AT_BANNER([datapath-sanity])

AT_SETUP([datapath - ping between two ports])
dnl Baseline datapath check: two namespaces attached to br0 through veth
dnl pairs, with a single "actions=normal" flow so br0 behaves as a plain
dnl learning switch.  Pings are repeated with the default, 1600 and 3200 byte
dnl payloads; the larger two exceed the usual 1500 byte MTU and so presumably
dnl also exercise IP fragmentation through the datapath.
OVS_TRAFFIC_VSWITCHD_START()

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl FORMAT_PING presumably rewrites the timing fields, which is why the
dnl expected output can be compared literally with "time 0ms".
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([datapath - ping between two ports on vlan])
dnl Same as the plain ping test, but the traffic is sent over VLAN 100
dnl sub-interfaces created on top of each veth, so the datapath has to carry
dnl tagged frames between the two ports.
OVS_TRAFFIC_VSWITCHD_START()

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl The VLAN interfaces get their own subnet; the pings below target it.
ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")

NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([datapath - ping6 between two ports])
dnl IPv6 variant of the two-port ping test, using fc00::/96 addresses.
OVS_TRAFFIC_VSWITCHD_START()

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl Without this sleep, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
dnl (presumably the addresses are still tentative during IPv6 DAD).
sleep 2;

NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([datapath - ping6 between two ports on vlan])
dnl IPv6 variant of the VLAN ping test: the VLAN 100 sub-interfaces carry
dnl their own fc00:1::/96 prefix and the pings target that prefix.
OVS_TRAFFIC_VSWITCHD_START()

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

ADD_VLAN(p0, at_ns0, 100, "fc00:1::1/96")
ADD_VLAN(p1, at_ns1, 100, "fc00:1::2/96")

dnl Without this sleep, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
dnl (presumably the addresses are still tentative during IPv6 DAD).
sleep 2;

NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([datapath - ping over vxlan tunnel])
dnl Underlay: a second bridge, br-underlay, with the host side addressed
dnl 172.31.1.100 and the namespace side 172.31.1.1.  Overlay: a VXLAN tunnel
dnl between an OVS tunnel port on br0 (10.1.1.100) and a native Linux vxlan
dnl device inside the namespace (10.1.1.1), VNI 0, destination port 4789.
OVS_CHECK_VXLAN()

OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
                  [id 0 dstport 4789])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with different packet sizes
dnl (the larger payloads presumably fragment once the VXLAN header is added).
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - controller])
dnl Drives the conntrack pipeline with synthetic packet-out packets instead
dnl of live traffic and watches what reaches the controller through
dnl ovs-ofctl monitor.  A reply from port 2 with no committed connection
dnl must be dropped; once port 1 has committed a connection, the same reply
dnl is delivered to the controller with ct_state=est|rpl|trk.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl Port 1 UDP is committed and punted; port 2 UDP is first run through
dnl ct(table=0) and only reaches the controller when tracked as established.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,udp,action=ct(commit),controller
priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk+est,udp,action=controller
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Log every packet-in; 65534 is the miss-send length so packets are not
dnl truncated, invalid_ttl additionally asks for TTL-related packet-ins.
AT_CAPTURE_FILE([ofctl_monitor.log])
AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])

dnl Send an unsolicited reply from port 2. This should be dropped.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])

dnl OK, now start a new connection from port 1.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit\),controller '50540000000a50540000000908004500001c00000000001100000a0101010a0101020001000200080000'])

dnl Now try a reply from port 2.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])

dnl Check this output. We only see the latter two packets, not the first.
AT_CHECK([cat ofctl_monitor.log], [0], [dnl
NXT_PACKET_IN (xid=0x0): total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - IPv4 HTTP])
dnl One-directional stateful firewall: new TCP connections are accepted only
dnl from port 1 and committed, while port 2 may only send packets that
dnl conntrack classifies as established.  A connection initiated from ns1
dnl therefore never completes and wget is expected to fail.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 >/dev/null])

dnl HTTP requests from ns0->ns1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl The completed request leaves one TIME_WAIT entry; FORMAT_CT presumably
dnl selects entries for the given address and clears the ephemeral ports.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
])

dnl HTTP requests from ns1->ns0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log], [4])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - IPv6 HTTP])
dnl IPv6 version of the one-directional HTTP firewall test.  icmp6 is allowed
dnl unconditionally because IPv6 neighbour discovery runs over ICMPv6.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,icmp6,action=normal
priority=100,in_port=1,tcp6,action=ct(commit),2
priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Without this sleep, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
sleep 2;

dnl HTTP requests from ns0->ns1 should work fine.
dnl (the doubled brackets are m4 quoting and become a single pair for wget).
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])

NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])

AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
])

dnl HTTP requests from ns1->ns0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - commit, recirc])
dnl Checks that packet metadata survives the recirculation performed by
dnl ct(table=0).  Ports 1/2 are a simple commit-then-forward pair.  Ports 3/4
dnl go around the table three times: the first pass zeroes metadata and
dnl recirculates, the second (matched on metadata=0) sets it to 1 and
dnl commits, and only the third pass with metadata=1 outputs the packet.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow any traffic from ns0->ns1, ns2->ns3.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=1,tcp,ct_state=+trk,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,tcp,ct_state=+trk,action=1
priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=4,tcp,ct_state=+trk,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl HTTP requests from p2->p3 should work fine.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - preserve registers])
dnl Same three-pass scheme as the metadata test above, but the pass counter
dnl for ports 3/4 lives in NXM_NX_REG0, so this checks that register
dnl contents survive ct() recirculation.  The doubled brackets are m4
dnl quoting and become a single pair in the flow file.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow any traffic from ns0->ns1, ns2->ns3.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=1,tcp,ct_state=+trk,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,tcp,ct_state=+trk,action=1
priority=100,in_port=3,tcp,ct_state=-trk,action=load:0->NXM_NX_REG0[[]],ct(table=0)
priority=100,in_port=3,tcp,ct_state=+trk,reg0=0,action=load:1->NXM_NX_REG0[[]],ct(commit,table=0)
priority=100,in_port=3,tcp,ct_state=+trk,reg0=1,action=4
priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=4,tcp,ct_state=+trk,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl HTTP requests from p2->p3 should work fine.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - invalid])
dnl Exercises the +inv ct_state bit: packets conntrack cannot attribute to a
dnl known connection.  Two port pairs run the same uncommitted forward path;
dnl only the second pair's return rule accepts invalid packets.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Pass traffic from ns0->ns1 without committing, but attempt to track in
dnl the opposite direction. This should fail.
dnl Pass traffic from ns2->ns3 without committing, and this time match
dnl invalid traffic and allow it through.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk+new,tcp,action=1
priority=100,in_port=3,tcp,action=ct(),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=4,ct_state=+trk+inv,tcp,action=3
priority=100,in_port=4,ct_state=+trk+new,tcp,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl We set up our rules to allow the request without committing. The return
dnl traffic can't be identified, because the initial request wasn't committed.
dnl For the first pair of ports, this means that the connection fails.
dnl Since the +trk+new rule on port 2 does not let the reply through while the
dnl +trk+inv rule on port 4 does, the reply to an uncommitted connection is
dnl evidently classified as invalid rather than new.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4])

dnl For the second pair, we allow packets from invalid connections, so it works.
dnl Note that accepting +inv packets gives up the stateful guarantee: anything
dnl conntrack cannot place is forwarded, which is what makes this pair work.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - zones])
dnl Zones are independent conntrack tables.  Ports 1/2 commit and look up in
dnl zone 1, so the return rule matching ct_zone=1 succeeds.  Ports 3/4 commit
dnl and look up in zone 2 but the return rule still matches ct_zone=1, so the
dnl reply is dropped and the second connection never completes.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow any traffic from ns0->ns1. Allow return traffic, matching on zone.
dnl For ns2->ns3, use a different zone and see that the match fails.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit,zone=1),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
priority=100,in_port=3,tcp,action=ct(commit,zone=2),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0,zone=2)
priority=100,in_port=4,ct_state=+trk,ct_zone=1,tcp,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
])

dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])

dnl The zone-2 entry shows ESTABLISHED rather than SYN_SENT, presumably
dnl because the reply is run through the ct() lookup before the flow table
dnl drops it.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=ESTABLISHED)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - zones from field])
dnl Same as the zones test, but the zone is taken from bits 0..15 of REG0
dnl instead of a literal.  Ports 1/2 use 0x1001 consistently; ports 3/4 track
dnl in 0x1002 but match ct_zone=0x1001 on return, so that connection fails.
dnl dump-conntrack prints the zone in decimal: 0x1001 = 4097, 0x1002 = 4098.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl Ports 3/4 mirror this with a different zone and a deliberately mismatched
dnl ct_zone on the return path.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),2
priority=100,in_port=2,ct_state=-trk,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
priority=100,in_port=2,ct_state=+trk,ct_zone=0x1001,tcp,action=1
priority=100,in_port=3,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),4
priority=100,in_port=4,ct_state=-trk,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
priority=100,in_port=4,ct_state=+trk,ct_zone=0x1001,tcp,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=4097,protoinfo=(state=TIME_WAIT)
])

dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])

AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=4098,protoinfo=(state=ESTABLISHED)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - multiple bridges])
dnl Two bridges joined by a patch port pair, each running its own conntrack
dnl zone (zone 1 on br0, zone 2 on br1).  The patch ports are added before the
dnl veths, so presumably they are port 1 and the veths port 2 on each bridge;
dnl the flow files below are written with that numbering.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START(
   [_ADD_BR([br1]) --\
    add-port br0 patch+ -- set int patch+ type=patch options:peer=patch- --\
    add-port br1 patch- -- set int patch- type=patch options:peer=patch+ --])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")

dnl Allow any traffic from ns0->br1, allow established in reverse.
AT_DATA([flows-br0.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(commit,zone=1),1
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=1,action=2
])

dnl Allow any traffic from br0->ns1, allow established in reverse.
dnl br1 commits new connections arriving over the patch port and re-commits
dnl established ones in both directions, all in zone 2.
AT_DATA([flows-br1.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=2)
priority=100,in_port=1,tcp,ct_state=+trk+new,ct_zone=2,action=ct(commit,zone=2),2
priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=2,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
priority=100,in_port=2,tcp,ct_state=+trk+est,ct_zone=2,action=ct(commit,zone=2),1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - multiple zones])
dnl A single packet is committed into two zones in one action list.  Replies
dnl from port 2 are only looked up in zone 2, so the zone-1 entry never sees
dnl the other direction and stays in SYN_SENT while zone 2 reaches TIME_WAIT.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit,zone=1),ct(commit,zone=2),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=2)
priority=100,in_port=2,ct_state=+trk,ct_zone=2,tcp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl (again) HTTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl Only one entry per zone is expected even though two requests were made;
dnl presumably both used the same source port or the first entry was reaped.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=SYN_SENT)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - multiple zones, local])
dnl Traffic originates from the host stack through the bridge's LOCAL port,
dnl which is given 10.1.1.1.  Untracked IP from LOCAL is dropped outright, so
dnl packets from the host are expected to arrive already tracked, presumably
dnl because the host's own netfilter conntrack has handled them; this is the
dnl property being checked.  Return traffic must pass lookups in both zones.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0)

dnl The address on br0 outlives the test harness's own cleanup, hence on_exit.
AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
AT_CHECK([ip link set dev br0 up])
on_exit 'ip addr del dev br0 "10.1.1.1/24"'
ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")

dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
dnl return traffic from ns0 back to the local stack.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
table=1,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
table=2,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl HTTP requests from root namespace to p0 should work fine.
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl (again) HTTP requests from root namespace to p0 should work fine.
AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl Both the ICMP and the TCP connection are expected in each of the two zones.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=1
icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=2
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

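AT_SETUP([conntrack - multiple namespaces, internal ports])
dnl The ports here are OVS internal ports moved into the namespaces rather
dnl than veth pairs, so the packets cross a namespace boundary while still
dnl inside the OVS datapath.  The bridge is put in secure fail mode so that
dnl nothing is forwarded except by the explicit flows below.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START(
   [set-fail-mode br0 secure -- ])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_INT(p0, at_ns0, br0, "10.1.1.1/24")
ADD_INT(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl
dnl If skb->nfct is leaking from inside the namespace, this test will fail.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=1),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
])

dnl --bundle installs the flow file atomically, as every other test in this
dnl file does, so a partially applied table is never observed.
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl (again) HTTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
])

dnl The two sed expressions whitelist log lines that are presumably emitted
dnl when the internal ports vanish together with their namespaces at teardown.
OVS_TRAFFIC_VSWITCHD_STOP(["dnl
/ioctl(SIOCGIFINDEX) on .* device failed: No such device/d
/removing policing failed: No such device/d"])
AT_CLEANUP
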
657AT_SETUP([conntrack - multi-stage pipeline, local])
658CHECK_CONNTRACK()
cf7659b6 659OVS_TRAFFIC_VSWITCHD_START()
c2926d6d
JS
660
661ADD_NAMESPACES(at_ns0)
662
663AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
664AT_CHECK([ip link set dev br0 up])
665on_exit 'ip addr del dev br0 "10.1.1.1/24"'
666ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
667
668dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
669dnl return traffic from ns0 back to the local stack.
670AT_DATA([flows.txt], [dnl
671dnl default
672table=0,priority=1,action=drop
673table=0,priority=10,arp,action=normal
674
675dnl Load the output port to REG0
676table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
677table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1
678
679dnl Ingress pipeline
680dnl - Allow all connections from LOCAL port (commit and proceed to egress)
681dnl - All other connections go through conntracker using the input port as
682dnl a connection tracking zone.
683table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2
684table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
685table=1,priority=1,action=drop
686
687dnl Egress pipeline
688dnl - Allow all connections from LOCAL port (commit and skip to output)
689dnl - Allow other established connections to go through conntracker using
690dnl output port as a connection tracking zone.
691table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4
692table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
693table=2,priority=1,action=drop
694
695dnl Only allow established traffic from egress ct lookup
696table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
697table=3,priority=1,action=drop
698
699dnl output table
700table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
701])
702
6cfa8ec3 703AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
c2926d6d
JS
704
705AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
7063 packets transmitted, 3 received, 0% packet loss, time 0ms
707])
708
709dnl HTTP requests from root namespace to p0 should work fine.
710NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
711AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
712
713dnl (again) HTTP requests from root namespace to p0 should work fine.
714AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
715
ec3aa16c
DDP
716AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
717icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=1
718icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=65534
719tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
720tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=65534,protoinfo=(state=TIME_WAIT)
721])
722
723OVS_TRAFFIC_VSWITCHD_STOP
724AT_CLEANUP
725
AT_SETUP([conntrack - ct_mark])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow traffic between ns0<->ns1 using the ct_mark.
dnl Check that different marks do not match for traffic between ns2<->ns3.
dnl The forward direction commits the connection with a mark (1 for p0->p1,
dnl 2 for p2->p3).  Return traffic is only forwarded when the mark is 1, so
dnl replies from p3 (mark 2) fall through to the priority=1 drop.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:2->ct_mark)),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl The committed entry must carry mark=1.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=TIME_WAIT)
])

dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.  (wget exit status 4 is its
dnl "network failure" code.)
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])

dnl The reply still passes through ct(table=0) before it is dropped, so the
dnl entry exists in conntrack, carrying mark=2.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=ESTABLISHED)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
772
AT_SETUP([conntrack - ct_mark from register])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Same policy as the "ct_mark" test, but the mark is first loaded into
dnl NXM_NX_REG0 and then copied into ct_mark with a move: inside ct(exec(...)).
dnl ns0<->ns1 is committed with mark 1, ns2<->ns3 with mark 2; return traffic
dnl is only forwarded when the mark is 1.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=load:1->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
priority=100,in_port=3,tcp,action=load:2->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl The value moved from the register must show up as mark=1.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=TIME_WAIT)
])

dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.  (wget exit status 4 is its
dnl "network failure" code.)
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])

dnl The entry exists with mark=2 even though the reply was dropped after the
dnl ct(table=0) lookup.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=ESTABLISHED)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
818
AT_SETUP([conntrack - ct_label])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow traffic between ns0<->ns1 using the ct_label.
dnl Check that different labels do not match for traffic between ns2<->ns3.
dnl Same shape as the ct_mark test, but keyed on the (wider) ct_label field:
dnl p2->p3 is committed with label 0x2, while return traffic on ports 2 and 4
dnl only matches label 0x0a000d000005000001.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:0x0a000d000005000001->ct_label)),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=1
priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:0x2->ct_label)),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=4,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.  (wget exit status 4 is its
dnl "network failure" code.)
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
857
AT_SETUP([conntrack - ICMP related])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
dnl The UDP flow is committed with ct_mark=1; the ICMP error coming back from
dnl port 2 must be both +rel (related to that UDP entry) and carry the same
dnl mark to be forwarded.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,udp,action=ct(commit,exec(set_field:1->ct_mark)),2
priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,icmp,ct_state=+trk+rel,ct_mark=1,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
dnl No listener is started on udp/10000 in ns1, so the expectation is an ICMP
dnl port-unreachable error for the single datagram sent.
NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])

dnl Purge the datapath flows so their packet/byte counts are attributed to
dnl the OpenFlow rules before they are dumped below.
AT_CHECK([ovs-appctl revalidator/purge], [0])
dnl One UDP datagram out, one ICMP error back through the untracked and then
dnl the +rel rule; the drop rule is filtered out of the listing.
AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
 n_packets=1, n_bytes=44, priority=100,udp,in_port=1 actions=ct(commit,exec(load:0x1->NXM_NX_CT_MARK[[]])),output:2
 n_packets=1, n_bytes=72, priority=100,ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2 actions=output:1
 n_packets=1, n_bytes=72, priority=100,ct_state=-trk,icmp,in_port=2 actions=ct(table=0)
 n_packets=2, n_bytes=84, priority=10,arp actions=NORMAL
NXST_FLOW reply:
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
892
AT_SETUP([conntrack - ICMP related 2])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "172.16.0.1/24")
ADD_VETH(p1, at_ns1, br0, "172.16.0.2/24")

dnl Untracked UDP from port 1 is committed; anything tracked from port 1 and
dnl only related reply traffic (+rel+rpl) from port 2 is sent to the
dnl controller, where the monitor below records it.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,udp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=1,ip,ct_state=+trk,actions=controller
priority=100,in_port=2,ip,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,ip,ct_state=+trk+rel+rpl,action=controller
])

AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt])

dnl Capture every packet-in the flows above raise.
AT_CAPTURE_FILE([ofctl_monitor.log])
AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])

dnl 1. Send an ICMP port unreach reply for port 8738, without any previous request
dnl    (no conntrack entry exists for it, so it is not +rel and gets dropped).
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f355ac100004ac1000030303553f0000000045000021317040004011b138ac100003ac10000411112222000d20966369616f0a'])

dnl 2. Send a UDP packet to port 5555
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit,table=0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])

dnl 3. Send an ICMP port unreach reply for port 5555, related to the UDP
dnl    packet from step 2
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])

dnl Check this output. We only see the latter two packets, not the first.
AT_CHECK([cat ofctl_monitor.log], [0], [dnl
NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=47 ct_state=new|trk,in_port=1 (via action) data_len=47 (unbuffered)
udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096
NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=75 ct_state=rel|rpl|trk,in_port=2 (via action) data_len=75 (unbuffered)
icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
936
AT_SETUP([conntrack - FTP])
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl flows1: allow any TCP from ns0->ns1, committed with the FTP ALG so the
dnl data connection becomes an expectation.  From ns1->ns0 only established
dnl or related (+rel, i.e. the FTP data channel) TCP is forwarded.
AT_DATA([flows1.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
priority=100,in_port=2,tcp,ct_state=+trk+rel,action=1
])

dnl Similar policy but without allowing all traffic from ns0->ns1.
dnl Only new (committed with the ALG) or established connections pass from
dnl port 1; a new related connection from port 2 (active-mode data channel)
dnl is committed on its way back.
AT_DATA([flows2.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
priority=100,in_port=1,tcp,ct_state=+trk+est,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
priority=100,in_port=2,tcp,ct_state=+trk-new+rel,action=1
])

AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])

NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])

dnl FTP requests from p1->p0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.  (wget exit status 4 is its
dnl "network failure" code.)
NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
dnl Nothing from p1 was ever committed, so no entry may exist for 10.1.1.1.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
])

dnl FTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl The control connection carries helper=ftp; the data connection is not
dnl committed under flows1, so only one entry is expected.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
])

dnl Try the second set of flows.
AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
AT_CHECK([ovs-appctl dpctl/flush-conntrack])

dnl FTP requests from p1->p0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
])

dnl Active FTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log])
dnl Under flows2 the related data connection opened by the server (orig
dnl src=10.1.1.2) is committed too, so two entries are expected.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
])

AT_CHECK([ovs-appctl dpctl/flush-conntrack])

dnl Passive FTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log])
dnl In passive mode the client opens the data connection itself, so both
dnl entries originate from 10.1.1.1.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1017
1018
AT_SETUP([conntrack - IPv6 FTP])
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl ICMPv6 (incl. neighbour discovery) is allowed both ways untracked.  TCPv6
dnl from port 1 may only open new FTP control connections (tp_dst=21), which
dnl are committed with the ALG; port 2 may only open related connections
dnl (the active-mode data channel).  Established TCPv6 passes both ways.
AT_DATA([flows.txt], [dnl
dnl Track all IPv6 traffic and drop the rest.
dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked.
table=0 priority=100 in_port=1 icmp6, action=2
table=0 priority=100 in_port=2 icmp6, action=1
table=0 priority=10 ip6, action=ct(table=1)
table=0 priority=0 action=drop
dnl
dnl Table 1
dnl
dnl Allow new TCPv6 FTP control connections from port 1.
table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
dnl Allow related TCPv6 connections from port 2.
table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1
dnl Allow established TCPv6 connections both ways.
table=1 in_port=1 ct_state=+est, tcp6, action=2
table=1 in_port=2 ct_state=+est, tcp6, action=1
dnl Drop everything else.
table=1 priority=0, action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])

dnl FTP requests from p0->p1 should work fine.
dnl (The doubled brackets keep the IPv6 literal from being eaten by m4.)
NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])

dnl Discards CLOSE_WAIT and CLOSING
dnl Control connection (helper=ftp) from fc00::1 plus the server-opened data
dnl connection from fc00::2.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2) | grep -v "FIN" | grep -v "CLOS"], [0], [dnl
tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
tcp,orig=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1067
1068
AT_SETUP([conntrack - FTP with multiple expectations])
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Dual firewall (conntrack zones 1 and 2 in series): allow all TCP from
dnl ns0->ns1, committing it in both zones with the FTP ALG so each zone holds
dnl its own data-channel expectation; from ns1->ns0 allow only established or
dnl related (FTP data) connections, committed in both zones.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=0,zone=2)
priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=2)
priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=0,zone=1)
priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])

dnl FTP requests from p1->p0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.  (wget exit status 4 is its
dnl "network failure" code.)
NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
])

dnl Active FTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Every connection appears once per zone: the control connection with
dnl helper=ftp and the server-opened data connection, in zones 1 and 2.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT),helper=ftp
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT),helper=ftp
tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT)
])

AT_CHECK([ovs-appctl dpctl/flush-conntrack])

dnl Passive FTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl In passive mode both connections originate from 10.1.1.1, again once per
dnl zone.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT),helper=ftp
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT),helper=ftp
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1129
AT_SETUP([conntrack - IPv4 fragmentation ])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Sending ping through conntrack
dnl Echo requests from port 1 are committed in zone 9; replies from port 2
dnl are forwarded only once conntrack reports them as established.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv4 fragmentation connectivity check.
dnl 1600-byte payloads exceed the link MTU and must be reassembled by
dnl conntrack before the ct() lookup.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv4 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1167
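AT_SETUP([conntrack - IPv4 fragmentation expiry])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Unfragmented ICMP and the first fragment of each datagram are committed
dnl in zone 9 and sent to port 2; every later fragment falls through to the
dnl priority=1 drop.  Reassembly therefore never completes and the partial
dnl fragment state has to be expired by conntrack on its own.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal

dnl Only allow non-fragmented messages and 1st fragments of each message
priority=100,in_port=1,icmp,ip_frag=no,action=ct(commit,zone=9),2
dnl A comma is required between the ip_frag match and the action list;
dnl without it ovs-ofctl reads "firstaction=..." as the ip_frag value.
priority=100,in_port=1,icmp,ip_frag=first,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv4 fragmentation connectivity check.
dnl With -c 1 -w 2, ping keeps sending at the 0.3s interval until one reply
dnl arrives or the 2s deadline passes, so several requests (7 here) go out
dnl and none is answered because only their first fragment is delivered.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 1 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
7 packets transmitted, 0 received, 100% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP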
1202
AT_SETUP([conntrack - IPv4 fragmentation + vlan])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl The pings below use the VLAN 100 sub-interfaces, so every fragment
dnl carries an 802.1Q tag on its way through conntrack.
ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")

dnl Sending ping through conntrack
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv4 fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv4 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1242
AT_SETUP([conntrack - IPv6 fragmentation])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl Sending ping through conntrack
dnl Neighbour solicitation/advertisement (icmp_type 135/136) bypasses
dnl conntrack at priority 100; all other IPv6 goes through zone 9.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Without this sleep, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
sleep 2;

dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv6 fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv6 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1285
AT_SETUP([conntrack - IPv6 fragmentation expiry])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl IPv6 counterpart of the IPv4 expiry test: only unfragmented packets and
dnl first fragments are committed and forwarded; later fragments are dropped,
dnl so reassembly never completes and the fragment state must expire.
AT_DATA([flows.txt], [dnl
priority=1,action=drop

dnl Only allow non-fragmented messages and 1st fragments of each message
priority=10,in_port=1,ipv6,ip_frag=first,action=ct(commit,zone=9),2
priority=10,in_port=1,ipv6,ip_frag=no,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1

dnl Neighbour Discovery
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Without this sleep, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
sleep 2;

dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Send an IPv6 fragment. Some time later, it should expire.
dnl With -c 1 -w 2, ping6 keeps sending at the 0.3s interval until one reply
dnl arrives or the deadline passes, so several requests (7 here) go out
dnl unanswered.
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 1 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
7 packets transmitted, 0 received, 100% packet loss, time 0ms
])

dnl At this point, the kernel will either crash or everything is OK.

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1329
AT_SETUP([conntrack - IPv6 fragmentation + vlan])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl The pings below use the VLAN 100 sub-interfaces, so every fragment
dnl carries an 802.1Q tag on its way through conntrack.
ADD_VLAN(p0, at_ns0, 100, "fc00:1::3/96")
ADD_VLAN(p1, at_ns1, 100, "fc00:1::4/96")

dnl Sending ping through conntrack
dnl Neighbour Discovery (icmp_type 135/136) bypasses conntrack at priority 100.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Without this sleep, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
sleep 2;

dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl IPv6 fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl IPv6 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1375
AT_SETUP([conntrack - Fragmentation over vxlan])
OVS_CHECK_VXLAN()
CHECK_CONNTRACK()

OVS_TRAFFIC_VSWITCHD_START()
dnl br-underlay carries the encapsulated traffic and just switches normally.
ADD_BR([br-underlay])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Sending ping through conntrack
dnl Overlay traffic arrives on the vxlan port (port 1) and is answered by the
dnl host's LOCAL port; replies from LOCAL are forwarded only when conntrack
dnl (zone 9, looked up in table 1) reports the entry as established.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),LOCAL
priority=100,in_port=LOCAL,icmp,action=ct(table=1,zone=9)
table=1,priority=100,in_port=LOCAL,ct_state=+trk+est,icmp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([vxlan], [br0], [at_ns0], [172.31.1.1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
                  [id 0 dstport 4789])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with different packet sizes
dnl The larger payloads are fragmented inside the tunnel and must be
dnl reassembled before the ct() lookup on br0.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
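dnl IPv6 counterpart of "conntrack - Fragmentation over vxlan": fragmented
dnl ICMPv6 over a VXLAN tunnel must still be tracked by conntrack.
AT_SETUP([conntrack - IPv6 Fragmentation over vxlan])
dnl Same VXLAN availability check as the IPv4 sibling test, instead of an
dnl ad-hoc "ip link help | grep vxlan" probe, so both tests skip under the
dnl same conditions.
OVS_CHECK_VXLAN()
CHECK_CONNTRACK()

OVS_TRAFFIC_VSWITCHD_START()
dnl br-underlay carries the encapsulated traffic and simply switches it.
ADD_BR([br-underlay])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Sending ping through conntrack
dnl IPv6 arriving on port 1 (the tunnel) is committed to zone 9 and delivered
dnl to LOCAL; replies from LOCAL are re-checked in zone 9 and only +trk+est
dnl traffic goes back out port 1.  Neighbour Discovery bypasses conntrack at
dnl priority 1000; everything else is dropped.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=100,in_port=1,ipv6,action=ct(commit,zone=9),LOCAL
priority=100,in_port=LOCAL,ipv6,action=ct(table=1,zone=9)
table=1,priority=100,in_port=LOCAL,ct_state=+trk+est,ipv6,action=1

dnl Neighbour Discovery
priority=1000,icmp6,icmp_type=135,action=normal
priority=1000,icmp6,icmp_type=136,action=normal
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([vxlan], [br0], [at_ns0], [172.31.1.1], ["fc00::2/96"])
ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], ["fc00::1/96"],
 [id 0 dstport 4789])

dnl Without this sleep, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
dnl NOTE(review): a fixed delay is timing-dependent; presumably this waits for
dnl the fresh IPv6 tunnel address to finish DAD -- polling "ip -6 addr" until
dnl the address is no longer tentative would be more robust.  TODO confirm.
sleep 2;

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with different packet sizes
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
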
dnl A single packet handed to ct() from two different resubmit branches must
dnl complete both recirculations; the flow counters at the end prove it.
AT_SETUP([conntrack - resubmit to ct multiple times])
CHECK_CONNTRACK()

dnl Secure fail mode: no implicit NORMAL flow, so only flows.txt forwards.
OVS_TRAFFIC_VSWITCHD_START(
 [set-fail-mode br0 secure -- ])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl IP from port 1 is resubmitted to table 1 and then table 2; each sends it
dnl through conntrack with table 3 as the continuation, and table 3 drops.
dnl The ping therefore gets no reply, but table 3 must see the packet twice.
AT_DATA([flows.txt], [dnl
table=0,priority=150,arp,action=normal
table=0,priority=100,ip,in_port=1,action=resubmit(,1),resubmit(,2)

table=1,priority=100,ip,action=ct(table=3)
table=2,priority=100,ip,action=ct(table=3)

table=3,ip,action=drop
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

NS_CHECK_EXEC([at_ns0], [ping -q -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
1 packets transmitted, 0 received, 100% packet loss, time 0ms
])

dnl table=3 shows n_packets=2 for the one echo request: both ct() calls
dnl recirculated into it.
AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort], [0], [dnl
 n_packets=1, n_bytes=98, priority=100,ip,in_port=1 actions=resubmit(,1),resubmit(,2)
 n_packets=2, n_bytes=84, priority=150,arp actions=NORMAL
 table=1, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
 table=2, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
 table=3, n_packets=2, n_bytes=196, ip actions=drop
NXST_FLOW reply:
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl Source NAT of everything ns0 sends to ns1 into the unused range
dnl 10.1.1.240-10.1.1.255, with an OpenFlow ARP responder standing in for
dnl those addresses so ns1 can resolve them.
AT_SETUP([conntrack - simple SNAT])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0; the ARP responder in table 8 answers for the NAT range
dnl with this same address.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any traffic from ns0->ns1 (committed and source-NATed).  Traffic
dnl from ns1->ns0 is un-NATed and recirculated, then only tracked packets in
dnl zone 1 are forwarded.  ARP is answered by the responder below.
dnl NOTE(review): the in_port=2 forwarding rule matches ct_state=+trk without
dnl +est, so a new connection initiated from ns1 would also pass; the
dnl "more complex SNAT" test below uses +trk-new+est for that direction.
dnl This test only exercises ns0->ns1.
AT_DATA([flows.txt], [dnl
in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)
in_port=2,ct_state=+trk,ct_zone=1,ip,action=1
dnl
dnl ARP
dnl ARP requests: save the target IP in reg2, look up a MAC in table 8,
dnl then decide in table 10 whether to answer or flood normally.
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0,action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, the SNAT range.
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
dnl Swaps the fields of the ARP message to turn a query to a response.
dnl The reply is sent back out the port it came in on (in_port saved in reg3,
dnl then cleared so output to the same port is permitted).
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])

dnl The reply tuple must point at a translated source (10.1.1.240-255); the
dnl sed masks which address in the range was picked.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl Like "simple SNAT", but TCP only and the translated source port is also
dnl constrained (34567-34568, chosen randomly); the return flows match those
dnl two ports explicitly.
AT_SETUP([conntrack - SNAT with port range])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0; the ARP responder in table 8 answers for the NAT range
dnl with this same address.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any TCP from ns0->ns1 (committed, source address and port NATed).
dnl From ns1->ns0 only TCP to the two NAT ports is un-NATed and recirculated,
dnl then tracked packets in zone 1 are forwarded.  ARP is answered below.
dnl NOTE(review): as in "simple SNAT", the in_port=2 forwarding rule matches
dnl +trk without +est; only the ns0->ns1 direction is exercised here.
AT_DATA([flows.txt], [dnl
in_port=1,tcp,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255:34567-34568,random)),2
in_port=2,ct_state=-trk,tcp,tp_dst=34567,action=ct(table=0,zone=1,nat)
in_port=2,ct_state=-trk,tcp,tp_dst=34568,action=ct(table=0,zone=1,nat)
in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
dnl
dnl ARP
dnl ARP requests: save the target IP in reg2, look up a MAC in table 8,
dnl then decide in table 10 whether to answer or flood normally.
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0,action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, the SNAT range.
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])

dnl FORMAT_CT clears the ports, so only the translated address is asserted;
dnl the sed masks which address in the range was picked.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl SNAT with the recommended two-stage layout: table 0 tracks (and NATs
dnl existing connections) unconditionally, table 1 applies the policy on
dnl ct_state.  Unlike "simple SNAT", the ns1->ns0 direction is restricted to
dnl established connections.
AT_SETUP([conntrack - more complex SNAT])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0; the ARP responder in table 8 answers for the NAT range
dnl with this same address.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

AT_DATA([flows.txt], [dnl
dnl Track all IP traffic, NAT existing connections.
priority=100 ip action=ct(table=1,zone=1,nat)
dnl
dnl Allow ARP, but generate responses for NATed addresses
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0 action=drop
dnl
dnl Allow any traffic from ns0->ns1. SNAT ns0 to 10.1.1.240-10.1.1.255
dnl New connections are committed with the NAT binding; established ones were
dnl already translated by the ct(nat) in table 0.
table=1 priority=100 in_port=1 ip ct_state=+trk+new-est action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
table=1 priority=100 in_port=1 ip ct_state=+trk-new+est action=2
dnl Only allow established traffic from ns1->ns0.
table=1 priority=100 in_port=2 ip ct_state=+trk-new+est action=1
table=1 priority=0 action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, the SNAT range.
table=8 priority=100 reg2=0x0a0101f0/0xfffffff0 action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
table=8 priority=0 action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl ARP TPA IP in reg2.
table=10 priority=100 arp xreg0=0 action=normal
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=10 arp arp_op=1 action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])

dnl The reply tuple must point at a translated source (10.1.1.240-255); the
dnl sed masks which address in the range was picked.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl Destination NAT: the virtual address 10.1.1.64 is translated to ns1's
dnl real address 10.1.1.2.  An OpenFlow ARP responder answers for 10.1.1.64
dnl with p1's MAC so ns0 can reach it.
AT_SETUP([conntrack - simple DNAT])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Fixed MAC for p1; the ARP responder in table 8 answers for the virtual
dnl IP with this same address.
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])

dnl Allow any traffic from ns0->ns1: to 10.1.1.64 it is DNATed to 10.1.1.2,
dnl anything else is committed untranslated.  From ns1->ns0 packets are
dnl un-NATed and recirculated and only +trk+est in zone 1 is forwarded.
dnl ARP is answered by the responder below.
AT_DATA([flows.txt], [dnl
priority=100 in_port=1,ip,nw_dst=10.1.1.64,action=ct(zone=1,nat(dst=10.1.1.2),commit),2
priority=10 in_port=1,ip,action=ct(commit,zone=1),2
priority=100 in_port=2,ct_state=-trk,ip,action=ct(table=0,nat,zone=1)
priority=100 in_port=2,ct_state=+trk+est,ct_zone=1,ip,action=1
dnl
dnl ARP
dnl ARP requests: save the target IP in reg2, look up a MAC in table 8,
dnl then decide in table 10 whether to answer or flood normally.
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0,action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64, the virtual (DNAT) address.
table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
table=10 priority=100 arp xreg0=0 action=normal
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Should work with the virtual IP address through NAT
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])

dnl orig keeps the virtual destination, reply carries the real server address.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64) ], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
])

dnl Should work with the assigned IP address as well
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) ], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl DNAT with the two-stage layout: table 0 tracks (and NATs existing
dnl connections) unconditionally, table 1 applies the policy on ct_state.
dnl Virtual address 10.1.1.64 maps to ns1's real address 10.1.1.2.
AT_SETUP([conntrack - more complex DNAT])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Fixed MAC for p1; the ARP responder in table 8 answers for the virtual
dnl IP with this same address.
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])

dnl Allow any traffic from ns0->ns1; only established return traffic from
dnl ns1->ns0.  ARP is answered by the responder below.
AT_DATA([flows.txt], [dnl
dnl Track all IP traffic
table=0 priority=100 ip action=ct(table=1,zone=1,nat)
dnl
dnl Allow ARP, but generate responses for NATed addresses
table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
table=0 priority=10 arp action=normal
table=0 priority=0 action=drop
dnl
dnl Allow any IP traffic from ns0->ns1. DNAT ns0 from 10.1.1.64 to 10.1.1.2
dnl New connections to the virtual IP are committed with the DNAT binding;
dnl other new connections are committed untranslated; established ones were
dnl already translated by the ct(nat) in table 0.
table=1 priority=100 in_port=1 ct_state=+new ip nw_dst=10.1.1.64 action=ct(zone=1,nat(dst=10.1.1.2),commit),2
table=1 priority=10 in_port=1 ct_state=+new ip action=ct(commit,zone=1),2
table=1 priority=100 in_port=1 ct_state=+est ct_zone=1 action=2
dnl Only allow established traffic from ns1->ns0.
table=1 priority=100 in_port=2 ct_state=+est ct_zone=1 action=1
table=1 priority=0 action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64, the virtual (DNAT) address.
table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
table=10 priority=100 arp xreg0=0 action=normal
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Should work with the virtual IP address through NAT
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])

dnl orig keeps the virtual destination, reply carries the real server address.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64) ], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
])

dnl Should work with the assigned IP address as well
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) ], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl A UDP datagram from ns0 is source-NATed; the ICMP error ns1 sends back is
dnl addressed to the NATed source and must be recognised as related (+rel),
dnl reverse-NATed to 10.1.1.1, and carry the ct_mark of the UDP entry.
AT_SETUP([conntrack - ICMP related with NAT])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0; the ARP responder in table 8 answers for the NAT range
dnl with this same address.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
dnl Make sure ICMP responses are reverse-NATted.
dnl The nw_dst=10.1.1.1 on the +rel rule can only match after ct(nat) has
dnl translated the ICMP back from the 10.1.1.24x destination it was sent to.
AT_DATA([flows.txt], [dnl
in_port=1,udp,action=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:1->ct_mark)),2
in_port=2,icmp,ct_state=-trk,action=ct(table=0,nat)
in_port=2,icmp,nw_dst=10.1.1.1,ct_state=+trk+rel,ct_mark=1,action=1
dnl
dnl ARP
dnl ARP requests: save the target IP in reg2, look up a MAC in table 8,
dnl then decide in table 10 whether to answer or flood normally.
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0,action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, the SNAT range.
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
dnl Nothing listens on 10000 in ns1; NC_EOF_OPT is the netcat-flavour-specific
dnl option that makes nc exit after stdin hits EOF.
NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])

dnl Flush datapath flows so the OpenFlow counters below are up to date, then
dnl confirm one packet traversed each rule: the +rel rule must show
dnl n_packets=1 (the ICMP error was un-NATed and matched nw_dst=10.1.1.1).
AT_CHECK([ovs-appctl revalidator/purge], [0])
AT_CHECK([ovs-ofctl -O OpenFlow15 dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
 n_packets=1, n_bytes=42, priority=10,arp actions=NORMAL
 n_packets=1, n_bytes=44, udp,in_port=1 actions=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:0x1->ct_mark)),output:2
 n_packets=1, n_bytes=72, ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2,nw_dst=10.1.1.1 actions=output:1
 n_packets=1, n_bytes=72, ct_state=-trk,icmp,in_port=2 actions=ct(table=0,nat)
 n_packets=2, n_bytes=84, priority=100,arp,arp_op=1 actions=move:NXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
 table=10, n_packets=1, n_bytes=42, priority=10,arp,arp_op=1 actions=set_field:2->arp_op,move:NXM_NX_ARP_SHA[[]]->NXM_NX_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_NX_ARP_SHA[[]],move:NXM_OF_ARP_SPA[[]]->NXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->NXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],set_field:0->in_port,output:NXM_NX_REG3[[0..15]]
 table=10, n_packets=1, n_bytes=42, priority=100,arp,reg0=0,reg1=0 actions=NORMAL
 table=8, n_packets=1, n_bytes=42, priority=0 actions=set_field:0->xreg0
 table=8, n_packets=1, n_bytes=42, reg2=0xa0101f0/0xfffffff0 actions=set_field:0x808888888888->xreg0
OFPST_FLOW reply (OF1.5):
])

dnl The UDP entry is SNATed (reply dst in 10.1.1.240-255, masked by the sed)
dnl and carries mark=1.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),mark=1
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl Active-mode FTP through SNAT.  The control connection from ns0 is SNATed
dnl to 10.1.1.240 with the ftp ALG attached, so the server's data connection
dnl back to the NATed address shows up as +rel and can be admitted and
dnl reverse-NATed to ns0 without a static rule for it.
AT_SETUP([conntrack - FTP with NAT])
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
CHECK_CONNTRACK()

OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0; the ARP responder in table 8 answers for the NAT
dnl address with this same address.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow FTP from ns0->ns1. From ns1->ns0 only allow established, related
dnl (data) and related ICMP traffic.

AT_DATA([flows.txt], [dnl
dnl track all IP traffic, de-mangle non-NEW connections
table=0 in_port=1, ip, action=ct(table=1,nat)
table=0 in_port=2, ip, action=ct(table=2,nat)
dnl
dnl ARP
dnl
table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
table=0 priority=10 arp action=normal
table=0 priority=0 action=drop
dnl
dnl Table 1: port 1 -> 2
dnl
dnl Allow new FTP connections. These need to be commited.
dnl alg=ftp attaches the FTP helper so PORT commands create expectations.
table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
dnl Allow established TCP connections, make sure they are NATted already.
dnl (table 0 already applied ct(nat), hence the nw_src=10.1.1.240 match.)
table=1 ct_state=+est, tcp, nw_src=10.1.1.240, action=2
dnl
dnl Table 1: droppers
dnl
table=1 priority=10, tcp, action=drop
table=1 priority=0,action=drop
dnl
dnl Table 2: port 2 -> 1
dnl
dnl Allow established TCP connections, make sure they are reverse NATted
table=2 ct_state=+est, tcp, nw_dst=10.1.1.1, action=1
dnl Allow (new) related (data) connections. These need to be commited.
dnl The server connects to the NATed address; the expectation created by the
dnl helper supplies the reverse translation on commit.
table=2 ct_state=+new+rel, tcp, nw_dst=10.1.1.240, action=ct(commit,nat),1
dnl Allow related ICMP packets, make sure they are reverse NATted
table=2 ct_state=+rel, icmp, nw_dst=10.1.1.1, action=1
dnl
dnl Table 2: droppers
dnl
table=2 priority=10, tcp, action=drop
table=2 priority=0, action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, which covers the NAT address.
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Only the server side in ns1 is started.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])

dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode, i.e. the server-initiated data
dnl connection this test is about.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])

dnl Two entries: the control connection (helper=ftp, SNATed to 10.1.1.240)
dnl and the server-initiated data connection whose reply side is translated
dnl back to 10.1.1.1.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl Variant of "conntrack - FTP with NAT": table 0 only tracks (no nat), and
dnl the NAT is applied explicitly per rule in table 1 so the helper runs on
dnl non-NEW packets too.  Same active-mode FTP exchange and same expected
dnl conntrack entries.
AT_SETUP([conntrack - FTP with NAT 2])
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0; the ARP responder in table 8 answers for the NAT
dnl address with this same address.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow FTP from ns0->ns1.
dnl From ns1->ns0 only allow established, related (data) and related ICMP.
AT_DATA([flows.txt], [dnl
dnl track all IP traffic (this includes a helper call to non-NEW packets.)
table=0 ip, action=ct(table=1)
dnl
dnl ARP
dnl
table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
table=0 priority=10 arp action=normal
table=0 priority=0 action=drop
dnl
dnl Table 1
dnl
dnl Allow new FTP connections. These need to be commited.
dnl This does helper for new packets.
table=1 in_port=1 ct_state=+new, tcp, tp_dst=21, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
dnl Allow and NAT established TCP connections
dnl (ct(nat) here applies the binding committed above, in either direction.)
table=1 in_port=1 ct_state=+est, tcp, action=ct(nat),2
table=1 in_port=2 ct_state=+est, tcp, action=ct(nat),1
dnl Allow and NAT (new) related active (data) connections.
dnl These need to be commited.
table=1 in_port=2 ct_state=+new+rel, tcp, action=ct(commit,nat),1
dnl Allow related ICMP packets.
table=1 in_port=2 ct_state=+rel, icmp, action=ct(nat),1
dnl Drop everything else.
table=1 priority=0, action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, which covers the NAT address.
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])

dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode (server-initiated data connection).
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])

dnl Discards CLOSE_WAIT and CLOSING
dnl Expect the control connection (helper=ftp, SNATed to 10.1.1.240) and the
dnl server-initiated data connection reverse-translated to 10.1.1.1.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN" | grep -v "CLOS"], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl IPv6 source NAT: ns0's traffic to ns1 is SNATed to fc00::240.  Checks
dnl that the NATed direction works and that a connection initiated by ns1
dnl is refused by the flow policy.
AT_SETUP([conntrack - IPv6 HTTP with NAT])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl Static neighbour entry for the NAT address, pointing at p0's fixed MAC,
dnl so ns1 does not depend on Neighbour Discovery resolving fc00::240.
NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])

dnl Allow any traffic from ns0->ns1. Only allow ND, return traffic from ns1->ns0.
dnl ICMPv6 (which includes ND) is switched normally and untracked.  IPv6 from
dnl port 1 is committed and SNATed; from port 2 it is un-NATed, recirculated
dnl and only +est is forwarded, so a new connection from ns1 falls through to
dnl the priority=1 drop.  The priority=200 rule DNATs a Neighbour Solicitation
dnl for fc00::240 back to fc00::1 (presumably not needed once the static
dnl neighbour entry above is present -- TODO confirm).
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,icmp6,action=normal
priority=100,in_port=1,ip6,action=ct(commit,nat(src=fc00::240)),2
priority=100,in_port=2,ct_state=-trk,ip6,action=ct(nat,table=0)
priority=100,in_port=2,ct_state=+trk+est,ip6,action=1
priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::240,action=ct(commit,nat(dst=fc00::1)),1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Without this sleep, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
dnl NOTE(review): fixed delay, presumably waiting for IPv6 DAD on the fresh
dnl addresses; polling for the address to leave the tentative state would be
dnl more robust.  TODO confirm.
sleep 2;

dnl HTTP requests from ns0->ns1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])

NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl HTTP requests from ns1->ns0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
dnl wget exit status 4 is "network failure": the SYNs from ns1 are +new, not
dnl +est, and are dropped.
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl IPv6 version of the active-mode FTP through SNAT test: the control
dnl connection from ns0 is SNATed to fc00::240 with the ftp ALG, and the
dnl server-initiated data connection to fc00::240 is admitted as +rel and
dnl reverse-NATed to fc00::1.
AT_SETUP([conntrack - IPv6 FTP with NAT])
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl Would be nice if NAT could translate neighbor discovery messages, too.
dnl Until then ns1 gets a static neighbour entry for the NAT address that
dnl points at p0's fixed MAC.
NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])

dnl Allow FTP from ns0->ns1.
dnl From ns1->ns0 only allow ND/ICMPv6, established and related (data) traffic.
AT_DATA([flows.txt], [dnl
dnl Allow other ICMPv6 both ways (without commit).
table=1 priority=100 in_port=1 icmp6, action=2
table=1 priority=100 in_port=2 icmp6, action=1
dnl track all IPv6 traffic (this includes NAT & help to non-NEW packets.)
table=0 priority=10 ip6, action=ct(nat,table=1)
table=0 priority=0 action=drop
dnl
dnl Table 1
dnl
dnl Allow new TCPv6 FTP control connections.
dnl alg=ftp attaches the FTP helper so PORT/EPRT commands create expectations.
table=1 in_port=1 ct_state=+new tcp6 ipv6_src=fc00::1 tp_dst=21 action=ct(alg=ftp,commit,nat(src=fc00::240)),2
dnl Allow related TCPv6 connections from port 2 to the NATted address.
table=1 in_port=2 ct_state=+new+rel tcp6 ipv6_dst=fc00::240 action=ct(commit,nat),1
dnl Allow established TCPv6 connections both ways, enforce NATting
dnl (table 0 already applied ct(nat), so the translated addresses are matched.)
table=1 in_port=1 ct_state=+est tcp6 ipv6_src=fc00::240 action=2
table=1 in_port=2 ct_state=+est tcp6 ipv6_dst=fc00::1 action=1
dnl Drop everything else.
table=1 priority=0, action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])

dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode (server-initiated data connection).
NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])

dnl Discards CLOSE_WAIT and CLOSING
dnl Expect the control connection (helper=ftp, SNATed to fc00::240) and the
dnl server-initiated data connection reverse-translated to fc00::1.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2) | grep -v "FIN" | grep -v "CLOS"], [0], [dnl
tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
tcp,orig=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP