dnl Datapath sanity tests: basic connectivity between network namespaces
dnl attached to an OVS bridge, followed by the connection-tracking tests.
AT_BANNER([datapath-sanity])

AT_SETUP([datapath - ping between two ports])
dnl No flows are installed in this test; br0 is left in standalone fail mode.
OVS_TRAFFIC_VSWITCHD_START(
 [set-fail-mode br0 standalone -- ])

ADD_NAMESPACES(at_ns0, at_ns1)

dnl One veth per namespace, both attached to br0 on the same subnet.
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Ping with the default payload, then with 1600- and 3200-byte payloads,
dnl which exceed a typical 1500-byte MTU and so presumably exercise IP
dnl fragmentation on the path.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([datapath - ping between two ports on vlan])
dnl No flows are installed in this test; br0 is left in standalone fail mode.
OVS_TRAFFIC_VSWITCHD_START(
 [set-fail-mode br0 standalone -- ])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl VLAN 100 sub-interfaces on both veths; the pings below use the VLAN
dnl addresses, so tagged traffic must be forwarded correctly.
ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")

dnl Default payload, then 1600- and 3200-byte payloads, which exceed a
dnl typical 1500-byte MTU and so presumably exercise IP fragmentation.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([datapath - ping6 between two ports])
dnl No flows are installed in this test; br0 is left in standalone fail mode.
OVS_TRAFFIC_VSWITCHD_START(
 [set-fail-mode br0 standalone -- ])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl Without this sleep, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
dnl (presumably the IPv6 addresses are not yet usable right after being added)
sleep 2;

dnl Default payload, then 1600- and 3200-byte payloads, which exceed a
dnl typical 1500-byte MTU and so presumably exercise IPv6 fragmentation.
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([datapath - ping6 between two ports on vlan])
dnl No flows are installed in this test; br0 is left in standalone fail mode.
OVS_TRAFFIC_VSWITCHD_START(
 [set-fail-mode br0 standalone -- ])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl VLAN 100 sub-interfaces on both veths; the pings below use the VLAN
dnl addresses, so tagged traffic must be forwarded correctly.
ADD_VLAN(p0, at_ns0, 100, "fc00:1::1/96")
ADD_VLAN(p1, at_ns1, 100, "fc00:1::2/96")

dnl Without this sleep, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
dnl (presumably the IPv6 addresses are not yet usable right after being added)
sleep 2;

dnl Default payload, then 1600- and 3200-byte payloads, which exceed a
dnl typical 1500-byte MTU and so presumably exercise IPv6 fragmentation.
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([datapath - ping over vxlan tunnel])
dnl Skip unless the local iproute2 understands the vxlan "dstport" option;
dnl the native tunnel created below passes "dstport 4789".
AT_SKIP_IF([! ip link add foo type vxlan help 2>&1 | grep dstport >/dev/null])

dnl br0 carries the overlay, br-underlay the underlay; no flows are installed.
OVS_TRAFFIC_VSWITCHD_START(
 [set-fail-mode br0 standalone -- ])
ADD_BR([br-underlay], [set-fail-mode br-underlay standalone])
ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
 [id 0 dstport 4789])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with different packet sizes
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - controller])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START(
 [set-fail-mode br0 standalone -- ])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any UDP traffic from ns0->ns1 (committed to conntrack and sent to the
dnl controller). From ns1->ns0 only allow arp and established return traffic,
dnl which is also sent to the controller. Everything else hits the
dnl priority=1 drop.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,udp,action=ct(commit),controller
priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk+est,udp,action=controller
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl Capture every packet-in the bridge sends to the controller.
AT_CAPTURE_FILE([ofctl_monitor.log])
AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])

dnl Send an unsolicited reply from port 2. This should be dropped.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])

dnl OK, now start a new connection from port 1.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit\),controller '50540000000a50540000000908004500001c00000000001100000a0101010a0101020001000200080000'])

dnl Now try a reply from port 2.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])

dnl Check this output. We only see the latter two packets, not the first.
dnl The second packet-in carries ct_state=est|rpl|trk, i.e. the reply was
dnl recognised as belonging to the committed connection.
AT_CHECK([cat ofctl_monitor.log], [0], [dnl
NXT_PACKET_IN (xid=0x0): total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - IPv4 HTTP])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START(
 [set-fail-mode br0 standalone -- ])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any TCP traffic from ns0->ns1 (committed to conntrack). From
dnl ns1->ns0 only allow arp, icmp and established return traffic; a new
dnl connection initiated from ns1 hits the priority=1 drop.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 >/dev/null])

dnl HTTP requests from ns0->ns1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl The committed connection must be visible in the kernel conntrack table.
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1
])

dnl HTTP requests from ns1->ns0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log], [4])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - IPv6 HTTP])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START(
 [set-fail-mode br0 standalone -- ])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl Allow any TCP traffic from ns0->ns1 (committed to conntrack). From
dnl ns1->ns0 only allow nd (icmp6) and established return traffic; a new
dnl connection initiated from ns1 hits the priority=1 drop.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,icmp6,action=normal
priority=100,in_port=1,tcp6,action=ct(commit),2
priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl Without this sleep, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
dnl (presumably the IPv6 addresses are not yet usable right after being added)
sleep 2;

dnl HTTP requests from ns0->ns1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])

NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl HTTP requests from ns1->ns0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - commit, recirc])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START(
 [set-fail-mode br0 standalone -- ])

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow any traffic from ns0->ns1, ns2->ns3.
dnl Both pairs commit via ct(commit,table=0) and forward on the recirculated
dnl +trk pass. The ns2->ns3 side additionally round-trips through ct twice:
dnl the first pass clears metadata, the second sets metadata=1 and commits,
dnl and only the third pass (metadata=1) forwards. This checks that metadata
dnl survives recirculation through conntrack.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=1,tcp,ct_state=+trk,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,tcp,ct_state=+trk,action=1
priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=4,tcp,ct_state=+trk,action=3
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl HTTP requests from p2->p3 should work fine.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - preserve registers])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START(
 [set-fail-mode br0 standalone -- ])

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow any traffic from ns0->ns1, ns2->ns3.
dnl Same structure as the "commit, recirc" test, but the ns2->ns3 side uses
dnl reg0 instead of metadata: first pass loads reg0=0, second pass loads
dnl reg0=1 and commits, third pass (reg0=1) forwards. This checks that
dnl register values survive recirculation through conntrack.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=1,tcp,ct_state=+trk,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,tcp,ct_state=+trk,action=1
priority=100,in_port=3,tcp,ct_state=-trk,action=load:0->NXM_NX_REG0[[]],ct(table=0)
priority=100,in_port=3,tcp,ct_state=+trk,reg0=0,action=load:1->NXM_NX_REG0[[]],ct(commit,table=0)
priority=100,in_port=3,tcp,ct_state=+trk,reg0=1,action=4
priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=4,tcp,ct_state=+trk,action=3
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl HTTP requests from p2->p3 should work fine.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - invalid])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START(
 [set-fail-mode br0 standalone -- ])

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Pass traffic from ns0->ns1 without committing, but attempt to track in
dnl the opposite direction. This should fail.
dnl Pass traffic from ns2->ns3 without committing, and this time match
dnl invalid traffic and allow it through.
dnl Note that allowing +inv traffic (in_port=4 below) deliberately bypasses
dnl the stateful check; it is here to verify the ct_state flag, not as an
dnl example policy.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk+new,tcp,action=1
priority=100,in_port=3,tcp,action=ct(),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=4,ct_state=+trk+inv,tcp,action=3
priority=100,in_port=4,ct_state=+trk+new,tcp,action=3
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl We set up our rules to allow the request without committing. The return
dnl traffic can't be identified, because the initial request wasn't committed.
dnl For the first pair of ports, this means that the connection fails.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4])

dnl For the second pair, we allow packets from invalid connections, so it works.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - zones])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START(
 [set-fail-mode br0 standalone -- ])

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow any traffic from ns0->ns1. Allow return traffic, matching on zone.
dnl For ns2->ns3, use a different zone and see that the match fails: the
dnl in_port=3 side commits in zone=2, but the in_port=4 return rule still
dnl requires ct_zone=1, so the reply never matches.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit,zone=1),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
priority=100,in_port=3,tcp,action=ct(commit,zone=2),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0,zone=2)
priority=100,in_port=4,ct_state=+trk,ct_zone=1,tcp,action=3
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl The completed connection shows up in zone 1.
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
])

dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])

dnl The zone 2 entry never progresses past SYN_RECV because the reply was
dnl dropped by the zone mismatch above.
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=0 zone=2 use=1
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - zones from field])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START(
 [set-fail-mode br0 standalone -- ])

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Same as the "zones" test, but the zone is taken from reg0 rather than
dnl given as a literal. ns0->ns1 commits and tracks in zone 0x1001 and the
dnl return rule matches ct_zone=0x1001, so it works. ns2->ns3 commits and
dnl tracks in zone 0x1002 but the return rule still requires ct_zone=0x1001,
dnl so the reply is dropped.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),2
priority=100,in_port=2,ct_state=-trk,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
priority=100,in_port=2,ct_state=+trk,ct_zone=0x1001,tcp,action=1
priority=100,in_port=3,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),4
priority=100,in_port=4,ct_state=-trk,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
priority=100,in_port=4,ct_state=+trk,ct_zone=0x1001,tcp,action=3
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl zone=4097 is 0x1001 in decimal, as conntrack prints it.
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=4097 use=1
])

dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])

dnl zone=4098 is 0x1002; the entry stays in SYN_RECV because the reply was
dnl dropped by the zone mismatch above.
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=0 zone=4098 use=1
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - multiple bridges])
CHECK_CONNTRACK()
dnl Two bridges joined by a patch port pair (patch+ on br0, patch- on br1).
OVS_TRAFFIC_VSWITCHD_START(
 [set-fail-mode br0 standalone --\
 add-br br1 --\
 add-port br0 patch+ -- set int patch+ type=patch options:peer=patch- --\
 add-port br1 patch- -- set int patch- type=patch options:peer=patch+ --])

ADD_NAMESPACES(at_ns0, at_ns1)

dnl p0 is on br0, p1 on br1; traffic between them crosses the patch ports.
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")

dnl Allow any traffic from ns0->br1, allow established in reverse.
dnl br0 tracks in zone 1; on br0 in_port=2 is the patch port.
AT_DATA([flows-br0.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(commit,zone=1),1
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=1,action=2
])

dnl Allow any traffic from br0->ns1, allow established in reverse.
dnl br1 tracks independently in zone 2; on br1 in_port=1 is the patch port.
AT_DATA([flows-br1.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=2)
priority=100,in_port=1,tcp,ct_state=+trk+new,ct_zone=2,action=ct(commit,zone=2),2
priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=2,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
priority=100,in_port=2,tcp,ct_state=+trk+est,ct_zone=2,action=ct(commit,zone=2),1
])

AT_CHECK([ovs-ofctl add-flows br0 flows-br0.txt])
AT_CHECK([ovs-ofctl add-flows br1 flows-br1.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - multiple zones])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START(
 [set-fail-mode br0 standalone -- ])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Commit traffic from ns0->ns1 in both zone 1 and zone 2, but only track
dnl and allow return traffic from ns1->ns0 in zone 2. Only arp and icmp are
dnl otherwise allowed; everything else hits the priority=1 drop.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit,zone=1),ct(commit,zone=2),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=2)
priority=100,in_port=2,ct_state=+trk,ct_zone=2,tcp,action=1
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl (again) HTTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl Zone 1 only ever sees the forward direction, so its entry stays
dnl SYN_SENT/UNREPLIED; zone 2 sees both directions and completes.
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
SYN_SENT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[UNREPLIED]] src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> mark=0 zone=1 use=1
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - ct_mark])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START(
 [set-fail-mode br0 standalone -- ])

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow traffic between ns0<->ns1 using the ct_mark.
dnl Check that different marks do not match for traffic between ns2<->ns3:
dnl in_port=3 commits with ct_mark=2 but the in_port=4 return rule requires
dnl ct_mark=1, so the reply is dropped.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:2->ct_mark)),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl The committed entry carries mark=1 as set by the exec() above.
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=1 use=1
])

dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])

dnl mark=2 was committed, and the entry stays in SYN_RECV because the reply
dnl was dropped by the mark mismatch.
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=2 use=1
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - ct_mark from register])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START(
 [set-fail-mode br0 standalone -- ])

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Same as the "ct_mark" test, but the mark is copied from reg0 with a move
dnl inside exec() instead of being set directly. ns0<->ns1 commits mark 1 and
dnl the return rule matches ct_mark=1, so it works. ns2<->ns3 commits mark 2
dnl but the return rule still requires ct_mark=1, so the reply is dropped.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=load:1->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
priority=100,in_port=3,tcp,action=load:2->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl The committed entry carries mark=1 as moved from reg0.
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=1 use=1
])

dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])

dnl mark=2 was committed, and the entry stays in SYN_RECV because the reply
dnl was dropped by the mark mismatch.
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=2 use=1
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - ct_label])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START(
 [set-fail-mode br0 standalone -- ])

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow traffic between ns0<->ns1 using the ct_label.
dnl Check that different labels do not match for traffic between ns2<->ns3:
dnl in_port=3 commits with ct_label=0x2 but the in_port=4 return rule
dnl requires the ns0<->ns1 label, so the reply is dropped.
dnl The label value is wider than 64 bits to exercise the full 128-bit field.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:0x0a000d000005000001->ct_label)),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=1
priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:0x2->ct_label)),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=4,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=3
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - ICMP related])
CHECK_CONNTRACK()
dnl Unlike the other tests in this file, br0 is put in "secure" fail mode.
OVS_TRAFFIC_VSWITCHD_START(
 [set-fail-mode br0 secure -- ])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
dnl The UDP flow is committed with ct_mark=1 and the ICMP return rule requires
dnl both +rel and ct_mark=1, so only ICMP errors tied to that UDP
dnl connection are let through; everything else hits the priority=1 drop.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,udp,action=ct(commit,exec(set_field:1->ct_mark)),2
priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,icmp,ct_state=+trk+rel,ct_mark=1,action=1
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
dnl We pass "-q 1" here to handle openbsd-style nc that can't quit immediately.
NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc -q 1 -u 10.1.1.2 10000"])

dnl Flush datapath flows so the OpenFlow counters below are up to date, then
dnl check that exactly one UDP packet and one related ICMP packet were seen.
AT_CHECK([ovs-appctl revalidator/purge], [0])
AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
 n_packets=1, n_bytes=44, priority=100,udp,in_port=1 actions=ct(commit,exec(load:0x1->NXM_NX_CT_MARK[[]])),output:2
 n_packets=1, n_bytes=72, priority=100,ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2 actions=output:1
 n_packets=1, n_bytes=72, priority=100,ct_state=-trk,icmp,in_port=2 actions=ct(table=0)
 n_packets=2, n_bytes=84, priority=10,arp actions=NORMAL
NXST_FLOW reply:
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl Same "related" check, driven with crafted packet-out frames instead of
dnl live traffic, so that an ICMP error with no preceding committed flow can
dnl be injected deliberately and shown to be rejected.
AT_SETUP([conntrack - ICMP related 2])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START(
 [set-fail-mode br0 standalone -- ])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "172.16.0.1/24")
ADD_VETH(p1, at_ns1, br0, "172.16.0.2/24")

dnl Commit UDP from ns0->ns1. From ns1->ns0 only related, reply traffic is
dnl accepted. Accepted packets go to the controller rather than being
dnl forwarded, so the ovs-ofctl monitor log below records exactly which
dnl packets conntrack let through and with which ct_state.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,ct_state=-trk,udp,action=ct(commit,table=0)
priority=100,in_port=1,ct_state=+trk,actions=controller
priority=100,in_port=2,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk+rel+rpl,action=controller
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

AT_CAPTURE_FILE([ofctl_monitor.log])
AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])

dnl 1. Send an ICMP port unreach reply for port 8738, without any previous
dnl request, so conntrack has no flow to relate it to.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f355ac100004ac1000030303553f0000000045000021317040004011b138ac100003ac10000411112222000d20966369616f0a'])

dnl 2. Send a UDP packet to port 5555
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit,table=0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])

dnl 3. Send an ICMP port unreach reply for port 5555, related to the UDP
dnl packet from step 2
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])

dnl Check this output. We only see the latter two packets, not the first:
dnl the unsolicited ICMP error is never +rel and so matches no controller
dnl rule, while the second is reported as rel|rpl|trk.
AT_CHECK([cat ofctl_monitor.log], [0], [dnl
NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=47 ct_state=new|trk,in_port=1 (via action) data_len=47 (unbuffered)
udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096
NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=75 ct_state=rel|rpl|trk,in_port=2 (via action) data_len=75 (unbuffered)
icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
785
dnl FTP through conntrack with the ftp ALG. Verifies that the helper lets the
dnl data connection through in both active and passive mode while the reverse
dnl direction (ns1->ns0) stays blocked, under two different policies.
AT_SETUP([conntrack - FTP])
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START(
 [set-fail-mode br0 standalone -- ])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any traffic from ns0->ns1. Only allow related and return traffic
dnl from ns1->ns0.
dnl TCP from port 1 is committed with alg=ftp, which attaches the ftp helper
dnl (visible as helper=ftp in the conntrack output below). From port 2 only
dnl +est and +rel packets are forwarded; +rel presumably covers the data
dnl connection announced on the control channel.
dnl NOTE(review): alg=ftp is attached to every TCP flow from port 1, not only
dnl tp_dst=21. Acceptable in a test, but a production policy would normally
dnl narrow the helper to the FTP control port.
AT_DATA([flows1.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
priority=100,in_port=2,tcp,ct_state=+trk+rel,action=1
])

dnl Similar policy but without allowing all traffic from ns0->ns1.
dnl Every connection is tracked before being committed, and a connection
dnl initiated from port 2 is only committed when it is both +new and +rel
dnl (the server-side data connection of an active transfer).
AT_DATA([flows2.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
priority=100,in_port=1,tcp,ct_state=+trk+est,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
priority=100,in_port=2,tcp,ct_state=+trk-new+rel,action=1
])

AT_CHECK([ovs-ofctl add-flows br0 flows1.txt])

dnl An FTP server runs in both namespaces (the pidfile names are swapped
dnl relative to the namespace names, which is harmless).
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])

dnl FTP requests from p1->p0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals. wget exit status 4 is expected and
dnl no conntrack entry for 10.1.1.1 may exist afterwards.
NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.1)], [0], [dnl
])

dnl FTP requests from p0->p1 should work fine.
dnl Only the control connection, carrying the ftp helper, is expected here.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=1
])

dnl Try the second set of flows.
dnl Flush conntrack first so entries from the first policy cannot leak into
dnl the checks below.
conntrack -F
AT_CHECK([ovs-ofctl del-flows br0])
AT_CHECK([ovs-ofctl add-flows br0 flows2.txt])

dnl FTP requests from p1->p0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.1)], [0], [dnl
])

dnl Active FTP requests from p0->p1 should work fine.
dnl In active mode the data connection is opened by the server, so the second
dnl entry has src=10.1.1.2 and carries no helper.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=2
TIME_WAIT src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1
])

AT_CHECK([conntrack -F 2>/dev/null])

dnl Passive FTP requests from p0->p1 should work fine.
dnl In passive mode the client opens the data connection too, so both entries
dnl have src=10.1.1.1.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=2
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
868
dnl Two conntrack zones emulate a pair of firewalls in series: each new
dnl connection is committed into zone 1 and zone 2, both with the ftp ALG,
dnl and an FTP data connection has to be accepted in both zones to pass.
AT_SETUP([conntrack - FTP with multiple expectations])
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START(
 [set-fail-mode br0 standalone -- ])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Dual-firewall, allow all from ns0->ns1, allow established and ftp-related
dnl ns1->ns0.
dnl TCP from port 1 is tracked in zone 1 first; new connections are committed
dnl into both zones with alg=ftp, established ones are re-checked in zone 2.
dnl TCP from port 2 is tracked in zone 2 first; related packets are committed
dnl into both zones, established ones are re-checked in zone 1. The conntrack
dnl output below therefore shows every connection twice, once per zone.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=0,zone=2)
priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=2)
priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=0,zone=1)
priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl An FTP server runs in both namespaces (the pidfile names are swapped
dnl relative to the namespace names, which is harmless).
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])

dnl FTP requests from p1->p0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals. wget exit status 4 is expected and
dnl no conntrack entry for 10.1.1.1 may exist afterwards.
NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.1)], [0], [dnl
])

dnl Active FTP requests from p0->p1 should work fine.
dnl Expect the control connection with helper=ftp in both zones, plus the
dnl server-initiated (src=10.1.1.2) data connection in both zones.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 helper=ftp use=2
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 helper=ftp use=2
TIME_WAIT src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
TIME_WAIT src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
])

AT_CHECK([conntrack -F 2>/dev/null])

dnl Passive FTP requests from p0->p1 should work fine.
dnl In passive mode the client opens the data connection as well, so all four
dnl entries have src=10.1.1.1.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 helper=ftp use=2
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 helper=ftp use=2
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP