1 AT_BANNER([datapath-sanity])
dnl Baseline forwarding checks.  Every test under this banner programs a
dnl single "actions=normal" flow, i.e. an unfiltered MAC-learning switch, so
dnl they verify that the datapath carries traffic and make no claim about
dnl policy enforcement; the conntrack tests further down cover that.
3 AT_SETUP([datapath - ping between two ports])
4 OVS_TRAFFIC_VSWITCHD_START()
6 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
8 ADD_NAMESPACES(at_ns0, at_ns1)
10 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
11 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Three payload sizes: default, 1600 and 3200 bytes.  The last two exceed a
dnl 1500-byte Ethernet MTU, so they exercise IP fragmentation and reassembly
dnl through the datapath rather than only small-frame forwarding.
13 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
14 3 packets transmitted, 3 received, 0% packet loss, time 0ms
16 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
17 3 packets transmitted, 3 received, 0% packet loss, time 0ms
19 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
20 3 packets transmitted, 3 received, 0% packet loss, time 0ms
23 OVS_TRAFFIC_VSWITCHD_STOP
dnl Same unfiltered topology as the ping test, but with a TCP application
dnl flow: an HTTP server (test-l7.py from $srcdir) in at_ns1 and a wget
dnl client in at_ns0.
26 AT_SETUP([datapath - http between two ports])
27 OVS_TRAFFIC_VSWITCHD_START()
29 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
31 ADD_NAMESPACES(at_ns0, at_ns1)
33 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
34 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
36 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
37 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl The server is daemonized and may not be listening yet when wget starts;
dnl --retry-connrefused with -t 3 -T 1 tolerates that race without hiding a
dnl genuine forwarding failure (wget still exits non-zero after 3 attempts).
40 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
41 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
43 OVS_TRAFFIC_VSWITCHD_STOP
dnl VLAN-tagged forwarding.  Each namespace gets an untagged address on
dnl 10.1.1.0/24 and a VLAN 100 sub-interface on 10.2.2.0/24; only the tagged
dnl path is pinged, so this checks that "normal" preserves the 802.1Q tag
dnl end to end.  The untagged addresses are configured but never exercised.
46 AT_SETUP([datapath - ping between two ports on vlan])
47 OVS_TRAFFIC_VSWITCHD_START()
49 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
51 ADD_NAMESPACES(at_ns0, at_ns1)
53 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
54 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
56 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
57 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
dnl 1600- and 3200-byte payloads exceed a 1500-byte MTU, so the tagged path
dnl is also checked with fragmented packets.
59 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
60 3 packets transmitted, 3 received, 0% packet loss, time 0ms
62 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
63 3 packets transmitted, 3 received, 0% packet loss, time 0ms
65 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
66 3 packets transmitted, 3 received, 0% packet loss, time 0ms
69 OVS_TRAFFIC_VSWITCHD_STOP
dnl IPv6 counterpart of the first ping test, using fc00::/96 (unique local
dnl addresses, so nothing here is routable outside the test).
72 AT_SETUP([datapath - ping6 between two ports])
73 OVS_TRAFFIC_VSWITCHD_START()
75 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
77 ADD_NAMESPACES(at_ns0, at_ns1)
79 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
80 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
82 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
83 dnl waiting, we get occasional failures due to the following error:
84 dnl "connect: Cannot assign requested address"
dnl (Presumably duplicate address detection holding the address tentative;
dnl the wait polls until a single ping6 succeeds rather than sleeping.)
85 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
dnl 1600- and 3200-byte payloads exceed a 1500-byte MTU, so IPv6
dnl fragmentation through the datapath is exercised as well.
87 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
88 3 packets transmitted, 3 received, 0% packet loss, time 0ms
90 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
91 3 packets transmitted, 3 received, 0% packet loss, time 0ms
93 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
94 3 packets transmitted, 3 received, 0% packet loss, time 0ms
97 OVS_TRAFFIC_VSWITCHD_STOP
dnl IPv6 over VLAN 100: untagged fc00::/96 on the veths, tagged fc00:1::/96
dnl on the VLAN sub-interfaces; only the tagged addresses are pinged.
100 AT_SETUP([datapath - ping6 between two ports on vlan])
101 OVS_TRAFFIC_VSWITCHD_START()
103 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
105 ADD_NAMESPACES(at_ns0, at_ns1)
107 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
108 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
110 ADD_VLAN(p0, at_ns0, 100, "fc00:1::1/96")
111 ADD_VLAN(p1, at_ns1, 100, "fc00:1::2/96")
113 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
114 dnl waiting, we get occasional failures due to the following error:
115 dnl "connect: Cannot assign requested address"
dnl NOTE(review): the wait below probes the untagged address fc00::2, but the
dnl checks that follow use the tagged address fc00:1::2.  A successful wait
dnl therefore proves the untagged interface is ready, not necessarily the
dnl VLAN sub-interface; if this test flakes, waiting on fc00:1::2 instead is
dnl the first thing to try.
116 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
118 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
119 3 packets transmitted, 3 received, 0% packet loss, time 0ms
121 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
122 3 packets transmitted, 3 received, 0% packet loss, time 0ms
124 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
125 3 packets transmitted, 3 received, 0% packet loss, time 0ms
128 OVS_TRAFFIC_VSWITCHD_STOP
dnl Overlay over a VXLAN tunnel.  Topology:
dnl   br-underlay (host side, 172.31.1.100) --veth-- at_ns0 (172.31.1.1)
dnl   br0 carries the OVS VXLAN port at_vxlan0 (overlay 10.1.1.100);
dnl   at_ns0 terminates the tunnel with a native Linux vxlan device
dnl   (overlay 10.1.1.1).
dnl VXLAN itself carries no authentication or confidentiality; this test
dnl only verifies encapsulation/decapsulation and forwarding.
131 AT_SETUP([datapath - ping over vxlan tunnel])
134 OVS_TRAFFIC_VSWITCHD_START()
135 ADD_BR([br-underlay])
137 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
138 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
140 ADD_NAMESPACES(at_ns0)
142 dnl Set up underlay link from host into the namespace using veth pair.
143 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
144 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
145 AT_CHECK([ip link set dev br-underlay up])
147 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
148 dnl linux device inside the namespace.
149 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
dnl NOTE: the ADD_NATIVE_TUNNEL call below ends in a trailing comma; its
dnl remaining argument(s) are not visible in this copy of the file.
150 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
153 dnl First, check the underlay
154 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
155 3 packets transmitted, 3 received, 0% packet loss, time 0ms
158 dnl Okay, now check the overlay with different packet sizes
dnl 1600 and 3200 bytes exceed the MTU, so encapsulated fragments are
dnl checked too (the inner packet is larger than the tunnel can carry whole).
159 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
160 3 packets transmitted, 3 received, 0% packet loss, time 0ms
162 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
163 3 packets transmitted, 3 received, 0% packet loss, time 0ms
165 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
166 3 packets transmitted, 3 received, 0% packet loss, time 0ms
169 OVS_TRAFFIC_VSWITCHD_STOP
dnl Same underlay/overlay layout as the VXLAN test, with a GRE tunnel: OVS
dnl port at_gre0 (overlay 10.1.1.100) on br0 and a native gretap device
dnl ns_gre0 (overlay 10.1.1.1) inside at_ns0.  gretap is used so the inner
dnl payload is Ethernet, matching what the OVS gre port expects.  GRE carries
dnl no authentication; only connectivity is verified here.
172 AT_SETUP([datapath - ping over gre tunnel])
175 OVS_TRAFFIC_VSWITCHD_START()
176 ADD_BR([br-underlay])
178 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
179 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
181 ADD_NAMESPACES(at_ns0)
183 dnl Set up underlay link from host into the namespace using veth pair.
184 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
185 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
186 AT_CHECK([ip link set dev br-underlay up])
188 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
189 dnl linux device inside the namespace.
190 ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
191 ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24])
193 dnl First, check the underlay
194 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
195 3 packets transmitted, 3 received, 0% packet loss, time 0ms
198 dnl Okay, now check the overlay with different packet sizes
dnl 1600 and 3200 bytes exceed the MTU, so fragmented inner packets are
dnl pushed through the tunnel as well.
199 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
200 3 packets transmitted, 3 received, 0% packet loss, time 0ms
202 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
203 3 packets transmitted, 3 received, 0% packet loss, time 0ms
205 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
206 3 packets transmitted, 3 received, 0% packet loss, time 0ms
209 OVS_TRAFFIC_VSWITCHD_STOP
dnl Same layout again with Geneve: OVS port at_gnv0 (overlay 10.1.1.100) on
dnl br0 and a native geneve device ns_gnv0 (overlay 10.1.1.1) in at_ns0.
dnl Like the other tunnel tests this checks encap/decap and forwarding only;
dnl Geneve provides no authentication of the outer packet.
212 AT_SETUP([datapath - ping over geneve tunnel])
215 OVS_TRAFFIC_VSWITCHD_START()
216 ADD_BR([br-underlay])
218 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
219 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
221 ADD_NAMESPACES(at_ns0)
223 dnl Set up underlay link from host into the namespace using veth pair.
224 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
225 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
226 AT_CHECK([ip link set dev br-underlay up])
228 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
229 dnl linux device inside the namespace.
230 ADD_OVS_TUNNEL([geneve], [br0], [at_gnv0], [172.31.1.1], [10.1.1.100/24])
dnl NOTE: the ADD_NATIVE_TUNNEL call below ends in a trailing comma; its
dnl remaining argument(s) are not visible in this copy of the file.
231 ADD_NATIVE_TUNNEL([geneve], [ns_gnv0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
234 dnl First, check the underlay
235 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
236 3 packets transmitted, 3 received, 0% packet loss, time 0ms
239 dnl Okay, now check the overlay with different packet sizes
dnl 1600 and 3200 bytes exceed the MTU, so fragmented inner packets are
dnl pushed through the tunnel as well.
240 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
241 3 packets transmitted, 3 received, 0% packet loss, time 0ms
243 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
244 3 packets transmitted, 3 received, 0% packet loss, time 0ms
246 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
247 3 packets transmitted, 3 received, 0% packet loss, time 0ms
250 OVS_TRAFFIC_VSWITCHD_STOP
dnl Exercises output(port=N,max_len=L), i.e. packet truncation on output.
dnl Layout (OpenFlow port numbers in parentheses):
dnl   at_ns0:p0 -> ovs-p0(1)        the sender
dnl   ovs-p1(2) <-veth-> p1(3)      whatever OVS sends out port 2 re-enters
dnl                                 on port 3, where a drop flow counts bytes
dnl   ovs-p2(4) <-veth-> p2(5)      same loopback trick for port 4 / port 5
dnl Truncation is verified purely from the n_bytes counters of the drop flows
dnl on ports 3 and 5, so the expected byte totals below are the oracle.
253 AT_SETUP([datapath - basic truncate action])
254 OVS_TRAFFIC_VSWITCHD_START()
255 AT_CHECK([ovs-ofctl del-flows br0])
257 dnl Create p0 and ovs-p0(1)
258 ADD_NAMESPACES(at_ns0)
259 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed source MAC and a static ARP entry for 10.1.1.2: no host answers at
dnl that address, so the static entry lets nc transmit without ARP resolution
dnl and the flows can match the known destination MAC.
260 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
261 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
263 dnl Create p1(3) and ovs-p1(2), packets received from ovs-p1 will appear in p1
264 AT_CHECK([ip link add p1 type veth peer name ovs-p1])
265 on_exit 'ip link del ovs-p1'
266 AT_CHECK([ip link set dev ovs-p1 up])
267 AT_CHECK([ip link set dev p1 up])
268 AT_CHECK([ovs-vsctl add-port br0 ovs-p1 -- set interface ovs-p1 ofport_request=2])
269 dnl Use p1 to check the truncated packet
270 AT_CHECK([ovs-vsctl add-port br0 p1 -- set interface p1 ofport_request=3])
272 dnl Create p2(5) and ovs-p2(4)
273 AT_CHECK([ip link add p2 type veth peer name ovs-p2])
274 on_exit 'ip link del ovs-p2'
275 AT_CHECK([ip link set dev ovs-p2 up])
276 AT_CHECK([ip link set dev p2 up])
277 AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=4])
278 dnl Use p2 to check the truncated packet
279 AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=5])
dnl Flow set 1: port 2 gets a 100-byte truncated copy, port 4 the full frame.
dnl The drop flows on 3 and 5 exist only to accumulate n_bytes.
282 AT_CHECK([ovs-ofctl del-flows br0])
283 AT_DATA([flows.txt], [dnl
284 in_port=3 dl_dst=e6:66:c1:22:22:22 actions=drop
285 in_port=5 dl_dst=e6:66:c1:22:22:22 actions=drop
286 in_port=1 dl_dst=e6:66:c1:22:22:22 actions=output(port=2,max_len=100),output:4
288 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
290 dnl use this file as payload file for ncat
dnl 200 random payload bytes -> one UDP datagram of ETH(14)+IP(20)+UDP(8)+200
dnl = 242 bytes on the wire, which is the untruncated size used below.
291 AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
292 on_exit 'rm -f payload200.bin'
293 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])
295 dnl packet with truncated size
dnl revalidator/purge forces datapath flow stats back into the OpenFlow
dnl counters before they are read; without it n_bytes can lag.
dnl NOTE: the expected n_bytes values for these two checks are not present in
dnl this copy of the file.
296 AT_CHECK([ovs-appctl revalidator/purge], [0])
297 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
300 dnl packet with original size
301 AT_CHECK([ovs-appctl revalidator/purge], [0])
302 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
306 dnl more complicated output actions
dnl Flow set 2 mixes truncated and full outputs to the same ports so that a
dnl max_len on one output must not leak into a later untruncated output of
dnl the same packet.  Counters on ports 3 and 5 are cumulative from set 1.
307 AT_CHECK([ovs-ofctl del-flows br0])
308 AT_DATA([flows.txt], [dnl
309 in_port=3 dl_dst=e6:66:c1:22:22:22 actions=drop
310 in_port=5 dl_dst=e6:66:c1:22:22:22 actions=drop
311 in_port=1 dl_dst=e6:66:c1:22:22:22 actions=output(port=2,max_len=100),output:4,output(port=2,max_len=100),output(port=4,max_len=100),output:2,output(port=4,max_len=200),output(port=2,max_len=65535)
313 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
315 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])
317 dnl 100 + 100 + 242 + min(65535,242) = 684
318 AT_CHECK([ovs-appctl revalidator/purge], [0])
319 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
322 dnl 242 + 100 + min(242,200) = 542
323 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
327 dnl SLOW_ACTION: disable kernel datapath truncate support
328 dnl Repeat the test above, but exercise the SLOW_ACTION code path
dnl "diabled" below is the daemon's literal reply string, matched verbatim;
dnl correcting the spelling here alone would break the test.
329 AT_CHECK([ovs-appctl dpif/disable-truncate], [0],
330 [Datapath truncate action diabled
333 dnl SLOW_ACTION test1: check datapath actions
dnl ofproto/trace confirms the translated action list still contains
dnl trunc(N) before each truncated output and that the flow is now marked as
dnl userspace slow-path because the datapath no longer advertises truncate.
334 AT_CHECK([ovs-ofctl del-flows br0])
335 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
337 AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=1,dl_type=0x800,dl_src=e6:66:c1:11:11:11,dl_dst=e6:66:c1:22:22:22,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,tp_src=8,tp_dst=9"], [0], [stdout])
338 AT_CHECK([tail -3 stdout], [0],
339 [Datapath actions: trunc(100),3,5,trunc(100),3,trunc(100),5,3,trunc(200),5,trunc(65535),3
340 This flow is handled by the userspace slow path because it:
341 - Uses action(s) not supported by datapath.
344 dnl SLOW_ACTION test2: check actual packet truncate
dnl Same byte totals as the fast-path run are expected from the userspace
dnl implementation of truncation.
345 AT_CHECK([ovs-ofctl del-flows br0])
346 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
347 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])
349 dnl 100 + 100 + 242 + min(65535,242) = 684
350 AT_CHECK([ovs-appctl revalidator/purge], [0])
351 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
355 dnl 242 + 100 + min(242,200) = 542
356 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
360 OVS_TRAFFIC_VSWITCHD_STOP
363 dnl Create 2 bridges and 2 namespaces to test truncate combined with GRE
dnl tunnel push (encapsulate) and pop (decapsulate):
365 dnl br0: overlay bridge
366 dnl ns1: connect to br0, with IP:10.1.1.2
367 dnl br-underlay: with IP: 172.31.1.100
368 dnl ns0: connect to br-underlay with underlay IP 172.31.1.1; its gretap
dnl      device ns_gre0 carries overlay IP 10.1.1.1
dnl OpenFlow ports on br0: at_gre0(1), ovs-p1(2), ovs-p2(3) <-veth-> p2(4).
369 AT_SETUP([datapath - truncate and output to gre tunnel])
371 OVS_TRAFFIC_VSWITCHD_START()
373 ADD_BR([br-underlay])
374 ADD_NAMESPACES(at_ns0)
375 ADD_NAMESPACES(at_ns1)
376 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
377 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
379 dnl Set up underlay link from host into the namespace using veth pair.
380 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
381 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
382 AT_CHECK([ip link set dev br-underlay up])
384 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
385 dnl linux device inside the namespace.
386 ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
387 ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24])
388 AT_CHECK([ovs-vsctl -- set interface at_gre0 ofport_request=1])
dnl Static MACs and ARP entries on both sides so no ARP traffic is needed
dnl (the br0 flow table below drops everything that is not explicitly
dnl matched, ARP included).
389 NS_CHECK_EXEC([at_ns0], [ip link set dev ns_gre0 address e6:66:c1:11:11:11])
390 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
392 dnl Set up (p1 and ovs-p1) at br0
393 ADD_VETH(p1, at_ns1, br0, '10.1.1.2/24')
394 AT_CHECK([ovs-vsctl -- set interface ovs-p1 ofport_request=2])
395 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
396 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
398 dnl Set up (p2 and ovs-p2) as loopback for verifying packet size
399 AT_CHECK([ip link add p2 type veth peer name ovs-p2])
400 on_exit 'ip link del ovs-p2'
401 AT_CHECK([ip link set dev ovs-p2 up])
402 AT_CHECK([ip link set dev p2 up])
403 AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=3])
404 AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=4])
406 dnl use this file as payload file for ncat
407 AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
408 on_exit 'rm -f payload200.bin'
dnl br0 policy: traffic arriving from the tunnel (port 1) is truncated to 100
dnl bytes and sent to ns1 and to the loopback; UDP from ns1 (port 2) is
dnl truncated to 100 bytes and pushed into the tunnel.  Everything else,
dnl including the loopback's return leg on port 4, is dropped (and counted).
410 AT_CHECK([ovs-ofctl del-flows br0])
411 AT_DATA([flows.txt], [dnl
412 priority=99,in_port=1,actions=output(port=2,max_len=100),output(port=3,max_len=100)
413 priority=99,in_port=2,udp,actions=output(port=1,max_len=100)
414 priority=1,in_port=4,ip,actions=drop
415 priority=1,actions=drop
417 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
dnl br-underlay policy: only GRE (nw_proto=47) is allowed, in both directions,
dnl so the underlay counter on the LOCAL flow sees exactly the encapsulated
dnl frames.  NOTE(review): ip_dst=172.31.1.1/24 masks to the whole subnet,
dnl not the single tunnel peer; it is harmless here because the underlay has
dnl one host, but a /32 would express the intent more precisely.
419 AT_CHECK([ovs-ofctl del-flows br-underlay])
420 AT_DATA([flows-underlay.txt], [dnl
421 priority=99,dl_type=0x0800,nw_proto=47,in_port=1,actions=LOCAL
422 priority=99,dl_type=0x0800,nw_proto=47,in_port=LOCAL,ip_dst=172.31.1.1/24,actions=1
423 priority=1,actions=drop
426 AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])
428 dnl check tunnel push path, from at_ns1 to at_ns0
429 NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
430 AT_CHECK([ovs-appctl revalidator/purge], [0])
432 dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
dnl NOTE: the expected n_bytes value lines for the checks in this test are not
dnl present in this copy of the file.
433 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
436 dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
dnl i.e. truncation happens on the inner frame before encapsulation; the
dnl outer headers are added to the already-shortened packet.
437 AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
441 dnl check tunnel pop path, from at_ns0 to at_ns1
442 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 5678 < payload200.bin])
443 dnl After truncation = 100 byte at loopback device p2(4)
444 AT_CHECK([ovs-appctl revalidator/purge], [0])
445 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | awk --field-separator=', ' '{print $5}'], [0], [dnl
449 dnl SLOW_ACTION: disable datapath truncate support
450 dnl Repeat the test above, but exercise the SLOW_ACTION code path
dnl "diabled" is the daemon's literal reply string; do not correct it here
dnl without changing the daemon.
451 AT_CHECK([ovs-appctl dpif/disable-truncate], [0],
452 [Datapath truncate action diabled
455 dnl SLOW_ACTION test1: check datapath actions
456 AT_CHECK([ovs-ofctl del-flows br0])
457 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
459 dnl SLOW_ACTION test2: check actual packet truncate
dnl Re-installing the flows resets their counters, so the slow-path run is
dnl expected to reproduce the same per-flow byte totals as the fast path.
460 AT_CHECK([ovs-ofctl del-flows br0])
461 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
462 AT_CHECK([ovs-ofctl del-flows br-underlay])
463 AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])
465 dnl check tunnel push path, from at_ns1 to at_ns0
466 NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
467 AT_CHECK([ovs-appctl revalidator/purge], [0])
469 dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
470 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
473 dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
474 AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
478 dnl check tunnel pop path, from at_ns0 to at_ns1
479 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 5678 < payload200.bin])
480 dnl After truncation = 100 byte at loopback device p2(4)
481 AT_CHECK([ovs-appctl revalidator/purge], [0])
482 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | awk --field-separator=', ' '{print $5}'], [0], [dnl
486 OVS_TRAFFIC_VSWITCHD_STOP
dnl Conntrack state seen by the controller.  Packets are injected with
dnl packet-out (no namespace traffic is sent) and observed via ovs-ofctl
dnl monitor; the assertion is that an unsolicited "reply" from port 2 never
dnl reaches the controller while a genuine reply to a committed connection
dnl does, carrying ct_state=est|rpl|trk.
489 AT_SETUP([conntrack - controller])
491 OVS_TRAFFIC_VSWITCHD_START()
493 ADD_NAMESPACES(at_ns0, at_ns1)
495 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
496 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
498 dnl Allow any UDP from port 1 (committed to conntrack and punted to the
dnl controller).  From port 2, only ARP and established return traffic are
dnl allowed; untracked UDP is first sent through ct() and re-evaluated.
499 AT_DATA([flows.txt], [dnl
500 priority=1,action=drop
501 priority=10,arp,action=normal
502 priority=100,in_port=1,udp,action=ct(commit),controller
503 priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
504 priority=100,in_port=2,ct_state=+trk+est,udp,action=controller
507 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
509 AT_CAPTURE_FILE([ofctl_monitor.log])
510 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
dnl The hex frames below are hand-built UDP/IPv4 packets between
dnl 50:54:00:00:00:09 and 50:54:00:00:00:0a with IP TTL 0 and zero IP/UDP
dnl checksums (hence nw_ttl=0 and udp_csum:0 in the expected output);
dnl conntrack tracks them regardless of the checksum.
512 dnl Send an unsolicited reply from port 2. This should be dropped.
dnl No connection has been committed, so after ct(table=0) the packet is
dnl +trk+new, not +est, and falls through to the priority=1 drop.
513 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
515 dnl OK, now start a new connection from port 1.
516 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit\),controller '50540000000a50540000000908004500001c00000000001100000a0101010a0101020001000200080000'])
518 dnl Now try a reply from port 2.
519 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
521 dnl Check this output. We only see the latter two packets, not the first.
522 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
523 NXT_PACKET_IN2 (xid=0x0): total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
524 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
525 NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
526 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
529 OVS_TRAFFIC_VSWITCHD_STOP
dnl Stateful one-way policy over TCP: connections may be initiated from ns0
dnl to ns1 only; ns1 may only send traffic belonging to an established
dnl connection.  The reverse direction is expected to fail outright.
532 AT_SETUP([conntrack - IPv4 HTTP])
534 OVS_TRAFFIC_VSWITCHD_START()
536 ADD_NAMESPACES(at_ns0, at_ns1)
538 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
539 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
541 dnl Allow any traffic from ns0->ns1. Only allow ARP and established return
dnl traffic from ns1->ns0.
dnl Note that ARP and ICMP are passed statelessly with "normal" in both
dnl directions; that is fine for a test but in a real policy it is a
dnl bidirectional hole outside conntrack's view.
542 AT_DATA([flows.txt], [dnl
543 priority=1,action=drop
544 priority=10,arp,action=normal
545 priority=10,icmp,action=normal
546 priority=100,in_port=1,tcp,action=ct(commit),2
547 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
548 priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
551 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
553 dnl HTTP requests from ns0->ns1 should work fine.
554 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
555 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl The committed entry must be visible in the conntrack table; FORMAT_CT
dnl masks ports and protocol state, which vary per run.
557 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
558 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
561 dnl HTTP requests from ns1->ns0 should fail due to network failure.
562 dnl Try 3 times, in 1 second intervals.
dnl Exit status 4 is wget's "network failure"; --retry-connrefused is
dnl deliberately omitted so a refused connection would not be retried.
563 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
564 NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log], [4])
566 OVS_TRAFFIC_VSWITCHD_STOP
dnl IPv6 version of the one-way TCP policy above.  ICMPv6 is passed
dnl statelessly because neighbour discovery rides on it; without that flow
dnl neither side could resolve the other.
569 AT_SETUP([conntrack - IPv6 HTTP])
571 OVS_TRAFFIC_VSWITCHD_START()
573 ADD_NAMESPACES(at_ns0, at_ns1)
575 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
576 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
578 dnl Allow any traffic from ns0->ns1. Only allow ND (icmp6) and established
dnl return traffic from ns1->ns0.
579 AT_DATA([flows.txt], [dnl
580 priority=1,action=drop
581 priority=10,icmp6,action=normal
582 priority=100,in_port=1,tcp6,action=ct(commit),2
583 priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
584 priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
587 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
589 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
590 dnl waiting, we get occasional failures due to the following error:
591 dnl "connect: Cannot assign requested address"
592 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
594 dnl HTTP requests from ns0->ns1 should work fine.
dnl The doubled brackets around the literal address are m4 quoting, so wget
dnl receives http://[fc00::2].
595 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])
597 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
599 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
600 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
603 dnl HTTP requests from ns1->ns0 should fail due to network failure.
604 dnl Try 3 times, in 1 second intervals.
dnl Exit status 4 = wget network failure.
605 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
606 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
608 OVS_TRAFFIC_VSWITCHD_STOP
dnl ct(...,table=0) recirculates the packet back into table 0 with ct_state
dnl set.  Two independent pairs are tested: ports 1/2 commit in a single
dnl ct() step; ports 3/4 check that the OpenFlow metadata field written
dnl before one ct() recirculation is still visible after the next one, so a
dnl multi-stage pipeline can rely on it.
611 AT_SETUP([conntrack - commit, recirc])
613 OVS_TRAFFIC_VSWITCHD_START()
615 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
617 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
618 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
619 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
620 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
622 dnl Allow any traffic from ns0->ns1, ns2->ns3.
dnl Note both directions of each pair commit / pass +trk traffic without an
dnl +est check, so this test is about recirculation, not about enforcing
dnl directionality.
623 AT_DATA([flows.txt], [dnl
624 priority=1,action=drop
625 priority=10,arp,action=normal
626 priority=10,icmp,action=normal
627 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
628 priority=100,in_port=1,tcp,ct_state=+trk,action=2
629 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
630 priority=100,in_port=2,tcp,ct_state=+trk,action=1
dnl Port 3: metadata=0 -> ct() -> metadata=1 -> ct(commit) -> output 4.
631 priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
632 priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
633 priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
634 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
635 priority=100,in_port=4,tcp,ct_state=+trk,action=3
638 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
640 dnl HTTP requests from p0->p1 should work fine.
641 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
642 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
644 dnl HTTP requests from p2->p3 should work fine.
645 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
646 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
648 OVS_TRAFFIC_VSWITCHD_STOP
dnl Same shape as "commit, recirc", but the value carried across the ct()
dnl recirculations on port 3 is NXM register 0 instead of the metadata field.
651 AT_SETUP([conntrack - preserve registers])
653 OVS_TRAFFIC_VSWITCHD_START()
655 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
657 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
658 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
659 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
660 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
662 dnl Allow any traffic from ns0->ns1, ns2->ns3.
dnl "[[]]" is m4 quoting for the empty bit-range "[]", i.e. the whole register.
663 AT_DATA([flows.txt], [dnl
664 priority=1,action=drop
665 priority=10,arp,action=normal
666 priority=10,icmp,action=normal
667 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
668 priority=100,in_port=1,tcp,ct_state=+trk,action=2
669 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
670 priority=100,in_port=2,tcp,ct_state=+trk,action=1
dnl Port 3: reg0=0 -> ct() -> reg0=1 -> ct(commit) -> output 4; the second
dnl and third flows only match if reg0 survived the preceding recirculation.
671 priority=100,in_port=3,tcp,ct_state=-trk,action=load:0->NXM_NX_REG0[[]],ct(table=0)
672 priority=100,in_port=3,tcp,ct_state=+trk,reg0=0,action=load:1->NXM_NX_REG0[[]],ct(commit,table=0)
673 priority=100,in_port=3,tcp,ct_state=+trk,reg0=1,action=4
674 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
675 priority=100,in_port=4,tcp,ct_state=+trk,action=3
678 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
680 dnl HTTP requests from p0->p1 should work fine.
681 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
682 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
684 dnl HTTP requests from p2->p3 should work fine.
685 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
686 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
688 OVS_TRAFFIC_VSWITCHD_STOP
dnl What happens to return traffic when the request was tracked but never
dnl committed.  Without a commit there is no connection entry, so the reply
dnl direction cannot be classified as +est; it shows up as +new (or +inv)
dnl instead.  Pair 1/2 relies on +new and fails; pair 3/4 additionally
dnl admits +inv and succeeds.
dnl Security note: a policy that forwards +inv traffic, as port 4 does here,
dnl effectively waives the stateful check for that direction.  It is used
dnl here only to demonstrate the classification, not as a recommended rule.
691 AT_SETUP([conntrack - invalid])
693 OVS_TRAFFIC_VSWITCHD_START()
695 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
697 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
698 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
699 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
700 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
702 dnl Pass traffic from ns0->ns1 without committing, but attempt to track in
703 dnl the opposite direction. This should fail.
704 dnl Pass traffic from ns2->ns3 without committing, and this time match
705 dnl invalid traffic and allow it through.
706 AT_DATA([flows.txt], [dnl
707 priority=1,action=drop
708 priority=10,arp,action=normal
709 priority=10,icmp,action=normal
710 priority=100,in_port=1,tcp,action=ct(),2
711 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
712 priority=100,in_port=2,ct_state=+trk+new,tcp,action=1
713 priority=100,in_port=3,tcp,action=ct(),4
714 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
715 priority=100,in_port=4,ct_state=+trk+inv,tcp,action=3
716 priority=100,in_port=4,ct_state=+trk+new,tcp,action=3
719 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
721 dnl We set up our rules to allow the request without committing. The return
722 dnl traffic can't be identified, because the initial request wasn't committed.
723 dnl For the first pair of ports, this means that the connection fails.
dnl wget exit 4 = network failure.
724 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
725 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4])
727 dnl For the second pair, we allow packets from invalid connections, so it works.
728 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
729 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
731 OVS_TRAFFIC_VSWITCHD_STOP
dnl Conntrack zones isolate connection tables.  Pair 1/2 commits and matches
dnl in zone 1 and works.  Pair 3/4 commits in zone 2 but the return flow
dnl (port 4) matches ct_zone=1 on purpose, so the reply never matches an
dnl allow rule and the connection fails -- demonstrating that a commit in one
dnl zone is invisible to lookups keyed on another.
734 AT_SETUP([conntrack - zones])
736 OVS_TRAFFIC_VSWITCHD_START()
738 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
740 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
741 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
742 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
743 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
745 dnl Allow any traffic from ns0->ns1. Allow return traffic, matching on zone.
746 dnl For ns2->ns3, use a different zone and see that the match fails.
747 AT_DATA([flows.txt], [dnl
748 priority=1,action=drop
749 priority=10,arp,action=normal
750 priority=10,icmp,action=normal
751 priority=100,in_port=1,tcp,action=ct(commit,zone=1),2
752 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
753 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
754 priority=100,in_port=3,tcp,action=ct(commit,zone=2),4
755 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0,zone=2)
dnl Intentional mismatch: tracked in zone 2, matched against ct_zone=1.
756 priority=100,in_port=4,ct_state=+trk,ct_zone=1,tcp,action=3
759 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
761 dnl HTTP requests from p0->p1 should work fine.
762 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
763 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
765 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
766 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
769 dnl HTTP requests from p2->p3 should fail due to network failure.
770 dnl Try 3 times, in 1 second intervals.
771 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
772 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl The SYN from port 3 was still committed, so an entry exists in zone 2
dnl even though the handshake never completed.
774 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
775 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
778 OVS_TRAFFIC_VSWITCHD_STOP
dnl Same zone-isolation scenario as "conntrack - zones", but the zone is taken
dnl from the low 16 bits of reg0 at ct() time rather than written as a
dnl literal.  Zones 0x1001 (4097) and 0x1002 (4098) stand in for 1 and 2;
dnl the port-4 return rule again matches the wrong zone (0x1001) on purpose.
781 AT_SETUP([conntrack - zones from field])
783 OVS_TRAFFIC_VSWITCHD_START()
785 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
787 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
788 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
789 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
790 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
792 dnl Allow any traffic from ns0->ns1.  Allow return traffic from ns1->ns0 only
dnl when it is tracked in the zone loaded from reg0; ns2->ns3 is tracked in a
dnl different zone and its return traffic is expected to be dropped.
793 AT_DATA([flows.txt], [dnl
794 priority=1,action=drop
795 priority=10,arp,action=normal
796 priority=10,icmp,action=normal
797 priority=100,in_port=1,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),2
798 priority=100,in_port=2,ct_state=-trk,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
799 priority=100,in_port=2,ct_state=+trk,ct_zone=0x1001,tcp,action=1
800 priority=100,in_port=3,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),4
801 priority=100,in_port=4,ct_state=-trk,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
dnl Intentional mismatch: tracked in zone 0x1002, matched against 0x1001.
802 priority=100,in_port=4,ct_state=+trk,ct_zone=0x1001,tcp,action=3
805 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
807 dnl HTTP requests from p0->p1 should work fine.
808 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
809 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl dump-conntrack prints the zone in decimal: 0x1001 = 4097.
811 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
812 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=4097,protoinfo=(state=<cleared>)
815 dnl HTTP requests from p2->p3 should fail due to network failure.
816 dnl Try 3 times, in 1 second intervals.
817 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
818 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl 0x1002 = 4098; the entry exists even though the connection never completed.
820 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
821 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=4098,protoinfo=(state=<cleared>)
824 OVS_TRAFFIC_VSWITCHD_STOP
827 AT_SETUP([conntrack - multiple bridges])
dnl Two bridges joined by a patch-port pair, each enforcing its own conntrack
dnl policy in its own zone (1 on br0, 2 on br1). The HTTP connection has to be
dnl committed and looked up independently on both bridges as it crosses the
dnl patch link.
829 OVS_TRAFFIC_VSWITCHD_START(
831 add-port br0 patch+ -- set int patch+ type=patch options:peer=patch- --\
832 add-port br1 patch- -- set int patch- type=patch options:peer=patch+ --])
834 ADD_NAMESPACES(at_ns0, at_ns1)
836 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
837 ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")
839 dnl Allow any traffic from ns0->br1, allow established in reverse.
dnl NOTE(review): port numbers below are inferred from add order: on br0 the
dnl patch port is port 1 and p0 is port 2; on br1 the patch port is port 1 and
dnl p1 is port 2 -- confirm against the bridge dump if this ever changes.
840 AT_DATA([flows-br0.txt], [dnl
841 priority=1,action=drop
842 priority=10,arp,action=normal
843 priority=10,icmp,action=normal
dnl New TCP from p0 is committed in zone 1 and handed to the patch port.
844 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(commit,zone=1),1
dnl TCP arriving from br1 is forwarded to p0 only once it is established in
dnl zone 1; untracked packets are looked up, anything else hits the drop rule.
845 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
846 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=1,action=2
849 dnl Allow any traffic from br0->ns1, allow established in reverse.
850 AT_DATA([flows-br1.txt], [dnl
851 priority=1,action=drop
852 priority=10,arp,action=normal
853 priority=10,icmp,action=normal
dnl From the patch port: new connections are committed in zone 2, established
dnl ones pass straight through to p1.
854 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=2)
855 priority=100,in_port=1,tcp,ct_state=+trk+new,ct_zone=2,action=ct(commit,zone=2),2
856 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=2,action=2
dnl From p1: only traffic already established in zone 2 is sent back to br0.
857 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
858 priority=100,in_port=2,tcp,ct_state=+trk+est,ct_zone=2,action=ct(commit,zone=2),1
861 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
862 AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt])
864 dnl HTTP requests from p0->p1 should work fine.
865 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
866 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl NOTE(review): unlike the neighbouring tests this one never dumps the
dnl conntrack table, so a zone mix-up would only surface as a failed wget.
868 OVS_TRAFFIC_VSWITCHD_STOP
871 AT_SETUP([conntrack - multiple zones])
dnl One connection is committed into two zones at once (two ct() actions in a
dnl single flow) while the return path consults zone 2 only. The dump must show
dnl one entry per zone for the same connection.
873 OVS_TRAFFIC_VSWITCHD_START()
875 ADD_NAMESPACES(at_ns0, at_ns1)
877 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
878 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
880 dnl Allow any traffic from ns0->ns1. Only allow ARP, ICMP and tracked return
dnl traffic in zone 2 from ns1->ns0.
881 AT_DATA([flows.txt], [dnl
882 priority=1,action=drop
883 priority=10,arp,action=normal
884 priority=10,icmp,action=normal
dnl Commit in zone 1 and zone 2 before outputting.
885 priority=100,in_port=1,tcp,action=ct(commit,zone=1),ct(commit,zone=2),2
886 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=2)
887 priority=100,in_port=2,ct_state=+trk,ct_zone=2,tcp,action=1
890 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
892 dnl HTTP requests from p0->p1 should work fine.
893 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
894 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
896 dnl (again) HTTP requests from p0->p1 should work fine.
dnl The repeat request writes to the same wget0.log and overwrites the first.
897 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Same tuple, once in zone 1 and once in zone 2.
899 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
900 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
901 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
904 OVS_TRAFFIC_VSWITCHD_STOP
907 AT_SETUP([conntrack - multiple zones, local])
dnl Two-zone commit as in the previous test, but the client is the host network
dnl stack reached through br0's own address (the LOCAL port) rather than a
dnl namespace, and the return path must be established in both zones.
909 OVS_TRAFFIC_VSWITCHD_START()
911 ADD_NAMESPACES(at_ns0)
913 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
914 AT_CHECK([ip link set dev br0 up])
dnl The address is removed again when the test exits.
915 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
916 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
918 dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
919 dnl return traffic from ns0 back to the local stack.
920 AT_DATA([flows.txt], [dnl
921 priority=1,action=drop
922 priority=10,arp,action=normal
dnl Untracked IP from LOCAL is dropped outright rather than looked up;
dnl presumably packets from the host stack already carry conntrack state when
dnl they reach the bridge, so only the +trk rules below ever see them -- confirm.
923 priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
924 priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
925 priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
dnl Return traffic from ns0 is looked up in zone 1 (table 1) and then zone 2
dnl (table 2) and must be established in both before it reaches the host.
926 priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
927 table=1,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
928 table=2,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
931 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl ICMP is matched by the ip rules here, so the ping is tracked too.
933 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
934 3 packets transmitted, 3 received, 0% packet loss, time 0ms
937 dnl HTTP requests from root namespace to p0 should work fine.
938 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
939 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
941 dnl (again) HTTP requests from root namespace to p0 should work fine.
942 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl The grep keeps only entries that carry a zone; both the ping and the TCP
dnl connection are expected once per zone.
944 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
945 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=1
946 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=2
947 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
948 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
951 OVS_TRAFFIC_VSWITCHD_STOP
954 AT_SETUP([conntrack - multiple namespaces, internal ports])
dnl Same allow-forward / tracked-return policy as the veth tests, but the
dnl namespaces are attached through OVS internal ports (ADD_INT), which is where
dnl conntrack state leaking out of a namespace would show up (see the skb->nfct
dnl note below).
956 OVS_TRAFFIC_VSWITCHD_START(
957 [set-fail-mode br0 secure -- ])
959 ADD_NAMESPACES(at_ns0, at_ns1)
961 ADD_INT(p0, at_ns0, br0, "10.1.1.1/24")
962 ADD_INT(p1, at_ns1, br0, "10.1.1.2/24")
964 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
966 dnl If skb->nfct is leaking from inside the namespace, this test will fail.
dnl That is: the in_port=1 rule requires ct_state=-trk, so a packet that arrives
dnl already carrying conntrack state from the namespace would miss it and be
dnl dropped by the priority=1 rule.
967 AT_DATA([flows.txt], [dnl
968 priority=1,action=drop
969 priority=10,arp,action=normal
970 priority=10,icmp,action=normal
971 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=1),2
972 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
973 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
dnl NOTE(review): this is the only test in this group that installs its flows
dnl without --bundle; inconsistent with the neighbouring tests.
976 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
978 dnl HTTP requests from p0->p1 should work fine.
979 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
980 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
982 dnl (again) HTTP requests from p0->p1 should work fine.
983 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
985 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
986 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
dnl The sed filters below drop log lines about devices that no longer exist;
dnl presumably the internal ports vanish with their namespaces during teardown.
989 OVS_TRAFFIC_VSWITCHD_STOP(["dnl
990 /ioctl(SIOCGIFINDEX) on .* device failed: No such device/d
991 /removing policing failed: No such device/d"])
994 AT_SETUP([conntrack - multi-stage pipeline, local])
dnl Ingress and egress conntrack are split across tables: the input port is the
dnl ingress zone and the output port, carried in REG0, is the egress zone. The
dnl same connection therefore appears under zone=1 and zone=65534 in the dump.
996 OVS_TRAFFIC_VSWITCHD_START()
998 ADD_NAMESPACES(at_ns0)
1000 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
1001 AT_CHECK([ip link set dev br0 up])
1002 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
1003 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
1005 dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
1006 dnl return traffic from ns0 back to the local stack.
1007 AT_DATA([flows.txt], [dnl
1009 table=0,priority=1,action=drop
1010 table=0,priority=10,arp,action=normal
1012 dnl Load the output port to REG0
dnl 65534 is OFPP_LOCAL, so traffic from port 1 is destined for the host stack.
1013 table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
1014 table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1
1016 dnl Ingress pipeline
1017 dnl - Allow all connections from LOCAL port (commit and proceed to egress)
1018 dnl - All other connections go through conntracker using the input port as
1019 dnl a connection tracking zone.
1020 table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2
1021 table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
1022 table=1,priority=1,action=drop
1025 dnl - Allow all connections from LOCAL port (commit and skip to output)
1026 dnl - Allow other established connections to go through conntracker using
1027 dnl output port as a connection tracking zone.
dnl Anything not established after the ingress lookup is dropped here.
1028 table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4
1029 table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
1030 table=2,priority=1,action=drop
1032 dnl Only allow established traffic from egress ct lookup
1033 table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
1034 table=3,priority=1,action=drop
dnl Output stage: the destination was chosen in table 0.
1037 table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
1040 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1042 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1043 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1046 dnl HTTP requests from root namespace to p0 should work fine.
1047 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1048 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1050 dnl (again) HTTP requests from root namespace to p0 should work fine.
1051 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl zone=1 is the ingress zone (in_port of the LOCAL-originated traffic's reply
dnl side is port 1) and zone=65534 the egress zone loaded from REG0.
1053 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
1054 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=1
1055 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=65534
1056 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1057 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=65534,protoinfo=(state=<cleared>)
1060 OVS_TRAFFIC_VSWITCHD_STOP
1063 AT_SETUP([conntrack - ct_mark])
dnl Return traffic is admitted by ct_mark alone, with no zones: the p0/p1
dnl connection is committed with mark 1 and the p2/p3 connection with mark 2,
dnl but both return rules require ct_mark=1, so only p0<->p1 completes.
1065 OVS_TRAFFIC_VSWITCHD_START()
1067 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1069 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1070 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1071 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1072 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1074 dnl Allow traffic between ns0<->ns1 using the ct_mark.
1075 dnl Check that different marks do not match for traffic between ns2<->ns3.
1076 AT_DATA([flows.txt], [dnl
1077 priority=1,action=drop
1078 priority=10,arp,action=normal
1079 priority=10,icmp,action=normal
dnl The mark is written in the same ct() that commits the connection.
1080 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
1081 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1082 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
1083 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:2->ct_mark)),4
1084 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
dnl Deliberate mismatch: the committed mark is 2 but the reply rule needs 1.
1085 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
1088 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1090 dnl HTTP requests from p0->p1 should work fine.
1091 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1092 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl No zone was given, so the entries carry a mark but no zone field.
1094 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1095 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=<cleared>)
1098 dnl HTTP requests from p2->p3 should fail due to network failure.
1099 dnl Try 3 times, in 1 second intervals.
1100 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
1101 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl The forward direction was committed with mark 2 even though replies were
dnl dropped.
1103 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
1104 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=<cleared>)
1107 OVS_TRAFFIC_VSWITCHD_STOP
1110 AT_SETUP([conntrack - ct_mark bit-fiddling])
dnl Masked writes to ct_mark from both directions. The first packet of a new
dnl connection from port 1 sets 0x5 (bits 0 and 2). The first reply from port 2
dnl writes 0x2 under mask 0x6, which clears bit 2 and sets bit 1, leaving 0x3.
dnl Only then does the table 1 rule ct_mark=3 match, and the dump must show
dnl mark=3.
1112 OVS_TRAFFIC_VSWITCHD_START()
1114 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1116 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1117 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1119 dnl Allow traffic between ns0<->ns1 using the ct_mark. Return traffic should
1120 dnl cause an additional bit to be set in the connection (and be allowed).
1121 AT_DATA([flows.txt], [dnl
1122 table=0,priority=1,action=drop
1123 table=0,priority=10,arp,action=normal
1124 table=0,priority=10,icmp,action=normal
1125 table=0,priority=100,in_port=1,tcp,action=ct(table=1)
dnl Commit and modify the mark, then recirculate so table 1 sees the new value.
1126 table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x2/0x6->ct_mark))
1127 table=1,priority=100,in_port=1,ct_state=+new,tcp,action=ct(commit,exec(set_field:0x5/0x5->ct_mark)),2
1128 table=1,priority=100,in_port=1,ct_state=-new,tcp,action=2
1129 table=1,priority=100,in_port=2,ct_state=+trk,ct_mark=3,tcp,action=1
1132 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1134 dnl HTTP requests from p0->p1 should work fine.
1135 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1136 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1138 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1139 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=3,protoinfo=(state=<cleared>)
1142 OVS_TRAFFIC_VSWITCHD_STOP
1145 AT_SETUP([conntrack - ct_mark from register])
dnl Same policy as the plain ct_mark test, but the mark is copied from REG0 with
dnl a move action inside exec() instead of being set from a literal.
1147 OVS_TRAFFIC_VSWITCHD_START()
1149 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1151 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1152 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1153 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1154 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1156 dnl Allow traffic between ns0<->ns1 using a ct_mark loaded from REG0. The
dnl ns2<->ns3 pair is committed with mark 2 but its return rule still requires
dnl ct_mark=1, so that connection must fail.
1157 AT_DATA([flows.txt], [dnl
1158 priority=1,action=drop
1159 priority=10,arp,action=normal
1160 priority=10,icmp,action=normal
1161 priority=100,in_port=1,tcp,action=load:1->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),2
1162 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1163 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
1164 priority=100,in_port=3,tcp,action=load:2->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),4
1165 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
dnl Deliberate mismatch with the mark 2 committed on port 3.
1166 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
1169 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1171 dnl HTTP requests from p0->p1 should work fine.
1172 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1173 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1175 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1176 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=<cleared>)
1179 dnl HTTP requests from p2->p3 should fail due to network failure.
1180 dnl Try 3 times, in 1 second intervals.
1181 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
1182 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
1184 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
1185 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=<cleared>)
1188 OVS_TRAFFIC_VSWITCHD_STOP
1191 AT_SETUP([conntrack - ct_label])
dnl Same pattern as the ct_mark test but keyed on the wider ct_label field: the
dnl p0/p1 connection is committed with one label, the p2/p3 connection with
dnl another, and both return rules require the first label.
1193 OVS_TRAFFIC_VSWITCHD_START()
1195 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1197 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1198 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1199 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1200 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1202 dnl Allow traffic between ns0<->ns1 using the ct_label.
1203 dnl Check that different labels do not match for traffic between ns2<->ns3.
1204 AT_DATA([flows.txt], [dnl
1205 priority=1,action=drop
1206 priority=10,arp,action=normal
1207 priority=10,icmp,action=normal
1208 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:0x0a000d000005000001->ct_label)),2
1209 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1210 priority=100,in_port=2,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=1
1211 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:0x2->ct_label)),4
1212 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
dnl Deliberate mismatch with the label 0x2 committed on port 3.
1213 priority=100,in_port=4,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=3
1216 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1218 dnl HTTP requests from p0->p1 should work fine.
1219 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1220 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1222 dnl HTTP requests from p2->p3 should fail due to network failure.
1223 dnl Try 3 times, in 1 second intervals.
1224 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
1225 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl NOTE(review): unlike the ct_mark test there is no dump-conntrack check
dnl here, so the stored label values are only verified indirectly through the
dnl two wget results.
1227 OVS_TRAFFIC_VSWITCHD_STOP
1230 AT_SETUP([conntrack - ct_label bit-fiddling])
dnl Masked writes to ct_label from both directions. The new connection from
dnl port 1 sets 0x5 (bits 0 and 2). The first reply from port 2 writes
dnl 0x200000000 under mask 0x200000004, which clears bit 2 and sets bit 33,
dnl leaving 0x200000001. That is the value the table 1 return rule matches and
dnl the dump must show as labels=0x200000001.
1232 OVS_TRAFFIC_VSWITCHD_START()
1234 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1236 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1237 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1239 dnl Allow traffic between ns0<->ns1 using the ct_labels. Return traffic should
1240 dnl cause an additional bit to be set in the connection labels (and be allowed)
1241 AT_DATA([flows.txt], [dnl
1242 table=0,priority=1,action=drop
1243 table=0,priority=10,arp,action=normal
1244 table=0,priority=10,icmp,action=normal
1245 table=0,priority=100,in_port=1,tcp,action=ct(table=1)
dnl Commit and modify the label, then recirculate so table 1 sees the new value.
1246 table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label))
1247 table=1,priority=100,in_port=1,tcp,ct_state=+new,action=ct(commit,exec(set_field:0x5/0x5->ct_label)),2
1248 table=1,priority=100,in_port=1,tcp,ct_state=-new,action=2
1249 table=1,priority=100,in_port=2,ct_state=+trk,ct_label=0x200000001,tcp,action=1
1252 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1254 dnl HTTP requests from p0->p1 should work fine.
1255 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1256 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1258 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1259 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),labels=0x200000001,protoinfo=(state=<cleared>)
1262 OVS_TRAFFIC_VSWITCHD_STOP
1265 AT_SETUP([conntrack - ct metadata, multiple zones])
dnl Combines the mark and label bit-fiddling tests with a second zone: the
dnl same masked writes are applied in zone 1 while zone 2 only commits. The
dnl dump must show mark and labels on the zone 1 entry and neither on zone 2.
1267 OVS_TRAFFIC_VSWITCHD_START()
1269 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1271 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1272 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1274 dnl Allow traffic between ns0<->ns1 using the ct_mark and ct_labels in zone=1,
1275 dnl but do *not* set any of these for the ct() in zone=2. Traffic should pass,
1276 dnl and we should see that the conntrack entries only apply the ct_mark and
1277 dnl ct_labels to the connection in zone=1.
1278 AT_DATA([flows.txt], [dnl
1279 table=0,priority=1,action=drop
1280 table=0,priority=10,arp,action=normal
1281 table=0,priority=10,icmp,action=normal
1282 table=0,priority=100,in_port=1,tcp,action=ct(zone=1,table=1)
1283 table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(zone=1,table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label,set_field:0x2/0x6->ct_mark))
dnl The zone 2 commit carries no exec(), so that entry gets no metadata.
1284 table=1,priority=100,in_port=1,tcp,ct_state=+new,action=ct(zone=1,commit,exec(set_field:0x5/0x5->ct_label,set_field:0x5/0x5->ct_mark)),ct(commit,zone=2),2
1285 table=1,priority=100,in_port=1,tcp,ct_state=-new,action=ct(zone=2),2
1286 table=1,priority=100,in_port=2,tcp,action=ct(zone=2),1
1289 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1291 dnl HTTP requests from p0->p1 should work fine.
1292 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1293 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl mark=3 and labels=0x200000001 are the results of the masked writes from
dnl both directions, exactly as in the two bit-fiddling tests.
1295 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1296 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,mark=3,labels=0x200000001,protoinfo=(state=<cleared>)
1297 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
1300 OVS_TRAFFIC_VSWITCHD_STOP
1303 AT_SETUP([conntrack - ICMP related])
dnl Checks that an ICMP error generated in response to a tracked UDP flow is
dnl classified as related and carries the flow's ct_mark. There is no plain
dnl ICMP rule here, so an ICMP packet that is not related to the committed UDP
dnl entry has no way through in either direction.
1305 OVS_TRAFFIC_VSWITCHD_START()
1307 ADD_NAMESPACES(at_ns0, at_ns1)
1309 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1310 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1312 dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
1313 AT_DATA([flows.txt], [dnl
1314 priority=1,action=drop
1315 priority=10,arp,action=normal
1316 priority=100,in_port=1,udp,action=ct(commit,exec(set_field:1->ct_mark)),2
dnl The reply must be both related (+rel) and tagged with the mark set above.
1317 priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
1318 priority=100,in_port=2,icmp,ct_state=+trk+rel,ct_mark=1,action=1
1321 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1323 dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
dnl Nothing listens on 10.1.1.2 port 10000; the ns1 stack is expected to answer
dnl with an ICMP error that conntrack ties to the UDP entry.
1324 NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])
dnl Presumably forces datapath flow statistics into the OpenFlow counters so
dnl the n_packets values below are current -- confirm.
1326 AT_CHECK([ovs-appctl revalidator/purge], [0])
dnl Expected counters: one UDP packet out, one related ICMP back through both
dnl the lookup rule and the accept rule, and two ARP packets. The drop rule is
dnl filtered out by grep -v drop.
1327 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
1328 n_packets=1, n_bytes=44, priority=100,udp,in_port=1 actions=ct(commit,exec(load:0x1->NXM_NX_CT_MARK[[]])),output:2
1329 n_packets=1, n_bytes=72, priority=100,ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2 actions=output:1
1330 n_packets=1, n_bytes=72, priority=100,ct_state=-trk,icmp,in_port=2 actions=ct(table=0)
1331 n_packets=2, n_bytes=84, priority=10,arp actions=NORMAL
1335 OVS_TRAFFIC_VSWITCHD_STOP
1338 AT_SETUP([conntrack - ICMP related 2])
dnl Crafted packets are injected with packet-out and every tracked packet that
dnl passes the policy is sent to the controller, so the ovs-ofctl monitor log
dnl shows exactly what conntrack admitted. An ICMP error that does not refer to
dnl any committed UDP flow must not be classified as related and therefore
dnl never reaches the controller.
1340 OVS_TRAFFIC_VSWITCHD_START()
1342 ADD_NAMESPACES(at_ns0, at_ns1)
1344 ADD_VETH(p0, at_ns0, br0, "172.16.0.1/24")
1345 ADD_VETH(p1, at_ns1, br0, "172.16.0.2/24")
1347 dnl Commit UDP from ns0 and report all tracked ns0 traffic to the controller.
dnl From ns1 report only packets that are both a reply and related to an
dnl existing connection; everything else falls to the drop rule.
1348 AT_DATA([flows.txt], [dnl
1349 priority=1,action=drop
1350 priority=10,arp,action=normal
1351 priority=100,in_port=1,udp,ct_state=-trk,action=ct(commit,table=0)
1352 priority=100,in_port=1,ip,ct_state=+trk,actions=controller
1353 priority=100,in_port=2,ip,ct_state=-trk,action=ct(table=0)
1354 priority=100,in_port=2,ip,ct_state=+trk+rel+rpl,action=controller
1357 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt])
1359 AT_CAPTURE_FILE([ofctl_monitor.log])
1360 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
1362 dnl 1. Send an ICMP port unreach reply for port 8738, without any previous request
dnl The ct(table=0) lookup finds no entry to relate this to, so the packet is
dnl tracked but neither rel nor rpl and is dropped by the priority=1 rule.
1363 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f355ac100004ac1000030303553f0000000045000021317040004011b138ac100003ac10000411112222000d20966369616f0a'])
1365 dnl 2. Send a UDP packet to port 5555
dnl This one is committed, so the next ICMP error has something to relate to.
1366 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit,table=0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
1368 dnl 3. Send an ICMP port unreach reply for port 5555, related to the first packet
1369 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
1371 dnl Check this output. We only see the latter two packets, not the first.
dnl The UDP packet-in shows ct_state=new|trk, the ICMP one rel|rpl|trk, which
dnl is what the two controller rules require.
1372 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
1373 NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=47 ct_state=new|trk,in_port=1 (via action) data_len=47 (unbuffered)
1374 udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096
1375 NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=75 ct_state=rel|rpl|trk,in_port=2 (via action) data_len=75 (unbuffered)
1376 icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f
1379 OVS_TRAFFIC_VSWITCHD_STOP
1382 AT_SETUP([conntrack - FTP])
dnl Exercises the FTP ALG. With alg=ftp the helper follows the control channel
dnl and marks the data connection that the server opens in active mode as
dnl related, so a policy that only admits established or related traffic from
dnl ns1 still lets an active-mode download complete. Two policies are tried:
dnl one that trusts ns0 fully, and a stricter one that tracks ns0's side too.
1383 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1385 OVS_TRAFFIC_VSWITCHD_START()
1387 ADD_NAMESPACES(at_ns0, at_ns1)
1389 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1390 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1392 dnl Allow any traffic from ns0->ns1. Only allow ARP, ICMP and established or
dnl related return traffic from ns1->ns0.
1393 AT_DATA([flows1.txt], [dnl
1394 priority=1,action=drop
1395 priority=10,arp,action=normal
1396 priority=10,icmp,action=normal
1397 priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
1398 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
1399 priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
dnl +rel is how the ftp helper exposes the server-initiated data connection.
1400 priority=100,in_port=2,tcp,ct_state=+trk+rel,action=1
1403 dnl Similar policy but without allowing all traffic from ns0->ns1.
1404 AT_DATA([flows2.txt], [dnl
1405 priority=1,action=drop
1406 priority=10,arp,action=normal
1407 priority=10,icmp,action=normal
1408 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0)
1409 priority=100,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
1410 priority=100,in_port=1,tcp,ct_state=+trk+est,action=2
1411 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
dnl A new connection from ns1 is committed only when the helper expects it
dnl (+rel); afterwards it continues under the +est rule.
1412 priority=100,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
1413 priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
1414 priority=100,in_port=2,tcp,ct_state=+trk-new+rel,action=1
1417 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
dnl NOTE(review): only the at_ns1 server is waited for; the at_ns0 server is
dnl the target of the requests that are expected to be dropped by the flows,
dnl so presumably its readiness does not affect the outcome -- confirm.
1419 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
1420 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1421 OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
1423 dnl FTP requests from p1->p0 should fail due to network failure.
1424 dnl Try 3 times, in 1 second intervals.
dnl No entry is expected for 10.1.1.1: nothing from in_port=2 is ever committed
dnl under flows1, so the dropped SYNs leave no state behind.
1425 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
1426 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
1429 dnl FTP requests from p0->p1 should work fine.
dnl Active mode: only the client-opened control connection is visible here, and
dnl it carries helper=ftp.
1430 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1431 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1432 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
1435 dnl Try the second set of flows.
dnl Flush so the second policy starts with no inherited state.
1436 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
1437 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1439 dnl FTP requests from p1->p0 should fail due to network failure.
1440 dnl Try 3 times, in 1 second intervals.
dnl Under flows2 a SYN from in_port=2 is committed only if +rel, which it is
dnl not, so again no entry for 10.1.1.1 is expected.
1441 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
1442 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
1445 dnl Active FTP requests from p0->p1 should work fine.
dnl Two entries: the control connection from the client (helper=ftp) and the
dnl data connection the server opened back to 10.1.1.1 (orig src=10.1.1.2),
dnl which flows2 commits because the helper made it +rel.
1446 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log])
1447 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1448 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
1449 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
1452 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1454 dnl Passive FTP requests from p0->p1 should work fine.
dnl Passive mode: the client opens both connections, so both entries have
dnl orig src=10.1.1.1 and only the control one carries helper=ftp.
1455 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log])
1456 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1457 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
1458 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
1461 OVS_TRAFFIC_VSWITCHD_STOP
1465 AT_SETUP([conntrack - IPv6 FTP])
dnl IPv6 variant of the FTP ALG test, active mode only: the control connection
dnl to port 21 is committed with alg=ftp and the data connection the server
dnl opens back to ns0 must be admitted as related.
1466 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1468 OVS_TRAFFIC_VSWITCHD_START()
1470 ADD_NAMESPACES(at_ns0, at_ns1)
1472 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1473 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1475 dnl Allow any traffic from ns0->ns1.
1476 dnl Only allow nd, return traffic from ns1->ns0.
1477 AT_DATA([flows.txt], [dnl
1478 dnl Track all IPv6 traffic and drop the rest.
1479 dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked.
1480 table=0 priority=100 in_port=1 icmp6, action=2
1481 table=0 priority=100 in_port=2 icmp6, action=1
1482 table=0 priority=10 ip6, action=ct(table=1)
1483 table=0 priority=0 action=drop
1487 dnl Allow new TCPv6 FTP control connections from port 1.
dnl Only the control port is admitted as new from port 1; any other new TCPv6
dnl connection from ns0 falls to the table 1 drop rule.
1488 table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
1489 dnl Allow related TCPv6 connections from port 2.
1490 table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1
1491 dnl Allow established TCPv6 connections both ways.
1492 table=1 in_port=1 ct_state=+est, tcp6, action=2
1493 table=1 in_port=2 ct_state=+est, tcp6, action=1
1494 dnl Drop everything else.
1495 table=1 priority=0, action=drop
1498 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1500 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1501 dnl waiting, we get occasional failures due to the following error:
1502 dnl "connect: Cannot assign requested address"
1503 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
1505 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1506 OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
1508 dnl FTP requests from p0->p1 should work fine.
dnl The extra verbosity and -d go to wget0.log for diagnosis when this fails.
1509 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
1511 dnl Discards CLOSE_WAIT and CLOSING
dnl Two entries: the client-opened control connection (helper=ftp) and the
dnl server-opened data connection (orig src=fc00::2).
1512 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
1513 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
1514 tcp,orig=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
1517 OVS_TRAFFIC_VSWITCHD_STOP
1521 AT_SETUP([conntrack - FTP with multiple expectations])
1522 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1524 OVS_TRAFFIC_VSWITCHD_START()
1526 ADD_NAMESPACES(at_ns0, at_ns1)
1528 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1529 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1531 dnl Dual-firewall (ct zones 1 and 2): allow all new TCP from ns0->ns1, but only established and FTP-related connections from ns1->ns0.
1532 AT_DATA([flows.txt], [dnl
1533 priority=1,action=drop
1534 priority=10,arp,action=normal
1535 priority=10,icmp,action=normal
1536 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
1537 priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
1538 priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=0,zone=2)
1539 priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=2)
1540 priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
1541 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
1542 priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
1543 priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=0,zone=1)
1544 priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
1545 priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
1548 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1550 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
1551 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1553 dnl FTP requests from p1->p0 should fail: new connections from port 2 are dropped, so wget sees a network failure.
1554 dnl Try 3 times, in 1 second intervals.
1555 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
1556 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
1559 dnl Active FTP requests from p0->p1 should work fine.
1560 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1561 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1562 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
1563 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
1564 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1565 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
1568 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1570 dnl Passive FTP requests from p0->p1 should work fine.
1571 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1572 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1573 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1574 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
1575 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
1576 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
1579 OVS_TRAFFIC_VSWITCHD_STOP
1582 AT_SETUP([conntrack - IPv4 fragmentation ])
1584 OVS_TRAFFIC_VSWITCHD_START()
1586 ADD_NAMESPACES(at_ns0, at_ns1)
1588 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1589 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1591 dnl Sending ping through conntrack
1592 AT_DATA([flows.txt], [dnl
1593 priority=1,action=drop
1594 priority=10,arp,action=normal
1595 priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
1596 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1597 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1600 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1602 dnl IPv4 fragmentation connectivity check.
1603 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1604 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1607 dnl IPv4 larger fragmentation connectivity check.
1608 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1609 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1612 OVS_TRAFFIC_VSWITCHD_STOP
1615 AT_SETUP([conntrack - IPv4 fragmentation expiry])
1617 OVS_TRAFFIC_VSWITCHD_START()
1619 ADD_NAMESPACES(at_ns0, at_ns1)
1621 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1622 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1624 AT_DATA([flows.txt], [dnl
1625 priority=1,action=drop
1626 priority=10,arp,action=normal
1628 dnl Only allow non-fragmented messages and 1st fragments of each message
1629 priority=100,in_port=1,icmp,ip_frag=no,action=ct(commit,zone=9),2
1630 priority=100,in_port=1,icmp,ip_frag=first,action=ct(commit,zone=9),2
1631 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1632 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1635 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1638 dnl IPv4 fragmentation expiry check: only the first fragment is forwarded, so the ping is expected to fail.
1638 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 1 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1639 7 packets transmitted, 0 received, 100% packet loss, time 0ms
1642 OVS_TRAFFIC_VSWITCHD_STOP
1645 AT_SETUP([conntrack - IPv4 fragmentation + vlan])
1647 OVS_TRAFFIC_VSWITCHD_START()
1649 ADD_NAMESPACES(at_ns0, at_ns1)
1651 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1652 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1653 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
1654 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
1656 dnl Sending ping through conntrack
1657 AT_DATA([flows.txt], [dnl
1658 priority=1,action=drop
1659 priority=10,arp,action=normal
1660 priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
1661 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1662 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1665 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1667 dnl IPv4 fragmentation connectivity check.
1668 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1669 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1672 dnl IPv4 larger fragmentation connectivity check.
1673 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1674 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1677 OVS_TRAFFIC_VSWITCHD_STOP
1680 AT_SETUP([conntrack - IPv6 fragmentation])
1682 OVS_TRAFFIC_VSWITCHD_START()
1684 ADD_NAMESPACES(at_ns0, at_ns1)
1686 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1687 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1689 dnl Sending ping through conntrack
1690 AT_DATA([flows.txt], [dnl
1691 priority=1,action=drop
1692 priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
1693 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1694 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
1695 priority=100,icmp6,icmp_type=135,action=normal
1696 priority=100,icmp6,icmp_type=136,action=normal
1699 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1701 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1702 dnl waiting, we get occasional failures due to the following error:
1703 dnl "connect: Cannot assign requested address"
1704 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1706 dnl IPv6 fragmentation connectivity check.
1707 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1708 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1711 dnl IPv6 larger fragmentation connectivity check.
1712 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1713 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1716 OVS_TRAFFIC_VSWITCHD_STOP
1719 AT_SETUP([conntrack - IPv6 fragmentation expiry])
1721 OVS_TRAFFIC_VSWITCHD_START()
1723 ADD_NAMESPACES(at_ns0, at_ns1)
1725 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1726 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1728 AT_DATA([flows.txt], [dnl
1729 priority=1,action=drop
1731 dnl Only allow non-fragmented messages and 1st fragments of each message
1732 priority=10,in_port=1,ipv6,ip_frag=first,action=ct(commit,zone=9),2
1733 priority=10,in_port=1,ipv6,ip_frag=no,action=ct(commit,zone=9),2
1734 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1735 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
1737 dnl Neighbour Discovery
1738 priority=100,icmp6,icmp_type=135,action=normal
1739 priority=100,icmp6,icmp_type=136,action=normal
1742 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1744 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1745 dnl waiting, we get occasional failures due to the following error:
1746 dnl "connect: Cannot assign requested address"
1747 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1749 dnl Send an IPv6 fragment. Some time later, it should expire.
1750 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 1 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1751 7 packets transmitted, 0 received, 100% packet loss, time 0ms
1754 dnl At this point the kernel has either crashed (if fragment expiry is mishandled) or everything is OK.
1756 OVS_TRAFFIC_VSWITCHD_STOP
1759 AT_SETUP([conntrack - IPv6 fragmentation + vlan])
1761 OVS_TRAFFIC_VSWITCHD_START()
1763 ADD_NAMESPACES(at_ns0, at_ns1)
1765 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1766 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1768 ADD_VLAN(p0, at_ns0, 100, "fc00:1::3/96")
1769 ADD_VLAN(p1, at_ns1, 100, "fc00:1::4/96")
1771 dnl Sending ping through conntrack
1772 AT_DATA([flows.txt], [dnl
1773 priority=1,action=drop
1774 priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
1775 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1776 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
1777 priority=100,icmp6,icmp_type=135,action=normal
1778 priority=100,icmp6,icmp_type=136,action=normal
1781 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1783 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1784 dnl waiting, we get occasional failures due to the following error:
1785 dnl "connect: Cannot assign requested address"
1786 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1788 dnl IPv6 fragmentation connectivity check.
1789 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1790 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1793 dnl IPv6 larger fragmentation connectivity check.
1794 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1795 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1798 OVS_TRAFFIC_VSWITCHD_STOP
1801 AT_SETUP([conntrack - Fragmentation over vxlan])
1805 OVS_TRAFFIC_VSWITCHD_START()
1806 ADD_BR([br-underlay])
1807 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
1809 ADD_NAMESPACES(at_ns0)
1811 dnl Sending ping through conntrack
1812 AT_DATA([flows.txt], [dnl
1813 priority=1,action=drop
1814 priority=10,arp,action=normal
1815 priority=100,in_port=1,icmp,action=ct(commit,zone=9),LOCAL
1816 priority=100,in_port=LOCAL,icmp,action=ct(table=1,zone=9)
1817 table=1,priority=100,in_port=LOCAL,ct_state=+trk+est,icmp,action=1
1820 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1822 dnl Set up underlay link from host into the namespace using veth pair.
1823 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
1824 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
1825 AT_CHECK([ip link set dev br-underlay up])
1827 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
1828 dnl linux device inside the namespace.
1829 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
1830 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
1831 [id 0 dstport 4789])
1833 dnl First, check the underlay
1834 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
1835 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1838 dnl Okay, now check the overlay with different packet sizes
1839 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1840 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1842 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1843 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1845 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1846 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1849 OVS_TRAFFIC_VSWITCHD_STOP
1852 AT_SETUP([conntrack - IPv6 Fragmentation over vxlan])
1856 OVS_TRAFFIC_VSWITCHD_START()
1857 ADD_BR([br-underlay])
1858 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
1860 ADD_NAMESPACES(at_ns0)
1862 dnl Sending ping through conntrack
1863 AT_DATA([flows.txt], [dnl
1864 priority=1,action=drop
1865 priority=100,in_port=1,ipv6,action=ct(commit,zone=9),LOCAL
1866 priority=100,in_port=LOCAL,ipv6,action=ct(table=1,zone=9)
1867 table=1,priority=100,in_port=LOCAL,ct_state=+trk+est,ipv6,action=1
1869 dnl Neighbour Discovery
1870 priority=1000,icmp6,icmp_type=135,action=normal
1871 priority=1000,icmp6,icmp_type=136,action=normal
1874 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1876 dnl Set up underlay link from host into the namespace using veth pair.
1877 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
1878 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
1879 AT_CHECK([ip link set dev br-underlay up])
1881 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
1882 dnl linux device inside the namespace.
1883 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], ["fc00::2/96"])
1884 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], ["fc00::1/96"],
1885 [id 0 dstport 4789])
1887 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1888 dnl waiting, we get occasional failures due to the following error:
1889 dnl "connect: Cannot assign requested address"
1890 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1892 dnl First, check the underlay
1893 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
1894 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1897 dnl Okay, now check the overlay with different packet sizes
1898 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1899 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1901 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1902 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1904 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1905 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1908 OVS_TRAFFIC_VSWITCHD_STOP
1911 AT_SETUP([conntrack - resubmit to ct multiple times])
1914 OVS_TRAFFIC_VSWITCHD_START(
1915 [set-fail-mode br0 secure -- ])
1917 ADD_NAMESPACES(at_ns0, at_ns1)
1919 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1920 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1922 AT_DATA([flows.txt], [dnl
1923 table=0,priority=150,arp,action=normal
1924 table=0,priority=100,ip,in_port=1,action=resubmit(,1),resubmit(,2)
1926 table=1,priority=100,ip,action=ct(table=3)
1927 table=2,priority=100,ip,action=ct(table=3)
1929 table=3,ip,action=drop
1932 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1934 NS_CHECK_EXEC([at_ns0], [ping -q -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
1935 1 packets transmitted, 0 received, 100% packet loss, time 0ms
1938 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort], [0], [dnl
1939 n_packets=1, n_bytes=98, priority=100,ip,in_port=1 actions=resubmit(,1),resubmit(,2)
1940 n_packets=2, n_bytes=84, priority=150,arp actions=NORMAL
1941 table=1, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
1942 table=2, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
1943 table=3, n_packets=2, n_bytes=196, ip actions=drop
1947 OVS_TRAFFIC_VSWITCHD_STOP
1951 AT_SETUP([conntrack - simple SNAT])
1953 OVS_TRAFFIC_VSWITCHD_START()
1955 ADD_NAMESPACES(at_ns0, at_ns1)
1957 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1958 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1959 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1961 dnl Allow any traffic from ns0->ns1. Only allow ARP and return traffic from ns1->ns0.
1962 AT_DATA([flows.txt], [dnl
1963 in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
1964 in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)
1965 in_port=2,ct_state=+trk,ct_zone=1,ip,action=1
1968 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1969 priority=10 arp action=normal
1970 priority=0,action=drop
1972 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
1973 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1974 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1975 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
1977 dnl Swaps the fields of the ARP message to turn a query to a response.
1978 table=10 priority=100 arp xreg0=0 action=normal
1979 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1980 table=10 priority=0 action=drop
1983 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1985 dnl HTTP requests from p0->p1 should work fine.
1986 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1987 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
1989 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
1990 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1993 OVS_TRAFFIC_VSWITCHD_STOP
1997 AT_SETUP([conntrack - SNAT with port range])
1999 OVS_TRAFFIC_VSWITCHD_START()
2001 ADD_NAMESPACES(at_ns0, at_ns1)
2003 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2004 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2005 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2007 dnl Allow any traffic from ns0->ns1. Only allow ARP and return traffic from ns1->ns0.
2008 AT_DATA([flows.txt], [dnl
2009 in_port=1,tcp,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255:34567-34568,random)),2
2010 in_port=2,ct_state=-trk,tcp,tp_dst=34567,action=ct(table=0,zone=1,nat)
2011 in_port=2,ct_state=-trk,tcp,tp_dst=34568,action=ct(table=0,zone=1,nat)
2012 in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
2015 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2016 priority=10 arp action=normal
2017 priority=0,action=drop
2019 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2020 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2021 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2022 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2024 dnl Swaps the fields of the ARP message to turn a query to a response.
2025 table=10 priority=100 arp xreg0=0 action=normal
2026 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2027 table=10 priority=0 action=drop
2030 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2032 dnl HTTP requests from p0->p1 should work fine.
2033 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
2034 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
2036 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
2037 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2040 OVS_TRAFFIC_VSWITCHD_STOP
2044 AT_SETUP([conntrack - more complex SNAT])
2046 OVS_TRAFFIC_VSWITCHD_START()
2048 ADD_NAMESPACES(at_ns0, at_ns1)
2050 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2051 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2052 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2054 AT_DATA([flows.txt], [dnl
2055 dnl Track all IP traffic, NAT existing connections.
2056 priority=100 ip action=ct(table=1,zone=1,nat)
2058 dnl Allow ARP, but generate responses for NATed addresses
2059 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2060 priority=10 arp action=normal
2061 priority=0 action=drop
2063 dnl Allow any traffic from ns0->ns1. SNAT ns0 to 10.1.1.240-10.1.1.255
2064 table=1 priority=100 in_port=1 ip ct_state=+trk+new-est action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
2065 table=1 priority=100 in_port=1 ip ct_state=+trk-new+est action=2
2066 dnl Only allow established traffic from ns1->ns0.
2067 table=1 priority=100 in_port=2 ip ct_state=+trk-new+est action=1
2068 table=1 priority=0 action=drop
2070 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2071 table=8 priority=100 reg2=0x0a0101f0/0xfffffff0 action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2072 dnl Zero result means not found.
2073 table=8 priority=0 action=load:0->OXM_OF_PKT_REG0[[]]
2074 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2075 dnl ARP TPA IP in reg2.
2076 table=10 priority=100 arp xreg0=0 action=normal
2077 dnl Swaps the fields of the ARP message to turn a query to a response.
2078 table=10 priority=10 arp arp_op=1 action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2079 table=10 priority=0 action=drop
2082 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2084 dnl HTTP requests from p0->p1 should work fine.
2085 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
2086 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
2088 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
2089 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2092 OVS_TRAFFIC_VSWITCHD_STOP
2095 AT_SETUP([conntrack - simple DNAT])
2097 OVS_TRAFFIC_VSWITCHD_START()
2099 ADD_NAMESPACES(at_ns0, at_ns1)
2101 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2102 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2103 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
2105 dnl Allow any traffic from ns0->ns1. Only allow ARP and return traffic from ns1->ns0.
2106 AT_DATA([flows.txt], [dnl
2107 priority=100 in_port=1,ip,nw_dst=10.1.1.64,action=ct(zone=1,nat(dst=10.1.1.2),commit),2
2108 priority=10 in_port=1,ip,action=ct(commit,zone=1),2
2109 priority=100 in_port=2,ct_state=-trk,ip,action=ct(table=0,nat,zone=1)
2110 priority=100 in_port=2,ct_state=+trk+est,ct_zone=1,ip,action=1
2113 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2114 priority=10 arp action=normal
2115 priority=0,action=drop
2117 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2118 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2119 dnl Zero result means not found.
2120 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2121 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2123 table=10 priority=100 arp xreg0=0 action=normal
2124 dnl Swaps the fields of the ARP message to turn a query to a response.
2125 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2126 table=10 priority=0 action=drop
2129 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2131 dnl Should work with the virtual IP address through NAT
2132 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
2133 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
2135 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
2136 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2139 dnl Should work with the assigned IP address as well
2140 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2142 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2143 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2146 OVS_TRAFFIC_VSWITCHD_STOP
2149 AT_SETUP([conntrack - more complex DNAT])
2151 OVS_TRAFFIC_VSWITCHD_START()
2153 ADD_NAMESPACES(at_ns0, at_ns1)
2155 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2156 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2157 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
2159 dnl Allow any traffic from ns0->ns1. Only allow ARP and return traffic from ns1->ns0.
2160 AT_DATA([flows.txt], [dnl
2161 dnl Track all IP traffic
2162 table=0 priority=100 ip action=ct(table=1,zone=1,nat)
2164 dnl Allow ARP, but generate responses for NATed addresses
2165 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2166 table=0 priority=10 arp action=normal
2167 table=0 priority=0 action=drop
2169 dnl Allow any IP traffic from ns0->ns1. DNAT ns0 from 10.1.1.64 to 10.1.1.2
2170 table=1 priority=100 in_port=1 ct_state=+new ip nw_dst=10.1.1.64 action=ct(zone=1,nat(dst=10.1.1.2),commit),2
2171 table=1 priority=10 in_port=1 ct_state=+new ip action=ct(commit,zone=1),2
2172 table=1 priority=100 in_port=1 ct_state=+est ct_zone=1 action=2
2173 dnl Only allow established traffic from ns1->ns0.
2174 table=1 priority=100 in_port=2 ct_state=+est ct_zone=1 action=1
2175 table=1 priority=0 action=drop
2177 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2178 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2179 dnl Zero result means not found.
2180 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2181 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2183 table=10 priority=100 arp xreg0=0 action=normal
2184 dnl Swaps the fields of the ARP message to turn a query to a response.
2185 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2186 table=10 priority=0 action=drop
2189 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2191 dnl Should work with the virtual IP address through NAT
2192 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
2193 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
2195 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
2196 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2199 dnl Should work with the assigned IP address as well
2200 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2202 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2203 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2206 OVS_TRAFFIC_VSWITCHD_STOP
2209 AT_SETUP([conntrack - ICMP related with NAT])
dnl Purpose: UDP sent by ns0 is source-NATted into 10.1.1.240-255 on its way
dnl to ns1. The ICMP error ns1 sends back must be classified as related to
dnl that connection, reverse-NATted to 10.1.1.1 and delivered, while any
dnl other traffic coming from ns1 is dropped.
2211 OVS_TRAFFIC_VSWITCHD_START()
2213 ADD_NAMESPACES(at_ns0, at_ns1)
2215 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl p0 gets a fixed MAC so the ARP responder in table 8 below can answer ARP
dnl requests for the NAT range with the address ns0 actually uses.
2216 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2217 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2219 dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
2220 dnl Make sure ICMP responses are reverse-NATted.
2221 AT_DATA([flows.txt], [dnl
dnl Commit the UDP connection with a source NAT range and tag it with ct_mark=1.
2222 in_port=1,udp,action=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:1->ct_mark)),2
dnl Untracked ICMP from ns1 is passed through conntrack with NAT and
dnl recirculated to table 0, so the rule below sees the translated packet.
2223 in_port=2,icmp,ct_state=-trk,action=ct(table=0,nat)
dnl Only ICMP that is related to a connection committed by the UDP rule
dnl (ct_mark=1) and already reverse-NATted to 10.1.1.1 reaches ns0.
dnl Everything else from ns1 falls through to the priority=0 drop.
2224 in_port=2,icmp,nw_dst=10.1.1.1,ct_state=+trk+rel,ct_mark=1,action=1
dnl ARP requests: look the target IP up in table 8, then answer or flood in table 10.
2227 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2228 priority=10 arp action=normal
2229 priority=0,action=drop
2231 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, the NAT source range used above;
dnl 0x808888888888 is the MAC assigned to p0.
2232 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2233 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2234 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2236 dnl Swaps the fields of the ARP message to turn a query to a response.
2237 table=10 priority=100 arp xreg0=0 action=normal
2238 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2239 table=10 priority=0 action=drop
2242 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2244 dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
dnl Nothing listens on UDP 10000 in ns1; NC_EOF_OPT is whatever makes this nc
dnl variant exit once stdin is exhausted.
2245 NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])
dnl Purge the revalidator first, presumably so datapath statistics are folded
dnl into the OpenFlow counters dumped next.
2247 AT_CHECK([ovs-appctl revalidator/purge], [0])
dnl n_packets=1 on the ct_state=+rel+trk,ct_mark=0x1 rule is the real
dnl assertion here: the ICMP error was recognised as related and
dnl reverse-NATted before it was forwarded to port 1.
2248 AT_CHECK([ovs-ofctl -O OpenFlow15 dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
2249 n_packets=1, n_bytes=42, priority=10,arp actions=NORMAL
2250 n_packets=1, n_bytes=44, udp,in_port=1 actions=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:0x1->ct_mark)),output:2
2251 n_packets=1, n_bytes=72, ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2,nw_dst=10.1.1.1 actions=output:1
2252 n_packets=1, n_bytes=72, ct_state=-trk,icmp,in_port=2 actions=ct(table=0,nat)
2253 n_packets=2, n_bytes=84, priority=100,arp,arp_op=1 actions=move:NXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2254 table=10, n_packets=1, n_bytes=42, priority=10,arp,arp_op=1 actions=set_field:2->arp_op,move:NXM_NX_ARP_SHA[[]]->NXM_NX_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_NX_ARP_SHA[[]],move:NXM_OF_ARP_SPA[[]]->NXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->NXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],set_field:0->in_port,output:NXM_NX_REG3[[0..15]]
2255 table=10, n_packets=1, n_bytes=42, priority=100,arp,reg0=0,reg1=0 actions=NORMAL
2256 table=8, n_packets=1, n_bytes=42, priority=0 actions=set_field:0->xreg0
2257 table=8, n_packets=1, n_bytes=42, reg2=0xa0101f0/0xfffffff0 actions=set_field:0x808888888888->xreg0
2258 OFPST_FLOW reply (OF1.5):
dnl The NAT source address is picked from the configured range, so the
dnl reply-side dst is normalised to 10.1.1.2XX before comparing.
2261 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
2262 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),mark=1
2265 OVS_TRAFFIC_VSWITCHD_STOP
2269 AT_SETUP([conntrack - FTP with NAT])
dnl Purpose: active-mode FTP from ns0 to ns1 through source NAT. The control
dnl connection is committed with the FTP ALG so that the data connection the
dnl server opens towards the NATted client address is seen as related,
dnl committed and reverse-NATted. NAT is applied in table 0 here; the
dnl follow-up test applies it per rule in table 1 instead.
2270 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
2273 OVS_TRAFFIC_VSWITCHD_START()
2275 ADD_NAMESPACES(at_ns0, at_ns1)
2277 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0, returned by the ARP responder for the NAT range.
2278 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2279 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2281 dnl Allow any traffic from ns0->ns1. Only allow ARP and return traffic from ns1->ns0.
2283 AT_DATA([flows.txt], [dnl
2284 dnl track all IP traffic, de-mangle non-NEW connections
dnl Both directions go through conntrack with NAT before any allow rule, so
dnl the per-direction tables see already translated addresses.
2285 table=0 in_port=1, ip, action=ct(table=1,nat)
2286 table=0 in_port=2, ip, action=ct(table=2,nat)
2290 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2291 table=0 priority=10 arp action=normal
2292 table=0 priority=0 action=drop
2294 dnl Table 1: port 1 -> 2
2296 dnl Allow new FTP connections. These need to be committed.
2297 table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
2298 dnl Allow established TCP connections, make sure they are NATted already.
2299 table=1 ct_state=+est, tcp, nw_src=10.1.1.240, action=2
2301 dnl Table 1: droppers
dnl Any other TCP from port 1, including new connections to ports other than
dnl 21 and established ones not carrying the NATted source, is dropped.
2303 table=1 priority=10, tcp, action=drop
2304 table=1 priority=0,action=drop
2306 dnl Table 2: port 2 -> 1
2308 dnl Allow established TCP connections, make sure they are reverse NATted
2309 table=2 ct_state=+est, tcp, nw_dst=10.1.1.1, action=1
2310 dnl Allow (new) related (data) connections. These need to be committed.
dnl The data connection is addressed to the NAT address, so it is matched
dnl before translation and committed with nat to pick up the reverse mapping.
2311 table=2 ct_state=+new+rel, tcp, nw_dst=10.1.1.240, action=ct(commit,nat),1
2312 dnl Allow related ICMP packets, make sure they are reverse NATted
2313 table=2 ct_state=+rel, icmp, nw_dst=10.1.1.1, action=1
2315 dnl Table 2: droppers
2317 table=2 priority=10, tcp, action=drop
2318 table=2 priority=0, action=drop
2320 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, which covers the NAT address.
2322 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2323 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2324 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2326 dnl Swaps the fields of the ARP message to turn a query to a response.
2327 table=10 priority=100 arp xreg0=0 action=normal
2328 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2329 table=10 priority=0 action=drop
2332 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl The ns0 server below is disabled; only the server in ns1 is needed.
2334 dnl NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
2335 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
dnl Wait until the FTP server is actually listening before connecting.
2336 OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
2338 dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces the server to open the data connection towards
dnl the client, which is the path the +rel rule in table 2 exists for.
2339 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
dnl Two entries are expected: the control connection carrying helper=ftp,
dnl and the server-originated data connection to 10.1.1.240 whose reply
dnl side is reverse-NATted to 10.1.1.1.
2341 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2342 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
2343 tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2346 OVS_TRAFFIC_VSWITCHD_STOP
2350 AT_SETUP([conntrack - FTP with NAT 2])
dnl Purpose: same active-FTP-through-SNAT scenario as the previous test, but
dnl table 0 only tracks (no nat) and every allow rule in table 1 performs
dnl the translation itself via ct(nat). The expected conntrack entries are
dnl identical to the previous test.
2351 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
2353 OVS_TRAFFIC_VSWITCHD_START()
2355 ADD_NAMESPACES(at_ns0, at_ns1)
2357 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0, returned by the ARP responder for the NAT range.
2358 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2359 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2361 dnl Allow any traffic from ns0->ns1.
2362 dnl Only allow ARP and return traffic from ns1->ns0.
2363 AT_DATA([flows.txt], [dnl
2364 dnl track all IP traffic (this includes a helper call to non-NEW packets.)
dnl No nat here: addresses seen in table 1 are still untranslated.
2365 table=0 ip, action=ct(table=1)
2369 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2370 table=0 priority=10 arp action=normal
2371 table=0 priority=0 action=drop
2375 dnl Allow new FTP connections. These need to be committed.
2376 dnl This does helper for new packets.
2377 table=1 in_port=1 ct_state=+new, tcp, tp_dst=21, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
2378 dnl Allow and NAT established TCP connections
dnl Unlike the previous test these rules do not match on the NATted address;
dnl the ct(nat) action applies the stored mapping on the way out.
2379 table=1 in_port=1 ct_state=+est, tcp, action=ct(nat),2
2380 table=1 in_port=2 ct_state=+est, tcp, action=ct(nat),1
2381 dnl Allow and NAT (new) related active (data) connections.
2382 dnl These need to be committed.
2383 table=1 in_port=2 ct_state=+new+rel, tcp, action=ct(commit,nat),1
2384 dnl Allow related ICMP packets.
2385 table=1 in_port=2 ct_state=+rel, icmp, action=ct(nat),1
2386 dnl Drop everything else.
2387 table=1 priority=0, action=drop
2389 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, which covers the NAT address.
2391 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2392 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2393 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2395 dnl Swaps the fields of the ARP message to turn a query to a response.
2396 table=10 priority=100 arp xreg0=0 action=normal
2397 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2398 table=10 priority=0 action=drop
2401 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2403 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
dnl Wait until the FTP server is actually listening before connecting.
2404 OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
2406 dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp makes the server open the data connection towards the
dnl client, exercising the +new+rel rule in table 1.
2407 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
2409 dnl Discards CLOSE_WAIT and CLOSING
dnl Control connection with helper=ftp plus the related data connection,
dnl whose reply side must already be reverse-NATted to 10.1.1.1.
2410 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2411 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
2412 tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2415 OVS_TRAFFIC_VSWITCHD_STOP
2418 AT_SETUP([conntrack - IPv6 HTTP with NAT])
dnl Purpose: HTTP over IPv6 from ns0 to ns1 with the client source NATted to
dnl fc00::240 must succeed, while a connection initiated from ns1 towards
dnl ns0 must be refused by the flow table (negative case at the end).
2420 OVS_TRAFFIC_VSWITCHD_START()
2422 ADD_NAMESPACES(at_ns0, at_ns1)
2424 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
2425 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2426 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl Static neighbour entry for the NAT address, pointing at the MAC just set
dnl on p0, so ns1 does not need neighbour discovery to reply to fc00::240.
2427 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
2429 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
2430 AT_DATA([flows.txt], [dnl
dnl Default deny; everything that is not explicitly allowed below is dropped.
2431 priority=1,action=drop
2432 priority=10,icmp6,action=normal
dnl Everything from ns0 is committed with SNAT to fc00::240.
2433 priority=100,in_port=1,ip6,action=ct(commit,nat(src=fc00::240)),2
dnl Untracked IPv6 from ns1 is reverse-NATted and recirculated; only packets
dnl of an established connection are then let through to ns0. A new TCP
dnl connection from ns1 matches none of the allow rules after recirculation
dnl and ends at the priority=1 drop.
2434 priority=100,in_port=2,ct_state=-trk,ip6,action=ct(nat,table=0)
2435 priority=100,in_port=2,ct_state=+trk+est,ip6,action=1
dnl Neighbour solicitations for the NAT address get their IPv6 destination
dnl translated to fc00::1. NOTE(review): the nd_target inside the ICMPv6
dnl payload is presumably not rewritten by nat, which is why the static
dnl neighbour entry above is still needed - confirm.
2436 priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::240,action=ct(commit,nat(dst=fc00::1)),1
2439 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2441 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
2442 dnl waiting, we get occasional failures due to the following error:
2443 dnl "connect: Cannot assign requested address"
2444 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
2446 dnl HTTP requests from ns0->ns1 should work fine.
2447 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])
2449 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2451 dnl HTTP requests from ns1->ns0 should fail due to network failure.
2452 dnl Try 3 times, in 1 second intervals.
2453 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
dnl Expected exit status 4 is wget's network-failure code: the SYNs from ns1
dnl are dropped by the flow table, not refused by a listener.
2454 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
2456 OVS_TRAFFIC_VSWITCHD_STOP
2460 AT_SETUP([conntrack - IPv6 FTP with NAT])
dnl Purpose: active-mode FTP over IPv6 from ns0 to ns1 with the client source
dnl NATted to fc00::240. The FTP ALG on the control connection must make the
dnl server-initiated data connection to fc00::240 show up as related so it
dnl can be committed and reverse-NATted to fc00::1.
2461 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
2463 OVS_TRAFFIC_VSWITCHD_START()
2465 ADD_NAMESPACES(at_ns0, at_ns1)
2467 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
2468 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2469 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
2470 dnl Would be nice if NAT could translate neighbor discovery messages, too.
dnl Until then ns1 needs a static neighbour entry for the NAT address.
2471 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
2473 dnl Allow any traffic from ns0->ns1.
2474 dnl Only allow nd, return traffic from ns1->ns0.
2475 AT_DATA([flows.txt], [dnl
2476 dnl Allow other ICMPv6 both ways (without commit).
dnl Note: this passes every ICMPv6 type in both directions, not only
dnl neighbour discovery or errors related to a tracked connection.
2477 table=1 priority=100 in_port=1 icmp6, action=2
2478 table=1 priority=100 in_port=2 icmp6, action=1
2479 dnl track all IPv6 traffic (this includes NAT & help to non-NEW packets.)
2480 table=0 priority=10 ip6, action=ct(nat,table=1)
2481 table=0 priority=0 action=drop
2485 dnl Allow new TCPv6 FTP control connections.
2486 table=1 in_port=1 ct_state=+new tcp6 ipv6_src=fc00::1 tp_dst=21 action=ct(alg=ftp,commit,nat(src=fc00::240)),2
2487 dnl Allow related TCPv6 connections from port 2 to the NATted address.
2488 table=1 in_port=2 ct_state=+new+rel tcp6 ipv6_dst=fc00::240 action=ct(commit,nat),1
2489 dnl Allow established TCPv6 connections both ways, enforce NATting
dnl Matching on the translated addresses checks that table 0's ct(nat) has
dnl already applied the mapping before the packet is forwarded.
2490 table=1 in_port=1 ct_state=+est tcp6 ipv6_src=fc00::240 action=2
2491 table=1 in_port=2 ct_state=+est tcp6 ipv6_dst=fc00::1 action=1
2492 dnl Drop everything else.
2493 table=1 priority=0, action=drop
2496 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2498 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
2499 dnl waiting, we get occasional failures due to the following error:
2500 dnl "connect: Cannot assign requested address"
2501 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
2503 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
dnl Wait until the FTP server is actually listening before connecting.
2504 OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
2506 dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp makes the server open the data connection towards the
dnl client, exercising the +new+rel rule in table 1.
2507 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
2509 dnl Discards CLOSE_WAIT and CLOSING
dnl Control connection with helper=ftp plus the related data connection,
dnl whose reply side must already be reverse-NATted to fc00::1.
2510 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
2511 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
2512 tcp,orig=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2515 OVS_TRAFFIC_VSWITCHD_STOP
2518 AT_SETUP([conntrack - DNAT load balancing])
dnl Purpose: HTTP connections from ns1 to the virtual address 10.1.1.64 are
dnl spread over three backends (ns2-ns4) by a select group whose buckets
dnl DNAT and commit the connection. Replies are reverse-NATted by a plain
dnl ct(nat) pass and routed back by destination in table 4. After 12
dnl requests each backend is expected to appear in the conntrack table.
2520 OVS_TRAFFIC_VSWITCHD_START()
2522 ADD_NAMESPACES(at_ns1, at_ns2, at_ns3, at_ns4)
2524 ADD_VETH(p1, at_ns1, br0, "10.1.1.1/24")
2525 ADD_VETH(p2, at_ns2, br0, "10.1.1.2/24")
2526 ADD_VETH(p3, at_ns3, br0, "10.1.1.3/24")
2527 ADD_VETH(p4, at_ns4, br0, "10.1.1.4/24")
dnl Fixed MACs so table 4 below can rewrite dl_dst statically per host.
2528 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:11])
2529 NS_CHECK_EXEC([at_ns2], [ip link set dev p2 address 80:88:88:88:88:22])
2530 NS_CHECK_EXEC([at_ns3], [ip link set dev p3 address 80:88:88:88:88:33])
2531 NS_CHECK_EXEC([at_ns4], [ip link set dev p4 address 80:88:88:88:88:44])
2533 dnl Select group for load balancing. One bucket per server. Each bucket
2534 dnl tracks and NATs the connection and recirculates to table 4 for egress
2535 dnl routing. Packets of existing connections are always NATted based on
2536 dnl connection state, only new connections are NATted according to the
2537 dnl specific NAT parameters in each bucket.
2538 AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn add-group br0 "group_id=234,type=select,bucket=weight=100,ct(nat(dst=10.1.1.2),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.3),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.4),commit,table=4)"])
2540 AT_DATA([flows.txt], [dnl
2541 dnl Track connections to the virtual IP address.
2542 table=0 priority=100 ip nw_dst=10.1.1.64 action=group:234
2543 dnl All other IP traffic is allowed but the connection state is not committed.
dnl This is also the return path: replies from the backends are
dnl reverse-NATted here and then routed to the client by table 4.
2544 table=0 priority=90 ip action=ct(table=4,nat)
2546 dnl Allow ARP, but generate responses for virtual addresses
2547 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2548 table=0 priority=10 arp action=normal
2549 table=0 priority=0 action=drop
dnl Table 4: static L3-to-L2 routing by destination address. After DNAT the
dnl packet still carries the MAC the VIP was resolved to, so dl_dst is
dnl rewritten to the real backend MAC before output.
2553 table=4,ip,nw_dst=10.1.1.1 action=mod_dl_dst:80:88:88:88:88:11,output:1
2554 table=4,ip,nw_dst=10.1.1.2 action=mod_dl_dst:80:88:88:88:88:22,output:2
2555 table=4,ip,nw_dst=10.1.1.3 action=mod_dl_dst:80:88:88:88:88:33,output:3
2556 table=4,ip,nw_dst=10.1.1.4 action=mod_dl_dst:80:88:88:88:88:44,output:4
2557 table=4 priority=0 action=drop
2559 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64, the virtual address. The MAC handed out for it
dnl is not assigned to any port in this test; table 4 rewrites it anyway.
2560 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2561 dnl Zero result means not found.
2562 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2563 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2565 table=10 priority=100 arp xreg0=0 action=normal
2566 dnl Swaps the fields of the ARP message to turn a query to a response.
2567 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
dnl NOTE(review): the other tests in this file drop here. Only ARP requests
dnl are sent to table 10 by table 0, and every ARP request matches one of
dnl the two rules above, so this entry looks unreachable and is presumably
dnl left over from debugging - confirm before copying it elsewhere.
2568 table=10 priority=0 action=controller
2571 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2573 dnl Start web servers
2574 NETNS_DAEMONIZE([at_ns2], [[$PYTHON $srcdir/test-l7.py]], [http2.pid])
2575 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http3.pid])
2576 NETNS_DAEMONIZE([at_ns4], [[$PYTHON $srcdir/test-l7.py]], [http4.pid])
dnl Diagnostics dumped into the test log on exit, useful when a run fails.
2578 on_exit 'ovs-ofctl -O OpenFlow15 dump-flows br0'
2579 on_exit 'ovs-appctl revalidator/purge'
2580 on_exit 'ovs-appctl dpif/dump-flows br0'
2582 dnl Should work with the virtual IP address through NAT
dnl Bucket selection is not deterministic; 12 requests are presumably
dnl enough to make every backend receive at least one - the check below
dnl fails if one is missed.
2583 for i in 1 2 3 4 5 6 7 8 9 10 11 12; do
2585 NS_CHECK_EXEC([at_ns1], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget$i.log])
2588 dnl Each server should have at least one connection.
dnl FORMAT_CT on the VIP collapses the entries so only one line per backend
dnl remains; the reply src shows which backend each connection was DNATted to.
2589 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
2590 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2591 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.3,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2592 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
dnl Unchecked dumps: their output only goes to the log.
2595 ovs-appctl dpif/dump-flows br0
2596 ovs-appctl revalidator/purge
2597 ovs-ofctl -O OpenFlow15 dump-flows br0
2598 ovs-ofctl -O OpenFlow15 dump-group-stats br0
2600 OVS_TRAFFIC_VSWITCHD_STOP
2604 AT_SETUP([conntrack - DNAT load balancing with NC])
dnl Purpose: same DNAT select-group setup as the previous test, driven with
dnl nc instead of wget and from two clients (ns1 and ns5). Both clients bind
dnl the same source port in each iteration, so the VIP sees pairs of
dnl connections that differ only in source address - presumably to exercise
dnl conntrack and NAT keying on the full tuple.
2606 OVS_TRAFFIC_VSWITCHD_START()
2608 ADD_NAMESPACES(at_ns1, at_ns2, at_ns3, at_ns4, at_ns5)
2610 ADD_VETH(p1, at_ns1, br0, "10.1.1.1/24")
2611 ADD_VETH(p2, at_ns2, br0, "10.1.1.2/24")
2612 ADD_VETH(p3, at_ns3, br0, "10.1.1.3/24")
2613 ADD_VETH(p4, at_ns4, br0, "10.1.1.4/24")
dnl ns5 is a second client, not a backend: it is absent from the group below
dnl but reachable through table 4.
2614 ADD_VETH(p5, at_ns5, br0, "10.1.1.5/24")
dnl Fixed MACs so table 4 below can rewrite dl_dst statically per host.
2615 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:11])
2616 NS_CHECK_EXEC([at_ns2], [ip link set dev p2 address 80:88:88:88:88:22])
2617 NS_CHECK_EXEC([at_ns3], [ip link set dev p3 address 80:88:88:88:88:33])
2618 NS_CHECK_EXEC([at_ns4], [ip link set dev p4 address 80:88:88:88:88:44])
2619 NS_CHECK_EXEC([at_ns5], [ip link set dev p5 address 80:88:88:88:88:55])
2621 dnl Select group for load balancing. One bucket per server. Each bucket
2622 dnl tracks and NATs the connection and recirculates to table 4 for egress
2623 dnl routing. Packets of existing connections are always NATted based on
2624 dnl connection state, only new connections are NATted according to the
2625 dnl specific NAT parameters in each bucket.
2626 AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn add-group br0 "group_id=234,type=select,bucket=weight=100,ct(nat(dst=10.1.1.2),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.3),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.4),commit,table=4)"])
2628 AT_DATA([flows.txt], [dnl
2629 dnl Track connections to the virtual IP address.
2630 table=0 priority=100 ip nw_dst=10.1.1.64 action=group:234
2631 dnl All other IP traffic is allowed but the connection state is not committed.
dnl This is also the return path: replies from the backends are
dnl reverse-NATted here and then routed to the client by table 4.
2632 table=0 priority=90 ip action=ct(table=4,nat)
2634 dnl Allow ARP, but generate responses for virtual addresses
2635 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2636 table=0 priority=10 arp action=normal
2637 table=0 priority=0 action=drop
dnl Table 4: static L3-to-L2 routing by destination address, rewriting
dnl dl_dst to the real host MAC before output.
2641 table=4,ip,nw_dst=10.1.1.1 action=mod_dl_dst:80:88:88:88:88:11,output:1
2642 table=4,ip,nw_dst=10.1.1.2 action=mod_dl_dst:80:88:88:88:88:22,output:2
2643 table=4,ip,nw_dst=10.1.1.3 action=mod_dl_dst:80:88:88:88:88:33,output:3
2644 table=4,ip,nw_dst=10.1.1.4 action=mod_dl_dst:80:88:88:88:88:44,output:4
2645 table=4,ip,nw_dst=10.1.1.5 action=mod_dl_dst:80:88:88:88:88:55,output:5
2646 table=4 priority=0 action=drop
2648 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64, the virtual address.
2649 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2650 dnl Zero result means not found.
2651 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2652 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2654 table=10 priority=100 arp xreg0=0 action=normal
2655 dnl Swaps the fields of the ARP message to turn a query to a response.
2656 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
dnl NOTE(review): as in the previous test this differs from the drop used
dnl elsewhere in the file; only ARP requests reach table 10 and all of them
dnl match the two rules above, so this is presumably a debugging leftover.
2657 table=10 priority=0 action=controller
2660 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2662 dnl Start web servers
2663 NETNS_DAEMONIZE([at_ns2], [[$PYTHON $srcdir/test-l7.py]], [http2.pid])
2664 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http3.pid])
2665 NETNS_DAEMONIZE([at_ns4], [[$PYTHON $srcdir/test-l7.py]], [http4.pid])
dnl Diagnostics dumped into the test log on exit, useful when a run fails.
2667 on_exit 'ovs-ofctl -O OpenFlow15 dump-flows br0'
2668 on_exit 'ovs-appctl revalidator/purge'
2669 on_exit 'ovs-appctl dpif/dump-flows br0'
2673 dnl Should work with the virtual IP address through NAT
dnl Each iteration opens one connection from each client with the same fixed
dnl source port 4100$i. NOTE(review): unlike the UDP test earlier in this
dnl file these nc calls do not pass NC_EOF_OPT; with an nc that does not
dnl exit on stdin EOF they would wait for the server to close - confirm.
2674 for i in 1 2 3 4 5 6 7 8 9; do
2676 NS_CHECK_EXEC([at_ns1], [echo "TEST1" | nc -p 4100$i 10.1.1.64 80 > nc-1-$i.log])
2677 NS_CHECK_EXEC([at_ns5], [echo "TEST5" | nc -p 4100$i 10.1.1.64 80 > nc-5-$i.log])
dnl Unchecked dumps: their output only goes to the log. No conntrack
dnl assertion appears in this listing, so the test passes as long as every
dnl nc call succeeds.
2682 ovs-appctl dpif/dump-flows br0
2683 ovs-appctl revalidator/purge
2684 ovs-ofctl -O OpenFlow15 dump-flows br0
2685 ovs-ofctl -O OpenFlow15 dump-group-stats br0
2687 OVS_TRAFFIC_VSWITCHD_STOP