dnl Datapath sanity tests. Every test below starts ovs-vswitchd, wires up
dnl network namespaces with veth ports (plus vlan, bond or tunnel ports where
dnl the test name says so) and checks connectivity with ping or an HTTP fetch.
AT_BANNER([datapath-sanity])

AT_SETUP([datapath - ping between two ports])
OVS_TRAFFIC_VSWITCHD_START()

dnl A single NORMAL flow turns br0 into a plain learning switch.
AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])

ADD_NAMESPACES(at_ns0, at_ns1)

dnl One veth per namespace, both attached to br0 on the same /24.
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Three payload sizes: default, 1600 and 3200 bytes. The larger two are
dnl above a typical 1500-byte MTU, so IP fragmentation is presumably exercised
dnl as well (the veth MTU is not set explicitly here).
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([datapath - http between two ports])
OVS_TRAFFIC_VSWITCHD_START()

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Confirm L3 reachability before bringing TCP into the picture.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Start an HTTP server in at_ns1 and fetch from at_ns0. Three tries with a
dnl 1 second timeout and retry-on-refused cover server start-up latency; the
dnl transcript goes to wget0.log so the test output stays clean.
OVS_START_L7([at_ns1], [http])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([datapath - ping between two ports on vlan])
OVS_TRAFFIC_VSWITCHD_START()

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl VLAN 100 sub-interfaces on each veth carry 10.2.2.0/24; the untagged
dnl 10.1.1.0/24 addresses stay on the parent ports. The pings below use the
dnl tagged addresses only, so the 802.1Q path through br0 is what is tested.
ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")

NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([datapath - ping between two ports on cvlan])
OVS_TRAFFIC_VSWITCHD_START()

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl QinQ: an outer S-VLAN 4094 on each veth, then an inner C-VLAN 100 stacked
dnl on the S-VLAN device (p0.4094 / p1.4094). Only the inner 10.2.2.0/24
dnl addresses are pinged, so every test packet is double-tagged.
ADD_SVLAN(p0, at_ns0, 4094, "10.255.2.1/24")
ADD_SVLAN(p1, at_ns1, 4094, "10.255.2.2/24")

ADD_CVLAN(p0.4094, at_ns0, 100, "10.2.2.1/24")
ADD_CVLAN(p1.4094, at_ns1, 100, "10.2.2.2/24")

dnl Wait for the first reply before the counted pings so interface bring-up
dnl does not show up as packet loss.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])

NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([datapath - ping6 between two ports])
OVS_TRAFFIC_VSWITCHD_START()

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])

ADD_NAMESPACES(at_ns0, at_ns1)

dnl IPv6 variant of the two-port test: ULA addresses on a shared /96.
ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])

dnl Same three payload sizes as the IPv4 test (default, 1600, 3200 bytes).
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([datapath - ping6 between two ports on vlan])
OVS_TRAFFIC_VSWITCHD_START()

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl VLAN 100 sub-interfaces carry fc00:1::/96; only the tagged addresses are
dnl pinged below.
ADD_VLAN(p0, at_ns0, 100, "fc00:1::1/96")
ADD_VLAN(p1, at_ns1, 100, "fc00:1::2/96")

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00:1::2])

NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([datapath - ping6 between two ports on cvlan])
OVS_TRAFFIC_VSWITCHD_START()

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl QinQ over IPv6: outer S-VLAN 4094 on the veth, inner C-VLAN 100 stacked on
dnl the S-VLAN device. Only the inner fc00:1::/96 addresses are pinged.
ADD_SVLAN(p0, at_ns0, 4094, "fc00:ffff::1/96")
ADD_SVLAN(p1, at_ns1, 4094, "fc00:ffff::2/96")

ADD_CVLAN(p0.4094, at_ns0, 100, "fc00:1::1/96")
ADD_CVLAN(p1.4094, at_ns1, 100, "fc00:1::2/96")

dnl Wait for the IPv6 stack and the double-tagged path to come up first.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00:1::2])

NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([datapath - ping over bond])
OVS_TRAFFIC_VSWITCHD_START()

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])

ADD_NAMESPACES(at_ns0, at_ns1)

dnl at_ns0 has a single veth; at_ns1 is reached over an OVS bond (bond0) made
dnl of two veths p1 and p2, with LACP active and balance-tcp hashing.
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH_BOND(p1 p2, at_ns1, br0, bond0, lacp=active bond_mode=balance-tcp, "10.1.1.2/24")

dnl Give the bond time to negotiate before the counted pings.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2])

NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([datapath - ping over vxlan tunnel])
OVS_CHECK_VXLAN()

dnl Two bridges: br0 carries the overlay, br-underlay the transport network.
OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
dnl Namespace side is 172.31.1.1, host side (on the bridge port) 172.31.1.100.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
dnl OVS side: vxlan port at_vxlan0 on br0, remote 172.31.1.1, overlay address
dnl 10.1.1.100. Namespace side: Linux vxlan device at_vxlan1, remote
dnl 172.31.1.100, VNI 0, standard UDP port 4789, overlay address 10.1.1.1.
ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
                  [id 0 dstport 4789])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with different packet sizes
dnl (1600 and 3200 byte payloads presumably force fragmentation of the inner
dnl packets once the encapsulation overhead is added).
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([datapath - ping over vxlan6 tunnel])
dnl Gated on kernel support for zero UDP checksums over IPv6, which the native
dnl tunnel device below is configured to both send and accept.
OVS_CHECK_VXLAN_UDP6ZEROCSUM()

OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
dnl IPv6 underlay; nodad skips duplicate address detection so the addresses
dnl are usable immediately.
ADD_VETH(p0, at_ns0, br-underlay, "fc00::1/64", [], [], "nodad")
AT_CHECK([ip addr add dev br-underlay "fc00::100/64" nodad])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
dnl IPv4 overlay (10.1.1.0/24) carried over the IPv6 underlay.
ADD_OVS_TUNNEL6([vxlan], [br0], [at_vxlan0], [fc00::1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL6([vxlan], [at_vxlan1], [at_ns0], [fc00::100], [10.1.1.1/24],
                   [id 0 dstport 4789 udp6zerocsumtx udp6zerocsumrx])

dnl Wait for the IPv6 underlay to come up before the counted pings.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::100])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with different packet sizes
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([datapath - ping over gre tunnel])
dnl OVS_CHECK_KERNEL_EXCL is presumably a kernel-version exclusion covering
dnl 3.10 through 4.15 -- confirm against the macro definition.
OVS_CHECK_KERNEL_EXCL(3, 10, 4, 15)
OVS_CHECK_GRE()

OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
dnl The namespace side is a Linux gretap device (Ethernet over GRE) with no
dnl key or options, matching the plain gre port on br0.
ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with different packet sizes
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([datapath - ping over erspan v1 tunnel])
OVS_CHECK_KERNEL_EXCL(3, 10, 4, 15)
OVS_CHECK_GRE()
OVS_CHECK_ERSPAN()

OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
dnl ERSPAN version 1 with session key 1 and index 7 on both ends; the OVS
dnl options and the iproute2 arguments spell the same parameters differently.
ADD_OVS_TUNNEL([erspan], [br0], [at_erspan0], [172.31.1.1], [10.1.1.100/24], [options:key=1 options:erspan_ver=1 options:erspan_idx=7])
ADD_NATIVE_TUNNEL([erspan], [ns_erspan0], [at_ns0], [172.31.1.100], [10.1.1.1/24], [seq key 1 erspan_ver 1 erspan 7])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with different packet sizes
dnl NOTE(review): despite the line above only the 1200-byte size is exercised;
dnl the default-size ping is left disabled below with no reason recorded, and
dnl this ping omits -q and -w, relying on FORMAT_PING to normalise the output.
dnl NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
NS_CHECK_EXEC([at_ns0], [ping -s 1200 -i 0.3 -c 3 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([datapath - ping over erspan v2 tunnel])
OVS_CHECK_KERNEL_EXCL(3, 10, 4, 15)
OVS_CHECK_GRE()
OVS_CHECK_ERSPAN()

OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
dnl ERSPAN version 2, key 1, hardware id 7. OVS expresses direction as
dnl erspan_dir=1 where iproute2 says erspan_dir egress.
ADD_OVS_TUNNEL([erspan], [br0], [at_erspan0], [172.31.1.1], [10.1.1.100/24], [options:key=1 options:erspan_ver=2 options:erspan_dir=1 options:erspan_hwid=0x7])
ADD_NATIVE_TUNNEL([erspan], [ns_erspan0], [at_ns0], [172.31.1.100], [10.1.1.1/24], [seq key 1 erspan_ver 2 erspan_dir egress erspan_hwid 7])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with different packet sizes
dnl NOTE(review): as in the v1 test, only the 1200-byte size is exercised and
dnl the default-size ping stays disabled below with no reason recorded.
dnl NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
NS_CHECK_EXEC([at_ns0], [ping -s 1200 -i 0.3 -c 3 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([datapath - ping over ip6erspan v1 tunnel])
OVS_CHECK_KERNEL_EXCL(3, 10, 4, 15)
OVS_CHECK_GRE()
OVS_CHECK_ERSPAN()

OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
dnl IPv6 underlay on fc00:100::/96; nodad makes the addresses usable at once.
ADD_VETH(p0, at_ns0, br-underlay, "fc00:100::1/96", [], [], nodad)
AT_CHECK([ip addr add dev br-underlay "fc00:100::100/96" nodad])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
dnl ERSPAN v1 over IPv6, key 123, index 7; the namespace device also pins its
dnl local address explicitly.
ADD_OVS_TUNNEL6([ip6erspan], [br0], [at_erspan0], [fc00:100::1], [10.1.1.100/24],
                [options:key=123 options:erspan_ver=1 options:erspan_idx=0x7])
ADD_NATIVE_TUNNEL6([ip6erspan], [ns_erspan0], [at_ns0], [fc00:100::100],
                   [10.1.1.1/24], [local fc00:100::1 seq key 123 erspan_ver 1 erspan 7])

dnl Wait for the IPv6 underlay to come up.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 2 fc00:100::100])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:100::100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with different packet sizes
dnl NOTE(review): only the default size is exercised here.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([datapath - ping over ip6erspan v2 tunnel])
OVS_CHECK_KERNEL_EXCL(3, 10, 4, 15)
OVS_CHECK_GRE()
OVS_CHECK_ERSPAN()

OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "fc00:100::1/96", [], [], nodad)
AT_CHECK([ip addr add dev br-underlay "fc00:100::100/96" nodad])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
dnl ERSPAN v2 over IPv6, key 121, hardware id 7. Direction is erspan_dir=0 on
dnl the OVS side and erspan_dir ingress on the iproute2 side.
ADD_OVS_TUNNEL6([ip6erspan], [br0], [at_erspan0], [fc00:100::1], [10.1.1.100/24],
                [options:key=121 options:erspan_ver=2 options:erspan_dir=0 options:erspan_hwid=0x7])
ADD_NATIVE_TUNNEL6([ip6erspan], [ns_erspan0], [at_ns0], [fc00:100::100],
                   [10.1.1.1/24],
                   [local fc00:100::1 seq key 121 erspan_ver 2 erspan_dir ingress erspan_hwid 0x7])

dnl Wait for the IPv6 underlay to come up.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 2 fc00:100::100])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:100::100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with different packet sizes
dnl NOTE(review): only the default size is exercised here.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([datapath - ping over geneve tunnel])
OVS_CHECK_GENEVE()

OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
dnl Geneve port at_gnv0 on br0 and a Linux geneve device ns_gnv0 in the
dnl namespace, both on VNI 0 with no options.
ADD_OVS_TUNNEL([geneve], [br0], [at_gnv0], [172.31.1.1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL([geneve], [ns_gnv0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
                  [vni 0])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with different packet sizes
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([datapath - flow resume with geneve tun_metadata])
OVS_CHECK_GENEVE()

OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])

dnl A detached ovs-ofctl monitor with the resume option answers every
dnl controller(pause) the flows below raise by continuing the packet.
AT_CHECK([ovs-ofctl monitor br0 resume --detach --no-chdir --pidfile 2> /dev/null])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([geneve], [br0], [at_gnv0], [172.31.1.1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL([geneve], [ns_gnv0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
                  [vni 0])

dnl Set up flows
dnl table 0: ARP is switched normally; ICMP from LOCAL goes out the tunnel;
dnl          ICMP arriving from the tunnel gets tun_metadata0 set to 0xa and
dnl          goes on to table 1.
dnl table 1: controller(pause) suspends the packet; once resumed by the
dnl          monitor above it continues to table 2.
dnl table 2: only packets whose tun_metadata0 still reads 0xa reach LOCAL,
dnl          so the ping below passes only if the metadata survives the
dnl          pause/resume round trip.
AT_DATA([flows.txt], [dnl
table=0, arp action=NORMAL
table=0, in_port=LOCAL icmp action=output:at_gnv0
table=0, in_port=at_gnv0 icmp action=set_field:0xa->tun_metadata0,resubmit(,1)
table=1, icmp action=controller(pause), resubmit(,2)
table=2, tun_metadata0=0xa, icmp action=output:LOCAL
])
dnl Map Geneve option class 0xffff, type 0, length 4 onto tun_metadata0.
AT_CHECK([ovs-ofctl add-tlv-map br0 "{class=0xffff,type=0,len=4}->tun_metadata0"])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

NS_CHECK_EXEC([at_ns0], [ping -q -c 3 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Stop the detached monitor before the switch goes down.
OVS_APP_EXIT_AND_WAIT([ovs-ofctl])
OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([datapath - ping over geneve6 tunnel])
dnl Gated on kernel support for zero UDP checksums over IPv6, which the native
dnl tunnel device below is configured to both send and accept.
OVS_CHECK_GENEVE_UDP6ZEROCSUM()

OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
dnl IPv6 underlay; nodad makes the addresses usable at once.
ADD_VETH(p0, at_ns0, br-underlay, "fc00::1/64", [], [], "nodad")
AT_CHECK([ip addr add dev br-underlay "fc00::100/64" nodad])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
dnl IPv4 overlay (10.1.1.0/24) carried over the IPv6 underlay, VNI 0.
ADD_OVS_TUNNEL6([geneve], [br0], [at_gnv0], [fc00::1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL6([geneve], [ns_gnv0], [at_ns0], [fc00::100], [10.1.1.1/24],
                   [vni 0 udp6zerocsumtx udp6zerocsumrx])

dnl Wait for the IPv6 underlay to come up.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::100])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with different packet sizes
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

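AT_SETUP([datapath - ping over gre tunnel by simulated packets])
OVS_CHECK_KERNEL(3, 10, 4, 18)

dnl Fixed MAC addresses on both bridges so the hand-built frames below can
dnl address them: br0 is f2:ff:00:00:00:01, br-underlay f2:ff:00:00:00:02.
OVS_TRAFFIC_VSWITCHD_START()
AT_CHECK([ovs-vsctl -- set bridge br0 other-config:hwaddr=\"f2:ff:00:00:00:01\"])
ADD_BR([br-underlay], [set bridge br-underlay other-config:hwaddr=\"f2:ff:00:00:00:02\"])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
dnl The namespace side gets a fixed MAC (f2:ff:00:00:00:03) for the same reason.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24", f2:ff:00:00:00:03)
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace.
ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])

dnl Certain Linux distributions, like CentOS, have default iptable rules
dnl to reject input traffic from br-underlay. Here we add a rule to walk
dnl around it.
dnl The rule goes into the host INPUT chain, not into a namespace, so it is
dnl removed on exit by its own specification rather than by position: if the
dnl insert failed, or something else inserted a rule at position 1 meanwhile,
dnl deleting "INPUT 1" would remove an unrelated host rule. The insert itself
dnl is deliberately unchecked so hosts without such rules still run the test.
iptables -I INPUT 1 -i br-underlay -j ACCEPT
on_exit 'iptables -D INPUT -i br-underlay -j ACCEPT'

dnl Record everything the namespace side receives for 172.31.1.1; the sleep
dnl gives tcpdump time to attach before traffic starts. The capture is
dnl presumably torn down with the namespace -- confirm in the STOP macro.
ip netns exec at_ns0 tcpdump -n -i p0 dst host 172.31.1.1 -l > p0.pcap &
sleep 1

dnl First, check the underlay.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl We don't actually add gretap port as below, instead, we will
dnl emulate one that sends packets. Suppose its mac address is f2:ff:00:00:00:04.
dnl ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24])

dnl Now, check the overlay by sending out raw arp and icmp packets.
dnl Outer frame: f2:ff:00:00:00:03 -> f2:ff:00:00:00:02, IPv4 172.31.1.1 ->
dnl 172.31.1.100, protocol 47 (GRE) with ethertype 0x6558 (gretap). Inner
dnl frame: broadcast ARP request from 10.1.1.1 (f2:ff:00:00:00:04) asking for
dnl 10.1.1.100. The expected reply names the br0 MAC set above.
ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff00000003080045000042ec2c4000402ff3bcac1f0101ac1f016400006558fffffffffffff2ff0000000408060001080006040001f2ff000000040a0101010000000000000a010164 actions=NORMAL"

OVS_WAIT_UNTIL([grep -E "IP 172.31.1.100 > 172.31.1.1: GREv0, length 46: ARP, Reply 10.1.1.100 is-at f2:ff:00:00:00:01.* length 28" p0.pcap 2>&1 1>/dev/null])

dnl Same encapsulation, inner frame is an ICMP echo request from 10.1.1.1 to
dnl 10.1.1.100 with a 64-byte payload.
ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff0000000308004500007aec8e4000402ff322ac1f0101ac1f016400006558f2ff00000001f2ff00000004080045000054548f40004001cfb30a0101010a0101640800e6e829270003e1a3435b00000000ff1a050000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637 actions=NORMAL"

OVS_WAIT_UNTIL([grep -E "IP 172.31.1.100 > 172.31.1.1: GREv0, length 102: IP 10.1.1.100 > 10.1.1.1: ICMP echo reply,.* length 64$" p0.pcap 2>&1 1>/dev/null])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
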
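AT_SETUP([datapath - ping over erspan v1 tunnel by simulated packets])
OVS_CHECK_KERNEL(3, 10, 4, 18)

dnl Fixed MAC addresses on both bridges so the hand-built frames below can
dnl address them: br0 is f2:ff:00:00:00:01, br-underlay f2:ff:00:00:00:02.
OVS_TRAFFIC_VSWITCHD_START()
AT_CHECK([ovs-vsctl -- set bridge br0 other-config:hwaddr=\"f2:ff:00:00:00:01\"])
ADD_BR([br-underlay], [set bridge br-underlay other-config:hwaddr=\"f2:ff:00:00:00:02\"])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24", f2:ff:00:00:00:03)
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and emulate a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([erspan], [br0], [at_erspan0], [172.31.1.1], [10.1.1.100/24], [options:key=1 options:erspan_ver=1 options:erspan_idx=7])

dnl Certain Linux distributions, like CentOS, have default iptable rules
dnl to reject input traffic from br-underlay. Here we add a rule to walk
dnl around it.
dnl The rule goes into the host INPUT chain, not into a namespace, so it is
dnl removed on exit by its own specification rather than by position: if the
dnl insert failed, or something else inserted a rule at position 1 meanwhile,
dnl deleting "INPUT 1" would remove an unrelated host rule. The insert itself
dnl is deliberately unchecked so hosts without such rules still run the test.
iptables -I INPUT 1 -i br-underlay -j ACCEPT
on_exit 'iptables -D INPUT -i br-underlay -j ACCEPT'

dnl Capture with hex dump (-x) so the ERSPAN payload can be matched byte-wise
dnl even where tcpdump cannot decode the header. The capture is presumably
dnl torn down with the namespace -- confirm in the STOP macro.
ip netns exec at_ns0 tcpdump -n -x -i p0 dst host 172.31.1.1 -l > p0.pcap &
sleep 1

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now send out an arp request from 10.1.1.1 for 10.1.1.100 in erspan.
ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff0000000308004500004e151d4000402fcac0ac1f0101ac1f0164100088be000000061000000100000007fffffffffffff2ff0000000408060001080006040001f2ff000000040a0101010000000000000a010164 actions=normal"

dnl 0002 is arp reply, followed by mac address of 10.1.1.100.
OVS_WAIT_UNTIL([grep -E "0x0030: 0806 0001 0800 0604 0002 f2ff 0000 0001" p0.pcap 2>&1 1>/dev/null])
OVS_WAIT_UNTIL([grep -E "0x0040: 0a01 0164 f2ff 0000 0004 0a01 0101" p0.pcap 2>&1 1>/dev/null])

dnl Okay, now check the overlay with raw icmp packets.
dnl No 122-byte GRE frame may exist yet; its later appearance is what proves
dnl the echo reply was emitted in response to the packet-out below.
AT_FAIL_IF([grep -E "IP 172.31.1.100 > 172.31.1.1: GREv0,.* length 122" p0.pcap 2>&1 1>/dev/null])

ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff0000000308004500008e70cb4000402f6ed2ac1f0101ac1f0164100088be000000051000000100000007f2ff00000001f2ff0000000408004500005c4a3340004001da070a0101010a010164080084f238fb0001f36a6b5b0000000021870e0000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f actions=normal"

OVS_WAIT_UNTIL([grep -E "IP 172.31.1.100 > 172.31.1.1: GREv0,.* length 122" p0.pcap 2>&1 1>/dev/null])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
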
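AT_SETUP([datapath - ping over erspan v2 tunnel by simulated packets])
OVS_CHECK_KERNEL(3, 10, 4, 18)

dnl Fixed MAC addresses on both bridges so the hand-built frames below can
dnl address them: br0 is f2:ff:00:00:00:01, br-underlay f2:ff:00:00:00:02.
OVS_TRAFFIC_VSWITCHD_START()
AT_CHECK([ovs-vsctl -- set bridge br0 other-config:hwaddr=\"f2:ff:00:00:00:01\"])
ADD_BR([br-underlay], [set bridge br-underlay other-config:hwaddr=\"f2:ff:00:00:00:02\"])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24", f2:ff:00:00:00:03)
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and simulate a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([erspan], [br0], [at_erspan0], [172.31.1.1], [10.1.1.100/24], [options:key=1 options:erspan_ver=2 options:erspan_dir=1 options:erspan_hwid=0x7])

dnl Certain Linux distributions, like CentOS, have default iptable rules
dnl to reject input traffic from br-underlay. Here we add a rule to walk
dnl around it.
dnl The rule goes into the host INPUT chain, not into a namespace, so it is
dnl removed on exit by its own specification rather than by position: if the
dnl insert failed, or something else inserted a rule at position 1 meanwhile,
dnl deleting "INPUT 1" would remove an unrelated host rule. The insert itself
dnl is deliberately unchecked so hosts without such rules still run the test.
iptables -I INPUT 1 -i br-underlay -j ACCEPT
on_exit 'iptables -D INPUT -i br-underlay -j ACCEPT'

dnl Capture with hex dump (-x) so the ERSPAN payload can be matched byte-wise.
dnl The capture is presumably torn down with the namespace -- confirm in the
dnl STOP macro.
ip netns exec at_ns0 tcpdump -n -x -i p0 dst host 172.31.1.1 -l > p0.pcap &
sleep 1

dnl First, check the underlay.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, send raw arp request and icmp echo request.
ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff00000003080045000052373d4000402fa89cac1f0101ac1f0164100088be00000006200000016f54b41700008078fffffffffffff2ff0000000408060001080006040001f2ff000000040a0101010000000000000a010164 actions=normal"

dnl The v2 header is longer than the v1 one, so the ARP reply fields sit at
dnl different offsets than in the v1 test.
OVS_WAIT_UNTIL([grep -E "0x0030: 0000 0001 0806 0001 0800 0604 0002 f2ff" p0.pcap 2>&1 1>/dev/null])
OVS_WAIT_UNTIL([grep -E "0x0040: 0000 0001 0a01 0164 f2ff 0000 0004 0a01" p0.pcap 2>&1 1>/dev/null])
OVS_WAIT_UNTIL([grep -E "0x0050: 0101" p0.pcap 2>&1 1>/dev/null])

dnl Because tcpdump might not be able to parse erspan headers, we check icmp echo reply
dnl by packet length.
AT_FAIL_IF([grep -E "IP 172.31.1.100 > 172.31.1.1: GREv0,.* length 126" p0.pcap 2>&1 1>/dev/null])

ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff0000000308004500009287e14000402f57b8ac1f0101ac1f0164100088be0000000520000001144cd5a400008078f2ff00000001f2ff0000000408004500005c38d640004001eb640a0101010a01016408005e57585f0001df6c6b5b0000000045bc050000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f actions=normal"

OVS_WAIT_UNTIL([grep -E "IP 172.31.1.100 > 172.31.1.1: GREv0,.* length 126" p0.pcap 2>&1 1>/dev/null])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
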
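AT_SETUP([datapath - ping over ip6erspan v1 tunnel by simulated packets])
OVS_CHECK_KERNEL(3, 10, 4, 18)

dnl IPv6 variant of the simulated ERSPAN test (ERSPAN v1 over IPv6): the
dnl encapsulated ARP request and ICMP echo request are injected into
dnl br-underlay as fixed bytes and the replies OVS sends back towards
dnl fc00:100::1 are captured by tcpdump inside at_ns0.  Bridge and p0 MACs
dnl are pinned because the injected frames carry fixed addresses.
OVS_TRAFFIC_VSWITCHD_START()
AT_CHECK([ovs-vsctl -- set bridge br0 other-config:hwaddr=\"f2:ff:00:00:00:01\"])
ADD_BR([br-underlay], [set bridge br-underlay other-config:hwaddr=\"f2:ff:00:00:00:02\"])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "fc00:100::1/96", f2:ff:00:00:00:03, [], nodad)
AT_CHECK([ip addr add dev br-underlay "fc00:100::100/96" nodad])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and simulate a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL6([ip6erspan], [br0], [at_erspan0], [fc00:100::1], [10.1.1.100/24],
                [options:key=123 options:erspan_ver=1 options:erspan_idx=0x7])

dnl Wait until the IPv6 underlay is reachable before going further.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 2 fc00:100::100])

dnl Certain Linux distributions, like CentOS, have default iptable rules
dnl to reject input traffic from br-underlay. Here we add a rule to walk
dnl around it.  This touches the host firewall, so the rule is removed by
dnl its exact specification rather than by position: "ip6tables -D INPUT 1"
dnl would delete whichever rule happens to be first at cleanup time and
dnl could leave the ACCEPT for br-underlay behind permanently.
ip6tables -I INPUT 1 -i br-underlay -j ACCEPT
on_exit 'ip6tables -D INPUT -i br-underlay -j ACCEPT'

dnl Capture everything addressed to the simulated endpoint; the sleep gives
dnl tcpdump time to attach before any traffic is generated.
ip netns exec at_ns0 tcpdump -n -x -i p0 dst host fc00:100::1 -l > p0.pcap &
sleep 1

dnl First, check the underlay.
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:100::100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now send raw arp request and icmp echo request.
dnl A failing packet-out must fail the test here instead of surfacing later
dnl as an OVS_WAIT_UNTIL timeout with no diagnostic.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff0000000386dd60008531003a2f40fc000100000000000000000000000001fc000100000000000000000000000100100088be000000051000007b00000007fffffffffffff2ff0000000408060001080006040001f2ff000000040a0101010000000000000a010164 actions=normal"])

dnl Check arp reply.
OVS_WAIT_UNTIL([cat p0.pcap | egrep "0x0040: 0000 0001 0806 0001 0800 0604 0002 f2ff" 2>&1 1>/dev/null])
OVS_WAIT_UNTIL([cat p0.pcap | egrep "0x0050: 0000 0001 0a01 0164 f2ff 0000 0004 0a01" 2>&1 1>/dev/null])
OVS_WAIT_UNTIL([cat p0.pcap | egrep "0x0060: 0101" 2>&1 1>/dev/null])

dnl The echo reply is recognised by its encapsulated length; make sure no
dnl packet of that length is present before the echo request is injected.
AT_FAIL_IF([cat p0.pcap | egrep "IP6 fc00:100::100 > fc00:100::1: GREv0,.* length 114" 2>&1 1>/dev/null])

AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff0000000386dd60008531007a3c40fc000100000000000000000000000001fc0001000000000000000000000001002f00040104010100100088be000000061000407b00000007f2ff00000001f2ff0000000408004500005429b640004001fa8c0a0101010a01016408005c2c7526000118d3685b00000000e4aa020000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637 actions=normal"])

OVS_WAIT_UNTIL([cat p0.pcap | egrep "IP6 fc00:100::100 > fc00:100::1: GREv0,.* length 114" 2>&1 1>/dev/null])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP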
828
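AT_SETUP([datapath - ping over ip6erspan v2 tunnel by simulated packets])
OVS_CHECK_KERNEL(3, 10, 4, 18)

dnl IPv6 variant of the simulated ERSPAN test (ERSPAN v2 over IPv6): the
dnl encapsulated ARP request and ICMP echo request are injected into
dnl br-underlay as fixed bytes and the replies OVS sends back towards
dnl fc00:100::1 are captured by tcpdump inside at_ns0.  Bridge and p0 MACs
dnl are pinned because the injected frames carry fixed addresses.
OVS_TRAFFIC_VSWITCHD_START()
AT_CHECK([ovs-vsctl -- set bridge br0 other-config:hwaddr=\"f2:ff:00:00:00:01\"])
ADD_BR([br-underlay], [set bridge br-underlay other-config:hwaddr=\"f2:ff:00:00:00:02\"])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "fc00:100::1/96", f2:ff:00:00:00:03, [], nodad)
AT_CHECK([ip addr add dev br-underlay "fc00:100::100/96" nodad])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and simulate a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL6([ip6erspan], [br0], [at_erspan0], [fc00:100::1], [10.1.1.100/24],
                [options:key=121 options:erspan_ver=2 options:erspan_dir=0 options:erspan_hwid=0x7])

dnl Wait until the IPv6 underlay is reachable before going further.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 2 fc00:100::100])

dnl Certain Linux distributions, like CentOS, have default iptable rules
dnl to reject input traffic from br-underlay. Here we add a rule to walk
dnl around it.  This touches the host firewall, so the rule is removed by
dnl its exact specification rather than by position: "ip6tables -D INPUT 1"
dnl would delete whichever rule happens to be first at cleanup time and
dnl could leave the ACCEPT for br-underlay behind permanently.
ip6tables -I INPUT 1 -i br-underlay -j ACCEPT
on_exit 'ip6tables -D INPUT -i br-underlay -j ACCEPT'

dnl Capture everything addressed to the simulated endpoint; the sleep gives
dnl tcpdump time to attach before any traffic is generated.
ip netns exec at_ns0 tcpdump -n -x -i p0 dst host fc00:100::1 -l > p0.pcap &
sleep 1

dnl First, check the underlay.
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:100::100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now send raw arp request and icmp echo request.
dnl A failing packet-out must fail the test here instead of surfacing later
dnl as an OVS_WAIT_UNTIL timeout with no diagnostic.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff0000000386dd60008531003e2f40fc000100000000000000000000000001fc000100000000000000000000000100100088be0000000620000079af514f9900008070fffffffffffff2ff0000000408060001080006040001f2ff000000040a0101010000000000000a010164 actions=normal"])

dnl Check arp reply (the ERSPAN v2 header shifts the payload by 4 bytes
dnl compared with the v1 test, hence the different dump offsets).
OVS_WAIT_UNTIL([cat p0.pcap | egrep "0x0040: 0004 f2ff 0000 0001 0806 0001 0800 0604" 2>&1 1>/dev/null])
OVS_WAIT_UNTIL([cat p0.pcap | egrep "0x0050: 0002 f2ff 0000 0001 0a01 0164 f2ff 0000" 2>&1 1>/dev/null])
OVS_WAIT_UNTIL([cat p0.pcap | egrep "0x0060: 0004 0a01 0101" 2>&1 1>/dev/null])

dnl The echo reply is recognised by its encapsulated length; make sure no
dnl packet of that length is present before the echo request is injected.
AT_FAIL_IF([cat p0.pcap | egrep "IP6 fc00:100::100 > fc00:100::1: GREv0, .* length 118" 2>&1 1>/dev/null])

AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff0000000386dd60008531007e3c40fc000100000000000000000000000001fc0001000000000000000000000001002f00040104010100100088be0000000720004079af514f9b00008070f2ff00000001f2ff00000004080045000054ffcb4000400124770a0101010a0101640800419e23ac000112d7685b000000004caf0c0000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637 actions=normal"])

OVS_WAIT_UNTIL([cat p0.pcap | egrep "IP6 fc00:100::100 > fc00:100::1: GREv0, .* length 118" 2>&1 1>/dev/null])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP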
882
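AT_SETUP([datapath - clone action])
dnl clone() must act on a copy: the header rewrites inside clone() are only
dnl visible to the controller copy, while the packet that continues to
dnl "output:N" is untouched, so the ping between the namespaces succeeds
dnl even though clone() rewrites ip_dst to an address nobody owns.
OVS_TRAFFIC_VSWITCHD_START()

dnl Only two namespaces are needed; the third one created previously was
dnl never referenced.
ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

AT_CHECK([ovs-vsctl -- set interface ovs-p0 ofport_request=1 \
          -- set interface ovs-p1 ofport_request=2])

dnl Only the in_port=2 flow sends its clone to the controller, so the
dnl monitor log below contains the echo replies (icmp_type=0) only, with the
dnl rewritten dl_src/dl_dst/nw_dst.
AT_DATA([flows.txt], [dnl
priority=1 actions=NORMAL
priority=10 in_port=1,ip,actions=clone(mod_dl_dst(50:54:00:00:00:0a),set_field:192.168.3.3->ip_dst), output:2
priority=10 in_port=2,ip,actions=clone(mod_dl_src(ae:c6:7e:54:8d:4d),mod_dl_dst(50:54:00:00:00:0b),set_field:192.168.4.4->ip_dst, controller), output:1
])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl Keep the monitor log with the test artefacts on failure, as the
dnl conntrack tests do.
AT_CAPTURE_FILE([ofctl_monitor.log])
AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_APP_EXIT_AND_WAIT([ovs-ofctl])

AT_CHECK([cat ofctl_monitor.log | STRIP_MONITOR_CSUM], [0], [dnl
icmp,vlan_tci=0x0000,dl_src=ae:c6:7e:54:8d:4d,dl_dst=50:54:00:00:00:0b,nw_src=10.1.1.2,nw_dst=192.168.4.4,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=0,icmp_code=0 icmp_csum: <skip>
icmp,vlan_tci=0x0000,dl_src=ae:c6:7e:54:8d:4d,dl_dst=50:54:00:00:00:0b,nw_src=10.1.1.2,nw_dst=192.168.4.4,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=0,icmp_code=0 icmp_csum: <skip>
icmp,vlan_tci=0x0000,dl_src=ae:c6:7e:54:8d:4d,dl_dst=50:54:00:00:00:0b,nw_src=10.1.1.2,nw_dst=192.168.4.4,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=0,icmp_code=0 icmp_csum: <skip>
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP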
916
AT_SETUP([datapath - mpls actions])
dnl Two bridges joined by a veth pair (patch0 on br0, patch1 on br1).  Both
dnl bridges load the same flow table: IPv4 traffic gets MPLS label 3 pushed
dnl before it crosses the veth, and the peer bridge pops the label again,
dnl so a ping in either direction traverses push_mpls and pop_mpls once.
OVS_TRAFFIC_VSWITCHD_START([_ADD_BR([br1])])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")

dnl Deleting one end of the veth pair removes both ends.
AT_CHECK([ip link add patch0 type veth peer name patch1])
on_exit 'ip link del patch0'

AT_CHECK([ip link set dev patch0 up])
AT_CHECK([ip link set dev patch1 up])
AT_CHECK([ovs-vsctl add-port br0 patch0])
AT_CHECK([ovs-vsctl add-port br1 patch1])

dnl table 0: plain IPv4 -> push label 3; label 3 -> pop back to IPv4;
dnl anything else (e.g. ARP) passes through unchanged.  table 1 forwards
dnl with NORMAL.
AT_DATA([flows.txt], [dnl
table=0,priority=100,dl_type=0x0800 actions=push_mpls:0x8847,set_mpls_label:3,resubmit(,1)
table=0,priority=100,dl_type=0x8847,mpls_label=3 actions=pop_mpls:0x0800,resubmit(,1)
table=0,priority=10 actions=resubmit(,1)
table=1,priority=10 actions=normal
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
AT_CHECK([ovs-ofctl add-flows br1 flows.txt])

NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

NS_CHECK_EXEC([at_ns1], [ping -q -c 3 -i 0.3 -w 2 10.1.1.1 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
AT_SETUP([datapath - basic truncate action])
AT_SKIP_IF([test $HAVE_NC = no])
dnl Verify output(port=N,max_len=L): a 242-byte UDP datagram sent from p0 is
dnl copied to two veth loopbacks, one through a truncating output and one
dnl through a plain output.  The far ends of the loopbacks are also OVS
dnl ports whose drop flows only exist to count the bytes that arrive.
OVS_TRAFFIC_VSWITCHD_START()
AT_CHECK([ovs-ofctl del-flows br0])

dnl Create p0 and ovs-p0(1)
ADD_NAMESPACES(at_ns0)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
dnl Static ARP entry: nothing owns 10.1.1.2, so resolution would otherwise fail.
NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])

dnl Create p1(3) and ovs-p1(2), packets received from ovs-p1 will appear in p1
AT_CHECK([ip link add p1 type veth peer name ovs-p1])
on_exit 'ip link del ovs-p1'
AT_CHECK([ip link set dev ovs-p1 up])
AT_CHECK([ip link set dev p1 up])
AT_CHECK([ovs-vsctl add-port br0 ovs-p1 -- set interface ovs-p1 ofport_request=2])
dnl Use p1 to check the truncated packet
AT_CHECK([ovs-vsctl add-port br0 p1 -- set interface p1 ofport_request=3])

dnl Create p2(5) and ovs-p2(4)
AT_CHECK([ip link add p2 type veth peer name ovs-p2])
on_exit 'ip link del ovs-p2'
AT_CHECK([ip link set dev ovs-p2 up])
AT_CHECK([ip link set dev p2 up])
AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=4])
dnl Use p2 to check the truncated packet
AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=5])

dnl basic test
dnl in_port=3/5 flows only exist so that their n_bytes counters reveal the
dnl size of what came back through the loopbacks.
AT_CHECK([ovs-ofctl del-flows br0])
AT_DATA([flows.txt], [dnl
in_port=3 dl_dst=e6:66:c1:22:22:22 actions=drop
in_port=5 dl_dst=e6:66:c1:22:22:22 actions=drop
in_port=1 dl_dst=e6:66:c1:22:22:22 actions=output(port=2,max_len=100),output:4
])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl use this file as payload file for ncat
AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
on_exit 'rm -f payload200.bin'
NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])

dnl packet with truncated size
dnl revalidator/purge pushes datapath flow stats into the OpenFlow counters.
AT_CHECK([ovs-appctl revalidator/purge], [0])
AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=100
])
dnl packet with original size (ETH(14) + IP(20) + UDP(8) + 200 = 242)
AT_CHECK([ovs-appctl revalidator/purge], [0])
AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=242
])

dnl more complicated output actions
dnl A truncation applies only to the output it is attached to; a later
dnl plain output of the same packet must still see the full size.
AT_CHECK([ovs-ofctl del-flows br0])
AT_DATA([flows.txt], [dnl
in_port=3 dl_dst=e6:66:c1:22:22:22 actions=drop
in_port=5 dl_dst=e6:66:c1:22:22:22 actions=drop
in_port=1 dl_dst=e6:66:c1:22:22:22 actions=output(port=2,max_len=100),output:4,output(port=2,max_len=100),output(port=4,max_len=100),output:2,output(port=4,max_len=200),output(port=2,max_len=65535)
])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])

dnl 100 + 100 + 242 + min(65535,242) = 684
AT_CHECK([ovs-appctl revalidator/purge], [0])
AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=684
])
dnl 242 + 100 + min(242,200) = 542
AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=542
])

dnl SLOW_ACTION: disable kernel datapath truncate support
dnl Repeat the test above, but exercise the SLOW_ACTION code path
AT_CHECK([ovs-appctl dpif/set-dp-features br0 trunc false], [0])

dnl SLOW_ACTION test1: check datapath actions
AT_CHECK([ovs-ofctl del-flows br0])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl The trace must still translate to trunc() datapath actions, and must
dnl report that the flow goes to the userspace slow path.
AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=1,dl_type=0x800,dl_src=e6:66:c1:11:11:11,dl_dst=e6:66:c1:22:22:22,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,tp_src=8,tp_dst=9"], [0], [stdout])
AT_CHECK([tail -3 stdout], [0],
[Datapath actions: trunc(100),3,5,trunc(100),3,trunc(100),5,3,trunc(200),5,trunc(65535),3
This flow is handled by the userspace slow path because it:
	- Uses action(s) not supported by datapath.
])

dnl SLOW_ACTION test2: check actual packet truncate
AT_CHECK([ovs-ofctl del-flows br0])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])

dnl 100 + 100 + 242 + min(65535,242) = 684
AT_CHECK([ovs-appctl revalidator/purge], [0])
AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=684
])

dnl 242 + 100 + min(242,200) = 542
AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=542
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1061
dnl Create 2 bridges and 2 namespaces to test truncate over
dnl GRE tunnel:
dnl br0: overlay bridge
dnl ns1: connect to br0, with IP:10.1.1.2
dnl br-underlay: with IP: 172.31.1.100
dnl ns0: connect to br-underlay with IP 172.31.1.1; the GRE endpoint that
dnl      would own 10.1.1.1 inside ns0 is not created but simulated with
dnl      hand-crafted packets (see below).
AT_SETUP([datapath - truncate and output to gre tunnel by simulated packets])
OVS_CHECK_KERNEL(3, 10, 4, 18)
AT_SKIP_IF([test $HAVE_NC = no])
OVS_TRAFFIC_VSWITCHD_START()

dnl The simulated GRE frame below carries fixed MACs, so pin the underlay
dnl bridge's and p0's addresses to match it.
ADD_BR([br-underlay], [set bridge br-underlay other-config:hwaddr=\"02:90:8c:a8:a1:49\"])
ADD_NAMESPACES(at_ns0)
ADD_NAMESPACES(at_ns1)
AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24", fa:ad:fa:25:05:60)
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])

dnl The below native tunnel isn't actually added. We simulate it to send
dnl and receive packets.
dnl ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
dnl                   [], [address e6:66:c1:11:11:11])
dnl AT_CHECK([ovs-vsctl -- set interface at_gre0 ofport_request=1])
dnl NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])

dnl Set up (p1 and ovs-p1) at br0
ADD_VETH(p1, at_ns1, br0, '10.1.1.2/24')
AT_CHECK([ovs-vsctl -- set interface ovs-p1 ofport_request=2])
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
dnl Static ARP entry for the (simulated) peer at 10.1.1.1.
NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])

dnl Set up (p2 and ovs-p2) as loopback for verifying packet size
AT_CHECK([ip link add p2 type veth peer name ovs-p2])
on_exit 'ip link del ovs-p2'
AT_CHECK([ip link set dev ovs-p2 up])
AT_CHECK([ip link set dev p2 up])
AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=3])
AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=4])

dnl use this file as payload file for ncat
AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
on_exit 'rm -f payload200.bin'

dnl Overlay: tunnel (1) <-> p1 (2) with 100-byte truncation in both
dnl directions; a truncated copy also goes to the loopback (3) whose far
dnl end (4) counts it with a drop flow.
AT_CHECK([ovs-ofctl del-flows br0])
AT_DATA([flows.txt], [dnl
priority=99,in_port=1,actions=output(port=2,max_len=100),output(port=3,max_len=100)
priority=99,in_port=2,udp,actions=output(port=1,max_len=100)
priority=1,in_port=4,ip,actions=drop
priority=1,actions=drop
])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl Underlay: only GRE (IP proto 47) is forwarded, between p0 (1) and LOCAL.
AT_CHECK([ovs-ofctl del-flows br-underlay])
AT_DATA([flows-underlay.txt], [dnl
priority=99,dl_type=0x0800,nw_proto=47,in_port=1,actions=LOCAL
priority=99,dl_type=0x0800,nw_proto=47,in_port=LOCAL,ip_dst=172.31.1.1/24,actions=1
priority=1,actions=drop
])

AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])

dnl check tunnel push path, from at_ns1 to at_ns0
NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
AT_CHECK([ovs-appctl revalidator/purge], [0])

dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=242
])
dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=138
])

dnl check tunnel pop path, from at_ns0 to at_ns1
dnl This 200-byte packet is simulated on behalf of ns_gre0
dnl NOTE(review): this packet-out is not wrapped in AT_CHECK, so a rejected
dnl packet only shows up as the n_bytes mismatch below.
ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=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 actions=LOCAL"

dnl After truncation = 100 byte at loopback device p2(4)
AT_CHECK([ovs-appctl revalidator/purge], [0])
AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | ofctl_strip], [0], [dnl
 n_packets=1, n_bytes=100, priority=1,ip,in_port=4 actions=drop
])

dnl SLOW_ACTION: disable datapath truncate support
dnl Repeat the test above, but exercise the SLOW_ACTION code path
AT_CHECK([ovs-appctl dpif/set-dp-features br0 trunc false], [0])

dnl SLOW_ACTION test1: check datapath actions
AT_CHECK([ovs-ofctl del-flows br0])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl SLOW_ACTION test2: check actual packet truncate
dnl Re-installing the flows resets their counters for the second round.
AT_CHECK([ovs-ofctl del-flows br0])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
AT_CHECK([ovs-ofctl del-flows br-underlay])
AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])

dnl check tunnel push path, from at_ns1 to at_ns0
NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
AT_CHECK([ovs-appctl revalidator/purge], [0])

dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=242
])
dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=138
])

dnl check tunnel pop path, from at_ns0 to at_ns1
dnl This 200-byte packet is simulated on behalf of ns_gre0
ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=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 actions=LOCAL"

dnl After truncation = 100 byte at loopback device p2(4)
AT_CHECK([ovs-appctl revalidator/purge], [0])
AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | ofctl_strip], [0], [dnl
 n_packets=1, n_bytes=100, priority=1,ip,in_port=4 actions=drop
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1193
dnl Create 2 bridges and 2 namespaces to test truncate over
dnl GRE tunnel:
dnl br0: overlay bridge
dnl ns1: connect to br0, with IP:10.1.1.2
dnl br-underlay: with IP: 172.31.1.100
dnl ns0: connect to br-underlay with IP 172.31.1.1, and owns the native
dnl      gretap endpoint ns_gre0 with IP 10.1.1.1
AT_SETUP([datapath - truncate and output to gre tunnel])
AT_SKIP_IF([test $HAVE_NC = no])
OVS_CHECK_KERNEL_EXCL(3, 10, 4, 15)
OVS_CHECK_GRE()
OVS_TRAFFIC_VSWITCHD_START()

ADD_BR([br-underlay])
ADD_NAMESPACES(at_ns0)
ADD_NAMESPACES(at_ns1)
AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
                  [], [address e6:66:c1:11:11:11])
AT_CHECK([ovs-vsctl -- set interface at_gre0 ofport_request=1])
dnl Static ARP entries on both sides: the overlay flows below forward UDP
dnl only, so ARP would never get through.
NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])

dnl Set up (p1 and ovs-p1) at br0
ADD_VETH(p1, at_ns1, br0, '10.1.1.2/24')
AT_CHECK([ovs-vsctl -- set interface ovs-p1 ofport_request=2])
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])

dnl Set up (p2 and ovs-p2) as loopback for verifying packet size
AT_CHECK([ip link add p2 type veth peer name ovs-p2])
on_exit 'ip link del ovs-p2'
AT_CHECK([ip link set dev ovs-p2 up])
AT_CHECK([ip link set dev p2 up])
AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=3])
AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=4])

dnl use this file as payload file for ncat
AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
on_exit 'rm -f payload200.bin'

dnl Overlay: tunnel (1) <-> p1 (2) with 100-byte truncation in both
dnl directions; a truncated copy also goes to the loopback (3) whose far
dnl end (4) counts it with a drop flow.
AT_CHECK([ovs-ofctl del-flows br0])
AT_DATA([flows.txt], [dnl
priority=99,in_port=1,actions=output(port=2,max_len=100),output(port=3,max_len=100)
priority=99,in_port=2,udp,actions=output(port=1,max_len=100)
priority=1,in_port=4,ip,actions=drop
priority=1,actions=drop
])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl Underlay: only GRE (IP proto 47) is forwarded, between p0 (1) and LOCAL.
AT_CHECK([ovs-ofctl del-flows br-underlay])
AT_DATA([flows-underlay.txt], [dnl
priority=99,dl_type=0x0800,nw_proto=47,in_port=1,actions=LOCAL
priority=99,dl_type=0x0800,nw_proto=47,in_port=LOCAL,ip_dst=172.31.1.1/24,actions=1
priority=1,actions=drop
])

AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])

dnl check tunnel push path, from at_ns1 to at_ns0
NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
AT_CHECK([ovs-appctl revalidator/purge], [0])

dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=242
])
dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=138
])

dnl check tunnel pop path, from at_ns0 to at_ns1
NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 5678 < payload200.bin])
dnl After truncation = 100 byte at loopback device p2(4)
AT_CHECK([ovs-appctl revalidator/purge], [0])
AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | ofctl_strip], [0], [dnl
 n_packets=1, n_bytes=100, priority=1,ip,in_port=4 actions=drop
])

dnl SLOW_ACTION: disable datapath truncate support
dnl Repeat the test above, but exercise the SLOW_ACTION code path
AT_CHECK([ovs-appctl dpif/set-dp-features br0 trunc false], [0])

dnl SLOW_ACTION test1: check datapath actions
AT_CHECK([ovs-ofctl del-flows br0])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl SLOW_ACTION test2: check actual packet truncate
dnl Re-installing the flows resets their counters for the second round.
AT_CHECK([ovs-ofctl del-flows br0])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
AT_CHECK([ovs-ofctl del-flows br-underlay])
AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])

dnl check tunnel push path, from at_ns1 to at_ns0
NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
AT_CHECK([ovs-appctl revalidator/purge], [0])

dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=242
])
dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=138
])

dnl check tunnel pop path, from at_ns0 to at_ns1
NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 5678 < payload200.bin])
dnl After truncation = 100 byte at loopback device p2(4)
AT_CHECK([ovs-appctl revalidator/purge], [0])
AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | ofctl_strip], [0], [dnl
 n_packets=1, n_bytes=100, priority=1,ip,in_port=4 actions=drop
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1319
1320AT_BANNER([conntrack])
1321
AT_SETUP([conntrack - controller])
dnl Stateful filtering observed through the controller: UDP from ns0 is
dnl committed to conntrack and copied to the controller; UDP from ns1 is
dnl first recirculated through ct() and reaches the controller only when
dnl conntrack reports it as part of an established connection.  An
dnl unsolicited "reply" from ns1 therefore falls through to the priority-1
dnl drop and never shows up in the monitor log.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()
AT_CHECK([ovs-appctl vlog/set dpif:dbg dpif_netdev:dbg ofproto_dpif_upcall:dbg])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any traffic from ns0->ns1. Only allow ARP and return (established)
dnl traffic from ns1->ns0.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,udp,action=ct(commit),controller
priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk+est,udp,action=controller
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

AT_CAPTURE_FILE([ofctl_monitor.log])
AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])

dnl Send an unsolicited reply from port 2. This should be dropped.
dnl (10.1.1.2:2 -> 10.1.1.1:1 with no prior connection: ct() leaves it
dnl untracked/new, so the +est flow does not match.)
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000'])

dnl OK, now start a new connection from port 1.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit\),controller '50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000'])

dnl Now try a reply from port 2.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000'])

OVS_APP_EXIT_AND_WAIT([ovs-ofctl])

dnl Check this output. We only see the latter two packets, not the first.
dnl The second packet-in carries ct_state=est|rpl|trk, i.e. conntrack
dnl classified it as the reply direction of the committed connection.
AT_CHECK([cat ofctl_monitor.log], [0], [dnl
NXT_PACKET_IN2 (xid=0x0): total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,ct_nw_src=10.1.1.1,ct_nw_dst=10.1.1.2,ct_nw_proto=17,ct_tp_src=1,ct_tp_dst=2,ip,in_port=2 (via action) data_len=42 (unbuffered)
udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1367
1368AT_SETUP([conntrack - force commit])
1369CHECK_CONNTRACK()
1370OVS_TRAFFIC_VSWITCHD_START()
1371AT_CHECK([ovs-appctl vlog/set dpif:dbg dpif_netdev:dbg ofproto_dpif_upcall:dbg])
1372
1373ADD_NAMESPACES(at_ns0, at_ns1)
1374
1375ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1376ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1377
1378AT_DATA([flows.txt], [dnl
1379priority=1,action=drop
1380priority=10,arp,action=normal
68c94b1a 1381priority=100,in_port=1,udp,action=ct(force,commit),controller
1382priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
1383priority=100,in_port=2,ct_state=+trk+est,udp,action=ct(force,commit,table=1)
1384table=1,in_port=2,ct_state=+trk,udp,action=controller
1385])
1386
1387AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1388
1389AT_CAPTURE_FILE([ofctl_monitor.log])
1390AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
1391
1392dnl Send an unsolicited reply from port 2. This should be dropped.
1393AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000 actions=resubmit(,0)"])
1394
1395dnl OK, now start a new connection from port 1.
1396AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 actions=resubmit(,0)"])
1397
1398dnl Now try a reply from port 2.
1399AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000 actions=resubmit(,0)"])
1400
1401AT_CHECK([ovs-appctl revalidator/purge], [0])
1402
1403OVS_APP_EXIT_AND_WAIT([ovs-ofctl])
1404
1405dnl Check this output. We only see the latter two packets, not the first.
1406AT_CHECK([cat ofctl_monitor.log], [0], [dnl
1407NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
1408udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
45e46e92 1409NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=42 ct_state=new|trk,ct_nw_src=10.1.1.2,ct_nw_dst=10.1.1.1,ct_nw_proto=17,ct_tp_src=2,ct_tp_dst=1,ip,in_port=2 (via action) data_len=42 (unbuffered)
1410udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
1411])
1412
1413dnl
1414dnl Check that the directionality has been changed by force commit.
1415dnl
1416AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.2,"], [], [dnl
1417udp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1),reply=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2)
1418])
1419
1420dnl OK, now send another packet from port 1 and see that it switches again
1421AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 actions=resubmit(,0)"])
1422AT_CHECK([ovs-appctl revalidator/purge], [0])
1423
1424AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.1,"], [], [dnl
1425udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),reply=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1)
1426])
1427
1428OVS_TRAFFIC_VSWITCHD_STOP
1429AT_CLEANUP
1430
1431AT_SETUP([conntrack - ct flush by 5-tuple])
1432CHECK_CONNTRACK()
1433OVS_TRAFFIC_VSWITCHD_START()
1434
1435ADD_NAMESPACES(at_ns0, at_ns1)
1436
1437ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1438ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1439
1440AT_DATA([flows.txt], [dnl
1441priority=1,action=drop
1442priority=10,arp,action=normal
1443priority=100,in_port=1,udp,action=ct(commit),2
1444priority=100,in_port=2,udp,action=ct(zone=5,commit),1
1445priority=100,in_port=1,icmp,action=ct(commit),2
1446priority=100,in_port=2,icmp,action=ct(zone=5,commit),1
1447])
1448
1449AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1450
1451dnl Test UDP from port 1
1452AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 actions=resubmit(,0)"])
1453
1454AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.1,"], [], [dnl
1455udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),reply=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1)
1456])
1457
1458AT_CHECK([ovs-appctl dpctl/flush-conntrack 'ct_nw_src=10.1.1.2,ct_nw_dst=10.1.1.1,ct_nw_proto=17,ct_tp_src=2,ct_tp_dst=1'])
1459
1460AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.1,"], [1], [dnl
1461])
1462
1463dnl Test UDP from port 2
1464AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000 actions=resubmit(,0)"])
1465
1466AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.2,"], [0], [dnl
1467udp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1),reply=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),zone=5
1468])
1469
1470AT_CHECK([ovs-appctl dpctl/flush-conntrack zone=5 'ct_nw_src=10.1.1.1,ct_nw_dst=10.1.1.2,ct_nw_proto=17,ct_tp_src=1,ct_tp_dst=2'])
1471
1472AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1473])
1474
1475dnl Test ICMP traffic
1476NS_CHECK_EXEC([at_ns1], [ping -q -c 3 -i 0.3 -w 2 10.1.1.1 | FORMAT_PING], [0], [dnl
14773 packets transmitted, 3 received, 0% packet loss, time 0ms
1478])
1479
1480AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.2,"], [0], [stdout])
1481AT_CHECK([cat stdout | FORMAT_CT(10.1.1.1)], [0],[dnl
1482icmp,orig=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=8,code=0),reply=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=0,code=0),zone=5
1483])
1484
1485ICMP_ID=`cat stdout | cut -d ',' -f4 | cut -d '=' -f2`
1486ICMP_TUPLE=ct_nw_src=10.1.1.2,ct_nw_dst=10.1.1.1,ct_nw_proto=1,icmp_id=$ICMP_ID,icmp_type=8,icmp_code=0
1487AT_CHECK([ovs-appctl dpctl/flush-conntrack zone=5 $ICMP_TUPLE])
1488
1489AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.2,"], [1], [dnl
1490])
1491
ffdcd110 1492OVS_TRAFFIC_VSWITCHD_STOP
1493AT_CLEANUP
1494
1495AT_SETUP([conntrack - IPv4 ping])
1496CHECK_CONNTRACK()
1497OVS_TRAFFIC_VSWITCHD_START()
1498
1499ADD_NAMESPACES(at_ns0, at_ns1)
1500
1501ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1502ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1503
1504dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
1505AT_DATA([flows.txt], [dnl
1506priority=1,action=drop
1507priority=10,arp,action=normal
1508priority=100,in_port=1,icmp,action=ct(commit),2
1509priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
1510priority=100,in_port=2,icmp,ct_state=+trk+est,action=1
1511])
1512
1513AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1514
1515dnl Pings from ns0->ns1 should work fine.
1516NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
15173 packets transmitted, 3 received, 0% packet loss, time 0ms
1518])
1519
1520AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1521icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0)
1522])
1523
1524AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1525
1526dnl Pings from ns1->ns0 should fail.
1527NS_CHECK_EXEC([at_ns1], [ping -q -c 3 -i 0.3 -w 2 10.1.1.1 | FORMAT_PING], [0], [dnl
15287 packets transmitted, 0 received, 100% packet loss, time 0ms
1529])
1530
1531OVS_TRAFFIC_VSWITCHD_STOP
1532AT_CLEANUP
1533
1534AT_SETUP([conntrack - get_nconns and get/set_maxconns])
1535CHECK_CONNTRACK()
1536CHECK_CT_DPIF_SET_GET_MAXCONNS()
1537CHECK_CT_DPIF_GET_NCONNS()
1538OVS_TRAFFIC_VSWITCHD_START()
1539
1540ADD_NAMESPACES(at_ns0, at_ns1)
1541
1542ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1543ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1544
1545dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
1546AT_DATA([flows.txt], [dnl
1547priority=1,action=drop
1548priority=10,arp,action=normal
1549priority=100,in_port=1,icmp,action=ct(commit),2
1550priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
1551priority=100,in_port=2,icmp,ct_state=+trk+est,action=1
1552])
1553
1554AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1555
1556dnl Pings from ns0->ns1 should work fine.
1557NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
15583 packets transmitted, 3 received, 0% packet loss, time 0ms
1559])
1560
1561AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1562icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0)
1563])
1564
1565AT_CHECK([ovs-appctl dpctl/ct-set-maxconns one-bad-dp], [2], [], [dnl
1566ovs-vswitchd: maxconns missing or malformed (Invalid argument)
1567ovs-appctl: ovs-vswitchd: server returned an error
1568])
1569
1570AT_CHECK([ovs-appctl dpctl/ct-set-maxconns a], [2], [], [dnl
1571ovs-vswitchd: maxconns missing or malformed (Invalid argument)
1572ovs-appctl: ovs-vswitchd: server returned an error
1573])
1574
1575AT_CHECK([ovs-appctl dpctl/ct-set-maxconns one-bad-dp 10], [2], [], [dnl
ffdcd110 1576ovs-vswitchd: datapath not found (Invalid argument)
1577ovs-appctl: ovs-vswitchd: server returned an error
1578])
1579
1580AT_CHECK([ovs-appctl dpctl/ct-get-maxconns one-bad-dp], [2], [], [dnl
ffdcd110 1581ovs-vswitchd: datapath not found (Invalid argument)
1582ovs-appctl: ovs-vswitchd: server returned an error
1583])
1584
1585AT_CHECK([ovs-appctl dpctl/ct-get-nconns one-bad-dp], [2], [], [dnl
ffdcd110 1586ovs-vswitchd: datapath not found (Invalid argument)
1587ovs-appctl: ovs-vswitchd: server returned an error
1588])
1589
1590AT_CHECK([ovs-appctl dpctl/ct-get-nconns], [], [dnl
15911
1592])
1593
1594AT_CHECK([ovs-appctl dpctl/ct-get-maxconns], [], [dnl
15953000000
1596])
1597
1598AT_CHECK([ovs-appctl dpctl/ct-set-maxconns 10], [], [dnl
1599setting maxconns successful
1600])
1601
1602AT_CHECK([ovs-appctl dpctl/ct-get-maxconns], [], [dnl
160310
1604])
1605
1606AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1607
1608AT_CHECK([ovs-appctl dpctl/ct-get-nconns], [], [dnl
16090
1610])
1611
1612AT_CHECK([ovs-appctl dpctl/ct-get-maxconns], [], [dnl
161310
1614])
1615
ffdcd110 1616OVS_TRAFFIC_VSWITCHD_STOP
1617AT_CLEANUP
1618
1619AT_SETUP([conntrack - IPv6 ping])
1620CHECK_CONNTRACK()
1621OVS_TRAFFIC_VSWITCHD_START()
1622
1623ADD_NAMESPACES(at_ns0, at_ns1)
1624
1625ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1626ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1627
1628AT_DATA([flows.txt], [dnl
1629
1630dnl ICMPv6 echo request and reply go to table 1. The rest of the traffic goes
1631dnl through normal action.
1632table=0,priority=10,icmp6,icmp_type=128,action=goto_table:1
1633table=0,priority=10,icmp6,icmp_type=129,action=goto_table:1
1634table=0,priority=1,action=normal
1635
1636dnl Allow everything from ns0->ns1. Only allow return traffic from ns1->ns0.
1637table=1,priority=100,in_port=1,icmp6,action=ct(commit),2
1638table=1,priority=100,in_port=2,icmp6,ct_state=-trk,action=ct(table=0)
1639table=1,priority=100,in_port=2,icmp6,ct_state=+trk+est,action=1
1640table=1,priority=1,action=drop
1641])
1642
1643AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1644
1645OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1646
1647dnl The above ping creates state in the connection tracker. We're not
1648dnl interested in that state.
1649AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1650
1651dnl Pings from ns1->ns0 should fail.
1652NS_CHECK_EXEC([at_ns1], [ping6 -q -c 3 -i 0.3 -w 2 fc00::1 | FORMAT_PING], [0], [dnl
16537 packets transmitted, 0 received, 100% packet loss, time 0ms
1654])
1655
1656dnl Pings from ns0->ns1 should work fine.
1657NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
16583 packets transmitted, 3 received, 0% packet loss, time 0ms
1659])
1660
1661AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
1662icmpv6,orig=(src=fc00::1,dst=fc00::2,id=<cleared>,type=128,code=0),reply=(src=fc00::2,dst=fc00::1,id=<cleared>,type=129,code=0)
1663])
1664
1665OVS_TRAFFIC_VSWITCHD_STOP
1666AT_CLEANUP
1667
1668AT_SETUP([conntrack - preserve registers])
1669CHECK_CONNTRACK()
cf7659b6 1670OVS_TRAFFIC_VSWITCHD_START()
1671
1672ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1673
1674ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1675ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1676ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1677ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1678
1679dnl Allow any traffic from ns0->ns1, ns2->ns3.
1680AT_DATA([flows.txt], [dnl
1681priority=1,action=drop
1682priority=10,arp,action=normal
1683priority=10,icmp,action=normal
1684priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
1685priority=100,in_port=1,tcp,ct_state=+trk,action=2
1686priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
1687priority=100,in_port=2,tcp,ct_state=+trk,action=1
1688priority=100,in_port=3,tcp,ct_state=-trk,action=load:0->NXM_NX_REG0[[]],ct(table=0)
1689priority=100,in_port=3,tcp,ct_state=+trk,reg0=0,action=load:1->NXM_NX_REG0[[]],ct(commit,table=0)
1690priority=100,in_port=3,tcp,ct_state=+trk,reg0=1,action=4
1691priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
1692priority=100,in_port=4,tcp,ct_state=+trk,action=3
1693])
1694
6cfa8ec3 1695AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
07659514 1696
1697OVS_START_L7([at_ns1], [http])
1698OVS_START_L7([at_ns3], [http])
1699
07659514 1700dnl HTTP requests from p0->p1 should work fine.
1701NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1702
1703dnl HTTP requests from p2->p3 should work fine.
1704NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
1705
1706OVS_TRAFFIC_VSWITCHD_STOP
1707AT_CLEANUP
1708
1709AT_SETUP([conntrack - invalid])
1710CHECK_CONNTRACK()
cf7659b6 1711OVS_TRAFFIC_VSWITCHD_START()
1712
1713ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1714
1715ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1716ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1717ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1718ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1719
1720dnl Pass traffic from ns0->ns1 without committing, but attempt to track in
1721dnl the opposite direction. This should fail.
1722dnl Pass traffic from ns2->ns3 (ports 3->4) without committing, and this time match
1723dnl invalid traffic and allow it through.
1724AT_DATA([flows.txt], [dnl
1725priority=1,action=drop
1726priority=10,arp,action=normal
1727priority=10,icmp,action=normal
1728priority=100,in_port=1,tcp,action=ct(),2
1729priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1730priority=100,in_port=2,ct_state=+trk+new,tcp,action=1
1731priority=100,in_port=3,tcp,action=ct(),4
1732priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
1733priority=100,in_port=4,ct_state=+trk+inv,tcp,action=3
1734priority=100,in_port=4,ct_state=+trk+new,tcp,action=3
1735])
1736
6cfa8ec3 1737AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1738
1739dnl We set up our rules to allow the request without committing. The return
1740dnl traffic can't be identified, because the initial request wasn't committed.
1741dnl For the first pair of ports, this means that the connection fails.
1742OVS_START_L7([at_ns1], [http])
1743OVS_START_L7([at_ns3], [http])
1744NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4])
1745
1746dnl For the second pair, we allow packets from invalid connections, so it works.
1747NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
1748
1749OVS_TRAFFIC_VSWITCHD_STOP
1750AT_CLEANUP
1751
1752AT_SETUP([conntrack - zones])
1753CHECK_CONNTRACK()
cf7659b6 1754OVS_TRAFFIC_VSWITCHD_START()
1755
1756ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1757
1758ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1759ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1760ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1761ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1762
1763dnl Allow any traffic from ns0->ns1. Allow return traffic, matching on zone.
1764dnl For ns2->ns3, use a different zone and see that the match fails.
1765AT_DATA([flows.txt], [dnl
1766priority=1,action=drop
1767priority=10,arp,action=normal
1768priority=10,icmp,action=normal
1769priority=100,in_port=1,tcp,action=ct(commit,zone=1),2
1770priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
1771priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
1772priority=100,in_port=3,tcp,action=ct(commit,zone=2),4
1773priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0,zone=2)
1774priority=100,in_port=4,ct_state=+trk,ct_zone=1,tcp,action=3
1775])
1776
6cfa8ec3 1777AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
07659514 1778
1779OVS_START_L7([at_ns1], [http])
1780OVS_START_L7([at_ns3], [http])
1781
07659514 1782dnl HTTP requests from p0->p1 should work fine.
1783NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1784
ec3aa16c 1785AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
420c73b2 1786tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1787])
1788
1789dnl HTTP requests from p2->p3 should fail due to network failure.
1790dnl Try 3 times, in 1 second intervals.
1791NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
1792
ec3aa16c 1793AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
420c73b2 1794tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
1795])
1796
1797OVS_TRAFFIC_VSWITCHD_STOP
1798AT_CLEANUP
1799
1800AT_SETUP([conntrack - zones from field])
1801CHECK_CONNTRACK()
cf7659b6 1802OVS_TRAFFIC_VSWITCHD_START()
1803
1804ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1805
1806ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1807ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1808ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1809ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1810
1811dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
1812AT_DATA([flows.txt], [dnl
1813priority=1,action=drop
1814priority=10,arp,action=normal
1815priority=10,icmp,action=normal
1816priority=100,in_port=1,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),2
1817priority=100,in_port=2,ct_state=-trk,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
1818priority=100,in_port=2,ct_state=+trk,ct_zone=0x1001,tcp,action=1
1819priority=100,in_port=3,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),4
1820priority=100,in_port=4,ct_state=-trk,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
1821priority=100,in_port=4,ct_state=+trk,ct_zone=0x1001,tcp,action=3
1822])
1823
6cfa8ec3 1824AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
07659514 1825
1826OVS_START_L7([at_ns1], [http])
1827OVS_START_L7([at_ns3], [http])
1828
07659514 1829dnl HTTP requests from p0->p1 should work fine.
1830NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1831
ec3aa16c 1832AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
420c73b2 1833tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=4097,protoinfo=(state=<cleared>)
1834])
1835
1836dnl HTTP requests from p2->p3 should fail due to network failure.
1837dnl Try 3 times, in 1 second intervals.
1838NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
1839
ec3aa16c 1840AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
420c73b2 1841tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=4098,protoinfo=(state=<cleared>)
1842])
1843
1844OVS_TRAFFIC_VSWITCHD_STOP
1845AT_CLEANUP
1846
1847AT_SETUP([conntrack - multiple bridges])
1848CHECK_CONNTRACK()
1849OVS_TRAFFIC_VSWITCHD_START(
cf7659b6 1850 [_ADD_BR([br1]) --\
1851 add-port br0 patch+ -- set int patch+ type=patch options:peer=patch- --\
1852 add-port br1 patch- -- set int patch- type=patch options:peer=patch+ --])
1853
1854ADD_NAMESPACES(at_ns0, at_ns1)
1855
1856ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1857ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")
1858
1859dnl Allow any traffic from ns0->br1, allow established in reverse.
1860AT_DATA([flows-br0.txt], [dnl
1861priority=1,action=drop
1862priority=10,arp,action=normal
1863priority=10,icmp,action=normal
1864priority=100,in_port=2,tcp,ct_state=-trk,action=ct(commit,zone=1),1
1865priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
1866priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=1,action=2
1867])
1868
1869dnl Allow any traffic from br0->ns1, allow established in reverse.
1870AT_DATA([flows-br1.txt], [dnl
1871priority=1,action=drop
1872priority=10,arp,action=normal
1873priority=10,icmp,action=normal
1874priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=2)
1875priority=100,in_port=1,tcp,ct_state=+trk+new,ct_zone=2,action=ct(commit,zone=2),2
1876priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=2,action=2
1877priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
1878priority=100,in_port=2,tcp,ct_state=+trk+est,ct_zone=2,action=ct(commit,zone=2),1
1879])
1880
1881AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
1882AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt])
1883
1884dnl HTTP requests from p0->p1 should work fine.
7ed40afe 1885OVS_START_L7([at_ns1], [http])
1886NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1887
1888OVS_TRAFFIC_VSWITCHD_STOP
1889AT_CLEANUP
1890
1891AT_SETUP([conntrack - multiple zones])
1892CHECK_CONNTRACK()
cf7659b6 1893OVS_TRAFFIC_VSWITCHD_START()
1894
1895ADD_NAMESPACES(at_ns0, at_ns1)
1896
1897ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1898ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1899
1900dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
1901AT_DATA([flows.txt], [dnl
1902priority=1,action=drop
1903priority=10,arp,action=normal
1904priority=10,icmp,action=normal
1905priority=100,in_port=1,tcp,action=ct(commit,zone=1),ct(commit,zone=2),2
1906priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=2)
1907priority=100,in_port=2,ct_state=+trk,ct_zone=2,tcp,action=1
1908])
1909
6cfa8ec3 1910AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
07659514 1911
1912OVS_START_L7([at_ns1], [http])
1913
07659514 1914dnl HTTP requests from p0->p1 should work fine.
1915NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1916
1917dnl (again) HTTP requests from p0->p1 should work fine.
1918NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1919
ec3aa16c 1920AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1921tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1922tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
1923])
1924
1925OVS_TRAFFIC_VSWITCHD_STOP
1926AT_CLEANUP
1927
1928AT_SETUP([conntrack - multiple namespaces, internal ports])
1929CHECK_CONNTRACK()
4573c42e 1930CHECK_CONNTRACK_LOCAL_STACK()
1931OVS_TRAFFIC_VSWITCHD_START(
1932 [set-fail-mode br0 secure -- ])
1933
1934ADD_NAMESPACES(at_ns0, at_ns1)
1935
1936ADD_INT(p0, at_ns0, br0, "10.1.1.1/24")
1937ADD_INT(p1, at_ns1, br0, "10.1.1.2/24")
1938
1939dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
1940dnl
1941dnl If skb->nfct is leaking from inside the namespace, this test will fail.
1942AT_DATA([flows.txt], [dnl
1943priority=1,action=drop
1944priority=10,arp,action=normal
1945priority=10,icmp,action=normal
1946priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=1),2
1947priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
1948priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
1949])
1950
1951AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1952
1953OVS_START_L7([at_ns1], [http])
1954
0e27c629 1955dnl HTTP requests from p0->p1 should work fine.
1956NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1957
1958dnl (again) HTTP requests from p0->p1 should work fine.
1959NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1960
ec3aa16c 1961AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
420c73b2 1962tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1963])
1964
1965OVS_TRAFFIC_VSWITCHD_STOP(["dnl
1966/ioctl(SIOCGIFINDEX) on .* device failed: No such device/d
1967/removing policing failed: No such device/d"])
1968AT_CLEANUP
1969
1970AT_SETUP([conntrack - ct_mark])
1971CHECK_CONNTRACK()
cf7659b6 1972OVS_TRAFFIC_VSWITCHD_START()
1973
1974ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1975
1976ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1977ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1978ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1979ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1980
1981dnl Allow traffic between ns0<->ns1 using the ct_mark.
1982dnl Check that different marks do not match for traffic between ns2<->ns3.
1983AT_DATA([flows.txt], [dnl
1984priority=1,action=drop
1985priority=10,arp,action=normal
1986priority=10,icmp,action=normal
1987priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
1988priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1989priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
1990priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:2->ct_mark)),4
1991priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
1992priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
1993])
1994
6cfa8ec3 1995AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
8e53fe8c 1996
1997OVS_START_L7([at_ns1], [http])
1998OVS_START_L7([at_ns3], [http])
1999
8e53fe8c 2000dnl HTTP requests from p0->p1 should work fine.
8e53fe8c 2001NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2002AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2003tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=<cleared>)
2004])
2005
2006dnl HTTP requests from p2->p3 should fail due to network failure.
2007dnl Try 3 times, in 1 second intervals.
8e53fe8c 2008NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
ec3aa16c 2009AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
420c73b2 2010tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=<cleared>)
2011])
2012
2013OVS_TRAFFIC_VSWITCHD_STOP
2014AT_CLEANUP
2015
2016AT_SETUP([conntrack - ct_mark bit-fiddling])
2017CHECK_CONNTRACK()
2018OVS_TRAFFIC_VSWITCHD_START()
2019
2020ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
2021
2022ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2023ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2024
2025dnl Allow traffic between ns0<->ns1 using the ct_mark. Return traffic should
2026dnl cause an additional bit to be set in the connection (and be allowed).
2027AT_DATA([flows.txt], [dnl
2028table=0,priority=1,action=drop
2029table=0,priority=10,arp,action=normal
2030table=0,priority=10,icmp,action=normal
2031table=0,priority=100,in_port=1,tcp,action=ct(table=1)
2032table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x2/0x6->ct_mark))
2033table=1,in_port=1,ct_state=+new,tcp,action=ct(commit,exec(set_field:0x5/0x5->ct_mark)),2
2034table=1,in_port=1,ct_state=-new,tcp,action=2
2035table=1,in_port=2,ct_state=+trk,ct_mark=3,tcp,action=1
2036])
2037
2038AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2039
2040OVS_START_L7([at_ns1], [http])
2041
4d182934 2042dnl HTTP requests from p0->p1 should work fine.
2043NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2044
2045AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2046tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=3,protoinfo=(state=<cleared>)
2047])
2048
2049OVS_TRAFFIC_VSWITCHD_STOP
2050AT_CLEANUP
2051
2052AT_SETUP([conntrack - ct_mark from register])
2053CHECK_CONNTRACK()
cf7659b6 2054OVS_TRAFFIC_VSWITCHD_START()
2055
2056ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
2057
2058ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2059ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2060ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
2061ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
2062
2063dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
2064AT_DATA([flows.txt], [dnl
2065priority=1,action=drop
2066priority=10,arp,action=normal
2067priority=10,icmp,action=normal
2068priority=100,in_port=1,tcp,action=load:1->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),2
2069priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
2070priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
2071priority=100,in_port=3,tcp,action=load:2->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),4
2072priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
2073priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
2074])
2075
6cfa8ec3 2076AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
8e53fe8c 2077
2078OVS_START_L7([at_ns1], [http])
2079OVS_START_L7([at_ns3], [http])
2080
8e53fe8c 2081dnl HTTP requests from p0->p1 should work fine.
8e53fe8c 2082NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2083AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2084tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=<cleared>)
2085])
2086
2087dnl HTTP requests from p2->p3 should fail due to network failure.
2088dnl Try 3 times, in 1 second intervals.
8e53fe8c 2089NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
ec3aa16c 2090AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
420c73b2 2091tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=<cleared>)
2092])
2093
2094OVS_TRAFFIC_VSWITCHD_STOP
2095AT_CLEANUP
2096
2097AT_SETUP([conntrack - ct_label])
2098CHECK_CONNTRACK()
cf7659b6 2099OVS_TRAFFIC_VSWITCHD_START()
2100
2101ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
2102
2103ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2104ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2105ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
2106ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
2107
2108dnl Allow traffic between ns0<->ns1 using the ct_label.
2109dnl Check that different labels do not match for traffic between ns2<->ns3.
2110AT_DATA([flows.txt], [dnl
2111priority=1,action=drop
2112priority=10,arp,action=normal
2113priority=10,icmp,action=normal
2114priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:0x0a000d000005000001->ct_label)),2
2115priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
2116priority=100,in_port=2,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=1
2117priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:0x2->ct_label)),4
2118priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
2119priority=100,in_port=4,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=3
2120])
2121
6cfa8ec3 2122AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
9daf2348 2123
7ed40afe
JS
2124OVS_START_L7([at_ns1], [http])
2125OVS_START_L7([at_ns3], [http])
2126
9daf2348 2127dnl HTTP requests from p0->p1 should work fine.
9daf2348
JS
2128NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2129
2130dnl HTTP requests from p2->p3 should fail due to network failure.
2131dnl Try 3 times, in 1 second intervals.
9daf2348
JS
2132NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
2133
2134OVS_TRAFFIC_VSWITCHD_STOP
2135AT_CLEANUP
2136
AT_SETUP([conntrack - ct_label bit-fiddling])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

dnl Four namespaces are created but only at_ns0/at_ns1 get interfaces.
ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow traffic between ns0<->ns1 using the ct_labels. Return traffic should
dnl cause an additional bit to be set in the connection labels (and be allowed)
dnl Label arithmetic under test: the first p0->p1 packet (+new) commits value
dnl 0x5 under mask 0x5 (bits 0 and 2). Untracked packets from p1 commit value
dnl 0x200000000 under mask 0x200000004, i.e. set bit 33 and clear bit 2 while
dnl leaving bit 0 alone, giving 0x200000001. Replies are only forwarded to p0
dnl if the label equals exactly that value; the dump-conntrack check at the end
dnl confirms the stored value is the combination, not just one of the writes.
dnl NOTE(review): the table=1 in_port=1 -new rule forwards every tracked,
dnl non-new TCP packet from p0, which includes ct_state=inv; that is harmless
dnl for this p0->p1 direction but would be too permissive as a general policy.
AT_DATA([flows.txt], [dnl
table=0,priority=1,action=drop
table=0,priority=10,arp,action=normal
table=0,priority=10,icmp,action=normal
table=0,priority=100,in_port=1,tcp,action=ct(table=1)
table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label))
table=1,in_port=1,tcp,ct_state=+new,action=ct(commit,exec(set_field:0x5/0x5->ct_label)),2
table=1,in_port=1,tcp,ct_state=-new,action=2
table=1,in_port=2,ct_state=+trk,ct_label=0x200000001,tcp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

OVS_START_L7([at_ns1], [http])

dnl HTTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl The committed connection must carry the combined label 0x200000001.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),labels=0x200000001,protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2172
AT_SETUP([conntrack - ct metadata, multiple zones])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

dnl Four namespaces are created but only at_ns0/at_ns1 get interfaces.
ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow traffic between ns0<->ns1 using the ct_mark and ct_labels in zone=1,
dnl but do *not* set any of these for the ct() in zone=2. Traffic should pass,
dnl and we should see that the conntrack entries only apply the ct_mark and
dnl ct_labels to the connection in zone=1.
dnl Expected zone=1 values: label 0x5 then 0x200000000/0x200000004 gives
dnl 0x200000001 (same arithmetic as the bit-fiddling test); mark 0x5 then
dnl 0x2/0x6 clears bit 2 and sets bit 1, giving 3.
dnl NOTE(review): the table=1 in_port=2 rule forwards all TCP from p1
dnl unconditionally, so this test exercises per-zone metadata isolation, not
dnl return-path enforcement.
AT_DATA([flows.txt], [dnl
table=0,priority=1,action=drop
table=0,priority=10,arp,action=normal
table=0,priority=10,icmp,action=normal
table=0,priority=100,in_port=1,tcp,action=ct(zone=1,table=1)
table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(zone=1,table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label,set_field:0x2/0x6->ct_mark))
table=1,in_port=1,tcp,ct_state=+new,action=ct(zone=1,commit,exec(set_field:0x5/0x5->ct_label,set_field:0x5/0x5->ct_mark)),ct(commit,zone=2),2
table=1,in_port=1,tcp,ct_state=-new,action=ct(zone=2),2
table=1,in_port=2,tcp,action=ct(zone=2),1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

OVS_START_L7([at_ns1], [http])

dnl HTTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl The same 5-tuple appears once per zone; only the zone=1 entry may carry
dnl mark/labels. Metadata showing up on the zone=2 entry would be a
dnl zone-isolation bug.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,mark=3,labels=0x200000001,protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2211
AT_SETUP([conntrack - ICMP related])
AT_SKIP_IF([test $HAVE_NC = no])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
dnl UDP from p0 is committed with ct_mark=1. ICMP arriving on p1 is first run
dnl through conntrack; it is forwarded to p0 only if conntrack classifies it
dnl as related (+rel) to a tracked connection and that connection carries
dnl mark 1. Unsolicited ICMP from p1 (not +rel, or related to an unmarked
dnl connection) falls through to the priority=1 drop.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,udp,action=ct(commit,exec(set_field:1->ct_mark)),2
priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,icmp,ct_state=+trk+rel,ct_mark=1,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
dnl Nothing is listening on UDP/10000 in at_ns1, so its stack answers with an
dnl ICMP error quoting the offending datagram; that error is the +rel packet.
NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])

dnl Flush datapath flow stats into the OpenFlow counters before reading them.
AT_CHECK([ovs-appctl revalidator/purge], [0])
dnl Exactly one UDP datagram out (44 bytes, consistent with 14 Ethernet + 20
dnl IP + 8 UDP + the 2-byte "a" plus newline payload) and exactly one ICMP
dnl error in (72 bytes), seen once untracked and once as +rel with ct_mark=1.
AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
 n_packets=1, n_bytes=44, priority=100,udp,in_port=1 actions=ct(commit,exec(load:0x1->NXM_NX_CT_MARK[[]])),output:2
 n_packets=1, n_bytes=72, priority=100,ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2 actions=output:1
 n_packets=1, n_bytes=72, priority=100,ct_state=-trk,icmp,in_port=2 actions=ct(table=0)
 n_packets=2, n_bytes=84, priority=10,arp actions=NORMAL
NXST_FLOW reply:
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2247
AT_SETUP([conntrack - ICMP related to original direction])
AT_SKIP_IF([test $HAVE_NC = no])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Commit UDP in both directions in zone 34673. ICMP arriving on p1 is only
dnl forwarded when conntrack marks it related (+rel) to a tracked connection;
dnl anything else that is not ARP falls through to the priority=1 drop.
dnl The point of the test is that an ICMP error can be "related" to a
dnl connection while travelling in that connection's *original* direction.
AT_DATA([flows.txt], [dnl
priority=1000,arp,action=normal
priority=100,ip,action=ct(table=1)
priority=1,action=drop
table=1,ip,action=ct(zone=34673,table=2)
table=2,in_port=2,udp,action=ct(commit,zone=34673),1
table=2,in_port=1,udp,action=ct(commit,zone=34673),2
table=2,in_port=2,ct_state=+rel,icmp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl The packets below are injected with packet-out, so the 192.100.x.y
dnl addresses never have to exist in the namespaces.

dnl 1. Send a UDP packet to port 53 (src=192.100.1.8,dst=192.100.2.5) via
dnl port 2. This creates the zone 34673 entry with orig src=192.100.1.8.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) '00010200020400232211223308004500001c000100004011f6fac0640108c06402050035003500087b9e'])

dnl 2. Send a UDP packet to port 53 (src=192.100.2.5,dst=192.100.1.8) via
dnl port 1. This is the reply direction of the entry created in step 1.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 resubmit\(,0\) '00232211223300010200020408004500001c000100004011f6fac0640205c06401080035003500087b9e'])

dnl 3. Send an ICMP destination-unreachable error (type 3, code 0x0a in the
dnl hex below) for port 53, related to the 2nd packet, but in the original
dnl direction of the conntrack entry created for the 1st packet. It must be
dnl classified +rel and forwarded to port 1 by the table=2 rule.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) '000102000204002322112233080045000038000100003f01f7eec0640108c0640205030a80e5ffffffff4500001c000100003f11f7fac0640205c06401080035003500087b9e'])

AT_CHECK([ovs-appctl revalidator/purge], [0])

dnl 4. Repeat 3. The second copy must also be +rel, i.e. the first ICMP error
dnl must not have created or disturbed conntrack state.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) '000102000204002322112233080045000038000100003f01f7eec0640108c0640205030a80e5ffffffff4500001c000100003f11f7fac0640205c06401080035003500087b9e'])

AT_CHECK([ovs-appctl revalidator/purge], [0])

dnl Both ICMP errors hit the +rel rule (n_packets=2) and one UDP packet was
dnl committed per direction.
AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
 n_packets=4, n_bytes=224, priority=100,ip actions=ct(table=1)
 priority=1000,arp actions=NORMAL
 table=1, n_packets=4, n_bytes=224, ip actions=ct(table=2,zone=34673)
 table=2, n_packets=1, n_bytes=42, udp,in_port=1 actions=ct(commit,zone=34673),output:2
 table=2, n_packets=1, n_bytes=42, udp,in_port=2 actions=ct(commit,zone=34673),output:1
 table=2, n_packets=2, n_bytes=140, ct_state=+rel,icmp,in_port=2 actions=output:1
NXST_FLOW reply:
])

dnl A single UDP entry exists, with 192.100.1.8 as the original source; no
dnl ICMP entry appears for these addresses.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(192.100.1.8)], [0], [dnl
udp,orig=(src=192.100.1.8,dst=192.100.2.5,sport=<cleared>,dport=<cleared>),reply=(src=192.100.2.5,dst=192.100.1.8,sport=<cleared>,dport=<cleared>),zone=34673
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2305
AT_SETUP([conntrack - ICMP related 2])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "172.16.0.1/24")
ADD_VETH(p1, at_ns1, br0, "172.16.0.2/24")

dnl Commit every IP packet to conntrack and punt it to the controller, so the
dnl ct_state conntrack assigns to each injected packet can be read from the
dnl ovs-ofctl monitor log below. Nothing is forwarded to a port; this test is
dnl about classification of ICMP errors, not enforcement.
AT_DATA([flows.txt], [dnl
table=0,ip,action=ct(commit,table=1)
table=1,ip,action=controller
])

dnl replace-flows (not add-flows) so that no pre-existing flow on br0 survives.
AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt])

AT_CAPTURE_FILE([ofctl_monitor.log])
AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])

dnl 1. Send an ICMP port unreach reply for port 8738, without any previous request.
dnl The quoted inner datagram (172.16.0.3 -> 172.16.0.4) matches no known
dnl connection, so conntrack must flag the packet inv rather than create
dnl state for it, even though it passes through ct(commit).
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f351ac100004ac1000030303da490000000045000021317040004011b138ac100003ac10000411112222000d20966369616f0a'])

dnl 2. Send a UDP packet to port 5555 (172.16.0.1 -> 172.16.0.2). This is the
dnl only packet that should create a conntrack entry.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 resubmit\(,0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])

dnl 3. Send an ICMP port unreach reply from a path midpoint for port 5555, related to the first packet
dnl (the UDP packet of step 2). The outer source is 172.16.0.3, i.e. neither
dnl endpoint of the connection, so this checks that relatedness is decided by
dnl the quoted inner datagram and not by the outer addresses.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f354ac100003ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])

OVS_APP_EXIT_AND_WAIT([ovs-ofctl])

dnl Check this output. All three packets reach the controller: the unsolicited
dnl ICMP error is inv|trk with no ct_ fields, the UDP packet is new|trk, and
dnl the ICMP error from the midpoint is rel|rpl|trk and carries the UDP
dnl connection's 5-tuple in its ct_ fields.
AT_CHECK([cat ofctl_monitor.log | grep -v ff02 | grep -v fe80 | grep -v no_match], [0], [dnl
NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=75 ct_state=inv|trk,ip,in_port=2 (via action) data_len=75 (unbuffered)
icmp,vlan_tci=0x0000,dl_src=c6:f5:4e:cb:72:db,dl_dst=f6:4c:47:35:28:c9,nw_src=172.16.0.4,nw_dst=172.16.0.3,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:da49
NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=47 ct_state=new|trk,ct_nw_src=172.16.0.1,ct_nw_dst=172.16.0.2,ct_nw_proto=17,ct_tp_src=41614,ct_tp_dst=5555,ip,in_port=1 (via action) data_len=47 (unbuffered)
udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096
NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=75 ct_state=rel|rpl|trk,ct_nw_src=172.16.0.1,ct_nw_dst=172.16.0.2,ct_nw_proto=17,ct_tp_src=41614,ct_tp_dst=5555,ip,in_port=2 (via action) data_len=75 (unbuffered)
icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.3,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f
])

dnl Only the UDP connection exists in conntrack...
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(172.16.0.1)], [0], [dnl
udp,orig=(src=172.16.0.1,dst=172.16.0.2,sport=<cleared>,dport=<cleared>),reply=(src=172.16.0.2,dst=172.16.0.1,sport=<cleared>,dport=<cleared>)
])

dnl ...and neither ICMP error created an entry involving 172.16.0.3, despite
dnl both having been sent through ct(commit).
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(172.16.0.3)], [0], [dnl
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
AT_SETUP([conntrack - IPv4 fragmentation])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Sending ping through conntrack
dnl Default-deny, ARP bypasses conntrack. Echo requests from p0 are committed
dnl in zone 9; replies from p1 are tracked in the same zone and forwarded
dnl only once the connection is established. Fragmented echoes therefore have
dnl to be handled by conntrack's fragmentation code for the ping to succeed.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Modify userspace conntrack fragmentation handling.
DPCTL_MODIFY_FRAGMENTATION()

dnl Ipv4 fragmentation connectivity check. A 1600-byte payload does not fit
dnl the link MTU (assumed to be the veth default of 1500), so each echo
dnl request is fragmented on the way in.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv4 larger fragmentation connectivity check (more fragments per echo).
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Check userspace conntrack fragmentation counters.
DPCTL_CHECK_FRAGMENTATION_PASS()

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2395
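AT_SETUP([conntrack - IPv4 fragmentation expiry])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Default-deny plus ARP. Echo requests from p0 are committed in zone 9, but
dnl only if they are whole datagrams or first fragments; later fragments are
dnl never forwarded, so the receiver can never reassemble and no reply comes
dnl back. The partial reassembly state left behind in conntrack must then be
dnl expired cleanly.
dnl The ip_frag=first rule previously read "ip_frag=firstaction=..." (missing
dnl comma); it now matches the syntax of the ip_frag=no rule above it and of
dnl the IPv6 expiry test.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal

dnl Only allow non-fragmented messages and 1st fragments of each message
priority=100,in_port=1,icmp,ip_frag=no,action=ct(commit,zone=9),2
priority=100,in_port=1,icmp,ip_frag=first,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Modify userspace conntrack fragmentation handling.
DPCTL_MODIFY_FRAGMENTATION()

dnl Negative connectivity check: the 1600-byte pings are fragmented and the
dnl later fragments are dropped by the flow table, so every echo must go
dnl unanswered. The expected count of 7 comes from ping continuing to send at
dnl the 0.3 s interval until the -w 2 deadline expires.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 1 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
7 packets transmitted, 0 received, 100% packet loss, time 0ms
])

dnl Check userspace conntrack fragmentation counters.
DPCTL_CHECK_FRAGMENTATION_FAIL()

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP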
2431
AT_SETUP([conntrack - IPv4 fragmentation + vlan])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl The pings below use the 10.2.2.0/24 addresses, so every fragment reaches
dnl conntrack carrying a VLAN 100 tag.
ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")

dnl Sending ping through conntrack
dnl Same policy as the untagged IPv4 fragmentation test: default-deny, ARP
dnl bypasses conntrack, echo requests from p0 are committed in zone 9 and only
dnl established replies from p1 are forwarded back.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Modify userspace conntrack fragmentation handling.
DPCTL_MODIFY_FRAGMENTATION()

dnl Ipv4 fragmentation connectivity check (tagged traffic).
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv4 larger fragmentation connectivity check (tagged traffic).
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Check userspace conntrack fragmentation counters.
DPCTL_CHECK_FRAGMENTATION_PASS()

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2472
AT_SETUP([conntrack - IPv4 fragmentation + cvlan])
CHECK_CONNTRACK()
dnl vlan-limit=0 is required for the stacked 802.1ad tags below to be matched
dnl through; presumably it lifts the default single-tag parsing limit -- confirm
dnl against vswitch.xml.
OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])
OVS_CHECK_8021AD()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Outer service tag 4094, with customer tag 100 stacked on top of it.
ADD_SVLAN(p0, at_ns0, 4094, "10.255.2.1/24")
ADD_SVLAN(p1, at_ns1, 4094, "10.255.2.2/24")

ADD_CVLAN(p0.4094, at_ns0, 100, "10.2.2.1/24")
ADD_CVLAN(p1.4094, at_ns1, 100, "10.2.2.2/24")

dnl Sending ping through conntrack
dnl Same policy as the untagged IPv4 fragmentation test: default-deny, ARP
dnl bypasses conntrack, echo requests from p0 are committed in zone 9 and only
dnl established replies from p1 are forwarded back.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Wait until the double-tagged path actually carries traffic before running
dnl the timed checks.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])

dnl Ipv4 fragmentation connectivity check (double-tagged, inner cvlan).
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv4 fragmentation connectivity check. (outer svlan)
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.255.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv4 larger fragmentation connectivity check (double-tagged, inner cvlan).
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv4 larger fragmentation connectivity check. (outer svlan)
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.255.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl NOTE(review): unlike the other IPv4 fragmentation tests, this one does not
dnl call DPCTL_MODIFY_FRAGMENTATION / DPCTL_CHECK_FRAGMENTATION_PASS, so the
dnl userspace fragmentation counters are not verified for stacked tags.
OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2524
2525AT_SETUP([conntrack - IPv4 fragmentation incomplete reassembled packet])
2526CHECK_CONNTRACK()
2527OVS_TRAFFIC_VSWITCHD_START()
2528DPCTL_SET_MIN_FRAG_SIZE()
2529
2530
2531ADD_NAMESPACES(at_ns0, at_ns1)
2532
2533ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2534ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2535
2536AT_DATA([bundle.txt], [dnl
2537packet-out in_port=1, packet=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, actions=ct(commit)
2538])
2539
2540AT_CHECK([ovs-ofctl bundle br0 bundle.txt])
2541
2542AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2543])
2544
2545OVS_TRAFFIC_VSWITCHD_STOP
2546AT_CLEANUP
2547
2548dnl Uses same first fragment as above 'incomplete reassembled packet' test.
2549AT_SETUP([conntrack - IPv4 fragmentation with fragments specified])
2550CHECK_CONNTRACK()
e917d3ee 2551OVS_TRAFFIC_VSWITCHD_START()
4ea96698 2552DPCTL_SET_MIN_FRAG_SIZE()
2553
2554ADD_NAMESPACES(at_ns0, at_ns1)
2555
2556ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2557ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2558
2559AT_DATA([bundle.txt], [dnl
2560packet-out in_port=1, packet=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, actions=ct(commit)
2561packet-out in_port=1, packet=50540000000a505400000009080045000030000100320011a4860a0101010a01010200010002000800000010203040506070809000010203040506070809, actions=ct(commit)
2562])
2563
2564AT_CHECK([ovs-ofctl bundle br0 bundle.txt])
2565
2566AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2567udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>)
2568])
2569
2570OVS_TRAFFIC_VSWITCHD_STOP
2571AT_CLEANUP
2572
2573AT_SETUP([conntrack - IPv4 fragmentation out of order])
2574CHECK_CONNTRACK()
b21ac618 2575OVS_TRAFFIC_VSWITCHD_START()
4ea96698 2576DPCTL_SET_MIN_FRAG_SIZE()
2577
2578ADD_NAMESPACES(at_ns0, at_ns1)
2579
2580ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2581ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2582
2583AT_DATA([bundle.txt], [dnl
2584packet-out in_port=1, packet=50540000000a505400000009080045000030000100320011a4860a0101010a01010200010002000800000010203040506070809000010203040506070809, actions=ct(commit)
2585packet-out in_port=1, packet=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, actions=ct(commit)
2586])
2587
2588AT_CHECK([ovs-ofctl bundle br0 bundle.txt])
2589
2590AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2591udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>)
2592])
2593
2594OVS_TRAFFIC_VSWITCHD_STOP
2595AT_CLEANUP
2596
2597AT_SETUP([conntrack - IPv4 fragmentation overlapping fragments by 1 octet])
2598CHECK_CONNTRACK()
2599CHECK_CONNTRACK_FRAG_OVERLAP()
2600OVS_TRAFFIC_VSWITCHD_START()
4ea96698 2601DPCTL_SET_MIN_FRAG_SIZE()
2602
2603ADD_NAMESPACES(at_ns0, at_ns1)
2604
2605ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2606ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2607
2608AT_DATA([bundle.txt], [dnl
2609packet-out in_port=1, packet=50540000000a5054000000090800450001a400012000001183440a0101010a01010200010002000800000304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809, actions=ct(commit)
2610packet-out in_port=1, packet=50540000000a505400000009080045000030000100310011a4870a0101010a01010200010002000800000010203040506070809000010203040506070809, actions=ct(commit)
2611])
2612
2613AT_CHECK([ovs-ofctl bundle br0 bundle.txt])
# The second fragment overlaps the first by one octet. Overlapping fragments
# are the classic reassembly-evasion pattern, so conntrack must refuse to
# reassemble them and no entry may appear for this datagram.
2615AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2616])
2617
2618OVS_TRAFFIC_VSWITCHD_STOP
2619AT_CLEANUP
2620
2621AT_SETUP([conntrack - IPv4 fragmentation overlapping fragments by 1 octet out of order])
2622CHECK_CONNTRACK()
2623CHECK_CONNTRACK_FRAG_OVERLAP()
2624OVS_TRAFFIC_VSWITCHD_START()
4ea96698 2625DPCTL_SET_MIN_FRAG_SIZE()
2626
2627ADD_NAMESPACES(at_ns0, at_ns1)
2628
2629ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2630ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2631
2632AT_DATA([bundle.txt], [dnl
2633packet-out in_port=1, packet=50540000000a505400000009080045000030000100310011a4870a0101010a01010200010002000800000010203040506070809000010203040506070809, actions=ct(commit)
2634packet-out in_port=1, packet=50540000000a5054000000090800450001a400012000001183440a0101010a01010200010002000800000304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809, actions=ct(commit)
2635])
2636
2637AT_CHECK([ovs-ofctl bundle br0 bundle.txt])
# Same one-octet overlap as above, with the fragments sent in reverse order:
# arrival order must not change the outcome, no conntrack entry is created.
2639AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2640])
2641
2642OVS_TRAFFIC_VSWITCHD_STOP
2643AT_CLEANUP
2644
AT_SETUP([conntrack - IPv6 fragmentation])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl Sending ping through conntrack
dnl Default-deny. All IPv6 from p0 is committed in zone 9 and only established
dnl replies from p1 are forwarded back. Neighbour Discovery (ICMPv6 types
dnl 135/136) bypasses conntrack at a higher priority so that address
dnl resolution works in both directions.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])

dnl Ipv6 fragmentation connectivity check. A 1600-byte payload does not fit
dnl the link MTU, so each echo request arrives as IPv6 fragments that
dnl conntrack has to handle for the reply to be established.
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv6 larger fragmentation connectivity check (more fragments per echo).
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2683
AT_SETUP([conntrack - IPv6 fragmentation expiry])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl Default-deny. Only whole datagrams and first fragments from p0 are
dnl committed and forwarded; later fragments are dropped, so the receiver can
dnl never reassemble and no reply is produced. The partial reassembly state
dnl this leaves in conntrack is what the test lets expire.
AT_DATA([flows.txt], [dnl
priority=1,action=drop

dnl Only allow non-fragmented messages and 1st fragments of each message
priority=10,in_port=1,ipv6,ip_frag=first,action=ct(commit,zone=9),2
priority=10,in_port=1,ipv6,ip_frag=no,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1

dnl Neighbour Discovery
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])

dnl Send an IPv6 fragment. Some time later, it should expire.
dnl Negative check: every echo goes unanswered. The expected count of 7 comes
dnl from ping continuing to send at the 0.3 s interval until the -w 2 deadline.
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 1 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
7 packets transmitted, 0 received, 100% packet loss, time 0ms
])

dnl At this point, the kernel will either crash or everything is OK.
dnl This is a regression guard: the stale first fragments must be aged out of
dnl the conntrack fragment state without faulting (presumably on timeout or
dnl when the datapath is torn down at stop). A crash is the only observable
dnl failure mode, which is why there is nothing further to assert.

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2723
AT_SETUP([conntrack - IPv6 fragmentation + vlan])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl The pings below target fc00:1::4, so every fragment reaches conntrack
dnl carrying a VLAN 100 tag.
ADD_VLAN(p0, at_ns0, 100, "fc00:1::3/96")
ADD_VLAN(p1, at_ns1, 100, "fc00:1::4/96")

dnl Sending ping through conntrack
dnl Same policy as the untagged IPv6 fragmentation test: default-deny, IPv6
dnl from p0 committed in zone 9, only established replies forwarded from p1,
dnl and Neighbour Discovery (ICMPv6 135/136) bypassing conntrack.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
dnl NOTE(review): this warm-up pings the untagged fc00::2 while the checks
dnl below use the tagged fc00:1::4; the cvlan variant of this test waits on
dnl the tagged address instead, which is the path actually under test.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])

dnl Ipv6 fragmentation connectivity check (tagged traffic).
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv6 larger fragmentation connectivity check (tagged traffic).
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2765
AT_SETUP([conntrack - IPv6 fragmentation + cvlan])
CHECK_CONNTRACK()
dnl vlan-limit=0 is required for the stacked 802.1ad tags below to be matched
dnl through; presumably it lifts the default single-tag parsing limit -- confirm
dnl against vswitch.xml.
OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])
OVS_CHECK_8021AD()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl Outer service tag 4094, with customer tag 100 stacked on top of it.
ADD_SVLAN(p0, at_ns0, 4094, "fc00:ffff::3/96")
ADD_SVLAN(p1, at_ns1, 4094, "fc00:ffff::4/96")

ADD_CVLAN(p0.4094, at_ns0, 100, "fc00:1::3/96")
ADD_CVLAN(p1.4094, at_ns1, 100, "fc00:1::4/96")

dnl Sending ping through conntrack
dnl Same policy as the untagged IPv6 fragmentation test: default-deny, IPv6
dnl from p0 committed in zone 9, only established replies forwarded from p1,
dnl and Neighbour Discovery (ICMPv6 135/136) bypassing conntrack.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Wait until the double-tagged IPv6 path actually carries traffic before
dnl running the timed checks.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00:1::4])

dnl Ipv6 fragmentation connectivity check (double-tagged, inner cvlan).
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv6 fragmentation connectivity check. (outer svlan)
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:ffff::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv6 larger fragmentation connectivity check (double-tagged, inner cvlan).
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv6 larger fragmentation connectivity check. (outer svlan)
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:ffff::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2818
AT_SETUP([conntrack - IPv6 fragmentation incomplete reassembled packet])
dnl Only the first fragment of a UDP datagram is injected. Reassembly can never
dnl complete, so ct(commit) must not create a conntrack entry for it.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()
dnl Presumably lowers the datapath's minimum accepted fragment size so the short
dnl crafted fragments below are not rejected; confirm against the macro definition.
DPCTL_SET_MIN_FRAG_SIZE()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl Single IPv6 fragment (next header 0x2c = Fragment, then UDP) from fc00::1
dnl to fc00::2, committed to conntrack.
AT_DATA([bundle.txt], [dnl
packet-out in_port=1, packet=50540000000a50540000000986dd6000000001a02cfffc000000000000000000000000000001fc0000000000000000000000000000021100000100000001000100020008f62900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809, actions=ct(commit)
])

AT_CHECK([ovs-ofctl bundle br0 bundle.txt])

dnl Expect no entry at all: the output filtered for fc00::2 must be empty.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2840
AT_SETUP([conntrack - IPv6 fragmentation with fragments specified])
dnl Both fragments of one UDP datagram are injected in order; after reassembly
dnl conntrack must hold exactly one UDP entry for fc00::1 -> fc00::2.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()
dnl Presumably lowers the datapath's minimum accepted fragment size so the short
dnl crafted fragments below are not rejected; confirm against the macro definition.
DPCTL_SET_MIN_FRAG_SIZE()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl First the long initial fragment, then the short trailing fragment.
AT_DATA([bundle.txt], [dnl
packet-out in_port=1, packet=50540000000a50540000000986dd6000000001a02cfffc000000000000000000000000000001fc0000000000000000000000000000021100000100000001000100020008ba0200010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809, actions=ct(commit)
packet-out in_port=1, packet=50540000000a50540000000986dd6000000000242cfffc000000000000000000000000000001fc000000000000000000000000000002110001980000000100010002000800000001020304050607080900010203040506070809, actions=ct(commit)
])

AT_CHECK([ovs-ofctl bundle br0 bundle.txt])

AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
udp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2864
AT_SETUP([conntrack - IPv6 fragmentation out of order])
dnl Same two fragments as the previous test, but the short trailing fragment
dnl arrives before the long initial one. Reassembly must still succeed and
dnl produce a single UDP entry.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()
dnl Presumably lowers the datapath's minimum accepted fragment size so the short
dnl crafted fragments below are not rejected; confirm against the macro definition.
DPCTL_SET_MIN_FRAG_SIZE()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

AT_DATA([bundle.txt], [dnl
packet-out in_port=1, packet=50540000000a50540000000986dd6000000000242cfffc000000000000000000000000000001fc000000000000000000000000000002110001980000000100010002000800000001020304050607080900010203040506070809, actions=ct(commit)
packet-out in_port=1, packet=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, actions=ct(commit)
])

AT_CHECK([ovs-ofctl bundle br0 bundle.txt])

AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
udp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2888
AT_SETUP([conntrack - IPv6 fragmentation, multiple extension headers])
dnl The fragments carry a Hop-by-Hop Options header (IPv6 next header 0x00)
dnl in front of the Fragment header (0x2c). The extension-header chain must be
dnl walked correctly for reassembly and the UDP entry to appear.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()
dnl Presumably lowers the datapath's minimum accepted fragment size so the short
dnl crafted fragments below are not rejected; confirm against the macro definition.
DPCTL_SET_MIN_FRAG_SIZE()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

# Add different extension headers
dnl Initial fragment first, trailing fragment second.
AT_DATA([bundle.txt], [dnl
packet-out in_port=1, packet=50540000000a50540000000986dd60000000019800fffc000000000000000000000000000001fc0000000000000000000000000000022c000000000000001100000100000001000100020008e04000010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607, actions=ct(commit)
packet-out in_port=1, packet=50540000000a50540000000986dd60000000002c00fffc000000000000000000000000000001fc0000000000000000000000000000022c00000000000000110001880000000100010002000800000001020304050607080900010203040506070809, actions=ct(commit)
])

AT_CHECK([ovs-ofctl bundle br0 bundle.txt])

AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
udp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2913
AT_SETUP([conntrack - IPv6 fragmentation, multiple extension headers + out of order])
dnl Same Hop-by-Hop + Fragment header chain as the previous test, with the
dnl trailing fragment injected before the initial one.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()
dnl Presumably lowers the datapath's minimum accepted fragment size so the short
dnl crafted fragments below are not rejected; confirm against the macro definition.
DPCTL_SET_MIN_FRAG_SIZE()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

# Add different extension headers
AT_DATA([bundle.txt], [dnl
packet-out in_port=1, packet=50540000000a50540000000986dd60000000002c00fffc000000000000000000000000000001fc0000000000000000000000000000022c00000000000000110001880000000100010002000800000001020304050607080900010203040506070809, actions=ct(commit)
packet-out in_port=1, packet=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, actions=ct(commit)
])

AT_CHECK([ovs-ofctl bundle br0 bundle.txt])

AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
udp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2938
AT_SETUP([conntrack - IPv6 fragmentation, multiple extension headers 2])
dnl Variant of the multiple-extension-headers test: the trailing fragment's
dnl Hop-by-Hop header carries a different option TLV (bytes 05020000 instead of
dnl all-zero padding), so option parsing is exercised as well.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()
dnl Presumably lowers the datapath's minimum accepted fragment size so the short
dnl crafted fragments below are not rejected; confirm against the macro definition.
DPCTL_SET_MIN_FRAG_SIZE()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

# Add different extension headers
AT_DATA([bundle.txt], [dnl
packet-out in_port=1, packet=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, actions=ct(commit)
packet-out in_port=1, packet=50540000000a50540000000986dd60000000002c00fffc000000000000000000000000000001fc0000000000000000000000000000022c00000005020000110001880000000100010002000800000001020304050607080900010203040506070809, actions=ct(commit)
])

AT_CHECK([ovs-ofctl bundle br0 bundle.txt])

AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
udp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2963
AT_SETUP([conntrack - IPv6 fragmentation, multiple extension headers 2 + out of order])
dnl Same fragments as "multiple extension headers 2", trailing fragment first.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()
dnl Presumably lowers the datapath's minimum accepted fragment size so the short
dnl crafted fragments below are not rejected; confirm against the macro definition.
DPCTL_SET_MIN_FRAG_SIZE()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

# Add different extension headers
AT_DATA([bundle.txt], [dnl
packet-out in_port=1, packet=50540000000a50540000000986dd60000000002c00fffc000000000000000000000000000001fc0000000000000000000000000000022c00000005020000110001880000000100010002000800000001020304050607080900010203040506070809, actions=ct(commit)
packet-out in_port=1, packet=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, actions=ct(commit)
])

AT_CHECK([ovs-ofctl bundle br0 bundle.txt])

AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
udp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2988
AT_SETUP([conntrack - Fragmentation over vxlan])
dnl ICMP from a namespace reaches br0 through a VXLAN tunnel, is committed in
dnl conntrack zone 9 and handed to the local stack; replies from LOCAL are
dnl forwarded back only once the connection is established. Payload sizes of
dnl 1600 and 3200 bytes are chosen to force fragmentation of the overlay traffic.
OVS_CHECK_VXLAN()
CHECK_CONNTRACK()
CHECK_CONNTRACK_LOCAL_STACK()

OVS_TRAFFIC_VSWITCHD_START()
dnl The underlay bridge just switches normally between the veth and the host.
ADD_BR([br-underlay])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Sending ping through conntrack.
dnl Only ARP bypasses conntrack; non-ICMP traffic is dropped by the priority=1 rule.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),LOCAL
priority=100,in_port=LOCAL,icmp,action=ct(table=1,zone=9)
table=1,in_port=LOCAL,ct_state=+trk+est,icmp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace. Overlay: 10.1.1.100 (OVS) <-> 10.1.1.1 (ns).
ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
 [id 0 dstport 4789])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with different packet sizes
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
c4e34c61 3040
AT_SETUP([conntrack - IPv6 Fragmentation over vxlan])
dnl IPv6 counterpart of "Fragmentation over vxlan": an IPv4 VXLAN underlay
dnl (172.31.1.0/24) carries an IPv6 overlay (fc00::/96). Overlay traffic is
dnl committed in zone 9 towards LOCAL and only established traffic flows back.
OVS_CHECK_VXLAN()
CHECK_CONNTRACK()
CHECK_CONNTRACK_LOCAL_STACK()

OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Sending ping through conntrack
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=100,in_port=1,ipv6,action=ct(commit,zone=9),LOCAL
priority=100,in_port=LOCAL,ipv6,action=ct(table=1,zone=9)
table=1,in_port=LOCAL,ct_state=+trk+est,ipv6,action=1

dnl Neighbour Discovery (ICMPv6 solicitation/advertisement) must bypass
dnl conntrack, otherwise address resolution on the overlay never completes.
priority=1000,icmp6,icmp_type=135,action=normal
priority=1000,icmp6,icmp_type=136,action=normal
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], ["fc00::2/96"])
ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], ["fc00::1/96"],
 [id 0 dstport 4789])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with different packet sizes
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
9ac0aada 3100
AT_SETUP([conntrack - resubmit to ct multiple times])
dnl A packet is resubmitted to two tables that each invoke ct(table=3). Both
dnl ct() calls must recirculate independently, so table 3 sees the packet twice.
dnl Nothing is ever forwarded; the ping is expected to lose every packet.
CHECK_CONNTRACK()

dnl Secure fail mode: no implicit NORMAL flow, only the flows installed below.
OVS_TRAFFIC_VSWITCHD_START(
 [set-fail-mode br0 secure -- ])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

AT_DATA([flows.txt], [dnl
table=0,priority=150,arp,action=normal
table=0,priority=100,ip,in_port=1,action=resubmit(,1),resubmit(,2)

table=1,ip,action=ct(table=3)
table=2,ip,action=ct(table=3)

table=3,ip,action=drop
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

NS_CHECK_EXEC([at_ns0], [ping -q -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
1 packets transmitted, 0 received, 100% packet loss, time 0ms
])

dnl One 98-byte echo request: tables 1 and 2 each count it once, table 3 counts
dnl it twice (196 bytes), proving both ct() recirculations reached table 3.
AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort], [0], [dnl
 n_packets=1, n_bytes=98, priority=100,ip,in_port=1 actions=resubmit(,1),resubmit(,2)
 n_packets=2, n_bytes=84, priority=150,arp actions=NORMAL
 table=1, n_packets=1, n_bytes=98, ip actions=ct(table=3)
 table=2, n_packets=1, n_bytes=98, ip actions=ct(table=3)
 table=3, n_packets=2, n_bytes=196, ip actions=drop
NXST_FLOW reply:
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
9ac0aada 3139
dnl Application-layer conntrack tests: HTTP and FTP through ct() policies,
dnl multiple zones, multi-stage pipelines and per-zone connection limits.
AT_BANNER([conntrack - L7])

AT_SETUP([conntrack - IPv4 HTTP])
dnl Stateful one-way HTTP policy: ns0 may open TCP connections to ns1, but ns1
dnl may only answer existing connections, never initiate its own.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any traffic from ns0->ns1. From ns1->ns0 only allow ARP, ICMP and
dnl TCP belonging to a connection that ns0 already established.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

OVS_START_L7([at_ns0], [http])
OVS_START_L7([at_ns1], [http])

dnl HTTP requests from ns0->ns1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Exactly one TCP entry for the ns0 -> ns1 connection must exist.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
])

dnl HTTP requests from ns1->ns0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals. wget's exit status 4 (network failure)
dnl is the expected result since the SYNs are dropped by the priority=1 rule.
NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 --retry-connrefused -v -o wget1.log], [4])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
3178
AT_SETUP([conntrack - IPv6 HTTP])
dnl IPv6 counterpart of "IPv4 HTTP": ns0 may open TCP connections to ns1;
dnl ns1 may only answer established ones.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl Allow any traffic from ns0->ns1. From ns1->ns0 only allow ICMPv6 (which
dnl covers neighbour discovery) and TCP of an already established connection.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,icmp6,action=normal
priority=100,in_port=1,tcp6,action=ct(commit),2
priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])

OVS_START_L7([at_ns0], [http6])
OVS_START_L7([at_ns1], [http6])

dnl HTTP requests from ns0->ns1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
])

dnl HTTP requests from ns1->ns0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals. wget exit status 4 = network failure.
NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 --retry-connrefused -v -o wget1.log], [4])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
3219
AT_SETUP([conntrack - commit, recirc])
dnl Two independent client/server pairs (p0->p1 and p2->p3) exercise ct(commit)
dnl combined with recirculation via table=0. The p2 path additionally uses the
dnl metadata field to commit only on the second pass through the table.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow any traffic from ns0->ns1, ns2->ns3.
dnl p0/p1: untracked TCP is committed (p0) or looked up (p1) and recirculated,
dnl tracked TCP is forwarded to the peer port.
dnl p2: first pass clears metadata and looks up; second pass (metadata=0) sets
dnl metadata=1 and commits; third pass (metadata=1) outputs to port 4.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=1,tcp,ct_state=+trk,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,tcp,ct_state=+trk,action=1
priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=4,tcp,ct_state=+trk,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

OVS_START_L7([at_ns1], [http])
OVS_START_L7([at_ns3], [http])

dnl HTTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl HTTP requests from p2->p3 should work fine.
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
3260
AT_SETUP([conntrack - multiple zones, local])
dnl Traffic from the local stack to ns0 is committed in two zones (1 and 2);
dnl return traffic must pass an established-state lookup in both zones before
dnl reaching LOCAL. Every connection is therefore expected to appear twice in
dnl the conntrack dump, once per zone.
CHECK_CONNTRACK()
CHECK_CONNTRACK_LOCAL_STACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0)

dnl br0 itself gets the host-side address; the on_exit hook removes it again.
AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
AT_CHECK([ip link set dev br0 up])
on_exit 'ip addr del dev br0 "10.1.1.1/24"'
ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")

dnl Allow traffic from local stack to ns0. From ns0 back to the local stack only
dnl allow ARP and return traffic that is established in both zone 1 and zone 2.
dnl Untracked IP from LOCAL is dropped; in practice LOCAL traffic arrives already
dnl tracked (+trk+new or +trk+est) and is committed to both zones.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
table=1,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
table=2,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_START_L7([at_ns0], [http])

dnl HTTP requests from root namespace to p0 should work fine.
AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl (again) HTTP requests from root namespace to p0 should work fine.
AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl One ICMP and one TCP entry per zone. Only a single TCP pair shows up even
dnl though wget ran twice: the dump is filtered on zone entries for 10.1.1.2.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=1
icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=2
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
3309
AT_SETUP([conntrack - multi-stage pipeline, local])
dnl Five-table ingress/egress pipeline where the conntrack zone is derived from
dnl a field rather than a constant: the input port on ingress, the output port
dnl (stashed in REG0) on egress. LOCAL is port 65534, so connections appear in
dnl zones 1 and 65534.
CHECK_CONNTRACK()
CHECK_CONNTRACK_LOCAL_STACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0)

AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
AT_CHECK([ip link set dev br0 up])
on_exit 'ip addr del dev br0 "10.1.1.1/24"'
ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")

dnl Allow traffic from local stack to ns0. From ns0 back to the local stack only
dnl allow ARP and return traffic of an established connection.
AT_DATA([flows.txt], [dnl
dnl default
table=0,priority=1,action=drop
table=0,priority=10,arp,action=normal

dnl Load the output port to REG0
table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1

dnl Ingress pipeline
dnl - Allow all connections from LOCAL port (commit and proceed to egress)
dnl - All other connections go through conntracker using the input port as
dnl a connection tracking zone.
table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,table=2,zone=OXM_OF_IN_PORT[[0..15]])
table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
table=1,priority=1,action=drop

dnl Egress pipeline
dnl - Allow all connections from LOCAL port (commit and skip to output)
dnl - Allow other established connections to go through conntracker using
dnl output port as a connection tracking zone.
table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,table=4,zone=NXM_NX_REG0[[0..15]])
table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
table=2,priority=1,action=drop

dnl Only allow established traffic from egress ct lookup
table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
table=3,priority=1,action=drop

dnl output table
table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_START_L7([at_ns0], [http])

dnl HTTP requests from root namespace to p0 should work fine.
AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl (again) HTTP requests from root namespace to p0 should work fine.
AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl Each connection was committed once per direction-derived zone: zone 1
dnl (ingress from LOCAL, output port 1) and zone 65534 (egress via LOCAL).
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=1
icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=65534
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=65534,protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
3380
AT_SETUP([conntrack - limit by zone])
dnl Per-zone connection limits: once a zone holds its configured number of
dnl entries, further ct(commit) attempts in that zone must not create new ones.
dnl Zone 0 (default zone, port 1 traffic) is capped at 5, zone 3 (port 2
dnl traffic) at 3; deleted limits fall back to the default of 10.
CHECK_CONNTRACK()
CHECK_CT_DPIF_PER_ZONE_LIMIT()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl UDP from port 1 is committed in the default zone (0); UDP from port 2 in zone 3.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,udp,action=ct(commit),2
priority=100,in_port=2,udp,action=ct(zone=3,commit),1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Set limits, then delete the ones for zones 1, 2 and 4 (4 never had one).
dnl Zones 1 and 2 must now report the default limit of 10 instead of 15 and 3.
AT_CHECK([ovs-appctl dpctl/ct-set-limits default=10 zone=0,limit=5 zone=1,limit=15 zone=2,limit=3 zone=3,limit=3])
AT_CHECK([ovs-appctl dpctl/ct-del-limits zone=1,2,4])
AT_CHECK([ovs-appctl dpctl/ct-get-limits zone=0,1,2,3], [],[dnl
default limit=10
zone=0,limit=5,count=0
zone=1,limit=10,count=0
zone=2,limit=10,count=0
zone=3,limit=3,count=0
])

dnl Test UDP from port 1
dnl Nine datagrams 10.1.1.1 -> 10.1.1.2, sport 1, dport 2..10 (distinct flows).
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 actions=resubmit(,0)"])
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000300080000 actions=resubmit(,0)"])
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000400080000 actions=resubmit(,0)"])
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000500080000 actions=resubmit(,0)"])
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000600080000 actions=resubmit(,0)"])
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000700080000 actions=resubmit(,0)"])
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000800080000 actions=resubmit(,0)"])
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000900080000 actions=resubmit(,0)"])
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000a00080000 actions=resubmit(,0)"])

dnl Only 5 of the 9 datagrams may have produced entries in zone 0. Zones
dnl without an explicit limit (4, 5) report the default limit.
AT_CHECK([ovs-appctl dpctl/ct-get-limits zone=0,1,2,3,4,5], [0], [dnl
default limit=10
zone=0,limit=5,count=5
zone=1,limit=10,count=0
zone=2,limit=10,count=0
zone=3,limit=3,count=0
zone=4,limit=10,count=0
zone=5,limit=10,count=0
])

dnl Test ct-get-limits for all zones: without arguments only zones with an
dnl explicit limit are listed.
AT_CHECK([ovs-appctl dpctl/ct-get-limits], [0], [dnl
default limit=10
zone=0,limit=5,count=5
zone=3,limit=3,count=0
])

dnl The first five datagrams (dport 2..6) got entries; dport 7..10 were refused.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.1," | sort ], [0], [dnl
udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),reply=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1)
udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=3),reply=(src=10.1.1.2,dst=10.1.1.1,sport=3,dport=1)
udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=4),reply=(src=10.1.1.2,dst=10.1.1.1,sport=4,dport=1)
udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=5),reply=(src=10.1.1.2,dst=10.1.1.1,sport=5,dport=1)
udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=6),reply=(src=10.1.1.2,dst=10.1.1.1,sport=6,dport=1)
])

dnl Test UDP from port 2
dnl Five datagrams 10.1.1.3 -> 10.1.1.4 into zone 3, which is capped at 3.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101030a0101040001000200080000 actions=resubmit(,0)"])
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101030a0101040001000300080000 actions=resubmit(,0)"])
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101030a0101040001000400080000 actions=resubmit(,0)"])
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101030a0101040001000500080000 actions=resubmit(,0)"])
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101030a0101040001000600080000 actions=resubmit(,0)"])

AT_CHECK([ovs-appctl dpctl/ct-get-limits zone=0,3], [0], [dnl
default limit=10
zone=0,limit=5,count=5
zone=3,limit=3,count=3
])

AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.3," | sort ], [0], [dnl
udp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=1,dport=2),reply=(src=10.1.1.4,dst=10.1.1.3,sport=2,dport=1),zone=3
udp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=1,dport=3),reply=(src=10.1.1.4,dst=10.1.1.3,sport=3,dport=1),zone=3
udp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=1,dport=4),reply=(src=10.1.1.4,dst=10.1.1.3,sport=4,dport=1),zone=3
])

dnl Commits refused by the limit are presumably what produces these log lines;
dnl they are filtered out so the log check at shutdown does not fail on them.
OVS_TRAFFIC_VSWITCHD_STOP(["dnl
/could not create datapath/d
/(Cannot allocate memory) on packet/d"])
AT_CLEANUP
3469
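AT_SETUP([FTP - no conntrack])
AT_SKIP_IF([test $HAVE_FTP = no])
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Plain L2 switching without any connection tracking: baseline that FTP
dnl works at all before the conntrack and ALG variants below are exercised.
AT_DATA([flows.txt], [dnl
table=0,action=normal
])

AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt])

dnl Start an FTP server in each namespace; the pid file name follows the
dnl namespace it belongs to. Only the at_ns1 server is contacted below, so
dnl that is the one waited for.
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])

dnl FTP requests from p0->p1 should work fine (active mode, three tries with
dnl a one-second timeout each).
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl The retrieved listing is written to index.html in the test directory.
dnl The start path is given explicitly; omitting it is a GNU find extension.
AT_CHECK([find . -name index.html], [0], [dnl
./index.html
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP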
3498
AT_SETUP([conntrack - FTP])
AT_SKIP_IF([test $HAVE_FTP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_ALG()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Port 1 is p0 (at_ns0), port 2 is p1 (at_ns1).
dnl flows1: allow any TCP from ns0->ns1 and commit it with the FTP ALG, so the
dnl data connection the server opens back is recognised as related.
dnl From ns1->ns0 only ARP, ICMP and tracked established or related TCP pass;
dnl everything else hits the priority=1 drop.
AT_DATA([flows1.txt], [dnl
table=0,priority=1,action=drop
table=0,priority=10,arp,action=normal
table=0,priority=10,icmp,action=normal
table=0,priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
table=0,priority=100,in_port=2,tcp,action=ct(table=1)
table=1,in_port=2,tcp,ct_state=+trk+est,action=1
table=1,in_port=2,tcp,ct_state=+trk+rel,action=1
])

dnl Similar policy but without allowing all traffic from ns0->ns1.
AT_DATA([flows2.txt], [dnl
table=0,priority=1,action=drop
table=0,priority=10,arp,action=normal
table=0,priority=10,icmp,action=normal

dnl Allow outgoing TCP connections, and treat them as FTP
table=0,priority=100,in_port=1,tcp,action=ct(table=1)
table=1,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
table=1,in_port=1,tcp,ct_state=+trk+est,action=2

dnl Allow incoming FTP data connections and responses to existing connections
dnl A new+rel connection from port 2 is the server-initiated active-mode data
dnl channel; it is committed so its later packets match +est.
table=0,priority=100,in_port=2,tcp,action=ct(table=1)
table=1,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
table=1,in_port=2,tcp,ct_state=+trk+est,action=1
table=1,in_port=2,tcp,ct_state=+trk-new+rel,action=1
])

dnl flows3 is same as flows1, except no ALG is specified.
AT_DATA([flows3.txt], [dnl
table=0,priority=1,action=drop
table=0,priority=10,arp,action=normal
table=0,priority=10,icmp,action=normal
table=0,priority=100,in_port=1,tcp,action=ct(commit),2
table=0,priority=100,in_port=2,tcp,action=ct(table=1)
table=1,in_port=2,tcp,ct_state=+trk+est,action=1
table=1,in_port=2,tcp,ct_state=+trk+rel,action=1
])

AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])

OVS_START_L7([at_ns0], [ftp])
OVS_START_L7([at_ns1], [ftp])

dnl FTP requests from p1->p0 should fail due to network failure.
dnl Three tries with a one-second timeout each; wget exit status 4 means
dnl network failure. No conntrack entry towards 10.1.1.1 may exist afterwards.
NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
])

dnl FTP requests from p0->p1 should work fine.
dnl The committed control connection carries the ftp helper.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
])

dnl Try the second set of flows.
dnl Flush conntrack so state left by the previous policy cannot leak into this one.
AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
AT_CHECK([ovs-appctl dpctl/flush-conntrack])

dnl FTP requests from p1->p0 should fail due to network failure.
dnl Three tries with a one-second timeout each.
NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
])

dnl Active FTP requests from p0->p1 should work fine.
dnl Both the control connection (helper=ftp) and the server-initiated data
dnl connection (orig src=10.1.1.2, no helper) end up as committed entries.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
])

AT_CHECK([ovs-appctl dpctl/flush-conntrack])

dnl Passive FTP requests from p0->p1 should work fine.
dnl In passive mode the client opens the data connection itself, so no
dnl connection is initiated from port 2 towards port 1.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
])

dnl Try the third set of flows, without alg specifier.
AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows3.txt])
AT_CHECK([ovs-appctl dpctl/flush-conntrack])

dnl FTP control requests from p0->p1 should work fine, but helper will not be assigned.
dnl Without the ALG the active-mode data connection the server opens back is
dnl not related to anything the port 2 rules accept, so the transfer fails and
dnl wget exits with status 4. The control connection is still committed,
dnl without a helper.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-3.log], [4])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
3604
AT_SETUP([conntrack - FTP over IPv6])
AT_SKIP_IF([test $HAVE_FTP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_ALG()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl Allow any traffic from ns0->ns1.
dnl Only allow nd, return traffic from ns1->ns0.
dnl Port 1 is p0 (at_ns0), port 2 is p1 (at_ns1).
AT_DATA([flows.txt], [dnl
dnl Track all IPv6 traffic and drop the rest.
dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked.
table=0 priority=100 in_port=1 icmp6, action=2
table=0 priority=100 in_port=2 icmp6, action=1
table=0 priority=10 ip6, action=ct(table=1)
table=0 priority=0 action=drop
dnl
dnl Table 1
dnl
dnl Allow new TCPv6 FTP control connections from port 1.
dnl Only connections to the control port (21) are committed with the ALG;
dnl any other new connection from port 1 falls through to the drop below.
table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
dnl Allow related TCPv6 connections from port 2.
dnl This is the active-mode data connection the server opens back to the client.
table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1
dnl Allow established TCPv6 connections both ways.
table=1 in_port=1 ct_state=+est, tcp6, action=2
table=1 in_port=2 ct_state=+est, tcp6, action=1
dnl Drop everything else.
table=1 priority=0, action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])

OVS_START_L7([at_ns1], [ftp])

dnl FTP requests from p0->p1 should work fine.
dnl Active mode (--no-passive-ftp), three tries with a one-second timeout each.
dnl The doubled brackets are m4 quoting and yield the literal URL ftp://[fc00::2].
NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])

dnl Discards CLOSE_WAIT and CLOSING
dnl Expect the control connection (helper=ftp) and the server-initiated data
dnl connection (orig src=fc00::2) as committed entries.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
tcp,orig=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
3659
AT_SETUP([conntrack - IPv6 FTP Passive])
AT_SKIP_IF([test $HAVE_FTP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_ALG()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

dnl Fixed MACs and static neighbour entries on both sides.
dnl NOTE(review): the test does not state why ND is bypassed here although the
dnl flows below forward ICMPv6 both ways; confirm before relying on it.
ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:99])
NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::2 lladdr 80:88:88:88:88:99 dev p0])
NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::1 lladdr 80:88:88:88:88:88 dev p1])

dnl Allow any traffic from ns0->ns1.
dnl Only allow nd, return traffic from ns1->ns0.
dnl Port 1 is p0 (at_ns0), port 2 is p1 (at_ns1).
AT_DATA([flows.txt], [dnl
dnl Track all IPv6 traffic and drop the rest.
dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked.
table=0 priority=100 in_port=1 icmp6, action=2
table=0 priority=100 in_port=2 icmp6, action=1
table=0 priority=10 ip6, action=ct(table=1)
table=0 priority=0 action=drop
dnl
dnl Table 1
dnl
dnl Allow new TCPv6 FTP control connections from port 1.
table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
dnl Allow related TCPv6 connections from port 1.
dnl In passive mode the client opens the data connection, so unlike the active
dnl case the related connection arrives on port 1 and nothing new is accepted
dnl from port 2.
table=1 in_port=1 ct_state=+new+rel, tcp6, action=ct(commit),2
dnl Allow established TCPv6 connections both ways.
table=1 in_port=1 ct_state=+est, tcp6, action=2
table=1 in_port=2 ct_state=+est, tcp6, action=1
dnl Drop everything else.
table=1 priority=0, action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])

OVS_START_L7([at_ns1], [ftp])

dnl FTP passive requests from p0->p1 should work fine.
dnl No --no-passive-ftp here, so wget uses passive mode.
NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])

dnl Discards CLOSE_WAIT and CLOSING
dnl Both entries originate from the client (src=fc00::1): the data connection
dnl without a helper and the control connection with helper=ftp.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
3718
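AT_SETUP([conntrack - FTP with multiple expectations])
AT_SKIP_IF([test $HAVE_FTP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_ALG()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Dual firewall: every connection is tracked in two zones in series, zone 1
dnl then zone 2 for traffic from port 1 (at_ns0) and the reverse for port 2
dnl (at_ns1), so the FTP ALG must create an expectation in each zone.
dnl Allow all from port 1 to port 2; allow only established and FTP-related
dnl traffic from port 2 to port 1.
AT_DATA([flows.txt], [dnl
table=0,priority=1,action=drop
table=0,priority=10,arp,action=normal
table=0,priority=10,icmp,action=normal

dnl Traffic from port 1 (at_ns0)
dnl Track in zone 1. New unrelated connections are committed in both zones with
dnl the FTP ALG; new related ones (e.g. a passive-mode data connection) are
dnl committed in both zones without it. Established traffic is re-checked in
dnl zone 2 before being forwarded.
table=0,priority=100,in_port=1,tcp,action=ct(table=1,zone=1)
table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new-rel,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new+rel,action=ct(commit,zone=1),ct(commit,zone=2),2
table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=2,zone=2)
table=2,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2

dnl Traffic from port 2 (at_ns1)
dnl Track in zone 2 first. Related connections (e.g. an active-mode data
dnl connection) are committed in both zones; established traffic is re-checked
dnl in zone 1 before being forwarded. Anything new and unrelated is dropped.
table=0,priority=100,in_port=2,tcp,action=ct(table=1,zone=2)
table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=2,zone=1)
table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

OVS_START_L7([at_ns0], [ftp])
OVS_START_L7([at_ns1], [ftp])

dnl FTP requests from p1->p0 should fail due to network failure.
dnl Three tries with a one-second timeout each; wget exit status 4 means
dnl network failure. No conntrack entry towards 10.1.1.1 may exist afterwards.
NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
])

dnl Active FTP requests from p0->p1 should work fine.
dnl Expect the control connection (helper=ftp) and the server-initiated data
dnl connection (orig src=10.1.1.2) once per zone.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
])

AT_CHECK([ovs-appctl dpctl/flush-conntrack])

dnl Passive FTP requests from p0->p1 should work fine.
dnl Both connections now originate from the client; expect the data connection
dnl (no helper) and the control connection (helper=ftp) once per zone.
dnl A separate log file keeps the active-mode run's log available for debugging.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-1.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP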
3784
AT_SETUP([conntrack - TFTP])
AT_SKIP_IF([test $HAVE_TFTP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_ALG()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Port 1 is p0 (at_ns0), port 2 is p1 (at_ns1).
dnl flows1: any UDP from ns0->ns1 is committed with the TFTP ALG, so the
dnl transfer the server answers from a fresh source port is seen as related.
dnl From ns1->ns0 only ARP, ICMP and tracked established or related UDP pass;
dnl everything else hits the priority=1 drop.
AT_DATA([flows1.txt], [dnl
table=0,priority=1,action=drop
table=0,priority=10,arp,action=normal
table=0,priority=10,icmp,action=normal
table=0,priority=100,in_port=1,udp,action=ct(alg=tftp,commit),2
table=0,priority=100,in_port=2,udp,action=ct(table=1)
table=1,in_port=2,udp,ct_state=+trk+est,action=1
table=1,in_port=2,udp,ct_state=+trk+rel,action=1
])

dnl Similar policy but without allowing all traffic from ns0->ns1.
AT_DATA([flows2.txt], [dnl
table=0,priority=1,action=drop
table=0,priority=10,arp,action=normal
table=0,priority=10,icmp,action=normal

dnl Allow outgoing UDP connections, and treat them as TFTP
dnl Only new unrelated flows get the ALG; new related ones are committed plainly.
table=0,priority=100,in_port=1,udp,action=ct(table=1)
table=1,in_port=1,udp,ct_state=+trk+new-rel,action=ct(commit,alg=tftp),2
table=1,in_port=1,udp,ct_state=+trk+new+rel,action=ct(commit),2
table=1,in_port=1,udp,ct_state=+trk+est,action=2

dnl Allow incoming TFTP data connections and responses to existing connections
dnl The related data flow from port 2 is forwarded but not committed here.
table=0,priority=100,in_port=2,udp,action=ct(table=1)
table=1,in_port=2,udp,ct_state=+trk+est,action=1
table=1,in_port=2,udp,ct_state=+trk+new+rel,action=1
])

AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])

OVS_START_L7([at_ns0], [tftp])
OVS_START_L7([at_ns1], [tftp])

dnl TFTP requests from p1->p0 should fail due to network failure.
dnl curl exit status 28 is an operation timeout; no conntrack entry towards
dnl 10.1.1.1 may exist afterwards.
NS_CHECK_EXEC([at_ns1], [[curl $CURL_OPT tftp://10.1.1.1/flows1.txt -o foo 2>curl0.log]], [28])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
])

dnl TFTP requests from p0->p1 should work fine.
dnl The committed request flow carries the tftp helper.
NS_CHECK_EXEC([at_ns0], [[curl $CURL_OPT tftp://10.1.1.2/flows1.txt -o foo 2>curl1.log]])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),helper=tftp
])

dnl Try the second set of flows.
dnl Flush conntrack so state left by the previous policy cannot leak into this one.
AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
AT_CHECK([ovs-appctl dpctl/flush-conntrack])

dnl TFTP requests from p1->p0 should fail due to network failure.
NS_CHECK_EXEC([at_ns1], [[curl $CURL_OPT tftp://10.1.1.1/flows1.txt -o foo 2>curl2.log]], [28])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
])

dnl TFTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [[curl $CURL_OPT tftp://10.1.1.2/flows1.txt -o foo 2>curl3.log]])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),helper=tftp
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
3858
dnl Connection-tracking NAT (SNAT and DNAT) test cases follow.
AT_BANNER([conntrack - NAT])
3860
AT_SETUP([conntrack - simple SNAT])
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0: the ARP responder in table 8 below answers ARP queries
dnl for the SNAT address range with this address.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any traffic from ns0->ns1, source-NATed to 10.1.1.240-10.1.1.255 in
dnl zone 1. Traffic from ns1->ns0 is first un-NATed and recirculated to
dnl table 0, then forwarded when it is tracked in zone 1.
dnl NOTE(review): the port 2 forwarding rule matches +trk rather than +est, so
dnl any tracked IP packet from ns1 is forwarded, not only return traffic of
dnl existing connections. This test exercises SNAT, not a return-only policy.
AT_DATA([flows.txt], [dnl
in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)
in_port=2,ct_state=+trk,ct_zone=1,ip,action=1
dnl
dnl ARP
dnl ARP requests: save the target IP in reg2, resolve it in table 8, then let
dnl table 10 decide whether to answer locally or switch the request normally.
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0,action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl Only the SNAT range 10.1.1.240/28 resolves, to the MAC given to p0 above.
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
dnl Swaps the fields of the ARP message to turn a query to a response.
dnl The ingress port is saved in reg3 and in_port cleared so the reply can be
dnl output through the port it arrived on.
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
OVS_START_L7([at_ns1], [http])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])

dnl The reply tuple must carry the translated source, which may be any address
dnl in 10.1.1.240-10.1.1.255; sed masks it as 10.1.1.2XX and uniq collapses
dnl lines that are identical once ports are cleared.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/' | uniq], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
3906
AT_SETUP([conntrack - SNAT with ct_mark change on reply])
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl The flow table below has no ARP rules (ARP hits the priority=0 drop), so
dnl MACs are fixed and neighbour entries are configured statically: ns0 must
dnl reach 10.1.1.2 and ns1 must reach the SNAT address 10.1.1.240.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])

ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.240 e6:66:c1:11:11:11])

dnl Allow any traffic from ns0->ns1, source-NATed to 10.1.1.240 in zone 1.
dnl Traffic from ns1->ns0 is un-NATed and recirculated, then re-committed with
dnl ct_mark=1 so that table 1 can require both the mark and the reply
dnl direction (+rpl) before forwarding it.
AT_DATA([flows.txt], [dnl
in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240)),2
in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)
dnl
dnl Setting the mark fails if the datapath can't find the existing conntrack
dnl entry after NAT has been reversed and the skb was lost due to an upcall.
dnl
in_port=2,ct_state=+trk,ct_zone=1,ip,action=ct(table=1,commit,zone=1,exec(set_field:1->ct_mark)),1
table=1,in_port=2,ct_mark=1,ct_state=+rpl,ct_zone=1,ip,action=1
dnl
priority=0,action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl ICMP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [ping -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
1 packets transmitted, 1 received, 0% packet loss, time 0ms
])

dnl The entry must be NATed (reply dst is 10.1.1.240, masked to 2XX by sed)
dnl and must carry mark=1, which was set on the reply path.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.2XX,id=<cleared>,type=0,code=0),zone=1,mark=1
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
3949
AT_SETUP([conntrack - SNAT with port range])
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0: the ARP responder in table 8 below answers ARP queries
dnl for the SNAT address range with this address.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any TCP from ns0->ns1, source-NATed to 10.1.1.240-10.1.1.255 with
dnl source port 34567 or 34568 picked randomly. Only TCP from ns1 destined to
dnl one of those two ports is un-NATed and recirculated; other TCP from ns1 is
dnl dropped by priority=0.
dnl NOTE(review): the port 2 forwarding rule matches +trk rather than +est, so
dnl it does not restrict traffic to replies of existing connections.
AT_DATA([flows.txt], [dnl
in_port=1,tcp,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255:34567-34568,random)),2
in_port=2,ct_state=-trk,tcp,tp_dst=34567,action=ct(table=0,zone=1,nat)
in_port=2,ct_state=-trk,tcp,tp_dst=34568,action=ct(table=0,zone=1,nat)
in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
dnl
dnl ARP
dnl ARP requests: save the target IP in reg2, resolve it in table 8, then let
dnl table 10 decide whether to answer locally or switch the request normally.
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0,action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl Only the SNAT range 10.1.1.240/28 resolves, to the MAC given to p0 above.
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
dnl Swaps the fields of the ARP message to turn a query to a response.
dnl The ingress port is saved in reg3 and in_port cleared so the reply can be
dnl output through the port it arrived on.
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
OVS_START_L7([at_ns1], [http])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])

dnl The reply tuple must carry the translated source; sed masks the address as
dnl 10.1.1.2XX and the ports are cleared by FORMAT_CT, so the chosen port does
dnl not affect the expected output.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/' | uniq], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
3996
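AT_SETUP([conntrack - SNAT with port range with exhaustion])
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0: the ARP responder in table 8 below answers ARP queries
dnl for the SNAT address with this address.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl SNAT ns0->ns1 TCP to the single tuple 10.1.1.240:34568, so the NAT tuple
dnl space holds exactly one connection. Return traffic to port 34567 or 34568
dnl is un-NATed and recirculated; other TCP from ns1 is dropped by priority=0.
AT_DATA([flows.txt], [dnl
in_port=1,tcp,action=ct(commit,zone=1,nat(src=10.1.1.240:34568,random)),2
in_port=2,ct_state=-trk,tcp,tp_dst=34567,action=ct(table=0,zone=1,nat)
in_port=2,ct_state=-trk,tcp,tp_dst=34568,action=ct(table=0,zone=1,nat)
in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
dnl
dnl ARP
dnl ARP requests: save the target IP in reg2, resolve it in table 8, then let
dnl table 10 decide whether to answer locally or switch the request normally.
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0,action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl The 10.1.1.240/28 range resolves to the MAC given to p0 above.
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
dnl Swaps the fields of the ARP message to turn a query to a response.
dnl The ingress port is saved in reg3 and in_port cleared so the reply can be
dnl output through the port it arrived on.
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
dnl The first connection takes the only available NAT tuple.
OVS_START_L7([at_ns1], [http])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 1 -T 1 --retry-connrefused -v -o wget0.log])

dnl The second connection cannot be NATed while the first one's conntrack entry
dnl still holds the tuple, so wget fails with exit status 4 (network failure).
dnl It logs to a separate file so the successful attempt's log is kept too.
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 1 -T 1 --retry-connrefused -v -o wget0-1.log], [4])

dnl Exactly one NATed entry is expected; sed masks the translated address as
dnl 10.1.1.2XX and uniq collapses identical lines after port clearing.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/' | uniq], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
])

dnl The exhaustion warning and the log rate-limit notice it may trigger are
dnl expected here, so they are filtered out of the vswitchd log check.
OVS_TRAFFIC_VSWITCHD_STOP(["dnl
/Unable to NAT due to tuple space exhaustion - if DoS attack, use firewalling and\/or zone partitioning./d
/Dropped .* log messages in last .* seconds \(most recently, .* seconds ago\) due to excessive rate/d"])
AT_CLEANUP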
4047
AT_SETUP([conntrack - more complex SNAT])
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0: the ARP responder in table 8 below answers ARP queries
dnl for the SNAT address range with this address.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Unlike the simpler SNAT tests, all IP traffic from both ports goes through
dnl conntrack first, and forwarding decisions in table 1 are made on ct_state,
dnl so only established traffic is accepted from ns1.
AT_DATA([flows.txt], [dnl
dnl Track all IP traffic, NAT existing connections.
priority=100 ip action=ct(table=1,zone=1,nat)
dnl
dnl Allow ARP, but generate responses for NATed addresses
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0 action=drop
dnl
dnl Allow any traffic from ns0->ns1. SNAT ns0 to 10.1.1.240-10.1.1.255
dnl New connections are committed with the NAT mapping; later packets of the
dnl same connection are already translated by the ct action above.
table=1 priority=100 in_port=1 ip ct_state=+trk+new-est action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
table=1 priority=100 in_port=1 ip ct_state=+trk-new+est action=2
dnl Only allow established traffic from ns1->ns0.
table=1 priority=100 in_port=2 ip ct_state=+trk-new+est action=1
table=1 priority=0 action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl Only the SNAT range 10.1.1.240/28 resolves, to the MAC given to p0 above.
table=8 priority=100 reg2=0x0a0101f0/0xfffffff0 action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
table=8 priority=0 action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl ARP TPA IP in reg2.
table=10 priority=100 arp xreg0=0 action=normal
dnl Swaps the fields of the ARP message to turn a query to a response.
dnl The ingress port is saved in reg3 and in_port cleared so the reply can be
dnl output through the port it arrived on.
table=10 priority=10 arp arp_op=1 action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
OVS_START_L7([at_ns1], [http])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])

dnl The reply tuple must carry the translated source, which may be any address
dnl in 10.1.1.240-10.1.1.255; sed masks it as 10.1.1.2XX and uniq collapses
dnl lines that are identical once ports are cleared.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/' | uniq], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
4099
4100AT_SETUP([conntrack - simple DNAT])
4101CHECK_CONNTRACK()
4573c42e 4102CHECK_CONNTRACK_NAT()
4103OVS_TRAFFIC_VSWITCHD_START()
4104
4105ADD_NAMESPACES(at_ns0, at_ns1)
4106
4107ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
4108ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
4109NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
4110
4111dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
4112AT_DATA([flows.txt], [dnl
4113priority=100 in_port=1,ip,nw_dst=10.1.1.64,action=ct(zone=1,nat(dst=10.1.1.2),commit),2
4114priority=10 in_port=1,ip,action=ct(commit,zone=1),2
4115priority=100 in_port=2,ct_state=-trk,ip,action=ct(table=0,nat,zone=1)
4116priority=100 in_port=2,ct_state=+trk+est,ct_zone=1,ip,action=1
4117dnl
4118dnl ARP
4119priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
4120priority=10 arp action=normal
4121priority=0,action=drop
4122dnl
4123dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
4124table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
4125dnl Zero result means not found.
4126table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
4127dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
4128dnl TPA IP in reg2.
4129table=10 priority=100 arp xreg0=0 action=normal
4130dnl Swaps the fields of the ARP message to turn a query to a response.
4131table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
4132table=10 priority=0 action=drop
4133])
4134
4135AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
4136
4137dnl Should work with the virtual IP address through NAT
7ed40afe 4138OVS_START_L7([at_ns1], [http])
9ac0aada
JR
4139NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
4140
420c73b2
JR
4141AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
4142tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
9ac0aada
JR
4143])
4144
4145dnl Should work with the assigned IP address as well
4146NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
4147
420c73b2
JR
4148AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
4149tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
9ac0aada
JR
4150])
4151
4152OVS_TRAFFIC_VSWITCHD_STOP
4153AT_CLEANUP
4154
4155AT_SETUP([conntrack - more complex DNAT])
dnl Two-table variant of the DNAT test: table 0 first sends all IP traffic
dnl through conntrack (zone 1, with NAT), so table 1 can match on ct_state
dnl in both directions rather than on the untracked/tracked split only.
4156CHECK_CONNTRACK()
4573c42e 4157CHECK_CONNTRACK_NAT()
9ac0aada
JR
4158OVS_TRAFFIC_VSWITCHD_START()
4159
4160ADD_NAMESPACES(at_ns0, at_ns1)
4161
4162ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
4163ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Fixed MAC for p1: table 8 hands it out for the virtual IP 10.1.1.64.
4164NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
4165
4166dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
4167AT_DATA([flows.txt], [dnl
4168dnl Track all IP traffic
dnl Existing connections are translated here (nat), then table 1 decides.
4169table=0 priority=100 ip action=ct(table=1,zone=1,nat)
4170dnl
4171dnl Allow ARP, but generate responses for NATed addresses
4172table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
4173table=0 priority=10 arp action=normal
4174table=0 priority=0 action=drop
4175dnl
4176dnl Allow any IP traffic from ns0->ns1. DNAT ns0 from 10.1.1.64 to 10.1.1.2
dnl New connections to the virtual IP are translated and committed; other new
dnl connections are committed unchanged.
4177table=1 priority=100 in_port=1 ct_state=+new ip nw_dst=10.1.1.64 action=ct(zone=1,nat(dst=10.1.1.2),commit),2
4178table=1 priority=10 in_port=1 ct_state=+new ip action=ct(commit,zone=1),2
dnl Established traffic from port 1 was already translated in table 0.
4179table=1 priority=100 in_port=1 ct_state=+est ct_zone=1 action=2
4180dnl Only allow established traffic from ns1->ns0.
4181table=1 priority=100 in_port=2 ct_state=+est ct_zone=1 action=1
dnl Default deny: anything new from port 2, or untracked, is dropped.
4182table=1 priority=0 action=drop
4183dnl
4184dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
4185table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
4186dnl Zero result means not found.
4187table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
4188dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
4189dnl TPA IP in reg2.
4190table=10 priority=100 arp xreg0=0 action=normal
4191dnl Swaps the fields of the ARP message to turn a query to a response.
4192table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
4193table=10 priority=0 action=drop
4194])
4195
4196AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
4197
4198dnl Should work with the virtual IP address through NAT
7ed40afe 4199OVS_START_L7([at_ns1], [http])
9ac0aada
JR
4200NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
4201
420c73b2
JR
4202AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
4203tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
9ac0aada
JR
4204])
4205
4206dnl Should work with the assigned IP address as well
4207NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
4208
420c73b2
JR
4209AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
4210tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
9ac0aada
JR
4211])
4212
4213OVS_TRAFFIC_VSWITCHD_STOP
4214AT_CLEANUP
4215
4216AT_SETUP([conntrack - ICMP related with NAT])
dnl SNATs a UDP datagram from ns0, lets only the related ICMP error back, and
dnl checks (via a capture on the p0 side) that the reverse-translated ICMP
dnl carries correct checksums.
9c1ab985 4217AT_SKIP_IF([test $HAVE_NC = no])
b020a416 4218AT_SKIP_IF([test $HAVE_TCPDUMP = no])
9ac0aada 4219CHECK_CONNTRACK()
4573c42e 4220CHECK_CONNTRACK_NAT()
9ac0aada
JR
4221OVS_TRAFFIC_VSWITCHD_START()
4222
4223ADD_NAMESPACES(at_ns0, at_ns1)
4224
4225ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0: the ARP responder answers for the SNAT range with it.
4226NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
4227ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
4228
4229dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
4230dnl Make sure ICMP responses are reverse-NATted.
4231AT_DATA([flows.txt], [dnl
dnl UDP from port 1: SNAT the source into 10.1.1.240-10.1.1.255, tag the
dnl connection with ct_mark=1 and commit.
4232in_port=1,udp,action=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:1->ct_mark)),2
dnl Untracked ICMP from port 2 goes through conntrack with NAT (which reverses
dnl the translation on the error) and re-enters table 0.
4233in_port=2,icmp,ct_state=-trk,action=ct(table=0,nat)
dnl Forward only ICMP that is related to a mark=1 connection and already
dnl carries the untranslated destination 10.1.1.1.
4234in_port=2,icmp,nw_dst=10.1.1.1,ct_state=+trk+rel,ct_mark=1,action=1
4235dnl
4236dnl ARP
4237priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
4238priority=10 arp action=normal
dnl Default deny for everything else.
4239priority=0,action=drop
4240dnl
4241dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl The /0xfffffff0 mask covers the whole SNAT range 0x0a0101f0-ff
dnl (10.1.1.240-255), so ARP for any NAT address resolves to p0's MAC.
4242table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
4243table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
4244dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
4245dnl TPA IP in reg2.
4246dnl Swaps the fields of the ARP message to turn a query to a response.
4247table=10 priority=100 arp xreg0=0 action=normal
4248table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
4249table=10 priority=0 action=drop
4250])
4251
4252AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
4253
b020a416
DB
dnl Not wrapped in AT_CHECK, so a missing p0.pcap is harmless.
4254rm p0.pcap
dnl Background capture on the bridge side of p0; -U flushes each packet to
dnl the file as it is captured.
dnl NOTE(review): the capture is not explicitly terminated in this test -
dnl confirm the teardown macros take care of it.
4255tcpdump -U -i ovs-p0 -w p0.pcap &
dnl Presumably gives tcpdump time to attach before traffic flows.
4256sleep 1
4257
9ac0aada 4258dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
dnl Nothing is started on UDP port 10000 in ns1, so its stack answers with an
dnl ICMP error whose embedded header must be reverse-translated by conntrack.
b54971f7 4259NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])
9ac0aada
JR
4260
dnl Presumably so that the flow statistics below reflect the packets just sent.
4261AT_CHECK([ovs-appctl revalidator/purge], [0])
dnl Expected counters: one UDP packet out, one ICMP error through both ICMP
dnl flows, and two ARP requests of which one is resolved by table 8 (the NAT
dnl address) and one falls through to normal.
4262AT_CHECK([ovs-ofctl -O OpenFlow15 dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
4263 n_packets=1, n_bytes=42, priority=10,arp actions=NORMAL
4264 n_packets=1, n_bytes=44, udp,in_port=1 actions=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:0x1->ct_mark)),output:2
4265 n_packets=1, n_bytes=72, ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2,nw_dst=10.1.1.1 actions=output:1
4266 n_packets=1, n_bytes=72, ct_state=-trk,icmp,in_port=2 actions=ct(table=0,nat)
4267 n_packets=2, n_bytes=84, priority=100,arp,arp_op=1 actions=move:NXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
4268 table=10, n_packets=1, n_bytes=42, priority=10,arp,arp_op=1 actions=set_field:2->arp_op,move:NXM_NX_ARP_SHA[[]]->NXM_NX_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_NX_ARP_SHA[[]],move:NXM_OF_ARP_SPA[[]]->NXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->NXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],set_field:0->in_port,output:NXM_NX_REG3[[0..15]]
4269 table=10, n_packets=1, n_bytes=42, priority=100,arp,reg0=0,reg1=0 actions=NORMAL
4270 table=8, n_packets=1, n_bytes=42, priority=0 actions=set_field:0->xreg0
4271 table=8, n_packets=1, n_bytes=42, reg2=0xa0101f0/0xfffffff0 actions=set_field:0x808888888888->xreg0
4272OFPST_FLOW reply (OF1.5):
4273])
4274
a857bb69
DDP
dnl The SNAT source is picked from 10.1.1.240-255, so the sed normalizes the
dnl reply dst to 10.1.1.2XX before comparing.
4275AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
4276udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),mark=1
9ac0aada
JR
4277])
4278
b020a416
DB
dnl Verbose tcpdump marks checksum problems with "wrong" or "bad"; egrep must
dnl find none in the captured ICMP (expected exit status 1 = no match).
4279AT_CHECK([tcpdump -v "icmp" -r p0.pcap 2>/dev/null | egrep 'wrong|bad'], [1], [ignore-nolog])
4280
9ac0aada
JR
4281OVS_TRAFFIC_VSWITCHD_STOP
4282AT_CLEANUP
4283
2cd20955 4284dnl CHECK_FTP_NAT(TITLE, IP_ADDR, FLOWS, CT_DUMP)
019c73ac 4285dnl
74f205f6
JS
4286dnl Checks the implementation of conntrack with FTP ALGs in combination with
4287dnl NAT, using the provided flow table.
dnl
dnl TITLE is appended to the test name, FLOWS is written verbatim to
dnl flows.txt and CT_DUMP is the expected conntrack dump for 10.1.1.2.
dnl IP_ADDR is not referenced inside this macro itself: callers expand it
dnl into FLOWS and CT_DUMP before passing them in.
4288m4_define([CHECK_FTP_NAT],
efa29a89 4289 [AT_SETUP([conntrack - FTP $1])
40c7b2fc 4290 AT_SKIP_IF([test $HAVE_FTP = no])
253e4dc0 4291 AT_SKIP_IF([test $HAVE_LFTP = no])
74f205f6
JS
4292 CHECK_CONNTRACK()
4293 CHECK_CONNTRACK_NAT()
fc9a5ee1 4294 CHECK_CONNTRACK_ALG()
019c73ac 4295
74f205f6 4296 OVS_TRAFFIC_VSWITCHD_START()
019c73ac 4297
74f205f6 4298 ADD_NAMESPACES(at_ns0, at_ns1)
019c73ac 4299
74f205f6
JS
4300 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
 dnl Fixed MAC for p0, so the ARP responder in the supplied flows can answer
 dnl for the NAT address with it.
4301 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
4302 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
019c73ac 4303
74f205f6 4304 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
2cd20955 4305 AT_DATA([flows.txt], [$3])
019c73ac 4306
74f205f6 4307 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
019c73ac 4308
7ed40afe 4309 OVS_START_L7([at_ns1], [ftp])
019c73ac 4310
74f205f6 4311 dnl FTP requests from p0->p1 should work fine.
253e4dc0
DM
 dnl lftp script in active mode (passive off): each of the four listings makes
 dnl the server open a data connection back to the client address it learned
 dnl from the PORT command, which is what exercises the ALG.
4312 AT_DATA([ftp.cmd], [dnl
4313set net:max-retries 1
4314set net:timeout 1
4315set ftp:passive-mode off
4316cache off
4317connect ftp://anonymous:@10.1.1.2
4318ls
4319ls
4320ls
4321ls
4322])
4323 NS_CHECK_EXEC([at_ns0], [lftp -f ftp.cmd > lftp.log])
019c73ac 4324
74f205f6 4325 dnl Discards CLOSE_WAIT and CLOSING
2cd20955 4326 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [$4])
019c73ac 4327
74f205f6
JS
4328 OVS_TRAFFIC_VSWITCHD_STOP
4329 AT_CLEANUP])
019c73ac 4330
efa29a89 4331dnl CHECK_FTP_SNAT_PRE_RECIRC(TITLE, IP_ADDR, IP_ADDR_AS_HEX)
74f205f6
JS
4332dnl
4333dnl Checks the implementation of conntrack with FTP ALGs in combination with
4334dnl NAT, with flow tables that implement the NATing as part of handling of
4335dnl initial incoming packets - ie, the first flow is ct(nat,table=foo).
4336dnl
4337dnl IP_ADDR must specify the NAT address in standard "10.1.1.x" format,
4338dnl and IP_ADDR_AS_HEX must specify the same address as hex, eg 0x0a0101xx.
efa29a89
DM
4339m4_define([CHECK_FTP_SNAT_PRE_RECIRC], [dnl
4340 CHECK_FTP_NAT([SNAT prerecirc $1], [$2], [dnl
9ac0aada
JR
4341dnl track all IP traffic, de-mangle non-NEW connections
dnl Because translation happens here, tables 1 and 2 see translated headers
dnl for connections that are already committed.
4342table=0 in_port=1, ip, action=ct(table=1,nat)
4343table=0 in_port=2, ip, action=ct(table=2,nat)
4344dnl
4345dnl ARP
4346dnl
4347table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
4348table=0 priority=10 arp action=normal
4349table=0 priority=0 action=drop
4350dnl
4351dnl Table 1: port 1 -> 2
4352dnl
4353dnl Allow new FTP connections. These need to be committed.
dnl The FTP helper is attached here and the source is SNATted to IP_ADDR.
74f205f6 4354table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, action=ct(alg=ftp,commit,nat(src=$2)),2
9ac0aada 4355dnl Allow established TCP connections, make sure they are NATted already.
74f205f6 4356table=1 ct_state=+est, tcp, nw_src=$2, action=2
9ac0aada
JR
4357dnl
4358dnl Table 1: droppers
4359dnl
dnl Kept separate from the catch-all, presumably so dropped TCP is counted on
dnl its own flow.
4360table=1 priority=10, tcp, action=drop
4361table=1 priority=0,action=drop
4362dnl
4363dnl Table 2: port 2 -> 1
4364dnl
4365dnl Allow established TCP connections, make sure they are reverse NATted
4366table=2 ct_state=+est, tcp, nw_dst=10.1.1.1, action=1
4367dnl Allow (new) related (data) connections. These need to be committed.
dnl The server-initiated data connection is not committed yet, so its
dnl destination is still the NAT address; ct(commit,nat) translates it back.
74f205f6 4368table=2 ct_state=+new+rel, tcp, nw_dst=$2, action=ct(commit,nat),1
9ac0aada
JR
4369dnl Allow related ICMP packets, make sure they are reverse NATted
4370table=2 ct_state=+rel, icmp, nw_dst=10.1.1.1, action=1
4371dnl
4372dnl Table 2: droppers
4373dnl
4374table=2 priority=10, tcp, action=drop
4375table=2 priority=0, action=drop
4376dnl
4377dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
4378dnl
dnl Exact match (full mask) on the NAT address given as hex.
74f205f6 4379table=8,reg2=$3/0xffffffff,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
9ac0aada
JR
4380table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
4381dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
4382dnl TPA IP in reg2.
4383dnl Swaps the fields of the ARP message to turn a query to a response.
4384table=10 priority=100 arp xreg0=0 action=normal
4385table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
4386table=10 priority=0 action=drop
dnl Expected conntrack: the control connection (helper=ftp) with the SNATted
dnl reply destination, and the server-initiated data connection toward the
dnl NAT address, reverse-translated to 10.1.1.1.
2cd20955
JR
4387], [dnl
4388tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
4389tcp,orig=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
4390])
9ac0aada
JR
4391])
4392
74f205f6 4393dnl Check that ct(nat,table=foo) works without TCP sequence adjustment.
dnl (10.1.1.9 has the same ASCII length as the original address 10.1.1.1.)
efa29a89 4394CHECK_FTP_SNAT_PRE_RECIRC([], [10.1.1.9], [0x0a010109])
9ac0aada 4395
74f205f6
JS
4396dnl Check that ct(nat,table=foo) works with TCP sequence adjustment.
4397dnl
4398dnl The FTP PORT command includes the ASCII representation of the address,
4399dnl so when these messages need to be NATed between addresses that have
4400dnl different lengths when represented in ASCII (such as the original address
4401dnl of 10.1.1.1 used in the test and 10.1.1.240 here), the FTP NAT ALG must
4402dnl resize the packet and adjust TCP sequence numbers. This test is kept
4403dnl separate from the above to more easily identify issues in this code on
4404dnl different kernels.
efa29a89 4405CHECK_FTP_SNAT_PRE_RECIRC([seqadj], [10.1.1.240], [0x0a0101f0])
74f205f6 4406
efa29a89 4407dnl CHECK_FTP_SNAT_POST_RECIRC(TITLE, IP_ADDR, IP_ADDR_AS_HEX)
74f205f6
JS
4408dnl
4409dnl Checks the implementation of conntrack with FTP ALGs in combination with
4410dnl NAT, with flow tables that implement the NATing after the first round
4411dnl of recirculation - that is, the first flow ct(table=foo) then a subsequent
4412dnl flow will implement the NATing with ct(nat..),output:foo.
4413dnl
4414dnl IP_ADDR must specify the NAT address in standard "10.1.1.x" format,
4415dnl and IP_ADDR_AS_HEX must specify the same address as hex, eg 0x0a0101xx.
efa29a89
DM
4416m4_define([CHECK_FTP_SNAT_POST_RECIRC], [dnl
4417 CHECK_FTP_NAT([SNAT postrecirc $1], [$2], [dnl
9ac0aada
JR
4418dnl track all IP traffic (this includes a helper call to non-NEW packets.)
dnl No nat here: table 1 therefore matches on untranslated headers.
4419table=0 ip, action=ct(table=1)
4420dnl
4421dnl ARP
4422dnl
4423table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
4424table=0 priority=10 arp action=normal
4425table=0 priority=0 action=drop
4426dnl
4427dnl Table 1
4428dnl
4429dnl Allow new FTP connections. These need to be committed.
4430dnl This does helper for new packets.
74f205f6 4431table=1 in_port=1 ct_state=+new, tcp, tp_dst=21, action=ct(alg=ftp,commit,nat(src=$2)),2
9ac0aada
JR
4432dnl Allow and NAT established TCP connections
dnl Translation is applied by ct(nat) on the way out, in both directions.
4433table=1 in_port=1 ct_state=+est, tcp, action=ct(nat),2
4434table=1 in_port=2 ct_state=+est, tcp, action=ct(nat),1
4435dnl Allow and NAT (new) related active (data) connections.
4436dnl These need to be committed.
4437table=1 in_port=2 ct_state=+new+rel, tcp, action=ct(commit,nat),1
4438dnl Allow related ICMP packets.
4439table=1 in_port=2 ct_state=+rel, icmp, action=ct(nat),1
4440dnl Drop everything else.
4441table=1 priority=0, action=drop
4442dnl
4443dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
4444dnl
dnl Exact match (full mask) on the NAT address given as hex.
74f205f6 4445table=8,reg2=$3/0xffffffff,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
9ac0aada
JR
4446table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
4447dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
4448dnl TPA IP in reg2.
4449dnl Swaps the fields of the ARP message to turn a query to a response.
4450table=10 priority=100 arp xreg0=0 action=normal
4451table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
4452table=10 priority=0 action=drop
dnl Expected conntrack: same two entries as the prerecirc variant, the
dnl control connection (helper=ftp) and the server-initiated data connection.
2cd20955
JR
4453], [dnl
4454tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
4455tcp,orig=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
4456])
9ac0aada
JR
4457])
4458
74f205f6 4459dnl Check that ct(nat,table=foo) works without TCP sequence adjustment.
dnl (10.1.1.9 has the same ASCII length as the original address 10.1.1.1.)
efa29a89 4460CHECK_FTP_SNAT_POST_RECIRC([], [10.1.1.9], [0x0a010109])
9ac0aada 4461
74f205f6
JS
4462dnl Check that ct(nat,table=foo) works with TCP sequence adjustment.
4463dnl
4464dnl The FTP PORT command includes the ASCII representation of the address,
4465dnl so when these messages need to be NATed between addresses that have
4466dnl different lengths when represented in ASCII (such as the original address
4467dnl of 10.1.1.1 used in the test and 10.1.1.240 here), the FTP NAT ALG must
4468dnl resize the packet and adjust TCP sequence numbers. This test is kept
4469dnl separate from the above to more easily identify issues in this code on
4470dnl different kernels.
efa29a89 4471CHECK_FTP_SNAT_POST_RECIRC([seqadj], [10.1.1.240], [0x0a0101f0])
9ac0aada 4472
daf4d3c1 4473
efa29a89 4474dnl CHECK_FTP_SNAT_ORIG_TUPLE(TITLE, IP_ADDR, IP_ADDR_AS_HEX)
daf4d3c1
JR
4475dnl
4476dnl Checks the implementation of conntrack original direction tuple matching
4477dnl with FTP ALGs in combination with NAT, with flow tables that implement
4478dnl the NATing before the first round of recirculation - that is, the first
4479dnl flow ct(nat, table=foo) then a subsequent flow will implement the
4480dnl committing of NATed and other connections with ct(nat..),output:foo.
4481dnl
4482dnl IP_ADDR must specify the NAT address in standard "10.1.1.x" format,
4483dnl and IP_ADDR_AS_HEX must specify the same address as hex, eg 0x0a0101xx.
efa29a89
DM
4484m4_define([CHECK_FTP_SNAT_ORIG_TUPLE], [dnl
4485 CHECK_FTP_NAT([SNAT orig tuple $1], [$2], [dnl
2cd20955
JR
4486dnl Store zone in reg4 and packet direction in reg3 (IN=1, OUT=2).
4487dnl NAT is only applied to OUT-direction packets, so that ACL
4488dnl processing can be done with non-NATted headers.
4489dnl
4490dnl Track all IP traffic in the IN-direction (IN from Port 1).
4491table=0 in_port=1, ip, action=set_field:1->reg4,set_field:1->reg3,ct(zone=NXM_NX_REG4[[0..15]],table=1)
4492dnl Track all IP traffic in the OUT-direction (OUT to the Port 1).
4493table=0 in_port=2, ip, action=set_field:1->reg4,set_field:2->reg3,ct(zone=NXM_NX_REG4[[0..15]],nat,table=1)
daf4d3c1
JR
4494dnl
4495dnl ARP
4496dnl
4497table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
4498table=0 priority=10 arp action=normal
4499table=0 priority=0 action=drop
4500dnl
2cd20955
JR
4501dnl Pass tracked traffic through ACL, drop everything else.
4502dnl Non-REPLY/RELATED packets get the ACL lookup with the packet headers
4503dnl in the actual packet direction in reg0 (IN=1, OUT=2). REPLY packets
4504dnl get the ACL lookup using the conntrack tuple and the inverted direction.
4505dnl RELATED packets get ACL lookup using the conntrack tuple in the direction
28033773 4506dnl of the master connection, as stored in ct_label[0].
2cd20955
JR
4507dnl
dnl The ct variant of resubmit evaluates table 3 against the conntrack
dnl original-direction tuple instead of the packet headers. Lookups that used
dnl conntrack state go through table 4 so a missed stateful verdict can be
dnl re-evaluated statelessly.
4508dnl Incoming non-related packet in the original direction (ACL IN)
4509table=1 reg3=1, ip, ct_state=-rel-rpl+trk-inv action=set_field:1->reg0,resubmit(,3),goto_table:5
4510dnl Incoming non-related reply packet (CT ACL OUT)
4511table=1 reg3=1, ip, ct_state=-rel+rpl+trk-inv action=set_field:2->reg0,resubmit(,3,ct),goto_table:4
4512dnl Outgoing non-related packet (ACL OUT)
4513table=1 reg3=2, ip, ct_state=-rel-rpl+trk-inv action=set_field:2->reg0,resubmit(,3),goto_table:5
4514dnl Outgoing non-related reply packet (CT ACL IN)
4515table=1 reg3=2, ip, ct_state=-rel+rpl+trk-inv action=set_field:1->reg0,resubmit(,3,ct),goto_table:4
daf4d3c1 4516dnl
2cd20955 4517dnl Related packet (CT ACL in the direction of the master connection.)
28033773 4518table=1 ip, ct_state=+rel+trk-inv, action=move:NXM_NX_CT_LABEL[[0]]->NXM_NX_REG0[[0]],resubmit(,3,ct),goto_table:4
daf4d3c1
JR
4519dnl Drop everything else.
dnl Untracked and invalid packets never reach the ACL.
4520table=1 priority=0, action=drop
4521dnl
2cd20955
JR
4522dnl "ACL table"
4523dnl
4524dnl Stateful accept (1->reg2) all incoming (reg0=1) IP connections with
4525dnl IP source address '10.1.1.1'. Store rule ID (1234) in reg1, verdict
4526dnl in reg2.
4527table=3 priority=10, reg0=1, ip, nw_src=10.1.1.1 action=set_field:1234->reg1,set_field:1->reg2
4528dnl Stateless drop (0->reg2) everything else in both directions. (Rule ID: 1235)
4529table=3 priority=0, action=set_field:1235->reg1,set_field:0->reg2
4530dnl
4531dnl Re-process stateful traffic that was not accepted by a stateful rule as
4532dnl normal traffic in the current direction. This should also delete the
4533dnl now stale conntrack state, so that new state can be created in its place.
4534dnl
4535dnl Stateful accepts go to next table.
4536table=4 priority=100 reg2=1, action=goto_table:5
4537dnl Everything else is reprocessed disregarding the CT state, using the actual
4538dnl packet direction.
4539table=4 priority=0 action=move:NXM_NX_REG3[[]]->NXM_NX_REG0[[]],resubmit(,3),goto_table:5
4540dnl
4541dnl "ACL verdict processing table."
4542dnl
4543dnl Handle stateful (reg2=1) / stateless (reg2=2) accepts and drops (reg2=0)
dnl (No rule in table 3 above produces reg2=2; the stateless-accept case is
dnl only reserved here.)
4544dnl
4545dnl Drop all non-accepted packets.
4546table=5 reg2=0 priority=1000 action=drop
daf4d3c1 4547dnl
2cd20955
JR
4548dnl Commit new incoming FTP control connections with SNAT range. Must match on
4549dnl 'tcp' when setting 'alg=ftp'. Store the directionality of non-related
28033773
JR
4550dnl connections to ct_label[0]. Store the rule ID to ct_label[96..127].
4551table=5 priority=100 reg2=1 reg3=1 ct_state=+new-rel, tcp, tp_dst=21, action=ct(zone=NXM_NX_REG4[[0..15]],alg=ftp,commit,nat(src=$2),exec(move:NXM_NX_REG3[[0]]->NXM_NX_CT_LABEL[[0]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
2cd20955 4552dnl Commit other new incoming non-related IP connections with SNAT range.
28033773 4553table=5 priority=10 reg2=1 reg3=1 ct_state=+new-rel, ip, action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat(src=$2),exec(move:NXM_NX_REG3[[0]]->NXM_NX_CT_LABEL[[0]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
2cd20955
JR
4554dnl Commit non-related outgoing new IP connections with DNAT range.
4555dnl (This should not get any packets in this test.)
28033773 4556table=5 priority=10 reg2=1 reg3=2 ct_state=+new-rel, ip, action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat(dst=$2),exec(move:NXM_NX_REG3[[0]]->NXM_NX_CT_LABEL[[0]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
2cd20955 4557dnl Commit new related connections in either direction, which need 'nat'
28033773 4558dnl and which inherit the label (the direction of the original direction
2cd20955
JR
4559dnl master tuple) from the master connection.
dnl Only the rule ID is written here; bit 0 is left as inherited.
4560table=5 priority=10 reg2=1 ct_state=+new+rel, ip, action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat,exec(move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
4561dnl
4562dnl NAT incoming non-NEW packets. Outgoing packets were NATted in table 0.
4563dnl
4564table=5 priority=10 ct_state=-new+trk-inv reg3=1 ip, action=ct(zone=NXM_NX_REG4[[0..15]],nat),goto_table:6
4565dnl Forward everything else, including stateless accepts.
4566table=5 priority=0 action=goto_table:6
4567dnl
4568dnl "Forwarding table"
4569dnl
4570table=6 in_port=1 action=2
4571table=6 in_port=2 action=1
daf4d3c1
JR
4572dnl
4573dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
4574dnl
2cd20955 4575table=8,reg2=$3,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
daf4d3c1
JR
4576table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
4577dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
4578dnl TPA IP in reg2.
4579dnl Swaps the fields of the ARP message to turn a query to a response.
4580table=10 priority=100 arp xreg0=0 action=normal
4581table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
4582table=10 priority=0 action=drop
dnl Expected labels on both entries: 0x4d2 (rule ID 1234) in bits 96..127 and
dnl bit 0 set (IN direction); the data connection inherits bit 0 from the
dnl control connection.
2cd20955 4583], [dnl
28033773
JR
4584tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),zone=1,labels=0x4d2000000000000000000000001,protoinfo=(state=<cleared>),helper=ftp
4585tcp,orig=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,labels=0x4d2000000000000000000000001,protoinfo=(state=<cleared>)
2cd20955 4586])
daf4d3c1
JR
4587])
4588
4589dnl Check that ct(nat,table=foo) works without TCP sequence adjustment with
4590dnl an ACL table based on matching on conntrack original direction tuple only.
dnl (10.1.1.9 has the same ASCII length as the original address 10.1.1.1.)
efa29a89 4591CHECK_FTP_SNAT_ORIG_TUPLE([], [10.1.1.9], [0x0a010109])
daf4d3c1
JR
4592
4593dnl Check that ct(nat,table=foo) works with TCP sequence adjustment with
4594dnl an ACL table based on matching on conntrack original direction tuple only.
dnl (10.1.1.240 is longer in ASCII than 10.1.1.1, so the ALG must resize the
dnl PORT payload and adjust sequence numbers.)
efa29a89 4595CHECK_FTP_SNAT_ORIG_TUPLE([seqadj], [10.1.1.240], [0x0a0101f0])
daf4d3c1 4596
efa29a89 4597AT_SETUP([conntrack - IPv4 FTP Passive with SNAT])
dnl Passive-mode FTP (client opens the data connection) with the client
dnl source SNATted to 10.1.1.240. The flow table has no ARP handling at all,
dnl so both namespaces get static ARP entries below.
200a9af9
DB
4598AT_SKIP_IF([test $HAVE_FTP = no])
4599CHECK_CONNTRACK()
4600CHECK_CONNTRACK_NAT()
4601CHECK_CONNTRACK_ALG()
4602
4603OVS_TRAFFIC_VSWITCHD_START()
4604
4605ADD_NAMESPACES(at_ns0, at_ns1)
4606
4607ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
4608NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
4609NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
4610
4611ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
4612NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
4613NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
dnl The server replies to the SNATted source, so it also needs the NAT
dnl address mapped to the client's MAC.
4614NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.240 e6:66:c1:11:11:11])
4615
4616dnl Allow any traffic from ns0->ns1.
4617AT_DATA([flows.txt], [dnl
4618dnl track all IPv4 traffic and NAT any established traffic.
4619table=0 priority=10 ip, action=ct(nat,table=1)
dnl Non-IP (including ARP) is dropped, hence the static ARP entries above.
4620table=0 priority=0 action=drop
4621dnl
4622dnl Table 1
4623dnl
4624dnl Allow new FTP control connections.
4625table=1 in_port=1 ct_state=+new tcp nw_src=10.1.1.1 tp_dst=21 action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
4626dnl Allow related TCP connections from port 1.
dnl In passive mode the data connection is opened by the client as well.
4627table=1 in_port=1 ct_state=+new+rel tcp nw_src=10.1.1.1 action=ct(commit,nat),2
4628dnl Allow established TCP connections both ways, post-NAT match.
4629table=1 in_port=1 ct_state=+est tcp nw_src=10.1.1.240 action=2
4630table=1 in_port=2 ct_state=+est tcp nw_dst=10.1.1.1 action=1
4631
4632dnl Allow ICMP both ways.
dnl Used by the readiness ping below; forwarded regardless of ct state.
4633table=1 priority=100 in_port=1 icmp, action=2
4634table=1 priority=100 in_port=2 icmp, action=1
4635table=1 priority=0, action=drop
4636])
4637
4638AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
4639
4640dnl Check that the stacks are working, to avoid races.
4641OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2 >/dev/null])
4642
4643OVS_START_L7([at_ns1], [ftp])
4644
4645dnl FTP requests from p0->p1 should work fine.
4646NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
4647
4648dnl Discards CLOSE_WAIT and CLOSING
dnl Both the data connection and the control connection (helper=ftp) are
dnl client-initiated and show the SNATted reply destination.
4649AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
4650tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
4651tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
4652])
4653
4654OVS_TRAFFIC_VSWITCHD_STOP
4655AT_CLEANUP
4656
efa29a89
DM
4657AT_SETUP([conntrack - IPv4 FTP Passive with DNAT])
4658AT_SKIP_IF([test $HAVE_FTP = no])
4659CHECK_CONNTRACK()
4660CHECK_CONNTRACK_NAT()
4661CHECK_CONNTRACK_ALG()
4662
4663OVS_TRAFFIC_VSWITCHD_START()
4664
4665ADD_NAMESPACES(at_ns0, at_ns1)
4666
4667ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
4668NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
4669NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
4670NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.240 e6:66:c1:22:22:22])
4671
4672ADD_VETH(p1, at_ns1, br0, "10.1.1.240/24")
4673NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
4674NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
4675
4676dnl Allow any traffic from ns0->ns1.
4677AT_DATA([flows.txt], [dnl
4678dnl track all IPv4 traffic and NAT any established traffic.
4679table=0 priority=10 ip, action=ct(nat,table=1)
4680table=0 priority=0 action=drop
4681dnl
4682dnl Table 1
4683dnl
4684dnl Allow new FTP control connections.
4685table=1 in_port=1 ct_state=+new tcp nw_src=10.1.1.1 tp_dst=21 action=ct(alg=ftp,commit,nat(dst=10.1.1.240)),2
4686dnl Allow related TCP connections from port 1.
4687table=1 in_port=1 ct_state=+new+rel tcp nw_src=10.1.1.1 action=ct(commit,nat),2
4688dnl Allow established TCP connections both ways, post-NAT match.
4689table=1 in_port=1 ct_state=+est tcp nw_dst=10.1.1.240 action=2
4690table=1 in_port=2 ct_state=+est tcp nw_dst=10.1.1.1 action=1
4691
4692dnl Allow ICMP both ways.
4693table=1 priority=100 in_port=1 icmp, action=2
4694table=1 priority=100 in_port=2 icmp, action=1
4695table=1 priority=0, action=drop
4696])
4697
4698AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
4699
4700dnl Check that the stacks are up and working, to avoid races.
4701OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.240 >/dev/null])
4702
4703OVS_START_L7([at_ns1], [ftp])
4704
4705dnl FTP requests from p0->p1 should work fine.
4706NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
4707
4708dnl Discards CLOSE_WAIT and CLOSING
4709AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
4710tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.240,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
4711tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.240,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
4712])
4713
4714OVS_TRAFFIC_VSWITCHD_STOP
4715AT_CLEANUP
4716
4717AT_SETUP([conntrack - IPv4 FTP Passive with DNAT 2])
4718AT_SKIP_IF([test $HAVE_FTP = no])
4719CHECK_CONNTRACK()
4720CHECK_CONNTRACK_NAT()
4721CHECK_CONNTRACK_ALG()
4722
4723OVS_TRAFFIC_VSWITCHD_START()
4724
4725ADD_NAMESPACES(at_ns0, at_ns1)
4726
4727ADD_VETH(p0, at_ns0, br0, "10.1.1.1/16")
4728NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
4729NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.200 e6:66:c1:22:22:22])
4730NS_CHECK_EXEC([at_ns0], [arp -s 10.1.100.1 e6:66:c1:22:22:22])
4731
4732ADD_VETH(p1, at_ns1, br0, "10.1.100.1/16")
4733NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
4734NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
4735
4736dnl Allow any traffic from ns0->ns1.
4737AT_DATA([flows.txt], [dnl
4738dnl Track all IPv4 traffic and NAT any established traffic.
4739table=0 priority=10 ip, action=ct(nat,table=1)
4740table=0 priority=0 action=drop
4741dnl
4742dnl Table 1
4743dnl
4744dnl Allow new FTP control connections.
4745table=1 in_port=1 ct_state=+new tcp nw_src=10.1.1.1 tp_dst=21 action=ct(alg=ftp,commit,nat(dst=10.1.100.1)),2
4746dnl Allow related TCP connections from port 1.
4747table=1 in_port=1 ct_state=+new+rel tcp nw_src=10.1.1.1 action=ct(commit,nat),2
4748dnl Allow established TCP connections both ways, post-NAT match.
4749table=1 in_port=1 ct_state=+est tcp nw_dst=10.1.100.1 action=2
4750table=1 in_port=2 ct_state=+est tcp nw_dst=10.1.1.1 action=1
4751
4752dnl Allow ICMP both ways.
4753table=1 priority=100 in_port=1 icmp, action=2
4754table=1 priority=100 in_port=2 icmp, action=1
4755table=1 priority=0, action=drop
4756])
4757
4758AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
4759
4760dnl Check that the stacks are up and working, to avoid races.
4761OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.100.1 >/dev/null])
4762
4763OVS_START_L7([at_ns1], [ftp])
4764
4765dnl FTP requests from p0->p1 should work fine.
4766NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.200 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
4767
4768dnl Discards CLOSE_WAIT and CLOSING
4769AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.200)], [0], [dnl
4770tcp,orig=(src=10.1.1.1,dst=10.1.1.200,sport=<cleared>,dport=<cleared>),reply=(src=10.1.100.1,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
4771tcp,orig=(src=10.1.1.1,dst=10.1.1.200,sport=<cleared>,dport=<cleared>),reply=(src=10.1.100.1,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
4772])
4773
4774OVS_TRAFFIC_VSWITCHD_STOP
4775AT_CLEANUP
4776
4777AT_SETUP([conntrack - IPv4 FTP Active with DNAT])
4778AT_SKIP_IF([test $HAVE_FTP = no])
4779CHECK_CONNTRACK()
4780CHECK_CONNTRACK_NAT()
4781CHECK_CONNTRACK_ALG()
4782
4783OVS_TRAFFIC_VSWITCHD_START()
4784
4785ADD_NAMESPACES(at_ns0, at_ns1)
4786
4787ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
4788NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
4789NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
4790NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.240 e6:66:c1:22:22:22])
4791
4792ADD_VETH(p1, at_ns1, br0, "10.1.1.240/24")
4793NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
4794NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
4795
4796dnl Allow any traffic from ns0->ns1.
4797AT_DATA([flows.txt], [dnl
4798dnl Track all IPv4 traffic and NAT any established traffic.
4799table=0 priority=10 ip, action=ct(nat,table=1)
4800table=0 priority=0 action=drop
4801dnl
4802dnl Table 1
4803dnl
4804dnl Allow new FTP control connections.
4805table=1 in_port=1 ct_state=+new tcp nw_src=10.1.1.1 tp_dst=21 action=ct(alg=ftp,commit,nat(dst=10.1.1.240)),2
4806dnl Allow related TCP connections from port 2.
4807table=1 in_port=2 ct_state=+new+rel tcp nw_src=10.1.1.240 action=ct(commit,nat),1
4808dnl Allow established TCP connections both ways, post-NAT match.
4809table=1 in_port=1 ct_state=+est tcp nw_dst=10.1.1.240 action=2
4810table=1 in_port=2 ct_state=+est tcp nw_dst=10.1.1.1 action=1
4811
4812dnl Allow ICMP both ways.
4813table=1 priority=100 in_port=1 icmp, action=2
4814table=1 priority=100 in_port=2 icmp, action=1
4815table=1 priority=0, action=drop
4816])
4817
4818AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
4819
4820dnl Check that the stacks are up and working, to avoid races.
4821OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.240 >/dev/null])
4822
4823OVS_START_L7([at_ns1], [ftp])
4824
4825dnl FTP requests from p0->p1 should work fine.
4826NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
4827
4828dnl Discards CLOSE_WAIT and CLOSING
4829AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
4830tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.240,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
4831tcp,orig=(src=10.1.1.240,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
4832])
4833
4834OVS_TRAFFIC_VSWITCHD_STOP
4835AT_CLEANUP
4836
4837AT_SETUP([conntrack - IPv4 FTP Active with DNAT with reverse skew])
4838AT_SKIP_IF([test $HAVE_FTP = no])
4839CHECK_CONNTRACK()
4840CHECK_CONNTRACK_NAT()
4841CHECK_CONNTRACK_ALG()
4842
4843OVS_TRAFFIC_VSWITCHD_START()
4844
4845ADD_NAMESPACES(at_ns0, at_ns1)
4846
cd7c99a6 4847ADD_VETH(p0, at_ns0, br0, "10.1.1.1/16")
4848NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
4849NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
cd7c99a6 4850NS_CHECK_EXEC([at_ns0], [arp -s 10.1.120.240 e6:66:c1:22:22:22])
efa29a89 4851
cd7c99a6 4852ADD_VETH(p1, at_ns1, br0, "10.1.1.2/16")
4853NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
4854NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
4855
4856dnl Allow any traffic from ns0->ns1.
4857AT_DATA([flows.txt], [dnl
4858dnl Track all IPv4 traffic and NAT any established traffic.
4859table=0 priority=10 ip, action=ct(nat,table=1)
4860table=0 priority=0 action=drop
4861dnl
4862dnl Table 1
4863dnl
4864dnl Allow new FTP control connections.
4865table=1 in_port=1 ct_state=+new tcp nw_src=10.1.1.1 tp_dst=21 action=ct(alg=ftp,commit,nat(dst=10.1.1.2)),2
4866dnl Allow related TCP connections from port 2.
4867table=1 in_port=2 ct_state=+new+rel tcp nw_src=10.1.1.2 action=ct(commit,nat),1
4868dnl Allow established TCP connections both ways, post-NAT match.
4869table=1 in_port=1 ct_state=+est tcp nw_dst=10.1.1.2 action=2
4870table=1 in_port=2 ct_state=+est tcp nw_dst=10.1.1.1 action=1
4871
4872dnl Allow ICMP both ways.
4873table=1 priority=100 in_port=1 icmp, action=2
4874table=1 priority=100 in_port=2 icmp, action=1
4875table=1 priority=0, action=drop
4876])
4877
4878AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
4879
4880dnl Check that the stacks are up and working, to avoid races.
4881OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2 >/dev/null])
4882
4883OVS_START_L7([at_ns1], [ftp])
4884
4885dnl FTP requests from p0->p1 should work fine.
cd7c99a6 4886NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.120.240 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
4887
4888dnl Discards CLOSE_WAIT and CLOSING
4889AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.120.240)], [0], [dnl
4890tcp,orig=(src=10.1.1.1,dst=10.1.120.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
4891tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.120.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
4892])
4893
4894OVS_TRAFFIC_VSWITCHD_STOP
4895AT_CLEANUP
4896
b020a416 4897AT_SETUP([conntrack - IPv6 HTTP with SNAT])
9ac0aada 4898CHECK_CONNTRACK()
4573c42e 4899CHECK_CONNTRACK_NAT()
4900OVS_TRAFFIC_VSWITCHD_START()
4901
4902ADD_NAMESPACES(at_ns0, at_ns1)
4903
4904ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
4905NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
4906ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
4907NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
b020a416 4908NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::241 lladdr 80:88:88:88:88:88 dev p1])
4909
4910dnl Allow any traffic from ns0->ns1. Only allow ND and return traffic from ns1->ns0.
4911AT_DATA([flows.txt], [dnl
4912priority=1,action=drop
4913priority=10,icmp6,action=normal
b020a416 4914priority=100,in_port=1,ip6,action=ct(commit,nat(src=fc00::240-fc00::241)),2
4915priority=100,in_port=2,ct_state=-trk,ip6,action=ct(nat,table=0)
4916priority=100,in_port=2,ct_state=+trk+est,ip6,action=1
4917priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::240,action=ct(commit,nat(dst=fc00::1)),1
b020a416 4918priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::241,action=ct(commit,nat(dst=fc00::1)),1
4919])
4920
4921AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
4922
4923dnl Linux seems to take a little time to get its IPv6 stack in order. Without
4924dnl waiting, we get occasional failures due to the following error:
9ac0aada 4925dnl "connect: Cannot assign requested address"
c10840ff 4926OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
4927
4928dnl HTTP requests from ns0->ns1 should work fine.
7ed40afe 4929OVS_START_L7([at_ns1], [http6])
4930
4931NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
4932
4933dnl HTTP requests from ns1->ns0 should fail due to network failure.
4934dnl Try 3 times, in 1 second intervals.
7ed40afe 4935OVS_START_L7([at_ns0], [http6])
4936NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
4937
4938OVS_TRAFFIC_VSWITCHD_STOP
4939AT_CLEANUP
4940
4941AT_SETUP([conntrack - IPv6 HTTP with DNAT])
4942CHECK_CONNTRACK()
4943CHECK_CONNTRACK_NAT()
4944OVS_TRAFFIC_VSWITCHD_START()
4945
4946ADD_NAMESPACES(at_ns0, at_ns1)
4947
4948ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
4949ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
4950NS_CHECK_EXEC([at_ns0], [ip -6 link set dev p0 address 80:88:88:88:88:77])
4951NS_CHECK_EXEC([at_ns1], [ip -6 link set dev p1 address 80:88:88:88:88:88])
4952NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p0])
4953NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::1 lladdr 80:88:88:88:88:77 dev p1])
4954
4955dnl Allow any traffic from ns0->ns1. Only allow ND and return traffic from ns1->ns0.
4956AT_DATA([flows.txt], [dnl
4957priority=100 in_port=1,ip6,ipv6_dst=fc00::240,action=ct(zone=1,nat(dst=fc00::2),commit),2
4958priority=100 in_port=2,ct_state=-trk,ip6,action=ct(table=0,nat,zone=1)
4959priority=100 in_port=2,ct_state=+trk+est,ct_zone=1,ip6,action=1
4960])
4961
4962AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
4963
4964dnl Linux seems to take a little time to get its IPv6 stack in order. Without
4965dnl waiting, we get occasional failures due to the following error:
4966dnl "connect: Cannot assign requested address"
4967OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::240])
4968
4969NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::240 | FORMAT_PING], [0], [dnl
49703 packets transmitted, 3 received, 0% packet loss, time 0ms
4971])
4972
4973dnl Should work with the virtual IP address through NAT.
4974OVS_START_L7([at_ns1], [http6])
4975NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::240]] -t 5 -T 1 --retry-connrefused -v -o wget0.log])
4976
4977AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::1)], [0], [dnl
4978icmpv6,orig=(src=fc00::1,dst=fc00::240,id=<cleared>,type=128,code=0),reply=(src=fc00::2,dst=fc00::1,id=<cleared>,type=129,code=0),zone=1
4979tcp,orig=(src=fc00::1,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
4980])
4981
4982OVS_TRAFFIC_VSWITCHD_STOP
4983AT_CLEANUP
4984
4985AT_SETUP([conntrack - IPv6 ICMP6 Related with SNAT])
4986AT_SKIP_IF([test $HAVE_TCPDUMP = no])
4987CHECK_CONNTRACK()
4988CHECK_CONNTRACK_NAT()
4989OVS_TRAFFIC_VSWITCHD_START()
4990
4991ADD_NAMESPACES(at_ns0, at_ns1)
4992
4993ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
4994ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
4995NS_CHECK_EXEC([at_ns0], [ip -6 link set dev p0 address 80:88:88:88:88:77])
4996NS_CHECK_EXEC([at_ns1], [ip -6 link set dev p1 address 80:88:88:88:88:88])
4997
4998NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::2 lladdr 80:88:88:88:88:88 dev p0])
4999NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::3 lladdr 80:88:88:88:88:88 dev p0])
5000NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:77 dev p1])
5001NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::1 lladdr 80:88:88:88:88:77 dev p1])
5002
5003NS_CHECK_EXEC([at_ns0], [ip -6 route add default via fc00::2])
5004
5005dnl Allow any traffic from ns0->ns1. Only allow ND and return traffic from ns1->ns0.
5006AT_DATA([flows.txt], [dnl
5007priority=100 in_port=1,ip6,action=ct(nat(src=fc00::240),commit),2
5008priority=100 in_port=2,ct_state=-trk,ip6,action=ct(table=0,nat)
5009priority=100 in_port=2,ct_state=+trk+est,ip6,action=1
5010priority=100 in_port=2,ct_state=+trk+rel,ip6,action=1
5011])
5012
5013AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
5014
5015dnl Linux seems to take a little time to get its IPv6 stack in order. Without
5016dnl waiting, we get occasional failures due to the following error:
5017dnl "connect: Cannot assign requested address"
5018OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
5019
5020AT_CHECK([ovs-appctl dpctl/flush-conntrack])
5021
5022rm p0.pcap
5023tcpdump -U -i ovs-p0 -w p0.pcap &
5024sleep 1
5025
5026dnl UDP packets from ns0->ns1 should solicit a "destination unreachable" response.
5027NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc -6 $NC_EOF_OPT -u fc00::2 1"])
5028
5029AT_CHECK([tcpdump -v "icmp6" -r p0.pcap 2>/dev/null | egrep 'wrong|bad'], [1], [ignore-nolog])
5030
5031AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
5032udp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>)
5033])
5034
5035OVS_TRAFFIC_VSWITCHD_STOP
5036AT_CLEANUP
9ac0aada 5037
efa29a89 5038AT_SETUP([conntrack - IPv6 FTP with SNAT])
40c7b2fc 5039AT_SKIP_IF([test $HAVE_FTP = no])
9ac0aada 5040CHECK_CONNTRACK()
4573c42e 5041CHECK_CONNTRACK_NAT()
5042CHECK_CONNTRACK_ALG()
5043
5044OVS_TRAFFIC_VSWITCHD_START()
5045
5046ADD_NAMESPACES(at_ns0, at_ns1)
5047
5048ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
5049NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
5050ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
5051dnl Would be nice if NAT could translate neighbor discovery messages, too.
5052NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
5053
5054dnl Allow any traffic from ns0->ns1.
5055dnl Only allow ND and return traffic from ns1->ns0.
5056AT_DATA([flows.txt], [dnl
5057dnl Track all IPv6 traffic (this includes NAT and ALG help for non-NEW packets).
5058table=0 priority=10 ip6, action=ct(nat,table=1)
5059table=0 priority=0 action=drop
5060dnl
5061dnl Table 1
5062dnl
5063dnl Allow new TCPv6 FTP control connections.
5064table=1 in_port=1 ct_state=+new tcp6 ipv6_src=fc00::1 tp_dst=21 action=ct(alg=ftp,commit,nat(src=fc00::240)),2
5065dnl Allow related TCPv6 connections from port 2 to the NATted address.
5066table=1 in_port=2 ct_state=+new+rel tcp6 ipv6_dst=fc00::240 action=ct(commit,nat),1
5068dnl Allow established TCPv6 connections both ways, enforcing NATting.
5068table=1 in_port=1 ct_state=+est tcp6 ipv6_src=fc00::240 action=2
5069table=1 in_port=2 ct_state=+est tcp6 ipv6_dst=fc00::1 action=1
5070dnl Allow other ICMPv6 both ways (without commit).
5071table=1 priority=100 in_port=1 icmp6, action=2
5072table=1 priority=100 in_port=2 icmp6, action=1
5073dnl Drop everything else.
5074table=1 priority=0, action=drop
5075])
5076
5077AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
5078
5079dnl Linux seems to take a little time to get its IPv6 stack in order. Without
5080dnl waiting, we get occasional failures due to the following error:
5081dnl "connect: Cannot assign requested address"
5082OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
5083
7ed40afe 5084OVS_START_L7([at_ns1], [ftp])
5085
5086dnl FTP requests from p0->p1 should work fine.
4fee8b13 5087NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
9ac0aada 5088
a857bb69 5089dnl Discards CLOSE_WAIT and CLOSING
5090AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
5091tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
5092tcp,orig=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
5093])
5094
5095OVS_TRAFFIC_VSWITCHD_STOP
5096AT_CLEANUP
2c66ebe4 5097
efa29a89 5098AT_SETUP([conntrack - IPv6 FTP Passive with SNAT])
5099AT_SKIP_IF([test $HAVE_FTP = no])
5100CHECK_CONNTRACK()
5101CHECK_CONNTRACK_NAT()
5102CHECK_CONNTRACK_ALG()
5103
5104OVS_TRAFFIC_VSWITCHD_START()
5105
5106ADD_NAMESPACES(at_ns0, at_ns1)
5107
5108ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
5109NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
5110ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
5111NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:99])
5112NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::2 lladdr 80:88:88:88:88:99 dev p0])
5113NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
5114
5115dnl Allow any traffic from ns0->ns1.
5116dnl Only allow ND and return traffic from ns1->ns0.
5117AT_DATA([flows.txt], [dnl
5118dnl Track all IPv6 traffic (this includes NAT and ALG help for non-NEW packets).
5119table=0 priority=10 ip6, action=ct(nat,table=1)
5120table=0 priority=0 action=drop
5121dnl
5122dnl Table 1
5123dnl
5124dnl Allow new TCPv6 FTP control connections.
5125table=1 in_port=1 ct_state=+new tcp6 ipv6_src=fc00::1 tp_dst=21 action=ct(alg=ftp,commit,nat(src=fc00::240)),2
5126dnl Allow related TCPv6 connections from port 1.
5127table=1 in_port=1 ct_state=+new+rel tcp6 ipv6_dst=fc00::2 action=ct(commit,nat),2
5128dnl Allow established TCPv6 connections both ways, enforcing NATting.
5129table=1 in_port=1 ct_state=+est tcp6 ipv6_src=fc00::240 action=2
5130table=1 in_port=2 ct_state=+est tcp6 ipv6_dst=fc00::1 action=1
5131dnl Allow other ICMPv6 both ways (without commit).
5132table=1 priority=100 in_port=1 icmp6, action=2
5133table=1 priority=100 in_port=2 icmp6, action=1
5134dnl Drop everything else.
5135table=1 priority=0, action=drop
5136])
5137
5138AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
5139
5140dnl Linux seems to take a little time to get its IPv6 stack in order. Without
5141dnl waiting, we get occasional failures due to the following error:
5142dnl "connect: Cannot assign requested address"
5143OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
5144
5145OVS_START_L7([at_ns1], [ftp])
5146
5147dnl FTP requests from p0->p1 should work fine.
5148NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
5149
5150dnl Discards CLOSE_WAIT and CLOSING
5151AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
5152tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
5153tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
5154])
5155
5156OVS_TRAFFIC_VSWITCHD_STOP
5157AT_CLEANUP
daf4d3c1 5158
efa29a89 5159AT_SETUP([conntrack - IPv6 FTP with SNAT - orig tuple])
5160AT_SKIP_IF([test $HAVE_FTP = no])
5161CHECK_CONNTRACK()
5162CHECK_CONNTRACK_NAT()
aeae4330 5163CHECK_CONNTRACK_ALG()
5164OVS_TRAFFIC_VSWITCHD_START()
5165
5166ADD_NAMESPACES(at_ns0, at_ns1)
5167
5168ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
5169NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
5170ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
5171dnl Would be nice if NAT could translate neighbor discovery messages, too.
5172NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
5173
5174dnl Allow any traffic from ns0->ns1.
5175dnl Only allow ND and return traffic from ns1->ns0.
5176AT_DATA([flows.txt], [dnl
5177dnl Track all IPv6 traffic (this includes NAT and ALG help for non-NEW packets).
5178table=0 priority=10 ip6, action=ct(nat,table=1)
5179table=0 priority=0 action=drop
5180dnl
5181dnl Table 1
5182dnl
5183dnl Allow other ICMPv6 both ways (without commit).
5184table=1 priority=100 in_port=1 icmp6, action=2
5185table=1 priority=100 in_port=2 icmp6, action=1
5186dnl Allow new TCPv6 FTP control connections.
5187table=1 priority=10 in_port=1 ct_state=+new+trk-inv tcp6 ct_nw_proto=6 ct_ipv6_src=fc00::1 ct_tp_dst=21 action=ct(alg=ftp,commit,nat(src=fc00::240)),2
5188dnl Allow related TCPv6 connections from port 2 to the NATted address.
5189table=1 priority=10 in_port=2 ct_state=+new+rel+trk-inv ipv6 ct_nw_proto=6 ct_ipv6_src=fc00::1 ct_tp_dst=21 action=ct(commit,nat),1
5191dnl Allow established TCPv6 connections both ways, enforcing NATting.
5191table=1 priority=10 in_port=1 ct_state=+est+trk-inv ipv6 ct_nw_proto=6 ct_ipv6_src=fc00::1 ct_tp_dst=21 action=2
5192table=1 priority=10 in_port=2 ct_state=+est+trk-inv ipv6 ct_nw_proto=6 ct_ipv6_src=fc00::1 ct_tp_dst=21 action=1
5193dnl Drop everything else.
5194table=1 priority=0, action=drop
5195])
5196
5197AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
5198
5199dnl Linux seems to take a little time to get its IPv6 stack in order. Without
5200dnl waiting, we get occasional failures due to the following error:
5201dnl "connect: Cannot assign requested address"
5202OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
5203
5204NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
5205OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
5206
5207dnl FTP requests from p0->p1 should work fine.
5208NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
5209
5210dnl Discards CLOSE_WAIT and CLOSING
5211AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
5212tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
5213tcp,orig=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
5214])
5215
5216OVS_TRAFFIC_VSWITCHD_STOP
5217AT_CLEANUP
5218
efa29a89 5219AT_SETUP([conntrack - IPv4 TFTP with SNAT])
8fc6257b 5220AT_SKIP_IF([test $HAVE_TFTP = no])
5221CHECK_CONNTRACK()
5222CHECK_CONNTRACK_NAT()
5223CHECK_CONNTRACK_ALG()
5224
5225OVS_TRAFFIC_VSWITCHD_START()
5226
5227ADD_NAMESPACES(at_ns0, at_ns1)
5228
5229ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
5230NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
5231NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
5232
5233ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
5234NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
5235NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
5236NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.240 e6:66:c1:11:11:11])
5237
5238dnl Allow any traffic from ns0->ns1.
5239AT_DATA([flows.txt], [dnl
5240dnl Track all IPv4 traffic.
5241table=0 priority=10 ip, action=ct(table=1)
5242dnl Drop everything else.
5243table=0 priority=0 action=drop
5244dnl
5245dnl Table 1
5246dnl Allow ICMP both ways.
5247table=1 priority=100 in_port=1 icmp, action=2
5248table=1 priority=100 in_port=2 icmp, action=1
5249dnl
5250dnl Allow new TFTP control connections.
5251table=1 in_port=1 ct_state=+new udp nw_src=10.1.1.1 tp_dst=69 action=ct(alg=tftp,commit,nat(src=10.1.1.240)),2
5253dnl Allow related UDP connections from port 2.
5253table=1 in_port=2 ct_state=+new+rel udp nw_src=10.1.1.2 action=ct(commit,nat),1
5254dnl Allow established connections and NAT them.
5255table=1 in_port=1 ct_state=+est udp nw_src=10.1.1.1 action=ct(nat,table=2)
5256table=1 in_port=2 ct_state=+est udp nw_src=10.1.1.2 action=ct(nat,table=2)
5257dnl
5258table=1 priority=0, action=drop
5259dnl
5260table=2 in_port=1 ct_state=+est udp nw_src=10.1.1.240 action=2
5261table=2 in_port=2 ct_state=+est udp nw_dst=10.1.1.1 action=1
5262])
5263
5264AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
5265
5266dnl Check that the stacks are up and working, to avoid races.
5267OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2 >/dev/null])
5268
5269OVS_START_L7([at_ns0], [tftp])
5270OVS_START_L7([at_ns1], [tftp])
5271
5272dnl TFTP requests from p0->p1 should work fine.
5273NS_CHECK_EXEC([at_ns0], [[curl $CURL_OPT tftp://10.1.1.2/flows.txt -o foo 2>curl0.log]])
5274
5275AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
5276udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),helper=tftp
5277udp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>)
5278])
5279
5280OVS_TRAFFIC_VSWITCHD_STOP
5281AT_CLEANUP
daf4d3c1 5282
5283AT_SETUP([conntrack - DNAT load balancing])
5284CHECK_CONNTRACK()
4573c42e 5285CHECK_CONNTRACK_NAT()
5286OVS_TRAFFIC_VSWITCHD_START()
5287
5288ADD_NAMESPACES(at_ns1, at_ns2, at_ns3, at_ns4)
5289
5290ADD_VETH(p1, at_ns1, br0, "10.1.1.1/24")
5291ADD_VETH(p2, at_ns2, br0, "10.1.1.2/24")
5292ADD_VETH(p3, at_ns3, br0, "10.1.1.3/24")
5293ADD_VETH(p4, at_ns4, br0, "10.1.1.4/24")
5294NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:11])
5295NS_CHECK_EXEC([at_ns2], [ip link set dev p2 address 80:88:88:88:88:22])
5296NS_CHECK_EXEC([at_ns3], [ip link set dev p3 address 80:88:88:88:88:33])
5297NS_CHECK_EXEC([at_ns4], [ip link set dev p4 address 80:88:88:88:88:44])
5298
5299dnl Select group for load balancing. One bucket per server. Each bucket
5300dnl tracks and NATs the connection and recirculates to table 4 for egress
5301dnl routing. Packets of existing connections are always NATted based on
5302dnl connection state, only new connections are NATted according to the
5303dnl specific NAT parameters in each bucket.
5304AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn add-group br0 "group_id=234,type=select,bucket=weight=100,ct(nat(dst=10.1.1.2),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.3),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.4),commit,table=4)"])
5305
5306AT_DATA([flows.txt], [dnl
5307dnl Track connections to the virtual IP address.
5308table=0 priority=100 ip nw_dst=10.1.1.64 action=group:234
5309dnl All other IP traffic is allowed, but the connection state is not committed.
5310table=0 priority=90 ip action=ct(table=4,nat)
5311dnl
5312dnl Allow ARP, but generate responses for virtual addresses
5313table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
5314table=0 priority=10 arp action=normal
5315table=0 priority=0 action=drop
5316dnl
5317dnl Routing table
5318dnl
5319table=4,ip,nw_dst=10.1.1.1 action=mod_dl_dst:80:88:88:88:88:11,output:1
5320table=4,ip,nw_dst=10.1.1.2 action=mod_dl_dst:80:88:88:88:88:22,output:2
5321table=4,ip,nw_dst=10.1.1.3 action=mod_dl_dst:80:88:88:88:88:33,output:3
5322table=4,ip,nw_dst=10.1.1.4 action=mod_dl_dst:80:88:88:88:88:44,output:4
5323table=4 priority=0 action=drop
5324dnl
5325dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
5326table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
5327dnl Zero result means not found.
5328table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
5329dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
5330dnl TPA IP in reg2.
5331table=10 priority=100 arp xreg0=0 action=normal
5332dnl Swaps the fields of the ARP message to turn a query to a response.
5333table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
5334table=10 priority=0 action=controller
5335])
5336
5337AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
5338
5339dnl Start web servers
5340OVS_START_L7([at_ns2], [http])
5341OVS_START_L7([at_ns3], [http])
5342OVS_START_L7([at_ns4], [http])
5343
5344on_exit 'ovs-ofctl -O OpenFlow15 dump-flows br0'
5345on_exit 'ovs-appctl revalidator/purge'
5346on_exit 'ovs-appctl dpif/dump-flows br0'
5347
5348dnl Should work with the virtual IP address through NAT.
5349for i in 1 2 3 4 5 6 7 8 9 10 11 12; do
5350 echo Request $i
5351 NS_CHECK_EXEC([at_ns1], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget$i.log])
5352done
5353
5354dnl Each server should have at least one connection.
5355AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
5356tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
5357tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.3,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
5358tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
5359])
5360
5361ovs-appctl dpif/dump-flows br0
5362ovs-appctl revalidator/purge
5363ovs-ofctl -O OpenFlow15 dump-flows br0
5364ovs-ofctl -O OpenFlow15 dump-group-stats br0
5365
5366OVS_TRAFFIC_VSWITCHD_STOP
5367AT_CLEANUP
5368
5369
AT_SETUP([conntrack - DNAT load balancing with NC])
AT_SKIP_IF([test $HAVE_NC = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
OVS_TRAFFIC_VSWITCHD_START()

dnl at_ns1 and at_ns5 act as clients, at_ns2..at_ns4 as the real servers
dnl behind the virtual IP 10.1.1.64.
ADD_NAMESPACES(at_ns1, at_ns2, at_ns3, at_ns4, at_ns5)

dnl Ports are added in this order, so p1..p5 are OpenFlow ports 1..5; the
dnl routing table below (output:1 .. output:5) depends on that.  The fixed
dnl MAC addresses are the ones the mod_dl_dst rewrites below install.
ADD_VETH(p1, at_ns1, br0, "10.1.1.1/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.2/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.3/24")
ADD_VETH(p4, at_ns4, br0, "10.1.1.4/24")
ADD_VETH(p5, at_ns5, br0, "10.1.1.5/24")
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:11])
NS_CHECK_EXEC([at_ns2], [ip link set dev p2 address 80:88:88:88:88:22])
NS_CHECK_EXEC([at_ns3], [ip link set dev p3 address 80:88:88:88:88:33])
NS_CHECK_EXEC([at_ns4], [ip link set dev p4 address 80:88:88:88:88:44])
NS_CHECK_EXEC([at_ns5], [ip link set dev p5 address 80:88:88:88:88:55])

dnl Select group for load balancing. One bucket per server. Each bucket
dnl tracks and NATs the connection and recirculates to table 4 for egress
dnl routing. Packets of existing connections are always NATted based on
dnl connection state, only new connections are NATted according to the
dnl specific NAT parameters in each bucket.
AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn add-group br0 "group_id=234,type=select,bucket=weight=100,ct(nat(dst=10.1.1.2),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.3),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.4),commit,table=4)"])

AT_DATA([flows.txt], [dnl
dnl Track connections to the virtual IP address.
table=0 priority=100 ip nw_dst=10.1.1.64 action=group:234
dnl All other IP traffic is allowed but the connection state is not committed.
dnl ct(nat) without parameters only applies the mapping already recorded for
dnl the connection, which is what un-NATs the servers' replies back to the VIP.
table=0 priority=90 ip action=ct(table=4,nat)
dnl
dnl Allow ARP, but generate responses for virtual addresses
dnl (resubmit(,8) looks up the MAC for the target IP saved in reg2, then
dnl table 10 either answers the request itself or floods it normally).
table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
table=0 priority=10 arp action=normal
table=0 priority=0 action=drop
dnl
dnl Routing table
dnl
table=4,ip,nw_dst=10.1.1.1 action=mod_dl_dst:80:88:88:88:88:11,output:1
table=4,ip,nw_dst=10.1.1.2 action=mod_dl_dst:80:88:88:88:88:22,output:2
table=4,ip,nw_dst=10.1.1.3 action=mod_dl_dst:80:88:88:88:88:33,output:3
table=4,ip,nw_dst=10.1.1.4 action=mod_dl_dst:80:88:88:88:88:44,output:4
table=4,ip,nw_dst=10.1.1.5 action=mod_dl_dst:80:88:88:88:88:55,output:5
table=4 priority=0 action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl (0x0a010140 is 10.1.1.64, the virtual IP; its MAC is 80:88:88:88:88:88).
table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
table=10 priority=100 arp xreg0=0 action=normal
dnl Swaps the fields of the ARP message to turn a query to a response.
dnl The ingress port is saved in reg3 and in_port zeroed, so that the reply
dnl can be output back through the port the request arrived on.
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=controller
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Start web servers
OVS_START_L7([at_ns2], [http])
OVS_START_L7([at_ns3], [http])
OVS_START_L7([at_ns4], [http])

dnl Dump flow and group state at test exit to help diagnose a failure.
on_exit 'ovs-ofctl -O OpenFlow15 dump-flows br0'
on_exit 'ovs-appctl revalidator/purge'
on_exit 'ovs-appctl dpif/dump-flows br0'

dnl Fixed delay before the first request; presumably gives the servers time
dnl to start listening -- TODO confirm.  A condition-based OVS_WAIT_UNTIL
dnl would be less fragile than a timed sleep.
sleep 5

dnl Should work with the virtual IP address through NAT.
dnl Each client binds the fixed source port 4100$i, so every request has a
dnl distinct, reproducible 5-tuple; the two clients do not collide because
dnl their source IPs differ.  Only the exit status of nc is asserted.
for i in 1 2 3 4 5 6 7 8 9; do
    echo Request $i
    NS_CHECK_EXEC([at_ns1], [echo "TEST1" | nc -p 4100$i 10.1.1.64 80 > nc-1-$i.log])
    NS_CHECK_EXEC([at_ns5], [echo "TEST5" | nc -p 4100$i 10.1.1.64 80 > nc-5-$i.log])
done

dnl Diagnostic output only; the conntrack table is not asserted on here.
conntrack -L 2>&1

ovs-appctl dpif/dump-flows br0
ovs-appctl revalidator/purge
ovs-ofctl -O OpenFlow15 dump-flows br0
ovs-ofctl -O OpenFlow15 dump-group-stats br0

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
AT_SETUP([conntrack - floating IP])
AT_SKIP_IF([test $HAVE_NC = no])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()
dnl Presumably skips the test when the datapath lacks the ct_clear action the
dnl flows below depend on -- confirm against the macro definition.
OVS_CHECK_CT_CLEAR()

dnl Each host has a local address on 10.1.1.0/24 and a floating IP (FIP) on
dnl 10.254.254.0/24 that the bridge translates in tables 10 and 11.
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24", "f0:00:00:01:01:01") dnl FIP 10.254.254.1
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24", "f0:00:00:01:01:02") dnl FIP 10.254.254.2

dnl Static ARPs
NS_CHECK_EXEC([at_ns0], [ip neigh add 10.1.1.2 lladdr f0:00:00:01:01:02 dev p0])
NS_CHECK_EXEC([at_ns1], [ip neigh add 10.1.1.1 lladdr f0:00:00:01:01:01 dev p1])

dnl Static ARP and route entries for the FIP "gateway"
dnl (no host answers at 10.1.1.254; the entries only give the namespaces a
dnl next hop for the FIP subnet and a destination MAC for the bridge to
dnl rewrite in table 21).
NS_CHECK_EXEC([at_ns0], [ip neigh add 10.1.1.254 lladdr f0:00:00:01:01:FE dev p0])
NS_CHECK_EXEC([at_ns1], [ip neigh add 10.1.1.254 lladdr f0:00:00:01:01:FE dev p1])
NS_CHECK_EXEC([at_ns0], [ip route add default nexthop via 10.1.1.254])
NS_CHECK_EXEC([at_ns1], [ip route add default nexthop via 10.1.1.254])

dnl TCP listener in at_ns0 that both connections below target (port 1234).
NETNS_DAEMONIZE([at_ns0], [nc -l -k 1234 > /dev/null], [nc0.pid])

AT_DATA([flows.txt], [dnl
dnl Every IP packet is run through conntrack first.
table=0,priority=10 ip action=ct(table=1)
table=0,priority=1 action=drop
dnl dst FIP
table=1,priority=20 ip,ct_state=+trk+est,nw_dst=10.254.254.0/24 action=goto_table:10
table=1,priority=20 ip,ct_state=+trk+new,nw_dst=10.254.254.0/24 action=ct(commit,table=10)
dnl dst local
table=1,priority=10 ip,ct_state=+trk+est action=goto_table:20
table=1,priority=10 ip,ct_state=+trk+new action=ct(commit,table=20)
table=1,priority=1 ip,ct_state=+trk+inv action=drop
dnl
dnl FIP translation (dst FIP, src local) --> (dst local, src FIP)
table=10 ip,nw_dst=10.254.254.1 action=set_field:10.1.1.1->nw_dst,goto_table:11
table=10 ip,nw_dst=10.254.254.2 action=set_field:10.1.1.2->nw_dst,goto_table:11
table=11 ip,nw_src=10.1.1.1 action=set_field:10.254.254.1->nw_src,goto_table:12
table=11 ip,nw_src=10.1.1.2 action=set_field:10.254.254.2->nw_src,goto_table:12
dnl clear conntrack and do another lookup since we changed the tuple
dnl (the translated packet is tracked and committed as a second connection,
dnl which is what the TIME_WAIT check at the end relies on).
table=12,priority=10 ip action=ct_clear,ct(table=13)
table=12,priority=1 action=drop
table=13 ip,ct_state=+trk+est action=goto_table:20
table=13 ip,ct_state=+trk+new action=ct(commit,table=20)
table=13 ip,ct_state=+trk+inv action=drop
dnl
dnl Output
dnl Source MAC follows the (possibly translated) source IP; destination MAC
dnl and output port follow the local destination IP.
table=20 ip,nw_src=10.1.1.1 action=set_field:f0:00:00:01:01:01->eth_src,goto_table:21
table=20 ip,nw_src=10.1.1.2 action=set_field:f0:00:00:01:01:02->eth_src,goto_table:21
table=20 ip,nw_src=10.254.254.0/24 action=set_field:f0:00:00:01:01:FE->eth_src,goto_table:21
table=21 ip,nw_dst=10.1.1.1 action=set_field:f0:00:00:01:01:01->eth_dst,output:ovs-p0
table=21 ip,nw_dst=10.1.1.2 action=set_field:f0:00:00:01:01:02->eth_dst,output:ovs-p1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl non-FIP case
dnl $NC_EOF_OPT is presumably the variant-specific flag that makes nc exit
dnl once stdin reaches EOF -- confirm in the macro file.
NS_CHECK_EXEC([at_ns1], [echo "foobar" |nc $NC_EOF_OPT 10.1.1.1 1234])
OVS_WAIT_UNTIL([[ovs-appctl dpctl/dump-conntrack | sed -e 's/port=[0-9]*/port=<cleared>/g' -e 's/id=[0-9]*/id=<cleared>/g' |
grep "tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)"
]])

dnl Check that the full session ends as expected (i.e. TIME_WAIT). Otherwise it
dnl means the datapath didn't process the ct_clear action. Ending in SYN_RECV
dnl (OVS maps to ESTABLISHED) means the initial frame was committed, but not a
dnl second time after the FIP translation (because ct_clear didn't occur).
NS_CHECK_EXEC([at_ns1], [echo "foobar" |nc $NC_EOF_OPT 10.254.254.1 1234])
OVS_WAIT_UNTIL([[ovs-appctl dpctl/dump-conntrack | sed -e 's/port=[0-9]*/port=<cleared>/g' -e 's/id=[0-9]*/id=<cleared>/g' |
grep "tcp,orig=(src=10.254.254.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.254.254.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)"
]])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
5530
dnl 802.1ad (QinQ) tests.  Every test in this section requires double-tag
dnl support (OVS_CHECK_8021AD) and starts the switch with vlan-limit=0.
AT_BANNER([802.1ad])
5532
AT_SETUP([802.1ad - vlan_limit])
dnl vlan-limit=0 lifts the limit on how many VLAN tags are parsed, so the
dnl doubly tagged frames below are fully parsed to begin with.
OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])
OVS_CHECK_8021AD()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Outer 802.1ad S-tag 4094 on each veth ...
ADD_SVLAN(p0, at_ns0, 4094, "10.255.2.1/24")
ADD_SVLAN(p1, at_ns1, 4094, "10.255.2.2/24")

dnl ... and an inner 802.1Q C-tag 100 stacked on it, so 10.2.2.x traffic
dnl is double-tagged.
ADD_CVLAN(p0.4094, at_ns0, 100, "10.2.2.1/24")
ADD_CVLAN(p1.4094, at_ns1, 100, "10.2.2.2/24")

AT_CHECK([ovs-ofctl add-flow br0 "priority=1 action=normal"])

OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])

dnl CVLAN traffic should match the flow and drop
dnl With vlan-limit=1 only the outer tag is parsed and the inner tag is left
dnl in the payload, so dl_type shows its 0x8100 TPID and the drop flow
dnl matches.  The purge discards the datapath flows cached under the old
dnl setting so they are re-derived.
AT_CHECK([ovs-appctl revalidator/purge])
AT_CHECK([ovs-vsctl set Open_vSwitch . other_config:vlan-limit=1])
AT_CHECK([ovs-ofctl add-flow br0 "priority=100 dl_type=0x8100 action=drop"])
dnl Expected exit status 1: the ping must fail.
NS_CHECK_EXEC([at_ns0], [ping -q -c 1 -w 3 10.2.2.2], [1], [ignore])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
5560
5561
AT_SETUP([802.1ad - push/pop outer 802.1ad])
OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])
OVS_CHECK_8021AD()

dnl br0 plays the provider bridge; br1 and br2 are the customer bridges,
dnl each attached to br0 over its own veth pair.
ADD_BR([br1])
ADD_BR([br2])
ADD_NAMESPACES(at_ns0, at_ns1)

dnl ovs-p0 is the first port added to br0 (OpenFlow port 1) and ovs-p1 the
dnl first port on br1 (port 1); the flows below use these numbers.
AT_CHECK([ip link add ovs-p0 type veth peer name ovs-p1])
AT_CHECK([ip link set dev ovs-p0 up])
AT_CHECK([ip link set dev ovs-p1 up])
AT_CHECK([ovs-vsctl add-port br0 ovs-p0])
AT_CHECK([ovs-vsctl add-port br1 ovs-p1])
on_exit 'ip link del ovs-p0'

dnl Likewise ovs-p2 is port 2 on br0 and ovs-p3 port 1 on br2.
AT_CHECK([ip link add ovs-p2 type veth peer name ovs-p3])
AT_CHECK([ip link set dev ovs-p2 up])
AT_CHECK([ip link set dev ovs-p3 up])
AT_CHECK([ovs-vsctl add-port br0 ovs-p2])
AT_CHECK([ovs-vsctl add-port br2 ovs-p3])
on_exit 'ip link del ovs-p2'

dnl Customer hosts: untagged 10.1.1.x plus C-VLAN 100 carrying 10.2.2.x.
ADD_VETH(p4, at_ns0, br1, "10.1.1.1/24")
ADD_VETH(p5, at_ns1, br2, "10.1.1.2/24")
ADD_CVLAN(p4, at_ns0, 100, "10.2.2.1/24")
ADD_CVLAN(p5, at_ns1, 100, "10.2.2.2/24")

dnl Provider bridge: push an outer 802.1ad (TPID 0x88a8) tag 4094 on frames
dnl crossing between the two customer-facing ports; everything else drops.
AT_DATA([flows-br0.txt], [dnl
priority=1 action=drop
priority=100 in_port=1 action=push_vlan:0x88a8,mod_vlan_vid=4094,output:2
priority=100 in_port=2 action=push_vlan:0x88a8,mod_vlan_vid=4094,output:1
])

dnl Customer bridges: strip the outer tag from any tagged frame arriving on
dnl the provider link (vlan_tci bit 0x1000 is the "tag present" bit).
AT_DATA([flows-customer-br.txt], [dnl
priority=1 action=normal
priority=100 in_port=1 vlan_tci=0x1000/0x1000 action=pop_vlan,normal
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-customer-br.txt])
AT_CHECK([ovs-ofctl --bundle add-flows br2 flows-customer-br.txt])

OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])

NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Larger than the MTU, so the path must also handle fragments.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
5616
5617
AT_SETUP([802.1ad - push/pop outer 802.1q])
OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])
OVS_CHECK_8021AD()

dnl Same topology as the 802.1ad push/pop test: br0 is the provider bridge,
dnl br1 and br2 the customer bridges.  The only difference is the TPID of
dnl the outer tag (0x8100 instead of 0x88a8).
ADD_BR([br1])
ADD_BR([br2])
ADD_NAMESPACES(at_ns0, at_ns1)

dnl ovs-p0 becomes OpenFlow port 1 on br0, ovs-p1 port 1 on br1.
AT_CHECK([ip link add ovs-p0 type veth peer name ovs-p1])
AT_CHECK([ip link set dev ovs-p0 up])
AT_CHECK([ip link set dev ovs-p1 up])
AT_CHECK([ovs-vsctl add-port br0 ovs-p0])
AT_CHECK([ovs-vsctl add-port br1 ovs-p1])
on_exit 'ip link del ovs-p0'

dnl ovs-p2 becomes port 2 on br0, ovs-p3 port 1 on br2.
AT_CHECK([ip link add ovs-p2 type veth peer name ovs-p3])
AT_CHECK([ip link set dev ovs-p2 up])
AT_CHECK([ip link set dev ovs-p3 up])
AT_CHECK([ovs-vsctl add-port br0 ovs-p2])
AT_CHECK([ovs-vsctl add-port br2 ovs-p3])
on_exit 'ip link del ovs-p2'

dnl Customer hosts: untagged 10.1.1.x plus C-VLAN 100 carrying 10.2.2.x.
ADD_VETH(p4, at_ns0, br1, "10.1.1.1/24")
ADD_VETH(p5, at_ns1, br2, "10.1.1.2/24")
ADD_CVLAN(p4, at_ns0, 100, "10.2.2.1/24")
ADD_CVLAN(p5, at_ns1, 100, "10.2.2.2/24")

dnl Provider bridge: push an outer 802.1Q (TPID 0x8100) tag 4094, so the
dnl customer frames end up carrying two 0x8100 tags.
AT_DATA([flows-br0.txt], [dnl
priority=1 action=drop
priority=100 in_port=1 action=push_vlan:0x8100,mod_vlan_vid=4094,output:2
priority=100 in_port=2 action=push_vlan:0x8100,mod_vlan_vid=4094,output:1
])

dnl Customer bridges: pop the outer tag from tagged frames arriving on the
dnl provider link (vlan_tci bit 0x1000 is the "tag present" bit).
AT_DATA([flows-customer-br.txt], [dnl
priority=1 action=normal
priority=100 in_port=1 vlan_tci=0x1000/0x1000 action=pop_vlan,normal
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-customer-br.txt])
AT_CHECK([ovs-ofctl --bundle add-flows br2 flows-customer-br.txt])

OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])

NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Larger than the MTU, so the path must also handle fragments.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
5672
5673
AT_SETUP([802.1ad - 802.1q tunnel])
OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])
OVS_CHECK_8021AD()

dnl Same three-bridge topology as the push/pop tests, but the S-tag is
dnl handled by port configuration (dot1q-tunnel) rather than explicit flows.
ADD_BR([br1])
ADD_BR([br2])
ADD_NAMESPACES(at_ns0, at_ns1)

AT_CHECK([ip link add ovs-p0 type veth peer name ovs-p1])
AT_CHECK([ip link set dev ovs-p0 up])
AT_CHECK([ip link set dev ovs-p1 up])
AT_CHECK([ovs-vsctl add-port br0 ovs-p0])
AT_CHECK([ovs-vsctl add-port br1 ovs-p1])
on_exit 'ip link del ovs-p0'

AT_CHECK([ip link add ovs-p2 type veth peer name ovs-p3])
AT_CHECK([ip link set dev ovs-p2 up])
AT_CHECK([ip link set dev ovs-p3 up])
AT_CHECK([ovs-vsctl add-port br0 ovs-p2])
AT_CHECK([ovs-vsctl add-port br2 ovs-p3])
on_exit 'ip link del ovs-p2'

dnl Customer hosts carry three C-VLANs; only 100 and 200 are admitted by the
dnl tunnel ports below, 300 must be dropped.
ADD_VETH(p4, at_ns0, br1, "10.1.1.1/24")
ADD_VETH(p5, at_ns1, br2, "10.1.1.2/24")
ADD_CVLAN(p4, at_ns0, 100, "10.2.2.1/24")
ADD_CVLAN(p5, at_ns1, 100, "10.2.2.2/24")
ADD_CVLAN(p4, at_ns0, 200, "10.3.2.1/24")
ADD_CVLAN(p5, at_ns1, 200, "10.3.2.2/24")
ADD_CVLAN(p4, at_ns0, 300, "10.4.2.1/24")
ADD_CVLAN(p5, at_ns1, 300, "10.4.2.2/24")

AT_CHECK([ovs-ofctl add-flow br0 action=normal])
AT_CHECK([ovs-ofctl add-flow br1 action=normal])
AT_CHECK([ovs-ofctl add-flow br2 action=normal])
dnl dot1q-tunnel ports push S-tag 4094 on ingress and strip it on egress;
dnl cvlans restricts which inner VLANs the port accepts.
AT_CHECK([ovs-vsctl set port ovs-p0 vlan_mode=dot1q-tunnel tag=4094 cvlans=100,200])
AT_CHECK([ovs-vsctl set port ovs-p2 vlan_mode=dot1q-tunnel tag=4094 cvlans=100,200])

OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.3.2.2])

NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.3.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.3.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl CVLAN 300 is not permitted by dot1q-tunnel
dnl (exit status 1 expected: the ping must fail).
NS_CHECK_EXEC([at_ns0], [ping -q -c 1 -w 3 10.4.2.2], [1], [ignore])

dnl The drops for VLAN 300 (and for untagged / VLAN 0 frames) are logged;
dnl the sed expression removes those expected lines before the log is
dnl examined for unexpected warnings.
OVS_TRAFFIC_VSWITCHD_STOP(["/dropping VLAN \(0\|300\) packet received on dot1q-tunnel port/d"])
AT_CLEANUP
5735
AT_SETUP([802.1ad - double vlan match])
OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])
OVS_CHECK_8021AD()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Outer 802.1ad S-tag 4094 ...
ADD_SVLAN(p0, at_ns0, 4094, "10.255.2.1/24")
ADD_SVLAN(p1, at_ns1, 4094, "10.255.2.2/24")

dnl ... with inner C-tag 100 on top of it; 10.2.2.x traffic is double-tagged.
ADD_CVLAN(p0.4094, at_ns0, 100, "10.2.2.1/24")
ADD_CVLAN(p1.4094, at_ns1, 100, "10.2.2.2/24")

dnl Table 0 strips the outer S-tag 4094 so that table 1 can match the inner
dnl C-tag 100 directly; the S-tag is pushed back (TPID 0x88a8) before the
dnl frame is forwarded normally.
AT_DATA([flows-br0.txt], [dnl
table=0,priority=1 action=drop
table=0,priority=100 dl_vlan=4094 action=pop_vlan,goto_table:1
table=1,priority=100 dl_vlan=100 action=push_vlan:0x88a8,mod_vlan_vid:4094,normal
])
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])

OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])

NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Larger than the MTU, so the path must also handle fragments.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
5770
5771
dnl Network Service Header tests.  Frames are hand-crafted with sendpkt.py
dnl and the egress frame is verified from a tcpdump capture.
AT_BANNER([nsh-datapath])
5773
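AT_SETUP([nsh - encap header])
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

dnl No addresses are needed: the packets below are hand-crafted.
ADD_VETH(p0, at_ns0, br0, "0.0.0.0")
ADD_VETH(p1, at_ns1, br0, "0.0.0.0")

dnl The flow will encap a nsh header to the TCP syn packet
dnl eth/ip/tcp --> OVS --> eth/nsh/eth/ip/tcp
AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,in_port=ovs-p0,ip,actions=encap(nsh(md_type=1)),set_field:0x1234->nsh_spi,set_field:0x11223344->nsh_c1,encap(ethernet),set_field:f2:ff:00:00:00:02->dl_dst,set_field:f2:ff:00:00:00:01->dl_src,ovs-p1"])

dnl Capture on the egress side.  rm -f avoids an error on a first run, when
dnl no stale capture exists, and the capture process is terminated at test
dnl exit instead of being left behind.
rm -f ovs-p1.pcap
tcpdump -U -i ovs-p1 -w ovs-p1.pcap &
on_exit "kill $!"
sleep 1

dnl The hex dump is a TCP syn packet. pkt=eth/ip/tcp
dnl The packet is sent from p0(at_ns0) interface directed to
dnl p1(at_ns1) interface
NS_CHECK_EXEC([at_ns0], [$PYTHON $srcdir/sendpkt.py p0 f2 00 00 00 00 02 f2 00 00 00 00 01 08 00 45 00 00 28 00 01 00 00 40 06 b0 13 c0 a8 00 0a 0a 00 00 0a 04 00 08 00 00 00 00 c8 00 00 00 00 50 02 20 00 b8 5e 00 00 > /dev/null])

sleep 1

dnl Check the expected nsh encapsulated packet on the egress interface.
dnl 0x894f is the NSH ethertype; 0x0103 is MD type 1 / next protocol 3
dnl (Ethernet), 0x001234ff is SPI 0x1234 with SI 0xff (not set by the flow),
dnl and 0x11223344 is context header C1, all as set by the flow above.
dnl grep's stderr is routed into the checked stdout, so any grep diagnostic
dnl also fails the check; grep -E is used because egrep is obsolescent and
dnl newer grep releases print a warning for it.
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0000: *f2ff *0000 *0002 *f2ff *0000 *0001 *894f *0fc6" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0010: *0103 *0012 *34ff *1122 *3344 *0000 *0000 *0000" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0020: *0000 *0000 *0000 *f200 *0000 *0002 *f200 *0000" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0030: *0001 *0800 *4500 *0028 *0001 *0000 *4006 *b013" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0040: *c0a8 *000a *0a00 *000a *0400 *0800 *0000 *00c8" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0050: *0000 *0000 *5002 *2000 *b85e *0000" 2>&1 1>/dev/null])


OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP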
5808
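AT_SETUP([nsh - decap header])
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

dnl No addresses are needed: the packets below are hand-crafted.
ADD_VETH(p0, at_ns0, br0, "0.0.0.0")
ADD_VETH(p1, at_ns1, br0, "0.0.0.0")

dnl The flow will decap a nsh header which in turn carries a TCP syn packet
dnl eth/nsh/eth/ip/tcp --> OVS --> eth/ip/tcp
dnl The first decap() strips the outer Ethernet header, the second the NSH
dnl header, leaving the inner eth/ip/tcp frame.
AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,in_port=ovs-p0,dl_type=0x894f, actions=decap(),decap(), ovs-p1"])

dnl Capture on the egress side.  rm -f avoids an error on a first run, when
dnl no stale capture exists, and the capture process is terminated at test
dnl exit instead of being left behind.
rm -f ovs-p1.pcap
tcpdump -U -i ovs-p1 -w ovs-p1.pcap &
on_exit "kill $!"
sleep 1

dnl The hex dump is NSH packet with TCP syn payload. pkt=eth/nsh/eth/ip/tcp
dnl The packet is sent from p0(at_ns0) interface directed to
dnl p1(at_ns1) interface
NS_CHECK_EXEC([at_ns0], [$PYTHON $srcdir/sendpkt.py p0 f2 ff 00 00 00 02 f2 ff 00 00 00 01 89 4f 02 06 01 03 00 00 64 03 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 f2 00 00 00 00 02 f2 00 00 00 00 01 08 00 45 00 00 28 00 01 00 00 40 06 b0 13 c0 a8 00 0a 0a 00 00 0a 04 00 08 00 00 00 00 c8 00 00 00 00 50 02 20 00 b8 5e 00 00 > /dev/null])

sleep 1

dnl Check the expected de-capsulated TCP packet on the egress interface:
dnl the inner Ethernet header (f2:00:00:00:00:02 / f2:00:00:00:00:01, type
dnl 0x0800) must now be the outermost header.
dnl grep's stderr is routed into the checked stdout, so any grep diagnostic
dnl also fails the check; grep -E is used because egrep is obsolescent and
dnl newer grep releases print a warning for it.
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0000: *f200 *0000 *0002 *f200 *0000 *0001 *0800 *4500" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0010: *0028 *0001 *0000 *4006 *b013 *c0a8 *000a *0a00" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0020: *000a *0400 *0800 *0000 *00c8 *0000 *0000 *5002" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0030: *2000 *b85e *0000" 2>&1 1>/dev/null])


OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP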
5841
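AT_SETUP([nsh - replace header])
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

dnl No addresses are needed: the packets below are hand-crafted.
ADD_VETH(p0, at_ns0, br0, "0.0.0.0")
ADD_VETH(p1, at_ns1, br0, "0.0.0.0")

dnl The flow will decap a nsh header and encap a new nsh header
dnl eth/nsh-X/eth/ip/tcp --> OVS --> eth/nsh-Y/eth/ip/tcp
dnl The flow will add another NSH header with nsh_spi=0x101, nsh_si=4,
dnl nsh_ttl=7 and change the md1 context
AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,in_port=ovs-p0,dl_type=0x894f,nsh_spi=0x100,nsh_si=0x03,actions=decap(),decap(),encap(nsh(md_type=1)),set_field:0x07->nsh_ttl,set_field:0x0101->nsh_spi,set_field:0x04->nsh_si,set_field:0x100f0e0d->nsh_c1,set_field:0x0c0b0a09->nsh_c2,set_field:0x08070605->nsh_c3,set_field:0x04030201->nsh_c4,encap(ethernet),set_field:f2:ff:00:00:00:02->dl_dst,set_field:f2:ff:00:00:00:01->dl_src,ovs-p1"])

dnl Capture on the egress side.  rm -f avoids an error on a first run, when
dnl no stale capture exists, and the capture process is terminated at test
dnl exit instead of being left behind.
rm -f ovs-p1.pcap
tcpdump -U -i ovs-p1 -w ovs-p1.pcap &
on_exit "kill $!"
sleep 1

dnl The hex dump is NSH packet with TCP syn payload. pkt=eth/nsh/eth/ip/tcp
dnl The nsh_ttl is 8, nsh_spi is 0x100 and nsh_si is 3
dnl The packet is sent from p0(at_ns0) interface directed to
dnl p1(at_ns1) interface
NS_CHECK_EXEC([at_ns0], [$PYTHON $srcdir/sendpkt.py p0 f2 ff 00 00 00 02 f2 ff 00 00 00 01 89 4f 02 06 01 03 00 01 00 03 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 f2 00 00 00 00 02 f2 00 00 00 00 01 08 00 45 00 00 28 00 01 00 00 40 06 b0 13 c0 a8 00 0a 0a 00 00 0a 04 00 08 00 00 00 00 c8 00 00 00 00 50 02 20 00 b8 5e 00 00 > /dev/null])

sleep 1

dnl Check the expected NSH packet with new fields in the header.
dnl Base header 0x01c6 encodes TTL 7 and length 6 (32-bit words); 0x0103 is
dnl MD type 1 / next protocol Ethernet; 0x00010104 is SPI 0x101 with SI 4;
dnl the following four words are context headers C1..C4 as set by the flow.
dnl The first pattern had a misplaced "*" ("0000* 0001"); it is now spaced
dnl like the other lines so each 16-bit word is matched as a whole.
dnl grep's stderr is routed into the checked stdout, so any grep diagnostic
dnl also fails the check; grep -E is used because egrep is obsolescent and
dnl newer grep releases print a warning for it.
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0000: *f2ff *0000 *0002 *f2ff *0000 *0001 *894f *01c6" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0010: *0103 *0001 *0104 *100f *0e0d *0c0b *0a09 *0807" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0020: *0605 *0403 *0201 *f200 *0000 *0002 *f200 *0000" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0030: *0001 *0800 *4500 *0028 *0001 *0000 *4006 *b013" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0040: *c0a8 *000a *0a00 *000a *0400 *0800 *0000 *00c8" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0050: *0000 *0000 *5002 *2000 *b85e *0000" 2>&1 1>/dev/null])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP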
5878
5879
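AT_SETUP([nsh - forward])
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2)

dnl No addresses are needed: the packets below are hand-crafted.
ADD_VETH(p0, at_ns0, br0, "0.0.0.0")
ADD_VETH(p1, at_ns1, br0, "0.0.0.0")
ADD_VETH(p2, at_ns2, br0, "0.0.0.0")

dnl Push two flows to OVS. #1 will check on SPI=0X100, SI=2 and send the
dnl packet to at_ns1. #2 will check on SPI=0X100, SI=1 and send the
dnl packet to to at_ns2.  The NSH header is forwarded unchanged; only the
dnl service index selects the output port.
AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,dl_type=0x894f,nsh_spi=0x100,nsh_si=0x02,actions=ovs-p1"])
AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,dl_type=0x894f,nsh_spi=0x100,nsh_si=0x01,actions=ovs-p2"])


dnl Capture on both egress ports.  rm -f avoids an error on a first run,
dnl when no stale capture exists, and each capture process is terminated at
dnl test exit instead of being left behind.
rm -f ovs-p1.pcap
rm -f ovs-p2.pcap
tcpdump -U -i ovs-p1 -w ovs-p1.pcap &
on_exit "kill $!"
tcpdump -U -i ovs-p2 -w ovs-p2.pcap &
on_exit "kill $!"
sleep 1

dnl First send packet from at_ns0 --> OVS with SPI=0x100 and SI=2
dnl (base header 0x0206: TTL 8, length 6 words).
NS_CHECK_EXEC([at_ns0], [$PYTHON $srcdir/sendpkt.py p0 f2 ff 00 00 00 02 f2 ff 00 00 00 01 89 4f 02 06 01 03 00 01 00 02 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 f2 00 00 00 00 02 f2 00 00 00 00 01 08 00 45 00 00 28 00 01 00 00 40 06 b0 13 c0 a8 00 0a 0a 00 00 0a 04 00 08 00 00 00 00 c8 00 00 00 00 50 02 20 00 b8 5e 00 00 > /dev/null])

sleep 1

dnl Check for the above packet on ovs-p1 interface.
dnl grep's stderr is routed into the checked stdout, so any grep diagnostic
dnl also fails the check; grep -E is used because egrep is obsolescent and
dnl newer grep releases print a warning for it.
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0000: *f2ff *0000 *0002 *f2ff *0000 *0001 *894f *0206" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0010: *0103 *0001 *0002 *0102 *0304 *0506 *0708 *090a" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0020: *0b0c *0d0e *0f10 *f200 *0000 *0002 *f200 *0000" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0030: *0001 *0800 *4500 *0028 *0001 *0000 *4006 *b013" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0040: *c0a8 *000a *0a00 *000a *0400 *0800 *0000 *00c8" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0050: *0000 *0000 *5002 *2000 *b85e *0000" 2>&1 1>/dev/null])


dnl Send the second packet from at_ns1 --> OVS with SPI=0x100 and SI=1
dnl (base header 0x01c6: TTL 7, length 6 words).
NS_CHECK_EXEC([at_ns1], [$PYTHON $srcdir/sendpkt.py p1 f2 ff 00 00 00 02 f2 ff 00 00 00 01 89 4f 01 c6 01 03 00 01 00 01 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 f2 00 00 00 00 02 f2 00 00 00 00 01 08 00 45 00 00 28 00 01 00 00 40 06 b0 13 c0 a8 00 0a 0a 00 00 0a 04 00 08 00 00 00 00 c8 00 00 00 00 50 02 20 00 b8 5e 00 00 > /dev/null])

sleep 1

dnl Check for the above packet on ovs-p2 interface
AT_CHECK([tcpdump -xx -r ovs-p2.pcap 2>&1 | grep -E "0x0000: *f2ff *0000 *0002 *f2ff *0000 *0001 *894f *01c6" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p2.pcap 2>&1 | grep -E "0x0010: *0103 *0001 *0001 *0102 *0304 *0506 *0708 *090a" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p2.pcap 2>&1 | grep -E "0x0020: *0b0c *0d0e *0f10 *f200 *0000 *0002 *f200 *0000" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p2.pcap 2>&1 | grep -E "0x0030: *0001 *0800 *4500 *0028 *0001 *0000 *4006 *b013" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p2.pcap 2>&1 | grep -E "0x0040: *c0a8 *000a *0a00 *000a *0400 *0800 *0000 *00c8" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p2.pcap 2>&1 | grep -E "0x0050: *0000 *0000 *5002 *2000 *b85e *0000" 2>&1 1>/dev/null])



OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP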