ofp-actions: Add truncate action.
d7c5426b 1AT_BANNER([datapath-sanity])
69c2bdfe 2
d7c5426b 3AT_SETUP([datapath - ping between two ports])
4OVS_TRAFFIC_VSWITCHD_START()
5
6AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
7
8ADD_NAMESPACES(at_ns0, at_ns1)
9
10ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
11ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
12
de22d08f 13NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
cfe17b43 143 packets transmitted, 3 received, 0% packet loss, time 0ms
15])
16NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
cfe17b43 173 packets transmitted, 3 received, 0% packet loss, time 0ms
18])
19NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
203 packets transmitted, 3 received, 0% packet loss, time 0ms
21])
22
d7c5426b 23OVS_TRAFFIC_VSWITCHD_STOP
24AT_CLEANUP
25
26AT_SETUP([datapath - http between two ports])
27OVS_TRAFFIC_VSWITCHD_START()
28
29AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
30
31ADD_NAMESPACES(at_ns0, at_ns1)
32
33ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
34ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
35
36NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
373 packets transmitted, 3 received, 0% packet loss, time 0ms
38])
39
40NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
41NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
42
43OVS_TRAFFIC_VSWITCHD_STOP
44AT_CLEANUP
45
d7c5426b 46AT_SETUP([datapath - ping between two ports on vlan])
47OVS_TRAFFIC_VSWITCHD_START()
48
49AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
50
51ADD_NAMESPACES(at_ns0, at_ns1)
52
53ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
54ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
55
56ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
57ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
58
de22d08f 59NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
cfe17b43 603 packets transmitted, 3 received, 0% packet loss, time 0ms
61])
62NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
cfe17b43 633 packets transmitted, 3 received, 0% packet loss, time 0ms
64])
65NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
663 packets transmitted, 3 received, 0% packet loss, time 0ms
67])
68
d7c5426b 69OVS_TRAFFIC_VSWITCHD_STOP
70AT_CLEANUP
71
d7c5426b 72AT_SETUP([datapath - ping6 between two ports])
73OVS_TRAFFIC_VSWITCHD_START()
74
75AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
76
77ADD_NAMESPACES(at_ns0, at_ns1)
78
79ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
80ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
81
82dnl Linux seems to take a little time to get its IPv6 stack in order. Without
83dnl waiting, we get occasional failures due to the following error:
cfe17b43 84dnl "connect: Cannot assign requested address"
c10840ff 85OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
cfe17b43 86
de22d08f 87NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
cfe17b43 883 packets transmitted, 3 received, 0% packet loss, time 0ms
89])
90NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
cfe17b43 913 packets transmitted, 3 received, 0% packet loss, time 0ms
92])
93NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
943 packets transmitted, 3 received, 0% packet loss, time 0ms
95])
96
d7c5426b 97OVS_TRAFFIC_VSWITCHD_STOP
98AT_CLEANUP
99
d7c5426b 100AT_SETUP([datapath - ping6 between two ports on vlan])
101OVS_TRAFFIC_VSWITCHD_START()
102
103AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
104
105ADD_NAMESPACES(at_ns0, at_ns1)
106
107ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
108ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
109
110ADD_VLAN(p0, at_ns0, 100, "fc00:1::1/96")
111ADD_VLAN(p1, at_ns1, 100, "fc00:1::2/96")
112
113dnl Linux seems to take a little time to get its IPv6 stack in order. Without
114dnl waiting, we get occasional failures due to the following error:
cfe17b43 115dnl "connect: Cannot assign requested address"
c10840ff 116OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
cfe17b43 117
de22d08f 118NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
cfe17b43 1193 packets transmitted, 3 received, 0% packet loss, time 0ms
120])
121NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
cfe17b43 1223 packets transmitted, 3 received, 0% packet loss, time 0ms
123])
124NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
1253 packets transmitted, 3 received, 0% packet loss, time 0ms
126])
127
d7c5426b 128OVS_TRAFFIC_VSWITCHD_STOP
69c2bdfe 129AT_CLEANUP
130
131AT_SETUP([datapath - ping over vxlan tunnel])
dfb21e96 132OVS_CHECK_VXLAN()
810e1785 133
134OVS_TRAFFIC_VSWITCHD_START()
135ADD_BR([br-underlay])
136
137AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
138AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
139
140ADD_NAMESPACES(at_ns0)
141
142dnl Set up underlay link from host into the namespace using veth pair.
143ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
144AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
145AT_CHECK([ip link set dev br-underlay up])
146
147dnl Set up tunnel endpoints on OVS outside the namespace and with a native
148dnl linux device inside the namespace.
149ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
150ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
151 [id 0 dstport 4789])
152
153dnl First, check the underlay
154NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
1553 packets transmitted, 3 received, 0% packet loss, time 0ms
156])
157
158dnl Okay, now check the overlay with different packet sizes
159NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1603 packets transmitted, 3 received, 0% packet loss, time 0ms
161])
162NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1633 packets transmitted, 3 received, 0% packet loss, time 0ms
164])
165NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1663 packets transmitted, 3 received, 0% packet loss, time 0ms
167])
168
169OVS_TRAFFIC_VSWITCHD_STOP
170AT_CLEANUP
171
172AT_SETUP([datapath - ping over gre tunnel])
173OVS_CHECK_GRE()
174
175OVS_TRAFFIC_VSWITCHD_START()
176ADD_BR([br-underlay])
177
178AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
179AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
180
181ADD_NAMESPACES(at_ns0)
182
183dnl Set up underlay link from host into the namespace using veth pair.
184ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
185AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
186AT_CHECK([ip link set dev br-underlay up])
187
188dnl Set up tunnel endpoints on OVS outside the namespace and with a native
189dnl linux device inside the namespace.
190ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
191ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24])
192
193dnl First, check the underlay
194NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
1953 packets transmitted, 3 received, 0% packet loss, time 0ms
196])
197
198dnl Okay, now check the overlay with different packet sizes
199NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
2003 packets transmitted, 3 received, 0% packet loss, time 0ms
201])
202NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
2033 packets transmitted, 3 received, 0% packet loss, time 0ms
204])
205NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
2063 packets transmitted, 3 received, 0% packet loss, time 0ms
207])
208
209OVS_TRAFFIC_VSWITCHD_STOP
210AT_CLEANUP
211
212AT_SETUP([datapath - ping over geneve tunnel])
213OVS_CHECK_GENEVE()
214
215OVS_TRAFFIC_VSWITCHD_START()
216ADD_BR([br-underlay])
217
218AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
219AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
220
221ADD_NAMESPACES(at_ns0)
222
223dnl Set up underlay link from host into the namespace using veth pair.
224ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
225AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
226AT_CHECK([ip link set dev br-underlay up])
227
228dnl Set up tunnel endpoints on OVS outside the namespace and with a native
229dnl linux device inside the namespace.
230ADD_OVS_TUNNEL([geneve], [br0], [at_gnv0], [172.31.1.1], [10.1.1.100/24])
231ADD_NATIVE_TUNNEL([geneve], [ns_gnv0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
232 [vni 0])
233
234dnl First, check the underlay
235NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
2363 packets transmitted, 3 received, 0% packet loss, time 0ms
237])
238
239dnl Okay, now check the overlay with different packet sizes
240NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
2413 packets transmitted, 3 received, 0% packet loss, time 0ms
242])
243NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
2443 packets transmitted, 3 received, 0% packet loss, time 0ms
245])
246NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
2473 packets transmitted, 3 received, 0% packet loss, time 0ms
248])
249
250OVS_TRAFFIC_VSWITCHD_STOP
251AT_CLEANUP
07659514 252
253AT_SETUP([datapath - basic truncate action])
254OVS_TRAFFIC_VSWITCHD_START()
255AT_CHECK([ovs-ofctl del-flows br0])
256
257dnl Create p0 and ovs-p0(1)
258ADD_NAMESPACES(at_ns0)
259ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
260NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
261NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
262
263dnl Create p1(3) and ovs-p1(2), packets received from ovs-p1 will appear in p1
264AT_CHECK([ip link add p1 type veth peer name ovs-p1])
265on_exit 'ip link del ovs-p1'
266AT_CHECK([ip link set dev ovs-p1 up])
267AT_CHECK([ip link set dev p1 up])
268AT_CHECK([ovs-vsctl add-port br0 ovs-p1 -- set interface ovs-p1 ofport_request=2])
269dnl Use p1 to check the truncated packet
270AT_CHECK([ovs-vsctl add-port br0 p1 -- set interface p1 ofport_request=3])
271
272dnl Create p2(5) and ovs-p2(4)
273AT_CHECK([ip link add p2 type veth peer name ovs-p2])
274on_exit 'ip link del ovs-p2'
275AT_CHECK([ip link set dev ovs-p2 up])
276AT_CHECK([ip link set dev p2 up])
277AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=4])
278dnl Use p2 to check the truncated packet
279AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=5])
280
281dnl basic test
282AT_CHECK([ovs-ofctl del-flows br0])
283AT_DATA([flows.txt], [dnl
284in_port=3 dl_dst=e6:66:c1:22:22:22 actions=drop
285in_port=5 dl_dst=e6:66:c1:22:22:22 actions=drop
286in_port=1 dl_dst=e6:66:c1:22:22:22 actions=output(port=2,max_len=100),output:4
287])
288AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
289
290dnl use this file as payload file for ncat
291AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
292on_exit 'rm -f payload200.bin'
293NS_CHECK_EXEC([at_ns0], [nc -u 10.1.1.2 1234 < payload200.bin])
294
295dnl packet with truncated size
296AT_CHECK([ovs-appctl revalidator/purge], [0])
297AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
298n_bytes=100
299])
300dnl packet with original size
301AT_CHECK([ovs-appctl revalidator/purge], [0])
302AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
303n_bytes=242
304])
305
306dnl more complicated output actions
307AT_CHECK([ovs-ofctl del-flows br0])
308AT_DATA([flows.txt], [dnl
309in_port=3 dl_dst=e6:66:c1:22:22:22 actions=drop
310in_port=5 dl_dst=e6:66:c1:22:22:22 actions=drop
311in_port=1 dl_dst=e6:66:c1:22:22:22 actions=output(port=2,max_len=100),output:4,output(port=2,max_len=100),output(port=4,max_len=100),output:2,output(port=4,max_len=200),output(port=2,max_len=65535)
312])
313AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
314
315NS_CHECK_EXEC([at_ns0], [nc -u 10.1.1.2 1234 < payload200.bin])
316
317dnl 100 + 100 + 242 + min(65535,242) = 684
318AT_CHECK([ovs-appctl revalidator/purge], [0])
319AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
320n_bytes=684
321])
322dnl 242 + 100 + min(242,200) = 542
323AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
324n_bytes=542
325])
326
327dnl SLOW_ACTION: disable kernel datapath truncate support
328dnl Repeat the test above, but exercise the SLOW_ACTION code path
329AT_CHECK([ovs-appctl dpif/disable-truncate], [0],
330[Datapath truncate action diabled
331])
332
333dnl SLOW_ACTION test1: check datapath actions
334AT_CHECK([ovs-ofctl del-flows br0])
335AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
336
337CHECK_KERNEL_DP(
338AT_CHECK([ovs-appctl ofproto/trace system 'in_port(2),eth(src=e6:66:c1:11:11:11,dst=e6:66:c1:22:22:22),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=6,tos=4,ttl=128,frag=no),tcp(src=8,dst=9)'], [0], [stdout])
339AT_CHECK([tail -3 stdout], [0],
340[Datapath actions: trunc(100),3,5,trunc(100),3,trunc(100),5,3,trunc(200),5,trunc(65535),3
341This flow is handled by the userspace slow path because it:
342 - Uses action(s) not supported by datapath.
343])
344)
345
346dnl SLOW_ACTION test2: check actual packet truncate
347AT_CHECK([ovs-ofctl del-flows br0])
348AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
349NS_CHECK_EXEC([at_ns0], [nc -u 10.1.1.2 1234 < payload200.bin])
350
351dnl 100 + 100 + 242 + min(65535,242) = 684
352AT_CHECK([ovs-appctl revalidator/purge], [0])
353AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
354n_bytes=684
355])
356
357dnl 242 + 100 + min(242,200) = 542
358AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
359n_bytes=542
360])
361
362OVS_TRAFFIC_VSWITCHD_STOP
363AT_CLEANUP
364
365dnl Create 2 bridges and 2 namespaces to test truncate over
366dnl GRE tunnel:
367dnl br0: overlay bridge
368dnl ns1: connect to br0, with IP:10.1.1.2
369dnl br-underlay: with IP: 172.31.1.100
370dnl ns0: connect to br-underlay, with IP: 10.1.1.1
371AT_SETUP([datapath - truncate and output to gre tunnel])
372OVS_CHECK_GRE()
373OVS_TRAFFIC_VSWITCHD_START()
374
375ADD_BR([br-underlay])
376ADD_NAMESPACES(at_ns0)
377ADD_NAMESPACES(at_ns1)
378AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
379AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
380
381dnl Set up underlay link from host into the namespace using veth pair.
382ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
383AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
384AT_CHECK([ip link set dev br-underlay up])
385
386dnl Set up tunnel endpoints on OVS outside the namespace and with a native
387dnl linux device inside the namespace.
388ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
389ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24])
390AT_CHECK([ovs-vsctl -- set interface at_gre0 ofport_request=1])
391NS_CHECK_EXEC([at_ns0], [ip link set dev ns_gre0 address e6:66:c1:11:11:11])
392NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
393
394dnl Set up (p1 and ovs-p1) at br0
395ADD_VETH(p1, at_ns1, br0, '10.1.1.2/24')
396AT_CHECK([ovs-vsctl -- set interface ovs-p1 ofport_request=2])
397NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
398NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
399
400dnl Set up (p2 and ovs-p2) as loopback for verifying packet size
401AT_CHECK([ip link add p2 type veth peer name ovs-p2])
402on_exit 'ip link del ovs-p2'
403AT_CHECK([ip link set dev ovs-p2 up])
404AT_CHECK([ip link set dev p2 up])
405AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=3])
406AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=4])
407
408dnl use this file as payload file for ncat
409AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
410on_exit 'rm -f payload200.bin'
411
412AT_CHECK([ovs-ofctl del-flows br0])
413AT_DATA([flows.txt], [dnl
414priority=99,in_port=1,actions=output(port=2,max_len=100),output(port=3,max_len=100)
415priority=99,in_port=2,udp,actions=output(port=1,max_len=100)
416priority=1,in_port=4,ip,actions=drop
417priority=1,actions=drop
418])
419AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
420
421AT_CHECK([ovs-ofctl del-flows br-underlay])
422AT_DATA([flows-underlay.txt], [dnl
423priority=99,dl_type=0x0800,nw_proto=47,in_port=1,actions=LOCAL
424priority=99,dl_type=0x0800,nw_proto=47,in_port=LOCAL,ip_dst=172.31.1.1/24,actions=1
425priority=1,actions=drop
426])
427
428AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])
429
430dnl check tunnel push path, from at_ns1 to at_ns0
431NS_CHECK_EXEC([at_ns1], [nc -u 10.1.1.1 1234 < payload200.bin])
432AT_CHECK([ovs-appctl revalidator/purge], [0])
433
434dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
435AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
436n_bytes=242
437])
438dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
439AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
440n_bytes=138
441])
442
443dnl check tunnel pop path, from at_ns0 to at_ns1
444NS_CHECK_EXEC([at_ns0], [nc -u 10.1.1.2 5678 < payload200.bin])
445dnl After truncation = 100 byte at loopback device p2(4)
446AT_CHECK([ovs-appctl revalidator/purge], [0])
447AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | awk --field-separator=', ' '{print $5}'], [0], [dnl
448n_bytes=100
449])
450
451dnl SLOW_ACTION: disable datapath truncate support
452dnl Repeat the test above, but exercise the SLOW_ACTION code path
453AT_CHECK([ovs-appctl dpif/disable-truncate], [0],
454[Datapath truncate action diabled
455])
456
457dnl SLOW_ACTION test1: check datapath actions
458AT_CHECK([ovs-ofctl del-flows br0])
459AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
460
461CHECK_KERNEL_DP(
462AT_CHECK([ovs-appctl ofproto/trace system 'in_port(5),eth(src=e6:66:c1:11:11:11,dst=e6:66:c1:22:22:22),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=17,tos=4,ttl=128,frag=no),udp(src=8,dst=9)'], [0], [stdout])
463AT_CHECK([tail -3 stdout], [0],
464[Datapath actions: trunc(100),set(tunnel(dst=172.31.1.1,ttl=64,flags(df))),4
465This flow is handled by the userspace slow path because it:
466 - Uses action(s) not supported by datapath.
467])
468)
469
470dnl SLOW_ACTION test2: check actual packet truncate
471AT_CHECK([ovs-ofctl del-flows br0])
472AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
473AT_CHECK([ovs-ofctl del-flows br-underlay])
474AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])
475
476dnl check tunnel push path, from at_ns1 to at_ns0
477NS_CHECK_EXEC([at_ns1], [nc -u 10.1.1.1 1234 < payload200.bin])
478AT_CHECK([ovs-appctl revalidator/purge], [0])
479
480dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
481AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
482n_bytes=242
483])
484dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
485AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
486n_bytes=138
487])
488
489dnl check tunnel pop path, from at_ns0 to at_ns1
490NS_CHECK_EXEC([at_ns0], [nc -u 10.1.1.2 5678 < payload200.bin])
491dnl After truncation = 100 byte at loopback device p2(4)
492AT_CHECK([ovs-appctl revalidator/purge], [0])
493AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | awk --field-separator=', ' '{print $5}'], [0], [dnl
494n_bytes=100
495])
496
497OVS_TRAFFIC_VSWITCHD_STOP
498AT_CLEANUP
499
500AT_SETUP([conntrack - controller])
501CHECK_CONNTRACK()
cf7659b6 502OVS_TRAFFIC_VSWITCHD_START()
503
504ADD_NAMESPACES(at_ns0, at_ns1)
505
506ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
507ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
508
509dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
510AT_DATA([flows.txt], [dnl
511priority=1,action=drop
512priority=10,arp,action=normal
513priority=100,in_port=1,udp,action=ct(commit),controller
514priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
515priority=100,in_port=2,ct_state=+trk+est,udp,action=controller
516])
517
6cfa8ec3 518AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
519
520AT_CAPTURE_FILE([ofctl_monitor.log])
521AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
522
523dnl Send an unsolicited reply from port 2. This should be dropped.
524AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
525
526dnl OK, now start a new connection from port 1.
527AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit\),controller '50540000000a50540000000908004500001c00000000001100000a0101010a0101020001000200080000'])
528
529dnl Now try a reply from port 2.
530AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
531
532dnl Check this output. We only see the latter two packets, not the first.
533AT_CHECK([cat ofctl_monitor.log], [0], [dnl
f274a047 534NXT_PACKET_IN2 (xid=0x0): total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
07659514 535udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
f274a047 536NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
537udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
538])
539
540OVS_TRAFFIC_VSWITCHD_STOP
541AT_CLEANUP
542
543AT_SETUP([conntrack - IPv4 HTTP])
544CHECK_CONNTRACK()
cf7659b6 545OVS_TRAFFIC_VSWITCHD_START()
546
547ADD_NAMESPACES(at_ns0, at_ns1)
548
549ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
550ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
551
552dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
553AT_DATA([flows.txt], [dnl
554priority=1,action=drop
555priority=10,arp,action=normal
556priority=10,icmp,action=normal
557priority=100,in_port=1,tcp,action=ct(commit),2
558priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
559priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
560])
561
6cfa8ec3 562AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
563
564dnl Basic connectivity check.
565NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 >/dev/null])
566
567dnl HTTP requests from ns0->ns1 should work fine.
568NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
569NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
570
ec3aa16c 571AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
420c73b2 572tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
573])
574
575dnl HTTP requests from ns1->ns0 should fail due to network failure.
576dnl Try 3 times, in 1 second intervals.
577NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
578NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log], [4])
579
580OVS_TRAFFIC_VSWITCHD_STOP
581AT_CLEANUP
582
583AT_SETUP([conntrack - IPv6 HTTP])
584CHECK_CONNTRACK()
cf7659b6 585OVS_TRAFFIC_VSWITCHD_START()
586
587ADD_NAMESPACES(at_ns0, at_ns1)
588
589ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
590ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
591
592dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
593AT_DATA([flows.txt], [dnl
594priority=1,action=drop
595priority=10,icmp6,action=normal
596priority=100,in_port=1,tcp6,action=ct(commit),2
597priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
598priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
599])
600
6cfa8ec3 601AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
07659514 602
603dnl Linux seems to take a little time to get its IPv6 stack in order. Without
604dnl waiting, we get occasional failures due to the following error:
07659514 605dnl "connect: Cannot assign requested address"
c10840ff 606OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
607
608dnl HTTP requests from ns0->ns1 should work fine.
609NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])
610
611NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
612
ec3aa16c 613AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
420c73b2 614tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
615])
616
617dnl HTTP requests from ns1->ns0 should fail due to network failure.
618dnl Try 3 times, in 1 second intervals.
619NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
620NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
621
622OVS_TRAFFIC_VSWITCHD_STOP
623AT_CLEANUP
624
625AT_SETUP([conntrack - commit, recirc])
626CHECK_CONNTRACK()
cf7659b6 627OVS_TRAFFIC_VSWITCHD_START()
628
629ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
630
631ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
632ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
633ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
634ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
635
636dnl Allow any traffic from ns0->ns1, ns2->ns3.
637AT_DATA([flows.txt], [dnl
638priority=1,action=drop
639priority=10,arp,action=normal
640priority=10,icmp,action=normal
641priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
642priority=100,in_port=1,tcp,ct_state=+trk,action=2
643priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
644priority=100,in_port=2,tcp,ct_state=+trk,action=1
645priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
646priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
647priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
648priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
649priority=100,in_port=4,tcp,ct_state=+trk,action=3
650])
651
6cfa8ec3 652AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
653
654dnl HTTP requests from p0->p1 should work fine.
655NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
656NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
657
658dnl HTTP requests from p2->p3 should work fine.
659NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
660NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
661
662OVS_TRAFFIC_VSWITCHD_STOP
663AT_CLEANUP
664
665AT_SETUP([conntrack - preserve registers])
666CHECK_CONNTRACK()
cf7659b6 667OVS_TRAFFIC_VSWITCHD_START()
668
669ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
670
671ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
672ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
673ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
674ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
675
676dnl Allow any traffic from ns0->ns1, ns2->ns3.
677AT_DATA([flows.txt], [dnl
678priority=1,action=drop
679priority=10,arp,action=normal
680priority=10,icmp,action=normal
681priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
682priority=100,in_port=1,tcp,ct_state=+trk,action=2
683priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
684priority=100,in_port=2,tcp,ct_state=+trk,action=1
685priority=100,in_port=3,tcp,ct_state=-trk,action=load:0->NXM_NX_REG0[[]],ct(table=0)
686priority=100,in_port=3,tcp,ct_state=+trk,reg0=0,action=load:1->NXM_NX_REG0[[]],ct(commit,table=0)
687priority=100,in_port=3,tcp,ct_state=+trk,reg0=1,action=4
688priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
689priority=100,in_port=4,tcp,ct_state=+trk,action=3
690])
691
6cfa8ec3 692AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
693
694dnl HTTP requests from p0->p1 should work fine.
695NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
696NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
697
698dnl HTTP requests from p2->p3 should work fine.
699NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
700NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
701
702OVS_TRAFFIC_VSWITCHD_STOP
703AT_CLEANUP
704
705AT_SETUP([conntrack - invalid])
706CHECK_CONNTRACK()
cf7659b6 707OVS_TRAFFIC_VSWITCHD_START()
708
709ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
710
711ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
712ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
713ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
714ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
715
716dnl Pass traffic from ns0->ns1 without committing, but attempt to track in
717dnl the opposite direction. This should fail.
718dnl Pass traffic from ns3->ns4 without committing, and this time match
719dnl invalid traffic and allow it through.
720AT_DATA([flows.txt], [dnl
721priority=1,action=drop
722priority=10,arp,action=normal
723priority=10,icmp,action=normal
724priority=100,in_port=1,tcp,action=ct(),2
725priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
726priority=100,in_port=2,ct_state=+trk+new,tcp,action=1
727priority=100,in_port=3,tcp,action=ct(),4
728priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
729priority=100,in_port=4,ct_state=+trk+inv,tcp,action=3
730priority=100,in_port=4,ct_state=+trk+new,tcp,action=3
731])
732
6cfa8ec3 733AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
734
735dnl We set up our rules to allow the request without committing. The return
736dnl traffic can't be identified, because the initial request wasn't committed.
737dnl For the first pair of ports, this means that the connection fails.
738NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
739NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4])
740
741dnl For the second pair, we allow packets from invalid connections, so it works.
742NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
743NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
744
745OVS_TRAFFIC_VSWITCHD_STOP
746AT_CLEANUP
747
748AT_SETUP([conntrack - zones])
dnl Purpose: conntrack zones are independent tables. A connection committed
dnl in one zone is not visible to a match against another zone, so a reply
dnl checked against the wrong zone is dropped.
749CHECK_CONNTRACK()
cf7659b6 750OVS_TRAFFIC_VSWITCHD_START()
07659514
JS
751
752ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
753
dnl Ports: p0=1, p1=2, p2=3, p3=4 (creation order).
754ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
755ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
756ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
757ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
758
759dnl Allow any traffic from ns0->ns1. Allow return traffic, matching on zone.
760dnl For ns2->ns3, use a different zone and see that the match fails.
dnl Port 3->4 commits and looks up in zone 2, but the reply rule for port 4
dnl still requires ct_zone=1, so return traffic never matches and falls to
dnl the priority=1 drop.
761AT_DATA([flows.txt], [dnl
762priority=1,action=drop
763priority=10,arp,action=normal
764priority=10,icmp,action=normal
765priority=100,in_port=1,tcp,action=ct(commit,zone=1),2
766priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
767priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
768priority=100,in_port=3,tcp,action=ct(commit,zone=2),4
769priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0,zone=2)
770priority=100,in_port=4,ct_state=+trk,ct_zone=1,tcp,action=3
771])
772
6cfa8ec3 773AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
07659514
JS
774
775dnl HTTP requests from p0->p1 should work fine.
776NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
777NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
778
dnl The ns0->ns1 connection is recorded in zone 1.
ec3aa16c 779AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
420c73b2 780tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
07659514
JS
781])
782
783dnl HTTP requests from p2->p3 should fail due to network failure.
784dnl Try 3 times, in 1 second intervals.
785NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
786NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
787
dnl The zone 2 entry exists because the request was committed there; only the
dnl reply direction was dropped by the zone mismatch.
ec3aa16c 788AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
420c73b2 789tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
07659514
JS
790])
791
792OVS_TRAFFIC_VSWITCHD_STOP
793AT_CLEANUP
794
795AT_SETUP([conntrack - zones from field])
dnl Purpose: the zone argument of ct() may be taken from a register rather
dnl than a literal; the zone still isolates connections exactly as before.
796CHECK_CONNTRACK()
cf7659b6 797OVS_TRAFFIC_VSWITCHD_START()
07659514
JS
798
799ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
800
dnl Ports: p0=1, p1=2, p2=3, p3=4 (creation order).
801ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
802ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
803ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
804ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
805
806dnl The zone is loaded into REG0 bits 0..15 and read back by ct().
dnl ns0->ns1 commits and looks up in zone 0x1001 (4097) and the reply rule
dnl matches ct_zone=0x1001, so it works. ns2->ns3 uses zone 0x1002 (4098)
dnl for both commit and lookup, but its reply rule still requires
dnl ct_zone=0x1001, so return traffic is dropped.
807AT_DATA([flows.txt], [dnl
808priority=1,action=drop
809priority=10,arp,action=normal
810priority=10,icmp,action=normal
811priority=100,in_port=1,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),2
812priority=100,in_port=2,ct_state=-trk,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
813priority=100,in_port=2,ct_state=+trk,ct_zone=0x1001,tcp,action=1
814priority=100,in_port=3,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),4
815priority=100,in_port=4,ct_state=-trk,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
816priority=100,in_port=4,ct_state=+trk,ct_zone=0x1001,tcp,action=3
817])
818
6cfa8ec3 819AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
07659514
JS
820
821dnl HTTP requests from p0->p1 should work fine.
822NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
823NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
824
dnl zone=4097 is 0x1001 printed in decimal.
ec3aa16c 825AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
420c73b2 826tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=4097,protoinfo=(state=<cleared>)
07659514
JS
827])
828
829dnl HTTP requests from p2->p3 should fail due to network failure.
830dnl Try 3 times, in 1 second intervals.
831NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
832NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
833
dnl The request was still committed in zone 4098 (0x1002); only the reply
dnl was dropped.
ec3aa16c 834AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
420c73b2 835tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=4098,protoinfo=(state=<cleared>)
07659514
JS
836])
837
838OVS_TRAFFIC_VSWITCHD_STOP
839AT_CLEANUP
840
841AT_SETUP([conntrack - multiple bridges])
dnl Purpose: two bridges joined by a patch port, each tracking the same
dnl connection in its own zone (br0 in zone 1, br1 in zone 2).
842CHECK_CONNTRACK()
843OVS_TRAFFIC_VSWITCHD_START(
cf7659b6 844 [_ADD_BR([br1]) --\
07659514
JS
845 add-port br0 patch+ -- set int patch+ type=patch options:peer=patch- --\
846 add-port br1 patch- -- set int patch- type=patch options:peer=patch+ --])
847
848ADD_NAMESPACES(at_ns0, at_ns1)
849
dnl The patch ports were added before the veths, so the flows below treat
dnl port 1 as the patch port and port 2 as the veth on each bridge.
850ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
851ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")
852
853dnl Allow any traffic from ns0->br1, allow established in reverse.
dnl br0: in_port=2 is p0 (ns0), in_port=1 is patch+ (towards br1).
854AT_DATA([flows-br0.txt], [dnl
855priority=1,action=drop
856priority=10,arp,action=normal
857priority=10,icmp,action=normal
858priority=100,in_port=2,tcp,ct_state=-trk,action=ct(commit,zone=1),1
859priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
860priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=1,action=2
861])
862
863dnl Allow any traffic from br0->ns1, allow established in reverse.
dnl br1: in_port=1 is patch- (from br0), in_port=2 is p1 (ns1). New
dnl connections arriving over the patch port are committed in zone 2;
dnl established replies from p1 are committed again and sent back.
864AT_DATA([flows-br1.txt], [dnl
865priority=1,action=drop
866priority=10,arp,action=normal
867priority=10,icmp,action=normal
868priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=2)
869priority=100,in_port=1,tcp,ct_state=+trk+new,ct_zone=2,action=ct(commit,zone=2),2
870priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=2,action=2
871priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
872priority=100,in_port=2,tcp,ct_state=+trk+est,ct_zone=2,action=ct(commit,zone=2),1
873])
874
6cfa8ec3
JR
875AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
876AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt])
07659514
JS
877
878dnl HTTP requests from p0->p1 should work fine.
879NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
880NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
881
882OVS_TRAFFIC_VSWITCHD_STOP
883AT_CLEANUP
884
885AT_SETUP([conntrack - multiple zones])
dnl Purpose: one rule may commit the same packet into several zones; each
dnl zone then holds its own entry for the connection.
886CHECK_CONNTRACK()
cf7659b6 887OVS_TRAFFIC_VSWITCHD_START()
07659514
JS
888
889ADD_NAMESPACES(at_ns0, at_ns1)
890
891ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
892ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
893
894dnl Commit the ns0->ns1 connection in zones 1 and 2 from a single rule.
dnl Return traffic from ns1 is looked up in zone 2 only; besides ARP/ICMP,
dnl only tracked traffic in zone 2 is allowed back to ns0.
895AT_DATA([flows.txt], [dnl
896priority=1,action=drop
897priority=10,arp,action=normal
898priority=10,icmp,action=normal
899priority=100,in_port=1,tcp,action=ct(commit,zone=1),ct(commit,zone=2),2
900priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=2)
901priority=100,in_port=2,ct_state=+trk,ct_zone=2,tcp,action=1
902])
903
6cfa8ec3 904AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
07659514
JS
905
906dnl HTTP requests from p0->p1 should work fine.
907NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
908NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
909
910dnl (again) HTTP requests from p0->p1 should work fine.
911NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
912
dnl One entry per zone for the same 5-tuple.
ec3aa16c 913AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
420c73b2
JR
914tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
915tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
07659514
JS
916])
917
918OVS_TRAFFIC_VSWITCHD_STOP
919AT_CLEANUP
920
921AT_SETUP([conntrack - multiple zones, local])
dnl Purpose: same multi-zone commit as the previous test, but the client is
dnl the root namespace talking through the bridge's LOCAL port.
922CHECK_CONNTRACK()
cf7659b6 923OVS_TRAFFIC_VSWITCHD_START()
c2926d6d
JS
924
925ADD_NAMESPACES(at_ns0)
926
dnl Give the LOCAL port an address so the root namespace can reach ns0;
dnl on_exit removes it so the address does not outlive the test.
927AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
928AT_CHECK([ip link set dev br0 up])
929on_exit 'ip addr del dev br0 "10.1.1.1/24"'
930ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
931
932dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
933dnl return traffic from ns0 back to the local stack.
dnl NOTE(review): untracked IP from LOCAL is dropped and only +trk+new or
dnl +trk+est is committed, so packets from the local stack are expected to
dnl arrive already tracked - presumably by the host's own conntrack - confirm.
dnl Return traffic from p0 must be established in zone 1 (table 1) and then
dnl also in zone 2 (table 2) before it is delivered to LOCAL.
934AT_DATA([flows.txt], [dnl
935priority=1,action=drop
936priority=10,arp,action=normal
937priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
938priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
939priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
940priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
941table=1,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
942table=2,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
943])
944
6cfa8ec3 945AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
c2926d6d
JS
946
dnl ICMP is not exempted by these flows, so the ping itself goes through ct.
947AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
9483 packets transmitted, 3 received, 0% packet loss, time 0ms
949])
950
951dnl HTTP requests from root namespace to p0 should work fine.
952NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
953AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
954
955dnl (again) HTTP requests from root namespace to p0 should work fine.
956AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
957
dnl grep keeps only zone-tagged entries; both the ICMP and the TCP
dnl connection appear once per zone.
ec3aa16c
DDP
958AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
959icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=1
960icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=2
420c73b2
JR
961tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
962tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
c2926d6d
JS
963])
964
965OVS_TRAFFIC_VSWITCHD_STOP
966AT_CLEANUP
967
968AT_SETUP([conntrack - multiple namespaces, internal ports])
dnl Purpose: isolation check. Internal ports live inside their namespaces;
dnl the bridge must see their packets as untracked, not carrying whatever
dnl conntrack state the namespace already attached.
969CHECK_CONNTRACK()
dnl fail-mode secure: the bridge does not fall back to normal L2 switching
dnl without a controller, so only the flows installed below forward traffic.
970OVS_TRAFFIC_VSWITCHD_START(
971 [set-fail-mode br0 secure -- ])
972
973ADD_NAMESPACES(at_ns0, at_ns1)
974
975ADD_INT(p0, at_ns0, br0, "10.1.1.1/24")
976ADD_INT(p1, at_ns1, br0, "10.1.1.2/24")
977
978dnl Allow any traffic from ns0->ns1. Besides ARP/ICMP, only tracked return
dnl traffic in zone 1 is allowed from ns1->ns0.
979dnl
980dnl If skb->nfct is leaking from inside the namespace, this test will fail:
dnl the in_port=2 rules only re-track packets that arrive untracked
dnl (ct_state=-trk), so a reply that already carries conntrack state would
dnl not match that rule.
981AT_DATA([flows.txt], [dnl
982priority=1,action=drop
983priority=10,arp,action=normal
984priority=10,icmp,action=normal
985priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=1),2
986priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
987priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
988])
989
990AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
991
992dnl HTTP requests from p0->p1 should work fine.
993NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
994NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
995
996dnl (again) HTTP requests from p0->p1 should work fine.
997NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
998
ec3aa16c 999AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
420c73b2 1000tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
0e27c629
JS
1001])
1002
dnl The two log lines filtered here are tolerated at shutdown - presumably
dnl because the internal ports vanish with their namespaces - confirm.
1003OVS_TRAFFIC_VSWITCHD_STOP(["dnl
1004/ioctl(SIOCGIFINDEX) on .* device failed: No such device/d
1005/removing policing failed: No such device/d"])
1006AT_CLEANUP
1007
1008AT_SETUP([conntrack - multi-stage pipeline, local])
dnl Purpose: a four-table pipeline that keys the conntrack zone on the
dnl input port at ingress and on the output port at egress, with the root
dnl namespace as the client via the LOCAL port.
1009CHECK_CONNTRACK()
cf7659b6 1010OVS_TRAFFIC_VSWITCHD_START()
c2926d6d
JS
1011
1012ADD_NAMESPACES(at_ns0)
1013
dnl Give the LOCAL port an address; on_exit removes it after the test.
1014AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
1015AT_CHECK([ip link set dev br0 up])
1016on_exit 'ip addr del dev br0 "10.1.1.1/24"'
1017ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
1018
1019dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
1020dnl return traffic from ns0 back to the local stack.
dnl Zones are port numbers: 1 is p0 and 65534 is OFPP_LOCAL. A connection
dnl from LOCAL is therefore committed in zone 65534 (table 1, in_port) and
dnl in zone 1 (table 2, output port held in REG0).
1021AT_DATA([flows.txt], [dnl
1022dnl default
1023table=0,priority=1,action=drop
1024table=0,priority=10,arp,action=normal
1025
1026dnl Load the output port to REG0
1027table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
1028table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1
1029
1030dnl Ingress pipeline
1031dnl - Allow all connections from LOCAL port (commit and proceed to egress)
1032dnl - All other connections go through conntracker using the input port as
1033dnl a connection tracking zone.
1034table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2
1035table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
1036table=1,priority=1,action=drop
1037
1038dnl Egress pipeline
1039dnl - Allow all connections from LOCAL port (commit and skip to output)
1040dnl - Allow other established connections to go through conntracker using
1041dnl output port as a connection tracking zone.
1042table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4
1043table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
1044table=2,priority=1,action=drop
1045
1046dnl Only allow established traffic from egress ct lookup
1047table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
1048table=3,priority=1,action=drop
1049
1050dnl output table: REG0 still holds the destination port loaded in table 0
1051table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
1052])
1053
6cfa8ec3 1054AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
c2926d6d
JS
1055
1056AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
10573 packets transmitted, 3 received, 0% packet loss, time 0ms
1058])
1059
1060dnl HTTP requests from root namespace to p0 should work fine.
1061NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1062AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1063
1064dnl (again) HTTP requests from root namespace to p0 should work fine.
1065AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1066
dnl Each connection shows up once per zone it was committed in (1 and 65534).
ec3aa16c
DDP
1067AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
1068icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=1
1069icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=65534
420c73b2
JR
1070tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1071tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=65534,protoinfo=(state=<cleared>)
c2926d6d
JS
1072])
1073
1074OVS_TRAFFIC_VSWITCHD_STOP
1075AT_CLEANUP
1076
1077AT_SETUP([conntrack - ct_mark])
dnl Purpose: ct_mark is per-connection metadata set at commit time; a
dnl reply rule can require a specific mark, so traffic committed with a
dnl different mark does not get back through.
1078CHECK_CONNTRACK()
cf7659b6 1079OVS_TRAFFIC_VSWITCHD_START()
8e53fe8c
JS
1080
1081ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1082
dnl Ports: p0=1, p1=2, p2=3, p3=4 (creation order).
1083ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1084ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1085ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1086ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1087
1088dnl Allow traffic between ns0<->ns1 using the ct_mark.
1089dnl Check that different marks do not match for traffic between ns2<->ns3.
dnl Port 3 commits with mark 2, but the reply rule for port 4 requires
dnl ct_mark=1, so the reply is dropped.
1090AT_DATA([flows.txt], [dnl
1091priority=1,action=drop
1092priority=10,arp,action=normal
1093priority=10,icmp,action=normal
1094priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
1095priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1096priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
1097priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:2->ct_mark)),4
1098priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
1099priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
1100])
1101
6cfa8ec3 1102AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
8e53fe8c
JS
1103
1104dnl HTTP requests from p0->p1 should work fine.
1105NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1106NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1107
420c73b2
JR
1108AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1109tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=<cleared>)
8e53fe8c
JS
1110])
1111
1112dnl HTTP requests from p2->p3 should fail due to network failure.
1113dnl Try 3 times, in 1 second intervals.
1114NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
1115NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
1116
dnl The entry still exists with mark=2; only the reply was refused.
ec3aa16c 1117AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
420c73b2 1118tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=<cleared>)
8e53fe8c
JS
1119])
1120
1121OVS_TRAFFIC_VSWITCHD_STOP
1122AT_CLEANUP
1123
1124AT_SETUP([conntrack - ct_mark bit-fiddling])
dnl Purpose: masked set_field on ct_mark only rewrites the bits in the mask,
dnl so two directions can update disjoint bits of the same mark.
1125CHECK_CONNTRACK()
1126OVS_TRAFFIC_VSWITCHD_START()
1127
dnl Four namespaces are created but only ns0/ns1 get ports here.
1128ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1129
1130ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1131ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1132
1133dnl Allow traffic between ns0<->ns1 using the ct_mark. The request is committed
1134dnl with 0x5/0x5 (bits 0 and 2 set). Return traffic is committed with 0x2/0x6,
dnl which rewrites only bits 1-2 (sets bit 1, clears bit 2), leaving mark=3,
dnl which the port 2 forwarding rule then requires.
1135AT_DATA([flows.txt], [dnl
1136table=0,priority=1,action=drop
1137table=0,priority=10,arp,action=normal
1138table=0,priority=10,icmp,action=normal
1139table=0,priority=100,in_port=1,tcp,action=ct(table=1)
1140table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x2/0x6->ct_mark))
1141table=1,priority=100,in_port=1,ct_state=+new,tcp,action=ct(commit,exec(set_field:0x5/0x5->ct_mark)),2
1142table=1,priority=100,in_port=1,ct_state=-new,tcp,action=2
1143table=1,priority=100,in_port=2,ct_state=+trk,ct_mark=3,tcp,action=1
1144])
1145
1146AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1147
1148dnl HTTP requests from p0->p1 should work fine.
1149NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1150NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1151
dnl Final mark is 0x5 with bits 1-2 replaced by 0b01, i.e. 3.
420c73b2
JR
1152AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1153tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=3,protoinfo=(state=<cleared>)
4d182934
JS
1154])
1155
1156OVS_TRAFFIC_VSWITCHD_STOP
1157AT_CLEANUP
1158
1159AT_SETUP([conntrack - ct_mark from register])
dnl Purpose: same policy as the ct_mark test, but the mark value comes from
dnl REG0 via a move action inside exec() rather than a literal set_field.
1160CHECK_CONNTRACK()
cf7659b6 1161OVS_TRAFFIC_VSWITCHD_START()
8e53fe8c
JS
1162
1163ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1164
dnl Ports: p0=1, p1=2, p2=3, p3=4 (creation order).
1165ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1166ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1167ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1168ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1169
1170dnl ns0->ns1 loads 1 into REG0 and copies it into ct_mark at commit, and the
dnl reply rule requires ct_mark=1, so it works. ns2->ns3 commits with mark 2
dnl but its reply rule still requires ct_mark=1, so return traffic is dropped.
1171AT_DATA([flows.txt], [dnl
1172priority=1,action=drop
1173priority=10,arp,action=normal
1174priority=10,icmp,action=normal
1175priority=100,in_port=1,tcp,action=load:1->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),2
1176priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1177priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
1178priority=100,in_port=3,tcp,action=load:2->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),4
1179priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
1180priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
1181])
1182
6cfa8ec3 1183AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
8e53fe8c
JS
1184
1185dnl HTTP requests from p0->p1 should work fine.
1186NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1187NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1188
420c73b2
JR
1189AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1190tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=<cleared>)
8e53fe8c
JS
1191])
1192
1193dnl HTTP requests from p2->p3 should fail due to network failure.
1194dnl Try 3 times, in 1 second intervals.
1195NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
1196NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
1197
dnl The entry was committed with mark=2 even though the reply was refused.
ec3aa16c 1198AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
420c73b2 1199tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=<cleared>)
8e53fe8c
JS
1200])
1201
1202OVS_TRAFFIC_VSWITCHD_STOP
1203AT_CLEANUP
1204
1205AT_SETUP([conntrack - ct_label])
dnl Purpose: ct_label is a 128-bit per-connection field set at commit time;
dnl like ct_mark, a reply rule can require a specific value.
1206CHECK_CONNTRACK()
cf7659b6 1207OVS_TRAFFIC_VSWITCHD_START()
9daf2348
JS
1208
1209ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1210
dnl Ports: p0=1, p1=2, p2=3, p3=4 (creation order).
1211ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1212ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1213ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1214ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1215
1216dnl Allow traffic between ns0<->ns1 using the ct_label.
1217dnl Check that different labels do not match for traffic between ns2<->ns3.
dnl Port 3 commits with label 0x2 while the port 4 reply rule requires the
dnl ns0<->ns1 label, so that reply is dropped.
1218AT_DATA([flows.txt], [dnl
1219priority=1,action=drop
1220priority=10,arp,action=normal
1221priority=10,icmp,action=normal
1222priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:0x0a000d000005000001->ct_label)),2
1223priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1224priority=100,in_port=2,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=1
1225priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:0x2->ct_label)),4
1226priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
1227priority=100,in_port=4,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=3
1228])
1229
6cfa8ec3 1230AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
9daf2348
JS
1231
1232dnl HTTP requests from p0->p1 should work fine.
1233NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1234NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1235
1236dnl HTTP requests from p2->p3 should fail due to network failure.
1237dnl Try 3 times, in 1 second intervals.
1238NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
1239NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
1240
1241OVS_TRAFFIC_VSWITCHD_STOP
1242AT_CLEANUP
1243
1244AT_SETUP([conntrack - ct_label bit-fiddling])
dnl Purpose: masked set_field on ct_label rewrites only the masked bits, so
dnl each direction can update its own bits of the connection's label.
1245CHECK_CONNTRACK()
1246OVS_TRAFFIC_VSWITCHD_START()
1247
dnl Four namespaces are created but only ns0/ns1 get ports here.
1248ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1249
1250ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1251ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1252
1253dnl Allow traffic between ns0<->ns1 using the ct_labels. The request is
1254dnl committed with 0x5/0x5 (bits 0 and 2 set). Return traffic is committed
dnl with 0x200000000/0x200000004, which sets bit 33 and clears bit 2, leaving
dnl 0x200000001, which the port 2 forwarding rule then requires.
1255AT_DATA([flows.txt], [dnl
1256table=0,priority=1,action=drop
1257table=0,priority=10,arp,action=normal
1258table=0,priority=10,icmp,action=normal
1259table=0,priority=100,in_port=1,tcp,action=ct(table=1)
1260table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label))
1261table=1,priority=100,in_port=1,tcp,ct_state=+new,action=ct(commit,exec(set_field:0x5/0x5->ct_label)),2
1262table=1,priority=100,in_port=1,tcp,ct_state=-new,action=2
1263table=1,priority=100,in_port=2,ct_state=+trk,ct_label=0x200000001,tcp,action=1
1264])
1265
1266AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1267
1268dnl HTTP requests from p0->p1 should work fine.
1269NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1270NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1271
dnl Final labels: bit 0 from the request, bit 33 from the reply, bit 2 cleared.
420c73b2
JR
1272AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1273tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),labels=0x200000001,protoinfo=(state=<cleared>)
4d182934
JS
1274])
1275
1276OVS_TRAFFIC_VSWITCHD_STOP
1277AT_CLEANUP
1278
1279AT_SETUP([conntrack - ct metadata, multiple zones])
dnl Purpose: ct_mark and ct_label belong to the conntrack entry of the zone
dnl in which they were set; committing the same connection in a second zone
dnl does not copy them there.
1280CHECK_CONNTRACK()
1281OVS_TRAFFIC_VSWITCHD_START()
1282
dnl Four namespaces are created but only ns0/ns1 get ports here.
1283ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1284
1285ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1286ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1287
1288dnl Allow traffic between ns0<->ns1 using the ct_mark and ct_labels in zone=1,
1289dnl but do *not* set any of these for the ct() in zone=2. Traffic should pass,
1290dnl and we should see that the conntrack entries only apply the ct_mark and
1291dnl ct_labels to the connection in zone=1.
dnl The masked updates are the same as in the two bit-fiddling tests above:
dnl mark 0x5 then 0x2/0x6 gives 3, label 0x5 then 0x200000000/0x200000004
dnl gives 0x200000001.
1292AT_DATA([flows.txt], [dnl
1293table=0,priority=1,action=drop
1294table=0,priority=10,arp,action=normal
1295table=0,priority=10,icmp,action=normal
1296table=0,priority=100,in_port=1,tcp,action=ct(zone=1,table=1)
1297table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(zone=1,table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label,set_field:0x2/0x6->ct_mark))
1298table=1,priority=100,in_port=1,tcp,ct_state=+new,action=ct(zone=1,commit,exec(set_field:0x5/0x5->ct_label,set_field:0x5/0x5->ct_mark)),ct(commit,zone=2),2
1299table=1,priority=100,in_port=1,tcp,ct_state=-new,action=ct(zone=2),2
1300table=1,priority=100,in_port=2,tcp,action=ct(zone=2),1
1301])
1302
1303AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1304
1305dnl HTTP requests from p0->p1 should work fine.
1306NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1307NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1308
dnl Only the zone 1 entry carries mark and labels; the zone 2 entry has neither.
420c73b2
JR
1309AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1310tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,mark=3,labels=0x200000001,protoinfo=(state=<cleared>)
1311tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
f2d105b5
JS
1312])
1313
1314OVS_TRAFFIC_VSWITCHD_STOP
1315AT_CLEANUP
1316
1317AT_SETUP([conntrack - ICMP related])
dnl Purpose: an ICMP error is admitted only when conntrack ties it to an
dnl existing connection (ct_state=+rel); the related packet also sees the
dnl mark of the connection it refers to.
1318CHECK_CONNTRACK()
cf7659b6 1319OVS_TRAFFIC_VSWITCHD_START()
8e53fe8c
JS
1320
1321ADD_NAMESPACES(at_ns0, at_ns1)
1322
1323ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1324ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1325
1326dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
dnl The UDP connection is committed with mark 1; the ICMP error coming back
dnl from ns1 must be +trk+rel and carry that same mark to reach port 1.
1327AT_DATA([flows.txt], [dnl
1328priority=1,action=drop
1329priority=10,arp,action=normal
1330priority=100,in_port=1,udp,action=ct(commit,exec(set_field:1->ct_mark)),2
1331priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
1332priority=100,in_port=2,icmp,ct_state=+trk+rel,ct_mark=1,action=1
1333])
1334
6cfa8ec3 1335AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
8e53fe8c 1336
bde2e7b5 1337dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
dnl Nothing listens on UDP port 10000 in ns1, so its stack answers with an
dnl ICMP error that quotes the original datagram.
b54971f7 1338NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])
8e53fe8c
JS
1339
dnl Counters: one UDP packet out; the ICMP error is counted once by the -trk
dnl rule and once more by the +rel rule after ct(table=0) re-injects it;
dnl two ARP frames (request and reply).
1340AT_CHECK([ovs-appctl revalidator/purge], [0])
1341AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
1342 n_packets=1, n_bytes=44, priority=100,udp,in_port=1 actions=ct(commit,exec(load:0x1->NXM_NX_CT_MARK[[]])),output:2
1343 n_packets=1, n_bytes=72, priority=100,ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2 actions=output:1
1344 n_packets=1, n_bytes=72, priority=100,ct_state=-trk,icmp,in_port=2 actions=ct(table=0)
bde2e7b5 1345 n_packets=2, n_bytes=84, priority=10,arp actions=NORMAL
8e53fe8c
JS
1346NXST_FLOW reply:
1347])
1348
1349OVS_TRAFFIC_VSWITCHD_STOP
1350AT_CLEANUP
1351
1352AT_SETUP([conntrack - ICMP related 2])
dnl Purpose: inject crafted frames with packet-out and observe the ct_state
dnl the controller sees. An ICMP error that refers to no tracked connection
dnl is not classified as related and never reaches the controller.
1353CHECK_CONNTRACK()
cf7659b6 1354OVS_TRAFFIC_VSWITCHD_START()
07659514
JS
1355
1356ADD_NAMESPACES(at_ns0, at_ns1)
1357
1358ADD_VETH(p0, at_ns0, br0, "172.16.0.1/24")
1359ADD_VETH(p1, at_ns1, br0, "172.16.0.2/24")
1360
1361dnl UDP from port 1 is committed and re-evaluated; tracked packets from
dnl port 1 and related reply packets from port 2 are sent to the controller
dnl so that ovs-ofctl monitor can record their ct_state. Everything else
dnl (except ARP) is dropped.
1362AT_DATA([flows.txt], [dnl
1363priority=1,action=drop
1364priority=10,arp,action=normal
6cfa8ec3
JR
1365priority=100,in_port=1,udp,ct_state=-trk,action=ct(commit,table=0)
1366priority=100,in_port=1,ip,ct_state=+trk,actions=controller
1367priority=100,in_port=2,ip,ct_state=-trk,action=ct(table=0)
1368priority=100,in_port=2,ip,ct_state=+trk+rel+rpl,action=controller
07659514
JS
1369])
1370
6cfa8ec3 1371AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt])
07659514
JS
1372
dnl Capture packet-ins on the controller side for the checks below.
1373AT_CAPTURE_FILE([ofctl_monitor.log])
1374AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
1375
dnl The hex payloads below are raw Ethernet frames; the two ICMP errors embed
dnl the IP/UDP header of the datagram they complain about.
1376dnl 1. Send an ICMP port unreach reply for port 8738, without any previous request
1377AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f355ac100004ac1000030303553f0000000045000021317040004011b138ac100003ac10000411112222000d20966369616f0a'])
1378
1379dnl 2. Send a UDP packet to port 5555
1380AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit,table=0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
1381
1382dnl 3. Send an ICMP port unreach reply for port 5555, related to the first packet
1383AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
1384
1385dnl Check this output. We only see the latter two packets, not the first.
dnl The unsolicited error from step 1 matches no tracked connection, so it
dnl never satisfies the +trk+rel+rpl rule; the one from step 3 quotes the
dnl committed UDP flow and is classified rel|rpl|trk.
1386AT_CHECK([cat ofctl_monitor.log], [0], [dnl
f274a047 1387NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=47 ct_state=new|trk,in_port=1 (via action) data_len=47 (unbuffered)
07659514 1388udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096
f274a047 1389NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=75 ct_state=rel|rpl|trk,in_port=2 (via action) data_len=75 (unbuffered)
07659514
JS
1390icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f
1391])
1392
1393OVS_TRAFFIC_VSWITCHD_STOP
1394AT_CLEANUP
1395
1396AT_SETUP([conntrack - FTP])
1397AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1398CHECK_CONNTRACK()
cf7659b6 1399OVS_TRAFFIC_VSWITCHD_START()
d787ad39
JS
1400
1401ADD_NAMESPACES(at_ns0, at_ns1)
1402
1403ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1404ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1405
1406dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
1407AT_DATA([flows1.txt], [dnl
1408priority=1,action=drop
1409priority=10,arp,action=normal
1410priority=10,icmp,action=normal
1411priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
1412priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
1413priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
1414priority=100,in_port=2,tcp,ct_state=+trk+rel,action=1
1415])
1416
1417dnl Similar policy but without allowing all traffic from ns0->ns1.
1418AT_DATA([flows2.txt], [dnl
1419priority=1,action=drop
1420priority=10,arp,action=normal
1421priority=10,icmp,action=normal
1422priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0)
1423priority=100,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
1424priority=100,in_port=1,tcp,ct_state=+trk+est,action=2
1425priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
1426priority=100,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
1427priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
1428priority=100,in_port=2,tcp,ct_state=+trk-new+rel,action=1
1429])
1430
6cfa8ec3 1431AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
1432
1433NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
1434NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
20322d4b 1435OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
1436
1437dnl FTP requests from p1->p0 should fail due to network failure.
1438dnl Try 3 times, in 1 second intervals.
1439NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
ec3aa16c 1440AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
1441])
1442
1443dnl FTP requests from p0->p1 should work fine.
1444NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1445AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1446tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
1447])
1448
1449dnl Try the second set of flows.
6cfa8ec3 1450AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
ec3aa16c 1451AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1452
1453dnl FTP requests from p1->p0 should fail due to network failure.
1454dnl Try 3 times, in 1 second intervals.
1455NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
ec3aa16c 1456AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
1457])
1458
1459dnl Active FTP requests from p0->p1 should work fine.
9ac0aada 1460NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log])
1461AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1462tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
1463tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
1464])
1465
ec3aa16c 1466AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1467
1468dnl Passive FTP requests from p0->p1 should work fine.
9ac0aada 1469NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log])
1470AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1471tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
1472tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
1473])
1474
1475OVS_TRAFFIC_VSWITCHD_STOP
1476AT_CLEANUP
1477
1478
1479AT_SETUP([conntrack - IPv6 FTP])
1480AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1481CHECK_CONNTRACK()
1482OVS_TRAFFIC_VSWITCHD_START()
1483
1484ADD_NAMESPACES(at_ns0, at_ns1)
1485
1486ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1487ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1488
1489dnl Allow any traffic from ns0->ns1.
1490dnl Only allow nd, return traffic from ns1->ns0.
1491AT_DATA([flows.txt], [dnl
1492dnl Track all IPv6 traffic and drop the rest.
1493dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked.
1494table=0 priority=100 in_port=1 icmp6, action=2
1495table=0 priority=100 in_port=2 icmp6, action=1
1496table=0 priority=10 ip6, action=ct(table=1)
1497table=0 priority=0 action=drop
1498dnl
1499dnl Table 1
1500dnl
1501dnl Allow new TCPv6 FTP control connections from port 1.
1502table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
1503dnl Allow related TCPv6 connections from port 2.
1504table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1
1505dnl Allow established TCPv6 connections both ways.
1506table=1 in_port=1 ct_state=+est, tcp6, action=2
1507table=1 in_port=2 ct_state=+est, tcp6, action=1
1508dnl Drop everything else.
1509table=1 priority=0, action=drop
1510])
1511
1512AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1513
1514dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1515dnl waiting, we get occasional failures due to the following error:
1516dnl "connect: Cannot assign requested address"
1517OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
1518
2fa3e06d 1519NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
20322d4b 1520OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
1521
1522dnl FTP requests from p0->p1 should work fine.
1523NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
1524
ec3aa16c 1525dnl Discards CLOSE_WAIT and CLOSING
1526AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
1527tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
1528tcp,orig=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
1529])
1530
1531OVS_TRAFFIC_VSWITCHD_STOP
1532AT_CLEANUP
1533
1534
1535AT_SETUP([conntrack - FTP with multiple expectations])
1536AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1537CHECK_CONNTRACK()
cf7659b6 1538OVS_TRAFFIC_VSWITCHD_START()
1539
1540ADD_NAMESPACES(at_ns0, at_ns1)
1541
1542ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1543ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1544
1545dnl Dual-firewall (zones 1 and 2): allow all from ns0->ns1, allow only established and FTP-related traffic from ns1->ns0.
1546AT_DATA([flows.txt], [dnl
1547priority=1,action=drop
1548priority=10,arp,action=normal
1549priority=10,icmp,action=normal
1550priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
1551priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
1552priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=0,zone=2)
1553priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=2)
1554priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
1555priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
1556priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
1557priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=0,zone=1)
1558priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
1559priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
1560])
1561
6cfa8ec3 1562AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1563
1564NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
1565NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1566
1567dnl FTP requests from p1->p0 should fail due to network failure.
1568dnl Try 3 times, in 1 second intervals.
1569NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
ec3aa16c 1570AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
1571])
1572
1573dnl Active FTP requests from p0->p1 should work fine.
1574NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1575AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1576tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
1577tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
1578tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1579tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
1580])
1581
ec3aa16c 1582AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1583
1584dnl Passive FTP requests from p0->p1 should work fine.
1585NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1586AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1587tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1588tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
1589tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
1590tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
1591])
1592
1593OVS_TRAFFIC_VSWITCHD_STOP
1594AT_CLEANUP
1595
1596AT_SETUP([conntrack - IPv4 fragmentation ])
1597CHECK_CONNTRACK()
cf7659b6 1598OVS_TRAFFIC_VSWITCHD_START()
1599
1600ADD_NAMESPACES(at_ns0, at_ns1)
1601
1602ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1603ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1604
1605dnl Sending ping through conntrack
1606AT_DATA([flows.txt], [dnl
1607priority=1,action=drop
1608priority=10,arp,action=normal
1609priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
1610priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1611priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1612])
1613
6cfa8ec3 1614AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1615
1616dnl Basic connectivity check.
1617NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
16183 packets transmitted, 3 received, 0% packet loss, time 0ms
1619])
1620
1621dnl Ipv4 fragmentation connectivity check.
1622NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
16233 packets transmitted, 3 received, 0% packet loss, time 0ms
1624])
1625
1626dnl Ipv4 larger fragmentation connectivity check.
1627NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
16283 packets transmitted, 3 received, 0% packet loss, time 0ms
1629])
1630
1631OVS_TRAFFIC_VSWITCHD_STOP
1632AT_CLEANUP
1633
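AT_SETUP([conntrack - IPv4 fragmentation expiry])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal

dnl Only allow non-fragmented messages and 1st fragments of each message.
dnl Later fragments match neither rule below and fall through to the
dnl priority=1 drop, so reassembly in conntrack can never complete and the
dnl partially reassembled datagram is left to expire on its own.
priority=100,in_port=1,icmp,ip_frag=no,action=ct(commit,zone=9),2
priority=100,in_port=1,icmp,ip_frag=first,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
])

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Send a fragmented ping. Only the first fragment is forwarded, so no reply
dnl is expected; the incomplete reassembly state should expire afterwards.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 1 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
7 packets transmitted, 0 received, 100% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP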
1668
1669AT_SETUP([conntrack - IPv4 fragmentation + vlan])
1670CHECK_CONNTRACK()
cf7659b6 1671OVS_TRAFFIC_VSWITCHD_START()
1672
1673ADD_NAMESPACES(at_ns0, at_ns1)
1674
1675ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1676ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1677ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
1678ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
1679
1680dnl Sending ping through conntrack
1681AT_DATA([flows.txt], [dnl
1682priority=1,action=drop
1683priority=10,arp,action=normal
1684priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
1685priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1686priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1687])
1688
6cfa8ec3 1689AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1690
1691dnl Basic connectivity check.
1692NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
16933 packets transmitted, 3 received, 0% packet loss, time 0ms
1694])
1695
1696dnl Ipv4 fragmentation connectivity check.
1697NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
16983 packets transmitted, 3 received, 0% packet loss, time 0ms
1699])
1700
1701dnl Ipv4 larger fragmentation connectivity check.
1702NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
17033 packets transmitted, 3 received, 0% packet loss, time 0ms
1704])
1705
1706OVS_TRAFFIC_VSWITCHD_STOP
1707AT_CLEANUP
1708
1709AT_SETUP([conntrack - IPv6 fragmentation])
1710CHECK_CONNTRACK()
cf7659b6 1711OVS_TRAFFIC_VSWITCHD_START()
1712
1713ADD_NAMESPACES(at_ns0, at_ns1)
1714
1715ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1716ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1717
1718dnl Sending ping through conntrack
1719AT_DATA([flows.txt], [dnl
1720priority=1,action=drop
1721priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
1722priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1723priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
1724priority=100,icmp6,icmp_type=135,action=normal
1725priority=100,icmp6,icmp_type=136,action=normal
1726])
1727
6cfa8ec3 1728AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
27130224 1729
1730dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1731dnl waiting, we get occasional failures due to the following error:
27130224 1732dnl "connect: Cannot assign requested address"
c10840ff 1733OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1734
1735dnl Basic connectivity check.
1736NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
17373 packets transmitted, 3 received, 0% packet loss, time 0ms
1738])
1739
221a2668 1740dnl Ipv6 fragmentation connectivity check.
1741NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
17423 packets transmitted, 3 received, 0% packet loss, time 0ms
1743])
1744
221a2668 1745dnl Ipv6 larger fragmentation connectivity check.
1746NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
17473 packets transmitted, 3 received, 0% packet loss, time 0ms
1748])
1749
1750OVS_TRAFFIC_VSWITCHD_STOP
1751AT_CLEANUP
1752
1753AT_SETUP([conntrack - IPv6 fragmentation expiry])
1754CHECK_CONNTRACK()
1755OVS_TRAFFIC_VSWITCHD_START()
1756
1757ADD_NAMESPACES(at_ns0, at_ns1)
1758
1759ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1760ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1761
1762AT_DATA([flows.txt], [dnl
1763priority=1,action=drop
1764
1765dnl Only allow non-fragmented messages and 1st fragments of each message
1766priority=10,in_port=1,ipv6,ip_frag=first,action=ct(commit,zone=9),2
1767priority=10,in_port=1,ipv6,ip_frag=no,action=ct(commit,zone=9),2
1768priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1769priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
1770
1771dnl Neighbour Discovery
1772priority=100,icmp6,icmp_type=135,action=normal
1773priority=100,icmp6,icmp_type=136,action=normal
1774])
1775
1776AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1777
1778dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1779dnl waiting, we get occasional failures due to the following error:
0cf28088 1780dnl "connect: Cannot assign requested address"
c10840ff 1781OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1782
1783dnl Basic connectivity check.
1784NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
17853 packets transmitted, 3 received, 0% packet loss, time 0ms
1786])
1787
1788dnl Send an IPv6 fragment. Some time later, it should expire.
1789NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 1 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
17907 packets transmitted, 0 received, 100% packet loss, time 0ms
1791])
1792
1793dnl At this point, the kernel will either crash or everything is OK.
1794
1795OVS_TRAFFIC_VSWITCHD_STOP
1796AT_CLEANUP
1797
1798AT_SETUP([conntrack - IPv6 fragmentation + vlan])
1799CHECK_CONNTRACK()
cf7659b6 1800OVS_TRAFFIC_VSWITCHD_START()
1801
1802ADD_NAMESPACES(at_ns0, at_ns1)
1803
1804ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1805ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1806
1807ADD_VLAN(p0, at_ns0, 100, "fc00:1::3/96")
1808ADD_VLAN(p1, at_ns1, 100, "fc00:1::4/96")
1809
1810dnl Sending ping through conntrack
1811AT_DATA([flows.txt], [dnl
1812priority=1,action=drop
1813priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
1814priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1815priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
1816priority=100,icmp6,icmp_type=135,action=normal
1817priority=100,icmp6,icmp_type=136,action=normal
1818])
1819
6cfa8ec3 1820AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
27130224 1821
1822dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1823dnl waiting, we get occasional failures due to the following error:
27130224 1824dnl "connect: Cannot assign requested address"
c10840ff 1825OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1826
1827dnl Basic connectivity check.
1828NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
18293 packets transmitted, 3 received, 0% packet loss, time 0ms
1830])
1831
1832dnl IPv6 fragmentation connectivity check.
1833NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
18343 packets transmitted, 3 received, 0% packet loss, time 0ms
1835])
1836
1837dnl IPv6 larger fragmentation connectivity check.
1838NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
18393 packets transmitted, 3 received, 0% packet loss, time 0ms
1840])
1841
1842OVS_TRAFFIC_VSWITCHD_STOP
1843AT_CLEANUP
1844
1845AT_SETUP([conntrack - Fragmentation over vxlan])
dfb21e96 1846OVS_CHECK_VXLAN()
1847CHECK_CONNTRACK()
1848
1849OVS_TRAFFIC_VSWITCHD_START()
1850ADD_BR([br-underlay])
1851AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
1852
1853ADD_NAMESPACES(at_ns0)
1854
1855dnl Sending ping through conntrack
1856AT_DATA([flows.txt], [dnl
1857priority=1,action=drop
1858priority=10,arp,action=normal
1859priority=100,in_port=1,icmp,action=ct(commit,zone=9),LOCAL
1860priority=100,in_port=LOCAL,icmp,action=ct(table=1,zone=9)
1861table=1,priority=100,in_port=LOCAL,ct_state=+trk+est,icmp,action=1
1862])
1863
6cfa8ec3 1864AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1865
1866dnl Set up underlay link from host into the namespace using veth pair.
1867ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
1868AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
1869AT_CHECK([ip link set dev br-underlay up])
1870
1871dnl Set up tunnel endpoints on OVS outside the namespace and with a native
1872dnl linux device inside the namespace.
6e3a764c 1873ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
1874ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
1875 [id 0 dstport 4789])
1876
1877dnl First, check the underlay
1878NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
18793 packets transmitted, 3 received, 0% packet loss, time 0ms
1880])
1881
1882dnl Okay, now check the overlay with different packet sizes
1883NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
18843 packets transmitted, 3 received, 0% packet loss, time 0ms
1885])
1886NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
18873 packets transmitted, 3 received, 0% packet loss, time 0ms
1888])
1889NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
18903 packets transmitted, 3 received, 0% packet loss, time 0ms
1891])
1892
1893OVS_TRAFFIC_VSWITCHD_STOP
1894AT_CLEANUP
c4e34c61 1895
84f646df 1896AT_SETUP([conntrack - IPv6 Fragmentation over vxlan])
a9f70f3d 1897OVS_CHECK_VXLAN()
1898CHECK_CONNTRACK()
1899
1900OVS_TRAFFIC_VSWITCHD_START()
1901ADD_BR([br-underlay])
1902AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
1903
1904ADD_NAMESPACES(at_ns0)
1905
1906dnl Sending ping through conntrack
1907AT_DATA([flows.txt], [dnl
1908priority=1,action=drop
1909priority=100,in_port=1,ipv6,action=ct(commit,zone=9),LOCAL
1910priority=100,in_port=LOCAL,ipv6,action=ct(table=1,zone=9)
1911table=1,priority=100,in_port=LOCAL,ct_state=+trk+est,ipv6,action=1
1912
1913dnl Neighbour Discovery
1914priority=1000,icmp6,icmp_type=135,action=normal
1915priority=1000,icmp6,icmp_type=136,action=normal
1916])
1917
1918AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1919
1920dnl Set up underlay link from host into the namespace using veth pair.
1921ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
1922AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
1923AT_CHECK([ip link set dev br-underlay up])
1924
1925dnl Set up tunnel endpoints on OVS outside the namespace and with a native
1926dnl linux device inside the namespace.
6e3a764c 1927ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], ["fc00::2/96"])
1928ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], ["fc00::1/96"],
1929 [id 0 dstport 4789])
1930
1931dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1932dnl waiting, we get occasional failures due to the following error:
84f646df 1933dnl "connect: Cannot assign requested address"
c10840ff 1934OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1935
1936dnl First, check the underlay
1937NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
19383 packets transmitted, 3 received, 0% packet loss, time 0ms
1939])
1940
1941dnl Okay, now check the overlay with different packet sizes
1942NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
19433 packets transmitted, 3 received, 0% packet loss, time 0ms
1944])
1945NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
19463 packets transmitted, 3 received, 0% packet loss, time 0ms
1947])
1948NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
19493 packets transmitted, 3 received, 0% packet loss, time 0ms
1950])
1951
1952OVS_TRAFFIC_VSWITCHD_STOP
1953AT_CLEANUP
9ac0aada 1954
1955AT_SETUP([conntrack - resubmit to ct multiple times])
1956CHECK_CONNTRACK()
1957
1958OVS_TRAFFIC_VSWITCHD_START(
1959 [set-fail-mode br0 secure -- ])
1960
1961ADD_NAMESPACES(at_ns0, at_ns1)
1962
1963ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1964ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1965
1966AT_DATA([flows.txt], [dnl
1967table=0,priority=150,arp,action=normal
1968table=0,priority=100,ip,in_port=1,action=resubmit(,1),resubmit(,2)
1969
1970table=1,priority=100,ip,action=ct(table=3)
1971table=2,priority=100,ip,action=ct(table=3)
1972
1973table=3,ip,action=drop
1974])
1975
1976AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1977
1978NS_CHECK_EXEC([at_ns0], [ping -q -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
19791 packets transmitted, 0 received, 100% packet loss, time 0ms
1980])
1981
1982AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort], [0], [dnl
1983 n_packets=1, n_bytes=98, priority=100,ip,in_port=1 actions=resubmit(,1),resubmit(,2)
1984 n_packets=2, n_bytes=84, priority=150,arp actions=NORMAL
1985 table=1, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
1986 table=2, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
1987 table=3, n_packets=2, n_bytes=196, ip actions=drop
1988NXST_FLOW reply:
1989])
1990
1991OVS_TRAFFIC_VSWITCHD_STOP
1992AT_CLEANUP
1993
1994
1995AT_SETUP([conntrack - simple SNAT])
1996CHECK_CONNTRACK()
1997OVS_TRAFFIC_VSWITCHD_START()
1998
1999ADD_NAMESPACES(at_ns0, at_ns1)
2000
2001ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2002NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2003ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2004
2005dnl Allow any traffic from ns0->ns1, SNATed to 10.1.1.240-10.1.1.255. Only allow ARP and tracked return traffic from ns1->ns0.
2006AT_DATA([flows.txt], [dnl
2007in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
2008in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)
2009in_port=2,ct_state=+trk,ct_zone=1,ip,action=1
2010dnl
2011dnl ARP
2012priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2013priority=10 arp action=normal
2014priority=0,action=drop
2015dnl
2016dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2017table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2018table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2019dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2020dnl TPA IP in reg2.
2021dnl Swaps the fields of the ARP message to turn a query to a response.
2022table=10 priority=100 arp xreg0=0 action=normal
2023table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2024table=10 priority=0 action=drop
2025])
2026
2027AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2028
2029dnl HTTP requests from p0->p1 should work fine.
2030NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
2031NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
2032
a857bb69 2033AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
420c73b2 2034tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2035])
2036
2037OVS_TRAFFIC_VSWITCHD_STOP
2038AT_CLEANUP
2039
2040
2041AT_SETUP([conntrack - SNAT with port range])
2042CHECK_CONNTRACK()
2043OVS_TRAFFIC_VSWITCHD_START()
2044
2045ADD_NAMESPACES(at_ns0, at_ns1)
2046
2047ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2048NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2049ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2050
2051dnl Allow any TCP traffic from ns0->ns1, SNATed to 10.1.1.240-10.1.1.255 with source ports 34567-34568. Only allow ARP and tracked return traffic to those ports from ns1->ns0.
2052AT_DATA([flows.txt], [dnl
2053in_port=1,tcp,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255:34567-34568,random)),2
2054in_port=2,ct_state=-trk,tcp,tp_dst=34567,action=ct(table=0,zone=1,nat)
2055in_port=2,ct_state=-trk,tcp,tp_dst=34568,action=ct(table=0,zone=1,nat)
2056in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
2057dnl
2058dnl ARP
2059priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2060priority=10 arp action=normal
2061priority=0,action=drop
2062dnl
2063dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2064table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2065table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2066dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2067dnl TPA IP in reg2.
2068dnl Swaps the fields of the ARP message to turn a query to a response.
2069table=10 priority=100 arp xreg0=0 action=normal
2070table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2071table=10 priority=0 action=drop
2072])
2073
2074AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2075
2076dnl HTTP requests from p0->p1 should work fine.
2077NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
2078NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
2079
a857bb69 2080AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
420c73b2 2081tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2082])
2083
2084OVS_TRAFFIC_VSWITCHD_STOP
2085AT_CLEANUP
2086
2087
2088AT_SETUP([conntrack - more complex SNAT])
dnl Two-table SNAT: table 0 sends every IP packet through ct(zone=1,nat) and
dnl table 1 forwards on ct_state.  Only new connections from ns0 (port 1)
dnl are committed and SNATted to the 10.1.1.240-255 pool; ns1 (port 2) may
dnl only send established return traffic.  OVS answers ARP for the pool
dnl itself (tables 8 and 10) so ns1 can reach the translated addresses.
2089CHECK_CONNTRACK()
2090OVS_TRAFFIC_VSWITCHD_START()
2091
2092ADD_NAMESPACES(at_ns0, at_ns1)
2093
2094ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Table 8 answers ARP for the NAT pool with this MAC, so p0 must own it
dnl for reverse-NATted return traffic to be delivered to ns0.
2095NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2096ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2097
2098AT_DATA([flows.txt], [dnl
2099dnl Track all IP traffic, NAT existing connections.
2100priority=100 ip action=ct(table=1,zone=1,nat)
2101dnl
2102dnl Allow ARP, but generate responses for NATed addresses
2103priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2104priority=10 arp action=normal
2105priority=0 action=drop
2106dnl
2107dnl Allow any traffic from ns0->ns1. SNAT ns0 to 10.1.1.240-10.1.1.255
2108table=1 priority=100 in_port=1 ip ct_state=+trk+new-est action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
2109table=1 priority=100 in_port=1 ip ct_state=+trk-new+est action=2
2110dnl Only allow established traffic from ns1->ns0.
dnl Unsolicited packets from ns1 towards the pool are +new, match nothing
dnl here and hit the priority=0 drop below.
2111table=1 priority=100 in_port=2 ip ct_state=+trk-new+est action=1
2112table=1 priority=0 action=drop
2113dnl
2114dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, i.e. the whole SNAT pool.
2115table=8 priority=100 reg2=0x0a0101f0/0xfffffff0 action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2116dnl Zero result means not found.
2117table=8 priority=0 action=load:0->OXM_OF_PKT_REG0[[]]
2118dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2119dnl ARP TPA IP in reg2.
2120table=10 priority=100 arp xreg0=0 action=normal
2121dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is saved in reg3 and then zeroed so that the reply can be
dnl output to the very port the request arrived on.
2122table=10 priority=10 arp arp_op=1 action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2123table=10 priority=0 action=drop
2124])
2125
2126AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2127
2128dnl HTTP requests from p0->p1 should work fine.
2129NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
2130NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
2131
dnl The datapath picks the pool address, so the reply dst (10.1.1.240-255)
dnl is masked to 10.1.1.2XX before comparing.
a857bb69 2132AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
420c73b2 2133tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
9ac0aada
JR
2134])
2135
2136OVS_TRAFFIC_VSWITCHD_STOP
2137AT_CLEANUP
2138
2139AT_SETUP([conntrack - simple DNAT])
dnl ns0 reaches the web server in ns1 both through the virtual address
dnl 10.1.1.64, which table 0 DNATs to 10.1.1.2, and through the real
dnl address.  OVS answers ARP for 10.1.1.64 with p1's MAC (tables 8 and 10).
2140CHECK_CONNTRACK()
2141OVS_TRAFFIC_VSWITCHD_START()
2142
2143ADD_NAMESPACES(at_ns0, at_ns1)
2144
2145ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2146ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl The ARP responder answers for the virtual address with this MAC, so p1
dnl must own it.
2147NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
2148
2149dnl Allow any IP traffic from ns0->ns1.  From ns1->ns0 only allow ARP and
dnl established (return) traffic, which the untracked rule reverse-NATs.
2150AT_DATA([flows.txt], [dnl
2151priority=100 in_port=1,ip,nw_dst=10.1.1.64,action=ct(zone=1,nat(dst=10.1.1.2),commit),2
dnl Other traffic to ns1 is committed without NAT so its replies match +est.
2152priority=10 in_port=1,ip,action=ct(commit,zone=1),2
2153priority=100 in_port=2,ct_state=-trk,ip,action=ct(table=0,nat,zone=1)
2154priority=100 in_port=2,ct_state=+trk+est,ct_zone=1,ip,action=1
2155dnl
2156dnl ARP
2157priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2158priority=10 arp action=normal
2159priority=0,action=drop
2160dnl
2161dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64, the virtual address.
2162table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2163dnl Zero result means not found.
2164table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2165dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2166dnl TPA IP in reg2.
2167table=10 priority=100 arp xreg0=0 action=normal
2168dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is saved in reg3 and then zeroed so that the reply can be
dnl output to the very port the request arrived on.
2169table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2170table=10 priority=0 action=drop
2171])
2172
2173AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2174
2175dnl Should work with the virtual IP address through NAT
2176NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
2177NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
2178
dnl The entry shows the translation: orig dst is the virtual address, the
dnl reply src is the real server address.
420c73b2
JR
2179AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
2180tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
9ac0aada
JR
2181])
2182
2183dnl Should work with the assigned IP address as well
2184NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2185
dnl This connection went through the priority=10 rule: committed, not NATted.
420c73b2
JR
2186AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2187tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
9ac0aada
JR
2188])
2189
2190OVS_TRAFFIC_VSWITCHD_STOP
2191AT_CLEANUP
2192
2193AT_SETUP([conntrack - more complex DNAT])
dnl Two-table variant of the simple DNAT test: table 0 tracks every IP
dnl packet with ct(table=1,zone=1,nat) and table 1 decides on ct_state.
dnl New connections from ns0 to the virtual address 10.1.1.64 are DNATted to
dnl 10.1.1.2; ns1 may only send established traffic back.
2194CHECK_CONNTRACK()
2195OVS_TRAFFIC_VSWITCHD_START()
2196
2197ADD_NAMESPACES(at_ns0, at_ns1)
2198
2199ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2200ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl The ARP responder answers for the virtual address with this MAC, so p1
dnl must own it.
2201NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
2202
2203dnl Allow any IP traffic from ns0->ns1.  Only allow ARP and established
dnl (return) traffic from ns1->ns0.
2204AT_DATA([flows.txt], [dnl
2205dnl Track all IP traffic
2206table=0 priority=100 ip action=ct(table=1,zone=1,nat)
2207dnl
2208dnl Allow ARP, but generate responses for NATed addresses
2209table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2210table=0 priority=10 arp action=normal
2211table=0 priority=0 action=drop
2212dnl
2213dnl Allow any IP traffic from ns0->ns1. DNAT ns0 from 10.1.1.64 to 10.1.1.2
2214table=1 priority=100 in_port=1 ct_state=+new ip nw_dst=10.1.1.64 action=ct(zone=1,nat(dst=10.1.1.2),commit),2
dnl Other new connections to ns1 are committed without NAT.
2215table=1 priority=10 in_port=1 ct_state=+new ip action=ct(commit,zone=1),2
2216table=1 priority=100 in_port=1 ct_state=+est ct_zone=1 action=2
2217dnl Only allow established traffic from ns1->ns0.
2218table=1 priority=100 in_port=2 ct_state=+est ct_zone=1 action=1
2219table=1 priority=0 action=drop
2220dnl
2221dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64, the virtual address.
2222table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2223dnl Zero result means not found.
2224table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2225dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2226dnl TPA IP in reg2.
2227table=10 priority=100 arp xreg0=0 action=normal
2228dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is saved in reg3 and then zeroed so that the reply can be
dnl output to the very port the request arrived on.
2229table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2230table=10 priority=0 action=drop
2231])
2232
2233AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2234
2235dnl Should work with the virtual IP address through NAT
2236NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
2237NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
2238
dnl The entry shows the translation: orig dst is the virtual address, the
dnl reply src is the real server address.
420c73b2
JR
2239AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
2240tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
9ac0aada
JR
2241])
2242
2243dnl Should work with the assigned IP address as well
2244NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2245
dnl This connection went through the priority=10 rule: committed, not NATted.
420c73b2
JR
2246AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2247tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
9ac0aada
JR
2248])
2249
2250OVS_TRAFFIC_VSWITCHD_STOP
2251AT_CLEANUP
2252
2253AT_SETUP([conntrack - ICMP related with NAT])
dnl A UDP datagram from ns0 is SNATted to the 10.1.1.240-255 pool and the
dnl connection is marked (ct_mark=1).  The ICMP error ns1 sends back must be
dnl reverse-NATted and is only delivered to ns0 because it is +rel to that
dnl marked connection; related ICMP for anything else hits the drop rule.
2254CHECK_CONNTRACK()
2255OVS_TRAFFIC_VSWITCHD_START()
2256
2257ADD_NAMESPACES(at_ns0, at_ns1)
2258
2259ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Table 8 answers ARP for the NAT pool with this MAC, so p0 must own it.
2260NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2261ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2262
2263dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
2264dnl Make sure ICMP responses are reverse-NATted.
2265AT_DATA([flows.txt], [dnl
2266in_port=1,udp,action=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:1->ct_mark)),2
dnl Untracked ICMP from ns1 is reverse-NATted and re-enters table 0 tracked.
2267in_port=2,icmp,ct_state=-trk,action=ct(table=0,nat)
dnl Only ICMP related to a connection committed by the UDP rule (mark 1)
dnl and already translated back to ns0's real address is let through.
2268in_port=2,icmp,nw_dst=10.1.1.1,ct_state=+trk+rel,ct_mark=1,action=1
2269dnl
2270dnl ARP
2271priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2272priority=10 arp action=normal
2273priority=0,action=drop
2274dnl
2275dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, i.e. the whole SNAT pool.
2276table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2277table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2278dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2279dnl TPA IP in reg2.
2280dnl Swaps the fields of the ARP message to turn a query to a response.
2281table=10 priority=100 arp xreg0=0 action=normal
dnl in_port is saved in reg3 and then zeroed so that the reply can be
dnl output to the very port the request arrived on.
2282table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2283table=10 priority=0 action=drop
2284])
2285
2286AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2287
2288dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
dnl Nothing listens on 10.1.1.2:10000.  NC_EOF_OPT is presumably set up by
dnl the test environment to make nc exit after EOF on stdin -- confirm.
b54971f7 2289NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])
9ac0aada
JR
2290
dnl Flush datapath flows so the OpenFlow statistics below are up to date.
dnl Exact n_packets values are asserted, so any stray traffic in the
dnl namespaces makes this check fail; the drop rules are filtered out.
2291AT_CHECK([ovs-appctl revalidator/purge], [0])
2292AT_CHECK([ovs-ofctl -O OpenFlow15 dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
2293 n_packets=1, n_bytes=42, priority=10,arp actions=NORMAL
2294 n_packets=1, n_bytes=44, udp,in_port=1 actions=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:0x1->ct_mark)),output:2
2295 n_packets=1, n_bytes=72, ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2,nw_dst=10.1.1.1 actions=output:1
2296 n_packets=1, n_bytes=72, ct_state=-trk,icmp,in_port=2 actions=ct(table=0,nat)
2297 n_packets=2, n_bytes=84, priority=100,arp,arp_op=1 actions=move:NXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2298 table=10, n_packets=1, n_bytes=42, priority=10,arp,arp_op=1 actions=set_field:2->arp_op,move:NXM_NX_ARP_SHA[[]]->NXM_NX_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_NX_ARP_SHA[[]],move:NXM_OF_ARP_SPA[[]]->NXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->NXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],set_field:0->in_port,output:NXM_NX_REG3[[0..15]]
2299 table=10, n_packets=1, n_bytes=42, priority=100,arp,reg0=0,reg1=0 actions=NORMAL
2300 table=8, n_packets=1, n_bytes=42, priority=0 actions=set_field:0->xreg0
2301 table=8, n_packets=1, n_bytes=42, reg2=0xa0101f0/0xfffffff0 actions=set_field:0x808888888888->xreg0
2302OFPST_FLOW reply (OF1.5):
2303])
2304
dnl The datapath picks the pool address, so the reply dst (10.1.1.240-255)
dnl is masked to 10.1.1.2XX before comparing.  mark=1 comes from the UDP rule.
a857bb69
DDP
2305AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
2306udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),mark=1
9ac0aada
JR
2307])
2308
2309OVS_TRAFFIC_VSWITCHD_STOP
2310AT_CLEANUP
2311
2312
2313AT_SETUP([conntrack - FTP with NAT])
dnl Active-mode FTP from ns0 through SNAT to the single address 10.1.1.240.
dnl The ftp ALG on the control connection lets the server-initiated data
dnl connection (ns1 -> 10.1.1.240) be accepted as +rel in table 2 and
dnl reverse-NATted to ns0.  Table 1 handles port 1 -> 2, table 2 port 2 -> 1.
2314AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
2315CHECK_CONNTRACK()
2316
2317OVS_TRAFFIC_VSWITCHD_START()
2318
2319ADD_NAMESPACES(at_ns0, at_ns1)
2320
2321ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Table 8 answers ARP for the NAT address with this MAC, so p0 must own it.
2322NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2323ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2324
2325dnl ns0->ns1: only new FTP control connections and established TCP.
dnl ns1->ns0: ARP, established TCP, related (data) TCP and related ICMP.
2326
2327AT_DATA([flows.txt], [dnl
2328dnl track all IP traffic, de-mangle non-NEW connections
2329table=0 in_port=1, ip, action=ct(table=1,nat)
2330table=0 in_port=2, ip, action=ct(table=2,nat)
2331dnl
2332dnl ARP
2333dnl
2334table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2335table=0 priority=10 arp action=normal
2336table=0 priority=0 action=drop
2337dnl
2338dnl Table 1: port 1 -> 2
2339dnl
2340dnl Allow new FTP connections. These need to be committed.
dnl alg=ftp attaches the FTP helper so the data connection announced on the
dnl control channel becomes an expected (+rel) connection.
2341table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
2342dnl Allow established TCP connections, make sure they are NATted already.
2343table=1 ct_state=+est, tcp, nw_src=10.1.1.240, action=2
2344dnl
2345dnl Table 1: droppers
2346dnl
2347table=1 priority=10, tcp, action=drop
2348table=1 priority=0,action=drop
2349dnl
2350dnl Table 2: port 2 -> 1
2351dnl
2352dnl Allow established TCP connections, make sure they are reverse NATted
2353table=2 ct_state=+est, tcp, nw_dst=10.1.1.1, action=1
2354dnl Allow (new) related (data) connections. These need to be committed.
2355table=2 ct_state=+new+rel, tcp, nw_dst=10.1.1.240, action=ct(commit,nat),1
2356dnl Allow related ICMP packets, make sure they are reverse NATted
2357table=2 ct_state=+rel, icmp, nw_dst=10.1.1.1, action=1
2358dnl
2359dnl Table 2: droppers
2360dnl
2361table=2 priority=10, tcp, action=drop
2362table=2 priority=0, action=drop
2363dnl
2364dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2365dnl
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, which covers the NAT address.
2366table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2367table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2368dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2369dnl TPA IP in reg2.
2370dnl Swaps the fields of the ARP message to turn a query to a response.
2371table=10 priority=100 arp xreg0=0 action=normal
dnl in_port is saved in reg3 and then zeroed so that the reply can be
dnl output to the very port the request arrived on.
2372table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2373table=10 priority=0 action=drop
2374])
2375
2376AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2377
2378dnl NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
2379NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
dnl Wait until the FTP server is actually listening before connecting.
20322d4b 2380OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
9ac0aada
JR
2381
2382dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode: the server opens the data
dnl connection towards the client, which is what table 2 must accept.
2383NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
2384
dnl Two entries: the SNATted control connection with the ftp helper, and the
dnl data connection the server opened to the NAT address, mapped back to ns0.
420c73b2
JR
2385AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2386tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
2387tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
9ac0aada
JR
2388])
2389
2390OVS_TRAFFIC_VSWITCHD_STOP
2391AT_CLEANUP
2392
2393
2394AT_SETUP([conntrack - FTP with NAT 2])
dnl Single-table variant of the FTP NAT test: table 0 only tracks (no nat)
dnl and table 1 applies ct(nat) explicitly to established and related
dnl packets in both directions.  Expected results are the same as above.
2395AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
2396CHECK_CONNTRACK()
2397OVS_TRAFFIC_VSWITCHD_START()
2398
2399ADD_NAMESPACES(at_ns0, at_ns1)
2400
2401ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Table 8 answers ARP for the NAT address with this MAC, so p0 must own it.
2402NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2403ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2404
2405dnl ns0->ns1: new FTP control connections and established TCP.
2406dnl ns1->ns0: established TCP, related (data) TCP and related ICMP.
2407AT_DATA([flows.txt], [dnl
2408dnl track all IP traffic (this includes a helper call to non-NEW packets.)
2409table=0 ip, action=ct(table=1)
2410dnl
2411dnl ARP
2412dnl
2413table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2414table=0 priority=10 arp action=normal
2415table=0 priority=0 action=drop
2416dnl
2417dnl Table 1
2418dnl
2419dnl Allow new FTP connections. These need to be committed.
2420dnl This does helper for new packets.
2421table=1 in_port=1 ct_state=+new, tcp, tp_dst=21, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
2422dnl Allow and NAT established TCP connections
dnl NAT is applied here because table 0 tracked without nat.
2423table=1 in_port=1 ct_state=+est, tcp, action=ct(nat),2
2424table=1 in_port=2 ct_state=+est, tcp, action=ct(nat),1
2425dnl Allow and NAT (new) related active (data) connections.
2426dnl These need to be committed.
2427table=1 in_port=2 ct_state=+new+rel, tcp, action=ct(commit,nat),1
2428dnl Allow related ICMP packets.
2429table=1 in_port=2 ct_state=+rel, icmp, action=ct(nat),1
2430dnl Drop everything else.
2431table=1 priority=0, action=drop
2432dnl
2433dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2434dnl
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, which covers the NAT address.
2435table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2436table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2437dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2438dnl TPA IP in reg2.
2439dnl Swaps the fields of the ARP message to turn a query to a response.
2440table=10 priority=100 arp xreg0=0 action=normal
dnl in_port is saved in reg3 and then zeroed so that the reply can be
dnl output to the very port the request arrived on.
2441table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2442table=10 priority=0 action=drop
2443])
2444
2445AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2446
2447NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
dnl Wait until the FTP server is actually listening before connecting.
20322d4b 2448OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
9ac0aada
JR
2449
2450dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode: the server opens the data
dnl connection towards the client, which the +new+rel rule must accept.
2451NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
2452
a857bb69 2453dnl Discards CLOSE_WAIT and CLOSING
dnl Two entries: the SNATted control connection with the ftp helper, and the
dnl data connection the server opened to the NAT address, mapped back to ns0.
420c73b2
JR
2454AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2455tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
2456tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
9ac0aada
JR
2457])
2458
2459OVS_TRAFFIC_VSWITCHD_STOP
2460AT_CLEANUP
2461
2462AT_SETUP([conntrack - IPv6 HTTP with NAT])
dnl IPv6 SNAT of HTTP from ns0 to fc00::240.  Plain ICMPv6 passes untracked
dnl (priority 10); neighbour solicitations from ns1 for the NAT address are
dnl DNATted to fc00::1 so they reach ns0.  A static neighbour entry on p1
dnl additionally maps fc00::240 to p0's MAC.  New connections from ns1 to
dnl ns0 must fail.
2463CHECK_CONNTRACK()
2464OVS_TRAFFIC_VSWITCHD_START()
2465
2466ADD_NAMESPACES(at_ns0, at_ns1)
2467
2468ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
dnl p0 must own the MAC that ns1 is told for fc00::240 below.
2469NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2470ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
2471NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
2472
2473dnl Allow any traffic from ns0->ns1.  Only allow ND (ICMPv6) and established
dnl return traffic from ns1->ns0.
2474AT_DATA([flows.txt], [dnl
2475priority=1,action=drop
2476priority=10,icmp6,action=normal
2477priority=100,in_port=1,ip6,action=ct(commit,nat(src=fc00::240)),2
2478priority=100,in_port=2,ct_state=-trk,ip6,action=ct(nat,table=0)
2479priority=100,in_port=2,ct_state=+trk+est,ip6,action=1
dnl icmpv6_type=135 is a neighbour solicitation; those targeting the NAT
dnl address are committed with a DNAT to ns0's real address.
2480priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::240,action=ct(commit,nat(dst=fc00::1)),1
2481])
2482
2483AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2484
c10840ff
JS
2485dnl Linux seems to take a little time to get its IPv6 stack in order. Without
2486dnl waiting, we get occasional failures due to the following error:
9ac0aada 2487dnl "connect: Cannot assign requested address"
c10840ff 2488OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
9ac0aada
JR
2489
2490dnl HTTP requests from ns0->ns1 should work fine.
2491NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])
2492
2493NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2494
2495dnl HTTP requests from ns1->ns0 should fail due to network failure.
2496dnl Try 3 times, in 1 second intervals.
dnl A new TCP connection from port 2 is +trk+new, matches no allow rule
dnl and is dropped by priority=1; exit status 4 is wget's network failure.
2497NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
2498NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
2499
2500OVS_TRAFFIC_VSWITCHD_STOP
2501AT_CLEANUP
2502
2503
2504AT_SETUP([conntrack - IPv6 FTP with NAT])
dnl IPv6 counterpart of the FTP NAT tests: the control connection from
dnl fc00::1 is SNATted to fc00::240 and the server-initiated data connection
dnl to fc00::240 is accepted as +rel and reverse-NATted.  ICMPv6 (including
dnl ND) passes both ways without being committed.
2505AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
2506CHECK_CONNTRACK()
2507OVS_TRAFFIC_VSWITCHD_START()
2508
2509ADD_NAMESPACES(at_ns0, at_ns1)
2510
2511ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
dnl p0 must own the MAC that ns1 is told for fc00::240 below.
2512NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2513ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
2514dnl Would be nice if NAT could translate neighbor discovery messages, too.
dnl Without that, ns1 needs a static entry to reach the NAT address.
2515NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
2516
2517dnl ns0->ns1: ICMPv6, new FTP control connections and established TCP.
2518dnl ns1->ns0: ICMPv6, established TCP and related (data) connections.
2519AT_DATA([flows.txt], [dnl
2520dnl Allow other ICMPv6 both ways (without commit).
2521table=1 priority=100 in_port=1 icmp6, action=2
2522table=1 priority=100 in_port=2 icmp6, action=1
2523dnl track all IPv6 traffic (this includes NAT & help to non-NEW packets.)
2524table=0 priority=10 ip6, action=ct(nat,table=1)
2525table=0 priority=0 action=drop
2526dnl
2527dnl Table 1
2528dnl
2529dnl Allow new TCPv6 FTP control connections.
2530table=1 in_port=1 ct_state=+new tcp6 ipv6_src=fc00::1 tp_dst=21 action=ct(alg=ftp,commit,nat(src=fc00::240)),2
2531dnl Allow related TCPv6 connections from port 2 to the NATted address.
2532table=1 in_port=2 ct_state=+new+rel tcp6 ipv6_dst=fc00::240 action=ct(commit,nat),1
2533dnl Allow established TCPv6 connections both ways, enforce NATting
dnl Matching on the translated addresses here means a packet that was not
dnl NATted by table 0 cannot pass.
2534table=1 in_port=1 ct_state=+est tcp6 ipv6_src=fc00::240 action=2
2535table=1 in_port=2 ct_state=+est tcp6 ipv6_dst=fc00::1 action=1
2536dnl Drop everything else.
2537table=1 priority=0, action=drop
2538])
2539
2540AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2541
c10840ff
JS
2542dnl Linux seems to take a little time to get its IPv6 stack in order. Without
2543dnl waiting, we get occasional failures due to the following error:
2544dnl "connect: Cannot assign requested address"
2545OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
2546
9ac0aada 2547NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
dnl Wait until the FTP server is actually listening before connecting.
20322d4b 2548OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
9ac0aada
JR
2549
2550dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode: the server opens the data
dnl connection towards the client, which the +new+rel rule must accept.
2551NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
2552
a857bb69 2553dnl Discards CLOSE_WAIT and CLOSING
dnl Two entries: the SNATted control connection with the ftp helper, and the
dnl data connection the server opened to the NAT address, mapped back to ns0.
420c73b2
JR
2554AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
2555tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
2556tcp,orig=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
9ac0aada
JR
2557])
2558
2559OVS_TRAFFIC_VSWITCHD_STOP
2560AT_CLEANUP
2561
2562AT_SETUP([conntrack - DNAT load balancing])
dnl Three web servers (ns2-ns4) behind the virtual address 10.1.1.64.  A
dnl select group DNATs each new connection to one of the servers; replies and
dnl later packets are reverse-NATted by table 0 and routed back by table 4
dnl (L2 rewrite by destination IP).  OVS answers ARP for the virtual address.
2563CHECK_CONNTRACK()
2564OVS_TRAFFIC_VSWITCHD_START()
2565
2566ADD_NAMESPACES(at_ns1, at_ns2, at_ns3, at_ns4)
2567
2568ADD_VETH(p1, at_ns1, br0, "10.1.1.1/24")
2569ADD_VETH(p2, at_ns2, br0, "10.1.1.2/24")
2570ADD_VETH(p3, at_ns3, br0, "10.1.1.3/24")
2571ADD_VETH(p4, at_ns4, br0, "10.1.1.4/24")
dnl Fixed MACs so the routing table below can rewrite dl_dst statically.
2572NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:11])
2573NS_CHECK_EXEC([at_ns2], [ip link set dev p2 address 80:88:88:88:88:22])
2574NS_CHECK_EXEC([at_ns3], [ip link set dev p3 address 80:88:88:88:88:33])
2575NS_CHECK_EXEC([at_ns4], [ip link set dev p4 address 80:88:88:88:88:44])
2576
2577dnl Select group for load balancing. One bucket per server. Each bucket
2578dnl tracks and NATs the connection and recirculates to table 4 for egress
2579dnl routing. Packets of existing connections are always NATted based on
2580dnl connection state, only new connections are NATted according to the
2581dnl specific NAT parameters in each bucket.
2582AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn add-group br0 "group_id=234,type=select,bucket=weight=100,ct(nat(dst=10.1.1.2),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.3),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.4),commit,table=4)"])
2583
2584AT_DATA([flows.txt], [dnl
2585dnl Track connections to the virtual IP address.
2586table=0 priority=100 ip nw_dst=10.1.1.64 action=group:234
2587dnl All other IP traffic is allowed but the connection state is not committed.
2588table=0 priority=90 ip action=ct(table=4,nat)
2589dnl
2590dnl Allow ARP, but generate responses for virtual addresses
2591table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2592table=0 priority=10 arp action=normal
2593table=0 priority=0 action=drop
2594dnl
2595dnl Routing table
2596dnl
2597table=4,ip,nw_dst=10.1.1.1 action=mod_dl_dst:80:88:88:88:88:11,output:1
2598table=4,ip,nw_dst=10.1.1.2 action=mod_dl_dst:80:88:88:88:88:22,output:2
2599table=4,ip,nw_dst=10.1.1.3 action=mod_dl_dst:80:88:88:88:88:33,output:3
2600table=4,ip,nw_dst=10.1.1.4 action=mod_dl_dst:80:88:88:88:88:44,output:4
2601table=4 priority=0 action=drop
2602dnl
2603dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64, the virtual address.
2604table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2605dnl Zero result means not found.
2606table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2607dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2608dnl TPA IP in reg2.
2609table=10 priority=100 arp xreg0=0 action=normal
2610dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is saved in reg3 and then zeroed so that the reply can be
dnl output to the very port the request arrived on.
2611table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
dnl Unlike the other conntrack tests this sends leftover ARP to the
dnl controller (packet-in) instead of dropping it; presumably a debugging
dnl aid -- confirm before copying this into a production flow table.
2612table=10 priority=0 action=controller
2613])
2614
2615AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2616
2617dnl Start web servers
2618NETNS_DAEMONIZE([at_ns2], [[$PYTHON $srcdir/test-l7.py]], [http2.pid])
2619NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http3.pid])
2620NETNS_DAEMONIZE([at_ns4], [[$PYTHON $srcdir/test-l7.py]], [http4.pid])
2621
dnl Diagnostic dumps registered to run at test exit (on_exit is a test
dnl helper; output is not asserted).
2622on_exit 'ovs-ofctl -O OpenFlow15 dump-flows br0'
2623on_exit 'ovs-appctl revalidator/purge'
2624on_exit 'ovs-appctl dpif/dump-flows br0'
2625
2626dnl Should work with the virtual IP address through NAT
2627for i in 1 2 3 4 5 6 7 8 9 10 11 12; do
2628 echo Request $i
2629 NS_CHECK_EXEC([at_ns1], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget$i.log])
2630done
2631
2632dnl Each server should have at least one connection.
dnl This relies on the select group spreading the 12 client source ports over
dnl all three buckets; FORMAT_CT presumably de-duplicates the entries per
dnl server -- confirm in its definition.
420c73b2
JR
2633AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
2634tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2635tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.3,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2636tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2c66ebe4
JR
2637])
2638
dnl Diagnostics only; nothing below is asserted.
2639ovs-appctl dpif/dump-flows br0
2640ovs-appctl revalidator/purge
2641ovs-ofctl -O OpenFlow15 dump-flows br0
2642ovs-ofctl -O OpenFlow15 dump-group-stats br0
2643
2644OVS_TRAFFIC_VSWITCHD_STOP
2645AT_CLEANUP
2646
2647
2648AT_SETUP([conntrack - DNAT load balancing with NC])
dnl Same load-balancer setup as the previous test with a second client (ns5)
dnl and nc instead of wget.  Both clients use the same fixed source ports
dnl 41001-41009, so the connections differ only by source address.  Nothing
dnl asserts how the connections were distributed; the test passes as long
dnl as every command succeeds.
2649CHECK_CONNTRACK()
2650OVS_TRAFFIC_VSWITCHD_START()
2651
2652ADD_NAMESPACES(at_ns1, at_ns2, at_ns3, at_ns4, at_ns5)
2653
2654ADD_VETH(p1, at_ns1, br0, "10.1.1.1/24")
2655ADD_VETH(p2, at_ns2, br0, "10.1.1.2/24")
2656ADD_VETH(p3, at_ns3, br0, "10.1.1.3/24")
2657ADD_VETH(p4, at_ns4, br0, "10.1.1.4/24")
2658ADD_VETH(p5, at_ns5, br0, "10.1.1.5/24")
dnl Fixed MACs so the routing table below can rewrite dl_dst statically.
2659NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:11])
2660NS_CHECK_EXEC([at_ns2], [ip link set dev p2 address 80:88:88:88:88:22])
2661NS_CHECK_EXEC([at_ns3], [ip link set dev p3 address 80:88:88:88:88:33])
2662NS_CHECK_EXEC([at_ns4], [ip link set dev p4 address 80:88:88:88:88:44])
2663NS_CHECK_EXEC([at_ns5], [ip link set dev p5 address 80:88:88:88:88:55])
2664
2665dnl Select group for load balancing. One bucket per server. Each bucket
2666dnl tracks and NATs the connection and recirculates to table 4 for egress
2667dnl routing. Packets of existing connections are always NATted based on
2668dnl connection state, only new connections are NATted according to the
2669dnl specific NAT parameters in each bucket.
dnl ns5 is a client only: it has no bucket, just a route in table 4.
2670AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn add-group br0 "group_id=234,type=select,bucket=weight=100,ct(nat(dst=10.1.1.2),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.3),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.4),commit,table=4)"])
2671
2672AT_DATA([flows.txt], [dnl
2673dnl Track connections to the virtual IP address.
2674table=0 priority=100 ip nw_dst=10.1.1.64 action=group:234
2675dnl All other IP traffic is allowed but the connection state is not committed.
2676table=0 priority=90 ip action=ct(table=4,nat)
2677dnl
2678dnl Allow ARP, but generate responses for virtual addresses
2679table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2680table=0 priority=10 arp action=normal
2681table=0 priority=0 action=drop
2682dnl
2683dnl Routing table
2684dnl
2685table=4,ip,nw_dst=10.1.1.1 action=mod_dl_dst:80:88:88:88:88:11,output:1
2686table=4,ip,nw_dst=10.1.1.2 action=mod_dl_dst:80:88:88:88:88:22,output:2
2687table=4,ip,nw_dst=10.1.1.3 action=mod_dl_dst:80:88:88:88:88:33,output:3
2688table=4,ip,nw_dst=10.1.1.4 action=mod_dl_dst:80:88:88:88:88:44,output:4
2689table=4,ip,nw_dst=10.1.1.5 action=mod_dl_dst:80:88:88:88:88:55,output:5
2690table=4 priority=0 action=drop
2691dnl
2692dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64, the virtual address.
2693table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2694dnl Zero result means not found.
2695table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2696dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2697dnl TPA IP in reg2.
2698table=10 priority=100 arp xreg0=0 action=normal
2699dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is saved in reg3 and then zeroed so that the reply can be
dnl output to the very port the request arrived on.
2700table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
dnl Unlike the other conntrack tests this sends leftover ARP to the
dnl controller (packet-in) instead of dropping it; presumably a debugging
dnl aid -- confirm before copying this into a production flow table.
2701table=10 priority=0 action=controller
2702])
2703
2704AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2705
2706dnl Start web servers
2707NETNS_DAEMONIZE([at_ns2], [[$PYTHON $srcdir/test-l7.py]], [http2.pid])
2708NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http3.pid])
2709NETNS_DAEMONIZE([at_ns4], [[$PYTHON $srcdir/test-l7.py]], [http4.pid])
2710
dnl Diagnostic dumps registered to run at test exit (on_exit is a test
dnl helper; output is not asserted).
2711on_exit 'ovs-ofctl -O OpenFlow15 dump-flows br0'
2712on_exit 'ovs-appctl revalidator/purge'
2713on_exit 'ovs-appctl dpif/dump-flows br0'
2714
dnl Fixed settle time: nc has no retry-on-refused option like wget's, so
dnl the servers must be listening before the first connection.
2715sleep 5
2716
2717dnl Should work with the virtual IP address through NAT
dnl -p pins the client source port (41001..41009) for each request.
2718for i in 1 2 3 4 5 6 7 8 9; do
2719 echo Request $i
2720 NS_CHECK_EXEC([at_ns1], [echo "TEST1" | nc -p 4100$i 10.1.1.64 80 > nc-1-$i.log])
2721 NS_CHECK_EXEC([at_ns5], [echo "TEST5" | nc -p 4100$i 10.1.1.64 80 > nc-5-$i.log])
2722done
2723
dnl Diagnostics only; nothing below is asserted (the host conntrack table
dnl listing may fail if the tool is missing, hence the redirect).
2724conntrack -L 2>&1
2725
2726ovs-appctl dpif/dump-flows br0
2727ovs-appctl revalidator/purge
2728ovs-ofctl -O OpenFlow15 dump-flows br0
2729ovs-ofctl -O OpenFlow15 dump-group-stats br0
2730
2731OVS_TRAFFIC_VSWITCHD_STOP
2732AT_CLEANUP