using the ct_label.
827 dnl Check that different labels do not match for traffic between ns2<->ns3.
dnl ns2->ns3 commits label 0x2, but the return flow on port 4 requires the
dnl ns0/ns1 label, so the reply is dropped. ARP and ICMP bypass conntrack.
828 AT_DATA([flows.txt], [dnl
829 priority=1,action=drop
830 priority=10,arp,action=normal
831 priority=10,icmp,action=normal
832 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:0x0a000d000005000001->ct_label)),2
833 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
834 priority=100,in_port=2,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=1
835 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:0x2->ct_label)),4
836 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
837 priority=100,in_port=4,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=3
838 ])
839
840 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
841
842 dnl HTTP requests from p0->p1 should work fine.
843 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
844 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
845
846 dnl HTTP requests from p2->p3 should fail due to network failure.
847 dnl Try 3 times, in 1 second intervals.
dnl wget exit status 4 is its "network failure" code. Unlike the ct_mark
dnl tests, the conntrack table is not inspected here; only reachability is.
848 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
849 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
850
851 OVS_TRAFFIC_VSWITCHD_STOP
852 AT_CLEANUP
853
854 AT_SETUP([conntrack - ICMP related])
dnl An ICMP error that quotes a committed UDP connection must be classified as
dnl "related" so that a policy allowing only related ICMP back lets it through.
855 CHECK_CONNTRACK()
856 OVS_TRAFFIC_VSWITCHD_START()
857
858 ADD_NAMESPACES(at_ns0, at_ns1)
859
860 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
861 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
862
863 dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
dnl Unrelated ICMP from port 2 falls through to the priority=1 drop.
864 AT_DATA([flows.txt], [dnl
865 priority=1,action=drop
866 priority=10,arp,action=normal
867 priority=100,in_port=1,udp,action=ct(commit,exec(set_field:1->ct_mark)),2
868 priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
869 priority=100,in_port=2,icmp,ct_state=+trk+rel,ct_mark=1,action=1
870 ])
871
872 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
873
874 dnl If we simulate a UDP request to a port that isn't serving any real traffic,
875 dnl then the destination responds with an ICMP "destination unreachable"
876 dnl message, it should be marked as "related".
dnl Raw hex frame: UDP 10.1.1.1 -> 10.1.1.2, injected on port 1 so that the
dnl in_port=1 flow commits it.
877 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 resubmit\(,0\) 'dnl
878 0000 0000 0000 0000 0000 0000 0800 4500 dnl
879 001e bb85 4000 4011 6945 0a01 0101 0a01 dnl
880 0102 839c 1388 000a f1a6 610a'])
881
dnl Raw hex frame: ICMP type 3 code 3 (port unreachable) from 10.1.1.2, whose
dnl payload quotes the IP/UDP header of the packet above (last two lines).
882 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'dnl
883 0000 0000 0000 0000 0000 0000 0800 45c0 dnl
884 003a 411e 0000 4001 22e1 0a01 0102 0a01 dnl
885 0101 0303 131d 0000 0000 dnl
886 4500 001e bb85 4000 4011 6945 0a01 0101 dnl
887 0a01 0102 839c 1388 000a f1a6 610a'])
888
dnl Flush datapath flow stats so dump-flows reflects both packets; the
dnl +rel+trk flow must have matched the ICMP error (n_packets=1).
889 AT_CHECK([ovs-appctl revalidator/purge], [0])
890 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
891  n_packets=1, n_bytes=44, priority=100,udp,in_port=1 actions=ct(commit,exec(load:0x1->NXM_NX_CT_MARK[[]])),output:2
892  n_packets=1, n_bytes=72, priority=100,ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2 actions=output:1
893  n_packets=1, n_bytes=72, priority=100,ct_state=-trk,icmp,in_port=2 actions=ct(table=0)
894  priority=10,arp actions=NORMAL
895 NXST_FLOW reply:
896 ])
897
898 OVS_TRAFFIC_VSWITCHD_STOP
899 AT_CLEANUP
900
901 AT_SETUP([conntrack - ICMP related 2])
dnl Variant of the ICMP related test observed through packet-in to the
dnl controller: an ICMP error with no matching committed connection must not
dnl be classified as related/reply.
902 CHECK_CONNTRACK()
903 OVS_TRAFFIC_VSWITCHD_START()
904
905 ADD_NAMESPACES(at_ns0, at_ns1)
906
907 ADD_VETH(p0, at_ns0, br0, "172.16.0.1/24")
908 ADD_VETH(p1, at_ns1, br0, "172.16.0.2/24")
909
910 dnl Commit UDP from ns0->ns1 and hand tracked packets to the controller.
dnl From ns1->ns0, only related reply traffic reaches the controller; anything
dnl else falls through to the priority=1 drop.
911 AT_DATA([flows.txt], [dnl
912 priority=1,action=drop
913 priority=10,arp,action=normal
914 priority=100,in_port=1,udp,ct_state=-trk,action=ct(commit,table=0)
915 priority=100,in_port=1,ip,ct_state=+trk,actions=controller
916 priority=100,in_port=2,ip,ct_state=-trk,action=ct(table=0)
917 priority=100,in_port=2,ip,ct_state=+trk+rel+rpl,action=controller
918 ])
919
920 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt])
921
dnl Capture every packet-in so the assertion below can compare the full log.
922 AT_CAPTURE_FILE([ofctl_monitor.log])
923 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
924
925 dnl 1. Send an ICMP port unreach reply for port 8738, without any previous request
dnl    (no committed connection exists, so it must not be +rel+rpl).
926 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f355ac100004ac1000030303553f0000000045000021317040004011b138ac100003ac10000411112222000d20966369616f0a'])
927
928 dnl 2. Send a UDP packet to port 5555
929 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit,table=0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
930
931 dnl 3. Send an ICMP port unreach reply for port 5555, related to the first packet
932 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
933
934 dnl Check this output. We only see the latter two packets, not the first.
dnl Packet 2 arrives as new|trk; packet 3 as rel|rpl|trk (icmp_type=3, code=3).
935 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
936 NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=47 ct_state=new|trk,in_port=1 (via action) data_len=47 (unbuffered)
937 udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096
938 NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=75 ct_state=rel|rpl|trk,in_port=2 (via action) data_len=75 (unbuffered)
939 icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f
940 ])
941
942 OVS_TRAFFIC_VSWITCHD_STOP
943 AT_CLEANUP
944
945 AT_SETUP([conntrack - FTP])
dnl FTP ALG: the helper (alg=ftp) creates expectations for the data channel,
dnl so active-mode data connections opened by the server are admitted as
dnl "related" without a flow that opens port 2 to arbitrary new connections.
946 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
947 CHECK_CONNTRACK()
948 OVS_TRAFFIC_VSWITCHD_START()
949
950 ADD_NAMESPACES(at_ns0, at_ns1)
951
952 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
953 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
954
955 dnl Allow any TCP from ns0->ns1 with the FTP helper attached. Only allow
dnl established or related return traffic from ns1->ns0.
956 AT_DATA([flows1.txt], [dnl
957 priority=1,action=drop
958 priority=10,arp,action=normal
959 priority=10,icmp,action=normal
960 priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
961 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
962 priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
963 priority=100,in_port=2,tcp,ct_state=+trk+rel,action=1
964 ])
965
966 dnl Similar policy but without allowing all traffic from ns0->ns1.
dnl Only new connections from port 1 are committed; related data connections
dnl from port 2 are committed too so that later packets match +est.
967 AT_DATA([flows2.txt], [dnl
968 priority=1,action=drop
969 priority=10,arp,action=normal
970 priority=10,icmp,action=normal
971 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0)
972 priority=100,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
973 priority=100,in_port=1,tcp,ct_state=+trk+est,action=2
974 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
975 priority=100,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
976 priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
977 priority=100,in_port=2,tcp,ct_state=+trk-new+rel,action=1
978 ])
979
980 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
981
dnl An FTP server runs in each namespace so both directions can be exercised.
982 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
983 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
984
985 dnl FTP requests from p1->p0 should fail due to network failure.
986 dnl Try 3 times, in 1 second intervals.
dnl wget exit status 4 is its "network failure" code; no entry may be created.
987 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp  -t 3 -T 1 -v -o wget1.log], [4])
988 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.1)], [0], [dnl
989 ])
990
991 dnl FTP requests from p0->p1 should work fine.
dnl The control connection carries helper=ftp; the data connection entry
dnl (FIN states) is filtered out of the comparison.
992 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
993 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
994 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=1
995 ])
996
997 dnl Try the second set of flows.
dnl NOTE(review): this flush is a bare shell command, unlike the AT_CHECK-wrapped
dnl one further down, so a failure here goes unreported and the stale entries
dnl above would leak into the next assertions.
998 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
999 conntrack -F
1000
1001 dnl FTP requests from p1->p0 should fail due to network failure.
1002 dnl Try 3 times, in 1 second intervals.
1003 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp  -t 3 -T 1 -v -o wget1.log], [4])
1004 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.1)], [0], [dnl
1005 ])
1006
1007 dnl Active FTP requests from p0->p1 should work fine.
dnl Active mode: the server (10.1.1.2) opens the data connection back to the
dnl client, which shows up as the second, reversed entry with no helper.
1008 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1009 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
1010 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=2
1011 TIME_WAIT src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1
1012 ])
1013
1014 AT_CHECK([conntrack -F 2>/dev/null])
1015
1016 dnl Passive FTP requests from p0->p1 should work fine.
dnl Passive mode: the client opens the data connection, so both entries
dnl are in the client->server direction.
1017 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1018 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
1019 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=2
1020 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1
1021 ])
1022
1023 OVS_TRAFFIC_VSWITCHD_STOP
1024 AT_CLEANUP
1025
1026 AT_SETUP([conntrack - FTP with multiple expectations])
dnl Two conntrack zones act as two firewalls in series; the FTP helper must
dnl create an expectation in each zone so the data connection passes both.
1027 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1028 CHECK_CONNTRACK()
1029 OVS_TRAFFIC_VSWITCHD_START()
1030
1031 ADD_NAMESPACES(at_ns0, at_ns1)
1032
1033 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1034 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1035
1036 dnl Dual-firewall (zones 1 and 2): allow all from ns0->ns1, allow established
dnl and ftp-related traffic from ns1->ns0.
dnl Packets from port 1 are tracked in zone 1 and then zone 2; packets from
dnl port 2 in zone 2 and then zone 1. Related data connections are committed
dnl in both zones so that subsequent packets match +est.
1037 AT_DATA([flows.txt], [dnl
1038 priority=1,action=drop
1039 priority=10,arp,action=normal
1040 priority=10,icmp,action=normal
1041 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
1042 priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
1043 priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=0,zone=2)
1044 priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=2)
1045 priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
1046 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
1047 priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
1048 priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=0,zone=1)
1049 priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
1050 priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
1051 ])
1052
1053 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1054
1055 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
1056 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1057
1058 dnl FTP requests from p1->p0 should fail due to network failure.
1059 dnl Try 3 times, in 1 second intervals.
dnl wget exit status 4 is its "network failure" code; no entry may be created.
1060 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp  -t 3 -T 1 -v -o wget1.log], [4])
1061 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.1)], [0], [dnl
1062 ])
1063
1064 dnl Active FTP requests from p0->p1 should work fine.
dnl Each connection (control with helper, server-initiated data without)
dnl appears once per zone.
1065 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1066 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
1067 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 helper=ftp use=2
1068 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 helper=ftp use=2
1069 TIME_WAIT src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
1070 TIME_WAIT src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
1071 ])
1072
1073 AT_CHECK([conntrack -F 2>/dev/null])
1074
1075 dnl Passive FTP requests from p0->p1 should work fine.
dnl Passive mode: the client opens the data connection, so all four entries
dnl are in the client->server direction.
1076 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1077 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
1078 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 helper=ftp use=2
1079 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
1080 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 helper=ftp use=2
1081 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
1082 ])
1083
1084 OVS_TRAFFIC_VSWITCHD_STOP
1085 AT_CLEANUP
1086
1087 AT_SETUP([conntrack - IPv4 fragmentation ])
dnl Fragmented ICMP echo requests must be reassembled and tracked so that the
dnl replies still match the +est return flow.
1088 CHECK_CONNTRACK()
1089 OVS_TRAFFIC_VSWITCHD_START()
1090
1091 ADD_NAMESPACES(at_ns0, at_ns1)
1092
1093 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1094 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1095
1096 dnl Sending ping through conntrack
dnl Requests from port 1 are committed in zone 9; only established,
dnl non-new replies from port 2 are allowed back.
1097 AT_DATA([flows.txt], [dnl
1098 priority=1,action=drop
1099 priority=10,arp,action=normal
1100 priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
1101 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1102 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1103 ])
1104
1105 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1106
1107 dnl Basic connectivity check.
1108 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1109 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1110 ])
1111
1112 dnl IPv4 fragmentation connectivity check (payload exceeds a 1500-byte MTU).
1113 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1114 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1115 ])
1116
1117 dnl IPv4 larger fragmentation connectivity check (three fragments per packet).
1118 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1119 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1120 ])
1121
1122 OVS_TRAFFIC_VSWITCHD_STOP
1123 AT_CLEANUP
1124
1125 AT_SETUP([conntrack - IPv4 fragmentation + vlan])
dnl Same as the IPv4 fragmentation test, but the traffic is VLAN-tagged (100)
dnl so reassembly must cope with the extra header.
1126 CHECK_CONNTRACK()
1127 OVS_TRAFFIC_VSWITCHD_START()
1128
1129 ADD_NAMESPACES(at_ns0, at_ns1)
1130
1131 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1132 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1133 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
1134 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
1135
1136 dnl Sending ping through conntrack
dnl Requests from port 1 are committed in zone 9; only established,
dnl non-new replies from port 2 are allowed back.
1137 AT_DATA([flows.txt], [dnl
1138 priority=1,action=drop
1139 priority=10,arp,action=normal
1140 priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
1141 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1142 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1143 ])
1144
1145 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1146
1147 dnl Basic connectivity check.
1148 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1149 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1150 ])
1151
1152 dnl IPv4 fragmentation connectivity check.
1153 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1154 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1155 ])
1156
1157 dnl IPv4 larger fragmentation connectivity check.
1158 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1159 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1160 ])
1161
1162 OVS_TRAFFIC_VSWITCHD_STOP
1163 AT_CLEANUP
1164
1165 AT_SETUP([conntrack - IPv6 fragmentation])
dnl IPv6 counterpart of the IPv4 fragmentation test.
1166 CHECK_CONNTRACK()
1167 OVS_TRAFFIC_VSWITCHD_START()
1168
1169 ADD_NAMESPACES(at_ns0, at_ns1)
1170
1171 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1172 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1173
1174 dnl Sending ping through conntrack
dnl All IPv6 from port 1 is committed in zone 9; only established replies
dnl return. Neighbor discovery (ICMPv6 types 135/136) bypasses conntrack.
1175 AT_DATA([flows.txt], [dnl
1176 priority=1,action=drop
1177 priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
1178 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1179 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
1180 priority=100,icmp6,icmp_type=135,action=normal
1181 priority=100,icmp6,icmp_type=136,action=normal
1182 ])
1183
1184 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1185
1186 dnl Without this sleep, we get occasional failures due to the following error:
1187 dnl "connect: Cannot assign requested address"
dnl (the addresses are presumably still in DAD/tentative state — not verified here)
1188 sleep 2;
1189
1190 dnl Basic connectivity check.
1191 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1192 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1193 ])
1194
1195 dnl IPv6 fragmentation connectivity check.
1196 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1197 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1198 ])
1199
1200 dnl IPv6 larger fragmentation connectivity check.
1201 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1202 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1203 ])
1204
1205 OVS_TRAFFIC_VSWITCHD_STOP
1206 AT_CLEANUP
1207
1208 AT_SETUP([conntrack - IPv6 fragmentation + vlan])
dnl Same as the IPv6 fragmentation test, but over VLAN 100 sub-interfaces.
1209 CHECK_CONNTRACK()
1210 OVS_TRAFFIC_VSWITCHD_START()
1211
1212 ADD_NAMESPACES(at_ns0, at_ns1)
1213
1214 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1215 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1216
1217 ADD_VLAN(p0, at_ns0, 100, "fc00:1::3/96")
1218 ADD_VLAN(p1, at_ns1, 100, "fc00:1::4/96")
1219
1220 dnl Sending ping through conntrack
dnl All IPv6 from port 1 is committed in zone 9; only established replies
dnl return. Neighbor discovery (ICMPv6 types 135/136) bypasses conntrack.
1221 AT_DATA([flows.txt], [dnl
1222 priority=1,action=drop
1223 priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
1224 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1225 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
1226 priority=100,icmp6,icmp_type=135,action=normal
1227 priority=100,icmp6,icmp_type=136,action=normal
1228 ])
1229
1230 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1231
1232 dnl Without this sleep, we get occasional failures due to the following error:
1233 dnl "connect: Cannot assign requested address"
1234 sleep 2;
1235
1236 dnl Basic connectivity check.
1237 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1238 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1239 ])
1240
1241 dnl IPv6 fragmentation connectivity check.
1242 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1243 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1244 ])
1245
1246 dnl IPv6 larger fragmentation connectivity check.
1247 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1248 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1249 ])
1250
1251 OVS_TRAFFIC_VSWITCHD_STOP
1252 AT_CLEANUP
1253
1254 AT_SETUP([conntrack - Fragmentation over vxlan])
dnl Fragmented overlay traffic arriving through a VXLAN tunnel port must be
dnl reassembled and tracked like traffic from a plain port.
1255 AT_SKIP_IF([! ip link help 2>&1 | grep vxlan >/dev/null])
1256 CHECK_CONNTRACK()
1257
1258 OVS_TRAFFIC_VSWITCHD_START()
dnl br-underlay carries the encapsulated packets and just switches them.
1259 ADD_BR([br-underlay])
1260 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
1261
1262 ADD_NAMESPACES(at_ns0)
1263
1264 dnl Sending ping through conntrack
dnl Overlay policy on br0: requests from the tunnel (port 1) are committed in
dnl zone 9 and sent to the bridge's LOCAL port; only established replies return.
1265 AT_DATA([flows.txt], [dnl
1266 priority=1,action=drop
1267 priority=10,arp,action=normal
1268 priority=100,in_port=1,icmp,action=ct(commit,zone=9),LOCAL
1269 priority=100,in_port=LOCAL,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1270 priority=100,in_port=LOCAL,ct_state=+trk+est,icmp,action=1
1271 ])
1272
1273 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1274
1275 dnl Set up underlay link from host into the namespace using veth pair.
1276 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
1277 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
1278 AT_CHECK([ip link set dev br-underlay up])
1279
1280 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
1281 dnl linux device inside the namespace.
1282 ADD_OVS_TUNNEL([vxlan], [br0], [at_ns0], [172.31.1.1], [10.1.1.100/24])
1283 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
1284                   [id 0 dstport 4789])
1285
1286 dnl First, check the underlay
1287 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
1288 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1289 ])
1290
1291 dnl Okay, now check the overlay with different packet sizes
1292 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1293 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1294 ])
1295 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1296 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1297 ])
1298 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1299 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1300 ])
1301
1302 OVS_TRAFFIC_VSWITCHD_STOP
1303 AT_CLEANUP
1304
1305 AT_SETUP([conntrack - resubmit to ct multiple times])
dnl A single packet that reaches ct() twice via two resubmits must be handled
dnl by both branches (table 3 sees it twice) rather than being lost or doubled.
1306 CHECK_CONNTRACK()
1307
dnl Secure fail mode: no default NORMAL flow, so flows.txt alone decides
dnl forwarding and nothing else can inflate the counters checked below.
1308 OVS_TRAFFIC_VSWITCHD_START(
1309    [set-fail-mode br0 secure -- ])
1310
1311 ADD_NAMESPACES(at_ns0, at_ns1)
1312
1313 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1314 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1315
dnl Both ct() branches land in table 3, which drops; the ping is expected to
dnl fail and only the flow statistics are asserted.
1316 AT_DATA([flows.txt], [dnl
1317 table=0,priority=150,arp,action=normal
1318 table=0,priority=100,ip,in_port=1,action=resubmit(,1),resubmit(,2)
1319
1320 table=1,priority=100,ip,action=ct(table=3)
1321 table=2,priority=100,ip,action=ct(table=3)
1322
1323 table=3,ip,action=drop
1324 ])
1325
1326 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1327
1328 NS_CHECK_EXEC([at_ns0], [ping -q -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
1329 1 packets transmitted, 0 received, 100% packet loss, time 0ms
1330 ])
1331
dnl One 98-byte echo request: tables 1 and 2 each count it once, table 3 twice.
1332 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort], [0], [dnl
1333  n_packets=1, n_bytes=98, priority=100,ip,in_port=1 actions=resubmit(,1),resubmit(,2)
1334  n_packets=2, n_bytes=84, priority=150,arp actions=NORMAL
1335  table=1, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
1336  table=2, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
1337  table=3, n_packets=2, n_bytes=196, ip actions=drop
1338 NXST_FLOW reply:
1339 ])
1340
1341 OVS_TRAFFIC_VSWITCHD_STOP
1342 AT_CLEANUP