dnl Kernel-datapath system tests: every case below starts a real ovs-vswitchd
dnl (OVS_TRAFFIC_VSWITCHD_START), moves veth/internal ports into network
dnl namespaces and checks traffic end to end, so they need root and a kernel
dnl with the OVS module loaded.
AT_BANNER([datapath-sanity])

AT_SETUP([datapath - ping between two ports])
OVS_TRAFFIC_VSWITCHD_START()

dnl br0 behaves as a plain learning switch: a single flow with actions=normal.
AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])

ADD_NAMESPACES(at_ns0, at_ns1)

dnl One veth per namespace, both on the same /24 so no routing is involved.
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Three echo requests each; FORMAT_PING normalises the summary line so the
dnl exact counts can be compared. The 1600- and 3200-byte payloads presumably
dnl exceed the veth MTU and so also exercise fragment handling -- TODO confirm.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([datapath - ping between two ports on vlan])
OVS_TRAFFIC_VSWITCHD_START()

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Same as the untagged test above, but the pings go over VLAN 100
dnl sub-interfaces (10.2.2.0/24) so the tagged frames must cross br0 intact.
ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")

NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([datapath - ping6 between two ports])
OVS_TRAFFIC_VSWITCHD_START()

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])

ADD_NAMESPACES(at_ns0, at_ns1)

dnl IPv6 counterpart of the first test: ULA addresses in fc00::/96.
ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl Without this sleep, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
dnl (presumably the freshly added addresses are still tentative while IPv6
dnl duplicate address detection runs -- TODO confirm)
sleep 2;

NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([datapath - ping6 between two ports on vlan])
OVS_TRAFFIC_VSWITCHD_START()

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl VLAN 100 sub-interfaces carry a second prefix, fc00:1::/96; the pings
dnl below target that prefix, so they only succeed if tagged IPv6 traffic
dnl crosses br0.
ADD_VLAN(p0, at_ns0, 100, "fc00:1::1/96")
ADD_VLAN(p1, at_ns1, 100, "fc00:1::2/96")

dnl Without this sleep, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
sleep 2;

NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([datapath - ping over vxlan tunnel])
dnl Skip unless the local iproute2 can create a vxlan device with an explicit
dnl "dstport" (needed for the native tunnel endpoint set up below).
AT_SKIP_IF([! ip link add foo type vxlan help 2>&1 | grep dstport >/dev/null])

OVS_TRAFFIC_VSWITCHD_START()
dnl Two bridges: br0 carries the overlay, br-underlay the encapsulated traffic.
ADD_BR([br-underlay])

AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
dnl The address on br-underlay is added directly with ip(8) and, unlike the
dnl later "local" tests, is not removed with on_exit.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
                  [id 0 dstport 4789])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with different packet sizes
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - controller])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl Port 1 UDP is committed to conntrack and punted to the controller; port 2
dnl UDP is first sent through ct() and only reaches the controller once it is
dnl tracked *and* established, i.e. a reply to something port 1 committed.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,udp,action=ct(commit),controller
priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk+est,udp,action=controller
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Record every packet-in on br0; the log is compared verbatim at the end.
AT_CAPTURE_FILE([ofctl_monitor.log])
AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])

dnl The hex blobs are hand-built Ethernet/IPv4/UDP frames (the decoded fields
dnl appear in the expected packet-in output below): 50:54:00:00:00:09 ->
dnl 50:54:00:00:00:0a, UDP between 10.1.1.1 port 1 and 10.1.1.2 port 2.

dnl Send an unsolicited reply from port 2. This should be dropped.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])

dnl OK, now start a new connection from port 1.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit\),controller '50540000000a50540000000908004500001c00000000001100000a0101010a0101020001000200080000'])

dnl Now try a reply from port 2.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])

dnl Check this output. We only see the latter two packets, not the first.
dnl The reply carries ct_state=est|rpl|trk because the port 1 packet was
dnl committed first; the identical reply sent before the commit never shows up.
AT_CHECK([cat ofctl_monitor.log], [0], [dnl
NXT_PACKET_IN (xid=0x0): total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - IPv4 HTTP])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any traffic from ns0->ns1. Only allow ARP/ICMP and established
dnl return traffic from ns1->ns0: a TCP packet from port 2 is run through
dnl ct(table=0) and forwarded only if it is +trk+est.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 >/dev/null])

dnl HTTP requests from ns0->ns1 should work fine.
dnl test-l7.py is a small HTTP server; --retry-connrefused covers the window
dnl before it is listening.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl The finished connection must be visible in the host conntrack table;
dnl FORMAT_CT blanks the ephemeral ports (<cleared>) so the line is stable.
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1
])

dnl HTTP requests from ns1->ns0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
dnl (exit status 4 is wget's network-failure code; the SYN from port 2 is
dnl untracked-new, never established, so it is dropped)
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log], [4])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - IPv6 HTTP])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl Neighbour discovery is icmp6, which is why icmp6 (not arp) is let through
dnl unconditionally here.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,icmp6,action=normal
priority=100,in_port=1,tcp6,action=ct(commit),2
priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Without this sleep, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
sleep 2;

dnl HTTP requests from ns0->ns1 should work fine.
dnl The doubled brackets are m4 quoting; the shell sees http://[fc00::2].
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])

NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl HTTP requests from ns1->ns0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - commit, recirc])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow any traffic from ns0->ns1, ns2->ns3.
dnl Both pairs use ct(commit,table=0), i.e. commit and recirculate back into
dnl table 0 in one action, instead of "ct(commit),<port>". The p2/p3 pair
dnl additionally threads the packet through twice, using metadata 0 -> 1 to
dnl tell the first pass (plain ct lookup) from the second (commit).
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=1,tcp,ct_state=+trk,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,tcp,ct_state=+trk,action=1
priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=4,tcp,ct_state=+trk,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl HTTP requests from p2->p3 should work fine.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - preserve registers])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow any traffic from ns0->ns1, ns2->ns3.
dnl Same pipeline as "commit, recirc" but the p2/p3 pair stores its pass
dnl marker in NXM_NX_REG0 instead of metadata; the test only passes if the
dnl register value survives the ct() recirculation. ([[]] is m4 quoting for
dnl the literal "[]" whole-register selector.)
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=1,tcp,ct_state=+trk,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,tcp,ct_state=+trk,action=1
priority=100,in_port=3,tcp,ct_state=-trk,action=load:0->NXM_NX_REG0[[]],ct(table=0)
priority=100,in_port=3,tcp,ct_state=+trk,reg0=0,action=load:1->NXM_NX_REG0[[]],ct(commit,table=0)
priority=100,in_port=3,tcp,ct_state=+trk,reg0=1,action=4
priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=4,tcp,ct_state=+trk,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl HTTP requests from p2->p3 should work fine.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - invalid])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Pass traffic from ns0->ns1 without committing, but attempt to track in
dnl the opposite direction. This should fail.
dnl Pass traffic from ns3->ns4 without committing, and this time match
dnl invalid traffic and allow it through.
dnl (ns3->ns4 above means the p2->p3 pair, ports 3 and 4.) A reply to a
dnl connection that was never committed is classified +inv by conntrack; the
dnl port 4 rule that forwards +trk+inv is what makes the second pair work.
dnl This is the test's way of proving the classification -- a production
dnl policy that forwards +inv traffic gives up exactly the protection the
dnl first pair demonstrates.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk+new,tcp,action=1
priority=100,in_port=3,tcp,action=ct(),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=4,ct_state=+trk+inv,tcp,action=3
priority=100,in_port=4,ct_state=+trk+new,tcp,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl We set up our rules to allow the request without committing. The return
dnl traffic can't be identified, because the initial request wasn't committed.
dnl For the first pair of ports, this means that the connection fails.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4])

dnl For the second pair, we allow packets from invalid connections, so it works.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - zones])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow any traffic from ns0->ns1. Allow return traffic, matching on zone.
dnl For ns2->ns3, use a different zone and see that the match fails.
dnl Zones are independent conntrack tables: p2->p3 is committed in zone 2, so
dnl the port 4 return rule, which insists on ct_zone=1, never matches.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit,zone=1),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
priority=100,in_port=3,tcp,action=ct(commit,zone=2),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0,zone=2)
priority=100,in_port=4,ct_state=+trk,ct_zone=1,tcp,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
])

dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])

dnl The server's SYN-ACK was dropped, so zone 2 holds a half-open entry.
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=0 zone=2 use=1
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - zones from field])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl Same shape as the "zones" test, but the zone is taken from the low 16
dnl bits of REG0 (zone=NXM_NX_REG0[0..15]) rather than a literal: 0x1001 for
dnl the p0/p1 pair, 0x1002 for p2/p3. The return rules still require
dnl ct_zone=0x1001, so only the first pair's replies get through.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),2
priority=100,in_port=2,ct_state=-trk,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
priority=100,in_port=2,ct_state=+trk,ct_zone=0x1001,tcp,action=1
priority=100,in_port=3,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),4
priority=100,in_port=4,ct_state=-trk,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
priority=100,in_port=4,ct_state=+trk,ct_zone=0x1001,tcp,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl conntrack(8) prints zones in decimal: 4097 == 0x1001.
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=4097 use=1
])

dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])

dnl 4098 == 0x1002: the half-open entry lives in the second pair's own zone.
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=0 zone=4098 use=1
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - multiple bridges])
CHECK_CONNTRACK()
dnl Two bridges joined by a patch-port pair (patch+ on br0, patch- on br1);
dnl each bridge runs its own conntrack policy in its own zone.
OVS_TRAFFIC_VSWITCHD_START(
   [_ADD_BR([br1]) --\
    add-port br0 patch+ -- set int patch+ type=patch options:peer=patch- --\
    add-port br1 patch- -- set int patch- type=patch options:peer=patch+ --])

ADD_NAMESPACES(at_ns0, at_ns1)

dnl ns0 hangs off br0, ns1 off br1; the HTTP connection has to cross both.
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")

dnl Allow any traffic from ns0->br1, allow established in reverse.
dnl On br0 port 2 is the patch port toward br1 and port 1 is p0; zone 1.
AT_DATA([flows-br0.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(commit,zone=1),1
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=1,action=2
])

dnl Allow any traffic from br0->ns1, allow established in reverse.
dnl On br1 port 1 is the patch port from br0 and port 2 is p1; zone 2. New
dnl connections are committed on the way in, established ones re-committed in
dnl both directions.
AT_DATA([flows-br1.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=2)
priority=100,in_port=1,tcp,ct_state=+trk+new,ct_zone=2,action=ct(commit,zone=2),2
priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=2,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
priority=100,in_port=2,tcp,ct_state=+trk+est,ct_zone=2,action=ct(commit,zone=2),1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - multiple zones])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl Outbound packets are committed to zone 1 *and* zone 2 in one action list;
dnl replies are only ever tracked in zone 2, so zone 1 sees request packets
dnl but never a reply.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit,zone=1),ct(commit,zone=2),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=2)
priority=100,in_port=2,ct_state=+trk,ct_zone=2,tcp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl (again) HTTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl Expected: the same connection is SYN_SENT/[UNREPLIED] in zone 1 (no reply
dnl was ever committed there) but fully closed (TIME_WAIT, ASSURED) in zone 2.
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
SYN_SENT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[UNREPLIED]] src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> mark=0 zone=1 use=1
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - multiple zones, local])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0)

dnl The host stack itself is one endpoint: br0 gets an address and traffic
dnl enters OVS through the LOCAL port. The address is removed again on exit
dnl so it does not leak into later tests.
AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
AT_CHECK([ip link set dev br0 up])
on_exit 'ip addr del dev br0 "10.1.1.1/24"'
ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")

dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
dnl return traffic from ns0 back to the local stack.
dnl Untracked IP from LOCAL is dropped outright; the +trk rules presumably
dnl match because packets from the host stack arrive already carrying the
dnl host's own conntrack state -- TODO confirm. Return traffic from port 1 is
dnl checked in zone 1 (table 1) and then zone 2 (table 2) before reaching
dnl LOCAL, so it must be established in both.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
table=1,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
table=2,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl These run in the root namespace (AT_CHECK, not NS_CHECK_EXEC).
AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl HTTP requests from root namespace to p0 should work fine.
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl (again) HTTP requests from root namespace to p0 should work fine.
AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl Both the TCP connection and the ICMP echo pair appear once per zone;
dnl grep "zone" drops the host stack's own zone-less entries for the same flows.
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id=<cleared> src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id=<cleared> mark=0 zone=1 use=1
src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id=<cleared> src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id=<cleared> mark=0 zone=2 use=1
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

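AT_SETUP([conntrack - multiple namespaces, internal ports])
CHECK_CONNTRACK()
dnl Fail mode "secure" so br0 forwards nothing until the flows below are
dnl installed.
OVS_TRAFFIC_VSWITCHD_START(
   [set-fail-mode br0 secure -- ])

ADD_NAMESPACES(at_ns0, at_ns1)

dnl OVS internal ports moved into the namespaces, instead of veth pairs: the
dnl packets are handed directly from the namespace's stack to the datapath.
ADD_INT(p0, at_ns0, br0, "10.1.1.1/24")
ADD_INT(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl
dnl If skb->nfct is leaking from inside the namespace, this test will fail.
dnl (Conntrack state attached by the namespace's own stack must not be visible
dnl to the zone-1 lookup in the host; the port 2 return rule relies on that.)
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=1),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
])

dnl --bundle for consistency with every other test in this file: the flow
dnl table is installed atomically rather than one flow at a time.
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl (again) HTTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
])

dnl Internal ports disappear with their namespaces, so the stop-time log
dnl check has to tolerate the two "No such device" messages.
OVS_TRAFFIC_VSWITCHD_STOP(["dnl
/ioctl(SIOCGIFINDEX) on .* device failed: No such device/d
/removing policing failed: No such device/d"])
AT_CLEANUP
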
AT_SETUP([conntrack - multi-stage pipeline, local])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0)

AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
AT_CHECK([ip link set dev br0 up])
on_exit 'ip addr del dev br0 "10.1.1.1/24"'
ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")

dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
dnl return traffic from ns0 back to the local stack.
dnl Five-table pipeline: table 0 classifies and stores the output port in
dnl REG0, table 1 is the ingress ct stage keyed on the input port, table 2/3
dnl the egress ct stage keyed on the output port, table 4 outputs. The zone
dnl numbers in the expected conntrack dump (1 and 65534) are the OpenFlow
dnl port numbers of p0 and LOCAL respectively.
AT_DATA([flows.txt], [dnl
dnl default
table=0,priority=1,action=drop
table=0,priority=10,arp,action=normal

dnl Load the output port to REG0
table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1

dnl Ingress pipeline
dnl - Allow all connections from LOCAL port (commit and proceed to egress)
dnl - All other connections go through conntracker using the input port as
dnl   a connection tracking zone.
table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2
table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
table=1,priority=1,action=drop

dnl Egress pipeline
dnl - Allow all connections from LOCAL port (commit and skip to output)
dnl - Allow other established connections to go through conntracker using
dnl   output port as a connection tracking zone.
table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4
table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
table=2,priority=1,action=drop

dnl Only allow established traffic from egress ct lookup
table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
table=3,priority=1,action=drop

dnl output table
table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl HTTP requests from root namespace to p0 should work fine.
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl (again) HTTP requests from root namespace to p0 should work fine.
AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl One entry per zone for both the TCP connection and the ICMP echo pair.
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=65534 use=1
src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id=<cleared> src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id=<cleared> mark=0 zone=1 use=1
src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id=<cleared> src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id=<cleared> mark=0 zone=65534 use=1
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - ct_mark])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow traffic between ns0<->ns1 using the ct_mark.
dnl Check that different marks do not match for traffic between ns2<->ns3.
dnl exec(set_field:N->ct_mark) stores the mark in the conntrack entry at
dnl commit time, so it is available on the reply without any per-flow state
dnl in OVS. The p2/p3 pair commits mark 2 but its return rule wants mark 1.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:2->ct_mark)),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl The mark is visible in the kernel's conntrack entry (mark=1).
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=1 use=1
])

dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])

dnl Half-open, with the mark the p2 rule committed (mark=2).
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=2 use=1
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

769AT_SETUP([conntrack - ct_mark from register])
770CHECK_CONNTRACK()
cf7659b6 771OVS_TRAFFIC_VSWITCHD_START()
8e53fe8c
JS
772
773ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
774
775ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
776ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
777ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
778ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
779
780dnl Same policy as the ct_mark test, but the mark is first loaded into NXM_NX_REG0
dnl and then moved into ct_mark inside ct(commit,exec(...)).
dnl Allow traffic between ns0<->ns1 (mark 1). ns2<->ns3 commits mark 2 while the
dnl return rule still matches ct_mark=1, so that traffic is dropped.
781AT_DATA([flows.txt], [dnl
782priority=1,action=drop
783priority=10,arp,action=normal
784priority=10,icmp,action=normal
785priority=100,in_port=1,tcp,action=load:1->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),2
786priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
787priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
788priority=100,in_port=3,tcp,action=load:2->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),4
789priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
790priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
791])
792
6cfa8ec3 793AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
8e53fe8c
JS
794
795dnl HTTP requests from p0->p1 should work fine.
796NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
797NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
798
dnl The value moved from the register must show up as mark=1.
799AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
800TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=1 use=1
801])
802
803dnl HTTP requests from p2->p3 should fail due to network failure.
804dnl Try 3 times, in 1 second intervals.
805NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
806NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
807
808AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
809SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=2 use=1
810])
811
812OVS_TRAFFIC_VSWITCHD_STOP
813AT_CLEANUP
814
815AT_SETUP([conntrack - ct_label])
dnl Same structure as the ct_mark test, keyed on ct_label instead: p0->p1 commits
dnl label 0x0a000d000005000001, p2->p3 commits 0x2 while its return rule still
dnl matches the first label, so the p2->p3 request must fail.
816CHECK_CONNTRACK()
cf7659b6 817OVS_TRAFFIC_VSWITCHD_START()
9daf2348
JS
818
819ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
820
821ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
822ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
823ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
824ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
825
826dnl Allow traffic between ns0<->ns1 using the ct_label.
827dnl Check that different labels do not match for traffic between ns2<->ns3.
828AT_DATA([flows.txt], [dnl
829priority=1,action=drop
830priority=10,arp,action=normal
831priority=10,icmp,action=normal
832priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:0x0a000d000005000001->ct_label)),2
833priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
834priority=100,in_port=2,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=1
835priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:0x2->ct_label)),4
836priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
837priority=100,in_port=4,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=3
838])
839
6cfa8ec3 840AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
9daf2348
JS
841
842dnl HTTP requests from p0->p1 should work fine.
843NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
844NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
845
846dnl HTTP requests from p2->p3 should fail due to network failure.
847dnl Try 3 times, in 1 second intervals.
848NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
849NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
850
851OVS_TRAFFIC_VSWITCHD_STOP
852AT_CLEANUP
853
854AT_SETUP([conntrack - ICMP related])
dnl An ICMP error that quotes a committed UDP flow must be classified as
dnl "related" by conntrack; the dump-flows check at the end expects exactly one
dnl hit on the +rel+trk rule and one on the untracked ICMP rule.
855CHECK_CONNTRACK()
cf7659b6 856OVS_TRAFFIC_VSWITCHD_START()
8e53fe8c
JS
857
858ADD_NAMESPACES(at_ns0, at_ns1)
859
860ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
861ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
862
863dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
864AT_DATA([flows.txt], [dnl
865priority=1,action=drop
866priority=10,arp,action=normal
867priority=100,in_port=1,udp,action=ct(commit,exec(set_field:1->ct_mark)),2
868priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
869priority=100,in_port=2,icmp,ct_state=+trk+rel,ct_mark=1,action=1
870])
871
6cfa8ec3 872AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
8e53fe8c 873
dc55e946
JS
874dnl If we simulate a UDP request to a port that isn't serving any real traffic,
875dnl then the destination responds with an ICMP "destination unreachable"
876dnl message, it should be marked as "related".
dnl Both packets are injected with packet-out rather than sent from the
dnl namespaces, so the UDP request and the ICMP error are fully scripted.
877AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 resubmit\(,0\) 'dnl
8780000 0000 0000 0000 0000 0000 0800 4500 dnl
879001e bb85 4000 4011 6945 0a01 0101 0a01 dnl
8800102 839c 1388 000a f1a6 610a'])
881
882AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'dnl
8830000 0000 0000 0000 0000 0000 0800 45c0 dnl
884003a 411e 0000 4001 22e1 0a01 0102 0a01 dnl
8850101 0303 131d 0000 0000 dnl
8864500 001e bb85 4000 4011 6945 0a01 0101 dnl
8870a01 0102 839c 1388 000a f1a6 610a'])
8e53fe8c
JS
888
dnl Flush the datapath flows first so the counters below are up to date.
889AT_CHECK([ovs-appctl revalidator/purge], [0])
890AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
891 n_packets=1, n_bytes=44, priority=100,udp,in_port=1 actions=ct(commit,exec(load:0x1->NXM_NX_CT_MARK[[]])),output:2
892 n_packets=1, n_bytes=72, priority=100,ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2 actions=output:1
893 n_packets=1, n_bytes=72, priority=100,ct_state=-trk,icmp,in_port=2 actions=ct(table=0)
dc55e946 894 priority=10,arp actions=NORMAL
8e53fe8c
JS
895NXST_FLOW reply:
896])
897
898OVS_TRAFFIC_VSWITCHD_STOP
899AT_CLEANUP
900
901AT_SETUP([conntrack - ICMP related 2])
dnl An ICMP port-unreachable that arrives before any matching UDP request must
dnl not be classified as related; only the error that quotes a committed UDP
dnl flow reaches the controller (checked through ovs-ofctl monitor below).
902CHECK_CONNTRACK()
cf7659b6 903OVS_TRAFFIC_VSWITCHD_START()
07659514
JS
904
905ADD_NAMESPACES(at_ns0, at_ns1)
906
907ADD_VETH(p0, at_ns0, br0, "172.16.0.1/24")
908ADD_VETH(p1, at_ns1, br0, "172.16.0.2/24")
909
910dnl Commit UDP from port 1 and send all tracked port-1 IP traffic to the controller.
dnl From port 2, send only ICMP that conntrack classifies as a related reply
dnl (+rel+rpl) to the controller; everything else is dropped.
911AT_DATA([flows.txt], [dnl
912priority=1,action=drop
913priority=10,arp,action=normal
6cfa8ec3
JR
914priority=100,in_port=1,udp,ct_state=-trk,action=ct(commit,table=0)
915priority=100,in_port=1,ip,ct_state=+trk,actions=controller
916priority=100,in_port=2,ip,ct_state=-trk,action=ct(table=0)
917priority=100,in_port=2,ip,ct_state=+trk+rel+rpl,action=controller
07659514
JS
918])
919
6cfa8ec3 920AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt])
07659514
JS
921
922AT_CAPTURE_FILE([ofctl_monitor.log])
923AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
924
925dnl 1. Send an ICMP port unreach reply for port 8738, without any previous request
926AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f355ac100004ac1000030303553f0000000045000021317040004011b138ac100003ac10000411112222000d20966369616f0a'])
927
928dnl 2. Send and UDP packet to port 5555
929AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit,table=0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
930
931dnl 3. Send an ICMP port unreach reply for port 5555, related to the first packet
932AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
933
934dnl Check this output. We only see the latter two packets, not the first.
935AT_CHECK([cat ofctl_monitor.log], [0], [dnl
936NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=47 ct_state=new|trk,in_port=1 (via action) data_len=47 (unbuffered)
937udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096
938NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=75 ct_state=rel|rpl|trk,in_port=2 (via action) data_len=75 (unbuffered)
939icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f
940])
941
942OVS_TRAFFIC_VSWITCHD_STOP
943AT_CLEANUP
944
945AT_SETUP([conntrack - FTP])
dnl Exercises the FTP ALG: the control connection is committed with alg=ftp and
dnl the data connection opened by the server (active mode) or by the client
dnl (passive mode) must be accepted as "related" instead of as a new flow.
946AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
947CHECK_CONNTRACK()
cf7659b6 948OVS_TRAFFIC_VSWITCHD_START()
d787ad39
JS
949
950ADD_NAMESPACES(at_ns0, at_ns1)
951
952ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
953ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
954
955dnl Allow any TCP from ns0->ns1, committed with the FTP ALG. From ns1->ns0 only
dnl allow established TCP and TCP that the ALG marked as related (data connections).
956AT_DATA([flows1.txt], [dnl
957priority=1,action=drop
958priority=10,arp,action=normal
959priority=10,icmp,action=normal
960priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
961priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
962priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
963priority=100,in_port=2,tcp,ct_state=+trk+rel,action=1
964])
965
966dnl Similar policy but without allowing all traffic from ns0->ns1.
dnl Only new or established TCP from ns0->ns1 is forwarded; related connections
dnl coming back from ns1 are committed themselves so their later packets are +est.
967AT_DATA([flows2.txt], [dnl
968priority=1,action=drop
969priority=10,arp,action=normal
970priority=10,icmp,action=normal
971priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0)
972priority=100,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
973priority=100,in_port=1,tcp,ct_state=+trk+est,action=2
974priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
975priority=100,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
976priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
977priority=100,in_port=2,tcp,ct_state=+trk-new+rel,action=1
978])
979
6cfa8ec3 980AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
d787ad39
JS
981
982NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
983NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
984
985dnl FTP requests from p1->p0 should fail due to network failure.
986dnl Try 3 times, in 1 second intervals.
987NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
dnl Nothing from ns1 was ever committed, so no entry may exist for 10.1.1.1.
988AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.1)], [0], [dnl
989])
990
991dnl FTP requests from p0->p1 should work fine.
992NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
993AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
994TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=1
995])
996
997dnl Try the second set of flows.
6cfa8ec3 998AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
dnl NOTE(review): unlike the later flush, this one is not wrapped in AT_CHECK,
dnl so a failure to clear the table would go unnoticed.
d787ad39 999conntrack -F
d787ad39
JS
1000
1001dnl FTP requests from p1->p0 should fail due to network failure.
1002dnl Try 3 times, in 1 second intervals.
1003NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
1004AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.1)], [0], [dnl
1005])
1006
1007dnl Active FTP requests from p0->p1 should work fine.
dnl Expect the control connection (helper=ftp) plus the server-initiated data
dnl connection, which is committed separately by the +trk+new+rel rule.
1008NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1009AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
1010TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=2
1011TIME_WAIT src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1
1012])
1013
1014AT_CHECK([conntrack -F 2>/dev/null])
1015
1016dnl Passive FTP requests from p0->p1 should work fine.
dnl In passive mode the client opens the data connection, so both entries
dnl have 10.1.1.1 as the original source.
1017NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1018AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
1019TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=2
1020TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1
1021])
1022
1023OVS_TRAFFIC_VSWITCHD_STOP
1024AT_CLEANUP
1025
1026
1027AT_SETUP([conntrack - IPv6 FTP])
dnl IPv6 variant of the active-FTP case: the EPRT-style data connection opened
dnl by the server must be accepted as related to the committed control
dnl connection, and both entries must show up in the IPv6 conntrack table.
1028AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1029CHECK_CONNTRACK()
1030OVS_TRAFFIC_VSWITCHD_START()
1031
1032ADD_NAMESPACES(at_ns0, at_ns1)
1033
1034ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1035ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1036
1037dnl From ns0->ns1 only new TCPv6 connections to port 21 are admitted (committed
1038dnl with the FTP ALG) plus established ones; ns1->ns0 gets established TCPv6
dnl and new connections the ALG marked as related. ICMPv6 passes both ways.
1039AT_DATA([flows.txt], [dnl
1040dnl Track all IPv6 traffic and drop the rest.
1041dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked.
1042table=0 priority=100 in_port=1 icmp6, action=2
1043table=0 priority=100 in_port=2 icmp6, action=1
1044table=0 priority=10 ip6, action=ct(table=1)
1045table=0 priority=0 action=drop
1046dnl
1047dnl Table 1
1048dnl
1049dnl Allow new TCPv6 FTP control connections from port 1.
1050table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
1051dnl Allow related TCPv6 connections from port 2.
1052table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1
1053dnl Allow established TCPv6 connections both ways.
1054table=1 in_port=1 ct_state=+est, tcp6, action=2
1055table=1 in_port=2 ct_state=+est, tcp6, action=1
1056dnl Drop everything else.
1057table=1 priority=0, action=drop
1058])
1059
1060AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1061
1062NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1063
1064dnl FTP requests from p0->p1 should work fine.
dnl The literal IPv6 address needs [[...]] so the brackets survive m4 quoting.
1065NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
1066
dnl Control connection (helper=ftp) plus the server-initiated data connection.
1067AT_CHECK([conntrack -L -f ipv6 2>&1 | FORMAT_CT(fc00::2) | grep -v "FIN" | grep -v "CLOSE"], [0], [dnl
1068TIME_WAIT src=fc00::1 dst=fc00::2 sport=<cleared> dport=<cleared> src=fc00::2 dst=fc00::1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=2
1069TIME_WAIT src=fc00::2 dst=fc00::1 sport=<cleared> dport=<cleared> src=fc00::1 dst=fc00::2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1
1070])
1071
1072OVS_TRAFFIC_VSWITCHD_STOP
1073AT_CLEANUP
1074
1075
1076AT_SETUP([conntrack - FTP with multiple expectations])
dnl The same FTP control connection is committed into two ct zones, so the ALG
dnl creates an expectation in each; the data connection must then be recognised
dnl as related in both zones and end up committed in both.
1077AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1078CHECK_CONNTRACK()
cf7659b6 1079OVS_TRAFFIC_VSWITCHD_START()
d787ad39
JS
1080
1081ADD_NAMESPACES(at_ns0, at_ns1)
1082
1083ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1084ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1085
1086dnl Dual-firewall: zone 1 then zone 2 are traversed in sequence. Allow all TCP
dnl from p0->p1 (committed with the FTP ALG in both zones); from p1->p0 allow
dnl only established TCP and ALG-related data connections, committed into both zones.
1087AT_DATA([flows.txt], [dnl
1088priority=1,action=drop
1089priority=10,arp,action=normal
1090priority=10,icmp,action=normal
1091priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
1092priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
1093priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=0,zone=2)
1094priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=2)
1095priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
1096priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
1097priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
1098priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=0,zone=1)
1099priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
1100priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
1101])
1102
6cfa8ec3 1103AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
d787ad39
JS
1104
1105NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
1106NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1107
1108dnl FTP requests from p1->p0 should fail due to network failure.
1109dnl Try 3 times, in 1 second intervals.
1110NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
1111AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.1)], [0], [dnl
1112])
1113
1114dnl Active FTP requests from p0->p1 should work fine.
dnl Expect control and data connections once per zone (four entries).
1115NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1116AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
1117TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 helper=ftp use=2
1118TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 helper=ftp use=2
1119TIME_WAIT src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
1120TIME_WAIT src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
1121])
1122
1123AT_CHECK([conntrack -F 2>/dev/null])
1124
1125dnl Passive FTP requests from p0->p1 should work fine.
dnl Here the client opens the data connection, so all four entries originate
dnl from 10.1.1.1.
1126NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1127AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
1128TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 helper=ftp use=2
1129TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
1130TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 helper=ftp use=2
1131TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
1132])
1133
1134OVS_TRAFFIC_VSWITCHD_STOP
1135AT_CLEANUP
1136
1137AT_SETUP([conntrack - IPv4 fragmentation ])
dnl ICMP from p0 is committed in ct zone 9 and only +est replies are let back.
dnl The 1600- and 3200-byte payloads produce fragmented datagrams, so this
dnl checks that fragments are still tracked correctly through ct().
1138CHECK_CONNTRACK()
cf7659b6 1139OVS_TRAFFIC_VSWITCHD_START()
27130224
AZ
1140
1141ADD_NAMESPACES(at_ns0, at_ns1)
1142
1143ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1144ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1145
1146dnl Sending ping through conntrack
1147AT_DATA([flows.txt], [dnl
1148priority=1,action=drop
1149priority=10,arp,action=normal
1150priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
1151priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1152priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1153])
1154
6cfa8ec3 1155AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
27130224
AZ
1156
1157dnl Basic connectivity check.
1158NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
11593 packets transmitted, 3 received, 0% packet loss, time 0ms
1160])
1161
1162dnl IPv4 fragmentation connectivity check.
1163NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
11643 packets transmitted, 3 received, 0% packet loss, time 0ms
1165])
1166
1167dnl IPv4 larger fragmentation connectivity check.
1168NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
11693 packets transmitted, 3 received, 0% packet loss, time 0ms
1170])
1171
1172OVS_TRAFFIC_VSWITCHD_STOP
1173AT_CLEANUP
1174
1175AT_SETUP([conntrack - IPv4 fragmentation + vlan])
dnl Same as the IPv4 fragmentation test, but the pings travel over VLAN 100
dnl sub-interfaces (10.2.2.0/24) on top of the veth pair.
1176CHECK_CONNTRACK()
cf7659b6 1177OVS_TRAFFIC_VSWITCHD_START()
27130224
AZ
1178
1179ADD_NAMESPACES(at_ns0, at_ns1)
1180
1181ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1182ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1183ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
1184ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
1185
1186dnl Sending ping through conntrack
1187AT_DATA([flows.txt], [dnl
1188priority=1,action=drop
1189priority=10,arp,action=normal
1190priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
1191priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1192priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1193])
1194
6cfa8ec3 1195AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
27130224
AZ
1196
1197dnl Basic connectivity check.
1198NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
11993 packets transmitted, 3 received, 0% packet loss, time 0ms
1200])
1201
1202dnl IPv4 fragmentation connectivity check.
1203NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
12043 packets transmitted, 3 received, 0% packet loss, time 0ms
1205])
1206
1207dnl IPv4 larger fragmentation connectivity check.
1208NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
12093 packets transmitted, 3 received, 0% packet loss, time 0ms
1210])
1211
1212OVS_TRAFFIC_VSWITCHD_STOP
1213AT_CLEANUP
1214
1215AT_SETUP([conntrack - IPv6 fragmentation])
dnl IPv6 counterpart of the IPv4 fragmentation test. Neighbor discovery
dnl (ICMPv6 types 135/136) bypasses conntrack; everything else from p0 is
dnl committed in zone 9 and only +est replies are let back.
1216CHECK_CONNTRACK()
cf7659b6 1217OVS_TRAFFIC_VSWITCHD_START()
27130224
AZ
1218
1219ADD_NAMESPACES(at_ns0, at_ns1)
1220
1221ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1222ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1223
1224dnl Sending ping through conntrack
1225AT_DATA([flows.txt], [dnl
1226priority=1,action=drop
1227priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
1228priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1229priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
1230priority=100,icmp6,icmp_type=135,action=normal
1231priority=100,icmp6,icmp_type=136,action=normal
1232])
1233
6cfa8ec3 1234AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
27130224
AZ
1235
1236dnl Without this sleep, we get occasional failures due to the following error:
1237dnl "connect: Cannot assign requested address"
1238sleep 2;
1239
1240dnl Basic connectivity check.
1241NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
12423 packets transmitted, 3 received, 0% packet loss, time 0ms
1243])
1244
1245dnl IPv6 fragmentation connectivity check.
1246NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
12473 packets transmitted, 3 received, 0% packet loss, time 0ms
1248])
1249
1250dnl IPv6 larger fragmentation connectivity check.
1251NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
12523 packets transmitted, 3 received, 0% packet loss, time 0ms
1253])
1254
1255OVS_TRAFFIC_VSWITCHD_STOP
1256AT_CLEANUP
1257
1258AT_SETUP([conntrack - IPv6 fragmentation + vlan])
dnl Same as the IPv6 fragmentation test, but the pings travel over VLAN 100
dnl sub-interfaces (fc00:1::/96) on top of the veth pair.
1259CHECK_CONNTRACK()
cf7659b6 1260OVS_TRAFFIC_VSWITCHD_START()
27130224
AZ
1261
1262ADD_NAMESPACES(at_ns0, at_ns1)
1263
1264ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1265ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1266
1267ADD_VLAN(p0, at_ns0, 100, "fc00:1::3/96")
1268ADD_VLAN(p1, at_ns1, 100, "fc00:1::4/96")
1269
1270dnl Sending ping through conntrack
1271AT_DATA([flows.txt], [dnl
1272priority=1,action=drop
1273priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
1274priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1275priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
1276priority=100,icmp6,icmp_type=135,action=normal
1277priority=100,icmp6,icmp_type=136,action=normal
1278])
1279
6cfa8ec3 1280AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
27130224
AZ
1281
1282dnl Without this sleep, we get occasional failures due to the following error:
1283dnl "connect: Cannot assign requested address"
1284sleep 2;
1285
1286dnl Basic connectivity check.
1287NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
12883 packets transmitted, 3 received, 0% packet loss, time 0ms
1289])
1290
1291dnl IPv6 fragmentation connectivity check.
1292NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
12933 packets transmitted, 3 received, 0% packet loss, time 0ms
1294])
1295
1296dnl IPv6 larger fragmentation connectivity check.
1297NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
12983 packets transmitted, 3 received, 0% packet loss, time 0ms
1299])
1300
1301OVS_TRAFFIC_VSWITCHD_STOP
1302AT_CLEANUP
1303
1304AT_SETUP([conntrack - Fragmentation over vxlan])
dnl Fragmented ICMP that arrives through a VXLAN tunnel port is committed in
dnl zone 9 and replied to via the LOCAL port; the underlay is checked first so
dnl an overlay failure cannot be mistaken for a tunnel setup problem.
1305AT_SKIP_IF([! ip link help 2>&1 | grep vxlan >/dev/null])
1306CHECK_CONNTRACK()
1307
cf7659b6
JR
1308OVS_TRAFFIC_VSWITCHD_START()
1309ADD_BR([br-underlay])
1310AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
1311
27130224
AZ
1312ADD_NAMESPACES(at_ns0)
1313
1314dnl Sending ping through conntrack
1315AT_DATA([flows.txt], [dnl
1316priority=1,action=drop
1317priority=10,arp,action=normal
1318priority=100,in_port=1,icmp,action=ct(commit,zone=9),LOCAL
1319priority=100,in_port=LOCAL,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1320priority=100,in_port=LOCAL,ct_state=+trk+est,icmp,action=1
1321])
1322
6cfa8ec3 1323AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
27130224
AZ
1324
1325dnl Set up underlay link from host into the namespace using veth pair.
1326ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
1327AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
1328AT_CHECK([ip link set dev br-underlay up])
1329
1330dnl Set up tunnel endpoints on OVS outside the namespace and with a native
1331dnl linux device inside the namespace.
1332ADD_OVS_TUNNEL([vxlan], [br0], [at_ns0], [172.31.1.1], [10.1.1.100/24])
1333ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
1334 [id 0 dstport 4789])
1335
1336dnl First, check the underlay
1337NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
13383 packets transmitted, 3 received, 0% packet loss, time 0ms
1339])
1340
1341dnl Okay, now check the overlay with different packet sizes
1342NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
13433 packets transmitted, 3 received, 0% packet loss, time 0ms
1344])
1345NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
13463 packets transmitted, 3 received, 0% packet loss, time 0ms
1347])
1348NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
13493 packets transmitted, 3 received, 0% packet loss, time 0ms
1350])
1351
1352OVS_TRAFFIC_VSWITCHD_STOP
1353AT_CLEANUP
1354
1355AT_SETUP([conntrack - resubmit to ct multiple times])
dnl The same packet is resubmitted to two tables that each invoke ct(table=3).
dnl Both invocations must run: table 3 is expected to count two hits for the
dnl single ping, which is then dropped.
1356CHECK_CONNTRACK()
1357
dnl Secure fail mode so that no implicit NORMAL flow can forward the ping.
1358OVS_TRAFFIC_VSWITCHD_START(
1359 [set-fail-mode br0 secure -- ])
1360
1361ADD_NAMESPACES(at_ns0, at_ns1)
1362
1363ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1364ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1365
1366AT_DATA([flows.txt], [dnl
1367table=0,priority=150,arp,action=normal
1368table=0,priority=100,ip,in_port=1,action=resubmit(,1),resubmit(,2)
1369
1370table=1,priority=100,ip,action=ct(table=3)
1371table=2,priority=100,ip,action=ct(table=3)
1372
1373table=3,ip,action=drop
1374])
1375
1376AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1377
dnl A single echo request; it is dropped in table 3, so no reply is expected.
1378NS_CHECK_EXEC([at_ns0], [ping -q -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
13791 packets transmitted, 0 received, 100% packet loss, time 0ms
1380])
1381
dnl Tables 1 and 2 each see the packet once; table 3 therefore sees it twice.
1382AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort], [0], [dnl
1383 n_packets=1, n_bytes=98, priority=100,ip,in_port=1 actions=resubmit(,1),resubmit(,2)
1384 n_packets=2, n_bytes=84, priority=150,arp actions=NORMAL
1385 table=1, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
1386 table=2, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
1387 table=3, n_packets=2, n_bytes=196, ip actions=drop
1388NXST_FLOW reply:
1389])
1390
1391OVS_TRAFFIC_VSWITCHD_STOP
1392AT_CLEANUP