1 AT_BANNER([datapath-sanity])
dnl Plain forwarding check: two namespaces on one bridge with no flows
dnl installed, so standalone fail mode leaves br0 acting as an ordinary switch.
3 AT_SETUP([datapath - ping between two ports])
4 OVS_TRAFFIC_VSWITCHD_START(
5 [set-fail-mode br0 standalone -- ])
7 ADD_NAMESPACES(at_ns0, at_ns1)
9 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
10 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Three payload sizes. FORMAT_PING (defined elsewhere) appears to normalise
dnl the summary line so timing does not matter. The 1600- and 3200-byte
dnl payloads are larger than a typical Ethernet MTU, so presumably they also
dnl exercise fragmented IP through the datapath - confirm.
12 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
13 3 packets transmitted, 3 received, 0% packet loss, time 0ms
15 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
16 3 packets transmitted, 3 received, 0% packet loss, time 0ms
18 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
19 3 packets transmitted, 3 received, 0% packet loss, time 0ms
22 OVS_TRAFFIC_VSWITCHD_STOP
15 AT_SETUP([datapath - ping between two ports on vlan])
dnl Same as the test above, but the pings use VLAN 100 sub-interfaces on a
dnl second subnet (10.2.2.0/24), so tagged frames must cross br0 intact.
16 OVS_TRAFFIC_VSWITCHD_START(
17 [set-fail-mode br0 standalone -- ])
18 ADD_NAMESPACES(at_ns0, at_ns1)
19 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
20 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
21 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
22 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
dnl Default, 1600- and 3200-byte payloads against the VLAN address.
23 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
24 3 packets transmitted, 3 received, 0% packet loss, time 0ms
25 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
26 3 packets transmitted, 3 received, 0% packet loss, time 0ms
27 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
28 3 packets transmitted, 3 received, 0% packet loss, time 0ms
29 OVS_TRAFFIC_VSWITCHD_STOP
30 AT_SETUP([datapath - ping6 between two ports])
dnl IPv6 variant of the first test, using fc00::/96 addresses.
31 OVS_TRAFFIC_VSWITCHD_START(
32 [set-fail-mode br0 standalone -- ])
33 ADD_NAMESPACES(at_ns0, at_ns1)
34 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
35 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
36 dnl Without this sleep, we get occasional failures due to the following error:
37 dnl "connect: Cannot assign requested address"
dnl NOTE(review): the sleep these two lines refer to is not visible in this
dnl listing; confirm it is still present before the first ping6.
38 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
39 3 packets transmitted, 3 received, 0% packet loss, time 0ms
40 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
41 3 packets transmitted, 3 received, 0% packet loss, time 0ms
42 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
43 3 packets transmitted, 3 received, 0% packet loss, time 0ms
44 OVS_TRAFFIC_VSWITCHD_STOP
45 AT_SETUP([datapath - ping6 between two ports on vlan])
dnl IPv6 over VLAN 100: the pings target the fc00:1::/96 VLAN addresses.
46 OVS_TRAFFIC_VSWITCHD_START(
47 [set-fail-mode br0 standalone -- ])
48 ADD_NAMESPACES(at_ns0, at_ns1)
49 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
50 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
51 ADD_VLAN(p0, at_ns0, 100, "fc00:1::1/96")
52 ADD_VLAN(p1, at_ns1, 100, "fc00:1::2/96")
53 dnl Without this sleep, we get occasional failures due to the following error:
54 dnl "connect: Cannot assign requested address"
dnl NOTE(review): the sleep these two lines refer to is not visible in this
dnl listing; confirm it is still present before the first ping6.
55 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
56 3 packets transmitted, 3 received, 0% packet loss, time 0ms
57 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
58 3 packets transmitted, 3 received, 0% packet loss, time 0ms
59 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
60 3 packets transmitted, 3 received, 0% packet loss, time 0ms
61 OVS_TRAFFIC_VSWITCHD_STOP
62 AT_SETUP([datapath - ping over vxlan tunnel])
dnl Skip unless this iproute2 can set a VXLAN destination port (the help text
dnl must mention dstport); otherwise the native tunnel below cannot be built.
63 AT_SKIP_IF([! ip link add foo type vxlan help 2>&1 | grep dstport >/dev/null])
dnl Two bridges: br0 carries the overlay (10.1.1.0/24), br-underlay carries
dnl the encapsulated traffic (172.31.1.0/24) between the host and at_ns0.
64 OVS_TRAFFIC_VSWITCHD_START(
65 [set-fail-mode br0 standalone -- ])
66 ADD_BR([br-underlay], [set-fail-mode br-underlay standalone])
67 ADD_NAMESPACES(at_ns0)
68 dnl Set up underlay link from host into the namespace using veth pair.
69 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
70 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
71 AT_CHECK([ip link set dev br-underlay up])
72 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
73 dnl linux device inside the namespace.
dnl Each endpoint names the other side's underlay address as its remote:
dnl the OVS port points at 172.31.1.1 (namespace), the native device at
dnl 172.31.1.100 (br-underlay).
74 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
dnl NOTE(review): the remaining ADD_NATIVE_TUNNEL arguments are not visible
dnl in this listing.
75 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
76 dnl First, check the underlay
77 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
78 3 packets transmitted, 3 received, 0% packet loss, time 0ms
79 dnl Okay, now check the overlay with different packet sizes
80 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
81 3 packets transmitted, 3 received, 0% packet loss, time 0ms
82 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
83 3 packets transmitted, 3 received, 0% packet loss, time 0ms
84 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
85 3 packets transmitted, 3 received, 0% packet loss, time 0ms
86 OVS_TRAFFIC_VSWITCHD_STOP
87 AT_SETUP([conntrack - controller])
dnl Exercises ct(commit) and ct_state matching with synthetic packets injected
dnl via packet-out, and checks what reaches the controller through a monitor.
88 OVS_TRAFFIC_VSWITCHD_START(
89 [set-fail-mode br0 standalone -- ])
90 ADD_NAMESPACES(at_ns0, at_ns1)
91 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
92 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
93 dnl Default-deny ruleset: only ARP is switched normally. UDP entering on
dnl port 1 is committed to conntrack and punted to the controller. UDP from
dnl port 2 is run through conntrack first and punted only once it is
dnl established, i.e. only replies to something port 1 already committed.
94 AT_DATA([flows.txt], [dnl
95 priority=1,action=drop
96 priority=10,arp,action=normal
97 priority=100,in_port=1,udp,action=ct(commit),controller
98 priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
99 priority=100,in_port=2,ct_state=+trk+est,udp,action=controller
100 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
101 AT_CAPTURE_FILE([ofctl_monitor.log])
dnl Everything the switch sends to its controller is recorded in
dnl ofctl_monitor.log; the final AT_CHECK compares that log verbatim.
102 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
dnl The hex blobs are hand-built Ethernet/IPv4/UDP frames between 10.1.1.1
dnl and 10.1.1.2 (decoded in the expected packet-ins below). The first one,
dnl injected on port 2 before anything is committed, recirculates as a new
dnl rather than established connection and falls through to the drop.
103 dnl Send an unsolicited reply from port 2. This should be dropped.
104 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
105 dnl OK, now start a new connection from port 1.
106 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit\),controller '50540000000a50540000000908004500001c00000000001100000a0101010a0101020001000200080000'])
107 dnl Now try a reply from port 2.
108 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
109 dnl Check this output. We only see the latter two packets, not the first.
dnl The second packet-in carries ct_state=est|rpl|trk: the reply was matched
dnl against the entry committed by the port-1 packet.
110 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
111 NXT_PACKET_IN (xid=0x0): total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
112 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
113 NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
114 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
115 OVS_TRAFFIC_VSWITCHD_STOP
116 AT_SETUP([conntrack - IPv4 HTTP])
dnl Stateful firewall check with a real TCP session: a connection initiated
dnl from ns0 succeeds, the same request from ns1 is refused by the flows
dnl (not by the server).
117 OVS_TRAFFIC_VSWITCHD_START(
118 [set-fail-mode br0 standalone -- ])
119 ADD_NAMESPACES(at_ns0, at_ns1)
120 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
121 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
122 dnl Allow any TCP from ns0->ns1. Only allow ARP, ICMP and established return
dnl traffic from ns1->ns0. ICMP is switched normally, bypassing conntrack,
dnl which is what lets the connectivity ping below succeed.
123 AT_DATA([flows.txt], [dnl
124 priority=1,action=drop
125 priority=10,arp,action=normal
126 priority=10,icmp,action=normal
127 priority=100,in_port=1,tcp,action=ct(commit),2
128 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
129 priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
130 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
131 dnl Basic connectivity check.
132 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 >/dev/null])
133 dnl HTTP requests from ns0->ns1 should work fine.
dnl test-l7.py (not shown here) is presumably a small HTTP server; wget is
dnl told to retry refused connections so it does not race the daemon start.
134 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
135 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl FORMAT_CT (defined elsewhere) masks the ephemeral ports. The entry is
dnl expected in TIME_WAIT and ASSURED, i.e. a fully completed session.
136 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
137 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1
138 dnl HTTP requests from ns1->ns0 should fail due to network failure.
139 dnl Try 3 times, in 1 second intervals.
dnl The SYN from ns1 enters on port 2 untracked, recirculates as new rather
dnl than established, and hits the priority=1 drop; 4 is wget's exit status
dnl for a network failure.
140 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
141 NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log], [4])
142 OVS_TRAFFIC_VSWITCHD_STOP
143 AT_SETUP([conntrack - IPv6 HTTP])
dnl IPv6 variant of the test above: icmp6 is switched normally so neighbour
dnl discovery works, and tcp6 is the tracked protocol.
144 OVS_TRAFFIC_VSWITCHD_START(
145 [set-fail-mode br0 standalone -- ])
146 ADD_NAMESPACES(at_ns0, at_ns1)
147 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
148 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
149 dnl Allow any TCP from ns0->ns1. Only allow nd (icmp6) and established
dnl return traffic from ns1->ns0.
150 AT_DATA([flows.txt], [dnl
151 priority=1,action=drop
152 priority=10,icmp6,action=normal
153 priority=100,in_port=1,tcp6,action=ct(commit),2
154 priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
155 priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
156 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
157 dnl Without this sleep, we get occasional failures due to the following error:
158 dnl "connect: Cannot assign requested address"
dnl NOTE(review): the sleep these two lines refer to is not visible in this
dnl listing; confirm it is still present before the HTTP server is started.
159 dnl HTTP requests from ns0->ns1 should work fine.
dnl The doubled brackets are m4 quoting; wget sees the literal URL
dnl http://[fc00::2].
160 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])
161 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
162 dnl HTTP requests from ns1->ns0 should fail due to network failure.
163 dnl Try 3 times, in 1 second intervals.
164 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
165 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
166 OVS_TRAFFIC_VSWITCHD_STOP
167 AT_SETUP([conntrack - commit, recirc])
dnl Checks that ct(...,table=0) recirculates correctly and that one packet can
dnl be sent through ct() twice. Ports 1/2 commit on the first pass. Port 3
dnl does a lookup first (metadata=0), then commits on the second pass
dnl (metadata=1) before forwarding. The return side matches only +trk, not
dnl +est, so this test is about recirculation rather than directional policy.
168 OVS_TRAFFIC_VSWITCHD_START(
169 [set-fail-mode br0 standalone -- ])
170 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
171 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
172 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
173 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
174 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
175 dnl Allow any traffic from ns0->ns1, ns2->ns3.
176 AT_DATA([flows.txt], [dnl
177 priority=1,action=drop
178 priority=10,arp,action=normal
179 priority=10,icmp,action=normal
180 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
181 priority=100,in_port=1,tcp,ct_state=+trk,action=2
182 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
183 priority=100,in_port=2,tcp,ct_state=+trk,action=1
184 priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
185 priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
186 priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
187 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
188 priority=100,in_port=4,tcp,ct_state=+trk,action=3
189 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
190 dnl HTTP requests from p0->p1 should work fine.
191 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
192 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
193 dnl HTTP requests from p2->p3 should work fine.
194 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
195 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
196 OVS_TRAFFIC_VSWITCHD_STOP
197 AT_SETUP([conntrack - preserve registers])
dnl Same pipeline as the previous test, but the pass counter for port 3 is
dnl kept in NXM_NX_REG0 instead of metadata: the value loaded before
dnl ct(table=0) must survive recirculation for the reg0=0 / reg0=1 rules to
dnl fire in sequence.
198 OVS_TRAFFIC_VSWITCHD_START(
199 [set-fail-mode br0 standalone -- ])
200 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
201 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
202 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
203 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
204 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
205 dnl Allow any traffic from ns0->ns1, ns2->ns3.
206 AT_DATA([flows.txt], [dnl
207 priority=1,action=drop
208 priority=10,arp,action=normal
209 priority=10,icmp,action=normal
210 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
211 priority=100,in_port=1,tcp,ct_state=+trk,action=2
212 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
213 priority=100,in_port=2,tcp,ct_state=+trk,action=1
214 priority=100,in_port=3,tcp,ct_state=-trk,action=load:0->NXM_NX_REG0[[]],ct(table=0)
215 priority=100,in_port=3,tcp,ct_state=+trk,reg0=0,action=load:1->NXM_NX_REG0[[]],ct(commit,table=0)
216 priority=100,in_port=3,tcp,ct_state=+trk,reg0=1,action=4
217 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
218 priority=100,in_port=4,tcp,ct_state=+trk,action=3
219 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
220 dnl HTTP requests from p0->p1 should work fine.
221 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
222 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
223 dnl HTTP requests from p2->p3 should work fine.
224 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
225 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
226 OVS_TRAFFIC_VSWITCHD_STOP
227 AT_SETUP([conntrack - invalid])
dnl Shows how replies to a connection that was never committed are classified.
228 OVS_TRAFFIC_VSWITCHD_START(
229 [set-fail-mode br0 standalone -- ])
230 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
231 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
232 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
233 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
234 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
235 dnl Pass traffic from ns0->ns1 without committing, but attempt to track in
236 dnl the opposite direction. This should fail.
237 dnl Pass traffic from ns2->ns3 without committing, and this time match
238 dnl invalid traffic and allow it through.
dnl Such replies are not +new (port 2 allows +trk+new and still fails) but
dnl +inv. Matching +inv, as port 4 does, passes packets conntrack cannot tie
dnl to any connection and so gives up the stateful guarantee; it is used here
dnl only to demonstrate the classification.
239 AT_DATA([flows.txt], [dnl
240 priority=1,action=drop
241 priority=10,arp,action=normal
242 priority=10,icmp,action=normal
243 priority=100,in_port=1,tcp,action=ct(),2
244 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
245 priority=100,in_port=2,ct_state=+trk+new,tcp,action=1
246 priority=100,in_port=3,tcp,action=ct(),4
247 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
248 priority=100,in_port=4,ct_state=+trk+inv,tcp,action=3
249 priority=100,in_port=4,ct_state=+trk+new,tcp,action=3
250 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
251 dnl We set up our rules to allow the request without committing. The return
252 dnl traffic can't be identified, because the initial request wasn't committed.
253 dnl For the first pair of ports, this means that the connection fails.
254 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
255 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4])
256 dnl For the second pair, we allow packets from invalid connections, so it works.
257 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
258 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
259 OVS_TRAFFIC_VSWITCHD_STOP
260 AT_SETUP([conntrack - zones])
dnl Same shape as the IPv4 HTTP test, but every ct() names a zone and the
dnl return-side rule also matches ct_zone.
261 OVS_TRAFFIC_VSWITCHD_START(
262 [set-fail-mode br0 standalone -- ])
263 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
264 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
265 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
266 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
267 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
268 dnl Allow any traffic from ns0->ns1. Allow return traffic, matching on zone.
269 dnl For ns2->ns3, use a different zone and see that the match fails.
dnl Port 4 looks the reply up in zone 2 but then requires ct_zone=1, so the
dnl reply never matches and the ns2->ns3 connection is expected to fail.
270 AT_DATA([flows.txt], [dnl
271 priority=1,action=drop
272 priority=10,arp,action=normal
273 priority=10,icmp,action=normal
274 priority=100,in_port=1,tcp,action=ct(commit,zone=1),2
275 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
276 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
277 priority=100,in_port=3,tcp,action=ct(commit,zone=2),4
278 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0,zone=2)
279 priority=100,in_port=4,ct_state=+trk,ct_zone=1,tcp,action=3
280 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
281 dnl HTTP requests from p0->p1 should work fine.
282 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
283 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Completed session in zone 1.
284 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
285 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
286 dnl HTTP requests from p2->p3 should fail due to network failure.
287 dnl Try 3 times, in 1 second intervals.
288 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
289 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl The zone 2 entry is left in SYN_RECV: presumably conntrack observed the
dnl SYN-ACK during the zone 2 lookup on port 4 before the flow dropped it.
290 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
291 SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=0 zone=2 use=1
292 OVS_TRAFFIC_VSWITCHD_STOP
293 AT_SETUP([conntrack - zones from field])
294 OVS_TRAFFIC_VSWITCHD_START(
295 [set-fail-mode br0 standalone -- ])
296 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
297 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
298 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
299 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
300 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
301 dnl As the zones test, but the zone is taken from bits 0..15 of NXM_NX_REG0
dnl rather than given as a literal: 0x1001 for ns0<->ns1, 0x1002 for
dnl ns2<->ns3. Port 4 again requires ct_zone=0x1001 after a zone 0x1002
dnl lookup, so the second connection is expected to fail.
302 AT_DATA([flows.txt], [dnl
303 priority=1,action=drop
304 priority=10,arp,action=normal
305 priority=10,icmp,action=normal
306 priority=100,in_port=1,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),2
307 priority=100,in_port=2,ct_state=-trk,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
308 priority=100,in_port=2,ct_state=+trk,ct_zone=0x1001,tcp,action=1
309 priority=100,in_port=3,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),4
310 priority=100,in_port=4,ct_state=-trk,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
311 priority=100,in_port=4,ct_state=+trk,ct_zone=0x1001,tcp,action=3
312 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
313 dnl HTTP requests from p0->p1 should work fine.
314 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
315 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl conntrack -L prints the zone in decimal: 4097 is 0x1001.
316 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
317 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=4097 use=1
318 dnl HTTP requests from p2->p3 should fail due to network failure.
319 dnl Try 3 times, in 1 second intervals.
320 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
321 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl 4098 is 0x1002; the handshake never completes because the reply is dropped.
322 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
323 SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=0 zone=4098 use=1
324 OVS_TRAFFIC_VSWITCHD_STOP
325 AT_SETUP([conntrack - multiple bridges])
dnl Two bridges joined by a patch-port pair, each applying its own conntrack
dnl zone (1 on br0, 2 on br1) to the same TCP session.
dnl NOTE(review): br1 is used below but its creation is not visible in this
dnl listing; part of the OVS_TRAFFIC_VSWITCHD_START arguments appears to be
dnl missing here.
326 OVS_TRAFFIC_VSWITCHD_START(
327 [set-fail-mode br0 standalone --\
328 add-port br0 patch+ -- set int patch+ type=patch options:peer=patch- --\
329 add-port br1 patch- -- set int patch- type=patch options:peer=patch+ --])
330 ADD_NAMESPACES(at_ns0, at_ns1)
dnl The patch ports are added before the veths, so presumably the patch port
dnl is OpenFlow port 1 and the veth port 2 on each bridge; the flows below
dnl only make sense with that numbering. Confirm with ovs-ofctl show.
331 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
332 ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")
333 dnl Allow any traffic from ns0->br1, allow established in reverse.
334 AT_DATA([flows-br0.txt], [dnl
335 priority=1,action=drop
336 priority=10,arp,action=normal
337 priority=10,icmp,action=normal
338 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(commit,zone=1),1
339 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
340 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=1,action=2
341 dnl Allow any traffic from br0->ns1, allow established in reverse.
dnl On br1 a new connection arriving over the patch port is committed into
dnl zone 2 on its first recirculated pass; replies from ns1 are re-committed
dnl only once established.
342 AT_DATA([flows-br1.txt], [dnl
343 priority=1,action=drop
344 priority=10,arp,action=normal
345 priority=10,icmp,action=normal
346 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=2)
347 priority=100,in_port=1,tcp,ct_state=+trk+new,ct_zone=2,action=ct(commit,zone=2),2
348 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=2,action=2
349 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
350 priority=100,in_port=2,tcp,ct_state=+trk+est,ct_zone=2,action=ct(commit,zone=2),1
351 AT_CHECK([ovs-ofctl add-flows br0 flows-br0.txt])
352 AT_CHECK([ovs-ofctl add-flows br1 flows-br1.txt])
353 dnl HTTP requests from p0->p1 should work fine.
354 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
355 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
356 OVS_TRAFFIC_VSWITCHD_STOP
357 AT_SETUP([conntrack - multiple zones])
358 OVS_TRAFFIC_VSWITCHD_START(
359 [set-fail-mode br0 standalone -- ])
360 ADD_NAMESPACES(at_ns0, at_ns1)
361 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
362 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
363 dnl Commit the ns0->ns1 connection into both zone 1 and zone 2, but run the
dnl return traffic through zone 2 only and match on ct_zone=2.
364 AT_DATA([flows.txt], [dnl
365 priority=1,action=drop
366 priority=10,arp,action=normal
367 priority=10,icmp,action=normal
368 priority=100,in_port=1,tcp,action=ct(commit,zone=1),ct(commit,zone=2),2
369 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=2)
370 priority=100,in_port=2,ct_state=+trk,ct_zone=2,tcp,action=1
371 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
372 dnl HTTP requests from p0->p1 should work fine.
373 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
374 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
375 dnl (again) HTTP requests from p0->p1 should work fine.
376 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Two entries for the same session: zone 1 never sees the replies, so it
dnl stays SYN_SENT / UNREPLIED, while zone 2 completes to TIME_WAIT.
377 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
378 SYN_SENT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[UNREPLIED]] src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> mark=0 zone=1 use=1
379 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
380 OVS_TRAFFIC_VSWITCHD_STOP
381 AT_SETUP([conntrack - multiple zones, local])
dnl Traffic originates from the host stack (br0 itself gets an address)
dnl instead of a namespace, and fail mode is secure, so nothing is forwarded
dnl except by the flows below. on_exit removes the address after the test.
382 OVS_TRAFFIC_VSWITCHD_START(
383 [set-fail-mode br0 secure -- ])
384 ADD_NAMESPACES(at_ns0)
385 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
386 AT_CHECK([ip link set dev br0 up])
387 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
388 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
389 dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
390 dnl return traffic from ns0 back to the local stack.
dnl Ingress from p0 is checked against zone 1 in table 1 and zone 2 in
dnl table 2; both must report established before the packet reaches LOCAL.
391 AT_DATA([flows.txt], [dnl
392 priority=1,action=drop
393 priority=10,arp,action=normal
dnl NOTE(review): untracked (-trk) IP from LOCAL is dropped outright rather
dnl than sent through ct(); for the ping and wget below to pass, packets from
dnl the local stack must therefore already carry conntrack state when they
dnl reach br0. Confirm this holds on the kernel under test.
394 priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
395 priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
396 priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
397 priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
398 table=1,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
399 table=2,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
400 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
dnl The ping runs in the root namespace, so its ICMP also goes through ct().
401 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
402 3 packets transmitted, 3 received, 0% packet loss, time 0ms
403 dnl HTTP requests from root namespace to p0 should work fine.
404 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
405 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
406 dnl (again) HTTP requests from root namespace to p0 should work fine.
407 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Both the TCP session and the ping's echo request/reply are expected once
dnl per zone; grep "zone" keeps only zone-tagged entries.
408 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
409 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
410 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
411 src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id=<cleared> src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id=<cleared> mark=0 zone=1 use=1
412 src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id=<cleared> src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id=<cleared> mark=0 zone=2 use=1
413 OVS_TRAFFIC_VSWITCHD_STOP
414 AT_SETUP([conntrack - multi-stage pipeline, local])
dnl Multi-table pipeline between the host stack and ns0: table 0 records the
dnl egress port in REG0, table 1 tracks in a zone named after the ingress
dnl port, table 2 tracks in a zone named after the egress port, table 3 is
dnl the egress-side established check and table 4 outputs.
415 OVS_TRAFFIC_VSWITCHD_START(
416 [set-fail-mode br0 secure -- ])
417 ADD_NAMESPACES(at_ns0)
418 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
419 AT_CHECK([ip link set dev br0 up])
420 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
421 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
422 dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
423 dnl return traffic from ns0 back to the local stack.
424 AT_DATA([flows.txt], [dnl
425 table=0,priority=1,action=drop
426 table=0,priority=10,arp,action=normal
427 dnl Load the output port to REG0
dnl 65534 is the OpenFlow LOCAL port number, so zone numbers below equal port
dnl numbers: 1 for the p0 side, 65534 for the host side.
428 table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
429 table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1
430 dnl - Allow all connections from LOCAL port (commit and proceed to egress)
431 dnl - All other connections go through conntracker using the input port as
432 dnl a connection tracking zone.
433 table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2
434 table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
435 table=1,priority=1,action=drop
436 dnl - Allow all connections from LOCAL port (commit and skip to output)
437 dnl - Allow other established connections to go through conntracker using
438 dnl output port as a connection tracking zone.
439 table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4
440 table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
441 table=2,priority=1,action=drop
442 dnl Only allow established traffic from egress ct lookup
443 table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
444 table=3,priority=1,action=drop
dnl Output to whichever port table 0 stored in REG0.
445 table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
446 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
447 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
448 3 packets transmitted, 3 received, 0% packet loss, time 0ms
449 dnl HTTP requests from root namespace to p0 should work fine.
450 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
451 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
452 dnl (again) HTTP requests from root namespace to p0 should work fine.
453 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Each session appears once in zone 1 and once in zone 65534.
454 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
455 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
456 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=65534 use=1
457 src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id=<cleared> src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id=<cleared> mark=0 zone=1 use=1
458 src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id=<cleared> src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id=<cleared> mark=0 zone=65534 use=1
459 OVS_TRAFFIC_VSWITCHD_STOP
460 AT_SETUP([conntrack - ct_mark])
dnl The mark is written on commit with ct(commit,exec(set_field:...->ct_mark))
dnl and matched as ct_mark on the return side.
461 OVS_TRAFFIC_VSWITCHD_START(
462 [set-fail-mode br0 standalone -- ])
463 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
464 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
465 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
466 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
467 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
468 dnl Allow traffic between ns0<->ns1 using the ct_mark.
469 dnl Check that different marks do not match for traffic between ns2<->ns3.
dnl Port 3 commits with mark 2 but port 4 requires ct_mark=1, so the reply
dnl falls through to the drop.
470 AT_DATA([flows.txt], [dnl
471 priority=1,action=drop
472 priority=10,arp,action=normal
473 priority=10,icmp,action=normal
474 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
475 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
476 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
477 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:2->ct_mark)),4
478 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
479 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
480 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
481 dnl HTTP requests from p0->p1 should work fine.
482 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
483 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl grep TIME keeps only the TIME_WAIT line; it should carry mark=1.
484 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
485 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=1 use=1
486 dnl HTTP requests from p2->p3 should fail due to network failure.
487 dnl Try 3 times, in 1 second intervals.
488 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
489 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl The committed entry carries mark=2 and never gets past SYN_RECV.
490 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
491 SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=2 use=1
492 OVS_TRAFFIC_VSWITCHD_STOP
493 AT_SETUP([conntrack - ct_mark from register])
494 OVS_TRAFFIC_VSWITCHD_START(
495 [set-fail-mode br0 standalone -- ])
496 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
497 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
498 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
499 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
500 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
501 dnl Same as the ct_mark test, but the mark value is first loaded into
dnl NXM_NX_REG0 and then moved into NXM_NX_CT_MARK inside
dnl ct(commit,exec(...)). Port 4 again requires ct_mark=1 after port 3
dnl committed mark 2, so the ns2->ns3 connection is expected to fail.
502 AT_DATA([flows.txt], [dnl
503 priority=1,action=drop
504 priority=10,arp,action=normal
505 priority=10,icmp,action=normal
506 priority=100,in_port=1,tcp,action=load:1->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),2
507 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
508 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
509 priority=100,in_port=3,tcp,action=load:2->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),4
510 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
511 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
512 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
513 dnl HTTP requests from p0->p1 should work fine.
514 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
515 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl grep TIME keeps only the TIME_WAIT line; it should carry mark=1.
516 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
517 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=1 use=1
518 dnl HTTP requests from p2->p3 should fail due to network failure.
519 dnl Try 3 times, in 1 second intervals.
520 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
521 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl The committed entry carries mark=2 and never gets past SYN_RECV.
522 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
523 SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=2 use=1
524 OVS_TRAFFIC_VSWITCHD_STOP
782 AT_SETUP([conntrack - ct_label])
784 OVS_TRAFFIC_VSWITCHD_START(
785 [set-fail-mode br0 standalone -- ])
787 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
789 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
790 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
791 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
792 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
794 dnl Allow traffic between ns0<->ns1 using the ct_label.
795 dnl Check that different labels do not match for traffic between ns2<->ns3.
dnl Policy: default drop (priority=1); ARP and ICMP are always switched normally.
dnl Port 1 -> port 2: TCP is committed to conntrack with a ct_label and forwarded.
dnl Port 2 -> port 1: untracked TCP is first run through ct() and re-evaluated in
dnl table 0; only tracked packets whose connection carries exactly the label that
dnl port 1 committed are let back.
dnl Port 3 -> port 4 commits a different label (0x2), but the port 4 -> port 3 rule
dnl still requires the port-1 label, so that reply can never match and falls to drop.
796 AT_DATA([flows.txt], [dnl
797 priority=1,action=drop
798 priority=10,arp,action=normal
799 priority=10,icmp,action=normal
800 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:0x0a000d000005000001->ct_label)),2
801 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
802 priority=100,in_port=2,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=1
803 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:0x2->ct_label)),4
804 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
805 priority=100,in_port=4,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=3
808 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
810 dnl HTTP requests from p0->p1 should work fine.
dnl test-l7.py is the project's L7 test server; wget in the peer namespace is the client.
811 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
812 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
814 dnl HTTP requests from p2->p3 should fail due to network failure.
815 dnl Try 3 times, in 1 second intervals.
dnl wget must exit with status 4: the server's reply cannot match the label rule on
dnl port 4, so the connection never completes.
816 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
817 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
819 OVS_TRAFFIC_VSWITCHD_STOP
822 AT_SETUP([conntrack - ICMP related])
824 OVS_TRAFFIC_VSWITCHD_START(
825 [set-fail-mode br0 secure -- ])
827 ADD_NAMESPACES(at_ns0, at_ns1)
829 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
830 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
832 dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
dnl Policy: default drop; ARP switched normally. UDP from port 1 is committed with
dnl ct_mark=1 and forwarded to port 2. ICMP arriving on port 2 is first run through
dnl ct(); only ICMP that conntrack classifies as related (+rel) to a marked flow is
dnl forwarded to port 1. Unsolicited ICMP from port 2 falls to the drop rule.
833 AT_DATA([flows.txt], [dnl
834 priority=1,action=drop
835 priority=10,arp,action=normal
836 priority=100,in_port=1,udp,action=ct(commit,exec(set_field:1->ct_mark)),2
837 priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
838 priority=100,in_port=2,icmp,ct_state=+trk+rel,ct_mark=1,action=1
841 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
843 dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
844 dnl We pass "-q 1" here to handle openbsd-style nc that can't quit immediately.
dnl Nothing listens on 10000 in at_ns1, so the peer kernel answers with ICMP port
dnl unreachable, which conntrack attaches to the UDP entry as a related flow.
845 NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc -q 1 -u 10.1.1.2 10000"])
dnl Purge datapath flows first, presumably so their statistics are folded into the
dnl OpenFlow counters before they are dumped.
847 AT_CHECK([ovs-appctl revalidator/purge], [0])
dnl The counters are the assertion: one UDP packet out, one related ICMP back in.
dnl NOTE(review): the priority=1 drop rule is filtered out by grep -v, so this check
dnl does not verify how many packets (if any) hit the drop rule.
848 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
849 n_packets=1, n_bytes=44, priority=100,udp,in_port=1 actions=ct(commit,exec(load:0x1->NXM_NX_CT_MARK[[]])),output:2
850 n_packets=1, n_bytes=72, priority=100,ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2 actions=output:1
851 n_packets=1, n_bytes=72, priority=100,ct_state=-trk,icmp,in_port=2 actions=ct(table=0)
852 n_packets=2, n_bytes=84, priority=10,arp actions=NORMAL
856 OVS_TRAFFIC_VSWITCHD_STOP
859 AT_SETUP([conntrack - ICMP related 2])
861 OVS_TRAFFIC_VSWITCHD_START(
862 [set-fail-mode br0 standalone -- ])
864 ADD_NAMESPACES(at_ns0, at_ns1)
866 ADD_VETH(p0, at_ns0, br0, "172.16.0.1/24")
867 ADD_VETH(p1, at_ns1, br0, "172.16.0.2/24")
869 dnl Commit UDP from port 1 and send tracked packets from port 1 to the controller.
dnl From port 2, only packets conntrack marks as a related reply (+rel+rpl) reach
dnl the controller; anything else from port 2 falls to the drop rule.
870 AT_DATA([flows.txt], [dnl
871 priority=1,action=drop
872 priority=10,arp,action=normal
873 priority=100,in_port=1,ct_state=-trk,udp,action=ct(commit,table=0)
874 priority=100,in_port=1,ct_state=+trk,actions=controller
875 priority=100,in_port=2,ct_state=-trk,action=ct(table=0)
876 priority=100,in_port=2,ct_state=+trk+rel+rpl,action=controller
879 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
dnl Record packet-in messages so the controller-bound packets can be asserted below.
881 AT_CAPTURE_FILE([ofctl_monitor.log])
882 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
884 dnl 1. Send an ICMP port unreach reply for port 8738, without any previous request
dnl The number after br0 is the ingress port the injected packet is treated as arriving
dnl on. With no UDP flow to relate to, conntrack does not mark this ICMP +rel, so it
dnl must not reach the controller.
885 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f355ac100004ac1000030303553f0000000045000021317040004011b138ac100003ac10000411112222000d20966369616f0a'])
887 dnl 2. Send and UDP packet to port 5555
dnl Injected on port 1, so it is committed and then punted as new|trk.
888 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit,table=0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
890 dnl 3. Send an ICMP port unreach reply for port 5555, related to the first packet
dnl Now there is a committed UDP entry, so conntrack marks this rel|rpl|trk.
891 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
893 dnl Check this output. We only see the latter two packets, not the first.
dnl The monitor log must contain exactly the UDP packet (new|trk) and the related
dnl ICMP reply (rel|rpl|trk); the unsolicited ICMP from step 1 is absent.
894 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
895 NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=47 ct_state=new|trk,in_port=1 (via action) data_len=47 (unbuffered)
896 udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096
897 NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=75 ct_state=rel|rpl|trk,in_port=2 (via action) data_len=75 (unbuffered)
898 icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f
901 OVS_TRAFFIC_VSWITCHD_STOP
904 AT_SETUP([conntrack - FTP])
dnl The FTP server mode of test-l7.py presumably needs pyftpdlib; skip otherwise.
905 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
907 OVS_TRAFFIC_VSWITCHD_START(
908 [set-fail-mode br0 standalone -- ])
910 ADD_NAMESPACES(at_ns0, at_ns1)
912 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
913 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
915 dnl Allow any traffic from ns0->ns1. Only allow ARP, ICMP and return traffic from ns1->ns0.
dnl flows1: every TCP flow from port 1 is committed with the FTP ALG attached, so
dnl conntrack can expect the data connection; from port 2 only established or
dnl related (ALG-expected) TCP is let back.
916 AT_DATA([flows1.txt], [dnl
917 priority=1,action=drop
918 priority=10,arp,action=normal
919 priority=10,icmp,action=normal
920 priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
921 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
922 priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
923 priority=100,in_port=2,tcp,ct_state=+trk+rel,action=1
926 dnl Similar policy but without allowing all traffic from ns0->ns1.
dnl flows2: port 1 must also pass through ct() first; only +new flows are committed
dnl (with the ALG), established ones are just forwarded. Port 2 may open a
dnl connection only when conntrack marks it +new+rel, i.e. an active-mode data
dnl connection the ALG expected; it is committed so later packets match +est.
927 AT_DATA([flows2.txt], [dnl
928 priority=1,action=drop
929 priority=10,arp,action=normal
930 priority=10,icmp,action=normal
931 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0)
932 priority=100,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
933 priority=100,in_port=1,tcp,ct_state=+trk+est,action=2
934 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
935 priority=100,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
936 priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
937 priority=100,in_port=2,tcp,ct_state=+trk-new+rel,action=1
940 AT_CHECK([ovs-ofctl add-flows br0 flows1.txt])
dnl An FTP server runs in each namespace so both directions can be tried.
942 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
943 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
945 dnl FTP requests from p1->p0 should fail due to network failure.
946 dnl Try 3 times, in 1 second intervals.
dnl in_port=2 can only send established or related TCP, so this connection attempt
dnl is dropped (wget exit status 4) and no conntrack entry for 10.1.1.1 is expected.
947 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
948 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.1)], [0], [dnl
951 dnl FTP requests from p0->p1 should work fine.
dnl helper=ftp on the control connection entry confirms the ALG was attached.
952 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
953 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
954 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=1
957 dnl Try the second set of flows.
959 AT_CHECK([ovs-ofctl del-flows br0])
960 AT_CHECK([ovs-ofctl add-flows br0 flows2.txt])
962 dnl FTP requests from p1->p0 should fail due to network failure.
963 dnl Try 3 times, in 1 second intervals.
964 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
965 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.1)], [0], [dnl
968 dnl Active FTP requests from p0->p1 should work fine.
dnl Active mode: the server (10.1.1.2) opens the data connection back to the
dnl client, which shows up as the second entry with src=10.1.1.2.
969 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
970 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
971 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=2
972 TIME_WAIT src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1
dnl Flush the conntrack table so the passive-mode run starts from a clean state.
975 AT_CHECK([conntrack -F 2>/dev/null])
977 dnl Passive FTP requests from p0->p1 should work fine.
dnl Passive mode: the client opens the data connection as well, so both entries
dnl have src=10.1.1.1.
978 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
979 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
980 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=2
981 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1
984 OVS_TRAFFIC_VSWITCHD_STOP
987 AT_SETUP([conntrack - FTP with multiple expectations])
988 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
990 OVS_TRAFFIC_VSWITCHD_START(
991 [set-fail-mode br0 standalone -- ])
993 ADD_NAMESPACES(at_ns0, at_ns1)
995 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
996 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
998 dnl Dual-firewall, allow all from p0->p1 (ns0->ns1), allow established and ftp p1->p0 (ns1->ns0).
dnl Two conntrack zones model two firewalls in series: port 1 traffic is tracked
dnl in zone 1 and then zone 2, port 2 traffic in zone 2 and then zone 1. A new
dnl flow from port 1 is committed with the FTP ALG in both zones, so each zone
dnl creates its own expectation for the data connection, and a related
dnl connection from port 2 is likewise committed in both zones.
999 AT_DATA([flows.txt], [dnl
1000 priority=1,action=drop
1001 priority=10,arp,action=normal
1002 priority=10,icmp,action=normal
1003 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
1004 priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
1005 priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=0,zone=2)
1006 priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=2)
1007 priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
1008 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
1009 priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
1010 priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=0,zone=1)
1011 priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
1012 priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
1015 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1017 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
1018 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1020 dnl FTP requests from p1->p0 should fail due to network failure.
1021 dnl Try 3 times, in 1 second intervals.
dnl Port 2 may only send related or established TCP, so the attempt is dropped
dnl (wget exit status 4) and no conntrack entry for 10.1.1.1 is expected.
1022 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
1023 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.1)], [0], [dnl
1026 dnl Active FTP requests from p0->p1 should work fine.
dnl Each connection appears once per zone; helper=ftp on both control-connection
dnl entries shows the ALG expectation was created in each zone, and the server-
dnl initiated data connection (src=10.1.1.2) was admitted in both.
1027 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1028 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
1029 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 helper=ftp use=2
1030 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 helper=ftp use=2
1031 TIME_WAIT src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
1032 TIME_WAIT src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
dnl Flush the conntrack table so the passive-mode run starts from a clean state.
1035 AT_CHECK([conntrack -F 2>/dev/null])
1037 dnl Passive FTP requests from p0->p1 should work fine.
dnl Passive mode: the client opens the data connection, so all four entries have
dnl src=10.1.1.1 (control and data, once per zone).
1038 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1039 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
1040 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 helper=ftp use=2
1041 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
1042 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 helper=ftp use=2
1043 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
1046 OVS_TRAFFIC_VSWITCHD_STOP
1049 AT_SETUP([conntrack - IPv4 fragmentation ])
1051 OVS_TRAFFIC_VSWITCHD_START(
1052 [set-fail-mode br0 secure -- ])
1054 ADD_NAMESPACES(at_ns0, at_ns1)
1056 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1057 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1059 dnl Sending ping through conntrack
dnl Policy: ICMP from port 1 is committed in conntrack zone 9 and forwarded; ICMP
dnl from port 2 is first run through ct() in the same zone and let back only once
dnl conntrack marks it established. Large pings exercise conntrack's handling of
dnl fragmented ICMP on both directions.
1060 AT_DATA([flows.txt], [dnl
1061 priority=1,action=drop
1062 priority=10,arp,action=normal
1063 priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
1064 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1065 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1068 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1070 dnl Basic connectivity check.
1071 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1072 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1075 dnl IPv4 fragmentation connectivity check.
dnl -s 1600 exceeds a standard 1500-byte Ethernet MTU (the veth MTU is not set
dnl explicitly here), so each echo request is sent as fragments.
1076 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1077 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1080 dnl IPv4 larger fragmentation connectivity check.
1081 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1082 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1085 OVS_TRAFFIC_VSWITCHD_STOP
1088 AT_SETUP([conntrack - IPv4 fragmentation + vlan])
1090 OVS_TRAFFIC_VSWITCHD_START(
1091 [set-fail-mode br0 secure -- ])
1093 ADD_NAMESPACES(at_ns0, at_ns1)
1095 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1096 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl VLAN 100 sub-interfaces carry the test traffic, so every fragment arrives tagged.
1097 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
1098 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
1100 dnl Sending ping through conntrack
dnl Same policy as the untagged test: ICMP from port 1 is committed in zone 9 and
dnl forwarded; ICMP from port 2 is let back only once conntrack marks it established.
1101 AT_DATA([flows.txt], [dnl
1102 priority=1,action=drop
1103 priority=10,arp,action=normal
1104 priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
1105 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1106 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1109 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1111 dnl Basic connectivity check.
1112 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1113 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1116 dnl IPv4 fragmentation connectivity check.
dnl -s 1600 and -s 3200 exceed a standard 1500-byte Ethernet MTU (not set
dnl explicitly here), so the echo requests are sent as tagged fragments.
1117 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1118 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1121 dnl IPv4 larger fragmentation connectivity check.
1122 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1123 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1126 OVS_TRAFFIC_VSWITCHD_STOP
1129 AT_SETUP([conntrack - IPv6 fragmentation])
1131 OVS_TRAFFIC_VSWITCHD_START(
1132 [set-fail-mode br0 secure -- ])
1134 ADD_NAMESPACES(at_ns0, at_ns1)
1136 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1137 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1139 dnl Sending ping through conntrack
dnl Policy: all IPv6 from port 1 is committed in zone 9 and forwarded; IPv6 from
dnl port 2 is let back only once conntrack marks it established. ICMPv6 types 135
dnl and 136 (neighbor solicitation/advertisement) are switched normally at higher
dnl priority so address resolution works without going through conntrack.
1140 AT_DATA([flows.txt], [dnl
1141 priority=1,action=drop
1142 priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
1143 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1144 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
1145 priority=100,icmp6,icmp_type=135,action=normal
1146 priority=100,icmp6,icmp_type=136,action=normal
1149 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1151 dnl Without this sleep, we get occasional failures due to the following error:
1152 dnl "connect: Cannot assign requested address"
1155 dnl Basic connectivity check.
1156 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1157 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1160 dnl IPv6 fragmentation connectivity check.
dnl -s 1600 and -s 3200 exceed a standard 1500-byte Ethernet MTU (not set
dnl explicitly here), so the echo requests are sent as IPv6 fragments.
1161 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1162 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1165 dnl IPv6 larger fragmentation connectivity check.
1166 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1167 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1170 OVS_TRAFFIC_VSWITCHD_STOP
1173 AT_SETUP([conntrack - IPv6 fragmentation + vlan])
1175 OVS_TRAFFIC_VSWITCHD_START(
1176 [set-fail-mode br0 secure -- ])
1178 ADD_NAMESPACES(at_ns0, at_ns1)
1180 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1181 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl VLAN 100 sub-interfaces carry the test traffic, so every fragment arrives tagged.
1183 ADD_VLAN(p0, at_ns0, 100, "fc00:1::3/96")
1184 ADD_VLAN(p1, at_ns1, 100, "fc00:1::4/96")
1186 dnl Sending ping through conntrack
dnl Same policy as the untagged IPv6 test: IPv6 from port 1 is committed in zone 9
dnl and forwarded, port 2 is let back only once established, and ICMPv6 types
dnl 135/136 (neighbor solicitation/advertisement) bypass conntrack.
1187 AT_DATA([flows.txt], [dnl
1188 priority=1,action=drop
1189 priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
1190 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1191 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
1192 priority=100,icmp6,icmp_type=135,action=normal
1193 priority=100,icmp6,icmp_type=136,action=normal
1196 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1198 dnl Without this sleep, we get occasional failures due to the following error:
1199 dnl "connect: Cannot assign requested address"
1202 dnl Basic connectivity check.
1203 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1204 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1207 dnl IPv6 fragmentation connectivity check.
dnl -s 1600 and -s 3200 exceed a standard 1500-byte Ethernet MTU (not set
dnl explicitly here), so the echo requests are sent as tagged IPv6 fragments.
1208 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1209 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1212 dnl IPv6 larger fragmentation connectivity check.
1213 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1214 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1217 OVS_TRAFFIC_VSWITCHD_STOP
1220 AT_SETUP([conntrack - Fragmentation over vxlan])
dnl Skip unless this kernel's ip(8) supports vxlan link types.
1221 AT_SKIP_IF([! ip link help 2>&1 | grep vxlan >/dev/null])
1224 OVS_TRAFFIC_VSWITCHD_START(
1225 [set-fail-mode br0 standalone --])
dnl br0 is the overlay bridge; br-underlay carries the encapsulated traffic.
1226 ADD_BR([br-underlay], [set-fail-mode br-underlay standalone])
1227 ADD_NAMESPACES(at_ns0)
1229 dnl Sending ping through conntrack
dnl Policy on the overlay bridge: ICMP from port 1 (presumably the vxlan port added
dnl below, the only other port on br0) is committed in zone 9 and delivered to the
dnl bridge's LOCAL port; ICMP from LOCAL is sent back only once conntrack marks it
dnl established.
1230 AT_DATA([flows.txt], [dnl
1231 priority=1,action=drop
1232 priority=10,arp,action=normal
1233 priority=100,in_port=1,icmp,action=ct(commit,zone=9),LOCAL
1234 priority=100,in_port=LOCAL,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1235 priority=100,in_port=LOCAL,ct_state=+trk+est,icmp,action=1
1238 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1240 dnl Set up underlay link from host into the namespace using veth pair.
dnl 172.31.1.1 lives in the namespace, 172.31.1.100 on the host side of br-underlay.
1241 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
1242 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
1243 AT_CHECK([ip link set dev br-underlay up])
1245 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
1246 dnl linux device inside the namespace.
dnl The native vxlan device at_vxlan1 uses VNI 0 and UDP port 4789 to reach the OVS
dnl vxlan port; overlay addresses are 10.1.1.1 (namespace) and 10.1.1.100 (OVS).
1247 ADD_OVS_TUNNEL([vxlan], [br0], [at_ns0], [172.31.1.1], [10.1.1.100/24])
1248 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
1249 [id 0 dstport 4789])
1251 dnl First, check the underlay
1252 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
1253 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1256 dnl Okay, now check the overlay with different packet sizes
dnl The larger payloads exercise fragment handling on the encapsulated path before
dnl the decapsulated ICMP reaches conntrack on br0.
1257 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1258 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1260 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1261 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1263 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1264 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1267 OVS_TRAFFIC_VSWITCHD_STOP
1270 AT_SETUP([conntrack - resubmit to ct multiple times])
1273 OVS_TRAFFIC_VSWITCHD_START(
1274 [set-fail-mode br0 secure -- ])
1276 ADD_NAMESPACES(at_ns0, at_ns1)
1278 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1279 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Table 0 resubmits the same IP packet to table 1 and then to table 2; each of
dnl those invokes ct(table=3), so the packet is recirculated into table 3 twice,
dnl where it is dropped. Nothing forwards to port 2, so the ping cannot succeed;
dnl the point of the test is the counters, not connectivity.
1281 AT_DATA([flows.txt], [dnl
1282 table=0,priority=150,arp,action=normal
1283 table=0,priority=100,ip,in_port=1,action=resubmit(,1),resubmit(,2)
1285 table=1,priority=100,ip,action=ct(table=3)
1286 table=2,priority=100,ip,action=ct(table=3)
1288 table=3,ip,action=drop
1291 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
dnl Expect 100% loss: the only path for IP traffic ends in table 3's drop.
1293 NS_CHECK_EXEC([at_ns0], [ping -q -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
1294 1 packets transmitted, 0 received, 100% packet loss, time 0ms
dnl Table 3 counting 2 packets / 196 bytes for a single 98-byte ping confirms that
dnl both ct() invocations ran and each delivered the packet to table 3.
1297 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort], [0], [dnl
1298 n_packets=1, n_bytes=98, priority=100,ip,in_port=1 actions=resubmit(,1),resubmit(,2)
1299 n_packets=2, n_bytes=84, priority=150,arp actions=NORMAL
1300 table=1, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
1301 table=2, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
1302 table=3, n_packets=2, n_bytes=196, ip actions=drop
1306 OVS_TRAFFIC_VSWITCHD_STOP