1 AT_BANNER([datapath-sanity])
3 AT_SETUP([datapath - ping between two ports])
dnl Baseline forwarding check with no connection tracking involved: a single
dnl "actions=normal" flow makes br0 behave as a plain learning switch, so ICMP
dnl between the two namespaces must simply succeed.
4 OVS_TRAFFIC_VSWITCHD_START()
6 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
8 ADD_NAMESPACES(at_ns0, at_ns1)
10 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
11 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl FORMAT_PING appears to normalise the ping summary line (every expected
dnl line below ends in the constant "time 0ms") so the comparison is stable.
13 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
14 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl The 1600- and 3200-byte payloads are larger than a 1500-byte Ethernet
dnl MTU, so these two pings presumably exercise IP fragmentation and
dnl reassembly through the datapath -- TODO confirm the MTU set by ADD_VETH.
16 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
17 3 packets transmitted, 3 received, 0% packet loss, time 0ms
19 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
20 3 packets transmitted, 3 received, 0% packet loss, time 0ms
23 OVS_TRAFFIC_VSWITCHD_STOP
26 AT_SETUP([datapath - ping between two ports on vlan])
dnl Same as the untagged ping test, but the traffic is sent on VLAN 100 via
dnl the sub-interfaces that ADD_VLAN creates, so "actions=normal" must also
dnl forward tagged frames correctly.
27 OVS_TRAFFIC_VSWITCHD_START()
29 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
31 ADD_NAMESPACES(at_ns0, at_ns1)
33 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
34 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl 10.2.2.0/24 lives only on the VLAN 100 sub-interfaces; the pings below
dnl target that subnet, not the untagged 10.1.1.0/24 addresses.
36 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
37 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
39 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
40 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Larger payloads than a 1500-byte MTU, presumably to cover fragmented
dnl packets on the tagged path as well -- TODO confirm the MTU in use.
42 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
43 3 packets transmitted, 3 received, 0% packet loss, time 0ms
45 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
46 3 packets transmitted, 3 received, 0% packet loss, time 0ms
49 OVS_TRAFFIC_VSWITCHD_STOP
52 AT_SETUP([datapath - ping6 between two ports])
dnl IPv6 counterpart of the basic ping test: "actions=normal" must forward
dnl both the neighbour discovery exchange and the ICMPv6 echoes.
53 OVS_TRAFFIC_VSWITCHD_START()
55 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
57 ADD_NAMESPACES(at_ns0, at_ns1)
59 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
60 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl The delay gives the freshly added IPv6 addresses time to finish duplicate
dnl address detection; before that the kernel refuses to use them as source
dnl addresses, which is the error quoted below.
62 dnl Without this sleep, we get occasional failures due to the following error:
63 dnl "connect: Cannot assign requested address"
66 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
67 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Payloads above a 1500-byte MTU, presumably exercising IPv6 fragmentation
dnl through the datapath -- TODO confirm the MTU in use.
69 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
70 3 packets transmitted, 3 received, 0% packet loss, time 0ms
72 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
73 3 packets transmitted, 3 received, 0% packet loss, time 0ms
76 OVS_TRAFFIC_VSWITCHD_STOP
79 AT_SETUP([datapath - ping6 between two ports on vlan])
dnl IPv6 ping over VLAN 100: the pings target the fc00:1::/96 addresses that
dnl exist only on the tagged sub-interfaces created by ADD_VLAN.
80 OVS_TRAFFIC_VSWITCHD_START()
82 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
84 ADD_NAMESPACES(at_ns0, at_ns1)
86 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
87 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
89 ADD_VLAN(p0, at_ns0, 100, "fc00:1::1/96")
90 ADD_VLAN(p1, at_ns1, 100, "fc00:1::2/96")
dnl As in the untagged IPv6 test: wait for duplicate address detection to
dnl complete before the addresses can be used as ping sources.
92 dnl Without this sleep, we get occasional failures due to the following error:
93 dnl "connect: Cannot assign requested address"
96 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
97 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Payloads above a 1500-byte MTU, presumably covering fragmented IPv6 on
dnl the tagged path -- TODO confirm the MTU in use.
99 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
100 3 packets transmitted, 3 received, 0% packet loss, time 0ms
102 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
103 3 packets transmitted, 3 received, 0% packet loss, time 0ms
106 OVS_TRAFFIC_VSWITCHD_STOP
109 AT_SETUP([datapath - ping over vxlan tunnel])
dnl Encapsulation check: the overlay (10.1.1.0/24) is carried over a VXLAN
dnl tunnel between an OVS tunnel port on br0 and a native Linux vxlan device
dnl inside at_ns0, with the underlay (172.31.1.0/24) switched by br-underlay.
dnl Skipped when the host's "ip link" cannot set a VXLAN destination port,
dnl which the native endpoint needs to match the OVS side.
110 AT_SKIP_IF([! ip link add foo type vxlan help 2>&1 | grep dstport >/dev/null])
112 OVS_TRAFFIC_VSWITCHD_START()
113 ADD_BR([br-underlay])
115 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
116 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
118 ADD_NAMESPACES(at_ns0)
120 dnl Set up underlay link from host into the namespace using veth pair.
121 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
dnl The host side of the underlay is the br-underlay internal device itself,
dnl at 172.31.1.100; that is the remote address the namespace tunnels to.
122 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
123 AT_CHECK([ip link set dev br-underlay up])
125 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
126 dnl linux device inside the namespace.
dnl at_vxlan0 (OVS, br0) points at the namespace's underlay address 172.31.1.1;
dnl at_vxlan1 (native, in at_ns0) points back at the host's 172.31.1.100.
127 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
128 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
131 dnl First, check the underlay
dnl If this fails the overlay checks are meaningless, so it is isolated first.
132 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
133 3 packets transmitted, 3 received, 0% packet loss, time 0ms
136 dnl Okay, now check the overlay with different packet sizes
dnl The larger payloads presumably exercise fragmentation of the encapsulated
dnl packets, where the VXLAN overhead reduces the usable inner MTU -- TODO
dnl confirm the MTUs configured by the tunnel macros.
137 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
138 3 packets transmitted, 3 received, 0% packet loss, time 0ms
140 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
141 3 packets transmitted, 3 received, 0% packet loss, time 0ms
143 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
144 3 packets transmitted, 3 received, 0% packet loss, time 0ms
147 OVS_TRAFFIC_VSWITCHD_STOP
150 AT_SETUP([conntrack - controller])
dnl Checks the basic stateful-firewall property using controller packet-ins
dnl instead of real sockets: a UDP packet from port 2 is only delivered if it
dnl is the reply to a connection that port 1 previously committed.
152 OVS_TRAFFIC_VSWITCHD_START()
154 ADD_NAMESPACES(at_ns0, at_ns1)
156 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
157 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Allow any UDP from ns0->ns1 (committing it), allow ARP, and from ns1->ns0
dnl only packets that conntrack classifies as part of an established
dnl connection.  Everything else hits the priority=1 drop.
159 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
160 AT_DATA([flows.txt], [dnl
161 priority=1,action=drop
162 priority=10,arp,action=normal
dnl Port 1: commit the connection, then hand the packet to the controller so
dnl it shows up in the monitor log.
163 priority=100,in_port=1,udp,action=ct(commit),controller
dnl Port 2: an untracked packet is sent through conntrack and recirculated to
dnl table 0; only if it then carries +est is it passed to the controller.
164 priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
165 priority=100,in_port=2,ct_state=+trk+est,udp,action=controller
168 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Every packet-in br0 generates is appended to ofctl_monitor.log, which is
dnl the only observation point for this test.
170 AT_CAPTURE_FILE([ofctl_monitor.log])
171 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
dnl No entry has been committed yet, so after ct(table=0) this packet is not
dnl +est; no priority=100 rule matches and it falls through to the drop.
173 dnl Send an unsolicited reply from port 2. This should be dropped.
174 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
176 dnl OK, now start a new connection from port 1.
177 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit\),controller '50540000000a50540000000908004500001c00000000001100000a0101010a0101020001000200080000'])
dnl Same raw packet as the unsolicited attempt above; this time a committed
dnl entry exists, so the lookup succeeds.
179 dnl Now try a reply from port 2.
180 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
dnl The second packet-in reports ct_state=est|rpl|trk: the reply was matched
dnl against the committed entry in the reply direction.  The first, dropped
dnl packet-out from port 2 never reaches the controller.
182 dnl Check this output. We only see the latter two packets, not the first.
183 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
184 NXT_PACKET_IN (xid=0x0): total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
185 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
186 NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
187 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
190 OVS_TRAFFIC_VSWITCHD_STOP
193 AT_SETUP([conntrack - IPv4 HTTP])
dnl End-to-end stateful firewall over a real TCP connection: HTTP initiated
dnl from ns0 must succeed, while an HTTP connection initiated from ns1 must
dnl be blocked because its SYN is never committed.
195 OVS_TRAFFIC_VSWITCHD_START()
197 ADD_NAMESPACES(at_ns0, at_ns1)
199 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
200 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Allow TCP from ns0->ns1 (committing it), ARP and ICMP in both directions,
dnl and from ns1->ns0 only TCP that conntrack reports as established.
202 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
203 AT_DATA([flows.txt], [dnl
204 priority=1,action=drop
205 priority=10,arp,action=normal
206 priority=10,icmp,action=normal
207 priority=100,in_port=1,tcp,action=ct(commit),2
208 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
209 priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
212 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl ICMP is allowed unconditionally above, so this only proves L2/L3 reach.
214 dnl Basic connectivity check.
215 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 >/dev/null])
dnl --retry-connrefused covers the race between the daemonised server
dnl starting and the first connection attempt.
217 dnl HTTP requests from ns0->ns1 should work fine.
218 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
219 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl The kernel conntrack table must show the completed connection in
dnl TIME_WAIT and ASSURED; FORMAT_CT appears to blank the ephemeral ports.
221 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
222 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1
dnl No --retry-connrefused here: the connection is expected to fail, and the
dnl exit status 4 asserted below is wget's "network failure".
225 dnl HTTP requests from ns1->ns0 should fail due to network failure.
226 dnl Try 3 times, in 1 second intervals.
227 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
228 NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log], [4])
230 OVS_TRAFFIC_VSWITCHD_STOP
233 AT_SETUP([conntrack - IPv6 HTTP])
dnl IPv6 variant of the stateful HTTP test: tcp6 from ns0->ns1 is committed,
dnl return traffic is admitted only when established, and a connection
dnl initiated from ns1 must fail.
235 OVS_TRAFFIC_VSWITCHD_START()
237 ADD_NAMESPACES(at_ns0, at_ns1)
239 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
240 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl icmp6 is allowed unconditionally so neighbour discovery can complete;
dnl there is no ARP on IPv6 and no separate echo rule.
242 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
243 AT_DATA([flows.txt], [dnl
244 priority=1,action=drop
245 priority=10,icmp6,action=normal
246 priority=100,in_port=1,tcp6,action=ct(commit),2
247 priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
248 priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
251 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Wait for duplicate address detection so the addresses are usable as
dnl connection sources.
253 dnl Without this sleep, we get occasional failures due to the following error:
254 dnl "connect: Cannot assign requested address"
dnl The doubled brackets are M4 quoting; the shell sees http://[fc00::2].
257 dnl HTTP requests from ns0->ns1 should work fine.
258 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])
260 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Exit status 4 is wget's "network failure"; no --retry-connrefused since
dnl the connection is meant to be blocked.
262 dnl HTTP requests from ns1->ns0 should fail due to network failure.
263 dnl Try 3 times, in 1 second intervals.
264 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
265 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
267 OVS_TRAFFIC_VSWITCHD_STOP
270 AT_SETUP([conntrack - commit, recirc])
dnl Two independent pairs of ports.  p0<->p1 use a simple commit-then-output
dnl pipeline; p2<->p3 use a multi-pass pipeline that stores progress in the
dnl metadata field, so the test checks that metadata written before a ct()
dnl action is still visible after the packet recirculates.
272 OVS_TRAFFIC_VSWITCHD_START()
274 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
276 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
277 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
278 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
279 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
281 dnl Allow any traffic from ns0->ns1, ns2->ns3.
282 AT_DATA([flows.txt], [dnl
283 priority=1,action=drop
284 priority=10,arp,action=normal
285 priority=10,icmp,action=normal
dnl p0/p1: commit (or look up) with recirculation to table 0, then output.
286 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
287 priority=100,in_port=1,tcp,ct_state=+trk,action=2
288 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
289 priority=100,in_port=2,tcp,ct_state=+trk,action=1
dnl p2: pass 1 clears metadata and tracks; pass 2 (metadata=0) sets
dnl metadata=1 and commits; pass 3 (metadata=1) finally outputs to p3.
dnl If metadata were lost across ct(), pass 2 would repeat and never output.
290 priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
291 priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
292 priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
293 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
294 priority=100,in_port=4,tcp,ct_state=+trk,action=3
297 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
299 dnl HTTP requests from p0->p1 should work fine.
300 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
301 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
303 dnl HTTP requests from p2->p3 should work fine.
304 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
305 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
307 OVS_TRAFFIC_VSWITCHD_STOP
310 AT_SETUP([conntrack - preserve registers])
dnl Same structure as "commit, recirc", but the p2->p3 pipeline keeps its
dnl per-pass state in NXM_NX_REG0 instead of metadata, so this checks that
dnl register contents survive a ct() recirculation.
312 OVS_TRAFFIC_VSWITCHD_START()
314 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
316 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
317 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
318 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
319 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
321 dnl Allow any traffic from ns0->ns1, ns2->ns3.
322 AT_DATA([flows.txt], [dnl
323 priority=1,action=drop
324 priority=10,arp,action=normal
325 priority=10,icmp,action=normal
326 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
327 priority=100,in_port=1,tcp,ct_state=+trk,action=2
328 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
329 priority=100,in_port=2,tcp,ct_state=+trk,action=1
dnl p2: pass 1 loads reg0=0 and tracks; pass 2 (reg0=0) loads reg0=1 and
dnl commits; pass 3 (reg0=1) outputs to p3.  The doubled brackets are M4
dnl quoting for the empty bit range, i.e. the whole register.
330 priority=100,in_port=3,tcp,ct_state=-trk,action=load:0->NXM_NX_REG0[[]],ct(table=0)
331 priority=100,in_port=3,tcp,ct_state=+trk,reg0=0,action=load:1->NXM_NX_REG0[[]],ct(commit,table=0)
332 priority=100,in_port=3,tcp,ct_state=+trk,reg0=1,action=4
333 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
334 priority=100,in_port=4,tcp,ct_state=+trk,action=3
337 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
339 dnl HTTP requests from p0->p1 should work fine.
340 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
341 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
343 dnl HTTP requests from p2->p3 should work fine.
344 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
345 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
347 OVS_TRAFFIC_VSWITCHD_STOP
350 AT_SETUP([conntrack - invalid])
dnl Shows what happens when the forward direction is tracked with ct() but
dnl never committed: conntrack has no entry for the reply, so the reply is
dnl not +new/+est.  For p0/p1 that breaks the connection; for p2/p3 a rule
dnl that explicitly admits +inv lets it through.
352 OVS_TRAFFIC_VSWITCHD_START()
354 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
356 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
357 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
358 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
359 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
dnl (The second pair is p2/p3 in at_ns2/at_ns3, i.e. ns2->ns3.)
361 dnl Pass traffic from ns0->ns1 without committing, but attempt to track in
362 dnl the opposite direction. This should fail.
363 dnl Pass traffic from ns3->ns4 without committing, and this time match
364 dnl invalid traffic and allow it through.
365 AT_DATA([flows.txt], [dnl
366 priority=1,action=drop
367 priority=10,arp,action=normal
368 priority=10,icmp,action=normal
dnl ct() with no commit: the packet is classified but no entry is created.
369 priority=100,in_port=1,tcp,action=ct(),2
370 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
371 priority=100,in_port=2,ct_state=+trk+new,tcp,action=1
372 priority=100,in_port=3,tcp,action=ct(),4
373 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
dnl Admitting +inv is deliberate here to observe the flag; it bypasses the
dnl state check and is not a pattern a real policy should copy.
374 priority=100,in_port=4,ct_state=+trk+inv,tcp,action=3
375 priority=100,in_port=4,ct_state=+trk+new,tcp,action=3
378 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Exit status 4 is wget's "network failure".
380 dnl We set up our rules to allow the request without committing. The return
381 dnl traffic can't be identified, because the initial request wasn't committed.
382 dnl For the first pair of ports, this means that the connection fails.
383 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
384 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4])
386 dnl For the second pair, we allow packets from invalid connections, so it works.
387 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
388 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
390 OVS_TRAFFIC_VSWITCHD_STOP
393 AT_SETUP([conntrack - zones])
dnl Zone isolation: a connection committed in one zone must not be visible
dnl to lookups that match on a different zone.  p0/p1 use zone 1 end to end;
dnl p2/p3 commit in zone 2 but the return rule requires ct_zone=1, so the
dnl handshake can never complete.
395 OVS_TRAFFIC_VSWITCHD_START()
397 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
399 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
400 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
401 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
402 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
404 dnl Allow any traffic from ns0->ns1. Allow return traffic, matching on zone.
405 dnl For ns2->ns3, use a different zone and see that the match fails.
406 AT_DATA([flows.txt], [dnl
407 priority=1,action=drop
408 priority=10,arp,action=normal
409 priority=10,icmp,action=normal
410 priority=100,in_port=1,tcp,action=ct(commit,zone=1),2
411 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
412 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
413 priority=100,in_port=3,tcp,action=ct(commit,zone=2),4
414 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0,zone=2)
dnl Intentional mismatch: tracked in zone 2, but only ct_zone=1 is admitted.
415 priority=100,in_port=4,ct_state=+trk,ct_zone=1,tcp,action=3
418 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
420 dnl HTTP requests from p0->p1 should work fine.
421 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
422 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl The completed connection is recorded in zone 1.
424 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
425 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
dnl Exit status 4 is wget's "network failure".
428 dnl HTTP requests from p2->p3 should fail due to network failure.
429 dnl Try 3 times, in 1 second intervals.
430 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
431 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl The zone 2 entry is stuck in SYN_RECV: conntrack saw the SYN-ACK from
dnl p3, but OVS dropped it on the ct_zone=1 check, so the handshake never
dnl finished and the entry is not ASSURED.
433 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
434 SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=0 zone=2 use=1
437 OVS_TRAFFIC_VSWITCHD_STOP
440 AT_SETUP([conntrack - zones from field])
dnl Same zone-isolation scenario as "conntrack - zones", but the zone is
dnl taken from the low 16 bits of NXM_NX_REG0 rather than a literal: p0/p1
dnl use 0x1001 (4097) throughout, p2/p3 commit in 0x1002 (4098) while the
dnl return rule still requires ct_zone=0x1001.
442 OVS_TRAFFIC_VSWITCHD_START()
444 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
446 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
447 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
448 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
449 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
dnl Allow TCP from ns0->ns1 and ARP/ICMP everywhere; from ns1->ns0 only
dnl tracked traffic in zone 0x1001.  ns2->ns3 is the negative case.
451 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
452 AT_DATA([flows.txt], [dnl
453 priority=1,action=drop
454 priority=10,arp,action=normal
455 priority=10,icmp,action=normal
dnl The doubled brackets are M4 quoting for the [0..15] bit range.
456 priority=100,in_port=1,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),2
457 priority=100,in_port=2,ct_state=-trk,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
458 priority=100,in_port=2,ct_state=+trk,ct_zone=0x1001,tcp,action=1
459 priority=100,in_port=3,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),4
460 priority=100,in_port=4,ct_state=-trk,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
dnl Intentional mismatch: tracked in 0x1002, only 0x1001 is admitted.
461 priority=100,in_port=4,ct_state=+trk,ct_zone=0x1001,tcp,action=3
464 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
466 dnl HTTP requests from p0->p1 should work fine.
467 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
468 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl conntrack prints the zone in decimal: 4097 == 0x1001.
470 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
471 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=4097 use=1
dnl Exit status 4 is wget's "network failure".
474 dnl HTTP requests from p2->p3 should fail due to network failure.
475 dnl Try 3 times, in 1 second intervals.
476 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
477 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl 4098 == 0x1002; SYN_RECV without ASSURED shows the handshake never
dnl completed because the SYN-ACK was dropped on the ct_zone check.
479 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
480 SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=0 zone=4098 use=1
483 OVS_TRAFFIC_VSWITCHD_STOP
486 AT_SETUP([conntrack - multiple bridges])
dnl Two bridges joined by a patch port pair, each running its own stateful
dnl policy in its own zone (br0: zone 1, br1: zone 2).  A connection from
dnl ns0 (on br0) to ns1 (on br1) must be admitted by both policies.
dnl NOTE(review): the start of the OVS_TRAFFIC_VSWITCHD_START argument list
dnl is not visible in this rendering; only the patch-port setup is shown.
488 OVS_TRAFFIC_VSWITCHD_START(
490 add-port br0 patch+ -- set int patch+ type=patch options:peer=patch- --\
491 add-port br1 patch- -- set int patch- type=patch options:peer=patch+ --])
493 ADD_NAMESPACES(at_ns0, at_ns1)
495 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
496 ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")
dnl br0: commit new TCP arriving on port 2 in zone 1 and send it to port 1;
dnl traffic from port 1 is admitted only once established in zone 1.
dnl Which OpenFlow port number the patch port received is not visible here;
dnl presumably port 1 is patch+ and port 2 is p0 -- verify against the
dnl bridge setup above.
498 dnl Allow any traffic from ns0->br1, allow established in reverse.
499 AT_DATA([flows-br0.txt], [dnl
500 priority=1,action=drop
501 priority=10,arp,action=normal
502 priority=10,icmp,action=normal
503 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(commit,zone=1),1
504 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
505 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=1,action=2
dnl br1: everything is looked up in zone 2 first; new connections from port
dnl 1 are committed and forwarded, established traffic in either direction
dnl is re-committed (refreshing the entry) and forwarded.
508 dnl Allow any traffic from br0->ns1, allow established in reverse.
509 AT_DATA([flows-br1.txt], [dnl
510 priority=1,action=drop
511 priority=10,arp,action=normal
512 priority=10,icmp,action=normal
513 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=2)
514 priority=100,in_port=1,tcp,ct_state=+trk+new,ct_zone=2,action=ct(commit,zone=2),2
515 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=2,action=2
516 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
517 priority=100,in_port=2,tcp,ct_state=+trk+est,ct_zone=2,action=ct(commit,zone=2),1
520 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
521 AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt])
523 dnl HTTP requests from p0->p1 should work fine.
524 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
525 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
527 OVS_TRAFFIC_VSWITCHD_STOP
530 AT_SETUP([conntrack - multiple zones])
dnl A single packet can be committed into several zones by chaining ct()
dnl actions.  Forward traffic is committed in zone 1 and zone 2; the return
dnl path is only looked up in zone 2, so the zone 1 entry never sees the
dnl reply and stays UNREPLIED while the zone 2 entry completes normally.
532 OVS_TRAFFIC_VSWITCHD_START()
534 ADD_NAMESPACES(at_ns0, at_ns1)
536 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
537 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Allow TCP from ns0->ns1 and ARP/ICMP; from ns1->ns0 only traffic that
dnl is tracked in zone 2.
539 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
540 AT_DATA([flows.txt], [dnl
541 priority=1,action=drop
542 priority=10,arp,action=normal
543 priority=10,icmp,action=normal
544 priority=100,in_port=1,tcp,action=ct(commit,zone=1),ct(commit,zone=2),2
545 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=2)
546 priority=100,in_port=2,ct_state=+trk,ct_zone=2,tcp,action=1
549 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
551 dnl HTTP requests from p0->p1 should work fine.
552 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
553 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl A second connection confirms the existing entries do not interfere
dnl with a new one from the same endpoints.
555 dnl (again) HTTP requests from p0->p1 should work fine.
556 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Zone 1 only ever saw the client's SYN (SYN_SENT, UNREPLIED); zone 2 saw
dnl the whole connection (TIME_WAIT, ASSURED).
558 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
559 SYN_SENT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[UNREPLIED]] src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> mark=0 zone=1 use=1
560 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
563 OVS_TRAFFIC_VSWITCHD_STOP
566 AT_SETUP([conntrack - multiple zones, local])
dnl Like "multiple zones", but the client is the host's own network stack
dnl speaking through br0's LOCAL port rather than a namespace.  Both ICMP
dnl and TCP are committed in zone 1 and zone 2, and the return path must be
dnl established in both zones before it reaches LOCAL.
568 OVS_TRAFFIC_VSWITCHD_START()
570 ADD_NAMESPACES(at_ns0)
dnl br0 itself gets the host-side address; on_exit removes it again so a
dnl failed run does not leave it behind.
572 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
573 AT_CHECK([ip link set dev br0 up])
574 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
575 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
dnl NOTE(review): the LOCAL rules drop -trk packets yet expect +trk+new /
dnl +trk+est on the very first pass, so this relies on packets leaving the
dnl host stack already carrying conntrack state -- confirm against the
dnl datapath's handling of locally originated traffic.
577 dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
578 dnl return traffic from ns0 back to the local stack.
579 AT_DATA([flows.txt], [dnl
580 priority=1,action=drop
581 priority=10,arp,action=normal
582 priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
583 priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
584 priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
dnl Return path: table 0 looks up zone 1, table 1 requires +est there and
dnl looks up zone 2, table 2 requires +est there too before outputting.
585 priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
586 table=1,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
587 table=2,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
590 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Unlike the namespace tests, ICMP is not allowed unconditionally here, so
dnl this ping already exercises the two-zone pipeline.
592 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
593 3 packets transmitted, 3 received, 0% packet loss, time 0ms
596 dnl HTTP requests from root namespace to p0 should work fine.
597 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
598 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
600 dnl (again) HTTP requests from root namespace to p0 should work fine.
601 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Every connection (TCP and ICMP echo) must appear once per zone.  The
dnl grep on "zone" hides any entry that belongs to the default zone.
603 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
604 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
605 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
606 src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id=<cleared> src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id=<cleared> mark=0 zone=1 use=1
607 src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id=<cleared> src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id=<cleared> mark=0 zone=2 use=1
610 OVS_TRAFFIC_VSWITCHD_STOP
613 AT_SETUP([conntrack - multi-stage pipeline, local])
dnl A five-table ingress/egress firewall pipeline between the host stack
dnl (LOCAL) and ns0.  Each packet is tracked twice: once in a zone named
dnl after its input port (ingress policy) and once in a zone named after its
dnl output port (egress policy); connections from LOCAL are allowed and
dnl committed, everything else must already be established in both zones.
615 OVS_TRAFFIC_VSWITCHD_START()
617 ADD_NAMESPACES(at_ns0)
619 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
620 AT_CHECK([ip link set dev br0 up])
621 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
622 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
624 dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
625 dnl return traffic from ns0 back to the local stack.
626 AT_DATA([flows.txt], [dnl
628 table=0,priority=1,action=drop
629 table=0,priority=10,arp,action=normal
dnl Table 0: decide the output port up front and stash it in REG0 so the
dnl later tables can use it as the egress zone and as the output target.
dnl 65534 is the LOCAL port's numeric value; the doubled brackets are M4
dnl quoting for the [0..15] bit range.
631 dnl Load the output port to REG0
632 table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
633 table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1
dnl Table 1 (ingress ct, zone = input port).
636 dnl - Allow all connections from LOCAL port (commit and proceed to egress)
637 dnl - All other connections go through conntracker using the input port as
638 dnl a connection tracking zone.
639 table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2
640 table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
641 table=1,priority=1,action=drop
dnl Table 2 (egress ct, zone = output port).  Only +est traffic is sent for
dnl the second lookup; anything else from a non-LOCAL port is dropped here.
644 dnl - Allow all connections from LOCAL port (commit and skip to output)
645 dnl - Allow other established connections to go through conntracker using
646 dnl output port as a connection tracking zone.
647 table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4
648 table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
649 table=2,priority=1,action=drop
dnl Table 3: result of the egress lookup must also be +est.
651 dnl Only allow established traffic from egress ct lookup
652 table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
653 table=3,priority=1,action=drop
dnl Table 4: output to the port chosen in table 0.
656 table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
659 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl ICMP has no bypass rule, so the ping goes through the full pipeline.
661 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
662 3 packets transmitted, 3 received, 0% packet loss, time 0ms
665 dnl HTTP requests from root namespace to p0 should work fine.
666 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
667 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
669 dnl (again) HTTP requests from root namespace to p0 should work fine.
670 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Each connection appears once in zone 1 (ingress zone of LOCAL-initiated
dnl traffic is the LOCAL port's zone 65534... see below) and once in zone
dnl 65534: zone 1 is the egress zone (output port 1) chosen for LOCAL
dnl traffic, zone 65534 is the ingress zone for replies arriving on port 1.
672 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
673 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
674 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=65534 use=1
675 src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id=<cleared> src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id=<cleared> mark=0 zone=1 use=1
676 src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id=<cleared> src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id=<cleared> mark=0 zone=65534 use=1
679 OVS_TRAFFIC_VSWITCHD_STOP
682 AT_SETUP([conntrack - ct_mark])
dnl The connection mark is set at commit time with exec(set_field) and later
dnl used as a match field on the return path.  p0/p1 set and match mark 1;
dnl p2/p3 set mark 2 but the return rule still requires ct_mark=1, so that
dnl connection must fail.
684 OVS_TRAFFIC_VSWITCHD_START()
686 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
688 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
689 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
690 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
691 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
693 dnl Allow traffic between ns0<->ns1 using the ct_mark.
694 dnl Check that different marks do not match for traffic between ns2<->ns3.
695 AT_DATA([flows.txt], [dnl
696 priority=1,action=drop
697 priority=10,arp,action=normal
698 priority=10,icmp,action=normal
699 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
700 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
701 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
702 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:2->ct_mark)),4
703 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
dnl Intentional mismatch: the connection carries mark 2, only mark 1 passes.
704 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
707 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
709 dnl HTTP requests from p0->p1 should work fine.
710 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
711 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl The mark set at commit is visible in the kernel table as mark=1.
713 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
714 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=1 use=1
dnl Exit status 4 is wget's "network failure".
717 dnl HTTP requests from p2->p3 should fail due to network failure.
718 dnl Try 3 times, in 1 second intervals.
719 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
720 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl mark=2 was committed, but the SYN-ACK failed the ct_mark=1 check, so the
dnl entry never progresses past SYN_RECV.
722 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
723 SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=2 use=1
726 OVS_TRAFFIC_VSWITCHD_STOP
729 AT_SETUP([conntrack - ct_mark from register])
dnl Same scenario as "conntrack - ct_mark", except the mark value is first
dnl loaded into NXM_NX_REG0 and then copied into the connection with
dnl exec(move), checking that register contents can feed ct_mark.
731 OVS_TRAFFIC_VSWITCHD_START()
733 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
735 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
736 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
737 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
738 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
dnl Allow TCP from ns0->ns1 and ARP/ICMP; from ns1->ns0 only tracked TCP with
dnl ct_mark=1.  ns2->ns3 is committed with mark 2 and is the negative case.
740 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
741 AT_DATA([flows.txt], [dnl
742 priority=1,action=drop
743 priority=10,arp,action=normal
744 priority=10,icmp,action=normal
dnl The doubled brackets are M4 quoting for the [0..31] bit range and the
dnl empty (whole-field) range on NXM_NX_CT_MARK.
745 priority=100,in_port=1,tcp,action=load:1->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),2
746 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
747 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
748 priority=100,in_port=3,tcp,action=load:2->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),4
749 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
dnl Intentional mismatch: the connection carries mark 2, only mark 1 passes.
750 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
753 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
755 dnl HTTP requests from p0->p1 should work fine.
756 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
757 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl The value moved from REG0 must show up in the kernel table as mark=1.
759 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
760 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=1 use=1
dnl Exit status 4 is wget's "network failure".
763 dnl HTTP requests from p2->p3 should fail due to network failure.
764 dnl Try 3 times, in 1 second intervals.
765 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
766 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl mark=2 committed; SYN_RECV shows the SYN-ACK was dropped on ct_mark=1.
768 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
769 SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=2 use=1
772 OVS_TRAFFIC_VSWITCHD_STOP
775 AT_SETUP([conntrack - ct_label])
dnl Same positive/negative pattern as the ct_mark tests, using the wider
dnl connection label instead.  p0/p1 set and match the same label; p2/p3
dnl set 0x2 but the return rule requires the p0/p1 label, so it must fail.
dnl Unlike the ct_mark tests there is no conntrack -L check here, so the
dnl label is only verified indirectly through connectivity.
777 OVS_TRAFFIC_VSWITCHD_START()
779 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
781 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
782 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
783 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
784 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
786 dnl Allow traffic between ns0<->ns1 using the ct_label.
787 dnl Check that different labels do not match for traffic between ns2<->ns3.
788 AT_DATA([flows.txt], [dnl
789 priority=1,action=drop
790 priority=10,arp,action=normal
791 priority=10,icmp,action=normal
dnl A label value wider than 64 bits, so the match also covers the upper
dnl part of the field.
792 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:0x0a000d000005000001->ct_label)),2
793 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
794 priority=100,in_port=2,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=1
795 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:0x2->ct_label)),4
796 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
dnl Intentional mismatch: label 0x2 was committed, a different label is
dnl required on the return path.
797 priority=100,in_port=4,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=3
800 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
802 dnl HTTP requests from p0->p1 should work fine.
803 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
804 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Exit status 4 is wget's "network failure".
806 dnl HTTP requests from p2->p3 should fail due to network failure.
807 dnl Try 3 times, in 1 second intervals.
808 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
809 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
811 OVS_TRAFFIC_VSWITCHD_STOP
814 AT_SETUP([conntrack - ICMP related])
dnl Only UDP from ns0->ns1 is committed (with ct_mark=1).  In the reverse
dnl direction ICMP is admitted only when conntrack classifies it as related
dnl (+rel) to such a connection and the connection's ct_mark is 1; everything
dnl else falls through to the drop rule.
816 OVS_TRAFFIC_VSWITCHD_START()
818 ADD_NAMESPACES(at_ns0, at_ns1)
820 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
821 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
823 dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
824 AT_DATA([flows.txt], [dnl
825 priority=1,action=drop
826 priority=10,arp,action=normal
827 priority=100,in_port=1,udp,action=ct(commit,exec(set_field:1->ct_mark)),2
828 priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
829 priority=100,in_port=2,icmp,ct_state=+trk+rel,ct_mark=1,action=1
832 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
834 dnl If we simulate a UDP request to a port that is not serving any real traffic,
835 dnl the destination responds with an ICMP "destination unreachable" message;
836 dnl conntrack should classify that reply as "related".
dnl Packet 1 (injected on port 1): UDP 10.1.1.1 -> 10.1.1.2, sport 0x839c,
dnl dport 0x1388 (5000), 2-byte payload.  The in_port=1 rule commits it with
dnl ct_mark=1 and forwards it to port 2.
837 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 resubmit\(,0\) 'dnl
838 0000 0000 0000 0000 0000 0000 0800 4500 dnl
839 001e bb85 4000 4011 6945 0a01 0101 0a01 dnl
840 0102 839c 1388 000a f1a6 610a'])
dnl Packet 2 (injected on port 2): ICMP type 3 code 3 (port unreachable) from
dnl 10.1.1.2 -> 10.1.1.1 whose payload embeds the IP/UDP header of packet 1;
dnl that embedded header is what lets conntrack tie it to the committed
dnl UDP connection.
842 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'dnl
843 0000 0000 0000 0000 0000 0000 0800 45c0 dnl
844 003a 411e 0000 4001 22e1 0a01 0102 0a01 dnl
845 0101 0303 131d 0000 0000 dnl
846 4500 001e bb85 4000 4011 6945 0a01 0101 dnl
847 0a01 0102 839c 1388 000a f1a6 610a'])
dnl Expected counters: the UDP packet hits the commit rule once; the ICMP packet
dnl hits the -trk rule once, is recirculated by ct(table=0) and then hits the
dnl +rel+trk,ct_mark=0x1 rule once.  No rule sets ct_mark on the ICMP path, so
dnl the mark it matches on comes from the UDP connection it is related to.
dnl The priority=1 drop rule is filtered out of the dump with "grep -v drop".
849 AT_CHECK([ovs-appctl revalidator/purge], [0])
850 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
851 n_packets=1, n_bytes=44, priority=100,udp,in_port=1 actions=ct(commit,exec(load:0x1->NXM_NX_CT_MARK[[]])),output:2
852 n_packets=1, n_bytes=72, priority=100,ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2 actions=output:1
853 n_packets=1, n_bytes=72, priority=100,ct_state=-trk,icmp,in_port=2 actions=ct(table=0)
854 priority=10,arp actions=NORMAL
858 OVS_TRAFFIC_VSWITCHD_STOP
861 AT_SETUP([conntrack - ICMP related 2])
dnl Variant of the previous test that uses a controller (ovs-ofctl monitor) to
dnl observe which packets conntrack classifies as related replies.  Three
dnl packets are injected; only the UDP request and the ICMP error that embeds
dnl it should produce a packet-in.
863 OVS_TRAFFIC_VSWITCHD_START()
865 ADD_NAMESPACES(at_ns0, at_ns1)
867 ADD_VETH(p0, at_ns0, br0, "172.16.0.1/24")
868 ADD_VETH(p1, at_ns1, br0, "172.16.0.2/24")
870 dnl Commit UDP from ns0->ns1 and send every tracked IP packet from port 1 to the
dnl controller.  From ns1->ns0, send to the controller only tracked packets that
dnl are both a reply and related (+rel+rpl); everything else is dropped.
871 AT_DATA([flows.txt], [dnl
872 priority=1,action=drop
873 priority=10,arp,action=normal
874 priority=100,in_port=1,udp,ct_state=-trk,action=ct(commit,table=0)
875 priority=100,in_port=1,ip,ct_state=+trk,actions=controller
876 priority=100,in_port=2,ip,ct_state=-trk,action=ct(table=0)
877 priority=100,in_port=2,ip,ct_state=+trk+rel+rpl,action=controller
880 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt])
dnl Run ovs-ofctl monitor as the controller; packet-ins are written to
dnl ofctl_monitor.log and compared below.
882 AT_CAPTURE_FILE([ofctl_monitor.log])
883 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
885 dnl 1. Send an ICMP port unreach reply for port 8738, without any previous request
dnl    (172.16.0.4 -> 172.16.0.3, embedding UDP 172.16.0.3 -> 172.16.0.4:8738).
dnl    No committed connection exists for it, so it is not +rel+rpl and is dropped.
886 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f355ac100004ac1000030303553f0000000045000021317040004011b138ac100003ac10000411112222000d20966369616f0a'])
888 dnl 2. Send a UDP packet to port 5555 (172.16.0.1:41614 -> 172.16.0.2:5555).
dnl    ct(commit,table=0) commits it; the +trk rule then sends it to the controller.
889 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit,table=0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
891 dnl 3. Send an ICMP port unreach reply for port 5555, related to the UDP packet
dnl    of step 2 (172.16.0.2 -> 172.16.0.1, embedding that UDP packet).
892 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
894 dnl Check this output. We only see the latter two packets, not the first.
895 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
896 NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=47 ct_state=new|trk,in_port=1 (via action) data_len=47 (unbuffered)
897 udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096
898 NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=75 ct_state=rel|rpl|trk,in_port=2 (via action) data_len=75 (unbuffered)
899 icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f
902 OVS_TRAFFIC_VSWITCHD_STOP
905 AT_SETUP([conntrack - FTP])
dnl Exercises the FTP ALG: the helper attached to the control connection must
dnl create the expectation that lets the separately-initiated data connection
dnl through as "related".  Active mode (--no-passive-ftp) has the server open
dnl the data connection towards the client, i.e. in the otherwise blocked
dnl ns1->ns0 direction.
906 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
908 OVS_TRAFFIC_VSWITCHD_START()
910 ADD_NAMESPACES(at_ns0, at_ns1)
912 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
913 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
915 dnl flows1: commit any TCP from ns0->ns1 with the FTP helper.  From ns1->ns0 only
dnl established (+est) or related (+rel) TCP is allowed; ARP and ICMP pass freely.
916 AT_DATA([flows1.txt], [dnl
917 priority=1,action=drop
918 priority=10,arp,action=normal
919 priority=10,icmp,action=normal
920 priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
921 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
922 priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
923 priority=100,in_port=2,tcp,ct_state=+trk+rel,action=1
926 dnl Similar policy but without allowing all traffic from ns0->ns1.
dnl flows2: both directions go through ct first; only +new connections from ns0
dnl are committed (with the FTP helper), and from ns1 only a +new+rel connection
dnl (the active-mode data connection) is committed.  Established traffic is
dnl allowed in both directions.
927 AT_DATA([flows2.txt], [dnl
928 priority=1,action=drop
929 priority=10,arp,action=normal
930 priority=10,icmp,action=normal
931 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0)
932 priority=100,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
933 priority=100,in_port=1,tcp,ct_state=+trk+est,action=2
934 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
935 priority=100,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
936 priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
937 priority=100,in_port=2,tcp,ct_state=+trk-new+rel,action=1
940 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
dnl An FTP server runs in both namespaces so that each direction can be tested.
942 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
943 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
945 dnl FTP requests from p1->p0 should fail due to network failure.
946 dnl Try 3 times, in 1 second intervals.
dnl Exit status 4 is wget's network-failure code.  New connections arriving on
dnl port 2 are never committed, so no conntrack entry for 10.1.1.1 is expected.
947 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
948 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.1)], [0], [dnl
951 dnl FTP requests from p0->p1 should work fine.
dnl Only the control connection is committed under flows1 and it carries
dnl helper=ftp.  Entries in a FIN state are filtered out with "grep -v FIN".
952 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
953 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
954 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=1
957 dnl Try the second set of flows.
958 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
961 dnl FTP requests from p1->p0 should fail due to network failure.
962 dnl Try 3 times, in 1 second intervals.
963 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
964 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.1)], [0], [dnl
967 dnl Active FTP requests from p0->p1 should work fine.
dnl With flows2 the server-initiated data connection (src=10.1.1.2) is committed
dnl as well, so two TIME_WAIT entries are expected; only the control connection
dnl carries helper=ftp.
968 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
969 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
970 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=2
971 TIME_WAIT src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1
974 AT_CHECK([conntrack -F 2>/dev/null])
976 dnl Passive FTP requests from p0->p1 should work fine.
dnl Flushed first so that only this transfer's entries are listed.  In passive
dnl mode the client opens the data connection, so both entries have src=10.1.1.1.
977 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
978 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
979 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=2
980 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1
983 OVS_TRAFFIC_VSWITCHD_STOP
986 AT_SETUP([conntrack - FTP with multiple expectations])
dnl Two conntrack zones (zone=1 and zone=2) act as two independent firewalls in
dnl series: every connection is committed in both zones, so the FTP helper must
dnl create an expectation in each zone or the data connection is dropped by the
dnl zone that lacks one.  Hence the four conntrack entries in the checks below.
987 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
989 OVS_TRAFFIC_VSWITCHD_START()
991 ADD_NAMESPACES(at_ns0, at_ns1)
993 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
994 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
996 dnl Dual-firewall, allow all from ns0->ns1, allow established and ftp-related ns1->ns0.
dnl NOTE(review): the in_port=1,ct_zone=2,ct_state=+trk+new rule commits in zone 2
dnl but has no output action, so a packet that is established in zone 1 yet new
dnl in zone 2 is committed and then dropped — confirm this is intended.
997 AT_DATA([flows.txt], [dnl
998 priority=1,action=drop
999 priority=10,arp,action=normal
1000 priority=10,icmp,action=normal
1001 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
1002 priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
1003 priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=0,zone=2)
1004 priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=2)
1005 priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
1006 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
1007 priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
1008 priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=0,zone=1)
1009 priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
1010 priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
1013 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl An FTP server runs in both namespaces so that each direction can be tested.
1015 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
1016 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1018 dnl FTP requests from p1->p0 should fail due to network failure.
1019 dnl Try 3 times, in 1 second intervals.
dnl Exit status 4 is wget's network-failure code.  A new connection from port 2
dnl is neither +rel nor +est in zone 2, so it is dropped and never committed;
dnl no conntrack entry for 10.1.1.1 is expected.
1020 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
1021 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.1)], [0], [dnl
1024 dnl Active FTP requests from p0->p1 should work fine.
dnl Control connection (helper=ftp) and server-initiated data connection
dnl (src=10.1.1.2), each present once per zone.  FIN-state entries are filtered.
1025 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1026 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
1027 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 helper=ftp use=2
1028 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 helper=ftp use=2
1029 TIME_WAIT src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
1030 TIME_WAIT src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
1033 AT_CHECK([conntrack -F 2>/dev/null])
1035 dnl Passive FTP requests from p0->p1 should work fine.
dnl Flushed first so that only this transfer's entries are listed.  In passive
dnl mode the client opens the data connection, so all four entries have
dnl src=10.1.1.1.
1036 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1037 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
1038 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 helper=ftp use=2
1039 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
1040 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 helper=ftp use=2
1041 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
1044 OVS_TRAFFIC_VSWITCHD_STOP
1047 AT_SETUP([conntrack - IPv4 fragmentation ])
dnl ICMP from ns0->ns1 is committed in conntrack zone 9; only established
dnl (+est-new) ICMP is allowed back.  The larger pings are fragmented on the
dnl wire, so the conntrack path must handle fragmented requests and replies.
1049 OVS_TRAFFIC_VSWITCHD_START()
1051 ADD_NAMESPACES(at_ns0, at_ns1)
1053 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1054 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1056 dnl Sending ping through conntrack
1057 AT_DATA([flows.txt], [dnl
1058 priority=1,action=drop
1059 priority=10,arp,action=normal
1060 priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
1061 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1062 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1065 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1067 dnl Basic connectivity check.
1068 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1069 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1072 dnl IPv4 fragmentation connectivity check.
dnl NOTE(review): -s 1600 and -s 3200 are meant to exceed the link MTU; the veth
dnl MTU is not set explicitly here, so this relies on the default — confirm.
1073 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1074 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1077 dnl IPv4 larger fragmentation connectivity check.
1078 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1079 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1082 OVS_TRAFFIC_VSWITCHD_STOP
1085 AT_SETUP([conntrack - IPv4 fragmentation + vlan])
dnl Same policy as the IPv4 fragmentation test, but the pings go between VLAN 100
dnl sub-interfaces (10.2.2.x), so the fragmented packets arrive VLAN-tagged.
1087 OVS_TRAFFIC_VSWITCHD_START()
1089 ADD_NAMESPACES(at_ns0, at_ns1)
1091 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1092 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1093 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
1094 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
1096 dnl Sending ping through conntrack
dnl ICMP from port 1 is committed in zone 9; only +est-new ICMP is allowed back.
1097 AT_DATA([flows.txt], [dnl
1098 priority=1,action=drop
1099 priority=10,arp,action=normal
1100 priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
1101 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1102 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1105 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1107 dnl Basic connectivity check.
1108 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1109 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1112 dnl IPv4 fragmentation connectivity check.
dnl NOTE(review): -s 1600 and -s 3200 are meant to exceed the link MTU; the MTU
dnl is not set explicitly here, so this relies on the default — confirm.
1113 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1114 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1117 dnl IPv4 larger fragmentation connectivity check.
1118 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1119 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1122 OVS_TRAFFIC_VSWITCHD_STOP
1125 AT_SETUP([conntrack - IPv6 fragmentation])
dnl IPv6 counterpart of the IPv4 fragmentation test: IPv6 from ns0->ns1 is
dnl committed in zone 9 and only +est-new traffic is allowed back.  ICMPv6
dnl neighbour solicitation/advertisement (types 135/136) bypass conntrack at
dnl priority 100 so that address resolution works in both directions.
1127 OVS_TRAFFIC_VSWITCHD_START()
1129 ADD_NAMESPACES(at_ns0, at_ns1)
1131 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1132 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1134 dnl Sending ping through conntrack
1135 AT_DATA([flows.txt], [dnl
1136 priority=1,action=drop
1137 priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
1138 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1139 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
1140 priority=100,icmp6,icmp_type=135,action=normal
1141 priority=100,icmp6,icmp_type=136,action=normal
1144 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1146 dnl Without this sleep, we get occasional failures due to the following error:
1147 dnl "connect: Cannot assign requested address"
1150 dnl Basic connectivity check.
1151 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1152 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1155 dnl IPv6 fragmentation connectivity check.
dnl NOTE(review): -s 1600 and -s 3200 are meant to exceed the link MTU; the veth
dnl MTU is not set explicitly here, so this relies on the default — confirm.
1156 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1157 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1160 dnl IPv6 larger fragmentation connectivity check.
1161 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1162 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1165 OVS_TRAFFIC_VSWITCHD_STOP
1168 AT_SETUP([conntrack - IPv6 fragmentation + vlan])
dnl Same policy as the IPv6 fragmentation test, but the pings go between VLAN 100
dnl sub-interfaces (fc00:1::3 / fc00:1::4), so the fragments arrive VLAN-tagged.
dnl ICMPv6 neighbour discovery (types 135/136) still bypasses conntrack.
1170 OVS_TRAFFIC_VSWITCHD_START()
1172 ADD_NAMESPACES(at_ns0, at_ns1)
1174 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1175 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1177 ADD_VLAN(p0, at_ns0, 100, "fc00:1::3/96")
1178 ADD_VLAN(p1, at_ns1, 100, "fc00:1::4/96")
1180 dnl Sending ping through conntrack
1181 AT_DATA([flows.txt], [dnl
1182 priority=1,action=drop
1183 priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
1184 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1185 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
1186 priority=100,icmp6,icmp_type=135,action=normal
1187 priority=100,icmp6,icmp_type=136,action=normal
1190 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1192 dnl Without this sleep, we get occasional failures due to the following error:
1193 dnl "connect: Cannot assign requested address"
1196 dnl Basic connectivity check.
1197 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1198 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1201 dnl IPv6 fragmentation connectivity check.
dnl NOTE(review): -s 1600 and -s 3200 are meant to exceed the link MTU; the MTU
dnl is not set explicitly here, so this relies on the default — confirm.
1202 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1203 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1206 dnl IPv6 larger fragmentation connectivity check.
1207 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1208 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1211 OVS_TRAFFIC_VSWITCHD_STOP
1214 AT_SETUP([conntrack - Fragmentation over vxlan])
dnl Overlay topology: br-underlay (plain NORMAL switching) carries the VXLAN
dnl tunnel between the host (172.31.1.100) and at_ns0 (172.31.1.1).  br0 holds
dnl the OVS vxlan port; 10.1.1.100 is the overlay address on the host side
dnl (presumably br0's LOCAL port, which the flows use as the overlay endpoint)
dnl and the namespace uses a native Linux vxlan device with 10.1.1.1.  Pings over
dnl the overlay are conntracked on br0, with large sizes to force fragmentation.
1215 AT_SKIP_IF([! ip link help 2>&1 | grep vxlan >/dev/null])
1218 OVS_TRAFFIC_VSWITCHD_START()
1219 ADD_BR([br-underlay])
1220 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
1222 ADD_NAMESPACES(at_ns0)
1224 dnl Sending ping through conntrack
dnl ICMP arriving on port 1 is committed in zone 9 and delivered to LOCAL; only
dnl established ICMP from LOCAL is allowed back out.
dnl NOTE(review): in_port=1 is presumably the vxlan port — it is the only port
dnl added to br0 in this test; confirm against ADD_OVS_TUNNEL.
1225 AT_DATA([flows.txt], [dnl
1226 priority=1,action=drop
1227 priority=10,arp,action=normal
1228 priority=100,in_port=1,icmp,action=ct(commit,zone=9),LOCAL
1229 priority=100,in_port=LOCAL,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1230 priority=100,in_port=LOCAL,ct_state=+trk+est,icmp,action=1
1233 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1235 dnl Set up underlay link from host into the namespace using veth pair.
1236 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
1237 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
1238 AT_CHECK([ip link set dev br-underlay up])
1240 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
1241 dnl linux device inside the namespace.
1242 ADD_OVS_TUNNEL([vxlan], [br0], [at_ns0], [172.31.1.1], [10.1.1.100/24])
1243 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
1244 [id 0 dstport 4789])
1246 dnl First, check the underlay
1247 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
1248 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1251 dnl Okay, now check the overlay with different packet sizes
dnl The VXLAN encapsulation adds to the packet size, so the -s 1600 and -s 3200
dnl pings are fragmented on the underlay as well as, potentially, the overlay.
1252 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1253 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1255 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1256 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1258 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1259 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1262 OVS_TRAFFIC_VSWITCHD_STOP
1265 AT_SETUP([conntrack - resubmit to ct multiple times])
dnl Checks that a packet resubmitted into two tables that each call ct(table=3)
dnl is recirculated once per ct() call.  The single echo request is therefore
dnl counted twice in table 3 (n_packets=2, n_bytes=196) and dropped there, so
dnl the ping reports 100% loss.
dnl Secure fail mode: with no controller configured there is no implicit NORMAL
dnl forwarding, so only the flows below determine what happens to the packet.
1268 OVS_TRAFFIC_VSWITCHD_START(
1269 [set-fail-mode br0 secure -- ])
1271 ADD_NAMESPACES(at_ns0, at_ns1)
1273 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1274 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl ARP is switched normally so the ping can resolve 10.1.1.2; the echo request
dnl itself is sent through tables 1 and 2, each of which hands it to conntrack.
1276 AT_DATA([flows.txt], [dnl
1277 table=0,priority=150,arp,action=normal
1278 table=0,priority=100,ip,in_port=1,action=resubmit(,1),resubmit(,2)
1280 table=1,priority=100,ip,action=ct(table=3)
1281 table=2,priority=100,ip,action=ct(table=3)
1283 table=3,ip,action=drop
1286 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1288 NS_CHECK_EXEC([at_ns0], [ping -q -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
1289 1 packets transmitted, 0 received, 100% packet loss, time 0ms
1292 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort], [0], [dnl
1293 n_packets=1, n_bytes=98, priority=100,ip,in_port=1 actions=resubmit(,1),resubmit(,2)
1294 n_packets=2, n_bytes=84, priority=150,arp actions=NORMAL
1295 table=1, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
1296 table=2, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
1297 table=3, n_packets=2, n_bytes=196, ip actions=drop
1301 OVS_TRAFFIC_VSWITCHD_STOP