From: Joe Stringer Date: Tue, 19 Jul 2016 19:54:06 +0000 (-0700) Subject: system-traffic: Update tests in flat tables. X-Git-Url: http://git.cascardo.eti.br/?p=cascardo%2Fovs.git;a=commitdiff_plain;h=b3b85373ff4beef6c2da12405900cce05737d0fc system-traffic: Update tests in flat tables. A few of the earlier tests were written with all flows in a single flat table. While this is a possible way to write your flows to use connection tracking, it's easier to understand if the processing proceeds forward from one table to the next. Update these tests. Signed-off-by: Joe Stringer Acked-by: Jarno Rajahalme
---
diff --git a/tests/system-traffic.at b/tests/system-traffic.at
index 75b510497..bd2cea11b 100644
--- a/tests/system-traffic.at
+++ b/tests/system-traffic.at
@@ -1391,27 +1391,31 @@ ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
 AT_DATA([flows1.txt], [dnl
-priority=1,action=drop
-priority=10,arp,action=normal
-priority=10,icmp,action=normal
-priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
-priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
-priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
-priority=100,in_port=2,tcp,ct_state=+trk+rel,action=1
+table=0,priority=1,action=drop
+table=0,priority=10,arp,action=normal
+table=0,priority=10,icmp,action=normal
+table=0,priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
+table=0,priority=100,in_port=2,tcp,action=ct(table=1)
+table=1,in_port=2,tcp,ct_state=+trk+est,action=1
+table=1,in_port=2,tcp,ct_state=+trk+rel,action=1
 ])
 dnl Similar policy but without allowing all traffic from ns0->ns1.
 AT_DATA([flows2.txt], [dnl
-priority=1,action=drop
-priority=10,arp,action=normal
-priority=10,icmp,action=normal
-priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0)
-priority=100,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
-priority=100,in_port=1,tcp,ct_state=+trk+est,action=2
-priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
-priority=100,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
-priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
-priority=100,in_port=2,tcp,ct_state=+trk-new+rel,action=1
+table=0,priority=1,action=drop
+table=0,priority=10,arp,action=normal
+table=0,priority=10,icmp,action=normal
+
+dnl Allow outgoing TCP connections, and treat them as FTP
+table=0,priority=100,in_port=1,tcp,action=ct(table=1)
+table=1,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
+table=1,in_port=1,tcp,ct_state=+trk+est,action=2
+
+dnl Allow incoming FTP data connections and responses to existing connections
+table=0,priority=100,in_port=2,tcp,action=ct(table=1)
+table=1,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
+table=1,in_port=2,tcp,ct_state=+trk+est,action=1
+table=1,in_port=2,tcp,ct_state=+trk-new+rel,action=1
 ])
 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
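Review bot: Table 1 in both flow sets has no catch-all entry, so a tracked packet from in_port=2 that is neither established nor related (an unsolicited SYN toward ns0 in flows1.txt, or a +trk+new packet that is not +rel in flows2.txt) no longer hits the `priority=1,action=drop` rule, which the rewrite left in table 0 only, and instead falls to the table-miss behaviour. In OVS that behaviour is a property of the switch configuration and OpenFlow version rather than of these flows; with no controller attached the test presumably still observes a drop, but a firewall policy written this way relies on that silently. Adding `table=1,priority=0,action=drop` to each flow set makes deny-by-default explicit and keeps the test's intent intact if the bridge is ever given a controller. The enclosing AT_SETUP block starts before this hunk.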
@@ -1530,19 +1534,22 @@ ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
 dnl Dual-firewall, allow all from ns1->ns2, allow established and ftp ns2->ns1.
 AT_DATA([flows.txt], [dnl
-priority=1,action=drop
-priority=10,arp,action=normal
-priority=10,icmp,action=normal
-priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
-priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
-priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=0,zone=2)
-priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=2)
-priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
-priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
-priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
-priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=0,zone=1)
-priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
-priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
+table=0,priority=1,action=drop
+table=0,priority=10,arp,action=normal
+table=0,priority=10,icmp,action=normal
+
+dnl Traffic from ns1
+table=0,priority=100,in_port=1,tcp,action=ct(table=1,zone=1,alg=ftp)
+table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
+table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=2,zone=2)
+table=2,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
+
+dnl Traffic from ns2
+table=0,priority=100,in_port=2,tcp,action=ct(table=1,alg=ftp,zone=2)
+table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
+table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=2,zone=1)
+table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
+table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
 ])
 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
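Review bot: `table=0,priority=100,in_port=2,tcp,action=ct(table=1,alg=ftp,zone=2)` and its in_port=1 counterpart attach the FTP helper to every TCP packet regardless of port (the removed in_port=2 lookup carried no alg), so the helper now parses arbitrary TCP payload in both directions and may set up related expectations for any connection whose payload resembles PORT/PASV exchanges. That is acceptable for a test that treats all TCP as FTP, but as a firewall pattern it widens the attack surface; restricting the alg to the control channel, e.g. `tcp,tp_dst=21` on the in_port=1 rule and `tcp,tp_src=21` on the in_port=2 rule with a plain `ct(table=1,zone=...)` for everything else, keeps the pinhole logic to FTP. Tables 1 and 2 also have no `priority=0,action=drop`, so a tracked packet that matches none of the +est/+rel/+new entries depends on table-miss configuration rather than on the explicit deny in table 0. The enclosing AT_SETUP block starts before this hunk.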