dnl Datapath sanity tests: end-to-end connectivity through the OVS datapath
dnl with a single NORMAL flow, plain and VLAN-tagged, over a bond, and over
dnl the supported tunnel types.  Every test wires Linux network namespaces to
dnl br0 with veth pairs and checks ping/wget results from inside a namespace.
AT_BANNER([datapath-sanity])

dnl Baseline: two namespaces, one veth each on br0, NORMAL forwarding only.
dnl Pings with the default payload and with 1600 and 3200 bytes (both larger
dnl than a typical 1500-byte MTU).  FORMAT_PING normalises the ping summary so
dnl only the transmitted/received counts are compared, not the timings.
AT_SETUP([datapath - ping between two ports])
OVS_TRAFFIC_VSWITCHD_START()

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
25
dnl Same two-port topology, but exercises a TCP flow: an HTTP server is started
dnl in at_ns1 (OVS_START_L7) and at_ns0 must fetch from it.  The ping first
dnl confirms L2/L3 reachability so a wget failure points at TCP, not wiring.
dnl wget retries up to 3 times with a 1 s timeout and writes its log to
dnl wget0.log for post-mortem inspection.
AT_SETUP([datapath - http between two ports])
OVS_TRAFFIC_VSWITCHD_START()

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_START_L7([at_ns1], [http])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
45
dnl As the plain two-port test, but the pings run over 802.1Q sub-interfaces
dnl (VLAN 100, 10.2.2.0/24) created on top of the veths, so br0 must forward
dnl tagged frames between the ports with the NORMAL action.
AT_SETUP([datapath - ping between two ports on vlan])
OVS_TRAFFIC_VSWITCHD_START()

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")

NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
71
dnl Double-tagged (QinQ) variant: an 802.1ad service VLAN 4094 on each veth
dnl and a customer VLAN 100 nested inside it.  OVS_CHECK_8021AD skips the test
dnl where 802.1ad is unsupported.  The OVS_WAIT_UNTIL ping gives the stacked
dnl interfaces time to come up before the counted pings start.
AT_SETUP([datapath - ping between two ports on cvlan])
OVS_TRAFFIC_VSWITCHD_START()
OVS_CHECK_8021AD()

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

ADD_SVLAN(p0, at_ns0, 4094, "10.255.2.1/24")
ADD_SVLAN(p1, at_ns1, 4094, "10.255.2.2/24")

ADD_CVLAN(p0.4094, at_ns0, 100, "10.2.2.1/24")
ADD_CVLAN(p1.4094, at_ns1, 100, "10.2.2.2/24")

OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])

NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
103
dnl IPv6 counterpart of the two-port ping test (fc00::/96 on the veths).
AT_SETUP([datapath - ping6 between two ports])
OVS_TRAFFIC_VSWITCHD_START()

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])

NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
131
dnl IPv6 over 802.1Q sub-interfaces (VLAN 100, fc00:1::/96).
AT_SETUP([datapath - ping6 between two ports on vlan])
OVS_TRAFFIC_VSWITCHD_START()

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

ADD_VLAN(p0, at_ns0, 100, "fc00:1::1/96")
ADD_VLAN(p1, at_ns1, 100, "fc00:1::2/96")

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00:1::2])

NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
810e1785 162
dnl IPv6 over QinQ: service VLAN 4094 (802.1ad) with customer VLAN 100 inside.
dnl As in the IPv4 cvlan test, a single OVS_WAIT_UNTIL ping lets the stacked
dnl interfaces settle before the counted pings.
AT_SETUP([datapath - ping6 between two ports on cvlan])
OVS_TRAFFIC_VSWITCHD_START()
OVS_CHECK_8021AD()

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

ADD_SVLAN(p0, at_ns0, 4094, "fc00:ffff::1/96")
ADD_SVLAN(p1, at_ns1, 4094, "fc00:ffff::2/96")

ADD_CVLAN(p0.4094, at_ns0, 100, "fc00:1::1/96")
ADD_CVLAN(p1.4094, at_ns1, 100, "fc00:1::2/96")

OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00:1::2])

NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
194
dnl at_ns1 is attached through an OVS bond of two veths (p1, p2) configured
dnl with active LACP and balance-tcp hashing; at_ns0 pings it through a
dnl single port.  The OVS_WAIT_UNTIL ping covers LACP negotiation time.
AT_SETUP([datapath - ping over bond])
OVS_TRAFFIC_VSWITCHD_START()

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH_BOND(p1 p2, at_ns1, br0, bond0, lacp=active bond_mode=balance-tcp, "10.1.1.2/24")

OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2])

NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
219
dnl VXLAN overlay.  Topology shared by all tunnel tests below: br-underlay
dnl carries 172.31.1.0/24 between the host (172.31.1.100 on the bridge
dnl itself) and at_ns0 (172.31.1.1 via veth p0); the overlay 10.1.1.0/24 is
dnl terminated by an OVS vxlan port on br0 (10.1.1.100) on the host side and
dnl a native Linux vxlan device (10.1.1.1) inside the namespace.  VNI 0 and
dnl UDP port 4789 are passed explicitly so both ends agree.
AT_SETUP([datapath - ping over vxlan tunnel])
OVS_CHECK_VXLAN()

OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
                  [id 0 dstport 4789])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with different packet sizes
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
260
dnl VXLAN over an IPv6 underlay (fc00::/64) carrying an IPv4 overlay.  The
dnl native device is created with udp6zerocsumtx/udp6zerocsumrx, which is why
dnl the test is gated on OVS_CHECK_VXLAN_UDP6ZEROCSUM; "nodad" skips
dnl duplicate-address detection so the addresses are usable immediately.
AT_SETUP([datapath - ping over vxlan6 tunnel])
OVS_CHECK_VXLAN_UDP6ZEROCSUM()

OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "fc00::1/64", [], [], "nodad")
AT_CHECK([ip addr add dev br-underlay "fc00::100/64" nodad])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL6([vxlan], [br0], [at_vxlan0], [fc00::1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL6([vxlan], [at_vxlan1], [at_ns0], [fc00::100], [10.1.1.1/24],
                   [id 0 dstport 4789 udp6zerocsumtx udp6zerocsumrx])

dnl Wait for the IPv6 underlay to become reachable before counting packets.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::100])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with different packet sizes
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
303
dnl GRE overlay: OVS gre port on br0 against a native gretap device in the
dnl namespace.  Skipped on kernel versions covered by
dnl OVS_CHECK_KERNEL_EXCL(3, 10, 4, 15) (see that macro for the exact range)
dnl and where OVS_CHECK_GRE finds no GRE support.
AT_SETUP([datapath - ping over gre tunnel])
OVS_CHECK_KERNEL_EXCL(3, 10, 4, 15)
OVS_CHECK_GRE()

OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with different packet sizes
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
344
dnl GRE over an IPv6 underlay (fc00:100::/96) in L2 mode: the OVS ip6gre port
dnl is created with options:packet_type=legacy_l2 so it carries Ethernet
dnl frames like the ip6gretap device in the namespace.  Only a default-size
dnl overlay ping is performed here.
AT_SETUP([datapath - ping over ip6gre L2 tunnel])
OVS_CHECK_KERNEL_EXCL(3, 10, 4, 15)
OVS_CHECK_GRE()
OVS_CHECK_ERSPAN()

OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "fc00:100::1/96", [], [], nodad)
AT_CHECK([ip addr add dev br-underlay "fc00:100::100/96" nodad])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL6([ip6gre], [br0], [at_gre0], [fc00:100::1], [10.1.1.100/24],
                [options:packet_type=legacy_l2])
ADD_NATIVE_TUNNEL6([ip6gretap], [ns_gretap0], [at_ns0], [fc00:100::100],
                   [10.1.1.1/24], [local fc00:100::1])

dnl Wait for the IPv6 underlay to become reachable before counting packets.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 2 fc00:100::100])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:100::100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with a default-size ping.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
383
384
dnl ERSPAN version 1 over IPv4.  The session key (1) and ERSPAN index (7) must
dnl match on the OVS port options and on the native device, otherwise the two
dnl ends will not accept each other's frames.
AT_SETUP([datapath - ping over erspan v1 tunnel])
OVS_CHECK_KERNEL_EXCL(3, 10, 4, 15)
OVS_CHECK_GRE()
OVS_CHECK_ERSPAN()

OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([erspan], [br0], [at_erspan0], [172.31.1.1], [10.1.1.100/24], [options:key=1 options:erspan_ver=1 options:erspan_idx=7])
ADD_NATIVE_TUNNEL([erspan], [ns_erspan0], [at_ns0], [172.31.1.100], [10.1.1.1/24], [seq key 1 erspan_ver 1 erspan 7])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay.  Only a 1200-byte payload is sent; the
dnl default-size ping below is kept commented out and the reason is not
dnl recorded here -- TODO confirm whether it can be re-enabled.
dnl NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
NS_CHECK_EXEC([at_ns0], [ping -s 1200 -i 0.3 -c 3 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
420
dnl ERSPAN version 2 over IPv4.  Key 1, direction and hardware id 7 are set on
dnl both ends; the OVS side encodes the direction as erspan_dir=1, the native
dnl device as "erspan_dir egress".
AT_SETUP([datapath - ping over erspan v2 tunnel])
OVS_CHECK_KERNEL_EXCL(3, 10, 4, 15)
OVS_CHECK_GRE()
OVS_CHECK_ERSPAN()

OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([erspan], [br0], [at_erspan0], [172.31.1.1], [10.1.1.100/24], [options:key=1 options:erspan_ver=2 options:erspan_dir=1 options:erspan_hwid=0x7])
ADD_NATIVE_TUNNEL([erspan], [ns_erspan0], [at_ns0], [172.31.1.100], [10.1.1.1/24], [seq key 1 erspan_ver 2 erspan_dir egress erspan_hwid 7])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay.  Only a 1200-byte payload is sent; the
dnl default-size ping below is kept commented out and the reason is not
dnl recorded here -- TODO confirm whether it can be re-enabled.
dnl NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
NS_CHECK_EXEC([at_ns0], [ping -s 1200 -i 0.3 -c 3 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
456
dnl ERSPAN version 1 over an IPv6 underlay.  Key 123 and index 7 are set on
dnl both ends (0x7 on the OVS side, 7 on the native device).
AT_SETUP([datapath - ping over ip6erspan v1 tunnel])
OVS_CHECK_KERNEL_EXCL(3, 10, 4, 15)
OVS_CHECK_GRE()
OVS_CHECK_ERSPAN()

OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "fc00:100::1/96", [], [], nodad)
AT_CHECK([ip addr add dev br-underlay "fc00:100::100/96" nodad])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL6([ip6erspan], [br0], [at_erspan0], [fc00:100::1], [10.1.1.100/24],
                [options:key=123 options:erspan_ver=1 options:erspan_idx=0x7])
ADD_NATIVE_TUNNEL6([ip6erspan], [ns_erspan0], [at_ns0], [fc00:100::100],
                   [10.1.1.1/24], [local fc00:100::1 seq key 123 erspan_ver 1 erspan 7])

dnl Wait for the IPv6 underlay to become reachable before counting packets.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 2 fc00:100::100])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:100::100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with a default-size ping.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
495
dnl ERSPAN version 2 over an IPv6 underlay.  Key 121, ingress direction
dnl (erspan_dir=0 on the OVS side) and hardware id 0x7 are set on both ends.
AT_SETUP([datapath - ping over ip6erspan v2 tunnel])
OVS_CHECK_KERNEL_EXCL(3, 10, 4, 15)
OVS_CHECK_GRE()
OVS_CHECK_ERSPAN()

OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "fc00:100::1/96", [], [], nodad)
AT_CHECK([ip addr add dev br-underlay "fc00:100::100/96" nodad])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL6([ip6erspan], [br0], [at_erspan0], [fc00:100::1], [10.1.1.100/24],
                [options:key=121 options:erspan_ver=2 options:erspan_dir=0 options:erspan_hwid=0x7])
ADD_NATIVE_TUNNEL6([ip6erspan], [ns_erspan0], [at_ns0], [fc00:100::100],
                   [10.1.1.1/24],
                   [local fc00:100::1 seq key 121 erspan_ver 2 erspan_dir ingress erspan_hwid 0x7])

dnl Wait for the IPv6 underlay to become reachable before counting packets.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 2 fc00:100::100])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:100::100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with a default-size ping.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
535
dnl Geneve overlay over IPv4, same layout as the vxlan test: OVS geneve port
dnl on br0 against a native geneve device in the namespace, VNI 0.
AT_SETUP([datapath - ping over geneve tunnel])
OVS_CHECK_GENEVE()

OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([geneve], [br0], [at_gnv0], [172.31.1.1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL([geneve], [ns_gnv0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
                  [vni 0])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with different packet sizes
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
576
dnl Checks that Geneve tunnel metadata set in the pipeline survives a
dnl controller(pause)/resume round trip.  "ovs-ofctl monitor br0 resume" is
dnl detached as a minimal controller that resumes every paused packet.  ICMP
dnl arriving from the tunnel gets tun_metadata0=0xa in table 0, is paused in
dnl table 1 and, once resumed, may only reach LOCAL via the table 2 match on
dnl tun_metadata0=0xa -- so a successful ping proves the value was preserved.
AT_SETUP([datapath - flow resume with geneve tun_metadata])
OVS_CHECK_GENEVE()

OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])

dnl stderr is discarded here; the monitor's pidfile is what OVS_APP_EXIT_AND_WAIT
dnl uses to stop it at the end of the test.
AT_CHECK([ovs-ofctl monitor br0 resume --detach --no-chdir --pidfile 2> /dev/null])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([geneve], [br0], [at_gnv0], [172.31.1.1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL([geneve], [ns_gnv0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
                  [vni 0])

dnl Set up flows
AT_DATA([flows.txt], [dnl
table=0, arp action=NORMAL
table=0, in_port=LOCAL icmp action=output:at_gnv0
table=0, in_port=at_gnv0 icmp action=set_field:0xa->tun_metadata0,resubmit(,1)
table=1, icmp action=controller(pause), resubmit(,2)
table=2, tun_metadata0=0xa, icmp action=output:LOCAL
])
dnl Map Geneve option class 0xffff / type 0 (4 bytes) onto tun_metadata0 so the
dnl field is valid for set_field and the table 2 match.
AT_CHECK([ovs-ofctl add-tlv-map br0 "{class=0xffff,type=0,len=4}->tun_metadata0"])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

NS_CHECK_EXEC([at_ns0], [ping -q -c 3 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_APP_EXIT_AND_WAIT([ovs-ofctl])
OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
617
dnl Geneve over an IPv6 underlay (fc00::/64), IPv4 overlay, VNI 0.  As with
dnl vxlan6, the native device uses udp6zerocsumtx/udp6zerocsumrx, hence the
dnl OVS_CHECK_GENEVE_UDP6ZEROCSUM gate and "nodad" on the addresses.
AT_SETUP([datapath - ping over geneve6 tunnel])
OVS_CHECK_GENEVE_UDP6ZEROCSUM()

OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "fc00::1/64", [], [], "nodad")
AT_CHECK([ip addr add dev br-underlay "fc00::100/64" nodad])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL6([geneve], [br0], [at_gnv0], [fc00::1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL6([geneve], [ns_gnv0], [at_ns0], [fc00::100], [10.1.1.1/24],
                   [vni 0 udp6zerocsumtx udp6zerocsumrx])

dnl Wait for the IPv6 underlay to become reachable before counting packets.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::100])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with different packet sizes
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
07659514 660
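dnl GRE overlay driven by pre-built frames instead of a native gretap device:
dnl OVS injects GRE-encapsulated ARP and ICMP requests on br-underlay with
dnl packet-out and a tcpdump inside the namespace must see br0's decapsulated
dnl replies.  MAC addresses are pinned on both bridges and the veth so the
dnl hex frames below and the expected tcpdump lines are deterministic.
AT_SETUP([datapath - ping over gre tunnel by simulated packets])
OVS_CHECK_MIN_KERNEL(3, 10)

OVS_TRAFFIC_VSWITCHD_START()
AT_CHECK([ovs-vsctl -- set bridge br0 other-config:hwaddr=\"f2:ff:00:00:00:01\"])
ADD_BR([br-underlay], [set bridge br-underlay other-config:hwaddr=\"f2:ff:00:00:00:02\"])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24", f2:ff:00:00:00:03)
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace.
ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])

dnl Certain Linux distributions, like CentOS, have default iptables rules
dnl that reject input traffic from br-underlay.  Insert an ACCEPT rule scoped
dnl to that interface to work around it (best effort: the command is not
dnl checked so hosts without iptables still run the test).  The rule is
dnl removed on exit by its specification rather than by position "1", so the
dnl host firewall is restored even if some other rule was inserted at the
dnl top of INPUT after ours.
iptables -I INPUT 1 -i br-underlay -j ACCEPT
on_exit 'iptables -D INPUT -i br-underlay -j ACCEPT'

dnl Capture, inside the namespace, everything the host sends back to the
dnl namespace side of the underlay.  The capture runs in the background for
dnl the rest of the test; remember its PID so it is terminated on exit
dnl instead of outliving the test (ip netns exec runs tcpdump in place, so
dnl $! is the capture process -- TODO confirm on the target iproute2).
ip netns exec at_ns0 tcpdump -n -i p0 dst host 172.31.1.1 -l > p0.pcap &
tcpdump_pid=$!
on_exit "kill $tcpdump_pid"
sleep 1

dnl First, check the underlay.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl We don't actually add gretap port as below, instead, we will
dnl emulate one that sends packets. Suppose its mac address is f2:ff:00:00:00:04.
dnl ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24])

dnl Now, check the overlay by sending out raw arp and icmp packets.
dnl Frame 1: Ethernet/IP(172.31.1.1 -> 172.31.1.100)/GRE carrying a broadcast
dnl ARP request from 10.1.1.1 (f2:ff:00:00:00:04) for 10.1.1.100.
ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff00000003080045000042ec2c4000402ff3bcac1f0101ac1f016400006558fffffffffffff2ff0000000408060001080006040001f2ff000000040a0101010000000000000a010164 actions=NORMAL"

dnl br0 must answer the ARP with its own pinned MAC, encapsulated back in GRE.
OVS_WAIT_UNTIL([grep -Eq "IP 172.31.1.100 > 172.31.1.1: GREv0, length 46: ARP, Reply 10.1.1.100 is-at f2:ff:00:00:00:01.* length 28" p0.pcap])

dnl Frame 2: same encapsulation carrying an ICMP echo request
dnl 10.1.1.1 -> 10.1.1.100 addressed to br0's MAC.
ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff0000000308004500007aec8e4000402ff322ac1f0101ac1f016400006558f2ff00000001f2ff00000004080045000054548f40004001cfb30a0101010a0101640800e6e829270003e1a3435b00000000ff1a050000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637 actions=NORMAL"

OVS_WAIT_UNTIL([grep -Eq "IP 172.31.1.100 > 172.31.1.1: GREv0, length 102: IP 10.1.1.100 > 10.1.1.1: ICMP echo reply,.* length 64$" p0.pcap])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP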
710
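dnl ERSPAN v1 overlay driven by pre-built frames: the native erspan device is
dnl replaced by packet-out injections of ERSPAN-encapsulated ARP and ICMP
dnl requests on br-underlay, and a tcpdump inside the namespace must see the
dnl replies that br0 sends back through at_erspan0.  MAC addresses are pinned
dnl on both bridges and the veth so the hex frames and expected dumps match.
AT_SETUP([datapath - ping over erspan v1 tunnel by simulated packets])
OVS_CHECK_MIN_KERNEL(3, 10)

OVS_TRAFFIC_VSWITCHD_START()
AT_CHECK([ovs-vsctl -- set bridge br0 other-config:hwaddr=\"f2:ff:00:00:00:01\"])
ADD_BR([br-underlay], [set bridge br-underlay other-config:hwaddr=\"f2:ff:00:00:00:02\"])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24", f2:ff:00:00:00:03)
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and emulate a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([erspan], [br0], [at_erspan0], [172.31.1.1], [10.1.1.100/24], [options:key=1 options:erspan_ver=1 options:erspan_idx=7])

dnl Certain Linux distributions, like CentOS, have default iptables rules
dnl that reject input traffic from br-underlay.  Insert an ACCEPT rule scoped
dnl to that interface to work around it (best effort: the command is not
dnl checked so hosts without iptables still run the test).  The rule is
dnl removed on exit by its specification rather than by position "1", so the
dnl host firewall is restored even if some other rule was inserted at the
dnl top of INPUT after ours.
iptables -I INPUT 1 -i br-underlay -j ACCEPT
on_exit 'iptables -D INPUT -i br-underlay -j ACCEPT'

dnl Capture, inside the namespace, everything the host sends back to the
dnl namespace side of the underlay; -x adds a hex dump, which the ARP reply
dnl check below matches on.  Remember the PID so the capture is terminated
dnl on exit instead of outliving the test (ip netns exec runs tcpdump in
dnl place, so $! is the capture process -- TODO confirm on the target iproute2).
ip netns exec at_ns0 tcpdump -n -x -i p0 dst host 172.31.1.1 -l > p0.pcap &
tcpdump_pid=$!
on_exit "kill $tcpdump_pid"
sleep 1

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now send out an arp request from 10.1.1.1 for 10.1.1.100 in erspan.
ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff0000000308004500004e151d4000402fcac0ac1f0101ac1f0164100088be000000061000000100000007fffffffffffff2ff0000000408060001080006040001f2ff000000040a0101010000000000000a010164 actions=normal"

dnl 0002 is arp reply, followed by mac address of 10.1.1.100.
OVS_WAIT_UNTIL([grep -Eq "0x0030: 0806 0001 0800 0604 0002 f2ff 0000 0001" p0.pcap])
OVS_WAIT_UNTIL([grep -Eq "0x0040: 0a01 0164 f2ff 0000 0004 0a01 0101" p0.pcap])

dnl Okay, now check the overlay with raw icmp packets.
dnl Guard: no 122-byte GRE frame may be in the capture yet, so the wait after
dnl the echo request cannot be satisfied by earlier output.
AT_FAIL_IF([grep -Eq "IP 172.31.1.100 > 172.31.1.1: GREv0,.* length 122" p0.pcap])

ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff0000000308004500008e70cb4000402f6ed2ac1f0101ac1f0164100088be000000051000000100000007f2ff00000001f2ff0000000408004500005c4a3340004001da070a0101010a010164080084f238fb0001f36a6b5b0000000021870e0000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f actions=normal"

OVS_WAIT_UNTIL([grep -Eq "IP 172.31.1.100 > 172.31.1.1: GREv0,.* length 122" p0.pcap])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP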
762
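AT_SETUP([datapath - ping over erspan v2 tunnel by simulated packets])
OVS_CHECK_MIN_KERNEL(3, 10)

OVS_TRAFFIC_VSWITCHD_START()
dnl Pin the bridge MAC addresses: the raw frames injected below carry them
dnl verbatim (f2:ff:00:00:00:02 as destination, :01 as the ARP reply source).
AT_CHECK([ovs-vsctl -- set bridge br0 other-config:hwaddr=\"f2:ff:00:00:00:01\"])
ADD_BR([br-underlay], [set bridge br-underlay other-config:hwaddr=\"f2:ff:00:00:00:02\"])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
dnl The veth MAC is pinned for the same reason as the bridge MACs above.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24", f2:ff:00:00:00:03)
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and simulate a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([erspan], [br0], [at_erspan0], [172.31.1.1], [10.1.1.100/24], [options:key=1 options:erspan_ver=2 options:erspan_dir=1 options:erspan_hwid=0x7])

dnl Certain Linux distributions, like CentOS, have default iptables rules
dnl that reject input traffic from br-underlay.  Work around it with an
dnl ACCEPT rule scoped to that interface for the lifetime of the test.  The
dnl rule is removed by its specification rather than by index, so the cleanup
dnl cannot delete an unrelated rule (and leave this ACCEPT behind) if the
dnl chain changed in the meantime.  Neither command is wrapped in AT_CHECK:
dnl on hosts without such rules both are best effort.
iptables -I INPUT 1 -i br-underlay -j ACCEPT
on_exit 'iptables -D INPUT -i br-underlay -j ACCEPT'

dnl Capture everything sent back towards the namespace endpoint; the checks
dnl below grep this file.  The sleep gives tcpdump time to attach before the
dnl first packet is sent.
dnl NOTE(review): the capture is not terminated explicitly; presumably it is
dnl torn down together with the namespace at cleanup.
ip netns exec at_ns0 tcpdump -n -x -i p0 dst host 172.31.1.1 -l > p0.pcap &
sleep 1

dnl First, check the underlay.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, send raw arp request and icmp echo request.
dnl First frame: a hand-built ERSPAN v2 encapsulated ARP request from
dnl 10.1.1.1 for 10.1.1.100, injected on the underlay as if sent by the
dnl namespace (src f2:ff:00:00:00:03, dst f2:ff:00:00:00:02).
ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff00000003080045000052373d4000402fa89cac1f0101ac1f0164100088be00000006200000016f54b41700008078fffffffffffff2ff0000000408060001080006040001f2ff000000040a0101010000000000000a010164 actions=normal"

dnl Expect an ARP reply (opcode 0002) from 10.1.1.100 / f2:ff:00:00:00:01
dnl back to 10.1.1.1 in the hex dump.
OVS_WAIT_UNTIL([grep -qE "0x0030: 0000 0001 0806 0001 0800 0604 0002 f2ff" p0.pcap])
OVS_WAIT_UNTIL([grep -qE "0x0040: 0000 0001 0a01 0164 f2ff 0000 0004 0a01" p0.pcap])
OVS_WAIT_UNTIL([grep -qE "0x0050: 0101" p0.pcap])

dnl Because tcpdump might not be able to parse erspan headers, we check icmp echo reply
dnl by packet length.  No such reply may exist before the request is sent.
AT_FAIL_IF([grep -qE "IP 172.31.1.100 > 172.31.1.1: GREv0,.* length 126" p0.pcap])

dnl Second frame: an ERSPAN v2 encapsulated ICMP echo request with the same
dnl endpoints.
ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff0000000308004500009287e14000402f57b8ac1f0101ac1f0164100088be0000000520000001144cd5a400008078f2ff00000001f2ff0000000408004500005c38d640004001eb640a0101010a01016408005e57585f0001df6c6b5b0000000045bc050000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f actions=normal"

OVS_WAIT_UNTIL([grep -qE "IP 172.31.1.100 > 172.31.1.1: GREv0,.* length 126" p0.pcap])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP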
815
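AT_SETUP([datapath - ping over ip6erspan v1 tunnel by simulated packets])
OVS_CHECK_MIN_KERNEL(3, 10)

OVS_TRAFFIC_VSWITCHD_START()
dnl Pin the bridge MAC addresses: the raw frames injected below carry them
dnl verbatim (f2:ff:00:00:00:02 as destination, :01 as the ARP reply source).
AT_CHECK([ovs-vsctl -- set bridge br0 other-config:hwaddr=\"f2:ff:00:00:00:01\"])
ADD_BR([br-underlay], [set bridge br-underlay other-config:hwaddr=\"f2:ff:00:00:00:02\"])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
dnl The veth MAC is pinned for the same reason as the bridge MACs above.
ADD_VETH(p0, at_ns0, br-underlay, "fc00:100::1/96", f2:ff:00:00:00:03, [], nodad)
AT_CHECK([ip addr add dev br-underlay "fc00:100::100/96" nodad])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and simulate a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL6([ip6erspan], [br0], [at_erspan0], [fc00:100::1], [10.1.1.100/24],
 [options:key=123 options:erspan_ver=1 options:erspan_idx=0x7])

dnl Wait until the IPv6 underlay answers (presumably neighbour discovery
dnl still needs to settle even though DAD is disabled).
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 2 fc00:100::100])

dnl Certain Linux distributions, like CentOS, have default ip6tables rules
dnl that reject input traffic from br-underlay.  Work around it with an
dnl ACCEPT rule scoped to that interface for the lifetime of the test.  The
dnl rule is removed by its specification rather than by index, so the cleanup
dnl cannot delete an unrelated rule (and leave this ACCEPT behind) if the
dnl chain changed in the meantime.  Neither command is wrapped in AT_CHECK:
dnl on hosts without such rules both are best effort.
ip6tables -I INPUT 1 -i br-underlay -j ACCEPT
on_exit 'ip6tables -D INPUT -i br-underlay -j ACCEPT'

dnl Capture everything sent back towards the namespace endpoint; the checks
dnl below grep this file.  The sleep gives tcpdump time to attach before the
dnl first packet is sent.
dnl NOTE(review): the capture is not terminated explicitly; presumably it is
dnl torn down together with the namespace at cleanup.
ip netns exec at_ns0 tcpdump -n -x -i p0 dst host fc00:100::1 -l > p0.pcap &
sleep 1

dnl First, check the underlay.
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:100::100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now send raw arp request and icmp echo request.
dnl First frame: a hand-built ip6erspan v1 encapsulated ARP request from
dnl 10.1.1.1 for 10.1.1.100, injected on the underlay as if sent by the
dnl namespace (src f2:ff:00:00:00:03, dst f2:ff:00:00:00:02).
ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff0000000386dd60008531003a2f40fc000100000000000000000000000001fc000100000000000000000000000100100088be000000051000007b00000007fffffffffffff2ff0000000408060001080006040001f2ff000000040a0101010000000000000a010164 actions=normal"

dnl Check arp reply (opcode 0002 from 10.1.1.100 / f2:ff:00:00:00:01).
OVS_WAIT_UNTIL([grep -qE "0x0040: 0000 0001 0806 0001 0800 0604 0002 f2ff" p0.pcap])
OVS_WAIT_UNTIL([grep -qE "0x0050: 0000 0001 0a01 0164 f2ff 0000 0004 0a01" p0.pcap])
OVS_WAIT_UNTIL([grep -qE "0x0060: 0101" p0.pcap])

dnl tcpdump may not decode the erspan header, so the echo reply is recognised
dnl by the length of the GREv0 summary line.  No such reply may exist before
dnl the request is sent.
AT_FAIL_IF([grep -qE "IP6 fc00:100::100 > fc00:100::1: GREv0,.* length 114" p0.pcap])

dnl Second frame: an ip6erspan v1 encapsulated ICMP echo request with the
dnl same endpoints.
ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff0000000386dd60008531007a3c40fc000100000000000000000000000001fc0001000000000000000000000001002f00040104010100100088be000000061000407b00000007f2ff00000001f2ff0000000408004500005429b640004001fa8c0a0101010a01016408005c2c7526000118d3685b00000000e4aa020000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637 actions=normal"

OVS_WAIT_UNTIL([grep -qE "IP6 fc00:100::100 > fc00:100::1: GREv0,.* length 114" p0.pcap])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP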
870
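AT_SETUP([datapath - ping over ip6erspan v2 tunnel by simulated packets])
OVS_CHECK_MIN_KERNEL(3, 10)

OVS_TRAFFIC_VSWITCHD_START()
dnl Pin the bridge MAC addresses: the raw frames injected below carry them
dnl verbatim (f2:ff:00:00:00:02 as destination, :01 as the ARP reply source).
AT_CHECK([ovs-vsctl -- set bridge br0 other-config:hwaddr=\"f2:ff:00:00:00:01\"])
ADD_BR([br-underlay], [set bridge br-underlay other-config:hwaddr=\"f2:ff:00:00:00:02\"])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
dnl The veth MAC is pinned for the same reason as the bridge MACs above.
ADD_VETH(p0, at_ns0, br-underlay, "fc00:100::1/96", f2:ff:00:00:00:03, [], nodad)
AT_CHECK([ip addr add dev br-underlay "fc00:100::100/96" nodad])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and simulate a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL6([ip6erspan], [br0], [at_erspan0], [fc00:100::1], [10.1.1.100/24],
 [options:key=121 options:erspan_ver=2 options:erspan_dir=0 options:erspan_hwid=0x7])

dnl Wait until the IPv6 underlay answers (presumably neighbour discovery
dnl still needs to settle even though DAD is disabled).
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 2 fc00:100::100])

dnl Certain Linux distributions, like CentOS, have default ip6tables rules
dnl that reject input traffic from br-underlay.  Work around it with an
dnl ACCEPT rule scoped to that interface for the lifetime of the test.  The
dnl rule is removed by its specification rather than by index, so the cleanup
dnl cannot delete an unrelated rule (and leave this ACCEPT behind) if the
dnl chain changed in the meantime.  Neither command is wrapped in AT_CHECK:
dnl on hosts without such rules both are best effort.
ip6tables -I INPUT 1 -i br-underlay -j ACCEPT
on_exit 'ip6tables -D INPUT -i br-underlay -j ACCEPT'

dnl Capture everything sent back towards the namespace endpoint; the checks
dnl below grep this file.  The sleep gives tcpdump time to attach before the
dnl first packet is sent.
dnl NOTE(review): the capture is not terminated explicitly; presumably it is
dnl torn down together with the namespace at cleanup.
ip netns exec at_ns0 tcpdump -n -x -i p0 dst host fc00:100::1 -l > p0.pcap &
sleep 1

dnl First, check the underlay.
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:100::100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now send raw arp request and icmp echo request.
dnl First frame: a hand-built ip6erspan v2 encapsulated ARP request from
dnl 10.1.1.1 for 10.1.1.100, injected on the underlay as if sent by the
dnl namespace (src f2:ff:00:00:00:03, dst f2:ff:00:00:00:02).
ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff0000000386dd60008531003e2f40fc000100000000000000000000000001fc000100000000000000000000000100100088be0000000620000079af514f9900008070fffffffffffff2ff0000000408060001080006040001f2ff000000040a0101010000000000000a010164 actions=normal"

dnl Expect an ARP reply (opcode 0002) from 10.1.1.100 / f2:ff:00:00:00:01
dnl back to 10.1.1.1 in the hex dump.
OVS_WAIT_UNTIL([grep -qE "0x0040: 0004 f2ff 0000 0001 0806 0001 0800 0604" p0.pcap])
OVS_WAIT_UNTIL([grep -qE "0x0050: 0002 f2ff 0000 0001 0a01 0164 f2ff 0000" p0.pcap])
OVS_WAIT_UNTIL([grep -qE "0x0060: 0004 0a01 0101" p0.pcap])

dnl tcpdump may not decode the erspan header, so the echo reply is recognised
dnl by the length of the GREv0 summary line.  No such reply may exist before
dnl the request is sent.
AT_FAIL_IF([grep -qE "IP6 fc00:100::100 > fc00:100::1: GREv0, .* length 118" p0.pcap])

dnl Second frame: an ip6erspan v2 encapsulated ICMP echo request with the
dnl same endpoints.
ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff0000000386dd60008531007e3c40fc000100000000000000000000000001fc0001000000000000000000000001002f00040104010100100088be0000000720004079af514f9b00008070f2ff00000001f2ff00000004080045000054ffcb4000400124770a0101010a0101640800419e23ac000112d7685b000000004caf0c0000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637 actions=normal"

OVS_WAIT_UNTIL([grep -qE "IP6 fc00:100::100 > fc00:100::1: GREv0, .* length 118" p0.pcap])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP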
924
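AT_SETUP([datapath - clone action])
OVS_TRAFFIC_VSWITCHD_START()

dnl NOTE(review): at_ns2 is created but nothing in this test uses it.
ADD_NAMESPACES(at_ns0, at_ns1, at_ns2)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Fix the OpenFlow port numbers so the in_port matches below are stable.
AT_CHECK([ovs-vsctl -- set interface ovs-p0 ofport_request=1 \
 -- set interface ovs-p1 ofport_request=2])

dnl IP traffic is forwarded unmodified between the two ports; clone() works
dnl on a copy with rewritten MACs / destination IP and, for the reply
dnl direction (in_port=2) only, hands that copy to the controller.  The ping
dnl succeeding shows the rewrites inside clone() do not leak into the packet
dnl that is output afterwards.
AT_DATA([flows.txt], [dnl
priority=1 actions=NORMAL
priority=10 in_port=1,ip,actions=clone(mod_dl_dst(50:54:00:00:00:0a),set_field:192.168.3.3->ip_dst), output:2
priority=10 in_port=2,ip,actions=clone(mod_dl_src(ae:c6:7e:54:8d:4d),mod_dl_dst(50:54:00:00:00:0b),set_field:192.168.4.4->ip_dst, controller), output:1
])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl Keep the monitor log in the test log on failure (it is the only evidence
dnl of what the controller actually received).
AT_CAPTURE_FILE([ofctl_monitor.log])
AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_APP_EXIT_AND_WAIT([ovs-ofctl])

dnl Exactly the three echo replies (icmp_type=0) reach the controller, each
dnl carrying the rewritten addresses from the in_port=2 clone().
AT_CHECK([cat ofctl_monitor.log | STRIP_MONITOR_CSUM], [0], [dnl
icmp,vlan_tci=0x0000,dl_src=ae:c6:7e:54:8d:4d,dl_dst=50:54:00:00:00:0b,nw_src=10.1.1.2,nw_dst=192.168.4.4,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=0,icmp_code=0 icmp_csum: <skip>
icmp,vlan_tci=0x0000,dl_src=ae:c6:7e:54:8d:4d,dl_dst=50:54:00:00:00:0b,nw_src=10.1.1.2,nw_dst=192.168.4.4,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=0,icmp_code=0 icmp_csum: <skip>
icmp,vlan_tci=0x0000,dl_src=ae:c6:7e:54:8d:4d,dl_dst=50:54:00:00:00:0b,nw_src=10.1.1.2,nw_dst=192.168.4.4,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=0,icmp_code=0 icmp_csum: <skip>
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP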
958
AT_SETUP([datapath - mpls actions])
dnl Two bridges, br0 and br1, joined by a veth pair (patch0/patch1 below);
dnl despite the names these are ordinary ports, not OVS patch ports.
OVS_TRAFFIC_VSWITCHD_START([_ADD_BR([br1])])

ADD_NAMESPACES(at_ns0, at_ns1)

dnl The namespaces sit on different bridges but share one subnet, so every
dnl packet between them has to cross the veth link.
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")

AT_CHECK([ip link add patch0 type veth peer name patch1])
on_exit 'ip link del patch0'

AT_CHECK([ip link set dev patch0 up])
AT_CHECK([ip link set dev patch1 up])
AT_CHECK([ovs-vsctl add-port br0 patch0])
AT_CHECK([ovs-vsctl add-port br1 patch1])

dnl The same table goes on both bridges: IPv4 (0x0800) gets MPLS label 3
dnl pushed, labelled traffic (0x8847, label 3) gets it popped, and anything
dnl else (e.g. ARP) passes untouched; table 1 then switches normally.  A
dnl packet thus leaves its own bridge labelled and is unlabelled on entry to
dnl the other, so a ping in each direction exercises both push and pop.
AT_DATA([flows.txt], [dnl
table=0,priority=100,dl_type=0x0800 actions=push_mpls:0x8847,set_mpls_label:3,resubmit(,1)
table=0,priority=100,dl_type=0x8847,mpls_label=3 actions=pop_mpls:0x0800,resubmit(,1)
table=0,priority=10 actions=resubmit(,1)
table=1,priority=10 actions=normal
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
AT_CHECK([ovs-ofctl add-flows br1 flows.txt])

NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

NS_CHECK_EXEC([at_ns1], [ping -q -c 3 -i 0.3 -w 2 10.1.1.1 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
AT_SETUP([datapath - basic truncate action])
AT_SKIP_IF([test $HAVE_NC = no])
OVS_TRAFFIC_VSWITCHD_START()
AT_CHECK([ovs-ofctl del-flows br0])

dnl Create p0 and ovs-p0(1)
dnl (presumably ofport 1 because it is the first port added; no
dnl ofport_request is set for it)
ADD_NAMESPACES(at_ns0)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
dnl 10.1.1.2 exists nowhere in this test; the static ARP entry lets nc send
dnl to it without resolution, and the flows match on that MAC.
NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])

dnl Create p1(3) and ovs-p1(2), packets received from ovs-p1 will appear in p1
dnl Both ends of the veth are bridge ports, so output to ovs-p1(2) re-enters
dnl br0 on p1(3), where a drop flow's byte counter records the received size.
AT_CHECK([ip link add p1 type veth peer name ovs-p1])
on_exit 'ip link del ovs-p1'
AT_CHECK([ip link set dev ovs-p1 up])
AT_CHECK([ip link set dev p1 up])
AT_CHECK([ovs-vsctl add-port br0 ovs-p1 -- set interface ovs-p1 ofport_request=2])
dnl Use p1 to check the truncated packet
AT_CHECK([ovs-vsctl add-port br0 p1 -- set interface p1 ofport_request=3])

dnl Create p2(5) and ovs-p2(4)
dnl Same loopback arrangement as p1/ovs-p1, used for the untruncated copy.
AT_CHECK([ip link add p2 type veth peer name ovs-p2])
on_exit 'ip link del ovs-p2'
AT_CHECK([ip link set dev ovs-p2 up])
AT_CHECK([ip link set dev p2 up])
AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=4])
dnl Use p2 to check the truncated packet
AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=5])

dnl basic test
dnl One truncated copy (max_len=100) to port 2 and one full copy to port 4.
AT_CHECK([ovs-ofctl del-flows br0])
AT_DATA([flows.txt], [dnl
in_port=3 dl_dst=e6:66:c1:22:22:22 actions=drop
in_port=5 dl_dst=e6:66:c1:22:22:22 actions=drop
in_port=1 dl_dst=e6:66:c1:22:22:22 actions=output(port=2,max_len=100),output:4
])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl use this file as payload file for ncat
AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
on_exit 'rm -f payload200.bin'
NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])

dnl packet with truncated size
dnl revalidator/purge pushes the datapath statistics into the OpenFlow flow
dnl counters before they are read.
AT_CHECK([ovs-appctl revalidator/purge], [0])
AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=100
])
dnl packet with original size: ETH(14) + IP(20) + UDP(8) + 200 = 242
AT_CHECK([ovs-appctl revalidator/purge], [0])
AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=242
])

dnl more complicated output actions
dnl Mixes truncated and untruncated outputs to both loopbacks, including a
dnl max_len larger than the packet, which must not pad or fail.
AT_CHECK([ovs-ofctl del-flows br0])
AT_DATA([flows.txt], [dnl
in_port=3 dl_dst=e6:66:c1:22:22:22 actions=drop
in_port=5 dl_dst=e6:66:c1:22:22:22 actions=drop
in_port=1 dl_dst=e6:66:c1:22:22:22 actions=output(port=2,max_len=100),output:4,output(port=2,max_len=100),output(port=4,max_len=100),output:2,output(port=4,max_len=200),output(port=2,max_len=65535)
])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])

dnl 100 + 100 + 242 + min(65535,242) = 684
AT_CHECK([ovs-appctl revalidator/purge], [0])
AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=684
])
dnl 242 + 100 + min(242,200) = 542
AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=542
])

dnl SLOW_ACTION: disable kernel datapath truncate support
dnl Repeat the test above, but exercise the SLOW_ACTION code path
AT_CHECK([ovs-appctl dpif/set-dp-features br0 trunc false], [0])

dnl SLOW_ACTION test1: check datapath actions
dnl With truncation unavailable in the datapath, the trace must report the
dnl flow as handled by the userspace slow path.
AT_CHECK([ovs-ofctl del-flows br0])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=1,dl_type=0x800,dl_src=e6:66:c1:11:11:11,dl_dst=e6:66:c1:22:22:22,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,tp_src=8,tp_dst=9"], [0], [stdout])
AT_CHECK([tail -3 stdout], [0],
[Datapath actions: trunc(100),3,5,trunc(100),3,trunc(100),5,3,trunc(200),5,trunc(65535),3
This flow is handled by the userspace slow path because it:
 - Uses action(s) not supported by datapath.
])

dnl SLOW_ACTION test2: check actual packet truncate
dnl Same byte counts as before are expected from the userspace path.
AT_CHECK([ovs-ofctl del-flows br0])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])

dnl 100 + 100 + 242 + min(65535,242) = 684
AT_CHECK([ovs-appctl revalidator/purge], [0])
AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=684
])

dnl 242 + 100 + min(242,200) = 542
AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=542
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1103
dnl Create 2 bridges and 2 namespaces to test truncate over
dnl GRE tunnel:
dnl br0: overlay bridge
dnl ns1: connect to br0, with IP:10.1.1.2
dnl br-underlay: with IP: 172.31.1.100
dnl ns0: connect to br-underlay, with IP: 10.1.1.1
dnl ns0 never gets a real gretap device here: the GRE frame it would send is
dnl injected by hand with packet-out, so the test does not depend on the
dnl kernel's gretap implementation.
AT_SETUP([datapath - truncate and output to gre tunnel by simulated packets])
OVS_CHECK_MIN_KERNEL(3, 10)
AT_SKIP_IF([test $HAVE_NC = no])
OVS_TRAFFIC_VSWITCHD_START()

dnl The underlay bridge MAC is pinned because the hand-built frame below
dnl names it as its destination.
ADD_BR([br-underlay], [set bridge br-underlay other-config:hwaddr=\"02:90:8c:a8:a1:49\"])
ADD_NAMESPACES(at_ns0)
ADD_NAMESPACES(at_ns1)
AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

dnl Set up underlay link from host into the namespace using veth pair.
dnl The veth MAC is pinned because the hand-built frame carries it as source.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24", fa:ad:fa:25:05:60)
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
dnl NOTE(review): the flows below use in_port=1 for this tunnel port; it is
dnl presumably ofport 1 as the first port added to br0 (the ofport_request
dnl for it is commented out below) — confirm.
ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])

dnl The below native tunnel isn't actually added. We simulate it to send
dnl and receive packets.
dnl ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
dnl [], [address e6:66:c1:11:11:11])
dnl AT_CHECK([ovs-vsctl -- set interface at_gre0 ofport_request=1])
dnl NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])

dnl Set up (p1 and ovs-p1) at br0
dnl The static MAC and ARP entry match the addresses baked into the
dnl simulated frame, so no ARP exchange with the missing peer is needed.
ADD_VETH(p1, at_ns1, br0, '10.1.1.2/24')
AT_CHECK([ovs-vsctl -- set interface ovs-p1 ofport_request=2])
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])

dnl Set up (p2 and ovs-p2) as loopback for verifying packet size
dnl Whatever is output to ovs-p2(3) re-enters br0 on p2(4), where a drop
dnl flow's byte counter records the size it arrived with.
AT_CHECK([ip link add p2 type veth peer name ovs-p2])
on_exit 'ip link del ovs-p2'
AT_CHECK([ip link set dev ovs-p2 up])
AT_CHECK([ip link set dev p2 up])
AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=3])
AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=4])

dnl use this file as payload file for ncat
AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
on_exit 'rm -f payload200.bin'

dnl Overlay: frames arriving from the tunnel (port 1) are truncated to 100
dnl bytes towards ns1 and the loopback; UDP from ns1 is truncated to 100
dnl bytes before being pushed into the tunnel.  Everything else is dropped.
AT_CHECK([ovs-ofctl del-flows br0])
AT_DATA([flows.txt], [dnl
priority=99,in_port=1,actions=output(port=2,max_len=100),output(port=3,max_len=100)
priority=99,in_port=2,udp,actions=output(port=1,max_len=100)
priority=1,in_port=4,ip,actions=drop
priority=1,actions=drop
])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl Underlay: only GRE (nw_proto=47) may pass between p0 and the host stack
dnl (LOCAL); everything else is dropped.  Note that ip_dst=172.31.1.1/24
dnl matches the whole underlay subnet, not just the peer address.
AT_CHECK([ovs-ofctl del-flows br-underlay])
AT_DATA([flows-underlay.txt], [dnl
priority=99,dl_type=0x0800,nw_proto=47,in_port=1,actions=LOCAL
priority=99,dl_type=0x0800,nw_proto=47,in_port=LOCAL,ip_dst=172.31.1.1/24,actions=1
priority=1,actions=drop
])

AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])

dnl check tunnel push path, from at_ns1 to at_ns0
NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
AT_CHECK([ovs-appctl revalidator/purge], [0])

dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=242
])
dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=138
])

dnl check tunnel pop path, from at_ns0 to at_ns1
dnl This 200-byte packet is simulated on behalf of ns_gre0
dnl (a GRE frame 172.31.1.1 -> 172.31.1.100 wrapping a UDP datagram
dnl 10.1.1.1 -> 10.1.1.2, delivered to the host stack via LOCAL).
ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=02908ca8a149faadfa25056008004500010a9e9d4000402f4084ac1f0101ac1f016400006558e666c1222222e666c11111110800450000e46f8e40004011b4760a0101010a010102e026162e00d016e6a366ebf904c74132c6fed42a9e9e46240b4d9fd13c9b47d9704a388e70a5e77db16934a6188dc01d86aa20007ace2cf9cdb111f208474b88ffc851c871f0e3fb4fff138c1d288d437efff487e2b86a9c99fbf4229a6485e133bcf3e16f6e345207fda0932d9eeb602740456fd077b4847d25481337bd716155cc245be129ccc11bf82b834767b3760b52fe913c0e24f31c0e1b27f88acf7bba6b985fb64ee2cd6fc6bba1a9c1f021e253e1728b046fd4d023307e3296361a37ea2617ebcb2537e0284a81050dd0ee actions=LOCAL"

dnl After truncation = 100 byte at loopback device p2(4)
AT_CHECK([ovs-appctl revalidator/purge], [0])
AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | ofctl_strip], [0], [dnl
 n_packets=1, n_bytes=100, priority=1,ip,in_port=4 actions=drop
])

dnl SLOW_ACTION: disable datapath truncate support
dnl Repeat the test above, but exercise the SLOW_ACTION code path
AT_CHECK([ovs-appctl dpif/set-dp-features br0 trunc false], [0])

dnl SLOW_ACTION test1: check datapath actions
dnl NOTE(review): this step only reinstalls the flows; there is no
dnl ofproto/trace check of the datapath actions here — confirm whether one
dnl was intended.
AT_CHECK([ovs-ofctl del-flows br0])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl SLOW_ACTION test2: check actual packet truncate
dnl Reinstalling the flows also resets their counters, so the same byte
dnl counts as in the first pass are expected.
AT_CHECK([ovs-ofctl del-flows br0])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
AT_CHECK([ovs-ofctl del-flows br-underlay])
AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])

dnl check tunnel push path, from at_ns1 to at_ns0
NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
AT_CHECK([ovs-appctl revalidator/purge], [0])

dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=242
])
dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=138
])

dnl check tunnel pop path, from at_ns0 to at_ns1
dnl This 200-byte packet is simulated on behalf of ns_gre0
dnl NOTE(review): the packet bytes are elided in this rendering; presumably
dnl the same frame as in the first pass — verify against the source file.
ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=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 actions=LOCAL"

dnl After truncation = 100 byte at loopback device p2(4)
AT_CHECK([ovs-appctl revalidator/purge], [0])
AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | ofctl_strip], [0], [dnl
 n_packets=1, n_bytes=100, priority=1,ip,in_port=4 actions=drop
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1235
dnl Create 2 bridges and 2 namespaces to test truncate over
dnl GRE tunnel:
dnl br0: overlay bridge
dnl ns1: connect to br0, with IP:10.1.1.2
dnl br-underlay: with IP: 172.31.1.100
dnl ns0: connect to br-underlay, with IP: 10.1.1.1
dnl This variant uses a real gretap device in ns0, so both directions of the
dnl tunnel are driven by nc rather than by hand-built frames.
AT_SETUP([datapath - truncate and output to gre tunnel])
AT_SKIP_IF([test $HAVE_NC = no])
dnl Skipped on the kernel range the macro excludes (presumably kernels whose
dnl gretap behaviour differs) — see the macro definition.
OVS_CHECK_KERNEL_EXCL(3, 10, 4, 15)
OVS_CHECK_GRE()
OVS_TRAFFIC_VSWITCHD_START()

ADD_BR([br-underlay])
ADD_NAMESPACES(at_ns0)
ADD_NAMESPACES(at_ns1)
AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
 [], [address e6:66:c1:11:11:11])
dnl The tunnel port must be OpenFlow port 1: the flows below match in_port=1.
AT_CHECK([ovs-vsctl -- set interface at_gre0 ofport_request=1])
dnl Static ARP entries on both ends avoid an ARP exchange across the tunnel.
NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])

dnl Set up (p1 and ovs-p1) at br0
ADD_VETH(p1, at_ns1, br0, '10.1.1.2/24')
AT_CHECK([ovs-vsctl -- set interface ovs-p1 ofport_request=2])
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])

dnl Set up (p2 and ovs-p2) as loopback for verifying packet size
dnl Whatever is output to ovs-p2(3) re-enters br0 on p2(4), where a drop
dnl flow's byte counter records the size it arrived with.
AT_CHECK([ip link add p2 type veth peer name ovs-p2])
on_exit 'ip link del ovs-p2'
AT_CHECK([ip link set dev ovs-p2 up])
AT_CHECK([ip link set dev p2 up])
AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=3])
AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=4])

dnl use this file as payload file for ncat
AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
on_exit 'rm -f payload200.bin'

dnl Overlay: frames arriving from the tunnel (port 1) are truncated to 100
dnl bytes towards ns1 and the loopback; UDP from ns1 is truncated to 100
dnl bytes before being pushed into the tunnel.  Everything else is dropped.
AT_CHECK([ovs-ofctl del-flows br0])
AT_DATA([flows.txt], [dnl
priority=99,in_port=1,actions=output(port=2,max_len=100),output(port=3,max_len=100)
priority=99,in_port=2,udp,actions=output(port=1,max_len=100)
priority=1,in_port=4,ip,actions=drop
priority=1,actions=drop
])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl Underlay: only GRE (nw_proto=47) may pass between p0 and the host stack
dnl (LOCAL); everything else is dropped.  Note that ip_dst=172.31.1.1/24
dnl matches the whole underlay subnet, not just the peer address.
AT_CHECK([ovs-ofctl del-flows br-underlay])
AT_DATA([flows-underlay.txt], [dnl
priority=99,dl_type=0x0800,nw_proto=47,in_port=1,actions=LOCAL
priority=99,dl_type=0x0800,nw_proto=47,in_port=LOCAL,ip_dst=172.31.1.1/24,actions=1
priority=1,actions=drop
])

AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])

dnl check tunnel push path, from at_ns1 to at_ns0
NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
AT_CHECK([ovs-appctl revalidator/purge], [0])

dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=242
])
dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=138
])

dnl check tunnel pop path, from at_ns0 to at_ns1
dnl The datagram leaves ns0 through its gretap device, so OVS receives it
dnl already GRE-encapsulated on the underlay.
NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 5678 < payload200.bin])
dnl After truncation = 100 byte at loopback device p2(4)
AT_CHECK([ovs-appctl revalidator/purge], [0])
AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | ofctl_strip], [0], [dnl
 n_packets=1, n_bytes=100, priority=1,ip,in_port=4 actions=drop
])

dnl SLOW_ACTION: disable datapath truncate support
dnl Repeat the test above, but exercise the SLOW_ACTION code path
AT_CHECK([ovs-appctl dpif/set-dp-features br0 trunc false], [0])

dnl SLOW_ACTION test1: check datapath actions
dnl NOTE(review): this step only reinstalls the flows; there is no
dnl ofproto/trace check of the datapath actions here — confirm whether one
dnl was intended.
AT_CHECK([ovs-ofctl del-flows br0])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl SLOW_ACTION test2: check actual packet truncate
dnl Reinstalling the flows also resets their counters, so the same byte
dnl counts as in the first pass are expected.
AT_CHECK([ovs-ofctl del-flows br0])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
AT_CHECK([ovs-ofctl del-flows br-underlay])
AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])

dnl check tunnel push path, from at_ns1 to at_ns0
NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
AT_CHECK([ovs-appctl revalidator/purge], [0])

dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=242
])
dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
n_bytes=138
])

dnl check tunnel pop path, from at_ns0 to at_ns1
NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 5678 < payload200.bin])
dnl After truncation = 100 byte at loopback device p2(4)
AT_CHECK([ovs-appctl revalidator/purge], [0])
AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | ofctl_strip], [0], [dnl
 n_packets=1, n_bytes=100, priority=1,ip,in_port=4 actions=drop
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1361
dnl Connection-tracking test cases start here.
AT_BANNER([conntrack])

AT_SETUP([conntrack - controller])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()
dnl Extra datapath / upcall debug logging to help diagnose a failure.
AT_CHECK([ovs-appctl vlog/set dpif:dbg dpif_netdev:dbg ofproto_dpif_upcall:dbg])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any traffic from ns0->ns1. Only allow arp and return traffic from ns1->ns0.
dnl (Port 1 is ovs-p0 and port 2 is ovs-p1 — presumably assigned in ADD_VETH
dnl order, as no ofport_request is set.)
dnl UDP from port 1 is committed to conntrack and punted to the controller.
dnl UDP from port 2 is first run through conntrack (ct(table=0)) and only
dnl reaches the controller once it is recognised as part of an established
dnl connection; anything unmatched, including an unsolicited "reply", is
dnl dropped by the priority=1 rule.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,udp,action=ct(commit),controller
priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk+est,udp,action=controller
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

AT_CAPTURE_FILE([ofctl_monitor.log])
AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])

dnl Send an unsolicited reply from port 2. This should be dropped.
dnl (UDP 10.1.1.2:2 -> 10.1.1.1:1 with no prior connection: after
dnl ct(table=0) it is +trk but not +est, so only the drop rule matches.)
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000'])

dnl OK, now start a new connection from port 1.
dnl (UDP 10.1.1.1:1 -> 10.1.1.2:2; the commit creates the conntrack entry.)
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit\),controller '50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000'])

dnl Now try a reply from port 2.
dnl (The same reply as before, now matching the committed connection.)
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000'])

OVS_APP_EXIT_AND_WAIT([ovs-ofctl])

dnl Check this output. We only see the latter two packets, not the first.
dnl The second packet-in carries conntrack metadata (ct_state=est|rpl|trk and
dnl the original 5-tuple), showing it was classified as the reply direction
dnl of the committed connection.
AT_CHECK([cat ofctl_monitor.log], [0], [dnl
NXT_PACKET_IN2 (xid=0x0): total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,ct_nw_src=10.1.1.1,ct_nw_dst=10.1.1.2,ct_nw_proto=17,ct_tp_src=1,ct_tp_dst=2,ip,in_port=2 (via action) data_len=42 (unbuffered)
udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1409
dnl Checks ct(force,commit): committing with "force" re-creates the entry with
dnl the current packet as the original direction, even when an entry for the
dnl connection already exists in the opposite direction.  The test flips the
dnl direction twice and inspects dump-conntrack after each flip.  Injected
dnl packets go through the flow table via resubmit(,0), unlike the
dnl "conntrack - controller" test above.
1410AT_SETUP([conntrack - force commit])
1411CHECK_CONNTRACK()
1412OVS_TRAFFIC_VSWITCHD_START()
1413AT_CHECK([ovs-appctl vlog/set dpif:dbg dpif_netdev:dbg ofproto_dpif_upcall:dbg])
1414
1415ADD_NAMESPACES(at_ns0, at_ns1)
1416
1417ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1418ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1419
dnl Port 1: force-commit and report to the controller.  Port 2: untracked
dnl packets are tracked first; established ones are force-committed (which
dnl flips the entry's direction) and continue in table 1, where every tracked
dnl packet is reported to the controller.  Everything else is dropped.
1420AT_DATA([flows.txt], [dnl
1421priority=1,action=drop
1422priority=10,arp,action=normal
68c94b1a 1423priority=100,in_port=1,udp,action=ct(force,commit),controller
a76a37ef
JR
1424priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
1425priority=100,in_port=2,ct_state=+trk+est,udp,action=ct(force,commit,table=1)
1426table=1,in_port=2,ct_state=+trk,udp,action=controller
1427])
1428
1429AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1430
dnl Record every packet-in br0 sends to the controller.
1431AT_CAPTURE_FILE([ofctl_monitor.log])
1432AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
1433
1434dnl Send an unsolicited reply from port 2. This should be dropped.
dnl Nothing has been committed yet, so after ct(table=0) this packet is
dnl tracked but not established and hits the priority=1 drop.
1435AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000 actions=resubmit(,0)"])
1436
1437dnl OK, now start a new connection from port 1.
1438AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 actions=resubmit(,0)"])
1439
1440dnl Now try a reply from port 2.
1441AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000 actions=resubmit(,0)"])
1442
dnl Purge datapath flows before inspecting conntrack (presumably so that a
dnl cached datapath flow cannot bypass the ct() processing checked below).
1443AT_CHECK([ovs-appctl revalidator/purge], [0])
1444
e8833217
DM
dnl Stop the monitor before its log is examined.
1445OVS_APP_EXIT_AND_WAIT([ovs-ofctl])
1446
a76a37ef
JR
1447dnl Check this output. We only see the latter two packets, not the first.
dnl The second packet-in comes from table 1 and shows ct_state=new|trk with
dnl ct_nw_src=10.1.1.2: after the force commit the reply is the new original
dnl direction of the connection.
1448AT_CHECK([cat ofctl_monitor.log], [0], [dnl
1449NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
1450udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
45e46e92 1451NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=42 ct_state=new|trk,ct_nw_src=10.1.1.2,ct_nw_dst=10.1.1.1,ct_nw_proto=17,ct_tp_src=2,ct_tp_dst=1,ip,in_port=2 (via action) data_len=42 (unbuffered)
a76a37ef
JR
1452udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
1453])
1454
1455dnl
1456dnl Check that the directionality has been changed by force commit.
dnl The entry's orig tuple is now 10.1.1.2:2 -> 10.1.1.1:1.
1457dnl
1458AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.2,"], [], [dnl
1459udp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1),reply=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2)
1460])
1461
68c94b1a
JS
1462dnl OK, now send another packet from port 1 and see that it switches again
dnl Port 1 also uses ct(force,commit), so the orig tuple flips back to
dnl 10.1.1.1:1 -> 10.1.1.2:2.
1463AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 actions=resubmit(,0)"])
1464AT_CHECK([ovs-appctl revalidator/purge], [0])
1465
1466AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.1,"], [], [dnl
1467udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),reply=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1)
1468])
1469
a76a37ef
JR
1470OVS_TRAFFIC_VSWITCHD_STOP
1471AT_CLEANUP
1472
dnl Checks dpctl/flush-conntrack with a 5-tuple (and optionally a zone):
dnl UDP entries in the default zone and in zone 5, and an ICMP entry in zone 5,
dnl are created and then removed one at a time, verifying after each flush
dnl that only the targeted entry is gone.
1473AT_SETUP([conntrack - ct flush by 5-tuple])
1474CHECK_CONNTRACK()
c43a1331
YHW
1475OVS_TRAFFIC_VSWITCHD_START()
1476
1477ADD_NAMESPACES(at_ns0, at_ns1)
1478
1479ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1480ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1481
dnl UDP and ICMP from port 1 are committed in the default zone and forwarded
dnl to port 2; the same from port 2 is committed in zone 5 and forwarded to
dnl port 1.  Nothing here depends on ct_state, only on the resulting entries.
1482AT_DATA([flows.txt], [dnl
1483priority=1,action=drop
1484priority=10,arp,action=normal
1485priority=100,in_port=1,udp,action=ct(commit),2
1486priority=100,in_port=2,udp,action=ct(zone=5,commit),1
1487priority=100,in_port=1,icmp,action=ct(commit),2
1488priority=100,in_port=2,icmp,action=ct(zone=5,commit),1
1489])
1490
1491AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1492
1493dnl Test UDP from port 1
dnl Hand-built Ethernet/IPv4/UDP frame 10.1.1.1:1 -> 10.1.1.2:2.
1494AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 actions=resubmit(,0)"])
1495
1496AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.1,"], [], [dnl
1497udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),reply=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1)
1498])
1499
dnl Note that the flush tuple is the reply direction of the entry above
dnl (10.1.1.2:2 -> 10.1.1.1:1); the entry must still be removed.
1500AT_CHECK([ovs-appctl dpctl/flush-conntrack 'ct_nw_src=10.1.1.2,ct_nw_dst=10.1.1.1,ct_nw_proto=17,ct_tp_src=2,ct_tp_dst=1'])
1501
dnl grep exits 1 when the entry is gone.
1502AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.1,"], [1], [dnl
1503])
1504
1505dnl Test UDP from port 2
dnl Same frame in the opposite direction; this entry lands in zone 5.
1506AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000 actions=resubmit(,0)"])
1507
1508AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.2,"], [0], [dnl
1509udp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1),reply=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),zone=5
1510])
1511
dnl Again the reply-direction tuple is given, this time together with the zone.
1512AT_CHECK([ovs-appctl dpctl/flush-conntrack zone=5 'ct_nw_src=10.1.1.1,ct_nw_dst=10.1.1.2,ct_nw_proto=17,ct_tp_src=1,ct_tp_dst=2'])
1513
1514AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1515])
1516
1517dnl Test ICMP traffic
dnl Real pings from ns1 so that the kernel picks the ICMP id; the entry is
dnl committed in zone 5 by the in_port=2 icmp flow.
1518NS_CHECK_EXEC([at_ns1], [ping -q -c 3 -i 0.3 -w 2 10.1.1.1 | FORMAT_PING], [0], [dnl
15193 packets transmitted, 3 received, 0% packet loss, time 0ms
1520])
1521
dnl Keep the raw dump line in "stdout" so the ICMP id can be extracted below;
dnl FORMAT_CT is applied only to the copy that is compared.
1522AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.2,"], [0], [stdout])
1523AT_CHECK([cat stdout | FORMAT_CT(10.1.1.1)], [0],[dnl
1524icmp,orig=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=8,code=0),reply=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=0,code=0),zone=5
1525])
1526
dnl Field 4 of the comma-separated dump line is "id=<n>" of the orig tuple;
dnl this relies on the exact field order of dump-conntrack output.
1527ICMP_ID=`cat stdout | cut -d ',' -f4 | cut -d '=' -f2`
dnl For ICMP the tuple is addresses, protocol 1, icmp id and type/code
dnl (type 8 = echo request, the orig direction here).
1528ICMP_TUPLE=ct_nw_src=10.1.1.2,ct_nw_dst=10.1.1.1,ct_nw_proto=1,icmp_id=$ICMP_ID,icmp_type=8,icmp_code=0
1529AT_CHECK([ovs-appctl dpctl/flush-conntrack zone=5 $ICMP_TUPLE])
1530
1531AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.2,"], [1], [dnl
1532])
1533
ffdcd110 1534OVS_TRAFFIC_VSWITCHD_STOP
c43a1331
YHW
1535AT_CLEANUP
1536
dnl Basic stateful ICMP policy over IPv4: echo requests from ns0 are committed
dnl and forwarded, only established replies may come back, and pings started
dnl from ns1 are dropped.
1537AT_SETUP([conntrack - IPv4 ping])
1538CHECK_CONNTRACK()
1539OVS_TRAFFIC_VSWITCHD_START()
1540
1541ADD_NAMESPACES(at_ns0, at_ns1)
1542
1543ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1544ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1545
1546dnl Allow any ICMP from ns0->ns1 (committed).  From ns1->ns0 only allow ARP
dnl and established (return) ICMP; untracked packets from port 2 are tracked
dnl first via ct(table=0), everything else is dropped.
1547AT_DATA([flows.txt], [dnl
1548priority=1,action=drop
1549priority=10,arp,action=normal
1550priority=100,in_port=1,icmp,action=ct(commit),2
1551priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
1552priority=100,in_port=2,icmp,ct_state=+trk+est,action=1
1553])
1554
1555AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1556
1557dnl Pings from ns0->ns1 should work fine.
1558NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
15593 packets transmitted, 3 received, 0% packet loss, time 0ms
1560])
1561
dnl The forward ping leaves one ICMP entry (echo request / echo reply).
1562AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1563icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0)
1564])
1565
dnl Remove that entry so the reverse-direction check starts from an empty table.
1566AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1567
1568dnl Pings from ns1->ns0 should fail.
dnl Echo requests from port 2 are tracked but never established, so they drop.
1569NS_CHECK_EXEC([at_ns1], [ping -q -c 3 -i 0.3 -w 2 10.1.1.1 | FORMAT_PING], [0], [dnl
15707 packets transmitted, 0 received, 100% packet loss, time 0ms
1571])
1572
1573OVS_TRAFFIC_VSWITCHD_STOP
1574AT_CLEANUP
1575
dnl Exercises the dpctl/ct-get-nconns and dpctl/ct-get-maxconns /
dnl dpctl/ct-set-maxconns appctl commands: argument validation (bad datapath
dnl name, non-numeric limit), the value reported before any set, setting a new
dnl limit, and the connection count before and after a flush.  maxconns is
dnl presumably the cap on tracked connections (a resource bound relevant to
dnl state-table exhaustion); only the get/set plumbing is checked here.
1576AT_SETUP([conntrack - get_nconns and get/set_maxconns])
1577CHECK_CONNTRACK()
dnl Skip unless the datapath under test supports these commands.
1578CHECK_CT_DPIF_SET_GET_MAXCONNS()
1579CHECK_CT_DPIF_GET_NCONNS()
1580OVS_TRAFFIC_VSWITCHD_START()
1581
1582ADD_NAMESPACES(at_ns0, at_ns1)
1583
1584ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1585ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1586
1587dnl Allow any ICMP from ns0->ns1 (committed).  From ns1->ns0 only allow ARP
dnl and established (return) ICMP.  Same policy as "conntrack - IPv4 ping";
dnl it is only used to create exactly one conntrack entry.
1588AT_DATA([flows.txt], [dnl
1589priority=1,action=drop
1590priority=10,arp,action=normal
1591priority=100,in_port=1,icmp,action=ct(commit),2
1592priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
1593priority=100,in_port=2,icmp,ct_state=+trk+est,action=1
1594])
1595
1596AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1597
1598dnl Pings from ns0->ns1 should work fine.
1599NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
16003 packets transmitted, 3 received, 0% packet loss, time 0ms
1601])
1602
1603AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1604icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0)
1605])
1606
dnl Error paths: exit status 2 and an error on stderr.  A lone non-numeric
dnl argument is reported as a malformed limit, whether or not it looks like a
dnl datapath name.
1607AT_CHECK([ovs-appctl dpctl/ct-set-maxconns one-bad-dp], [2], [], [dnl
1608ovs-vswitchd: maxconns missing or malformed (Invalid argument)
1609ovs-appctl: ovs-vswitchd: server returned an error
1610])
1611
1612AT_CHECK([ovs-appctl dpctl/ct-set-maxconns a], [2], [], [dnl
1613ovs-vswitchd: maxconns missing or malformed (Invalid argument)
1614ovs-appctl: ovs-vswitchd: server returned an error
1615])
1616
dnl With a valid limit, an unknown datapath name is rejected.
1617AT_CHECK([ovs-appctl dpctl/ct-set-maxconns one-bad-dp 10], [2], [], [dnl
ffdcd110 1618ovs-vswitchd: datapath not found (Invalid argument)
26509f88
DB
1619ovs-appctl: ovs-vswitchd: server returned an error
1620])
1621
1622AT_CHECK([ovs-appctl dpctl/ct-get-maxconns one-bad-dp], [2], [], [dnl
ffdcd110 1623ovs-vswitchd: datapath not found (Invalid argument)
26509f88
DB
1624ovs-appctl: ovs-vswitchd: server returned an error
1625])
1626
1627AT_CHECK([ovs-appctl dpctl/ct-get-nconns one-bad-dp], [2], [], [dnl
ffdcd110 1628ovs-vswitchd: datapath not found (Invalid argument)
26509f88
DB
1629ovs-appctl: ovs-vswitchd: server returned an error
1630])
1631
dnl Exactly one connection (the ICMP entry above) is tracked at this point.
1632AT_CHECK([ovs-appctl dpctl/ct-get-nconns], [], [dnl
16331
1634])
1635
dnl Limit reported before any set in this test.
1636AT_CHECK([ovs-appctl dpctl/ct-get-maxconns], [], [dnl
16373000000
1638])
1639
1640AT_CHECK([ovs-appctl dpctl/ct-set-maxconns 10], [], [dnl
1641setting maxconns successful
1642])
1643
1644AT_CHECK([ovs-appctl dpctl/ct-get-maxconns], [], [dnl
164510
1646])
1647
dnl Flushing drops the count to zero but leaves the configured limit alone.
1648AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1649
1650AT_CHECK([ovs-appctl dpctl/ct-get-nconns], [], [dnl
16510
1652])
1653
1654AT_CHECK([ovs-appctl dpctl/ct-get-maxconns], [], [dnl
165510
1656])
1657
ffdcd110 1658OVS_TRAFFIC_VSWITCHD_STOP
26509f88
DB
1659AT_CLEANUP
1660
dnl IPv6 counterpart of "conntrack - IPv4 ping": only ICMPv6 echo request /
dnl reply are subject to the stateful policy in table 1; all other traffic
dnl (which includes neighbor discovery) is switched normally in table 0.
1661AT_SETUP([conntrack - IPv6 ping])
1662CHECK_CONNTRACK()
1663OVS_TRAFFIC_VSWITCHD_START()
1664
1665ADD_NAMESPACES(at_ns0, at_ns1)
1666
1667ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1668ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1669
1670AT_DATA([flows.txt], [dnl
1671
1672dnl ICMPv6 echo request and reply go to table 1. The rest of the traffic goes
1673dnl through normal action.
dnl icmp_type 128 = echo request, 129 = echo reply.
1674table=0,priority=10,icmp6,icmp_type=128,action=goto_table:1
1675table=0,priority=10,icmp6,icmp_type=129,action=goto_table:1
1676table=0,priority=1,action=normal
1677
1678dnl Allow everything from ns0->ns1. Only allow return traffic from ns1->ns0.
1679table=1,priority=100,in_port=1,icmp6,action=ct(commit),2
1680table=1,priority=100,in_port=2,icmp6,ct_state=-trk,action=ct(table=0)
1681table=1,priority=100,in_port=2,icmp6,ct_state=+trk+est,action=1
1682table=1,priority=1,action=drop
1683])
1684
1685AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1686
dnl Wait until ns0 can actually reach ns1 over IPv6 (presumably address /
dnl neighbor setup) before the pass-fail pings start.
1687OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1688
027f7e84
DDP
1689dnl The above ping creates state in the connection tracker. We're not
1690dnl interested in that state.
1691AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1692
e5cf8cce
DDP
1693dnl Pings from ns1->ns0 should fail.
dnl Echo requests from port 2 reach table 1 tracked but not established and
dnl hit the table-1 drop.
1694NS_CHECK_EXEC([at_ns1], [ping6 -q -c 3 -i 0.3 -w 2 fc00::1 | FORMAT_PING], [0], [dnl
16957 packets transmitted, 0 received, 100% packet loss, time 0ms
1696])
1697
1698dnl Pings from ns0->ns1 should work fine.
1699NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
17003 packets transmitted, 3 received, 0% packet loss, time 0ms
1701])
1702
dnl Only the forward ping leaves an entry (the failed reverse pings were
dnl never committed).
1703AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
1704icmpv6,orig=(src=fc00::1,dst=fc00::2,id=<cleared>,type=128,code=0),reply=(src=fc00::2,dst=fc00::1,id=<cleared>,type=129,code=0)
1705])
1706
1707OVS_TRAFFIC_VSWITCHD_STOP
1708AT_CLEANUP
1709
dnl Checks that register contents survive recirculation through ct(): the
dnl port 3 -> port 4 path uses reg0 as a step counter across two ct() passes
dnl and only forwards once reg0 reads back as 1.  The port 1 -> port 2 path is
dnl a plain reference policy without registers.
1710AT_SETUP([conntrack - preserve registers])
1711CHECK_CONNTRACK()
cf7659b6 1712OVS_TRAFFIC_VSWITCHD_START()
07659514
JS
1713
1714ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1715
1716ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1717ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1718ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1719ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1720
1721dnl Allow any traffic from ns0->ns1, ns2->ns3.
dnl Port 3: untracked TCP -> reg0=0, track and recirculate; tracked with
dnl reg0=0 -> reg0=1, commit and recirculate again; tracked with reg0=1 ->
dnl output to port 4.  If reg0 were lost across ct(), the second or third
dnl rule could never match and the p2->p3 request below would fail.
1722AT_DATA([flows.txt], [dnl
1723priority=1,action=drop
1724priority=10,arp,action=normal
1725priority=10,icmp,action=normal
1726priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
1727priority=100,in_port=1,tcp,ct_state=+trk,action=2
1728priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
1729priority=100,in_port=2,tcp,ct_state=+trk,action=1
1730priority=100,in_port=3,tcp,ct_state=-trk,action=load:0->NXM_NX_REG0[[]],ct(table=0)
1731priority=100,in_port=3,tcp,ct_state=+trk,reg0=0,action=load:1->NXM_NX_REG0[[]],ct(commit,table=0)
1732priority=100,in_port=3,tcp,ct_state=+trk,reg0=1,action=4
1733priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
1734priority=100,in_port=4,tcp,ct_state=+trk,action=3
1735])
1736
6cfa8ec3 1737AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
07659514 1738
7ed40afe
JS
dnl HTTP servers in ns1 and ns3; the wget runs below are the pass/fail checks.
1739OVS_START_L7([at_ns1], [http])
1740OVS_START_L7([at_ns3], [http])
1741
07659514 1742dnl HTTP requests from p0->p1 should work fine.
07659514
JS
1743NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1744
1745dnl HTTP requests from p2->p3 should work fine.
07659514
JS
1746NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
1747
1748OVS_TRAFFIC_VSWITCHD_STOP
1749AT_CLEANUP
1750
dnl Checks the "invalid" ct_state.  Requests are tracked with ct() but never
dnl committed, so their replies cannot be associated with a connection.  For
dnl ports 1/2 the reply is therefore dropped and the HTTP request fails; for
dnl ports 3/4 a rule explicitly admits +inv traffic and the request succeeds.
dnl Admitting +inv deliberately gives up the stateful guarantee; this test
dnl documents that behaviour rather than recommends it.
1751AT_SETUP([conntrack - invalid])
1752CHECK_CONNTRACK()
cf7659b6 1753OVS_TRAFFIC_VSWITCHD_START()
07659514
JS
1754
1755ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1756
1757ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1758ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1759ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1760ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1761
1762dnl Pass traffic from ns0->ns1 without committing, but attempt to track in
1763dnl the opposite direction. This should fail.
1764dnl Pass traffic from ns2->ns3 (ports 3->4) without committing, and this time
1765dnl match invalid traffic and allow it through.
1766AT_DATA([flows.txt], [dnl
1767priority=1,action=drop
1768priority=10,arp,action=normal
1769priority=10,icmp,action=normal
1770priority=100,in_port=1,tcp,action=ct(),2
1771priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1772priority=100,in_port=2,ct_state=+trk+new,tcp,action=1
1773priority=100,in_port=3,tcp,action=ct(),4
1774priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
1775priority=100,in_port=4,ct_state=+trk+inv,tcp,action=3
1776priority=100,in_port=4,ct_state=+trk+new,tcp,action=3
1777])
1778
6cfa8ec3 1779AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
07659514
JS
1780
1781dnl We set up our rules to allow the request without committing. The return
1782dnl traffic can't be identified, because the initial request wasn't committed.
1783dnl For the first pair of ports, this means that the connection fails.
7ed40afe
JS
1784OVS_START_L7([at_ns1], [http])
1785OVS_START_L7([at_ns3], [http])
07659514
JS
dnl Expected exit status 4: wget reports a network failure.
1786NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4])
1787
1788dnl For the second pair, we allow packets from invalid connections, so it works.
07659514
JS
1789NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
1790
1791OVS_TRAFFIC_VSWITCHD_STOP
1792AT_CLEANUP
1793
dnl Checks conntrack zones: a connection committed in zone 1 is matched by
dnl its return traffic in zone 1 (ports 1/2, HTTP works), while a connection
dnl committed in zone 2 whose return rule still matches ct_zone=1 is never
dnl admitted (ports 3/4, HTTP fails).  dump-conntrack shows the zone of each
dnl entry.
1794AT_SETUP([conntrack - zones])
1795CHECK_CONNTRACK()
cf7659b6 1796OVS_TRAFFIC_VSWITCHD_START()
07659514
JS
1797
1798ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1799
1800ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1801ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1802ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1803ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1804
1805dnl Allow any traffic from ns0->ns1. Allow return traffic, matching on zone.
1806dnl For ns2->ns3, use a different zone and see that the match fails.
dnl The in_port=4 rule looks up the packet in zone 2 but then requires
dnl ct_zone=1, so it can never match; those replies hit the drop.
1807AT_DATA([flows.txt], [dnl
1808priority=1,action=drop
1809priority=10,arp,action=normal
1810priority=10,icmp,action=normal
1811priority=100,in_port=1,tcp,action=ct(commit,zone=1),2
1812priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
1813priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
1814priority=100,in_port=3,tcp,action=ct(commit,zone=2),4
1815priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0,zone=2)
1816priority=100,in_port=4,ct_state=+trk,ct_zone=1,tcp,action=3
1817])
1818
6cfa8ec3 1819AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
07659514 1820
7ed40afe
JS
1821OVS_START_L7([at_ns1], [http])
1822OVS_START_L7([at_ns3], [http])
1823
07659514 1824dnl HTTP requests from p0->p1 should work fine.
07659514
JS
1825NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1826
dnl Ports and TCP state are cleared by FORMAT_CT; the zone is what matters.
ec3aa16c 1827AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
420c73b2 1828tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
07659514
JS
1829])
1830
1831dnl HTTP requests from p2->p3 should fail due to network failure.
1832dnl Try 3 times, in 1 second intervals.
dnl Expected exit status 4: wget reports a network failure.
07659514
JS
1833NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
1834
dnl The request was still committed (in zone 2); only the reply was dropped.
ec3aa16c 1835AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
420c73b2 1836tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
07659514
JS
1837])
1838
1839OVS_TRAFFIC_VSWITCHD_STOP
1840AT_CLEANUP
1841
dnl Same scenario as "conntrack - zones", but the zone is taken from a
dnl register (reg0 bits 0..15) instead of a literal: 0x1001 (4097) for ports
dnl 1/2 and 0x1002 (4098) for ports 3/4.  The port-4 return rule again matches
dnl the wrong zone, so the second HTTP request fails.
1842AT_SETUP([conntrack - zones from field])
1843CHECK_CONNTRACK()
cf7659b6 1844OVS_TRAFFIC_VSWITCHD_START()
07659514
JS
1845
1846ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1847
1848ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1849ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1850ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1851ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1852
1853dnl Allow any traffic from ns0->ns1 and ns2->ns3, each committed in a zone
dnl loaded into reg0.  Return traffic is looked up in the same register
dnl zone; the in_port=4 rule then requires ct_zone=0x1001 although its
dnl connection lives in 0x1002, so it never matches.
1854AT_DATA([flows.txt], [dnl
1855priority=1,action=drop
1856priority=10,arp,action=normal
1857priority=10,icmp,action=normal
1858priority=100,in_port=1,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),2
1859priority=100,in_port=2,ct_state=-trk,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
1860priority=100,in_port=2,ct_state=+trk,ct_zone=0x1001,tcp,action=1
1861priority=100,in_port=3,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),4
1862priority=100,in_port=4,ct_state=-trk,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
1863priority=100,in_port=4,ct_state=+trk,ct_zone=0x1001,tcp,action=3
1864])
1865
6cfa8ec3 1866AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
07659514 1867
7ed40afe
JS
1868OVS_START_L7([at_ns1], [http])
1869OVS_START_L7([at_ns3], [http])
1870
07659514 1871dnl HTTP requests from p0->p1 should work fine.
07659514
JS
1872NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1873
dnl zone=4097 is 0x1001 in decimal.
ec3aa16c 1874AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
420c73b2 1875tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=4097,protoinfo=(state=<cleared>)
07659514
JS
1876])
1877
1878dnl HTTP requests from p2->p3 should fail due to network failure.
1879dnl Try 3 times, in 1 second intervals.
dnl Expected exit status 4: wget reports a network failure.
07659514
JS
1880NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
1881
dnl zone=4098 is 0x1002; the request was committed, only the reply was dropped.
ec3aa16c 1882AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
420c73b2 1883tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=4098,protoinfo=(state=<cleared>)
07659514
JS
1884])
1885
1886OVS_TRAFFIC_VSWITCHD_STOP
1887AT_CLEANUP
1888
dnl Checks conntrack across two bridges joined by a patch port pair: br0 tracks
dnl the connection in zone 1 and br1 independently in zone 2, and an HTTP
dnl request from ns0 (on br0) to ns1 (on br1) must succeed through both
dnl policies.
1889AT_SETUP([conntrack - multiple bridges])
1890CHECK_CONNTRACK()
dnl br1 and the patch ports are created before the veths below, so on each
dnl bridge the patch port appears to take port 1 and the veth port 2 (the
dnl flows below are written with that numbering).
1891OVS_TRAFFIC_VSWITCHD_START(
cf7659b6 1892 [_ADD_BR([br1]) --\
07659514
JS
1893 add-port br0 patch+ -- set int patch+ type=patch options:peer=patch- --\
1894 add-port br1 patch- -- set int patch- type=patch options:peer=patch+ --])
1895
1896ADD_NAMESPACES(at_ns0, at_ns1)
1897
1898ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1899ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")
1900
1901dnl Allow any traffic from ns0->br1, allow established in reverse.
dnl br0: port 2 (p0) -> commit in zone 1 and send to the patch port (1);
dnl from the patch port, track in zone 1 and pass only established traffic.
1902AT_DATA([flows-br0.txt], [dnl
1903priority=1,action=drop
1904priority=10,arp,action=normal
1905priority=10,icmp,action=normal
1906priority=100,in_port=2,tcp,ct_state=-trk,action=ct(commit,zone=1),1
1907priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
1908priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=1,action=2
1909])
1910
1911dnl Allow any traffic from br0->ns1, allow established in reverse.
dnl br1: from the patch port (1), new connections are committed in zone 2 and
dnl established ones passed to p1 (2); from p1 only established traffic is
dnl re-committed and sent back toward br0.
1912AT_DATA([flows-br1.txt], [dnl
1913priority=1,action=drop
1914priority=10,arp,action=normal
1915priority=10,icmp,action=normal
1916priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=2)
1917priority=100,in_port=1,tcp,ct_state=+trk+new,ct_zone=2,action=ct(commit,zone=2),2
1918priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=2,action=2
1919priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
1920priority=100,in_port=2,tcp,ct_state=+trk+est,ct_zone=2,action=ct(commit,zone=2),1
1921])
1922
6cfa8ec3
JR
1923AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
1924AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt])
07659514
JS
1925
1926dnl HTTP requests from p0->p1 should work fine.
7ed40afe 1927OVS_START_L7([at_ns1], [http])
07659514
JS
1928NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1929
1930OVS_TRAFFIC_VSWITCHD_STOP
1931AT_CLEANUP
1932
dnl Checks that one packet can be committed into several zones in sequence:
dnl port 1 commits in zone 1 and then zone 2, return traffic is matched in
dnl zone 2 only, and dump-conntrack ends up with one entry per zone.
1933AT_SETUP([conntrack - multiple zones])
1934CHECK_CONNTRACK()
cf7659b6 1935OVS_TRAFFIC_VSWITCHD_START()
07659514
JS
1936
1937ADD_NAMESPACES(at_ns0, at_ns1)
1938
1939ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1940ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1941
1942dnl Allow any traffic from ns0->ns1, committing it in zone 1 and zone 2.
dnl From ns1->ns0 allow ARP, ICMP and tracked TCP in zone 2 only.
1943AT_DATA([flows.txt], [dnl
1944priority=1,action=drop
1945priority=10,arp,action=normal
1946priority=10,icmp,action=normal
1947priority=100,in_port=1,tcp,action=ct(commit,zone=1),ct(commit,zone=2),2
1948priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=2)
1949priority=100,in_port=2,ct_state=+trk,ct_zone=2,tcp,action=1
1950])
1951
6cfa8ec3 1952AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
07659514 1953
7ed40afe
JS
1954OVS_START_L7([at_ns1], [http])
1955
07659514 1956dnl HTTP requests from p0->p1 should work fine.
07659514
JS
1957NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1958
1959dnl (again) HTTP requests from p0->p1 should work fine.
1960NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1961
dnl One entry in each zone for the same 5-tuple.
ec3aa16c 1962AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
420c73b2
JR
1963tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1964tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
07659514
JS
1965])
1966
1967OVS_TRAFFIC_VSWITCHD_STOP
1968AT_CLEANUP
1969
dnl Variant of the zone policy using OVS internal ports moved into namespaces
dnl (ADD_INT) rather than veth pairs.  With internal ports the packet leaves
dnl the namespace's own network stack, which has its own conntrack; the test
dnl guards against that state leaking into the bridge's lookup.
1970AT_SETUP([conntrack - multiple namespaces, internal ports])
1971CHECK_CONNTRACK()
4573c42e 1972CHECK_CONNTRACK_LOCAL_STACK()
0e27c629
JS
dnl Secure fail mode: no implicit normal-switching flow, only flows.txt.
1973OVS_TRAFFIC_VSWITCHD_START(
1974 [set-fail-mode br0 secure -- ])
1975
1976ADD_NAMESPACES(at_ns0, at_ns1)
1977
1978ADD_INT(p0, at_ns0, br0, "10.1.1.1/24")
1979ADD_INT(p1, at_ns1, br0, "10.1.1.2/24")
1980
1981dnl Allow any traffic from ns0->ns1 (committed in zone 1).  Only allow ARP,
dnl ICMP and tracked TCP in zone 1 from ns1->ns0.
1982dnl
1983dnl If skb->nfct is leaking from inside the namespace, this test will fail.
1984AT_DATA([flows.txt], [dnl
1985priority=1,action=drop
1986priority=10,arp,action=normal
1987priority=10,icmp,action=normal
1988priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=1),2
1989priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
1990priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
1991])
1992
dnl Note: unlike the other tests in this banner, flows are added without
dnl --bundle here.
1993AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1994
7ed40afe
JS
1995OVS_START_L7([at_ns1], [http])
1996
0e27c629 1997dnl HTTP requests from p0->p1 should work fine.
0e27c629
JS
1998NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1999
2000dnl (again) HTTP requests from p0->p1 should work fine.
2001NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2002
ec3aa16c 2003AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
420c73b2 2004tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
0e27c629
JS
2005])
2006
dnl Log lines matching these sed expressions are ignored at shutdown,
dnl presumably because the internal ports vanish with their namespaces before
dnl ovs-vswitchd tries to clean them up.
2007OVS_TRAFFIC_VSWITCHD_STOP(["dnl
2008/ioctl(SIOCGIFINDEX) on .* device failed: No such device/d
2009/removing policing failed: No such device/d"])
2010AT_CLEANUP
2011
dnl Checks ct_mark set at commit time and matched on return traffic: ports 1/2
dnl use mark 1 consistently (HTTP works); ports 3/4 commit mark 2 but the
dnl return rule requires mark 1, so the reply is dropped (HTTP fails).
2012AT_SETUP([conntrack - ct_mark])
2013CHECK_CONNTRACK()
cf7659b6 2014OVS_TRAFFIC_VSWITCHD_START()
8e53fe8c
JS
2015
2016ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
2017
2018ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2019ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2020ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
2021ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
2022
2023dnl Allow traffic between ns0<->ns1 using the ct_mark.
2024dnl Check that different marks do not match for traffic between ns2<->ns3.
dnl The mark is written with set_field inside ct(commit,exec(...)) and read
dnl back through the ct_mark match field after ct(table=0).
2025AT_DATA([flows.txt], [dnl
2026priority=1,action=drop
2027priority=10,arp,action=normal
2028priority=10,icmp,action=normal
2029priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
2030priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
2031priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
2032priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:2->ct_mark)),4
2033priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
2034priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
2035])
2036
6cfa8ec3 2037AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
8e53fe8c 2038
7ed40afe
JS
2039OVS_START_L7([at_ns1], [http])
2040OVS_START_L7([at_ns3], [http])
2041
8e53fe8c 2042dnl HTTP requests from p0->p1 should work fine.
8e53fe8c 2043NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
420c73b2
JR
dnl The entry carries mark=1.
2044AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2045tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=<cleared>)
8e53fe8c
JS
2046])
2047
2048dnl HTTP requests from p2->p3 should fail due to network failure.
2049dnl Try 3 times, in 1 second intervals.
dnl Expected exit status 4: wget reports a network failure.
8e53fe8c 2050NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl The request was committed with mark=2; only the reply was dropped.
ec3aa16c 2051AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
420c73b2 2052tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=<cleared>)
8e53fe8c
JS
2053])
2054
2055OVS_TRAFFIC_VSWITCHD_STOP
2056AT_CLEANUP
2057
dnl Checks masked writes to ct_mark (set_field:value/mask->ct_mark): the
dnl request sets bits 0 and 2 (mark 0x5), the reply then writes 0x2 under mask
dnl 0x6, i.e. sets bit 1 and clears bit 2, leaving mark 0x3, which is what
dnl the table-1 return rule and the final dump-conntrack expect.
2058AT_SETUP([conntrack - ct_mark bit-fiddling])
2059CHECK_CONNTRACK()
2060OVS_TRAFFIC_VSWITCHD_START()
2061
dnl Only ns0 and ns1 are given ports; at_ns2 and at_ns3 are unused here.
2062ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
2063
2064ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2065ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2066
2067dnl Allow traffic between ns0<->ns1 using the ct_mark. Return traffic should
2068dnl cause an additional bit to be set in the connection (and be allowed).
dnl Port 1 is tracked in table 0 and committed in table 1 only for +new
dnl packets; port 2 tracks, commits and applies the masked mark write in one
dnl ct() action, then requires ct_mark=3 in table 1.
2069AT_DATA([flows.txt], [dnl
2070table=0,priority=1,action=drop
2071table=0,priority=10,arp,action=normal
2072table=0,priority=10,icmp,action=normal
2073table=0,priority=100,in_port=1,tcp,action=ct(table=1)
2074table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x2/0x6->ct_mark))
723af132
JS
2075table=1,in_port=1,ct_state=+new,tcp,action=ct(commit,exec(set_field:0x5/0x5->ct_mark)),2
2076table=1,in_port=1,ct_state=-new,tcp,action=2
2077table=1,in_port=2,ct_state=+trk,ct_mark=3,tcp,action=1
4d182934
JS
2078])
2079
2080AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2081
7ed40afe
JS
2082OVS_START_L7([at_ns1], [http])
2083
4d182934 2084dnl HTTP requests from p0->p1 should work fine.
4d182934
JS
2085NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2086
420c73b2
JR
dnl mark=3: (0x5 with bits 1..2 replaced by 0b01) == 0x3.
2087AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2088tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=3,protoinfo=(state=<cleared>)
4d182934
JS
2089])
2090
2091OVS_TRAFFIC_VSWITCHD_STOP
2092AT_CLEANUP
2093
dnl Same scenario as "conntrack - ct_mark", but the mark is loaded into reg0
dnl first and copied into ct_mark with a move action inside exec(), instead of
dnl being set from a literal.  Ports 1/2 use mark 1 (HTTP works); ports 3/4
dnl commit mark 2 but match mark 1 on return (HTTP fails).
2094AT_SETUP([conntrack - ct_mark from register])
2095CHECK_CONNTRACK()
cf7659b6 2096OVS_TRAFFIC_VSWITCHD_START()
8e53fe8c
JS
2097
2098ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
2099
2100ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2101ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2102ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
2103ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
2104
2105dnl Allow any traffic from ns0->ns1 and ns2->ns3, marking the connection from
dnl reg0.  Return traffic is admitted only when ct_mark=1, which holds for
dnl ports 1/2 but not for ports 3/4 (marked 2).
2106AT_DATA([flows.txt], [dnl
2107priority=1,action=drop
2108priority=10,arp,action=normal
2109priority=10,icmp,action=normal
2110priority=100,in_port=1,tcp,action=load:1->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),2
2111priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
2112priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
2113priority=100,in_port=3,tcp,action=load:2->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),4
2114priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
2115priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
2116])
2117
6cfa8ec3 2118AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
8e53fe8c 2119
7ed40afe
JS
2120OVS_START_L7([at_ns1], [http])
2121OVS_START_L7([at_ns3], [http])
2122
8e53fe8c 2123dnl HTTP requests from p0->p1 should work fine.
8e53fe8c 2124NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
420c73b2
JR
dnl The entry carries mark=1, copied from reg0.
2125AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2126tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=<cleared>)
8e53fe8c
JS
2127])
2128
2129dnl HTTP requests from p2->p3 should fail due to network failure.
2130dnl Try 3 times, in 1 second intervals.
dnl Expected exit status 4: wget reports a network failure.
8e53fe8c 2131NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl The request was committed with mark=2; only the reply was dropped.
ec3aa16c 2132AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
420c73b2 2133tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=<cleared>)
8e53fe8c
JS
2134])
2135
2136OVS_TRAFFIC_VSWITCHD_STOP
2137AT_CLEANUP
2138
dnl Set ct_label at commit time and match on it for return traffic.
dnl ns0<->ns1 commits and matches the same label, so HTTP works; ns2->ns3
dnl commits label 0x2 while its return rule matches the ns0/ns1 label, so the
dnl reply is dropped and the request fails.
AT_SETUP([conntrack - ct_label])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow traffic between ns0<->ns1 using the ct_label.
dnl Check that different labels do not match for traffic between ns2<->ns3.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:0x0a000d000005000001->ct_label)),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=1
priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:0x2->ct_label)),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=4,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

OVS_START_L7([at_ns1], [http])
OVS_START_L7([at_ns3], [http])

dnl HTTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.  wget exit status 4 is "network failure".
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2178
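dnl Masked writes to ct_label.  The original direction commits 0x5 (bits 0
dnl and 2); the first reply re-commits value 0x200000000 under mask
dnl 0x200000004, which sets bit 33 and clears bit 2.  The return rule then
dnl matches the combined label 0x200000001, and the conntrack dump must show
dnl exactly that value.
AT_SETUP([conntrack - ct_label bit-fiddling])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

dnl Only two endpoints take part in this test, so only two namespaces are
dnl created (the test previously created at_ns2/at_ns3 without using them).
ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow traffic between ns0<->ns1 using the ct_labels. Return traffic should
dnl cause an additional bit to be set in the connection labels (and be allowed)
AT_DATA([flows.txt], [dnl
table=0,priority=1,action=drop
table=0,priority=10,arp,action=normal
table=0,priority=10,icmp,action=normal
table=0,priority=100,in_port=1,tcp,action=ct(table=1)
table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label))
table=1,in_port=1,tcp,ct_state=+new,action=ct(commit,exec(set_field:0x5/0x5->ct_label)),2
table=1,in_port=1,tcp,ct_state=-new,action=2
table=1,in_port=2,ct_state=+trk,ct_label=0x200000001,tcp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

OVS_START_L7([at_ns1], [http])

dnl HTTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl labels=0x200000001: bit 0 from the original commit, bit 33 from the
dnl reply's masked write; bit 2 was cleared by that same masked write.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),labels=0x200000001,protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP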
2214
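dnl The same connection is committed in two zones.  Zone 1 receives masked
dnl ct_mark/ct_label writes (original: 0x5/0x5 for both; reply: label
dnl 0x200000000/0x200000004 and mark 0x2/0x6, i.e. set bit 1, clear bit 2),
dnl zone 2 is committed without any metadata.  The dump must show mark=3 and
dnl labels=0x200000001 on the zone 1 entry only.
AT_SETUP([conntrack - ct metadata, multiple zones])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

dnl Only two endpoints take part in this test, so only two namespaces are
dnl created (the test previously created at_ns2/at_ns3 without using them).
ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow traffic between ns0<->ns1 using the ct_mark and ct_labels in zone=1,
dnl but do *not* set any of these for the ct() in zone=2. Traffic should pass,
dnl and we should see that the conntrack entries only apply the ct_mark and
dnl ct_labels to the connection in zone=1.
AT_DATA([flows.txt], [dnl
table=0,priority=1,action=drop
table=0,priority=10,arp,action=normal
table=0,priority=10,icmp,action=normal
table=0,priority=100,in_port=1,tcp,action=ct(zone=1,table=1)
table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(zone=1,table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label,set_field:0x2/0x6->ct_mark))
table=1,in_port=1,tcp,ct_state=+new,action=ct(zone=1,commit,exec(set_field:0x5/0x5->ct_label,set_field:0x5/0x5->ct_mark)),ct(commit,zone=2),2
table=1,in_port=1,tcp,ct_state=-new,action=ct(zone=2),2
table=1,in_port=2,tcp,action=ct(zone=2),1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

OVS_START_L7([at_ns1], [http])

dnl HTTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl Zone 1 carries the metadata, zone 2 carries none.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,mark=3,labels=0x200000001,protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP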
2253
dnl A UDP datagram from ns0 to a port in ns1 where no listener was started
dnl provokes an ICMP "destination unreachable" from ns1.  Only ARP, the UDP
dnl original direction, and ICMP that conntrack classifies as related (+rel)
dnl to the committed UDP entry are allowed through.
AT_SETUP([conntrack - ICMP related])
AT_SKIP_IF([test $HAVE_NC = no])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,udp,action=ct(commit,exec(set_field:1->ct_mark)),2
priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,icmp,ct_state=+trk+rel,ct_mark=1,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])

dnl Purge the datapath flows so their statistics are pushed up to the
dnl OpenFlow flows, then expect exactly one UDP packet, one untracked ICMP
dnl and one related ICMP (plus the ARP exchange).
AT_CHECK([ovs-appctl revalidator/purge], [0])
AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
 n_packets=1, n_bytes=44, priority=100,udp,in_port=1 actions=ct(commit,exec(load:0x1->NXM_NX_CT_MARK[[]])),output:2
 n_packets=1, n_bytes=72, priority=100,ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2 actions=output:1
 n_packets=1, n_bytes=72, priority=100,ct_state=-trk,icmp,in_port=2 actions=ct(table=0)
 n_packets=2, n_bytes=84, priority=10,arp actions=NORMAL
NXST_FLOW reply:
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2289
dnl An ICMP error that refers to a UDP flow but arrives in the *original*
dnl direction of the conntrack entry (here: the entry created by packet 1)
dnl must still be classified as +rel.  All packets are injected with
dnl packet-out, so no traffic is generated from the namespaces.
AT_SETUP([conntrack - ICMP related to original direction])
dnl NOTE(review): nothing below uses nc; this skip looks like a leftover from
dnl the previous test -- confirm before removing it.
AT_SKIP_IF([test $HAVE_NC = no])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl UDP is committed in zone 34673 and forwarded in both directions; ICMP
dnl from port 2 is forwarded only when conntrack marks it +rel.
AT_DATA([flows.txt], [dnl
priority=1000,arp,action=normal
priority=100,ip,action=ct(table=1)
priority=1,action=drop
table=1,ip,action=ct(zone=34673,table=2)
table=2,in_port=2,udp,action=ct(commit,zone=34673),1
table=2,in_port=1,udp,action=ct(commit,zone=34673),2
table=2,in_port=2,ct_state=+rel,icmp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl 1. Send a UDP packet to port 53 (src=192.100.1.8,dst=192.100.2.5)
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) '00010200020400232211223308004500001c000100004011f6fac0640108c06402050035003500087b9e'])

dnl 2. Send a UDP packet to port 53 (src=192.100.2.5,dst=192.100.1.8)
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 resubmit\(,0\) '00232211223300010200020408004500001c000100004011f6fac0640205c06401080035003500087b9e'])

dnl 3. Send an ICMP port unreach reply for port 53, related to the 2nd
dnl packet, but in the original direction of the conntrack entry created
dnl for the 1st packet.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) '000102000204002322112233080045000038000100003f01f7eec0640108c0640205030a80e5ffffffff4500001c000100003f11f7fac0640205c06401080035003500087b9e'])

dnl Push datapath statistics up to the OpenFlow flows before repeating.
AT_CHECK([ovs-appctl revalidator/purge], [0])

dnl 4. Repeat 3.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) '000102000204002322112233080045000038000100003f01f7eec0640108c0640205030a80e5ffffffff4500001c000100003f11f7fac0640205c06401080035003500087b9e'])

AT_CHECK([ovs-appctl revalidator/purge], [0])

dnl Both ICMP errors (3. and 4.) must have matched the +rel rule.
AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
 n_packets=4, n_bytes=224, priority=100,ip actions=ct(table=1)
 priority=1000,arp actions=NORMAL
 table=1, n_packets=4, n_bytes=224, ip actions=ct(table=2,zone=34673)
 table=2, n_packets=1, n_bytes=42, udp,in_port=1 actions=ct(commit,zone=34673),output:2
 table=2, n_packets=1, n_bytes=42, udp,in_port=2 actions=ct(commit,zone=34673),output:1
 table=2, n_packets=2, n_bytes=140, ct_state=+rel,icmp,in_port=2 actions=output:1
NXST_FLOW reply:
])

dnl A single UDP entry: packet 2 is the reply to the entry created by packet 1.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(192.100.1.8)], [0], [dnl
udp,orig=(src=192.100.1.8,dst=192.100.2.5,sport=<cleared>,dport=<cleared>),reply=(src=192.100.2.5,dst=192.100.1.8,sport=<cleared>,dport=<cleared>),zone=34673
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2347
dnl Send every IP packet through conntrack and punt it to the controller so
dnl that the ct_state it received can be inspected in ofctl_monitor.log.
dnl Exercises an ICMP error that refers to no known flow (ct_state=inv)
dnl versus one that refers to a committed UDP flow (ct_state=rel).
AT_SETUP([conntrack - ICMP related 2])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "172.16.0.1/24")
ADD_VETH(p1, at_ns1, br0, "172.16.0.2/24")

dnl Commit every IP packet and hand it to the controller with its ct_state.
AT_DATA([flows.txt], [dnl
table=0,ip,action=ct(commit,table=1)
table=1,ip,action=controller
])

AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt])

dnl Record the packet-ins generated by the controller action.
AT_CAPTURE_FILE([ofctl_monitor.log])
AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])

dnl 1. Send an ICMP port unreach reply for port 8738, without any previous request
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f351ac100004ac1000030303da490000000045000021317040004011b138ac100003ac10000411112222000d20966369616f0a'])

dnl 2. Send a UDP packet to port 5555
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 resubmit\(,0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])

dnl 3. Send an ICMP port unreach reply from a path midpoint for port 5555, related to the UDP packet sent in 2.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f354ac100003ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])

OVS_APP_EXIT_AND_WAIT([ovs-ofctl])

dnl Check this output. All three packets reach the controller: the unsolicited
dnl ICMP error (1., between 172.16.0.4 and 172.16.0.3, neither of which belongs
dnl to a committed flow) is flagged ct_state=inv|trk, the UDP packet (2.) is
dnl new|trk, and the ICMP error for the known UDP flow (3.) is rel|rpl|trk.
AT_CHECK([cat ofctl_monitor.log | grep -v ff02 | grep -v fe80 | grep -v no_match], [0], [dnl
NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=75 ct_state=inv|trk,ip,in_port=2 (via action) data_len=75 (unbuffered)
icmp,vlan_tci=0x0000,dl_src=c6:f5:4e:cb:72:db,dl_dst=f6:4c:47:35:28:c9,nw_src=172.16.0.4,nw_dst=172.16.0.3,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:da49
NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=47 ct_state=new|trk,ct_nw_src=172.16.0.1,ct_nw_dst=172.16.0.2,ct_nw_proto=17,ct_tp_src=41614,ct_tp_dst=5555,ip,in_port=1 (via action) data_len=47 (unbuffered)
udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096
NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=75 ct_state=rel|rpl|trk,ct_nw_src=172.16.0.1,ct_nw_dst=172.16.0.2,ct_nw_proto=17,ct_tp_src=41614,ct_tp_dst=5555,ip,in_port=2 (via action) data_len=75 (unbuffered)
icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.3,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f
])

dnl Only the UDP flow was committed; the unsolicited ICMP error (1.) left no
dnl entry behind for 172.16.0.3 even though its flow did pass through ct(commit).
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(172.16.0.1)], [0], [dnl
udp,orig=(src=172.16.0.1,dst=172.16.0.2,sport=<cleared>,dport=<cleared>),reply=(src=172.16.0.2,dst=172.16.0.1,sport=<cleared>,dport=<cleared>)
])

AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(172.16.0.3)], [0], [dnl
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
d787ad39 2398
dnl ICMP echo with 1600- and 3200-byte payloads (larger than the link MTU, so
dnl each echo is fragmented) must be reassembled by conntrack in zone 9 before
dnl the +trk+est return rule can match; all three pings must succeed.
AT_SETUP([conntrack - IPv4 fragmentation])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Sending ping through conntrack
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Modify userspace conntrack fragmentation handling.
DPCTL_MODIFY_FRAGMENTATION()

dnl Ipv4 fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv4 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Check userspace conntrack fragmentation counters.
DPCTL_CHECK_FRAGMENTATION_PASS()

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2437
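dnl Only unfragmented ICMP and the first fragment of each fragmented datagram
dnl are committed; every later fragment from port 1 matches none of the
dnl priority=100 rules and hits the priority=1 drop.  Reassembly can therefore
dnl never complete and the ping sees 100% loss; the fragmentation counters
dnl checked afterwards cover the partially reassembled state that is left
dnl behind (the test title says it is expected to expire).
AT_SETUP([conntrack - IPv4 fragmentation expiry])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal

dnl Only allow non-fragmented messages and 1st fragments of each message
dnl (note the comma between ip_frag=first and action=; without it the match
dnl does not parse and add-flows fails -- compare the IPv6 expiry test).
priority=100,in_port=1,icmp,ip_frag=no,action=ct(commit,zone=9),2
priority=100,in_port=1,icmp,ip_frag=first,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Modify userspace conntrack fragmentation handling.
DPCTL_MODIFY_FRAGMENTATION()

dnl Ipv4 fragmentation connectivity check: a single 1600-byte echo that can
dnl never be reassembled, so no reply is expected.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 1 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
7 packets transmitted, 0 received, 100% packet loss, time 0ms
])

dnl Check userspace conntrack fragmentation counters.
DPCTL_CHECK_FRAGMENTATION_FAIL()

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP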
2473
dnl Same as "IPv4 fragmentation", but the fragmented echoes travel over
dnl 802.1Q vlan 100 sub-interfaces (10.2.2.0/24) on top of the veths.
AT_SETUP([conntrack - IPv4 fragmentation + vlan])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")

dnl Sending ping through conntrack
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Modify userspace conntrack fragmentation handling.
DPCTL_MODIFY_FRAGMENTATION()

dnl Ipv4 fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv4 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Check userspace conntrack fragmentation counters.
DPCTL_CHECK_FRAGMENTATION_PASS()

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2514
dnl Same as "IPv4 fragmentation", but with 802.1ad double tagging: an outer
dnl S-VLAN 4094 (10.255.2.0/24) carrying an inner C-VLAN 100 (10.2.2.0/24).
dnl Pings are run both on the inner and on the outer-only address.
AT_SETUP([conntrack - IPv4 fragmentation + cvlan])
CHECK_CONNTRACK()
dnl vlan-limit=0 lets the bridge match on more than one VLAN tag.
OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])
OVS_CHECK_8021AD()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

ADD_SVLAN(p0, at_ns0, 4094, "10.255.2.1/24")
ADD_SVLAN(p1, at_ns1, 4094, "10.255.2.2/24")

ADD_CVLAN(p0.4094, at_ns0, 100, "10.2.2.1/24")
ADD_CVLAN(p1.4094, at_ns1, 100, "10.2.2.2/24")

dnl Sending ping through conntrack
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Wait until the double-tagged path is up before the timed checks below.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])

dnl Ipv4 fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv4 fragmentation connectivity check. (outer svlan)
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.255.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv4 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv4 larger fragmentation connectivity check. (outer svlan)
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.255.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2566
dnl A lone first fragment never completes reassembly, so ct(commit) must not
dnl create a conntrack entry for it.
AT_SETUP([conntrack - IPv4 fragmentation incomplete reassembled packet])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()
dnl Presumably lowers the minimum accepted fragment size so the small test
dnl fragments are not rejected outright -- see the macro definition.
DPCTL_SET_MIN_FRAG_SIZE()


ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Inject the first fragment only (inner UDP 10.1.1.1 -> 10.1.1.2).
AT_DATA([bundle.txt], [dnl
packet-out in_port=1, packet=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, actions=ct(commit)
])

AT_CHECK([ovs-ofctl bundle br0 bundle.txt])

dnl No entry: the datagram was never reassembled.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2589
dnl Uses same first fragment as above 'incomplete reassembled packet' test.
dnl Here the final fragment (offset 400, MF clear) follows it, so reassembly
dnl completes and a UDP entry is committed.
AT_SETUP([conntrack - IPv4 fragmentation with fragments specified])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()
DPCTL_SET_MIN_FRAG_SIZE()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

AT_DATA([bundle.txt], [dnl
packet-out in_port=1, packet=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, actions=ct(commit)
packet-out in_port=1, packet=50540000000a505400000009080045000030000100320011a4860a0101010a01010200010002000800000010203040506070809000010203040506070809, actions=ct(commit)
])

AT_CHECK([ovs-ofctl bundle br0 bundle.txt])

AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2614
dnl The final fragment (offset 400, MF clear) is injected before the first
dnl fragment (offset 0, MF set).  Reassembly must not depend on arrival order,
dnl so a UDP entry is still committed.
AT_SETUP([conntrack - IPv4 fragmentation out of order])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()
DPCTL_SET_MIN_FRAG_SIZE()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

AT_DATA([bundle.txt], [dnl
packet-out in_port=1, packet=50540000000a505400000009080045000030000100320011a4860a0101010a01010200010002000800000010203040506070809000010203040506070809, actions=ct(commit)
packet-out in_port=1, packet=50540000000a5054000000090800450001a400012000001183440a0101010a01010200010002000800000304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809, actions=ct(commit)
])

AT_CHECK([ovs-ofctl bundle br0 bundle.txt])

AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2638
dnl The second fragment starts inside the data already covered by the first
dnl one.  Overlapping fragments must not be reassembled into a packet, so no
dnl conntrack entry may appear.
AT_SETUP([conntrack - IPv4 fragmentation overlapping fragments by 1 octet])
CHECK_CONNTRACK()
dnl Presumably skips the test where the datapath does not handle overlapping
dnl fragments -- see the macro definition.
CHECK_CONNTRACK_FRAG_OVERLAP()
OVS_TRAFFIC_VSWITCHD_START()
DPCTL_SET_MIN_FRAG_SIZE()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

AT_DATA([bundle.txt], [dnl
packet-out in_port=1, packet=50540000000a5054000000090800450001a400012000001183440a0101010a01010200010002000800000304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809, actions=ct(commit)
packet-out in_port=1, packet=50540000000a505400000009080045000030000100310011a4870a0101010a01010200010002000800000010203040506070809000010203040506070809, actions=ct(commit)
])

AT_CHECK([ovs-ofctl bundle br0 bundle.txt])
# The fragments overlap by one octet, hence no packet gets through conntrack.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2662
dnl Same overlapping pair as the previous test, injected in the opposite
dnl order.  The overlap must be rejected regardless of arrival order, so no
dnl conntrack entry may appear.
AT_SETUP([conntrack - IPv4 fragmentation overlapping fragments by 1 octet out of order])
CHECK_CONNTRACK()
dnl Presumably skips the test where the datapath does not handle overlapping
dnl fragments -- see the macro definition.
CHECK_CONNTRACK_FRAG_OVERLAP()
OVS_TRAFFIC_VSWITCHD_START()
DPCTL_SET_MIN_FRAG_SIZE()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

AT_DATA([bundle.txt], [dnl
packet-out in_port=1, packet=50540000000a505400000009080045000030000100310011a4870a0101010a01010200010002000800000010203040506070809000010203040506070809, actions=ct(commit)
packet-out in_port=1, packet=50540000000a5054000000090800450001a400012000001183440a0101010a01010200010002000800000304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809, actions=ct(commit)
])

AT_CHECK([ovs-ofctl bundle br0 bundle.txt])
# The fragments overlap by one octet, hence no packet gets through conntrack.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2686
dnl ICMPv6 echo with 1600- and 3200-byte payloads (larger than the link MTU,
dnl so each echo is fragmented) must be reassembled by conntrack in zone 9
dnl before the +trk+est return rule can match.  Neighbour Discovery bypasses
dnl conntrack.
AT_SETUP([conntrack - IPv6 fragmentation])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl Sending ping through conntrack
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
dnl Neighbour Discovery (solicitation 135 / advertisement 136) must pass untracked.
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])

dnl Ipv6 fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv6 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2725
dnl IPv6 counterpart of "IPv4 fragmentation expiry": only unfragmented
dnl packets and first fragments from port 1 are committed, every later
dnl fragment hits the priority=1 drop, so reassembly never completes and the
dnl ping sees 100% loss.  The partial reassembly state left behind must then
dnl expire without harming the datapath.
AT_SETUP([conntrack - IPv6 fragmentation expiry])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

AT_DATA([flows.txt], [dnl
priority=1,action=drop

dnl Only allow non-fragmented messages and 1st fragments of each message
priority=10,in_port=1,ipv6,ip_frag=first,action=ct(commit,zone=9),2
priority=10,in_port=1,ipv6,ip_frag=no,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1

dnl Neighbour Discovery
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])

dnl Send an IPv6 fragment. Some time later, it should expire.
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 1 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
7 packets transmitted, 0 received, 100% packet loss, time 0ms
])

dnl At this point, the kernel will either crash or everything is OK.

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2765
dnl Same as "IPv6 fragmentation", but the fragmented echoes travel over
dnl 802.1Q vlan 100 sub-interfaces (fc00:1::/96) on top of the veths.
AT_SETUP([conntrack - IPv6 fragmentation + vlan])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

ADD_VLAN(p0, at_ns0, 100, "fc00:1::3/96")
ADD_VLAN(p1, at_ns1, 100, "fc00:1::4/96")

dnl Sending ping through conntrack
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
dnl Neighbour Discovery (solicitation 135 / advertisement 136) must pass untracked.
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])

dnl Ipv6 fragmentation connectivity check (over the vlan addresses).
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv6 larger fragmentation connectivity check (over the vlan addresses).
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2807
AT_SETUP([conntrack - IPv6 fragmentation + cvlan])
dnl Fragmented IPv6 pings arrive double-tagged: an 802.1ad service tag (4094)
dnl carrying a customer tag (100). vlan-limit=0 removes the bridge's limit on
dnl how many tags it looks at; OVS_CHECK_8021AD presumably skips the test
dnl where 802.1ad is unsupported.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])
OVS_CHECK_8021AD()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl Outer (service) VLAN 4094 on the veth pair.
ADD_SVLAN(p0, at_ns0, 4094, "fc00:ffff::3/96")
ADD_SVLAN(p1, at_ns1, 4094, "fc00:ffff::4/96")

dnl Inner (customer) VLAN 100 stacked on the service VLAN.
ADD_CVLAN(p0.4094, at_ns0, 100, "fc00:1::3/96")
ADD_CVLAN(p1.4094, at_ns1, 100, "fc00:1::4/96")

dnl Sending ping through conntrack
dnl Port 1 commits every IPv6 flow in zone 9 and forwards it to port 2; port 2
dnl only returns established (non-new) replies. Neighbour discovery is
dnl switched normally.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Wait until the double-tagged path answers before measuring loss.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00:1::4])

dnl Ipv6 fragmentation connectivity check (inner cvlan, 1600-byte payload).
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv6 fragmentation connectivity check. (outer svlan)
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:ffff::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv6 larger fragmentation connectivity check (inner cvlan, 3200-byte payload).
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv6 larger fragmentation connectivity check. (outer svlan)
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:ffff::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2860
AT_SETUP([conntrack - IPv6 fragmentation incomplete reassembled packet])
dnl Inject only the first fragment of a UDP datagram (fragment header with
dnl offset 0, M bit set, identification 1) and ask conntrack to commit it.
dnl Reassembly can never complete, so no connection may be recorded for
dnl fc00::2: the expected conntrack dump below is empty.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()
dnl Presumably lowers the datapath's minimum accepted fragment size so the
dnl hand-built fragment below is not rejected -- confirm against the macro.
DPCTL_SET_MIN_FRAG_SIZE()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl IPv6 fc00::1 -> fc00::2, next header 0x2c (Fragment), payload 416 bytes,
dnl then a UDP header (sport 1, dport 2) and filler.
AT_DATA([bundle.txt], [dnl
packet-out in_port=1, packet=50540000000a50540000000986dd6000000001a02cfffc000000000000000000000000000001fc0000000000000000000000000000021100000100000001000100020008f62900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809, actions=ct(commit)
])

AT_CHECK([ovs-ofctl bundle br0 bundle.txt])

dnl No entry: an incomplete reassembly must not create a connection.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2882
AT_SETUP([conntrack - IPv6 fragmentation with fragments specified])
dnl Inject both fragments of one UDP datagram in order: the first (offset 0,
dnl M set) and the last (offset 408 bytes, M clear), both with identification
dnl 1. Reassembly completes, so exactly one UDP connection is committed.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()
dnl Presumably lowers the datapath's minimum accepted fragment size so the
dnl hand-built fragments below are not rejected -- confirm against the macro.
DPCTL_SET_MIN_FRAG_SIZE()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl First fragment: payload 416 bytes, carries the UDP header (sport 1, dport 2).
dnl Last fragment: payload 36 bytes, fragment offset field 0x0198.
AT_DATA([bundle.txt], [dnl
packet-out in_port=1, packet=50540000000a50540000000986dd6000000001a02cfffc000000000000000000000000000001fc0000000000000000000000000000021100000100000001000100020008ba0200010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809, actions=ct(commit)
packet-out in_port=1, packet=50540000000a50540000000986dd6000000000242cfffc000000000000000000000000000001fc000000000000000000000000000002110001980000000100010002000800000001020304050607080900010203040506070809, actions=ct(commit)
])

AT_CHECK([ovs-ofctl bundle br0 bundle.txt])

dnl One reassembled UDP connection; ports are blanked by FORMAT_CT.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
udp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2906
AT_SETUP([conntrack - IPv6 fragmentation out of order])
dnl Same datagram as the in-order test, but the last fragment (offset field
dnl 0x0198, M clear) is injected before the first. Reassembly must still
dnl complete and yield exactly one UDP connection.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()
dnl Presumably lowers the datapath's minimum accepted fragment size so the
dnl hand-built fragments below are not rejected -- confirm against the macro.
DPCTL_SET_MIN_FRAG_SIZE()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl Last fragment first (36-byte payload), then the first fragment.
AT_DATA([bundle.txt], [dnl
packet-out in_port=1, packet=50540000000a50540000000986dd6000000000242cfffc000000000000000000000000000001fc000000000000000000000000000002110001980000000100010002000800000001020304050607080900010203040506070809, actions=ct(commit)
packet-out in_port=1, packet=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, actions=ct(commit)
])

AT_CHECK([ovs-ofctl bundle br0 bundle.txt])

dnl One reassembled UDP connection; ports are blanked by FORMAT_CT.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
udp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2930
AT_SETUP([conntrack - IPv6 fragmentation, multiple extension headers])
dnl Fragments whose IPv6 header is followed by a Hop-by-Hop Options header
dnl (next header 0x00) and only then by the Fragment header (0x2c). The
dnl reassembler must walk the extension-header chain to find the fragment
dnl header; one UDP connection is expected.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()
dnl Presumably lowers the datapath's minimum accepted fragment size so the
dnl hand-built fragments below are not rejected -- confirm against the macro.
DPCTL_SET_MIN_FRAG_SIZE()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

# Add different extension headers
dnl Second packet: Hop-by-Hop header (8 bytes, all padding), then the last
dnl fragment (offset field 0x0188, M clear, identification 1).
AT_DATA([bundle.txt], [dnl
packet-out in_port=1, packet=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, actions=ct(commit)
packet-out in_port=1, packet=50540000000a50540000000986dd60000000002c00fffc000000000000000000000000000001fc0000000000000000000000000000022c00000000000000110001880000000100010002000800000001020304050607080900010203040506070809, actions=ct(commit)
])

AT_CHECK([ovs-ofctl bundle br0 bundle.txt])

dnl One reassembled UDP connection; ports are blanked by FORMAT_CT.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
udp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2955
AT_SETUP([conntrack - IPv6 fragmentation, multiple extension headers + out of order])
dnl As the previous test (Hop-by-Hop header ahead of the Fragment header),
dnl but the last fragment is injected before the first.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()
dnl Presumably lowers the datapath's minimum accepted fragment size so the
dnl hand-built fragments below are not rejected -- confirm against the macro.
DPCTL_SET_MIN_FRAG_SIZE()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

# Add different extension headers
dnl First packet: Hop-by-Hop header (all padding), then the last fragment
dnl (offset field 0x0188, M clear, identification 1).
AT_DATA([bundle.txt], [dnl
packet-out in_port=1, packet=50540000000a50540000000986dd60000000002c00fffc000000000000000000000000000001fc0000000000000000000000000000022c00000000000000110001880000000100010002000800000001020304050607080900010203040506070809, actions=ct(commit)
packet-out in_port=1, packet=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, actions=ct(commit)
])

AT_CHECK([ovs-ofctl bundle br0 bundle.txt])

dnl One reassembled UDP connection; ports are blanked by FORMAT_CT.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
udp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2980
AT_SETUP([conntrack - IPv6 fragmentation, multiple extension headers 2])
dnl Variant of the extension-header test in which the Hop-by-Hop header
dnl carries a real option (bytes 05 02 00 00) instead of pure padding, so
dnl the option contents must be skipped, not interpreted, while locating
dnl the Fragment header.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()
dnl Presumably lowers the datapath's minimum accepted fragment size so the
dnl hand-built fragments below are not rejected -- confirm against the macro.
DPCTL_SET_MIN_FRAG_SIZE()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

# Add different extension headers
dnl Second packet: Hop-by-Hop header with an option, then the last fragment
dnl (offset field 0x0188, M clear, identification 1).
AT_DATA([bundle.txt], [dnl
packet-out in_port=1, packet=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, actions=ct(commit)
packet-out in_port=1, packet=50540000000a50540000000986dd60000000002c00fffc000000000000000000000000000001fc0000000000000000000000000000022c00000005020000110001880000000100010002000800000001020304050607080900010203040506070809, actions=ct(commit)
])

AT_CHECK([ovs-ofctl bundle br0 bundle.txt])

dnl One reassembled UDP connection; ports are blanked by FORMAT_CT.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
udp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
3005
AT_SETUP([conntrack - IPv6 fragmentation, multiple extension headers 2 + out of order])
dnl Hop-by-Hop header with an option (bytes 05 02 00 00) ahead of the
dnl Fragment header, and the last fragment injected before the first.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()
dnl Presumably lowers the datapath's minimum accepted fragment size so the
dnl hand-built fragments below are not rejected -- confirm against the macro.
DPCTL_SET_MIN_FRAG_SIZE()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

# Add different extension headers
dnl First packet: last fragment (offset field 0x0188, M clear). Second packet:
dnl first fragment (offset 0, M set) carrying the UDP header, payload 408 bytes.
AT_DATA([bundle.txt], [dnl
packet-out in_port=1, packet=50540000000a50540000000986dd60000000002c00fffc000000000000000000000000000001fc0000000000000000000000000000022c00000005020000110001880000000100010002000800000001020304050607080900010203040506070809, actions=ct(commit)
packet-out in_port=1, packet=50540000000a50540000000986dd60000000019800fffc000000000000000000000000000001fc0000000000000000000000000000022c000000050200001100000100000001000100020008e04000010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607, actions=ct(commit)
])

AT_CHECK([ovs-ofctl bundle br0 bundle.txt])

dnl One reassembled UDP connection; ports are blanked by FORMAT_CT.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
udp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
3030
AT_SETUP([conntrack - Fragmentation over vxlan])
dnl Fragmented IPv4 pings enter br0 through a vxlan tunnel and are answered
dnl by the host stack on the LOCAL port, so conntrack sees fragments only
dnl after decapsulation. All three ping sizes must see zero loss.
OVS_CHECK_VXLAN()
CHECK_CONNTRACK()
dnl The reply path depends on the local stack interworking with conntrack.
CHECK_CONNTRACK_LOCAL_STACK()

OVS_TRAFFIC_VSWITCHD_START()
dnl br-underlay carries the encapsulated traffic and just switches normally.
ADD_BR([br-underlay])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Sending ping through conntrack
dnl Port 1 (presumably the vxlan port, the first one added to br0) commits
dnl ICMP in zone 9 and hands it to the host stack; replies from LOCAL are
dnl looked up in zone 9 and only forwarded back when established.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),LOCAL
priority=100,in_port=LOCAL,icmp,action=ct(table=1,zone=9)
table=1,in_port=LOCAL,ct_state=+trk+est,icmp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
dnl OVS side: at_vxlan0 on br0, remote 172.31.1.1, overlay address 10.1.1.100.
dnl Namespace side: Linux vxlan device at_vxlan1 peering with 172.31.1.100.
ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
                  [id 0 dstport 4789])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with different packet sizes
dnl (1600 and 3200 bytes fragment on the overlay before encapsulation).
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
c4e34c61 3082
AT_SETUP([conntrack - IPv6 Fragmentation over vxlan])
dnl IPv6 counterpart of the vxlan fragmentation test: the overlay is
dnl fc00::/96, the underlay stays IPv4, and the host stack answers on LOCAL.
OVS_CHECK_VXLAN()
CHECK_CONNTRACK()
dnl The reply path depends on the local stack interworking with conntrack.
CHECK_CONNTRACK_LOCAL_STACK()

OVS_TRAFFIC_VSWITCHD_START()
dnl br-underlay carries the encapsulated traffic and just switches normally.
ADD_BR([br-underlay])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Sending ping through conntrack
dnl Port 1 (presumably the vxlan port) commits IPv6 in zone 9 and hands it to
dnl the host stack; replies from LOCAL go back only when established.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=100,in_port=1,ipv6,action=ct(commit,zone=9),LOCAL
priority=100,in_port=LOCAL,ipv6,action=ct(table=1,zone=9)
table=1,in_port=LOCAL,ct_state=+trk+est,ipv6,action=1

dnl Neighbour Discovery
priority=1000,icmp6,icmp_type=135,action=normal
priority=1000,icmp6,icmp_type=136,action=normal
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
dnl OVS side: at_vxlan0 on br0, remote 172.31.1.1, overlay address fc00::2.
dnl Namespace side: Linux vxlan device at_vxlan1 peering with 172.31.1.100.
ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], ["fc00::2/96"])
ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], ["fc00::1/96"],
                  [id 0 dstport 4789])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with different packet sizes
dnl (1600 and 3200 bytes fragment on the overlay before encapsulation).
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
9ac0aada 3142
AT_SETUP([conntrack - resubmit to ct multiple times])
dnl One packet is resubmitted to two tables that each send it through
dnl conntrack towards table 3. Both ct invocations must run: the flow
dnl counters below expect table 3 to have seen two packets (196 bytes) for
dnl the single 98-byte ping.
CHECK_CONNTRACK()

dnl Presumably so the bridge starts without the standalone-mode default flow
dnl and only the flows added below exist.
OVS_TRAFFIC_VSWITCHD_START(
   [set-fail-mode br0 secure -- ])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

AT_DATA([flows.txt], [dnl
table=0,priority=150,arp,action=normal
table=0,priority=100,ip,in_port=1,action=resubmit(,1),resubmit(,2)

table=1,ip,action=ct(table=3)
table=2,ip,action=ct(table=3)

table=3,ip,action=drop
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl Table 3 drops, so the ping itself is expected to fail.
NS_CHECK_EXEC([at_ns0], [ping -q -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
1 packets transmitted, 0 received, 100% packet loss, time 0ms
])

dnl Each ct table saw the packet once; table 3 saw both recirculated copies.
AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort], [0], [dnl
 n_packets=1, n_bytes=98, priority=100,ip,in_port=1 actions=resubmit(,1),resubmit(,2)
 n_packets=2, n_bytes=84, priority=150,arp actions=NORMAL
 table=1, n_packets=1, n_bytes=98, ip actions=ct(table=3)
 table=2, n_packets=1, n_bytes=98, ip actions=ct(table=3)
 table=3, n_packets=2, n_bytes=196, ip actions=drop
NXST_FLOW reply:
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
9ac0aada 3181
dnl Layer-7 tests: real TCP/HTTP sessions driven through conntrack-based policy.
AT_BANNER([conntrack - L7])
3183
AT_SETUP([conntrack - IPv4 HTTP])
dnl Stateful one-way policy: TCP initiated from ns0 is committed and
dnl forwarded; from ns1 only packets conntrack marks as established replies
dnl get back, so a connection initiated from ns1 must fail.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any traffic from ns0->ns1. Only allow ARP, ICMP and established
dnl return traffic from ns1->ns0.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl An HTTP server in each namespace, so both directions can be attempted.
OVS_START_L7([at_ns0], [http])
OVS_START_L7([at_ns1], [http])

dnl HTTP requests from ns0->ns1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl The committed connection shows up in the conntrack table (default zone).
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
])

dnl HTTP requests from ns1->ns0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals. Exit status 4 is wget's network failure.
NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 --retry-connrefused -v -o wget1.log], [4])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
3220
AT_SETUP([conntrack - IPv6 HTTP])
dnl IPv6 counterpart of the IPv4 HTTP test: tcp6 from ns0 is committed and
dnl forwarded, ns1 may only send established replies, and all ICMPv6
dnl (including neighbour discovery) is switched normally.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,icmp6,action=normal
priority=100,in_port=1,tcp6,action=ct(commit),2
priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])

dnl An IPv6 HTTP server in each namespace, so both directions can be attempted.
OVS_START_L7([at_ns0], [http6])
OVS_START_L7([at_ns1], [http6])

dnl HTTP requests from ns0->ns1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl The committed connection shows up in the conntrack table (default zone).
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
])

dnl HTTP requests from ns1->ns0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals. Exit status 4 is wget's network failure.
NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 --retry-connrefused -v -o wget1.log], [4])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
3261
AT_SETUP([conntrack - commit, recirc])
dnl Two independent client/server pairs exercise different commit and
dnl recirculation orders: p0/p1 commit on the first pass, while p2/p3 only
dnl look up on the first pass, commit on the second and output on the third,
dnl using metadata to tell the passes apart.
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow any traffic from ns0->ns1, ns2->ns3.
dnl Every ct action recirculates to table 0; the +trk rules are the second
dnl (or, for port 3, third) pass over the same packet.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=1,tcp,ct_state=+trk,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,tcp,ct_state=+trk,action=1
priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=4,tcp,ct_state=+trk,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

OVS_START_L7([at_ns1], [http])
OVS_START_L7([at_ns3], [http])

dnl HTTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl HTTP requests from p2->p3 should work fine.
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
3302
AT_SETUP([conntrack - multiple zones, local])
dnl Traffic from the host stack (LOCAL port) is committed into two zones at
dnl once; the return path from ns0 must pass a lookup in zone 1 and then in
dnl zone 2 before reaching the host. The final dump expects each ICMP and
dnl TCP connection to appear once per zone.
CHECK_CONNTRACK()
dnl The LOCAL-port rules rely on the local stack interworking with conntrack.
CHECK_CONNTRACK_LOCAL_STACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0)

dnl Give br0 itself an address so the host stack is the client.
AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
AT_CHECK([ip link set dev br0 up])
on_exit 'ip addr del dev br0 "10.1.1.1/24"'
ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")

dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
dnl return traffic from ns0 back to the local stack.
dnl NOTE(review): the LOCAL rules match +trk without a preceding ct action,
dnl which presumably means packets from the local stack arrive already
dnl carrying conntrack state -- confirm against CHECK_CONNTRACK_LOCAL_STACK.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
table=1,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
table=2,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl ICMP from the host stack creates the first pair of entries.
AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_START_L7([at_ns0], [http])

dnl HTTP requests from root namespace to p0 should work fine.
AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl (again) HTTP requests from root namespace to p0 should work fine.
AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl One ICMP and one TCP entry in each of zone 1 and zone 2.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=1
icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=2
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
3351
AT_SETUP([conntrack - multi-stage pipeline, local])
dnl Ingress/egress pipeline where the conntrack zone is taken from a field
dnl rather than a constant: the input port on ingress, the output port
dnl (loaded into REG0) on egress. The final dump expects entries in zone 1
dnl (port 1) and zone 65534 (the LOCAL port number).
CHECK_CONNTRACK()
dnl The LOCAL-port rules rely on the local stack interworking with conntrack.
CHECK_CONNTRACK_LOCAL_STACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0)

dnl Give br0 itself an address so the host stack is the client.
AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
AT_CHECK([ip link set dev br0 up])
on_exit 'ip addr del dev br0 "10.1.1.1/24"'
ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")

dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
dnl return traffic from ns0 back to the local stack.
AT_DATA([flows.txt], [dnl
dnl default
table=0,priority=1,action=drop
table=0,priority=10,arp,action=normal

dnl Load the output port to REG0
dnl (LOCAL traffic goes to port 1; port 1 traffic goes to LOCAL, 65534).
table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1

dnl Ingress pipeline
dnl - Allow all connections from LOCAL port (commit and proceed to egress)
dnl - All other connections go through conntracker using the input port as
dnl   a connection tracking zone.
table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,table=2,zone=OXM_OF_IN_PORT[[0..15]])
table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
table=1,priority=1,action=drop

dnl Egress pipeline
dnl - Allow all connections from LOCAL port (commit and skip to output)
dnl - Allow other established connections to go through conntracker using
dnl   output port as a connection tracking zone.
table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,table=4,zone=NXM_NX_REG0[[0..15]])
table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
table=2,priority=1,action=drop

dnl Only allow established traffic from egress ct lookup
table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
table=3,priority=1,action=drop

dnl output table
table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl ICMP from the host stack creates the first pair of entries.
AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_START_L7([at_ns0], [http])

dnl HTTP requests from root namespace to p0 should work fine.
AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl (again) HTTP requests from root namespace to p0 should work fine.
AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl One ICMP and one TCP entry per zone: zone 1 (port 1) and zone 65534 (LOCAL).
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=1
icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=65534
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=65534,protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
3422
3423AT_SETUP([conntrack - limit by zone])
3424CHECK_CONNTRACK()
adf1b852 3425CHECK_CT_DPIF_PER_ZONE_LIMIT()
3426OVS_TRAFFIC_VSWITCHD_START()
3427
3428ADD_NAMESPACES(at_ns0, at_ns1)
3429
3430ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
3431ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
3432
3433AT_DATA([flows.txt], [dnl
3434priority=1,action=drop
3435priority=10,arp,action=normal
3436priority=100,in_port=1,udp,action=ct(commit),2
3437priority=100,in_port=2,udp,action=ct(zone=3,commit),1
3438])
3439
3440AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3441
3442AT_CHECK([ovs-appctl dpctl/ct-set-limits default=10 zone=0,limit=5 zone=1,limit=15 zone=2,limit=3 zone=3,limit=3])
3443AT_CHECK([ovs-appctl dpctl/ct-del-limits zone=1,2,4])
3444AT_CHECK([ovs-appctl dpctl/ct-get-limits zone=0,1,2,3], [],[dnl
3445default limit=10
3446zone=0,limit=5,count=0
3447zone=1,limit=10,count=0
3448zone=2,limit=10,count=0
3449zone=3,limit=3,count=0
3450])
3451
3452dnl Test UDP from port 1
3453AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 actions=resubmit(,0)"])
3454AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000300080000 actions=resubmit(,0)"])
3455AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000400080000 actions=resubmit(,0)"])
3456AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000500080000 actions=resubmit(,0)"])
3457AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000600080000 actions=resubmit(,0)"])
3458AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000700080000 actions=resubmit(,0)"])
3459AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000800080000 actions=resubmit(,0)"])
3460AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000900080000 actions=resubmit(,0)"])
3461AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000a00080000 actions=resubmit(,0)"])
3462
3463AT_CHECK([ovs-appctl dpctl/ct-get-limits zone=0,1,2,3,4,5], [0], [dnl
3464default limit=10
3465zone=0,limit=5,count=5
3466zone=1,limit=10,count=0
3467zone=2,limit=10,count=0
3468zone=3,limit=3,count=0
3469zone=4,limit=10,count=0
3470zone=5,limit=10,count=0
3471])
3472
3473dnl Test ct-get-limits for all zones
3474AT_CHECK([ovs-appctl dpctl/ct-get-limits], [0], [dnl
3475default limit=10
3476zone=0,limit=5,count=5
3477zone=3,limit=3,count=0
3478])
3479
3480AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.1," | sort ], [0], [dnl
3481udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),reply=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1)
3482udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=3),reply=(src=10.1.1.2,dst=10.1.1.1,sport=3,dport=1)
3483udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=4),reply=(src=10.1.1.2,dst=10.1.1.1,sport=4,dport=1)
3484udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=5),reply=(src=10.1.1.2,dst=10.1.1.1,sport=5,dport=1)
3485udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=6),reply=(src=10.1.1.2,dst=10.1.1.1,sport=6,dport=1)
3486])
3487
3488dnl Test UDP from port 2
3489AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4c90a0101030a0101040001000200080000 actions=resubmit(,0)"])
3490AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4c90a0101030a0101040001000300080000 actions=resubmit(,0)"])
3491AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4c90a0101030a0101040001000400080000 actions=resubmit(,0)"])
3492AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4c90a0101030a0101040001000500080000 actions=resubmit(,0)"])
3493AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4c90a0101030a0101040001000600080000 actions=resubmit(,0)"])
3494
3495AT_CHECK([ovs-appctl dpctl/ct-get-limits zone=0,3], [0], [dnl
3496default limit=10
3497zone=0,limit=5,count=5
3498zone=3,limit=3,count=3
3499])
3500
3501AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.3," | sort ], [0], [dnl
3502udp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=1,dport=2),reply=(src=10.1.1.4,dst=10.1.1.3,sport=2,dport=1),zone=3
3503udp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=1,dport=3),reply=(src=10.1.1.4,dst=10.1.1.3,sport=3,dport=1),zone=3
3504udp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=1,dport=4),reply=(src=10.1.1.4,dst=10.1.1.3,sport=4,dport=1),zone=3
3505])
3506
3507OVS_TRAFFIC_VSWITCHD_STOP(["dnl
3508/could not create datapath/d
3509/(Cannot allocate memory) on packet/d"])
3510AT_CLEANUP
3511
AT_SETUP([FTP - no conntrack])
dnl Baseline for the conntrack FTP tests below: with a single "normal" rule and
dnl no ct() action in the pipeline, an active-mode FTP transfer between the two
dnl namespaces must succeed with no helper involved.
AT_SKIP_IF([test $HAVE_FTP = no])
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl One table-0 rule: learn-and-forward, no connection tracking at all.
AT_DATA([flows.txt], [dnl
table=0,action=normal
])

AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt])

dnl NOTE(review): the pid-file names look swapped relative to the namespaces
dnl (ftp1.pid for at_ns0, ftp0.pid for at_ns1); harmless, but worth aligning.
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
dnl Only the at_ns1 server is waited for; it is the one wget connects to below.
OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])

dnl FTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl wget's output file; its presence shows the data connection completed.
AT_CHECK([find -name index.html], [0], [dnl
./index.html
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
3540
AT_SETUP([conntrack - FTP])
dnl Exercises the FTP ALG. ct(alg=ftp) must attach the ftp helper to the control
dnl connection so that the server-initiated active-mode data connection is
dnl classified +rel and admitted by the return-path rules. Three flow sets are
dnl tried: alg on every outgoing TCP flow (flows1), alg only on +new flows
dnl with explicit handling of related/established traffic (flows2), and no alg
dnl at all (flows3), where the transfer must fail and no helper may appear.
AT_SKIP_IF([test $HAVE_FTP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_ALG()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl Every TCP flow from port 1 is committed with the ftp helper; from port 2
dnl only established or related flows are forwarded, everything else is dropped.
AT_DATA([flows1.txt], [dnl
table=0,priority=1,action=drop
table=0,priority=10,arp,action=normal
table=0,priority=10,icmp,action=normal
table=0,priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
table=0,priority=100,in_port=2,tcp,action=ct(table=1)
table=1,in_port=2,tcp,ct_state=+trk+est,action=1
table=1,in_port=2,tcp,ct_state=+trk+rel,action=1
])

dnl Similar policy but without allowing all traffic from ns0->ns1.
AT_DATA([flows2.txt], [dnl
table=0,priority=1,action=drop
table=0,priority=10,arp,action=normal
table=0,priority=10,icmp,action=normal

dnl Allow outgoing TCP connections, and treat them as FTP
dnl (the helper is attached only when the flow is first committed as +new).
table=0,priority=100,in_port=1,tcp,action=ct(table=1)
table=1,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
table=1,in_port=1,tcp,ct_state=+trk+est,action=2

dnl Allow incoming FTP data connections and responses to existing connections
dnl (a +new+rel flow from port 2 is committed without a helper of its own).
table=0,priority=100,in_port=2,tcp,action=ct(table=1)
table=1,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
table=1,in_port=2,tcp,ct_state=+trk+est,action=1
table=1,in_port=2,tcp,ct_state=+trk-new+rel,action=1
])

dnl flows3 is same as flows1, except no ALG is specified.
AT_DATA([flows3.txt], [dnl
table=0,priority=1,action=drop
table=0,priority=10,arp,action=normal
table=0,priority=10,icmp,action=normal
table=0,priority=100,in_port=1,tcp,action=ct(commit),2
table=0,priority=100,in_port=2,tcp,action=ct(table=1)
table=1,in_port=2,tcp,ct_state=+trk+est,action=1
table=1,in_port=2,tcp,ct_state=+trk+rel,action=1
])

AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])

OVS_START_L7([at_ns0], [ftp])
OVS_START_L7([at_ns1], [ftp])

dnl FTP requests from p1->p0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
dnl Exit status 4 is wget's "network failure"; no entry may be created for the
dnl blocked direction.
NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
])

dnl FTP requests from p0->p1 should work fine.
dnl The control connection must carry helper=ftp.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
])

dnl Try the second set of flows.
AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
AT_CHECK([ovs-appctl dpctl/flush-conntrack])

dnl FTP requests from p1->p0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
])

dnl Active FTP requests from p0->p1 should work fine.
dnl Active mode: the server (10.1.1.2) opens the data connection back to the
dnl client, so a second entry with orig src=10.1.1.2 and no helper appears.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
])

AT_CHECK([ovs-appctl dpctl/flush-conntrack])

dnl Passive FTP requests from p0->p1 should work fine.
dnl NOTE(review): only one line is expected here although passive mode opens a
dnl second client-initiated connection; presumably FORMAT_CT collapses entries
dnl that are identical once ports are cleared -- confirm against the macro.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
])

dnl Try the third set of flows, without alg specifier.
AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows3.txt])
AT_CHECK([ovs-appctl dpctl/flush-conntrack])

dnl The FTP control connection from p0->p1 is established, but without alg no
dnl helper is assigned, so the active-mode data connection is not classified
dnl as related, is dropped on the return path, and the transfer fails (exit 4).
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-3.log], [4])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
3646
AT_SETUP([conntrack - FTP over IPv6])
dnl Same ALG check as "conntrack - FTP" but over IPv6: the helper must be
dnl attached to the tcp6 control connection and the server-initiated
dnl active-mode data connection must be admitted as +new+rel from port 2.
AT_SKIP_IF([test $HAVE_FTP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_ALG()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl Allow any traffic from ns0->ns1.
dnl Only allow nd, return traffic from ns1->ns0.
AT_DATA([flows.txt], [dnl
dnl Track all IPv6 traffic and drop the rest.
dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked.
dnl (icmp6 is forwarded at priority 100 and never enters ct() at all.)
table=0 priority=100 in_port=1 icmp6, action=2
table=0 priority=100 in_port=2 icmp6, action=1
table=0 priority=10 ip6, action=ct(table=1)
table=0 priority=0 action=drop
dnl
dnl Table 1
dnl
dnl Allow new TCPv6 FTP control connections from port 1.
dnl Only tp_dst=21 is committed with the helper; other new flows hit the drop.
table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
dnl Allow related TCPv6 connections from port 2.
table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1
dnl Allow established TCPv6 connections both ways.
table=1 in_port=1 ct_state=+est, tcp6, action=2
table=1 in_port=2 ct_state=+est, tcp6, action=1
dnl Drop everything else.
table=1 priority=0, action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])

OVS_START_L7([at_ns1], [ftp])

dnl FTP requests from p0->p1 should work fine.
dnl Active mode (--no-passive-ftp); --no-remove-listing/-d keep extra evidence
dnl in wget0.log for debugging a failure.
NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])

dnl Discards CLOSE_WAIT and CLOSING
dnl Expect the control connection with helper=ftp and the server-initiated
dnl data connection (orig src=fc00::2) without a helper.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
tcp,orig=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
3701
AT_SETUP([conntrack - IPv6 FTP Passive])
dnl Passive-mode counterpart of "conntrack - FTP over IPv6": the data
dnl connection is opened by the client (port 1), so the related rule lives on
dnl in_port=1 and no server-initiated flow from port 2 is ever admitted.
AT_SKIP_IF([test $HAVE_FTP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_ALG()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

dnl Fixed MACs plus static neighbour entries on both sides, so the test does
dnl not depend on neighbour discovery succeeding through the pipeline.
ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:99])
NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::2 lladdr 80:88:88:88:88:99 dev p0])
NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::1 lladdr 80:88:88:88:88:88 dev p1])

dnl Allow any traffic from ns0->ns1.
dnl Only allow nd, return traffic from ns1->ns0.
AT_DATA([flows.txt], [dnl
dnl Track all IPv6 traffic and drop the rest.
dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked.
table=0 priority=100 in_port=1 icmp6, action=2
table=0 priority=100 in_port=2 icmp6, action=1
table=0 priority=10 ip6, action=ct(table=1)
table=0 priority=0 action=drop
dnl
dnl Table 1
dnl
dnl Allow new TCPv6 FTP control connections from port 1.
table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
dnl Allow related TCPv6 connections from port 1.
dnl (passive data connection: client-initiated, committed without a helper)
table=1 in_port=1 ct_state=+new+rel, tcp6, action=ct(commit),2
dnl Allow established TCPv6 connections both ways.
table=1 in_port=1 ct_state=+est, tcp6, action=2
table=1 in_port=2 ct_state=+est, tcp6, action=1
dnl Drop everything else.
table=1 priority=0, action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])

OVS_START_L7([at_ns1], [ftp])

dnl FTP passive requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])

dnl Discards CLOSE_WAIT and CLOSING
dnl Both entries originate from fc00::1; only the control connection carries
dnl helper=ftp, the related data connection does not.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
3760
AT_SETUP([conntrack - FTP with multiple expectations])
dnl Two conntrack zones act as two firewalls in series. Each FTP control
dnl connection is committed with the helper in both zone 1 and zone 2, so the
dnl data connection must be recognised as related in each zone independently
dnl and every connection is expected to show up once per zone.
AT_SKIP_IF([test $HAVE_FTP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_ALG()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Dual-firewall, allow all from ns1->ns2, allow established and ftp ns2->ns1.
dnl NOTE(review): "ns1"/"ns2" here appear to mean at_ns0 (in_port=1) and
dnl at_ns1 (in_port=2), following the port numbering rather than the namespace
dnl names -- confirm if this comment is ever reworded.
AT_DATA([flows.txt], [dnl
table=0,priority=1,action=drop
table=0,priority=10,arp,action=normal
table=0,priority=10,icmp,action=normal

dnl Traffic from ns1
dnl Tracked in zone 1 first; a new, non-related flow is committed with the
dnl helper in both zones, a new related flow in both zones without it, and an
dnl established flow is re-tracked in zone 2 before it is forwarded.
table=0,priority=100,in_port=1,tcp,action=ct(table=1,zone=1)
table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new-rel,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new+rel,action=ct(commit,zone=1),ct(commit,zone=2),2
table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=2,zone=2)
table=2,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2

dnl Traffic from ns2
dnl Mirror image: tracked in zone 2 first, re-tracked in zone 1; only related
dnl or established flows are forwarded, so new unrelated flows from port 2 drop.
table=0,priority=100,in_port=2,tcp,action=ct(table=1,zone=2)
table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=2,zone=1)
table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

OVS_START_L7([at_ns0], [ftp])
OVS_START_L7([at_ns1], [ftp])

dnl FTP requests from p1->p0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
])

dnl Active FTP requests from p0->p1 should work fine.
dnl Control connection with helper=ftp in zones 1 and 2, plus the
dnl server-initiated data connection (orig src=10.1.1.2) in both zones.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
])

AT_CHECK([ovs-appctl dpctl/flush-conntrack])

dnl Passive FTP requests from p0->p1 should work fine.
dnl Both connections originate from 10.1.1.1; per zone, the control connection
dnl carries helper=ftp and the client-initiated data connection does not.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
3826
AT_SETUP([conntrack - TFTP])
dnl TFTP ALG over UDP. The client sends its request to the server's port 69
dnl and the server answers from a fresh port, so the reply only gets through a
dnl stateful policy if ct(alg=tftp) marks that reply flow as related.
AT_SKIP_IF([test $HAVE_TFTP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_ALG()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl Every UDP flow from port 1 is committed with the tftp helper; from port 2
dnl only established or related flows are forwarded.
AT_DATA([flows1.txt], [dnl
table=0,priority=1,action=drop
table=0,priority=10,arp,action=normal
table=0,priority=10,icmp,action=normal
table=0,priority=100,in_port=1,udp,action=ct(alg=tftp,commit),2
table=0,priority=100,in_port=2,udp,action=ct(table=1)
table=1,in_port=2,udp,ct_state=+trk+est,action=1
table=1,in_port=2,udp,ct_state=+trk+rel,action=1
])

dnl Similar policy but without allowing all traffic from ns0->ns1.
AT_DATA([flows2.txt], [dnl
table=0,priority=1,action=drop
table=0,priority=10,arp,action=normal
table=0,priority=10,icmp,action=normal

dnl Allow outgoing UDP connections, and treat them as TFTP
dnl (helper attached only to new, non-related flows; related ones are
dnl committed plainly).
table=0,priority=100,in_port=1,udp,action=ct(table=1)
table=1,in_port=1,udp,ct_state=+trk+new-rel,action=ct(commit,alg=tftp),2
table=1,in_port=1,udp,ct_state=+trk+new+rel,action=ct(commit),2
table=1,in_port=1,udp,ct_state=+trk+est,action=2

dnl Allow incoming TFTP data connections and responses to existing connections
table=0,priority=100,in_port=2,udp,action=ct(table=1)
table=1,in_port=2,udp,ct_state=+trk+est,action=1
table=1,in_port=2,udp,ct_state=+trk+new+rel,action=1
])

AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])

OVS_START_L7([at_ns0], [tftp])
OVS_START_L7([at_ns1], [tftp])

dnl TFTP requests from p1->p0 should fail due to network failure.
dnl curl exit status 28 is "operation timed out"; no entry may be created for
dnl the blocked direction. CURL_OPT is defined outside this test.
NS_CHECK_EXEC([at_ns1], [[curl $CURL_OPT tftp://10.1.1.1/flows1.txt -o foo 2>curl0.log]], [28])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
])

dnl TFTP requests from p0->p1 should work fine.
dnl The request flow must carry helper=tftp.
NS_CHECK_EXEC([at_ns0], [[curl $CURL_OPT tftp://10.1.1.2/flows1.txt -o foo 2>curl1.log]])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),helper=tftp
])

dnl Try the second set of flows.
AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
AT_CHECK([ovs-appctl dpctl/flush-conntrack])

dnl TFTP requests from p1->p0 should fail due to network failure.
NS_CHECK_EXEC([at_ns1], [[curl $CURL_OPT tftp://10.1.1.1/flows1.txt -o foo 2>curl2.log]], [28])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
])

dnl TFTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [[curl $CURL_OPT tftp://10.1.1.2/flows1.txt -o foo 2>curl3.log]])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),helper=tftp
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
3900
ee8941ab 3901AT_BANNER([conntrack - NAT])
3902
AT_SETUP([conntrack - simple SNAT])
dnl Source NAT onto an address pool. Traffic from port 1 is committed in zone 1
dnl with its source rewritten into 10.1.1.240-10.1.1.255; replies from port 2
dnl are passed through ct(nat) to undo the translation before forwarding.
dnl Because the pool addresses belong to nobody, an OpenFlow ARP responder
dnl (tables 8 and 10) answers ARP for them with p0's MAC.
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC so the ARP responder below can hand it out for the NAT pool.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl NOTE(review): the return rule only matches +trk, not +est, so any untracked
dnl IP packet from port 2 is forwarded to port 1 after its ct(nat) pass. That
dnl is fine for a NAT test but is not a firewall policy.
AT_DATA([flows.txt], [dnl
in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)
in_port=2,ct_state=+trk,ct_zone=1,ip,action=1
dnl
dnl ARP
dnl ARP requests: stash the target IP in reg2, look up a MAC in table 8, then
dnl decide in table 10 whether to answer or to flood normally.
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0,action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, i.e. exactly the NAT pool.
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
dnl Swaps the fields of the ARP message to turn a query to a response.
dnl The reply is sent back out the ingress port via reg3 after clearing in_port.
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
OVS_START_L7([at_ns1], [http])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])

dnl The reply tuple's dst is whichever pool address was chosen; the sed masks
dnl 10.1.1.24x/25x as 10.1.1.2XX so the expected output is deterministic.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/' | uniq], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
3948
AT_SETUP([conntrack - SNAT with ct_mark change on reply])
dnl Regression test: after the reply packet has had its SNAT reversed, a
dnl second ct(commit) that sets ct_mark must still find the existing entry.
dnl The final dump checks that mark=1 was recorded on the NATed entry.
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

dnl Fixed MACs and static ARP entries on both sides, so no ARP responder is
dnl needed: at_ns1 resolves the SNAT address 10.1.1.240 directly to p0's MAC.
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])

ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.240 e6:66:c1:11:11:11])

dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl Single-address SNAT (10.1.1.240) so the static ARP entry above is enough.
AT_DATA([flows.txt], [dnl
in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240)),2
in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)
dnl
dnl Setting the mark fails if the datapath can't find the existing conntrack
dnl entry after NAT has been reversed and the skb was lost due to an upcall.
dnl
dnl Reply path: first pass reverses NAT (above), second pass commits with
dnl ct_mark=1, and table 1 then requires both the mark and +rpl to forward.
in_port=2,ct_state=+trk,ct_zone=1,ip,action=ct(table=1,commit,zone=1,exec(set_field:1->ct_mark)),1
table=1,in_port=2,ct_mark=1,ct_state=+rpl,ct_zone=1,ip,action=1
dnl
priority=0,action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl ICMP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [ping -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
1 packets transmitted, 1 received, 0% packet loss, time 0ms
])

dnl The sed keeps the expected output stable if the NAT address ever becomes a
dnl pool; the entry must carry mark=1.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.2XX,id=<cleared>,type=0,code=0),zone=1,mark=1
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
3991
AT_SETUP([conntrack - SNAT with port range])
dnl Source NAT with port translation: the source port is mapped into the
dnl two-port range 34567-34568 (random selection), and the return path only
dnl accepts TCP aimed at one of those two ports.
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC so the ARP responder below can hand it out for the NAT pool.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl Unlike the simple SNAT test, the untracked return rules are restricted to
dnl tp_dst 34567/34568, i.e. the translated ports, before ct(nat) runs.
AT_DATA([flows.txt], [dnl
in_port=1,tcp,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255:34567-34568,random)),2
in_port=2,ct_state=-trk,tcp,tp_dst=34567,action=ct(table=0,zone=1,nat)
in_port=2,ct_state=-trk,tcp,tp_dst=34568,action=ct(table=0,zone=1,nat)
in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
dnl
dnl ARP
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0,action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, i.e. exactly the NAT pool.
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
OVS_START_L7([at_ns1], [http])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])

dnl Pool address masked as 10.1.1.2XX; the translated port is already
dnl <cleared> by FORMAT_CT, so either of the two ports yields the same line.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/' | uniq], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
4038
AT_SETUP([conntrack - SNAT with port range using ICMP])
dnl Check PAT is not attempted on ICMP packets causing corrupted packets.
dnl The nat() spec carries a port (20000) but ICMP has no ports; the address
dnl part must still be applied and the ping must come back intact.
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC so the ARP responder below can hand it out for the NAT pool.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl Note the tracked return rule has no "ip" match here, unlike the other SNAT
dnl tests; it forwards any tracked zone-1 packet from port 2.
AT_DATA([flows.txt], [dnl
in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255:20000)),2
in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)
in_port=2,ct_state=+trk,ct_zone=1,action=1
dnl
dnl ARP
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0,action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, i.e. exactly the NAT pool.
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl ICMP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [ping -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
1 packets transmitted, 1 received, 0% packet loss, time 0ms
])

dnl Expect an ordinary ICMP echo entry SNATed into the pool (dst masked as
dnl 10.1.1.2XX) with the id left alone apart from FORMAT_CT's clearing.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.2XX,id=<cleared>,type=0,code=0),zone=1
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
4086
AT_SETUP([conntrack - SNAT with port range with exhaustion])
dnl NAT tuple-space exhaustion. The SNAT pool is a single address and a single
dnl port (10.1.1.240:34568), so only one connection to 10.1.1.2:80 can be
dnl translated; the second wget must fail (exit 4) rather than be admitted,
dnl and only one conntrack entry may exist afterwards. The exhaustion warning
dnl vswitchd logs for the refused connection is whitelisted in the STOP below.
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC so the ARP responder below can hand it out for the NAT address.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl The tp_dst=34567 return rule is kept for symmetry with the port-range
dnl test; with this nat() spec only 34568 can ever be allocated.
AT_DATA([flows.txt], [dnl
in_port=1,tcp,action=ct(commit,zone=1,nat(src=10.1.1.240:34568,random)),2
in_port=2,ct_state=-trk,tcp,tp_dst=34567,action=ct(table=0,zone=1,nat)
in_port=2,ct_state=-trk,tcp,tp_dst=34568,action=ct(table=0,zone=1,nat)
in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
dnl
dnl ARP
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0,action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, which covers the NAT address.
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
dnl First connection takes the only available tuple.
OVS_START_L7([at_ns1], [http])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 1 -T 1 --retry-connrefused -v -o wget0.log])

dnl Second connection cannot be NATed: one attempt, expect network failure.
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 1 -T 1 --retry-connrefused -v -o wget0.log], [4])

dnl Exactly one translated entry; uniq guards against duplicate lines after
dnl ports are cleared.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/' | uniq], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
])

dnl The exhaustion warning is expected here and is the operator-visible signal
dnl that a NAT pool is too small; also drop the rate-limit summary it triggers.
OVS_TRAFFIC_VSWITCHD_STOP(["dnl
/Unable to NAT due to tuple space exhaustion - if DoS attack, use firewalling and\/or zone partitioning./d
/Dropped .* log messages in last .* seconds \(most recently, .* seconds ago\) due to excessive rate/d"])
AT_CLEANUP
4137
AT_SETUP([conntrack - more complex SNAT])
dnl All IP traffic is tracked in table 0 (with nat applied to connections
dnl that already have a mapping); table 1 then commits new connections from
dnl port 1 with SNAT from 10.1.1.240-10.1.1.255 and lets port 2 send only
dnl established traffic back.
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl The SNAT range 10.1.1.240/28 is answered by the ARP responder in table 10
dnl with this MAC.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

AT_DATA([flows.txt], [dnl
dnl Track all IP traffic, NAT existing connections.
priority=100 ip action=ct(table=1,zone=1,nat)
dnl
dnl Allow ARP, but generate responses for NATed addresses
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0 action=drop
dnl
dnl Allow any traffic from ns0->ns1. SNAT ns0 to 10.1.1.240-10.1.1.255
table=1 priority=100 in_port=1 ip ct_state=+trk+new-est action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
table=1 priority=100 in_port=1 ip ct_state=+trk-new+est action=2
dnl Only allow established traffic from ns1->ns0.
table=1 priority=100 in_port=2 ip ct_state=+trk-new+est action=1
dnl Anything not tracked as new or established (including invalid) is dropped.
table=1 priority=0 action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
table=8 priority=100 reg2=0x0a0101f0/0xfffffff0 action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
table=8 priority=0 action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl ARP TPA IP in reg2.
table=10 priority=100 arp xreg0=0 action=normal
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=10 arp arp_op=1 action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
OVS_START_L7([at_ns1], [http])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])

dnl The sed masks the SNATed reply address (last octet 240-255) so the
dnl expected line does not depend on which address was picked from the range.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/' | uniq], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
4189
AT_SETUP([conntrack - simple DNAT])
dnl Connections from ns0 to the virtual address 10.1.1.64 are DNATed to the
dnl real address 10.1.1.2; connections to 10.1.1.2 directly are committed
dnl without NAT.  Both paths are exercised and checked in the conntrack dump.
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl The virtual address 10.1.1.64 (0x0a010140 in table 8) is answered by the
dnl ARP responder with this MAC, i.e. with the MAC of the DNAT target p1.
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])

dnl Allow any IP traffic from ns0->ns1, DNATing 10.1.1.64 to 10.1.1.2.
dnl From ns1->ns0 untracked IP is run through ct(nat) in zone 1 and only
dnl established connections are forwarded back.
AT_DATA([flows.txt], [dnl
priority=100 in_port=1,ip,nw_dst=10.1.1.64,action=ct(zone=1,nat(dst=10.1.1.2),commit),2
priority=10 in_port=1,ip,action=ct(commit,zone=1),2
priority=100 in_port=2,ct_state=-trk,ip,action=ct(table=0,nat,zone=1)
priority=100 in_port=2,ct_state=+trk+est,ct_zone=1,ip,action=1
dnl
dnl ARP
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0,action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
table=10 priority=100 arp xreg0=0 action=normal
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Should work with the virtual IP address through NAT
OVS_START_L7([at_ns1], [http])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])

dnl The original direction keeps the virtual dst, the reply direction shows
dnl the real server address as src.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
])

dnl Should work with the assigned IP address as well
dnl (exercises the priority=10 commit-without-NAT flow).
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
4244
AT_SETUP([conntrack - more complex DNAT])
dnl Same scenario as the simple DNAT test, but every IP packet is first sent
dnl through ct(nat) in table 0 and the commit/forward decisions are made in
dnl table 1 on the tracked state.
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl The virtual address 10.1.1.64 (0x0a010140 in table 8) is answered by the
dnl ARP responder with this MAC, i.e. with the MAC of the DNAT target p1.
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])

dnl Allow any IP traffic from ns0->ns1, DNATing 10.1.1.64 to 10.1.1.2.
dnl From ns1->ns0 only established connections in zone 1 are forwarded back.
AT_DATA([flows.txt], [dnl
dnl Track all IP traffic
table=0 priority=100 ip action=ct(table=1,zone=1,nat)
dnl
dnl Allow ARP, but generate responses for NATed addresses
table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
table=0 priority=10 arp action=normal
table=0 priority=0 action=drop
dnl
dnl Allow any IP traffic from ns0->ns1. DNAT ns0 from 10.1.1.64 to 10.1.1.2
table=1 priority=100 in_port=1 ct_state=+new ip nw_dst=10.1.1.64 action=ct(zone=1,nat(dst=10.1.1.2),commit),2
table=1 priority=10 in_port=1 ct_state=+new ip action=ct(commit,zone=1),2
table=1 priority=100 in_port=1 ct_state=+est ct_zone=1 action=2
dnl Only allow established traffic from ns1->ns0.
table=1 priority=100 in_port=2 ct_state=+est ct_zone=1 action=1
dnl Everything else, including new connections from ns1, is dropped.
table=1 priority=0 action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
table=10 priority=100 arp xreg0=0 action=normal
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Should work with the virtual IP address through NAT
OVS_START_L7([at_ns1], [http])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])

dnl The original direction keeps the virtual dst, the reply direction shows
dnl the real server address as src.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
])

dnl Should work with the assigned IP address as well
dnl (exercises the priority=10 commit-without-NAT flow in table 1).
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
4305
AT_SETUP([conntrack - ICMP related with NAT])
dnl A UDP datagram from ns0 is SNATed towards ns1; the ICMP error ns1 sends
dnl back must be classified as related to the marked UDP connection and be
dnl reverse-NATed before it is forwarded to ns0.  A capture on p0 is checked
dnl afterwards for checksum complaints in the rewritten ICMP packet.
AT_SKIP_IF([test $HAVE_NC = no])
AT_SKIP_IF([test $HAVE_TCPDUMP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl The SNAT range 10.1.1.240/28 is answered by the ARP responder in table 10
dnl with this MAC.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
dnl Make sure ICMP responses are reverse-NATted.
dnl ICMP from ns1 is only forwarded if it is related to a connection carrying
dnl ct_mark=1, i.e. one that was committed by the UDP flow below; unrelated
dnl ICMP from ns1 has no matching flow and is dropped.
AT_DATA([flows.txt], [dnl
in_port=1,udp,action=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:1->ct_mark)),2
in_port=2,icmp,ct_state=-trk,action=ct(table=0,nat)
in_port=2,icmp,nw_dst=10.1.1.1,ct_state=+trk+rel,ct_mark=1,action=1
dnl
dnl ARP
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0,action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Capture on the host side of p0 so the reverse-NATed ICMP error can be
dnl inspected after the exchange.  The sleep presumably gives tcpdump time to
dnl attach before traffic is sent.
rm p0.pcap
tcpdump -U -i ovs-p0 -w p0.pcap &
sleep 1

dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])

dnl Packet counters prove that exactly one UDP datagram was NATed out and
dnl exactly one related ICMP packet came back through the ct_mark=1 flow.
AT_CHECK([ovs-appctl revalidator/purge], [0])
AT_CHECK([ovs-ofctl -O OpenFlow15 dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
 n_packets=1, n_bytes=42, priority=10,arp actions=NORMAL
 n_packets=1, n_bytes=44, udp,in_port=1 actions=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:0x1->ct_mark)),output:2
 n_packets=1, n_bytes=72, ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2,nw_dst=10.1.1.1 actions=output:1
 n_packets=1, n_bytes=72, ct_state=-trk,icmp,in_port=2 actions=ct(table=0,nat)
 n_packets=2, n_bytes=84, priority=100,arp,arp_op=1 actions=move:NXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
 table=10, n_packets=1, n_bytes=42, priority=10,arp,arp_op=1 actions=set_field:2->arp_op,move:NXM_NX_ARP_SHA[[]]->NXM_NX_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_NX_ARP_SHA[[]],move:NXM_OF_ARP_SPA[[]]->NXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->NXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],set_field:0->in_port,output:NXM_NX_REG3[[0..15]]
 table=10, n_packets=1, n_bytes=42, priority=100,arp,reg0=0,reg1=0 actions=NORMAL
 table=8, n_packets=1, n_bytes=42, priority=0 actions=set_field:0->xreg0
 table=8, n_packets=1, n_bytes=42, reg2=0xa0101f0/0xfffffff0 actions=set_field:0x808888888888->xreg0
OFPST_FLOW reply (OF1.5):
])

dnl The sed masks the SNATed reply address (last octet 240-255).
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),mark=1
])

dnl tcpdump's verbose decode marks checksum problems with "wrong" or "bad";
dnl an exit status of 1 from egrep means no such line was found, i.e. the
dnl reverse NAT left the ICMP packet with consistent checksums.
AT_CHECK([tcpdump -v "icmp" -r p0.pcap 2>/dev/null | egrep 'wrong|bad'], [1], [ignore-nolog])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
4373
dnl CHECK_FTP_NAT(TITLE, IP_ADDR, FLOWS, CT_DUMP)
dnl
dnl Checks the implementation of conntrack with FTP ALGs in combination with
dnl NAT, using the provided flow table.
dnl
dnl TITLE is appended to the test name, FLOWS is the complete flow table
dnl installed on br0 and CT_DUMP is the expected conntrack dump for 10.1.1.2.
dnl IP_ADDR ($2) is accepted for symmetry with the callers but is not
dnl referenced in this body; the callers substitute it into FLOWS and CT_DUMP
dnl themselves.
dnl
dnl The client runs with passive mode off, so the server opens the data
dnl connection back towards the client; this is the "related" connection
dnl that FLOWS must permit and NAT in the server-to-client direction.
m4_define([CHECK_FTP_NAT],
 [AT_SETUP([conntrack - FTP $1])
 AT_SKIP_IF([test $HAVE_FTP = no])
 AT_SKIP_IF([test $HAVE_LFTP = no])
 CHECK_CONNTRACK()
 CHECK_CONNTRACK_NAT()
 CHECK_CONNTRACK_ALG()

 OVS_TRAFFIC_VSWITCHD_START()

 ADD_NAMESPACES(at_ns0, at_ns1)

 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
 dnl The NAT address is answered by the ARP responder with this MAC.
 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

 dnl Install the caller-supplied flow table.
 AT_DATA([flows.txt], [$3])

 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

 OVS_START_L7([at_ns1], [ftp])

 dnl FTP requests from p0->p1 should work fine.
 dnl Active mode with caching disabled, so each ls is expected to open a
 dnl fresh server-initiated data connection.
 AT_DATA([ftp.cmd], [dnl
set net:max-retries 1
set net:timeout 1
set ftp:passive-mode off
cache off
connect ftp://anonymous:@10.1.1.2
ls
ls
ls
ls
])
 NS_CHECK_EXEC([at_ns0], [lftp -f ftp.cmd > lftp.log])

 dnl Discards CLOSE_WAIT and CLOSING
 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [$4])

 OVS_TRAFFIC_VSWITCHD_STOP
 AT_CLEANUP])
019c73ac 4420
dnl CHECK_FTP_SNAT_PRE_RECIRC(TITLE, IP_ADDR, IP_ADDR_AS_HEX)
dnl
dnl Checks the implementation of conntrack with FTP ALGs in combination with
dnl NAT, with flow tables that implement the NATing as part of handling of
dnl initial incoming packets - ie, the first flow is ct(nat,table=foo).
dnl
dnl IP_ADDR must specify the NAT address in standard "10.1.1.x" format,
dnl and IP_ADDR_AS_HEX must specify the same address as hex, eg 0x0a0101xx.
dnl
dnl Traffic is split by ingress port into table 1 (port 1 -> 2) and table 2
dnl (port 2 -> 1); each table ends with explicit drop rules so that nothing
dnl not listed above them is forwarded.
m4_define([CHECK_FTP_SNAT_PRE_RECIRC], [dnl
 CHECK_FTP_NAT([SNAT prerecirc $1], [$2], [dnl
dnl track all IP traffic, de-mangle non-NEW connections
table=0 in_port=1, ip, action=ct(table=1,nat)
table=0 in_port=2, ip, action=ct(table=2,nat)
dnl
dnl ARP
dnl
table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
table=0 priority=10 arp action=normal
table=0 priority=0 action=drop
dnl
dnl Table 1: port 1 -> 2
dnl
dnl Allow new FTP connections. These need to be committed.
dnl Only the client address 10.1.1.1 may open new control connections.
table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, action=ct(alg=ftp,commit,nat(src=$2)),2
dnl Allow established TCP connections, make sure they are NATted already.
table=1 ct_state=+est, tcp, nw_src=$2, action=2
dnl
dnl Table 1: droppers
dnl
table=1 priority=10, tcp, action=drop
table=1 priority=0,action=drop
dnl
dnl Table 2: port 2 -> 1
dnl
dnl Allow established TCP connections, make sure they are reverse NATted
table=2 ct_state=+est, tcp, nw_dst=10.1.1.1, action=1
dnl Allow (new) related (data) connections. These need to be committed.
dnl Only connections the FTP ALG marked as related are accepted here, so the
dnl server cannot open arbitrary new connections towards the client.
table=2 ct_state=+new+rel, tcp, nw_dst=$2, action=ct(commit,nat),1
dnl Allow related ICMP packets, make sure they are reverse NATted
table=2 ct_state=+rel, icmp, nw_dst=10.1.1.1, action=1
dnl
dnl Table 2: droppers
dnl
table=2 priority=10, tcp, action=drop
table=2 priority=0, action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl
table=8,reg2=$3/0xffffffff,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
tcp,orig=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
])
])
4482
dnl Check that ct(nat,table=foo) works without TCP sequence adjustment.
dnl 10.1.1.9 has the same ASCII length as the original address 10.1.1.1, so
dnl no packet resizing is needed for this variant.
CHECK_FTP_SNAT_PRE_RECIRC([], [10.1.1.9], [0x0a010109])

dnl Check that ct(nat,table=foo) works with TCP sequence adjustment.
dnl
dnl The FTP PORT command includes the ASCII representation of the address,
dnl so when these messages need to be NATed between addresses that have
dnl different lengths when represented in ASCII (such as the original address
dnl of 10.1.1.1 used in the test and 10.1.1.240 here), the FTP NAT ALG must
dnl resize the packet and adjust TCP sequence numbers. This test is kept
dnl separate from the above to make it easier to identify issues in this code
dnl on different kernels.
CHECK_FTP_SNAT_PRE_RECIRC([seqadj], [10.1.1.240], [0x0a0101f0])
74f205f6 4496
dnl CHECK_FTP_SNAT_POST_RECIRC(TITLE, IP_ADDR, IP_ADDR_AS_HEX)
dnl
dnl Checks the implementation of conntrack with FTP ALGs in combination with
dnl NAT, with flow tables that implement the NATing after the first round
dnl of recirculation - that is, the first flow ct(table=foo) then a subsequent
dnl flow will implement the NATing with ct(nat..),output:foo.
dnl
dnl IP_ADDR must specify the NAT address in standard "10.1.1.x" format,
dnl and IP_ADDR_AS_HEX must specify the same address as hex, eg 0x0a0101xx.
dnl
dnl Unlike the prerecirc variant, the table 0 flow does not NAT, so table 1
dnl matches on the original (un-NATed) headers and applies ct(nat) itself.
m4_define([CHECK_FTP_SNAT_POST_RECIRC], [dnl
 CHECK_FTP_NAT([SNAT postrecirc $1], [$2], [dnl
dnl track all IP traffic (this includes a helper call to non-NEW packets.)
table=0 ip, action=ct(table=1)
dnl
dnl ARP
dnl
table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
table=0 priority=10 arp action=normal
table=0 priority=0 action=drop
dnl
dnl Table 1
dnl
dnl Allow new FTP connections. These need to be committed.
dnl This does helper for new packets.
dnl Note that, unlike the prerecirc variant, new control connections are not
dnl restricted by nw_src here; the in_port match is the only origin check.
table=1 in_port=1 ct_state=+new, tcp, tp_dst=21, action=ct(alg=ftp,commit,nat(src=$2)),2
dnl Allow and NAT established TCP connections
table=1 in_port=1 ct_state=+est, tcp, action=ct(nat),2
table=1 in_port=2 ct_state=+est, tcp, action=ct(nat),1
dnl Allow and NAT (new) related active (data) connections.
dnl These need to be committed.
table=1 in_port=2 ct_state=+new+rel, tcp, action=ct(commit,nat),1
dnl Allow related ICMP packets.
table=1 in_port=2 ct_state=+rel, icmp, action=ct(nat),1
dnl Drop everything else.
table=1 priority=0, action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl
table=8,reg2=$3/0xffffffff,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
dnl Swaps the fields of the ARP message to turn a query to a response.
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
tcp,orig=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
])
])
4548
dnl Check that ct(nat,table=foo) works without TCP sequence adjustment.
dnl 10.1.1.9 has the same ASCII length as the original address 10.1.1.1, so
dnl no packet resizing is needed for this variant.
CHECK_FTP_SNAT_POST_RECIRC([], [10.1.1.9], [0x0a010109])

dnl Check that ct(nat,table=foo) works with TCP sequence adjustment.
dnl
dnl The FTP PORT command includes the ASCII representation of the address,
dnl so when these messages need to be NATed between addresses that have
dnl different lengths when represented in ASCII (such as the original address
dnl of 10.1.1.1 used in the test and 10.1.1.240 here), the FTP NAT ALG must
dnl resize the packet and adjust TCP sequence numbers. This test is kept
dnl separate from the above to make it easier to identify issues in this code
dnl on different kernels.
CHECK_FTP_SNAT_POST_RECIRC([seqadj], [10.1.1.240], [0x0a0101f0])
9ac0aada 4562
daf4d3c1 4563
efa29a89 4564dnl CHECK_FTP_SNAT_ORIG_TUPLE(TITLE, IP_ADDR, IP_ADDR_AS_HEX)
daf4d3c1
JR
4565dnl
4566dnl Checks the implementation of conntrack original direction tuple matching
4567dnl with FTP ALGs in combination with NAT, with flow tables that implement
4568dnl the NATing before the first round of recirculation - that is, the first
4569dnl flow ct(nat, table=foo) then a subsequent flow will implement the
4570dnl commiting of NATed and other connections with ct(nat..),output:foo.
4571dnl
4572dnl IP_ADDR must specify the NAT address in standard "10.1.1.x" format,
4573dnl and IP_ADDR_AS_HEX must specify the same address as hex, eg 0x0a0101xx.
efa29a89
DM
4574m4_define([CHECK_FTP_SNAT_ORIG_TUPLE], [dnl
4575 CHECK_FTP_NAT([SNAT orig tuple $1], [$2], [dnl
2cd20955
JR
4576dnl Store zone in reg4 and packet direction in reg3 (IN=1, OUT=2).
4577dnl NAT is only applied to OUT-direction packets, so that ACL
4578dnl processing can be done with non-NATted headers.
4579dnl
4580dnl Track all IP traffic in the IN-direction (IN from Port 1).
4581table=0 in_port=1, ip, action=set_field:1->reg4,set_field:1->reg3,ct(zone=NXM_NX_REG4[[0..15]],table=1)
4582dnl Track all IP traffic in the OUT-direction (OUT to the Port 1).
4583table=0 in_port=2, ip, action=set_field:1->reg4,set_field:2->reg3,ct(zone=NXM_NX_REG4[[0..15]],nat,table=1)
daf4d3c1
JR
4584dnl
4585dnl ARP
4586dnl
4587table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
4588table=0 priority=10 arp action=normal
4589table=0 priority=0 action=drop
4590dnl
2cd20955
JR
4591dnl Pass tracked traffic through ACL, drop everything else.
4592dnl Non-REPLY/RELATED packets get the ACL lookup with the packet headers
4593dnl in the actual packet direction in reg0 (IN=1, OUT=2). REPLY packets
4594dnl get the ACL lookup using the conntrack tuple and the inverted direction.
4595dnl RELATED packets get ACL lookup using the conntrack tuple in the direction
28033773 4596dnl of the master connection, as stored in ct_label[0].
2cd20955
JR
4597dnl
4598dnl Incoming non-related packet in the original direction (ACL IN)
4599table=1 reg3=1, ip, ct_state=-rel-rpl+trk-inv action=set_field:1->reg0,resubmit(,3),goto_table:5
4600dnl Incoming non-related reply packet (CT ACL OUT)
4601table=1 reg3=1, ip, ct_state=-rel+rpl+trk-inv action=set_field:2->reg0,resubmit(,3,ct),goto_table:4
4602dnl Outgoing non-related packet (ACL OUT)
4603table=1 reg3=2, ip, ct_state=-rel-rpl+trk-inv action=set_field:2->reg0,resubmit(,3),goto_table:5
4604dnl Outgoing non-related reply packet (CT ACL IN)
4605table=1 reg3=2, ip, ct_state=-rel+rpl+trk-inv action=set_field:1->reg0,resubmit(,3,ct),goto_table:4
daf4d3c1 4606dnl
2cd20955 4607dnl Related packet (CT ACL in the direction of the master connection.)
28033773 4608table=1 ip, ct_state=+rel+trk-inv, action=move:NXM_NX_CT_LABEL[[0]]->NXM_NX_REG0[[0]],resubmit(,3,ct),goto_table:4
daf4d3c1
JR
4609dnl Drop everything else.
4610table=1 priority=0, action=drop
4611dnl
2cd20955
JR
4612dnl "ACL table"
4613dnl
4614dnl Stateful accept (1->reg2) all incoming (reg0=1) IP connections with
4615dnl IP source address '10.1.1.1'. Store rule ID (1234) in reg1, verdict
4616dnl in reg2.
4617table=3 priority=10, reg0=1, ip, nw_src=10.1.1.1 action=set_field:1234->reg1,set_field:1->reg2
4618dnl Stateless drop (0->reg2) everything else in both directions. (Rule ID: 1235)
4619table=3 priority=0, action=set_field:1235->reg1,set_field:0->reg2
4620dnl
4621dnl Re-process stateful traffic that was not accepted by a stateful rule as
4622dnl normal traffic in the current direction. This should also delete the
4623dnl now stale conntrack state, so that new state can be created in it's place.
4624dnl
4625dnl Stateful accepts go to next table.
4626table=4 priority=100 reg2=1, action=goto_table:5
4627dnl Everything else is reprocessed disregarding the CT state, using the actual
4628dnl packet direction.
4629table=4 priority=0 action=move:NXM_NX_REG3[[]]->NXM_NX_REG0[[]],resubmit(,3),goto_table:5
4630dnl
4631dnl "ACL verdict processing table."
4632dnl
4633dnl Handle stateful (reg2=1) / stateless (reg2=2) accepts and drops (reg2=0)
4634dnl
4635dnl Drop all non-accepted packets.
4636table=5 reg2=0 priority=1000 action=drop
daf4d3c1 4637dnl
2cd20955
JR
4638dnl Commit new incoming FTP control connections with SNAT range. Must match on
4639dnl 'tcp' when setting 'alg=ftp'. Store the directionality of non-related
28033773
JR
4640dnl connections to ct_label[0] Store the rule ID to ct_label[96..127].
4641table=5 priority=100 reg2=1 reg3=1 ct_state=+new-rel, tcp, tp_dst=21, action=ct(zone=NXM_NX_REG4[[0..15]],alg=ftp,commit,nat(src=$2),exec(move:NXM_NX_REG3[[0]]->NXM_NX_CT_LABEL[[0]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
2cd20955 4642dnl Commit other new incoming non-related IP connections with SNAT range.
28033773 4643table=5 priority=10 reg2=1 reg3=1 ct_state=+new-rel, ip, action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat(src=$2),exec(move:NXM_NX_REG3[[0]]->NXM_NX_CT_LABEL[[0]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
2cd20955
JR
4644dnl Commit non-related outgoing new IP connections with DNAT range.
4645dnl (This should not get any packets in this test.)
28033773 4646table=5 priority=10 reg2=1 reg3=2 ct_state=+new-rel, ip, action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat(dst=$2),exec(move:NXM_NX_REG3[[0]]->NXM_NX_CT_LABEL[[0]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
2cd20955 4647dnl Commit new related connections in either direction, which need 'nat'
28033773 4648dnl and which inherit the label (the direction of the original direction
2cd20955
JR
4649dnl master tuple) from the master connection.
4650table=5 priority=10 reg2=1 ct_state=+new+rel, ip, action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat,exec(move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
4651dnl
4652dnl NAT incoming non-NEW packets. Outgoing packets were NATted in table 0.
4653dnl
4654table=5 priority=10 ct_state=-new+trk-inv reg3=1 ip, action=ct(zone=NXM_NX_REG4[[0..15]],nat),goto_table:6
4655dnl Forward everything else, including stateless accepts.
4656table=5 priority=0 action=goto_table:6
4657dnl
4658dnl "Forwarding table"
4659dnl
4660table=6 in_port=1 action=2
4661table=6 in_port=2 action=1
daf4d3c1
JR
4662dnl
4663dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
4664dnl
2cd20955 4665table=8,reg2=$3,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
daf4d3c1
JR
4666table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
4667dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
4668dnl TPA IP in reg2.
4669dnl Swaps the fields of the ARP message to turn a query to a response.
4670table=10 priority=100 arp xreg0=0 action=normal
4671table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
4672table=10 priority=0 action=drop
2cd20955 4673], [dnl
4674tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),zone=1,labels=0x4d2000000000000000000000001,protoinfo=(state=<cleared>),helper=ftp
4675tcp,orig=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,labels=0x4d2000000000000000000000001,protoinfo=(state=<cleared>)
2cd20955 4676])
4677])
4678
dnl Check that ct(nat,table=foo) works without TCP sequence adjustment with
dnl an ACL table based on matching on conntrack original direction tuple only.
dnl Arguments: the first is empty or seqadj; the second is the address used
dnl for nat(dst=...) and expected in the conntrack dump; the third is the same
dnl address as a hex literal for the reg2 match in the MAC resolution table.
CHECK_FTP_SNAT_ORIG_TUPLE([], [10.1.1.9], [0x0a010109])

dnl Check that ct(nat,table=foo) works with TCP sequence adjustment with
dnl an ACL table based on matching on conntrack original direction tuple only.
CHECK_FTP_SNAT_ORIG_TUPLE([seqadj], [10.1.1.240], [0x0a0101f0])
daf4d3c1 4686
AT_SETUP([conntrack - IPv4 FTP Passive with SNAT])
dnl Passive-mode FTP from the client in ns0 (10.1.1.1) to the server in ns1
dnl (10.1.1.2), with the client SNATted to 10.1.1.240. The ftp ALG has to
dnl recognise the passive data connection as related so that the +new+rel
dnl flow in table 1 can commit and NAT it; anything not listed is dropped.
AT_SKIP_IF([test $HAVE_FTP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
CHECK_CONNTRACK_ALG()

OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

dnl Only IPv4 is matched in table 0 and ARP is dropped, so neighbour entries
dnl are static, including one on the server side for the SNAT address.
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])

ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.240 e6:66:c1:11:11:11])

dnl Allow FTP control, related and established TCP from ns0->ns1, established
dnl TCP back from ns1->ns0 and ICMP both ways; drop everything else.
AT_DATA([flows.txt], [dnl
dnl track all IPv4 traffic and NAT any established traffic.
table=0 priority=10 ip, action=ct(nat,table=1)
table=0 priority=0 action=drop
dnl
dnl Table 1
dnl
dnl Allow new FTP control connections, SNAT the client to 10.1.1.240 and
dnl attach the ftp ALG so the data channel negotiated on it becomes related.
table=1 in_port=1 ct_state=+new tcp nw_src=10.1.1.1 tp_dst=21 action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
dnl Allow related TCP connections (the passive data channel) from port 1;
dnl the bare 'nat' picks up the translation of the master control connection.
table=1 in_port=1 ct_state=+new+rel tcp nw_src=10.1.1.1 action=ct(commit,nat),2
dnl Allow established TCP connections both ways, post-NAT match.
table=1 in_port=1 ct_state=+est tcp nw_src=10.1.1.240 action=2
table=1 in_port=2 ct_state=+est tcp nw_dst=10.1.1.1 action=1

dnl Allow ICMP both ways.
table=1 priority=100 in_port=1 icmp, action=2
table=1 priority=100 in_port=2 icmp, action=1
table=1 priority=0, action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Check that the stacks are up before sending traffic, to avoid races.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2 >/dev/null])

OVS_START_L7([at_ns1], [ftp])

dnl FTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl Expect the data connection (no helper) and the control connection
dnl (helper=ftp), both originated by the client and SNATted on the reply side.
dnl Discards CLOSE_WAIT and CLOSING
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
4746
AT_SETUP([conntrack - IPv4 FTP Passive with DNAT])
dnl Passive-mode FTP where the client in ns0 connects to the virtual address
dnl 10.1.1.2 and conntrack DNATs the control connection to the real server
dnl 10.1.1.240 in ns1; the ftp ALG must make the passive data connection
dnl follow the same translation.
AT_SKIP_IF([test $HAVE_FTP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
CHECK_CONNTRACK_ALG()

OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

dnl ARP is dropped by the flow table, so neighbours are static; the client
dnl maps both the virtual and the real server address to the server MAC.
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.240 e6:66:c1:22:22:22])

ADD_VETH(p1, at_ns1, br0, "10.1.1.240/24")
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])

dnl Allow FTP control, related and established TCP from ns0->ns1, established
dnl TCP back from ns1->ns0 and ICMP both ways; drop everything else.
AT_DATA([flows.txt], [dnl
dnl track all IPv4 traffic and NAT any established traffic.
table=0 priority=10 ip, action=ct(nat,table=1)
table=0 priority=0 action=drop
dnl
dnl Table 1
dnl
dnl Allow new FTP control connections and DNAT them to the real server.
table=1 in_port=1 ct_state=+new tcp nw_src=10.1.1.1 tp_dst=21 action=ct(alg=ftp,commit,nat(dst=10.1.1.240)),2
dnl Allow related TCP connections (the passive data channel) from port 1,
dnl NATted like the master control connection.
table=1 in_port=1 ct_state=+new+rel tcp nw_src=10.1.1.1 action=ct(commit,nat),2
dnl Allow established TCP connections both ways, post-NAT match.
table=1 in_port=1 ct_state=+est tcp nw_dst=10.1.1.240 action=2
table=1 in_port=2 ct_state=+est tcp nw_dst=10.1.1.1 action=1

dnl Allow ICMP both ways.
table=1 priority=100 in_port=1 icmp, action=2
table=1 priority=100 in_port=2 icmp, action=1
table=1 priority=0, action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Check that the stacks are up before sending traffic, to avoid races.
dnl The ping targets the real server address.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.240 >/dev/null])

OVS_START_L7([at_ns1], [ftp])

dnl FTP requests from p0->p1 via the virtual address should work fine.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl Both connections are originated to the virtual address and answered by
dnl the real server, i.e. the DNAT shows up on the reply side.
dnl Discards CLOSE_WAIT and CLOSING
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.240,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.240,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
4806
AT_SETUP([conntrack - IPv4 FTP Passive with DNAT 2])
dnl Same passive-mode DNAT scenario as the previous test, but the virtual
dnl address (10.1.1.200) and the real server (10.1.100.1) sit in different
dnl /24 ranges of a shared /16, so the translation crosses subnets.
AT_SKIP_IF([test $HAVE_FTP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
CHECK_CONNTRACK_ALG()

OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

dnl ARP is dropped by the flow table, so neighbours are static; the client
dnl maps both the virtual and the real server address to the server MAC.
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/16")
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.200 e6:66:c1:22:22:22])
NS_CHECK_EXEC([at_ns0], [arp -s 10.1.100.1 e6:66:c1:22:22:22])

ADD_VETH(p1, at_ns1, br0, "10.1.100.1/16")
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])

dnl Allow FTP control, related and established TCP from ns0->ns1, established
dnl TCP back from ns1->ns0 and ICMP both ways; drop everything else.
AT_DATA([flows.txt], [dnl
dnl track all IPv4 traffic and NAT any established traffic.
table=0 priority=10 ip, action=ct(nat,table=1)
table=0 priority=0 action=drop
dnl
dnl Table 1
dnl
dnl Allow new FTP control connections and DNAT them to the real server.
table=1 in_port=1 ct_state=+new tcp nw_src=10.1.1.1 tp_dst=21 action=ct(alg=ftp,commit,nat(dst=10.1.100.1)),2
dnl Allow related TCP connections (the passive data channel) from port 1,
dnl NATted like the master control connection.
table=1 in_port=1 ct_state=+new+rel tcp nw_src=10.1.1.1 action=ct(commit,nat),2
dnl Allow established TCP connections both ways, post-NAT match.
table=1 in_port=1 ct_state=+est tcp nw_dst=10.1.100.1 action=2
table=1 in_port=2 ct_state=+est tcp nw_dst=10.1.1.1 action=1

dnl Allow ICMP both ways.
table=1 priority=100 in_port=1 icmp, action=2
table=1 priority=100 in_port=2 icmp, action=1
table=1 priority=0, action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Check that the stacks are up before sending traffic, to avoid races.
dnl The ping targets the real server address.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.100.1 >/dev/null])

OVS_START_L7([at_ns1], [ftp])

dnl FTP requests from p0->p1 via the virtual address should work fine.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.200 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl Both connections are originated to the virtual address and answered by
dnl the real server, i.e. the DNAT shows up on the reply side.
dnl Discards CLOSE_WAIT and CLOSING
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.200)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.200,sport=<cleared>,dport=<cleared>),reply=(src=10.1.100.1,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.1,dst=10.1.1.200,sport=<cleared>,dport=<cleared>),reply=(src=10.1.100.1,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
4866
AT_SETUP([conntrack - IPv4 FTP Active with DNAT])
dnl Active-mode FTP (wget --no-passive-ftp) to a virtual address: the client
dnl in ns0 connects to 10.1.1.2, which is DNATted to the real server
dnl 10.1.1.240 in ns1. In active mode the server opens the data connection
dnl back to the client, so the related flow comes in on port 2 and has to be
dnl reverse-translated so the client sees it from the virtual address.
AT_SKIP_IF([test $HAVE_FTP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
CHECK_CONNTRACK_ALG()

OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

dnl ARP is dropped by the flow table, so neighbours are static; the client
dnl maps both the virtual and the real server address to the server MAC.
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.240 e6:66:c1:22:22:22])

ADD_VETH(p1, at_ns1, br0, "10.1.1.240/24")
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])

dnl Allow FTP control and established TCP from ns0->ns1, related and
dnl established TCP back from ns1->ns0 and ICMP both ways; drop the rest.
AT_DATA([flows.txt], [dnl
dnl track all IPv4 traffic and NAT any established traffic.
table=0 priority=10 ip, action=ct(nat,table=1)
table=0 priority=0 action=drop
dnl
dnl Table 1
dnl
dnl Allow new FTP control connections and DNAT them to the real server.
table=1 in_port=1 ct_state=+new tcp nw_src=10.1.1.1 tp_dst=21 action=ct(alg=ftp,commit,nat(dst=10.1.1.240)),2
dnl Allow related TCP connections from port 2: in active mode the server
dnl originates the data connection, NATted like the master connection.
table=1 in_port=2 ct_state=+new+rel tcp nw_src=10.1.1.240 action=ct(commit,nat),1
dnl Allow established TCP connections both ways, post-NAT match.
table=1 in_port=1 ct_state=+est tcp nw_dst=10.1.1.240 action=2
table=1 in_port=2 ct_state=+est tcp nw_dst=10.1.1.1 action=1

dnl Allow ICMP both ways.
table=1 priority=100 in_port=1 icmp, action=2
table=1 priority=100 in_port=2 icmp, action=1
table=1 priority=0, action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Check that the stacks are up before sending traffic, to avoid races.
dnl The ping targets the real server address.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.240 >/dev/null])

OVS_START_L7([at_ns1], [ftp])

dnl FTP requests from p0->p1 via the virtual address should work fine.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl Expect the client-originated control connection (helper=ftp) answered by
dnl the real server, and the server-originated data connection whose reply
dnl is translated back so that it appears to come from the virtual address.
dnl Discards CLOSE_WAIT and CLOSING
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.240,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
tcp,orig=(src=10.1.1.240,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
4926
AT_SETUP([conntrack - IPv4 FTP Active with DNAT with reverse skew])
dnl Active-mode FTP DNAT as in the previous test, but the virtual address
dnl (10.1.120.240) and the real server (10.1.1.2) are in different /24
dnl ranges of a shared /16, with the real address numerically below the
dnl virtual one.
AT_SKIP_IF([test $HAVE_FTP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
CHECK_CONNTRACK_ALG()

OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

dnl ARP is dropped by the flow table, so neighbours are static; the client
dnl maps both the real and the virtual server address to the server MAC.
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/16")
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
NS_CHECK_EXEC([at_ns0], [arp -s 10.1.120.240 e6:66:c1:22:22:22])

ADD_VETH(p1, at_ns1, br0, "10.1.1.2/16")
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])

dnl Allow FTP control and established TCP from ns0->ns1, related and
dnl established TCP back from ns1->ns0 and ICMP both ways; drop the rest.
AT_DATA([flows.txt], [dnl
dnl track all IPv4 traffic and NAT any established traffic.
table=0 priority=10 ip, action=ct(nat,table=1)
table=0 priority=0 action=drop
dnl
dnl Table 1
dnl
dnl Allow new FTP control connections and DNAT them to the real server.
table=1 in_port=1 ct_state=+new tcp nw_src=10.1.1.1 tp_dst=21 action=ct(alg=ftp,commit,nat(dst=10.1.1.2)),2
dnl Allow related TCP connections from port 2: in active mode the server
dnl originates the data connection, NATted like the master connection.
table=1 in_port=2 ct_state=+new+rel tcp nw_src=10.1.1.2 action=ct(commit,nat),1
dnl Allow established TCP connections both ways, post-NAT match.
table=1 in_port=1 ct_state=+est tcp nw_dst=10.1.1.2 action=2
table=1 in_port=2 ct_state=+est tcp nw_dst=10.1.1.1 action=1

dnl Allow ICMP both ways.
table=1 priority=100 in_port=1 icmp, action=2
table=1 priority=100 in_port=2 icmp, action=1
table=1 priority=0, action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Check that the stacks are up before sending traffic, to avoid races.
dnl The ping targets the real server address.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2 >/dev/null])

OVS_START_L7([at_ns1], [ftp])

dnl FTP requests from p0->p1 via the virtual address should work fine.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.120.240 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl Expect the client-originated control connection (helper=ftp) answered by
dnl the real server, and the server-originated data connection whose reply
dnl is translated back so that it appears to come from the virtual address.
dnl Discards CLOSE_WAIT and CLOSING
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.120.240)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.120.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.120.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
4986
AT_SETUP([conntrack - IPv6 HTTP with SNAT])
dnl HTTP over IPv6 from ns0 (fc00::1) to ns1 (fc00::2) with the client SNATted
dnl to an address out of the range fc00::240-fc00::241. Also checks the
dnl negative case: a new connection initiated from ns1 must be dropped.
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl Static neighbour entries in ns1 for both addresses of the SNAT range.
NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::241 lladdr 80:88:88:88:88:88 dev p1])

dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
AT_DATA([flows.txt], [dnl
dnl Default drop; ICMPv6 (which carries nd) is switched normally.
priority=1,action=drop
priority=10,icmp6,action=normal
dnl ns0->ns1: commit and SNAT to an address of the range.
priority=100,in_port=1,ip6,action=ct(commit,nat(src=fc00::240-fc00::241)),2
dnl ns1->ns0: untracked packets are run through conntrack with NAT and
dnl re-evaluated; only established connections are forwarded.
priority=100,in_port=2,ct_state=-trk,ip6,action=ct(nat,table=0)
priority=100,in_port=2,ct_state=+trk+est,ip6,action=1
dnl Neighbor solicitations (ICMPv6 type 135) for the SNAT addresses are
dnl DNATted to fc00::1 and forwarded to port 1.
priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::240,action=ct(commit,nat(dst=fc00::1)),1
priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::241,action=ct(commit,nat(dst=fc00::1)),1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])

dnl HTTP requests from ns0->ns1 should work fine.
OVS_START_L7([at_ns1], [http6])

NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl HTTP requests from ns1->ns0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
dnl A new TCP connection from port 2 is +trk+new after conntrack and matches
dnl nothing but the priority=1 drop, so wget is expected to exit with 4.
OVS_START_L7([at_ns0], [http6])
NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
5030
AT_SETUP([conntrack - IPv6 HTTP with DNAT])
dnl HTTP over IPv6 to a virtual address: ns0 (fc00::1) talks to fc00::240,
dnl which conntrack DNATs to the real server fc00::2 in ns1, all in ct zone 1.
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
NS_CHECK_EXEC([at_ns0], [ip -6 link set dev p0 address 80:88:88:88:88:77])
NS_CHECK_EXEC([at_ns1], [ip -6 link set dev p1 address 80:88:88:88:88:88])
dnl Neighbours are static: the client resolves the virtual address to the
dnl server MAC, and none of the flows below forwards neighbour discovery.
NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p0])
NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::1 lladdr 80:88:88:88:88:77 dev p1])

dnl Only traffic from ns0 to the virtual address and established return
dnl traffic from ns1 is forwarded; nothing else matches a flow.
AT_DATA([flows.txt], [dnl
dnl Connections to the virtual address are committed and DNATted to the real
dnl server in zone 1.
priority=100 in_port=1,ip6,ipv6_dst=fc00::240,action=ct(zone=1,nat(dst=fc00::2),commit),2
dnl Untracked return traffic is reverse-NATted in zone 1 and re-evaluated.
priority=100 in_port=2,ct_state=-trk,ip6,action=ct(table=0,nat,zone=1)
priority=100 in_port=2,ct_state=+trk+est,ct_zone=1,ip6,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::240])

dnl ICMPv6 echo to the virtual address goes through the same DNAT.
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::240 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Should work with the virtual IP address through NAT
OVS_START_L7([at_ns1], [http6])
NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::240]] -t 5 -T 1 --retry-connrefused -v -o wget0.log])

dnl Both the echo and the TCP connection are committed in zone 1 with the
dnl virtual address in the original tuple and the real server in the reply.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::1)], [0], [dnl
icmpv6,orig=(src=fc00::1,dst=fc00::240,id=<cleared>,type=128,code=0),reply=(src=fc00::2,dst=fc00::1,id=<cleared>,type=129,code=0),zone=1
tcp,orig=(src=fc00::1,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
5074
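AT_SETUP([conntrack - IPv6 ICMP6 Related with SNAT])
dnl UDP from ns0 (SNATted to fc00::240) to a closed port on ns1 solicits an
dnl ICMPv6 "destination unreachable" that conntrack classifies as related to
dnl the UDP flow. The test checks that the error is let back through the
dnl +rel flow and is un-NATted with valid checksums: tcpdump must not report
dnl "wrong" or "bad" for any icmp6 packet captured on the client side.
AT_SKIP_IF([test $HAVE_TCPDUMP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
NS_CHECK_EXEC([at_ns0], [ip -6 link set dev p0 address 80:88:88:88:88:77])
NS_CHECK_EXEC([at_ns1], [ip -6 link set dev p1 address 80:88:88:88:88:88])

dnl Static neighbour entries on both sides; ns1 also needs one for the SNAT
dnl address fc00::240, since no flow below forwards neighbour discovery.
NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::2 lladdr 80:88:88:88:88:88 dev p0])
NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::3 lladdr 80:88:88:88:88:88 dev p0])
NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:77 dev p1])
NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::1 lladdr 80:88:88:88:88:77 dev p1])

NS_CHECK_EXEC([at_ns0], [ip -6 route add default via fc00::2])

dnl Allow any IPv6 traffic from ns0->ns1 (SNATted); from ns1->ns0 only
dnl established replies and related ICMPv6 errors are forwarded.
AT_DATA([flows.txt], [dnl
dnl ns0->ns1 is committed and SNATted to fc00::240.
priority=100 in_port=1,ip6,action=ct(nat(src=fc00::240),commit),2
dnl Untracked return traffic is run through conntrack with NAT and re-evaluated.
priority=100 in_port=2,ct_state=-trk,ip6,action=ct(table=0,nat)
dnl Established replies and related packets (the ICMPv6 error) go back to ns0.
priority=100 in_port=2,ct_state=+trk+est,ip6,action=1
priority=100 in_port=2,ct_state=+trk+rel,ip6,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])

dnl Start from an empty conntrack table so the dump below only shows the
dnl UDP flow created by this test.
AT_CHECK([ovs-appctl dpctl/flush-conntrack])

dnl Capture on the OVS side of the p0 veth pair. -f avoids a spurious rm
dnl error when there is no capture file left over from an earlier run.
rm -f p0.pcap
tcpdump -U -i ovs-p0 -w p0.pcap &
dnl Give tcpdump a moment to attach before the packet is sent.
dnl NOTE(review): the background tcpdump is not terminated explicitly here;
dnl confirm the harness reaps it at cleanup.
sleep 1

dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc -6 $NC_EOF_OPT -u fc00::2 1"])

dnl tcpdump -v flags checksum problems as "wrong" or "bad"; expect no match
dnl (egrep exit status 1), i.e. the un-NATted ICMPv6 error is well-formed.
AT_CHECK([tcpdump -v "icmp6" -r p0.pcap 2>/dev/null | egrep 'wrong|bad'], [1], [ignore-nolog])

dnl Only the UDP flow is expected, SNATted on the reply side.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
udp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP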
9ac0aada 5127
AT_SETUP([conntrack - IPv6 FTP with SNAT])
dnl Active-mode FTP over IPv6 (wget --no-passive-ftp): the client in ns0
dnl (fc00::1) is SNATted to fc00::240 on the control connection, and the
dnl server in ns1 opens the data connection back towards fc00::240. The ftp
dnl ALG has to classify that connection as related so the +new+rel flow from
dnl port 2 can commit it and reverse-translate it to the client.
AT_SKIP_IF([test $HAVE_FTP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
CHECK_CONNTRACK_ALG()

OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl Would be nice if NAT could translate neighbor discovery messages, too.
dnl Until then the server needs a static neighbour entry for the SNAT address.
NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])

dnl Allow FTP control and established TCPv6 from ns0->ns1, related and
dnl established TCPv6 from ns1->ns0, and ICMPv6 (which carries nd) both ways.
AT_DATA([flows.txt], [dnl
dnl track all IPv6 traffic (this includes NAT & helper processing for non-NEW packets.)
table=0 priority=10 ip6, action=ct(nat,table=1)
table=0 priority=0 action=drop
dnl
dnl Table 1
dnl
dnl Allow new TCPv6 FTP control connections, SNATted to fc00::240.
table=1 in_port=1 ct_state=+new tcp6 ipv6_src=fc00::1 tp_dst=21 action=ct(alg=ftp,commit,nat(src=fc00::240)),2
dnl Allow related TCPv6 connections from port 2 to the NATted address (the
dnl active-mode data connection), translated like the master connection.
table=1 in_port=2 ct_state=+new+rel tcp6 ipv6_dst=fc00::240 action=ct(commit,nat),1
dnl Allow established TCPv6 connections both ways, enforce NATting
table=1 in_port=1 ct_state=+est tcp6 ipv6_src=fc00::240 action=2
table=1 in_port=2 ct_state=+est tcp6 ipv6_dst=fc00::1 action=1
dnl Allow other ICMPv6 both ways (without commit).
table=1 priority=100 in_port=1 icmp6, action=2
table=1 priority=100 in_port=2 icmp6, action=1
dnl Drop everything else.
table=1 priority=0, action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])

OVS_START_L7([at_ns1], [ftp])

dnl FTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])

dnl Expect the client-originated control connection (helper=ftp), SNATted on
dnl the reply side, and the server-originated data connection towards
dnl fc00::240 whose reply is translated back to the client address.
dnl Discards CLOSE_WAIT and CLOSING
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
tcp,orig=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
2c66ebe4 5187
AT_SETUP([conntrack - IPv6 FTP Passive with SNAT])
dnl Passive-mode FTP over IPv6: the client in ns0 (fc00::1) is SNATted to
dnl fc00::240 and itself opens the data connection to the server in ns1
dnl (fc00::2), so the related flow arrives on port 1 and must be NATted like
dnl the control connection.
AT_SKIP_IF([test $HAVE_FTP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
CHECK_CONNTRACK_ALG()

OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

dnl Neighbours are static on both sides, including the SNAT address on the
dnl server side.
ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:99])
NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::2 lladdr 80:88:88:88:88:99 dev p0])
NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])

dnl Allow FTP control, related and established TCPv6 from ns0->ns1,
dnl established TCPv6 from ns1->ns0, and ICMPv6 (which carries nd) both ways.
AT_DATA([flows.txt], [dnl
dnl track all IPv6 traffic (this includes NAT & helper processing for non-NEW packets.)
table=0 priority=10 ip6, action=ct(nat,table=1)
table=0 priority=0 action=drop
dnl
dnl Table 1
dnl
dnl Allow new TCPv6 FTP control connections, SNATted to fc00::240.
table=1 in_port=1 ct_state=+new tcp6 ipv6_src=fc00::1 tp_dst=21 action=ct(alg=ftp,commit,nat(src=fc00::240)),2
dnl Allow related TCPv6 connections (the passive data channel) from port 1,
dnl translated like the master connection.
table=1 in_port=1 ct_state=+new+rel tcp6 ipv6_dst=fc00::2 action=ct(commit,nat),2
dnl Allow established TCPv6 connections both ways, enforce NATting
table=1 in_port=1 ct_state=+est tcp6 ipv6_src=fc00::240 action=2
table=1 in_port=2 ct_state=+est tcp6 ipv6_dst=fc00::1 action=1
dnl Allow other ICMPv6 both ways (without commit).
table=1 priority=100 in_port=1 icmp6, action=2
table=1 priority=100 in_port=2 icmp6, action=1
dnl Drop everything else.
table=1 priority=0, action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])

OVS_START_L7([at_ns1], [ftp])

dnl FTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])

dnl Expect the data connection (no helper) and the control connection
dnl (helper=ftp), both originated by the client and SNATted on the reply side.
dnl Discards CLOSE_WAIT and CLOSING
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
daf4d3c1 5248
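AT_SETUP([conntrack - IPv6 FTP with SNAT - orig tuple])
dnl Same active-mode scenario as "conntrack - IPv6 FTP with SNAT", but the
dnl table 1 ACL for the related and established flows matches only on the
dnl conntrack original-direction tuple of the control connection
dnl (ct_nw_proto=6, ct_ipv6_src=fc00::1, ct_tp_dst=21) instead of on the
dnl packet headers. This relies on a new related packet carrying its master
dnl connection's original tuple in the ct_ fields, so the data connection is
dnl authorised through the control connection it belongs to.
AT_SKIP_IF([test $HAVE_FTP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
CHECK_CONNTRACK_ALG()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl Would be nice if NAT could translate neighbor discovery messages, too.
dnl Until then the server needs a static neighbour entry for the SNAT address.
NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])

dnl Allow FTP control and established TCPv6 from ns0->ns1, related and
dnl established TCPv6 from ns1->ns0, and ICMPv6 (which carries nd) both ways.
AT_DATA([flows.txt], [dnl
dnl track all IPv6 traffic (this includes NAT & helper processing for non-NEW packets.)
table=0 priority=10 ip6, action=ct(nat,table=1)
table=0 priority=0 action=drop
dnl
dnl Table 1
dnl
dnl Allow other ICMPv6 both ways (without commit).
table=1 priority=100 in_port=1 icmp6, action=2
table=1 priority=100 in_port=2 icmp6, action=1
dnl Allow new TCPv6 FTP control connections, matched on the original tuple
dnl and SNATted to fc00::240.
table=1 priority=10 in_port=1 ct_state=+new+trk-inv tcp6 ct_nw_proto=6 ct_ipv6_src=fc00::1 ct_tp_dst=21 action=ct(alg=ftp,commit,nat(src=fc00::240)),2
dnl Allow related TCPv6 connections from port 2 to the NATted address, matched
dnl on the master control connection's original tuple only.
table=1 priority=10 in_port=2 ct_state=+new+rel+trk-inv ipv6 ct_nw_proto=6 ct_ipv6_src=fc00::1 ct_tp_dst=21 action=ct(commit,nat),1
dnl Allow established TCPv6 connections both ways, again on the original
dnl tuple rather than the (NATted) packet headers.
table=1 priority=10 in_port=1 ct_state=+est+trk-inv ipv6 ct_nw_proto=6 ct_ipv6_src=fc00::1 ct_tp_dst=21 action=2
table=1 priority=10 in_port=2 ct_state=+est+trk-inv ipv6 ct_nw_proto=6 ct_ipv6_src=fc00::1 ct_tp_dst=21 action=1
dnl Drop everything else.
table=1 priority=0, action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])

dnl Start the FTP server the same way the sibling FTP tests do.
OVS_START_L7([at_ns1], [ftp])

dnl FTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])

dnl Expect the client-originated control connection (helper=ftp), SNATted on
dnl the reply side, and the server-originated data connection towards
dnl fc00::240 whose reply is translated back to the client address.
dnl Discards CLOSE_WAIT and CLOSING
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
tcp,orig=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP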
5308
AT_SETUP([conntrack - IPv4 TFTP with SNAT])
dnl TFTP (UDP) from the client in ns0 (10.1.1.1) to the server in ns1
dnl (10.1.1.2), with the client SNATted to 10.1.1.240. The server answers the
dnl request from a fresh source port, so the tftp ALG must mark that
dnl server-originated flow as related for the +new+rel flow from port 2 to
dnl commit it.
AT_SKIP_IF([test $HAVE_TFTP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
CHECK_CONNTRACK_ALG()

OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

dnl ARP is dropped by the flow table, so neighbours are static, including one
dnl on the server side for the SNAT address.
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])

ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.240 e6:66:c1:11:11:11])

dnl Allow TFTP requests and established UDP from ns0->ns1, related and
dnl established UDP from ns1->ns0, and ICMP both ways; drop everything else.
AT_DATA([flows.txt], [dnl
dnl track all IPv4 traffic.
table=0 priority=10 ip, action=ct(table=1)
dnl drop everything else.
table=0 priority=0 action=drop
dnl
dnl Table 1
dnl Allow ICMP both ways.
table=1 priority=100 in_port=1 icmp, action=2
table=1 priority=100 in_port=2 icmp, action=1
dnl
dnl Allow new TFTP control connections, SNATted to 10.1.1.240 and handed to
dnl the tftp ALG.
table=1 in_port=1 ct_state=+new udp nw_src=10.1.1.1 tp_dst=69 action=ct(alg=tftp,commit,nat(src=10.1.1.240)),2
dnl Allow related UDP connections from port 2 (the server-side transfer),
dnl translated like the master connection.
table=1 in_port=2 ct_state=+new+rel udp nw_src=10.1.1.2 action=ct(commit,nat),1
dnl Allow established and NAT them. Unlike the FTP tests above, table 0 does
dnl not NAT, so established packets are translated here and matched on their
dnl post-NAT addresses in table 2.
table=1 in_port=1 ct_state=+est udp nw_src=10.1.1.1 action=ct(nat,table=2)
table=1 in_port=2 ct_state=+est udp nw_src=10.1.1.2 action=ct(nat,table=2)
dnl
table=1 priority=0, action=drop
dnl
table=2 in_port=1 ct_state=+est udp nw_src=10.1.1.240 action=2
table=2 in_port=2 ct_state=+est udp nw_dst=10.1.1.1 action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Check that the stacks are up before sending traffic, to avoid races.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2 >/dev/null])

dnl A tftp server is started in both namespaces; only the one in ns1 is
dnl contacted by the request below.
OVS_START_L7([at_ns0], [tftp])
OVS_START_L7([at_ns1], [tftp])

dnl TFTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [[curl $CURL_OPT tftp://10.1.1.2/flows.txt -o foo 2>curl0.log]])

dnl Expect the client's request flow (helper=tftp), SNATted on the reply
dnl side, and the server-originated transfer towards 10.1.1.240 whose reply
dnl is translated back to the client address.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),helper=tftp
udp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
dnl Load-balance new connections to a virtual IP (10.1.1.64) across three
dnl backends (10.1.1.2, .3, .4) with a select group whose buckets DNAT and
dnl commit the connection.  The client in at_ns1 issues 12 HTTP requests
dnl and the test asserts that every backend received at least one of them.
AT_SETUP([conntrack - DNAT load balancing])
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns1, at_ns2, at_ns3, at_ns4)

dnl at_ns1 is the client; at_ns2..at_ns4 are the backends.  Fixed MAC
dnl addresses so the routing table below can rewrite eth_dst statically.
ADD_VETH(p1, at_ns1, br0, "10.1.1.1/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.2/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.3/24")
ADD_VETH(p4, at_ns4, br0, "10.1.1.4/24")
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:11])
NS_CHECK_EXEC([at_ns2], [ip link set dev p2 address 80:88:88:88:88:22])
NS_CHECK_EXEC([at_ns3], [ip link set dev p3 address 80:88:88:88:88:33])
NS_CHECK_EXEC([at_ns4], [ip link set dev p4 address 80:88:88:88:88:44])

dnl Select group for load balancing. One bucket per server. Each bucket
dnl tracks and NATs the connection and recirculates to table 4 for egress
dnl routing. Packets of existing connections are always NATted based on
dnl connection state, only new connections are NATted according to the
dnl specific NAT parameters in each bucket.
AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn add-group br0 "group_id=234,type=select,bucket=weight=100,ct(nat(dst=10.1.1.2),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.3),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.4),commit,table=4)"])

AT_DATA([flows.txt], [dnl
dnl Track connections to the virtual IP address.
table=0 priority=100 ip nw_dst=10.1.1.64 action=group:234
dnl All other IP traffic is allowed but the connection state is not committed.
dnl ct(nat) here still applies the stored translation to packets of
dnl connections that the group above already committed (i.e. replies).
table=0 priority=90 ip action=ct(table=4,nat)
dnl
dnl Allow ARP, but generate responses for virtual addresses
dnl Requests: copy the target IP (TPA) into reg2, resolve it in table 8,
dnl then decide in table 10 whether to answer or forward normally.
table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
table=0 priority=10 arp action=normal
table=0 priority=0 action=drop
dnl
dnl Routing table
dnl
table=4,ip,nw_dst=10.1.1.1 action=mod_dl_dst:80:88:88:88:88:11,output:1
table=4,ip,nw_dst=10.1.1.2 action=mod_dl_dst:80:88:88:88:88:22,output:2
table=4,ip,nw_dst=10.1.1.3 action=mod_dl_dst:80:88:88:88:88:33,output:3
table=4,ip,nw_dst=10.1.1.4 action=mod_dl_dst:80:88:88:88:88:44,output:4
table=4 priority=0 action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64 (the virtual IP); it resolves to the virtual
dnl MAC 80:88:88:88:88:88.
table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
dnl (xreg0 is the 64-bit view of OXM_OF_PKT_REG0.)
table=10 priority=100 arp xreg0=0 action=normal
dnl Swaps the fields of the ARP message to turn a query to a response.
dnl The ingress port is saved in reg3 and in_port cleared so the reply can
dnl be output on the port it arrived on (output to in_port is otherwise
dnl suppressed).
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
dnl Anything else that reaches table 10 is handed to the controller.
table=10 priority=0 action=controller
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Start web servers
OVS_START_L7([at_ns2], [http])
OVS_START_L7([at_ns3], [http])
OVS_START_L7([at_ns4], [http])

dnl Diagnostics printed when the test exits, to help explain a failed
dnl distribution check below.
on_exit 'ovs-ofctl -O OpenFlow15 dump-flows br0'
on_exit 'ovs-appctl revalidator/purge'
on_exit 'ovs-appctl dpif/dump-flows br0'

dnl Should work with the virtual IP address through NAT
dnl Twelve requests over three buckets: a run in which the select group
dnl never picks one of the backends would fail the check below.
for i in 1 2 3 4 5 6 7 8 9 10 11 12; do
 echo Request $i
 NS_CHECK_EXEC([at_ns1], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget$i.log])
done

dnl Each server should have at least one connection.
dnl FORMAT_CT masks ports and TCP state; it presumably also collapses the
dnl 12 entries into one line per backend -- confirm against its definition
dnl if this check ever flakes.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.3,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
])

dnl Extra diagnostics only; nothing below is asserted on.
ovs-appctl dpif/dump-flows br0
ovs-appctl revalidator/purge
ovs-ofctl -O OpenFlow15 dump-flows br0
ovs-ofctl -O OpenFlow15 dump-group-stats br0

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
5458
5459
dnl Variant of the DNAT load-balancing test driven by nc instead of wget,
dnl with two clients (at_ns1 and at_ns5) that deliberately reuse the same
dnl fixed source ports against the virtual IP.  Unlike the wget variant this
dnl test asserts nothing about conntrack: the dumps at the end are printed
dnl only, so a failure here means one of the nc commands itself failed.
AT_SETUP([conntrack - DNAT load balancing with NC])
AT_SKIP_IF([test $HAVE_NC = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns1, at_ns2, at_ns3, at_ns4, at_ns5)

dnl at_ns1 and at_ns5 are clients; at_ns2..at_ns4 are the backends.
ADD_VETH(p1, at_ns1, br0, "10.1.1.1/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.2/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.3/24")
ADD_VETH(p4, at_ns4, br0, "10.1.1.4/24")
ADD_VETH(p5, at_ns5, br0, "10.1.1.5/24")
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:11])
NS_CHECK_EXEC([at_ns2], [ip link set dev p2 address 80:88:88:88:88:22])
NS_CHECK_EXEC([at_ns3], [ip link set dev p3 address 80:88:88:88:88:33])
NS_CHECK_EXEC([at_ns4], [ip link set dev p4 address 80:88:88:88:88:44])
NS_CHECK_EXEC([at_ns5], [ip link set dev p5 address 80:88:88:88:88:55])

dnl Select group for load balancing. One bucket per server. Each bucket
dnl tracks and NATs the connection and recirculates to table 4 for egress
dnl routing. Packets of existing connections are always NATted based on
dnl connection state, only new connections are NATted according to the
dnl specific NAT parameters in each bucket.
AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn add-group br0 "group_id=234,type=select,bucket=weight=100,ct(nat(dst=10.1.1.2),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.3),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.4),commit,table=4)"])

AT_DATA([flows.txt], [dnl
dnl Track connections to the virtual IP address.
table=0 priority=100 ip nw_dst=10.1.1.64 action=group:234
dnl All other IP traffic is allowed but the connection state is not committed.
dnl ct(nat) here still applies the stored translation to packets of
dnl connections that the group above already committed (i.e. replies).
table=0 priority=90 ip action=ct(table=4,nat)
dnl
dnl Allow ARP, but generate responses for virtual addresses
dnl Requests: copy the target IP (TPA) into reg2, resolve it in table 8,
dnl then decide in table 10 whether to answer or forward normally.
table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
table=0 priority=10 arp action=normal
table=0 priority=0 action=drop
dnl
dnl Routing table
dnl
table=4,ip,nw_dst=10.1.1.1 action=mod_dl_dst:80:88:88:88:88:11,output:1
table=4,ip,nw_dst=10.1.1.2 action=mod_dl_dst:80:88:88:88:88:22,output:2
table=4,ip,nw_dst=10.1.1.3 action=mod_dl_dst:80:88:88:88:88:33,output:3
table=4,ip,nw_dst=10.1.1.4 action=mod_dl_dst:80:88:88:88:88:44,output:4
table=4,ip,nw_dst=10.1.1.5 action=mod_dl_dst:80:88:88:88:88:55,output:5
table=4 priority=0 action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64 (the virtual IP); it resolves to the virtual
dnl MAC 80:88:88:88:88:88.
table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
dnl (xreg0 is the 64-bit view of OXM_OF_PKT_REG0.)
table=10 priority=100 arp xreg0=0 action=normal
dnl Swaps the fields of the ARP message to turn a query to a response.
dnl The ingress port is saved in reg3 and in_port cleared so the reply can
dnl be output on the port it arrived on (output to in_port is otherwise
dnl suppressed).
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
dnl Anything else that reaches table 10 is handed to the controller.
table=10 priority=0 action=controller
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Start web servers
OVS_START_L7([at_ns2], [http])
OVS_START_L7([at_ns3], [http])
OVS_START_L7([at_ns4], [http])

dnl Diagnostics printed when the test exits.
on_exit 'ovs-ofctl -O OpenFlow15 dump-flows br0'
on_exit 'ovs-appctl revalidator/purge'
on_exit 'ovs-appctl dpif/dump-flows br0'

dnl NOTE(review): fixed delay before the first request; the wget variant of
dnl this test proceeds without it.  If this is to let the servers come up,
dnl an OVS_WAIT_UNTIL on a first successful connection would not race.
sleep 5

dnl Should work with the virtual IP address through NAT
dnl Both clients use source port 4100$i for request $i, so the NAT mappings
dnl for the two clients differ only in source IP.
for i in 1 2 3 4 5 6 7 8 9; do
 echo Request $i
 NS_CHECK_EXEC([at_ns1], [echo "TEST1" | nc -p 4100$i 10.1.1.64 80 > nc-1-$i.log])
 NS_CHECK_EXEC([at_ns5], [echo "TEST5" | nc -p 4100$i 10.1.1.64 80 > nc-5-$i.log])
done

dnl Kernel conntrack table, printed for diagnosis only (not asserted on).
conntrack -L 2>&1

dnl Extra diagnostics only; nothing below is asserted on.
ovs-appctl dpif/dump-flows br0
ovs-appctl revalidator/purge
ovs-ofctl -O OpenFlow15 dump-flows br0
ovs-ofctl -O OpenFlow15 dump-group-stats br0

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
dnl Floating-IP (FIP) translation done with set_field in the pipeline rather
dnl than with ct(nat).  Because the tuple is rewritten after the first ct()
dnl lookup, the flows must ct_clear and look the packet up again so that the
dnl translated tuple gets its own committed conntrack entry.  The test checks
dnl that both a direct session and a session via the FIP end in TIME_WAIT.
AT_SETUP([conntrack - floating IP])
AT_SKIP_IF([test $HAVE_NC = no])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()
OVS_CHECK_CT_CLEAR()

ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24", "f0:00:00:01:01:01") dnl FIP 10.254.254.1
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24", "f0:00:00:01:01:02") dnl FIP 10.254.254.2

dnl Static ARPs
NS_CHECK_EXEC([at_ns0], [ip neigh add 10.1.1.2 lladdr f0:00:00:01:01:02 dev p0])
NS_CHECK_EXEC([at_ns1], [ip neigh add 10.1.1.1 lladdr f0:00:00:01:01:01 dev p1])

dnl Static ARP and route entries for the FIP "gateway"
dnl No host owns 10.1.1.254 / f0:00:00:01:01:FE; the flows below answer for
dnl it by using that MAC as eth_src on traffic sourced from the FIP range.
NS_CHECK_EXEC([at_ns0], [ip neigh add 10.1.1.254 lladdr f0:00:00:01:01:FE dev p0])
NS_CHECK_EXEC([at_ns1], [ip neigh add 10.1.1.254 lladdr f0:00:00:01:01:FE dev p1])
NS_CHECK_EXEC([at_ns0], [ip route add default nexthop via 10.1.1.254])
NS_CHECK_EXEC([at_ns1], [ip route add default nexthop via 10.1.1.254])

dnl TCP listener in at_ns0; -k keeps it listening after the first client.
NETNS_DAEMONIZE([at_ns0], [nc -l -k 1234 > /dev/null], [nc0.pid])

AT_DATA([flows.txt], [dnl
dnl Track every IP packet; anything else is dropped.
table=0,priority=10 ip action=ct(table=1)
table=0,priority=1 action=drop
dnl dst FIP
table=1,priority=20 ip,ct_state=+trk+est,nw_dst=10.254.254.0/24 action=goto_table:10
table=1,priority=20 ip,ct_state=+trk+new,nw_dst=10.254.254.0/24 action=ct(commit,table=10)
dnl dst local
table=1,priority=10 ip,ct_state=+trk+est action=goto_table:20
table=1,priority=10 ip,ct_state=+trk+new action=ct(commit,table=20)
table=1,priority=1 ip,ct_state=+trk+inv action=drop
dnl
dnl FIP translation (dst FIP, src local) --> (dst local, src FIP)
table=10 ip,nw_dst=10.254.254.1 action=set_field:10.1.1.1->nw_dst,goto_table:11
table=10 ip,nw_dst=10.254.254.2 action=set_field:10.1.1.2->nw_dst,goto_table:11
table=11 ip,nw_src=10.1.1.1 action=set_field:10.254.254.1->nw_src,goto_table:12
table=11 ip,nw_src=10.1.1.2 action=set_field:10.254.254.2->nw_src,goto_table:12
dnl clear conntrack and do another lookup since we changed the tuple
dnl Without ct_clear the state from the pre-translation lookup would be
dnl carried over and the translated tuple would never be committed.
table=12,priority=10 ip action=ct_clear,ct(table=13)
table=12,priority=1 action=drop
table=13 ip,ct_state=+trk+est action=goto_table:20
table=13 ip,ct_state=+trk+new action=ct(commit,table=20)
table=13 ip,ct_state=+trk+inv action=drop
dnl
dnl Output
dnl eth_src from nw_src (the "gateway" MAC for FIP-sourced packets), then
dnl eth_dst and output port from nw_dst.
table=20 ip,nw_src=10.1.1.1 action=set_field:f0:00:00:01:01:01->eth_src,goto_table:21
table=20 ip,nw_src=10.1.1.2 action=set_field:f0:00:00:01:01:02->eth_src,goto_table:21
table=20 ip,nw_src=10.254.254.0/24 action=set_field:f0:00:00:01:01:FE->eth_src,goto_table:21
table=21 ip,nw_dst=10.1.1.1 action=set_field:f0:00:00:01:01:01->eth_dst,output:ovs-p0
table=21 ip,nw_dst=10.1.1.2 action=set_field:f0:00:00:01:01:02->eth_dst,output:ovs-p1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl non-FIP case
dnl Ports and ids vary per run, so they are masked before matching.
NS_CHECK_EXEC([at_ns1], [echo "foobar" |nc $NC_EOF_OPT 10.1.1.1 1234])
OVS_WAIT_UNTIL([[ovs-appctl dpctl/dump-conntrack | sed -e 's/port=[0-9]*/port=<cleared>/g' -e 's/id=[0-9]*/id=<cleared>/g' |
grep "tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)"
]])

dnl Check that the full session ends as expected (i.e. TIME_WAIT). Otherwise it
dnl means the datapath didn't process the ct_clear action. Ending in SYN_RECV
dnl (OVS maps to ESTABLISHED) means the initial frame was committed, but not a
dnl second time after the FIP translation (because ct_clear didn't occur).
dnl The entry looked for is the translated tuple (src 10.254.254.2), not the
dnl pre-translation one.
NS_CHECK_EXEC([at_ns1], [echo "foobar" |nc $NC_EOF_OPT 10.254.254.1 1234])
OVS_WAIT_UNTIL([[ovs-appctl dpctl/dump-conntrack | sed -e 's/port=[0-9]*/port=<cleared>/g' -e 's/id=[0-9]*/id=<cleared>/g' |
grep "tcp,orig=(src=10.254.254.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.254.254.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)"
]])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
5620
AT_BANNER([802.1ad])

dnl With vlan-limit=0 (no limit) a double-tagged frame is parsed through both
dnl tags and forwarded normally.  After lowering the limit to 1 only the
dnl outer tag is parsed, so the inner 0x8100 tag is what the flow table sees
dnl as dl_type, and a drop flow on that ethertype must stop the C-VLAN ping.
AT_SETUP([802.1ad - vlan_limit])
OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])
OVS_CHECK_8021AD()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Outer (service) VLAN 4094 on each veth, inner (customer) VLAN 100 on top.
ADD_SVLAN(p0, at_ns0, 4094, "10.255.2.1/24")
ADD_SVLAN(p1, at_ns1, 4094, "10.255.2.2/24")

ADD_CVLAN(p0.4094, at_ns0, 100, "10.2.2.1/24")
ADD_CVLAN(p1.4094, at_ns1, 100, "10.2.2.2/24")

AT_CHECK([ovs-ofctl add-flow br0 "priority=1 action=normal"])

OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])

dnl CVLAN traffic should match the flow and drop
dnl The purge presumably discards the datapath flows installed under the old
dnl limit, so the next packet is classified with vlan-limit=1 in effect.
AT_CHECK([ovs-appctl revalidator/purge])
AT_CHECK([ovs-vsctl set Open_vSwitch . other_config:vlan-limit=1])
AT_CHECK([ovs-ofctl add-flow br0 "priority=100 dl_type=0x8100 action=drop"])
dnl ping exits 1 when no reply arrives within the 3 s deadline.
NS_CHECK_EXEC([at_ns0], [ping -q -c 1 -w 3 10.2.2.2], [1], [ignore])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
5650
5651
dnl br0 acts as the provider bridge between two customer bridges br1 and
dnl br2.  br0 pushes an outer 802.1ad (0x88a8) tag with VID 4094 on frames
dnl crossing it; the customer bridges pop the outer tag on their uplink and
dnl forward normally.  Hosts talk over C-VLAN 100, so a successful ping means
dnl the push/pop round trip preserved the inner 802.1Q tag.
AT_SETUP([802.1ad - push/pop outer 802.1ad])
OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])
OVS_CHECK_8021AD()

ADD_BR([br1])
ADD_BR([br2])
ADD_NAMESPACES(at_ns0, at_ns1)

dnl veth pair ovs-p0 (br0) <-> ovs-p1 (br1); deleting one end removes the
dnl pair at exit.
AT_CHECK([ip link add ovs-p0 type veth peer name ovs-p1])
AT_CHECK([ip link set dev ovs-p0 up])
AT_CHECK([ip link set dev ovs-p1 up])
AT_CHECK([ovs-vsctl add-port br0 ovs-p0])
AT_CHECK([ovs-vsctl add-port br1 ovs-p1])
on_exit 'ip link del ovs-p0'

dnl veth pair ovs-p2 (br0) <-> ovs-p3 (br2).
AT_CHECK([ip link add ovs-p2 type veth peer name ovs-p3])
AT_CHECK([ip link set dev ovs-p2 up])
AT_CHECK([ip link set dev ovs-p3 up])
AT_CHECK([ovs-vsctl add-port br0 ovs-p2])
AT_CHECK([ovs-vsctl add-port br2 ovs-p3])
on_exit 'ip link del ovs-p2'

ADD_VETH(p4, at_ns0, br1, "10.1.1.1/24")
ADD_VETH(p5, at_ns1, br2, "10.1.1.2/24")
ADD_CVLAN(p4, at_ns0, 100, "10.2.2.1/24")
ADD_CVLAN(p5, at_ns1, 100, "10.2.2.2/24")

dnl Provider bridge: only traffic between the two uplinks is allowed, and it
dnl gets the outer S-tag on the way through.
AT_DATA([flows-br0.txt], [dnl
priority=1 action=drop
priority=100 in_port=1 action=push_vlan:0x88a8,mod_vlan_vid=4094,output:2
priority=100 in_port=2 action=push_vlan:0x88a8,mod_vlan_vid=4094,output:1
])

dnl Customer bridges: on the uplink (in_port=1) pop the outer tag when one is
dnl present (vlan_tci bit 0x1000 set), then forward normally.
AT_DATA([flows-customer-br.txt], [dnl
priority=1 action=normal
priority=100 in_port=1 vlan_tci=0x1000/0x1000 action=pop_vlan,normal
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-customer-br.txt])
AT_CHECK([ovs-ofctl --bundle add-flows br2 flows-customer-br.txt])

OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])

NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Larger-than-MTU payload exercises fragmentation with the extra tag.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
5706
5707
dnl Same topology and flow logic as the "push/pop outer 802.1ad" test, but
dnl the provider bridge pushes an outer 802.1Q (0x8100) tag instead of
dnl 0x88a8, i.e. QinQ with two 802.1Q tags.
AT_SETUP([802.1ad - push/pop outer 802.1q])
OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])
OVS_CHECK_8021AD()

ADD_BR([br1])
ADD_BR([br2])
ADD_NAMESPACES(at_ns0, at_ns1)

dnl veth pair ovs-p0 (br0) <-> ovs-p1 (br1); deleting one end removes the
dnl pair at exit.
AT_CHECK([ip link add ovs-p0 type veth peer name ovs-p1])
AT_CHECK([ip link set dev ovs-p0 up])
AT_CHECK([ip link set dev ovs-p1 up])
AT_CHECK([ovs-vsctl add-port br0 ovs-p0])
AT_CHECK([ovs-vsctl add-port br1 ovs-p1])
on_exit 'ip link del ovs-p0'

dnl veth pair ovs-p2 (br0) <-> ovs-p3 (br2).
AT_CHECK([ip link add ovs-p2 type veth peer name ovs-p3])
AT_CHECK([ip link set dev ovs-p2 up])
AT_CHECK([ip link set dev ovs-p3 up])
AT_CHECK([ovs-vsctl add-port br0 ovs-p2])
AT_CHECK([ovs-vsctl add-port br2 ovs-p3])
on_exit 'ip link del ovs-p2'

ADD_VETH(p4, at_ns0, br1, "10.1.1.1/24")
ADD_VETH(p5, at_ns1, br2, "10.1.1.2/24")
ADD_CVLAN(p4, at_ns0, 100, "10.2.2.1/24")
ADD_CVLAN(p5, at_ns1, 100, "10.2.2.2/24")

dnl Provider bridge: only traffic between the two uplinks is allowed, and it
dnl gets an outer 0x8100 tag with VID 4094 on the way through.
AT_DATA([flows-br0.txt], [dnl
priority=1 action=drop
priority=100 in_port=1 action=push_vlan:0x8100,mod_vlan_vid=4094,output:2
priority=100 in_port=2 action=push_vlan:0x8100,mod_vlan_vid=4094,output:1
])

dnl Customer bridges: on the uplink (in_port=1) pop the outer tag when one is
dnl present (vlan_tci bit 0x1000 set), then forward normally.
AT_DATA([flows-customer-br.txt], [dnl
priority=1 action=normal
priority=100 in_port=1 vlan_tci=0x1000/0x1000 action=pop_vlan,normal
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-customer-br.txt])
AT_CHECK([ovs-ofctl --bundle add-flows br2 flows-customer-br.txt])

OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])

NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Larger-than-MTU payload exercises fragmentation with the extra tag.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
5762
5763
dnl Same provider/customer topology as the push/pop tests, but the S-tag is
dnl added and removed by the port configuration (vlan_mode=dot1q-tunnel on
dnl the provider uplinks) rather than by explicit flows; every bridge just
dnl runs "normal".  cvlans=100,200 restricts which customer VLANs are
dnl tunneled, so C-VLAN 300 must not get through and the daemon is expected
dnl to log the dropped VLAN (filtered out of the log check at STOP).
AT_SETUP([802.1ad - 802.1q tunnel])
OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])
OVS_CHECK_8021AD()

ADD_BR([br1])
ADD_BR([br2])
ADD_NAMESPACES(at_ns0, at_ns1)

dnl veth pair ovs-p0 (br0) <-> ovs-p1 (br1); deleting one end removes the
dnl pair at exit.
AT_CHECK([ip link add ovs-p0 type veth peer name ovs-p1])
AT_CHECK([ip link set dev ovs-p0 up])
AT_CHECK([ip link set dev ovs-p1 up])
AT_CHECK([ovs-vsctl add-port br0 ovs-p0])
AT_CHECK([ovs-vsctl add-port br1 ovs-p1])
on_exit 'ip link del ovs-p0'

dnl veth pair ovs-p2 (br0) <-> ovs-p3 (br2).
AT_CHECK([ip link add ovs-p2 type veth peer name ovs-p3])
AT_CHECK([ip link set dev ovs-p2 up])
AT_CHECK([ip link set dev ovs-p3 up])
AT_CHECK([ovs-vsctl add-port br0 ovs-p2])
AT_CHECK([ovs-vsctl add-port br2 ovs-p3])
on_exit 'ip link del ovs-p2'

ADD_VETH(p4, at_ns0, br1, "10.1.1.1/24")
ADD_VETH(p5, at_ns1, br2, "10.1.1.2/24")
dnl Three customer VLANs per host; only 100 and 200 are allowed below.
ADD_CVLAN(p4, at_ns0, 100, "10.2.2.1/24")
ADD_CVLAN(p5, at_ns1, 100, "10.2.2.2/24")
ADD_CVLAN(p4, at_ns0, 200, "10.3.2.1/24")
ADD_CVLAN(p5, at_ns1, 200, "10.3.2.2/24")
ADD_CVLAN(p4, at_ns0, 300, "10.4.2.1/24")
ADD_CVLAN(p5, at_ns1, 300, "10.4.2.2/24")

AT_CHECK([ovs-ofctl add-flow br0 action=normal])
AT_CHECK([ovs-ofctl add-flow br1 action=normal])
AT_CHECK([ovs-ofctl add-flow br2 action=normal])
AT_CHECK([ovs-vsctl set port ovs-p0 vlan_mode=dot1q-tunnel tag=4094 cvlans=100,200])
AT_CHECK([ovs-vsctl set port ovs-p2 vlan_mode=dot1q-tunnel tag=4094 cvlans=100,200])

OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.3.2.2])

NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.3.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Larger-than-MTU payloads exercise fragmentation through the tunnel.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.3.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl CVLAN 300 is not permitted by dot1q-tunnel
dnl ping exits 1 when no reply arrives within the 3 s deadline.
NS_CHECK_EXEC([at_ns0], [ping -q -c 1 -w 3 10.4.2.2], [1], [ignore])

dnl The drop of VLAN 300 (and of untagged, VLAN 0, frames) on the
dnl dot1q-tunnel port is expected, so that log line is not a failure.
OVS_TRAFFIC_VSWITCHD_STOP(["/dropping VLAN \(0\|300\) packet received on dot1q-tunnel port/d"])
AT_CLEANUP
5825
dnl Match on both tags of a double-tagged frame in a multi-table pipeline:
dnl table 0 matches the outer S-VLAN 4094 and pops it, table 1 then matches
dnl the now-outer C-VLAN 100, re-pushes an 802.1ad tag and forwards normally.
dnl A successful ping across C-VLAN 100 shows both matches were taken.
AT_SETUP([802.1ad - double vlan match])
OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])
OVS_CHECK_8021AD()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Outer (service) VLAN 4094 on each veth, inner (customer) VLAN 100 on top.
ADD_SVLAN(p0, at_ns0, 4094, "10.255.2.1/24")
ADD_SVLAN(p1, at_ns1, 4094, "10.255.2.2/24")

ADD_CVLAN(p0.4094, at_ns0, 100, "10.2.2.1/24")
ADD_CVLAN(p1.4094, at_ns1, 100, "10.2.2.2/24")

dnl Style: this flow writes mod_vlan_vid:4094 while the other 802.1ad tests
dnl in this file write mod_vlan_vid=4094; both forms appear in this file.
AT_DATA([flows-br0.txt], [dnl
table=0,priority=1 action=drop
table=0,priority=100 dl_vlan=4094 action=pop_vlan,goto_table:1
table=1,priority=100 dl_vlan=100 action=push_vlan:0x88a8,mod_vlan_vid:4094,normal
])
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])

OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])

NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Larger-than-MTU payload exercises fragmentation with two tags.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
5860
5861
AT_BANNER([nsh-datapath])

dnl Inject a raw TCP SYN on p0 and check on the pcap taken at ovs-p1 that OVS
dnl wrapped it in Ethernet/NSH (md_type 1, spi 0x1234, c1 0x11223344) with
dnl the outer MACs set by the flow, and that the original frame follows the
dnl NSH header unchanged.
AT_SETUP([nsh - encap header])
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

dnl No IP addresses: frames are crafted and captured at L2.
ADD_VETH(p0, at_ns0, br0, "0.0.0.0")
ADD_VETH(p1, at_ns1, br0, "0.0.0.0")

dnl The flow will encap a nsh header to the TCP syn packet
dnl eth/ip/tcp --> OVS --> eth/nsh/eth/ip/tcp
AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,in_port=ovs-p0,ip,actions=encap(nsh(md_type=1)),set_field:0x1234->nsh_spi,set_field:0x11223344->nsh_c1,encap(ethernet),set_field:f2:ff:00:00:00:02->dl_dst,set_field:f2:ff:00:00:00:01->dl_src,ovs-p1"])

dnl Capture on the egress port.  NOTE(review): rm runs without -f (its error
dnl on a missing file is ignored, it is not an AT_CHECK); tcpdump is
dnl backgrounded with '&' and nothing in this test records its pid or
dnl terminates it; and the fixed sleep is a race with tcpdump attaching to
dnl the interface -- an OVS_WAIT_UNTIL on the pcap appearing would be more
dnl robust.  The same pattern is used by the other nsh tests.
rm ovs-p1.pcap
tcpdump -U -i ovs-p1 -w ovs-p1.pcap &
sleep 1

dnl The hex dump is a TCP syn packet. pkt=eth/ip/tcp
dnl The packet is sent from p0(at_ns0) interface directed to
dnl p1(at_ns1) interface
dnl sendpkt.py writes the frame (given as hex bytes) on p0 inside at_ns0.
NS_CHECK_EXEC([at_ns0], [$PYTHON $srcdir/sendpkt.py p0 f2 00 00 00 00 02 f2 00 00 00 00 01 08 00 45 00 00 28 00 01 00 00 40 06 b0 13 c0 a8 00 0a 0a 00 00 0a 04 00 08 00 00 00 00 c8 00 00 00 00 50 02 20 00 b8 5e 00 00 > /dev/null])

dnl Fixed delay for the frame to reach the capture (see note above).
sleep 1

dnl Check the expected nsh encapsulated packet on the egress interface
dnl Only egrep's exit status matters: its stdout is discarded and its
dnl stderr is routed to stdout.  Line 0x0000 is the outer Ethernet header
dnl (dst f2:ff:00:00:00:02, src f2:ff:00:00:00:01, ethertype 0x894f NSH);
dnl lines 0x0010-0x0020 are the NSH header; 0x0020 onward is the original
dnl frame as sent above.
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | egrep "0x0000: *f2ff *0000 *0002 *f2ff *0000 *0001 *894f *0fc6" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | egrep "0x0010: *0103 *0012 *34ff *1122 *3344 *0000 *0000 *0000" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | egrep "0x0020: *0000 *0000 *0000 *f200 *0000 *0002 *f200 *0000" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | egrep "0x0030: *0001 *0800 *4500 *0028 *0001 *0000 *4006 *b013" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | egrep "0x0040: *c0a8 *000a *0a00 *000a *0400 *0800 *0000 *00c8" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | egrep "0x0050: *0000 *0000 *5002 *2000 *b85e *0000" 2>&1 1>/dev/null])


OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
5898
dnl Inverse of the encap test: inject an Ethernet/NSH/Ethernet/IP/TCP frame
dnl on p0 and check on the pcap taken at ovs-p1 that two decap() actions
dnl stripped the outer Ethernet and the NSH header, leaving the inner TCP
dnl SYN frame byte for byte.
AT_SETUP([nsh - decap header])
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

dnl No IP addresses: frames are crafted and captured at L2.
ADD_VETH(p0, at_ns0, br0, "0.0.0.0")
ADD_VETH(p1, at_ns1, br0, "0.0.0.0")

dnl The flow will decap a nsh header which in turn carries a TCP syn packet
dnl eth/nsh/eth/ip/tcp --> OVS --> eth/ip/tcp
dnl The first decap() removes the outer Ethernet header, the second the NSH
dnl header.
AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,in_port=ovs-p0,dl_type=0x894f, actions=decap(),decap(), ovs-p1"])

dnl Capture on the egress port.  NOTE(review): tcpdump is backgrounded with
dnl '&' and never terminated or pid-tracked by this test, and the fixed
dnl sleeps race with capture start-up; see the encap test.
rm ovs-p1.pcap
tcpdump -U -i ovs-p1 -w ovs-p1.pcap &
sleep 1

dnl The hex dump is NSH packet with TCP syn payload. pkt=eth/nsh/eth/ip/tcp
dnl The packet is sent from p0(at_ns0) interface directed to
dnl p1(at_ns1) interface
NS_CHECK_EXEC([at_ns0], [$PYTHON $srcdir/sendpkt.py p0 f2 ff 00 00 00 02 f2 ff 00 00 00 01 89 4f 02 06 01 03 00 00 64 03 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 f2 00 00 00 00 02 f2 00 00 00 00 01 08 00 45 00 00 28 00 01 00 00 40 06 b0 13 c0 a8 00 0a 0a 00 00 0a 04 00 08 00 00 00 00 c8 00 00 00 00 50 02 20 00 b8 5e 00 00 > /dev/null])

sleep 1

dnl Check the expected de-capsulated TCP packet on the egress interface
dnl Only egrep's exit status matters (stdout discarded).  The expected bytes
dnl are exactly the inner frame from the injected packet, starting at its
dnl Ethernet header (dst f2:00:00:00:00:02, ethertype 0x0800).
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | egrep "0x0000: *f200 *0000 *0002 *f200 *0000 *0001 *0800 *4500" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | egrep "0x0010: *0028 *0001 *0000 *4006 *b013 *c0a8 *000a *0a00" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | egrep "0x0020: *000a *0400 *0800 *0000 *00c8 *0000 *0000 *5002" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | egrep "0x0030: *2000 *b85e *0000" 2>&1 1>/dev/null])


OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
5931
dnl Decap an NSH packet matched on spi=0x100/si=3 and re-encapsulate it with
dnl a new NSH header (ttl 7, spi 0x101, si 4, fresh MD1 context c1..c4),
dnl then check the rewritten header and the untouched inner frame on the
dnl pcap taken at ovs-p1.
AT_SETUP([nsh - replace header])
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

dnl No IP addresses: frames are crafted and captured at L2.
ADD_VETH(p0, at_ns0, br0, "0.0.0.0")
ADD_VETH(p1, at_ns1, br0, "0.0.0.0")

dnl The flow will decap a nsh header and encap a new nsh header
dnl eth/nsh-X/eth/ip/tcp --> OVS --> eth/nsh-Y/eth/ip/tcp
dnl The flow will add another NSH header with nsh_spi=0x101, nsh_si=4,
dnl nsh_ttl=7 and change the md1 context
dnl The match on nsh_spi/nsh_si means a packet with any other service path
dnl falls through to the (empty) default and is dropped.
AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,in_port=ovs-p0,dl_type=0x894f,nsh_spi=0x100,nsh_si=0x03,actions=decap(),decap(),encap(nsh(md_type=1)),set_field:0x07->nsh_ttl,set_field:0x0101->nsh_spi,set_field:0x04->nsh_si,set_field:0x100f0e0d->nsh_c1,set_field:0x0c0b0a09->nsh_c2,set_field:0x08070605->nsh_c3,set_field:0x04030201->nsh_c4,encap(ethernet),set_field:f2:ff:00:00:00:02->dl_dst,set_field:f2:ff:00:00:00:01->dl_src,ovs-p1"])

dnl Capture on the egress port.  NOTE(review): tcpdump is backgrounded with
dnl '&' and never terminated or pid-tracked by this test, and the fixed
dnl sleeps race with capture start-up; see the encap test.
rm ovs-p1.pcap
tcpdump -U -i ovs-p1 -w ovs-p1.pcap &
sleep 1

dnl The hex dump is NSH packet with TCP syn payload. pkt=eth/nsh/eth/ip/tcp
dnl The nsh_ttl is 8, nsh_spi is 0x100 and nsh_si is 3
dnl The packet is sent from p0(at_ns0) interface directed to
dnl p1(at_ns1) interface
NS_CHECK_EXEC([at_ns0], [$PYTHON $srcdir/sendpkt.py p0 f2 ff 00 00 00 02 f2 ff 00 00 00 01 89 4f 02 06 01 03 00 01 00 03 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 f2 00 00 00 00 02 f2 00 00 00 00 01 08 00 45 00 00 28 00 01 00 00 40 06 b0 13 c0 a8 00 0a 0a 00 00 0a 04 00 08 00 00 00 00 c8 00 00 00 00 50 02 20 00 b8 5e 00 00 > /dev/null])

sleep 1

dnl Check the expected NSH packet with new fields in the header
dnl Only egrep's exit status matters (stdout discarded).  Line 0x0010 holds
dnl the new spi/si (0x000101 / 0x04) and the start of the new context
dnl headers; 0x0020 onward is the inner frame as sent.
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | egrep "0x0000: *f2ff *0000 *0002 *f2ff *0000* 0001 *894f *01c6" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | egrep "0x0010: *0103 *0001 *0104 *100f *0e0d *0c0b *0a09 *0807" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | egrep "0x0020: *0605 *0403 *0201 *f200 *0000 *0002 *f200 *0000" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | egrep "0x0030: *0001 *0800 *4500 *0028 *0001 *0000 *4006 *b013" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | egrep "0x0040: *c0a8 *000a *0a00 *000a *0400 *0800 *0000 *00c8" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | egrep "0x0050: *0000 *0000 *5002 *2000 *b85e *0000" 2>&1 1>/dev/null])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
5968
5969
dnl Forward NSH packets by service path: spi 0x100 / si 2 goes to at_ns1,
dnl spi 0x100 / si 1 goes to at_ns2.  Two packets are injected (one from
dnl at_ns0, one from at_ns1) and each is expected unchanged on the pcap of
dnl the corresponding egress port.
AT_SETUP([nsh - forward])
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2)

dnl No IP addresses: frames are crafted and captured at L2.
ADD_VETH(p0, at_ns0, br0, "0.0.0.0")
ADD_VETH(p1, at_ns1, br0, "0.0.0.0")
ADD_VETH(p2, at_ns2, br0, "0.0.0.0")

dnl Push two flows to OVS. #1 will check on SPI=0X100, SI=2 and send the
dnl packet to at_ns1. #2 will check on SPI=0X100, SI=1 and send the
dnl packet to to at_ns2.
dnl Neither flow matches on in_port, which is what lets the second packet
dnl below be injected from at_ns1.
AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,dl_type=0x894f,nsh_spi=0x100,nsh_si=0x02,actions=ovs-p1"])
AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,dl_type=0x894f,nsh_spi=0x100,nsh_si=0x01,actions=ovs-p2"])


dnl Capture on both egress ports.  NOTE(review): the two tcpdumps are
dnl backgrounded with '&' and never terminated or pid-tracked by this test,
dnl and the fixed sleeps race with capture start-up; see the encap test.
rm ovs-p1.pcap
rm ovs-p2.pcap
tcpdump -U -i ovs-p1 -w ovs-p1.pcap &
tcpdump -U -i ovs-p2 -w ovs-p2.pcap &
sleep 1

dnl First send packet from at_ns0 --> OVS with SPI=0x100 and SI=2
NS_CHECK_EXEC([at_ns0], [$PYTHON $srcdir/sendpkt.py p0 f2 ff 00 00 00 02 f2 ff 00 00 00 01 89 4f 02 06 01 03 00 01 00 02 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 f2 00 00 00 00 02 f2 00 00 00 00 01 08 00 45 00 00 28 00 01 00 00 40 06 b0 13 c0 a8 00 0a 0a 00 00 0a 04 00 08 00 00 00 00 c8 00 00 00 00 50 02 20 00 b8 5e 00 00 > /dev/null])

sleep 1

dnl Check for the above packet on ovs-p1 interface
dnl Only egrep's exit status matters (stdout discarded); the expected bytes
dnl are the injected frame unchanged.
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | egrep "0x0000: *f2ff *0000 *0002 *f2ff *0000 *0001 *894f *0206" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | egrep "0x0010: *0103 *0001 *0002 *0102 *0304 *0506 *0708 *090a" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | egrep "0x0020: *0b0c *0d0e *0f10 *f200 *0000 *0002 *f200 *0000" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | egrep "0x0030: *0001 *0800 *4500 *0028 *0001 *0000 *4006 *b013" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | egrep "0x0040: *c0a8 *000a *0a00 *000a *0400 *0800 *0000 *00c8" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | egrep "0x0050: *0000 *0000 *5002 *2000 *b85e *0000" 2>&1 1>/dev/null])


dnl Send the second packet from at_ns1 --> OVS with SPI=0x100 and SI=1
dnl This one is injected on p1, the port the first packet was delivered to.
NS_CHECK_EXEC([at_ns1], [$PYTHON $srcdir/sendpkt.py p1 f2 ff 00 00 00 02 f2 ff 00 00 00 01 89 4f 01 c6 01 03 00 01 00 01 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 f2 00 00 00 00 02 f2 00 00 00 00 01 08 00 45 00 00 28 00 01 00 00 40 06 b0 13 c0 a8 00 0a 0a 00 00 0a 04 00 08 00 00 00 00 c8 00 00 00 00 50 02 20 00 b8 5e 00 00 > /dev/null])

sleep 1

dnl Check for the above packet on ovs-p2 interface
AT_CHECK([tcpdump -xx -r ovs-p2.pcap 2>&1 | egrep "0x0000: *f2ff *0000 *0002 *f2ff *0000 *0001 *894f *01c6" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p2.pcap 2>&1 | egrep "0x0010: *0103 *0001 *0001 *0102 *0304 *0506 *0708 *090a" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p2.pcap 2>&1 | egrep "0x0020: *0b0c *0d0e *0f10 *f200 *0000 *0002 *f200 *0000" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p2.pcap 2>&1 | egrep "0x0030: *0001 *0800 *4500 *0028 *0001 *0000 *4006 *b013" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p2.pcap 2>&1 | egrep "0x0040: *c0a8 *000a *0a00 *000a *0400 *0800 *0000 *00c8" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p2.pcap 2>&1 | egrep "0x0050: *0000 *0000 *5002 *2000 *b85e *0000" 2>&1 1>/dev/null])



OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP