1 AT_BANNER([datapath-sanity])
dnl Basic datapath sanity: with a single "actions=normal" flow on br0, two
dnl namespaces attached through veth pairs must be able to ping each other.
dnl The -s 1600 and -s 3200 pings are larger than a 1500-byte Ethernet MTU,
dnl presumably so that fragmented packets also traverse the datapath.
3 AT_SETUP([datapath - ping between two ports])
4 OVS_TRAFFIC_VSWITCHD_START()
6 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
8 ADD_NAMESPACES(at_ns0, at_ns1)
10 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
11 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl FORMAT_PING appears to normalise the ping summary line so that the
dnl timing figure always compares as "time 0ms"; only the packet counts
dnl and loss percentage are really being checked.
13 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
14 3 packets transmitted, 3 received, 0% packet loss, time 0ms
16 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
17 3 packets transmitted, 3 received, 0% packet loss, time 0ms
19 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
20 3 packets transmitted, 3 received, 0% packet loss, time 0ms
23 OVS_TRAFFIC_VSWITCHD_STOP
dnl Same two-port topology as the ping test, but with a TCP application on
dnl top: test-l7.py is daemonised inside at_ns1 (pid file http0.pid) and
dnl wget from at_ns0 must succeed. wget's -t 3 -T 1 --retry-connrefused
dnl gives the server time to start listening before the test gives up.
26 AT_SETUP([datapath - http between two ports])
27 OVS_TRAFFIC_VSWITCHD_START()
29 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
31 ADD_NAMESPACES(at_ns0, at_ns1)
33 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
34 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
36 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
37 3 packets transmitted, 3 received, 0% packet loss, time 0ms
40 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
41 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
43 OVS_TRAFFIC_VSWITCHD_STOP
dnl VLAN variant of the ping test: each namespace gets an 802.1Q
dnl sub-interface with tag 100 on top of its veth, addressed from
dnl 10.2.2.0/24. The pings target the VLAN addresses, so the "normal"
dnl action must forward tagged frames between the two ports.
46 AT_SETUP([datapath - ping between two ports on vlan])
47 OVS_TRAFFIC_VSWITCHD_START()
49 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
51 ADD_NAMESPACES(at_ns0, at_ns1)
53 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
54 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
56 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
57 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
59 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
60 3 packets transmitted, 3 received, 0% packet loss, time 0ms
62 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
63 3 packets transmitted, 3 received, 0% packet loss, time 0ms
65 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
66 3 packets transmitted, 3 received, 0% packet loss, time 0ms
69 OVS_TRAFFIC_VSWITCHD_STOP
dnl IPv6 variant of the two-port ping test using the fc00::/96 ULA range.
72 AT_SETUP([datapath - ping6 between two ports])
73 OVS_TRAFFIC_VSWITCHD_START()
75 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
77 ADD_NAMESPACES(at_ns0, at_ns1)
79 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
80 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
82 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
83 dnl waiting, we get occasional failures due to the following error:
84 dnl "connect: Cannot assign requested address"
dnl OVS_WAIT_UNTIL retries the single ping until it succeeds (or the macro's
dnl own timeout expires), so the checks below start from a settled stack.
85 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
87 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
88 3 packets transmitted, 3 received, 0% packet loss, time 0ms
90 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
91 3 packets transmitted, 3 received, 0% packet loss, time 0ms
93 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
94 3 packets transmitted, 3 received, 0% packet loss, time 0ms
97 OVS_TRAFFIC_VSWITCHD_STOP
dnl IPv6 over VLAN 100: the readiness wait pings the untagged address
dnl (fc00::2) while the actual checks target the tagged sub-interface
dnl addresses in fc00:1::/96.
100 AT_SETUP([datapath - ping6 between two ports on vlan])
101 OVS_TRAFFIC_VSWITCHD_START()
103 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
105 ADD_NAMESPACES(at_ns0, at_ns1)
107 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
108 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
110 ADD_VLAN(p0, at_ns0, 100, "fc00:1::1/96")
111 ADD_VLAN(p1, at_ns1, 100, "fc00:1::2/96")
113 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
114 dnl waiting, we get occasional failures due to the following error:
115 dnl "connect: Cannot assign requested address"
116 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
118 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
119 3 packets transmitted, 3 received, 0% packet loss, time 0ms
121 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
122 3 packets transmitted, 3 received, 0% packet loss, time 0ms
124 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
125 3 packets transmitted, 3 received, 0% packet loss, time 0ms
128 OVS_TRAFFIC_VSWITCHD_STOP
dnl Overlay/underlay topology shared by the tunnel tests:
dnl   br-underlay (172.31.1.100) <-veth-> at_ns0 p0 (172.31.1.1)
dnl   br0 at_vxlan0 (10.1.1.100) <-vxlan over the underlay-> at_ns0
dnl   at_vxlan1 (10.1.1.1, native kernel device)
dnl The OVS tunnel port's remote is the namespace's underlay address and the
dnl kernel tunnel's remote is the bridge's underlay address, so encapsulated
dnl traffic crosses br-underlay in both directions.
131 AT_SETUP([datapath - ping over vxlan tunnel])
134 OVS_TRAFFIC_VSWITCHD_START()
135 ADD_BR([br-underlay])
137 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
138 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
140 ADD_NAMESPACES(at_ns0)
142 dnl Set up underlay link from host into the namespace using veth pair.
143 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
144 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
145 AT_CHECK([ip link set dev br-underlay up])
147 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
148 dnl linux device inside the namespace.
149 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
150 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
153 dnl First, check the underlay
154 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
155 3 packets transmitted, 3 received, 0% packet loss, time 0ms
158 dnl Okay, now check the overlay with different packet sizes
dnl The 1600/3200-byte overlay pings exceed the MTU after encapsulation
dnl overhead is added, so this also covers fragmentation of tunnelled
dnl packets.
159 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
160 3 packets transmitted, 3 received, 0% packet loss, time 0ms
162 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
163 3 packets transmitted, 3 received, 0% packet loss, time 0ms
165 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
166 3 packets transmitted, 3 received, 0% packet loss, time 0ms
169 OVS_TRAFFIC_VSWITCHD_STOP
dnl GRE variant of the tunnel ping test. The OVS side is a plain "gre"
dnl port; the kernel side is a "gretap" device, i.e. Ethernet-over-GRE, so
dnl that the inner frames carry an Ethernet header like the OVS port expects.
172 AT_SETUP([datapath - ping over gre tunnel])
175 OVS_TRAFFIC_VSWITCHD_START()
176 ADD_BR([br-underlay])
178 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
179 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
181 ADD_NAMESPACES(at_ns0)
183 dnl Set up underlay link from host into the namespace using veth pair.
184 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
185 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
186 AT_CHECK([ip link set dev br-underlay up])
188 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
189 dnl linux device inside the namespace.
190 ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
191 ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24])
193 dnl First, check the underlay
194 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
195 3 packets transmitted, 3 received, 0% packet loss, time 0ms
198 dnl Okay, now check the overlay with different packet sizes
199 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
200 3 packets transmitted, 3 received, 0% packet loss, time 0ms
202 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
203 3 packets transmitted, 3 received, 0% packet loss, time 0ms
205 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
206 3 packets transmitted, 3 received, 0% packet loss, time 0ms
209 OVS_TRAFFIC_VSWITCHD_STOP
dnl Geneve variant of the tunnel ping test; same underlay/overlay layout as
dnl the vxlan and gre cases, with at_gnv0 on br0 and ns_gnv0 in at_ns0.
212 AT_SETUP([datapath - ping over geneve tunnel])
215 OVS_TRAFFIC_VSWITCHD_START()
216 ADD_BR([br-underlay])
218 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
219 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
221 ADD_NAMESPACES(at_ns0)
223 dnl Set up underlay link from host into the namespace using veth pair.
224 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
225 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
226 AT_CHECK([ip link set dev br-underlay up])
228 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
229 dnl linux device inside the namespace.
230 ADD_OVS_TUNNEL([geneve], [br0], [at_gnv0], [172.31.1.1], [10.1.1.100/24])
231 ADD_NATIVE_TUNNEL([geneve], [ns_gnv0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
234 dnl First, check the underlay
235 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
236 3 packets transmitted, 3 received, 0% packet loss, time 0ms
239 dnl Okay, now check the overlay with different packet sizes
240 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
241 3 packets transmitted, 3 received, 0% packet loss, time 0ms
243 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
244 3 packets transmitted, 3 received, 0% packet loss, time 0ms
246 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
247 3 packets transmitted, 3 received, 0% packet loss, time 0ms
250 OVS_TRAFFIC_VSWITCHD_STOP
dnl Truncate action test. Port layout on br0 (OpenFlow port numbers in
dnl parentheses): p0 in at_ns0 is the sender on ovs-p0(1); the veth pairs
dnl ovs-p1(2)/p1(3) and ovs-p2(4)/p2(5) are *both* ends plugged into br0, so
dnl whatever is output to port 2 comes straight back in on port 3, and
dnl output to 4 comes back on 5. The in_port=3 / in_port=5 drop flows exist
dnl only so that their n_bytes counters reveal the size of the looped-back
dnl packet (truncated vs. original).
253 AT_SETUP([datapath - basic truncate action])
254 OVS_TRAFFIC_VSWITCHD_START()
255 AT_CHECK([ovs-ofctl del-flows br0])
257 dnl Create p0 and ovs-p0(1)
258 ADD_NAMESPACES(at_ns0)
259 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC addresses and a static ARP entry so the UDP packet from nc
dnl has a predictable dl_dst for the flows below and no ARP exchange is
dnl needed (10.1.1.2 does not actually exist).
260 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
261 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
263 dnl Create p1(3) and ovs-p1(2), packets received from ovs-p1 will appear in p1
264 AT_CHECK([ip link add p1 type veth peer name ovs-p1])
265 on_exit 'ip link del ovs-p1'
266 AT_CHECK([ip link set dev ovs-p1 up])
267 AT_CHECK([ip link set dev p1 up])
268 AT_CHECK([ovs-vsctl add-port br0 ovs-p1 -- set interface ovs-p1 ofport_request=2])
269 dnl Use p1 to check the truncated packet
270 AT_CHECK([ovs-vsctl add-port br0 p1 -- set interface p1 ofport_request=3])
272 dnl Create p2(5) and ovs-p2(4)
273 AT_CHECK([ip link add p2 type veth peer name ovs-p2])
274 on_exit 'ip link del ovs-p2'
275 AT_CHECK([ip link set dev ovs-p2 up])
276 AT_CHECK([ip link set dev p2 up])
277 AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=4])
278 dnl Use p2 to check the truncated packet
279 AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=5])
dnl Case 1: one truncated copy (max_len=100) to port 2 and one full copy
dnl to port 4.
282 AT_CHECK([ovs-ofctl del-flows br0])
283 AT_DATA([flows.txt], [dnl
284 in_port=3 dl_dst=e6:66:c1:22:22:22 actions=drop
285 in_port=5 dl_dst=e6:66:c1:22:22:22 actions=drop
286 in_port=1 dl_dst=e6:66:c1:22:22:22 actions=output(port=2,max_len=100),output:4
288 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
290 dnl use this file as payload file for ncat
dnl 200 random payload bytes; on the wire that is ETH(14)+IP(20)+UDP(8)+200
dnl = 242 bytes, which is the "original size" the counters below refer to.
291 AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
292 on_exit 'rm -f payload200.bin'
293 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])
295 dnl packet with truncated size
dnl revalidator/purge flushes datapath flows so their byte counts are
dnl pushed up into the OpenFlow flow stats before dump-flows reads them.
296 AT_CHECK([ovs-appctl revalidator/purge], [0])
297 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
300 dnl packet with original size
301 AT_CHECK([ovs-appctl revalidator/purge], [0])
302 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
306 dnl more complicated output actions
dnl Case 2: a mix of truncated and untruncated outputs to both ports;
dnl max_len values at or above the packet size (200 is not, 65535 is)
dnl must leave the packet intact.
307 AT_CHECK([ovs-ofctl del-flows br0])
308 AT_DATA([flows.txt], [dnl
309 in_port=3 dl_dst=e6:66:c1:22:22:22 actions=drop
310 in_port=5 dl_dst=e6:66:c1:22:22:22 actions=drop
311 in_port=1 dl_dst=e6:66:c1:22:22:22 actions=output(port=2,max_len=100),output:4,output(port=2,max_len=100),output(port=4,max_len=100),output:2,output(port=4,max_len=200),output(port=2,max_len=65535)
313 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
315 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])
317 dnl 100 + 100 + 242 + min(65535,242) = 684
318 AT_CHECK([ovs-appctl revalidator/purge], [0])
319 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
322 dnl 242 + 100 + min(242,200) = 542
323 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
327 dnl SLOW_ACTION: disable kernel datapath truncate support
328 dnl Repeat the test above, but exercise the SLOW_ACTION code path
dnl NOTE: "diabled" below is the daemon's literal reply string that the
dnl test asserts on; keep it verbatim.
329 AT_CHECK([ovs-appctl dpif/disable-truncate], [0],
330 [Datapath truncate action diabled
333 dnl SLOW_ACTION test1: check datapath actions
dnl With truncate unsupported in the datapath, ofproto/trace must report
dnl the flow as slow-pathed to userspace rather than installing a
dnl datapath flow with trunc() actions.
334 AT_CHECK([ovs-ofctl del-flows br0])
335 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
338 AT_CHECK([ovs-appctl ofproto/trace system 'in_port(2),eth(src=e6:66:c1:11:11:11,dst=e6:66:c1:22:22:22),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=6,tos=4,ttl=128,frag=no),tcp(src=8,dst=9)'], [0], [stdout])
339 AT_CHECK([tail -3 stdout], [0],
340 [Datapath actions: trunc(100),3,5,trunc(100),3,trunc(100),5,3,trunc(200),5,trunc(65535),3
341 This flow is handled by the userspace slow path because it:
342 - Uses action(s) not supported by datapath.
346 dnl SLOW_ACTION test2: check actual packet truncate
dnl Same byte-count expectations as case 2, now produced by the userspace
dnl slow path.
347 AT_CHECK([ovs-ofctl del-flows br0])
348 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
349 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])
351 dnl 100 + 100 + 242 + min(65535,242) = 684
352 AT_CHECK([ovs-appctl revalidator/purge], [0])
353 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
357 dnl 242 + 100 + min(242,200) = 542
358 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
362 OVS_TRAFFIC_VSWITCHD_STOP
365 dnl Create 2 bridges and 2 namespaces to test truncate over
367 dnl br0: overlay bridge
368 dnl ns1: connect to br0, with IP:10.1.1.2
369 dnl br-underlay: with IP: 172.31.1.100
370 dnl ns0: connect to br-underlay, with IP: 10.1.1.1
dnl br0 port numbers: at_gre0(1) tunnel port, ovs-p1(2) towards at_ns1,
dnl ovs-p2(3)/p2(4) a veth pair with both ends on br0 used as a loopback
dnl whose in_port=4 counters expose the size of a truncated packet.
371 AT_SETUP([datapath - truncate and output to gre tunnel])
373 OVS_TRAFFIC_VSWITCHD_START()
375 ADD_BR([br-underlay])
376 ADD_NAMESPACES(at_ns0)
377 ADD_NAMESPACES(at_ns1)
378 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
379 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
381 dnl Set up underlay link from host into the namespace using veth pair.
382 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
383 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
384 AT_CHECK([ip link set dev br-underlay up])
386 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
387 dnl linux device inside the namespace.
388 ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
389 ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24])
390 AT_CHECK([ovs-vsctl -- set interface at_gre0 ofport_request=1])
dnl Static MACs and ARP entries on both sides avoid any ARP traffic, which
dnl the priority=1 drop flow below would otherwise swallow.
391 NS_CHECK_EXEC([at_ns0], [ip link set dev ns_gre0 address e6:66:c1:11:11:11])
392 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
394 dnl Set up (p1 and ovs-p1) at br0
395 ADD_VETH(p1, at_ns1, br0, '10.1.1.2/24')
396 AT_CHECK([ovs-vsctl -- set interface ovs-p1 ofport_request=2])
397 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
398 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
400 dnl Set up (p2 and ovs-p2) as loopback for verifying packet size
401 AT_CHECK([ip link add p2 type veth peer name ovs-p2])
402 on_exit 'ip link del ovs-p2'
403 AT_CHECK([ip link set dev ovs-p2 up])
404 AT_CHECK([ip link set dev p2 up])
405 AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=3])
406 AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=4])
408 dnl use this file as payload file for ncat
409 AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
410 on_exit 'rm -f payload200.bin'
dnl br0 policy: packets arriving from the tunnel (1) are truncated and sent
dnl to at_ns1 (2) and to the loopback (3); UDP from at_ns1 (2) is truncated
dnl and pushed into the tunnel (1). Everything else is dropped.
412 AT_CHECK([ovs-ofctl del-flows br0])
413 AT_DATA([flows.txt], [dnl
414 priority=99,in_port=1,actions=output(port=2,max_len=100),output(port=3,max_len=100)
415 priority=99,in_port=2,udp,actions=output(port=1,max_len=100)
416 priority=1,in_port=4,ip,actions=drop
417 priority=1,actions=drop
419 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
dnl br-underlay policy: only GRE (nw_proto=47) passes between the
dnl namespace side (1) and the bridge's local port; its in_port=LOCAL
dnl counter measures the encapsulated, truncated packet.
421 AT_CHECK([ovs-ofctl del-flows br-underlay])
422 AT_DATA([flows-underlay.txt], [dnl
423 priority=99,dl_type=0x0800,nw_proto=47,in_port=1,actions=LOCAL
424 priority=99,dl_type=0x0800,nw_proto=47,in_port=LOCAL,ip_dst=172.31.1.1/24,actions=1
425 priority=1,actions=drop
428 AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])
430 dnl check tunnel push path, from at_ns1 to at_ns0
431 NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
432 AT_CHECK([ovs-appctl revalidator/purge], [0])
434 dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
435 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
438 dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
439 AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
443 dnl check tunnel pop path, from at_ns0 to at_ns1
444 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 5678 < payload200.bin])
445 dnl After truncation = 100 byte at loopback device p2(4)
446 AT_CHECK([ovs-appctl revalidator/purge], [0])
447 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | awk --field-separator=', ' '{print $5}'], [0], [dnl
451 dnl SLOW_ACTION: disable datapath truncate support
452 dnl Repeat the test above, but exercise the SLOW_ACTION code path
dnl NOTE: "diabled" below is the daemon's literal reply string that the
dnl test asserts on; keep it verbatim.
453 AT_CHECK([ovs-appctl dpif/disable-truncate], [0],
454 [Datapath truncate action diabled
457 dnl SLOW_ACTION test1: check datapath actions
dnl The traced packet enters on datapath port 5 (the at_ns1 side); the
dnl expected actions show the truncate happening before the tunnel push.
458 AT_CHECK([ovs-ofctl del-flows br0])
459 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
462 AT_CHECK([ovs-appctl ofproto/trace system 'in_port(5),eth(src=e6:66:c1:11:11:11,dst=e6:66:c1:22:22:22),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=17,tos=4,ttl=128,frag=no),udp(src=8,dst=9)'], [0], [stdout])
463 AT_CHECK([tail -3 stdout], [0],
464 [Datapath actions: trunc(100),set(tunnel(dst=172.31.1.1,ttl=64,flags(df))),4
465 This flow is handled by the userspace slow path because it:
466 - Uses action(s) not supported by datapath.
470 dnl SLOW_ACTION test2: check actual packet truncate
dnl Re-run both directions with the same 242B / 138B / 100B expectations,
dnl now produced by the userspace slow path.
471 AT_CHECK([ovs-ofctl del-flows br0])
472 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
473 AT_CHECK([ovs-ofctl del-flows br-underlay])
474 AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])
476 dnl check tunnel push path, from at_ns1 to at_ns0
477 NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
478 AT_CHECK([ovs-appctl revalidator/purge], [0])
480 dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
481 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
484 dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
485 AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
489 dnl check tunnel pop path, from at_ns0 to at_ns1
490 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 5678 < payload200.bin])
491 dnl After truncation = 100 byte at loopback device p2(4)
492 AT_CHECK([ovs-appctl revalidator/purge], [0])
493 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | awk --field-separator=', ' '{print $5}'], [0], [dnl
497 OVS_TRAFFIC_VSWITCHD_STOP
dnl Conntrack with controller delivery. Port 1 (at_ns0) may open UDP
dnl "connections", which are committed and also sent to the controller;
dnl port 2 (at_ns1) is first run through ct() and only reaches the
dnl controller when the packet belongs to an established entry. A reply
dnl that arrives before any request is therefore not +est and falls
dnl through to the priority=1 drop.
500 AT_SETUP([conntrack - controller])
502 OVS_TRAFFIC_VSWITCHD_START()
504 ADD_NAMESPACES(at_ns0, at_ns1)
506 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
507 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
509 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
510 AT_DATA([flows.txt], [dnl
511 priority=1,action=drop
512 priority=10,arp,action=normal
513 priority=100,in_port=1,udp,action=ct(commit),controller
514 priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
515 priority=100,in_port=2,ct_state=+trk+est,udp,action=controller
518 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl ovs-ofctl monitor acts as the controller here; every packet-in lands in
dnl ofctl_monitor.log, which is the evidence checked at the end.
520 AT_CAPTURE_FILE([ofctl_monitor.log])
521 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
dnl The packets are injected with packet-out rather than from the
dnl namespaces so the test controls the exact 42-byte UDP frames (see
dnl total_len=42 below) and their order.
523 dnl Send an unsolicited reply from port 2. This should be dropped.
524 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
526 dnl OK, now start a new connection from port 1.
527 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit\),controller '50540000000a50540000000908004500001c00000000001100000a0101010a0101020001000200080000'])
529 dnl Now try a reply from port 2.
530 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
532 dnl Check this output. We only see the latter two packets, not the first.
dnl The second packet-in carries ct_state=est|rpl|trk, i.e. the reply was
dnl matched against the entry committed by the port-1 packet.
533 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
534 NXT_PACKET_IN2 (xid=0x0): total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
535 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
536 NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
537 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
540 OVS_TRAFFIC_VSWITCHD_STOP
dnl Stateful one-way policy over real TCP: ns0 may initiate to ns1
dnl (committed on the way out), ns1 may only send packets that conntrack
dnl classifies as part of an established connection. A connection
dnl initiated from ns1 never gets committed and so never becomes +est.
543 AT_SETUP([conntrack - IPv4 HTTP])
545 OVS_TRAFFIC_VSWITCHD_START()
547 ADD_NAMESPACES(at_ns0, at_ns1)
549 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
550 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
552 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
553 AT_DATA([flows.txt], [dnl
554 priority=1,action=drop
555 priority=10,arp,action=normal
556 priority=10,icmp,action=normal
557 priority=100,in_port=1,tcp,action=ct(commit),2
558 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
559 priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
562 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
564 dnl HTTP requests from ns0->ns1 should work fine.
565 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
566 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl FORMAT_CT(10.1.1.2) selects the entries for that address and blanks
dnl the volatile fields (ports, TCP state) as "<cleared>".
568 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
569 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
572 dnl HTTP requests from ns1->ns0 should fail due to network failure.
573 dnl Try 3 times, in 1 second intervals.
dnl Exit status 4 is wget's "network failure" code; NS_CHECK_EXEC expects
dnl it explicitly so the drop is asserted rather than tolerated.
574 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
575 NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log], [4])
577 OVS_TRAFFIC_VSWITCHD_STOP
dnl IPv6 version of the one-way HTTP policy. There is no ARP in IPv6, so
dnl the icmp6 "normal" rule is what lets neighbour discovery through while
dnl everything else not matched by the tcp6 rules is dropped.
580 AT_SETUP([conntrack - IPv6 HTTP])
582 OVS_TRAFFIC_VSWITCHD_START()
584 ADD_NAMESPACES(at_ns0, at_ns1)
586 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
587 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
589 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
590 AT_DATA([flows.txt], [dnl
591 priority=1,action=drop
592 priority=10,icmp6,action=normal
593 priority=100,in_port=1,tcp6,action=ct(commit),2
594 priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
595 priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
598 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
600 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
601 dnl waiting, we get occasional failures due to the following error:
602 dnl "connect: Cannot assign requested address"
603 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
605 dnl HTTP requests from ns0->ns1 should work fine.
dnl "http6" tells test-l7.py to listen on IPv6; the doubled brackets in the
dnl wget URL are m4 quoting for a literal "[fc00::2]".
606 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])
608 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
610 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
611 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
614 dnl HTTP requests from ns1->ns0 should fail due to network failure.
615 dnl Try 3 times, in 1 second intervals.
616 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
617 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
619 OVS_TRAFFIC_VSWITCHD_STOP
dnl Exercises ct(...,table=0) recirculation. Every port first sends
dnl untracked (-trk) packets through ct() back into table 0, and the +trk
dnl rule then forwards. Ports 3/4 additionally require that the metadata
dnl field written before the first ct() survives recirculation: the packet
dnl must come back with metadata=0, be re-stamped to 1 and committed, and
dnl only then be output on the metadata=1 rule.
622 AT_SETUP([conntrack - commit, recirc])
624 OVS_TRAFFIC_VSWITCHD_START()
626 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
628 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
629 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
630 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
631 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
633 dnl Allow any traffic from ns0->ns1, ns2->ns3.
634 AT_DATA([flows.txt], [dnl
635 priority=1,action=drop
636 priority=10,arp,action=normal
637 priority=10,icmp,action=normal
638 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
639 priority=100,in_port=1,tcp,ct_state=+trk,action=2
640 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
641 priority=100,in_port=2,tcp,ct_state=+trk,action=1
642 priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
643 priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
644 priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
645 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
646 priority=100,in_port=4,tcp,ct_state=+trk,action=3
649 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
651 dnl HTTP requests from p0->p1 should work fine.
652 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
653 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
655 dnl HTTP requests from p2->p3 should work fine.
656 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
657 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
659 OVS_TRAFFIC_VSWITCHD_STOP
dnl Same shape as "commit, recirc", but the value that must survive the
dnl ct() recirculation is held in NXM_NX_REG0 instead of the metadata
dnl field: port 3 loads 0, recirculates, matches reg0=0, loads 1, commits
dnl and recirculates again, and forwards only on reg0=1.
662 AT_SETUP([conntrack - preserve registers])
664 OVS_TRAFFIC_VSWITCHD_START()
666 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
668 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
669 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
670 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
671 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
673 dnl Allow any traffic from ns0->ns1, ns2->ns3.
674 AT_DATA([flows.txt], [dnl
675 priority=1,action=drop
676 priority=10,arp,action=normal
677 priority=10,icmp,action=normal
678 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
679 priority=100,in_port=1,tcp,ct_state=+trk,action=2
680 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
681 priority=100,in_port=2,tcp,ct_state=+trk,action=1
682 priority=100,in_port=3,tcp,ct_state=-trk,action=load:0->NXM_NX_REG0[[]],ct(table=0)
683 priority=100,in_port=3,tcp,ct_state=+trk,reg0=0,action=load:1->NXM_NX_REG0[[]],ct(commit,table=0)
684 priority=100,in_port=3,tcp,ct_state=+trk,reg0=1,action=4
685 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
686 priority=100,in_port=4,tcp,ct_state=+trk,action=3
689 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
691 dnl HTTP requests from p0->p1 should work fine.
692 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
693 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
695 dnl HTTP requests from p2->p3 should work fine.
696 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
697 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
699 OVS_TRAFFIC_VSWITCHD_STOP
dnl Behaviour of reply traffic whose forward direction was tracked but
dnl never committed. Without a committed entry the reply is classified as
dnl invalid (+inv), not +new, so the first port pair (which only accepts
dnl +new from port 2) fails. The second pair adds an explicit +inv accept
dnl on port 4, which lets the untracked reply through. Note that accepting
dnl +inv means reply-direction packets are no longer tied to a connection
dnl the policy committed; it is done here purely to demonstrate the state.
702 AT_SETUP([conntrack - invalid])
704 OVS_TRAFFIC_VSWITCHD_START()
706 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
708 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
709 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
710 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
711 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
713 dnl Pass traffic from ns0->ns1 without committing, but attempt to track in
714 dnl the opposite direction. This should fail.
715 dnl Pass traffic from ns2->ns3 without committing, and this time match
716 dnl invalid traffic and allow it through.
717 AT_DATA([flows.txt], [dnl
718 priority=1,action=drop
719 priority=10,arp,action=normal
720 priority=10,icmp,action=normal
721 priority=100,in_port=1,tcp,action=ct(),2
722 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
723 priority=100,in_port=2,ct_state=+trk+new,tcp,action=1
724 priority=100,in_port=3,tcp,action=ct(),4
725 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
726 priority=100,in_port=4,ct_state=+trk+inv,tcp,action=3
727 priority=100,in_port=4,ct_state=+trk+new,tcp,action=3
730 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
732 dnl We set up our rules to allow the request without committing. The return
733 dnl traffic can't be identified, because the initial request wasn't committed.
734 dnl For the first pair of ports, this means that the connection fails.
735 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
736 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4])
738 dnl For the second pair, we allow packets from invalid connections, so it works.
739 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
740 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
742 OVS_TRAFFIC_VSWITCHD_STOP
dnl Conntrack zone isolation. ns0->ns1 is committed and looked up in zone
dnl 1 and the reply rule matches ct_zone=1, so it works. ns2->ns3 is
dnl committed and looked up in zone 2, but the port-4 reply rule still
dnl requires ct_zone=1; the lookup was done in zone 2, so the match fails
dnl and the reply is dropped. The dump-conntrack checks confirm each
dnl connection was recorded in its own zone.
745 AT_SETUP([conntrack - zones])
747 OVS_TRAFFIC_VSWITCHD_START()
749 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
751 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
752 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
753 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
754 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
756 dnl Allow any traffic from ns0->ns1. Allow return traffic, matching on zone.
757 dnl For ns2->ns3, use a different zone and see that the match fails.
758 AT_DATA([flows.txt], [dnl
759 priority=1,action=drop
760 priority=10,arp,action=normal
761 priority=10,icmp,action=normal
762 priority=100,in_port=1,tcp,action=ct(commit,zone=1),2
763 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
764 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
765 priority=100,in_port=3,tcp,action=ct(commit,zone=2),4
766 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0,zone=2)
767 priority=100,in_port=4,ct_state=+trk,ct_zone=1,tcp,action=3
770 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
772 dnl HTTP requests from p0->p1 should work fine.
773 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
774 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
776 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
777 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
780 dnl HTTP requests from p2->p3 should fail due to network failure.
781 dnl Try 3 times, in 1 second intervals.
782 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
783 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl The zone-2 entry exists (the SYN was committed); only the reply path
dnl was blocked by the mismatched ct_zone match.
785 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
786 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
789 OVS_TRAFFIC_VSWITCHD_STOP
dnl Same zone-isolation scenario as "conntrack - zones", but the zone is
dnl taken from the low 16 bits of REG0 rather than written literally in the
dnl ct() action. 0x1001 and 0x1002 show up as zone=4097 and zone=4098 in
dnl the conntrack dump. The port-4 reply rule again matches ct_zone=0x1001
dnl while the lookup ran in zone 0x1002, so the p2->p3 reply is dropped.
792 AT_SETUP([conntrack - zones from field])
794 OVS_TRAFFIC_VSWITCHD_START()
796 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
798 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
799 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
800 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
801 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
803 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
804 AT_DATA([flows.txt], [dnl
805 priority=1,action=drop
806 priority=10,arp,action=normal
807 priority=10,icmp,action=normal
808 priority=100,in_port=1,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),2
809 priority=100,in_port=2,ct_state=-trk,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
810 priority=100,in_port=2,ct_state=+trk,ct_zone=0x1001,tcp,action=1
811 priority=100,in_port=3,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),4
812 priority=100,in_port=4,ct_state=-trk,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
813 priority=100,in_port=4,ct_state=+trk,ct_zone=0x1001,tcp,action=3
816 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
818 dnl HTTP requests from p0->p1 should work fine.
819 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
820 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
822 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
823 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=4097,protoinfo=(state=<cleared>)
826 dnl HTTP requests from p2->p3 should fail due to network failure.
827 dnl Try 3 times, in 1 second intervals.
828 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
829 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
831 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
832 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=4098,protoinfo=(state=<cleared>)
835 OVS_TRAFFIC_VSWITCHD_STOP
838 AT_SETUP([conntrack - multiple bridges])
dnl Two bridges joined by a patch-port pair. Each bridge runs its own conntrack
dnl policy in its own zone (br0 zone 1, br1 zone 2), so a single ns0->ns1
dnl connection is committed twice, once per bridge.
840 OVS_TRAFFIC_VSWITCHD_START(
842 add-port br0 patch+ -- set int patch+ type=patch options:peer=patch- --\
843 add-port br1 patch- -- set int patch- type=patch options:peer=patch+ --])
845 ADD_NAMESPACES(at_ns0, at_ns1)
847 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
848 ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")
850 dnl br0: allow any new TCP from ns0 towards br1 (commit in zone 1); from the
dnl patch port only established traffic in zone 1 goes back to ns0.
dnl NOTE(review): the patch port is added before p0, so it is presumably port 1
dnl and p0 is port 2 on br0 (and likewise patch- is 1, p1 is 2 on br1); confirm.
851 AT_DATA([flows-br0.txt], [dnl
852 priority=1,action=drop
853 priority=10,arp,action=normal
854 priority=10,icmp,action=normal
855 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(commit,zone=1),1
856 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
857 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=1,action=2
860 dnl br1: new connections arriving from br0 are committed in zone 2 and sent
dnl to ns1; from ns1 only established traffic in zone 2 is passed back (and
dnl re-committed).
861 AT_DATA([flows-br1.txt], [dnl
862 priority=1,action=drop
863 priority=10,arp,action=normal
864 priority=10,icmp,action=normal
865 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=2)
866 priority=100,in_port=1,tcp,ct_state=+trk+new,ct_zone=2,action=ct(commit,zone=2),2
867 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=2,action=2
868 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
869 priority=100,in_port=2,tcp,ct_state=+trk+est,ct_zone=2,action=ct(commit,zone=2),1
872 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
873 AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt])
875 dnl HTTP requests from p0->p1 should work fine.
876 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
877 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl No conntrack dump is asserted here; the successful fetch is the only check.
879 OVS_TRAFFIC_VSWITCHD_STOP
882 AT_SETUP([conntrack - multiple zones])
884 OVS_TRAFFIC_VSWITCHD_START()
886 ADD_NAMESPACES(at_ns0, at_ns1)
888 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
889 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
891 dnl Allow any TCP from ns0->ns1 and commit it in two zones in one action list
dnl (zone 1, then zone 2). Return traffic from ns1 is looked up in zone 2 only
dnl and must match ct_zone=2; ARP and ICMP are switched normally.
892 AT_DATA([flows.txt], [dnl
893 priority=1,action=drop
894 priority=10,arp,action=normal
895 priority=10,icmp,action=normal
896 priority=100,in_port=1,tcp,action=ct(commit,zone=1),ct(commit,zone=2),2
897 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=2)
898 priority=100,in_port=2,ct_state=+trk,ct_zone=2,tcp,action=1
901 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
903 dnl HTTP requests from p0->p1 should work fine.
904 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
905 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
907 dnl (again) HTTP requests from p0->p1 should work fine.
dnl A second, separate connection after the first one has been committed.
908 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl One entry per zone is expected for the same 5-tuple.
910 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
911 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
912 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
915 OVS_TRAFFIC_VSWITCHD_STOP
918 AT_SETUP([conntrack - multiple zones, local])
920 OVS_TRAFFIC_VSWITCHD_START()
922 ADD_NAMESPACES(at_ns0)
dnl The bridge's own internal port gets an address so that the root
dnl namespace's stack is the client (in_port=LOCAL); the address is removed on exit.
924 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
925 AT_CHECK([ip link set dev br0 up])
926 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
927 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
929 dnl Allow IP traffic from the local stack to ns0, committing every new or
930 dnl established packet in zone 1 and zone 2. From ns0 only ARP and traffic
dnl that is established in zone 1 (table 1) and then also in zone 2 (table 2)
dnl is allowed back to the local stack.
dnl NOTE(review): untracked IP from LOCAL is dropped outright and no flow here
dnl sends it through ct(), so this presumably relies on packets from the local
dnl stack arriving already tracked by the host's own conntrack; confirm, as the
dnl test would fail otherwise.
931 AT_DATA([flows.txt], [dnl
932 priority=1,action=drop
933 priority=10,arp,action=normal
934 priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
935 priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
936 priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
937 priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
938 table=1,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
939 table=2,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
942 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl ICMP is plain ip here, so the pings are tracked and committed as well.
944 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
945 3 packets transmitted, 3 received, 0% packet loss, time 0ms
948 dnl HTTP requests from root namespace to p0 should work fine.
949 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
950 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
952 dnl (again) HTTP requests from root namespace to p0 should work fine.
953 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Both the ICMP and the TCP connection must appear once per zone. The grep
dnl keeps only entries that carry a zone, presumably to hide any entry the host
dnl stack tracked outside the zones used here.
955 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
956 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=1
957 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=2
958 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
959 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
962 OVS_TRAFFIC_VSWITCHD_STOP
965 AT_SETUP([conntrack - multiple namespaces, internal ports])
dnl Same ns0->ns1 policy as the veth tests, but the namespaces are attached via
dnl OVS internal ports, and the bridge is put in secure fail mode so it does not
dnl fall back to normal switching on its own.
967 OVS_TRAFFIC_VSWITCHD_START(
968 [set-fail-mode br0 secure -- ])
970 ADD_NAMESPACES(at_ns0, at_ns1)
972 ADD_INT(p0, at_ns0, br0, "10.1.1.1/24")
973 ADD_INT(p1, at_ns1, br0, "10.1.1.2/24")
975 dnl Allow any new TCP from ns0->ns1, committed in zone 1. From ns1 only ARP,
dnl ICMP and traffic tracked in zone 1 is allowed back.
977 dnl If skb->nfct is leaking from inside the namespace, this test will fail.
978 AT_DATA([flows.txt], [dnl
979 priority=1,action=drop
980 priority=10,arp,action=normal
981 priority=10,icmp,action=normal
982 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=1),2
983 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
984 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
dnl Style: the other tests in this file use --bundle for add-flows.
987 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
989 dnl HTTP requests from p0->p1 should work fine.
990 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
991 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
993 dnl (again) HTTP requests from p0->p1 should work fine.
994 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
996 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
997 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
dnl The two sed expressions drop ovs-vswitchd log lines that are expected here,
dnl presumably because the internal ports disappear together with their
dnl namespaces at teardown.
1000 OVS_TRAFFIC_VSWITCHD_STOP(["dnl
1001 /ioctl(SIOCGIFINDEX) on .* device failed: No such device/d
1002 /removing policing failed: No such device/d"])
1005 AT_SETUP([conntrack - multi-stage pipeline, local])
dnl Zones are derived from ports: the ingress lookup uses the input port and the
dnl egress lookup uses the output port saved in REG0. LOCAL is port 65534, so a
dnl LOCAL<->p0 connection ends up tracked in zone 65534 and zone 1.
1007 OVS_TRAFFIC_VSWITCHD_START()
1009 ADD_NAMESPACES(at_ns0)
1011 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
1012 AT_CHECK([ip link set dev br0 up])
1013 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
1014 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
1016 dnl Allow traffic from local stack to ns0. Only allow ARP and established
1017 dnl return traffic from ns0 back to the local stack.
dnl NOTE(review): the ingress zone for LOCAL traffic is only committed by the
dnl priority 150 rule in table 1, which needs the packet to be tracked already;
dnl an untracked packet from LOCAL goes through table 1's ct(table=2) instead
dnl and is then committed only in the egress zone. The expected zone=65534
dnl entries below therefore presumably rely on packets from the local stack
dnl arriving already tracked by the host's conntrack; confirm.
1018 AT_DATA([flows.txt], [dnl
1020 table=0,priority=1,action=drop
1021 table=0,priority=10,arp,action=normal
1023 dnl Load the output port to REG0
1024 table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
1025 table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1
1027 dnl Ingress pipeline
1028 dnl - Allow all connections from LOCAL port (commit and proceed to egress)
1029 dnl - All other connections go through conntracker using the input port as
1030 dnl a connection tracking zone.
1031 table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2
1032 table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
1033 table=1,priority=1,action=drop
dnl Egress pipeline
1036 dnl - Allow all connections from LOCAL port (commit and skip to output)
1037 dnl - Allow other established connections to go through conntracker using
1038 dnl output port as a connection tracking zone.
1039 table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4
1040 table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
1041 table=2,priority=1,action=drop
1043 dnl Only allow established traffic from egress ct lookup
1044 table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
1045 table=3,priority=1,action=drop
dnl Output to the port saved in REG0.
1048 table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
1051 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1053 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1054 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1057 dnl HTTP requests from root namespace to p0 should work fine.
1058 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1059 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1061 dnl (again) HTTP requests from root namespace to p0 should work fine.
1062 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Both ICMP and TCP must be tracked in the port-1 zone and the LOCAL zone.
1064 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
1065 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=1
1066 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=65534
1067 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1068 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=65534,protoinfo=(state=<cleared>)
1071 OVS_TRAFFIC_VSWITCHD_STOP
1074 AT_SETUP([conntrack - ct_mark])
1076 OVS_TRAFFIC_VSWITCHD_START()
1078 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1080 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1081 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1082 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1083 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1085 dnl Allow traffic between ns0<->ns1 using the ct_mark.
1086 dnl Check that different marks do not match for traffic between ns2<->ns3.
dnl ns0->ns1 commits with mark 1 and the reply must carry ct_mark=1. ns2->ns3
dnl commits with mark 2 but the reply rule still requires ct_mark=1, so the
dnl reply falls through to the priority 1 drop.
1087 AT_DATA([flows.txt], [dnl
1088 priority=1,action=drop
1089 priority=10,arp,action=normal
1090 priority=10,icmp,action=normal
1091 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
1092 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1093 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
1094 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:2->ct_mark)),4
1095 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
dnl Deliberate mismatch: committed with mark 2, matched on ct_mark=1.
1096 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
1099 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1101 dnl HTTP requests from p0->p1 should work fine.
1102 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1103 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1105 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1106 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=<cleared>)
1109 dnl HTTP requests from p2->p3 should fail due to network failure.
1110 dnl Try 3 times, in 1 second intervals.
1111 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
1112 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl The forward direction was still committed (with mark 2); only the reply
dnl was dropped.
1114 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
1115 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=<cleared>)
1118 OVS_TRAFFIC_VSWITCHD_STOP
1121 AT_SETUP([conntrack - ct_mark bit-fiddling])
1123 OVS_TRAFFIC_VSWITCHD_START()
dnl Only at_ns0 and at_ns1 are used below; at_ns2 and at_ns3 are created but idle.
1125 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1127 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1128 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1130 dnl Allow traffic between ns0<->ns1 using the ct_mark. Return traffic should
1131 dnl cause an additional bit to be set in the connection (and be allowed).
dnl Forward: a new connection from port 1 is committed with 0x5/0x5, i.e. bits
dnl 0 and 2 set. Reply: port 2 re-commits with 0x2/0x6, which sets bit 1 and
dnl clears bit 2, leaving mark 0b011 = 3; table 1 then requires ct_mark=3.
dnl The ct() on the port 2 packet runs before the ct_mark=3 match in table 1,
dnl so the mark seen there is the updated one.
1132 AT_DATA([flows.txt], [dnl
1133 table=0,priority=1,action=drop
1134 table=0,priority=10,arp,action=normal
1135 table=0,priority=10,icmp,action=normal
1136 table=0,priority=100,in_port=1,tcp,action=ct(table=1)
1137 table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x2/0x6->ct_mark))
1138 table=1,priority=100,in_port=1,ct_state=+new,tcp,action=ct(commit,exec(set_field:0x5/0x5->ct_mark)),2
1139 table=1,priority=100,in_port=1,ct_state=-new,tcp,action=2
1140 table=1,priority=100,in_port=2,ct_state=+trk,ct_mark=3,tcp,action=1
1143 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1145 dnl HTTP requests from p0->p1 should work fine.
1146 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1147 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl The final mark is 3 (bit 2 cleared by the reply's mask), not 7.
1149 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1150 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=3,protoinfo=(state=<cleared>)
1153 OVS_TRAFFIC_VSWITCHD_STOP
1156 AT_SETUP([conntrack - ct_mark from register])
1158 OVS_TRAFFIC_VSWITCHD_START()
1160 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1162 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1163 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1164 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1165 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1167 dnl Same policy as the ct_mark test, but the mark is loaded into REG0 first and
dnl moved into ct_mark inside the commit. ns0->ns1 uses mark 1 and its reply
dnl must match ct_mark=1; ns2->ns3 commits mark 2 while the reply rule still
dnl requires ct_mark=1, so that reply is dropped.
1168 AT_DATA([flows.txt], [dnl
1169 priority=1,action=drop
1170 priority=10,arp,action=normal
1171 priority=10,icmp,action=normal
1172 priority=100,in_port=1,tcp,action=load:1->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),2
1173 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1174 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
1175 priority=100,in_port=3,tcp,action=load:2->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),4
1176 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
dnl Deliberate mismatch: committed with mark 2, matched on ct_mark=1.
1177 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
1180 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1182 dnl HTTP requests from p0->p1 should work fine.
1183 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1184 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1186 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1187 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=<cleared>)
1190 dnl HTTP requests from p2->p3 should fail due to network failure.
1191 dnl Try 3 times, in 1 second intervals.
1192 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
1193 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl The forward direction was still committed with mark 2; only the reply
dnl was dropped.
1195 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
1196 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=<cleared>)
1199 OVS_TRAFFIC_VSWITCHD_STOP
1202 AT_SETUP([conntrack - ct_label])
1204 OVS_TRAFFIC_VSWITCHD_START()
1206 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1208 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1209 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1210 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1211 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1213 dnl Allow traffic between ns0<->ns1 using the ct_label.
1214 dnl Check that different labels do not match for traffic between ns2<->ns3.
dnl Same shape as the ct_mark test with a wide (128-bit) label value: ns0->ns1
dnl commits with it and the reply must match it; ns2->ns3 commits label 0x2 but
dnl the reply rule still requires the first label, so that reply is dropped.
1215 AT_DATA([flows.txt], [dnl
1216 priority=1,action=drop
1217 priority=10,arp,action=normal
1218 priority=10,icmp,action=normal
1219 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:0x0a000d000005000001->ct_label)),2
1220 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1221 priority=100,in_port=2,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=1
1222 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:0x2->ct_label)),4
1223 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
dnl Deliberate mismatch: committed with label 0x2, matched on the other label.
1224 priority=100,in_port=4,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=3
1227 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1229 dnl HTTP requests from p0->p1 should work fine.
1230 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1231 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1233 dnl HTTP requests from p2->p3 should fail due to network failure.
1234 dnl Try 3 times, in 1 second intervals.
1235 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
1236 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl Unlike the ct_mark test, no conntrack dump is asserted here; only the two
dnl wget exit statuses are checked.
1238 OVS_TRAFFIC_VSWITCHD_STOP
1241 AT_SETUP([conntrack - ct_label bit-fiddling])
1243 OVS_TRAFFIC_VSWITCHD_START()
dnl Only at_ns0 and at_ns1 are used below; at_ns2 and at_ns3 are created but idle.
1245 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1247 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1248 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1250 dnl Allow traffic between ns0<->ns1 using the ct_labels. Return traffic should
1251 dnl cause an additional bit to be set in the connection labels (and be allowed)
dnl Forward: a new connection from port 1 is committed with 0x5/0x5 (bits 0 and
dnl 2). Reply: port 2 re-commits with 0x200000000/0x200000004, which sets bit 33
dnl and clears bit 2, leaving 0x200000001; table 1 then requires that label.
1252 AT_DATA([flows.txt], [dnl
1253 table=0,priority=1,action=drop
1254 table=0,priority=10,arp,action=normal
1255 table=0,priority=10,icmp,action=normal
1256 table=0,priority=100,in_port=1,tcp,action=ct(table=1)
1257 table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label))
1258 table=1,priority=100,in_port=1,tcp,ct_state=+new,action=ct(commit,exec(set_field:0x5/0x5->ct_label)),2
1259 table=1,priority=100,in_port=1,tcp,ct_state=-new,action=2
1260 table=1,priority=100,in_port=2,ct_state=+trk,ct_label=0x200000001,tcp,action=1
1263 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1265 dnl HTTP requests from p0->p1 should work fine.
1266 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1267 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1269 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1270 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),labels=0x200000001,protoinfo=(state=<cleared>)
1273 OVS_TRAFFIC_VSWITCHD_STOP
1276 AT_SETUP([conntrack - ct metadata, multiple zones])
1278 OVS_TRAFFIC_VSWITCHD_START()
dnl Only at_ns0 and at_ns1 are used below; at_ns2 and at_ns3 are created but idle.
1280 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1282 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1283 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1285 dnl Allow traffic between ns0<->ns1 using the ct_mark and ct_labels in zone=1,
1286 dnl but do *not* set any of these for the ct() in zone=2. Traffic should pass,
1287 dnl and we should see that the conntrack entries only apply the ct_mark and
1288 dnl ct_labels to the connection in zone=1.
dnl The mark and label masks are the same as in the two bit-fiddling tests, so
dnl the zone 1 entry ends up with mark=3 and labels=0x200000001. Note that the
dnl table 1 rules for port 2 do not match on ct_state or metadata: this test
dnl checks the dump, it does not enforce a policy on the reply.
1289 AT_DATA([flows.txt], [dnl
1290 table=0,priority=1,action=drop
1291 table=0,priority=10,arp,action=normal
1292 table=0,priority=10,icmp,action=normal
1293 table=0,priority=100,in_port=1,tcp,action=ct(zone=1,table=1)
1294 table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(zone=1,table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label,set_field:0x2/0x6->ct_mark))
1295 table=1,priority=100,in_port=1,tcp,ct_state=+new,action=ct(zone=1,commit,exec(set_field:0x5/0x5->ct_label,set_field:0x5/0x5->ct_mark)),ct(commit,zone=2),2
1296 table=1,priority=100,in_port=1,tcp,ct_state=-new,action=ct(zone=2),2
1297 table=1,priority=100,in_port=2,tcp,action=ct(zone=2),1
1300 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1302 dnl HTTP requests from p0->p1 should work fine.
1303 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1304 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Metadata appears on the zone 1 entry only; the zone 2 entry has neither.
1306 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1307 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,mark=3,labels=0x200000001,protoinfo=(state=<cleared>)
1308 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
1311 OVS_TRAFFIC_VSWITCHD_STOP
1314 AT_SETUP([conntrack - ICMP related])
1316 OVS_TRAFFIC_VSWITCHD_START()
1318 ADD_NAMESPACES(at_ns0, at_ns1)
1320 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1321 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1323 dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
dnl The UDP connection is committed with mark 1; ICMP from ns1 is passed only
dnl when conntrack flags it as related to that connection and the mark is
dnl inherited, so an unrelated ICMP message from ns1 hits the priority 1 drop.
1324 AT_DATA([flows.txt], [dnl
1325 priority=1,action=drop
1326 priority=10,arp,action=normal
1327 priority=100,in_port=1,udp,action=ct(commit,exec(set_field:1->ct_mark)),2
1328 priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
1329 priority=100,in_port=2,icmp,ct_state=+trk+rel,ct_mark=1,action=1
1332 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1334 dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
dnl Nothing listens on 10000 in ns1. NC_EOF_OPT is presumably set by the test
dnl harness to whichever flag makes this netcat exit on EOF.
1335 NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])
dnl The check is done on OpenFlow flow counters rather than a conntrack dump;
dnl the purge presumably pushes datapath flow statistics up first. The default
dnl drop flow is filtered out of the comparison.
1337 AT_CHECK([ovs-appctl revalidator/purge], [0])
1338 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
1339 n_packets=1, n_bytes=44, priority=100,udp,in_port=1 actions=ct(commit,exec(load:0x1->NXM_NX_CT_MARK[[]])),output:2
1340 n_packets=1, n_bytes=72, priority=100,ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2 actions=output:1
1341 n_packets=1, n_bytes=72, priority=100,ct_state=-trk,icmp,in_port=2 actions=ct(table=0)
1342 n_packets=2, n_bytes=84, priority=10,arp actions=NORMAL
1346 OVS_TRAFFIC_VSWITCHD_STOP
1349 AT_SETUP([conntrack - ICMP related 2])
dnl Packets are injected with packet-out and observed via ovs-ofctl monitor, so
dnl no real traffic between the namespaces is needed here.
1351 OVS_TRAFFIC_VSWITCHD_START()
1353 ADD_NAMESPACES(at_ns0, at_ns1)
1355 ADD_VETH(p0, at_ns0, br0, "172.16.0.1/24")
1356 ADD_VETH(p1, at_ns1, br0, "172.16.0.2/24")
1358 dnl Port 1: untracked UDP is committed, every tracked IP packet goes to the
dnl controller. Port 2: untracked IP is sent through conntrack; only packets
dnl flagged related and reply go to the controller. Everything else is dropped.
1359 AT_DATA([flows.txt], [dnl
1360 priority=1,action=drop
1361 priority=10,arp,action=normal
1362 priority=100,in_port=1,udp,ct_state=-trk,action=ct(commit,table=0)
1363 priority=100,in_port=1,ip,ct_state=+trk,actions=controller
1364 priority=100,in_port=2,ip,ct_state=-trk,action=ct(table=0)
1365 priority=100,in_port=2,ip,ct_state=+trk+rel+rpl,action=controller
1368 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt])
dnl Controller packet-ins are captured in ofctl_monitor.log and compared below.
1370 AT_CAPTURE_FILE([ofctl_monitor.log])
1371 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
1373 dnl 1. Send an ICMP port unreach reply for port 8738, without any previous request
dnl The quoted inner header describes 172.16.0.3->172.16.0.4 port 8738, a flow
dnl that was never tracked, so conntrack must not classify this error as
dnl related and the controller rule must not fire.
1374 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f355ac100004ac1000030303553f0000000045000021317040004011b138ac100003ac10000411112222000d20966369616f0a'])
1376 dnl 2. Send and UDP packet to port 5555
dnl 172.16.0.1:41614 -> 172.16.0.2:5555; committed and reported as new|trk.
1377 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit,table=0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
1379 dnl 3. Send an ICMP port unreach reply for port 5555, related to the first packet
dnl The inner header quotes packet 2, so this one is rel|rpl|trk.
1380 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
1382 dnl Check this output. We only see the latter two packets, not the first.
dnl An ICMP error whose quoted header matches no tracked connection cannot
dnl open the related path; only the genuine reply to packet 2 reaches the controller.
1383 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
1384 NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=47 ct_state=new|trk,in_port=1 (via action) data_len=47 (unbuffered)
1385 udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096
1386 NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=75 ct_state=rel|rpl|trk,in_port=2 (via action) data_len=75 (unbuffered)
1387 icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f
1390 OVS_TRAFFIC_VSWITCHD_STOP
1393 AT_SETUP([conntrack - FTP])
dnl Requires the pyftpdlib-based FTP server in test-l7.py.
1394 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1396 OVS_TRAFFIC_VSWITCHD_START()
1398 ADD_NAMESPACES(at_ns0, at_ns1)
1400 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1401 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1403 dnl flows1: allow any TCP from ns0->ns1 and attach the FTP helper on commit.
dnl From ns1 allow ARP, ICMP and tracked traffic that is either established or
dnl related, i.e. the data connections the helper expects. Nothing from ns1 is
dnl ever committed, so a connection initiated by ns1 leaves no conntrack entry.
1404 AT_DATA([flows1.txt], [dnl
1405 priority=1,action=drop
1406 priority=10,arp,action=normal
1407 priority=10,icmp,action=normal
1408 priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
1409 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
1410 priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
1411 priority=100,in_port=2,tcp,ct_state=+trk+rel,action=1
1414 dnl Similar policy but without allowing all traffic from ns0->ns1.
dnl flows2: only new connections from ns0 are committed (with the FTP helper)
dnl and established ones pass. From ns1, a new connection is accepted only when
dnl the helper marked it related (active-mode data channel) and is committed
dnl then; established and other related traffic passes without a commit.
1415 AT_DATA([flows2.txt], [dnl
1416 priority=1,action=drop
1417 priority=10,arp,action=normal
1418 priority=10,icmp,action=normal
1419 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0)
1420 priority=100,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
1421 priority=100,in_port=1,tcp,ct_state=+trk+est,action=2
1422 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
1423 priority=100,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
1424 priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
1425 priority=100,in_port=2,tcp,ct_state=+trk-new+rel,action=1
1428 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
dnl An FTP server runs in both namespaces so each direction can be exercised.
1430 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
1431 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
dnl NOTE(review): only the at_ns1 daemon is waited for here. The p1->p0 negative
dnl check just below targets the at_ns0 daemon; if that one is not listening yet,
dnl wget also exits 4, so the check could pass for the wrong reason. Waiting for
dnl the at_ns0 listener as well would make the negative check meaningful.
1432 OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
1434 dnl FTP requests from p1->p0 should fail due to network failure.
1435 dnl Try 3 times, in 1 second intervals.
1436 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
dnl The blocked direction is never committed, so the dump for 10.1.1.1 is empty.
1437 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
1440 dnl FTP requests from p0->p1 should work fine.
1441 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Only the control connection is committed by flows1, and it carries the helper.
1442 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1443 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
1446 dnl Try the second set of flows.
dnl State from the first run is flushed so the entries below come from flows2 only.
1447 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
1448 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1450 dnl FTP requests from p1->p0 should fail due to network failure.
1451 dnl Try 3 times, in 1 second intervals.
1452 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
1453 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
1456 dnl Active FTP requests from p0->p1 should work fine.
dnl Active mode: the server opens the data connection back to the client, which
dnl shows up as a second entry with orig src=10.1.1.2 (committed by the new+rel
dnl rule) and no helper.
1457 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log])
1458 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1459 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
1460 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
1463 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1465 dnl Passive FTP requests from p0->p1 should work fine.
dnl Passive mode: the client opens the data connection too, so both entries
dnl have orig src=10.1.1.1; only one of them carries helper=ftp.
1466 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log])
1467 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1468 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
1469 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
1472 OVS_TRAFFIC_VSWITCHD_STOP
1476 AT_SETUP([conntrack - IPv6 FTP])
dnl Requires the pyftpdlib-based FTP server in test-l7.py.
1477 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1479 OVS_TRAFFIC_VSWITCHD_START()
1481 ADD_NAMESPACES(at_ns0, at_ns1)
1483 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1484 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1486 dnl Allow any traffic from ns0->ns1.
1487 dnl Only allow nd, return traffic from ns1->ns0.
dnl Only new control connections to TCP port 21 may be started from port 1; the
dnl data connections from port 2 must have been expected by the FTP helper.
1488 AT_DATA([flows.txt], [dnl
1489 dnl Track all IPv6 traffic and drop the rest.
1490 dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked.
1491 table=0 priority=100 in_port=1 icmp6, action=2
1492 table=0 priority=100 in_port=2 icmp6, action=1
1493 table=0 priority=10 ip6, action=ct(table=1)
1494 table=0 priority=0 action=drop
1498 dnl Allow new TCPv6 FTP control connections from port 1.
1499 table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
1500 dnl Allow related TCPv6 connections from port 2.
1501 table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1
1502 dnl Allow established TCPv6 connections both ways.
1503 table=1 in_port=1 ct_state=+est, tcp6, action=2
1504 table=1 in_port=2 ct_state=+est, tcp6, action=1
1505 dnl Drop everything else.
1506 table=1 priority=0, action=drop
1509 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1511 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1512 dnl waiting, we get occasional failures due to the following error:
1513 dnl "connect: Cannot assign requested address"
1514 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
1516 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1517 OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
1519 dnl FTP requests from p0->p1 should work fine.
dnl Active mode over IPv6; the doubled brackets around the address are m4
dnl quoting for the single pair of brackets wget needs around an IPv6 literal.
1520 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
1522 dnl Discards CLOSE_WAIT and CLOSING
dnl Expected: the control connection with the helper, plus the data connection
dnl the server opened back to the client (orig src=fc00::2), without a helper.
1523 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
1524 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
1525 tcp,orig=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
1528 OVS_TRAFFIC_VSWITCHD_STOP
1532 AT_SETUP([conntrack - FTP with multiple expectations])
1533 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1535 OVS_TRAFFIC_VSWITCHD_START()
1537 ADD_NAMESPACES(at_ns0, at_ns1)
1539 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1540 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1542 dnl Dual firewall modelled as two conntrack zones (1 and 2) in series.
dnl Allow all TCP from ns0->ns1; from ns1->ns0 allow only established and
dnl FTP-related connections. Every connection is committed in both zones,
dnl with alg=ftp in both, so the FTP expectation exists in both zones and
dnl the related data connection is accepted by either "firewall".
1543 AT_DATA([flows.txt], [dnl
1544 priority=1,action=drop
1545 priority=10,arp,action=normal
1546 priority=10,icmp,action=normal
1547 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
1548 priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
1549 priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=0,zone=2)
1550 priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=2)
1551 priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
dnl Port 2 is checked in zone 2 first, then zone 1. A +new connection from
dnl port 2 that is not +rel matches nothing here and falls to the drop rule.
1552 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
1553 priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
1554 priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=0,zone=1)
1555 priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
1556 priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
1559 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1561 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
1562 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1564 dnl FTP requests from p1->p0 should fail due to network failure.
1565 dnl Try 3 times, in 1 second intervals. wget exit status 4 = network failure.
1566 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
dnl The blocked attempt must leave no tracked state behind: the dump is
dnl expected to be empty for 10.1.1.1.
1567 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
1570 dnl Active FTP requests from p0->p1 should work fine.
1571 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Control connection (helper=ftp) and the server-initiated data connection,
dnl each present once per zone.
1572 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1573 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
1574 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
1575 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1576 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
1579 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1581 dnl Passive FTP requests from p0->p1 should work fine.
dnl In passive mode the client opens the data connection too, so both entries
dnl per zone originate from 10.1.1.1.
1582 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1583 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1584 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1585 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
1586 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
1587 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
1590 OVS_TRAFFIC_VSWITCHD_STOP
1593 AT_SETUP([conntrack - IPv4 fragmentation ])
1595 OVS_TRAFFIC_VSWITCHD_START()
1597 ADD_NAMESPACES(at_ns0, at_ns1)
1599 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1600 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1602 dnl Sending ping through conntrack. Requests from port 1 are committed to
dnl zone 9; replies from port 2 are only forwarded once they match +est.
1603 AT_DATA([flows.txt], [dnl
1604 priority=1,action=drop
1605 priority=10,arp,action=normal
1606 priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
1607 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1608 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1611 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1613 dnl Ipv4 fragmentation connectivity check. A 1600-byte payload exceeds the
dnl link MTU (assumed 1500, veth default), so each echo request and reply is
dnl fragmented; conntrack must reassemble before the ct_state match applies.
1614 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1615 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1618 dnl Ipv4 larger fragmentation connectivity check (more fragments per packet).
1619 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1620 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1623 OVS_TRAFFIC_VSWITCHD_STOP
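1626 AT_SETUP([conntrack - IPv4 fragmentation expiry])
1628 OVS_TRAFFIC_VSWITCHD_START()
1630 ADD_NAMESPACES(at_ns0, at_ns1)
1632 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1633 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Regression test for fragment-queue expiry: deliberately let reassembly
dnl never complete and verify the datapath copes with the stale queue.
1635 AT_DATA([flows.txt], [dnl
1636 priority=1,action=drop
1637 priority=10,arp,action=normal
1639 dnl Only allow non-fragmented messages and 1st fragments of each message.
dnl Later fragments hit the drop rule, so the peer never sees a complete
dnl echo request and no reply is ever generated.
1640 priority=100,in_port=1,icmp,ip_frag=no,action=ct(commit,zone=9),2
dnl Fixed: "ip_frag=first" and "action=" were fused ("ip_frag=firstaction=..."),
dnl which is not a parsable flow and would make add-flows below fail.
1641 priority=100,in_port=1,icmp,ip_frag=first,action=ct(commit,zone=9),2
1642 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1643 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1646 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1648 dnl Ipv4 fragmentation connectivity check: 100% loss is the expected
dnl result here. With -c 1 -w 2 and no replies, ping keeps transmitting until
dnl the deadline, which is why 7 packets are expected.
1649 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 1 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1650 7 packets transmitted, 0 received, 100% packet loss, time 0ms
dnl Stopping vswitchd with incomplete fragment queues pending is the point of
dnl the test (compare the IPv6 expiry test, which says so explicitly).
1653 OVS_TRAFFIC_VSWITCHD_STOP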
1656 AT_SETUP([conntrack - IPv4 fragmentation + vlan])
1658 OVS_TRAFFIC_VSWITCHD_START()
1660 ADD_NAMESPACES(at_ns0, at_ns1)
1662 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1663 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl VLAN 100 sub-interfaces; the pings below use these tagged addresses, so
dnl the fragments reach conntrack with an 802.1Q tag.
1664 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
1665 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
1667 dnl Sending ping through conntrack. Same policy as the untagged IPv4
dnl fragmentation test: commit requests from port 1, only +est replies back.
1668 AT_DATA([flows.txt], [dnl
1669 priority=1,action=drop
1670 priority=10,arp,action=normal
1671 priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
1672 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1673 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1676 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1678 dnl Ipv4 fragmentation connectivity check over the VLAN addresses.
1679 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1680 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1683 dnl Ipv4 larger fragmentation connectivity check.
1684 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1685 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1688 OVS_TRAFFIC_VSWITCHD_STOP
1691 AT_SETUP([conntrack - IPv6 fragmentation])
1693 OVS_TRAFFIC_VSWITCHD_START()
1695 ADD_NAMESPACES(at_ns0, at_ns1)
1697 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1698 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1700 dnl Sending ping through conntrack. All IPv6 from port 1 (including the
dnl echo requests) is committed to zone 9; port 2 may only send +est replies.
1701 AT_DATA([flows.txt], [dnl
1702 priority=1,action=drop
1703 priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
1704 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1705 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
dnl Neighbour Discovery (NS=135, NA=136) bypasses conntrack at higher
dnl priority so address resolution works untracked.
1706 priority=100,icmp6,icmp_type=135,action=normal
1707 priority=100,icmp6,icmp_type=136,action=normal
1710 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1712 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1713 dnl waiting, we get occasional failures due to the following error:
1714 dnl "connect: Cannot assign requested address"
1715 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1717 dnl Ipv6 fragmentation connectivity check: the 1600-byte payload forces
dnl fragmentation, so conntrack must reassemble before matching ct_state.
1718 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1719 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1722 dnl Ipv6 larger fragmentation connectivity check.
1723 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1724 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1727 OVS_TRAFFIC_VSWITCHD_STOP
1730 AT_SETUP([conntrack - IPv6 fragmentation expiry])
1732 OVS_TRAFFIC_VSWITCHD_START()
1734 ADD_NAMESPACES(at_ns0, at_ns1)
1736 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1737 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl Regression test for fragment-queue expiry: reassembly is never allowed
dnl to complete, and the stale queue must be cleaned up without crashing.
1739 AT_DATA([flows.txt], [dnl
1740 priority=1,action=drop
1742 dnl Only allow non-fragmented messages and 1st fragments of each message.
dnl Later fragments fall through to the drop rule, so no echo request is ever
dnl fully reassembled and no reply is generated.
1743 priority=10,in_port=1,ipv6,ip_frag=first,action=ct(commit,zone=9),2
1744 priority=10,in_port=1,ipv6,ip_frag=no,action=ct(commit,zone=9),2
1745 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1746 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
1748 dnl Neighbour Discovery
1749 priority=100,icmp6,icmp_type=135,action=normal
1750 priority=100,icmp6,icmp_type=136,action=normal
1753 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1755 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1756 dnl waiting, we get occasional failures due to the following error:
1757 dnl "connect: Cannot assign requested address"
1758 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1760 dnl Send an IPv6 fragment. Some time later, it should expire.
dnl 100% loss is the expected outcome; with -c 1 -w 2 and no reply, ping keeps
dnl transmitting until the deadline, hence 7 packets.
1761 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 1 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1762 7 packets transmitted, 0 received, 100% packet loss, time 0ms
1765 dnl At this point, the kernel will either crash or everything is OK.
dnl NOTE(review): there is no explicit wait for the fragment timeout here;
dnl the stop below exercises teardown with the incomplete queue pending.
1767 OVS_TRAFFIC_VSWITCHD_STOP
1770 AT_SETUP([conntrack - IPv6 fragmentation + vlan])
1772 OVS_TRAFFIC_VSWITCHD_START()
1774 ADD_NAMESPACES(at_ns0, at_ns1)
1776 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1777 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl VLAN 100 sub-interfaces; the connectivity checks below target fc00:1::4,
dnl so the fragments reach conntrack with an 802.1Q tag.
1779 ADD_VLAN(p0, at_ns0, 100, "fc00:1::3/96")
1780 ADD_VLAN(p1, at_ns1, 100, "fc00:1::4/96")
1782 dnl Sending ping through conntrack
1783 AT_DATA([flows.txt], [dnl
1784 priority=1,action=drop
1785 priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
1786 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1787 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
dnl Neighbour Discovery bypasses conntrack.
1788 priority=100,icmp6,icmp_type=135,action=normal
1789 priority=100,icmp6,icmp_type=136,action=normal
1792 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1794 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1795 dnl waiting, we get occasional failures due to the following error:
1796 dnl "connect: Cannot assign requested address"
dnl NOTE(review): this readiness probe targets the untagged peer (fc00::2),
dnl not the VLAN address (fc00:1::4) the checks below actually use.
1797 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1799 dnl IPv6 fragmentation connectivity check over the VLAN addresses.
1800 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1801 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1804 dnl IPv6 larger fragmentation connectivity check.
1805 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1806 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1809 OVS_TRAFFIC_VSWITCHD_STOP
1812 AT_SETUP([conntrack - Fragmentation over vxlan])
1816 OVS_TRAFFIC_VSWITCHD_START()
dnl br-underlay carries the VXLAN transport traffic and just switches it.
1817 ADD_BR([br-underlay])
1818 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
1820 ADD_NAMESPACES(at_ns0)
1822 dnl Sending ping through conntrack. Overlay traffic decapsulated on br0
dnl (in_port=1, presumably the vxlan port added below) is committed to zone 9
dnl and delivered to LOCAL; replies from LOCAL must match +est.
1823 AT_DATA([flows.txt], [dnl
1824 priority=1,action=drop
1825 priority=10,arp,action=normal
1826 priority=100,in_port=1,icmp,action=ct(commit,zone=9),LOCAL
1827 priority=100,in_port=LOCAL,icmp,action=ct(table=1,zone=9)
1828 table=1,priority=100,in_port=LOCAL,ct_state=+trk+est,icmp,action=1
1831 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1833 dnl Set up underlay link from host into the namespace using veth pair.
1834 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
1835 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
1836 AT_CHECK([ip link set dev br-underlay up])
1838 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
1839 dnl linux device inside the namespace.
dnl Overlay: 10.1.1.100 on the OVS side, 10.1.1.1 inside the namespace.
1840 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
1841 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
1842 [id 0 dstport 4789])
1844 dnl First, check the underlay
1845 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
1846 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1849 dnl Okay, now check the overlay with different packet sizes. The larger
dnl payloads are fragmented before encapsulation, so conntrack on br0 sees
dnl inner fragments after decapsulation and must reassemble them.
1850 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1851 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1853 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1854 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1856 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1857 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1860 OVS_TRAFFIC_VSWITCHD_STOP
1863 AT_SETUP([conntrack - IPv6 Fragmentation over vxlan])
1867 OVS_TRAFFIC_VSWITCHD_START()
dnl br-underlay carries the (IPv4) VXLAN transport traffic and just switches it.
1868 ADD_BR([br-underlay])
1869 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
1871 ADD_NAMESPACES(at_ns0)
1873 dnl Sending ping through conntrack. Same shape as the IPv4 vxlan test:
dnl decapsulated overlay traffic on in_port=1 is committed to zone 9 and sent
dnl to LOCAL; only +est replies from LOCAL go back into the tunnel.
1874 AT_DATA([flows.txt], [dnl
1875 priority=1,action=drop
1876 priority=100,in_port=1,ipv6,action=ct(commit,zone=9),LOCAL
1877 priority=100,in_port=LOCAL,ipv6,action=ct(table=1,zone=9)
1878 table=1,priority=100,in_port=LOCAL,ct_state=+trk+est,ipv6,action=1
1880 dnl Neighbour Discovery (untracked, highest priority).
1881 priority=1000,icmp6,icmp_type=135,action=normal
1882 priority=1000,icmp6,icmp_type=136,action=normal
1885 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1887 dnl Set up underlay link from host into the namespace using veth pair.
1888 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
1889 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
1890 AT_CHECK([ip link set dev br-underlay up])
1892 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
1893 dnl linux device inside the namespace.
dnl Overlay addresses are IPv6: fc00::2 on the OVS side, fc00::1 in at_ns0.
1894 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], ["fc00::2/96"])
1895 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], ["fc00::1/96"],
1896 [id 0 dstport 4789])
1898 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1899 dnl waiting, we get occasional failures due to the following error:
1900 dnl "connect: Cannot assign requested address"
1901 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1903 dnl First, check the underlay (IPv4).
1904 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
1905 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1908 dnl Okay, now check the overlay with different packet sizes; the larger
dnl payloads produce inner IPv6 fragments that conntrack must reassemble.
1909 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1910 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1912 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1913 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1915 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1916 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1919 OVS_TRAFFIC_VSWITCHD_STOP
1922 AT_SETUP([conntrack - resubmit to ct multiple times])
dnl Secure fail mode: no implicit NORMAL forwarding, so only the flows below
dnl determine what happens to the packet.
1925 OVS_TRAFFIC_VSWITCHD_START(
1926 [set-fail-mode br0 secure -- ])
1928 ADD_NAMESPACES(at_ns0, at_ns1)
1930 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1931 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl One IP packet is resubmitted to two tables that each invoke ct(); both
dnl invocations must continue the pipeline in table 3. The packet is dropped
dnl there on purpose, so the ping is expected to fail; the counters are the
dnl real assertion.
1933 AT_DATA([flows.txt], [dnl
1934 table=0,priority=150,arp,action=normal
1935 table=0,priority=100,ip,in_port=1,action=resubmit(,1),resubmit(,2)
1937 table=1,priority=100,ip,action=ct(table=3)
1938 table=2,priority=100,ip,action=ct(table=3)
1940 table=3,ip,action=drop
1943 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1945 NS_CHECK_EXEC([at_ns0], [ping -q -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
1946 1 packets transmitted, 0 received, 100% packet loss, time 0ms
dnl Table 3 must have seen the packet twice (n_packets=2, n_bytes=196): the
dnl first ct() does not consume the packet for the second resubmit.
1949 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort], [0], [dnl
1950 n_packets=1, n_bytes=98, priority=100,ip,in_port=1 actions=resubmit(,1),resubmit(,2)
1951 n_packets=2, n_bytes=84, priority=150,arp actions=NORMAL
1952 table=1, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
1953 table=2, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
1954 table=3, n_packets=2, n_bytes=196, ip actions=drop
1958 OVS_TRAFFIC_VSWITCHD_STOP
1962 AT_SETUP([conntrack - simple SNAT])
1964 OVS_TRAFFIC_VSWITCHD_START()
1966 ADD_NAMESPACES(at_ns0, at_ns1)
1968 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0 so the ARP responder below can answer for the SNAT pool
dnl with a known hardware address.
1969 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1970 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1972 dnl Allow any traffic from ns0->ns1, SNATed to 10.1.1.240-10.1.1.255.
dnl Allow ARP and return traffic from ns1->ns0.
1973 AT_DATA([flows.txt], [dnl
1974 in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
1975 in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)
dnl NOTE(review): +trk alone also matches +new packets from ns1, so this is
dnl looser than "return traffic only"; the "more complex SNAT" test uses
dnl ct_state=+trk-new+est for the same purpose.
1976 in_port=2,ct_state=+trk,ct_zone=1,ip,action=1
dnl ARP requests: look up the target IP (saved in reg2) in table 8, then
dnl table 10 either answers locally or lets the request through.
1979 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1980 priority=10 arp action=normal
1981 priority=0,action=drop
1983 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, i.e. exactly the SNAT pool;
dnl it resolves to p0's MAC so ns1's replies to the NATed addresses reach p0.
1984 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1985 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1986 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
1988 dnl Swaps the fields of the ARP message to turn a query to a response.
1989 table=10 priority=100 arp xreg0=0 action=normal
dnl in_port is saved to reg3 and cleared so the reply can be output to the
dnl port it arrived on.
1990 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1991 table=10 priority=0 action=drop
1994 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1996 dnl HTTP requests from p0->p1 should work fine.
1997 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1998 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The reply tuple's dst is the pool address picked by NAT; the sed masks
dnl the non-deterministic last octet (10.1.1.240-255) as "2XX".
2000 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
2001 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2004 OVS_TRAFFIC_VSWITCHD_STOP
2008 AT_SETUP([conntrack - SNAT with port range])
2010 OVS_TRAFFIC_VSWITCHD_START()
2012 ADD_NAMESPACES(at_ns0, at_ns1)
2014 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0; the ARP responder answers for the SNAT pool with it.
2015 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2016 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2018 dnl Allow TCP from ns0->ns1, SNATed to 10.1.1.240-10.1.1.255 with the source
dnl port drawn at random from 34567-34568. Allow ARP and return traffic from
dnl ns1->ns0.
2019 AT_DATA([flows.txt], [dnl
2020 in_port=1,tcp,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255:34567-34568,random)),2
dnl Only traffic aimed at the two NAT source ports is un-NATed; anything else
dnl from port 2 stays untracked and is dropped by the priority=0 rule.
2021 in_port=2,ct_state=-trk,tcp,tp_dst=34567,action=ct(table=0,zone=1,nat)
2022 in_port=2,ct_state=-trk,tcp,tp_dst=34568,action=ct(table=0,zone=1,nat)
dnl NOTE(review): +trk alone also admits +new packets from ns1 to those ports;
dnl +trk-new+est (as in "more complex SNAT") would restrict this to replies.
2023 in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
dnl ARP responder pipeline, same as the simple SNAT test.
2026 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2027 priority=10 arp action=normal
2028 priority=0,action=drop
2030 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 = 10.1.1.240/28, the SNAT pool, resolved to p0's MAC.
2031 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2032 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2033 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2035 dnl Swaps the fields of the ARP message to turn a query to a response.
2036 table=10 priority=100 arp xreg0=0 action=normal
2037 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2038 table=10 priority=0 action=drop
2041 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2043 dnl HTTP requests from p0->p1 should work fine.
2044 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
2045 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl Ports are already <cleared> by FORMAT_CT; the sed masks the randomly
dnl chosen pool address in the reply tuple as "2XX".
2047 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
2048 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2051 OVS_TRAFFIC_VSWITCHD_STOP
2055 AT_SETUP([conntrack - more complex SNAT])
2057 OVS_TRAFFIC_VSWITCHD_START()
2059 ADD_NAMESPACES(at_ns0, at_ns1)
2061 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0; the ARP responder answers for the SNAT pool with it.
2062 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2063 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2065 AT_DATA([flows.txt], [dnl
2066 dnl Track all IP traffic, NAT existing connections.
dnl Tracking happens in table 0 for both directions, so table 1 sees every IP
dnl packet already tracked and (for established flows) already un-NATed.
2067 priority=100 ip action=ct(table=1,zone=1,nat)
2069 dnl Allow ARP, but generate responses for NATed addresses
2070 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2071 priority=10 arp action=normal
2072 priority=0 action=drop
2074 dnl Allow any traffic from ns0->ns1. SNAT ns0 to 10.1.1.240-10.1.1.255
2075 table=1 priority=100 in_port=1 ip ct_state=+trk+new-est action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
2076 table=1 priority=100 in_port=1 ip ct_state=+trk-new+est action=2
2077 dnl Only allow established traffic from ns1->ns0 (explicitly -new, unlike
dnl the "simple SNAT" test).
2078 table=1 priority=100 in_port=2 ip ct_state=+trk-new+est action=1
2079 table=1 priority=0 action=drop
2081 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 = 10.1.1.240/28, the SNAT pool, resolved to p0's MAC.
2082 table=8 priority=100 reg2=0x0a0101f0/0xfffffff0 action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2083 dnl Zero result means not found.
2084 table=8 priority=0 action=load:0->OXM_OF_PKT_REG0[[]]
2085 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2086 dnl ARP TPA IP in reg2.
2087 table=10 priority=100 arp xreg0=0 action=normal
2088 dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is saved to reg3 and cleared so the reply can go out the ingress port.
2089 table=10 priority=10 arp arp_op=1 action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2090 table=10 priority=0 action=drop
2093 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2095 dnl HTTP requests from p0->p1 should work fine.
2096 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
2097 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The sed masks the NAT-chosen pool address (10.1.1.240-255) as "2XX".
2099 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
2100 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2103 OVS_TRAFFIC_VSWITCHD_STOP
2106 AT_SETUP([conntrack - simple DNAT])
2108 OVS_TRAFFIC_VSWITCHD_START()
2110 ADD_NAMESPACES(at_ns0, at_ns1)
2112 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2113 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Fixed MAC for p1 (the DNAT target) so the ARP responder can answer for
dnl the virtual IP with it.
2114 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
2116 dnl Allow any traffic from ns0->ns1, translating the virtual IP 10.1.1.64 to
dnl 10.1.1.2. Allow ARP and established return traffic from ns1->ns0.
2117 AT_DATA([flows.txt], [dnl
2118 priority=100 in_port=1,ip,nw_dst=10.1.1.64,action=ct(zone=1,nat(dst=10.1.1.2),commit),2
dnl Traffic to any other address is tracked but not translated.
2119 priority=10 in_port=1,ip,action=ct(commit,zone=1),2
dnl Return direction: un-NAT first, then only +est is forwarded.
2120 priority=100 in_port=2,ct_state=-trk,ip,action=ct(table=0,nat,zone=1)
2121 priority=100 in_port=2,ct_state=+trk+est,ct_zone=1,ip,action=1
2124 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2125 priority=10 arp action=normal
2126 priority=0,action=drop
2128 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 = 10.1.1.64, the virtual IP, resolved to p1's MAC.
2129 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2130 dnl Zero result means not found.
2131 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2132 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2134 table=10 priority=100 arp xreg0=0 action=normal
2135 dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is saved to reg3 and cleared so the reply can go out the ingress port.
2136 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2137 table=10 priority=0 action=drop
2140 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2142 dnl Should work with the virtual IP address through NAT
2143 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
2144 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl orig dst is the virtual IP; the reply tuple shows the real server 10.1.1.2.
2146 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
2147 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2150 dnl Should work with the assigned IP address as well (priority=10 rule, no NAT).
2151 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2153 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2154 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2157 OVS_TRAFFIC_VSWITCHD_STOP
2160 AT_SETUP([conntrack - more complex DNAT])
2162 OVS_TRAFFIC_VSWITCHD_START()
2164 ADD_NAMESPACES(at_ns0, at_ns1)
2166 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2167 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Fixed MAC for p1 (the DNAT target) so the ARP responder can answer for
dnl the virtual IP with it.
2168 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
2170 dnl Allow any traffic from ns0->ns1. Allow ARP and established return
dnl traffic from ns1->ns0.
2171 AT_DATA([flows.txt], [dnl
2172 dnl Track all IP traffic (and apply NAT to already-translated connections)
dnl in table 0, so table 1 only ever sees tracked packets.
2173 table=0 priority=100 ip action=ct(table=1,zone=1,nat)
2175 dnl Allow ARP, but generate responses for NATed addresses
2176 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2177 table=0 priority=10 arp action=normal
2178 table=0 priority=0 action=drop
2180 dnl Allow any IP traffic from ns0->ns1. DNAT ns0 from 10.1.1.64 to 10.1.1.2
2181 table=1 priority=100 in_port=1 ct_state=+new ip nw_dst=10.1.1.64 action=ct(zone=1,nat(dst=10.1.1.2),commit),2
2182 table=1 priority=10 in_port=1 ct_state=+new ip action=ct(commit,zone=1),2
2183 table=1 priority=100 in_port=1 ct_state=+est ct_zone=1 action=2
2184 dnl Only allow established traffic from ns1->ns0.
2185 table=1 priority=100 in_port=2 ct_state=+est ct_zone=1 action=1
2186 table=1 priority=0 action=drop
2188 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 = 10.1.1.64, the virtual IP, resolved to p1's MAC.
2189 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2190 dnl Zero result means not found.
2191 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2192 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2194 table=10 priority=100 arp xreg0=0 action=normal
2195 dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is saved to reg3 and cleared so the reply can go out the ingress port.
2196 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2197 table=10 priority=0 action=drop
2200 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2202 dnl Should work with the virtual IP address through NAT
2203 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
2204 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl orig dst is the virtual IP; the reply tuple shows the real server 10.1.1.2.
2206 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
2207 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2210 dnl Should work with the assigned IP address as well (priority=10 rule, no NAT).
2211 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2213 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2214 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2217 OVS_TRAFFIC_VSWITCHD_STOP
2220 AT_SETUP([conntrack - ICMP related with NAT])
dnl Purpose: an ICMP error triggered by a source-NATted UDP datagram must be
dnl classified by conntrack as related to that connection and must be
dnl reverse-NATted before the return-traffic policy is evaluated.
2222 OVS_TRAFFIC_VSWITCHD_START()
2224 ADD_NAMESPACES(at_ns0, at_ns1)
2226 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0: table 8 below hands this address out when answering
dnl ARP requests for the NAT pool on behalf of ns0.
2227 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2228 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2230 dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
2231 dnl Make sure ICMP responses are reverse-NATted.
2232 AT_DATA([flows.txt], [dnl
dnl Port 1 -> 2: commit every UDP flow, source-NAT it to an address from the
dnl 10.1.1.240-255 pool and tag it with ct_mark=1 so the return path can
dnl recognise connections this rule created.
2233 in_port=1,udp,action=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:1->ct_mark)),2
dnl Port 2 -> 1: untracked ICMP is first passed through conntrack with NAT
dnl (reverse translation for reply and related packets) and recirculated.
2234 in_port=2,icmp,ct_state=-trk,action=ct(table=0,nat)
dnl Only ICMP that conntrack marked as related to a ct_mark=1 connection is
dnl forwarded. nw_dst=10.1.1.1 can only match after reverse NAT, so an
dnl untranslated packet still addressed to the pool falls through to the drop.
2235 in_port=2,icmp,nw_dst=10.1.1.1,ct_state=+trk+rel,ct_mark=1,action=1
dnl ARP requests: resolve the target address in table 8, then answer or flood
dnl in table 10. Other ARP (replies) is switched normally.
2238 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2239 priority=10 arp action=normal
dnl Default deny, which also catches ICMP from port 2 that is not related.
2240 priority=0,action=drop
2242 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl Every address in 10.1.1.240/28 (the NAT pool) resolves to the MAC of p0.
2243 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2244 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2245 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2248 table=10 priority=100 arp xreg0=0 action=normal
2247 dnl Swaps the fields of the ARP message to turn a query to a response.
dnl The ingress port is parked in reg3 and in_port zeroed so the reply can be
dnl output on the port it arrived on (presumably a plain output to the
dnl ingress port would otherwise be suppressed).
2249 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2250 table=10 priority=0 action=drop
2253 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2255 dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
dnl No UDP listener is started in at_ns1 in this test, so the datagram to
dnl port 10000 is expected to be answered with an ICMP error.
2256 NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])
dnl Purge datapath flows first, presumably so their statistics are folded
dnl into the OpenFlow counters dumped below.
2258 AT_CHECK([ovs-appctl revalidator/purge], [0])
dnl Expected hit counts: the single UDP datagram out, the single ICMP error
dnl back (one hit on the untracked rule and one on the related rule after
dnl recirculation), and two ARP requests. One request was resolved by the
dnl pool entry in table 8 and answered by the responder, the other fell
dnl through to normal. Drop rules are filtered out of the dump.
2259 AT_CHECK([ovs-ofctl -O OpenFlow15 dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
2260 n_packets=1, n_bytes=42, priority=10,arp actions=NORMAL
2261 n_packets=1, n_bytes=44, udp,in_port=1 actions=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:0x1->ct_mark)),output:2
2262 n_packets=1, n_bytes=72, ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2,nw_dst=10.1.1.1 actions=output:1
2263 n_packets=1, n_bytes=72, ct_state=-trk,icmp,in_port=2 actions=ct(table=0,nat)
2264 n_packets=2, n_bytes=84, priority=100,arp,arp_op=1 actions=move:NXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2265 table=10, n_packets=1, n_bytes=42, priority=10,arp,arp_op=1 actions=set_field:2->arp_op,move:NXM_NX_ARP_SHA[[]]->NXM_NX_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_NX_ARP_SHA[[]],move:NXM_OF_ARP_SPA[[]]->NXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->NXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],set_field:0->in_port,output:NXM_NX_REG3[[0..15]]
2266 table=10, n_packets=1, n_bytes=42, priority=100,arp,reg0=0,reg1=0 actions=NORMAL
2267 table=8, n_packets=1, n_bytes=42, priority=0 actions=set_field:0->xreg0
2268 table=8, n_packets=1, n_bytes=42, reg2=0xa0101f0/0xfffffff0 actions=set_field:0x808888888888->xreg0
2269 OFPST_FLOW reply (OF1.5):
dnl The pool address picked for the source NAT is not deterministic, so the
dnl last octet of the reply destination (24x or 25x) is masked before
dnl comparing. The entry must carry mark=1 as set by the UDP rule.
2272 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
2273 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),mark=1
2276 OVS_TRAFFIC_VSWITCHD_STOP
2280 AT_SETUP([conntrack - FTP with NAT])
dnl Purpose: active-mode FTP through a source NAT. The FTP helper (alg=ftp)
dnl must turn the data connection the server opens back towards the client
dnl into a related connection, and that connection must be reverse-NATted.
dnl NAT is applied by the initial ct() call in table 0, so tables 1 and 2
dnl see post-NAT addresses and can match on them to prove translation happened.
2281 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
2284 OVS_TRAFFIC_VSWITCHD_START()
2286 ADD_NAMESPACES(at_ns0, at_ns1)
2288 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0: the ARP responder in table 8 answers for the NAT
dnl address with it.
2289 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2290 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2292 dnl Allow new FTP control connections and established TCP from ns0->ns1, source-NATted to 10.1.1.240. From ns1->ns0 only allow established return traffic, helper-expected (related) data connections and related ICMP. ARP is handled separately.
2294 AT_DATA([flows.txt], [dnl
2295 dnl track all IP traffic, de-mangle non-NEW connections
dnl ct(nat) here applies the stored mapping (reverse translation for replies)
dnl before the per-direction policy tables run.
2296 table=0 in_port=1, ip, action=ct(table=1,nat)
2297 table=0 in_port=2, ip, action=ct(table=2,nat)
dnl ARP requests: resolve in table 8, answer or flood in table 10.
2301 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2302 table=0 priority=10 arp action=normal
2303 table=0 priority=0 action=drop
2305 dnl Table 1: port 1 -> 2
2307 dnl Allow new FTP connections. These need to be committed.
dnl alg=ftp attaches the FTP helper to the control connection so that the
dnl data connection announced on it can later be recognised as related.
dnl Only 10.1.1.1 may open such a connection.
2308 table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
2309 dnl Allow established TCP connections, make sure they are NATted already.
dnl nw_src=10.1.1.240 only matches after the source NAT was applied, so an
dnl untranslated packet is dropped below instead of leaking 10.1.1.1.
2310 table=1 ct_state=+est, tcp, nw_src=10.1.1.240, action=2
2312 dnl Table 1: droppers
dnl A separate TCP dropper keeps TCP drops countable apart from other IP.
2314 table=1 priority=10, tcp, action=drop
2315 table=1 priority=0,action=drop
2317 dnl Table 2: port 2 -> 1
2319 dnl Allow established TCP connections, make sure they are reverse NATted
dnl nw_dst=10.1.1.1 only matches after reverse NAT.
2320 table=2 ct_state=+est, tcp, nw_dst=10.1.1.1, action=1
2321 dnl Allow (new) related (data) connections. These need to be committed.
dnl A new related connection arrives still addressed to the NAT address;
dnl ct(commit,nat) installs the translation to 10.1.1.1 (see the second
dnl conntrack entry expected at the end of the test).
2322 table=2 ct_state=+new+rel, tcp, nw_dst=10.1.1.240, action=ct(commit,nat),1
2323 dnl Allow related ICMP packets, make sure they are reverse NATted
2324 table=2 ct_state=+rel, icmp, nw_dst=10.1.1.1, action=1
2326 dnl Table 2: droppers
2328 table=2 priority=10, tcp, action=drop
2329 table=2 priority=0, action=drop
2331 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl Any address in 10.1.1.240/28 resolves to the MAC of p0.
2333 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2334 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2335 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2338 table=10 priority=100 arp xreg0=0 action=normal
2337 dnl Swaps the fields of the ARP message to turn a query to a response.
2339 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2340 table=10 priority=0 action=drop
2343 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2345 dnl Only one FTP server, in at_ns1, is needed: ns0 acts as the client.
2346 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
2347 OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
2349 dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode, i.e. the server opens the data
dnl connection towards the client, which is what exercises the helper.
2350 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
dnl Two entries: the control connection (with the ftp helper attached) and
dnl the data connection the server opened to the NAT address, whose reply
dnl direction is translated back to 10.1.1.1.
2352 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2353 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
2354 tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2357 OVS_TRAFFIC_VSWITCHD_STOP
2361 AT_SETUP([conntrack - FTP with NAT 2])
dnl Purpose: same active-mode FTP through source NAT as the previous test,
dnl but the first ct() call in table 0 only tracks; NAT is applied by a
dnl second, per-rule ct(nat) in table 1. Table 1 therefore matches on
dnl in_port and connection state only and sees untranslated addresses.
2362 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
2364 OVS_TRAFFIC_VSWITCHD_START()
2366 ADD_NAMESPACES(at_ns0, at_ns1)
2368 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0, handed out by the ARP responder for the NAT address.
2369 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2370 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2372 dnl Allow new FTP control connections and established TCP from ns0->ns1, source-NATted.
2373 dnl Only allow established return traffic, related data connections and related ICMP from ns1->ns0.
2374 AT_DATA([flows.txt], [dnl
2375 dnl track all IP traffic (this includes a helper call to non-NEW packets.)
2376 table=0 ip, action=ct(table=1)
dnl ARP requests: resolve in table 8, answer or flood in table 10.
2380 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2381 table=0 priority=10 arp action=normal
2382 table=0 priority=0 action=drop
2386 dnl Allow new FTP connections. These need to be committed.
2387 dnl This does helper for new packets.
dnl NOTE(review): unlike the previous test there is no nw_src restriction, so any
dnl source on port 1 may open a NATted control connection.
2388 table=1 in_port=1 ct_state=+new, tcp, tp_dst=21, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
2389 dnl Allow and NAT established TCP connections
dnl ct(nat) applies the mapping stored at commit time; no post-NAT address
dnl check is made here, the policy relies on the translation being applied.
2390 table=1 in_port=1 ct_state=+est, tcp, action=ct(nat),2
2391 table=1 in_port=2 ct_state=+est, tcp, action=ct(nat),1
2392 dnl Allow and NAT (new) related active (data) connections.
2393 dnl These need to be committed.
2394 table=1 in_port=2 ct_state=+new+rel, tcp, action=ct(commit,nat),1
2395 dnl Allow related ICMP packets.
2396 table=1 in_port=2 ct_state=+rel, icmp, action=ct(nat),1
2397 dnl Drop everything else.
2398 table=1 priority=0, action=drop
2400 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl Any address in 10.1.1.240/28 resolves to the MAC of p0.
2402 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2403 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2404 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2407 table=10 priority=100 arp xreg0=0 action=normal
2406 dnl Swaps the fields of the ARP message to turn a query to a response.
2408 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2409 table=10 priority=0 action=drop
2412 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2414 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
2415 OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
2417 dnl FTP requests from p0->p1 should work fine.
dnl Active mode (--no-passive-ftp): the server opens the data connection.
2418 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
2420 dnl Discards CLOSE_WAIT and CLOSING
dnl Expect the helper-tracked control connection and the related data
dnl connection to the NAT address, reverse-translated to 10.1.1.1.
2421 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2422 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
2423 tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2426 OVS_TRAFFIC_VSWITCHD_STOP
2429 AT_SETUP([conntrack - IPv6 HTTP with NAT])
dnl Purpose: IPv6 source NAT with a default-deny return policy. HTTP from ns0
dnl must succeed through the NAT address, and a connection initiated from
dnl ns1 must be refused by the flow table.
2431 OVS_TRAFFIC_VSWITCHD_START()
2433 ADD_NAMESPACES(at_ns0, at_ns1)
2435 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
2436 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2437 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl NAT does not translate neighbor discovery, so ns1 is told statically that
dnl the NAT address fc00::240 lives at the MAC of p0.
2438 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
2440 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
2441 AT_DATA([flows.txt], [dnl
dnl Default deny.
2442 priority=1,action=drop
dnl ip6 also matches ICMPv6, so the priority-100 rules below take precedence;
dnl this rule only sees ICMPv6 from port 2 that has already been tracked and
dnl is neither established nor the solicitation handled at priority 200.
2443 priority=10,icmp6,action=normal
dnl Port 1 -> 2: commit everything with source NAT to fc00::240.
2444 priority=100,in_port=1,ip6,action=ct(commit,nat(src=fc00::240)),2
dnl Port 2 -> 1: track (and reverse-NAT) first, then re-evaluate; only
dnl established traffic is let through. A new connection from port 2 has no
dnl matching rule and hits the drop.
2445 priority=100,in_port=2,ct_state=-trk,ip6,action=ct(nat,table=0)
2446 priority=100,in_port=2,ct_state=+trk+est,ip6,action=1
dnl Neighbor solicitations for the NAT address from port 2 are committed with
dnl the IPv6 destination translated to fc00::1 and handed to port 1. With the
dnl static neighbor entry above this is presumably rarely exercised - confirm.
2447 priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::240,action=ct(commit,nat(dst=fc00::1)),1
2450 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2452 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
2453 dnl waiting, we get occasional failures due to the following error:
2454 dnl "connect: Cannot assign requested address"
2455 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
2457 dnl HTTP requests from ns0->ns1 should work fine.
2458 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])
2460 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2462 dnl HTTP requests from ns1->ns0 should fail due to network failure.
2463 dnl Try 3 times, in 1 second intervals.
dnl Negative check: a server is started in ns0 so that a failure can only
dnl come from the flow table, not from a closed port. Exit status 4 is
dnl wget's network-failure code.
2464 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
2465 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
2467 OVS_TRAFFIC_VSWITCHD_STOP
2471 AT_SETUP([conntrack - IPv6 FTP with NAT])
dnl Purpose: active-mode FTP over IPv6 through a source NAT. The FTP helper
dnl must mark the data connection the server opens towards the NAT address as
dnl related, and it must be translated back to the client address.
2472 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
2474 OVS_TRAFFIC_VSWITCHD_START()
2476 ADD_NAMESPACES(at_ns0, at_ns1)
2478 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
2479 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2480 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
2481 dnl Would be nice if NAT could translate neighbor discovery messages, too.
dnl Until then ns1 needs a static neighbor entry mapping the NAT address to
dnl the MAC of p0.
2482 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
2484 dnl Allow new FTP control connections, established TCP and ICMPv6 from ns0->ns1.
2485 dnl Only allow ICMPv6 (incl. nd), established return traffic and related data connections from ns1->ns0.
2486 AT_DATA([flows.txt], [dnl
2487 dnl Allow other ICMPv6 both ways (without commit).
2488 table=1 priority=100 in_port=1 icmp6, action=2
2489 table=1 priority=100 in_port=2 icmp6, action=1
2490 dnl track all IPv6 traffic (this includes NAT & help to non-NEW packets.)
dnl Table 1 therefore sees post-NAT addresses and can match on them.
2491 table=0 priority=10 ip6, action=ct(nat,table=1)
2492 table=0 priority=0 action=drop
2496 dnl Allow new TCPv6 FTP control connections.
dnl Only fc00::1 may open one; alg=ftp attaches the helper that later
dnl recognises the data connection as related.
2497 table=1 in_port=1 ct_state=+new tcp6 ipv6_src=fc00::1 tp_dst=21 action=ct(alg=ftp,commit,nat(src=fc00::240)),2
2498 dnl Allow related TCPv6 connections from port 2 to the NATted address.
dnl The data connection still carries the NAT address here; ct(commit,nat)
dnl installs its translation to fc00::1.
2499 table=1 in_port=2 ct_state=+new+rel tcp6 ipv6_dst=fc00::240 action=ct(commit,nat),1
2500 dnl Allow established TCPv6 connections both ways, enforce NATting
dnl The address matches only succeed after translation, so an untranslated
dnl packet is dropped rather than forwarded.
2501 table=1 in_port=1 ct_state=+est tcp6 ipv6_src=fc00::240 action=2
2502 table=1 in_port=2 ct_state=+est tcp6 ipv6_dst=fc00::1 action=1
2503 dnl Drop everything else.
2504 table=1 priority=0, action=drop
2507 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2509 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
2510 dnl waiting, we get occasional failures due to the following error:
2511 dnl "connect: Cannot assign requested address"
2512 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
2514 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
2515 OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
2517 dnl FTP requests from p0->p1 should work fine.
dnl Active mode (--no-passive-ftp): the server opens the data connection.
2518 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
2520 dnl Discards CLOSE_WAIT and CLOSING
dnl Expect the helper-tracked control connection and the related data
dnl connection to fc00::240, reverse-translated to fc00::1.
2521 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
2522 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
2523 tcp,orig=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2526 OVS_TRAFFIC_VSWITCHD_STOP
2529 AT_SETUP([conntrack - DNAT load balancing])
dnl Purpose: a select group spreads new connections to a virtual IP over three
dnl backends by destination NAT; conntrack keeps later packets of a
dnl connection on the backend chosen for its first packet.
2531 OVS_TRAFFIC_VSWITCHD_START()
2533 ADD_NAMESPACES(at_ns1, at_ns2, at_ns3, at_ns4)
2535 ADD_VETH(p1, at_ns1, br0, "10.1.1.1/24")
2536 ADD_VETH(p2, at_ns2, br0, "10.1.1.2/24")
2537 ADD_VETH(p3, at_ns3, br0, "10.1.1.3/24")
2538 ADD_VETH(p4, at_ns4, br0, "10.1.1.4/24")
dnl Fixed MACs: DNAT rewrites only the IP header, so table 4 below steers
dnl frames to the chosen host by rewriting the destination MAC statically.
2539 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:11])
2540 NS_CHECK_EXEC([at_ns2], [ip link set dev p2 address 80:88:88:88:88:22])
2541 NS_CHECK_EXEC([at_ns3], [ip link set dev p3 address 80:88:88:88:88:33])
2542 NS_CHECK_EXEC([at_ns4], [ip link set dev p4 address 80:88:88:88:88:44])
2544 dnl Select group for load balancing. One bucket per server. Each bucket
2545 dnl tracks and NATs the connection and recirculates to table 4 for egress
2546 dnl routing. Packets of existing connections are always NATted based on
2547 dnl connection state, only new connections are NATted according to the
2548 dnl specific NAT parameters in each bucket.
2549 AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn add-group br0 "group_id=234,type=select,bucket=weight=100,ct(nat(dst=10.1.1.2),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.3),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.4),commit,table=4)"])
2551 AT_DATA([flows.txt], [dnl
2552 dnl Track connections to the virtual IP address.
dnl NOTE(review): no in_port match, so traffic to the VIP from any port,
dnl including the backends themselves, is load balanced.
2553 table=0 priority=100 ip nw_dst=10.1.1.64 action=group:234
2554 dnl All other IP traffic is allowed but the connection state is not committed.
dnl ct(nat) without commit still applies stored mappings, which is what
dnl translates the backends' replies back to the virtual address.
2555 table=0 priority=90 ip action=ct(table=4,nat)
2557 dnl Allow ARP, but generate responses for virtual addresses
2558 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2559 table=0 priority=10 arp action=normal
2560 table=0 priority=0 action=drop
dnl Table 4: static egress routing by (post-NAT) destination address.
2564 table=4,ip,nw_dst=10.1.1.1 action=mod_dl_dst:80:88:88:88:88:11,output:1
2565 table=4,ip,nw_dst=10.1.1.2 action=mod_dl_dst:80:88:88:88:88:22,output:2
2566 table=4,ip,nw_dst=10.1.1.3 action=mod_dl_dst:80:88:88:88:88:33,output:3
2567 table=4,ip,nw_dst=10.1.1.4 action=mod_dl_dst:80:88:88:88:88:44,output:4
2568 table=4 priority=0 action=drop
2570 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl The virtual address 10.1.1.64 resolves to a MAC that no port owns; the
dnl rewrite in table 4 fixes up the destination MAC after DNAT.
2571 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2572 dnl Zero result means not found.
2573 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2574 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2576 table=10 priority=100 arp xreg0=0 action=normal
2577 dnl Swaps the fields of the ARP message to turn a query to a response.
2578 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
dnl NOTE(review): unlike the other ARP responder tables in this file this
dnl fallback punts to the controller instead of dropping - presumably a
dnl debugging aid, confirm it is intended.
2579 table=10 priority=0 action=controller
2582 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2584 dnl Start web servers
2585 NETNS_DAEMONIZE([at_ns2], [[$PYTHON $srcdir/test-l7.py]], [http2.pid])
2586 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http3.pid])
2587 NETNS_DAEMONIZE([at_ns4], [[$PYTHON $srcdir/test-l7.py]], [http4.pid])
dnl Diagnostics dumped at exit to help debug failures.
2589 on_exit 'ovs-ofctl -O OpenFlow15 dump-flows br0'
2590 on_exit 'ovs-appctl revalidator/purge'
2591 on_exit 'ovs-appctl dpif/dump-flows br0'
2593 dnl Should work with the virtual IP address through NAT
2594 for i in 1 2 3 4 5 6 7 8 9 10 11 12; do
2596 NS_CHECK_EXEC([at_ns1], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget$i.log])
2599 dnl Each server should have at least one connection.
dnl Twelve connections are expected to collapse to one line per backend, so
dnl FORMAT_CT presumably deduplicates. With bucket selection that is not
dnl round robin there is a small chance a backend is never picked; if this
dnl check flakes, raise the request count.
2600 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
2601 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2602 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.3,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2603 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
dnl Informational dumps only; their output is not checked.
2606 ovs-appctl dpif/dump-flows br0
2607 ovs-appctl revalidator/purge
2608 ovs-ofctl -O OpenFlow15 dump-flows br0
2609 ovs-ofctl -O OpenFlow15 dump-group-stats br0
2611 OVS_TRAFFIC_VSWITCHD_STOP
2615 AT_SETUP([conntrack - DNAT load balancing with NC])
dnl Purpose: same DNAT load balancing as the previous test, driven by nc from
dnl two clients (ns1 and ns5) that reuse the same source port, so the two
dnl connections in each iteration differ only in source address.
2617 OVS_TRAFFIC_VSWITCHD_START()
2619 ADD_NAMESPACES(at_ns1, at_ns2, at_ns3, at_ns4, at_ns5)
2621 ADD_VETH(p1, at_ns1, br0, "10.1.1.1/24")
2622 ADD_VETH(p2, at_ns2, br0, "10.1.1.2/24")
2623 ADD_VETH(p3, at_ns3, br0, "10.1.1.3/24")
2624 ADD_VETH(p4, at_ns4, br0, "10.1.1.4/24")
2625 ADD_VETH(p5, at_ns5, br0, "10.1.1.5/24")
dnl Fixed MACs for the static destination-MAC rewrite in table 4.
2626 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:11])
2627 NS_CHECK_EXEC([at_ns2], [ip link set dev p2 address 80:88:88:88:88:22])
2628 NS_CHECK_EXEC([at_ns3], [ip link set dev p3 address 80:88:88:88:88:33])
2629 NS_CHECK_EXEC([at_ns4], [ip link set dev p4 address 80:88:88:88:88:44])
2630 NS_CHECK_EXEC([at_ns5], [ip link set dev p5 address 80:88:88:88:88:55])
2632 dnl Select group for load balancing. One bucket per server. Each bucket
2633 dnl tracks and NATs the connection and recirculates to table 4 for egress
2634 dnl routing. Packets of existing connections are always NATted based on
2635 dnl connection state, only new connections are NATted according to the
2636 dnl specific NAT parameters in each bucket.
2637 AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn add-group br0 "group_id=234,type=select,bucket=weight=100,ct(nat(dst=10.1.1.2),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.3),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.4),commit,table=4)"])
2639 AT_DATA([flows.txt], [dnl
2640 dnl Track connections to the virtual IP address.
dnl No in_port match: traffic to the VIP from any port is load balanced.
2641 table=0 priority=100 ip nw_dst=10.1.1.64 action=group:234
2642 dnl All other IP traffic is allowed but the connection state is not committed.
dnl ct(nat) without commit still applies stored mappings, which translates
dnl the backends' replies back to the virtual address.
2643 table=0 priority=90 ip action=ct(table=4,nat)
2645 dnl Allow ARP, but generate responses for virtual addresses
2646 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2647 table=0 priority=10 arp action=normal
2648 table=0 priority=0 action=drop
dnl Table 4: static egress routing by (post-NAT) destination address.
2652 table=4,ip,nw_dst=10.1.1.1 action=mod_dl_dst:80:88:88:88:88:11,output:1
2653 table=4,ip,nw_dst=10.1.1.2 action=mod_dl_dst:80:88:88:88:88:22,output:2
2654 table=4,ip,nw_dst=10.1.1.3 action=mod_dl_dst:80:88:88:88:88:33,output:3
2655 table=4,ip,nw_dst=10.1.1.4 action=mod_dl_dst:80:88:88:88:88:44,output:4
2656 table=4,ip,nw_dst=10.1.1.5 action=mod_dl_dst:80:88:88:88:88:55,output:5
2657 table=4 priority=0 action=drop
2659 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl The virtual address resolves to a MAC no port owns; table 4 rewrites the
dnl destination MAC after DNAT.
2660 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2661 dnl Zero result means not found.
2662 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2663 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2665 table=10 priority=100 arp xreg0=0 action=normal
2666 dnl Swaps the fields of the ARP message to turn a query to a response.
2667 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
dnl NOTE(review): punts unmatched ARP to the controller instead of dropping,
dnl as the other ARP responder tables in this file do - presumably a
dnl debugging aid, confirm it is intended.
2668 table=10 priority=0 action=controller
2671 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2673 dnl Start web servers
dnl ns5 runs no server; it is the second client.
2674 NETNS_DAEMONIZE([at_ns2], [[$PYTHON $srcdir/test-l7.py]], [http2.pid])
2675 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http3.pid])
2676 NETNS_DAEMONIZE([at_ns4], [[$PYTHON $srcdir/test-l7.py]], [http4.pid])
dnl Diagnostics dumped at exit to help debug failures.
2678 on_exit 'ovs-ofctl -O OpenFlow15 dump-flows br0'
2679 on_exit 'ovs-appctl revalidator/purge'
2680 on_exit 'ovs-appctl dpif/dump-flows br0'
2684 dnl Should work with the virtual IP address through NAT
dnl Both clients bind the same source port 4100i in iteration i, so the NAT
dnl table has to tell the two connections apart by source address alone.
dnl NOTE(review): only the exit status of nc is asserted; neither the
dnl nc-*.log responses nor the conntrack table are checked, unlike the
dnl previous test. Consider adding a FORMAT_CT check for both clients.
2685 for i in 1 2 3 4 5 6 7 8 9; do
2687 NS_CHECK_EXEC([at_ns1], [echo "TEST1" | nc -p 4100$i 10.1.1.64 80 > nc-1-$i.log])
2688 NS_CHECK_EXEC([at_ns5], [echo "TEST5" | nc -p 4100$i 10.1.1.64 80 > nc-5-$i.log])
dnl Informational dumps only; their output is not checked.
2693 ovs-appctl dpif/dump-flows br0
2694 ovs-appctl revalidator/purge
2695 ovs-ofctl -O OpenFlow15 dump-flows br0
2696 ovs-ofctl -O OpenFlow15 dump-group-stats br0
2698 OVS_TRAFFIC_VSWITCHD_STOP