dnl System traffic tests for the datapath. Every test below starts a vswitchd,
dnl attaches network namespaces to a bridge with veth pairs, drives real
dnl traffic (ping, wget, crafted packet-outs) and compares the observed
dnl result verbatim. The conntrack tests are deny-by-default policies
dnl (priority=1 drop) that open only the stated direction and rely on
dnl ct_state to let replies back.
1 AT_BANNER([datapath-sanity])
dnl Plain L2 forwarding between two namespaces on one bridge. The bridge is
dnl left in standalone fail mode, so the default flow table forwards; no
dnl conntrack is involved.
3 AT_SETUP([datapath - ping between two ports])
4 OVS_TRAFFIC_VSWITCHD_START(
5 [set-fail-mode br0 standalone -- ])
7 ADD_NAMESPACES(at_ns0, at_ns1)
9 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
10 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl FORMAT_PING (defined elsewhere) rewrites ping's summary line so it can be
dnl compared verbatim; note the fixed "time 0ms" in the expected output.
dnl The 1600- and 3200-byte payloads exceed a 1500-byte Ethernet MTU, so the
dnl last two pings presumably exercise IP fragmentation and reassembly across
dnl the bridge — confirm against the datapath behaviour being targeted.
12 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
13 3 packets transmitted, 3 received, 0% packet loss, time 0ms
15 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
16 3 packets transmitted, 3 received, 0% packet loss, time 0ms
18 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
19 3 packets transmitted, 3 received, 0% packet loss, time 0ms
22 OVS_TRAFFIC_VSWITCHD_STOP
dnl Same forwarding check as above, but the 10.2.2.0/24 addresses are placed
dnl on VLAN 100 (ADD_VLAN, presumably a tagged sub-interface of each veth —
dnl see its definition), so the bridge must carry tagged frames unchanged.
25 AT_SETUP([datapath - ping between two ports on vlan])
26 OVS_TRAFFIC_VSWITCHD_START(
27 [set-fail-mode br0 standalone -- ])
29 ADD_NAMESPACES(at_ns0, at_ns1)
31 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
32 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
34 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
35 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
dnl Ping the VLAN addresses, not the untagged ones; larger payloads as in the
dnl untagged test.
37 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
38 3 packets transmitted, 3 received, 0% packet loss, time 0ms
40 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
41 3 packets transmitted, 3 received, 0% packet loss, time 0ms
43 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
44 3 packets transmitted, 3 received, 0% packet loss, time 0ms
47 OVS_TRAFFIC_VSWITCHD_STOP
dnl IPv6 variant of the two-port ping test (ULA prefix fc00::/96).
50 AT_SETUP([datapath - ping6 between two ports])
51 OVS_TRAFFIC_VSWITCHD_START(
52 [set-fail-mode br0 standalone -- ])
54 ADD_NAMESPACES(at_ns0, at_ns1)
56 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
57 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
59 dnl Without this sleep, we get occasional failures due to the following error:
60 dnl "connect: Cannot assign requested address"
dnl NOTE(review): the sleep the comment above refers to is not visible in this
dnl listing (the line is missing between the comment and the first ping);
dnl confirm it is still present. The error is presumably ping6 binding to an
dnl address that is still tentative (duplicate address detection) — confirm.
63 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
64 3 packets transmitted, 3 received, 0% packet loss, time 0ms
66 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
67 3 packets transmitted, 3 received, 0% packet loss, time 0ms
69 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
70 3 packets transmitted, 3 received, 0% packet loss, time 0ms
73 OVS_TRAFFIC_VSWITCHD_STOP
dnl IPv6 over VLAN 100: fc00:1::/96 lives on the VLAN sub-interfaces, fc00::/96
dnl on the untagged veths.
76 AT_SETUP([datapath - ping6 between two ports on vlan])
77 OVS_TRAFFIC_VSWITCHD_START(
78 [set-fail-mode br0 standalone -- ])
80 ADD_NAMESPACES(at_ns0, at_ns1)
82 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
83 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
85 ADD_VLAN(p0, at_ns0, 100, "fc00:1::1/96")
86 ADD_VLAN(p1, at_ns1, 100, "fc00:1::2/96")
88 dnl Without this sleep, we get occasional failures due to the following error:
89 dnl "connect: Cannot assign requested address"
dnl NOTE(review): as in the untagged ping6 test, the sleep itself is not
dnl visible in this listing; confirm it is still present before the pings.
92 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
93 3 packets transmitted, 3 received, 0% packet loss, time 0ms
95 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
96 3 packets transmitted, 3 received, 0% packet loss, time 0ms
98 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
99 3 packets transmitted, 3 received, 0% packet loss, time 0ms
102 OVS_TRAFFIC_VSWITCHD_STOP
dnl VXLAN overlay: OVS terminates the tunnel on the host side (at_vxlan0 on
dnl br0), a native Linux vxlan device terminates it inside at_ns0, and the
dnl separate bridge br-underlay carries the encapsulated packets between the
dnl two endpoints 172.31.1.100 (host) and 172.31.1.1 (namespace).
105 AT_SETUP([datapath - ping over vxlan tunnel])
dnl Skip unless this iproute2 can set a VXLAN destination port ("dstport" in
dnl the vxlan help text); the native device must be pointed at the port the
dnl OVS side uses — see ADD_NATIVE_TUNNEL.
106 AT_SKIP_IF([! ip link add foo type vxlan help 2>&1 | grep dstport >/dev/null])
108 OVS_TRAFFIC_VSWITCHD_START(
109 [set-fail-mode br0 standalone -- ])
110 ADD_BR([br-underlay], [set-fail-mode br-underlay standalone])
111 ADD_NAMESPACES(at_ns0)
113 dnl Set up underlay link from host into the namespace using veth pair.
114 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
115 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
116 AT_CHECK([ip link set dev br-underlay up])
118 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
119 dnl linux device inside the namespace.
dnl Arguments: type, bridge, port name, remote IP, overlay address.
120 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
dnl NOTE(review): the ADD_NATIVE_TUNNEL call continues on a following line
dnl (its trailing options) that is not shown in this listing.
121 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
124 dnl First, check the underlay
125 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
126 3 packets transmitted, 3 received, 0% packet loss, time 0ms
129 dnl Okay, now check the overlay with different packet sizes
dnl The 1600/3200-byte payloads exceed the MTU even before VXLAN encapsulation
dnl adds its own overhead; these presumably exercise fragmentation of the
dnl encapsulated traffic — confirm.
130 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
131 3 packets transmitted, 3 received, 0% packet loss, time 0ms
133 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
134 3 packets transmitted, 3 received, 0% packet loss, time 0ms
136 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
137 3 packets transmitted, 3 received, 0% packet loss, time 0ms
140 OVS_TRAFFIC_VSWITCHD_STOP
dnl Conntrack with packet-in: instead of real traffic, packets are injected
dnl with ovs-ofctl packet-out and the policy's decisions are observed through
dnl the packet-ins logged by ovs-ofctl monitor.
143 AT_SETUP([conntrack - controller])
145 OVS_TRAFFIC_VSWITCHD_START(
146 [set-fail-mode br0 standalone -- ])
148 ADD_NAMESPACES(at_ns0, at_ns1)
150 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
151 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
153 dnl Allow UDP from ns0->ns1: commit it to conntrack and send it to the
dnl controller. From ns1->ns0 only ARP and UDP that conntrack reports as
dnl established (a reply to a committed connection) reach the controller;
dnl everything else falls through to the priority=1 drop.
154 AT_DATA([flows.txt], [dnl
155 priority=1,action=drop
156 priority=10,arp,action=normal
157 priority=100,in_port=1,udp,action=ct(commit),controller
158 priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
159 priority=100,in_port=2,ct_state=+trk+est,udp,action=controller
162 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
dnl Every packet-in from br0 is recorded in ofctl_monitor.log; the expected
dnl log below is the actual assertion of this test.
164 AT_CAPTURE_FILE([ofctl_monitor.log])
165 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
167 dnl Send an unsolicited reply from port 2. This should be dropped.
dnl Nothing has been committed yet, so after ct(table=0) the packet is tracked
dnl but not +est and no port-2 rule matches it.
168 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
170 dnl OK, now start a new connection from port 1.
dnl The packet-out actions mirror the port-1 flow: commit, then controller.
171 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit\),controller '50540000000a50540000000908004500001c00000000001100000a0101010a0101020001000200080000'])
173 dnl Now try a reply from port 2.
dnl Same bytes as the first packet-out; this time a committed entry exists.
174 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
176 dnl Check this output. We only see the latter two packets, not the first.
dnl The second packet-in carries ct_state=est|rpl|trk, i.e. conntrack matched
dnl it as the reply direction of the committed flow.
177 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
178 NXT_PACKET_IN (xid=0x0): total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
179 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
180 NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
181 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
184 OVS_TRAFFIC_VSWITCHD_STOP
dnl Stateful one-way TCP policy over real HTTP traffic: ns0 may open
dnl connections to ns1, ns1 may only answer them.
187 AT_SETUP([conntrack - IPv4 HTTP])
189 OVS_TRAFFIC_VSWITCHD_START(
190 [set-fail-mode br0 standalone -- ])
192 ADD_NAMESPACES(at_ns0, at_ns1)
194 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
195 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
197 dnl Allow any TCP from ns0->ns1 (committed to conntrack). From ns1->ns0 only
dnl tracked packets of an established connection are allowed back. ARP and
dnl ICMP bypass conntrack entirely (priority=10 normal), which is what lets
dnl the ping below succeed in both directions.
198 AT_DATA([flows.txt], [dnl
199 priority=1,action=drop
200 priority=10,arp,action=normal
201 priority=10,icmp,action=normal
202 priority=100,in_port=1,tcp,action=ct(commit),2
203 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
204 priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
207 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
209 dnl Basic connectivity check.
210 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 >/dev/null])
212 dnl HTTP requests from ns0->ns1 should work fine.
dnl test-l7.py is a small HTTP server run in the background inside ns1;
dnl --retry-connrefused covers the window before it is listening.
213 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
214 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl The kernel table must hold exactly this entry: the finished connection in
dnl TIME_WAIT. FORMAT_CT replaces the ephemeral ports with <cleared>; [[...]]
dnl is m4 quoting and yields a single pair of brackets.
216 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
217 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1
220 dnl HTTP requests from ns1->ns0 should fail due to network failure.
221 dnl Try 3 times, in 1 second intervals.
dnl The SYN from ns1 is tracked but is not part of an established connection,
dnl so it hits the drop rule; wget exit status 4 is its "network failure".
222 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
223 NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log], [4])
225 OVS_TRAFFIC_VSWITCHD_STOP
dnl IPv6 version of the one-way HTTP policy (tcp6 / icmp6 matches).
228 AT_SETUP([conntrack - IPv6 HTTP])
230 OVS_TRAFFIC_VSWITCHD_START(
231 [set-fail-mode br0 standalone -- ])
233 ADD_NAMESPACES(at_ns0, at_ns1)
235 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
236 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
238 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl icmp6 is passed unconditionally so neighbour discovery works in both
dnl directions; all other IPv6 from ns1 must be an established reply.
239 AT_DATA([flows.txt], [dnl
240 priority=1,action=drop
241 priority=10,icmp6,action=normal
242 priority=100,in_port=1,tcp6,action=ct(commit),2
243 priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
244 priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
247 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
249 dnl Without this sleep, we get occasional failures due to the following error:
250 dnl "connect: Cannot assign requested address"
dnl NOTE(review): the sleep itself is not visible in this listing; confirm it
dnl is still present before the HTTP checks.
253 dnl HTTP requests from ns0->ns1 should work fine.
dnl "http6" tells test-l7.py to listen on IPv6. The [[...]] around the address
dnl is m4 quoting; wget receives the usual http://[fc00::2] form.
254 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])
256 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
258 dnl HTTP requests from ns1->ns0 should fail due to network failure.
259 dnl Try 3 times, in 1 second intervals.
260 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
261 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
263 OVS_TRAFFIC_VSWITCHD_STOP
dnl Commit + recirculation: ct(...,table=0) sends the packet back through
dnl table 0 with ct_state populated, and the second pass must see the state
dnl the first pass produced.
266 AT_SETUP([conntrack - commit, recirc])
268 OVS_TRAFFIC_VSWITCHD_START(
269 [set-fail-mode br0 standalone -- ])
271 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
273 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
274 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
275 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
276 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
278 dnl Allow any traffic from ns0->ns1, ns2->ns3.
dnl Ports 1/2: one recirculation each (commit on port 1, track on port 2).
dnl Port 3: two recirculations, steered by the metadata field — first pass
dnl sets metadata=0 and tracks, second pass (metadata=0, +trk) sets metadata=1
dnl and commits, third pass (metadata=1) forwards. This only works if
dnl metadata written before ct() is still present after recirculation.
279 AT_DATA([flows.txt], [dnl
280 priority=1,action=drop
281 priority=10,arp,action=normal
282 priority=10,icmp,action=normal
283 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
284 priority=100,in_port=1,tcp,ct_state=+trk,action=2
285 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
286 priority=100,in_port=2,tcp,ct_state=+trk,action=1
287 priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
288 priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
289 priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
290 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
291 priority=100,in_port=4,tcp,ct_state=+trk,action=3
294 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
296 dnl HTTP requests from p0->p1 should work fine.
297 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
298 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
300 dnl HTTP requests from p2->p3 should work fine.
dnl Note both directions on ports 3/4 are forwarded on +trk alone; this test
dnl checks recirculation plumbing, not a one-way policy.
301 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
302 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
304 OVS_TRAFFIC_VSWITCHD_STOP
dnl Same double-recirculation pattern as "commit, recirc", but the pass
dnl counter is kept in reg0 instead of metadata: a register written before
dnl ct() must survive recirculation for the port-3 flows to reach output 4.
307 AT_SETUP([conntrack - preserve registers])
309 OVS_TRAFFIC_VSWITCHD_START(
310 [set-fail-mode br0 standalone -- ])
312 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
314 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
315 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
316 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
317 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
319 dnl Allow any traffic from ns0->ns1, ns2->ns3.
dnl NXM_NX_REG0[[]] is m4 quoting for the whole-register form NXM_NX_REG0[].
320 AT_DATA([flows.txt], [dnl
321 priority=1,action=drop
322 priority=10,arp,action=normal
323 priority=10,icmp,action=normal
324 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
325 priority=100,in_port=1,tcp,ct_state=+trk,action=2
326 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
327 priority=100,in_port=2,tcp,ct_state=+trk,action=1
328 priority=100,in_port=3,tcp,ct_state=-trk,action=load:0->NXM_NX_REG0[[]],ct(table=0)
329 priority=100,in_port=3,tcp,ct_state=+trk,reg0=0,action=load:1->NXM_NX_REG0[[]],ct(commit,table=0)
330 priority=100,in_port=3,tcp,ct_state=+trk,reg0=1,action=4
331 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
332 priority=100,in_port=4,tcp,ct_state=+trk,action=3
335 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
337 dnl HTTP requests from p0->p1 should work fine.
338 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
339 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
341 dnl HTTP requests from p2->p3 should work fine.
342 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
343 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
345 OVS_TRAFFIC_VSWITCHD_STOP
dnl What conntrack does with a reply whose request was never committed:
dnl the reply cannot be associated with a connection, so it is reported as
dnl +inv rather than +new/+est.
348 AT_SETUP([conntrack - invalid])
350 OVS_TRAFFIC_VSWITCHD_START(
351 [set-fail-mode br0 standalone -- ])
353 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
355 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
356 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
357 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
358 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
360 dnl Pass traffic from ns0->ns1 without committing, but attempt to track in
361 dnl the opposite direction. This should fail.
362 dnl Pass traffic from ns2->ns3 without committing, and this time match
363 dnl invalid traffic and allow it through.
dnl ct() with no commit only looks the packet up; port 2 then accepts +new
dnl only, while port 4 additionally accepts +inv. Accepting +inv is what
dnl makes the second pair work here; it is a deliberately permissive rule
dnl for this test, not a pattern a real policy would normally want.
364 AT_DATA([flows.txt], [dnl
365 priority=1,action=drop
366 priority=10,arp,action=normal
367 priority=10,icmp,action=normal
368 priority=100,in_port=1,tcp,action=ct(),2
369 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
370 priority=100,in_port=2,ct_state=+trk+new,tcp,action=1
371 priority=100,in_port=3,tcp,action=ct(),4
372 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
373 priority=100,in_port=4,ct_state=+trk+inv,tcp,action=3
374 priority=100,in_port=4,ct_state=+trk+new,tcp,action=3
377 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
379 dnl We set up our rules to allow the request without committing. The return
380 dnl traffic can't be identified, because the initial request wasn't committed.
381 dnl For the first pair of ports, this means that the connection fails.
dnl wget exit status 4 = network failure (the SYN-ACK never reaches ns0).
382 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
383 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4])
385 dnl For the second pair, we allow packets from invalid connections, so it works.
386 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
387 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
389 OVS_TRAFFIC_VSWITCHD_STOP
dnl Conntrack zones: a connection committed in one zone is invisible when
dnl looked up in another, and ct_zone can be matched after tracking.
392 AT_SETUP([conntrack - zones])
394 OVS_TRAFFIC_VSWITCHD_START(
395 [set-fail-mode br0 standalone -- ])
397 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
399 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
400 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
401 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
402 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
404 dnl Allow any traffic from ns0->ns1. Allow return traffic, matching on zone.
405 dnl For ns2->ns3, use a different zone and see that the match fails.
dnl Port 4 tracks in zone 2 but its forwarding rule requires ct_zone=1, so
dnl replies to ns2 are tracked and then dropped.
406 AT_DATA([flows.txt], [dnl
407 priority=1,action=drop
408 priority=10,arp,action=normal
409 priority=10,icmp,action=normal
410 priority=100,in_port=1,tcp,action=ct(commit,zone=1),2
411 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
412 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
413 priority=100,in_port=3,tcp,action=ct(commit,zone=2),4
414 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0,zone=2)
415 priority=100,in_port=4,ct_state=+trk,ct_zone=1,tcp,action=3
418 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
420 dnl HTTP requests from p0->p1 should work fine.
421 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
422 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl The completed connection must be recorded in zone 1.
424 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
425 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
428 dnl HTTP requests from p2->p3 should fail due to network failure.
429 dnl Try 3 times, in 1 second intervals.
430 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
431 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl Zone 2 saw the SYN and the SYN-ACK (hence SYN_RECV) but the handshake
dnl never completed because the SYN-ACK was dropped by the ct_zone=1 rule.
433 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
434 SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=0 zone=2 use=1
437 OVS_TRAFFIC_VSWITCHD_STOP
dnl Same as "conntrack - zones", but the zone is taken from a register at
dnl commit/lookup time (zone=NXM_NX_REG0[0..15]) rather than a literal.
440 AT_SETUP([conntrack - zones from field])
442 OVS_TRAFFIC_VSWITCHD_START(
443 [set-fail-mode br0 standalone -- ])
445 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
447 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
448 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
449 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
450 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
452 dnl ns0<->ns1 use zone 0x1001, ns2->ns3 commits in zone 0x1002. Port 4
dnl tracks in 0x1002 but its forwarding rule requires ct_zone=0x1001, so
dnl replies to ns2 are dropped. The [[0..15]] is m4 quoting for [0..15].
453 AT_DATA([flows.txt], [dnl
454 priority=1,action=drop
455 priority=10,arp,action=normal
456 priority=10,icmp,action=normal
457 priority=100,in_port=1,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),2
458 priority=100,in_port=2,ct_state=-trk,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
459 priority=100,in_port=2,ct_state=+trk,ct_zone=0x1001,tcp,action=1
460 priority=100,in_port=3,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),4
461 priority=100,in_port=4,ct_state=-trk,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
462 priority=100,in_port=4,ct_state=+trk,ct_zone=0x1001,tcp,action=3
465 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
467 dnl HTTP requests from p0->p1 should work fine.
468 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
469 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl conntrack prints zones in decimal: 4097 == 0x1001.
471 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
472 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=4097 use=1
475 dnl HTTP requests from p2->p3 should fail due to network failure.
476 dnl Try 3 times, in 1 second intervals.
477 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
478 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl 4098 == 0x1002; the handshake stalls at SYN_RECV as in the zones test.
480 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
481 SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=0 zone=4098 use=1
484 OVS_TRAFFIC_VSWITCHD_STOP
dnl Two bridges joined by a patch port pair, each tracking the same
dnl connection in its own zone (br0: zone 1, br1: zone 2).
487 AT_SETUP([conntrack - multiple bridges])
dnl The patch ports are added before the veths, so on each bridge port 1 is
dnl presumably the patch port and port 2 the namespace veth — confirm against
dnl the port numbering OVS_TRAFFIC_VSWITCHD_START/ADD_VETH produce.
489 OVS_TRAFFIC_VSWITCHD_START(
490 [set-fail-mode br0 standalone --\
492 add-port br0 patch+ -- set int patch+ type=patch options:peer=patch- --\
493 add-port br1 patch- -- set int patch- type=patch options:peer=patch+ --])
495 ADD_NAMESPACES(at_ns0, at_ns1)
497 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
498 ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")
500 dnl Allow any traffic from ns0->br1, allow established in reverse.
dnl br0 commits in zone 1 on the way out and only lets +est zone-1 traffic
dnl back in from the patch port.
501 AT_DATA([flows-br0.txt], [dnl
502 priority=1,action=drop
503 priority=10,arp,action=normal
504 priority=10,icmp,action=normal
505 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(commit,zone=1),1
506 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
507 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=1,action=2
510 dnl Allow any traffic from br0->ns1, allow established in reverse.
dnl br1 tracks everything in zone 2: +new from the patch port is committed
dnl and forwarded; the ns1 side may only send +est, which is re-committed.
511 AT_DATA([flows-br1.txt], [dnl
512 priority=1,action=drop
513 priority=10,arp,action=normal
514 priority=10,icmp,action=normal
515 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=2)
516 priority=100,in_port=1,tcp,ct_state=+trk+new,ct_zone=2,action=ct(commit,zone=2),2
517 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=2,action=2
518 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
519 priority=100,in_port=2,tcp,ct_state=+trk+est,ct_zone=2,action=ct(commit,zone=2),1
522 AT_CHECK([ovs-ofctl add-flows br0 flows-br0.txt])
523 AT_CHECK([ovs-ofctl add-flows br1 flows-br1.txt])
525 dnl HTTP requests from p0->p1 should work fine.
526 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
527 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
529 OVS_TRAFFIC_VSWITCHD_STOP
dnl Committing the same packet into two zones in one action list.
532 AT_SETUP([conntrack - multiple zones])
534 OVS_TRAFFIC_VSWITCHD_START(
535 [set-fail-mode br0 standalone -- ])
537 ADD_NAMESPACES(at_ns0, at_ns1)
539 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
540 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
542 dnl Allow any TCP from ns0->ns1, committing it in zone 1 and then zone 2.
dnl Return traffic is tracked only in zone 2 and must be ct_zone=2 to pass,
dnl so zone 1 never sees the reply direction.
543 AT_DATA([flows.txt], [dnl
544 priority=1,action=drop
545 priority=10,arp,action=normal
546 priority=10,icmp,action=normal
547 priority=100,in_port=1,tcp,action=ct(commit,zone=1),ct(commit,zone=2),2
548 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=2)
549 priority=100,in_port=2,ct_state=+trk,ct_zone=2,tcp,action=1
552 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
554 dnl HTTP requests from p0->p1 should work fine.
555 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
556 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
558 dnl (again) HTTP requests from p0->p1 should work fine.
559 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Zone 1 holds an UNREPLIED SYN_SENT entry (it only ever saw the original
dnl direction), zone 2 holds the completed connection in TIME_WAIT.
561 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
562 SYN_SENT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[UNREPLIED]] src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> mark=0 zone=1 use=1
563 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
566 OVS_TRAFFIC_VSWITCHD_STOP
dnl ct_mark: a value stored on the connection at commit time can be matched
dnl on the reply direction, and a different mark does not match.
569 AT_SETUP([conntrack - ct_mark])
571 OVS_TRAFFIC_VSWITCHD_START(
572 [set-fail-mode br0 standalone -- ])
574 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
576 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
577 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
578 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
579 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
581 dnl Allow traffic between ns0<->ns1 using the ct_mark.
582 dnl Check that different marks do not match for traffic between ns2<->ns3.
dnl ns0->ns1 commits with ct_mark=1 and port 2 forwards ct_mark=1 replies;
dnl ns2->ns3 commits with ct_mark=2 but port 4 still requires ct_mark=1.
583 AT_DATA([flows.txt], [dnl
584 priority=1,action=drop
585 priority=10,arp,action=normal
586 priority=10,icmp,action=normal
587 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
588 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
589 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
590 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:2->ct_mark)),4
591 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
592 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
595 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
597 dnl HTTP requests from p0->p1 should work fine.
598 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
599 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Only the TIME_WAIT line is compared here; the entry must carry mark=1.
601 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
602 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=1 use=1
605 dnl HTTP requests from p2->p3 should fail due to network failure.
606 dnl Try 3 times, in 1 second intervals.
607 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
608 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl The connection was committed (mark=2) but stalls at SYN_RECV because the
dnl SYN-ACK is dropped by the ct_mark=1 rule on port 4.
610 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
611 SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=2 use=1
614 OVS_TRAFFIC_VSWITCHD_STOP
dnl Same as "conntrack - ct_mark", but the mark is copied from reg0 with a
dnl move inside ct(exec(...)) instead of being set from a literal.
617 AT_SETUP([conntrack - ct_mark from register])
619 OVS_TRAFFIC_VSWITCHD_START(
620 [set-fail-mode br0 standalone -- ])
622 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
624 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
625 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
626 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
627 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
629 dnl ns0->ns1 loads 1 into reg0 and commits with ct_mark taken from reg0;
dnl ns2->ns3 does the same with 2. Replies are forwarded only with ct_mark=1,
dnl so ns3's replies are dropped. [[...]] is m4 quoting for the field brackets.
630 AT_DATA([flows.txt], [dnl
631 priority=1,action=drop
632 priority=10,arp,action=normal
633 priority=10,icmp,action=normal
634 priority=100,in_port=1,tcp,action=load:1->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),2
635 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
636 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
637 priority=100,in_port=3,tcp,action=load:2->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),4
638 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
639 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
642 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
644 dnl HTTP requests from p0->p1 should work fine.
645 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
646 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
648 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
649 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=1 use=1
652 dnl HTTP requests from p2->p3 should fail due to network failure.
653 dnl Try 3 times, in 1 second intervals.
654 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
655 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl mark=2 confirms the register value reached the connection entry.
657 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
658 SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=2 use=1
661 OVS_TRAFFIC_VSWITCHD_STOP
dnl Related ICMP: an ICMP error generated in response to a committed UDP
dnl flow is reported as +rel and inherits the flow's ct_mark, so it can be
dnl let back through without opening ICMP generally.
664 AT_SETUP([conntrack - ICMP related])
dnl Unlike the other tests this bridge uses fail-mode secure, so nothing is
dnl forwarded except by the flows installed below.
666 OVS_TRAFFIC_VSWITCHD_START(
667 [set-fail-mode br0 secure -- ])
669 ADD_NAMESPACES(at_ns0, at_ns1)
671 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
672 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
674 dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
dnl There is no general icmp rule here: ICMP from port 2 must be tracked and
dnl be +rel with ct_mark=1 (the mark set when the UDP flow was committed).
675 AT_DATA([flows.txt], [dnl
676 priority=1,action=drop
677 priority=10,arp,action=normal
678 priority=100,in_port=1,udp,action=ct(commit,exec(set_field:1->ct_mark)),2
679 priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
680 priority=100,in_port=2,icmp,ct_state=+trk+rel,ct_mark=1,action=1
683 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
685 dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
686 dnl We pass "-q 1" here to handle openbsd-style nc that can't quit immediately.
dnl Nothing listens on 10.1.1.2:10000, so ns1's kernel answers with an ICMP
dnl port-unreachable error that conntrack ties to the committed UDP flow.
687 NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc -q 1 -u 10.1.1.2 10000"])
dnl Flush datapath flows so the OpenFlow counters below are up to date, then
dnl check them: one UDP packet out, one related ICMP packet back, and the ARP
dnl exchange. The drop rule is excluded by grep; ofctl_strip removes
dnl per-run fields so the output can be compared verbatim.
689 AT_CHECK([ovs-appctl revalidator/purge], [0])
690 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
691 n_packets=1, n_bytes=44, priority=100,udp,in_port=1 actions=ct(commit,exec(load:0x1->NXM_NX_CT_MARK[[]])),output:2
692 n_packets=1, n_bytes=72, priority=100,ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2 actions=output:1
693 n_packets=1, n_bytes=72, priority=100,ct_state=-trk,icmp,in_port=2 actions=ct(table=0)
694 n_packets=2, n_bytes=84, priority=10,arp actions=NORMAL
698 OVS_TRAFFIC_VSWITCHD_STOP
dnl Related ICMP, driven by packet-out instead of real traffic: an ICMP
dnl error that quotes no committed flow is dropped, one that quotes the
dnl committed UDP packet is reported as rel|rpl and reaches the controller.
701 AT_SETUP([conntrack - ICMP related 2])
703 OVS_TRAFFIC_VSWITCHD_START(
704 [set-fail-mode br0 standalone -- ])
706 ADD_NAMESPACES(at_ns0, at_ns1)
708 ADD_VETH(p0, at_ns0, br0, "172.16.0.1/24")
709 ADD_VETH(p1, at_ns1, br0, "172.16.0.2/24")
711 dnl Port 1: commit UDP, recirculate, then hand every tracked packet to the
dnl controller. Port 2: track everything, but only +rel+rpl (an ICMP error
dnl about a committed flow, seen in the reply direction) goes to the
dnl controller; anything else falls through to the priority=1 drop.
712 AT_DATA([flows.txt], [dnl
713 priority=1,action=drop
714 priority=10,arp,action=normal
715 priority=100,in_port=1,ct_state=-trk,udp,action=ct(commit,table=0)
716 priority=100,in_port=1,ct_state=+trk,actions=controller
717 priority=100,in_port=2,ct_state=-trk,action=ct(table=0)
718 priority=100,in_port=2,ct_state=+trk+rel+rpl,action=controller
721 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
dnl Packet-ins are logged to ofctl_monitor.log and compared at the end.
723 AT_CAPTURE_FILE([ofctl_monitor.log])
724 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
726 dnl 1. Send an ICMP port unreach reply for port 8738, without any previous request
dnl Expected to be dropped: no committed flow matches the quoted UDP header.
727 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f355ac100004ac1000030303553f0000000045000021317040004011b138ac100003ac10000411112222000d20966369616f0a'])
729 dnl 2. Send a UDP packet to port 5555
dnl Committed on the way through; it shows up at the controller as new|trk.
730 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit,table=0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
732 dnl 3. Send an ICMP port unreach reply for port 5555, related to the UDP packet from step 2
733 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
735 dnl Check this output. We only see the latter two packets, not the first.
dnl The ICMP packet-in carries ct_state=rel|rpl|trk and icmp_type=3/code=3
dnl (port unreachable); the unsolicited error from step 1 never appears.
736 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
737 NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=47 ct_state=new|trk,in_port=1 (via action) data_len=47 (unbuffered)
738 udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096
739 NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=75 ct_state=rel|rpl|trk,in_port=2 (via action) data_len=75 (unbuffered)
740 icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f
743 OVS_TRAFFIC_VSWITCHD_STOP