AT_BANNER([datapath-sanity])

dnl Datapath sanity: plain L2 forwarding between two veth ports on br0 with a
dnl single "actions=normal" flow.  The 1600- and 3200-byte payloads are larger
dnl than a default 1500-byte MTU, so they presumably exercise IP fragmentation
dnl through the datapath as well as ordinary-sized packets.
AT_SETUP([datapath - ping between two ports])
OVS_TRAFFIC_VSWITCHD_START()

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl FORMAT_PING presumably rewrites the timing fields (hence "time 0ms") so
dnl the summary line can be compared literally; every reply must arrive.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl Datapath sanity: a TCP (HTTP) exchange across br0.  test-l7.py serves
dnl HTTP inside at_ns1 and wget in at_ns0 fetches from it.
AT_SETUP([datapath - http between two ports])
OVS_TRAFFIC_VSWITCHD_START()

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Confirm basic reachability before involving the HTTP server.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl The server is daemonized, so it may not be listening yet when wget starts:
dnl wget retries on "connection refused" (-t 3 attempts, -T 1s timeout).  Its
dnl verbose output is kept in wget0.log for diagnosis on failure.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl Datapath sanity: 802.1Q-tagged traffic through "actions=normal".  Each
dnl namespace gets a VLAN 100 sub-interface on its veth carrying 10.2.2.0/24;
dnl the untagged 10.1.1.0/24 addresses are configured but not pinged here.
AT_SETUP([datapath - ping between two ports on vlan])
OVS_TRAFFIC_VSWITCHD_START()

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")

dnl Pings go to the VLAN address, so every frame crosses br0 tagged.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl Datapath sanity, IPv6 variant of "ping between two ports".
AT_SETUP([datapath - ping6 between two ports])
OVS_TRAFFIC_VSWITCHD_START()

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
dnl (Presumably duplicate address detection leaving fc00::1 tentative.)  The
dnl wait loops until a single ping6 succeeds, before the counted pings below.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])

NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

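dnl Datapath sanity, IPv6 variant of "ping between two ports on vlan": the
dnl VLAN 100 sub-interfaces carry fc00:1::/96, the untagged veths fc00::/96.
AT_SETUP([datapath - ping6 between two ports on vlan])
OVS_TRAFFIC_VSWITCHD_START()

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

ADD_VLAN(p0, at_ns0, 100, "fc00:1::1/96")
ADD_VLAN(p1, at_ns1, 100, "fc00:1::2/96")

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
dnl Wait on the VLAN address that the checks below actually use: the error is
dnl about the *source* address, and fc00::1 on the untagged veth becoming
dnl usable says nothing about fc00:1::1 on the VLAN sub-interface.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00:1::2])

NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
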
dnl Overlay/underlay topology used by the tunnel tests:
dnl   br-underlay: host-side bridge with 172.31.1.100/24 on its local port,
dnl                reached from at_ns0 via veth p0 (172.31.1.1/24).
dnl   br0:         overlay bridge holding the OVS tunnel port; the overlay
dnl                address 10.1.1.100/24 lives on the OVS side and 10.1.1.1/24
dnl                on a native Linux tunnel device inside at_ns0.
AT_SETUP([datapath - ping over vxlan tunnel])
OVS_CHECK_VXLAN()

OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
dnl The native side uses VNI 0 and the IANA VXLAN port 4789, which must agree
dnl with the defaults the OVS vxlan port uses for the two to interoperate.
ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
                  [id 0 dstport 4789])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with different packet sizes
dnl (the larger payloads exceed the tunnel MTU, so they also cover fragmented
dnl inner packets).
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl Same topology as the vxlan test (br-underlay 172.31.1.100 <-> at_ns0
dnl 172.31.1.1, overlay 10.1.1.100 <-> 10.1.1.1), with a GRE tunnel.  The
dnl native side is "gretap" (Ethernet-over-GRE), matching the L2 frames the
dnl OVS gre port carries.
AT_SETUP([datapath - ping over gre tunnel])
OVS_CHECK_GRE()

OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with different packet sizes
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl Same topology as the vxlan test (br-underlay 172.31.1.100 <-> at_ns0
dnl 172.31.1.1, overlay 10.1.1.100 <-> 10.1.1.1), with a Geneve tunnel.
AT_SETUP([datapath - ping over geneve tunnel])
OVS_CHECK_GENEVE()

OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
dnl The native device is pinned to VNI 0 so it matches the OVS port.
ADD_OVS_TUNNEL([geneve], [br0], [at_gnv0], [172.31.1.1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL([geneve], [ns_gnv0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
                  [vni 0])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with different packet sizes
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl Truncate action (output(port=N,max_len=M)).
dnl
dnl Topology: p0 in at_ns0 (ofport 1) is the sender.  Two veth pairs have
dnl BOTH ends attached to br0 -- ovs-p1 (2) / p1 (3) and ovs-p2 (4) / p2 (5) --
dnl so anything output to port 2 re-enters br0 on port 3, and port 4 on port 5.
dnl Drop flows on ports 3 and 5 then count the bytes that arrived, which is how
dnl the truncated and original sizes are verified (n_bytes in dump-flows).
dnl
dnl The sender uses a static ARP entry for 10.1.1.2, so no ARP exchange is
dnl needed and every frame carries dl_dst=e6:66:c1:22:22:22, which the flows
dnl match on.  The 200-byte UDP payload produces a 242-byte frame
dnl (ETH 14 + IP 20 + UDP 8 + 200).
AT_SETUP([datapath - basic truncate action])
OVS_TRAFFIC_VSWITCHD_START()
AT_CHECK([ovs-ofctl del-flows br0])

dnl Create p0 and ovs-p0(1)
ADD_NAMESPACES(at_ns0)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])

dnl Create p1(3) and ovs-p1(2), packets received from ovs-p1 will appear in p1
AT_CHECK([ip link add p1 type veth peer name ovs-p1])
on_exit 'ip link del ovs-p1'
AT_CHECK([ip link set dev ovs-p1 up])
AT_CHECK([ip link set dev p1 up])
AT_CHECK([ovs-vsctl add-port br0 ovs-p1 -- set interface ovs-p1 ofport_request=2])
dnl Use p1 to check the truncated packet
AT_CHECK([ovs-vsctl add-port br0 p1 -- set interface p1 ofport_request=3])

dnl Create p2(5) and ovs-p2(4)
AT_CHECK([ip link add p2 type veth peer name ovs-p2])
on_exit 'ip link del ovs-p2'
AT_CHECK([ip link set dev ovs-p2 up])
AT_CHECK([ip link set dev p2 up])
AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=4])
dnl Use p2 to check the truncated packet
AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=5])

dnl basic test: one truncated copy to port 2, one untouched copy to port 4.
AT_CHECK([ovs-ofctl del-flows br0])
AT_DATA([flows.txt], [dnl
in_port=3 dl_dst=e6:66:c1:22:22:22 actions=drop
in_port=5 dl_dst=e6:66:c1:22:22:22 actions=drop
in_port=1 dl_dst=e6:66:c1:22:22:22 actions=output(port=2,max_len=100),output:4
])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl use this file as payload file for ncat
dnl (only the size matters; the content is never inspected)
AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
on_exit 'rm -f payload200.bin'
NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])

dnl packet with truncated size
dnl revalidator/purge pushes datapath flow stats up into the OpenFlow flows so
dnl that dump-flows shows the bytes; the sed keeps only the "n_bytes=N" field.
AT_CHECK([ovs-appctl revalidator/purge], [0])
AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" |  sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=100
])
dnl packet with original size
AT_CHECK([ovs-appctl revalidator/purge], [0])
AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=242
])

dnl more complicated output actions: several truncated and untruncated copies
dnl to each port, including a max_len larger than the packet (no truncation).
AT_CHECK([ovs-ofctl del-flows br0])
AT_DATA([flows.txt], [dnl
in_port=3 dl_dst=e6:66:c1:22:22:22 actions=drop
in_port=5 dl_dst=e6:66:c1:22:22:22 actions=drop
in_port=1 dl_dst=e6:66:c1:22:22:22 actions=output(port=2,max_len=100),output:4,output(port=2,max_len=100),output(port=4,max_len=100),output:2,output(port=4,max_len=200),output(port=2,max_len=65535)
])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])

dnl 100 + 100 + 242 + min(65535,242) = 684
AT_CHECK([ovs-appctl revalidator/purge], [0])
AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=684
])
dnl 242 + 100 + min(242,200) = 542
AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=542
])

dnl SLOW_ACTION: disable kernel datapath truncate support
dnl Repeat the test above, but exercise the SLOW_ACTION code path
dnl The expected reply below is compared literally, so its spelling has to
dnl match what ovs-appctl actually prints; do not "fix" it here alone.
AT_CHECK([ovs-appctl dpif/disable-truncate], [0],
[Datapath truncate action diabled
])

dnl SLOW_ACTION test1: check datapath actions
dnl With truncate unsupported in the datapath, the trace must show trunc()
dnl actions and report that the flow is handled by the userspace slow path.
AT_CHECK([ovs-ofctl del-flows br0])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=1,dl_type=0x800,dl_src=e6:66:c1:11:11:11,dl_dst=e6:66:c1:22:22:22,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,tp_src=8,tp_dst=9"], [0], [stdout])
AT_CHECK([tail -3 stdout], [0],
[Datapath actions: trunc(100),3,5,trunc(100),3,trunc(100),5,3,trunc(200),5,trunc(65535),3
This flow is handled by the userspace slow path because it:
        - Uses action(s) not supported by datapath.
])

dnl SLOW_ACTION test2: check actual packet truncate
dnl Same byte counts as before are expected from the userspace path.
AT_CHECK([ovs-ofctl del-flows br0])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])

dnl 100 + 100 + 242 + min(65535,242) = 684
AT_CHECK([ovs-appctl revalidator/purge], [0])
AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=684
])

dnl 242 + 100 + min(242,200) = 542
AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=542
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

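dnl Create 2 bridges and 2 namespaces to test truncate over
dnl GRE tunnel:
dnl   br0: overlay bridge
dnl   ns1: connect to br0 via p1/ovs-p1 (ofport 2), with IP 10.1.1.2
dnl   br-underlay: with IP 172.31.1.100
dnl   ns0: connect to br-underlay via p0 (172.31.1.1); its gretap device
dnl        ns_gre0 carries the overlay IP 10.1.1.1
dnl   at_gre0 (ofport 1): OVS gre port on br0, remote 172.31.1.1
dnl   p2/ovs-p2 (ofports 4/3): veth pair with both ends on br0, used as a
dnl        hairpin so bytes output to port 3 can be counted on port 4
dnl
dnl Both directions are checked: "push" (ns1 -> tunnel, counted on
dnl br-underlay's LOCAL port as the encapsulated size) and "pop" (ns0 -> tunnel
dnl -> br0, truncated copy counted on port 4).  Static ARP entries and fixed
dnl MACs keep ARP out of the byte counts.
AT_SETUP([datapath - truncate and output to gre tunnel])
OVS_CHECK_GRE()
OVS_TRAFFIC_VSWITCHD_START()

ADD_BR([br-underlay])
ADD_NAMESPACES(at_ns0)
ADD_NAMESPACES(at_ns1)
AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24])
AT_CHECK([ovs-vsctl -- set interface at_gre0 ofport_request=1])
NS_CHECK_EXEC([at_ns0], [ip link set dev ns_gre0 address e6:66:c1:11:11:11])
NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])

dnl Set up (p1 and ovs-p1) at br0
ADD_VETH(p1, at_ns1, br0, '10.1.1.2/24')
AT_CHECK([ovs-vsctl -- set interface ovs-p1 ofport_request=2])
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])

dnl Set up (p2 and ovs-p2) as loopback for verifying packet size
AT_CHECK([ip link add p2 type veth peer name ovs-p2])
on_exit 'ip link del ovs-p2'
AT_CHECK([ip link set dev ovs-p2 up])
AT_CHECK([ip link set dev p2 up])
AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=3])
AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=4])

dnl use this file as payload file for ncat
dnl (only the size matters; the content is never inspected)
AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
on_exit 'rm -f payload200.bin'

dnl Overlay flows: tunnel ingress (1) is truncated to both ns1 (2) and the
dnl hairpin (3); UDP from ns1 (2) is truncated into the tunnel (1).  Port 4
dnl (hairpin return) and everything else is dropped, which also stops the
dnl copies from looping.
AT_CHECK([ovs-ofctl del-flows br0])
AT_DATA([flows.txt], [dnl
priority=99,in_port=1,actions=output(port=2,max_len=100),output(port=3,max_len=100)
priority=99,in_port=2,udp,actions=output(port=1,max_len=100)
priority=1,in_port=4,ip,actions=drop
priority=1,actions=drop
])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl Underlay flows: only GRE (IP proto 47) between the host (LOCAL) and ns0
dnl (port 1) is forwarded; the LOCAL-port counter measures the encapsulated
dnl packet size.
AT_CHECK([ovs-ofctl del-flows br-underlay])
AT_DATA([flows-underlay.txt], [dnl
priority=99,dl_type=0x0800,nw_proto=47,in_port=1,actions=LOCAL
priority=99,dl_type=0x0800,nw_proto=47,in_port=LOCAL,ip_dst=172.31.1.1/24,actions=1
priority=1,actions=drop
])

AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])

dnl check tunnel push path, from at_ns1 to at_ns0
NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
AT_CHECK([ovs-appctl revalidator/purge], [0])

dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=242
])
dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=138
])

dnl check tunnel pop path, from at_ns0 to at_ns1
NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 5678 < payload200.bin])
dnl After truncation = 100 byte at loopback device p2(4)
dnl Extract n_bytes with the same sed used by every other check in this file;
dnl it does not depend on field positions in dump-flows output or on GNU awk's
dnl long options.
AT_CHECK([ovs-appctl revalidator/purge], [0])
AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=100
])

dnl SLOW_ACTION: disable datapath truncate support
dnl Repeat the test above, but exercise the SLOW_ACTION code path
dnl The expected reply below is compared literally, so its spelling has to
dnl match what ovs-appctl actually prints; do not "fix" it here alone.
AT_CHECK([ovs-appctl dpif/disable-truncate], [0],
[Datapath truncate action diabled
])

dnl SLOW_ACTION test1: reload the flows.  Unlike the basic truncate test, no
dnl ofproto/trace check of the datapath actions is made here.
AT_CHECK([ovs-ofctl del-flows br0])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl SLOW_ACTION test2: check actual packet truncate
dnl Same byte counts as before are expected from the userspace path.
AT_CHECK([ovs-ofctl del-flows br0])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
AT_CHECK([ovs-ofctl del-flows br-underlay])
AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])

dnl check tunnel push path, from at_ns1 to at_ns0
NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
AT_CHECK([ovs-appctl revalidator/purge], [0])

dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=242
])
dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=138
])

dnl check tunnel pop path, from at_ns0 to at_ns1
NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 5678 < payload200.bin])
dnl After truncation = 100 byte at loopback device p2(4)
AT_CHECK([ovs-appctl revalidator/purge], [0])
AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=100
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
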
dnl Conntrack with controller output: packets are injected with packet-out
dnl (no real hosts talk) and observed through ovs-ofctl monitor.  A "reply"
dnl from port 2 must only reach the controller once a connection has been
dnl committed from port 1.
AT_SETUP([conntrack - controller])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl UDP from ns0->ns1 is committed to conntrack and sent to the controller.
dnl From ns1->ns0, only arp and established (return) UDP traffic is accepted,
dnl the latter also going to the controller; everything else is dropped.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,udp,action=ct(commit),controller
priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk+est,udp,action=controller
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Capture packet-ins; the log is the only observable output of this test.
AT_CAPTURE_FILE([ofctl_monitor.log])
AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])

dnl The hex below is a minimal Ethernet/IPv4/UDP frame; the decoded fields
dnl (dl_src/dl_dst 50:54:00:00:00:09/0a, 10.1.1.x, tp_src/tp_dst 1 and 2)
dnl appear in the expected packet-in output at the end of the test.

dnl Send an unsolicited reply from port 2. This should be dropped.
dnl (No committed entry exists yet, so ct_state is not +est and the
dnl priority=1 drop applies.)
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])

dnl OK, now start a new connection from port 1.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit\),controller '50540000000a50540000000908004500001c00000000001100000a0101010a0101020001000200080000'])

dnl Now try a reply from port 2.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])

dnl Check this output. We only see the latter two packets, not the first.
dnl The second packet-in carries ct_state=est|rpl|trk, showing the reply was
dnl matched against the committed entry.
AT_CHECK([cat ofctl_monitor.log], [0], [dnl
NXT_PACKET_IN2 (xid=0x0): total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl Stateful one-way policy over IPv4: TCP initiated from ns0 reaches ns1 and
dnl its replies come back, while TCP initiated from ns1 is dropped.
AT_SETUP([conntrack - IPv4 HTTP])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl TCP from ns0->ns1 is committed to conntrack and forwarded.  From
dnl ns1->ns0, only established (return) TCP traffic is forwarded.  arp and
dnl icmp are allowed in both directions without conntrack.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from ns0->ns1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl The connection must now be visible in the conntrack table; FORMAT_CT
dnl presumably filters on the address and blanks the variable fields.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
])

dnl HTTP requests from ns1->ns0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
dnl wget exits 4 on network failure; no --retry-connrefused here since the
dnl SYN is expected to be dropped, not refused.
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log], [4])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl IPv6 variant of "conntrack - IPv4 HTTP".
AT_SETUP([conntrack - IPv6 HTTP])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl TCP from ns0->ns1 is committed to conntrack and forwarded.  From
dnl ns1->ns0, only ND (icmp6) and established (return) TCP traffic pass.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,icmp6,action=normal
priority=100,in_port=1,tcp6,action=ct(commit),2
priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])

dnl HTTP requests from ns0->ns1 should work fine.
dnl "http6" makes test-l7.py listen on IPv6.  The doubled brackets are m4
dnl quoting and yield a literal http://[fc00::2] URL for wget.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])

NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])

AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
])

dnl HTTP requests from ns1->ns0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.  wget exits 4 on network failure.
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl Two independent pairs.  p0<->p1 commit on the first pass and forward on
dnl the recirculated (+trk) pass.  p2<->p3 does the same but takes three
dnl passes on port 3, using the metadata field to tell them apart: the value
dnl written before ct() must survive recirculation for the next flow to match.
AT_SETUP([conntrack - commit, recirc])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow any traffic from ns0->ns1, ns2->ns3.
dnl Port 3 path: pass 1 (-trk) sets metadata=0 and tracks; pass 2 (+trk,
dnl metadata=0) sets metadata=1 and commits; pass 3 (+trk, metadata=1)
dnl outputs to port 4.  Both directions commit, so either side may initiate.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=1,tcp,ct_state=+trk,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,tcp,ct_state=+trk,action=1
priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=4,tcp,ct_state=+trk,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl HTTP requests from p2->p3 should work fine.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl Same shape as "conntrack - commit, recirc", but the per-pass marker on the
dnl port 3 path is register reg0 instead of metadata: the value loaded before
dnl ct() must still be there after recirculation.
AT_SETUP([conntrack - preserve registers])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow any traffic from ns0->ns1, ns2->ns3.
dnl The doubled [[]] is m4 quoting for a literal "[]" (whole register).
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=1,tcp,ct_state=+trk,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,tcp,ct_state=+trk,action=1
priority=100,in_port=3,tcp,ct_state=-trk,action=load:0->NXM_NX_REG0[[]],ct(table=0)
priority=100,in_port=3,tcp,ct_state=+trk,reg0=0,action=load:1->NXM_NX_REG0[[]],ct(commit,table=0)
priority=100,in_port=3,tcp,ct_state=+trk,reg0=1,action=4
priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=4,tcp,ct_state=+trk,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl HTTP requests from p2->p3 should work fine.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl Behaviour of ct() without commit: return packets of an uncommitted
dnl connection are not "established", so a policy that only admits +new or
dnl +est return traffic breaks the connection, while one that also admits
dnl +inv lets it through.
AT_SETUP([conntrack - invalid])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Pass traffic from ns0->ns1 without committing, but attempt to track in
dnl the opposite direction. This should fail.
dnl Pass traffic from ns2->ns3 without committing, and this time match
dnl invalid traffic and allow it through.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk+new,tcp,action=1
priority=100,in_port=3,tcp,action=ct(),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=4,ct_state=+trk+inv,tcp,action=3
priority=100,in_port=4,ct_state=+trk+new,tcp,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl We set up our rules to allow the request without committing. The return
dnl traffic can't be identified, because the initial request wasn't committed.
dnl For the first pair of ports, this means that the connection fails.
dnl (wget exit status 4: network failure.)
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4])

dnl For the second pair, we allow packets from invalid connections, so it works.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl Conntrack zones: a connection committed in one zone is only visible when
dnl tracked in that same zone, and ct_zone can be matched on afterwards.
AT_SETUP([conntrack - zones])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow any traffic from ns0->ns1. Allow return traffic, matching on zone.
dnl For ns2->ns3, use a different zone and see that the match fails.
dnl (Port 4 tracks in zone 2 but its forwarding flow requires ct_zone=1, so
dnl the return traffic of the zone-2 connection never matches and is dropped.)
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit,zone=1),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
priority=100,in_port=3,tcp,action=ct(commit,zone=2),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0,zone=2)
priority=100,in_port=4,ct_state=+trk,ct_zone=1,tcp,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl The entry must carry zone=1.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
])

dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.  wget exits 4 on network failure.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])

dnl The request was still committed (in zone 2); only the reply path failed.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

781 AT_SETUP([conntrack - zones from field])
dnl Same check as "conntrack - zones", but the zone is taken from a register
dnl field rather than written as a literal in the ct() action.
782 CHECK_CONNTRACK()
783 OVS_TRAFFIC_VSWITCHD_START()
784
785 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
786
787 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
788 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
789 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
790 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
791
792 dnl ns0->ns1 loads zone 0x1001 into bits 0..15 of REG0 for both commit and
dnl lookup, so the reply matches ct_zone=0x1001. ns2->ns3 commits in zone 0x1002
dnl but its reply rule on in_port=4 still matches ct_zone=0x1001, so it must fail.
793 AT_DATA([flows.txt], [dnl
794 priority=1,action=drop
795 priority=10,arp,action=normal
796 priority=10,icmp,action=normal
797 priority=100,in_port=1,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),2
798 priority=100,in_port=2,ct_state=-trk,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
799 priority=100,in_port=2,ct_state=+trk,ct_zone=0x1001,tcp,action=1
800 priority=100,in_port=3,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),4
801 priority=100,in_port=4,ct_state=-trk,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
802 priority=100,in_port=4,ct_state=+trk,ct_zone=0x1001,tcp,action=3
803 ])
804
805 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
806
807 dnl HTTP requests from p0->p1 should work fine.
808 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
809 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
810
dnl Zones are printed in decimal: 4097 is 0x1001.
811 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
812 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=4097,protoinfo=(state=<cleared>)
813 ])
814
815 dnl HTTP requests from p2->p3 should fail due to network failure.
816 dnl Try 3 times, in 1 second intervals.
817 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
818 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
819
dnl The unconditional commit on in_port=3 still leaves an entry in zone 4098
dnl (0x1002) even though the reply was dropped.
820 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
821 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=4098,protoinfo=(state=<cleared>)
822 ])
823
824 OVS_TRAFFIC_VSWITCHD_STOP
825 AT_CLEANUP
826
827 AT_SETUP([conntrack - multiple bridges])
dnl A connection crossing two bridges through a patch port is tracked on each
dnl bridge in its own zone (zone=1 on br0, zone=2 on br1); both sides must
dnl agree for the HTTP request to succeed.
828 CHECK_CONNTRACK()
829 OVS_TRAFFIC_VSWITCHD_START(
830    [_ADD_BR([br1]) --\
831     add-port br0 patch+ -- set int patch+ type=patch options:peer=patch- --\
832     add-port br1 patch- -- set int patch- type=patch options:peer=patch+ --])
833
834 ADD_NAMESPACES(at_ns0, at_ns1)
835
836 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
837 ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")
838
839 dnl Allow any traffic from ns0->br1, allow established in reverse.
dnl The rules below treat in_port=2 as the ns0 side and in_port=1 as the patch
dnl port towards br1 (the patch port is added before p0 above).
840 AT_DATA([flows-br0.txt], [dnl
841 priority=1,action=drop
842 priority=10,arp,action=normal
843 priority=10,icmp,action=normal
844 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(commit,zone=1),1
845 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
846 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=1,action=2
847 ])
848
849 dnl Allow any traffic from br0->ns1, allow established in reverse.
dnl On br1 the roles are reversed: in_port=1 is the patch port from br0 and
dnl in_port=2 is p1. New connections from br0 are committed in zone=2; replies
dnl from ns1 are only forwarded once established in that zone.
850 AT_DATA([flows-br1.txt], [dnl
851 priority=1,action=drop
852 priority=10,arp,action=normal
853 priority=10,icmp,action=normal
854 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=2)
855 priority=100,in_port=1,tcp,ct_state=+trk+new,ct_zone=2,action=ct(commit,zone=2),2
856 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=2,action=2
857 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
858 priority=100,in_port=2,tcp,ct_state=+trk+est,ct_zone=2,action=ct(commit,zone=2),1
859 ])
860
861 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
862 AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt])
863
864 dnl HTTP requests from p0->p1 should work fine.
865 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
866 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
867
868 OVS_TRAFFIC_VSWITCHD_STOP
869 AT_CLEANUP
870
871 AT_SETUP([conntrack - multiple zones])
dnl One rule commits the same connection into two zones in a row; the reply
dnl path is looked up in zone=2 only, and the dump must show one entry per zone.
872 CHECK_CONNTRACK()
873 OVS_TRAFFIC_VSWITCHD_START()
874
875 ADD_NAMESPACES(at_ns0, at_ns1)
876
877 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
878 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
879
880 dnl Allow any traffic from ns0->ns1, committing it in zone=1 and zone=2.
dnl Only allow arp, icmp and return traffic established in zone=2 from ns1->ns0.
881 AT_DATA([flows.txt], [dnl
882 priority=1,action=drop
883 priority=10,arp,action=normal
884 priority=10,icmp,action=normal
885 priority=100,in_port=1,tcp,action=ct(commit,zone=1),ct(commit,zone=2),2
886 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=2)
887 priority=100,in_port=2,ct_state=+trk,ct_zone=2,tcp,action=1
888 ])
889
890 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
891
892 dnl HTTP requests from p0->p1 should work fine.
893 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
894 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
895
896 dnl (again) HTTP requests from p0->p1 should work fine.
897 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
898
dnl Both zones must hold the connection; sport/dport are cleared by FORMAT_CT.
899 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
900 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
901 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
902 ])
903
904 OVS_TRAFFIC_VSWITCHD_STOP
905 AT_CLEANUP
906
907 AT_SETUP([conntrack - multiple zones, local])
dnl Like "conntrack - multiple zones", but the client is the host stack talking
dnl through the bridge-internal LOCAL port instead of a second namespace.
908 CHECK_CONNTRACK()
909 OVS_TRAFFIC_VSWITCHD_START()
910
911 ADD_NAMESPACES(at_ns0)
912
913 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
914 AT_CHECK([ip link set dev br0 up])
dnl Registered for cleanup so the host address does not outlive the test.
915 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
916 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
917
918 dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
919 dnl return traffic from ns0 back to the local stack.
dnl Return traffic from in_port=1 must be established in zone=1 (table 1) and
dnl then in zone=2 (table 2) before it is delivered to LOCAL.
dnl NOTE(review): untracked IP from LOCAL is dropped rather than sent through
dnl ct(); presumably packets from the host stack arrive already tracked by the
dnl host's own conntrack, which is what the +trk+new / +trk+est rules rely on.
920 AT_DATA([flows.txt], [dnl
921 priority=1,action=drop
922 priority=10,arp,action=normal
923 priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
924 priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
925 priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
926 priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
927 table=1,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
928 table=2,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
929 ])
930
931 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
932
dnl ICMP is not whitelisted separately here, so the ping itself goes through
dnl the same two-zone commit and lookup path as TCP.
933 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
934 3 packets transmitted, 3 received, 0% packet loss, time 0ms
935 ])
936
937 dnl HTTP requests from root namespace to p0 should work fine.
938 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
939 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
940
941 dnl (again) HTTP requests from root namespace to p0 should work fine.
942 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
943
dnl Expect the ICMP and the TCP connection to be present in both zones.
944 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
945 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=1
946 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=2
947 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
948 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
949 ])
950
951 OVS_TRAFFIC_VSWITCHD_STOP
952 AT_CLEANUP
953
954 AT_SETUP([conntrack - multiple namespaces, internal ports])
dnl Same zone=1 policy as the veth-based tests, but the endpoints are OVS
dnl internal ports moved into namespaces (ADD_INT instead of ADD_VETH).
955 CHECK_CONNTRACK()
dnl NOTE(review): fail-mode secure is set only in this test; presumably so that
dnl no implicit NORMAL forwarding can mask the explicit drop rule below.
956 OVS_TRAFFIC_VSWITCHD_START(
957    [set-fail-mode br0 secure -- ])
958
959 ADD_NAMESPACES(at_ns0, at_ns1)
960
961 ADD_INT(p0, at_ns0, br0, "10.1.1.1/24")
962 ADD_INT(p1, at_ns1, br0, "10.1.1.2/24")
963
964 dnl Allow any traffic from ns0->ns1. Only allow arp, icmp and return traffic
dnl tracked in zone=1 from ns1->ns0.
965 dnl
966 dnl If skb->nfct is leaking from inside the namespace, this test will fail:
dnl packets from ns0 would then arrive already tracked and miss the
dnl ct_state=-trk rule on in_port=1, so nothing would be committed or forwarded.
967 AT_DATA([flows.txt], [dnl
968 priority=1,action=drop
969 priority=10,arp,action=normal
970 priority=10,icmp,action=normal
971 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=1),2
972 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
973 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
974 ])
975
dnl NOTE(review): the other tests in this file add flows with --bundle.
976 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
977
978 dnl HTTP requests from p0->p1 should work fine.
979 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
980 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
981
982 dnl (again) HTTP requests from p0->p1 should work fine.
983 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
984
985 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
986 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
987 ])
988
dnl The two "No such device" log lines are whitelisted at teardown; presumably
dnl the internal ports disappear with their namespaces before vswitchd removes
dnl them.
989 OVS_TRAFFIC_VSWITCHD_STOP(["dnl
990 /ioctl(SIOCGIFINDEX) on .* device failed: No such device/d
991 /removing policing failed: No such device/d"])
992 AT_CLEANUP
993
994 AT_SETUP([conntrack - multi-stage pipeline, local])
dnl Exercises zones derived from port numbers across a multi-table pipeline:
dnl ingress tracks in a zone equal to in_port, egress in a zone equal to the
dnl output port held in REG0. The LOCAL port number is 65534 (OFPP_LOCAL),
dnl which is why the final dump shows zone=65534 next to zone=1.
995 CHECK_CONNTRACK()
996 OVS_TRAFFIC_VSWITCHD_START()
997
998 ADD_NAMESPACES(at_ns0)
999
1000 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
1001 AT_CHECK([ip link set dev br0 up])
dnl Registered for cleanup so the host address does not outlive the test.
1002 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
1003 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
1004
1005 dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
1006 dnl return traffic from ns0 back to the local stack.
1007 AT_DATA([flows.txt], [dnl
1008 dnl Table 0 defaults: drop everything except arp.
1009 table=0,priority=1,action=drop
1010 table=0,priority=10,arp,action=normal
1011
1012 dnl Load the output port to REG0 (port 1 for LOCAL->ns0, 65534 for ns0->LOCAL)
1013 table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
1014 table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1
1015
1016 dnl Ingress pipeline
1017 dnl - Allow all connections from LOCAL port (commit and proceed to egress)
1018 dnl - All other connections go through conntracker using the input port as
1019 dnl   a connection tracking zone.
1020 table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2
1021 table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
1022 table=1,priority=1,action=drop
1023
1024 dnl Egress pipeline
1025 dnl - Allow all connections from LOCAL port (commit and skip to output)
1026 dnl - Allow other established connections to go through conntracker using
1027 dnl   output port as a connection tracking zone.
1028 table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4
1029 table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
1030 table=2,priority=1,action=drop
1031
1032 dnl Only allow established traffic from egress ct lookup
1033 table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
1034 table=3,priority=1,action=drop
1035
1036 dnl output table: send to the port number stored in REG0
1037 table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
1038 ])
1039
1040 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1041
dnl No icmp whitelist here, so ping also has to pass the full pipeline.
1042 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1043 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1044 ])
1045
1046 dnl HTTP requests from root namespace to p0 should work fine.
1047 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1048 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1049
1050 dnl (again) HTTP requests from root namespace to p0 should work fine.
1051 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1052
dnl Each connection appears once per zone it was committed in: zone=1 from the
dnl egress commit and zone=65534 from the ingress commit on LOCAL.
1053 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
1054 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=1
1055 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=65534
1056 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1057 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=65534,protoinfo=(state=<cleared>)
1058 ])
1059
1060 OVS_TRAFFIC_VSWITCHD_STOP
1061 AT_CLEANUP
1062
1063 AT_SETUP([conntrack - ct_mark])
dnl Verifies that ct_mark set at commit time is stored on the connection and
dnl that a reply rule requiring a different mark does not let traffic through.
1064 CHECK_CONNTRACK()
1065 OVS_TRAFFIC_VSWITCHD_START()
1066
1067 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1068
1069 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1070 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1071 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1072 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1073
1074 dnl Allow traffic between ns0<->ns1 using the ct_mark.
1075 dnl Check that different marks do not match for traffic between ns2<->ns3.
dnl ns2->ns3 commits with mark 2 but its reply rule on in_port=4 requires
dnl ct_mark=1, so the reply falls through to the priority=1 drop.
1076 AT_DATA([flows.txt], [dnl
1077 priority=1,action=drop
1078 priority=10,arp,action=normal
1079 priority=10,icmp,action=normal
1080 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
1081 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1082 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
1083 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:2->ct_mark)),4
1084 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
1085 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
1086 ])
1087
1088 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1089
1090 dnl HTTP requests from p0->p1 should work fine.
1091 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1092 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1093
dnl The entry for the working connection must carry mark=1.
1094 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1095 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=<cleared>)
1096 ])
1097
1098 dnl HTTP requests from p2->p3 should fail due to network failure.
1099 dnl Try 3 times, in 1 second intervals.
1100 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
1101 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
1102
dnl The failed connection was still committed, with mark=2, by the in_port=3
dnl rule; only its reply path was blocked.
1103 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
1104 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=<cleared>)
1105 ])
1106
1107 OVS_TRAFFIC_VSWITCHD_STOP
1108 AT_CLEANUP
1109
1110 AT_SETUP([conntrack - ct_mark bit-fiddling])
dnl Verifies masked writes to ct_mark: the forward path sets some bits, the
dnl return path rewrites a different masked range, and the final mark reflects
dnl both writes.
1111 CHECK_CONNTRACK()
1112 OVS_TRAFFIC_VSWITCHD_START()
1113
dnl NOTE(review): at_ns2 and at_ns3 are created but not used by this test.
1114 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1115
1116 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1117 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1118
1119 dnl Allow traffic between ns0<->ns1 using the ct_mark. Return traffic rewrites
1120 dnl part of the mark in the connection (and is allowed).
dnl New connections from in_port=1 set mark 0x5 (mask 0x5). The first reply from
dnl in_port=2 writes 0x2 under mask 0x6, i.e. sets bit 1 and clears bit 2,
dnl turning 0x5 into 0x3, which the table=1 rule for in_port=2 then matches.
1121 AT_DATA([flows.txt], [dnl
1122 table=0,priority=1,action=drop
1123 table=0,priority=10,arp,action=normal
1124 table=0,priority=10,icmp,action=normal
1125 table=0,priority=100,in_port=1,tcp,action=ct(table=1)
1126 table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x2/0x6->ct_mark))
1127 table=1,priority=100,in_port=1,ct_state=+new,tcp,action=ct(commit,exec(set_field:0x5/0x5->ct_mark)),2
1128 table=1,priority=100,in_port=1,ct_state=-new,tcp,action=2
1129 table=1,priority=100,in_port=2,ct_state=+trk,ct_mark=3,tcp,action=1
1130 ])
1131
1132 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1133
1134 dnl HTTP requests from p0->p1 should work fine.
1135 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1136 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1137
dnl mark=3 is the result of both masked writes described above.
1138 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1139 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=3,protoinfo=(state=<cleared>)
1140 ])
1141
1142 OVS_TRAFFIC_VSWITCHD_STOP
1143 AT_CLEANUP
1144
1145 AT_SETUP([conntrack - ct_mark from register])
dnl Same check as "conntrack - ct_mark", but the mark is loaded into REG0 first
dnl and moved into NXM_NX_CT_MARK at commit time instead of using set_field.
1146 CHECK_CONNTRACK()
1147 OVS_TRAFFIC_VSWITCHD_START()
1148
1149 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1150
1151 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1152 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1153 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1154 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1155
1156 dnl Allow traffic between ns0<->ns1 using a ct_mark of 1 taken from REG0.
dnl ns2->ns3 stores mark 2 the same way, but its reply rule on in_port=4
dnl requires ct_mark=1, so that connection must fail.
1157 AT_DATA([flows.txt], [dnl
1158 priority=1,action=drop
1159 priority=10,arp,action=normal
1160 priority=10,icmp,action=normal
1161 priority=100,in_port=1,tcp,action=load:1->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),2
1162 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1163 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
1164 priority=100,in_port=3,tcp,action=load:2->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),4
1165 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
1166 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
1167 ])
1168
1169 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1170
1171 dnl HTTP requests from p0->p1 should work fine.
1172 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1173 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1174
dnl The value moved from REG0 must show up as mark=1 on the connection.
1175 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1176 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=<cleared>)
1177 ])
1178
1179 dnl HTTP requests from p2->p3 should fail due to network failure.
1180 dnl Try 3 times, in 1 second intervals.
1181 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
1182 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
1183
dnl The in_port=3 commit still happened, with mark=2; only the reply was dropped.
1184 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
1185 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=<cleared>)
1186 ])
1187
1188 OVS_TRAFFIC_VSWITCHD_STOP
1189 AT_CLEANUP
1190
1191 AT_SETUP([conntrack - ct_label])
dnl Verifies that a ct_label set at commit time can gate the reply path, using
dnl a label value wider than 64 bits, and that a different label does not match.
1192 CHECK_CONNTRACK()
1193 OVS_TRAFFIC_VSWITCHD_START()
1194
1195 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1196
1197 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1198 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1199 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1200 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1201
1202 dnl Allow traffic between ns0<->ns1 using the ct_label.
1203 dnl Check that different labels do not match for traffic between ns2<->ns3.
dnl ns2->ns3 commits with label 0x2 but its reply rule on in_port=4 requires the
dnl ns0<->ns1 label, so the reply falls through to the priority=1 drop.
1204 AT_DATA([flows.txt], [dnl
1205 priority=1,action=drop
1206 priority=10,arp,action=normal
1207 priority=10,icmp,action=normal
1208 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:0x0a000d000005000001->ct_label)),2
1209 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1210 priority=100,in_port=2,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=1
1211 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:0x2->ct_label)),4
1212 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
1213 priority=100,in_port=4,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=3
1214 ])
1215
1216 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1217
1218 dnl HTTP requests from p0->p1 should work fine.
1219 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1220 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1221
1222 dnl HTTP requests from p2->p3 should fail due to network failure.
1223 dnl Try 3 times, in 1 second intervals.
1224 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
1225 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
1226
dnl NOTE(review): unlike the ct_mark test, the conntrack table is not dumped
dnl here, so the stored label value itself is not checked, only the wget
dnl outcomes.
1227 OVS_TRAFFIC_VSWITCHD_STOP
1228 AT_CLEANUP
1229
1230 AT_SETUP([conntrack - ct_label bit-fiddling])
dnl Verifies masked writes to ct_label, including a bit above the 32-bit range:
dnl the forward path sets some bits, the return path rewrites a different masked
dnl range, and the final labels reflect both writes.
1231 CHECK_CONNTRACK()
1232 OVS_TRAFFIC_VSWITCHD_START()
1233
dnl NOTE(review): at_ns2 and at_ns3 are created but not used by this test.
1234 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1235
1236 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1237 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1238
1239 dnl Allow traffic between ns0<->ns1 using the ct_labels. Return traffic rewrites
1240 dnl part of the connection labels (and is allowed).
dnl New connections from in_port=1 set labels 0x5 (mask 0x5). The first reply
dnl from in_port=2 writes 0x200000000 under mask 0x200000004, i.e. sets bit 33
dnl and clears bit 2, turning 0x5 into 0x200000001, which the table=1 rule for
dnl in_port=2 then matches.
1241 AT_DATA([flows.txt], [dnl
1242 table=0,priority=1,action=drop
1243 table=0,priority=10,arp,action=normal
1244 table=0,priority=10,icmp,action=normal
1245 table=0,priority=100,in_port=1,tcp,action=ct(table=1)
1246 table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label))
1247 table=1,priority=100,in_port=1,tcp,ct_state=+new,action=ct(commit,exec(set_field:0x5/0x5->ct_label)),2
1248 table=1,priority=100,in_port=1,tcp,ct_state=-new,action=2
1249 table=1,priority=100,in_port=2,ct_state=+trk,ct_label=0x200000001,tcp,action=1
1250 ])
1251
1252 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1253
1254 dnl HTTP requests from p0->p1 should work fine.
1255 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1256 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1257
dnl labels=0x200000001 is the result of both masked writes described above.
1258 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1259 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),labels=0x200000001,protoinfo=(state=<cleared>)
1260 ])
1261
1262 OVS_TRAFFIC_VSWITCHD_STOP
1263 AT_CLEANUP
1264
1265 AT_SETUP([conntrack - ct metadata, multiple zones])
dnl Combines the ct_mark and ct_label bit-fiddling cases with a second zone:
dnl mark and labels are written only for the zone=1 entry, and the zone=2 entry
dnl for the same connection must stay free of both.
1266 CHECK_CONNTRACK()
1267 OVS_TRAFFIC_VSWITCHD_START()
1268
dnl NOTE(review): at_ns2 and at_ns3 are created but not used by this test.
1269 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1270
1271 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1272 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1273
1274 dnl Allow traffic between ns0<->ns1 using the ct_mark and ct_labels in zone=1,
1275 dnl but do *not* set any of these for the ct() in zone=2. Traffic should pass,
1276 dnl and we should see that the conntrack entries only apply the ct_mark and
1277 dnl ct_labels to the connection in zone=1.
dnl The in_port=2 rule in table=1 does not match on mark or labels at all; it
dnl only performs the zone=2 lookup and forwards, so the zone=2 entry exists
dnl solely because of the ct(commit,zone=2) in the in_port=1 new-connection rule.
1278 AT_DATA([flows.txt], [dnl
1279 table=0,priority=1,action=drop
1280 table=0,priority=10,arp,action=normal
1281 table=0,priority=10,icmp,action=normal
1282 table=0,priority=100,in_port=1,tcp,action=ct(zone=1,table=1)
1283 table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(zone=1,table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label,set_field:0x2/0x6->ct_mark))
1284 table=1,priority=100,in_port=1,tcp,ct_state=+new,action=ct(zone=1,commit,exec(set_field:0x5/0x5->ct_label,set_field:0x5/0x5->ct_mark)),ct(commit,zone=2),2
1285 table=1,priority=100,in_port=1,tcp,ct_state=-new,action=ct(zone=2),2
1286 table=1,priority=100,in_port=2,tcp,action=ct(zone=2),1
1287 ])
1288
1289 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1290
1291 dnl HTTP requests from p0->p1 should work fine.
1292 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1293 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1294
dnl zone=1 carries mark=3 and labels=0x200000001 (both masked writes applied);
dnl zone=2 shows neither field.
1295 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1296 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,mark=3,labels=0x200000001,protoinfo=(state=<cleared>)
1297 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
1298 ])
1299
1300 OVS_TRAFFIC_VSWITCHD_STOP
1301 AT_CLEANUP
1302
1303 AT_SETUP([conntrack - ICMP related])
dnl Verifies that an ICMP error generated in response to a tracked UDP flow is
dnl classified as related (+rel) and inherits the mark of that flow, and that
dnl this is the only way ICMP gets back from ns1 to ns0.
1304 CHECK_CONNTRACK()
1305 OVS_TRAFFIC_VSWITCHD_START()
1306
1307 ADD_NAMESPACES(at_ns0, at_ns1)
1308
1309 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1310 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1311
1312 dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
dnl There is deliberately no icmp,action=normal rule here: ICMP from in_port=2
dnl must be +trk+rel with ct_mark=1, i.e. tied to the committed UDP connection,
dnl or it hits the priority=1 drop.
1313 AT_DATA([flows.txt], [dnl
1314 priority=1,action=drop
1315 priority=10,arp,action=normal
1316 priority=100,in_port=1,udp,action=ct(commit,exec(set_field:1->ct_mark)),2
1317 priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
1318 priority=100,in_port=2,icmp,ct_state=+trk+rel,ct_mark=1,action=1
1319 ])
1320
1321 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1322
1323 dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
dnl Nothing listens on port 10000 in ns1. NC_EOF_OPT is supplied by the test
dnl harness, not defined in this file.
1324 NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])
1325
dnl Presumably the purge forces datapath flow statistics to be folded into the
dnl OpenFlow flow counters before they are dumped; the n_packets values below
dnl depend on it.
1326 AT_CHECK([ovs-appctl revalidator/purge], [0])
dnl Exactly one UDP packet, one untracked ICMP, and one related ICMP are
dnl expected; drop rules are filtered out of the comparison.
1327 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
1328  n_packets=1, n_bytes=44, priority=100,udp,in_port=1 actions=ct(commit,exec(load:0x1->NXM_NX_CT_MARK[[]])),output:2
1329  n_packets=1, n_bytes=72, priority=100,ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2 actions=output:1
1330  n_packets=1, n_bytes=72, priority=100,ct_state=-trk,icmp,in_port=2 actions=ct(table=0)
1331  n_packets=2, n_bytes=84, priority=10,arp actions=NORMAL
1332 NXST_FLOW reply:
1333 ])
1334
1335 OVS_TRAFFIC_VSWITCHD_STOP
1336 AT_CLEANUP
1337
1338 AT_SETUP([conntrack - ICMP related 2])
dnl Drives the related-ICMP logic with hand-built packets via packet-out and
dnl observes the result as packet-ins: an ICMP error with no matching tracked
dnl flow must not be classified as related, while one that matches a committed
dnl UDP flow must be flagged rel|rpl.
1339 CHECK_CONNTRACK()
1340 OVS_TRAFFIC_VSWITCHD_START()
1341
1342 ADD_NAMESPACES(at_ns0, at_ns1)
1343
1344 ADD_VETH(p0, at_ns0, br0, "172.16.0.1/24")
1345 ADD_VETH(p1, at_ns1, br0, "172.16.0.2/24")
1346
1347 dnl Track UDP from ns0->ns1 and send every tracked IP packet from in_port=1 to
dnl the controller. From in_port=2, only ICMP that conntrack marks as a related
dnl reply (+trk+rel+rpl) reaches the controller; everything else is dropped.
1348 AT_DATA([flows.txt], [dnl
1349 priority=1,action=drop
1350 priority=10,arp,action=normal
1351 priority=100,in_port=1,udp,ct_state=-trk,action=ct(commit,table=0)
1352 priority=100,in_port=1,ip,ct_state=+trk,actions=controller
1353 priority=100,in_port=2,ip,ct_state=-trk,action=ct(table=0)
1354 priority=100,in_port=2,ip,ct_state=+trk+rel+rpl,action=controller
1355 ])
1356
1357 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt])
1358
dnl Capture the packet-ins produced by the controller actions; the log is
dnl compared verbatim at the end of the test.
1359 AT_CAPTURE_FILE([ofctl_monitor.log])
1360 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
1361
1362 dnl 1. Send an ICMP port unreach reply for port 8738, without any previous request.
dnl    No tracked flow matches the embedded UDP header, so this is +trk but not
dnl    +rel+rpl and must be dropped (no packet-in expected).
1363 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f355ac100004ac1000030303553f0000000045000021317040004011b138ac100003ac10000411112222000d20966369616f0a'])
1364
1365 dnl 2. Send a UDP packet to port 5555; it is committed and seen as new|trk.
1366 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit,table=0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
1367
1368 dnl 3. Send an ICMP port unreach reply for port 5555, related to the UDP packet
dnl    from step 2; it must be classified rel|rpl|trk and reach the controller.
1369 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
1370
1371 dnl Check this output. Only the packets from steps 2 and 3 appear; the ICMP
dnl from step 1 never reached the controller.
1372 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
1373 NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=47 ct_state=new|trk,in_port=1 (via action) data_len=47 (unbuffered)
1374 udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096
1375 NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=75 ct_state=rel|rpl|trk,in_port=2 (via action) data_len=75 (unbuffered)
1376 icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f
1377 ])
1378
1379 OVS_TRAFFIC_VSWITCHD_STOP
1380 AT_CLEANUP
1381
1382 AT_SETUP([conntrack - FTP])
1383 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1384 CHECK_CONNTRACK()
1385 OVS_TRAFFIC_VSWITCHD_START()
1386
1387 ADD_NAMESPACES(at_ns0, at_ns1)
1388
1389 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1390 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1391
1392 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
1393 AT_DATA([flows1.txt], [dnl
1394 priority=1,action=drop
1395 priority=10,arp,action=normal
1396 priority=10,icmp,action=normal
1397 priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
1398 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
1399 priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
1400 priority=100,in_port=2,tcp,ct_state=+trk+rel,action=1
1401 ])
1402
1403 dnl Similar policy but without allowing all traffic from ns0->ns1.
1404 AT_DATA([flows2.txt], [dnl
1405 priority=1,action=drop
1406 priority=10,arp,action=normal
1407 priority=10,icmp,action=normal
1408 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0)
1409 priority=100,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
1410 priority=100,in_port=1,tcp,ct_state=+trk+est,action=2
1411 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
1412 priority=100,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
1413 priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
1414 priority=100,in_port=2,tcp,ct_state=+trk-new+rel,action=1
1415 ])
1416
1417 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
1418
1419 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
1420 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1421 OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
1422
1423 dnl FTP requests from p1->p0 should fail due to network failure.
1424 dnl Try 3 times, in 1 second intervals.
1425 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp  -t 3 -T 1 -v -o wget1.log], [4])
1426 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
1427 ])
1428
1429 dnl FTP requests from p0->p1 should work fine.
1430 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1431 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1432 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
1433 ])
1434
1435 dnl Try the second set of flows.
1436 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
1437 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1438
1439 dnl FTP requests from p1->p0 should fail due to network failure.
1440 dnl Try 3 times, in 1 second intervals.
1441 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp  -t 3 -T 1 -v -o wget1.log], [4])
1442 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
1443 ])
1444
1445 dnl Active FTP requests from p0->p1 should work fine.
1446 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log])
1447 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1448 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
1449 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
1450 ])
1451
1452 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1453
1454 dnl Passive FTP requests from p0->p1 should work fine.
1455 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log])
1456 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1457 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
1458 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
1459 ])
1460
1461 OVS_TRAFFIC_VSWITCHD_STOP
1462 AT_CLEANUP
1463
1464
1465 AT_SETUP([conntrack - IPv6 FTP])
dnl Exercises the FTP ALG (ct alg=ftp) over IPv6: the control connection
dnl from ns0 is committed with the helper, and the active-mode data
dnl connection opened by the server in ns1 is only accepted because
dnl conntrack marks it as related (+rel) to that control connection.
1466 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1467 CHECK_CONNTRACK()
1468 OVS_TRAFFIC_VSWITCHD_START()
1469
1470 ADD_NAMESPACES(at_ns0, at_ns1)
1471
1472 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1473 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1474
1475 dnl Allow ICMPv6 both ways and new FTP control connections (tcp6 dst port 21)
1476 dnl from ns0->ns1. From ns1->ns0 only related or established traffic passes.
1477 AT_DATA([flows.txt], [dnl
1478 dnl Track all IPv6 traffic and drop the rest.
1479 dnl Allow ICMPv6 both ways.  No commit, so pings will not be tracked.
1480 table=0 priority=100 in_port=1 icmp6, action=2
1481 table=0 priority=100 in_port=2 icmp6, action=1
1482 table=0 priority=10 ip6, action=ct(table=1)
1483 table=0 priority=0 action=drop
1484 dnl
1485 dnl Table 1
1486 dnl
1487 dnl Allow new TCPv6 FTP control connections from port 1. Committing with
1487 dnl alg=ftp attaches the helper, which makes the negotiated data connection
1487 dnl show up as +rel when it arrives.
1488 table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
1489 dnl Allow related TCPv6 connections from port 2 (the active-mode data
1489 dnl connection); commit it so its later packets match +est below.
1490 table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1
1491 dnl Allow established TCPv6 connections both ways.
1492 table=1 in_port=1 ct_state=+est, tcp6, action=2
1493 table=1 in_port=2 ct_state=+est, tcp6, action=1
1494 dnl Drop everything else.
1495 table=1 priority=0, action=drop
1496 ])
1497
1498 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1499
1500 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1501 dnl waiting, we get occasional failures due to the following error:
1502 dnl "connect: Cannot assign requested address"
1503 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
1504
1505 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1506 OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
1507
1508 dnl FTP requests from p0->p1 should work fine (active mode, forced by
1508 dnl --no-passive-ftp, so the server connects back to the client).
1509 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
1510
1511 dnl Discards CLOSE_WAIT and CLOSING
dnl Expect two entries: the control connection carrying helper=ftp, and the
dnl data connection that the server opened towards the client.
1512 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
1513 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
1514 tcp,orig=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
1515 ])
1516
1517 OVS_TRAFFIC_VSWITCHD_STOP
1518 AT_CLEANUP
1519
1520
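1521 AT_SETUP([conntrack - FTP with multiple expectations])
dnl Two independent conntrack zones (1 and 2) model two firewalls in series.
dnl The FTP control connection is committed with the ftp helper in both
dnl zones, so the data connection must be recognised as related (+rel) in
dnl both zones before it is allowed back from ns1 to ns0. Both active and
dnl passive FTP are exercised; each run writes its own wget log so a failing
dnl step does not overwrite the diagnostics of the previous one.
1522 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1523 CHECK_CONNTRACK()
1524 OVS_TRAFFIC_VSWITCHD_START()
1525
1526 ADD_NAMESPACES(at_ns0, at_ns1)
1527
1528 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1529 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1530
1531 dnl Dual-firewall: allow new and established TCP from ns0->ns1, allow only
1531 dnl related (ftp data) and established TCP from ns1->ns0.
1532 AT_DATA([flows.txt], [dnl
1533 priority=1,action=drop
1534 priority=10,arp,action=normal
1535 priority=10,icmp,action=normal
dnl ns0->ns1: first pass through zone 1, then through zone 2.
1536 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
1537 priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
1538 priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=0,zone=2)
1539 priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=2)
1540 priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
dnl ns1->ns0: first pass through zone 2, then through zone 1. A related
dnl connection is committed in both zones before being forwarded.
1541 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
1542 priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
1543 priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=0,zone=1)
1544 priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
1545 priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
1546 ])
1547
1548 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1549
1550 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
1551 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1552
1553 dnl FTP requests from p1->p0 should fail due to network failure.
1554 dnl Try 3 times, in 1 second intervals.
dnl wget exits with 4 (network failure) and nothing may have been committed.
1555 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp  -t 3 -T 1 -v -o wget1.log], [4])
1556 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
1557 ])
1558
1559 dnl Active FTP requests from p0->p1 should work fine.
1560 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log])
dnl Control connection (helper=ftp) and server-initiated data connection,
dnl each present in both zones.
1561 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1562 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
1563 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
1564 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1565 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
1566 ])
1567
1568 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1569
1570 dnl Passive FTP requests from p0->p1 should work fine.
1571 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log])
dnl In passive mode the client opens the data connection too, so both
dnl entries originate from 10.1.1.1; only the control one carries the helper.
1572 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1573 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1574 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
1575 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
1576 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
1577 ])
1578
1579 OVS_TRAFFIC_VSWITCHD_STOP
1580 AT_CLEANUP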
1581
1582 AT_SETUP([conntrack - IPv4 fragmentation ])
dnl ICMP echo requests with 1600 and 3200 byte payloads exceed the link MTU
dnl (presumably 1500) and arrive as fragments; conntrack has to reassemble
dnl them before ct() can classify the packet, and replies are only forwarded
dnl back when they match an established entry in zone 9.
1583 CHECK_CONNTRACK()
1584 OVS_TRAFFIC_VSWITCHD_START()
1585
1586 ADD_NAMESPACES(at_ns0, at_ns1)
1587
1588 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1589 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1590
1591 dnl Sending ping through conntrack
1592 AT_DATA([flows.txt], [dnl
1593 priority=1,action=drop
1594 priority=10,arp,action=normal
dnl ns0->ns1: commit every ICMP packet in zone 9 and forward it.
1595 priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
dnl ns1->ns0: look the packet up in zone 9, then forward only established,
dnl non-new traffic (the echo replies).
1596 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1597 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1598 ])
1599
1600 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1601
1602 dnl Ipv4 fragmentation connectivity check.
1603 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1604 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1605 ])
1606
1607 dnl Ipv4 larger fragmentation connectivity check.
1608 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1609 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1610 ])
1611
1612 OVS_TRAFFIC_VSWITCHD_STOP
1613 AT_CLEANUP
1614
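1615 AT_SETUP([conntrack - IPv4 fragmentation expiry])
dnl Only unfragmented packets and the first fragment of each ICMP echo reach
dnl conntrack; the remaining fragments are dropped, so reassembly never
dnl completes and the datapath must expire the partial fragment queue on its
dnl own instead of leaking it. No reply is expected.
1616 CHECK_CONNTRACK()
1617 OVS_TRAFFIC_VSWITCHD_START()
1618
1619 ADD_NAMESPACES(at_ns0, at_ns1)
1620
1621 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1622 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1623
1624 AT_DATA([flows.txt], [dnl
1625 priority=1,action=drop
1626 priority=10,arp,action=normal
1627
1628 dnl Only allow non-fragmented messages and 1st fragments of each message
1629 priority=100,in_port=1,icmp,ip_frag=no,action=ct(commit,zone=9),2
1630 priority=100,in_port=1,icmp,ip_frag=first,action=ct(commit,zone=9),2
dnl ns1->ns0: look the packet up in zone 9, then forward only established,
dnl non-new traffic.
1631 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1632 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1633 ])
1634
1635 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1636
1637 dnl Send one fragmented echo request. Some time later, the incomplete
1637 dnl fragment queue should expire. With -w 2 and no reply ping keeps
1637 dnl transmitting at the -i interval until the deadline, hence 7 packets.
1638 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 1 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1639 7 packets transmitted, 0 received, 100% packet loss, time 0ms
1640 ])
1641
dnl At this point, the kernel will either crash or everything is OK.
1642 OVS_TRAFFIC_VSWITCHD_STOP
1643 AT_CLEANUP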
1644
1645 AT_SETUP([conntrack - IPv4 fragmentation + vlan])
dnl Same as the plain IPv4 fragmentation test, but the pings travel over
dnl VLAN 100 subinterfaces (10.2.2.0/24), so conntrack has to reassemble
dnl fragments carried inside 802.1Q-tagged frames.
1646 CHECK_CONNTRACK()
1647 OVS_TRAFFIC_VSWITCHD_START()
1648
1649 ADD_NAMESPACES(at_ns0, at_ns1)
1650
1651 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1652 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1653 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
1654 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
1655
1656 dnl Sending ping through conntrack
1657 AT_DATA([flows.txt], [dnl
1658 priority=1,action=drop
1659 priority=10,arp,action=normal
dnl ns0->ns1: commit every ICMP packet in zone 9 and forward it.
1660 priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
dnl ns1->ns0: look the packet up in zone 9, then forward only established,
dnl non-new traffic (the echo replies).
1661 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1662 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1663 ])
1664
1665 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1666
1667 dnl Ipv4 fragmentation connectivity check (over the VLAN addresses).
1668 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1669 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1670 ])
1671
1672 dnl Ipv4 larger fragmentation connectivity check.
1673 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1674 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1675 ])
1676
1677 OVS_TRAFFIC_VSWITCHD_STOP
1678 AT_CLEANUP
1679
1680 AT_SETUP([conntrack - IPv6 fragmentation])
dnl IPv6 counterpart of the IPv4 fragmentation test: oversized ICMPv6 echo
dnl requests are fragmented, reassembled by conntrack in zone 9, and the
dnl replies are only forwarded back when they match an established entry.
1681 CHECK_CONNTRACK()
1682 OVS_TRAFFIC_VSWITCHD_START()
1683
1684 ADD_NAMESPACES(at_ns0, at_ns1)
1685
1686 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1687 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1688
1689 dnl Sending ping through conntrack
1690 AT_DATA([flows.txt], [dnl
1691 priority=1,action=drop
dnl ns0->ns1: commit every IPv6 packet in zone 9 and forward it.
1692 priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
dnl ns1->ns0: look the packet up in zone 9, then forward only established,
dnl non-new traffic.
1693 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1694 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
dnl Neighbour Discovery (solicitation 135 / advertisement 136) takes
dnl precedence over the ct rules above and bypasses conntrack entirely.
1695 priority=100,icmp6,icmp_type=135,action=normal
1696 priority=100,icmp6,icmp_type=136,action=normal
1697 ])
1698
1699 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1700
1701 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1702 dnl waiting, we get occasional failures due to the following error:
1703 dnl "connect: Cannot assign requested address"
1704 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1705
1706 dnl Ipv6 fragmentation connectivity check.
1707 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1708 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1709 ])
1710
1711 dnl Ipv6 larger fragmentation connectivity check.
1712 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1713 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1714 ])
1715
1716 OVS_TRAFFIC_VSWITCHD_STOP
1717 AT_CLEANUP
1718
1719 AT_SETUP([conntrack - IPv6 fragmentation expiry])
dnl IPv6 counterpart of the IPv4 fragmentation expiry test: only the first
dnl fragment of each echo request reaches conntrack, so reassembly never
dnl completes and the datapath must expire the partial fragment queue itself.
dnl No reply is expected.
1720 CHECK_CONNTRACK()
1721 OVS_TRAFFIC_VSWITCHD_START()
1722
1723 ADD_NAMESPACES(at_ns0, at_ns1)
1724
1725 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1726 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1727
1728 AT_DATA([flows.txt], [dnl
1729 priority=1,action=drop
1730
1731 dnl Only allow non-fragmented messages and 1st fragments of each message
1732 priority=10,in_port=1,ipv6,ip_frag=first,action=ct(commit,zone=9),2
1733 priority=10,in_port=1,ipv6,ip_frag=no,action=ct(commit,zone=9),2
dnl ns1->ns0: look the packet up in zone 9, then forward only established,
dnl non-new traffic.
1734 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1735 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
1736
1737 dnl Neighbour Discovery (bypasses conntrack; higher priority than the ct rules)
1738 priority=100,icmp6,icmp_type=135,action=normal
1739 priority=100,icmp6,icmp_type=136,action=normal
1740 ])
1741
1742 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1743
1744 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1745 dnl waiting, we get occasional failures due to the following error:
1746 dnl "connect: Cannot assign requested address"
1747 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1748
1749 dnl Send an IPv6 fragment. Some time later, it should expire.
dnl With -w 2 and no reply ping keeps transmitting at the -i interval until
dnl the deadline, hence 7 packets for a -c 1 run.
1750 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 1 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1751 7 packets transmitted, 0 received, 100% packet loss, time 0ms
1752 ])
1753
1754 dnl At this point, the kernel will either crash or everything is OK.
1755
1756 OVS_TRAFFIC_VSWITCHD_STOP
1757 AT_CLEANUP
1758
1759 AT_SETUP([conntrack - IPv6 fragmentation + vlan])
dnl Same as the plain IPv6 fragmentation test, but the pings travel over
dnl VLAN 100 subinterfaces (fc00:1::/96), so conntrack has to reassemble
dnl fragments carried inside 802.1Q-tagged frames.
1760 CHECK_CONNTRACK()
1761 OVS_TRAFFIC_VSWITCHD_START()
1762
1763 ADD_NAMESPACES(at_ns0, at_ns1)
1764
1765 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1766 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1767
1768 ADD_VLAN(p0, at_ns0, 100, "fc00:1::3/96")
1769 ADD_VLAN(p1, at_ns1, 100, "fc00:1::4/96")
1770
1771 dnl Sending ping through conntrack
1772 AT_DATA([flows.txt], [dnl
1773 priority=1,action=drop
dnl ns0->ns1: commit every IPv6 packet in zone 9 and forward it.
1774 priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
dnl ns1->ns0: look the packet up in zone 9, then forward only established,
dnl non-new traffic.
1775 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1776 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
dnl Neighbour Discovery bypasses conntrack (higher priority than the ct rules).
1777 priority=100,icmp6,icmp_type=135,action=normal
1778 priority=100,icmp6,icmp_type=136,action=normal
1779 ])
1780
1781 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1782
1783 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1784 dnl waiting, we get occasional failures due to the following error:
1785 dnl "connect: Cannot assign requested address"
1786 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1787
1788 dnl IPv6 fragmentation connectivity check (over the VLAN addresses).
1789 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1790 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1791 ])
1792
1793 dnl IPv6 larger fragmentation connectivity check.
1794 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1795 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1796 ])
1797
1798 OVS_TRAFFIC_VSWITCHD_STOP
1799 AT_CLEANUP
1800
1801 AT_SETUP([conntrack - Fragmentation over vxlan])
dnl Fragmented ICMP echoes are sent through a VXLAN tunnel (native Linux
dnl vxlan device in the namespace, OVS tunnel port on br0) and then through
dnl conntrack on br0; the inner packets have to be reassembled after
dnl decapsulation before ct() can classify them.
1802 OVS_CHECK_VXLAN()
1803 CHECK_CONNTRACK()
1804
1805 OVS_TRAFFIC_VSWITCHD_START()
dnl br-underlay carries the encapsulated traffic and simply switches it.
1806 ADD_BR([br-underlay])
1807 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
1808
1809 ADD_NAMESPACES(at_ns0)
1810
1811 dnl Sending ping through conntrack
dnl Port 1 is presumably the at_vxlan0 tunnel port added below; LOCAL is
dnl br0's internal port, which owns the overlay address 10.1.1.100.
1812 AT_DATA([flows.txt], [dnl
1813 priority=1,action=drop
1814 priority=10,arp,action=normal
1815 priority=100,in_port=1,icmp,action=ct(commit,zone=9),LOCAL
1816 priority=100,in_port=LOCAL,icmp,action=ct(table=1,zone=9)
1817 table=1,priority=100,in_port=LOCAL,ct_state=+trk+est,icmp,action=1
1818 ])
1819
1820 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1821
1822 dnl Set up underlay link from host into the namespace using veth pair.
1823 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
1824 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
1825 AT_CHECK([ip link set dev br-underlay up])
1826
1827 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
1828 dnl linux device inside the namespace.
1829 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
1830 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
1831                   [id 0 dstport 4789])
1832
1833 dnl First, check the underlay
1834 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
1835 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1836 ])
1837
1838 dnl Okay, now check the overlay with different packet sizes
dnl (unfragmented, then payloads that fragment into two and three pieces).
1839 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1840 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1841 ])
1842 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1843 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1844 ])
1845 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1846 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1847 ])
1848
1849 OVS_TRAFFIC_VSWITCHD_STOP
1850 AT_CLEANUP
1851
1852 AT_SETUP([conntrack - IPv6 Fragmentation over vxlan])
dnl IPv6 counterpart of the VXLAN fragmentation test: the underlay stays
dnl IPv4 (172.31.1.0/24), the overlay addresses are fc00::1 and fc00::2, and
dnl the decapsulated IPv6 fragments are reassembled by conntrack on br0.
1853 OVS_CHECK_VXLAN()
1854 CHECK_CONNTRACK()
1855
1856 OVS_TRAFFIC_VSWITCHD_START()
dnl br-underlay carries the encapsulated traffic and simply switches it.
1857 ADD_BR([br-underlay])
1858 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
1859
1860 ADD_NAMESPACES(at_ns0)
1861
1862 dnl Sending ping through conntrack
dnl Port 1 is presumably the at_vxlan0 tunnel port added below; LOCAL is
dnl br0's internal port, which owns the overlay address fc00::2.
1863 AT_DATA([flows.txt], [dnl
1864 priority=1,action=drop
1865 priority=100,in_port=1,ipv6,action=ct(commit,zone=9),LOCAL
1866 priority=100,in_port=LOCAL,ipv6,action=ct(table=1,zone=9)
1867 table=1,priority=100,in_port=LOCAL,ct_state=+trk+est,ipv6,action=1
1868
1869 dnl Neighbour Discovery (bypasses conntrack; highest priority)
1870 priority=1000,icmp6,icmp_type=135,action=normal
1871 priority=1000,icmp6,icmp_type=136,action=normal
1872 ])
1873
1874 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1875
1876 dnl Set up underlay link from host into the namespace using veth pair.
1877 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
1878 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
1879 AT_CHECK([ip link set dev br-underlay up])
1880
1881 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
1882 dnl linux device inside the namespace.
1883 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], ["fc00::2/96"])
1884 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], ["fc00::1/96"],
1885                   [id 0 dstport 4789])
1886
1887 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1888 dnl waiting, we get occasional failures due to the following error:
1889 dnl "connect: Cannot assign requested address"
1890 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1891
1892 dnl First, check the underlay (IPv4)
1893 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
1894 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1895 ])
1896
1897 dnl Okay, now check the overlay with different packet sizes
dnl (unfragmented, then payloads that fragment into two and three pieces).
1898 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1899 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1900 ])
1901 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1902 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1903 ])
1904 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1905 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1906 ])
1907
1908 OVS_TRAFFIC_VSWITCHD_STOP
1909 AT_CLEANUP
1910
1911 AT_SETUP([conntrack - resubmit to ct multiple times])
dnl Regression check that the same packet can be sent through ct() twice via
dnl two resubmit() paths in one action list: both ct(table=3) invocations
dnl must run, so table 3 is expected to count the packet twice.
1912 CHECK_CONNTRACK()
1913
dnl Fail-mode secure is passed to the bridge setup so that, presumably, no
dnl default NORMAL flow forwards the ping outside of the flows below.
1914 OVS_TRAFFIC_VSWITCHD_START(
1915    [set-fail-mode br0 secure -- ])
1916
1917 ADD_NAMESPACES(at_ns0, at_ns1)
1918
1919 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1920 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1921
1922 AT_DATA([flows.txt], [dnl
1923 table=0,priority=150,arp,action=normal
1924 table=0,priority=100,ip,in_port=1,action=resubmit(,1),resubmit(,2)
1925
1926 table=1,priority=100,ip,action=ct(table=3)
1927 table=2,priority=100,ip,action=ct(table=3)
1928
1929 table=3,ip,action=drop
1930 ])
1931
1932 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1933
dnl The packet is dropped in table 3 on both paths, so the ping must fail.
1934 NS_CHECK_EXEC([at_ns0], [ping -q -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
1935 1 packets transmitted, 0 received, 100% packet loss, time 0ms
1936 ])
1937
dnl One 98-byte echo request seen once in tables 0, 1 and 2, and twice
dnl (2 packets, 196 bytes) in table 3.
1938 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort], [0], [dnl
1939  n_packets=1, n_bytes=98, priority=100,ip,in_port=1 actions=resubmit(,1),resubmit(,2)
1940  n_packets=2, n_bytes=84, priority=150,arp actions=NORMAL
1941  table=1, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
1942  table=2, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
1943  table=3, n_packets=2, n_bytes=196, ip actions=drop
1944 NXST_FLOW reply:
1945 ])
1946
1947 OVS_TRAFFIC_VSWITCHD_STOP
1948 AT_CLEANUP
1949
1950
1951 AT_SETUP([conntrack - simple SNAT])
dnl Source NAT in one direction: ns0's traffic to ns1 is committed in zone 1
dnl with a source address from 10.1.1.240-10.1.1.255, and the reverse
dnl translation is applied to packets coming back from ns1. An OpenFlow ARP
dnl responder answers ARP requests for the NATed range on ns0's behalf.
1952 CHECK_CONNTRACK()
1953 OVS_TRAFFIC_VSWITCHD_START()
1954
1955 ADD_NAMESPACES(at_ns0, at_ns1)
1956
1957 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC so the ARP responder in table 8 can hand it out for the NATed range.
1958 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1959 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1960
1961 dnl Allow any IP traffic from ns0->ns1, SNATed. Traffic from ns1->ns0 is run
1961 dnl through conntrack (reversing the NAT) and forwarded as long as it is
1961 dnl tracked; note that ct_state=+trk alone does not restrict it to return
1961 dnl traffic, unlike the "more complex SNAT" test below.
1962 AT_DATA([flows.txt], [dnl
1963 in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
1964 in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)
1965 in_port=2,ct_state=+trk,ct_zone=1,ip,action=1
1966 dnl
1967 dnl ARP: requests are looked up in table 8 and answered in table 10.
1968 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1969 priority=10 arp action=normal
1970 priority=0,action=drop
1971 dnl
1972 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
1972 dnl (10.1.1.240/28 is the NATed range and resolves to p0's MAC).
1973 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1974 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1975 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
1976 dnl TPA IP in reg2.
1977 dnl Swaps the fields of the ARP message to turn a query to a response.
1978 table=10 priority=100 arp xreg0=0 action=normal
1979 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1980 table=10 priority=0 action=drop
1981 ])
1982
1983 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1984
1985 dnl HTTP requests from p0->p1 should work fine.
1986 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1987 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
1988
dnl The reply tuple's dst is the translated source; the sed masks which
dnl address of 10.1.1.240-10.1.1.255 was picked.
1989 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
1990 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1991 ])
1992
1993 OVS_TRAFFIC_VSWITCHD_STOP
1994 AT_CLEANUP
1995
1996
1997 AT_SETUP([conntrack - SNAT with port range])
dnl Like the simple SNAT test, but the translated source port is also
dnl restricted to 34567-34568 (chosen at random), and only TCP towards one of
dnl those two ports is handed to conntrack on the way back from ns1.
1998 CHECK_CONNTRACK()
1999 OVS_TRAFFIC_VSWITCHD_START()
2000
2001 ADD_NAMESPACES(at_ns0, at_ns1)
2002
2003 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC so the ARP responder in table 8 can hand it out for the NATed range.
2004 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2005 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2006
2007 dnl Allow any TCP from ns0->ns1, SNATed to 10.1.1.240-10.1.1.255 with source
2007 dnl port 34567 or 34568. From ns1->ns0 only TCP to those two ports is
2007 dnl tracked (reversing the NAT) and forwarded; everything else is dropped.
2008 AT_DATA([flows.txt], [dnl
2009 in_port=1,tcp,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255:34567-34568,random)),2
2010 in_port=2,ct_state=-trk,tcp,tp_dst=34567,action=ct(table=0,zone=1,nat)
2011 in_port=2,ct_state=-trk,tcp,tp_dst=34568,action=ct(table=0,zone=1,nat)
2012 in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
2013 dnl
2014 dnl ARP: requests are looked up in table 8 and answered in table 10.
2015 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2016 priority=10 arp action=normal
2017 priority=0,action=drop
2018 dnl
2019 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2019 dnl (10.1.1.240/28 is the NATed range and resolves to p0's MAC).
2020 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2021 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2022 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2023 dnl TPA IP in reg2.
2024 dnl Swaps the fields of the ARP message to turn a query to a response.
2025 table=10 priority=100 arp xreg0=0 action=normal
2026 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2027 table=10 priority=0 action=drop
2028 ])
2029
2030 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2031
2032 dnl HTTP requests from p0->p1 should work fine.
2033 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
2034 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
2035
dnl The reply tuple's dst is the translated source; the sed masks which
dnl address of 10.1.1.240-10.1.1.255 was picked (ports are already cleared).
2036 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
2037 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2038 ])
2039
2040 OVS_TRAFFIC_VSWITCHD_STOP
2041 AT_CLEANUP
2042
2043
2044 AT_SETUP([conntrack - more complex SNAT])
dnl SNAT with a stateful policy: every IP packet is first run through
dnl conntrack (applying any existing NAT), then table 1 commits new ns0->ns1
dnl connections with a translated source and only lets established traffic
dnl back from ns1->ns0. An OpenFlow ARP responder answers for the NATed range.
2045 CHECK_CONNTRACK()
2046 OVS_TRAFFIC_VSWITCHD_START()
2047
2048 ADD_NAMESPACES(at_ns0, at_ns1)
2049
2050 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC so the ARP responder in table 8 can hand it out for the NATed range.
2051 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2052 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2053
2054 AT_DATA([flows.txt], [dnl
2055 dnl Track all IP traffic, NAT existing connections.
2056 priority=100 ip action=ct(table=1,zone=1,nat)
2057 dnl
2058 dnl Allow ARP, but generate responses for NATed addresses
2059 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2060 priority=10 arp action=normal
2061 priority=0 action=drop
2062 dnl
2063 dnl Allow any traffic from ns0->ns1. SNAT ns0 to 10.1.1.240-10.1.1.255
2064 table=1 priority=100 in_port=1 ip ct_state=+trk+new-est action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
2065 table=1 priority=100 in_port=1 ip ct_state=+trk-new+est action=2
2066 dnl Only allow established traffic from ns1->ns0.
2067 table=1 priority=100 in_port=2 ip ct_state=+trk-new+est action=1
2068 table=1 priority=0 action=drop
2069 dnl
2070 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2070 dnl (10.1.1.240/28 is the NATed range and resolves to p0's MAC).
2071 table=8 priority=100 reg2=0x0a0101f0/0xfffffff0 action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2072 dnl Zero result means not found.
2073 table=8 priority=0 action=load:0->OXM_OF_PKT_REG0[[]]
2074 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2075 dnl ARP TPA IP in reg2.
2076 table=10 priority=100 arp xreg0=0 action=normal
2077 dnl Swaps the fields of the ARP message to turn a query to a response.
2078 table=10 priority=10 arp arp_op=1 action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2079 table=10 priority=0 action=drop
2080 ])
2081
2082 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2083
2084 dnl HTTP requests from p0->p1 should work fine.
2085 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
2086 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
2087
dnl The reply tuple's dst is the translated source; the sed masks which
dnl address of 10.1.1.240-10.1.1.255 was picked.
2088 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
2089 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2090 ])
2091
2092 OVS_TRAFFIC_VSWITCHD_STOP
2093 AT_CLEANUP
2094
2095 AT_SETUP([conntrack - simple DNAT])
dnl Destination NAT: connections from ns0 to the virtual address 10.1.1.64
dnl are translated to ns1's real address 10.1.1.2 in zone 1, and the reverse
dnl translation is applied to established return traffic. An OpenFlow ARP
dnl responder answers ARP requests for 10.1.1.64 with p1's MAC. Direct
dnl connections to 10.1.1.2 must keep working alongside the NATed ones.
2096 CHECK_CONNTRACK()
2097 OVS_TRAFFIC_VSWITCHD_START()
2098
2099 ADD_NAMESPACES(at_ns0, at_ns1)
2100
2101 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2102 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Fixed MAC so the ARP responder in table 8 can hand it out for 10.1.1.64.
2103 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
2104
2105 dnl Allow any IP traffic from ns0->ns1 (DNATed when it targets 10.1.1.64).
2105 dnl From ns1->ns0 only established traffic is forwarded; ARP is handled by
2105 dnl the responder below.
2106 AT_DATA([flows.txt], [dnl
2107 priority=100 in_port=1,ip,nw_dst=10.1.1.64,action=ct(zone=1,nat(dst=10.1.1.2),commit),2
2108 priority=10 in_port=1,ip,action=ct(commit,zone=1),2
2109 priority=100 in_port=2,ct_state=-trk,ip,action=ct(table=0,nat,zone=1)
2110 priority=100 in_port=2,ct_state=+trk+est,ct_zone=1,ip,action=1
2111 dnl
2112 dnl ARP: requests are looked up in table 8 and answered in table 10.
2113 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2114 priority=10 arp action=normal
2115 priority=0,action=drop
2116 dnl
2117 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2117 dnl (0x0a010140 is 10.1.1.64, the virtual address, resolving to p1's MAC).
2118 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2119 dnl Zero result means not found.
2120 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2121 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2122 dnl TPA IP in reg2.
2123 table=10 priority=100 arp xreg0=0 action=normal
2124 dnl Swaps the fields of the ARP message to turn a query to a response.
2125 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2126 table=10 priority=0 action=drop
2127 ])
2128
2129 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2130
2131 dnl Should work with the virtual IP address through NAT
2132 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
2133 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
2134
dnl orig dst is the virtual address, reply src the real one: DNAT applied.
2135 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
2136 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2137 ])
2138
2139 dnl Should work with the assigned IP address as well
2140 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2141
dnl Untranslated entry committed by the priority=10 flow.
2142 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2143 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2144 ])
2145
2146 OVS_TRAFFIC_VSWITCHD_STOP
2147 AT_CLEANUP
2148
AT_SETUP([conntrack - more complex DNAT])
dnl Same scenario as the simple DNAT test (10.1.1.64 -> 10.1.1.2 in zone 1),
dnl but all IP traffic is sent through conntrack in table 0 first and the
dnl per-direction policy is expressed in table 1 on the resulting ct_state.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Fixed MAC: the ARP responder in table 8 hands this address out for 10.1.1.64.
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])

dnl Allow any IP traffic from ns0->ns1.  Only allow ARP and established
dnl (return) traffic from ns1->ns0.
AT_DATA([flows.txt], [dnl
dnl Track all IP traffic; nat here applies the recorded translation to
dnl packets of already committed connections.
table=0 priority=100 ip action=ct(table=1,zone=1,nat)
dnl
dnl Allow ARP, but generate responses for NATed addresses
table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
table=0 priority=10 arp action=normal
table=0 priority=0 action=drop
dnl
dnl Allow any IP traffic from ns0->ns1. DNAT ns0 from 10.1.1.64 to 10.1.1.2
table=1 priority=100 in_port=1 ct_state=+new ip nw_dst=10.1.1.64 action=ct(zone=1,nat(dst=10.1.1.2),commit),2
table=1 priority=10 in_port=1 ct_state=+new ip action=ct(commit,zone=1),2
table=1 priority=100 in_port=1 ct_state=+est ct_zone=1 action=2
dnl Only allow established traffic from ns1->ns0.
table=1 priority=100 in_port=2 ct_state=+est ct_zone=1 action=1
table=1 priority=0 action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl (0x0a010140 is 10.1.1.64, 0x808888888888 is the MAC set on p1 above).
table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
table=10 priority=100 arp xreg0=0 action=normal
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Should work with the virtual IP address through NAT
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])

dnl The entry shows the translation: original dst 10.1.1.64, reply src 10.1.1.2.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
])

dnl Should work with the assigned IP address as well (no translation applied).
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2208
AT_SETUP([conntrack - ICMP related with NAT])
dnl UDP from ns0 is SNATted to an address in 10.1.1.240-10.1.1.255 and the
dnl connection is marked (ct_mark=1).  Nothing listens on UDP port 10000 in
dnl ns1, so ns1 answers with an ICMP error that conntrack classifies as
dnl related to that UDP connection.  The test checks that the ICMP error is
dnl reverse-NATted back to 10.1.1.1 and is only admitted through the +rel and
dnl ct_mark=1 match, i.e. unrelated ICMP from ns1 would not reach ns0.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC: the ARP responder in table 8 hands this address out for the
dnl SNAT range, since no interface actually owns those addresses.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
dnl Make sure ICMP responses are reverse-NATted.
AT_DATA([flows.txt], [dnl
in_port=1,udp,action=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:1->ct_mark)),2
in_port=2,icmp,ct_state=-trk,action=ct(table=0,nat)
in_port=2,icmp,nw_dst=10.1.1.1,ct_state=+trk+rel,ct_mark=1,action=1
dnl
dnl ARP
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0,action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl (0x0a0101f0/0xfffffff0 covers the SNAT range 10.1.1.240-10.1.1.255).
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])

dnl Every non-drop flow must have seen traffic: the UDP packet, the ARP
dnl exchange, and the ICMP error on its way through ct and back to port 1.
AT_CHECK([ovs-appctl revalidator/purge], [0])
AT_CHECK([ovs-ofctl -O OpenFlow15 dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
 n_packets=1, n_bytes=42, priority=10,arp actions=NORMAL
 n_packets=1, n_bytes=44, udp,in_port=1 actions=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:0x1->ct_mark)),output:2
 n_packets=1, n_bytes=72, ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2,nw_dst=10.1.1.1 actions=output:1
 n_packets=1, n_bytes=72, ct_state=-trk,icmp,in_port=2 actions=ct(table=0,nat)
 n_packets=2, n_bytes=84, priority=100,arp,arp_op=1 actions=move:NXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
 table=10, n_packets=1, n_bytes=42, priority=10,arp,arp_op=1 actions=set_field:2->arp_op,move:NXM_NX_ARP_SHA[[]]->NXM_NX_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_NX_ARP_SHA[[]],move:NXM_OF_ARP_SPA[[]]->NXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->NXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],set_field:0->in_port,output:NXM_NX_REG3[[0..15]]
 table=10, n_packets=1, n_bytes=42, priority=100,arp,reg0=0,reg1=0 actions=NORMAL
 table=8, n_packets=1, n_bytes=42, priority=0 actions=set_field:0->xreg0
 table=8, n_packets=1, n_bytes=42, reg2=0xa0101f0/0xfffffff0 actions=set_field:0x808888888888->xreg0
OFPST_FLOW reply (OF1.5):
])

dnl The sed masks which address of the SNAT range was picked (10.1.1.24x or
dnl 10.1.1.25x); mark=1 confirms the exec(set_field) on commit took effect.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),mark=1
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2267
2268
AT_SETUP([conntrack - FTP with NAT])
dnl Active-mode FTP through SNAT.  The control connection from ns0 is SNATted
dnl to 10.1.1.240 and handled by the ftp ALG, so the data connection that the
dnl server in ns1 opens back towards 10.1.1.240 is recognised as related and
dnl reverse-NATted to 10.1.1.1 by the port 2 -> 1 rules in table 2.
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
CHECK_CONNTRACK()

OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC: the ARP responder in table 8 hands this address out for the
dnl SNAT range, since no interface actually owns 10.1.1.240.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any traffic from ns0->ns1.  Only allow ARP, established return
dnl traffic and related (data / ICMP) traffic from ns1->ns0.

AT_DATA([flows.txt], [dnl
dnl track all IP traffic, de-mangle non-NEW connections
table=0 in_port=1, ip, action=ct(table=1,nat)
table=0 in_port=2, ip, action=ct(table=2,nat)
dnl
dnl ARP
dnl
table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
table=0 priority=10 arp action=normal
table=0 priority=0 action=drop
dnl
dnl Table 1: port 1 -> 2
dnl
dnl Allow new FTP connections. These need to be committed.
table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
dnl Allow established TCP connections, make sure they are NATted already.
table=1 ct_state=+est, tcp, nw_src=10.1.1.240,     action=2
dnl
dnl Table 1: droppers
dnl
table=1 priority=10, tcp, action=drop
table=1 priority=0,action=drop
dnl
dnl Table 2: port 2 -> 1
dnl
dnl Allow established TCP connections, make sure they are reverse NATted
table=2 ct_state=+est, tcp, nw_dst=10.1.1.1, action=1
dnl Allow (new) related (data) connections.  These need to be committed.
table=2 ct_state=+new+rel, tcp, nw_dst=10.1.1.240, action=ct(commit,nat),1
dnl Allow related ICMP packets, make sure they are reverse NATted
table=2 ct_state=+rel, icmp, nw_dst=10.1.1.1, action=1
dnl
dnl Table 2: droppers
dnl
table=2 priority=10, tcp, action=drop
table=2 priority=0, action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl (0x0a0101f0/0xfffffff0 covers 10.1.1.240-10.1.1.255).
dnl
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Start the FTP server in ns1 and wait until it is listening.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])

dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode, so the server opens the data
dnl connection back to the client; that is the related connection under test.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])

dnl First entry: control connection (helper=ftp), SNATted to 10.1.1.240.
dnl Second entry: data connection opened by ns1 to 10.1.1.240, reverse-NATted
dnl so that its reply direction is 10.1.1.1.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2348
2349
AT_SETUP([conntrack - FTP with NAT 2])
dnl Variant of the FTP with NAT test: table 0 only tracks (no nat), and the
dnl translation is applied explicitly by ct(nat) in the table 1 rules.  The
dnl expected conntrack state is the same as in the previous test.
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC: the ARP responder in table 8 hands this address out for the
dnl SNAT range, since no interface actually owns 10.1.1.240.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any traffic from ns0->ns1.
dnl Only allow ARP, established return traffic and related traffic from ns1->ns0.
AT_DATA([flows.txt], [dnl
dnl track all IP traffic (this includes a helper call to non-NEW packets.)
table=0 ip, action=ct(table=1)
dnl
dnl ARP
dnl
table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
table=0 priority=10 arp action=normal
table=0 priority=0 action=drop
dnl
dnl Table 1
dnl
dnl Allow new FTP connections. These need to be committed.
dnl This does helper for new packets.
table=1 in_port=1 ct_state=+new, tcp, tp_dst=21, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
dnl Allow and NAT established TCP connections
table=1 in_port=1 ct_state=+est, tcp,     action=ct(nat),2
table=1 in_port=2 ct_state=+est, tcp,     action=ct(nat),1
dnl Allow and NAT (new) related active (data) connections.
dnl These need to be committed.
table=1 in_port=2 ct_state=+new+rel, tcp, action=ct(commit,nat),1
dnl Allow related ICMP packets.
table=1 in_port=2 ct_state=+rel, icmp,    action=ct(nat),1
dnl Drop everything else.
table=1 priority=0, action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl (0x0a0101f0/0xfffffff0 covers 10.1.1.240-10.1.1.255).
dnl
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Start the FTP server in ns1 and wait until it is listening.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])

dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode, so the server opens the data
dnl connection back to the client; that is the related connection under test.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])

dnl Discards CLOSE_WAIT and CLOSING
dnl First entry: control connection (helper=ftp), SNATted to 10.1.1.240.
dnl Second entry: data connection opened by ns1, reverse-NATted to 10.1.1.1.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2417
AT_SETUP([conntrack - IPv6 HTTP with NAT])
dnl IPv6 SNAT: traffic from ns0 leaves as fc00::240.  HTTP from ns0 to ns1
dnl must work, while a connection initiated from ns1 to ns0 must fail because
dnl only established return traffic is admitted on port 2.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl Static neighbour entry for the NAT address, which no interface owns.
NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])

dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,icmp6,action=normal
priority=100,in_port=1,ip6,action=ct(commit,nat(src=fc00::240)),2
priority=100,in_port=2,ct_state=-trk,ip6,action=ct(nat,table=0)
priority=100,in_port=2,ct_state=+trk+est,ip6,action=1
dnl Neighbor solicitations (ICMPv6 type 135) from ns1 for the NAT address are
dnl DNATted to fc00::1 so that ns0 answers them.
priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::240,action=ct(commit,nat(dst=fc00::1)),1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])

dnl HTTP requests from ns0->ns1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])

NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl HTTP requests from ns1->ns0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.  Exit status 4 is what wget reports
dnl for a network failure.
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2458
2459
AT_SETUP([conntrack - IPv6 FTP with NAT])
dnl IPv6 counterpart of the FTP with NAT test: the control connection from
dnl ns0 is SNATted to fc00::240 and handled by the ftp ALG, and the active-mode
dnl data connection that ns1 opens back to fc00::240 is admitted as related
dnl and reverse-NATted to fc00::1.
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl Would be nice if NAT could translate neighbor discovery messages, too.
dnl Until then, ns1 gets a static neighbour entry for the NAT address.
NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])

dnl Allow any traffic from ns0->ns1.
dnl Only allow nd, return traffic from ns1->ns0.
AT_DATA([flows.txt], [dnl
dnl Allow other ICMPv6 both ways (without commit).
table=1 priority=100 in_port=1 icmp6, action=2
table=1 priority=100 in_port=2 icmp6, action=1
dnl track all IPv6 traffic (this includes NAT & help to non-NEW packets.)
table=0 priority=10 ip6, action=ct(nat,table=1)
table=0 priority=0 action=drop
dnl
dnl Table 1
dnl
dnl Allow new TCPv6 FTP control connections.
table=1 in_port=1 ct_state=+new tcp6 ipv6_src=fc00::1 tp_dst=21  action=ct(alg=ftp,commit,nat(src=fc00::240)),2
dnl Allow related TCPv6 connections from port 2 to the NATted address.
table=1 in_port=2 ct_state=+new+rel tcp6 ipv6_dst=fc00::240 action=ct(commit,nat),1
dnl Allow established TCPv6 connections both ways, enforce NATting
dnl (the address matches only succeed if the translation was applied).
table=1 in_port=1 ct_state=+est tcp6 ipv6_src=fc00::240   action=2
table=1 in_port=2 ct_state=+est tcp6 ipv6_dst=fc00::1     action=1
dnl Drop everything else.
table=1 priority=0, action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])

dnl Start the FTP server in ns1 and wait until it is listening.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])

dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode, so the server opens the data
dnl connection back to the client; that is the related connection under test.
NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])

dnl Discards CLOSE_WAIT and CLOSING
dnl First entry: control connection (helper=ftp), SNATted to fc00::240.
dnl Second entry: data connection opened by ns1, reverse-NATted to fc00::1.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
tcp,orig=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2517
AT_SETUP([conntrack - DNAT load balancing])
dnl A select group spreads new connections to the virtual address 10.1.1.64
dnl over three servers (ns2, ns3, ns4) by DNATting each connection in its
dnl bucket.  ns1 is the client.  After a number of requests every server is
dnl expected to have received at least one connection.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns1, at_ns2, at_ns3, at_ns4)

ADD_VETH(p1, at_ns1, br0, "10.1.1.1/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.2/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.3/24")
ADD_VETH(p4, at_ns4, br0, "10.1.1.4/24")
dnl Fixed MACs so that the routing table (table 4) can rewrite the
dnl destination MAC per server without relying on ARP.
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:11])
NS_CHECK_EXEC([at_ns2], [ip link set dev p2 address 80:88:88:88:88:22])
NS_CHECK_EXEC([at_ns3], [ip link set dev p3 address 80:88:88:88:88:33])
NS_CHECK_EXEC([at_ns4], [ip link set dev p4 address 80:88:88:88:88:44])

dnl Select group for load balancing.  One bucket per server.  Each bucket
dnl tracks and NATs the connection and recirculates to table 4 for egress
dnl routing.  Packets of existing connections are always NATted based on
dnl connection state, only new connections are NATted according to the
dnl specific NAT parameters in each bucket.
AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn add-group br0 "group_id=234,type=select,bucket=weight=100,ct(nat(dst=10.1.1.2),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.3),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.4),commit,table=4)"])

AT_DATA([flows.txt], [dnl
dnl Track connections to the virtual IP address.
table=0 priority=100 ip nw_dst=10.1.1.64 action=group:234
dnl All other IP traffic is allowed but the connection state is not committed.
dnl (nat still reverse-translates replies of committed connections.)
table=0 priority=90 ip action=ct(table=4,nat)
dnl
dnl Allow ARP, but generate responses for virtual addresses
table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
table=0 priority=10 arp action=normal
table=0 priority=0 action=drop
dnl
dnl Routing table: after NAT, pick the output port and destination MAC from
dnl the (translated) destination address.
dnl
table=4,ip,nw_dst=10.1.1.1 action=mod_dl_dst:80:88:88:88:88:11,output:1
table=4,ip,nw_dst=10.1.1.2 action=mod_dl_dst:80:88:88:88:88:22,output:2
table=4,ip,nw_dst=10.1.1.3 action=mod_dl_dst:80:88:88:88:88:33,output:3
table=4,ip,nw_dst=10.1.1.4 action=mod_dl_dst:80:88:88:88:88:44,output:4
table=4 priority=0 action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl (0x0a010140 is 10.1.1.64).
table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
table=10 priority=100 arp xreg0=0 action=normal
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
dnl NOTE(review): unlike the other conntrack tests this sends unmatched ARP to
dnl the controller instead of dropping it; looks like a debugging aid, confirm.
table=10 priority=0 action=controller
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Start web servers
NETNS_DAEMONIZE([at_ns2], [[$PYTHON $srcdir/test-l7.py]], [http2.pid])
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http3.pid])
NETNS_DAEMONIZE([at_ns4], [[$PYTHON $srcdir/test-l7.py]], [http4.pid])

dnl Diagnostics dumped into the log when the test exits, for debugging failures.
on_exit 'ovs-ofctl -O OpenFlow15 dump-flows br0'
on_exit 'ovs-appctl revalidator/purge'
on_exit 'ovs-appctl dpif/dump-flows br0'

dnl Should work with the virtual IP address through NAT
for i in 1 2 3 4 5 6 7 8 9 10 11 12; do
    echo Request $i
    NS_CHECK_EXEC([at_ns1], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget$i.log])
done

dnl Each server should have at least one connection.
dnl NOTE(review): 12 entries are created but only 3 lines are expected, so this
dnl presumably relies on FORMAT_CT collapsing duplicates once ports are
dnl cleared; the distribution itself depends on the select group hashing.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.3,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
])

dnl Unchecked diagnostic output; nothing below is asserted on.
ovs-appctl dpif/dump-flows br0
ovs-appctl revalidator/purge
ovs-ofctl -O OpenFlow15 dump-flows br0
ovs-ofctl -O OpenFlow15 dump-group-stats br0

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2602
2603
AT_SETUP([conntrack - DNAT load balancing with NC])
dnl Same select-group DNAT setup as the previous test, but with two clients
dnl (ns1 and ns5) that use nc with fixed source ports, so that the two clients
dnl present identical ports to the load balancer for each request.
dnl NOTE(review): apart from the exit status of each nc command nothing is
dnl asserted here; the conntrack and flow dumps at the end are only printed.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns1, at_ns2, at_ns3, at_ns4, at_ns5)

ADD_VETH(p1, at_ns1, br0, "10.1.1.1/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.2/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.3/24")
ADD_VETH(p4, at_ns4, br0, "10.1.1.4/24")
ADD_VETH(p5, at_ns5, br0, "10.1.1.5/24")
dnl Fixed MACs so that the routing table (table 4) can rewrite the
dnl destination MAC per host without relying on ARP.
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:11])
NS_CHECK_EXEC([at_ns2], [ip link set dev p2 address 80:88:88:88:88:22])
NS_CHECK_EXEC([at_ns3], [ip link set dev p3 address 80:88:88:88:88:33])
NS_CHECK_EXEC([at_ns4], [ip link set dev p4 address 80:88:88:88:88:44])
NS_CHECK_EXEC([at_ns5], [ip link set dev p5 address 80:88:88:88:88:55])

dnl Select group for load balancing.  One bucket per server.  Each bucket
dnl tracks and NATs the connection and recirculates to table 4 for egress
dnl routing.  Packets of existing connections are always NATted based on
dnl connection state, only new connections are NATted according to the
dnl specific NAT parameters in each bucket.
AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn add-group br0 "group_id=234,type=select,bucket=weight=100,ct(nat(dst=10.1.1.2),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.3),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.4),commit,table=4)"])

AT_DATA([flows.txt], [dnl
dnl Track connections to the virtual IP address.
table=0 priority=100 ip nw_dst=10.1.1.64 action=group:234
dnl All other IP traffic is allowed but the connection state is not committed.
dnl (nat still reverse-translates replies of committed connections.)
table=0 priority=90 ip action=ct(table=4,nat)
dnl
dnl Allow ARP, but generate responses for virtual addresses
table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
table=0 priority=10 arp action=normal
table=0 priority=0 action=drop
dnl
dnl Routing table: after NAT, pick the output port and destination MAC from
dnl the (translated) destination address.
dnl
table=4,ip,nw_dst=10.1.1.1 action=mod_dl_dst:80:88:88:88:88:11,output:1
table=4,ip,nw_dst=10.1.1.2 action=mod_dl_dst:80:88:88:88:88:22,output:2
table=4,ip,nw_dst=10.1.1.3 action=mod_dl_dst:80:88:88:88:88:33,output:3
table=4,ip,nw_dst=10.1.1.4 action=mod_dl_dst:80:88:88:88:88:44,output:4
table=4,ip,nw_dst=10.1.1.5 action=mod_dl_dst:80:88:88:88:88:55,output:5
table=4 priority=0 action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl (0x0a010140 is 10.1.1.64).
table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
table=10 priority=100 arp xreg0=0 action=normal
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
dnl NOTE(review): unlike the other conntrack tests this sends unmatched ARP to
dnl the controller instead of dropping it; looks like a debugging aid, confirm.
table=10 priority=0 action=controller
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Start web servers
NETNS_DAEMONIZE([at_ns2], [[$PYTHON $srcdir/test-l7.py]], [http2.pid])
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http3.pid])
NETNS_DAEMONIZE([at_ns4], [[$PYTHON $srcdir/test-l7.py]], [http4.pid])

dnl Diagnostics dumped into the log when the test exits, for debugging failures.
on_exit 'ovs-ofctl -O OpenFlow15 dump-flows br0'
on_exit 'ovs-appctl revalidator/purge'
on_exit 'ovs-appctl dpif/dump-flows br0'

dnl NOTE(review): fixed delay for the web servers to come up; the other tests
dnl use OVS_WAIT_UNTIL or wget --retry-connrefused for this instead.
sleep 5

dnl Should work with the virtual IP address through NAT
dnl Both clients use the same source port 4100i for request i.  Note that nc
dnl is invoked without the NC_EOF_OPT used by the ICMP related test above.
for i in 1 2 3 4 5 6 7 8 9; do
    echo Request $i
    NS_CHECK_EXEC([at_ns1], [echo "TEST1" | nc -p 4100$i 10.1.1.64 80 > nc-1-$i.log])
    NS_CHECK_EXEC([at_ns5], [echo "TEST5" | nc -p 4100$i 10.1.1.64 80 > nc-5-$i.log])
done

dnl Unchecked diagnostic output; nothing below is asserted on.
conntrack -L 2>&1

ovs-appctl dpif/dump-flows br0
ovs-appctl revalidator/purge
ovs-ofctl -O OpenFlow15 dump-flows br0
ovs-ofctl -O OpenFlow15 dump-group-stats br0

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP