system-traffic: Use NC_EOF_OPT in truncate tests.
1 AT_BANNER([datapath-sanity])
dnl Every test below pushes real traffic between network namespaces through a
dnl running ovs-vswitchd (OVS_TRAFFIC_VSWITCHD_START / NS_CHECK_EXEC); nothing
dnl here is a pure unit test.
2
3 AT_SETUP([datapath - ping between two ports])
4 OVS_TRAFFIC_VSWITCHD_START()
5
dnl A single NORMAL flow makes br0 act as a plain L2 switch between p0 and p1.
6 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
7
8 ADD_NAMESPACES(at_ns0, at_ns1)
9
10 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
11 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
12
dnl Default, 1600- and 3200-byte payloads.  The larger two are presumably above
dnl the veth MTU so fragmented IP is exercised too (MTU not set explicitly here).
dnl The "time 0ms" in the expected output shows FORMAT_PING normalises timing.
13 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
14 3 packets transmitted, 3 received, 0% packet loss, time 0ms
15 ])
16 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
17 3 packets transmitted, 3 received, 0% packet loss, time 0ms
18 ])
19 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
20 3 packets transmitted, 3 received, 0% packet loss, time 0ms
21 ])
22
23 OVS_TRAFFIC_VSWITCHD_STOP
24 AT_CLEANUP
25
26 AT_SETUP([datapath - http between two ports])
27 OVS_TRAFFIC_VSWITCHD_START()
28
29 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
30
31 ADD_NAMESPACES(at_ns0, at_ns1)
32
33 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
34 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
35
dnl Sanity-check L3 reachability before starting the TCP exchange.
36 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
37 3 packets transmitted, 3 received, 0% packet loss, time 0ms
38 ])
39
dnl test-l7.py serves HTTP inside at_ns1; wget retries (-t 3, -T 1,
dnl --retry-connrefused) to absorb the server's start-up delay.  Only the
dnl exit status is checked; the transcript goes to wget0.log.
40 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
41 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
42
43 OVS_TRAFFIC_VSWITCHD_STOP
44 AT_CLEANUP
45
46 AT_SETUP([datapath - ping between two ports on vlan])
47 OVS_TRAFFIC_VSWITCHD_START()
48
49 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
50
51 ADD_NAMESPACES(at_ns0, at_ns1)
52
53 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
54 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
55
dnl VLAN 100 sub-interfaces on both veths; the pings below use the 10.2.2.0/24
dnl addresses so every frame crosses br0 tagged.
56 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
57 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
58
59 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
60 3 packets transmitted, 3 received, 0% packet loss, time 0ms
61 ])
62 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
63 3 packets transmitted, 3 received, 0% packet loss, time 0ms
64 ])
65 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
66 3 packets transmitted, 3 received, 0% packet loss, time 0ms
67 ])
68
69 OVS_TRAFFIC_VSWITCHD_STOP
70 AT_CLEANUP
71
72 AT_SETUP([datapath - ping6 between two ports])
73 OVS_TRAFFIC_VSWITCHD_START()
74
75 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
76
77 ADD_NAMESPACES(at_ns0, at_ns1)
78
79 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
80 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
81
82 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
83 dnl waiting, we get occasional failures due to the following error:
84 dnl "connect: Cannot assign requested address"
dnl (DAD on the new address; the wait polls until one ping6 succeeds.)
85 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
86
87 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
88 3 packets transmitted, 3 received, 0% packet loss, time 0ms
89 ])
90 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
91 3 packets transmitted, 3 received, 0% packet loss, time 0ms
92 ])
93 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
94 3 packets transmitted, 3 received, 0% packet loss, time 0ms
95 ])
96
97 OVS_TRAFFIC_VSWITCHD_STOP
98 AT_CLEANUP
99
100 AT_SETUP([datapath - ping6 between two ports on vlan])
101 OVS_TRAFFIC_VSWITCHD_START()
102
103 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
104
105 ADD_NAMESPACES(at_ns0, at_ns1)
106
107 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
108 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
109
dnl fc00:1::/96 lives on the VLAN 100 sub-interfaces; fc00::/96 on the untagged veths.
110 ADD_VLAN(p0, at_ns0, 100, "fc00:1::1/96")
111 ADD_VLAN(p1, at_ns1, 100, "fc00:1::2/96")
112
113 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
114 dnl waiting, we get occasional failures due to the following error:
115 dnl "connect: Cannot assign requested address"
dnl Note the wait probes the untagged address (fc00::2) while the checks below
dnl use the VLAN address (fc00:1::2); the VLAN address may still be settling.
116 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
117
118 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
119 3 packets transmitted, 3 received, 0% packet loss, time 0ms
120 ])
121 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
122 3 packets transmitted, 3 received, 0% packet loss, time 0ms
123 ])
124 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
125 3 packets transmitted, 3 received, 0% packet loss, time 0ms
126 ])
127
128 OVS_TRAFFIC_VSWITCHD_STOP
129 AT_CLEANUP
130
131 AT_SETUP([datapath - ping over vxlan tunnel])
dnl Skips the test when the running kernel/datapath has no vxlan support.
132 OVS_CHECK_VXLAN()
133
134 OVS_TRAFFIC_VSWITCHD_START()
135 ADD_BR([br-underlay])
136
137 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
138 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
139
140 ADD_NAMESPACES(at_ns0)
141
142 dnl Set up underlay link from host into the namespace using veth pair.
dnl 172.31.1.0/24 is the underlay; 10.1.1.0/24 the overlay carried inside vxlan.
143 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
144 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
145 AT_CHECK([ip link set dev br-underlay up])
146
147 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
148 dnl linux device inside the namespace.
dnl The OVS side is the vxlan vport on br0; the namespace side is a kernel vxlan
dnl device with VNI 0 on the standard port 4789, so both ends must agree.
149 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
150 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
151                   [id 0 dstport 4789])
152
153 dnl First, check the underlay
154 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
155 3 packets transmitted, 3 received, 0% packet loss, time 0ms
156 ])
157
158 dnl Okay, now check the overlay with different packet sizes
dnl Encapsulation adds outer headers, so the 1600/3200-byte pings should also
dnl cover fragmentation of the encapsulated packet (MTU not pinned here).
159 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
160 3 packets transmitted, 3 received, 0% packet loss, time 0ms
161 ])
162 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
163 3 packets transmitted, 3 received, 0% packet loss, time 0ms
164 ])
165 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
166 3 packets transmitted, 3 received, 0% packet loss, time 0ms
167 ])
168
169 OVS_TRAFFIC_VSWITCHD_STOP
170 AT_CLEANUP
171
172 AT_SETUP([datapath - ping over gre tunnel])
dnl Skips the test when the running kernel/datapath has no gre support.
173 OVS_CHECK_GRE()
174
175 OVS_TRAFFIC_VSWITCHD_START()
176 ADD_BR([br-underlay])
177
178 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
179 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
180
181 ADD_NAMESPACES(at_ns0)
182
183 dnl Set up underlay link from host into the namespace using veth pair.
184 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
185 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
186 AT_CHECK([ip link set dev br-underlay up])
187
188 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
189 dnl linux device inside the namespace.
dnl OVS "gre" carries Ethernet, so the namespace peer must be a gretap device
dnl (L2 over GRE), not plain gre.
190 ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
191 ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24])
192
193 dnl First, check the underlay
194 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
195 3 packets transmitted, 3 received, 0% packet loss, time 0ms
196 ])
197
198 dnl Okay, now check the overlay with different packet sizes
199 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
200 3 packets transmitted, 3 received, 0% packet loss, time 0ms
201 ])
202 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
203 3 packets transmitted, 3 received, 0% packet loss, time 0ms
204 ])
205 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
206 3 packets transmitted, 3 received, 0% packet loss, time 0ms
207 ])
208
209 OVS_TRAFFIC_VSWITCHD_STOP
210 AT_CLEANUP
211
212 AT_SETUP([datapath - ping over geneve tunnel])
dnl Skips the test when the running kernel/datapath has no geneve support.
213 OVS_CHECK_GENEVE()
214
215 OVS_TRAFFIC_VSWITCHD_START()
216 ADD_BR([br-underlay])
217
218 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
219 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
220
221 ADD_NAMESPACES(at_ns0)
222
223 dnl Set up underlay link from host into the namespace using veth pair.
224 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
225 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
226 AT_CHECK([ip link set dev br-underlay up])
227
228 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
229 dnl linux device inside the namespace.
dnl Both ends use VNI 0 (the OVS vport default; "vni 0" on the kernel device).
230 ADD_OVS_TUNNEL([geneve], [br0], [at_gnv0], [172.31.1.1], [10.1.1.100/24])
231 ADD_NATIVE_TUNNEL([geneve], [ns_gnv0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
232                   [vni 0])
233
234 dnl First, check the underlay
235 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
236 3 packets transmitted, 3 received, 0% packet loss, time 0ms
237 ])
238
239 dnl Okay, now check the overlay with different packet sizes
240 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
241 3 packets transmitted, 3 received, 0% packet loss, time 0ms
242 ])
243 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
244 3 packets transmitted, 3 received, 0% packet loss, time 0ms
245 ])
246 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
247 3 packets transmitted, 3 received, 0% packet loss, time 0ms
248 ])
249
250 OVS_TRAFFIC_VSWITCHD_STOP
251 AT_CLEANUP
252
253 AT_SETUP([datapath - basic truncate action])
254 OVS_TRAFFIC_VSWITCHD_START()
255 AT_CHECK([ovs-ofctl del-flows br0])
256
257 dnl Create p0 and ovs-p0(1)
dnl Fixed MACs plus a static ARP entry so the UDP packets sent below need no
dnl ARP exchange and match the dl_dst in flows.txt deterministically.
258 ADD_NAMESPACES(at_ns0)
259 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
260 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
261 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
262
263 dnl Create p1(3) and ovs-p1(2), packets received from ovs-p1 will appear in p1
dnl Both ends of the veth pair are OVS ports, so whatever is output to port 2
dnl comes straight back in on port 3 and its byte count can be read from the
dnl in_port=3 flow statistics.  The on_exit removes the pair even on failure.
264 AT_CHECK([ip link add p1 type veth peer name ovs-p1])
265 on_exit 'ip link del ovs-p1'
266 AT_CHECK([ip link set dev ovs-p1 up])
267 AT_CHECK([ip link set dev p1 up])
268 AT_CHECK([ovs-vsctl add-port br0 ovs-p1 -- set interface ovs-p1 ofport_request=2])
269 dnl Use p1 to check the truncated packet
270 AT_CHECK([ovs-vsctl add-port br0 p1 -- set interface p1 ofport_request=3])
271
272 dnl Create p2(5) and ovs-p2(4)
dnl Same loopback arrangement: output to port 4 is observed on port 5.
273 AT_CHECK([ip link add p2 type veth peer name ovs-p2])
274 on_exit 'ip link del ovs-p2'
275 AT_CHECK([ip link set dev ovs-p2 up])
276 AT_CHECK([ip link set dev p2 up])
277 AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=4])
278 dnl Use p2 to check the truncated packet
279 AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=5])
280
281 dnl basic test
dnl Port 2 gets a copy truncated to 100 bytes, port 4 an untruncated copy.
282 AT_CHECK([ovs-ofctl del-flows br0])
283 AT_DATA([flows.txt], [dnl
284 in_port=3 dl_dst=e6:66:c1:22:22:22 actions=drop
285 in_port=5 dl_dst=e6:66:c1:22:22:22 actions=drop
286 in_port=1 dl_dst=e6:66:c1:22:22:22 actions=output(port=2,max_len=100),output:4
287 ])
288 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
289
290 dnl use this file as payload file for ncat
dnl 200 random bytes in one UDP datagram: on the wire that is
dnl ETH(14) + IP(20) + UDP(8) + 200 = 242 bytes, the untruncated size asserted
dnl below.  NC_EOF_OPT carries the netcat-variant-specific "quit on stdin EOF"
dnl flag so nc exits after sending instead of hanging the test.
291 AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
292 on_exit 'rm -f payload200.bin'
293 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])
294
295 dnl packet with truncated size
dnl revalidator/purge pushes datapath flow stats up into the OpenFlow flow
dnl counters before dump-flows reads n_bytes.
296 AT_CHECK([ovs-appctl revalidator/purge], [0])
297 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" |  sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
298 n_bytes=100
299 ])
300 dnl packet with original size
301 AT_CHECK([ovs-appctl revalidator/purge], [0])
302 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
303 n_bytes=242
304 ])
305
306 dnl more complicated output actions
dnl Checks that max_len applies only to the output it is attached to, and that
dnl a max_len larger than the packet (65535) leaves it untouched.  Counters are
dnl cumulative, so the expected values below add to the 100/242 already seen.
307 AT_CHECK([ovs-ofctl del-flows br0])
308 AT_DATA([flows.txt], [dnl
309 in_port=3 dl_dst=e6:66:c1:22:22:22 actions=drop
310 in_port=5 dl_dst=e6:66:c1:22:22:22 actions=drop
311 in_port=1 dl_dst=e6:66:c1:22:22:22 actions=output(port=2,max_len=100),output:4,output(port=2,max_len=100),output(port=4,max_len=100),output:2,output(port=4,max_len=200),output(port=2,max_len=65535)
312 ])
313 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
314
315 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])
316
317 dnl 100 + 100 + 242 + min(65535,242) = 684
318 AT_CHECK([ovs-appctl revalidator/purge], [0])
319 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
320 n_bytes=684
321 ])
322 dnl 242 + 100 + min(242,200) = 542
323 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
324 n_bytes=542
325 ])
326
327 dnl SLOW_ACTION: disable kernel datapath truncate support
328 dnl Repeat the test above, but exercise the SLOW_ACTION code path
dnl The expected string below is the daemon's literal reply, typo included;
dnl do not "correct" it here without changing ovs-vswitchd.
329 AT_CHECK([ovs-appctl dpif/disable-truncate], [0],
330 [Datapath truncate action diabled
331 ])
332
333 dnl SLOW_ACTION test1: check datapath actions
dnl With truncate disabled the trace must show the flow handed to the userspace
dnl slow path.  Only meaningful on the kernel datapath, hence CHECK_KERNEL_DP.
334 AT_CHECK([ovs-ofctl del-flows br0])
335 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
336
337 CHECK_KERNEL_DP(
338 AT_CHECK([ovs-appctl ofproto/trace system 'in_port(2),eth(src=e6:66:c1:11:11:11,dst=e6:66:c1:22:22:22),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=6,tos=4,ttl=128,frag=no),tcp(src=8,dst=9)'], [0], [stdout])
339 AT_CHECK([tail -3 stdout], [0],
340 [Datapath actions: trunc(100),3,5,trunc(100),3,trunc(100),5,3,trunc(200),5,trunc(65535),3
341 This flow is handled by the userspace slow path because it:
342         - Uses action(s) not supported by datapath.
343 ])
344 )
345
346 dnl SLOW_ACTION test2: check actual packet truncate
dnl Re-adding flows.txt resets the counters, so the same 684/542 totals are
dnl expected again, this time produced by userspace truncation.
347 AT_CHECK([ovs-ofctl del-flows br0])
348 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
349 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])
350
351 dnl 100 + 100 + 242 + min(65535,242) = 684
352 AT_CHECK([ovs-appctl revalidator/purge], [0])
353 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
354 n_bytes=684
355 ])
356
357 dnl 242 + 100 + min(242,200) = 542
358 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
359 n_bytes=542
360 ])
361
362 OVS_TRAFFIC_VSWITCHD_STOP
363 AT_CLEANUP
364
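365 dnl Create 2 bridges and 2 namespaces to test truncate over
366 dnl GRE tunnel:
367 dnl   br0: overlay bridge
368 dnl   ns1: connect to br0, with IP:10.1.1.2
369 dnl   br-underlay: with IP: 172.31.1.100
370 dnl   ns0: connect to br-underlay, with IP: 10.1.1.1
dnl   (ns0 reaches 10.1.1.1 through its gretap device over the underlay.)
371 AT_SETUP([datapath - truncate and output to gre tunnel])
372 OVS_CHECK_GRE()
373 OVS_TRAFFIC_VSWITCHD_START()
374
375 ADD_BR([br-underlay])
376 ADD_NAMESPACES(at_ns0)
377 ADD_NAMESPACES(at_ns1)
378 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
379 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
380
381 dnl Set up underlay link from host into the namespace using veth pair.
382 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
383 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
384 AT_CHECK([ip link set dev br-underlay up])
385
386 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
387 dnl linux device inside the namespace.
dnl Fixed MACs and static ARP entries on both overlay ends so the UDP packets
dnl below match deterministically without an ARP exchange.
388 ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
389 ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24])
390 AT_CHECK([ovs-vsctl -- set interface at_gre0 ofport_request=1])
391 NS_CHECK_EXEC([at_ns0], [ip link set dev ns_gre0 address e6:66:c1:11:11:11])
392 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
393
394 dnl Set up (p1 and ovs-p1) at br0
395 ADD_VETH(p1, at_ns1, br0, '10.1.1.2/24')
396 AT_CHECK([ovs-vsctl -- set interface ovs-p1 ofport_request=2])
397 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
398 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
399
400 dnl Set up (p2 and ovs-p2) as loopback for verifying packet size
dnl Both veth ends are OVS ports: output to port 3 re-enters on port 4, whose
dnl flow counter then reflects the truncated size.
401 AT_CHECK([ip link add p2 type veth peer name ovs-p2])
402 on_exit 'ip link del ovs-p2'
403 AT_CHECK([ip link set dev ovs-p2 up])
404 AT_CHECK([ip link set dev p2 up])
405 AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=3])
406 AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=4])
407
408 dnl use this file as payload file for ncat
dnl 200 random bytes in one datagram = 242 bytes on the wire (ETH+IP+UDP).
dnl NC_EOF_OPT is the netcat-variant-specific "quit on stdin EOF" flag.
409 AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
410 on_exit 'rm -f payload200.bin'
411
dnl Overlay: tunnel ingress (port 1) fans out to ns1 (2) and the loopback (3),
dnl both truncated; UDP from ns1 is truncated before the tunnel push.
412 AT_CHECK([ovs-ofctl del-flows br0])
413 AT_DATA([flows.txt], [dnl
414 priority=99,in_port=1,actions=output(port=2,max_len=100),output(port=3,max_len=100)
415 priority=99,in_port=2,udp,actions=output(port=1,max_len=100)
416 priority=1,in_port=4,ip,actions=drop
417 priority=1,actions=drop
418 ])
419 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
420
dnl Underlay: only GRE (nw_proto=47) is forwarded, in both directions.
421 AT_CHECK([ovs-ofctl del-flows br-underlay])
422 AT_DATA([flows-underlay.txt], [dnl
423 priority=99,dl_type=0x0800,nw_proto=47,in_port=1,actions=LOCAL
424 priority=99,dl_type=0x0800,nw_proto=47,in_port=LOCAL,ip_dst=172.31.1.1/24,actions=1
425 priority=1,actions=drop
426 ])
427
428 AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])
429
430 dnl check tunnel push path, from at_ns1 to at_ns0
431 NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
432 AT_CHECK([ovs-appctl revalidator/purge], [0])
433
434 dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
435 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
436 n_bytes=242
437 ])
438 dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
439 AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
440 n_bytes=138
441 ])
442
443 dnl check tunnel pop path, from at_ns0 to at_ns1
444 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 5678 < payload200.bin])
445 dnl After truncation = 100 byte at loopback device p2(4)
dnl Same sed extraction as every other n_bytes check in this file (the earlier
dnl awk --field-separator form depended on GNU awk and on field position).
446 AT_CHECK([ovs-appctl revalidator/purge], [0])
447 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
448 n_bytes=100
449 ])
450
451 dnl SLOW_ACTION: disable datapath truncate support
452 dnl Repeat the test above, but exercise the SLOW_ACTION code path
dnl The expected string below is the daemon's literal reply, typo included.
453 AT_CHECK([ovs-appctl dpif/disable-truncate], [0],
454 [Datapath truncate action diabled
455 ])
456
457 dnl SLOW_ACTION test1: check datapath actions
dnl The trace uses datapath port 5 (not OpenFlow port numbers); expect the
dnl tunnel push preceded by a 100-byte trunc and the slow-path explanation.
458 AT_CHECK([ovs-ofctl del-flows br0])
459 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
460
461 CHECK_KERNEL_DP(
462 AT_CHECK([ovs-appctl ofproto/trace system 'in_port(5),eth(src=e6:66:c1:11:11:11,dst=e6:66:c1:22:22:22),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=17,tos=4,ttl=128,frag=no),udp(src=8,dst=9)'], [0], [stdout])
463 AT_CHECK([tail -3 stdout], [0],
464 [Datapath actions: trunc(100),set(tunnel(dst=172.31.1.1,ttl=64,flags(df))),4
465 This flow is handled by the userspace slow path because it:
466         - Uses action(s) not supported by datapath.
467 ])
468 )
469
470 dnl SLOW_ACTION test2: check actual packet truncate
dnl Re-adding both flow tables resets counters, so the 242/138/100 values are
dnl expected again, now produced by userspace truncation.
471 AT_CHECK([ovs-ofctl del-flows br0])
472 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
473 AT_CHECK([ovs-ofctl del-flows br-underlay])
474 AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])
475
476 dnl check tunnel push path, from at_ns1 to at_ns0
477 NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
478 AT_CHECK([ovs-appctl revalidator/purge], [0])
479
480 dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
481 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
482 n_bytes=242
483 ])
484 dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
485 AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
486 n_bytes=138
487 ])
488
489 dnl check tunnel pop path, from at_ns0 to at_ns1
490 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 5678 < payload200.bin])
491 dnl After truncation = 100 byte at loopback device p2(4)
492 AT_CHECK([ovs-appctl revalidator/purge], [0])
493 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
494 n_bytes=100
495 ])
496
497 OVS_TRAFFIC_VSWITCHD_STOP
498 AT_CLEANUP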
499
500 AT_SETUP([conntrack - controller])
dnl Skips the test when the datapath has no conntrack support.
501 CHECK_CONNTRACK()
502 OVS_TRAFFIC_VSWITCHD_START()
503
504 ADD_NAMESPACES(at_ns0, at_ns1)
505
506 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
507 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
508
509 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl Port 1 UDP is committed and punted to the controller; port 2 UDP is first
dnl sent through ct (recirculating to table 0) and only punted if it is part
dnl of an established connection.  Anything else hits the priority-1 drop.
510 AT_DATA([flows.txt], [dnl
511 priority=1,action=drop
512 priority=10,arp,action=normal
513 priority=100,in_port=1,udp,action=ct(commit),controller
514 priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
515 priority=100,in_port=2,ct_state=+trk+est,udp,action=controller
516 ])
517
518 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
519
dnl ovs-ofctl monitor records every packet-in; its log is the test oracle.
520 AT_CAPTURE_FILE([ofctl_monitor.log])
521 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
522
523 dnl Send an unsolicited reply from port 2. This should be dropped.
dnl The hex is a hand-built Ethernet/IPv4/UDP frame; per the monitor output
dnl below it is 50:54:00:00:00:09 -> :0a, 10.1.1.2 -> 10.1.1.1, sport 2, dport 1.
524 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
525
526 dnl OK, now start a new connection from port 1.
dnl Same frame shape in the forward direction (10.1.1.1 -> 10.1.1.2, 1 -> 2).
527 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit\),controller '50540000000a50540000000908004500001c00000000001100000a0101010a0101020001000200080000'])
528
529 dnl Now try a reply from port 2.
530 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
531
532 dnl Check this output. We only see the latter two packets, not the first.
dnl The second packet-in carries ct_state=est|rpl|trk, proving the reply was
dnl matched against the committed entry rather than passed through untracked.
533 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
534 NXT_PACKET_IN2 (xid=0x0): total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
535 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
536 NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
537 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
538 ])
539
540 OVS_TRAFFIC_VSWITCHD_STOP
541 AT_CLEANUP
542
543 AT_SETUP([conntrack - IPv4 HTTP])
544 CHECK_CONNTRACK()
545 OVS_TRAFFIC_VSWITCHD_START()
546
547 ADD_NAMESPACES(at_ns0, at_ns1)
548
549 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
550 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
551
552 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl Stateful one-way policy: TCP from port 1 is committed and forwarded; TCP
dnl from port 2 is forwarded only when ct reports it as established.
553 AT_DATA([flows.txt], [dnl
554 priority=1,action=drop
555 priority=10,arp,action=normal
556 priority=10,icmp,action=normal
557 priority=100,in_port=1,tcp,action=ct(commit),2
558 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
559 priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
560 ])
561
562 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
563
564 dnl HTTP requests from ns0->ns1 should work fine.
565 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
566 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
567
dnl FORMAT_CT clears the ephemeral port and protoinfo fields so the entry
dnl compares exactly; only the 5-tuple endpoints are asserted.
568 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
569 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
570 ])
571
572 dnl HTTP requests from ns1->ns0 should fail due to network failure.
573 dnl Try 3 times, in 1 second intervals.
dnl wget exit status 4 is "network failure"; no --retry-connrefused here
dnl because the SYN is dropped rather than refused.
574 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
575 NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log], [4])
576
577 OVS_TRAFFIC_VSWITCHD_STOP
578 AT_CLEANUP
579
580 AT_SETUP([conntrack - IPv6 HTTP])
581 CHECK_CONNTRACK()
582 OVS_TRAFFIC_VSWITCHD_START()
583
584 ADD_NAMESPACES(at_ns0, at_ns1)
585
586 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
587 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
588
589 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl IPv6 twin of the IPv4 HTTP test: icmp6 (neighbour discovery) is allowed
dnl unconditionally, tcp6 is subject to the same one-way stateful policy.
590 AT_DATA([flows.txt], [dnl
591 priority=1,action=drop
592 priority=10,icmp6,action=normal
593 priority=100,in_port=1,tcp6,action=ct(commit),2
594 priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
595 priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
596 ])
597
598 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
599
600 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
601 dnl waiting, we get occasional failures due to the following error:
602 dnl "connect: Cannot assign requested address"
603 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
604
605 dnl HTTP requests from ns0->ns1 should work fine.
dnl test-l7.py is started in http6 mode; the URL needs the bracketed literal,
dnl doubled here because of m4 quoting.
606 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])
607
608 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
609
610 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
611 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
612 ])
613
614 dnl HTTP requests from ns1->ns0 should fail due to network failure.
615 dnl Try 3 times, in 1 second intervals.
616 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
617 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
618
619 OVS_TRAFFIC_VSWITCHD_STOP
620 AT_CLEANUP
621
622 AT_SETUP([conntrack - commit, recirc])
623 CHECK_CONNTRACK()
624 OVS_TRAFFIC_VSWITCHD_START()
625
626 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
627
628 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
629 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
630 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
631 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
632
633 dnl Allow any traffic from ns0->ns1, ns2->ns3.
dnl Pair 1/2: ct(commit,table=0) recirculates, then the +trk flow forwards.
dnl Pair 3/4: port 3 goes through ct twice, using metadata as a pass counter
dnl (0 after the first ct, 1 after the commit) to reach the output flow.
634 AT_DATA([flows.txt], [dnl
635 priority=1,action=drop
636 priority=10,arp,action=normal
637 priority=10,icmp,action=normal
638 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
639 priority=100,in_port=1,tcp,ct_state=+trk,action=2
640 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
641 priority=100,in_port=2,tcp,ct_state=+trk,action=1
642 priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
643 priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
644 priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
645 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
646 priority=100,in_port=4,tcp,ct_state=+trk,action=3
647 ])
648
649 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
650
651 dnl HTTP requests from p0->p1 should work fine.
652 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
653 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
654
655 dnl HTTP requests from p2->p3 should work fine.
656 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
657 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
658
659 OVS_TRAFFIC_VSWITCHD_STOP
660 AT_CLEANUP
661
662 AT_SETUP([conntrack - preserve registers])
663 CHECK_CONNTRACK()
664 OVS_TRAFFIC_VSWITCHD_START()
665
666 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
667
668 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
669 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
670 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
671 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
672
673 dnl Allow any traffic from ns0->ns1, ns2->ns3.
dnl Same shape as "commit, recirc", but the pass counter for port 3 is kept in
dnl reg0 instead of metadata, so the test proves registers survive ct
dnl recirculation.  The "[[]]" is m4 quoting for an empty bit range.
674 AT_DATA([flows.txt], [dnl
675 priority=1,action=drop
676 priority=10,arp,action=normal
677 priority=10,icmp,action=normal
678 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
679 priority=100,in_port=1,tcp,ct_state=+trk,action=2
680 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
681 priority=100,in_port=2,tcp,ct_state=+trk,action=1
682 priority=100,in_port=3,tcp,ct_state=-trk,action=load:0->NXM_NX_REG0[[]],ct(table=0)
683 priority=100,in_port=3,tcp,ct_state=+trk,reg0=0,action=load:1->NXM_NX_REG0[[]],ct(commit,table=0)
684 priority=100,in_port=3,tcp,ct_state=+trk,reg0=1,action=4
685 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
686 priority=100,in_port=4,tcp,ct_state=+trk,action=3
687 ])
688
689 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
690
691 dnl HTTP requests from p0->p1 should work fine.
692 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
693 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
694
695 dnl HTTP requests from p2->p3 should work fine.
696 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
697 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
698
699 OVS_TRAFFIC_VSWITCHD_STOP
700 AT_CLEANUP
701
702 AT_SETUP([conntrack - invalid])
703 CHECK_CONNTRACK()
704 OVS_TRAFFIC_VSWITCHD_START()
705
706 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
707
708 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
709 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
710 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
711 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
712
713 dnl Pass traffic from ns0->ns1 without committing, but attempt to track in
714 dnl the opposite direction. This should fail.
715 dnl Pass traffic from ns2->ns3 without committing, and this time match
716 dnl invalid traffic and allow it through.
dnl ct() without commit only looks the packet up; with no entry, the reply
dnl SYN-ACK from port 2/4 is classified +inv, which port 2 never matches.
717 AT_DATA([flows.txt], [dnl
718 priority=1,action=drop
719 priority=10,arp,action=normal
720 priority=10,icmp,action=normal
721 priority=100,in_port=1,tcp,action=ct(),2
722 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
723 priority=100,in_port=2,ct_state=+trk+new,tcp,action=1
724 priority=100,in_port=3,tcp,action=ct(),4
725 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
726 priority=100,in_port=4,ct_state=+trk+inv,tcp,action=3
727 priority=100,in_port=4,ct_state=+trk+new,tcp,action=3
728 ])
729
730 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
731
732 dnl We set up our rules to allow the request without committing. The return
733 dnl traffic can't be identified, because the initial request wasn't committed.
734 dnl For the first pair of ports, this means that the connection fails.
dnl Exit status 4 = wget network failure (connection never completes).
735 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
736 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4])
737
738 dnl For the second pair, we allow packets from invalid connections, so it works.
739 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
740 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
741
742 OVS_TRAFFIC_VSWITCHD_STOP
743 AT_CLEANUP
744
745 AT_SETUP([conntrack - zones])
746 CHECK_CONNTRACK()
747 OVS_TRAFFIC_VSWITCHD_START()
748
749 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
750
751 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
752 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
753 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
754 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
755
756 dnl Allow any traffic from ns0->ns1. Allow return traffic, matching on zone.
757 dnl For ns2->ns3, use a different zone and see that the match fails.
dnl Port 4 looks the reply up in zone 2 but then requires ct_zone=1, so the
dnl return flow is never matched and the priority-1 drop applies.
758 AT_DATA([flows.txt], [dnl
759 priority=1,action=drop
760 priority=10,arp,action=normal
761 priority=10,icmp,action=normal
762 priority=100,in_port=1,tcp,action=ct(commit,zone=1),2
763 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
764 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
765 priority=100,in_port=3,tcp,action=ct(commit,zone=2),4
766 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0,zone=2)
767 priority=100,in_port=4,ct_state=+trk,ct_zone=1,tcp,action=3
768 ])
769
770 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
771
772 dnl HTTP requests from p0->p1 should work fine.
773 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
774 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
775
dnl The dumped entry must carry zone=1.
776 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
777 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
778 ])
779
780 dnl HTTP requests from p2->p3 should fail due to network failure.
781 dnl Try 3 times, in 1 second intervals.
782 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
783 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
784
dnl The forward SYN was still committed, so an entry exists - in zone 2 - even
dnl though the connection itself could not complete.
785 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
786 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
787 ])
788
789 OVS_TRAFFIC_VSWITCHD_STOP
790 AT_CLEANUP
791
AT_SETUP([conntrack - zones from field])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Same policy as the "zones" test above, but the zone is taken from a
dnl register (low 16 bits of REG0) rather than a literal in the action.
dnl ns0->ns1 uses zone 0x1001 (4097) in both directions and works.
dnl ns2->ns3 commits and looks up in zone 0x1002 (4098) but the reply rule
dnl requires ct_zone=0x1001, so reply packets fall to the default drop.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),2
priority=100,in_port=2,ct_state=-trk,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
priority=100,in_port=2,ct_state=+trk,ct_zone=0x1001,tcp,action=1
priority=100,in_port=3,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),4
priority=100,in_port=4,ct_state=-trk,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
dnl Deliberate mismatch: tracked in 0x1002, matched against 0x1001.
priority=100,in_port=4,ct_state=+trk,ct_zone=0x1001,tcp,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl dump-conntrack prints the zone in decimal: 0x1001 is 4097.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=4097,protoinfo=(state=<cleared>)
])

dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals. Exit status 4 is wget's network failure.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])

dnl The forward direction was committed in 0x1002 (4098) regardless of the
dnl reply being dropped.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=4098,protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
837
AT_SETUP([conntrack - multiple bridges])
CHECK_CONNTRACK()
dnl Two bridges joined by a patch-port pair. The patch ports are added here,
dnl before the veths below, so on each bridge the patch port is OpenFlow port 1
dnl and the veth is port 2 (in_port=2 on br0 is p0, in_port=2 on br1 is p1).
OVS_TRAFFIC_VSWITCHD_START(
   [_ADD_BR([br1]) --\
    add-port br0 patch+ -- set int patch+ type=patch options:peer=patch- --\
    add-port br1 patch- -- set int patch- type=patch options:peer=patch+ --])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")

dnl Allow any traffic from ns0->br1, allow established in reverse.
dnl br0 tracks in zone 1: commit on the way out to the patch port, and only let
dnl +est replies arriving from the patch port back to p0.
AT_DATA([flows-br0.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(commit,zone=1),1
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=1,action=2
])

dnl Allow any traffic from br0->ns1, allow established in reverse.
dnl br1 does its own lookup in zone 2 rather than relying on any state carried
dnl across the patch port: new connections from the patch side are committed
dnl and forwarded to p1; replies from p1 are only forwarded once +est.
AT_DATA([flows-br1.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=2)
priority=100,in_port=1,tcp,ct_state=+trk+new,ct_zone=2,action=ct(commit,zone=2),2
priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=2,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
dnl The re-commit on the established reply is harmless (entry already exists).
priority=100,in_port=2,tcp,ct_state=+trk+est,ct_zone=2,action=ct(commit,zone=2),1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
881
AT_SETUP([conntrack - multiple zones])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any traffic from ns0->ns1. Forward packets are committed into two
dnl zones (1 and 2) in a single action list; return traffic from ns1->ns0 is
dnl checked only against zone 2. Both zones must end up holding an entry for
dnl the same connection, which the dump at the end verifies.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit,zone=1),ct(commit,zone=2),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=2)
priority=100,in_port=2,ct_state=+trk,ct_zone=2,tcp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl (again) HTTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl One line per zone is expected even after two requests; the normalisation
dnl that makes that so lives in FORMAT_CT, outside this chunk.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
917
AT_SETUP([conntrack - multiple zones, local])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0)

dnl The host stack itself is the client here: give the bridge's LOCAL port an
dnl address and register its removal so a failing test does not leave it behind.
AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
AT_CHECK([ip link set dev br0 up])
on_exit 'ip addr del dev br0 "10.1.1.1/24"'
ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")

dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
dnl return traffic from ns0 back to the local stack.
dnl
dnl Note there is no icmp,action=normal rule: ICMP from the local stack goes
dnl through the same ct pipeline as TCP, which is why icmp entries show up in
dnl the dump at the end.
dnl
dnl NOTE(review): untracked (-trk) IP from LOCAL is dropped outright, and the
dnl allow rules match +trk+new / +trk+est without any preceding ct() action,
dnl so packets from the local stack must already arrive tracked for the ping
dnl and wget below to pass. Presumably the host's own conntrack has run on them
dnl before they reach the bridge - confirm before reusing this pattern.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
dnl Return path: look up in zone 1, require +est, then look up in zone 2 and
dnl require +est again before handing the packet to the local stack.
priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
table=1,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
table=2,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl HTTP requests from root namespace to p0 should work fine.
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl (again) HTTP requests from root namespace to p0 should work fine.
AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl Both the ICMP and the TCP connection must have been committed in both zones.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=1
icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=2
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
964
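AT_SETUP([conntrack - multiple namespaces, internal ports])
CHECK_CONNTRACK()
dnl fail-mode secure: with no controller the bridge must not fall back to
dnl standalone L2 learning, so only the flows installed below forward anything.
OVS_TRAFFIC_VSWITCHD_START(
   [set-fail-mode br0 secure -- ])

ADD_NAMESPACES(at_ns0, at_ns1)

dnl Unlike the veth-based tests, the endpoints are OVS internal ports moved
dnl into the namespaces, so packets go straight from a namespace stack into
dnl the datapath.
ADD_INT(p0, at_ns0, br0, "10.1.1.1/24")
ADD_INT(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any traffic from ns0->ns1. Only allow ARP and ICMP, plus tracked
dnl return traffic in zone 1, from ns1->ns0.
dnl
dnl If skb->nfct is leaking from inside the namespace, this test will fail:
dnl packets would arrive already tracked, the ct_state=-trk rules below would
dnl never match, and everything would fall to the default drop.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=1),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
])

dnl Install the policy atomically, consistent with the sibling tests, so there
dnl is no window in which only part of the rule set is present.
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl (again) HTTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
])

dnl The internal ports disappear together with their namespaces; the two sed
dnl expressions filter the resulting "No such device" warnings out of the
dnl vswitchd log so they are not treated as test failures.
OVS_TRAFFIC_VSWITCHD_STOP(["dnl
/ioctl(SIOCGIFINDEX) on .* device failed: No such device/d
/removing policing failed: No such device/d"])
AT_CLEANUP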
1004
AT_SETUP([conntrack - multi-stage pipeline, local])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0)

dnl The host stack is the client: address the LOCAL port and undo it on exit.
AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
AT_CHECK([ip link set dev br0 up])
on_exit 'ip addr del dev br0 "10.1.1.1/24"'
ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")

dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
dnl return traffic from ns0 back to the local stack.
dnl
dnl Pipeline: table 0 records the output port in REG0, table 1 is an ingress
dnl ct stage zoned by input port, table 2/3 an egress ct stage zoned by output
dnl port, table 4 outputs. A LOCAL->p0 connection therefore ends up committed
dnl in zone 65534 (ingress, LOCAL's port number) and zone 1 (egress, p0), and
dnl a reply from p0 must be +est in both before it is delivered.
dnl
dnl NOTE(review): the LOCAL rules in tables 1 and 2 match +trk+new without a
dnl preceding ct() in this pipeline, so packets from the local stack must
dnl already be tracked when they enter the bridge (presumably by the host's
dnl own conntrack) - the expected zone=65534 entries below depend on that.
AT_DATA([flows.txt], [dnl
dnl default
table=0,priority=1,action=drop
table=0,priority=10,arp,action=normal

dnl Load the output port to REG0
dnl (65534 is the OpenFlow LOCAL port number, i.e. the host stack)
table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1

dnl Ingress pipeline
dnl - Allow all connections from LOCAL port (commit and proceed to egress)
dnl - All other connections go through conntracker using the input port as
dnl   a connection tracking zone.
table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2
table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
table=1,priority=1,action=drop

dnl Egress pipeline
dnl - Allow all connections from LOCAL port (commit and skip to output)
dnl - Allow other established connections to go through conntracker using
dnl   output port as a connection tracking zone.
table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4
table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
table=2,priority=1,action=drop

dnl Only allow established traffic from egress ct lookup
table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
table=3,priority=1,action=drop

dnl output table
table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl HTTP requests from root namespace to p0 should work fine.
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl (again) HTTP requests from root namespace to p0 should work fine.
AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl Each connection (ICMP and TCP) is expected in both the ingress zone
dnl (65534) and the egress zone (1).
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=1
icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=65534
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=65534,protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1073
AT_SETUP([conntrack - ct_mark])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow traffic between ns0<->ns1 using the ct_mark.
dnl Check that different marks do not match for traffic between ns2<->ns3.
dnl
dnl ct_mark is per-connection metadata stored in the conntrack entry: it is
dnl written at commit time via exec() and is visible to later lookups of the
dnl same connection from either direction, so it can carry policy decisions
dnl from the forward path to the reply path. All tracking is in the default
dnl zone here, so only the mark distinguishes the two pairs.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
dnl p2->p3 is committed with mark 2 but the reply rule requires mark 1.
priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:2->ct_mark)),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=<cleared>)
])

dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals. Exit status 4 is wget's network failure.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])

dnl The entry exists with mark=2; it was the reply-side match that failed.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1120
AT_SETUP([conntrack - ct_mark bit-fiddling])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

dnl Only ns0 and ns1 are used; the other two namespaces are created but idle.
ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow traffic between ns0<->ns1 using the ct_mark. Return traffic should
dnl cause an additional bit to be set in the connection (and be allowed).
dnl
dnl Mark arithmetic: the first forward packet sets bits 0 and 2 (0x5/0x5),
dnl giving mark 0x5. The first reply applies value 0x2 under mask 0x6, which
dnl sets bit 1 and clears bit 2: (0x5 and not 0x6) or 0x2 = 0x3. Table 1 then
dnl requires exactly ct_mark=3 on the reply path.
dnl
dnl NOTE(review): the in_port=2 rule in table 0 commits every untracked TCP
dnl packet from p1, including unsolicited ones. Such packets create a fresh
dnl entry with mark 0x2 and are then dropped in table 1, so policy holds, but
dnl an attacker on p1 can still populate the conntrack table.
AT_DATA([flows.txt], [dnl
table=0,priority=1,action=drop
table=0,priority=10,arp,action=normal
table=0,priority=10,icmp,action=normal
table=0,priority=100,in_port=1,tcp,action=ct(table=1)
table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x2/0x6->ct_mark))
table=1,priority=100,in_port=1,ct_state=+new,tcp,action=ct(commit,exec(set_field:0x5/0x5->ct_mark)),2
table=1,priority=100,in_port=1,ct_state=-new,tcp,action=2
table=1,priority=100,in_port=2,ct_state=+trk,ct_mark=3,tcp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl Final mark after both directions have been seen.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=3,protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1155
AT_SETUP([conntrack - ct_mark from register])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Same policy as the "ct_mark" test, but the mark is copied into the
dnl connection from REG0 with a move inside exec() rather than set directly.
dnl ns0->ns1 is committed with mark 1 and its replies match ct_mark=1.
dnl ns2->ns3 is committed with mark 2 but its reply rule requires ct_mark=1,
dnl so replies fall to the default drop.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=load:1->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
priority=100,in_port=3,tcp,action=load:2->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=<cleared>)
])

dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals. Exit status 4 is wget's network failure.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])

dnl The forward direction was still committed, carrying the value moved from REG0.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1201
AT_SETUP([conntrack - ct_label])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow traffic between ns0<->ns1 using the ct_label.
dnl Check that different labels do not match for traffic between ns2<->ns3.
dnl
dnl ct_label is the wide (128-bit) counterpart of ct_mark; the value used for
dnl ns0<->ns1 is deliberately wider than 64 bits to exercise that. ns2->ns3 is
dnl committed with label 0x2 but its reply rule requires the ns0 label, so the
dnl replies fall to the default drop.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:0x0a000d000005000001->ct_label)),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=1
priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:0x2->ct_label)),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=4,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals. Exit status 4 is wget's network failure.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])

dnl No dump-conntrack check here, unlike the ct_mark test; the labels are only
dnl verified indirectly through the pass/fail of the two requests.
OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1240
AT_SETUP([conntrack - ct_label bit-fiddling])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

dnl Only ns0 and ns1 are used; the other two namespaces are created but idle.
ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow traffic between ns0<->ns1 using the ct_labels. Return traffic should
dnl cause an additional bit to be set in the connection labels (and be allowed)
dnl
dnl Label arithmetic: the first forward packet sets bits 0 and 2 (0x5/0x5),
dnl giving 0x5. The first reply applies 0x200000000 under mask 0x200000004,
dnl which sets bit 33 and clears bit 2: 0x200000000 or (0x5 and not 0x4)
dnl = 0x200000001. Table 1 then requires exactly that label on the reply path.
dnl
dnl NOTE(review): as in the ct_mark bit-fiddling test, the in_port=2 rule in
dnl table 0 commits every untracked TCP packet from p1, so unsolicited packets
dnl from p1 create conntrack entries (with label 0x200000000) before being
dnl dropped in table 1.
AT_DATA([flows.txt], [dnl
table=0,priority=1,action=drop
table=0,priority=10,arp,action=normal
table=0,priority=10,icmp,action=normal
table=0,priority=100,in_port=1,tcp,action=ct(table=1)
table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label))
table=1,priority=100,in_port=1,tcp,ct_state=+new,action=ct(commit,exec(set_field:0x5/0x5->ct_label)),2
table=1,priority=100,in_port=1,tcp,ct_state=-new,action=2
table=1,priority=100,in_port=2,ct_state=+trk,ct_label=0x200000001,tcp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl Final labels after both directions have been seen.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),labels=0x200000001,protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1275
AT_SETUP([conntrack - ct metadata, multiple zones])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

dnl Only ns0 and ns1 are used; the other two namespaces are created but idle.
ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow traffic between ns0<->ns1 using the ct_mark and ct_labels in zone=1,
dnl but do *not* set any of these for the ct() in zone=2. Traffic should pass,
dnl and we should see that the conntrack entries only apply the ct_mark and
dnl ct_labels to the connection in zone=1.
dnl
dnl The mark/label values follow the two bit-fiddling tests above: forward
dnl sets 0x5/0x5, the reply applies 0x2/0x6 (mark) and 0x200000000/0x200000004
dnl (labels), yielding mark=3 and labels=0x200000001 in zone 1 only.
dnl
dnl This is a metadata-isolation test, not a policy test: the in_port=2 rules
dnl forward any TCP from p1 to p0 (the zone 2 ct() below is a bare lookup with
dnl no state match), so do not copy these flows as a firewall example.
AT_DATA([flows.txt], [dnl
table=0,priority=1,action=drop
table=0,priority=10,arp,action=normal
table=0,priority=10,icmp,action=normal
table=0,priority=100,in_port=1,tcp,action=ct(zone=1,table=1)
table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(zone=1,table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label,set_field:0x2/0x6->ct_mark))
table=1,priority=100,in_port=1,tcp,ct_state=+new,action=ct(zone=1,commit,exec(set_field:0x5/0x5->ct_label,set_field:0x5/0x5->ct_mark)),ct(commit,zone=2),2
table=1,priority=100,in_port=1,tcp,ct_state=-new,action=ct(zone=2),2
table=1,priority=100,in_port=2,tcp,action=ct(zone=2),1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl Zone 1 carries the mark and labels; zone 2 holds the same connection with
dnl neither.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,mark=3,labels=0x200000001,protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1313
AT_SETUP([conntrack - ICMP related])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
dnl
dnl There is no blanket icmp rule: ICMP from p1 is forwarded only if conntrack
dnl flags it as +rel (an error referring to a tracked connection) and it
dnl inherits ct_mark=1 from the UDP entry it relates to. An ICMP error that
dnl does not reference a tracked connection falls to the default drop.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,udp,action=ct(commit,exec(set_field:1->ct_mark)),2
priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,icmp,ct_state=+trk+rel,ct_mark=1,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
dnl Nothing listens on 10000 in ns1, so its stack answers with ICMP type 3
dnl code 3. NC_EOF_OPT (set outside this file) carries the close-on-EOF flag
dnl of whichever netcat flavour is installed, so nc exits after the datagram.
NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])

dnl Purge the datapath flows so their packet counters are attributed to the
dnl OpenFlow rules before we read them back.
AT_CHECK([ovs-appctl revalidator/purge], [0])
dnl n_bytes=44 is the 2-byte payload ("a" plus newline) with Ethernet, IP and
dnl UDP headers; the 72-byte ICMP error carries the original IP/UDP headers
dnl and payload back. The drop rule is filtered out of the comparison.
AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
 n_packets=1, n_bytes=44, priority=100,udp,in_port=1 actions=ct(commit,exec(load:0x1->NXM_NX_CT_MARK[[]])),output:2
 n_packets=1, n_bytes=72, priority=100,ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2 actions=output:1
 n_packets=1, n_bytes=72, priority=100,ct_state=-trk,icmp,in_port=2 actions=ct(table=0)
 n_packets=2, n_bytes=84, priority=10,arp actions=NORMAL
NXST_FLOW reply:
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1348
AT_SETUP([conntrack - ICMP related 2])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "172.16.0.1/24")
ADD_VETH(p1, at_ns1, br0, "172.16.0.2/24")

dnl Crafted-packet variant of the ICMP related test: instead of real traffic,
dnl frames are injected with packet-out and observed via a controller monitor.
dnl UDP from port 1 is committed; ICMP from port 2 is tracked and only
dnl reported to the controller when it is +rel+rpl, i.e. an error that refers
dnl to an existing tracked connection. An ICMP error referencing a connection
dnl conntrack has never seen matches no rule and is dropped by the default.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,udp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=1,ip,ct_state=+trk,actions=controller
priority=100,in_port=2,ip,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,ip,ct_state=+trk+rel+rpl,action=controller
])

AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt])

dnl Capture packet-ins; 65534 is the maximum number of packet bytes to deliver,
dnl so the monitor sees whole frames.
AT_CAPTURE_FILE([ofctl_monitor.log])
AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])

dnl 1. Send an ICMP port unreach reply for port 8738, without any previous request
dnl    (the embedded header is UDP 172.16.0.3 -> 172.16.0.4, dport 0x2222).
dnl    Nothing is tracked for it, so it is not +rel and never reaches the controller.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f355ac100004ac1000030303553f0000000045000021317040004011b138ac100003ac10000411112222000d20966369616f0a'])

dnl 2. Send a UDP packet to port 5555 (172.16.0.1:41614 -> 172.16.0.2:5555)
dnl    and commit it.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit,table=0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])

dnl 3. Send an ICMP port unreach reply for port 5555, related to the previous packet
dnl    (it embeds the UDP header from step 2, so conntrack classifies it rel+rpl).
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])

dnl Check this output. We only see the latter two packets, not the first.
AT_CHECK([cat ofctl_monitor.log], [0], [dnl
NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=47 ct_state=new|trk,in_port=1 (via action) data_len=47 (unbuffered)
udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096
NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=75 ct_state=rel|rpl|trk,in_port=2 (via action) data_len=75 (unbuffered)
icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1392
AT_SETUP([conntrack - FTP])
dnl Exercises the FTP connection-tracking helper (ct alg=ftp).  The control
dnl connection is committed with the helper attached, which is what lets the
dnl data connection the server opens back in active mode match ct_state=+rel.
dnl Needs pyftpdlib, which backs the test-l7.py ftp server.
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

dnl The in_port matches below assume p0 (ns0) is OpenFlow port 1 and
dnl p1 (ns1) is port 2, i.e. the order of the ADD_VETH calls.
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any traffic from ns0->ns1.  From ns1->ns0 only allow ARP, ICMP and
dnl TCP that conntrack reports as established or related (FTP data).
AT_DATA([flows1.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
dnl Every TCP connection from port 1 is committed with the ftp helper.
priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
dnl Untracked TCP from port 2 is run through conntrack and re-enters table 0.
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
dnl Nothing from port 2 is committed, so a new connection it opens is dropped.
priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
priority=100,in_port=2,tcp,ct_state=+trk+rel,action=1
])

dnl Similar policy but without allowing all traffic from ns0->ns1: both
dnl directions are tracked, port 1 may only open new connections (committed
dnl with the helper), and port 2 may only open connections the helper has
dnl marked as related, which are then committed as well.
AT_DATA([flows2.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
priority=100,in_port=1,tcp,ct_state=+trk+est,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
priority=100,in_port=2,tcp,ct_state=+trk-new+rel,action=1
])

AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])

dnl An FTP server in each namespace, so both directions can be probed.
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])

dnl FTP requests from p1->p0 should fail: no flow admits a new connection
dnl from port 2, so wget gives up with exit status 4 (network failure).
dnl Try 3 times, in 1 second intervals.
NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp  -t 3 -T 1 -v -o wget1.log], [4])
dnl The rejected attempt was never committed, so nothing is tracked for it.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
])

dnl FTP requests from p0->p1 should work fine.  --no-passive-ftp selects
dnl active mode, so the server opens the data connection back to ns0.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Only the control connection was committed; it carries the ftp helper.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
])

dnl Try the second set of flows.  Flush conntrack so entries committed under
dnl flows1.txt cannot satisfy the +est matches of flows2.txt.
AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
AT_CHECK([ovs-appctl dpctl/flush-conntrack])

dnl FTP requests from p1->p0 should fail as before: port 2 may only open
dnl connections the helper has marked as related, and there are none.
dnl Try 3 times, in 1 second intervals.
NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp  -t 3 -T 1 -v -o wget1.log], [4])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
])

dnl Active FTP requests from p0->p1 should work fine.  This time the related
dnl data connection from port 2 is committed too, hence the second entry.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
])

AT_CHECK([ovs-appctl dpctl/flush-conntrack])

dnl Passive FTP requests from p0->p1 should work fine.  Here the client opens
dnl the data connection itself, so both entries originate from 10.1.1.1.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1474
1475
AT_SETUP([conntrack - IPv6 FTP])
dnl Same FTP helper check as the IPv4 test, over IPv6 (tcp6 matches).
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl Allow ICMPv6 both ways (needed for neighbour discovery), new FTP control
dnl connections from ns0->ns1, helper-related data connections from
dnl ns1->ns0, and established TCPv6 in either direction.  Everything else
dnl is dropped.
AT_DATA([flows.txt], [dnl
dnl Track all IPv6 traffic and drop the rest.
dnl Allow ICMPv6 both ways.  No commit, so pings will not be tracked.
table=0 priority=100 in_port=1 icmp6, action=2
table=0 priority=100 in_port=2 icmp6, action=1
table=0 priority=10 ip6, action=ct(table=1)
table=0 priority=0 action=drop
dnl
dnl Table 1
dnl
dnl Allow new TCPv6 FTP control connections from port 1.
table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
dnl Allow related TCPv6 connections from port 2.
table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1
dnl Allow established TCPv6 connections both ways.
table=1 in_port=1 ct_state=+est, tcp6, action=2
table=1 in_port=2 ct_state=+est, tcp6, action=1
dnl Drop everything else.
table=1 priority=0, action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])

NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])

dnl Active FTP requests from p0->p1 should work fine.  The IPv6 literal in
dnl the URL needs brackets, written with doubled m4 quotes so they survive.
NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])

dnl Discards CLOSE_WAIT and CLOSING
dnl Expect the control connection (with helper) plus the committed related
dnl data connection that the server opened from fc00::2.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
tcp,orig=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1530
1531
AT_SETUP([conntrack - FTP with multiple expectations])
dnl Two conntrack zones (1 and 2) act as firewalls in series.  Every
dnl connection is committed with the ftp helper in both zones, so the helper
dnl has to set up the data-connection expectation in each zone separately.
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Dual-firewall, allow all from ns0->ns1, allow established and ftp-related
dnl connections from ns1->ns0.  Port 1 traffic passes zone 1 then zone 2,
dnl port 2 traffic zone 2 then zone 1, re-entering table 0 in between.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=0,zone=2)
priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=2)
priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=0,zone=1)
priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])

dnl FTP requests from p1->p0 should fail: a new connection from port 2 is
dnl neither established nor related, so it is dropped (wget exit status 4).
dnl Try 3 times, in 1 second intervals.
NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp  -t 3 -T 1 -v -o wget1.log], [4])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
])

dnl Active FTP requests from p0->p1 should work fine.  The control connection
dnl (helper=ftp) and the related data connection each appear in both zones.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
])

AT_CHECK([ovs-appctl dpctl/flush-conntrack])

dnl Passive FTP requests from p0->p1 should work fine.  Both connections are
dnl opened by ns0, so all four entries originate from 10.1.1.1.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1592
AT_SETUP([conntrack - IPv4 fragmentation ])
dnl Echo requests larger than the link MTU arrive as IP fragments.  Conntrack
dnl has to reassemble them so the icmp match and the commit apply to the
dnl whole datagram, and the replies must then be seen as established.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Sending ping through conntrack: commit in zone 9 from port 1, and only
dnl let established (not new) ICMP back in from port 2.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Ipv4 fragmentation connectivity check (1600-byte payload).
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv4 larger fragmentation connectivity check (3200-byte payload).
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1625
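AT_SETUP([conntrack - IPv4 fragmentation expiry])
dnl Regression check for conntrack fragment handling: only the first fragment
dnl of each datagram is forwarded, so reassembly never completes and the
dnl partial state held by conntrack must expire cleanly instead of leaking
dnl or crashing the kernel.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal

dnl Only allow non-fragmented messages and 1st fragments of each message
priority=100,in_port=1,icmp,ip_frag=no,action=ct(commit,zone=9),2
dnl Fixed: the original line lacked the comma before action=, so ovs-ofctl
dnl would have read ip_frag=firstaction=... as one (invalid) match value.
priority=100,in_port=1,icmp,ip_frag=first,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Ipv4 fragmentation connectivity check: later fragments are dropped, so no
dnl reply can ever be assembled.  With a deadline (-w 2) and no replies,
dnl ping keeps sending at the 0.3s interval until the deadline, hence the
dnl 7 transmitted packets and 100% loss expected here.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 1 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
7 packets transmitted, 0 received, 100% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP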
1655
AT_SETUP([conntrack - IPv4 fragmentation + vlan])
dnl Same as the IPv4 fragmentation check, but the pings go over VLAN 100
dnl subinterfaces, so the fragments reach conntrack in 802.1Q-tagged frames.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")

dnl Sending ping through conntrack.  The matches do not mention the VLAN
dnl tag, so the same policy as the untagged test applies to tagged traffic.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Ipv4 fragmentation connectivity check (1600-byte payload, VLAN addresses).
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv4 larger fragmentation connectivity check (3200-byte payload).
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1690
AT_SETUP([conntrack - IPv6 fragmentation])
dnl IPv6 counterpart of the IPv4 fragmentation check: oversized ping6 echo
dnl requests are fragmented and must be reassembled by conntrack.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl Sending ping through conntrack.  ICMPv6 types 135/136 (neighbour
dnl solicitation/advertisement) bypass conntrack so address resolution works.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])

dnl Ipv6 fragmentation connectivity check (1600-byte payload).
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv6 larger fragmentation connectivity check (3200-byte payload).
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1729
AT_SETUP([conntrack - IPv6 fragmentation expiry])
dnl IPv6 counterpart of the IPv4 fragmentation expiry check: only first
dnl fragments are forwarded, so reassembly never completes and the pending
dnl fragment state in conntrack has to time out cleanly.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

AT_DATA([flows.txt], [dnl
priority=1,action=drop

dnl Only allow non-fragmented messages and 1st fragments of each message
priority=10,in_port=1,ipv6,ip_frag=first,action=ct(commit,zone=9),2
priority=10,in_port=1,ipv6,ip_frag=no,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1

dnl Neighbour Discovery
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])

dnl Send an IPv6 fragment. Some time later, it should expire.
dnl No reply can be assembled, so with the -w 2 deadline ping keeps sending
dnl at the 0.3s interval until the deadline: 7 transmitted, 100% loss.
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 1 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
7 packets transmitted, 0 received, 100% packet loss, time 0ms
])

dnl At this point, the kernel will either crash or everything is OK.
dnl The test asserts nothing further; surviving the teardown is the check.

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1769
AT_SETUP([conntrack - IPv6 fragmentation + vlan])
dnl Same as the IPv6 fragmentation check, but the pings go over VLAN 100
dnl subinterfaces (fc00:1::/96), so the fragments arrive in tagged frames.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

ADD_VLAN(p0, at_ns0, 100, "fc00:1::3/96")
ADD_VLAN(p1, at_ns1, 100, "fc00:1::4/96")

dnl Sending ping through conntrack.  ICMPv6 neighbour discovery (types
dnl 135/136) bypasses conntrack so address resolution works.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])

dnl IPv6 fragmentation connectivity check (1600-byte payload, VLAN addresses).
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl IPv6 larger fragmentation connectivity check (3200-byte payload).
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1811
AT_SETUP([conntrack - Fragmentation over vxlan])
dnl Fragmented pings that arrive encapsulated in VXLAN: the inner packets are
dnl decapsulated on the OVS tunnel port, run through conntrack zone 9 and
dnl delivered to the bridge-local port; replies take the reverse path.
OVS_CHECK_VXLAN()
CHECK_CONNTRACK()

OVS_TRAFFIC_VSWITCHD_START()
dnl br-underlay carries the outer (encapsulated) traffic and simply switches.
ADD_BR([br-underlay])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Sending ping through conntrack.  in_port=1 is presumably the vxlan port
dnl added below (the only port on br0); LOCAL is the bridge interface.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),LOCAL
priority=100,in_port=LOCAL,icmp,action=ct(table=1,zone=9)
table=1,priority=100,in_port=LOCAL,ct_state=+trk+est,icmp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
                  [id 0 dstport 4789])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with different packet sizes: unfragmented,
dnl then payloads that need two and three fragments inside the tunnel.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1862
AT_SETUP([conntrack - IPv6 Fragmentation over vxlan])
dnl IPv6 counterpart of the VXLAN fragmentation check: the overlay addresses
dnl are IPv6 (fc00::/96) while the underlay stays IPv4.
OVS_CHECK_VXLAN()
CHECK_CONNTRACK()

OVS_TRAFFIC_VSWITCHD_START()
dnl br-underlay carries the outer (encapsulated) traffic and simply switches.
ADD_BR([br-underlay])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Sending ping through conntrack.  in_port=1 is presumably the vxlan port
dnl added below (the only port on br0); LOCAL is the bridge interface.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=100,in_port=1,ipv6,action=ct(commit,zone=9),LOCAL
priority=100,in_port=LOCAL,ipv6,action=ct(table=1,zone=9)
table=1,priority=100,in_port=LOCAL,ct_state=+trk+est,ipv6,action=1

dnl Neighbour Discovery
priority=1000,icmp6,icmp_type=135,action=normal
priority=1000,icmp6,icmp_type=136,action=normal
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], ["fc00::2/96"])
ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], ["fc00::1/96"],
                  [id 0 dstport 4789])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with different packet sizes: unfragmented,
dnl then payloads that need two and three fragments inside the tunnel.
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1921
AT_SETUP([conntrack - resubmit to ct multiple times])
dnl A single packet is resubmitted to tables 1 and 2, each of which sends it
dnl through ct(table=3).  Both recirculated copies must reach table 3, which
dnl is verified through the flow counters below (2 packets, 196 bytes).
CHECK_CONNTRACK()

dnl Secure fail mode, so the bridge does not fall back to normal switching
dnl for anything the installed flows do not cover.
OVS_TRAFFIC_VSWITCHD_START(
   [set-fail-mode br0 secure -- ])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

AT_DATA([flows.txt], [dnl
table=0,priority=150,arp,action=normal
table=0,priority=100,ip,in_port=1,action=resubmit(,1),resubmit(,2)

table=1,priority=100,ip,action=ct(table=3)
table=2,priority=100,ip,action=ct(table=3)

table=3,ip,action=drop
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl Table 3 drops, so the ping is expected to get no reply.
NS_CHECK_EXEC([at_ns0], [ping -q -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
1 packets transmitted, 0 received, 100% packet loss, time 0ms
])

dnl One 98-byte echo request: counted once in table 0, once in each of
dnl tables 1 and 2, and twice in table 3 (one recirculation per ct action).
AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort], [0], [dnl
 n_packets=1, n_bytes=98, priority=100,ip,in_port=1 actions=resubmit(,1),resubmit(,2)
 n_packets=2, n_bytes=84, priority=150,arp actions=NORMAL
 table=1, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
 table=2, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
 table=3, n_packets=2, n_bytes=196, ip actions=drop
NXST_FLOW reply:
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1960
1961
AT_SETUP([conntrack - simple SNAT])
dnl Source-NAT traffic from ns0 to an address in 10.1.1.240-10.1.1.255 and
dnl answer ARP for that range on behalf of p0, so that ns1 can reach the
dnl translated address and replies are un-NATed on the way back.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0: the ARP responder below hands it out for the NAT range.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any traffic from ns0->ns1, SNATed when committed in zone 1.  From
dnl ns1->ns0, untracked IP goes through conntrack with NAT reversal and
dnl anything conntrack has then seen (ct_state=+trk, new or not) is
dnl forwarded; ARP is handled by the responder tables.
AT_DATA([flows.txt], [dnl
in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)
in_port=2,ct_state=+trk,ct_zone=1,ip,action=1
dnl
dnl ARP
dnl ARP requests: save the target IP in reg2, look its MAC up in table 8,
dnl then let table 10 either forward normally or synthesise a reply.
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0,action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, i.e. the SNAT range above.
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])

dnl The translated source is picked from 10.1.1.240-255, so the sed masks
dnl the last two digits of the reply destination before comparing.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2006
2007
AT_SETUP([conntrack - SNAT with port range])
dnl Like the simple SNAT test, but the translation also rewrites the source
dnl port, choosing randomly from 34567-34568, and the return path only
dnl admits TCP aimed at one of those two ports.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0: the ARP responder below hands it out for the NAT range.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any TCP from ns0->ns1, SNATed (address and port) when committed in
dnl zone 1.  From ns1->ns0, only TCP to the two NAT ports is sent through
dnl conntrack with NAT reversal; anything conntrack has then seen is
dnl forwarded.  ARP is handled by the responder tables.
AT_DATA([flows.txt], [dnl
in_port=1,tcp,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255:34567-34568,random)),2
in_port=2,ct_state=-trk,tcp,tp_dst=34567,action=ct(table=0,zone=1,nat)
in_port=2,ct_state=-trk,tcp,tp_dst=34568,action=ct(table=0,zone=1,nat)
in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
dnl
dnl ARP
dnl ARP requests: save the target IP in reg2, look its MAC up in table 8,
dnl then let table 10 either forward normally or synthesise a reply.
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0,action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, i.e. the SNAT range above.
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])

dnl The translated source is picked from 10.1.1.240-255, so the sed masks
dnl the last two digits of the reply destination before comparing.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2053
2054
AT_SETUP([conntrack - more complex SNAT])
dnl SNAT again, but every IP packet first passes conntrack in table 0 and the
dnl forwarding decision is made in table 1 from the resulting ct_state, so
dnl new connections are only accepted from ns0 and ns1 gets established only.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0: the ARP responder below hands it out for the NAT range.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

AT_DATA([flows.txt], [dnl
dnl Track all IP traffic, NAT existing connections.
priority=100 ip action=ct(table=1,zone=1,nat)
dnl
dnl Allow ARP, but generate responses for NATed addresses
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0 action=drop
dnl
dnl Allow any traffic from ns0->ns1. SNAT ns0 to 10.1.1.240-10.1.1.255
dnl (the NAT binding is created on commit of the first packet only).
table=1 priority=100 in_port=1 ip ct_state=+trk+new-est action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
table=1 priority=100 in_port=1 ip ct_state=+trk-new+est action=2
dnl Only allow established traffic from ns1->ns0.
table=1 priority=100 in_port=2 ip ct_state=+trk-new+est action=1
table=1 priority=0 action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, i.e. the SNAT range above.
table=8 priority=100 reg2=0x0a0101f0/0xfffffff0 action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
table=8 priority=0 action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl ARP TPA IP in reg2.
table=10 priority=100 arp xreg0=0 action=normal
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=10 arp arp_op=1 action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])

dnl The translated source is picked from 10.1.1.240-255, so the sed masks
dnl the last two digits of the reply destination before comparing.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2105
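AT_SETUP([conntrack - simple DNAT])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])

dnl Policy: ns0 (port 1) may open any IP connection to ns1 (port 2), and
dnl connections to the virtual address 10.1.1.64 are DNATed to 10.1.1.2.
dnl ns1 may only send packets of connections that ns0 has already committed
dnl in zone 1; any other IP packet from port 2 falls to the priority 0 drop.
dnl ARP requests for the virtual address are answered by the switch itself
dnl (tables 8 and 10), all other ARP is handled by the normal action.
AT_DATA([flows.txt], [dnl
dnl New traffic from port 1 to the virtual address: DNAT to 10.1.1.2 and commit.
priority=100 in_port=1,ip,nw_dst=10.1.1.64,action=ct(zone=1,nat(dst=10.1.1.2),commit),2
dnl Any other IP traffic from port 1: track and commit without NAT.
priority=10 in_port=1,ip,action=ct(commit,zone=1),2
dnl Untracked packets from port 2: run them through conntrack (reverse NAT is
dnl applied for known connections) and resubmit to table 0 as tracked.
priority=100 in_port=2,ct_state=-trk,ip,action=ct(table=0,nat,zone=1)
dnl Only packets of established zone 1 connections may go back to port 1.
priority=100 in_port=2,ct_state=+trk+est,ct_zone=1,ip,action=1
dnl
dnl ARP
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0,action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
table=10 priority=100 arp xreg0=0 action=normal
dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is cleared before the output because OpenFlow does not send a
dnl packet back out of its ingress port otherwise.
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Should work with the virtual IP address through NAT
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])

dnl The reply direction must already carry the real server address.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
])

dnl Should work with the assigned IP address as well
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
])

dnl New connections from ns1->ns0 must not get through: a SYN from port 2 is
dnl resubmitted as +trk+new, matches no in_port=2 rule and is dropped.
dnl wget exits with 4 (network failure) once its connection attempts time out.
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log], [4])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP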
2159
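AT_SETUP([conntrack - more complex DNAT])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])

dnl Policy: every IP packet is first run through conntrack in zone 1 (NAT is
dnl applied to connections that already have a mapping) and then classified
dnl in table 1 by connection state.  ns0 (port 1) may open any connection
dnl to ns1 (port 2), with 10.1.1.64 DNATed to 10.1.1.2.  ns1 may only send
dnl packets of connections that are already established.  Everything else
dnl is dropped.
AT_DATA([flows.txt], [dnl
dnl Track all IP traffic
table=0 priority=100 ip action=ct(table=1,zone=1,nat)
dnl
dnl Allow ARP, but generate responses for NATed addresses
table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
table=0 priority=10 arp action=normal
table=0 priority=0 action=drop
dnl
dnl Allow any IP traffic from ns0->ns1. DNAT ns0 from 10.1.1.64 to 10.1.1.2
table=1 priority=100 in_port=1 ct_state=+new ip nw_dst=10.1.1.64 action=ct(zone=1,nat(dst=10.1.1.2),commit),2
table=1 priority=10 in_port=1 ct_state=+new ip action=ct(commit,zone=1),2
table=1 priority=100 in_port=1 ct_state=+est ct_zone=1 action=2
dnl Only allow established traffic from ns1->ns0.
table=1 priority=100 in_port=2 ct_state=+est ct_zone=1 action=1
table=1 priority=0 action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
table=10 priority=100 arp xreg0=0 action=normal
dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is cleared before the output because OpenFlow does not send a
dnl packet back out of its ingress port otherwise.
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Should work with the virtual IP address through NAT
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])

AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
])

dnl Should work with the assigned IP address as well
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
])

dnl New connections from ns1->ns0 must not get through: a SYN from port 2
dnl reaches table 1 as +new, matches only the priority 0 drop there.
dnl wget exits with 4 (network failure) once its connection attempts time out.
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log], [4])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP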
2219
AT_SETUP([conntrack - ICMP related with NAT])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
dnl Make sure ICMP responses are reverse-NATted.
dnl The three policy flows below carry the default priority (32768), so they
dnl take precedence over the priority 100 ARP responder and the priority 0
dnl drop that follow them.  TCP and other IP traffic is dropped either way.
AT_DATA([flows.txt], [dnl
dnl UDP from port 1: SNAT to an address in 10.1.1.240-255, commit, and mark
dnl the connection with ct_mark=1 so that the related ICMP rule below only
dnl accepts ICMP tied to a connection created here.
in_port=1,udp,action=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:1->ct_mark)),2
dnl Untracked ICMP from port 2: run it through conntrack with reverse NAT
dnl (the outer destination becomes 10.1.1.1 again, which the nw_dst match
dnl below relies on) and resubmit to table 0.
in_port=2,icmp,ct_state=-trk,action=ct(table=0,nat)
dnl Only ICMP related to a marked connection and addressed to the real
dnl client is let through to port 1.
in_port=2,icmp,nw_dst=10.1.1.1,ct_state=+trk+rel,ct_mark=1,action=1
dnl
dnl ARP
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0,action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl The whole SNAT range 10.1.1.240/28 resolves to the MAC of p0.
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is cleared before the output because OpenFlow does not send a
dnl packet back out of its ingress port otherwise.
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
dnl Nothing listens on 10.1.1.2:10000.  NC_EOF_OPT makes nc exit after its
dnl input is sent instead of waiting for a reply that never comes.
NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])

dnl Flush datapath flows so that the OpenFlow statistics below are complete.
dnl The expected counters show one UDP packet out, one ICMP error in, and the
dnl ICMP error passing the +rel,ct_mark=1 rule after reverse NAT.
AT_CHECK([ovs-appctl revalidator/purge], [0])
AT_CHECK([ovs-ofctl -O OpenFlow15 dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
 n_packets=1, n_bytes=42, priority=10,arp actions=NORMAL
 n_packets=1, n_bytes=44, udp,in_port=1 actions=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:0x1->ct_mark)),output:2
 n_packets=1, n_bytes=72, ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2,nw_dst=10.1.1.1 actions=output:1
 n_packets=1, n_bytes=72, ct_state=-trk,icmp,in_port=2 actions=ct(table=0,nat)
 n_packets=2, n_bytes=84, priority=100,arp,arp_op=1 actions=move:NXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
 table=10, n_packets=1, n_bytes=42, priority=10,arp,arp_op=1 actions=set_field:2->arp_op,move:NXM_NX_ARP_SHA[[]]->NXM_NX_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_NX_ARP_SHA[[]],move:NXM_OF_ARP_SPA[[]]->NXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->NXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],set_field:0->in_port,output:NXM_NX_REG3[[0..15]]
 table=10, n_packets=1, n_bytes=42, priority=100,arp,reg0=0,reg1=0 actions=NORMAL
 table=8, n_packets=1, n_bytes=42, priority=0 actions=set_field:0->xreg0
 table=8, n_packets=1, n_bytes=42, reg2=0xa0101f0/0xfffffff0 actions=set_field:0x808888888888->xreg0
OFPST_FLOW reply (OF1.5):
])

dnl The SNAT source is picked from 10.1.1.240-255, so mask the last octet of
dnl the reply destination before comparing.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),mark=1
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2278
2279
AT_SETUP([conntrack - FTP with NAT])
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
CHECK_CONNTRACK()

OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Policy: ns0 (10.1.1.1, port 1) may open FTP control connections (tcp/21)
dnl to ns1 (port 2); they are SNATed to 10.1.1.240 and tracked with the ftp
dnl helper.  From ns1 only established TCP, new TCP connections that the
dnl helper marked as related (active mode data connections opened by the
dnl server towards the NAT address) and related ICMP are allowed back.
dnl Everything else is dropped.

AT_DATA([flows.txt], [dnl
dnl track all IP traffic, de-mangle non-NEW connections
table=0 in_port=1, ip, action=ct(table=1,nat)
table=0 in_port=2, ip, action=ct(table=2,nat)
dnl
dnl ARP
dnl
table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
table=0 priority=10 arp action=normal
table=0 priority=0 action=drop
dnl
dnl Table 1: port 1 -> 2
dnl
dnl Allow new FTP connections. These need to be committed.
dnl The ftp helper inspects the control channel so that the data connection
dnl can later be recognized as related.
table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
dnl Allow established TCP connections, make sure they are NATted already.
table=1 ct_state=+est, tcp, nw_src=10.1.1.240,     action=2
dnl
dnl Table 1: droppers
dnl
table=1 priority=10, tcp, action=drop
table=1 priority=0,action=drop
dnl
dnl Table 2: port 2 -> 1
dnl
dnl Allow established TCP connections, make sure they are reverse NATted
table=2 ct_state=+est, tcp, nw_dst=10.1.1.1, action=1
dnl Allow (new) related (data) connections.  These need to be committed.
dnl With --no-passive-ftp below the server opens the data connection to the
dnl client, so it arrives here addressed to the NAT address.
table=2 ct_state=+new+rel, tcp, nw_dst=10.1.1.240, action=ct(commit,nat),1
dnl Allow related ICMP packets, make sure they are reverse NATted
table=2 ct_state=+rel, icmp, nw_dst=10.1.1.1, action=1
dnl
dnl Table 2: droppers
dnl
table=2 priority=10, tcp, action=drop
table=2 priority=0, action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl The whole 10.1.1.240/28 range resolves to the MAC of p0.
dnl
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is cleared before the output because OpenFlow does not send a
dnl packet back out of its ingress port otherwise.
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Start the FTP server in ns1 and wait until it is actually listening.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])

dnl FTP requests from p0->p1 should work fine.
dnl Active mode (--no-passive-ftp) so that the data connection is opened by
dnl the server, which is what the +new+rel rule in table 2 is for.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])

dnl Two entries: the control connection (with the ftp helper attached) and
dnl the server-initiated data connection towards the NAT address, both
dnl mapped back to the real client 10.1.1.1.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2359
2360
AT_SETUP([conntrack - FTP with NAT 2])
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Variant of the FTP with NAT test above: table 0 only tracks (no nat)
dnl and NAT is applied per rule in table 1.  Policy is the same: ns0 may
dnl open FTP control connections (SNATed to 10.1.1.240), and from ns1 only
dnl established TCP, related new TCP (active mode data connections) and
dnl related ICMP may come back.  Everything else is dropped.
AT_DATA([flows.txt], [dnl
dnl track all IP traffic (this includes a helper call to non-NEW packets.)
table=0 ip, action=ct(table=1)
dnl
dnl ARP
dnl
table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
table=0 priority=10 arp action=normal
table=0 priority=0 action=drop
dnl
dnl Table 1
dnl
dnl Allow new FTP connections. These need to be committed.
dnl This does helper for new packets.
table=1 in_port=1 ct_state=+new, tcp, tp_dst=21, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
dnl Allow and NAT established TCP connections
dnl Unlike the previous test, the NAT mapping is applied here rather than
dnl in table 0.
table=1 in_port=1 ct_state=+est, tcp,     action=ct(nat),2
table=1 in_port=2 ct_state=+est, tcp,     action=ct(nat),1
dnl Allow and NAT (new) related active (data) connections.
dnl These need to be committed.
table=1 in_port=2 ct_state=+new+rel, tcp, action=ct(commit,nat),1
dnl Allow related ICMP packets.
table=1 in_port=2 ct_state=+rel, icmp,    action=ct(nat),1
dnl Drop everything else.
table=1 priority=0, action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl The whole 10.1.1.240/28 range resolves to the MAC of p0.
dnl
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is cleared before the output because OpenFlow does not send a
dnl packet back out of its ingress port otherwise.
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Start the FTP server in ns1 and wait until it is actually listening.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])

dnl FTP requests from p0->p1 should work fine.
dnl Active mode so that the data connection is opened by the server.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])

dnl Discards CLOSE_WAIT and CLOSING
dnl Two entries: the control connection (with the ftp helper attached) and
dnl the server-initiated data connection towards the NAT address.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2428
AT_SETUP([conntrack - IPv6 HTTP with NAT])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl Static neighbor entry for the NAT address, so that ns1 can reach
dnl fc00::240 without it being a real address on any interface.
NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])

dnl Allow any IPv6 traffic from ns0->ns1, SNATed to fc00::240.  From ns1->ns0
dnl only allow ICMPv6 (which carries neighbor discovery) and the reply
dnl direction of established connections.  New connections from ns1 are
dnl dropped, which the second wget below verifies.
AT_DATA([flows.txt], [dnl
dnl Anything not matched by the rules below is dropped.
priority=1,action=drop
dnl ICMPv6 (neighbor discovery included) is switched normally in both
dnl directions once it has not been claimed by a higher priority rule.
priority=10,icmp6,action=normal
dnl ns0->ns1: SNAT to fc00::240 and commit.
priority=100,in_port=1,ip6,action=ct(commit,nat(src=fc00::240)),2
dnl Untracked IPv6 from ns1: run through conntrack with reverse NAT and
dnl resubmit to table 0 as tracked.
priority=100,in_port=2,ct_state=-trk,ip6,action=ct(nat,table=0)
dnl Only established connections may flow from ns1 to ns0.
priority=100,in_port=2,ct_state=+trk+est,ip6,action=1
dnl Neighbor solicitations from ns1 for the NAT address fc00::240 are
dnl DNATed to fc00::1 and committed, presumably so that ns0 answers them
dnl as if they were for its own address (TODO confirm; ns1 also has the
dnl static neighbor entry added above).
priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::240,action=ct(commit,nat(dst=fc00::1)),1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])

dnl HTTP requests from ns0->ns1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])

NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl HTTP requests from ns1->ns0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
dnl wget exit status 4 is "network failure": the SYNs from ns1 are dropped,
dnl so every connection attempt times out.
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2469
2470
AT_SETUP([conntrack - IPv6 FTP with NAT])
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl Would be nice if NAT could translate neighbor discovery messages, too.
dnl Until then ns1 gets a static neighbor entry for the NAT address.
NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])

dnl Policy: ns0 (fc00::1, port 1) may open FTP control connections (tcp/21)
dnl to ns1 (port 2); they are SNATed to fc00::240 and tracked with the ftp
dnl helper.  From ns1 only established TCP and new TCP connections that the
dnl helper marked as related (active mode data connections towards the NAT
dnl address) are allowed back.  ICMPv6 passes untracked in both directions.
dnl Everything else is dropped.
AT_DATA([flows.txt], [dnl
dnl Allow other ICMPv6 both ways (without commit).
table=1 priority=100 in_port=1 icmp6, action=2
table=1 priority=100 in_port=2 icmp6, action=1
dnl track all IPv6 traffic (this includes NAT & help to non-NEW packets.)
table=0 priority=10 ip6, action=ct(nat,table=1)
table=0 priority=0 action=drop
dnl
dnl Table 1
dnl
dnl Allow new TCPv6 FTP control connections.
table=1 in_port=1 ct_state=+new tcp6 ipv6_src=fc00::1 tp_dst=21  action=ct(alg=ftp,commit,nat(src=fc00::240)),2
dnl Allow related TCPv6 connections from port 2 to the NATted address.
dnl These are the active mode data connections opened by the server.
table=1 in_port=2 ct_state=+new+rel tcp6 ipv6_dst=fc00::240 action=ct(commit,nat),1
dnl Allow established TCPv6 connections both ways, enforce NATting
dnl (the address matches only hold if table 0 already applied the mapping).
table=1 in_port=1 ct_state=+est tcp6 ipv6_src=fc00::240   action=2
table=1 in_port=2 ct_state=+est tcp6 ipv6_dst=fc00::1     action=1
dnl Drop everything else.
table=1 priority=0, action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])

dnl Start the FTP server in ns1 and wait until it is actually listening.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])

dnl FTP requests from p0->p1 should work fine.
dnl Active mode so that the data connection is opened by the server.
NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])

dnl Discards CLOSE_WAIT and CLOSING
dnl Two entries: the control connection (with the ftp helper attached) and
dnl the server-initiated data connection towards the NAT address.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
tcp,orig=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2528
AT_SETUP([conntrack - DNAT load balancing])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns1, at_ns2, at_ns3, at_ns4)

ADD_VETH(p1, at_ns1, br0, "10.1.1.1/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.2/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.3/24")
ADD_VETH(p4, at_ns4, br0, "10.1.1.4/24")
dnl Fixed MACs so that the static routing table (table 4) below can rewrite
dnl the destination MAC without relying on learning.
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:11])
NS_CHECK_EXEC([at_ns2], [ip link set dev p2 address 80:88:88:88:88:22])
NS_CHECK_EXEC([at_ns3], [ip link set dev p3 address 80:88:88:88:88:33])
NS_CHECK_EXEC([at_ns4], [ip link set dev p4 address 80:88:88:88:88:44])

dnl Select group for load balancing.  One bucket per server.  Each bucket
dnl tracks and NATs the connection and recirculates to table 4 for egress
dnl routing.  Packets of existing connections are always NATted based on
dnl connection state, only new connections are NATted according to the
dnl specific NAT parameters in each bucket.
AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn add-group br0 "group_id=234,type=select,bucket=weight=100,ct(nat(dst=10.1.1.2),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.3),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.4),commit,table=4)"])

AT_DATA([flows.txt], [dnl
dnl Track connections to the virtual IP address.
table=0 priority=100 ip nw_dst=10.1.1.64 action=group:234
dnl All other IP traffic is allowed but the connection state is not committed.
dnl Replies from the servers are reverse NATed here on their way to table 4.
table=0 priority=90 ip action=ct(table=4,nat)
dnl
dnl Allow ARP, but generate responses for virtual addresses
table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
table=0 priority=10 arp action=normal
table=0 priority=0 action=drop
dnl
dnl Routing table
dnl Static mapping from (already NATed) destination IP to MAC and port.
dnl
table=4,ip,nw_dst=10.1.1.1 action=mod_dl_dst:80:88:88:88:88:11,output:1
table=4,ip,nw_dst=10.1.1.2 action=mod_dl_dst:80:88:88:88:88:22,output:2
table=4,ip,nw_dst=10.1.1.3 action=mod_dl_dst:80:88:88:88:88:33,output:3
table=4,ip,nw_dst=10.1.1.4 action=mod_dl_dst:80:88:88:88:88:44,output:4
table=4 priority=0 action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
table=10 priority=100 arp xreg0=0 action=normal
dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is cleared before the output because OpenFlow does not send a
dnl packet back out of its ingress port otherwise.
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
dnl NOTE(review): the other conntrack tests drop here; sending leftover ARP
dnl to the controller is presumably a debugging aid, no controller is
dnl connected in this test.
table=10 priority=0 action=controller
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Start web servers
NETNS_DAEMONIZE([at_ns2], [[$PYTHON $srcdir/test-l7.py]], [http2.pid])
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http3.pid])
NETNS_DAEMONIZE([at_ns4], [[$PYTHON $srcdir/test-l7.py]], [http4.pid])

dnl Dump flow state when the test exits, to help debug a failure.
on_exit 'ovs-ofctl -O OpenFlow15 dump-flows br0'
on_exit 'ovs-appctl revalidator/purge'
on_exit 'ovs-appctl dpif/dump-flows br0'

dnl Should work with the virtual IP address through NAT
for i in 1 2 3 4 5 6 7 8 9 10 11 12; do
    echo Request $i
    NS_CHECK_EXEC([at_ns1], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget$i.log])
done

dnl Each server should have at least one connection.
dnl NOTE(review): bucket selection in a select group is hash based, so with
dnl 12 requests this is very likely but not strictly guaranteed.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.3,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
])

dnl Diagnostic output only; nothing below is asserted on.
ovs-appctl dpif/dump-flows br0
ovs-appctl revalidator/purge
ovs-ofctl -O OpenFlow15 dump-flows br0
ovs-ofctl -O OpenFlow15 dump-group-stats br0

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2613
2614
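AT_SETUP([conntrack - DNAT load balancing with NC])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns1, at_ns2, at_ns3, at_ns4, at_ns5)

ADD_VETH(p1, at_ns1, br0, "10.1.1.1/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.2/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.3/24")
ADD_VETH(p4, at_ns4, br0, "10.1.1.4/24")
ADD_VETH(p5, at_ns5, br0, "10.1.1.5/24")
dnl Fixed MACs so that the static routing table (table 4) below can rewrite
dnl the destination MAC without relying on learning.
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:11])
NS_CHECK_EXEC([at_ns2], [ip link set dev p2 address 80:88:88:88:88:22])
NS_CHECK_EXEC([at_ns3], [ip link set dev p3 address 80:88:88:88:88:33])
NS_CHECK_EXEC([at_ns4], [ip link set dev p4 address 80:88:88:88:88:44])
NS_CHECK_EXEC([at_ns5], [ip link set dev p5 address 80:88:88:88:88:55])

dnl Select group for load balancing.  One bucket per server.  Each bucket
dnl tracks and NATs the connection and recirculates to table 4 for egress
dnl routing.  Packets of existing connections are always NATted based on
dnl connection state, only new connections are NATted according to the
dnl specific NAT parameters in each bucket.
AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn add-group br0 "group_id=234,type=select,bucket=weight=100,ct(nat(dst=10.1.1.2),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.3),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.4),commit,table=4)"])

AT_DATA([flows.txt], [dnl
dnl Track connections to the virtual IP address.
table=0 priority=100 ip nw_dst=10.1.1.64 action=group:234
dnl All other IP traffic is allowed but the connection state is not committed.
dnl Replies from the servers are reverse NATed here on their way to table 4.
table=0 priority=90 ip action=ct(table=4,nat)
dnl
dnl Allow ARP, but generate responses for virtual addresses
table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
table=0 priority=10 arp action=normal
table=0 priority=0 action=drop
dnl
dnl Routing table
dnl Static mapping from (already NATed) destination IP to MAC and port.
dnl
table=4,ip,nw_dst=10.1.1.1 action=mod_dl_dst:80:88:88:88:88:11,output:1
table=4,ip,nw_dst=10.1.1.2 action=mod_dl_dst:80:88:88:88:88:22,output:2
table=4,ip,nw_dst=10.1.1.3 action=mod_dl_dst:80:88:88:88:88:33,output:3
table=4,ip,nw_dst=10.1.1.4 action=mod_dl_dst:80:88:88:88:88:44,output:4
table=4,ip,nw_dst=10.1.1.5 action=mod_dl_dst:80:88:88:88:88:55,output:5
table=4 priority=0 action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
table=10 priority=100 arp xreg0=0 action=normal
dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is cleared before the output because OpenFlow does not send a
dnl packet back out of its ingress port otherwise.
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
dnl NOTE(review): the other conntrack tests drop here; sending leftover ARP
dnl to the controller is presumably a debugging aid, no controller is
dnl connected in this test.
table=10 priority=0 action=controller
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Start web servers.  ns5 runs no server, it is a second client.
NETNS_DAEMONIZE([at_ns2], [[$PYTHON $srcdir/test-l7.py]], [http2.pid])
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http3.pid])
NETNS_DAEMONIZE([at_ns4], [[$PYTHON $srcdir/test-l7.py]], [http4.pid])

dnl Dump flow state when the test exits, to help debug a failure.
on_exit 'ovs-ofctl -O OpenFlow15 dump-flows br0'
on_exit 'ovs-appctl revalidator/purge'
on_exit 'ovs-appctl dpif/dump-flows br0'

dnl Give the web servers time to start listening.
sleep 5

dnl Should work with the virtual IP address through NAT.  Both clients use
dnl the same fixed source ports, so their 5-tuples differ only in the source
dnl address.  NC_EOF_OPT (presumably defined by the test harness, as in the
dnl ICMP related test above) makes nc exit once its input has been sent
dnl instead of waiting for the server to close the connection, which would
dnl otherwise make this loop hang with some nc variants.
for i in 1 2 3 4 5 6 7 8 9; do
    echo Request $i
    NS_CHECK_EXEC([at_ns1], [echo "TEST1" | nc $NC_EOF_OPT -p 4100$i 10.1.1.64 80 > nc-1-$i.log])
    NS_CHECK_EXEC([at_ns5], [echo "TEST5" | nc $NC_EOF_OPT -p 4100$i 10.1.1.64 80 > nc-5-$i.log])
done

dnl Diagnostic output only; nothing below is asserted on.  Only the nc
dnl invocations above succeeding is checked in this test.
conntrack -L 2>&1

ovs-appctl dpif/dump-flows br0
ovs-appctl revalidator/purge
ovs-ofctl -O OpenFlow15 dump-flows br0
ovs-ofctl -O OpenFlow15 dump-group-stats br0

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP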