1 AT_BANNER([datapath-sanity])
3 AT_SETUP([datapath - ping between two ports])
dnl Baseline datapath check: two veth ports in separate namespaces on br0 with a
dnl single actions=normal flow, i.e. plain MAC-learning forwarding and no policy.
dnl If this case fails, none of the conntrack cases below can be interpreted.
4 OVS_TRAFFIC_VSWITCHD_START()
6 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
8 ADD_NAMESPACES(at_ns0, at_ns1)
10 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
11 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Three payload sizes: default, -s 1600 and -s 3200. The larger two exceed a
dnl typical 1500-byte MTU, so they presumably exercise IP fragmentation and
dnl reassembly across the veth pair (no MTU is set in this listing -- confirm).
dnl FORMAT_PING is defined elsewhere; the constant "time 0ms" in the expected
dnl output suggests it rewrites the timing fields so the comparison is stable.
13 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
14 3 packets transmitted, 3 received, 0% packet loss, time 0ms
16 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
17 3 packets transmitted, 3 received, 0% packet loss, time 0ms
19 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
20 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl NOTE(review): the closing delimiter of each NS_CHECK_EXEC and the AT_CLEANUP
dnl line are not visible in this listing (line numbers skip); treat the body as
dnl truncated by the rendering rather than as missing from the test.
23 OVS_TRAFFIC_VSWITCHD_STOP
26 AT_SETUP([datapath - ping between two ports on vlan])
dnl Same topology as the untagged case, plus a VLAN 100 sub-interface in each
dnl namespace carrying 10.2.2.0/24. The pings target the VLAN addresses, so the
dnl frames crossing br0 are 802.1Q tagged and forwarded by actions=normal.
27 OVS_TRAFFIC_VSWITCHD_START()
29 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
31 ADD_NAMESPACES(at_ns0, at_ns1)
33 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
34 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
36 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
37 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
dnl Default, 1600- and 3200-byte payloads; the larger sizes presumably fragment
dnl as in the untagged case, now with the tag consuming 4 extra bytes per frame.
39 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
40 3 packets transmitted, 3 received, 0% packet loss, time 0ms
42 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
43 3 packets transmitted, 3 received, 0% packet loss, time 0ms
45 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
46 3 packets transmitted, 3 received, 0% packet loss, time 0ms
49 OVS_TRAFFIC_VSWITCHD_STOP
52 AT_SETUP([datapath - ping6 between two ports])
dnl IPv6 variant of the basic two-port check, using a ULA prefix (fc00::/96).
dnl actions=normal must also flood/learn the ICMPv6 neighbour discovery that
dnl precedes the echo requests.
53 OVS_TRAFFIC_VSWITCHD_START()
55 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
57 ADD_NAMESPACES(at_ns0, at_ns1)
59 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
60 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
62 dnl Without this sleep, we get occasional failures due to the following error:
63 dnl "connect: Cannot assign requested address"
dnl NOTE(review): the sleep the comment above refers to is not visible in this
dnl listing (the line numbers skip from 63 to 66); it presumably waits for
dnl IPv6 duplicate address detection to finish so the source address is usable.
66 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
67 3 packets transmitted, 3 received, 0% packet loss, time 0ms
69 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
70 3 packets transmitted, 3 received, 0% packet loss, time 0ms
72 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
73 3 packets transmitted, 3 received, 0% packet loss, time 0ms
76 OVS_TRAFFIC_VSWITCHD_STOP
79 AT_SETUP([datapath - ping6 between two ports on vlan])
dnl IPv6 over a VLAN 100 sub-interface (fc00:1::/96); the echo requests target
dnl the VLAN addresses so tagged IPv6 frames are what cross br0.
80 OVS_TRAFFIC_VSWITCHD_START()
82 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
84 ADD_NAMESPACES(at_ns0, at_ns1)
86 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
87 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
89 ADD_VLAN(p0, at_ns0, 100, "fc00:1::1/96")
90 ADD_VLAN(p1, at_ns1, 100, "fc00:1::2/96")
92 dnl Without this sleep, we get occasional failures due to the following error:
93 dnl "connect: Cannot assign requested address"
dnl NOTE(review): the sleep itself is not shown in this listing (numbers skip
dnl from 93 to 96); see the untagged ping6 case for the same gap.
96 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
97 3 packets transmitted, 3 received, 0% packet loss, time 0ms
99 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
100 3 packets transmitted, 3 received, 0% packet loss, time 0ms
102 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
103 3 packets transmitted, 3 received, 0% packet loss, time 0ms
106 OVS_TRAFFIC_VSWITCHD_STOP
109 AT_SETUP([datapath - ping over vxlan tunnel])
dnl Overlay connectivity: br0 carries the overlay (10.1.1.0/24), br-underlay the
dnl transport network (172.31.1.0/24). One tunnel endpoint is an OVS vxlan port,
dnl the other a native Linux vxlan device inside the namespace, so this checks
dnl interoperability of the OVS encapsulation with the kernel implementation.
112 OVS_TRAFFIC_VSWITCHD_START()
113 ADD_BR([br-underlay])
115 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
116 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
118 ADD_NAMESPACES(at_ns0)
120 dnl Set up underlay link from host into the namespace using veth pair.
dnl The host side of the underlay is the br-underlay internal device itself,
dnl given 172.31.1.100; the namespace side is 172.31.1.1.
121 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
122 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
123 AT_CHECK([ip link set dev br-underlay up])
125 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
126 dnl linux device inside the namespace.
dnl Each endpoint names the other side's underlay address as its remote and
dnl owns one overlay address (10.1.1.100 on OVS, 10.1.1.1 in the namespace).
dnl NOTE(review): ADD_NATIVE_TUNNEL's trailing argument(s) continue on a line
dnl not shown in this listing, so the native device's options cannot be
dnl reviewed here.
127 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
128 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
131 dnl First, check the underlay
132 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
133 3 packets transmitted, 3 received, 0% packet loss, time 0ms
136 dnl Okay, now check the overlay with different packet sizes
dnl The 1600- and 3200-byte payloads exceed the underlay MTU once the VXLAN,
dnl UDP and outer IP headers are added, so these presumably exercise
dnl fragmentation of the encapsulated packets -- confirm against the tunnel MTU.
137 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
138 3 packets transmitted, 3 received, 0% packet loss, time 0ms
140 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
141 3 packets transmitted, 3 received, 0% packet loss, time 0ms
143 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
144 3 packets transmitted, 3 received, 0% packet loss, time 0ms
147 OVS_TRAFFIC_VSWITCHD_STOP
150 AT_SETUP([conntrack - controller])
dnl Stateful-policy contract checked with synthetic packets instead of real
dnl sockets, so the exact sequence of accepted and dropped packets is visible
dnl in the controller monitor log:
dnl - priority=1 drop is the default-deny; only the rules below admit traffic.
dnl - in_port=1 udp: commit the connection and punt the packet to the controller.
dnl - in_port=2 untracked udp: run a conntrack lookup, recirculate to table 0.
dnl - in_port=2 tracked and established udp: punt to the controller.
dnl A packet from port 2 therefore reaches the controller only after port 1 has
dnl committed the originating direction; anything else hits the drop rule.
152 OVS_TRAFFIC_VSWITCHD_START()
154 ADD_NAMESPACES(at_ns0, at_ns1)
156 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
157 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
159 dnl Allow any traffic from ns0->ns1. Only allow neighbour discovery (ARP) and
dnl return traffic from ns1->ns0.
160 AT_DATA([flows.txt], [dnl
161 priority=1,action=drop
162 priority=10,arp,action=normal
163 priority=100,in_port=1,udp,action=ct(commit),controller
164 priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
165 priority=100,in_port=2,ct_state=+trk+est,udp,action=controller
168 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Everything punted to the controller lands in ofctl_monitor.log; the file is
dnl captured so a failing run shows which packets actually arrived.
170 AT_CAPTURE_FILE([ofctl_monitor.log])
171 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
173 dnl Send an unsolicited reply from port 2. This should be dropped.
dnl The packet-out carries the same ct(table=0) action as the in_port=2 flow;
dnl with no committed entry the lookup cannot yield +est, so after recirculation
dnl the packet falls through to the priority=1 drop and never reaches the monitor.
174 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
176 dnl OK, now start a new connection from port 1.
dnl Per the monitor output this is UDP 10.1.1.1:1 -> 10.1.1.2:2; commit creates
dnl the conntrack entry that the reply below will match.
177 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit\),controller '50540000000a50540000000908004500001c00000000001100000a0101010a0101020001000200080000'])
179 dnl Now try a reply from port 2.
dnl Same bytes as the first packet-out; the only difference is that a committed
dnl entry now exists, so the lookup reports est|rpl|trk and the +trk+est rule
dnl punts it to the controller.
180 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
182 dnl Check this output. We only see the latter two packets, not the first.
dnl The second NXT_PACKET_IN carries ct_state=est|rpl|trk, which is the evidence
dnl that the reply was accepted because of the committed entry, not by accident.
183 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
184 NXT_PACKET_IN (xid=0x0): total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
185 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
186 NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
187 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
190 OVS_TRAFFIC_VSWITCHD_STOP
193 AT_SETUP([conntrack - IPv4 HTTP])
dnl Real TCP through the stateful policy: an HTTP fetch in the allowed direction
dnl must succeed and a fetch in the reverse direction must fail, which shows the
dnl +est rule admits only replies to a committed connection and that the
dnl default-deny rule is actually enforced.
195 OVS_TRAFFIC_VSWITCHD_START()
197 ADD_NAMESPACES(at_ns0, at_ns1)
199 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
200 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
202 dnl Allow any traffic from ns0->ns1. Only allow neighbour discovery (ARP),
dnl ICMP and return traffic from ns1->ns0.
203 AT_DATA([flows.txt], [dnl
204 priority=1,action=drop
205 priority=10,arp,action=normal
206 priority=10,icmp,action=normal
dnl Client direction: commit, then output straight to port 2 (no recirculation).
207 priority=100,in_port=1,tcp,action=ct(commit),2
dnl Server direction: lookup and recirculate, then admit only established.
208 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
209 priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
212 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
214 dnl Basic connectivity check.
dnl Uses the icmp rule, so it proves reachability without touching conntrack.
215 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 >/dev/null])
217 dnl HTTP requests from ns0->ns1 should work fine.
dnl test-l7.py is the repository's small HTTP server (not in this listing);
dnl --retry-connrefused covers the window before it starts listening.
218 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
219 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl FORMAT_CT (defined elsewhere) appears to select entries for the given address
dnl and replace the ports with <cleared>; TIME_WAIT shows the fetch completed.
221 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
222 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
225 dnl HTTP requests from ns1->ns0 should fail due to network failure.
226 dnl Try 3 times, in 1 second intervals.
dnl Expected status 4 is wget's "network failure" exit code: the SYN from port 2
dnl is untracked, gets looked up, is not established, and is dropped. Note that
dnl --retry-connrefused is deliberately absent here -- a refusal would mean the
dnl SYN got through, which is precisely what must not happen.
227 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
228 NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log], [4])
230 OVS_TRAFFIC_VSWITCHD_STOP
233 AT_SETUP([conntrack - IPv6 HTTP])
dnl IPv6 counterpart of the IPv4 HTTP case: same allow-forward / deny-reverse
dnl policy, with icmp6 standing in for arp so neighbour discovery still works.
235 OVS_TRAFFIC_VSWITCHD_START()
237 ADD_NAMESPACES(at_ns0, at_ns1)
239 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
240 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
242 dnl Allow any traffic from ns0->ns1. Only allow neighbour discovery (ICMPv6)
dnl and return traffic from ns1->ns0.
243 AT_DATA([flows.txt], [dnl
244 priority=1,action=drop
dnl icmp6 carries neighbour solicitation/advertisement; without it no TCP
dnl connection could even be attempted.
245 priority=10,icmp6,action=normal
246 priority=100,in_port=1,tcp6,action=ct(commit),2
247 priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
248 priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
251 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
253 dnl Without this sleep, we get occasional failures due to the following error:
254 dnl "connect: Cannot assign requested address"
dnl NOTE(review): the sleep itself is not visible in this listing (line numbers
dnl skip from 254 to 257).
257 dnl HTTP requests from ns0->ns1 should work fine.
dnl The doubled brackets in the URL are m4 quoting for the literal IPv6 address.
258 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])
260 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
262 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
263 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
266 dnl HTTP requests from ns1->ns0 should fail due to network failure.
267 dnl Try 3 times, in 1 second intervals.
dnl Exit status 4 (network failure) is the negative check that the reverse
dnl direction is dropped rather than refused.
268 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
269 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
271 OVS_TRAFFIC_VSWITCHD_STOP
274 AT_SETUP([conntrack - commit, recirc])
dnl Checks that ct(...,table=0) recirculation works and that the metadata field
dnl survives it. Both port pairs only check the positive path (the fetch works);
dnl there is no negative probe here, so a regression that let everything through
dnl would not be caught by this case -- the deny checks live in the HTTP cases.
276 OVS_TRAFFIC_VSWITCHD_START()
278 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
280 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
281 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
282 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
283 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
285 dnl Allow any traffic from ns0->ns1, ns2->ns3.
286 AT_DATA([flows.txt], [dnl
287 priority=1,action=drop
288 priority=10,arp,action=normal
289 priority=10,icmp,action=normal
dnl Pair p0/p1: commit-and-recirculate on the first pass, output on the second.
dnl Note the +trk rules do not require +est, so any tracked packet is forwarded;
dnl this pair tests recirculation, not the reply-only policy.
290 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
291 priority=100,in_port=1,tcp,ct_state=+trk,action=2
292 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
293 priority=100,in_port=2,tcp,ct_state=+trk,action=1
dnl Pair p2/p3: three passes through table 0. metadata is set to 0 before the
dnl first lookup, to 1 before the commit, and the final output rule matches
dnl metadata=1, so the fetch only succeeds if metadata is preserved across
dnl both ct recirculations.
294 priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
295 priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
296 priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
297 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
298 priority=100,in_port=4,tcp,ct_state=+trk,action=3
301 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
303 dnl HTTP requests from p0->p1 should work fine.
304 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
305 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
307 dnl HTTP requests from p2->p3 should work fine.
308 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
309 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
311 OVS_TRAFFIC_VSWITCHD_STOP
314 AT_SETUP([conntrack - preserve registers])
dnl Same shape as the "commit, recirc" case, but the value carried across the
dnl ct recirculations is register reg0 instead of metadata. As there, only the
dnl positive path is checked for both pairs.
316 OVS_TRAFFIC_VSWITCHD_START()
318 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
320 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
321 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
322 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
323 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
325 dnl Allow any traffic from ns0->ns1, ns2->ns3.
326 AT_DATA([flows.txt], [dnl
327 priority=1,action=drop
328 priority=10,arp,action=normal
329 priority=10,icmp,action=normal
330 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
331 priority=100,in_port=1,tcp,ct_state=+trk,action=2
332 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
333 priority=100,in_port=2,tcp,ct_state=+trk,action=1
dnl reg0 is loaded with 0 before the lookup and 1 before the commit; the output
dnl rule requires reg0=1, so the fetch succeeds only if the register value is
dnl preserved through both recirculations.
334 priority=100,in_port=3,tcp,ct_state=-trk,action=load:0->NXM_NX_REG0[[]],ct(table=0)
335 priority=100,in_port=3,tcp,ct_state=+trk,reg0=0,action=load:1->NXM_NX_REG0[[]],ct(commit,table=0)
336 priority=100,in_port=3,tcp,ct_state=+trk,reg0=1,action=4
337 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
338 priority=100,in_port=4,tcp,ct_state=+trk,action=3
341 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
343 dnl HTTP requests from p0->p1 should work fine.
344 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
345 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
347 dnl HTTP requests from p2->p3 should work fine.
348 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
349 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
351 OVS_TRAFFIC_VSWITCHD_STOP
354 AT_SETUP([conntrack - invalid])
dnl Shows what happens to replies whose originating direction was never
dnl committed: conntrack cannot associate them with a connection, so they are
dnl neither +new nor +est and are classified +inv. The first pair relies on
dnl that to fail; the second pair explicitly admits +inv to succeed.
356 OVS_TRAFFIC_VSWITCHD_START()
358 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
360 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
361 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
362 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
363 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
365 dnl Pass traffic from ns0->ns1 without committing, but attempt to track in
366 dnl the opposite direction. This should fail.
367 dnl Pass traffic from ns2->ns3 without committing, and this time match
368 dnl invalid traffic and allow it through.
369 AT_DATA([flows.txt], [dnl
370 priority=1,action=drop
371 priority=10,arp,action=normal
372 priority=10,icmp,action=normal
dnl ct() with no commit: the request is tracked for this packet only and leaves
dnl no entry behind for the reply to match.
373 priority=100,in_port=1,tcp,action=ct(),2
374 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
dnl Only +new is admitted from port 2; the SYN-ACK is not new, so it is dropped.
375 priority=100,in_port=2,ct_state=+trk+new,tcp,action=1
376 priority=100,in_port=3,tcp,action=ct(),4
377 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
dnl Admitting +inv is what makes the second pair work. It also means packets
dnl conntrack could not classify are forwarded without any committed
dnl connection -- the property the first pair shows is otherwise enforced.
378 priority=100,in_port=4,ct_state=+trk+inv,tcp,action=3
379 priority=100,in_port=4,ct_state=+trk+new,tcp,action=3
382 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
384 dnl We set up our rules to allow the request without committing. The return
385 dnl traffic can't be identified, because the initial request wasn't committed.
386 dnl For the first pair of ports, this means that the connection fails.
dnl Expected status 4 is wget's network-failure exit code; --retry-connrefused
dnl is present here because the failure mode is a dropped reply, not a refusal.
387 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
388 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4])
390 dnl For the second pair, we allow packets from invalid connections, so it works.
391 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
392 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
394 OVS_TRAFFIC_VSWITCHD_STOP
397 AT_SETUP([conntrack - zones])
dnl Zones are independent conntrack tables. The first pair commits and looks up
dnl in zone 1 and succeeds; the second pair commits and looks up in zone 2 but
dnl its return rule requires ct_zone=1, so the reply never matches and the
dnl fetch fails. This is the negative check that zone matching is enforced.
399 OVS_TRAFFIC_VSWITCHD_START()
401 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
403 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
404 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
405 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
406 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
408 dnl Allow any traffic from ns0->ns1. Allow return traffic, matching on zone.
409 dnl For ns2->ns3, use a different zone and see that the match fails.
410 AT_DATA([flows.txt], [dnl
411 priority=1,action=drop
412 priority=10,arp,action=normal
413 priority=10,icmp,action=normal
414 priority=100,in_port=1,tcp,action=ct(commit,zone=1),2
415 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
416 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
417 priority=100,in_port=3,tcp,action=ct(commit,zone=2),4
418 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0,zone=2)
dnl Deliberate mismatch: the lookup above ran in zone 2, so ct_zone is 2 and
dnl this rule can never match.
419 priority=100,in_port=4,ct_state=+trk,ct_zone=1,tcp,action=3
422 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
424 dnl HTTP requests from p0->p1 should work fine.
425 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
426 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
428 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
429 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
432 dnl HTTP requests from p2->p3 should fail due to network failure.
433 dnl Try 3 times, in 1 second intervals.
434 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
435 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl The zone-2 entry is ESTABLISHED even though the fetch failed: the lookup on
dnl the reply presumably advances the conntrack state before the flow table
dnl drops the packet -- confirm. The state of the entry is therefore not, on its
dnl own, evidence that traffic was forwarded.
437 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
438 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=ESTABLISHED)
441 OVS_TRAFFIC_VSWITCHD_STOP
444 AT_SETUP([conntrack - zones from field])
dnl Same positive/negative pair as the "zones" case, but the zone is taken from
dnl bits 0..15 of reg0 instead of a literal: 0x1001 (4097) for the first pair
dnl and 0x1002 (4098) for the second. The dump lines confirm the decimal zones.
446 OVS_TRAFFIC_VSWITCHD_START()
448 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
450 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
451 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
452 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
453 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
455 dnl Allow any traffic from ns0->ns1. Only allow neighbour discovery (ARP),
dnl ICMP and return traffic from ns1->ns0.
456 AT_DATA([flows.txt], [dnl
457 priority=1,action=drop
458 priority=10,arp,action=normal
459 priority=10,icmp,action=normal
460 priority=100,in_port=1,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),2
461 priority=100,in_port=2,ct_state=-trk,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
462 priority=100,in_port=2,ct_state=+trk,ct_zone=0x1001,tcp,action=1
463 priority=100,in_port=3,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),4
464 priority=100,in_port=4,ct_state=-trk,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
dnl Deliberate mismatch: the lookup ran in zone 0x1002, so ct_zone=0x1001
dnl never matches and the second pair's reply is dropped.
465 priority=100,in_port=4,ct_state=+trk,ct_zone=0x1001,tcp,action=3
468 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
470 dnl HTTP requests from p0->p1 should work fine.
471 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
472 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
474 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
475 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=4097,protoinfo=(state=TIME_WAIT)
478 dnl HTTP requests from p2->p3 should fail due to network failure.
479 dnl Try 3 times, in 1 second intervals.
480 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
481 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
483 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
484 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=4098,protoinfo=(state=ESTABLISHED)
487 OVS_TRAFFIC_VSWITCHD_STOP
490 AT_SETUP([conntrack - multiple bridges])
dnl Two bridges joined by a patch-port pair, each running its own conntrack
dnl policy in its own zone (br0: zone 1, br1: zone 2). Only the positive path
dnl is checked; there is no reverse-direction probe in this case.
dnl NOTE(review): the first argument line of OVS_TRAFFIC_VSWITCHD_START (line
dnl 493, presumably the add-br for br1) is not visible in this listing.
492 OVS_TRAFFIC_VSWITCHD_START(
494 add-port br0 patch+ -- set int patch+ type=patch options:peer=patch- --\
495 add-port br1 patch- -- set int patch- type=patch options:peer=patch+ --])
497 ADD_NAMESPACES(at_ns0, at_ns1)
499 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
500 ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")
502 dnl Allow any traffic from ns0->br1, allow established in reverse.
dnl Port numbering is inferred from creation order: the patch port is added
dnl before the veth on each bridge, so patch+ appears to be port 1 and p0 port 2
dnl on br0, and patch- port 1 and p1 port 2 on br1 -- confirm.
503 AT_DATA([flows-br0.txt], [dnl
504 priority=1,action=drop
505 priority=10,arp,action=normal
506 priority=10,icmp,action=normal
507 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(commit,zone=1),1
508 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
509 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=1,action=2
512 dnl Allow any traffic from br0->ns1, allow established in reverse.
dnl br1 tracks every packet first and commits new connections arriving over the
dnl patch port; established traffic in either direction is re-committed, which
dnl keeps the zone-2 entry current.
513 AT_DATA([flows-br1.txt], [dnl
514 priority=1,action=drop
515 priority=10,arp,action=normal
516 priority=10,icmp,action=normal
517 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=2)
518 priority=100,in_port=1,tcp,ct_state=+trk+new,ct_zone=2,action=ct(commit,zone=2),2
519 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=2,action=2
520 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
521 priority=100,in_port=2,tcp,ct_state=+trk+est,ct_zone=2,action=ct(commit,zone=2),1
524 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
525 AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt])
527 dnl HTTP requests from p0->p1 should work fine.
528 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
529 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
531 OVS_TRAFFIC_VSWITCHD_STOP
534 AT_SETUP([conntrack - multiple zones])
dnl One packet committed into two zones in sequence. The reply path only looks
dnl up zone 2, so the zone-1 entry never sees the server direction and stays in
dnl SYN_SENT while the zone-2 entry reaches TIME_WAIT -- the dump at the end is
dnl what verifies that the two commits produced independent entries.
536 OVS_TRAFFIC_VSWITCHD_START()
538 ADD_NAMESPACES(at_ns0, at_ns1)
540 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
541 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
543 dnl Allow any traffic from ns0->ns1. Only allow neighbour discovery (ARP),
dnl ICMP and return traffic from ns1->ns0.
544 AT_DATA([flows.txt], [dnl
545 priority=1,action=drop
546 priority=10,arp,action=normal
547 priority=10,icmp,action=normal
548 priority=100,in_port=1,tcp,action=ct(commit,zone=1),ct(commit,zone=2),2
549 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=2)
550 priority=100,in_port=2,ct_state=+trk,ct_zone=2,tcp,action=1
553 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
555 dnl HTTP requests from p0->p1 should work fine.
556 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
557 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
559 dnl (again) HTTP requests from p0->p1 should work fine.
dnl The second fetch checks that a fresh connection still works while the
dnl previous one's entries are lingering in the table.
560 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
562 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
563 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=SYN_SENT)
564 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT)
567 OVS_TRAFFIC_VSWITCHD_STOP
570 AT_SETUP([conntrack - multiple zones, local])
dnl Variant of "multiple zones" where the client is the host stack talking
dnl through the bridge's LOCAL port rather than a namespace.
572 OVS_TRAFFIC_VSWITCHD_START()
574 ADD_NAMESPACES(at_ns0)
dnl The host address is removed again on exit so it does not leak into later
dnl test cases that reuse 10.1.1.0/24.
576 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
577 AT_CHECK([ip link set dev br0 up])
578 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
579 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
581 dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
582 dnl return traffic from ns0 back to the local stack.
583 AT_DATA([flows.txt], [dnl
584 priority=1,action=drop
585 priority=10,arp,action=normal
dnl NOTE(review): there is no ct() action on the LOCAL ingress path, yet the
dnl -trk rule drops and the +trk rules commit. This only works if packets from
dnl the LOCAL port already carry conntrack state when they enter the bridge --
dnl presumably the host stack has already tracked them; confirm. The ICMP and
dnl TCP entries in the dump below show that is the case in this environment.
586 priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
587 priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
588 priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
dnl Return path: the reply must be established in zone 1 and then in zone 2
dnl before it is allowed back to the host stack.
589 priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
590 table=1,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
591 table=2,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
594 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl ping runs in the root namespace here (no NS_CHECK_EXEC), so it goes through
dnl the LOCAL rules and also leaves the two icmp entries seen in the dump.
596 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
597 3 packets transmitted, 3 received, 0% packet loss, time 0ms
600 dnl HTTP requests from root namespace to p0 should work fine.
601 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
602 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
604 dnl (again) HTTP requests from root namespace to p0 should work fine.
605 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Only zoned entries are compared; each connection appears once per zone.
607 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
608 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=1
609 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=2
610 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
611 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT)
614 OVS_TRAFFIC_VSWITCHD_STOP
617 AT_SETUP([conntrack - multiple namespaces, internal ports])
dnl Same allow-forward / track-reverse policy as the HTTP cases, but the ports
dnl are OVS internal ports moved into the namespaces (ADD_INT) rather than veth
dnl pairs. The interesting property is isolation of conntrack state between the
dnl namespace stacks and the bridge; see the skb->nfct comment below.
dnl fail-mode secure keeps the bridge from falling back to normal switching if
dnl the flow table were ever empty, so nothing passes without an explicit rule.
619 OVS_TRAFFIC_VSWITCHD_START(
620 [set-fail-mode br0 secure -- ])
622 ADD_NAMESPACES(at_ns0, at_ns1)
624 ADD_INT(p0, at_ns0, br0, "10.1.1.1/24")
625 ADD_INT(p1, at_ns1, br0, "10.1.1.2/24")
627 dnl Allow any traffic from ns0->ns1. Only allow neighbour discovery (ARP),
dnl ICMP and return traffic from ns1->ns0.
629 dnl If skb->nfct is leaking from inside the namespace, this test will fail.
dnl That is: if conntrack state attached by the namespace's own stack survived
dnl the hop onto the bridge, the -trk rules here would not match as intended.
630 AT_DATA([flows.txt], [dnl
631 priority=1,action=drop
632 priority=10,arp,action=normal
633 priority=10,icmp,action=normal
634 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=1),2
635 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
636 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
dnl Style: this is the only case in the file that installs flows without
dnl --bundle; harmless here, but inconsistent with the sibling cases.
639 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
641 dnl HTTP requests from p0->p1 should work fine.
642 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
643 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
645 dnl (again) HTTP requests from p0->p1 should work fine.
646 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
648 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
649 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
dnl The argument lists log lines to tolerate when the vswitchd log is checked
dnl on shutdown; both arise from tearing down internal ports that the
dnl namespaces have already taken with them. They look like sed delete
dnl expressions -- confirm in the OVS_TRAFFIC_VSWITCHD_STOP definition.
652 OVS_TRAFFIC_VSWITCHD_STOP(["dnl
653 /ioctl(SIOCGIFINDEX) on .* device failed: No such device/d
654 /removing policing failed: No such device/d"])
657 AT_SETUP([conntrack - multi-stage pipeline, local])
dnl A five-table pipeline that tracks every connection twice: once in a zone
dnl named after the ingress port (table 1) and once in a zone named after the
dnl egress port (table 2/3). The dump at the end shows each connection in both
dnl zone 1 and zone 65534 (OFPP_LOCAL), which is how the double tracking is
dnl verified. Only the host-to-namespace direction is initiated here.
659 OVS_TRAFFIC_VSWITCHD_START()
661 ADD_NAMESPACES(at_ns0)
663 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
664 AT_CHECK([ip link set dev br0 up])
dnl Remove the host address on exit so it does not persist into later cases.
665 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
666 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
668 dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
669 dnl return traffic from ns0 back to the local stack.
670 AT_DATA([flows.txt], [dnl
672 table=0,priority=1,action=drop
673 table=0,priority=10,arp,action=normal
675 dnl Load the output port to REG0
dnl Traffic from LOCAL goes out port 1; traffic from port 1 goes to LOCAL,
dnl whose OpenFlow port number is 65534.
676 table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
677 table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1
680 dnl - Allow all connections from LOCAL port (commit and proceed to egress)
681 dnl - All other connections go through conntracker using the input port as
682 dnl a connection tracking zone.
dnl As in the "multiple zones, local" case, the LOCAL rule matches +trk+new
dnl without a preceding ct() action, so it relies on LOCAL-port packets already
dnl carrying conntrack state from the host stack -- presumably; confirm.
683 table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2
684 table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
685 table=1,priority=1,action=drop
688 dnl - Allow all connections from LOCAL port (commit and skip to output)
689 dnl - Allow other established connections to go through conntracker using
690 dnl output port as a connection tracking zone.
691 table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4
692 table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
693 table=2,priority=1,action=drop
695 dnl Only allow established traffic from egress ct lookup
dnl Second gate: a reply has to be established in the egress-port zone as well
dnl as the ingress-port zone before it can reach table 4.
696 table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
697 table=3,priority=1,action=drop
dnl Output to whichever port table 0 stored in reg0.
700 table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
703 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Root-namespace ping: exercises the LOCAL path and creates the icmp entries.
705 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
706 3 packets transmitted, 3 received, 0% packet loss, time 0ms
709 dnl HTTP requests from root namespace to p0 should work fine.
710 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
711 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
713 dnl (again) HTTP requests from root namespace to p0 should work fine.
714 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Each connection must show up in both the ingress-port and egress-port zones.
716 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
717 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=1
718 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=65534
719 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
720 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=65534,protoinfo=(state=TIME_WAIT)
723 OVS_TRAFFIC_VSWITCHD_STOP
726 AT_SETUP([conntrack - ct_mark])
dnl ct_mark is per-connection metadata stored in the conntrack entry at commit
dnl time. The first pair sets mark 1 and admits replies with ct_mark=1; the
dnl second pair sets mark 2 but its reply rule still requires ct_mark=1, so the
dnl reply is dropped. That negative case shows the mark is actually matched.
728 OVS_TRAFFIC_VSWITCHD_START()
730 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
732 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
733 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
734 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
735 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
737 dnl Allow traffic between ns0<->ns1 using the ct_mark.
738 dnl Check that different marks do not match for traffic between ns2<->ns3.
739 AT_DATA([flows.txt], [dnl
740 priority=1,action=drop
741 priority=10,arp,action=normal
742 priority=10,icmp,action=normal
dnl exec(...) runs the set_field as part of the commit, so the mark is written
dnl into the new conntrack entry rather than only onto this packet.
743 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
744 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
745 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
746 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:2->ct_mark)),4
747 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
dnl Deliberate mismatch: the entry carries mark 2, so ct_mark=1 never matches.
748 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
751 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
753 dnl HTTP requests from p0->p1 should work fine.
754 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
755 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl grep TIME narrows the dump to the completed connection's entry.
757 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
758 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=TIME_WAIT)
761 dnl HTTP requests from p2->p3 should fail due to network failure.
762 dnl Try 3 times, in 1 second intervals.
763 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
764 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl As in the "zones" case the entry reads ESTABLISHED although the fetch
dnl failed; the mark=2 is what this check is really after.
766 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
767 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=ESTABLISHED)
770 OVS_TRAFFIC_VSWITCHD_STOP
773 AT_SETUP([conntrack - ct_mark from register])
dnl Same positive/negative pair as the "ct_mark" case, but the mark is copied
dnl from reg0 with a move inside exec(...) instead of a literal set_field, which
dnl checks that register values are readable at commit time.
775 OVS_TRAFFIC_VSWITCHD_START()
777 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
779 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
780 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
781 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
782 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
784 dnl Allow any traffic from ns0->ns1. Only allow neighbour discovery (ARP),
dnl ICMP and return traffic from ns1->ns0.
785 AT_DATA([flows.txt], [dnl
786 priority=1,action=drop
787 priority=10,arp,action=normal
788 priority=10,icmp,action=normal
789 priority=100,in_port=1,tcp,action=load:1->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),2
790 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
791 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
792 priority=100,in_port=3,tcp,action=load:2->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),4
793 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
dnl Deliberate mismatch: the entry carries mark 2, so ct_mark=1 never matches
dnl and the second pair's reply is dropped.
794 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
797 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
799 dnl HTTP requests from p0->p1 should work fine.
800 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
801 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
803 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
804 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=TIME_WAIT)
807 dnl HTTP requests from p2->p3 should fail due to network failure.
808 dnl Try 3 times, in 1 second intervals.
809 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
810 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
812 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
813 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=ESTABLISHED)
816 OVS_TRAFFIC_VSWITCHD_STOP
819 AT_SETUP([conntrack - ct_label])
dnl Same shape as the ct_mark tests, using the 128-bit ct_label instead.
dnl p0<->p1 is committed with label 0x0a000d000005000001 and return traffic
dnl with that label is admitted; p2<->p3 is committed with label 0x2 but the
dnl return flow on in_port=4 still requires the first label, so it is dropped.
821 OVS_TRAFFIC_VSWITCHD_START()
823 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
825 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
826 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
827 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
828 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
830 dnl Allow traffic between ns0<->ns1 using the ct_label.
831 dnl Check that different labels do not match for traffic between ns2<->ns3.
832 AT_DATA([flows.txt], [dnl
833 priority=1,action=drop
834 priority=10,arp,action=normal
835 priority=10,icmp,action=normal
836 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:0x0a000d000005000001->ct_label)),2
837 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
838 priority=100,in_port=2,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=1
839 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:0x2->ct_label)),4
840 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
841 priority=100,in_port=4,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=3
844 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
846 dnl HTTP requests from p0->p1 should work fine.
847 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
848 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
850 dnl HTTP requests from p2->p3 should fail due to network failure.
851 dnl Try 3 times, in 1 second intervals.
852 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
dnl wget exit status 4 is its network-failure code.
853 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
855 OVS_TRAFFIC_VSWITCHD_STOP
858 AT_SETUP([conntrack - ICMP related])
dnl Checks that an ICMP error generated in response to a committed UDP flow is
dnl classified as +rel and inherits the ct_mark of that flow, while the policy
dnl admits nothing else from p1 (only ARP is allowed unconditionally).
860 OVS_TRAFFIC_VSWITCHD_START()
862 ADD_NAMESPACES(at_ns0, at_ns1)
864 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
865 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
867 dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
868 AT_DATA([flows.txt], [dnl
869 priority=1,action=drop
870 priority=10,arp,action=normal
871 priority=100,in_port=1,udp,action=ct(commit,exec(set_field:1->ct_mark)),2
872 priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
dnl ct_mark=1 on the related ICMP confirms it was associated with the UDP entry.
873 priority=100,in_port=2,icmp,ct_state=+trk+rel,ct_mark=1,action=1
876 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
878 dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
dnl Nothing listens on UDP port 10000 in ns1, so the kernel there answers with ICMP.
879 NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])
dnl NOTE(review): presumably this flushes datapath flows so their statistics
dnl are attributed to the OpenFlow flows before dump-flows runs; confirm.
881 AT_CHECK([ovs-appctl revalidator/purge], [0])
dnl The UDP packet and the ICMP error each hit their flows exactly once (the
dnl ICMP error once untracked, once after recirculation as +rel); ARP is
dnl request plus reply. The priority=1 drop flow is filtered out of the dump.
882 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
883 n_packets=1, n_bytes=44, priority=100,udp,in_port=1 actions=ct(commit,exec(load:0x1->NXM_NX_CT_MARK[[]])),output:2
884 n_packets=1, n_bytes=72, priority=100,ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2 actions=output:1
885 n_packets=1, n_bytes=72, priority=100,ct_state=-trk,icmp,in_port=2 actions=ct(table=0)
886 n_packets=2, n_bytes=84, priority=10,arp actions=NORMAL
890 OVS_TRAFFIC_VSWITCHD_STOP
893 AT_SETUP([conntrack - ICMP related 2])
dnl Injects crafted packets with packet-out and watches packet-ins on a monitor
dnl to show that an ICMP error is only reported as +rel+rpl when it refers to
dnl a connection conntrack has actually seen; an unsolicited ICMP error that
dnl references no tracked flow matches nothing and is dropped.
895 OVS_TRAFFIC_VSWITCHD_START()
897 ADD_NAMESPACES(at_ns0, at_ns1)
899 ADD_VETH(p0, at_ns0, br0, "172.16.0.1/24")
900 ADD_VETH(p1, at_ns1, br0, "172.16.0.2/24")
902 dnl Commit UDP from p0 and send tracked p0 traffic to the controller.
dnl From p1 only tracked traffic that is both related and a reply reaches the controller.
903 AT_DATA([flows.txt], [dnl
904 priority=1,action=drop
905 priority=10,arp,action=normal
906 priority=100,in_port=1,udp,ct_state=-trk,action=ct(commit,table=0)
907 priority=100,in_port=1,ip,ct_state=+trk,actions=controller
908 priority=100,in_port=2,ip,ct_state=-trk,action=ct(table=0)
909 priority=100,in_port=2,ip,ct_state=+trk+rel+rpl,action=controller
912 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt])
914 AT_CAPTURE_FILE([ofctl_monitor.log])
dnl Detached monitor records every packet-in the controller actions produce.
915 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
917 dnl 1. Send an ICMP port unreach reply for port 8738, without any previous request
dnl Not related to any tracked connection, so it cannot match the +rel+rpl
dnl flow and is dropped by priority=1: no packet-in is expected for it.
918 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f355ac100004ac1000030303553f0000000045000021317040004011b138ac100003ac10000411112222000d20966369616f0a'])
920 dnl 2. Send a UDP packet to port 5555
dnl Committed by the ct action given to packet-out, then reported as new|trk.
921 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit,table=0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
923 dnl 3. Send an ICMP port unreach reply for port 5555, related to the first packet
924 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
926 dnl Check this output. We only see the latter two packets, not the first.
927 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
928 NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=47 ct_state=new|trk,in_port=1 (via action) data_len=47 (unbuffered)
929 udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096
930 NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=75 ct_state=rel|rpl|trk,in_port=2 (via action) data_len=75 (unbuffered)
931 icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f
934 OVS_TRAFFIC_VSWITCHD_STOP
937 AT_SETUP([conntrack - FTP])
dnl Exercises the FTP ALG (alg=ftp): the data connection announced on the
dnl control channel must show up as a +rel connection so a stateful policy can
dnl admit it without opening p1->p0 in general. Two policies are tried: one
dnl that commits every p0->p1 TCP flow, and a stricter one that only commits
dnl new connections and explicitly commits the related data connection.
938 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
940 OVS_TRAFFIC_VSWITCHD_START()
942 ADD_NAMESPACES(at_ns0, at_ns1)
944 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
945 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
947 dnl Allow any TCP from ns0->ns1 with the FTP helper attached.
dnl From ns1->ns0 only allow established or related (FTP data) connections.
948 AT_DATA([flows1.txt], [dnl
949 priority=1,action=drop
950 priority=10,arp,action=normal
951 priority=10,icmp,action=normal
952 priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
953 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
954 priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
955 priority=100,in_port=2,tcp,ct_state=+trk+rel,action=1
958 dnl Similar policy but without allowing all traffic from ns0->ns1.
959 AT_DATA([flows2.txt], [dnl
960 priority=1,action=drop
961 priority=10,arp,action=normal
962 priority=10,icmp,action=normal
963 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0)
964 priority=100,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
965 priority=100,in_port=1,tcp,ct_state=+trk+est,action=2
966 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
dnl A new+rel connection from p1 is the server-initiated active-mode data
dnl connection; it is committed so its later packets match as +est.
967 priority=100,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
968 priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
969 priority=100,in_port=2,tcp,ct_state=+trk-new+rel,action=1
972 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
974 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
975 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
977 dnl FTP requests from p1->p0 should fail due to network failure.
978 dnl Try 3 times, in 1 second intervals.
979 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
dnl The dump for 10.1.1.1 is expected to be empty: nothing in the rejected direction was committed.
980 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
983 dnl FTP requests from p0->p1 should work fine.
984 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl helper=ftp on the control connection shows the ALG was attached at commit.
985 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
986 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
989 dnl Try the second set of flows.
990 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
dnl Start from an empty table so entries from the first policy cannot leak into this run.
991 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
993 dnl FTP requests from p1->p0 should fail due to network failure.
994 dnl Try 3 times, in 1 second intervals.
995 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
996 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
999 dnl Active FTP requests from p0->p1 should work fine.
1000 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log])
dnl Two entries: the control connection with the helper, and the data
dnl connection the server opened back towards 10.1.1.1 (committed as new+rel).
1001 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
1002 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
1003 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
1006 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1008 dnl Passive FTP requests from p0->p1 should work fine.
1009 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log])
dnl In passive mode the client opens the data connection too, so both entries originate from 10.1.1.1.
1010 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
1011 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
1012 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
1015 OVS_TRAFFIC_VSWITCHD_STOP
1019 AT_SETUP([conntrack - IPv6 FTP])
dnl IPv6 counterpart of the FTP ALG test, using a two-table pipeline: table 0
dnl passes ICMPv6 untracked and sends all other IPv6 through ct into table 1,
dnl where only the FTP control connection (tp_dst=21), its related data
dnl connection and established traffic are admitted.
1020 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1022 OVS_TRAFFIC_VSWITCHD_START()
1024 ADD_NAMESPACES(at_ns0, at_ns1)
1026 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1027 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1029 dnl Allow any traffic from ns0->ns1.
1030 dnl Only allow nd, return traffic from ns1->ns0.
1031 AT_DATA([flows.txt], [dnl
1032 dnl Track all IPv6 traffic and drop the rest.
1033 dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked.
1034 table=0 priority=100 in_port=1 icmp6, action=2
1035 table=0 priority=100 in_port=2 icmp6, action=1
1036 table=0 priority=10 ip6, action=ct(table=1)
1037 table=0 priority=0 action=drop
1041 dnl Allow new TCPv6 FTP control connections from port 1.
1042 table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
1043 dnl Allow related TCPv6 connections from port 2.
1044 table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1
1045 dnl Allow established TCPv6 connections both ways.
1046 table=1 in_port=1 ct_state=+est, tcp6, action=2
1047 table=1 in_port=2 ct_state=+est, tcp6, action=1
1048 dnl Drop everything else.
1049 table=1 priority=0, action=drop
1052 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1054 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1056 dnl FTP requests from p0->p1 should work fine.
dnl The doubled brackets are m4 quoting for the literal IPv6 URL brackets.
1057 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
1059 dnl Discards CLOSE_WAIT and CLOSING
dnl Expect the control connection (helper=ftp) plus the active-mode data
dnl connection the server opened back to fc00::1 via the +new+rel flow.
1060 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2) | grep -v "FIN" | grep -v "CLOS"], [0], [dnl
1061 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
1062 tcp,orig=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
1065 OVS_TRAFFIC_VSWITCHD_STOP
1069 AT_SETUP([conntrack - FTP with multiple expectations])
dnl Models two firewalls in series as two conntrack zones (1 and 2). Each
dnl p0->p1 control connection is committed with alg=ftp in both zones, so the
dnl FTP helper has to create an expectation per zone and the related data
dnl connection must be accepted in both.
1070 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1072 OVS_TRAFFIC_VSWITCHD_START()
1074 ADD_NAMESPACES(at_ns0, at_ns1)
1076 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1077 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1079 dnl Dual-firewall: allow all TCP from p0->p1 (committed in zone 1 and zone 2),
dnl allow only established and FTP-related connections from p1->p0.
1080 AT_DATA([flows.txt], [dnl
1081 priority=1,action=drop
1082 priority=10,arp,action=normal
1083 priority=10,icmp,action=normal
1084 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
1085 priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
1086 priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=0,zone=2)
1087 priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=2)
1088 priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
1089 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
1090 priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
1091 priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=0,zone=1)
1092 priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
1093 priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
1096 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1098 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
1099 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1101 dnl FTP requests from p1->p0 should fail due to network failure.
1102 dnl Try 3 times, in 1 second intervals.
1103 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
dnl The dump for 10.1.1.1 is expected to be empty.
1104 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
1107 dnl Active FTP requests from p0->p1 should work fine.
1108 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Control connection with helper=ftp and server-initiated data connection,
dnl each present once per zone.
1109 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
1110 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT),helper=ftp
1111 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT),helper=ftp
1112 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
1113 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT)
1116 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1118 dnl Passive FTP requests from p0->p1 should work fine.
1119 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl In passive mode both connections originate from 10.1.1.1; again one pair per zone.
1120 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
1121 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
1122 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT),helper=ftp
1123 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT)
1124 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT),helper=ftp
1127 OVS_TRAFFIC_VSWITCHD_STOP
1130 AT_SETUP([conntrack - IPv4 fragmentation ])
dnl ICMP echo through conntrack in zone 9 with payloads large enough to be
dnl fragmented on the wire; the return path only admits +est traffic, so the
dnl test passes only if conntrack handles the fragments as one datagram.
1132 OVS_TRAFFIC_VSWITCHD_START()
1134 ADD_NAMESPACES(at_ns0, at_ns1)
1136 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1137 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1139 dnl Sending ping through conntrack
1140 AT_DATA([flows.txt], [dnl
1141 priority=1,action=drop
1142 priority=10,arp,action=normal
1143 priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
1144 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1145 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1148 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1150 dnl Basic connectivity check.
1151 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1152 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1155 dnl Ipv4 fragmentation connectivity check.
1156 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1157 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1160 dnl Ipv4 larger fragmentation connectivity check.
1161 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1162 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1165 OVS_TRAFFIC_VSWITCHD_STOP
1168 AT_SETUP([conntrack - IPv4 fragmentation + vlan])
dnl Same as the IPv4 fragmentation test, but the pings travel over VLAN 100
dnl sub-interfaces (10.2.2.0/24) so fragment handling is exercised on tagged traffic.
1170 OVS_TRAFFIC_VSWITCHD_START()
1172 ADD_NAMESPACES(at_ns0, at_ns1)
1174 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1175 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1176 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
1177 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
1179 dnl Sending ping through conntrack
1180 AT_DATA([flows.txt], [dnl
1181 priority=1,action=drop
1182 priority=10,arp,action=normal
1183 priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
1184 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1185 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1188 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1190 dnl Basic connectivity check.
1191 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1192 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1195 dnl Ipv4 fragmentation connectivity check.
1196 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1197 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1200 dnl Ipv4 larger fragmentation connectivity check.
1201 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1202 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1205 OVS_TRAFFIC_VSWITCHD_STOP
1208 AT_SETUP([conntrack - IPv6 fragmentation])
dnl IPv6 counterpart of the IPv4 fragmentation test: ping6 with fragmenting
dnl payloads through conntrack zone 9, with only +est traffic admitted back.
1210 OVS_TRAFFIC_VSWITCHD_START()
1212 ADD_NAMESPACES(at_ns0, at_ns1)
1214 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1215 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1217 dnl Sending ping through conntrack
1218 AT_DATA([flows.txt], [dnl
1219 priority=1,action=drop
1220 priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
1221 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1222 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
dnl Neighbor solicitation (135) and advertisement (136) bypass conntrack so
dnl address resolution works before any connection is committed.
1223 priority=100,icmp6,icmp_type=135,action=normal
1224 priority=100,icmp6,icmp_type=136,action=normal
1227 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1229 dnl Without this sleep, we get occasional failures due to the following error:
1230 dnl "connect: Cannot assign requested address"
1233 dnl Basic connectivity check.
1234 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1235 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1238 dnl IPv6 fragmentation connectivity check.
1239 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1240 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1243 dnl IPv6 larger fragmentation connectivity check.
1244 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1245 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1248 OVS_TRAFFIC_VSWITCHD_STOP
1251 AT_SETUP([conntrack - IPv6 fragmentation + vlan])
dnl Same as the IPv6 fragmentation test, but over VLAN 100 sub-interfaces
dnl (fc00:1::/96) so fragment handling is exercised on tagged IPv6 traffic.
1253 OVS_TRAFFIC_VSWITCHD_START()
1255 ADD_NAMESPACES(at_ns0, at_ns1)
1257 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1258 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1260 ADD_VLAN(p0, at_ns0, 100, "fc00:1::3/96")
1261 ADD_VLAN(p1, at_ns1, 100, "fc00:1::4/96")
1263 dnl Sending ping through conntrack
1264 AT_DATA([flows.txt], [dnl
1265 priority=1,action=drop
1266 priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
1267 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1268 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
dnl Neighbor solicitation (135) and advertisement (136) bypass conntrack.
1269 priority=100,icmp6,icmp_type=135,action=normal
1270 priority=100,icmp6,icmp_type=136,action=normal
1273 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1275 dnl Without this sleep, we get occasional failures due to the following error:
1276 dnl "connect: Cannot assign requested address"
1279 dnl Basic connectivity check.
1280 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1281 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1284 dnl IPv6 fragmentation connectivity check.
1285 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1286 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1289 dnl IPv6 larger fragmentation connectivity check.
1290 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1291 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1294 OVS_TRAFFIC_VSWITCHD_STOP
1297 AT_SETUP([conntrack - Fragmentation over vxlan])
dnl Fragmenting pings through conntrack where the overlay (10.1.1.0/24) rides
dnl a VXLAN tunnel: OVS terminates the tunnel on br0 and the namespace uses a
dnl native Linux vxlan device over the 172.31.1.0/24 underlay on br-underlay.
1301 OVS_TRAFFIC_VSWITCHD_START()
1302 ADD_BR([br-underlay])
1303 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
1305 ADD_NAMESPACES(at_ns0)
1307 dnl Sending ping through conntrack
dnl Port 1 is the tunnel side; LOCAL is the host-side endpoint that answers the pings.
1308 AT_DATA([flows.txt], [dnl
1309 priority=1,action=drop
1310 priority=10,arp,action=normal
1311 priority=100,in_port=1,icmp,action=ct(commit,zone=9),LOCAL
1312 priority=100,in_port=LOCAL,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1313 priority=100,in_port=LOCAL,ct_state=+trk+est,icmp,action=1
1316 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1318 dnl Set up underlay link from host into the namespace using veth pair.
1319 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
1320 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
1321 AT_CHECK([ip link set dev br-underlay up])
1323 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
1324 dnl linux device inside the namespace.
1325 ADD_OVS_TUNNEL([vxlan], [br0], [at_ns0], [172.31.1.1], [10.1.1.100/24])
1326 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
1327 [id 0 dstport 4789])
1329 dnl First, check the underlay
1330 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
1331 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1334 dnl Okay, now check the overlay with different packet sizes
1335 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1336 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1338 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1339 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1341 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1342 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1345 OVS_TRAFFIC_VSWITCHD_STOP
1349 AT_SETUP([conntrack - resubmit to ct multiple times])
dnl One packet is resubmitted to two tables that each send it through ct into
dnl table 3. The flow counters verify that both ct invocations complete and
dnl table 3 sees the packet twice; the ping itself is expected to be dropped.
1352 OVS_TRAFFIC_VSWITCHD_START(
1353 [set-fail-mode br0 secure -- ])
1355 ADD_NAMESPACES(at_ns0, at_ns1)
1357 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1358 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1360 AT_DATA([flows.txt], [dnl
1361 table=0,priority=150,arp,action=normal
1362 table=0,priority=100,ip,in_port=1,action=resubmit(,1),resubmit(,2)
1364 table=1,priority=100,ip,action=ct(table=3)
1365 table=2,priority=100,ip,action=ct(table=3)
1367 table=3,ip,action=drop
1370 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
dnl 100% loss is the expected outcome: every IP packet ends in the table 3 drop.
1372 NS_CHECK_EXEC([at_ns0], [ping -q -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
1373 1 packets transmitted, 0 received, 100% packet loss, time 0ms
dnl Table 3 counts the single echo request twice (98 bytes each pass).
1376 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort], [0], [dnl
1377 n_packets=1, n_bytes=98, priority=100,ip,in_port=1 actions=resubmit(,1),resubmit(,2)
1378 n_packets=2, n_bytes=84, priority=150,arp actions=NORMAL
1379 table=1, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
1380 table=2, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
1381 table=3, n_packets=2, n_bytes=196, ip actions=drop
1385 OVS_TRAFFIC_VSWITCHD_STOP
1389 AT_SETUP([conntrack - simple SNAT])
dnl Source-NATs p0 traffic into the 10.1.1.240-10.1.1.255 pool. Because those
dnl addresses belong to no interface, tables 8 and 10 implement an ARP
dnl responder that answers queries for the pool with the MAC assigned to p0
dnl below, so p1 can deliver its replies; the nat flag on the return ct action
dnl then reverses the translation.
1391 OVS_TRAFFIC_VSWITCHD_START()
1393 ADD_NAMESPACES(at_ns0, at_ns1)
1395 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC so the ARP responder in table 8 can hand it out for the NAT pool.
1396 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1397 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1399 dnl Allow any IP from ns0->ns1, SNATed into the pool and committed in zone 1.
dnl From ns1->ns0 only allow tracked (un-NATed) return traffic in zone 1.
1400 AT_DATA([flows.txt], [dnl
1401 in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
1402 in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)
1403 in_port=2,ct_state=+trk,ct_zone=1,ip,action=1
dnl ARP requests: stash the target IP in reg2, look up its MAC, then answer or flood.
1406 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1407 priority=10 arp action=normal
1408 priority=0,action=drop
1410 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, i.e. the SNAT pool.
1411 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1412 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1413 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
1415 dnl Swaps the fields of the ARP message to turn a query to a response.
1416 table=10 priority=100 arp xreg0=0 action=normal
1417 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1418 table=10 priority=0 action=drop
1421 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1423 dnl HTTP requests from p0->p1 should work fine.
1424 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1425 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The reply tuple must point at a pool address; sed masks which one was chosen.
1427 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
1428 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
1431 OVS_TRAFFIC_VSWITCHD_STOP
1435 AT_SETUP([conntrack - SNAT with port range])
dnl Like the simple SNAT test, but the translated source port is restricted to
dnl 34567-34568 (chosen randomly). The return flows only admit tp_dst=34567 or
dnl 34568, so the connection can only succeed if the port range was honoured.
1437 OVS_TRAFFIC_VSWITCHD_START()
1439 ADD_NAMESPACES(at_ns0, at_ns1)
1441 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC handed out by the ARP responder in table 8 for the NAT pool.
1442 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1443 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1445 dnl Allow any TCP from ns0->ns1, SNATed into the pool with a two-port range.
dnl From ns1->ns0 only allow tracked return traffic addressed to one of those two ports.
1446 AT_DATA([flows.txt], [dnl
1447 in_port=1,tcp,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255:34567-34568,random)),2
1448 in_port=2,ct_state=-trk,tcp,tp_dst=34567,action=ct(table=0,zone=1,nat)
1449 in_port=2,ct_state=-trk,tcp,tp_dst=34568,action=ct(table=0,zone=1,nat)
1450 in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
dnl ARP responder for the pool, identical to the simple SNAT test.
1453 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1454 priority=10 arp action=normal
1455 priority=0,action=drop
1457 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
1458 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1459 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1460 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
1462 dnl Swaps the fields of the ARP message to turn a query to a response.
1463 table=10 priority=100 arp xreg0=0 action=normal
1464 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1465 table=10 priority=0 action=drop
1468 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1470 dnl HTTP requests from p0->p1 should work fine.
1471 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1472 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl Ports are cleared by FORMAT_CT; the pool address chosen is masked by sed.
1474 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
1475 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
1478 OVS_TRAFFIC_VSWITCHD_STOP
1482 AT_SETUP([conntrack - more complex SNAT])
dnl SNAT with a separate policy table: every IP packet is first run through
dnl ct with nat in zone 1 (table 0), then table 1 decides by ct_state whether
dnl to commit a new p0->p1 connection with SNAT, forward an established one,
dnl or drop. Only established traffic is accepted from p1.
1484 OVS_TRAFFIC_VSWITCHD_START()
1486 ADD_NAMESPACES(at_ns0, at_ns1)
1488 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC handed out by the ARP responder in table 8 for the NAT pool.
1489 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1490 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1492 AT_DATA([flows.txt], [dnl
1493 dnl Track all IP traffic, NAT existing connections.
1494 priority=100 ip action=ct(table=1,zone=1,nat)
1496 dnl Allow ARP, but generate responses for NATed addresses
1497 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1498 priority=10 arp action=normal
1499 priority=0 action=drop
1501 dnl Allow any traffic from ns0->ns1. SNAT ns0 to 10.1.1.240-10.1.1.255
1502 table=1 priority=100 in_port=1 ip ct_state=+trk+new-est action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
1503 table=1 priority=100 in_port=1 ip ct_state=+trk-new+est action=2
1504 dnl Only allow established traffic from ns1->ns0.
1505 table=1 priority=100 in_port=2 ip ct_state=+trk-new+est action=1
1506 table=1 priority=0 action=drop
1508 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, i.e. the SNAT pool.
1509 table=8 priority=100 reg2=0x0a0101f0/0xfffffff0 action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1510 dnl Zero result means not found.
1511 table=8 priority=0 action=load:0->OXM_OF_PKT_REG0[[]]
1512 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
1513 dnl ARP TPA IP in reg2.
1514 table=10 priority=100 arp xreg0=0 action=normal
1515 dnl Swaps the fields of the ARP message to turn a query to a response.
1516 table=10 priority=10 arp arp_op=1 action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1517 table=10 priority=0 action=drop
1520 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1522 dnl HTTP requests from p0->p1 should work fine.
1523 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1524 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The reply tuple must point at a pool address; sed masks which one was chosen.
1526 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
1527 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
1530 OVS_TRAFFIC_VSWITCHD_STOP
1533 AT_SETUP([conntrack - simple DNAT])
dnl Exposes ns1 (10.1.1.2) behind the virtual address 10.1.1.64 by DNATting new
dnl connections from ns0 in zone 1; ARP for the virtual address is answered from
dnl tables 8 and 10 with the pinned MAC of p1.
1535 OVS_TRAFFIC_VSWITCHD_START()
1537 ADD_NAMESPACES(at_ns0, at_ns1)
1539 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1540 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Pin the MAC of p1: table 8 below returns it for the virtual address.
1541 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
1543 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl NOTE(review): this is an IPv4 test, so "nd" presumably refers to the ARP flows
dnl below; only ARP and tracked, established IP are admitted from ns1.
1544 AT_DATA([flows.txt], [dnl
dnl Connections to the virtual address are committed with DNAT to 10.1.1.2.
1545 priority=100 in_port=1,ip,nw_dst=10.1.1.64,action=ct(zone=1,nat(dst=10.1.1.2),commit),2
dnl Any other IP from ns0 is committed untranslated so its replies are recognized.
1546 priority=10 in_port=1,ip,action=ct(commit,zone=1),2
dnl Untracked IP from ns1 is passed through ct with nat, so replies to the DNATted
dnl connection get their source rewritten back to 10.1.1.64, then re-enters table 0.
1547 priority=100 in_port=2,ct_state=-trk,ip,action=ct(table=0,nat,zone=1)
1548 priority=100 in_port=2,ct_state=+trk+est,ct_zone=1,ip,action=1
1551 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1552 priority=10 arp action=normal
1553 priority=0,action=drop
1555 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64, the virtual address.
1556 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1557 dnl Zero result means not found.
1558 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1559 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
1561 table=10 priority=100 arp xreg0=0 action=normal
1562 dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is saved in reg3 and zeroed so the reply can be output on the ingress port.
1563 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1564 table=10 priority=0 action=drop
1567 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1569 dnl Should work with the virtual IP address through NAT
1570 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1571 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The orig tuple keeps the virtual address; the reply tuple shows the real server.
1573 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64) ], [0], [dnl
1574 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
1577 dnl Should work with the assigned IP address as well
1578 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl The direct connection was committed by the priority=10 flow, without translation.
1580 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) ], [0], [dnl
1581 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
1584 OVS_TRAFFIC_VSWITCHD_STOP
1587 AT_SETUP([conntrack - more complex DNAT])
dnl Same DNAT of 10.1.1.64 to ns1 as the simple case, but every IP packet is
dnl tracked (and NATted) in table 0 first and the policy lives in table 1.
1589 OVS_TRAFFIC_VSWITCHD_START()
1591 ADD_NAMESPACES(at_ns0, at_ns1)
1593 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1594 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Pin the MAC of p1: table 8 below returns it for the virtual address.
1595 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
1597 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl NOTE(review): this is an IPv4 test, so "nd" presumably refers to the ARP flows below.
1598 AT_DATA([flows.txt], [dnl
1599 dnl Track all IP traffic
1600 table=0 priority=100 ip action=ct(table=1,zone=1,nat)
1602 dnl Allow ARP, but generate responses for NATed addresses
1603 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1604 table=0 priority=10 arp action=normal
1605 table=0 priority=0 action=drop
1607 dnl Allow any IP traffic from ns0->ns1. DNAT ns0 from 10.1.1.64 to 10.1.1.2
dnl New connections to the virtual address are committed with DNAT; other new
dnl connections are committed untranslated; established ones already went through
dnl ct(nat) in table 0 and are simply forwarded.
1608 table=1 priority=100 in_port=1 ct_state=+new ip nw_dst=10.1.1.64 action=ct(zone=1,nat(dst=10.1.1.2),commit),2
1609 table=1 priority=10 in_port=1 ct_state=+new ip action=ct(commit,zone=1),2
1610 table=1 priority=100 in_port=1 ct_state=+est ct_zone=1 action=2
1611 dnl Only allow established traffic from ns1->ns0.
dnl New connections from ns1 match nothing here and hit the drop below.
1612 table=1 priority=100 in_port=2 ct_state=+est ct_zone=1 action=1
1613 table=1 priority=0 action=drop
1615 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64, the virtual address.
1616 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1617 dnl Zero result means not found.
1618 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1619 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
1621 table=10 priority=100 arp xreg0=0 action=normal
1622 dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is saved in reg3 and zeroed so the reply can be output on the ingress port.
1623 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1624 table=10 priority=0 action=drop
1627 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1629 dnl Should work with the virtual IP address through NAT
1630 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1631 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The orig tuple keeps the virtual address; the reply tuple shows the real server.
1633 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64) ], [0], [dnl
1634 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
1637 dnl Should work with the assigned IP address as well
1638 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl The direct connection was committed by the priority=10 flow, without translation.
1640 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) ], [0], [dnl
1641 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
1644 OVS_TRAFFIC_VSWITCHD_STOP
1647 AT_SETUP([conntrack - ICMP related with NAT])
dnl Sends one UDP datagram from ns0 to a closed port on ns1 through SNAT and checks
dnl that the ICMP error coming back is accepted only as related traffic, and that
dnl its addresses are translated back before it reaches ns0.
1649 OVS_TRAFFIC_VSWITCHD_START()
1651 ADD_NAMESPACES(at_ns0, at_ns1)
1653 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Pin the MAC of p0: table 8 below hands it out for the SNAT pool.
1654 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1655 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1657 dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
1658 dnl Make sure ICMP responses are reverse-NATted.
1659 AT_DATA([flows.txt], [dnl
dnl ct_mark=1 tags the committed UDP entry; the ICMP flow below requires it.
1660 in_port=1,udp,action=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:1->ct_mark)),2
dnl Untracked ICMP from ns1 is run through ct with nat and re-enters table 0.
1661 in_port=2,icmp,ct_state=-trk,action=ct(table=0,nat)
dnl Only ICMP related to a marked connection, and already translated back to the
dnl real address of ns0, is forwarded; everything else falls to the drop below.
1662 in_port=2,icmp,nw_dst=10.1.1.1,ct_state=+trk+rel,ct_mark=1,action=1
1665 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1666 priority=10 arp action=normal
1667 priority=0,action=drop
1669 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, the SNAT pool.
1670 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1671 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1672 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
1674 dnl Swaps the fields of the ARP message to turn a query to a response.
1675 table=10 priority=100 arp xreg0=0 action=normal
1676 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1677 table=10 priority=0 action=drop
1680 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1682 dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
1683 NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])
dnl Presumably flushes datapath flows so the OpenFlow counters below are current.
1685 AT_CHECK([ovs-appctl revalidator/purge], [0])
dnl Counters show one UDP datagram out, one ICMP back through ct(nat) and admitted as
dnl related, and the ARP exchange including one synthesized reply; drop rules are
dnl filtered out. The expected text is the normalized rendering of ovs-ofctl
dnl (set_field instead of load, NXM field names), not the text from flows.txt.
1686 AT_CHECK([ovs-ofctl -O OpenFlow15 dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
1687 n_packets=1, n_bytes=42, priority=10,arp actions=NORMAL
1688 n_packets=1, n_bytes=44, udp,in_port=1 actions=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:0x1->ct_mark)),output:2
1689 n_packets=1, n_bytes=72, ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2,nw_dst=10.1.1.1 actions=output:1
1690 n_packets=1, n_bytes=72, ct_state=-trk,icmp,in_port=2 actions=ct(table=0,nat)
1691 n_packets=2, n_bytes=84, priority=100,arp,arp_op=1 actions=move:NXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1692 table=10, n_packets=1, n_bytes=42, priority=10,arp,arp_op=1 actions=set_field:2->arp_op,move:NXM_NX_ARP_SHA[[]]->NXM_NX_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_NX_ARP_SHA[[]],move:NXM_OF_ARP_SPA[[]]->NXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->NXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],set_field:0->in_port,output:NXM_NX_REG3[[0..15]]
1693 table=10, n_packets=1, n_bytes=42, priority=100,arp,reg0=0,reg1=0 actions=NORMAL
1694 table=8, n_packets=1, n_bytes=42, priority=0 actions=set_field:0->xreg0
1695 table=8, n_packets=1, n_bytes=42, reg2=0xa0101f0/0xfffffff0 actions=set_field:0x808888888888->xreg0
1696 OFPST_FLOW reply (OF1.5):
dnl The SNAT source varies within the pool, hence the 10.1.1.2XX normalization.
1699 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
1700 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),mark=1
1703 OVS_TRAFFIC_VSWITCHD_STOP
1707 AT_SETUP([conntrack - FTP with NAT])
dnl Active-mode FTP from ns0 through SNAT to 10.1.1.240: the ftp ALG on the control
dnl connection lets the server-initiated data connection towards the NAT address be
dnl recognized as related and reverse-NATted to ns0.
1708 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1711 OVS_TRAFFIC_VSWITCHD_START()
1713 ADD_NAMESPACES(at_ns0, at_ns1)
1715 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Pin the MAC of p0: table 8 below hands it out for the NAT address.
1716 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1717 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1719 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl NOTE(review): this is an IPv4 test, so "nd" presumably refers to the ARP flows below.
1721 AT_DATA([flows.txt], [dnl
1722 dnl track all IP traffic, de-mangle non-NEW connections
dnl Each direction has its own policy table (1 for ns0->ns1, 2 for ns1->ns0).
1723 table=0 in_port=1, ip, action=ct(table=1,nat)
1724 table=0 in_port=2, ip, action=ct(table=2,nat)
1728 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1729 table=0 priority=10 arp action=normal
1730 table=0 priority=0 action=drop
1732 dnl Table 1: port 1 -> 2
1734 dnl Allow new FTP connections. These need to be committed.
dnl alg=ftp attaches the FTP helper so the data connection announced on the control
dnl channel can later be recognized as related.
1735 table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
1736 dnl Allow established TCP connections, make sure they are NATted already.
dnl Matching nw_src=10.1.1.240 verifies that ct(nat) in table 0 translated the packet.
1737 table=1 ct_state=+est, tcp, nw_src=10.1.1.240, action=2
1739 dnl Table 1: droppers
1741 table=1 priority=10, tcp, action=drop
1742 table=1 priority=0,action=drop
1744 dnl Table 2: port 2 -> 1
1746 dnl Allow established TCP connections, make sure they are reverse NATted
1747 table=2 ct_state=+est, tcp, nw_dst=10.1.1.1, action=1
1748 dnl Allow (new) related (data) connections. These need to be committed.
dnl Only connections the helper expects (related) and aimed at the NAT address are
dnl admitted; they are committed with nat so the destination becomes 10.1.1.1.
1749 table=2 ct_state=+new+rel, tcp, nw_dst=10.1.1.240, action=ct(commit,nat),1
1750 dnl Allow related ICMP packets, make sure they are reverse NATted
1751 table=2 ct_state=+rel, icmp, nw_dst=10.1.1.1, action=1
1753 dnl Table 2: droppers
1755 table=2 priority=10, tcp, action=drop
1756 table=2 priority=0, action=drop
1758 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28 and covers the NAT address.
1760 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1761 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1762 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
1764 dnl Swaps the fields of the ARP message to turn a query to a response.
1765 table=10 priority=100 arp xreg0=0 action=normal
1766 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1767 table=10 priority=0 action=drop
1770 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1772 dnl NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
1773 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1775 dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode, so the data connection is opened by the
dnl server towards the NAT address and exercises the related path in table 2.
1776 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
dnl Expect the control connection (helper=ftp) and the server-initiated data
dnl connection, both translated; FIN_WAIT entries are filtered out.
1778 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
1779 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
1780 tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
1783 OVS_TRAFFIC_VSWITCHD_STOP
1787 AT_SETUP([conntrack - FTP with NAT 2])
dnl Variant of the FTP test above: table 0 only tracks (no nat), and every allowing
dnl flow in table 1 performs ct(nat) itself.
1788 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1790 OVS_TRAFFIC_VSWITCHD_START()
1792 ADD_NAMESPACES(at_ns0, at_ns1)
1794 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Pin the MAC of p0: table 8 below hands it out for the NAT address.
1795 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1796 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1798 dnl Allow any traffic from ns0->ns1.
1799 dnl Only allow nd, return traffic from ns1->ns0.
dnl NOTE(review): this is an IPv4 test, so "nd" presumably refers to the ARP flows below.
1800 AT_DATA([flows.txt], [dnl
1801 dnl track all IP traffic (this includes a helper call to non-NEW packets.)
1802 table=0 ip, action=ct(table=1)
1806 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1807 table=0 priority=10 arp action=normal
1808 table=0 priority=0 action=drop
1812 dnl Allow new FTP connections. These need to be committed.
1813 dnl This does helper for new packets.
1814 table=1 in_port=1 ct_state=+new, tcp, tp_dst=21, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
1815 dnl Allow and NAT established TCP connections
dnl No address match here: translation happens in ct(nat) on the way out.
1816 table=1 in_port=1 ct_state=+est, tcp, action=ct(nat),2
1817 table=1 in_port=2 ct_state=+est, tcp, action=ct(nat),1
1818 dnl Allow and NAT (new) related active (data) connections.
1819 dnl These need to be committed.
1820 table=1 in_port=2 ct_state=+new+rel, tcp, action=ct(commit,nat),1
1821 dnl Allow related ICMP packets.
1822 table=1 in_port=2 ct_state=+rel, icmp, action=ct(nat),1
1823 dnl Drop everything else.
1824 table=1 priority=0, action=drop
1826 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28 and covers the NAT address.
1828 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1829 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1830 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
1832 dnl Swaps the fields of the ARP message to turn a query to a response.
1833 table=10 priority=100 arp xreg0=0 action=normal
1834 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1835 table=10 priority=0 action=drop
1838 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1840 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1842 dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode so the server opens the data connection.
1843 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
1845 dnl Discards CLOSE_WAIT and CLOSING
dnl Expect the control connection (helper=ftp) and the data connection, both translated.
1846 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN" | grep -v "CLOS"], [0], [dnl
1847 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
1848 tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
1851 OVS_TRAFFIC_VSWITCHD_STOP
1854 AT_SETUP([conntrack - IPv6 HTTP with NAT])
dnl IPv6 SNAT of ns0 (fc00::1) to fc00::240 for HTTP towards ns1; the reverse
dnl direction must fail because only replies to committed connections are allowed.
1856 OVS_TRAFFIC_VSWITCHD_START()
1858 ADD_NAMESPACES(at_ns0, at_ns1)
1860 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1861 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1862 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl Static neighbor entry for the NAT address in ns1, pointing at the pinned MAC
dnl of p0, so ns1 can reach fc00::240 (presumably because NAT does not translate
dnl neighbor discovery).
1863 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
1865 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
1866 AT_DATA([flows.txt], [dnl
1867 priority=1,action=drop
dnl ICMPv6 (including neighbor discovery) passes untracked in both directions.
1868 priority=10,icmp6,action=normal
dnl Every IPv6 packet from ns0 is committed with SNAT to fc00::240.
1869 priority=100,in_port=1,ip6,action=ct(commit,nat(src=fc00::240)),2
dnl Untracked IPv6 from ns1 is reverse-NATted and re-enters table 0; only
dnl established connections are then forwarded, so new TCP from ns1 falls through
dnl to the priority=1 drop.
1870 priority=100,in_port=2,ct_state=-trk,ip6,action=ct(nat,table=0)
1871 priority=100,in_port=2,ct_state=+trk+est,ip6,action=1
dnl Neighbor solicitations from ns1 for the NAT address are DNATted to fc00::1,
dnl committed, and sent to ns0.
1872 priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::240,action=ct(commit,nat(dst=fc00::1)),1
1875 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1877 dnl Without this sleep, we get occasional failures due to the following error:
1878 dnl "connect: Cannot assign requested address"
1881 dnl HTTP requests from ns0->ns1 should work fine.
1882 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])
1884 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1886 dnl HTTP requests from ns1->ns0 should fail due to network failure.
1887 dnl Try 3 times, in 1 second intervals.
dnl Exit status 4 is the wget code for a network failure: no flow admits a new
dnl TCP connection arriving on in_port=2.
1888 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
1889 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
1891 OVS_TRAFFIC_VSWITCHD_STOP
1895 AT_SETUP([conntrack - IPv6 FTP with NAT])
dnl IPv6 counterpart of the FTP with NAT test: active-mode FTP from ns0 with the
dnl control connection SNATted to fc00::240 and the server-initiated data
dnl connection admitted as related and reverse-NATted.
1896 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1898 OVS_TRAFFIC_VSWITCHD_START()
1900 ADD_NAMESPACES(at_ns0, at_ns1)
1902 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
dnl Pin the MAC of p0 so the static neighbor entry below can point at it.
1903 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1904 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1905 dnl Would be nice if NAT could translate neighbor discovery messages, too.
1906 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
1908 dnl Allow any traffic from ns0->ns1.
1909 dnl Only allow nd, return traffic from ns1->ns0.
1910 AT_DATA([flows.txt], [dnl
1911 dnl Allow other ICMPv6 both ways (without commit).
1912 table=1 priority=100 in_port=1 icmp6, action=2
1913 table=1 priority=100 in_port=2 icmp6, action=1
1914 dnl track all IPv6 traffic (this includes NAT & help to non-NEW packets.)
1915 table=0 priority=10 ip6, action=ct(nat,table=1)
1916 table=0 priority=0 action=drop
1920 dnl Allow new TCPv6 FTP control connections.
dnl alg=ftp attaches the FTP helper so the data connection announced on the
dnl control channel can later be recognized as related.
1921 table=1 in_port=1 ct_state=+new tcp6 ipv6_src=fc00::1 tp_dst=21 action=ct(alg=ftp,commit,nat(src=fc00::240)),2
1922 dnl Allow related TCPv6 connections from port 2 to the NATted address.
dnl In addition to +rel, the ipv6_dst match limits this to the NAT address.
1923 table=1 in_port=2 ct_state=+new+rel tcp6 ipv6_dst=fc00::240 action=ct(commit,nat),1
1924 dnl Allow established TCPv6 connections both ways, enforce NATting
dnl The address matches verify that ct(nat) in table 0 already translated the packet.
1925 table=1 in_port=1 ct_state=+est tcp6 ipv6_src=fc00::240 action=2
1926 table=1 in_port=2 ct_state=+est tcp6 ipv6_dst=fc00::1 action=1
1927 dnl Drop everything else.
1928 table=1 priority=0, action=drop
1931 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1933 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1935 dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode so the server opens the data connection.
1936 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
1938 dnl Discards CLOSE_WAIT and CLOSING
dnl Expect the control connection (helper=ftp) and the data connection, both translated.
1939 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2) | grep -v "FIN" | grep -v "CLOS"], [0], [dnl
1940 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
1941 tcp,orig=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
1944 OVS_TRAFFIC_VSWITCHD_STOP