1 AT_BANNER([datapath-sanity])
dnl Baseline forwarding check: two veth ports, each in its own network
dnl namespace, attached to br0 with a single "actions=normal" flow, i.e.
dnl plain learning-switch behaviour with no filtering of any kind.
3 AT_SETUP([datapath - ping between two ports])
4 OVS_TRAFFIC_VSWITCHD_START()
6 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
8 ADD_NAMESPACES(at_ns0, at_ns1)
10 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
11 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl A small ICMP echo first, then 1600- and 3200-byte payloads.  Those are
dnl above a typical 1500-byte link MTU, so they presumably travel as IP
dnl fragments and exercise fragment forwarding through the datapath.  The
dnl veth MTU is not set explicitly here -- confirm against ADD_VETH.
13 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
14 3 packets transmitted, 3 received, 0% packet loss, time 0ms
16 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
17 3 packets transmitted, 3 received, 0% packet loss, time 0ms
19 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
20 3 packets transmitted, 3 received, 0% packet loss, time 0ms
23 OVS_TRAFFIC_VSWITCHD_STOP
dnl Same two-port "actions=normal" topology, but with a TCP exchange on top:
dnl test-l7.py serves HTTP inside at_ns1 and wget fetches it from at_ns0.
26 AT_SETUP([datapath - http between two ports])
27 OVS_TRAFFIC_VSWITCHD_START()
29 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
31 ADD_NAMESPACES(at_ns0, at_ns1)
33 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
34 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Connectivity sanity check before starting the server.
36 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
37 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl The server is daemonized asynchronously, so wget is given three tries
dnl with a one-second timeout and --retry-connrefused: a refused connect
dnl only means the listener is not up yet, not that the datapath failed.
40 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
41 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
43 OVS_TRAFFIC_VSWITCHD_STOP
dnl As the untagged ping test, but the traffic is sent between 802.1Q VLAN
dnl 100 sub-interfaces (10.2.2.x) of the two veths.  With "actions=normal"
dnl the tagged frames are expected to pass through br0 with the tag intact;
dnl the untagged 10.1.1.x addresses are configured but not exercised here.
46 AT_SETUP([datapath - ping between two ports on vlan])
47 OVS_TRAFFIC_VSWITCHD_START()
49 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
51 ADD_NAMESPACES(at_ns0, at_ns1)
53 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
54 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
56 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
57 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
dnl Payload sizes as in the untagged test; the 4-byte tag makes the oversize
dnl cases presumably fragment one step earlier than without VLAN.
59 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
60 3 packets transmitted, 3 received, 0% packet loss, time 0ms
62 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
63 3 packets transmitted, 3 received, 0% packet loss, time 0ms
65 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
66 3 packets transmitted, 3 received, 0% packet loss, time 0ms
69 OVS_TRAFFIC_VSWITCHD_STOP
dnl IPv6 variant of the two-port ping test, using ULA addresses fc00::1 and
dnl fc00::2 in a /96.  Neighbour discovery (ICMPv6) must pass through the
dnl "actions=normal" flow for this to work at all.
72 AT_SETUP([datapath - ping6 between two ports])
73 OVS_TRAFFIC_VSWITCHD_START()
75 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
77 ADD_NAMESPACES(at_ns0, at_ns1)
79 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
80 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
82 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
83 dnl waiting, we get occasional failures due to the following error:
84 dnl "connect: Cannot assign requested address"
dnl (Presumably duplicate address detection on the freshly added addresses;
dnl the wait below simply retries a single echo until one succeeds.)
85 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
dnl Same three payload sizes as the IPv4 test; the larger two are presumably
dnl above the link MTU and exercise IPv6 fragmentation at the sender.
87 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
88 3 packets transmitted, 3 received, 0% packet loss, time 0ms
90 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
91 3 packets transmitted, 3 received, 0% packet loss, time 0ms
93 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
94 3 packets transmitted, 3 received, 0% packet loss, time 0ms
97 OVS_TRAFFIC_VSWITCHD_STOP
dnl IPv6 over 802.1Q VLAN 100: the checks use the fc00:1::x addresses on the
dnl VLAN sub-interfaces, while fc00::x stay on the untagged parent veths.
100 AT_SETUP([datapath - ping6 between two ports on vlan])
101 OVS_TRAFFIC_VSWITCHD_START()
103 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
105 ADD_NAMESPACES(at_ns0, at_ns1)
107 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
108 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
110 ADD_VLAN(p0, at_ns0, 100, "fc00:1::1/96")
111 ADD_VLAN(p1, at_ns1, 100, "fc00:1::2/96")
113 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
114 dnl waiting, we get occasional failures due to the following error:
115 dnl "connect: Cannot assign requested address"
dnl NOTE(review): the readiness probe below pings the untagged address
dnl fc00::2, but every check that follows uses fc00:1::2 on the VLAN
dnl sub-interface.  If the sub-interface address becomes usable later than
dnl the parent one, the first tagged check can still race -- consider
dnl waiting on fc00:1::2 instead.
116 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
118 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
119 3 packets transmitted, 3 received, 0% packet loss, time 0ms
121 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
122 3 packets transmitted, 3 received, 0% packet loss, time 0ms
124 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
125 3 packets transmitted, 3 received, 0% packet loss, time 0ms
128 OVS_TRAFFIC_VSWITCHD_STOP
dnl VXLAN overlay between an OVS tunnel port and a native Linux vxlan device.
dnl Topology: br-underlay carries the outer (underlay) traffic between the
dnl host side (172.31.1.100, address on the bridge itself) and at_ns0
dnl (172.31.1.1 via veth p0).  br0 gets an OVS vxlan port whose remote is
dnl 172.31.1.1 and whose overlay address is 10.1.1.100; inside the namespace
dnl a kernel vxlan device points back at 172.31.1.100 with 10.1.1.1.
dnl Only plain connectivity is checked -- no tunnel key is configured on the
dnl OVS side, and VXLAN itself provides no authentication or confidentiality.
131 AT_SETUP([datapath - ping over vxlan tunnel])
134 OVS_TRAFFIC_VSWITCHD_START()
135 ADD_BR([br-underlay])
137 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
138 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
140 ADD_NAMESPACES(at_ns0)
142 dnl Set up underlay link from host into the namespace using veth pair.
143 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
144 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
145 AT_CHECK([ip link set dev br-underlay up])
147 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
148 dnl linux device inside the namespace.
149 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
dnl The ADD_NATIVE_TUNNEL call continues on a further line that is not shown
dnl in this listing (its trailing arguments, presumably the vxlan options).
150 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
153 dnl First, check the underlay
154 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
155 3 packets transmitted, 3 received, 0% packet loss, time 0ms
158 dnl Okay, now check the overlay with different packet sizes
dnl The 1600- and 3200-byte payloads exceed what fits in one underlay frame
dnl once the outer headers are added, so these presumably cover fragmentation
dnl of encapsulated packets as well as the plain encap/decap path.
159 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
160 3 packets transmitted, 3 received, 0% packet loss, time 0ms
162 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
163 3 packets transmitted, 3 received, 0% packet loss, time 0ms
165 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
166 3 packets transmitted, 3 received, 0% packet loss, time 0ms
169 OVS_TRAFFIC_VSWITCHD_STOP
dnl GRE overlay, same underlay layout as the VXLAN test.  Note the pairing:
dnl the OVS side is a "gre" port (Ethernet-over-GRE in OVS terms) and the
dnl kernel side is a "gretap" device, which is the Linux name for the L2
dnl flavour; a plain "gre" kernel device would carry IP only.  No GRE key
dnl or checksum option is configured, so this checks encap/decap only.
172 AT_SETUP([datapath - ping over gre tunnel])
175 OVS_TRAFFIC_VSWITCHD_START()
176 ADD_BR([br-underlay])
178 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
179 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
181 ADD_NAMESPACES(at_ns0)
183 dnl Set up underlay link from host into the namespace using veth pair.
184 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
185 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
186 AT_CHECK([ip link set dev br-underlay up])
188 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
189 dnl linux device inside the namespace.
190 ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
191 ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24])
193 dnl First, check the underlay
194 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
195 3 packets transmitted, 3 received, 0% packet loss, time 0ms
198 dnl Okay, now check the overlay with different packet sizes
199 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
200 3 packets transmitted, 3 received, 0% packet loss, time 0ms
202 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
203 3 packets transmitted, 3 received, 0% packet loss, time 0ms
205 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
206 3 packets transmitted, 3 received, 0% packet loss, time 0ms
209 OVS_TRAFFIC_VSWITCHD_STOP
dnl Geneve overlay with the same underlay layout as the VXLAN and GRE tests.
212 AT_SETUP([datapath - ping over geneve tunnel])
215 OVS_TRAFFIC_VSWITCHD_START()
216 ADD_BR([br-underlay])
218 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
219 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
221 ADD_NAMESPACES(at_ns0)
223 dnl Set up underlay link from host into the namespace using veth pair.
224 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
225 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
226 AT_CHECK([ip link set dev br-underlay up])
228 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
229 dnl linux device inside the namespace.
230 ADD_OVS_TUNNEL([geneve], [br0], [at_gnv0], [172.31.1.1], [10.1.1.100/24])
dnl The ADD_NATIVE_TUNNEL call continues on a further line that is not shown
dnl in this listing (its trailing arguments, presumably the geneve options).
231 ADD_NATIVE_TUNNEL([geneve], [ns_gnv0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
234 dnl First, check the underlay
235 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
236 3 packets transmitted, 3 received, 0% packet loss, time 0ms
239 dnl Okay, now check the overlay with different packet sizes
240 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
241 3 packets transmitted, 3 received, 0% packet loss, time 0ms
243 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
244 3 packets transmitted, 3 received, 0% packet loss, time 0ms
246 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
247 3 packets transmitted, 3 received, 0% packet loss, time 0ms
250 OVS_TRAFFIC_VSWITCHD_STOP
dnl Stateful filtering with the controller as the sink.  Packets are injected
dnl with packet-out rather than from the namespaces, and what the controller
dnl sees is captured with ovs-ofctl monitor.  The property under test: a
dnl "reply" from port 2 that was never preceded by a committed request from
dnl port 1 is dropped, while a genuine reply is delivered.
253 AT_SETUP([conntrack - controller])
255 OVS_TRAFFIC_VSWITCHD_START()
257 ADD_NAMESPACES(at_ns0, at_ns1)
259 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
260 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
262 dnl Policy: drop by default; switch ARP normally; UDP from port 1 (ns0) is
dnl committed to conntrack and sent to the controller; untracked UDP from
dnl port 2 (ns1) is run through conntrack and recirculated to table 0, and
dnl only if it then shows +trk+est -- i.e. it is the reply to a committed
dnl connection -- does it reach the controller.  Everything else from port 2
dnl falls through to the priority=1 drop.
263 AT_DATA([flows.txt], [dnl
264 priority=1,action=drop
265 priority=10,arp,action=normal
266 priority=100,in_port=1,udp,action=ct(commit),controller
267 priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
268 priority=100,in_port=2,ct_state=+trk+est,udp,action=controller
271 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Controller stand-in: 65534 is the miss-send length.  "invalid_ttl"
dnl presumably asks for packets with an invalid TTL to be delivered too --
dnl relevant because the hand-crafted packets below carry nw_ttl=0, as the
dnl expected output shows.  Confirm against the ovs-ofctl manual.
273 AT_CAPTURE_FILE([ofctl_monitor.log])
274 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
dnl Each hex blob is an Ethernet/IPv4/UDP frame; the decoded fields appear in
dnl the expected monitor output (50:54:00:00:00:09 -> :0a, 10.1.1.x, UDP
dnl ports 1/2, zero UDP checksum).
276 dnl Send an unsolicited reply from port 2. This should be dropped.
dnl conntrack has no entry for it, so after recirculation it is +trk but not
dnl +est and nothing above priority 1 matches.
277 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
279 dnl OK, now start a new connection from port 1.
280 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit\),controller '50540000000a50540000000908004500001c00000000001100000a0101010a0101020001000200080000'])
282 dnl Now try a reply from port 2.
dnl Same bytes as the first injection, but now a committed entry exists, so
dnl the lookup yields est|rpl|trk and the packet is sent to the controller.
283 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
285 dnl Check this output. We only see the latter two packets, not the first.
286 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
287 NXT_PACKET_IN2 (xid=0x0): total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
288 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
289 NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
290 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
293 OVS_TRAFFIC_VSWITCHD_STOP
dnl One-way TCP policy over IPv4: ns0 may open connections to ns1, ns1 may
dnl only answer.  Verified positively (wget from ns0 succeeds and leaves a
dnl TIME_WAIT entry) and negatively (wget from ns1 fails with exit 4).
296 AT_SETUP([conntrack - IPv4 HTTP])
298 OVS_TRAFFIC_VSWITCHD_START()
300 ADD_NAMESPACES(at_ns0, at_ns1)
302 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
303 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
305 dnl Allow any TCP from ns0->ns1 (committed on port 1).  From ns1->ns0 only
dnl ARP, ICMP and tracked+established TCP -- i.e. replies -- are allowed.
dnl A SYN arriving on port 2 is run through conntrack, comes back +trk+new
dnl rather than +est, and therefore hits the priority=1 drop.
306 AT_DATA([flows.txt], [dnl
307 priority=1,action=drop
308 priority=10,arp,action=normal
309 priority=10,icmp,action=normal
310 priority=100,in_port=1,tcp,action=ct(commit),2
311 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
312 priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
315 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
317 dnl Basic connectivity check.
318 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 >/dev/null])
320 dnl HTTP requests from ns0->ns1 should work fine.
321 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
322 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl The completed transfer leaves a single TIME_WAIT entry; FORMAT_CT
dnl blanks the ephemeral ports so the comparison is stable.
324 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
325 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
328 dnl HTTP requests from ns1->ns0 should fail due to network failure.
329 dnl Try 3 times, in 1 second intervals.
dnl No --retry-connrefused here: the SYN is silently dropped, so wget times
dnl out rather than being refused, and exit status 4 is "network failure".
330 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
331 NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log], [4])
333 OVS_TRAFFIC_VSWITCHD_STOP
dnl IPv6 counterpart of the one-way TCP policy.  ICMPv6 is allowed wholesale
dnl so that neighbour discovery works; TCP is only committed from port 1.
336 AT_SETUP([conntrack - IPv6 HTTP])
338 OVS_TRAFFIC_VSWITCHD_START()
340 ADD_NAMESPACES(at_ns0, at_ns1)
342 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
343 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
345 dnl Allow any TCP from ns0->ns1. From ns1->ns0 only neighbour discovery
dnl (icmp6) and tracked+established TCP, i.e. return traffic, is allowed.
346 AT_DATA([flows.txt], [dnl
347 priority=1,action=drop
348 priority=10,icmp6,action=normal
349 priority=100,in_port=1,tcp6,action=ct(commit),2
350 priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
351 priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
354 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
356 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
357 dnl waiting, we get occasional failures due to the following error:
358 dnl "connect: Cannot assign requested address"
359 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
361 dnl HTTP requests from ns0->ns1 should work fine.
dnl test-l7.py is told to listen on IPv6 ("http6"); the double brackets in
dnl the URL are autotest quoting for a single literal pair.
362 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])
364 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
366 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
367 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
370 dnl HTTP requests from ns1->ns0 should fail due to network failure.
371 dnl Try 3 times, in 1 second intervals.
372 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
373 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
375 OVS_TRAFFIC_VSWITCHD_STOP
dnl Recirculation test, not a policy test: the port 2 and port 4 rules pass
dnl any tracked TCP back regardless of +est, so nothing here enforces
dnl direction.  What is exercised is that ct(...,table=0) recirculates and
dnl that the metadata field survives across the recirculation (ports 3/4).
378 AT_SETUP([conntrack - commit, recirc])
380 OVS_TRAFFIC_VSWITCHD_START()
382 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
384 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
385 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
386 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
387 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
389 dnl Allow any traffic from ns0->ns1, ns2->ns3.
dnl Port 3 takes three passes through table 0: untracked -> metadata=0 and a
dnl ct lookup; tracked with metadata=0 -> metadata=1 and a committing ct
dnl pass; tracked with metadata=1 -> output to port 4.  If metadata were
dnl reset by recirculation the second pass would loop instead of completing.
390 AT_DATA([flows.txt], [dnl
391 priority=1,action=drop
392 priority=10,arp,action=normal
393 priority=10,icmp,action=normal
394 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
395 priority=100,in_port=1,tcp,ct_state=+trk,action=2
396 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
397 priority=100,in_port=2,tcp,ct_state=+trk,action=1
398 priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
399 priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
400 priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
401 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
402 priority=100,in_port=4,tcp,ct_state=+trk,action=3
405 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
407 dnl HTTP requests from p0->p1 should work fine.
408 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
409 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
411 dnl HTTP requests from p2->p3 should work fine.
412 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
413 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
415 OVS_TRAFFIC_VSWITCHD_STOP
dnl Same three-pass recirculation scheme as "commit, recirc", but the pass
dnl counter lives in NXM_NX_REG0 instead of the metadata field, so this
dnl checks that registers are preserved across ct() recirculation.  As in
dnl that test, the +trk rules on ports 2 and 4 do not enforce direction.
418 AT_SETUP([conntrack - preserve registers])
420 OVS_TRAFFIC_VSWITCHD_START()
422 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
424 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
425 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
426 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
427 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
429 dnl Allow any traffic from ns0->ns1, ns2->ns3.
430 AT_DATA([flows.txt], [dnl
431 priority=1,action=drop
432 priority=10,arp,action=normal
433 priority=10,icmp,action=normal
434 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
435 priority=100,in_port=1,tcp,ct_state=+trk,action=2
436 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
437 priority=100,in_port=2,tcp,ct_state=+trk,action=1
438 priority=100,in_port=3,tcp,ct_state=-trk,action=load:0->NXM_NX_REG0[[]],ct(table=0)
439 priority=100,in_port=3,tcp,ct_state=+trk,reg0=0,action=load:1->NXM_NX_REG0[[]],ct(commit,table=0)
440 priority=100,in_port=3,tcp,ct_state=+trk,reg0=1,action=4
441 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
442 priority=100,in_port=4,tcp,ct_state=+trk,action=3
445 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
447 dnl HTTP requests from p0->p1 should work fine.
448 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
449 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
451 dnl HTTP requests from p2->p3 should work fine.
452 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
453 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
455 OVS_TRAFFIC_VSWITCHD_STOP
dnl What happens when a connection is tracked but never committed.  Two
dnl independent port pairs: ns0->ns1 (ports 1/2) and ns2->ns3 (ports 3/4).
458 AT_SETUP([conntrack - invalid])
460 OVS_TRAFFIC_VSWITCHD_START()
462 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
464 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
465 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
466 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
467 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
469 dnl Pass traffic from ns0->ns1 without committing, but attempt to track in
470 dnl the opposite direction. This should fail.
471 dnl Pass traffic from ns2->ns3 without committing, and this time match
472 dnl invalid traffic and allow it through.
dnl Security note: the port 4 rule that accepts ct_state=+inv is the whole
dnl reason the second pair works without a commit.  In a real policy,
dnl passing +inv packets lets traffic that conntrack cannot associate with
dnl any connection through, which defeats the point of a stateful check; the
dnl test demonstrates that behaviour, it does not recommend it.
473 AT_DATA([flows.txt], [dnl
474 priority=1,action=drop
475 priority=10,arp,action=normal
476 priority=10,icmp,action=normal
477 priority=100,in_port=1,tcp,action=ct(),2
478 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
479 priority=100,in_port=2,ct_state=+trk+new,tcp,action=1
480 priority=100,in_port=3,tcp,action=ct(),4
481 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
482 priority=100,in_port=4,ct_state=+trk+inv,tcp,action=3
483 priority=100,in_port=4,ct_state=+trk+new,tcp,action=3
486 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
488 dnl We set up our rules to allow the request without committing. The return
489 dnl traffic can't be identified, because the initial request wasn't committed.
490 dnl For the first pair of ports, this means that the connection fails.
dnl Port 2 accepts only +trk+new; the uncommitted reply is neither new nor
dnl established, so it is dropped and wget exits 4 after its retries.
491 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
492 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4])
494 dnl For the second pair, we allow packets from invalid connections, so it works.
495 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
496 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
498 OVS_TRAFFIC_VSWITCHD_STOP
dnl Conntrack zones as a separation boundary.  A connection committed in one
dnl zone is invisible to a lookup in another, and ct_zone in a match refers
dnl to the zone the preceding ct() action used.
501 AT_SETUP([conntrack - zones])
503 OVS_TRAFFIC_VSWITCHD_START()
505 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
507 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
508 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
509 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
510 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
512 dnl Allow any traffic from ns0->ns1. Allow return traffic, matching on zone.
513 dnl For ns2->ns3, use a different zone and see that the match fails.
dnl Ports 3/4 commit and look up in zone 2, but the port 4 accept rule
dnl matches ct_zone=1, which can never be true after a zone-2 lookup, so
dnl replies to ns2 are dropped.  Note that the port 2 and port 4 rules match
dnl only +trk, not +est: with the zone mismatch doing the blocking here, the
dnl zone-1 rule would also pass +new traffic from ns1.
514 AT_DATA([flows.txt], [dnl
515 priority=1,action=drop
516 priority=10,arp,action=normal
517 priority=10,icmp,action=normal
518 priority=100,in_port=1,tcp,action=ct(commit,zone=1),2
519 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
520 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
521 priority=100,in_port=3,tcp,action=ct(commit,zone=2),4
522 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0,zone=2)
523 priority=100,in_port=4,ct_state=+trk,ct_zone=1,tcp,action=3
526 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
528 dnl HTTP requests from p0->p1 should work fine.
529 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
530 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl The entry is reported with its zone, and the finished transfer sits in
dnl TIME_WAIT.
532 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
533 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
536 dnl HTTP requests from p2->p3 should fail due to network failure.
537 dnl Try 3 times, in 1 second intervals.
538 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
539 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl The zone-2 entry exists (conntrack saw both directions on the lookups)
dnl but the handshake never completed from the client's point of view, so it
dnl is left in ESTABLISHED rather than TIME_WAIT.
541 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
542 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=ESTABLISHED)
545 OVS_TRAFFIC_VSWITCHD_STOP
dnl Same structure as "conntrack - zones", but the zone is taken from a
dnl register (NXM_NX_REG0 bits 0..15) rather than being a literal.  Zone
dnl 0x1001 (4097) is used for ports 1/2 and 0x1002 (4098) for ports 3/4;
dnl the dump-conntrack output shows the decimal form.
548 AT_SETUP([conntrack - zones from field])
550 OVS_TRAFFIC_VSWITCHD_START()
552 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
554 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
555 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
556 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
557 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
559 dnl Allow any TCP from ns0->ns1 in zone 0x1001, and tracked return traffic
dnl from ns1 that was looked up in that zone.  Ports 3/4 commit and look up
dnl in zone 0x1002, but the port 4 accept rule still requires ct_zone=0x1001,
dnl so replies to ns2 are dropped: the register-sourced zone is honoured.
560 AT_DATA([flows.txt], [dnl
561 priority=1,action=drop
562 priority=10,arp,action=normal
563 priority=10,icmp,action=normal
564 priority=100,in_port=1,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),2
565 priority=100,in_port=2,ct_state=-trk,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
566 priority=100,in_port=2,ct_state=+trk,ct_zone=0x1001,tcp,action=1
567 priority=100,in_port=3,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),4
568 priority=100,in_port=4,ct_state=-trk,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
569 priority=100,in_port=4,ct_state=+trk,ct_zone=0x1001,tcp,action=3
572 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
574 dnl HTTP requests from p0->p1 should work fine.
575 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
576 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
578 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
579 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=4097,protoinfo=(state=TIME_WAIT)
582 dnl HTTP requests from p2->p3 should fail due to network failure.
583 dnl Try 3 times, in 1 second intervals.
584 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
585 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
587 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
588 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=4098,protoinfo=(state=ESTABLISHED)
591 OVS_TRAFFIC_VSWITCHD_STOP
dnl Two bridges joined by a patch port pair, each running its own conntrack
dnl policy in its own zone (zone 1 on br0, zone 2 on br1).  The first
dnl argument to OVS_TRAFFIC_VSWITCHD_START continues on a line that is not
dnl shown in this listing (presumably the add-br br1 part).
594 AT_SETUP([conntrack - multiple bridges])
596 OVS_TRAFFIC_VSWITCHD_START(
598 add-port br0 patch+ -- set int patch+ type=patch options:peer=patch- --\
599 add-port br1 patch- -- set int patch- type=patch options:peer=patch+ --])
601 ADD_NAMESPACES(at_ns0, at_ns1)
603 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
604 ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")
dnl Port numbers below are inferred from add order: the patch ports were
dnl added first, so on each bridge port 1 is the patch port and port 2 is
dnl the veth -- confirm if the START arguments change.
606 dnl Allow any traffic from ns0->br1, allow established in reverse.
dnl br0: TCP from p0 (port 2) is committed in zone 1 and sent to the patch
dnl port; TCP arriving from the patch port is looked up in zone 1 and must
dnl be +est to reach p0.
607 AT_DATA([flows-br0.txt], [dnl
608 priority=1,action=drop
609 priority=10,arp,action=normal
610 priority=10,icmp,action=normal
611 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(commit,zone=1),1
612 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
613 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=1,action=2
616 dnl Allow any traffic from br0->ns1, allow established in reverse.
dnl br1: TCP from the patch port (port 1) is looked up in zone 2; new
dnl connections are committed there and both new and established go to p1.
dnl From p1 (port 2) only established traffic is allowed back, and it is
dnl re-committed so the zone-2 entry keeps tracking state.
617 AT_DATA([flows-br1.txt], [dnl
618 priority=1,action=drop
619 priority=10,arp,action=normal
620 priority=10,icmp,action=normal
621 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=2)
622 priority=100,in_port=1,tcp,ct_state=+trk+new,ct_zone=2,action=ct(commit,zone=2),2
623 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=2,action=2
624 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
625 priority=100,in_port=2,tcp,ct_state=+trk+est,ct_zone=2,action=ct(commit,zone=2),1
628 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
629 AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt])
631 dnl HTTP requests from p0->p1 should work fine.
dnl Only the positive case is checked here; there is no reverse-direction
dnl wget to confirm that ns1 cannot initiate a connection.
632 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
633 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
635 OVS_TRAFFIC_VSWITCHD_STOP
dnl One packet committed into two zones in a single action list.  Only zone
dnl 2 is consulted on the return path, so the zone-1 entry never sees the
dnl reply direction and stays in SYN_SENT while zone 2 completes normally;
dnl the expected dump at the end pins exactly that asymmetry.
638 AT_SETUP([conntrack - multiple zones])
640 OVS_TRAFFIC_VSWITCHD_START()
642 ADD_NAMESPACES(at_ns0, at_ns1)
644 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
645 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
647 dnl Allow any TCP from ns0->ns1, committing it in zone 1 and zone 2.  From
dnl ns1->ns0 only ARP, ICMP and TCP that is tracked in zone 2 is allowed.
648 AT_DATA([flows.txt], [dnl
649 priority=1,action=drop
650 priority=10,arp,action=normal
651 priority=10,icmp,action=normal
652 priority=100,in_port=1,tcp,action=ct(commit,zone=1),ct(commit,zone=2),2
653 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=2)
654 priority=100,in_port=2,ct_state=+trk,ct_zone=2,tcp,action=1
657 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
659 dnl HTTP requests from p0->p1 should work fine.
660 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
661 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
663 dnl (again) HTTP requests from p0->p1 should work fine.
dnl A second fetch after the first connection has closed, to make sure the
dnl stale zone-1 entry does not interfere with a new connection.
664 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
666 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
667 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=SYN_SENT)
668 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT)
671 OVS_TRAFFIC_VSWITCHD_STOP
dnl Host stack (the LOCAL port of br0, address 10.1.1.1) talking to a
dnl namespace, with return traffic required to be established in two zones.
674 AT_SETUP([conntrack - multiple zones, local])
676 OVS_TRAFFIC_VSWITCHD_START()
678 ADD_NAMESPACES(at_ns0)
680 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
681 AT_CHECK([ip link set dev br0 up])
dnl The address is added to a bridge that outlives this test case, so it is
dnl removed again on exit.
682 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
683 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
685 dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
686 dnl return traffic from ns0 back to the local stack.
dnl NOTE(review): no flow ever applies ct() to LOCAL traffic before matching
dnl on ct_state, and untracked IP from LOCAL is dropped outright.  For the
dnl ping and wget below to pass, packets leaving the host stack must
dnl therefore already arrive tracked -- presumably carrying the host's own
dnl netfilter conntrack state.  Confirm against the datapath in use.
dnl Return path from port 1: look up in zone 1, require +est, look up in
dnl zone 2, require +est again, then deliver to LOCAL.
687 AT_DATA([flows.txt], [dnl
688 priority=1,action=drop
689 priority=10,arp,action=normal
690 priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
691 priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
692 priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
693 priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
694 table=1,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
695 table=2,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
698 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl These run in the root namespace, so the traffic enters br0 via LOCAL.
700 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
701 3 packets transmitted, 3 received, 0% packet loss, time 0ms
704 dnl HTTP requests from root namespace to p0 should work fine.
705 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
706 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
708 dnl (again) HTTP requests from root namespace to p0 should work fine.
709 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Both the ICMP and the TCP flows must show up once per zone; the grep
dnl drops any zone-less entries from the comparison.
711 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
712 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=1
713 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=2
714 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
715 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT)
718 OVS_TRAFFIC_VSWITCHD_STOP
dnl As the IPv4 HTTP policy test, but the namespaces are attached through OVS
dnl internal ports (ADD_INT) instead of veth pairs, and the bridge is put in
dnl secure fail mode so nothing is forwarded without an explicit flow.
721 AT_SETUP([conntrack - multiple namespaces, internal ports])
723 OVS_TRAFFIC_VSWITCHD_START(
724 [set-fail-mode br0 secure -- ])
726 ADD_NAMESPACES(at_ns0, at_ns1)
728 ADD_INT(p0, at_ns0, br0, "10.1.1.1/24")
729 ADD_INT(p1, at_ns1, br0, "10.1.1.2/24")
731 dnl Allow any TCP from ns0->ns1, committed in zone 1.  From ns1->ns0 only
dnl ARP, ICMP and TCP that is tracked in zone 1 is allowed.
733 dnl If skb->nfct is leaking from inside the namespace, this test will fail.
dnl That is: the port 1 rule only fires for ct_state=-trk.  If conntrack
dnl state attached to the packet inside the namespace survived the hop
dnl through the internal port, the packet would arrive already tracked,
dnl match nothing above priority 1, and be dropped.
734 AT_DATA([flows.txt], [dnl
735 priority=1,action=drop
736 priority=10,arp,action=normal
737 priority=10,icmp,action=normal
738 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=1),2
739 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
740 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
dnl Unlike the other conntrack cases this one does not use --bundle; the
dnl flows are small enough that it makes no observable difference.
743 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
745 dnl HTTP requests from p0->p1 should work fine.
746 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
747 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
749 dnl (again) HTTP requests from p0->p1 should work fine.
750 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
752 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
753 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
dnl The internal ports disappear together with their namespaces at cleanup,
dnl so vswitchd logs two "No such device" errors that are filtered out here
dnl rather than failing the test.
756 OVS_TRAFFIC_VSWITCHD_STOP(["dnl
757 /ioctl(SIOCGIFINDEX) on .* device failed: No such device/d
758 /removing policing failed: No such device/d"])
dnl A pipelined version of the "multiple zones, local" policy.  Each packet
dnl is checked against two zones: the one named after its ingress port and
dnl the one named after its egress port (LOCAL is port 65534, so those are
dnl zones 1 and 65534).  Return traffic from the namespace must be
dnl established in both before it is delivered to the host stack.
761 AT_SETUP([conntrack - multi-stage pipeline, local])
763 OVS_TRAFFIC_VSWITCHD_START()
765 ADD_NAMESPACES(at_ns0)
767 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
768 AT_CHECK([ip link set dev br0 up])
769 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
770 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
772 dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
773 dnl return traffic from ns0 back to the local stack.
dnl NOTE(review): the table 1 and table 2 commit rules for LOCAL require
dnl ct_state=+trk+new without a preceding ct() on LOCAL traffic, and the
dnl expected dump at the end does contain zone 65534 entries.  So as in the
dnl "multiple zones, local" case this relies on packets from the host stack
dnl arriving already tracked -- presumably host netfilter state; confirm.
774 AT_DATA([flows.txt], [dnl
776 table=0,priority=1,action=drop
777 table=0,priority=10,arp,action=normal
779 dnl Load the output port to REG0
780 table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
781 table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1
784 dnl - Allow all connections from LOCAL port (commit and proceed to egress)
785 dnl - All other connections go through conntracker using the input port as
786 dnl   a connection tracking zone.
787 table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2
788 table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
789 table=1,priority=1,action=drop
792 dnl - Allow all connections from LOCAL port (commit and skip to output)
793 dnl - Allow other established connections to go through conntracker using
794 dnl   output port as a connection tracking zone.
795 table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4
796 table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
797 table=2,priority=1,action=drop
799 dnl Only allow established traffic from egress ct lookup
800 table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
801 table=3,priority=1,action=drop
dnl Output port was stashed in REG0 by table 0.
804 table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
807 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Traffic originates in the root namespace, so it enters via LOCAL.
809 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
810 3 packets transmitted, 3 received, 0% packet loss, time 0ms
813 dnl HTTP requests from root namespace to p0 should work fine.
814 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
815 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
817 dnl (again) HTTP requests from root namespace to p0 should work fine.
818 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl One ICMP and one TCP entry per zone, zone 1 for the egress-port check and
dnl zone 65534 for the ingress-port check of LOCAL-originated traffic.
820 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
821 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=1
822 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=65534
823 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
824 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=65534,protoinfo=(state=TIME_WAIT)
827 OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - ct_mark])
dnl ct_mark as a policy handle: connections opened from p0 are committed with
dnl mark 1 and replies from p1 are admitted only when ct_mark=1. Connections
dnl from p2 are committed with mark 2, but the reply rule for p3 still requires
dnl ct_mark=1, so that direction must fail.
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
dnl Allow traffic between ns0<->ns1 using the ct_mark.
dnl Check that different marks do not match for traffic between ns2<->ns3.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:2->ct_mark)),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
dnl Deliberately still requires mark 1: replies from p3 (mark 2) never match.
priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=TIME_WAIT)
dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl The reply from p3 passes the ct(table=0) lookup before the flow table
dnl drops it, so conntrack presumably still records the handshake as
dnl ESTABLISHED even though no data ever gets through.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=ESTABLISHED)
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - ct_mark bit-fiddling])
dnl Masked set_field on ct_mark: the original direction sets 0x5 under mask
dnl 0x5 (bits 0 and 2), the reply direction sets 0x2 under mask 0x6 (clears
dnl bit 2, sets bit 1), so the committed mark ends up as 0x3.
OVS_TRAFFIC_VSWITCHD_START()
dnl Four namespaces are created but only at_ns0/at_ns1 get a port here.
ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Allow traffic between ns0<->ns1 using the ct_mark. Return traffic should
dnl cause an additional bit to be set in the connection (and be allowed).
AT_DATA([flows.txt], [dnl
table=0,priority=1,action=drop
table=0,priority=10,arp,action=normal
table=0,priority=10,icmp,action=normal
table=0,priority=100,in_port=1,tcp,action=ct(table=1)
table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x2/0x6->ct_mark))
table=1,priority=100,in_port=1,ct_state=+new,tcp,action=ct(commit,exec(set_field:0x5/0x5->ct_mark)),2
table=1,priority=100,in_port=1,ct_state=-new,tcp,action=2
dnl Replies are admitted only once both masked updates have been applied.
table=1,priority=100,in_port=2,ct_state=+trk,ct_mark=3,tcp,action=1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=3,protoinfo=(state=TIME_WAIT)
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - ct_mark from register])
dnl Same policy as the ct_mark test, but the mark is first loaded into REG0
dnl and then copied into NXM_NX_CT_MARK with a move inside ct(exec(...)).
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
dnl Allow traffic between ns0<->ns1 using a ct_mark taken from REG0.
dnl Check that the different mark set for ns2->ns3 does not match the reply
dnl rule for ns3->ns2.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=load:1->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
priority=100,in_port=3,tcp,action=load:2->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
dnl Deliberately still requires mark 1: replies from p3 (mark 2) never match.
priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=TIME_WAIT)
dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl The reply from p3 passes the ct(table=0) lookup before being dropped, so
dnl the entry presumably reaches ESTABLISHED even though the transfer fails.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=ESTABLISHED)
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - ct_label])
dnl ct_label as a policy handle, mirroring the ct_mark test: p0->p1 is
dnl committed with one label value and replies from p1 must carry it; p2->p3
dnl is committed with 0x2 while the reply rule for p3 still wants the first
dnl value, so that direction must fail. Unlike the ct_mark test, no conntrack
dnl dump is checked here.
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
dnl Allow traffic between ns0<->ns1 using the ct_label.
dnl Check that different labels do not match for traffic between ns2<->ns3.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:0x0a000d000005000001->ct_label)),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=1
priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:0x2->ct_label)),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
dnl Deliberately requires the first label: replies from p3 (label 0x2) never match.
priority=100,in_port=4,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=3
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - ct_label bit-fiddling])
dnl Masked set_field on ct_label: the original direction sets 0x5 under mask
dnl 0x5 (bits 0 and 2), the reply direction sets 0x200000000 under mask
dnl 0x200000004 (clears bit 2, sets bit 33), so the committed label ends up
dnl as 0x200000001.
OVS_TRAFFIC_VSWITCHD_START()
dnl Four namespaces are created but only at_ns0/at_ns1 get a port here.
ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Allow traffic between ns0<->ns1 using the ct_labels. Return traffic should
dnl cause an additional bit to be set in the connection labels (and be allowed)
AT_DATA([flows.txt], [dnl
table=0,priority=1,action=drop
table=0,priority=10,arp,action=normal
table=0,priority=10,icmp,action=normal
table=0,priority=100,in_port=1,tcp,action=ct(table=1)
table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label))
table=1,priority=100,in_port=1,tcp,ct_state=+new,action=ct(commit,exec(set_field:0x5/0x5->ct_label)),2
table=1,priority=100,in_port=1,tcp,ct_state=-new,action=2
dnl Replies are admitted only once both masked updates have been applied.
table=1,priority=100,in_port=2,ct_state=+trk,ct_label=0x200000001,tcp,action=1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),labels=0x200000001,protoinfo=(state=TIME_WAIT)
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - ct metadata, multiple zones])
dnl The same connection is committed in two zones. Only the zone=1 commits
dnl carry masked ct_mark/ct_label updates (0x5/0x5 then 0x2/0x6 for the mark,
dnl 0x5/0x5 then 0x200000000/0x200000004 for the label), so the dump must
dnl show mark=3,labels=0x200000001 in zone=1 and no metadata in zone=2.
OVS_TRAFFIC_VSWITCHD_START()
dnl Four namespaces are created but only at_ns0/at_ns1 get a port here.
ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Allow traffic between ns0<->ns1 using the ct_mark and ct_labels in zone=1,
dnl but do *not* set any of these for the ct() in zone=2. Traffic should pass,
dnl and we should see that the conntrack entries only apply the ct_mark and
dnl ct_labels to the connection in zone=1.
AT_DATA([flows.txt], [dnl
table=0,priority=1,action=drop
table=0,priority=10,arp,action=normal
table=0,priority=10,icmp,action=normal
table=0,priority=100,in_port=1,tcp,action=ct(zone=1,table=1)
table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(zone=1,table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label,set_field:0x5/0x5->ct_mark))
table=1,priority=100,in_port=1,tcp,ct_state=+new,action=ct(zone=1,commit,exec(set_field:0x5/0x5->ct_label,set_field:0x5/0x5->ct_mark)),ct(commit,zone=2),2
table=1,priority=100,in_port=1,tcp,ct_state=-new,action=ct(zone=2),2
table=1,priority=100,in_port=2,tcp,action=ct(zone=2),1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,mark=3,labels=0x200000001,protoinfo=(state=TIME_WAIT)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT)
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - ICMP related])
dnl A UDP datagram to a closed port on ns1 provokes an ICMP error back to
dnl ns0. The error is admitted only because conntrack classifies it as
dnl related (+rel) to the committed UDP connection and that connection
dnl carries ct_mark=1; the flow counters confirm exactly one packet hit each
dnl of the UDP, untracked-ICMP and related-ICMP rules.
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,udp,action=ct(commit,exec(set_field:1->ct_mark)),2
priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
dnl Both the related state and the mark of the parent connection are required.
priority=100,in_port=2,icmp,ct_state=+trk+rel,ct_mark=1,action=1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])
dnl Presumably purges datapath flows so their statistics are pushed to the
dnl OpenFlow flows before dump-flows reads them -- confirm.
AT_CHECK([ovs-appctl revalidator/purge], [0])
AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
n_packets=1, n_bytes=44, priority=100,udp,in_port=1 actions=ct(commit,exec(load:0x1->NXM_NX_CT_MARK[[]])),output:2
n_packets=1, n_bytes=72, priority=100,ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2 actions=output:1
n_packets=1, n_bytes=72, priority=100,ct_state=-trk,icmp,in_port=2 actions=ct(table=0)
n_packets=2, n_bytes=84, priority=10,arp actions=NORMAL
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - ICMP related 2])
dnl Injects crafted packets with packet-out and watches what reaches the
dnl controller. An ICMP port-unreachable that embeds a UDP header for a
dnl connection conntrack has never seen must not be classified as related and
dnl must therefore be dropped; the one that matches a committed UDP connection
dnl is delivered as +rel+rpl.
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "172.16.0.1/24")
ADD_VETH(p1, at_ns1, br0, "172.16.0.2/24")
dnl Commit UDP from port 1 and send every tracked packet from port 1 to the
dnl controller. From port 2, only ICMP that conntrack classifies as a related
dnl reply (+trk+rel+rpl) reaches the controller; everything else is dropped.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,udp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=1,ip,ct_state=+trk,actions=controller
priority=100,in_port=2,ip,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,ip,ct_state=+trk+rel+rpl,action=controller
AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt])
dnl Record every packet-in so the result can be compared at the end.
AT_CAPTURE_FILE([ofctl_monitor.log])
AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
dnl 1. Send an ICMP port unreach reply for port 8738, without any previous request
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f355ac100004ac1000030303553f0000000045000021317040004011b138ac100003ac10000411112222000d20966369616f0a'])
dnl 2. Send a UDP packet to port 5555
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit,table=0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
dnl 3. Send an ICMP port unreach reply for port 5555, related to the first packet
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
dnl Check this output. We only see the latter two packets, not the first.
AT_CHECK([cat ofctl_monitor.log], [0], [dnl
NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=47 ct_state=new|trk,in_port=1 (via action) data_len=47 (unbuffered)
udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096
NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=75 ct_state=rel|rpl|trk,in_port=2 (via action) data_len=75 (unbuffered)
icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - FTP])
dnl Exercises the ftp ALG (ct(alg=ftp)) with two policies. In active mode the
dnl server opens the data connection back towards the client, which is only
dnl possible because conntrack marks it as related (+rel) to the helper=ftp
dnl control connection; in passive mode the client opens both connections.
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
AT_DATA([flows1.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
dnl +rel is what admits the server-initiated (active mode) data connection.
priority=100,in_port=2,tcp,ct_state=+trk+rel,action=1
dnl Similar policy but without allowing all traffic from ns0->ns1.
AT_DATA([flows2.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
priority=100,in_port=1,tcp,ct_state=+trk+est,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
dnl The only way a new connection from port 2 gets committed is as a related
dnl one, i.e. on the strength of the ftp ALG's parse of the control channel.
priority=100,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
priority=100,in_port=2,tcp,ct_state=+trk-new+rel,action=1
AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
dnl Only the ns1 server is waited for; the ns0 server is only ever the target
dnl of requests that are expected to fail anyway.
OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
dnl FTP requests from p1->p0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
dnl No connection towards 10.1.1.1 may have been committed.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
dnl FTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
dnl Try the second set of flows.
AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
AT_CHECK([ovs-appctl dpctl/flush-conntrack])
dnl FTP requests from p1->p0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
dnl Active FTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log])
dnl The second entry (orig src=10.1.1.2) is the server-initiated data connection.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
AT_CHECK([ovs-appctl dpctl/flush-conntrack])
dnl Passive FTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log])
dnl In passive mode both connections originate from the client.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv6 FTP])
dnl IPv6 variant of the FTP ALG test, active mode only: the control connection
dnl from p0 is committed with alg=ftp and the server-initiated data connection
dnl from p1 is admitted as +new+rel.
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl Allow any traffic from ns0->ns1.
dnl Only allow nd, return traffic from ns1->ns0.
AT_DATA([flows.txt], [dnl
dnl Track all IPv6 traffic and drop the rest.
dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked.
table=0 priority=100 in_port=1 icmp6, action=2
table=0 priority=100 in_port=2 icmp6, action=1
table=0 priority=10 ip6, action=ct(table=1)
table=0 priority=0 action=drop
dnl Allow new TCPv6 FTP control connections from port 1.
table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
dnl Allow related TCPv6 connections from port 2.
table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1
dnl Allow established TCPv6 connections both ways.
table=1 in_port=1 ct_state=+est, tcp6, action=2
table=1 in_port=2 ct_state=+est, tcp6, action=1
dnl Drop everything else.
table=1 priority=0, action=drop
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
dnl FTP requests from p0->p1 should work fine.
dnl The doubled brackets are m4 quoting for the literal "[fc00::2]" in the URL.
NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
dnl Discards CLOSE_WAIT and CLOSING
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2) | grep -v "FIN" | grep -v "CLOS"], [0], [dnl
tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
tcp,orig=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - FTP with multiple expectations])
dnl Two conntrack zones act as two firewalls in series. The control connection
dnl is committed with alg=ftp in both zones, so each zone carries its own
dnl helper=ftp entry and the related data connection must be recognised (and
dnl committed) in both before it is forwarded.
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Dual-firewall, allow all from ns0->ns1, allow established and ftp ns1->ns0.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=0,zone=2)
priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=2)
priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
dnl Related connections from port 2 are committed in both zones before output.
priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=0,zone=1)
priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
dnl FTP requests from p1->p0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
dnl No connection towards 10.1.1.1 may have been committed.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
dnl Active FTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Control connection with helper=ftp and the server-initiated data
dnl connection (orig src=10.1.1.2), each present in zone 1 and zone 2.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT),helper=ftp
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT),helper=ftp
tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT)
AT_CHECK([ovs-appctl dpctl/flush-conntrack])
dnl Passive FTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl In passive mode both connections originate from the client; again each
dnl appears in both zones.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT),helper=ftp
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT),helper=ftp
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv4 fragmentation ])
dnl Pings of increasing size (unfragmented, 1600 and 3200 bytes) through a
dnl ct() pipeline in zone 9; fragmented requests must be reassembled by
dnl conntrack so that the reply is seen as +est and forwarded back.
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Sending ping through conntrack
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Ipv4 fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Ipv4 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
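AT_SETUP([conntrack - IPv4 fragmentation expiry])
dnl Only unfragmented packets and first fragments are handed to ct(); later
dnl fragments fall through to the priority-1 drop. A fragmented ping can
dnl therefore never be reassembled and no reply is expected, while the
dnl partially collected fragments must simply expire.
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
dnl Only allow non-fragmented messages and 1st fragments of each message
priority=100,in_port=1,icmp,ip_frag=no,action=ct(commit,zone=9),2
dnl Fixed: the separator between ip_frag=first and action was missing, which
dnl makes ovs-ofctl reject the whole flow file instead of installing it.
priority=100,in_port=1,icmp,ip_frag=first,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Ipv4 fragmentation connectivity check: no reply is expected, because the
dnl non-first fragments are dropped and the request is never reassembled.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 1 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
7 packets transmitted, 0 received, 100% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP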
AT_SETUP([conntrack - IPv4 fragmentation + vlan])
dnl Same as the IPv4 fragmentation test, but the pings run over VLAN 100
dnl sub-interfaces (10.2.2.0/24) so that reassembly is exercised on tagged
dnl traffic.
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
dnl Sending ping through conntrack
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Ipv4 fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Ipv4 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv6 fragmentation])
dnl IPv6 counterpart of the IPv4 fragmentation test: all IPv6 from p0 is
dnl committed in zone 9, replies from p1 must be +est, and ICMPv6 neighbour
dnl solicitation/advertisement (types 135/136) bypass conntrack via NORMAL.
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl Sending ping through conntrack
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
dnl Neighbour Discovery
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Ipv6 fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Ipv6 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv6 fragmentation expiry])
dnl Exercises the fragment-expiry path: the flows let only unfragmented
dnl packets and first fragments through, so a fragmented echo request can never
dnl be reassembled by the receiver and its partial fragment queue must time out
dnl and be freed cleanly.
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
AT_DATA([flows.txt], [dnl
priority=1,action=drop
dnl Only allow non-fragmented messages and 1st fragments of each message.
dnl Later fragments (ip_frag=later) match neither rule and hit the drop above.
priority=10,in_port=1,ipv6,ip_frag=first,action=ct(commit,zone=9),2
priority=10,in_port=1,ipv6,ip_frag=no,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
dnl Neighbour Discovery
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Send an IPv6 fragment. Some time later, it should expire.
dnl NOTE(review): the expected summary reports 7 packets for a -c 1 ping;
dnl presumably ping keeps sending until the -w 2 deadline when no reply
dnl arrives - confirm against the iputils version the suite runs with.
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 1 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
7 packets transmitted, 0 received, 100% packet loss, time 0ms
dnl At this point, the kernel will either crash or everything is OK.
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv6 fragmentation + vlan])
dnl Same policy as the plain IPv6 fragmentation test, but the pings are sent
dnl between the VLAN 100 sub-interfaces (fc00:1::3 / fc00:1::4), so conntrack
dnl must reassemble fragments carried inside 802.1Q-tagged frames.
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
ADD_VLAN(p0, at_ns0, 100, "fc00:1::3/96")
ADD_VLAN(p1, at_ns1, 100, "fc00:1::4/96")
dnl Sending ping through conntrack
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
dnl Neighbour Discovery bypasses conntrack.
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
dnl (The readiness probe uses the untagged address; the checks below use the
dnl VLAN addresses.)
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl IPv6 fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl IPv6 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - Fragmentation over vxlan])
dnl Conntrack on tunnelled traffic: at_ns0 reaches br0's LOCAL port through a
dnl VXLAN tunnel carried over br-underlay. ICMP arriving from the tunnel port
dnl (port 1) is committed to zone 9 and delivered to LOCAL; replies from LOCAL
dnl are returned only when conntrack sees them as established.
OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
ADD_NAMESPACES(at_ns0)
dnl Sending ping through conntrack
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),LOCAL
priority=100,in_port=LOCAL,icmp,action=ct(table=1,zone=9)
table=1,priority=100,in_port=LOCAL,ct_state=+trk+est,icmp,action=1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])
dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
[id 0 dstport 4789])
dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Okay, now check the overlay with different packet sizes. The larger
dnl payloads are assumed to exceed the overlay MTU (TODO confirm), so the
dnl inner ICMP is fragmented before encapsulation.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv6 Fragmentation over vxlan])
dnl IPv6 variant of the VXLAN fragmentation test: the underlay stays IPv4
dnl (172.31.1.0/24) while the overlay addresses are fc00::1 / fc00::2.
OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
ADD_NAMESPACES(at_ns0)
dnl Sending ping through conntrack
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=100,in_port=1,ipv6,action=ct(commit,zone=9),LOCAL
priority=100,in_port=LOCAL,ipv6,action=ct(table=1,zone=9)
table=1,priority=100,in_port=LOCAL,ct_state=+trk+est,ipv6,action=1
dnl Neighbour Discovery (higher priority than the ipv6 rules so NS/NA are
dnl never sent through conntrack).
priority=1000,icmp6,icmp_type=135,action=normal
priority=1000,icmp6,icmp_type=136,action=normal
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])
dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], ["fc00::2/96"])
ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], ["fc00::1/96"],
[id 0 dstport 4789])
dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
dnl First, check the underlay (IPv4).
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Okay, now check the overlay with different packet sizes
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - resubmit to ct multiple times])
dnl A single packet is resubmitted to two tables that each invoke ct(); both
dnl ct() invocations must complete and continue into table 3, which drops.
dnl The flow statistics afterwards are the assertion: table 3 must account for
dnl two packets from the one echo request.
OVS_TRAFFIC_VSWITCHD_START(
[set-fail-mode br0 secure -- ])
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
AT_DATA([flows.txt], [dnl
table=0,priority=150,arp,action=normal
table=0,priority=100,ip,in_port=1,action=resubmit(,1),resubmit(,2)
table=1,priority=100,ip,action=ct(table=3)
table=2,priority=100,ip,action=ct(table=3)
table=3,ip,action=drop
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
dnl The ping is expected to fail; only the counters matter.
NS_CHECK_EXEC([at_ns0], [ping -q -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
1 packets transmitted, 0 received, 100% packet loss, time 0ms
AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort], [0], [dnl
n_packets=1, n_bytes=98, priority=100,ip,in_port=1 actions=resubmit(,1),resubmit(,2)
n_packets=2, n_bytes=84, priority=150,arp actions=NORMAL
table=1, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
table=2, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
table=3, n_packets=2, n_bytes=196, ip actions=drop
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - simple SNAT])
dnl Source-NATs an HTTP request from at_ns0 onto 10.1.1.240-10.1.1.255 and
dnl checks that the reply is de-NATted: the conntrack entry's reply tuple must
dnl carry the translated address (masked to 10.1.1.2XX below, because the
dnl address is picked from the range).
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC so the ARP responder in table 8 can answer for the NAT range with
dnl an address that really belongs to p0.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Allow any traffic from ns0->ns1. Only allow ARP and return traffic from ns1->ns0.
AT_DATA([flows.txt], [dnl
in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)
dnl NOTE(review): this matches any tracked packet (+trk), not only +est, so a
dnl connection initiated from ns1 appears to be forwarded as well; the "more
dnl complex SNAT" test below requires +est for this direction.
in_port=2,ct_state=+trk,ct_zone=1,ip,action=1
dnl ARP requests: look up the target IP (saved in reg2) in table 8, then let
dnl table 10 decide between a generated reply and normal flooding.
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0,action=drop
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, i.e. the SNAT range above.
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl Swaps the fields of the ARP message to turn a query to a response, and
dnl sends it back out the port it arrived on (in_port saved in reg3).
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The sed masks the last octet of the SNAT address, which is chosen from the
dnl 240-255 range and therefore not deterministic.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - SNAT with port range])
dnl Like the simple SNAT test, but the source port is also translated, chosen
dnl at random from 34567-34568. Return traffic is only sent through conntrack
dnl when it targets one of those two ports, so everything else from ns1 hits
dnl the table-miss.
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC so the ARP responder in table 8 can answer for the NAT range.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Allow any traffic from ns0->ns1. Only allow ARP and return traffic from ns1->ns0.
AT_DATA([flows.txt], [dnl
in_port=1,tcp,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255:34567-34568,random)),2
in_port=2,ct_state=-trk,tcp,tp_dst=34567,action=ct(table=0,zone=1,nat)
in_port=2,ct_state=-trk,tcp,tp_dst=34568,action=ct(table=0,zone=1,nat)
in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
dnl ARP requests: resolve the target IP (reg2) in table 8, answer in table 10.
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0,action=drop
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, i.e. the SNAT range above.
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The sed masks the last octet of the SNAT address (picked from 240-255);
dnl ports are already cleared by FORMAT_CT.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - more complex SNAT])
dnl Two-table SNAT policy: table 0 sends every IP packet through conntrack
dnl with nat, which applies the translation to packets of already-committed
dnl connections; table 1 then commits new ns0->ns1 connections with SNAT and
dnl forwards only established traffic in either direction.
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC so the ARP responder in table 8 can answer for the NAT range.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
AT_DATA([flows.txt], [dnl
dnl Track all IP traffic, NAT existing connections.
priority=100 ip action=ct(table=1,zone=1,nat)
dnl Allow ARP, but generate responses for NATed addresses
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0 action=drop
dnl Allow any traffic from ns0->ns1. SNAT ns0 to 10.1.1.240-10.1.1.255
table=1 priority=100 in_port=1 ip ct_state=+trk+new-est action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
table=1 priority=100 in_port=1 ip ct_state=+trk-new+est action=2
dnl Only allow established traffic from ns1->ns0.
table=1 priority=100 in_port=2 ip ct_state=+trk-new+est action=1
table=1 priority=0 action=drop
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, i.e. the SNAT range above.
table=8 priority=100 reg2=0x0a0101f0/0xfffffff0 action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
table=8 priority=0 action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl ARP TPA IP in reg2.
table=10 priority=100 arp xreg0=0 action=normal
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=10 arp arp_op=1 action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The sed masks the last octet of the SNAT address (picked from 240-255).
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - simple DNAT])
dnl Destination NAT: connections from ns0 to the virtual IP 10.1.1.64 are
dnl rewritten to the real server 10.1.1.2; the switch answers ARP for the
dnl virtual IP with p1's MAC. Both the virtual and the real address must work,
dnl and the conntrack entries must show the respective orig/reply tuples.
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Fixed MAC so the ARP responder in table 8 can answer for the virtual IP.
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
dnl Allow any traffic from ns0->ns1. Only allow ARP and return traffic from ns1->ns0.
AT_DATA([flows.txt], [dnl
priority=100 in_port=1,ip,nw_dst=10.1.1.64,action=ct(zone=1,nat(dst=10.1.1.2),commit),2
priority=10 in_port=1,ip,action=ct(commit,zone=1),2
priority=100 in_port=2,ct_state=-trk,ip,action=ct(table=0,nat,zone=1)
priority=100 in_port=2,ct_state=+trk+est,ct_zone=1,ip,action=1
dnl ARP requests: resolve the target IP (reg2) in table 8, answer in table 10.
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0,action=drop
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64, the virtual IP.
table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
table=10 priority=100 arp xreg0=0 action=normal
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Should work with the virtual IP address through NAT
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64) ], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
dnl Should work with the assigned IP address as well
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) ], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - more complex DNAT])
dnl Two-table DNAT policy: table 0 tracks all IP traffic with nat (translating
dnl packets of committed connections), table 1 commits new ns0 connections
dnl (with DNAT when addressed to the virtual IP 10.1.1.64) and otherwise only
dnl forwards established traffic in either direction.
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Fixed MAC so the ARP responder in table 8 can answer for the virtual IP.
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
dnl Allow any traffic from ns0->ns1. Only allow ARP and return traffic from ns1->ns0.
AT_DATA([flows.txt], [dnl
dnl Track all IP traffic
table=0 priority=100 ip action=ct(table=1,zone=1,nat)
dnl Allow ARP, but generate responses for NATed addresses
table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
table=0 priority=10 arp action=normal
table=0 priority=0 action=drop
dnl Allow any IP traffic from ns0->ns1. DNAT ns0 from 10.1.1.64 to 10.1.1.2
table=1 priority=100 in_port=1 ct_state=+new ip nw_dst=10.1.1.64 action=ct(zone=1,nat(dst=10.1.1.2),commit),2
table=1 priority=10 in_port=1 ct_state=+new ip action=ct(commit,zone=1),2
table=1 priority=100 in_port=1 ct_state=+est ct_zone=1 action=2
dnl Only allow established traffic from ns1->ns0.
table=1 priority=100 in_port=2 ct_state=+est ct_zone=1 action=1
table=1 priority=0 action=drop
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64, the virtual IP.
table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
table=10 priority=100 arp xreg0=0 action=normal
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Should work with the virtual IP address through NAT
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64) ], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
dnl Should work with the assigned IP address as well
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) ], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - ICMP related with NAT])
dnl A UDP datagram is SNATed on its way to ns1; the ICMP error it provokes
dnl must be recognised as related to that UDP connection, reverse-NATted back
dnl to 10.1.1.1 and carry the ct_mark set on the original connection before it
dnl is allowed back to ns0.
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC so the ARP responder in table 8 can answer for the NAT range.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
dnl Make sure ICMP responses are reverse-NATted.
AT_DATA([flows.txt], [dnl
in_port=1,udp,action=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:1->ct_mark)),2
in_port=2,icmp,ct_state=-trk,action=ct(table=0,nat)
dnl nw_dst=10.1.1.1 can only match after ct(nat) has undone the SNAT, and
dnl ct_mark=1 ties the ICMP to a connection this switch committed.
in_port=2,icmp,nw_dst=10.1.1.1,ct_state=+trk+rel,ct_mark=1,action=1
dnl ARP requests: resolve the target IP (reg2) in table 8, answer in table 10.
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0,action=drop
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, i.e. the SNAT range above.
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])
dnl Presumably forces datapath flow stats to be attributed to the OpenFlow
dnl flows before the counters below are compared - TODO confirm.
AT_CHECK([ovs-appctl revalidator/purge], [0])
dnl Every rule except the drops must have seen exactly one packet (two for the
dnl ARP request rule: request in, generated reply out).
AT_CHECK([ovs-ofctl -O OpenFlow15 dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
n_packets=1, n_bytes=42, priority=10,arp actions=NORMAL
n_packets=1, n_bytes=44, udp,in_port=1 actions=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:0x1->ct_mark)),output:2
n_packets=1, n_bytes=72, ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2,nw_dst=10.1.1.1 actions=output:1
n_packets=1, n_bytes=72, ct_state=-trk,icmp,in_port=2 actions=ct(table=0,nat)
n_packets=2, n_bytes=84, priority=100,arp,arp_op=1 actions=move:NXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
table=10, n_packets=1, n_bytes=42, priority=10,arp,arp_op=1 actions=set_field:2->arp_op,move:NXM_NX_ARP_SHA[[]]->NXM_NX_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_NX_ARP_SHA[[]],move:NXM_OF_ARP_SPA[[]]->NXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->NXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],set_field:0->in_port,output:NXM_NX_REG3[[0..15]]
table=10, n_packets=1, n_bytes=42, priority=100,arp,reg0=0,reg1=0 actions=NORMAL
table=8, n_packets=1, n_bytes=42, priority=0 actions=set_field:0->xreg0
table=8, n_packets=1, n_bytes=42, reg2=0xa0101f0/0xfffffff0 actions=set_field:0x808888888888->xreg0
OFPST_FLOW reply (OF1.5):
dnl The sed masks the last octet of the SNAT address (picked from 240-255).
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),mark=1
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - FTP with NAT])
dnl Active-mode FTP through SNAT: the control connection from ns0 is SNATed to
dnl 10.1.1.240 and handed to the FTP ALG, so the data connection the server
dnl opens back towards 10.1.1.240 is classified as new+related and can be
dnl committed and reverse-NATted to 10.1.1.1. The second conntrack entry in
dnl the expected output is that data connection.
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC so the ARP responder in table 8 can answer for the NAT range.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Allow any traffic from ns0->ns1. Only allow ARP and return traffic from ns1->ns0.
AT_DATA([flows.txt], [dnl
dnl track all IP traffic, de-mangle non-NEW connections
table=0 in_port=1, ip, action=ct(table=1,nat)
table=0 in_port=2, ip, action=ct(table=2,nat)
dnl ARP requests: resolve the target IP (reg2) in table 8, answer in table 10.
table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
table=0 priority=10 arp action=normal
table=0 priority=0 action=drop
dnl Table 1: port 1 -> 2
dnl Allow new FTP connections. These need to be committed.
table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
dnl Allow established TCP connections, make sure they are NATted already.
table=1 ct_state=+est, tcp, nw_src=10.1.1.240, action=2
dnl Table 1: droppers
table=1 priority=10, tcp, action=drop
table=1 priority=0,action=drop
dnl Table 2: port 2 -> 1
dnl Allow established TCP connections, make sure they are reverse NATted
table=2 ct_state=+est, tcp, nw_dst=10.1.1.1, action=1
dnl Allow (new) related (data) connections. These need to be committed.
table=2 ct_state=+new+rel, tcp, nw_dst=10.1.1.240, action=ct(commit,nat),1
dnl Allow related ICMP packets, make sure they are reverse NATted
table=2 ct_state=+rel, icmp, nw_dst=10.1.1.1, action=1
dnl Table 2: droppers
table=2 priority=10, tcp, action=drop
table=2 priority=0, action=drop
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, which covers the SNAT address.
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
dnl Wait until the FTP daemon is listening before the client connects.
OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode, i.e. the server initiates the data
dnl connection, which is what the +new+rel rule in table 2 is exercising.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
OVS_TRAFFIC_VSWITCHD_STOP
2147 AT_SETUP([conntrack - FTP with NAT 2])
2148 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
2150 OVS_TRAFFIC_VSWITCHD_START()
2152 ADD_NAMESPACES(at_ns0, at_ns1)
2154 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2155 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2156 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2158 dnl Allow any traffic from ns0->ns1.
2159 dnl Only allow nd, return traffic from ns1->ns0.
2160 AT_DATA([flows.txt], [dnl
2161 dnl track all IP traffic (this includes a helper call to non-NEW packets.)
2162 table=0 ip, action=ct(table=1)
2166 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2167 table=0 priority=10 arp action=normal
2168 table=0 priority=0 action=drop
2172 dnl Allow new FTP connections. These need to be commited.
2173 dnl This does helper for new packets.
2174 table=1 in_port=1 ct_state=+new, tcp, tp_dst=21, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
2175 dnl Allow and NAT established TCP connections
2176 table=1 in_port=1 ct_state=+est, tcp, action=ct(nat),2
2177 table=1 in_port=2 ct_state=+est, tcp, action=ct(nat),1
2178 dnl Allow and NAT (new) related active (data) connections.
2179 dnl These need to be commited.
2180 table=1 in_port=2 ct_state=+new+rel, tcp, action=ct(commit,nat),1
2181 dnl Allow related ICMP packets.
2182 table=1 in_port=2 ct_state=+rel, icmp, action=ct(nat),1
2183 dnl Drop everything else.
2184 table=1 priority=0, action=drop
2186 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2188 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2189 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2190 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2192 dnl Swaps the fields of the ARP message to turn a query to a response.
2193 table=10 priority=100 arp xreg0=0 action=normal
2194 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2195 table=10 priority=0 action=drop
2198 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2200 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
2201 OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
2203 dnl FTP requests from p0->p1 should work fine.
2204 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
2206 dnl Discard entries in FIN_WAIT, CLOSE_WAIT and CLOSING states.
2207 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN" | grep -v "CLOS"], [0], [dnl
2208 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
2209 tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
2212 OVS_TRAFFIC_VSWITCHD_STOP
2215 AT_SETUP([conntrack - IPv6 HTTP with NAT])
2217 OVS_TRAFFIC_VSWITCHD_START()
2219 ADD_NAMESPACES(at_ns0, at_ns1)
2221 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
2222 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2223 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
2224 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
2226 dnl Allow any traffic from ns0->ns1. Only allow nd and return traffic from ns1->ns0.
2227 AT_DATA([flows.txt], [dnl
2228 priority=1,action=drop
2229 priority=10,icmp6,action=normal
2230 priority=100,in_port=1,ip6,action=ct(commit,nat(src=fc00::240)),2
2231 priority=100,in_port=2,ct_state=-trk,ip6,action=ct(nat,table=0)
2232 priority=100,in_port=2,ct_state=+trk+est,ip6,action=1
2233 priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::240,action=ct(commit,nat(dst=fc00::1)),1
2236 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2238 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
2239 dnl waiting, we get occasional failures due to the following error:
2240 dnl "connect: Cannot assign requested address"
2241 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
2243 dnl HTTP requests from ns0->ns1 should work fine.
2244 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])
2246 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2248 dnl HTTP requests from ns1->ns0 should fail with a network failure (wget exit status 4).
2249 dnl Try 3 times, in 1 second intervals.
2250 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
2251 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
2253 OVS_TRAFFIC_VSWITCHD_STOP
2257 AT_SETUP([conntrack - IPv6 FTP with NAT])
2258 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
2260 OVS_TRAFFIC_VSWITCHD_START()
2262 ADD_NAMESPACES(at_ns0, at_ns1)
2264 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
2265 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2266 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
2267 dnl Would be nice if NAT could translate neighbor discovery messages, too.
2268 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
2270 dnl Allow any traffic from ns0->ns1.
2271 dnl Only allow nd and return traffic from ns1->ns0.
2272 AT_DATA([flows.txt], [dnl
2273 dnl Allow other ICMPv6 both ways (without commit).
2274 table=1 priority=100 in_port=1 icmp6, action=2
2275 table=1 priority=100 in_port=2 icmp6, action=1
2276 dnl Track all IPv6 traffic (this includes NAT and helper processing for non-NEW packets).
2277 table=0 priority=10 ip6, action=ct(nat,table=1)
2278 table=0 priority=0 action=drop
2282 dnl Allow new TCPv6 FTP control connections.
2283 table=1 in_port=1 ct_state=+new tcp6 ipv6_src=fc00::1 tp_dst=21 action=ct(alg=ftp,commit,nat(src=fc00::240)),2
2284 dnl Allow related TCPv6 connections from port 2 to the NATted address.
2285 table=1 in_port=2 ct_state=+new+rel tcp6 ipv6_dst=fc00::240 action=ct(commit,nat),1
2286 dnl Allow established TCPv6 connections both ways; the address matches enforce that NAT was applied.
2287 table=1 in_port=1 ct_state=+est tcp6 ipv6_src=fc00::240 action=2
2288 table=1 in_port=2 ct_state=+est tcp6 ipv6_dst=fc00::1 action=1
2289 dnl Drop everything else.
2290 table=1 priority=0, action=drop
2293 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2295 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
2296 dnl waiting, we get occasional failures due to the following error:
2297 dnl "connect: Cannot assign requested address"
2298 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
2300 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
2301 OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
2303 dnl FTP requests from p0->p1 should work fine.
2304 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
2306 dnl Discard entries in FIN_WAIT, CLOSE_WAIT and CLOSING states.
2307 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2) | grep -v "FIN" | grep -v "CLOS"], [0], [dnl
2308 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
2309 tcp,orig=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
2312 OVS_TRAFFIC_VSWITCHD_STOP
2315 AT_SETUP([conntrack - DNAT load balancing])
2317 OVS_TRAFFIC_VSWITCHD_START()
2319 ADD_NAMESPACES(at_ns1, at_ns2, at_ns3, at_ns4)
2321 ADD_VETH(p1, at_ns1, br0, "10.1.1.1/24")
2322 ADD_VETH(p2, at_ns2, br0, "10.1.1.2/24")
2323 ADD_VETH(p3, at_ns3, br0, "10.1.1.3/24")
2324 ADD_VETH(p4, at_ns4, br0, "10.1.1.4/24")
2325 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:11])
2326 NS_CHECK_EXEC([at_ns2], [ip link set dev p2 address 80:88:88:88:88:22])
2327 NS_CHECK_EXEC([at_ns3], [ip link set dev p3 address 80:88:88:88:88:33])
2328 NS_CHECK_EXEC([at_ns4], [ip link set dev p4 address 80:88:88:88:88:44])
2330 dnl Select group for load balancing. One bucket per server. Each bucket
2331 dnl tracks and NATs the connection and recirculates to table 4 for egress
2332 dnl routing. Packets of existing connections are always NATted based on
2333 dnl connection state, only new connections are NATted according to the
2334 dnl specific NAT parameters in each bucket.
2335 AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn add-group br0 "group_id=234,type=select,bucket=weight=100,ct(nat(dst=10.1.1.2),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.3),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.4),commit,table=4)"])
2337 AT_DATA([flows.txt], [dnl
2338 dnl Track connections to the virtual IP address.
2339 table=0 priority=100 ip nw_dst=10.1.1.64 action=group:234
2340 dnl All other IP traffic is allowed, but its connection state is not committed.
2341 table=0 priority=90 ip action=ct(table=4,nat)
2343 dnl Allow ARP, but generate responses for virtual addresses
2344 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2345 table=0 priority=10 arp action=normal
2346 table=0 priority=0 action=drop
2350 table=4,ip,nw_dst=10.1.1.1 action=mod_dl_dst:80:88:88:88:88:11,output:1
2351 table=4,ip,nw_dst=10.1.1.2 action=mod_dl_dst:80:88:88:88:88:22,output:2
2352 table=4,ip,nw_dst=10.1.1.3 action=mod_dl_dst:80:88:88:88:88:33,output:3
2353 table=4,ip,nw_dst=10.1.1.4 action=mod_dl_dst:80:88:88:88:88:44,output:4
2354 table=4 priority=0 action=drop
2356 dnl MAC resolution table for the IP in reg2; stores the MAC in OXM_OF_PKT_REG0.
2357 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2358 dnl Zero result means not found.
2359 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2360 dnl ARP responder: MAC filled in at OXM_OF_PKT_REG0, or 0 for the normal action.
2362 table=10 priority=100 arp xreg0=0 action=normal
2363 dnl Swaps the fields of the ARP message to turn a query to a response.
2364 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2365 table=10 priority=0 action=controller
2368 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2370 dnl Start web servers
2371 NETNS_DAEMONIZE([at_ns2], [[$PYTHON $srcdir/test-l7.py]], [http2.pid])
2372 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http3.pid])
2373 NETNS_DAEMONIZE([at_ns4], [[$PYTHON $srcdir/test-l7.py]], [http4.pid])
2375 on_exit 'ovs-ofctl -O OpenFlow15 dump-flows br0'
2376 on_exit 'ovs-appctl revalidator/purge'
2377 on_exit 'ovs-appctl dpif/dump-flows br0'
2379 dnl Should work with the virtual IP address through NAT
2380 for i in 1 2 3 4 5 6 7 8 9 10 11 12; do
2382 NS_CHECK_EXEC([at_ns1], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget$i.log])
2385 dnl Each server should have at least one connection.
2386 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64) | grep -v "FIN" | grep -v "CLOS"], [0], [dnl
2387 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
2388 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.3,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
2389 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
2392 ovs-appctl dpif/dump-flows br0
2393 ovs-appctl revalidator/purge
2394 ovs-ofctl -O OpenFlow15 dump-flows br0
2395 ovs-ofctl -O OpenFlow15 dump-group-stats br0
2397 OVS_TRAFFIC_VSWITCHD_STOP
2401 AT_SETUP([conntrack - DNAT load balancing with NC])
2403 OVS_TRAFFIC_VSWITCHD_START()
2405 ADD_NAMESPACES(at_ns1, at_ns2, at_ns3, at_ns4, at_ns5)
2407 ADD_VETH(p1, at_ns1, br0, "10.1.1.1/24")
2408 ADD_VETH(p2, at_ns2, br0, "10.1.1.2/24")
2409 ADD_VETH(p3, at_ns3, br0, "10.1.1.3/24")
2410 ADD_VETH(p4, at_ns4, br0, "10.1.1.4/24")
2411 ADD_VETH(p5, at_ns5, br0, "10.1.1.5/24")
2412 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:11])
2413 NS_CHECK_EXEC([at_ns2], [ip link set dev p2 address 80:88:88:88:88:22])
2414 NS_CHECK_EXEC([at_ns3], [ip link set dev p3 address 80:88:88:88:88:33])
2415 NS_CHECK_EXEC([at_ns4], [ip link set dev p4 address 80:88:88:88:88:44])
2416 NS_CHECK_EXEC([at_ns5], [ip link set dev p5 address 80:88:88:88:88:55])
2418 dnl Select group for load balancing. One bucket per server. Each bucket
2419 dnl tracks and NATs the connection and recirculates to table 4 for egress
2420 dnl routing. Packets of existing connections are always NATted based on
2421 dnl connection state, only new connections are NATted according to the
2422 dnl specific NAT parameters in each bucket.
2423 AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn add-group br0 "group_id=234,type=select,bucket=weight=100,ct(nat(dst=10.1.1.2),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.3),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.4),commit,table=4)"])
2425 AT_DATA([flows.txt], [dnl
2426 dnl Track connections to the virtual IP address.
2427 table=0 priority=100 ip nw_dst=10.1.1.64 action=group:234
2428 dnl All other IP traffic is allowed, but its connection state is not committed.
2429 table=0 priority=90 ip action=ct(table=4,nat)
2431 dnl Allow ARP, but generate responses for virtual addresses
2432 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2433 table=0 priority=10 arp action=normal
2434 table=0 priority=0 action=drop
2438 table=4,ip,nw_dst=10.1.1.1 action=mod_dl_dst:80:88:88:88:88:11,output:1
2439 table=4,ip,nw_dst=10.1.1.2 action=mod_dl_dst:80:88:88:88:88:22,output:2
2440 table=4,ip,nw_dst=10.1.1.3 action=mod_dl_dst:80:88:88:88:88:33,output:3
2441 table=4,ip,nw_dst=10.1.1.4 action=mod_dl_dst:80:88:88:88:88:44,output:4
2442 table=4,ip,nw_dst=10.1.1.5 action=mod_dl_dst:80:88:88:88:88:55,output:5
2443 table=4 priority=0 action=drop
2445 dnl MAC resolution table for the IP in reg2; stores the MAC in OXM_OF_PKT_REG0.
2446 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2447 dnl Zero result means not found.
2448 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2449 dnl ARP responder: MAC filled in at OXM_OF_PKT_REG0, or 0 for the normal action.
2451 table=10 priority=100 arp xreg0=0 action=normal
2452 dnl Swaps the fields of the ARP message to turn a query to a response.
2453 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2454 table=10 priority=0 action=controller
2457 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2459 dnl Start web servers
2460 NETNS_DAEMONIZE([at_ns2], [[$PYTHON $srcdir/test-l7.py]], [http2.pid])
2461 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http3.pid])
2462 NETNS_DAEMONIZE([at_ns4], [[$PYTHON $srcdir/test-l7.py]], [http4.pid])
2464 on_exit 'ovs-ofctl -O OpenFlow15 dump-flows br0'
2465 on_exit 'ovs-appctl revalidator/purge'
2466 on_exit 'ovs-appctl dpif/dump-flows br0'
2470 dnl Should work with the virtual IP address through NAT
2471 for i in 1 2 3 4 5 6 7 8 9; do
2473 NS_CHECK_EXEC([at_ns1], [echo "TEST1" | nc -p 4100$i 10.1.1.64 80 > nc-1-$i.log])
2474 NS_CHECK_EXEC([at_ns5], [echo "TEST5" | nc -p 4100$i 10.1.1.64 80 > nc-5-$i.log])
2479 ovs-appctl dpif/dump-flows br0
2480 ovs-appctl revalidator/purge
2481 ovs-ofctl -O OpenFlow15 dump-flows br0
2482 ovs-ofctl -O OpenFlow15 dump-group-stats br0
2484 OVS_TRAFFIC_VSWITCHD_STOP