ofproto-dpif-xlate: Fix recirculation for resubmit to current table.
d7c5426b 1AT_BANNER([datapath-sanity])
69c2bdfe 2
d7c5426b 3AT_SETUP([datapath - ping between two ports])
4OVS_TRAFFIC_VSWITCHD_START()
5
6AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
7
8ADD_NAMESPACES(at_ns0, at_ns1)
9
10ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
11ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
12
de22d08f 13NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
cfe17b43 143 packets transmitted, 3 received, 0% packet loss, time 0ms
15])
16NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
cfe17b43 173 packets transmitted, 3 received, 0% packet loss, time 0ms
18])
19NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
203 packets transmitted, 3 received, 0% packet loss, time 0ms
21])
22
d7c5426b 23OVS_TRAFFIC_VSWITCHD_STOP
24AT_CLEANUP
25
d7c5426b 26AT_SETUP([datapath - ping between two ports on vlan])
27OVS_TRAFFIC_VSWITCHD_START()
28
29AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
30
31ADD_NAMESPACES(at_ns0, at_ns1)
32
33ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
34ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
35
36ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
37ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
38
de22d08f 39NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
cfe17b43 403 packets transmitted, 3 received, 0% packet loss, time 0ms
41])
42NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
cfe17b43 433 packets transmitted, 3 received, 0% packet loss, time 0ms
44])
45NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
463 packets transmitted, 3 received, 0% packet loss, time 0ms
47])
48
d7c5426b 49OVS_TRAFFIC_VSWITCHD_STOP
50AT_CLEANUP
51
d7c5426b 52AT_SETUP([datapath - ping6 between two ports])
53OVS_TRAFFIC_VSWITCHD_START()
54
55AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
56
57ADD_NAMESPACES(at_ns0, at_ns1)
58
59ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
60ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
61
62dnl Without this sleep, we get occasional failures due to the following error:
63dnl "connect: Cannot assign requested address"
64sleep 2;
65
de22d08f 66NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
cfe17b43 673 packets transmitted, 3 received, 0% packet loss, time 0ms
68])
69NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
cfe17b43 703 packets transmitted, 3 received, 0% packet loss, time 0ms
71])
72NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
733 packets transmitted, 3 received, 0% packet loss, time 0ms
74])
75
d7c5426b 76OVS_TRAFFIC_VSWITCHD_STOP
77AT_CLEANUP
78
d7c5426b 79AT_SETUP([datapath - ping6 between two ports on vlan])
80OVS_TRAFFIC_VSWITCHD_START()
81
82AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
83
84ADD_NAMESPACES(at_ns0, at_ns1)
85
86ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
87ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
88
89ADD_VLAN(p0, at_ns0, 100, "fc00:1::1/96")
90ADD_VLAN(p1, at_ns1, 100, "fc00:1::2/96")
91
92dnl Without this sleep, we get occasional failures due to the following error:
93dnl "connect: Cannot assign requested address"
94sleep 2;
95
de22d08f 96NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
cfe17b43 973 packets transmitted, 3 received, 0% packet loss, time 0ms
98])
99NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
cfe17b43 1003 packets transmitted, 3 received, 0% packet loss, time 0ms
101])
102NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
1033 packets transmitted, 3 received, 0% packet loss, time 0ms
104])
105
d7c5426b 106OVS_TRAFFIC_VSWITCHD_STOP
69c2bdfe 107AT_CLEANUP
108
109AT_SETUP([datapath - ping over vxlan tunnel])
dfb21e96 110OVS_CHECK_VXLAN()
810e1785 111
112OVS_TRAFFIC_VSWITCHD_START()
113ADD_BR([br-underlay])
114
115AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
116AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
117
118ADD_NAMESPACES(at_ns0)
119
120dnl Set up underlay link from host into the namespace using veth pair.
121ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
122AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
123AT_CHECK([ip link set dev br-underlay up])
124
125dnl Set up tunnel endpoints on OVS outside the namespace and with a native
126dnl linux device inside the namespace.
127ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
128ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
129 [id 0 dstport 4789])
130
131dnl First, check the underlay
132NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
1333 packets transmitted, 3 received, 0% packet loss, time 0ms
134])
135
136dnl Okay, now check the overlay with different packet sizes
137NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1383 packets transmitted, 3 received, 0% packet loss, time 0ms
139])
140NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1413 packets transmitted, 3 received, 0% packet loss, time 0ms
142])
143NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1443 packets transmitted, 3 received, 0% packet loss, time 0ms
145])
146
147OVS_TRAFFIC_VSWITCHD_STOP
148AT_CLEANUP
149
150AT_SETUP([conntrack - controller])
151CHECK_CONNTRACK()
cf7659b6 152OVS_TRAFFIC_VSWITCHD_START()
153
154ADD_NAMESPACES(at_ns0, at_ns1)
155
156ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
157ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
158
159dnl Allow any traffic from ns0->ns1. Only allow neighbour discovery (ARP) and return traffic from ns1->ns0.
160AT_DATA([flows.txt], [dnl
161priority=1,action=drop
162priority=10,arp,action=normal
163priority=100,in_port=1,udp,action=ct(commit),controller
164priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
165priority=100,in_port=2,ct_state=+trk+est,udp,action=controller
166])
167
6cfa8ec3 168AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
169
170AT_CAPTURE_FILE([ofctl_monitor.log])
171AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
172
173dnl Send an unsolicited reply from port 2. This should be dropped.
174AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
175
176dnl OK, now start a new connection from port 1.
177AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit\),controller '50540000000a50540000000908004500001c00000000001100000a0101010a0101020001000200080000'])
178
179dnl Now try a reply from port 2.
180AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
181
182dnl Check this output. We only see the latter two packets, not the first.
183AT_CHECK([cat ofctl_monitor.log], [0], [dnl
184NXT_PACKET_IN (xid=0x0): total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
185udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
186NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
187udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
188])
189
190OVS_TRAFFIC_VSWITCHD_STOP
191AT_CLEANUP
192
193AT_SETUP([conntrack - IPv4 HTTP])
194CHECK_CONNTRACK()
cf7659b6 195OVS_TRAFFIC_VSWITCHD_START()
196
197ADD_NAMESPACES(at_ns0, at_ns1)
198
199ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
200ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
201
202dnl Allow any traffic from ns0->ns1. Only allow neighbour discovery (ARP) and return traffic from ns1->ns0.
203AT_DATA([flows.txt], [dnl
204priority=1,action=drop
205priority=10,arp,action=normal
206priority=10,icmp,action=normal
207priority=100,in_port=1,tcp,action=ct(commit),2
208priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
209priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
210])
211
6cfa8ec3 212AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
213
214dnl Basic connectivity check.
215NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 >/dev/null])
216
217dnl HTTP requests from ns0->ns1 should work fine.
218NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
219NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
220
221AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
222tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
223])
224
225dnl HTTP requests from ns1->ns0 should fail due to network failure.
226dnl Try 3 times, in 1 second intervals.
227NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
228NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log], [4])
229
230OVS_TRAFFIC_VSWITCHD_STOP
231AT_CLEANUP
232
233AT_SETUP([conntrack - IPv6 HTTP])
234CHECK_CONNTRACK()
cf7659b6 235OVS_TRAFFIC_VSWITCHD_START()
236
237ADD_NAMESPACES(at_ns0, at_ns1)
238
239ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
240ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
241
242dnl Allow any traffic from ns0->ns1. Only allow neighbour discovery (ICMPv6) and return traffic from ns1->ns0.
243AT_DATA([flows.txt], [dnl
244priority=1,action=drop
245priority=10,icmp6,action=normal
246priority=100,in_port=1,tcp6,action=ct(commit),2
247priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
248priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
249])
250
6cfa8ec3 251AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
252
253dnl Without this sleep, we get occasional failures due to the following error:
254dnl "connect: Cannot assign requested address"
255sleep 2;
256
257dnl HTTP requests from ns0->ns1 should work fine.
258NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])
259
260NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
261
262AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
263tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
264])
265
266dnl HTTP requests from ns1->ns0 should fail due to network failure.
267dnl Try 3 times, in 1 second intervals.
268NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
269NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
270
271OVS_TRAFFIC_VSWITCHD_STOP
272AT_CLEANUP
273
274AT_SETUP([conntrack - commit, recirc])
275CHECK_CONNTRACK()
cf7659b6 276OVS_TRAFFIC_VSWITCHD_START()
277
278ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
279
280ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
281ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
282ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
283ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
284
285dnl Allow any traffic from ns0->ns1, ns2->ns3.
286AT_DATA([flows.txt], [dnl
287priority=1,action=drop
288priority=10,arp,action=normal
289priority=10,icmp,action=normal
290priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
291priority=100,in_port=1,tcp,ct_state=+trk,action=2
292priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
293priority=100,in_port=2,tcp,ct_state=+trk,action=1
294priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
295priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
296priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
297priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
298priority=100,in_port=4,tcp,ct_state=+trk,action=3
299])
300
6cfa8ec3 301AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
302
303dnl HTTP requests from p0->p1 should work fine.
304NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
305NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
306
307dnl HTTP requests from p2->p3 should work fine.
308NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
309NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
310
311OVS_TRAFFIC_VSWITCHD_STOP
312AT_CLEANUP
313
314AT_SETUP([conntrack - preserve registers])
315CHECK_CONNTRACK()
cf7659b6 316OVS_TRAFFIC_VSWITCHD_START()
317
318ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
319
320ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
321ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
322ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
323ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
324
325dnl Allow any traffic from ns0->ns1, ns2->ns3.
326AT_DATA([flows.txt], [dnl
327priority=1,action=drop
328priority=10,arp,action=normal
329priority=10,icmp,action=normal
330priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
331priority=100,in_port=1,tcp,ct_state=+trk,action=2
332priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
333priority=100,in_port=2,tcp,ct_state=+trk,action=1
334priority=100,in_port=3,tcp,ct_state=-trk,action=load:0->NXM_NX_REG0[[]],ct(table=0)
335priority=100,in_port=3,tcp,ct_state=+trk,reg0=0,action=load:1->NXM_NX_REG0[[]],ct(commit,table=0)
336priority=100,in_port=3,tcp,ct_state=+trk,reg0=1,action=4
337priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
338priority=100,in_port=4,tcp,ct_state=+trk,action=3
339])
340
6cfa8ec3 341AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
342
343dnl HTTP requests from p0->p1 should work fine.
344NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
345NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
346
347dnl HTTP requests from p2->p3 should work fine.
348NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
349NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
350
351OVS_TRAFFIC_VSWITCHD_STOP
352AT_CLEANUP
353
354AT_SETUP([conntrack - invalid])
355CHECK_CONNTRACK()
cf7659b6 356OVS_TRAFFIC_VSWITCHD_START()
357
358ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
359
360ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
361ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
362ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
363ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
364
365dnl Pass traffic from ns0->ns1 without committing, but attempt to track in
366dnl the opposite direction. This should fail.
367dnl Pass traffic from ns2->ns3 without committing, and this time match
368dnl invalid traffic and allow it through.
369AT_DATA([flows.txt], [dnl
370priority=1,action=drop
371priority=10,arp,action=normal
372priority=10,icmp,action=normal
373priority=100,in_port=1,tcp,action=ct(),2
374priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
375priority=100,in_port=2,ct_state=+trk+new,tcp,action=1
376priority=100,in_port=3,tcp,action=ct(),4
377priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
378priority=100,in_port=4,ct_state=+trk+inv,tcp,action=3
379priority=100,in_port=4,ct_state=+trk+new,tcp,action=3
380])
381
6cfa8ec3 382AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
383
384dnl We set up our rules to allow the request without committing. The return
385dnl traffic can't be identified, because the initial request wasn't committed.
386dnl For the first pair of ports, this means that the connection fails.
387NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
388NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4])
389
390dnl For the second pair, we allow packets from invalid connections, so it works.
391NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
392NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
393
394OVS_TRAFFIC_VSWITCHD_STOP
395AT_CLEANUP
396
397AT_SETUP([conntrack - zones])
398CHECK_CONNTRACK()
cf7659b6 399OVS_TRAFFIC_VSWITCHD_START()
400
401ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
402
403ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
404ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
405ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
406ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
407
408dnl Allow any traffic from ns0->ns1. Allow return traffic, matching on zone.
409dnl For ns2->ns3, use a different zone and see that the match fails.
410AT_DATA([flows.txt], [dnl
411priority=1,action=drop
412priority=10,arp,action=normal
413priority=10,icmp,action=normal
414priority=100,in_port=1,tcp,action=ct(commit,zone=1),2
415priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
416priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
417priority=100,in_port=3,tcp,action=ct(commit,zone=2),4
418priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0,zone=2)
419priority=100,in_port=4,ct_state=+trk,ct_zone=1,tcp,action=3
420])
421
6cfa8ec3 422AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
423
424dnl HTTP requests from p0->p1 should work fine.
425NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
426NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
427
428AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
429tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
430])
431
432dnl HTTP requests from p2->p3 should fail due to network failure.
433dnl Try 3 times, in 1 second intervals.
434NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
435NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
436
437AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
438tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=ESTABLISHED)
439])
440
441OVS_TRAFFIC_VSWITCHD_STOP
442AT_CLEANUP
443
444AT_SETUP([conntrack - zones from field])
445CHECK_CONNTRACK()
cf7659b6 446OVS_TRAFFIC_VSWITCHD_START()
447
448ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
449
450ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
451ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
452ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
453ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
454
455dnl Allow any traffic from ns0->ns1. Only allow neighbour discovery (ARP) and return traffic from ns1->ns0.
456AT_DATA([flows.txt], [dnl
457priority=1,action=drop
458priority=10,arp,action=normal
459priority=10,icmp,action=normal
460priority=100,in_port=1,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),2
461priority=100,in_port=2,ct_state=-trk,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
462priority=100,in_port=2,ct_state=+trk,ct_zone=0x1001,tcp,action=1
463priority=100,in_port=3,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),4
464priority=100,in_port=4,ct_state=-trk,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
465priority=100,in_port=4,ct_state=+trk,ct_zone=0x1001,tcp,action=3
466])
467
6cfa8ec3 468AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
469
470dnl HTTP requests from p0->p1 should work fine.
471NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
472NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
473
474AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
475tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=4097,protoinfo=(state=TIME_WAIT)
476])
477
478dnl HTTP requests from p2->p3 should fail due to network failure.
479dnl Try 3 times, in 1 second intervals.
480NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
481NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
482
483AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
484tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=4098,protoinfo=(state=ESTABLISHED)
485])
486
487OVS_TRAFFIC_VSWITCHD_STOP
488AT_CLEANUP
489
490AT_SETUP([conntrack - multiple bridges])
491CHECK_CONNTRACK()
492OVS_TRAFFIC_VSWITCHD_START(
cf7659b6 493 [_ADD_BR([br1]) --\
494 add-port br0 patch+ -- set int patch+ type=patch options:peer=patch- --\
495 add-port br1 patch- -- set int patch- type=patch options:peer=patch+ --])
496
497ADD_NAMESPACES(at_ns0, at_ns1)
498
499ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
500ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")
501
502dnl Allow any traffic from ns0->br1, allow established in reverse.
503AT_DATA([flows-br0.txt], [dnl
504priority=1,action=drop
505priority=10,arp,action=normal
506priority=10,icmp,action=normal
507priority=100,in_port=2,tcp,ct_state=-trk,action=ct(commit,zone=1),1
508priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
509priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=1,action=2
510])
511
512dnl Allow any traffic from br0->ns1, allow established in reverse.
513AT_DATA([flows-br1.txt], [dnl
514priority=1,action=drop
515priority=10,arp,action=normal
516priority=10,icmp,action=normal
517priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=2)
518priority=100,in_port=1,tcp,ct_state=+trk+new,ct_zone=2,action=ct(commit,zone=2),2
519priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=2,action=2
520priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
521priority=100,in_port=2,tcp,ct_state=+trk+est,ct_zone=2,action=ct(commit,zone=2),1
522])
523
524AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
525AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt])
526
527dnl HTTP requests from p0->p1 should work fine.
528NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
529NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
530
531OVS_TRAFFIC_VSWITCHD_STOP
532AT_CLEANUP
533
534AT_SETUP([conntrack - multiple zones])
535CHECK_CONNTRACK()
cf7659b6 536OVS_TRAFFIC_VSWITCHD_START()
537
538ADD_NAMESPACES(at_ns0, at_ns1)
539
540ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
541ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
542
543dnl Allow any traffic from ns0->ns1. Only allow neighbour discovery (ARP) and return traffic from ns1->ns0.
544AT_DATA([flows.txt], [dnl
545priority=1,action=drop
546priority=10,arp,action=normal
547priority=10,icmp,action=normal
548priority=100,in_port=1,tcp,action=ct(commit,zone=1),ct(commit,zone=2),2
549priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=2)
550priority=100,in_port=2,ct_state=+trk,ct_zone=2,tcp,action=1
551])
552
6cfa8ec3 553AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
554
555dnl HTTP requests from p0->p1 should work fine.
556NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
557NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
558
559dnl (again) HTTP requests from p0->p1 should work fine.
560NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
561
562AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
563tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=SYN_SENT)
564tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT)
565])
566
567OVS_TRAFFIC_VSWITCHD_STOP
568AT_CLEANUP
569
570AT_SETUP([conntrack - multiple zones, local])
571CHECK_CONNTRACK()
cf7659b6 572OVS_TRAFFIC_VSWITCHD_START()
573
574ADD_NAMESPACES(at_ns0)
575
576AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
577AT_CHECK([ip link set dev br0 up])
578on_exit 'ip addr del dev br0 "10.1.1.1/24"'
579ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
580
581dnl Allow traffic from local stack to ns0. Only allow neighbour discovery and
582dnl return traffic from ns0 back to the local stack.
583AT_DATA([flows.txt], [dnl
584priority=1,action=drop
585priority=10,arp,action=normal
586priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
587priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
588priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
589priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
590table=1,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
591table=2,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
592])
593
6cfa8ec3 594AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
595
596AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
5973 packets transmitted, 3 received, 0% packet loss, time 0ms
598])
599
600dnl HTTP requests from root namespace to p0 should work fine.
601NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
602AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
603
604dnl (again) HTTP requests from root namespace to p0 should work fine.
605AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
606
607AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
608icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=1
609icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=2
610tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
611tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT)
612])
613
614OVS_TRAFFIC_VSWITCHD_STOP
615AT_CLEANUP
616
617AT_SETUP([conntrack - multiple namespaces, internal ports])
618CHECK_CONNTRACK()
619OVS_TRAFFIC_VSWITCHD_START(
620 [set-fail-mode br0 secure -- ])
621
622ADD_NAMESPACES(at_ns0, at_ns1)
623
624ADD_INT(p0, at_ns0, br0, "10.1.1.1/24")
625ADD_INT(p1, at_ns1, br0, "10.1.1.2/24")
626
627dnl Allow any traffic from ns0->ns1. Only allow neighbour discovery (ARP) and return traffic from ns1->ns0.
628dnl
629dnl If skb->nfct is leaking from inside the namespace, this test will fail.
630AT_DATA([flows.txt], [dnl
631priority=1,action=drop
632priority=10,arp,action=normal
633priority=10,icmp,action=normal
634priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=1),2
635priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
636priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
637])
638
639AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
640
641dnl HTTP requests from p0->p1 should work fine.
642NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
643NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
644
645dnl (again) HTTP requests from p0->p1 should work fine.
646NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
647
648AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
649tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
650])
651
652OVS_TRAFFIC_VSWITCHD_STOP(["dnl
653/ioctl(SIOCGIFINDEX) on .* device failed: No such device/d
654/removing policing failed: No such device/d"])
655AT_CLEANUP
656
657AT_SETUP([conntrack - multi-stage pipeline, local])
658CHECK_CONNTRACK()
cf7659b6 659OVS_TRAFFIC_VSWITCHD_START()
660
661ADD_NAMESPACES(at_ns0)
662
663AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
664AT_CHECK([ip link set dev br0 up])
665on_exit 'ip addr del dev br0 "10.1.1.1/24"'
666ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
667
668dnl Allow traffic from local stack to ns0. Only allow neighbour discovery and
669dnl return traffic from ns0 back to the local stack.
670AT_DATA([flows.txt], [dnl
671dnl default
672table=0,priority=1,action=drop
673table=0,priority=10,arp,action=normal
674
675dnl Load the output port to REG0
676table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
677table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1
678
679dnl Ingress pipeline
680dnl - Allow all connections from LOCAL port (commit and proceed to egress)
681dnl - All other connections go through conntracker using the input port as
682dnl a connection tracking zone.
683table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2
684table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
685table=1,priority=1,action=drop
686
687dnl Egress pipeline
688dnl - Allow all connections from LOCAL port (commit and skip to output)
689dnl - Allow other established connections to go through conntracker using
690dnl output port as a connection tracking zone.
691table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4
692table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
693table=2,priority=1,action=drop
694
695dnl Only allow established traffic from egress ct lookup
696table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
697table=3,priority=1,action=drop
698
699dnl output table
700table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
701])
702
6cfa8ec3 703AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
704
705AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
7063 packets transmitted, 3 received, 0% packet loss, time 0ms
707])
708
709dnl HTTP requests from root namespace to p0 should work fine.
710NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
711AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
712
713dnl (again) HTTP requests from root namespace to p0 should work fine.
714AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
715
716AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
717icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=1
718icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=65534
719tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
720tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=65534,protoinfo=(state=TIME_WAIT)
721])
722
723OVS_TRAFFIC_VSWITCHD_STOP
724AT_CLEANUP
725
AT_SETUP([conntrack - ct_mark])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

dnl Four namespaces on one bridge.  The flows below address the veths by
dnl OpenFlow port number: p0..p3 are in_port=1..4, in ADD_VETH order.
ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow traffic between ns0<->ns1 using the ct_mark.
dnl Check that different marks do not match for traffic between ns2<->ns3.
dnl - in_port=1: every TCP connection is committed with ct_mark=1 and sent to
dnl   port 2.
dnl - in_port=2: untracked packets are first run through conntrack; only
dnl   tracked packets whose entry carries ct_mark=1 are forwarded to port 1.
dnl - in_port=3/4: same shape, but port 3 commits with ct_mark=2 while the
dnl   port 4 return rule still requires ct_mark=1, so every ns3->ns2 reply
dnl   falls through to the priority=1 drop.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:2->ct_mark)),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl The completed ns0->ns1 connection is in conntrack with mark=1.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=TIME_WAIT)
])

dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.  wget exits with 4 on network failure.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])

dnl The ns2->ns3 connection was committed with mark=2, but because its reply
dnl direction is dropped it stays ESTABLISHED instead of reaching TIME_WAIT
dnl like the successful connection above.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=ESTABLISHED)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
772
AT_SETUP([conntrack - ct_mark from register])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

dnl Same topology as the ct_mark test: p0..p3 are in_port=1..4.
ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Same policy as the ct_mark test, but the mark is not set directly: the
dnl value is first loaded into reg0 and then copied into ct_mark with a
dnl move: inside ct(exec(...)).  Port 1 commits mark 1, port 3 commits mark 2,
dnl and both return rules (ports 2 and 4) require ct_mark=1, so only the
dnl ns0<->ns1 connection can complete.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=load:1->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
priority=100,in_port=3,tcp,action=load:2->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl The value moved from reg0 must show up as mark=1 on the committed entry.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=TIME_WAIT)
])

dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])

dnl Committed with mark=2 from reg0; the reply direction never gets through,
dnl so the entry does not progress past ESTABLISHED.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=ESTABLISHED)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
818
AT_SETUP([conntrack - ct_label])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

dnl Same topology as the ct_mark tests: p0..p3 are in_port=1..4.
ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow traffic between ns0<->ns1 using the ct_label.
dnl Check that different labels do not match for traffic between ns2<->ns3.
dnl Port 1 commits the wide label 0x0a000d000005000001, port 3 commits 0x2;
dnl both return rules (ports 2 and 4) require the first label, so replies
dnl for the ns2<->ns3 connection hit the priority=1 drop.  Unlike the
dnl ct_mark tests this one checks only the wget outcomes, not the
dnl conntrack dump.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:0x0a000d000005000001->ct_label)),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=1
priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:0x2->ct_label)),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=4,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=3
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.  wget exits with 4 on network failure.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
857
AT_SETUP([conntrack - ICMP related])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
dnl UDP from port 1 is committed with ct_mark=1.  ICMP arriving on port 2 is
dnl first run through conntrack; it is forwarded to port 1 only if it comes
dnl out tracked and related to a committed entry carrying ct_mark=1.  Any
dnl unsolicited ICMP on port 2 therefore ends at the priority=1 drop.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,udp,action=ct(commit,exec(set_field:1->ct_mark)),2
priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,icmp,ct_state=+trk+rel,ct_mark=1,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl If we simulate a UDP request to a port that isn't serving any real traffic,
dnl then the destination responds with an ICMP "destination unreachable"
dnl message, it should be marked as "related".
dnl Both packets are injected with packet-out rather than sent from the
dnl namespaces.  First the UDP request 10.1.1.1 -> 10.1.1.2 enters on port 1
dnl and is resubmitted to table 0, where it is committed.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 resubmit\(,0\) 'dnl
0000 0000 0000 0000 0000 0000 0800 4500 dnl
001e bb85 4000 4011 6945 0a01 0101 0a01 dnl
0102 839c 1388 000a f1a6 610a'])

dnl Then an ICMP type 3 / code 3 (port unreachable) from 10.1.1.2 enters on
dnl port 2.  Its payload repeats the IP and UDP headers of the request above
dnl (same IP id bb85, same ports 839c/1388), which is what lets conntrack
dnl associate it with the committed UDP entry and flag it +rel.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'dnl
0000 0000 0000 0000 0000 0000 0800 45c0 dnl
003a 411e 0000 4001 22e1 0a01 0102 0a01 dnl
0101 0303 131d 0000 0000 dnl
4500 001e bb85 4000 4011 6945 0a01 0101 dnl
0a01 0102 839c 1388 000a f1a6 610a'])

dnl Purge the datapath flows so per-rule statistics are current, then check
dnl that each rule saw exactly one packet -- in particular the +rel rule
dnl that forwards the ICMP error to port 1.  Drop rules are filtered out.
AT_CHECK([ovs-appctl revalidator/purge], [0])
AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
 n_packets=1, n_bytes=44, priority=100,udp,in_port=1 actions=ct(commit,exec(load:0x1->NXM_NX_CT_MARK[[]])),output:2
 n_packets=1, n_bytes=72, priority=100,ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2 actions=output:1
 n_packets=1, n_bytes=72, priority=100,ct_state=-trk,icmp,in_port=2 actions=ct(table=0)
 priority=10,arp actions=NORMAL
NXST_FLOW reply:
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
904
AT_SETUP([conntrack - ICMP related 2])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "172.16.0.1/24")
ADD_VETH(p1, at_ns1, br0, "172.16.0.2/24")

dnl Untracked UDP from port 1 is committed and re-run through table 0; every
dnl tracked IP packet from port 1, and every tracked packet from port 2 that
dnl is both a reply and related to an existing entry, is sent to the
dnl controller so that it appears in the monitor log below.  Everything else
dnl (including ICMP errors that match no committed connection) is dropped.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,udp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=1,ip,ct_state=+trk,actions=controller
priority=100,in_port=2,ip,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,ip,ct_state=+trk+rel+rpl,action=controller
])

AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt])

dnl Capture packet-in messages; the log is the test's observation point.
AT_CAPTURE_FILE([ofctl_monitor.log])
AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])

dnl 1. Send an ICMP port unreach reply for port 8738, without any previous request
dnl    The embedded header refers to 172.16.0.3 -> 172.16.0.4, which conntrack
dnl    has never seen, so the packet comes out tracked but not related and
dnl    must not reach the controller.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f355ac100004ac1000030303553f0000000045000021317040004011b138ac100003ac10000411112222000d20966369616f0a'])

dnl 2. Send a UDP packet to port 5555 (172.16.0.1:41614 -> 172.16.0.2:5555),
dnl    committing the connection.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit,table=0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])

dnl 3. Send an ICMP port unreach reply for port 5555, related to the UDP packet
dnl    from step 2 (its payload repeats that packet's IP and UDP headers).
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])

dnl Check this output. We only see the latter two packets, not the first.
dnl The ICMP error from step 3 carries ct_state=rel|rpl|trk; the one from
dnl step 1 was dropped.
AT_CHECK([cat ofctl_monitor.log], [0], [dnl
NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=47 ct_state=new|trk,in_port=1 (via action) data_len=47 (unbuffered)
udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096
NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=75 ct_state=rel|rpl|trk,in_port=2 (via action) data_len=75 (unbuffered)
icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
948
AT_SETUP([conntrack - FTP])
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Policy 1: allow any TCP from ns0->ns1, committed with the FTP ALG so the
dnl data connections it announces become expectations.  From ns1->ns0 only
dnl tracked traffic that is established or related is allowed; nothing in
dnl that direction is ever committed.
AT_DATA([flows1.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
priority=100,in_port=2,tcp,ct_state=+trk+rel,action=1
])

dnl Similar policy but without allowing all traffic from ns0->ns1.
dnl Only new connections from port 1 are committed (with the FTP ALG), and
dnl new related connections from port 2 -- the server-initiated data
dnl connection of active FTP -- are committed separately so that their
dnl established traffic can match in both directions.
AT_DATA([flows2.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
priority=100,in_port=1,tcp,ct_state=+trk+est,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
priority=100,in_port=2,tcp,ct_state=+trk-new+rel,action=1
])

AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])

dnl An FTP server in each namespace, so both directions can be tried.
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])

dnl FTP requests from p1->p0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
dnl Nothing from port 2 is committed, so no entry for 10.1.1.1 is expected.
NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
])

dnl FTP requests from p0->p1 should work fine.
dnl Only the control connection (helper=ftp) shows up: with flows1 the related
dnl data connection from port 2 is forwarded but never committed.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
])

dnl Try the second set of flows.
AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
AT_CHECK([ovs-appctl dpctl/flush-conntrack])

dnl FTP requests from p1->p0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
])

dnl Active FTP requests from p0->p1 should work fine.
dnl Two entries now: the control connection (helper=ftp) and the data
dnl connection the server opened back to the client (orig src=10.1.1.2),
dnl which flows2 commits via the +trk+new+rel rule on port 2.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
])

AT_CHECK([ovs-appctl dpctl/flush-conntrack])

dnl Passive FTP requests from p0->p1 should work fine.
dnl In passive mode the client opens the data connection too, so both entries
dnl originate from 10.1.1.1; only the control connection carries helper=ftp.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1029
1030
AT_SETUP([conntrack - IPv6 FTP])
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl Allow new FTP control connections and established traffic from ns0->ns1.
dnl Only allow ICMPv6 (neighbor discovery), related and established return
dnl traffic from ns1->ns0.
AT_DATA([flows.txt], [dnl
dnl Track all IPv6 traffic and drop the rest.
dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked.
table=0 priority=100 in_port=1 icmp6, action=2
table=0 priority=100 in_port=2 icmp6, action=1
table=0 priority=10 ip6, action=ct(table=1)
table=0 priority=0 action=drop
dnl
dnl Table 1
dnl
dnl Allow new TCPv6 FTP control connections from port 1.
table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
dnl Allow related TCPv6 connections from port 2.
table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1
dnl Allow established TCPv6 connections both ways.
table=1 in_port=1 ct_state=+est, tcp6, action=2
table=1 in_port=2 ct_state=+est, tcp6, action=1
dnl Drop everything else.
table=1 priority=0, action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])

dnl FTP requests from p0->p1 should work fine.
dnl Active mode over IPv6: the server opens the data connection back to the
dnl client, which must be accepted as related.
NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])

dnl Discards CLOSE_WAIT and CLOSING
dnl Expect the control connection (helper=ftp) and the server-initiated data
dnl connection (orig src=fc00::2).
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2) | grep -v "FIN" | grep -v "CLOS"], [0], [dnl
tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
tcp,orig=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1079
1080
AT_SETUP([conntrack - FTP with multiple expectations])
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Dual-firewall, allow all from ns0->ns1, allow established and ftp ns1->ns0.
dnl Two conntrack zones emulate two firewalls in series.  Traffic from port 1
dnl is looked up in zone 1 and then zone 2; traffic from port 2 in zone 2 and
dnl then zone 1.  New connections from port 1 are committed with the FTP ALG
dnl in both zones, so each zone holds its own expectation for the data
dnl connection; related connections from port 2 are committed in both zones
dnl as well.  Note that the in_port=1,ct_zone=2,+new rule commits but has no
dnl output action, so such a packet is not forwarded.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=0,zone=2)
priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=2)
priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=0,zone=1)
priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])

dnl FTP requests from p1->p0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
dnl No new connection from port 2 is ever committed, so no entry is expected.
NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
])

dnl Active FTP requests from p0->p1 should work fine.
dnl Each connection appears once per zone: the control connection with
dnl helper=ftp, and the server-initiated data connection (orig src=10.1.1.2)
dnl that was accepted as related in both zones.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT),helper=ftp
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT),helper=ftp
tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT)
])

AT_CHECK([ovs-appctl dpctl/flush-conntrack])

dnl Passive FTP requests from p0->p1 should work fine.
dnl Both connections are now client-initiated (orig src=10.1.1.1), again one
dnl entry per zone; only the control connection carries helper=ftp.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT),helper=ftp
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT),helper=ftp
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1141
AT_SETUP([conntrack - IPv4 fragmentation ])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Sending ping through conntrack
dnl Echo requests from port 1 are committed in zone 9; replies from port 2
dnl are only forwarded once they are tracked and established (and not new),
dnl so the fragmented pings below only succeed if conntrack handles the
dnl fragments correctly.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv4 fragmentation connectivity check.
dnl 1600-byte payloads exceed a standard 1500-byte MTU, so each echo is split
dnl into two fragments.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv4 larger fragmentation connectivity check.
dnl 3200-byte payloads produce more than two fragments per echo.
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1179
AT_SETUP([conntrack - IPv4 fragmentation + vlan])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl VLAN 100 sub-interfaces on both veths; the pings below use the VLAN
dnl addresses, so every fragment is 802.1Q tagged when it reaches conntrack.
ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")

dnl Sending ping through conntrack
dnl Same policy as the untagged IPv4 fragmentation test: requests from port 1
dnl are committed in zone 9, replies from port 2 pass only when tracked and
dnl established.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv4 fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Ipv4 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1219
AT_SETUP([conntrack - IPv6 fragmentation])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl Sending ping through conntrack
dnl All IPv6 from port 1 is committed in zone 9; IPv6 from port 2 passes only
dnl once tracked and established.  Neighbor solicitation (135) and
dnl advertisement (136) bypass conntrack at a higher priority so the two
dnl namespaces can resolve each other.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Without this sleep, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
sleep 2;

dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl IPv6 fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl IPv6 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1262
AT_SETUP([conntrack - IPv6 fragmentation + vlan])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl VLAN 100 sub-interfaces; the pings below use the VLAN addresses.
ADD_VLAN(p0, at_ns0, 100, "fc00:1::3/96")
ADD_VLAN(p1, at_ns1, 100, "fc00:1::4/96")

dnl Sending ping through conntrack
dnl Same policy as the untagged IPv6 fragmentation test: commit in zone 9 from
dnl port 1, allow established return traffic from port 2, and let neighbor
dnl discovery (ICMPv6 types 135/136) bypass conntrack.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Without this sleep, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
sleep 2;

dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl IPv6 fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl IPv6 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1308
AT_SETUP([conntrack - Fragmentation over vxlan])
OVS_CHECK_VXLAN()
CHECK_CONNTRACK()

dnl br0 carries the overlay; br-underlay is a plain learning switch for the
dnl tunnel's outer packets.
OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Sending ping through conntrack
dnl The only port added to br0 is the vxlan tunnel (in_port=1, created by
dnl ADD_OVS_TUNNEL below); LOCAL is the host side of the overlay.  Decapsulated
dnl echo requests are committed in zone 9, and replies from LOCAL are
dnl tunnelled back only when tracked and established.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),LOCAL
priority=100,in_port=LOCAL,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=LOCAL,ct_state=+trk+est,icmp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([vxlan], [br0], [at_ns0], [172.31.1.1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
                  [id 0 dstport 4789])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with different packet sizes
dnl The 1600- and 3200-byte pings are fragmented before encapsulation, so the
dnl fragments arrive through the tunnel port and must be tracked in zone 9.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
AT_SETUP([conntrack - resubmit to ct multiple times])
CHECK_CONNTRACK()

dnl Secure fail mode: the bridge forwards nothing until flows are installed,
dnl so the counters below reflect only the flows in flows.txt.
OVS_TRAFFIC_VSWITCHD_START(
   [set-fail-mode br0 secure -- ])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl One IP packet from port 1 is resubmitted to table 1 and then to table 2.
dnl Each of those tables invokes ct(table=3), so the same packet must be
dnl recirculated into table 3 twice and dropped there both times.
AT_DATA([flows.txt], [dnl
table=0,priority=150,arp,action=normal
table=0,priority=100,ip,in_port=1,action=resubmit(,1),resubmit(,2)

table=1,priority=100,ip,action=ct(table=3)
table=2,priority=100,ip,action=ct(table=3)

table=3,ip,action=drop
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl The ping is expected to fail (table 3 drops everything); the flow
dnl statistics are what this test checks.
NS_CHECK_EXEC([at_ns0], [ping -q -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
1 packets transmitted, 0 received, 100% packet loss, time 0ms
])

dnl Tables 1 and 2 each saw the single 98-byte echo request once; table 3 must
dnl have counted it twice (n_packets=2, n_bytes=196), once per ct() invocation.
dnl The two ARP packets are presumably the request and its reply.
AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort], [0], [dnl
 n_packets=1, n_bytes=98, priority=100,ip,in_port=1 actions=resubmit(,1),resubmit(,2)
 n_packets=2, n_bytes=84, priority=150,arp actions=NORMAL
 table=1, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
 table=2, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
 table=3, n_packets=2, n_bytes=196, ip actions=drop
NXST_FLOW reply:
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
1399
1400
AT_SETUP([conntrack - simple SNAT])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0: the ARP responder in table 8 hands this address out for
dnl the whole SNAT range 10.1.1.240/28, so ns1 resolves any NATed source to ns0.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any IP traffic from ns0->ns1, SNATed to 10.1.1.240-10.1.1.255 in zone 1.
dnl Traffic from ns1 is first un-NATed by ct(nat) and then forwarded.
dnl NOTE(review): the in_port=2 forwarding flow matches ct_state=+trk only, so a
dnl connection originated by ns1 (tracked as +trk+new after ct) is forwarded to
dnl ns0 as well; this test does not exercise that direction. To admit return
dnl traffic only, match +trk+est as the more complex SNAT test does.
AT_DATA([flows.txt], [dnl
in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)
in_port=2,ct_state=+trk,ct_zone=1,ip,action=1
dnl
dnl ARP: requests are answered locally for NATed addresses (tables 8 and 10),
dnl other ARP is switched normally, everything else is dropped.
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0,action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0.
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, the SNAT range; it maps to p0's MAC.
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
table=10 priority=100 arp xreg0=0 action=normal
dnl Swaps the fields of the ARP message to turn a query to a response. The
dnl ingress port is saved in reg3 and in_port cleared so the reply can be
dnl output back through the port the request arrived on.
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])

dnl The reply tuple must carry a translated destination in 10.1.1.240-255; the
dnl sed masks the chosen address as 10.1.1.2XX so the comparison is stable.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP


AT_SETUP([conntrack - SNAT with port range])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0, handed out by the table 8 ARP responder for the SNAT range.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow TCP from ns0->ns1, SNATed to 10.1.1.240-10.1.1.255 with the source
dnl port forced into 34567-34568 (random: choose within the range instead of
dnl trying to keep the original port). On the way back only TCP addressed to
dnl those two ports is handed to conntrack; other untracked TCP from ns1 falls
dnl through to the priority=0 drop.
dnl NOTE(review): as in the simple SNAT test the in_port=2 forwarding flow
dnl matches ct_state=+trk only, so a connection initiated by ns1 towards one of
dnl the two ports would be tracked as +trk+new and forwarded too; matching
dnl +trk+est would limit ns1->ns0 to return traffic.
AT_DATA([flows.txt], [dnl
in_port=1,tcp,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255:34567-34568,random)),2
in_port=2,ct_state=-trk,tcp,tp_dst=34567,action=ct(table=0,zone=1,nat)
in_port=2,ct_state=-trk,tcp,tp_dst=34568,action=ct(table=0,zone=1,nat)
in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
dnl
dnl ARP: requests are answered locally for NATed addresses (tables 8 and 10),
dnl other ARP is switched normally, everything else is dropped.
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0,action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0.
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, the SNAT range; it maps to p0's MAC.
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
table=10 priority=100 arp xreg0=0 action=normal
dnl Swaps the fields of the ARP message to turn a query to a response. The
dnl ingress port is saved in reg3 and in_port cleared so the reply can be
dnl output back through the port the request arrived on.
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])

dnl The reply tuple must carry a translated destination in 10.1.1.240-255; the
dnl sed masks the chosen address as 10.1.1.2XX. Ports are cleared by FORMAT_CT,
dnl so the port range itself is only checked indirectly via the return flows.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP


AT_SETUP([conntrack - more complex SNAT])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0, handed out by the table 8 ARP responder for the SNAT range.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Unlike the simple SNAT test, every IP packet is sent through ct(nat) first
dnl and table 1 then decides on ct_state, so ns1->ns0 is limited to established
dnl connections.
AT_DATA([flows.txt], [dnl
dnl Track all IP traffic, NAT existing connections.
priority=100 ip action=ct(table=1,zone=1,nat)
dnl
dnl Allow ARP, but generate responses for NATed addresses
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0 action=drop
dnl
dnl Allow any traffic from ns0->ns1. SNAT ns0 to 10.1.1.240-10.1.1.255
dnl New connections are committed with the SNAT mapping; packets of established
dnl connections were already translated by table 0 and are simply forwarded.
table=1 priority=100 in_port=1 ip ct_state=+trk+new-est action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
table=1 priority=100 in_port=1 ip ct_state=+trk-new+est action=2
dnl Only allow established traffic from ns1->ns0.
table=1 priority=100 in_port=2 ip ct_state=+trk-new+est action=1
table=1 priority=0 action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, the SNAT range; it maps to p0's MAC.
table=8 priority=100 reg2=0x0a0101f0/0xfffffff0 action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
table=8 priority=0 action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl ARP TPA IP in reg2.
table=10 priority=100 arp xreg0=0 action=normal
dnl Swaps the fields of the ARP message to turn a query to a response. The
dnl ingress port is saved in reg3 and in_port cleared so the reply can be
dnl output back through the port the request arrived on.
table=10 priority=10 arp arp_op=1 action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])

dnl The reply tuple must carry a translated destination in 10.1.1.240-255; the
dnl sed masks the chosen address as 10.1.1.2XX so the comparison is stable.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - simple DNAT])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Fixed MAC for p1: the table 8 ARP responder returns it for the virtual IP
dnl 10.1.1.64, so ns0 can address the NATed service.
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])

dnl Allow any traffic from ns0->ns1; connections to the virtual IP 10.1.1.64 are
dnl DNATed to 10.1.1.2, everything else is committed untranslated. From ns1 only
dnl ARP and established (reverse-NATed) traffic is allowed back to ns0.
AT_DATA([flows.txt], [dnl
priority=100 in_port=1,ip,nw_dst=10.1.1.64,action=ct(zone=1,nat(dst=10.1.1.2),commit),2
priority=10 in_port=1,ip,action=ct(commit,zone=1),2
priority=100 in_port=2,ct_state=-trk,ip,action=ct(table=0,nat,zone=1)
priority=100 in_port=2,ct_state=+trk+est,ct_zone=1,ip,action=1
dnl
dnl ARP: requests are answered locally for the virtual IP (tables 8 and 10),
dnl other ARP is switched normally, everything else is dropped.
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0,action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64, the virtual IP; it maps to p1's MAC.
table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
table=10 priority=100 arp xreg0=0 action=normal
dnl Swaps the fields of the ARP message to turn a query to a response. The
dnl ingress port is saved in reg3 and in_port cleared so the reply can be
dnl output back through the port the request arrived on.
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Should work with the virtual IP address through NAT
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])

dnl orig carries the virtual destination, reply the real server address 10.1.1.2.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64) ], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
])

dnl Should work with the assigned IP address as well
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl Untranslated connection: orig and reply carry the same pair of addresses.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) ], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - more complex DNAT])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Fixed MAC for p1: the table 8 ARP responder returns it for the virtual IP
dnl 10.1.1.64, so ns0 can address the NATed service.
NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])

dnl Allow any traffic from ns0->ns1; connections to the virtual IP 10.1.1.64 are
dnl DNATed to 10.1.1.2. From ns1 only ARP and established (reverse-NATed)
dnl traffic is allowed back to ns0. Every IP packet is tracked in table 0 first,
dnl so table 1 can decide on ct_state for both directions.
AT_DATA([flows.txt], [dnl
dnl Track all IP traffic
table=0 priority=100 ip action=ct(table=1,zone=1,nat)
dnl
dnl Allow ARP, but generate responses for NATed addresses
table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
table=0 priority=10 arp action=normal
table=0 priority=0 action=drop
dnl
dnl Allow any IP traffic from ns0->ns1. DNAT ns0 from 10.1.1.64 to 10.1.1.2
dnl New connections are committed (translated or not); established ones were
dnl already translated by table 0 and are simply forwarded.
table=1 priority=100 in_port=1 ct_state=+new ip nw_dst=10.1.1.64 action=ct(zone=1,nat(dst=10.1.1.2),commit),2
table=1 priority=10 in_port=1 ct_state=+new ip action=ct(commit,zone=1),2
table=1 priority=100 in_port=1 ct_state=+est ct_zone=1 action=2
dnl Only allow established traffic from ns1->ns0.
table=1 priority=100 in_port=2 ct_state=+est ct_zone=1 action=1
table=1 priority=0 action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64, the virtual IP; it maps to p1's MAC.
table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
table=10 priority=100 arp xreg0=0 action=normal
dnl Swaps the fields of the ARP message to turn a query to a response. The
dnl ingress port is saved in reg3 and in_port cleared so the reply can be
dnl output back through the port the request arrived on.
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Should work with the virtual IP address through NAT
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])

dnl orig carries the virtual destination, reply the real server address 10.1.1.2.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64) ], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
])

dnl Should work with the assigned IP address as well
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl Untranslated connection: orig and reply carry the same pair of addresses.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) ], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - ICMP related with NAT])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0, handed out by the table 8 ARP responder for the SNAT range.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
dnl Make sure ICMP responses are reverse-NATted: the return flow requires
dnl nw_dst=10.1.1.1, which an ICMP error still addressed to the SNATed
dnl 10.1.1.240-255 source cannot satisfy, so an untranslated error is dropped.
dnl The ct_mark set on the UDP connection is expected to be visible on the
dnl related ICMP error, tying the reply to the policy that admitted the request.
AT_DATA([flows.txt], [dnl
in_port=1,udp,action=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:1->ct_mark)),2
in_port=2,icmp,ct_state=-trk,action=ct(table=0,nat)
in_port=2,icmp,nw_dst=10.1.1.1,ct_state=+trk+rel,ct_mark=1,action=1
dnl
dnl ARP: requests are answered locally for NATed addresses (tables 8 and 10),
dnl other ARP is switched normally, everything else is dropped.
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0,action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, the SNAT range; it maps to p0's MAC.
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
dnl Swaps the fields of the ARP message to turn a query to a response. The
dnl ingress port is saved in reg3 and in_port cleared so the reply can be
dnl output back through the port the request arrived on.
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
dnl We pass "-q 1" here to handle openbsd-style nc that can't quit immediately.
NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc -q 1 -u 10.1.1.2 10000"])

dnl Purge datapath flows so their statistics are attributed to the OpenFlow
dnl flows before the counters below are compared.
AT_CHECK([ovs-appctl revalidator/purge], [0])
dnl One UDP packet out and one related ICMP error back, each hitting exactly
dnl one flow per table; drop flows are excluded from the comparison.
AT_CHECK([ovs-ofctl -O OpenFlow15 dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
 n_packets=1, n_bytes=42, priority=10,arp actions=NORMAL
 n_packets=1, n_bytes=44, udp,in_port=1 actions=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:0x1->ct_mark)),output:2
 n_packets=1, n_bytes=72, ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2,nw_dst=10.1.1.1 actions=output:1
 n_packets=1, n_bytes=72, ct_state=-trk,icmp,in_port=2 actions=ct(table=0,nat)
 n_packets=2, n_bytes=84, priority=100,arp,arp_op=1 actions=move:NXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
 table=10, n_packets=1, n_bytes=42, priority=10,arp,arp_op=1 actions=set_field:2->arp_op,move:NXM_NX_ARP_SHA[[]]->NXM_NX_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_NX_ARP_SHA[[]],move:NXM_OF_ARP_SPA[[]]->NXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->NXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],set_field:0->in_port,output:NXM_NX_REG3[[0..15]]
 table=10, n_packets=1, n_bytes=42, priority=100,arp,reg0=0,reg1=0 actions=NORMAL
 table=8, n_packets=1, n_bytes=42, priority=0 actions=set_field:0->xreg0
 table=8, n_packets=1, n_bytes=42, reg2=0xa0101f0/0xfffffff0 actions=set_field:0x808888888888->xreg0
OFPST_FLOW reply (OF1.5):
])

dnl The UDP connection carries mark=1 and a reply destination inside the SNAT
dnl range, which the sed masks as 10.1.1.2XX.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),mark=1
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP


AT_SETUP([conntrack - FTP with NAT])
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
CHECK_CONNTRACK()

OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0, handed out by the table 8 ARP responder for the SNAT range.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow FTP from ns0->ns1, SNATed to 10.1.1.240. From ns1 only ARP, established
dnl return traffic, related ICMP and the active-mode data connection (recognised
dnl as related via the ftp helper) are allowed back to ns0.

AT_DATA([flows.txt], [dnl
dnl track all IP traffic, de-mangle non-NEW connections
dnl Splitting by in_port here makes tables 1 and 2 direction-specific, so they
dnl need no in_port match of their own.
table=0 in_port=1, ip, action=ct(table=1,nat)
table=0 in_port=2, ip, action=ct(table=2,nat)
dnl
dnl ARP
dnl
table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
table=0 priority=10 arp action=normal
table=0 priority=0 action=drop
dnl
dnl Table 1: port 1 -> 2
dnl
dnl Allow new FTP connections. These need to be committed. alg=ftp attaches the
dnl helper (helper=ftp in the conntrack dump below) so the data connection is
dnl later recognised as related.
table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
dnl Allow established TCP connections, make sure they are NATted already
dnl (an un-NATed 10.1.1.1 source falls through to the TCP drop below).
table=1 ct_state=+est, tcp, nw_src=10.1.1.240, action=2
dnl
dnl Table 1: droppers
dnl
table=1 priority=10, tcp, action=drop
table=1 priority=0,action=drop
dnl
dnl Table 2: port 2 -> 1
dnl
dnl Allow established TCP connections, make sure they are reverse NATted
table=2 ct_state=+est, tcp, nw_dst=10.1.1.1, action=1
dnl Allow (new) related (data) connections. These need to be committed.
dnl Matching nw_dst=10.1.1.240 restricts helper-created expectations to the
dnl NATed client address rather than arbitrary hosts.
table=2 ct_state=+new+rel, tcp, nw_dst=10.1.1.240, action=ct(commit,nat),1
dnl Allow related ICMP packets, make sure they are reverse NATted
table=2 ct_state=+rel, icmp, nw_dst=10.1.1.1, action=1
dnl
dnl Table 2: droppers
dnl
table=2 priority=10, tcp, action=drop
table=2 priority=0, action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, the SNAT range; it maps to p0's MAC.
dnl
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
dnl Swaps the fields of the ARP message to turn a query to a response. The
dnl ingress port is saved in reg3 and in_port cleared so the reply can be
dnl output back through the port the request arrived on.
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])

dnl FTP requests from p0->p1 should work fine. Active mode (--no-passive-ftp):
dnl the server opens the data connection back towards the SNATed client.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])

dnl Control connection (helper=ftp) and data connection, both translated to and
dnl from 10.1.1.240. Entries still in a FIN state are filtered out.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP


AT_SETUP([conntrack - FTP with NAT 2])
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0, handed out by the table 8 ARP responder for the SNAT range.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow FTP from ns0->ns1, SNATed to 10.1.1.240. From ns1 only ARP, established
dnl return traffic, related ICMP and the related active-mode data connection are
dnl allowed back to ns0.
dnl Unlike the previous FTP test, table 0 only tracks; translation is applied
dnl per flow in table 1 with ct(nat).
dnl NOTE(review): the established and related flows here do not pin the expected
dnl NAT addresses (nw_src/nw_dst) the way the previous test does, so the
dnl conntrack dump at the end is what verifies that translation took place.
AT_DATA([flows.txt], [dnl
dnl track all IP traffic (this includes a helper call to non-NEW packets.)
table=0 ip, action=ct(table=1)
dnl
dnl ARP
dnl
table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
table=0 priority=10 arp action=normal
table=0 priority=0 action=drop
dnl
dnl Table 1
dnl
dnl Allow new FTP connections. These need to be committed.
dnl This does helper for new packets.
table=1 in_port=1 ct_state=+new, tcp, tp_dst=21, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
dnl Allow and NAT established TCP connections
table=1 in_port=1 ct_state=+est, tcp, action=ct(nat),2
table=1 in_port=2 ct_state=+est, tcp, action=ct(nat),1
dnl Allow and NAT (new) related active (data) connections.
dnl These need to be committed.
table=1 in_port=2 ct_state=+new+rel, tcp, action=ct(commit,nat),1
dnl Allow related ICMP packets.
table=1 in_port=2 ct_state=+rel, icmp, action=ct(nat),1
dnl Drop everything else.
table=1 priority=0, action=drop
dnl
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, the SNAT range; it maps to p0's MAC.
dnl
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl TPA IP in reg2.
dnl Swaps the fields of the ARP message to turn a query to a response. The
dnl ingress port is saved in reg3 and in_port cleared so the reply can be
dnl output back through the port the request arrived on.
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])

dnl FTP requests from p0->p1 should work fine. Active mode (--no-passive-ftp):
dnl the server opens the data connection back towards the SNATed client.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])

dnl Discards CLOSE_WAIT and CLOSING (and FIN states); only the TIME_WAIT control
dnl and data connections, both translated to and from 10.1.1.240, are compared.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN" | grep -v "CLOS"], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - IPv6 HTTP with NAT])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl There is no neighbour-discovery responder in the flows below, so ns1 gets a
dnl static neighbour entry mapping the NATed address fc00::240 to p0's MAC.
NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])

dnl Allow any IPv6 traffic from ns0->ns1, SNATed to fc00::240. From ns1 only
dnl ICMPv6 (including neighbour discovery) and established return traffic are
dnl allowed back to ns0; a connection initiated by ns1 falls through to the drop.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,icmp6,action=normal
priority=100,in_port=1,ip6,action=ct(commit,nat(src=fc00::240)),2
priority=100,in_port=2,ct_state=-trk,ip6,action=ct(nat,table=0)
priority=100,in_port=2,ct_state=+trk+est,ip6,action=1
dnl Neighbour solicitations from ns1 for the NATed address are committed with
dnl their destination translated to fc00::1 and delivered to ns0.
priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::240,action=ct(commit,nat(dst=fc00::1)),1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Without this sleep, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
sleep 2;

dnl HTTP requests from ns0->ns1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])

NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl HTTP requests from ns1->ns0 should fail due to network failure (wget exit
dnl status 4): a connection initiated by ns1 is tracked as +trk+new after
dnl ct(nat), matches none of the in_port=2 allow flows and hits the drop.
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP


AT_SETUP([conntrack - IPv6 FTP with NAT])
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl Would be nice if NAT could translate neighbor discovery messages, too.
dnl Until then ns1 gets a static neighbour entry for the NATed address fc00::240.
NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])

dnl Allow FTP from ns0->ns1, SNATed to fc00::240. From ns1 only ICMPv6,
dnl established return traffic and the related active-mode data connection
dnl (towards the NATed address only) are allowed back to ns0.
AT_DATA([flows.txt], [dnl
dnl Allow other ICMPv6 both ways (without commit). These live in table 1, so
dnl ICMPv6 has already passed through ct(nat) in table 0 when they match.
table=1 priority=100 in_port=1 icmp6, action=2
table=1 priority=100 in_port=2 icmp6, action=1
dnl track all IPv6 traffic (this includes NAT & help to non-NEW packets.)
table=0 priority=10 ip6, action=ct(nat,table=1)
table=0 priority=0 action=drop
dnl
dnl Table 1
dnl
dnl Allow new TCPv6 FTP control connections.
table=1 in_port=1 ct_state=+new tcp6 ipv6_src=fc00::1 tp_dst=21 action=ct(alg=ftp,commit,nat(src=fc00::240)),2
dnl Allow related TCPv6 connections from port 2 to the NATted address.
dnl The ipv6_dst match restricts helper-created expectations to the NATed
dnl client address rather than arbitrary hosts.
table=1 in_port=2 ct_state=+new+rel tcp6 ipv6_dst=fc00::240 action=ct(commit,nat),1
dnl Allow established TCPv6 connections both ways, enforce NATting
dnl (un-NATed addresses in either direction fall through to the drop).
table=1 in_port=1 ct_state=+est tcp6 ipv6_src=fc00::240 action=2
table=1 in_port=2 ct_state=+est tcp6 ipv6_dst=fc00::1 action=1
dnl Drop everything else.
table=1 priority=0, action=drop
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])

dnl FTP requests from p0->p1 should work fine. Active mode (--no-passive-ftp):
dnl the server opens the data connection back towards the SNATed client.
NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])

dnl Discards CLOSE_WAIT and CLOSING (and FIN states); only the TIME_WAIT control
dnl and data connections, both translated to and from fc00::240, are compared.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2) | grep -v "FIN" | grep -v "CLOS"], [0], [dnl
tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
tcp,orig=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP