1 AT_BANNER([datapath-sanity])
dnl Every test in this file follows the same shape: OVS_TRAFFIC_VSWITCHD_START
dnl brings up a bridge (br0), ADD_NAMESPACES/ADD_VETH attach network namespaces
dnl to it, traffic is exercised with NS_CHECK_EXEC, and OVS_TRAFFIC_VSWITCHD_STOP
dnl tears everything down.  FORMAT_PING appears to canonicalise the ping summary
dnl (the expected lines always read "time 0ms") so it can be compared literally.
dnl NOTE(review): this listing omits some lines of the original file (the closing
dnl "])" of each AT_CHECK/NS_CHECK_EXEC and several expected-value lines), so the
dnl bodies below are not complete autotest input as shown.
3 AT_SETUP([datapath - ping between two ports])
dnl Plain L2 sanity check: the single "actions=normal" flow makes br0 behave as
dnl a learning switch, so the two namespaces on the same /24 must reach each
dnl other without any explicit forwarding rules.
4 OVS_TRAFFIC_VSWITCHD_START()
6 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
8 ADD_NAMESPACES(at_ns0, at_ns1)
10 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
11 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Three probes with growing payloads (default, 1600 and 3200 bytes); the
dnl larger two exceed a typical 1500-byte Ethernet MTU and so presumably also
dnl exercise IP fragmentation through the datapath.  -w 2 bounds each run to
dnl two seconds so a broken datapath fails fast instead of hanging the suite.
13 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
14 3 packets transmitted, 3 received, 0% packet loss, time 0ms
16 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
17 3 packets transmitted, 3 received, 0% packet loss, time 0ms
19 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
20 3 packets transmitted, 3 received, 0% packet loss, time 0ms
23 OVS_TRAFFIC_VSWITCHD_STOP
26 AT_SETUP([datapath - http between two ports])
dnl Same two-namespace learning-switch setup as the ping test, but with a TCP
dnl application flow on top: an HTTP server (test-l7.py) in ns1 and a wget
dnl client in ns0.
27 OVS_TRAFFIC_VSWITCHD_START()
29 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
31 ADD_NAMESPACES(at_ns0, at_ns1)
33 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
34 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Confirm basic reachability before involving the L7 daemon, so an HTTP
dnl failure later cannot be confused with a broken datapath.
36 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
37 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl The server is started in the background (pid recorded in http0.pid).  wget
dnl retries up to 3 times with a 1 s timeout and keeps retrying on "connection
dnl refused", which gives the daemon time to bind before the test gives up.
40 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
41 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
43 OVS_TRAFFIC_VSWITCHD_STOP
46 AT_SETUP([datapath - ping between two ports on vlan])
dnl As the basic ping test, but the probes travel over VLAN 100 sub-interfaces
dnl (10.2.2.0/24) stacked on the untagged veths, so tagged frames must be
dnl switched correctly by the "normal" action.
47 OVS_TRAFFIC_VSWITCHD_START()
49 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
51 ADD_NAMESPACES(at_ns0, at_ns1)
53 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
54 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl VLAN id 100 on both sides; the untagged 10.1.1.0/24 addresses stay in place
dnl but are not used by the checks below.
56 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
57 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
dnl Default, 1600- and 3200-byte payloads, as in the untagged case.
59 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
60 3 packets transmitted, 3 received, 0% packet loss, time 0ms
62 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
63 3 packets transmitted, 3 received, 0% packet loss, time 0ms
65 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
66 3 packets transmitted, 3 received, 0% packet loss, time 0ms
69 OVS_TRAFFIC_VSWITCHD_STOP
72 AT_SETUP([datapath - ping6 between two ports])
dnl IPv6 counterpart of the basic ping test: two namespaces in fc00::/96 on a
dnl learning-switch bridge.
73 OVS_TRAFFIC_VSWITCHD_START()
75 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
77 ADD_NAMESPACES(at_ns0, at_ns1)
79 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
80 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
82 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
83 dnl waiting, we get occasional failures due to the following error:
84 dnl "connect: Cannot assign requested address"
dnl OVS_WAIT_UNTIL polls a single ping6 until it succeeds (or times out), so the
dnl counted probes below start from a settled address configuration.
85 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
dnl Default, 1600- and 3200-byte payloads; the larger ones presumably exercise
dnl IPv6 fragmentation as in the IPv4 test.
87 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
88 3 packets transmitted, 3 received, 0% packet loss, time 0ms
90 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
91 3 packets transmitted, 3 received, 0% packet loss, time 0ms
93 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
94 3 packets transmitted, 3 received, 0% packet loss, time 0ms
97 OVS_TRAFFIC_VSWITCHD_STOP
100 AT_SETUP([datapath - ping6 between two ports on vlan])
dnl IPv6 over VLAN 100 sub-interfaces (fc00:1::/96) on a learning-switch bridge.
101 OVS_TRAFFIC_VSWITCHD_START()
103 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
105 ADD_NAMESPACES(at_ns0, at_ns1)
107 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
108 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
110 ADD_VLAN(p0, at_ns0, 100, "fc00:1::1/96")
111 ADD_VLAN(p1, at_ns1, 100, "fc00:1::2/96")
113 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
114 dnl waiting, we get occasional failures due to the following error:
115 dnl "connect: Cannot assign requested address"
dnl NOTE(review): the readiness probe targets the untagged address fc00::2,
dnl while the checks below use the VLAN address fc00:1::2.  A ready untagged
dnl path does not by itself prove the VLAN sub-interface is ready; probing
dnl fc00:1::2 here would make the wait match what is tested.
116 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
118 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
119 3 packets transmitted, 3 received, 0% packet loss, time 0ms
121 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
122 3 packets transmitted, 3 received, 0% packet loss, time 0ms
124 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
125 3 packets transmitted, 3 received, 0% packet loss, time 0ms
128 OVS_TRAFFIC_VSWITCHD_STOP
131 AT_SETUP([datapath - ping over vxlan tunnel])
dnl Topology: a second bridge, br-underlay, carries the outer (172.31.1.0/24)
dnl traffic between the host and ns0.  On top of it, an OVS vxlan port on br0
dnl (host side) and a native Linux vxlan device in ns0 form the overlay
dnl 10.1.1.0/24.  Both bridges simply switch with "actions=normal".
134 OVS_TRAFFIC_VSWITCHD_START()
135 ADD_BR([br-underlay])
137 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
138 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
140 ADD_NAMESPACES(at_ns0)
142 dnl Set up underlay link from host into the namespace using veth pair.
dnl ns0 owns 172.31.1.1; the host end is the br-underlay internal port itself,
dnl given 172.31.1.100 and brought up below.
143 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
144 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
145 AT_CHECK([ip link set dev br-underlay up])
147 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
148 dnl linux device inside the namespace.
dnl Each endpoint points at the other's underlay address: the OVS port at the
dnl namespace (172.31.1.1), the namespace device at the host (172.31.1.100).
dnl NOTE(review): the ADD_NATIVE_TUNNEL argument list continues on a following
dnl line that this listing does not reproduce.
149 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
150 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
153 dnl First, check the underlay
154 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
155 3 packets transmitted, 3 received, 0% packet loss, time 0ms
158 dnl Okay, now check the overlay with different packet sizes
dnl The 1600- and 3200-byte payloads are larger than the underlay's likely MTU
dnl once the VXLAN encapsulation is added, so they presumably exercise
dnl fragmentation of the encapsulated packets as well.
159 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
160 3 packets transmitted, 3 received, 0% packet loss, time 0ms
162 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
163 3 packets transmitted, 3 received, 0% packet loss, time 0ms
165 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
166 3 packets transmitted, 3 received, 0% packet loss, time 0ms
169 OVS_TRAFFIC_VSWITCHD_STOP
172 AT_SETUP([datapath - ping over gre tunnel])
dnl Same underlay/overlay topology as the vxlan test, with a GRE tunnel port on
dnl br0 and a native gretap device (Ethernet-over-GRE) inside ns0.
175 OVS_TRAFFIC_VSWITCHD_START()
176 ADD_BR([br-underlay])
178 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
179 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
181 ADD_NAMESPACES(at_ns0)
183 dnl Set up underlay link from host into the namespace using veth pair.
184 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
185 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
186 AT_CHECK([ip link set dev br-underlay up])
188 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
189 dnl linux device inside the namespace.
dnl The OVS side is plain "gre"; the namespace side must be "gretap" so that
dnl it carries Ethernet frames, matching what the OVS bridge port expects.
190 ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
191 ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24])
193 dnl First, check the underlay
194 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
195 3 packets transmitted, 3 received, 0% packet loss, time 0ms
198 dnl Okay, now check the overlay with different packet sizes
199 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
200 3 packets transmitted, 3 received, 0% packet loss, time 0ms
202 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
203 3 packets transmitted, 3 received, 0% packet loss, time 0ms
205 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
206 3 packets transmitted, 3 received, 0% packet loss, time 0ms
209 OVS_TRAFFIC_VSWITCHD_STOP
212 AT_SETUP([datapath - ping over geneve tunnel])
dnl Same underlay/overlay topology again, this time with Geneve encapsulation
dnl on both the OVS port and the native namespace device.
215 OVS_TRAFFIC_VSWITCHD_START()
216 ADD_BR([br-underlay])
218 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
219 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
221 ADD_NAMESPACES(at_ns0)
223 dnl Set up underlay link from host into the namespace using veth pair.
224 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
225 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
226 AT_CHECK([ip link set dev br-underlay up])
228 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
229 dnl linux device inside the namespace.
dnl NOTE(review): as with the vxlan test, the ADD_NATIVE_TUNNEL call continues
dnl on a following line not reproduced in this listing.
230 ADD_OVS_TUNNEL([geneve], [br0], [at_gnv0], [172.31.1.1], [10.1.1.100/24])
231 ADD_NATIVE_TUNNEL([geneve], [ns_gnv0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
234 dnl First, check the underlay
235 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
236 3 packets transmitted, 3 received, 0% packet loss, time 0ms
239 dnl Okay, now check the overlay with different packet sizes
240 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
241 3 packets transmitted, 3 received, 0% packet loss, time 0ms
243 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
244 3 packets transmitted, 3 received, 0% packet loss, time 0ms
246 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
247 3 packets transmitted, 3 received, 0% packet loss, time 0ms
250 OVS_TRAFFIC_VSWITCHD_STOP
253 AT_SETUP([datapath - basic truncate action])
dnl Verifies the output(port=N,max_len=L) truncate action by byte counting.
dnl Two veth pairs (p1/ovs-p1 and p2/ovs-p2) have BOTH ends attached to br0, so
dnl whatever is output to ovs-p1 (port 2) re-enters br0 on p1 (port 3), and
dnl likewise ovs-p2 (port 4) -> p2 (port 5).  Drop rules on ports 3 and 5 then
dnl expose the received frame size through their n_bytes counters.
254 OVS_TRAFFIC_VSWITCHD_START()
255 AT_CHECK([ovs-ofctl del-flows br0])
257 dnl Create p0 and ovs-p0(1)
dnl Fixed MAC plus a static ARP entry for 10.1.1.2, so the UDP sends below need
dnl no ARP exchange and the flows can match on the exact dl_dst.
258 ADD_NAMESPACES(at_ns0)
259 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
260 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
261 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
263 dnl Create p1(3) and ovs-p1(2), packets received from ovs-p1 will appear in p1
dnl Deleting one end of a veth pair at exit removes both ends.
264 AT_CHECK([ip link add p1 type veth peer name ovs-p1])
265 on_exit 'ip link del ovs-p1'
266 AT_CHECK([ip link set dev ovs-p1 up])
267 AT_CHECK([ip link set dev p1 up])
268 AT_CHECK([ovs-vsctl add-port br0 ovs-p1 -- set interface ovs-p1 ofport_request=2])
269 dnl Use p1 to check the truncated packet
270 AT_CHECK([ovs-vsctl add-port br0 p1 -- set interface p1 ofport_request=3])
272 dnl Create p2(5) and ovs-p2(4)
273 AT_CHECK([ip link add p2 type veth peer name ovs-p2])
274 on_exit 'ip link del ovs-p2'
275 AT_CHECK([ip link set dev ovs-p2 up])
276 AT_CHECK([ip link set dev p2 up])
277 AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=4])
278 dnl Use p2 to check the truncated packet
279 AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=5])
dnl Flow table: frames from port 1 to the test MAC are copied to port 2
dnl truncated at 100 bytes and to port 4 untruncated.  The hairpinned copies
dnl arriving on ports 3 and 5 are dropped but counted.
282 AT_CHECK([ovs-ofctl del-flows br0])
283 AT_DATA([flows.txt], [dnl
284 in_port=3 dl_dst=e6:66:c1:22:22:22 actions=drop
285 in_port=5 dl_dst=e6:66:c1:22:22:22 actions=drop
286 in_port=1 dl_dst=e6:66:c1:22:22:22 actions=output(port=2,max_len=100),output:4
288 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
290 dnl use this file as payload file for ncat
dnl 200 random bytes; the later "242" figures are ETH(14)+IP(20)+UDP(8)+200.
291 AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
292 on_exit 'rm -f payload200.bin'
293 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])
295 dnl packet with truncated size
dnl revalidator/purge appears to flush datapath flows so their statistics are
dnl folded into the OpenFlow flow counters before dump-flows reads them.
dnl NOTE(review): the expected n_bytes values of these checks are among the
dnl lines this listing does not reproduce.
296 AT_CHECK([ovs-appctl revalidator/purge], [0])
297 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
300 dnl packet with original size
301 AT_CHECK([ovs-appctl revalidator/purge], [0])
302 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
306 dnl more complicated output actions
dnl Mixed list of truncated and untruncated outputs to both hairpin pairs.  A
dnl max_len larger than the frame (65535) must leave the frame untouched, and
dnl a truncate must not "stick" to subsequent untruncated outputs.
307 AT_CHECK([ovs-ofctl del-flows br0])
308 AT_DATA([flows.txt], [dnl
309 in_port=3 dl_dst=e6:66:c1:22:22:22 actions=drop
310 in_port=5 dl_dst=e6:66:c1:22:22:22 actions=drop
311 in_port=1 dl_dst=e6:66:c1:22:22:22 actions=output(port=2,max_len=100),output:4,output(port=2,max_len=100),output(port=4,max_len=100),output:2,output(port=4,max_len=200),output(port=2,max_len=65535)
313 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
315 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])
317 dnl 100 + 100 + 242 + min(65535,242) = 684
318 AT_CHECK([ovs-appctl revalidator/purge], [0])
319 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
322 dnl 242 + 100 + min(242,200) = 542
323 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
327 dnl SLOW_ACTION: disable kernel datapath truncate support
328 dnl Repeat the test above, but exercise the SLOW_ACTION code path
dnl The expected reply below reproduces the daemon's own wording (including its
dnl misspelling) and must not be "corrected" here.
329 AT_CHECK([ovs-appctl dpif/disable-truncate], [0],
330 [Datapath truncate action diabled
333 dnl SLOW_ACTION test1: check datapath actions
dnl With truncate unsupported by the datapath, the trace must still list the
dnl trunc() actions and must report that the flow is handled in userspace.
334 AT_CHECK([ovs-ofctl del-flows br0])
335 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
337 AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=1,dl_type=0x800,dl_src=e6:66:c1:11:11:11,dl_dst=e6:66:c1:22:22:22,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,tp_src=8,tp_dst=9"], [0], [stdout])
338 AT_CHECK([tail -3 stdout], [0],
339 [Datapath actions: trunc(100),3,5,trunc(100),3,trunc(100),5,3,trunc(200),5,trunc(65535),3
340 This flow is handled by the userspace slow path because it:
341 - Uses action(s) not supported by datapath.
344 dnl SLOW_ACTION test2: check actual packet truncate
dnl Same byte-count expectations as the fast-path run (684 and 542).
345 AT_CHECK([ovs-ofctl del-flows br0])
346 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
347 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])
349 dnl 100 + 100 + 242 + min(65535,242) = 684
350 AT_CHECK([ovs-appctl revalidator/purge], [0])
351 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
355 dnl 242 + 100 + min(242,200) = 542
356 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
360 OVS_TRAFFIC_VSWITCHD_STOP
363 dnl Create 2 bridges and 2 namespaces to test truncate over
365 dnl br0: overlay bridge
366 dnl ns1: connect to br0, with IP:10.1.1.2
367 dnl br-underlay: with IP: 172.31.1.100
368 dnl ns0: connect to br-underlay, with IP: 10.1.1.1
dnl Port numbering on br0 used by the flows below: 1 = at_gre0 (tunnel),
dnl 2 = ovs-p1 (ns1), 3/4 = ovs-p2/p2 hairpin pair used only for byte counting.
369 AT_SETUP([datapath - truncate and output to gre tunnel])
371 OVS_TRAFFIC_VSWITCHD_START()
373 ADD_BR([br-underlay])
374 ADD_NAMESPACES(at_ns0)
375 ADD_NAMESPACES(at_ns1)
376 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
377 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
379 dnl Set up underlay link from host into the namespace using veth pair.
380 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
381 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
382 AT_CHECK([ip link set dev br-underlay up])
384 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
385 dnl linux device inside the namespace.
dnl Fixed MACs and static ARP on both overlay endpoints so the UDP sends are
dnl the only traffic the counters see.
386 ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
387 ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24])
388 AT_CHECK([ovs-vsctl -- set interface at_gre0 ofport_request=1])
389 NS_CHECK_EXEC([at_ns0], [ip link set dev ns_gre0 address e6:66:c1:11:11:11])
390 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
392 dnl Set up (p1 and ovs-p1) at br0
393 ADD_VETH(p1, at_ns1, br0, '10.1.1.2/24')
394 AT_CHECK([ovs-vsctl -- set interface ovs-p1 ofport_request=2])
395 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
396 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
398 dnl Set up (p2 and ovs-p2) as loopback for verifying packet size
dnl Both ends on br0: output to port 3 re-enters on port 4.
399 AT_CHECK([ip link add p2 type veth peer name ovs-p2])
400 on_exit 'ip link del ovs-p2'
401 AT_CHECK([ip link set dev ovs-p2 up])
402 AT_CHECK([ip link set dev p2 up])
403 AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=3])
404 AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=4])
406 dnl use this file as payload file for ncat
407 AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
408 on_exit 'rm -f payload200.bin'
dnl br0: decapsulated traffic from the tunnel (port 1) goes truncated to ns1
dnl and to the hairpin; UDP from ns1 (port 2) goes truncated INTO the tunnel.
dnl The hairpin return (port 4) and everything else is dropped but counted.
410 AT_CHECK([ovs-ofctl del-flows br0])
411 AT_DATA([flows.txt], [dnl
412 priority=99,in_port=1,actions=output(port=2,max_len=100),output(port=3,max_len=100)
413 priority=99,in_port=2,udp,actions=output(port=1,max_len=100)
414 priority=1,in_port=4,ip,actions=drop
415 priority=1,actions=drop
417 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
dnl br-underlay: only GRE (nw_proto=47) is switched between the veth (port 1)
dnl and the host stack (LOCAL); the default-deny rule drops anything else, and
dnl its LOCAL->1 rule is where the encapsulated size is read back.
419 AT_CHECK([ovs-ofctl del-flows br-underlay])
420 AT_DATA([flows-underlay.txt], [dnl
421 priority=99,dl_type=0x0800,nw_proto=47,in_port=1,actions=LOCAL
422 priority=99,dl_type=0x0800,nw_proto=47,in_port=LOCAL,ip_dst=172.31.1.1/24,actions=1
423 priority=1,actions=drop
426 AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])
428 dnl check tunnel push path, from at_ns1 to at_ns0
dnl The frame is counted at full size on br0 (before the truncate) and at the
dnl truncated-plus-encapsulation size on br-underlay (after it).
429 NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
430 AT_CHECK([ovs-appctl revalidator/purge], [0])
432 dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
433 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
436 dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
437 AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
441 dnl check tunnel pop path, from at_ns0 to at_ns1
dnl Decapsulated on at_gre0, output truncated to the hairpin, and counted on
dnl the in_port=4 drop rule.  Here the byte count is taken as the fifth
dnl comma-separated field of the dump-flows line rather than via sed.
442 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 5678 < payload200.bin])
443 dnl After truncation = 100 byte at loopback device p2(4)
444 AT_CHECK([ovs-appctl revalidator/purge], [0])
445 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | awk --field-separator=', ' '{print $5}'], [0], [dnl
449 dnl SLOW_ACTION: disable datapath truncate support
450 dnl Repeat the test above, but exercise the SLOW_ACTION code path
dnl The expected reply reproduces the daemon's own wording, misspelling
dnl included.
451 AT_CHECK([ovs-appctl dpif/disable-truncate], [0],
452 [Datapath truncate action diabled
455 dnl SLOW_ACTION test1: check datapath actions
dnl NOTE(review): unlike the basic truncate test, no ofproto/trace check
dnl appears under "test1" in this listing; only the flows are reinstalled.
456 AT_CHECK([ovs-ofctl del-flows br0])
457 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
459 dnl SLOW_ACTION test2: check actual packet truncate
460 AT_CHECK([ovs-ofctl del-flows br0])
461 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
462 AT_CHECK([ovs-ofctl del-flows br-underlay])
463 AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])
465 dnl check tunnel push path, from at_ns1 to at_ns0
dnl Same 242/138/100 expectations as the fast-path run above.
466 NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
467 AT_CHECK([ovs-appctl revalidator/purge], [0])
469 dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
470 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
473 dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
474 AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
478 dnl check tunnel pop path, from at_ns0 to at_ns1
479 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 5678 < payload200.bin])
480 dnl After truncation = 100 byte at loopback device p2(4)
481 AT_CHECK([ovs-appctl revalidator/purge], [0])
482 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | awk --field-separator=', ' '{print $5}'], [0], [dnl
486 OVS_TRAFFIC_VSWITCHD_STOP
489 AT_SETUP([conntrack - controller])
dnl Stateful-filtering test driven entirely by packet-out, with the controller
dnl path used as the observer: ovs-ofctl monitor records every packet that
dnl reaches a "controller" action, so the log shows exactly which packets the
dnl conntrack rules let through.
491 OVS_TRAFFIC_VSWITCHD_START()
493 ADD_NAMESPACES(at_ns0, at_ns1)
495 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
496 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
498 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl Rule set: default-deny (priority 1); ARP switched normally; UDP from port 1
dnl is committed to conntrack and sent to the controller; untracked UDP from
dnl port 2 is run through conntrack and re-looked-up in table 0, and only
dnl packets that are then tracked AND established reach the controller.
499 AT_DATA([flows.txt], [dnl
500 priority=1,action=drop
501 priority=10,arp,action=normal
502 priority=100,in_port=1,udp,action=ct(commit),controller
503 priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
504 priority=100,in_port=2,ct_state=+trk+est,udp,action=controller
507 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Detached monitor whose output lands in ofctl_monitor.log; the file is
dnl captured on failure so the packet-in decode is available for debugging.
509 AT_CAPTURE_FILE([ofctl_monitor.log])
510 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
512 dnl Send an unsolicited reply from port 2. This should be dropped.
dnl The hex strings are raw Ethernet/IPv4/UDP frames (the decode appears in the
dnl expected log below).  This one is 10.1.1.2 -> 10.1.1.1 with no matching
dnl conntrack entry, so after ct(table=0) it is not +est and falls to the
dnl default drop.
513 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
515 dnl OK, now start a new connection from port 1.
dnl 10.1.1.1 -> 10.1.1.2, committed to conntrack and delivered to the monitor.
516 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit\),controller '50540000000a50540000000908004500001c00000000001100000a0101010a0101020001000200080000'])
518 dnl Now try a reply from port 2.
dnl Same frame as the first attempt, but now it matches the committed entry.
519 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
521 dnl Check this output. We only see the latter two packets, not the first.
dnl The second packet-in carries ct_state=est|rpl|trk, i.e. it was recognised
dnl as the reply direction of an established connection.
522 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
523 NXT_PACKET_IN2 (xid=0x0): total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
524 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
525 NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
526 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
529 OVS_TRAFFIC_VSWITCHD_STOP
532 AT_SETUP([conntrack - IPv4 HTTP])
dnl One-way TCP policy: connections may only be initiated from ns0 (port 1);
dnl ns1 (port 2) may only send packets that belong to an established
dnl connection.  Checked with a real HTTP exchange in each direction.
534 OVS_TRAFFIC_VSWITCHD_START()
536 ADD_NAMESPACES(at_ns0, at_ns1)
538 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
539 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
541 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl Default-deny at priority 1; ARP and ICMP are switched normally so address
dnl resolution works in both directions.  TCP from port 1 is committed and
dnl forwarded to port 2; untracked TCP from port 2 is sent through conntrack,
dnl and only the tracked+established result is forwarded to port 1.
542 AT_DATA([flows.txt], [dnl
543 priority=1,action=drop
544 priority=10,arp,action=normal
545 priority=10,icmp,action=normal
546 priority=100,in_port=1,tcp,action=ct(commit),2
547 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
548 priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
551 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
553 dnl HTTP requests from ns0->ns1 should work fine.
554 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
555 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Exactly one committed TCP entry is expected; FORMAT_CT masks the ephemeral
dnl ports and TCP state so the comparison is stable across runs.
557 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
558 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
561 dnl HTTP requests from ns1->ns0 should fail due to network failure.
562 dnl Try 3 times, in 1 second intervals.
dnl The SYN from ns1 is untracked/new, never established, so it is dropped;
dnl wget is expected to exit 4 (network failure).  --retry-connrefused is
dnl deliberately absent here since no connection is ever refused, only lost.
563 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
564 NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log], [4])
566 OVS_TRAFFIC_VSWITCHD_STOP
569 AT_SETUP([conntrack - IPv6 HTTP])
dnl IPv6 variant of the one-way TCP policy test.
571 OVS_TRAFFIC_VSWITCHD_START()
573 ADD_NAMESPACES(at_ns0, at_ns1)
575 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
576 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
578 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl icmp6 replaces arp+icmp from the IPv4 test: IPv6 neighbour discovery is
dnl carried over ICMPv6, so it has to be allowed for the hosts to find each
dnl other at all.  tcp6 matches play the same role as tcp above.
579 AT_DATA([flows.txt], [dnl
580 priority=1,action=drop
581 priority=10,icmp6,action=normal
582 priority=100,in_port=1,tcp6,action=ct(commit),2
583 priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
584 priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
587 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
589 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
590 dnl waiting, we get occasional failures due to the following error:
591 dnl "connect: Cannot assign requested address"
592 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
594 dnl HTTP requests from ns0->ns1 should work fine.
dnl "http6" selects the IPv6 listener in test-l7.py; the URL brackets are
dnl doubled because of m4 quoting.
595 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])
597 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
599 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
600 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
603 dnl HTTP requests from ns1->ns0 should fail due to network failure.
604 dnl Try 3 times, in 1 second intervals.
dnl Expected wget exit status 4 (network failure), as in the IPv4 test.
605 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
606 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
608 OVS_TRAFFIC_VSWITCHD_STOP
611 AT_SETUP([conntrack - commit, recirc])
dnl Two independent port pairs.  Pair 1/2 commits and recirculates in one ct()
dnl action; pair 3/4 additionally checks that the "metadata" field written
dnl before a ct(table=0) recirculation is still visible afterwards and can be
dnl used to drive a second, committing ct() pass.
613 OVS_TRAFFIC_VSWITCHD_START()
615 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
617 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
618 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
619 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
620 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
622 dnl Allow any traffic from ns0->ns1, ns2->ns3.
dnl Ports 1/2: untracked TCP is run through ct (committing on the initiator
dnl side) and re-enters table 0, where the +trk rule forwards it.  Note that
dnl the port-2 +trk rule does not require +est; this test is about
dnl recirculation, not about filtering the reply direction.
dnl Ports 3/4: port 3 sets metadata=0, recirculates, then on the +trk pass
dnl matches metadata=0, sets metadata=1 and recirculates again with commit;
dnl only the metadata=1 pass forwards.  Port 4 commits and recirculates once.
623 AT_DATA([flows.txt], [dnl
624 priority=1,action=drop
625 priority=10,arp,action=normal
626 priority=10,icmp,action=normal
627 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
628 priority=100,in_port=1,tcp,ct_state=+trk,action=2
629 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
630 priority=100,in_port=2,tcp,ct_state=+trk,action=1
631 priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
632 priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
633 priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
634 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
635 priority=100,in_port=4,tcp,ct_state=+trk,action=3
638 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
640 dnl HTTP requests from p0->p1 should work fine.
641 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
642 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
644 dnl HTTP requests from p2->p3 should work fine.
dnl If metadata were lost across the recirculation, the port-3 packets would
dnl never reach the metadata=1 rule and this fetch would fail.
645 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
646 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
648 OVS_TRAFFIC_VSWITCHD_STOP
651 AT_SETUP([conntrack - preserve registers])
dnl Same structure as "commit, recirc", but the value carried across the
dnl ct(table=0) recirculation is register reg0 (NXM_NX_REG0) instead of the
dnl metadata field.
653 OVS_TRAFFIC_VSWITCHD_START()
655 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
657 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
658 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
659 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
660 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
662 dnl Allow any traffic from ns0->ns1, ns2->ns3.
dnl Port 3 loads reg0=0, recirculates, then on the +trk pass matches reg0=0,
dnl loads reg0=1 and recirculates with commit; only the reg0=1 pass forwards
dnl to port 4.  The doubled "[[]]" is m4 quoting for an empty bit range.
663 AT_DATA([flows.txt], [dnl
664 priority=1,action=drop
665 priority=10,arp,action=normal
666 priority=10,icmp,action=normal
667 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
668 priority=100,in_port=1,tcp,ct_state=+trk,action=2
669 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
670 priority=100,in_port=2,tcp,ct_state=+trk,action=1
671 priority=100,in_port=3,tcp,ct_state=-trk,action=load:0->NXM_NX_REG0[[]],ct(table=0)
672 priority=100,in_port=3,tcp,ct_state=+trk,reg0=0,action=load:1->NXM_NX_REG0[[]],ct(commit,table=0)
673 priority=100,in_port=3,tcp,ct_state=+trk,reg0=1,action=4
674 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
675 priority=100,in_port=4,tcp,ct_state=+trk,action=3
678 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
680 dnl HTTP requests from p0->p1 should work fine.
681 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
682 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
684 dnl HTTP requests from p2->p3 should work fine.
dnl Fails if reg0 is not preserved across the recirculation.
685 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
686 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
688 OVS_TRAFFIC_VSWITCHD_STOP
691 AT_SETUP([conntrack - invalid])
dnl Shows what happens to reply traffic for a connection that was tracked but
dnl never committed: conntrack classifies it as invalid (+inv), not +new.
dnl Pair 1/2 drops such traffic; pair 3/4 explicitly admits it.
693 OVS_TRAFFIC_VSWITCHD_START()
695 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
697 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
698 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
699 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
700 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
702 dnl Pass traffic from ns0->ns1 without committing, but attempt to track in
703 dnl the opposite direction. This should fail.
704 dnl Pass traffic from ns2->ns3 (ports 3->4) without committing, and this time
705 dnl match invalid traffic and allow it through.
dnl ct() with no commit only consults the table; port 2's reply rule accepts
dnl +new only, which the SYN-ACK is not.  Port 4 accepts both +inv and +new.
706 AT_DATA([flows.txt], [dnl
707 priority=1,action=drop
708 priority=10,arp,action=normal
709 priority=10,icmp,action=normal
710 priority=100,in_port=1,tcp,action=ct(),2
711 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
712 priority=100,in_port=2,ct_state=+trk+new,tcp,action=1
713 priority=100,in_port=3,tcp,action=ct(),4
714 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
715 priority=100,in_port=4,ct_state=+trk+inv,tcp,action=3
716 priority=100,in_port=4,ct_state=+trk+new,tcp,action=3
719 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
721 dnl We set up our rules to allow the request without committing. The return
722 dnl traffic can't be identified, because the initial request wasn't committed.
723 dnl For the first pair of ports, this means that the connection fails.
dnl wget exit status 4 = network failure (the handshake never completes).
724 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
725 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4])
727 dnl For the second pair, we allow packets from invalid connections, so it works.
dnl From a filtering standpoint this is the permissive configuration: admitting
dnl +inv forfeits the state check that the first pair relies on.
728 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
729 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
731 OVS_TRAFFIC_VSWITCHD_STOP
734 AT_SETUP([conntrack - zones])
dnl Conntrack zones are independent tables.  Pair 1/2 commits and looks up in
dnl zone 1 consistently; pair 3/4 commits in zone 2 but the forwarding rule
dnl on port 4 checks ct_zone=1, so the reply can never match and is dropped.
736 OVS_TRAFFIC_VSWITCHD_START()
738 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
740 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
741 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
742 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
743 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
745 dnl Allow any traffic from ns0->ns1. Allow return traffic, matching on zone.
746 dnl For ns2->ns3, use a different zone and see that the match fails.
dnl Note the port-4 rule (ct_zone=1) is the deliberate mismatch against the
dnl zone=2 used by ports 3 and 4 elsewhere.
747 AT_DATA([flows.txt], [dnl
748 priority=1,action=drop
749 priority=10,arp,action=normal
750 priority=10,icmp,action=normal
751 priority=100,in_port=1,tcp,action=ct(commit,zone=1),2
752 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
753 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
754 priority=100,in_port=3,tcp,action=ct(commit,zone=2),4
755 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0,zone=2)
756 priority=100,in_port=4,ct_state=+trk,ct_zone=1,tcp,action=3
759 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
761 dnl HTTP requests from p0->p1 should work fine.
762 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
763 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl The committed entry carries zone=1.
765 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
766 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
769 dnl HTTP requests from p2->p3 should fail due to network failure.
770 dnl Try 3 times, in 1 second intervals.
771 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
772 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl The connection WAS committed (in zone 2); it failed only because the reply
dnl rule looked for the wrong zone.
774 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
775 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
778 OVS_TRAFFIC_VSWITCHD_STOP
781 AT_SETUP([conntrack - zones from field])
dnl As the "zones" test, but the zone is taken from bits 0..15 of reg0 at
dnl ct() time instead of being a literal: 0x1001 (4097) for pair 1/2,
dnl 0x1002 (4098) for pair 3/4.
783 OVS_TRAFFIC_VSWITCHD_START()
785 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
787 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
788 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
789 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
790 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
792 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl For ns2->ns3 the reply rule on port 4 matches ct_zone=0x1001 although the
dnl connection was committed in zone 0x1002, so the reply is dropped, as in
dnl the literal-zone test.
793 AT_DATA([flows.txt], [dnl
794 priority=1,action=drop
795 priority=10,arp,action=normal
796 priority=10,icmp,action=normal
797 priority=100,in_port=1,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),2
798 priority=100,in_port=2,ct_state=-trk,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
799 priority=100,in_port=2,ct_state=+trk,ct_zone=0x1001,tcp,action=1
800 priority=100,in_port=3,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),4
801 priority=100,in_port=4,ct_state=-trk,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
802 priority=100,in_port=4,ct_state=+trk,ct_zone=0x1001,tcp,action=3
805 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
807 dnl HTTP requests from p0->p1 should work fine.
808 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
809 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl dump-conntrack prints the zone in decimal: 4097 == 0x1001.
811 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
812 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=4097,protoinfo=(state=<cleared>)
815 dnl HTTP requests from p2->p3 should fail due to network failure.
816 dnl Try 3 times, in 1 second intervals.
817 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
818 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl Entry exists in zone 4098 (0x1002); the reply rule looked in 0x1001.
820 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
821 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=4098,protoinfo=(state=<cleared>)
824 OVS_TRAFFIC_VSWITCHD_STOP
827 AT_SETUP([conntrack - multiple bridges])
dnl Two bridges joined by a patch-port pair, each tracking in its own zone
dnl (zone 1 on br0, zone 2 on br1).
829 OVS_TRAFFIC_VSWITCHD_START(
831 add-port br0 patch+ -- set int patch+ type=patch options:peer=patch- --\
832 add-port br1 patch- -- set int patch- type=patch options:peer=patch+ --])
834 ADD_NAMESPACES(at_ns0, at_ns1)
836 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
837 ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")
839 dnl Allow any traffic from ns0->br1, allow established in reverse.
dnl Going by the direction of these rules, in_port=2 is p0 (at_ns0) and
dnl in_port=1 is the patch port on br0.
840 AT_DATA([flows-br0.txt], [dnl
841 priority=1,action=drop
842 priority=10,arp,action=normal
843 priority=10,icmp,action=normal
844 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(commit,zone=1),1
845 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
dnl The return path requires +est, so a new connection arriving over the
dnl patch port falls through to the drop rule.
846 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=1,action=2
849 dnl Allow any traffic from br0->ns1, allow established in reverse.
dnl br1 re-runs ct() from -trk on both of its ports, so its policy does not
dnl depend on any ct state surviving the patch-port hop from br0.
850 AT_DATA([flows-br1.txt], [dnl
851 priority=1,action=drop
852 priority=10,arp,action=normal
853 priority=10,icmp,action=normal
854 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=2)
855 priority=100,in_port=1,tcp,ct_state=+trk+new,ct_zone=2,action=ct(commit,zone=2),2
856 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=2,action=2
857 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
858 priority=100,in_port=2,tcp,ct_state=+trk+est,ct_zone=2,action=ct(commit,zone=2),1
861 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
862 AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt])
864 dnl HTTP requests from p0->p1 should work fine.
dnl Only the permitted direction is exercised: there is no check that a new
dnl connection from p1->p0 is refused, and no conntrack dump.
865 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
866 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
868 OVS_TRAFFIC_VSWITCHD_STOP
871 AT_SETUP([conntrack - multiple zones])
dnl One connection is committed into two zones by consecutive ct() actions;
dnl the return path only consults zone 2.
873 OVS_TRAFFIC_VSWITCHD_START()
875 ADD_NAMESPACES(at_ns0, at_ns1)
877 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
878 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
880 dnl Allow any TCP from ns0->ns1, committing it in zones 1 and 2. From
dnl ns1->ns0 allow ARP, ICMP and TCP that has been looked up in zone 2.
881 AT_DATA([flows.txt], [dnl
882 priority=1,action=drop
883 priority=10,arp,action=normal
884 priority=10,icmp,action=normal
885 priority=100,in_port=1,tcp,action=ct(commit,zone=1),ct(commit,zone=2),2
886 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=2)
dnl +trk and ct_zone=2 are set by the lookup itself, whether or not an entry
dnl exists; this rule does not require +est, so it is not a return-traffic-only
dnl policy (compare the +est rules in the multiple bridges test). The
dnl ns1->ns0 direction is not exercised here.
887 priority=100,in_port=2,ct_state=+trk,ct_zone=2,tcp,action=1
890 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
892 dnl HTTP requests from p0->p1 should work fine.
893 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
894 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
896 dnl (again) HTTP requests from p0->p1 should work fine.
897 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Expect one line per zone in the (port-cleared) dump.
899 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
900 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
901 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
904 OVS_TRAFFIC_VSWITCHD_STOP
907 AT_SETUP([conntrack - multiple zones, local])
dnl Same two-zone idea, but the client is the host stack on the bridge's LOCAL
dnl port, and the return path has to be established in both zones.
909 OVS_TRAFFIC_VSWITCHD_START()
911 ADD_NAMESPACES(at_ns0)
913 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
914 AT_CHECK([ip link set dev br0 up])
dnl Remove the host address again at cleanup so it does not leak into later
dnl tests.
915 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
916 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
918 dnl Allow traffic from local stack to ns0. Only allow ARP and established
919 dnl return traffic from ns0 back to the local stack.
dnl NOTE(review): no ct() lookup precedes the +trk matches for in_port=LOCAL,
dnl and untracked LOCAL packets are dropped outright, so this relies on
dnl packets from the host stack arriving already tracked (presumably by the
dnl host's own conntrack). Confirm before reusing the pattern elsewhere.
920 AT_DATA([flows.txt], [dnl
921 priority=1,action=drop
922 priority=10,arp,action=normal
923 priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
924 priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
925 priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
926 priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
dnl Return path: must be +est in zone 1 (table 1) and then in zone 2 (table 2).
927 table=1,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
928 table=2,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
931 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
933 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
934 3 packets transmitted, 3 received, 0% packet loss, time 0ms
937 dnl HTTP requests from root namespace to p0 should work fine.
938 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
939 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
941 dnl (again) HTTP requests from root namespace to p0 should work fine.
942 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Both the ICMP echo and the TCP connection show up once per zone.
944 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
945 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=1
946 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=2
947 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
948 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
951 OVS_TRAFFIC_VSWITCHD_STOP
954 AT_SETUP([conntrack - multiple namespaces, internal ports])
dnl Same zone policy as the veth tests, but the namespace endpoints are OVS
dnl internal ports (ADD_INT) instead of veth pairs.
956 OVS_TRAFFIC_VSWITCHD_START(
957 [set-fail-mode br0 secure -- ])
959 ADD_NAMESPACES(at_ns0, at_ns1)
961 ADD_INT(p0, at_ns0, br0, "10.1.1.1/24")
962 ADD_INT(p1, at_ns1, br0, "10.1.1.2/24")
964 dnl Allow any TCP from ns0->ns1. From ns1->ns0 allow ARP, ICMP and TCP that
dnl has been looked up in zone 1.
966 dnl If skb->nfct is leaking from inside the namespace, this test will fail.
dnl That is what the ct_state=-trk match on in_port=1 is for: a packet that
dnl arrives from the namespace already carrying conntrack state would not
dnl match it and would hit the priority-1 drop instead.
967 AT_DATA([flows.txt], [dnl
968 priority=1,action=drop
969 priority=10,arp,action=normal
970 priority=10,icmp,action=normal
971 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=1),2
972 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
dnl As in the other zone tests this requires only +trk, not +est.
973 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
dnl Added without --bundle, unlike the sibling tests.
976 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
978 dnl HTTP requests from p0->p1 should work fine.
979 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
980 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
982 dnl (again) HTTP requests from p0->p1 should work fine.
983 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
985 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
986 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
dnl The sed expressions drop two log lines (presumably emitted when the
dnl internal ports are torn down) so they do not fail the log check.
989 OVS_TRAFFIC_VSWITCHD_STOP(["dnl
990 /ioctl(SIOCGIFINDEX) on .* device failed: No such device/d
991 /removing policing failed: No such device/d"])
994 AT_SETUP([conntrack - multi-stage pipeline, local])
dnl Ingress/egress pipeline with one conntrack zone per port: the zone number
dnl is the OpenFlow port number (LOCAL is 65534). A connection opened from
dnl the host is committed in both its ingress zone and its egress zone, and a
dnl reply is only delivered if it is established in both.
996 OVS_TRAFFIC_VSWITCHD_START()
998 ADD_NAMESPACES(at_ns0)
1000 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
1001 AT_CHECK([ip link set dev br0 up])
1002 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
1003 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
1005 dnl Allow traffic from local stack to ns0. Only allow ARP and established
1006 dnl return traffic from ns0 back to the local stack.
1007 AT_DATA([flows.txt], [dnl
1009 table=0,priority=1,action=drop
1010 table=0,priority=10,arp,action=normal
1012 dnl Load the output port to REG0
dnl (65534 is the LOCAL port; it doubles as the zone number in table 2.)
1013 table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
1014 table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1
1016 dnl Ingress pipeline
1017 dnl - Allow all connections from LOCAL port (commit and proceed to egress)
1018 dnl - All other connections go through conntracker using the input port as
1019 dnl a connection tracking zone.
dnl NOTE(review): the priority-150 rule expects LOCAL packets to be +trk+new
dnl before any ct() action in this pipeline has run; the zone=65534 entries
dnl in the dump below only appear if that rule is hit. This presumably relies
dnl on the host's own conntrack tagging the packets. Confirm before reuse.
1020 table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2
1021 table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
1022 table=1,priority=1,action=drop
1025 dnl - Allow all connections from LOCAL port (commit and skip to output)
1026 dnl - Allow other established connections to go through conntracker using
1027 dnl output port as a connection tracking zone.
1028 table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4
1029 table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
1030 table=2,priority=1,action=drop
1032 dnl Only allow established traffic from egress ct lookup
dnl A reply from port 1 therefore passes two lookups: zone 1 in table 1 and
dnl zone 65534 in table 2, and must be +est in both.
1033 table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
1034 table=3,priority=1,action=drop
1037 table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
1040 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1042 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1043 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1046 dnl HTTP requests from root namespace to p0 should work fine.
1047 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1048 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1050 dnl (again) HTTP requests from root namespace to p0 should work fine.
1051 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Each connection appears once in the ingress zone (1) and once in the
dnl egress zone (65534).
1053 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
1054 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=1
1055 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=65534
1056 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1057 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=65534,protoinfo=(state=<cleared>)
1060 OVS_TRAFFIC_VSWITCHD_STOP
1063 AT_SETUP([conntrack - ct_mark])
dnl All four ports share the default zone; the two port pairs are told apart
dnl only by the ct_mark written at commit time.
1065 OVS_TRAFFIC_VSWITCHD_START()
1067 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1069 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1070 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1071 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1072 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1074 dnl Allow traffic between ns0<->ns1 using the ct_mark.
1075 dnl Check that different marks do not match for traffic between ns2<->ns3.
1076 AT_DATA([flows.txt], [dnl
1077 priority=1,action=drop
1078 priority=10,arp,action=normal
1079 priority=10,icmp,action=normal
1080 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
1081 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
dnl ct_mark comes from the entry the lookup found. A connection that was never
dnl committed from port 1 presumably carries no mark and so does not match.
1082 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
1083 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:2->ct_mark)),4
1084 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
dnl Deliberate mismatch: pair 3/4 commits mark 2 but the reply rule wants
dnl mark 1, so replies from port 4 are dropped and the wget below fails.
1085 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
1088 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1090 dnl HTTP requests from p0->p1 should work fine.
1091 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1092 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1094 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1095 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=<cleared>)
1098 dnl HTTP requests from p2->p3 should fail due to network failure.
1099 dnl Try 3 times, in 1 second intervals.
dnl wget exit status 4 is its network-failure code. The SYN from p2 was still
dnl committed, with mark 2, which the dump below confirms.
1100 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
1101 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
1103 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
1104 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=<cleared>)
1107 OVS_TRAFFIC_VSWITCHD_STOP
1110 AT_SETUP([conntrack - ct_mark bit-fiddling])
dnl Masked set_field on ct_mark: the forward direction sets bits 0 and 2
dnl (0x5/0x5), the reply rewrites bits 1..2 to 0b01 (0x2/0x6), so a
dnl connection ends up with mark 3. Only mark 3 is allowed back to port 1.
1112 OVS_TRAFFIC_VSWITCHD_START()
1114 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1116 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1117 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1119 dnl Allow traffic between ns0<->ns1 using the ct_mark. Return traffic
1120 dnl rewrites some mark bits on the connection (mark 5 becomes 3) and is allowed.
1121 AT_DATA([flows.txt], [dnl
1122 table=0,priority=1,action=drop
1123 table=0,priority=10,arp,action=normal
1124 table=0,priority=10,icmp,action=normal
1125 table=0,priority=100,in_port=1,tcp,action=ct(table=1)
dnl This commits at -trk, before any state check, so an unsolicited
dnl connection from port 2 would also get a conntrack entry (with mark 2)
dnl even though table 1 then drops it for not having mark 3.
1126 table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x2/0x6->ct_mark))
1127 table=1,in_port=1,ct_state=+new,tcp,action=ct(commit,exec(set_field:0x5/0x5->ct_mark)),2
1128 table=1,in_port=1,ct_state=-new,tcp,action=2
1129 table=1,in_port=2,ct_state=+trk,ct_mark=3,tcp,action=1
1132 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1134 dnl HTTP requests from p0->p1 should work fine.
1135 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1136 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl 0x5 with bits 1..2 replaced by 0b01 is 0x3.
1138 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1139 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=3,protoinfo=(state=<cleared>)
1142 OVS_TRAFFIC_VSWITCHD_STOP
1145 AT_SETUP([conntrack - ct_mark from register])
dnl Same policy as the ct_mark test, but the mark is loaded into reg0 first
dnl and copied into ct_mark with a move inside ct(exec(...)).
1147 OVS_TRAFFIC_VSWITCHD_START()
1149 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1151 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1152 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1153 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1154 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1156 dnl Allow any TCP from ns0->ns1, marking it 1. From ns1->ns0 allow ARP, ICMP
dnl and TCP belonging to a connection with mark 1. Pair 2/3 uses mark 2 but
dnl its reply rule still asks for mark 1, so that direction must fail.
1157 AT_DATA([flows.txt], [dnl
1158 priority=1,action=drop
1159 priority=10,arp,action=normal
1160 priority=10,icmp,action=normal
1161 priority=100,in_port=1,tcp,action=load:1->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),2
1162 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1163 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
1164 priority=100,in_port=3,tcp,action=load:2->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),4
1165 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
dnl Deliberate mismatch (mark 2 committed, mark 1 required).
1166 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
1169 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1171 dnl HTTP requests from p0->p1 should work fine.
1172 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1173 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1175 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1176 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=<cleared>)
1179 dnl HTTP requests from p2->p3 should fail due to network failure.
1180 dnl Try 3 times, in 1 second intervals.
dnl wget exit status 4 is its network-failure code; the SYN was still
dnl committed with the register-sourced mark 2.
1181 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
1182 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
1184 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
1185 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=<cleared>)
1188 OVS_TRAFFIC_VSWITCHD_STOP
1191 AT_SETUP([conntrack - ct_label])
dnl Like the ct_mark test but keyed on the 128-bit ct_label instead.
1193 OVS_TRAFFIC_VSWITCHD_START()
1195 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1197 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1198 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1199 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1200 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1202 dnl Allow traffic between ns0<->ns1 using the ct_label.
1203 dnl Check that different labels do not match for traffic between ns2<->ns3.
1204 AT_DATA([flows.txt], [dnl
1205 priority=1,action=drop
1206 priority=10,arp,action=normal
1207 priority=10,icmp,action=normal
1208 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:0x0a000d000005000001->ct_label)),2
1209 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1210 priority=100,in_port=2,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=1
1211 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:0x2->ct_label)),4
1212 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
dnl Deliberate mismatch: pair 3/4 commits label 0x2 but the reply rule wants
dnl the pair 1/2 label, so replies from port 4 are dropped.
1213 priority=100,in_port=4,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=3
1216 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1218 dnl HTTP requests from p0->p1 should work fine.
1219 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1220 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1222 dnl HTTP requests from p2->p3 should fail due to network failure.
1223 dnl Try 3 times, in 1 second intervals.
dnl wget exit status 4 is its network-failure code. Unlike the ct_mark test,
dnl the committed label values are not asserted with a conntrack dump here;
dnl the ct_label bit-fiddling test checks the labels field of the dump.
1224 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
1225 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
1227 OVS_TRAFFIC_VSWITCHD_STOP
1230 AT_SETUP([conntrack - ct_label bit-fiddling])
dnl Masked set_field on ct_label: the forward direction sets bits 0 and 2
dnl (0x5/0x5); the reply sets bit 33 and clears bit 2 (0x200000000 under mask
dnl 0x200000004), leaving 0x200000001, which is the only label allowed back
dnl to port 1.
1232 OVS_TRAFFIC_VSWITCHD_START()
1234 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1236 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1237 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1239 dnl Allow traffic between ns0<->ns1 using the ct_labels. Return traffic
1240 dnl rewrites some label bits on the connection (0x5 becomes 0x200000001) and is allowed.
1241 AT_DATA([flows.txt], [dnl
1242 table=0,priority=1,action=drop
1243 table=0,priority=10,arp,action=normal
1244 table=0,priority=10,icmp,action=normal
1245 table=0,priority=100,in_port=1,tcp,action=ct(table=1)
dnl Commits at -trk, before any state check: an unsolicited connection from
dnl port 2 would also get an entry, although table 1 then drops it because
dnl its label is not 0x200000001.
1246 table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label))
1247 table=1,in_port=1,tcp,ct_state=+new,action=ct(commit,exec(set_field:0x5/0x5->ct_label)),2
1248 table=1,in_port=1,tcp,ct_state=-new,action=2
1249 table=1,in_port=2,ct_state=+trk,ct_label=0x200000001,tcp,action=1
1252 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1254 dnl HTTP requests from p0->p1 should work fine.
1255 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1256 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1258 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1259 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),labels=0x200000001,protoinfo=(state=<cleared>)
1262 OVS_TRAFFIC_VSWITCHD_STOP
1265 AT_SETUP([conntrack - ct metadata, multiple zones])
dnl Checks that ct_mark and ct_label are per zone: the same connection is
dnl committed in zone 1 with metadata and in zone 2 without.
1267 OVS_TRAFFIC_VSWITCHD_START()
1269 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1271 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1272 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1274 dnl Allow traffic between ns0<->ns1 using the ct_mark and ct_labels in zone=1,
1275 dnl but do *not* set any of these for the ct() in zone=2. Traffic should pass,
1276 dnl and we should see that the conntrack entries only apply the ct_mark and
1277 dnl ct_labels to the connection in zone=1.
dnl NOTE(review): this is a metadata test, not a firewall policy. The
dnl in_port=2 rules never check ct_state on the way to port 1, and the -trk
dnl rule commits whatever arrives from port 2 into zone 1. Do not copy these
dnl rules as a return-traffic-only template.
1278 AT_DATA([flows.txt], [dnl
1279 table=0,priority=1,action=drop
1280 table=0,priority=10,arp,action=normal
1281 table=0,priority=10,icmp,action=normal
1282 table=0,priority=100,in_port=1,tcp,action=ct(zone=1,table=1)
1283 table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(zone=1,table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label,set_field:0x2/0x6->ct_mark))
dnl Zone 1 gets mark 0x5 and label 0x5 (later rewritten by the reply rule to
dnl 3 and 0x200000001); zone 2 is committed with no metadata at all.
1284 table=1,in_port=1,tcp,ct_state=+new,action=ct(zone=1,commit,exec(set_field:0x5/0x5->ct_label,set_field:0x5/0x5->ct_mark)),ct(commit,zone=2),2
1285 table=1,in_port=1,tcp,ct_state=-new,action=ct(zone=2),2
1286 table=1,in_port=2,tcp,action=ct(zone=2),1
1289 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1291 dnl HTTP requests from p0->p1 should work fine.
1292 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1293 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Only the zone 1 entry carries mark and labels.
1295 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1296 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,mark=3,labels=0x200000001,protoinfo=(state=<cleared>)
1297 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
1300 OVS_TRAFFIC_VSWITCHD_STOP
1303 AT_SETUP([conntrack - ICMP related])
dnl An ICMP error generated in response to a tracked UDP flow is classified
dnl +rel and inherits the parent's ct_mark; only such ICMP is let back in.
1305 OVS_TRAFFIC_VSWITCHD_START()
1307 ADD_NAMESPACES(at_ns0, at_ns1)
1309 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1310 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1312 dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
1313 AT_DATA([flows.txt], [dnl
1314 priority=1,action=drop
1315 priority=10,arp,action=normal
1316 priority=100,in_port=1,udp,action=ct(commit,exec(set_field:1->ct_mark)),2
1317 priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
dnl Both +rel and the parent's mark are required; an ICMP error that does
dnl not relate to a committed UDP flow falls through to the drop rule.
1318 priority=100,in_port=2,icmp,ct_state=+trk+rel,ct_mark=1,action=1
1321 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1323 dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
dnl Nothing listens on 10.1.1.2:10000, so the kernel in at_ns1 answers with
dnl ICMP port unreachable.
1324 NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])
dnl Flush datapath flow stats into the OpenFlow counters, then verify by
dnl packet count that exactly one ICMP packet took the +rel path. The drop
dnl rule is filtered out, so its counter is not part of the assertion.
1326 AT_CHECK([ovs-appctl revalidator/purge], [0])
1327 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
1328 n_packets=1, n_bytes=44, priority=100,udp,in_port=1 actions=ct(commit,exec(load:0x1->NXM_NX_CT_MARK[[]])),output:2
1329 n_packets=1, n_bytes=72, priority=100,ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2 actions=output:1
1330 n_packets=1, n_bytes=72, priority=100,ct_state=-trk,icmp,in_port=2 actions=ct(table=0)
1331 n_packets=2, n_bytes=84, priority=10,arp actions=NORMAL
1335 OVS_TRAFFIC_VSWITCHD_STOP
1338 AT_SETUP([conntrack - ICMP related 2])
dnl Forged-ICMP-error check using crafted packet-out frames: an ICMP port
dnl unreachable that does not correspond to any tracked connection must not
dnl be classified as related, while one that quotes a committed UDP flow must.
dnl Packets reaching the controller are observed with ovs-ofctl monitor.
1340 OVS_TRAFFIC_VSWITCHD_START()
1342 ADD_NAMESPACES(at_ns0, at_ns1)
1344 ADD_VETH(p0, at_ns0, br0, "172.16.0.1/24")
1345 ADD_VETH(p1, at_ns1, br0, "172.16.0.2/24")
1347 dnl Track UDP from ns0->ns1 and send every tracked packet from port 1 to the
dnl controller. From port 2, only ICMP that is both related and a reply to a
dnl tracked flow reaches the controller; everything else is dropped.
1348 AT_DATA([flows.txt], [dnl
1349 priority=1,action=drop
1350 priority=10,arp,action=normal
1351 priority=100,in_port=1,udp,ct_state=-trk,action=ct(commit,table=0)
1352 priority=100,in_port=1,ip,ct_state=+trk,actions=controller
1353 priority=100,in_port=2,ip,ct_state=-trk,action=ct(table=0)
1354 priority=100,in_port=2,ip,ct_state=+trk+rel+rpl,action=controller
1357 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt])
1359 AT_CAPTURE_FILE([ofctl_monitor.log])
1360 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
1362 dnl 1. Send an ICMP port unreach reply for port 8738, without any previous request
dnl The outer header is 172.16.0.4 -> 172.16.0.3 and the quoted inner packet
dnl is 172.16.0.3 -> 172.16.0.4, neither of which matches any committed
dnl connection, so ct() must not mark it +rel.
1363 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f355ac100004ac1000030303553f0000000045000021317040004011b138ac100003ac10000411112222000d20966369616f0a'])
1365 dnl 2. Send and UDP packet to port 5555
dnl 172.16.0.1:41614 -> 172.16.0.2:5555, committed by the ct(commit,table=0)
dnl action given on the command line.
1366 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit,table=0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
1368 dnl 3. Send an ICMP port unreach reply for port 5555, related to the first packet
dnl (related to packet 2: it quotes the 172.16.0.1:41614 -> 172.16.0.2:5555
dnl header, so ct() classifies it +rel+rpl).
1369 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
1371 dnl Check this output. We only see the latter two packets, not the first.
dnl The forged error from step 1 produces no packet-in at all.
1372 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
1373 NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=47 ct_state=new|trk,in_port=1 (via action) data_len=47 (unbuffered)
1374 udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096
1375 NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=75 ct_state=rel|rpl|trk,in_port=2 (via action) data_len=75 (unbuffered)
1376 icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f
1379 OVS_TRAFFIC_VSWITCHD_STOP
1382 AT_SETUP([conntrack - FTP])
dnl FTP ALG: the helper attached with alg=ftp lets conntrack open an
dnl expectation for the data connection, which then shows up as +rel.
dnl Two flow sets are exercised: a permissive one and a stricter one that
dnl admits data connections only when they are related to a control session.
1383 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1385 OVS_TRAFFIC_VSWITCHD_START()
1387 ADD_NAMESPACES(at_ns0, at_ns1)
1389 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1390 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1392 dnl Allow any TCP from ns0->ns1 with the FTP helper attached. From ns1->ns0
dnl allow ARP, ICMP and TCP that is established or related.
dnl NOTE(review): alg=ftp is attached to every TCP connection from port 1,
dnl not just port 21; the IPv6 FTP test restricts it with tp_dst=21.
1393 AT_DATA([flows1.txt], [dnl
1394 table=0,priority=1,action=drop
1395 table=0,priority=10,arp,action=normal
1396 table=0,priority=10,icmp,action=normal
1397 table=0,priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
1398 table=0,priority=100,in_port=2,tcp,action=ct(table=1)
1399 table=1,in_port=2,tcp,ct_state=+trk+est,action=1
1400 table=1,in_port=2,tcp,ct_state=+trk+rel,action=1
1403 dnl Similar policy but without allowing all traffic from ns0->ns1.
1404 AT_DATA([flows2.txt], [dnl
1405 table=0,priority=1,action=drop
1406 table=0,priority=10,arp,action=normal
1407 table=0,priority=10,icmp,action=normal
1409 dnl Allow outgoing TCP connections, and treat them as FTP
1410 table=0,priority=100,in_port=1,tcp,action=ct(table=1)
1411 table=1,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
1412 table=1,in_port=1,tcp,ct_state=+trk+est,action=2
1414 dnl Allow incoming FTP data connections and responses to existing connections
dnl A new connection from port 2 is committed only if it is +rel, i.e. it was
dnl announced over a tracked control session; an unrelated SYN is dropped.
1415 table=0,priority=100,in_port=2,tcp,action=ct(table=1)
1416 table=1,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
1417 table=1,in_port=2,tcp,ct_state=+trk+est,action=1
1418 table=1,in_port=2,tcp,ct_state=+trk-new+rel,action=1
1421 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
dnl An FTP server runs in both namespaces so that the forbidden direction
dnl (p1->p0) has a real listener and fails on policy, not on connection refused.
1423 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
1424 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1425 OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
1427 dnl FTP requests from p1->p0 should fail due to network failure.
1428 dnl Try 3 times, in 1 second intervals.
dnl wget exit status 4 is its network-failure code. The dump that follows
dnl expects no output: no entry toward 10.1.1.1 may have been created.
1429 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
1430 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
1433 dnl FTP requests from p0->p1 should work fine.
1434 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1435 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1436 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
1439 dnl Try the second set of flows.
dnl Flush conntrack so entries from the first flow set cannot carry over.
1440 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
1441 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1443 dnl FTP requests from p1->p0 should fail due to network failure.
1444 dnl Try 3 times, in 1 second intervals.
1445 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
1446 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
1449 dnl Active FTP requests from p0->p1 should work fine.
dnl Active mode: the server opens the data connection back to the client, so
dnl the dump shows a second entry originating from 10.1.1.2 (the +rel path).
1450 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log])
1451 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1452 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
1453 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
1456 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1458 dnl Passive FTP requests from p0->p1 should work fine.
dnl Passive mode: the client opens the data connection itself, so it goes
dnl through the same port-1 rules as the control session.
1459 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log])
1460 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1461 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
1464 OVS_TRAFFIC_VSWITCHD_STOP
1468 AT_SETUP([conntrack - IPv6 FTP])
dnl IPv6 variant of the FTP ALG test with a tighter policy: the helper is
dnl attached only to new connections to TCP port 21.
1469 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1471 OVS_TRAFFIC_VSWITCHD_START()
1473 ADD_NAMESPACES(at_ns0, at_ns1)
1475 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1476 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1478 dnl Allow new FTP control connections (tcp6 port 21) from ns0->ns1, related
1479 dnl data connections from ns1->ns0, and established TCP both ways.
1480 AT_DATA([flows.txt], [dnl
1481 dnl Track all IPv6 traffic and drop the rest.
1482 dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked.
dnl NOTE(review): this admits every ICMPv6 type in both directions, not just
dnl neighbour discovery, and never consults conntrack for it. Fine for the
dnl test (it needs ND and the ping6 below); too broad as a real policy.
1483 table=0 priority=100 in_port=1 icmp6, action=2
1484 table=0 priority=100 in_port=2 icmp6, action=1
1485 table=0 priority=10 ip6, action=ct(table=1)
1486 table=0 priority=0 action=drop
1490 dnl Allow new TCPv6 FTP control connections from port 1.
1491 table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
1492 dnl Allow related TCPv6 connections from port 2.
dnl Only +new+rel is committed from port 2, so an unrelated SYN from ns1 is
dnl dropped by the priority-0 rule below.
1493 table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1
1494 dnl Allow established TCPv6 connections both ways.
1495 table=1 in_port=1 ct_state=+est, tcp6, action=2
1496 table=1 in_port=2 ct_state=+est, tcp6, action=1
1497 dnl Drop everything else.
1498 table=1 priority=0, action=drop
1501 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1503 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1504 dnl waiting, we get occasional failures due to the following error:
1505 dnl "connect: Cannot assign requested address"
1506 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
1508 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1509 OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
1511 dnl FTP requests from p0->p1 should work fine.
dnl Active mode, so the data connection is opened by the server and must be
dnl admitted through the +new+rel rule.
1512 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
1514 dnl Discards CLOSE_WAIT and CLOSING
dnl Expect the control session (with helper=ftp) and the server-initiated
dnl data connection.
1515 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
1516 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
1517 tcp,orig=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
1520 OVS_TRAFFIC_VSWITCHD_STOP
1524 AT_SETUP([conntrack - FTP with multiple expectations])
dnl Two conntrack zones (1 and 2) model two firewalls in series. Every packet is
dnl committed in both zones so each zone holds its own entry, and the FTP ALG is
dnl attached in both so the related data connection is admitted by both. As in
dnl the other tests, p0 (at_ns0) is OpenFlow port 1 and p1 (at_ns1) is port 2.
1525 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1527 OVS_TRAFFIC_VSWITCHD_START()
1529 ADD_NAMESPACES(at_ns0, at_ns1)
1531 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1532 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1534 dnl Dual-firewall: allow all from at_ns0->at_ns1 (port 1->2), allow only established and FTP-related traffic from at_ns1->at_ns0 (port 2->1).
1535 AT_DATA([flows.txt], [dnl
1536 table=0,priority=1,action=drop
1537 table=0,priority=10,arp,action=normal
1538 table=0,priority=10,icmp,action=normal
1540 dnl Traffic from at_ns0 (in_port=1): tracked in zone 1 first, then zone 2.
1541 table=0,priority=100,in_port=1,tcp,action=ct(table=1,zone=1)
dnl New, non-related connections are committed with the ftp ALG in both zones.
1542 table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new-rel,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
dnl New but related connections (passive-mode data channel opened by the client).
1543 table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new+rel,action=ct(commit,zone=1),ct(commit,zone=2),2
1544 table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=2,zone=2)
1545 table=2,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
1547 dnl Traffic from at_ns1 (in_port=2): tracked in zone 2 first, then zone 1.
dnl Only related (active-mode data channel) or established connections get through;
dnl there is no +new-rel flow in this direction.
1548 table=0,priority=100,in_port=2,tcp,action=ct(table=1,zone=2)
1549 table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
1550 table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=2,zone=1)
1551 table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
1552 table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
1555 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1557 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
1558 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1560 dnl FTP requests from p1->p0 should fail due to network failure.
1561 dnl Try 3 times, in 1 second intervals.
dnl Exit status 4 is the expected wget result for a network failure.
1562 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
dnl Expected output is empty: the rejected connection attempt must not have left any
dnl entry for 10.1.1.1 behind in either zone.
1563 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
1566 dnl Active FTP requests from p0->p1 should work fine.
1567 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Active mode: the control connection (helper=ftp) in both zones, plus the data
dnl connection opened by the server (orig src=10.1.1.2) in both zones.
1568 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1569 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
1570 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
1571 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1572 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
dnl Start from an empty table so the passive-mode dump below shows only the second session.
1575 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1577 dnl Passive FTP requests from p0->p1 should work fine.
1578 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Passive mode: all four entries originate from the client (src=10.1.1.1); the two
dnl without helper=ftp are the client-opened data connection.
1579 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1580 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1581 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
1582 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
1583 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
1586 OVS_TRAFFIC_VSWITCHD_STOP
1589 AT_SETUP([conntrack - IPv4 fragmentation ])
dnl Fragmented ICMP echo requests must be reassembled by conntrack (zone 9) so
dnl that the ct_state matches on the return path see whole, tracked datagrams.
1591 OVS_TRAFFIC_VSWITCHD_START()
1593 ADD_NAMESPACES(at_ns0, at_ns1)
1595 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1596 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1598 dnl Sending ping through conntrack
1599 AT_DATA([flows.txt], [dnl
1600 priority=1,action=drop
1601 priority=10,arp,action=normal
1602 priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
dnl Untracked replies are run through ct in the same zone and re-enter table 0 as +trk.
1603 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
dnl Only replies to an already committed echo are forwarded back to port 1.
1604 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1607 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1609 dnl IPv4 fragmentation connectivity check.
dnl -s 1600 is larger than the usual 1500-byte veth MTU, so each echo is fragmented.
1610 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1611 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1614 dnl IPv4 larger fragmentation connectivity check (three fragments per echo).
1615 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1616 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1619 OVS_TRAFFIC_VSWITCHD_STOP
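1622 AT_SETUP([conntrack - IPv4 fragmentation expiry])
dnl Only the first fragment of a large ICMP echo is admitted into conntrack, so
dnl the datagram can never be reassembled; the partial reassembly must then
dnl expire from the fragment cache without affecting anything else.
1624 OVS_TRAFFIC_VSWITCHD_START()
1626 ADD_NAMESPACES(at_ns0, at_ns1)
1628 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1629 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1631 AT_DATA([flows.txt], [dnl
1632 priority=1,action=drop
1633 priority=10,arp,action=normal
1635 dnl Only allow non-fragmented messages and 1st fragments of each message
1636 priority=100,in_port=1,icmp,ip_frag=no,action=ct(commit,zone=9),2
dnl The comma after ip_frag=first is required; without it the text up to the next
dnl comma is taken as the ip_frag value, which is not a valid one. Mirrors the
dnl IPv6 expiry test. Later fragments match neither flow and hit the priority=1 drop.
1637 priority=100,in_port=1,icmp,ip_frag=first,action=ct(commit,zone=9),2
1638 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1639 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1642 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1644 dnl IPv4 fragmentation connectivity check: the echo must NOT get through.
dnl -s 1600 exceeds the usual 1500-byte veth MTU, so the request is fragmented and,
dnl with its later fragments dropped, is never reassembled and never answered.
dnl With -c 1 and -w 2, ping presumably keeps transmitting until the 2 s deadline,
dnl hence 7 packets sent and 0 received.
1645 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 1 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1646 7 packets transmitted, 0 received, 100% packet loss, time 0ms
1649 OVS_TRAFFIC_VSWITCHD_STOP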
1652 AT_SETUP([conntrack - IPv4 fragmentation + vlan])
dnl Same as the plain IPv4 fragmentation test, but the fragmented echoes travel
dnl on VLAN 100 (10.2.2.0/24) so reassembly has to cope with the 802.1Q header.
1654 OVS_TRAFFIC_VSWITCHD_START()
1656 ADD_NAMESPACES(at_ns0, at_ns1)
1658 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1659 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1660 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
1661 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
1663 dnl Sending ping through conntrack
1664 AT_DATA([flows.txt], [dnl
1665 priority=1,action=drop
1666 priority=10,arp,action=normal
1667 priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
dnl Untracked replies are run through ct in the same zone and re-enter table 0 as +trk.
1668 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
dnl Only replies to an already committed echo are forwarded back to port 1.
1669 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1672 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1674 dnl IPv4 fragmentation connectivity check over the VLAN addresses.
dnl -s 1600 is larger than the usual 1500-byte veth MTU, so each echo is fragmented.
1675 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1676 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1679 dnl IPv4 larger fragmentation connectivity check (three fragments per echo).
1680 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1681 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1684 OVS_TRAFFIC_VSWITCHD_STOP
1687 AT_SETUP([conntrack - IPv6 fragmentation])
dnl IPv6 variant of the fragmentation test: fragmented ICMPv6 echoes must be
dnl reassembled by conntrack (zone 9) before the ct_state matches are evaluated.
1689 OVS_TRAFFIC_VSWITCHD_START()
1691 ADD_NAMESPACES(at_ns0, at_ns1)
1693 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1694 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1696 dnl Sending ping through conntrack
1697 AT_DATA([flows.txt], [dnl
1698 priority=1,action=drop
1699 priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
dnl Untracked replies are run through ct in the same zone and re-enter table 0 as +trk.
1700 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1701 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
dnl Neighbour Discovery (types 135/136) bypasses conntrack at a higher priority.
1702 priority=100,icmp6,icmp_type=135,action=normal
1703 priority=100,icmp6,icmp_type=136,action=normal
1706 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1708 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1709 dnl waiting, we get occasional failures due to the following error:
1710 dnl "connect: Cannot assign requested address"
1711 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1713 dnl IPv6 fragmentation connectivity check.
dnl -s 1600 is larger than the usual 1500-byte veth MTU, so each echo is fragmented.
1714 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1715 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1718 dnl IPv6 larger fragmentation connectivity check (three fragments per echo).
1719 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1720 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1723 OVS_TRAFFIC_VSWITCHD_STOP
1726 AT_SETUP([conntrack - IPv6 fragmentation expiry])
dnl IPv6 variant of the expiry test: only the first fragment of a large echo is
dnl admitted, so reassembly can never complete and the partial datagram must
dnl time out of the fragment cache cleanly.
1728 OVS_TRAFFIC_VSWITCHD_START()
1730 ADD_NAMESPACES(at_ns0, at_ns1)
1732 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1733 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1735 AT_DATA([flows.txt], [dnl
1736 priority=1,action=drop
1738 dnl Only allow non-fragmented messages and 1st fragments of each message
dnl Later fragments match neither flow and fall through to the priority=1 drop.
1739 priority=10,in_port=1,ipv6,ip_frag=first,action=ct(commit,zone=9),2
1740 priority=10,in_port=1,ipv6,ip_frag=no,action=ct(commit,zone=9),2
1741 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1742 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
1744 dnl Neighbour Discovery
1745 priority=100,icmp6,icmp_type=135,action=normal
1746 priority=100,icmp6,icmp_type=136,action=normal
1749 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1751 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1752 dnl waiting, we get occasional failures due to the following error:
1753 dnl "connect: Cannot assign requested address"
1754 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1756 dnl Send an IPv6 fragment. Some time later, it should expire.
dnl With -c 1 and -w 2, ping presumably keeps transmitting until the 2 s deadline
dnl because no reply ever arrives, hence 7 packets sent and 0 received.
1757 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 1 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1758 7 packets transmitted, 0 received, 100% packet loss, time 0ms
1761 dnl At this point, the kernel will either crash or everything is OK.
1763 OVS_TRAFFIC_VSWITCHD_STOP
1766 AT_SETUP([conntrack - IPv6 fragmentation + vlan])
dnl Same as the IPv6 fragmentation test, but the fragmented echoes travel on
dnl VLAN 100 (fc00:1::/96) so reassembly has to cope with the 802.1Q header.
1768 OVS_TRAFFIC_VSWITCHD_START()
1770 ADD_NAMESPACES(at_ns0, at_ns1)
1772 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1773 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1775 ADD_VLAN(p0, at_ns0, 100, "fc00:1::3/96")
1776 ADD_VLAN(p1, at_ns1, 100, "fc00:1::4/96")
1778 dnl Sending ping through conntrack
1779 AT_DATA([flows.txt], [dnl
1780 priority=1,action=drop
1781 priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
dnl Untracked replies are run through ct in the same zone and re-enter table 0 as +trk.
1782 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1783 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
dnl Neighbour Discovery (types 135/136) bypasses conntrack at a higher priority.
1784 priority=100,icmp6,icmp_type=135,action=normal
1785 priority=100,icmp6,icmp_type=136,action=normal
1788 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1790 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1791 dnl waiting, we get occasional failures due to the following error:
1792 dnl "connect: Cannot assign requested address"
dnl The readiness probe uses the untagged address; the checks below use the VLAN one.
1793 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1795 dnl IPv6 fragmentation connectivity check over the VLAN addresses.
1796 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1797 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1800 dnl IPv6 larger fragmentation connectivity check (three fragments per echo).
1801 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1802 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1805 OVS_TRAFFIC_VSWITCHD_STOP
1808 AT_SETUP([conntrack - Fragmentation over vxlan])
dnl Fragmented ICMP arriving through a vxlan tunnel must still be reassembled by
dnl conntrack (zone 9) before the ct_state matches below are evaluated.
1812 OVS_TRAFFIC_VSWITCHD_START()
1813 ADD_BR([br-underlay])
1814 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
1816 ADD_NAMESPACES(at_ns0)
1818 dnl Sending ping through conntrack
dnl The only port added to br0 here is the tunnel (p0 goes to br-underlay), so
dnl in_port=1 is the vxlan port and LOCAL is the host side answering the overlay pings.
1819 AT_DATA([flows.txt], [dnl
1820 priority=1,action=drop
1821 priority=10,arp,action=normal
1822 priority=100,in_port=1,icmp,action=ct(commit,zone=9),LOCAL
dnl Replies from the host go through ct and continue in table 1, where only +est passes.
1823 priority=100,in_port=LOCAL,icmp,action=ct(table=1,zone=9)
1824 table=1,in_port=LOCAL,ct_state=+trk+est,icmp,action=1
1827 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1829 dnl Set up underlay link from host into the namespace using veth pair.
1830 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
dnl 172.31.1.100 on br-underlay is the host-side tunnel endpoint.
1831 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
1832 AT_CHECK([ip link set dev br-underlay up])
1834 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
1835 dnl linux device inside the namespace.
1836 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
1837 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
1838 [id 0 dstport 4789])
1840 dnl First, check the underlay
1841 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
1842 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1845 dnl Okay, now check the overlay with different packet sizes
1846 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1847 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl The larger sizes are presumably fragmented inside the overlay, so the tunnel port
dnl delivers several inner fragments per echo for conntrack to reassemble.
1849 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1850 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1852 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1853 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1856 OVS_TRAFFIC_VSWITCHD_STOP
1859 AT_SETUP([conntrack - IPv6 Fragmentation over vxlan])
dnl IPv6 variant of the vxlan fragmentation test: the underlay stays IPv4
dnl (172.31.1.0/24) while the overlay addresses are fc00::1/fc00::2.
1863 OVS_TRAFFIC_VSWITCHD_START()
1864 ADD_BR([br-underlay])
1865 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
1867 ADD_NAMESPACES(at_ns0)
1869 dnl Sending ping through conntrack
dnl The only port added to br0 here is the tunnel (p0 goes to br-underlay), so
dnl in_port=1 is the vxlan port and LOCAL is the host side answering the overlay pings.
1870 AT_DATA([flows.txt], [dnl
1871 priority=1,action=drop
1872 priority=100,in_port=1,ipv6,action=ct(commit,zone=9),LOCAL
dnl Replies from the host go through ct and continue in table 1, where only +est passes.
1873 priority=100,in_port=LOCAL,ipv6,action=ct(table=1,zone=9)
1874 table=1,in_port=LOCAL,ct_state=+trk+est,ipv6,action=1
1876 dnl Neighbour Discovery
dnl Highest priority so ND is never sent through conntrack.
1877 priority=1000,icmp6,icmp_type=135,action=normal
1878 priority=1000,icmp6,icmp_type=136,action=normal
1881 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1883 dnl Set up underlay link from host into the namespace using veth pair.
1884 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
dnl 172.31.1.100 on br-underlay is the host-side tunnel endpoint.
1885 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
1886 AT_CHECK([ip link set dev br-underlay up])
1888 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
1889 dnl linux device inside the namespace.
1890 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], ["fc00::2/96"])
1891 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], ["fc00::1/96"],
1892 [id 0 dstport 4789])
1894 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1895 dnl waiting, we get occasional failures due to the following error:
1896 dnl "connect: Cannot assign requested address"
1897 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1899 dnl First, check the underlay
1900 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
1901 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1904 dnl Okay, now check the overlay with different packet sizes
1905 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1906 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl The larger sizes are presumably fragmented inside the overlay, so the tunnel port
dnl delivers several inner fragments per echo for conntrack to reassemble.
1908 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1909 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1911 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1912 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1915 OVS_TRAFFIC_VSWITCHD_STOP
1918 AT_SETUP([conntrack - resubmit to ct multiple times])
dnl A packet resubmitted to two tables that each run ct(table=3) must reach
dnl table 3 twice, once per ct action; the flow counters below prove it and the
dnl ping is dropped in table 3 both times.
dnl secure fail mode: no implicit NORMAL forwarding, only the flows below apply.
1921 OVS_TRAFFIC_VSWITCHD_START(
1922 [set-fail-mode br0 secure -- ])
1924 ADD_NAMESPACES(at_ns0, at_ns1)
1926 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1927 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1929 AT_DATA([flows.txt], [dnl
1930 table=0,priority=150,arp,action=normal
1931 table=0,priority=100,ip,in_port=1,action=resubmit(,1),resubmit(,2)
1933 table=1,ip,action=ct(table=3)
1934 table=2,ip,action=ct(table=3)
1936 table=3,ip,action=drop
1939 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
dnl One echo request, never answered (dropped in table 3).
1941 NS_CHECK_EXEC([at_ns0], [ping -q -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
1942 1 packets transmitted, 0 received, 100% packet loss, time 0ms
dnl Tables 1 and 2 each count the packet once; table 3 counts it twice (n_packets=2,
dnl n_bytes=196 = 2 x 98), which is the point of the test.
1945 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort], [0], [dnl
1946 n_packets=1, n_bytes=98, priority=100,ip,in_port=1 actions=resubmit(,1),resubmit(,2)
1947 n_packets=2, n_bytes=84, priority=150,arp actions=NORMAL
1948 table=1, n_packets=1, n_bytes=98, ip actions=ct(table=3)
1949 table=2, n_packets=1, n_bytes=98, ip actions=ct(table=3)
1950 table=3, n_packets=2, n_bytes=196, ip actions=drop
1954 OVS_TRAFFIC_VSWITCHD_STOP
1958 AT_SETUP([conntrack - simple SNAT])
dnl Source-NAT traffic from at_ns0 into 10.1.1.240-10.1.1.255 and have the
dnl bridge itself answer ARP for that range, since no host owns those addresses.
1960 OVS_TRAFFIC_VSWITCHD_START()
1962 ADD_NAMESPACES(at_ns0, at_ns1)
1964 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl 80:88:88:88:88:88 is the MAC the ARP responder (table 8) hands out for the
dnl SNAT range, so replies to the translated addresses are delivered to p0.
1965 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1966 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1968 dnl Allow any traffic from ns0->ns1. Only allow ARP and return traffic from ns1->ns0.
1969 AT_DATA([flows.txt], [dnl
1970 in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
dnl Untracked return traffic is un-NATed by ct(nat) and re-enters table 0 as +trk.
1971 in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)
dnl NOTE(review): this admits any tracked state from port 2, not only +est as the
dnl DNAT tests below do.
1972 in_port=2,ct_state=+trk,ct_zone=1,ip,action=1
dnl ARP requests: save the target IP in reg2, resolve it in table 8, answer in table 10.
1975 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1976 priority=10 arp action=normal
1977 priority=0,action=drop
1979 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, i.e. exactly the SNAT range above.
1980 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1981 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1982 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
1984 dnl Swaps the fields of the ARP message to turn a query to a response.
1985 table=10 priority=100 arp xreg0=0 action=normal
dnl in_port is saved in reg3 and zeroed before output, because OVS will not output a
dnl packet to the port it arrived on.
1986 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1987 table=10 priority=0 action=drop
1990 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1992 dnl HTTP requests from p0->p1 should work fine.
1993 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1994 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The translated source is any address of the range, so sed folds the reply
dnl dst 10.1.1.24x/25x into 10.1.1.2XX before comparing.
1996 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
1997 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2000 OVS_TRAFFIC_VSWITCHD_STOP
2004 AT_SETUP([conntrack - SNAT with port range])
dnl Like simple SNAT, but the translated source port is also restricted to
dnl 34567-34568 and the return flows admit only those two destination ports.
2006 OVS_TRAFFIC_VSWITCHD_START()
2008 ADD_NAMESPACES(at_ns0, at_ns1)
2010 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl 80:88:88:88:88:88 is the MAC the ARP responder (table 8) hands out for the
dnl SNAT range, so replies to the translated addresses are delivered to p0.
2011 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2012 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2014 dnl Allow any traffic from ns0->ns1. Only allow ARP and return traffic from ns1->ns0.
2015 AT_DATA([flows.txt], [dnl
dnl random: pick the source port from the range at random rather than in order.
2016 in_port=1,tcp,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255:34567-34568,random)),2
dnl Only the two NAT ports are accepted as return traffic; other tp_dst hits the drop.
2017 in_port=2,ct_state=-trk,tcp,tp_dst=34567,action=ct(table=0,zone=1,nat)
2018 in_port=2,ct_state=-trk,tcp,tp_dst=34568,action=ct(table=0,zone=1,nat)
2019 in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
dnl ARP requests: save the target IP in reg2, resolve it in table 8, answer in table 10.
2022 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2023 priority=10 arp action=normal
2024 priority=0,action=drop
2026 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, i.e. exactly the SNAT range above.
2027 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2028 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2029 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2031 dnl Swaps the fields of the ARP message to turn a query to a response.
2032 table=10 priority=100 arp xreg0=0 action=normal
dnl in_port is saved in reg3 and zeroed before output, because OVS will not output a
dnl packet to the port it arrived on.
2033 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2034 table=10 priority=0 action=drop
2037 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2039 dnl HTTP requests from p0->p1 should work fine.
2040 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
2041 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The translated source is any address of the range, so sed folds the reply
dnl dst 10.1.1.24x/25x into 10.1.1.2XX before comparing; ports are cleared by FORMAT_CT.
2043 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
2044 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2047 OVS_TRAFFIC_VSWITCHD_STOP
2051 AT_SETUP([conntrack - more complex SNAT])
dnl SNAT with a two-stage pipeline: table 0 runs every IP packet through ct
dnl with nat (so existing mappings are applied in both directions) and table 1
dnl decides, by ct_state, which packets get committed with a new translation.
2053 OVS_TRAFFIC_VSWITCHD_START()
2055 ADD_NAMESPACES(at_ns0, at_ns1)
2057 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl 80:88:88:88:88:88 is the MAC the ARP responder (table 8) hands out for the
dnl SNAT range, so replies to the translated addresses are delivered to p0.
2058 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2059 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2061 AT_DATA([flows.txt], [dnl
2062 dnl Track all IP traffic, NAT existing connections.
2063 priority=100 ip action=ct(table=1,zone=1,nat)
2065 dnl Allow ARP, but generate responses for NATed addresses
2066 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2067 priority=10 arp action=normal
2068 priority=0 action=drop
2070 dnl Allow any traffic from ns0->ns1. SNAT ns0 to 10.1.1.240-10.1.1.255
dnl Only the first packet of a connection (+new-est) gets committed with the SNAT.
2071 table=1 priority=100 in_port=1 ip ct_state=+trk+new-est action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
2072 table=1 priority=100 in_port=1 ip ct_state=+trk-new+est action=2
2073 dnl Only allow established traffic from ns1->ns0.
2074 table=1 priority=100 in_port=2 ip ct_state=+trk-new+est action=1
2075 table=1 priority=0 action=drop
2077 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, i.e. exactly the SNAT range above.
2078 table=8 priority=100 reg2=0x0a0101f0/0xfffffff0 action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2079 dnl Zero result means not found.
2080 table=8 priority=0 action=load:0->OXM_OF_PKT_REG0[[]]
2081 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2082 dnl ARP TPA IP in reg2.
2083 table=10 priority=100 arp xreg0=0 action=normal
2084 dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is saved in reg3 and zeroed before output, because OVS will not output a
dnl packet to the port it arrived on.
2085 table=10 priority=10 arp arp_op=1 action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2086 table=10 priority=0 action=drop
2089 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2091 dnl HTTP requests from p0->p1 should work fine.
2092 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
2093 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The translated source is any address of the range, so sed folds the reply
dnl dst 10.1.1.24x/25x into 10.1.1.2XX before comparing.
2095 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
2096 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2099 OVS_TRAFFIC_VSWITCHD_STOP
2102 AT_SETUP([conntrack - simple DNAT])
dnl Destination-NAT the virtual address 10.1.1.64 to the real server 10.1.1.2.
dnl Nobody owns 10.1.1.64, so the bridge answers ARP for it with the MAC of p1.
2104 OVS_TRAFFIC_VSWITCHD_START()
2106 ADD_NAMESPACES(at_ns0, at_ns1)
2108 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2109 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl This time the fixed MAC goes on the server side (p1): it is what table 8
dnl returns for the virtual IP, so frames for 10.1.1.64 reach at_ns1.
2110 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
2112 dnl Allow any traffic from ns0->ns1. Only allow ARP and return traffic from ns1->ns0.
2113 AT_DATA([flows.txt], [dnl
dnl Traffic to the VIP is committed with the DNAT; everything else from port 1 is
dnl committed untranslated.
2114 priority=100 in_port=1,ip,nw_dst=10.1.1.64,action=ct(zone=1,nat(dst=10.1.1.2),commit),2
2115 priority=10 in_port=1,ip,action=ct(commit,zone=1),2
dnl Return traffic is un-NATed by ct(nat), re-enters table 0 and only +est is forwarded.
2116 priority=100 in_port=2,ct_state=-trk,ip,action=ct(table=0,nat,zone=1)
2117 priority=100 in_port=2,ct_state=+trk+est,ct_zone=1,ip,action=1
dnl ARP requests: save the target IP in reg2, resolve it in table 8, answer in table 10.
2120 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2121 priority=10 arp action=normal
2122 priority=0,action=drop
2124 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64, matched exactly (no mask) since only the VIP is virtual.
2125 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2126 dnl Zero result means not found.
2127 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2128 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2130 table=10 priority=100 arp xreg0=0 action=normal
2131 dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is saved in reg3 and zeroed before output, because OVS will not output a
dnl packet to the port it arrived on.
2132 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2133 table=10 priority=0 action=drop
2136 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2138 dnl Should work with the virtual IP address through NAT
2139 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
2140 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The entry keeps the VIP as orig dst while the reply comes from the real server.
2142 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
2143 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2146 dnl Should work with the assigned IP address as well
2147 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Direct connection: committed by the priority=10 flow without translation.
2149 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2150 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2153 OVS_TRAFFIC_VSWITCHD_STOP
2156 AT_SETUP([conntrack - more complex DNAT])
dnl DNAT with a two-stage pipeline: table 0 runs every IP packet through ct
dnl with nat (so existing mappings are applied in both directions) and table 1
dnl decides, by ct_state, which new connections get the VIP translated.
2158 OVS_TRAFFIC_VSWITCHD_START()
2160 ADD_NAMESPACES(at_ns0, at_ns1)
2162 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2163 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl The fixed MAC goes on the server side (p1): it is what table 8 returns for
dnl the virtual IP, so frames for 10.1.1.64 reach at_ns1.
2164 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
2166 dnl Allow any traffic from ns0->ns1. Only allow ARP and return traffic from ns1->ns0.
2167 AT_DATA([flows.txt], [dnl
2168 dnl Track all IP traffic
2169 table=0 priority=100 ip action=ct(table=1,zone=1,nat)
2171 dnl Allow ARP, but generate responses for NATed addresses
2172 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2173 table=0 priority=10 arp action=normal
2174 table=0 priority=0 action=drop
2176 dnl Allow any IP traffic from ns0->ns1. DNAT ns0 from 10.1.1.64 to 10.1.1.2
dnl New connections to the VIP are committed with the DNAT, other new ones untranslated.
2177 table=1 priority=100 in_port=1 ct_state=+new ip nw_dst=10.1.1.64 action=ct(zone=1,nat(dst=10.1.1.2),commit),2
2178 table=1 priority=10 in_port=1 ct_state=+new ip action=ct(commit,zone=1),2
2179 table=1 priority=100 in_port=1 ct_state=+est ct_zone=1 action=2
2180 dnl Only allow established traffic from ns1->ns0.
2181 table=1 priority=100 in_port=2 ct_state=+est ct_zone=1 action=1
2182 table=1 priority=0 action=drop
2184 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64, matched exactly (no mask) since only the VIP is virtual.
2185 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2186 dnl Zero result means not found.
2187 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2188 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2190 table=10 priority=100 arp xreg0=0 action=normal
2191 dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is saved in reg3 and zeroed before output, because OVS will not output a
dnl packet to the port it arrived on.
2192 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2193 table=10 priority=0 action=drop
2196 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2198 dnl Should work with the virtual IP address through NAT
2199 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
2200 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The entry keeps the VIP as orig dst while the reply comes from the real server.
2202 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
2203 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2206 dnl Should work with the assigned IP address as well
2207 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Direct connection: committed by the priority=10 flow without translation.
2209 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2210 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2213 OVS_TRAFFIC_VSWITCHD_STOP
2216 AT_SETUP([conntrack - ICMP related with NAT])
dnl Source NAT on UDP with an ICMP error coming back: the error must be
dnl recognised as related to the NATted connection and reverse-translated
dnl before it is delivered to ns0.  Unrelated ICMP from ns1 must not get through.
2218 OVS_TRAFFIC_VSWITCHD_START()
2220 ADD_NAMESPACES(at_ns0, at_ns1)
2222 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0; the ARP responder (table 8) hands out this address for
dnl the NAT pool.
2223 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2224 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2226 dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
2227 dnl Make sure ICMP responses are reverse-NATted.
2228 AT_DATA([flows.txt], [dnl
dnl New UDP from port 1 is committed with a source NAT from the pool and
dnl tagged ct_mark=1 so the return path can tell which connections this
dnl pipeline created.
2229 in_port=1,udp,action=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:1->ct_mark)),2
dnl Untracked ICMP from port 2 goes through conntrack with reverse NAT and
dnl re-enters table 0 as a tracked packet.
2230 in_port=2,icmp,ct_state=-trk,action=ct(table=0,nat)
dnl Only ICMP that conntrack reports as related to a marked connection, and
dnl whose destination has already been reverse-NATted to 10.1.1.1, is
dnl delivered.  Any other tracked ICMP from port 2 matches nothing but the
dnl priority=0 drop below.
2231 in_port=2,icmp,nw_dst=10.1.1.1,ct_state=+trk+rel,ct_mark=1,action=1
2234 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2235 priority=10 arp action=normal
2236 priority=0,action=drop
2238 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl Only the NAT source pool 10.1.1.240/28 resolves (to p0's MAC); anything
dnl else yields 0 and falls back to normal ARP handling in table 10.
2239 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2240 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2241 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2243 dnl Swaps the fields of the ARP message to turn a query to a response.
2244 table=10 priority=100 arp xreg0=0 action=normal
2245 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2246 table=10 priority=0 action=drop
2249 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2251 dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
dnl No service is started in ns1 in this test, so the datagram is expected to
dnl be answered by the ns1 kernel with an ICMP destination unreachable.
2252 NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])
dnl The purge presumably pushes datapath statistics to the OpenFlow counters
dnl so the n_packets values below are current.  Drop flows are filtered out
dnl of the listing, so it verifies the allow path (one UDP out, one ICMP
dnl through ct, one ICMP delivered) but not the absence of drops.  The
dnl conntrack check afterwards masks which pool address (10.1.1.240-255) NAT
dnl picked for the reply side, since that choice is not fixed.
2254 AT_CHECK([ovs-appctl revalidator/purge], [0])
2255 AT_CHECK([ovs-ofctl -O OpenFlow15 dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
2256 n_packets=1, n_bytes=42, priority=10,arp actions=NORMAL
2257 n_packets=1, n_bytes=44, udp,in_port=1 actions=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:0x1->ct_mark)),output:2
2258 n_packets=1, n_bytes=72, ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2,nw_dst=10.1.1.1 actions=output:1
2259 n_packets=1, n_bytes=72, ct_state=-trk,icmp,in_port=2 actions=ct(table=0,nat)
2260 n_packets=2, n_bytes=84, priority=100,arp,arp_op=1 actions=move:NXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2261 table=10, n_packets=1, n_bytes=42, priority=10,arp,arp_op=1 actions=set_field:2->arp_op,move:NXM_NX_ARP_SHA[[]]->NXM_NX_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_NX_ARP_SHA[[]],move:NXM_OF_ARP_SPA[[]]->NXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->NXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],set_field:0->in_port,output:NXM_NX_REG3[[0..15]]
2262 table=10, n_packets=1, n_bytes=42, priority=100,arp,reg0=0,reg1=0 actions=NORMAL
2263 table=8, n_packets=1, n_bytes=42, priority=0 actions=set_field:0->xreg0
2264 table=8, n_packets=1, n_bytes=42, reg2=0xa0101f0/0xfffffff0 actions=set_field:0x808888888888->xreg0
2265 OFPST_FLOW reply (OF1.5):
2268 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
2269 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),mark=1
2272 OVS_TRAFFIC_VSWITCHD_STOP
2276 AT_SETUP([conntrack - FTP with NAT])
dnl Active-mode FTP through source NAT: the control channel is committed with
dnl the ftp helper so that the server-initiated data connection is tracked as
dnl related and reverse-translated back to the real client address.
2277 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
2280 OVS_TRAFFIC_VSWITCHD_START()
2282 ADD_NAMESPACES(at_ns0, at_ns1)
2284 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0; the ARP responder (table 8) answers for the NAT address
dnl with it.
2285 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2286 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2288 dnl Allow any traffic from ns0->ns1. Only allow ARP and return traffic from ns1->ns0.
2290 AT_DATA([flows.txt], [dnl
2291 dnl track all IP traffic, de-mangle non-NEW connections
dnl Table 0 dispatches by ingress port; ct(nat) applies the existing mapping
dnl of known connections before tables 1 and 2 see the packet.
2292 table=0 in_port=1, ip, action=ct(table=1,nat)
2293 table=0 in_port=2, ip, action=ct(table=2,nat)
2297 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2298 table=0 priority=10 arp action=normal
2299 table=0 priority=0 action=drop
2301 dnl Table 1: port 1 -> 2
2303 dnl Allow new FTP connections. These need to be committed.
dnl Only the real client address may open the control connection; alg=ftp
dnl attaches the helper that makes the data connection show up as related.
2304 table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
2305 dnl Allow established TCP connections, make sure they are NATted already.
dnl Matching the NAT address rather than 10.1.1.1 proves the ct(nat) in table 0
dnl already rewrote the source.
2306 table=1 ct_state=+est, tcp, nw_src=10.1.1.240, action=2
2308 dnl Table 1: droppers
dnl TCP that is neither a new FTP control connection nor an established,
dnl NATted one: priority 10 loses to the default-priority flows above, so this
dnl only catches what they did not match.
2310 table=1 priority=10, tcp, action=drop
2311 table=1 priority=0,action=drop
2313 dnl Table 2: port 2 -> 1
2315 dnl Allow established TCP connections, make sure they are reverse NATted
2316 table=2 ct_state=+est, tcp, nw_dst=10.1.1.1, action=1
2317 dnl Allow (new) related (data) connections. These need to be committed.
dnl The server-initiated data connection targets the NAT address; committing
dnl it with nat reverse-translates it to 10.1.1.1 (second conntrack entry in
dnl the expected output below).
2318 table=2 ct_state=+new+rel, tcp, nw_dst=10.1.1.240, action=ct(commit,nat),1
2319 dnl Allow related ICMP packets, make sure they are reverse NATted
2320 table=2 ct_state=+rel, icmp, nw_dst=10.1.1.1, action=1
2322 dnl Table 2: droppers
2324 table=2 priority=10, tcp, action=drop
2325 table=2 priority=0, action=drop
2327 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl Only the NAT pool 10.1.1.240/28 resolves, to p0's MAC.
2329 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2330 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2331 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2333 dnl Swaps the fields of the ARP message to turn a query to a response.
2334 table=10 priority=100 arp xreg0=0 action=normal
2335 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2336 table=10 priority=0 action=drop
2339 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2341 dnl NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
dnl Only the server side is started; wait until it is listening before the
dnl client connects.
2342 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
2343 OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
2345 dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode, i.e. the server opens the data
dnl connection towards the (NATted) client.
2346 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
dnl Expected: the control connection (helper=ftp) and the related data
dnl connection, both with the NAT address on the translated side.
2348 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2349 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
2350 tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2353 OVS_TRAFFIC_VSWITCHD_STOP
2357 AT_SETUP([conntrack - FTP with NAT 2])
dnl Same scenario as "FTP with NAT", but NAT is applied by a second ct(nat)
dnl call in table 1 for each direction instead of in table 0, and the table 1
dnl flows select on ct_state and in_port alone rather than pinning addresses.
2358 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
2360 OVS_TRAFFIC_VSWITCHD_START()
2362 ADD_NAMESPACES(at_ns0, at_ns1)
2364 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0; the ARP responder (table 8) answers for the NAT address
dnl with it.
2365 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2366 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2368 dnl Allow any traffic from ns0->ns1.
2369 dnl Only allow ARP and return traffic from ns1->ns0.
2370 AT_DATA([flows.txt], [dnl
2371 dnl track all IP traffic (this includes a helper call to non-NEW packets.)
dnl Note: no nat here; translation happens in table 1.
2372 table=0 ip, action=ct(table=1)
2376 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2377 table=0 priority=10 arp action=normal
2378 table=0 priority=0 action=drop
2382 dnl Allow new FTP connections. These need to be committed.
2383 dnl This does helper for new packets.
2384 table=1 in_port=1 ct_state=+new, tcp, tp_dst=21, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
2385 dnl Allow and NAT established TCP connections
dnl These do not match on addresses, so they rely on conntrack state alone to
dnl decide what is forwarded.
2386 table=1 in_port=1 ct_state=+est, tcp, action=ct(nat),2
2387 table=1 in_port=2 ct_state=+est, tcp, action=ct(nat),1
2388 dnl Allow and NAT (new) related active (data) connections.
2389 dnl These need to be committed.
2390 table=1 in_port=2 ct_state=+new+rel, tcp, action=ct(commit,nat),1
2391 dnl Allow related ICMP packets.
2392 table=1 in_port=2 ct_state=+rel, icmp, action=ct(nat),1
2393 dnl Drop everything else.
2394 table=1 priority=0, action=drop
2396 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl Only the NAT pool 10.1.1.240/28 resolves, to p0's MAC.
2398 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2399 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2400 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2402 dnl Swaps the fields of the ARP message to turn a query to a response.
2403 table=10 priority=100 arp xreg0=0 action=normal
2404 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2405 table=10 priority=0 action=drop
2408 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Start the server and wait until it is listening before the client connects.
2410 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
2411 OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
2413 dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode, i.e. the server opens the data
dnl connection towards the (NATted) client.
2414 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
2416 dnl Discards CLOSE_WAIT and CLOSING
dnl Expected: the control connection (helper=ftp) and the related data
dnl connection, both with the NAT address on the translated side.
2417 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2418 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
2419 tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2422 OVS_TRAFFIC_VSWITCHD_STOP
2425 AT_SETUP([conntrack - IPv6 HTTP with NAT])
dnl IPv6 source NAT for HTTP in one direction, and a check that the reverse
dnl direction cannot open new connections through the NAT.
2427 OVS_TRAFFIC_VSWITCHD_START()
2429 ADD_NAMESPACES(at_ns0, at_ns1)
2431 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
2432 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2433 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl No interface owns the NAT source address fc00::240, so ns1 is given a
dnl static neighbour entry for it pointing at p0's MAC set above.
2434 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
2436 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
2437 AT_DATA([flows.txt], [dnl
2438 priority=1,action=drop
2439 priority=10,icmp6,action=normal
dnl Everything from port 1 is committed with source NAT to fc00::240.
2440 priority=100,in_port=1,ip6,action=ct(commit,nat(src=fc00::240)),2
dnl Untracked traffic from port 2 is reverse-NATted and re-enters table 0;
dnl only established connections are then forwarded.  A new TCP connection
dnl from port 2 matches no allow flow and ends at the priority=1 drop, which
dnl the wget1 check below relies on.
2441 priority=100,in_port=2,ct_state=-trk,ip6,action=ct(nat,table=0)
2442 priority=100,in_port=2,ct_state=+trk+est,ip6,action=1
dnl Neighbour solicitations for the NAT address are DNATted to fc00::1 so the
dnl real host answers them.
2443 priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::240,action=ct(commit,nat(dst=fc00::1)),1
2446 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2448 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
2449 dnl waiting, we get occasional failures due to the following error:
2450 dnl "connect: Cannot assign requested address"
2451 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
2453 dnl HTTP requests from ns0->ns1 should work fine.
2454 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])
2456 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2458 dnl HTTP requests from ns1->ns0 should fail due to network failure.
2459 dnl Try 3 times, in 1 second intervals.
dnl wget exit status 4 is its "network failure" code; a server is started in
dnl ns0 so that a failure can only come from the pipeline dropping the
dnl connection, not from a closed port.
2460 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
2461 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
2463 OVS_TRAFFIC_VSWITCHD_STOP
2467 AT_SETUP([conntrack - IPv6 FTP with NAT])
dnl IPv6 variant of the active-mode FTP through source NAT test: the helper on
dnl the control connection must make the server-initiated data connection
dnl related, and it must be reverse-translated to the real client address.
2468 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
2470 OVS_TRAFFIC_VSWITCHD_START()
2472 ADD_NAMESPACES(at_ns0, at_ns1)
2474 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
2475 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2476 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
2477 dnl Would be nice if NAT could translate neighbor discovery messages, too.
dnl Unlike the IPv6 HTTP test, no flow translates solicitations for fc00::240;
dnl the static neighbour entry (pointing at p0's MAC) stands in for that.
2478 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
2480 dnl Allow any traffic from ns0->ns1.
2481 dnl Only allow nd, return traffic from ns1->ns0.
2482 AT_DATA([flows.txt], [dnl
2483 dnl Allow other ICMPv6 both ways (without commit).
2484 table=1 priority=100 in_port=1 icmp6, action=2
2485 table=1 priority=100 in_port=2 icmp6, action=1
2486 dnl track all IPv6 traffic (this includes NAT & help to non-NEW packets.)
dnl ct(nat) applies the existing mapping before table 1 sees the packet, so
dnl the address matches in table 1 are on translated addresses.
2487 table=0 priority=10 ip6, action=ct(nat,table=1)
2488 table=0 priority=0 action=drop
2492 dnl Allow new TCPv6 FTP control connections.
dnl Only the real client address may open the control connection; alg=ftp
dnl attaches the helper that makes the data connection show up as related.
2493 table=1 in_port=1 ct_state=+new tcp6 ipv6_src=fc00::1 tp_dst=21 action=ct(alg=ftp,commit,nat(src=fc00::240)),2
2494 dnl Allow related TCPv6 connections from port 2 to the NATted address.
dnl Committing with nat reverse-translates the server-initiated data
dnl connection to fc00::1 (second conntrack entry in the expected output).
2495 table=1 in_port=2 ct_state=+new+rel tcp6 ipv6_dst=fc00::240 action=ct(commit,nat),1
2496 dnl Allow established TCPv6 connections both ways, enforce NATting
2497 table=1 in_port=1 ct_state=+est tcp6 ipv6_src=fc00::240 action=2
2498 table=1 in_port=2 ct_state=+est tcp6 ipv6_dst=fc00::1 action=1
2499 dnl Drop everything else.
2500 table=1 priority=0, action=drop
2503 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2505 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
2506 dnl waiting, we get occasional failures due to the following error:
2507 dnl "connect: Cannot assign requested address"
2508 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
dnl Start the server and wait until it is listening before the client connects.
2510 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
2511 OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
2513 dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode, i.e. the server opens the data
dnl connection towards the (NATted) client.
2514 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
2516 dnl Discards CLOSE_WAIT and CLOSING
dnl Expected: the control connection (helper=ftp) and the related data
dnl connection, both with the NAT address on the translated side.
2517 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
2518 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
2519 tcp,orig=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2522 OVS_TRAFFIC_VSWITCHD_STOP
2525 AT_SETUP([conntrack - DNAT load balancing])
dnl Destination NAT behind a virtual IP (10.1.1.64): a select group spreads
dnl new connections over three servers and conntrack keeps each connection
dnl pinned to the server it was first mapped to.
2527 OVS_TRAFFIC_VSWITCHD_START()
2529 ADD_NAMESPACES(at_ns1, at_ns2, at_ns3, at_ns4)
2531 ADD_VETH(p1, at_ns1, br0, "10.1.1.1/24")
2532 ADD_VETH(p2, at_ns2, br0, "10.1.1.2/24")
2533 ADD_VETH(p3, at_ns3, br0, "10.1.1.3/24")
2534 ADD_VETH(p4, at_ns4, br0, "10.1.1.4/24")
dnl Fixed MACs so that table 4 can rewrite the destination MAC per server.
2535 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:11])
2536 NS_CHECK_EXEC([at_ns2], [ip link set dev p2 address 80:88:88:88:88:22])
2537 NS_CHECK_EXEC([at_ns3], [ip link set dev p3 address 80:88:88:88:88:33])
2538 NS_CHECK_EXEC([at_ns4], [ip link set dev p4 address 80:88:88:88:88:44])
2540 dnl Select group for load balancing. One bucket per server. Each bucket
2541 dnl tracks and NATs the connection and recirculates to table 4 for egress
2542 dnl routing. Packets of existing connections are always NATted based on
2543 dnl connection state, only new connections are NATted according to the
2544 dnl specific NAT parameters in each bucket.
2545 AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn add-group br0 "group_id=234,type=select,bucket=weight=100,ct(nat(dst=10.1.1.2),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.3),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.4),commit,table=4)"])
2547 AT_DATA([flows.txt], [dnl
2548 dnl Track connections to the virtual IP address.
2549 table=0 priority=100 ip nw_dst=10.1.1.64 action=group:234
2550 dnl All other IP traffic is allowed but the connection state is not committed.
dnl ct(nat) here reverse-translates server replies back to the virtual IP.
2551 table=0 priority=90 ip action=ct(table=4,nat)
2553 dnl Allow ARP, but generate responses for virtual addresses
2554 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2555 table=0 priority=10 arp action=normal
2556 table=0 priority=0 action=drop
dnl Table 4: egress by (post-NAT) destination IP.  The destination MAC is
dnl rewritten here, presumably because ct(nat) leaves the Ethernet header
dnl untouched and the client addressed the frame to the virtual IP's MAC.
2560 table=4,ip,nw_dst=10.1.1.1 action=mod_dl_dst:80:88:88:88:88:11,output:1
2561 table=4,ip,nw_dst=10.1.1.2 action=mod_dl_dst:80:88:88:88:88:22,output:2
2562 table=4,ip,nw_dst=10.1.1.3 action=mod_dl_dst:80:88:88:88:88:33,output:3
2563 table=4,ip,nw_dst=10.1.1.4 action=mod_dl_dst:80:88:88:88:88:44,output:4
2564 table=4 priority=0 action=drop
2566 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl Only the virtual IP (0x0a010140 = 10.1.1.64) is answered for; it is given
dnl a MAC no port owns.
2567 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2568 dnl Zero result means not found.
2569 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2570 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2572 table=10 priority=100 arp xreg0=0 action=normal
2573 dnl Swaps the fields of the ARP message to turn a query to a response.
2574 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
dnl NOTE(review): the other tests in this file drop here; this one sends to the
dnl controller.  Table 10 is only reached for arp_op=1 and the two flows above
dnl cover xreg0=0 and arp_op=1, so this entry looks unreachable -- confirm.
2575 table=10 priority=0 action=controller
2578 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2580 dnl Start web servers
2581 NETNS_DAEMONIZE([at_ns2], [[$PYTHON $srcdir/test-l7.py]], [http2.pid])
2582 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http3.pid])
2583 NETNS_DAEMONIZE([at_ns4], [[$PYTHON $srcdir/test-l7.py]], [http4.pid])
dnl Dump flow and group state when the test exits, to help debug a failure.
2585 on_exit 'ovs-ofctl -O OpenFlow15 dump-flows br0'
2586 on_exit 'ovs-appctl revalidator/purge'
2587 on_exit 'ovs-appctl dpif/dump-flows br0'
2589 dnl Should work with the virtual IP address through NAT
dnl Twelve requests against a three-bucket select group; the check below
dnl only requires that every server saw at least one of them.
dnl NOTE(review): if bucket selection is not guaranteed to cover all buckets
dnl for these inputs, this check could be flaky -- confirm.
2590 for i in 1 2 3 4 5 6 7 8 9 10 11 12; do
2592 NS_CHECK_EXEC([at_ns1], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget$i.log])
2595 dnl Each server should have at least one connection.
dnl Every entry has the virtual IP as original destination and one of the
dnl real servers on the reply side.
2596 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
2597 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2598 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.3,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2599 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2602 ovs-appctl dpif/dump-flows br0
2603 ovs-appctl revalidator/purge
2604 ovs-ofctl -O OpenFlow15 dump-flows br0
2605 ovs-ofctl -O OpenFlow15 dump-group-stats br0
2607 OVS_TRAFFIC_VSWITCHD_STOP
2611 AT_SETUP([conntrack - DNAT load balancing with NC])
dnl Same virtual-IP DNAT setup as the previous test, but with two clients
dnl (ns1 and ns5) that deliberately reuse the same source port towards the
dnl virtual IP, so the NAT mappings differ only by source address.
2613 OVS_TRAFFIC_VSWITCHD_START()
2615 ADD_NAMESPACES(at_ns1, at_ns2, at_ns3, at_ns4, at_ns5)
2617 ADD_VETH(p1, at_ns1, br0, "10.1.1.1/24")
2618 ADD_VETH(p2, at_ns2, br0, "10.1.1.2/24")
2619 ADD_VETH(p3, at_ns3, br0, "10.1.1.3/24")
2620 ADD_VETH(p4, at_ns4, br0, "10.1.1.4/24")
2621 ADD_VETH(p5, at_ns5, br0, "10.1.1.5/24")
dnl Fixed MACs so that table 4 can rewrite the destination MAC per host.
2622 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:11])
2623 NS_CHECK_EXEC([at_ns2], [ip link set dev p2 address 80:88:88:88:88:22])
2624 NS_CHECK_EXEC([at_ns3], [ip link set dev p3 address 80:88:88:88:88:33])
2625 NS_CHECK_EXEC([at_ns4], [ip link set dev p4 address 80:88:88:88:88:44])
2626 NS_CHECK_EXEC([at_ns5], [ip link set dev p5 address 80:88:88:88:88:55])
2628 dnl Select group for load balancing. One bucket per server. Each bucket
2629 dnl tracks and NATs the connection and recirculates to table 4 for egress
2630 dnl routing. Packets of existing connections are always NATted based on
2631 dnl connection state, only new connections are NATted according to the
2632 dnl specific NAT parameters in each bucket.
dnl Only ns2..ns4 are servers; ns5 is a second client and has no bucket.
2633 AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn add-group br0 "group_id=234,type=select,bucket=weight=100,ct(nat(dst=10.1.1.2),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.3),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.4),commit,table=4)"])
2635 AT_DATA([flows.txt], [dnl
2636 dnl Track connections to the virtual IP address.
2637 table=0 priority=100 ip nw_dst=10.1.1.64 action=group:234
2638 dnl All other IP traffic is allowed but the connection state is not committed.
dnl ct(nat) here reverse-translates server replies back to the virtual IP.
2639 table=0 priority=90 ip action=ct(table=4,nat)
2641 dnl Allow ARP, but generate responses for virtual addresses
2642 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2643 table=0 priority=10 arp action=normal
2644 table=0 priority=0 action=drop
dnl Table 4: egress by (post-NAT) destination IP, rewriting the destination
dnl MAC to the real host's.
2648 table=4,ip,nw_dst=10.1.1.1 action=mod_dl_dst:80:88:88:88:88:11,output:1
2649 table=4,ip,nw_dst=10.1.1.2 action=mod_dl_dst:80:88:88:88:88:22,output:2
2650 table=4,ip,nw_dst=10.1.1.3 action=mod_dl_dst:80:88:88:88:88:33,output:3
2651 table=4,ip,nw_dst=10.1.1.4 action=mod_dl_dst:80:88:88:88:88:44,output:4
2652 table=4,ip,nw_dst=10.1.1.5 action=mod_dl_dst:80:88:88:88:88:55,output:5
2653 table=4 priority=0 action=drop
2655 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl Only the virtual IP (0x0a010140 = 10.1.1.64) is answered for; it is given
dnl a MAC no port owns.
2656 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2657 dnl Zero result means not found.
2658 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2659 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2661 table=10 priority=100 arp xreg0=0 action=normal
2662 dnl Swaps the fields of the ARP message to turn a query to a response.
2663 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
dnl NOTE(review): as in the previous test this fallback sends to the controller
dnl rather than dropping, and looks unreachable given the two flows above --
dnl confirm.
2664 table=10 priority=0 action=controller
2667 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2669 dnl Start web servers
2670 NETNS_DAEMONIZE([at_ns2], [[$PYTHON $srcdir/test-l7.py]], [http2.pid])
2671 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http3.pid])
2672 NETNS_DAEMONIZE([at_ns4], [[$PYTHON $srcdir/test-l7.py]], [http4.pid])
dnl Dump flow and group state when the test exits, to help debug a failure.
2674 on_exit 'ovs-ofctl -O OpenFlow15 dump-flows br0'
2675 on_exit 'ovs-appctl revalidator/purge'
2676 on_exit 'ovs-appctl dpif/dump-flows br0'
2680 dnl Should work with the virtual IP address through NAT
dnl Both clients bind the same source port (4100$i) for each round, so the two
dnl connections in a round share everything but the source IP; presumably this
dnl is meant to exercise that conntrack/NAT keeps such mappings apart.
2681 for i in 1 2 3 4 5 6 7 8 9; do
2683 NS_CHECK_EXEC([at_ns1], [echo "TEST1" | nc -p 4100$i 10.1.1.64 80 > nc-1-$i.log])
2684 NS_CHECK_EXEC([at_ns5], [echo "TEST5" | nc -p 4100$i 10.1.1.64 80 > nc-5-$i.log])
2689 ovs-appctl dpif/dump-flows br0
2690 ovs-appctl revalidator/purge
2691 ovs-ofctl -O OpenFlow15 dump-flows br0
2692 ovs-ofctl -O OpenFlow15 dump-group-stats br0
2694 OVS_TRAFFIC_VSWITCHD_STOP