dnl System-level traffic tests. Unlike the unit tests, these create real network
dnl namespaces, veth pairs, VLAN/VXLAN devices and kernel conntrack entries, so
dnl they presumably need root and a kernel with the OVS datapath loaded.
AT_BANNER([datapath-sanity])

dnl Baseline datapath check: two namespaces attached to br0 with no OpenFlow
dnl rules installed (standalone fail mode), plain IPv4 ping between them.
AT_SETUP([datapath - ping between two ports])
OVS_TRAFFIC_VSWITCHD_START(
   [set-fail-mode br0 standalone -- ])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Three sizes: default, then -s 1600 and -s 3200, which exceed a default
dnl 1500-byte MTU and therefore exercise IP fragmentation/reassembly through
dnl the datapath. FORMAT_PING appears to normalize the summary line (note the
dnl constant "time 0ms") so the expected output is stable.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl Same as the previous test, but the pings go over 802.1Q subinterfaces:
dnl VLAN 100 is tagged inside each namespace and must be carried transparently
dnl by br0. The untagged 10.1.1.x addresses stay configured but are not used;
dnl only the VLAN addresses (10.2.2.x) are exercised.
AT_SETUP([datapath - ping between two ports on vlan])
OVS_TRAFFIC_VSWITCHD_START(
   [set-fail-mode br0 standalone -- ])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")

dnl The 1600- and 3200-byte payloads exceed a default 1500-byte MTU and so
dnl also check fragmentation of tagged frames.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl IPv6 counterpart of the first test, using the ULA prefix fc00::/96.
AT_SETUP([datapath - ping6 between two ports])
OVS_TRAFFIC_VSWITCHD_START(
   [set-fail-mode br0 standalone -- ])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl Without this sleep, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
dnl NOTE(review): this is presumably IPv6 duplicate-address detection not having
dnl finished on the freshly added addresses; a fixed delay is a race mitigation,
dnl not a fix. TODO confirm the cause before relying on this elsewhere.
sleep 2;

dnl As in the IPv4 tests, -s 1600 and -s 3200 exceed a default 1500-byte MTU.
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl IPv6 over 802.1Q: VLAN 100 subinterfaces carry fc00:1::/96, while the
dnl untagged fc00::/96 addresses remain configured but unused by the pings.
AT_SETUP([datapath - ping6 between two ports on vlan])
OVS_TRAFFIC_VSWITCHD_START(
   [set-fail-mode br0 standalone -- ])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

ADD_VLAN(p0, at_ns0, 100, "fc00:1::1/96")
ADD_VLAN(p1, at_ns1, 100, "fc00:1::2/96")

dnl Without this sleep, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
dnl NOTE(review): same race as in the untagged ping6 test (presumably IPv6 DAD on
dnl the new addresses); the fixed delay masks it rather than waiting on a state.
sleep 2;

dnl The 1600- and 3200-byte payloads exceed a default 1500-byte MTU.
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl Overlay test: an OVS VXLAN port on br0 talks to a native Linux vxlan device
dnl inside a namespace. Underlay is br-underlay / 172.31.1.0/24 on the host side;
dnl overlay is 10.1.1.0/24.
AT_SETUP([datapath - ping over vxlan tunnel])
dnl Skip unless this iproute2 can set the VXLAN destination port; the native
dnl device below is pinned to 4789, presumably to match the port the OVS
dnl endpoint listens on (not visible here).
AT_SKIP_IF([! ip link add foo type vxlan help 2>&1 | grep dstport >/dev/null])

OVS_TRAFFIC_VSWITCHD_START(
   [set-fail-mode br0 standalone -- ])
ADD_BR([br-underlay], [set-fail-mode br-underlay standalone])
ADD_NAMESPACES(at_ns0)

dnl Set up underlay link from host into the namespace using veth pair.
dnl The namespace side is 172.31.1.1; the host-side bridge itself gets
dnl 172.31.1.100 so the host can terminate the tunnel.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace. Each side's remote is the other side's
dnl underlay address. The native device uses VNI 0 (id 0) and UDP 4789.
ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
                  [id 0 dstport 4789])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

dnl Okay, now check the overlay with different packet sizes. The 1600- and
dnl 3200-byte payloads exceed a default 1500-byte MTU even before VXLAN
dnl encapsulation overhead, so they exercise fragmentation of encapsulated traffic.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl Conntrack with packet-in: a UDP "connection" is committed from port 1 and
dnl the test verifies that only replies belonging to that committed connection
dnl (+trk+est) are delivered to the controller, while an unsolicited packet from
dnl port 2 falls through to the default drop.
AT_SETUP([conntrack - controller])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START(
   [set-fail-mode br0 standalone -- ])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Default deny. ARP is switched normally. UDP from port 1 is committed and
dnl sent to the controller. Untracked UDP from port 2 is run through ct() and
dnl recirculated to table 0; only if it comes back +trk+est (a reply to a
dnl committed connection) does it reach the controller, otherwise it is dropped.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,udp,action=ct(commit),controller
priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk+est,udp,action=controller
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl Run a background OpenFlow monitor to capture the packet-ins; the log is
dnl kept with the test output so failures can be diagnosed.
AT_CAPTURE_FILE([ofctl_monitor.log])
AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])

dnl The injected frames are hand-built: dst 50:54:00:00:00:0a, src
dnl 50:54:00:00:00:09, IPv4 with TTL 0 (hence nw_ttl=0 below), UDP with zero
dnl checksums. 10.1.1.2->10.1.1.1 ports 2->1 is the "reply" direction,
dnl 10.1.1.1->10.1.1.2 ports 1->2 the "request" direction.

dnl Send an unsolicited reply from port 2. This should be dropped: nothing has
dnl been committed yet, so ct() cannot mark it established.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])

dnl OK, now start a new connection from port 1.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit\),controller '50540000000a50540000000908004500001c00000000001100000a0101010a0101020001000200080000'])

dnl Now try a reply from port 2.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])

dnl Check this output. We only see the latter two packets, not the first.
dnl The second packet-in carries ct_state=est|rpl|trk, i.e. conntrack recognised
dnl it as the reply to the connection committed just before.
AT_CHECK([cat ofctl_monitor.log], [0], [dnl
NXT_PACKET_IN (xid=0x0): total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl Stateful firewall, IPv4/TCP: connections initiated by ns0 are committed and
dnl forwarded; from ns1 only packets that conntrack recognises as part of an
dnl already committed connection (+trk+est) are let back. A connection that ns1
dnl tries to open itself must therefore fail.
AT_SETUP([conntrack - IPv4 HTTP])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START(
   [set-fail-mode br0 standalone -- ])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any TCP from ns0->ns1 (committing it). From ns1->ns0 only allow
dnl established return traffic. ARP and ICMP are switched normally in both
dnl directions, untracked, so the connectivity ping below works; that is
dnl deliberately wider than the TCP policy under test.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 >/dev/null])

dnl HTTP requests from ns0->ns1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl The completed connection must be visible in the kernel conntrack table.
dnl FORMAT_CT appears to select entries involving the given address and blank
dnl the ephemeral ports (<cleared>) so the expected text is deterministic.
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1
])

dnl HTTP requests from ns1->ns0 should fail due to network failure (wget exit
dnl status 4): the SYN from ns1 is tracked but is +new, not +est, so it is dropped.
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log], [4])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl IPv6 version of the stateful-firewall test: tcp6 from ns0 is committed,
dnl only +trk+est tcp6 is allowed back from ns1. icmp6 is switched normally so
dnl neighbour discovery can complete.
AT_SETUP([conntrack - IPv6 HTTP])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START(
   [set-fail-mode br0 standalone -- ])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl Allow any tcp6 from ns0->ns1; only allow ND (icmp6) and established
dnl return traffic from ns1->ns0. There is no IPv4/ARP rule here.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,icmp6,action=normal
priority=100,in_port=1,tcp6,action=ct(commit),2
priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl Without this sleep, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
dnl NOTE(review): presumably IPv6 DAD on the new addresses, as in the ping6 tests.
sleep 2;

dnl HTTP requests from ns0->ns1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])

NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl HTTP requests from ns1->ns0 should fail due to network failure (wget exit 4):
dnl the SYN from ns1 is tracked as +new, not +est, and hits the default drop.
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl Exercises ct(commit,table=0) recirculation, not firewalling: after ct() the
dnl packet re-enters table 0 as +trk and is forwarded without any +est check.
dnl The port 3 rules additionally verify that the OpenFlow metadata field
dnl survives the recirculation through ct().
AT_SETUP([conntrack - commit, recirc])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START(
   [set-fail-mode br0 standalone -- ])

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow any traffic from ns0->ns1, ns2->ns3.
dnl Ports 1/2: untracked TCP is committed (port 1) or merely tracked (port 2),
dnl recirculated, then forwarded once +trk.
dnl Ports 3/4: port 3 clears metadata, tracks, then on the first recirculation
dnl (metadata=0) sets metadata=1 and commits; only a second pass with
dnl metadata=1 forwards to port 4. If metadata were lost across ct() the
dnl metadata=1 rule would never match and the p2->p3 request would fail.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=1,tcp,ct_state=+trk,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,tcp,ct_state=+trk,action=1
priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=4,tcp,ct_state=+trk,action=3
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl HTTP requests from p2->p3 should work fine.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl Same structure as "commit, recirc", but uses register reg0 instead of the
dnl metadata field to verify that registers are preserved across ct()
dnl recirculation. No +est check is applied on the return path.
AT_SETUP([conntrack - preserve registers])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START(
   [set-fail-mode br0 standalone -- ])

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow any traffic from ns0->ns1, ns2->ns3.
dnl Port 3 loads reg0=0 and tracks; on the first recirculation (reg0=0) it loads
dnl reg0=1 and commits; only the second pass with reg0=1 forwards to port 4.
dnl If reg0 did not survive ct() the p2->p3 request below would fail.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=1,tcp,ct_state=+trk,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,tcp,ct_state=+trk,action=1
priority=100,in_port=3,tcp,ct_state=-trk,action=load:0->NXM_NX_REG0[[]],ct(table=0)
priority=100,in_port=3,tcp,ct_state=+trk,reg0=0,action=load:1->NXM_NX_REG0[[]],ct(commit,table=0)
priority=100,in_port=3,tcp,ct_state=+trk,reg0=1,action=4
priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=4,tcp,ct_state=+trk,action=3
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl HTTP requests from p2->p3 should work fine.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl Behaviour of the +inv (invalid) conntrack state when the forward direction
dnl is tracked but never committed.
AT_SETUP([conntrack - invalid])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START(
   [set-fail-mode br0 standalone -- ])

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Pass traffic from ns0->ns1 (ports 1->2) without committing, but attempt to
dnl track in the opposite direction. This should fail.
dnl Pass traffic from ns2->ns3 (ports 3->4) without committing, and this time
dnl match invalid traffic and allow it through.
dnl NOTE(review): +inv means conntrack could not associate the packet with a
dnl known connection (here the SYN/ACK for a SYN that was never committed).
dnl Forwarding +inv defeats the stateful check; it is done here only to exercise
dnl the match and should not be copied into a production policy.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk+new,tcp,action=1
priority=100,in_port=3,tcp,action=ct(),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=4,ct_state=+trk+inv,tcp,action=3
priority=100,in_port=4,ct_state=+trk+new,tcp,action=3
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl We set up our rules to allow the request without committing. The return
dnl traffic can't be identified, because the initial request wasn't committed.
dnl For the first pair of ports, this means that the connection fails (wget
dnl exit status 4): the reply is neither +new nor +est, so it is dropped.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4])

dnl For the second pair, we allow packets from invalid connections, so it works.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl Conntrack zones isolate connection state: a connection committed in one
dnl zone is not visible to a ct_zone match for another zone.
AT_SETUP([conntrack - zones])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START(
   [set-fail-mode br0 standalone -- ])

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow any traffic from ns0->ns1. Allow return traffic, matching on zone.
dnl For ns2->ns3, use a different zone and see that the match fails: port 3
dnl commits in zone 2 and port 4 tracks in zone 2, but the forwarding rule
dnl requires ct_zone=1, which never matches.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit,zone=1),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
priority=100,in_port=3,tcp,action=ct(commit,zone=2),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0,zone=2)
priority=100,in_port=4,ct_state=+trk,ct_zone=1,tcp,action=3
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl The completed connection is recorded in zone 1.
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
])

dnl HTTP requests from p2->p3 should fail due to network failure (wget exit 4).
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])

dnl Conntrack in zone 2 did see the SYN/ACK (state SYN_RECV), but OVS dropped it
dnl because the ct_zone=1 match failed, so the handshake never completes.
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=0 zone=2 use=1
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl Like "conntrack - zones", but the zone is taken from the low 16 bits of
dnl reg0 at run time rather than from a literal in the ct() action.
AT_SETUP([conntrack - zones from field])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START(
   [set-fail-mode br0 standalone -- ])

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow any traffic from ns0->ns1 in zone 0x1001 (4097) and its return traffic
dnl matched on ct_zone=0x1001. For ns2->ns3 commit and track in zone 0x1002
dnl (4098) but match the return traffic on ct_zone=0x1001, which must fail.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),2
priority=100,in_port=2,ct_state=-trk,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
priority=100,in_port=2,ct_state=+trk,ct_zone=0x1001,tcp,action=1
priority=100,in_port=3,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),4
priority=100,in_port=4,ct_state=-trk,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
priority=100,in_port=4,ct_state=+trk,ct_zone=0x1001,tcp,action=3
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl conntrack prints the zone in decimal: 0x1001 == 4097.
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=4097 use=1
])

dnl HTTP requests from p2->p3 should fail due to network failure (wget exit 4).
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])

dnl Zone 0x1002 == 4098 saw the SYN/ACK (SYN_RECV) but OVS dropped it on the
dnl ct_zone mismatch, so the connection never completes.
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=0 zone=4098 use=1
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl Conntrack across two bridges joined by a patch port pair, each bridge
dnl tracking in its own zone (br0: zone 1, br1: zone 2).
dnl Port numbering follows creation order: the patch ports are added in
dnl OVS_TRAFFIC_VSWITCHD_START before the veths, so presumably in_port=1 is the
dnl patch port and in_port=2 the namespace veth on both bridges (confirm if the
dnl flows below are changed).
AT_SETUP([conntrack - multiple bridges])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START(
   [set-fail-mode br0 standalone --\
    add-br br1 --\
    add-port br0 patch+ -- set int patch+ type=patch options:peer=patch- --\
    add-port br1 patch- -- set int patch- type=patch options:peer=patch+ --])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")

dnl Allow any traffic from ns0->br1, allow established in reverse.
dnl br0 commits in zone 1 on the way out and only lets +trk+est back in.
AT_DATA([flows-br0.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(commit,zone=1),1
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=1,action=2
])

dnl Allow any traffic from br0->ns1, allow established in reverse.
dnl br1 tracks in zone 2 first, commits only +new connections arriving from the
dnl patch port, and re-commits established replies from ns1 before forwarding.
AT_DATA([flows-br1.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=2)
priority=100,in_port=1,tcp,ct_state=+trk+new,ct_zone=2,action=ct(commit,zone=2),2
priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=2,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
priority=100,in_port=2,tcp,ct_state=+trk+est,ct_zone=2,action=ct(commit,zone=2),1
])

AT_CHECK([ovs-ofctl add-flows br0 flows-br0.txt])
AT_CHECK([ovs-ofctl add-flows br1 flows-br1.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl A single packet committed into two zones. Only zone 2 ever sees the return
dnl traffic, so the two zones end up with different connection states.
AT_SETUP([conntrack - multiple zones])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START(
   [set-fail-mode br0 standalone -- ])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any TCP from ns0->ns1, committing it in zone 1 and then zone 2.
dnl Return traffic from ns1 is tracked and matched in zone 2 only; ARP/ICMP are
dnl switched normally.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit,zone=1),ct(commit,zone=2),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=2)
priority=100,in_port=2,ct_state=+trk,ct_zone=2,tcp,action=1
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl (again) HTTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl Zone 1 only ever saw the client's SYN (replies were tracked in zone 2), so
dnl it stays SYN_SENT/UNREPLIED; zone 2 saw the full exchange and is TIME_WAIT.
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
SYN_SENT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[UNREPLIED]] src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> mark=0 zone=1 use=1
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

dnl ct_mark is a per-connection 32-bit value written at commit time via
dnl ct(commit,exec(set_field:...->ct_mark)) and matched on the return path.
AT_SETUP([conntrack - ct_mark])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START(
   [set-fail-mode br0 standalone -- ])

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow traffic between ns0<->ns1 using the ct_mark.
dnl Check that different marks do not match for traffic between ns2<->ns3:
dnl port 3 commits with mark 2 but port 4 only forwards ct_mark=1.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:2->ct_mark)),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
])

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl Only the TIME_WAIT entry is checked; it must carry mark=1.
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=1 use=1
])

dnl HTTP requests from p2->p3 should fail due to network failure (wget exit 4).
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])

dnl The connection was committed with mark=2; conntrack saw the SYN/ACK
dnl (SYN_RECV) but OVS dropped it because ct_mark=1 did not match.
AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=2 use=1
])

OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

617 | AT_SETUP([conntrack - ct_mark from register]) | |
618 | CHECK_CONNTRACK() | |
619 | OVS_TRAFFIC_VSWITCHD_START( | |
620 | [set-fail-mode br0 standalone -- ]) | |
621 | ||
622 | ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3) | |
623 | ||
624 | ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") | |
625 | ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") | |
626 | ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24") | |
627 | ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24") | |
628 | ||
629 | dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0. | |
630 | AT_DATA([flows.txt], [dnl | |
631 | priority=1,action=drop | |
632 | priority=10,arp,action=normal | |
633 | priority=10,icmp,action=normal | |
634 | priority=100,in_port=1,tcp,action=load:1->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),2 | |
635 | priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0) | |
636 | priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1 | |
637 | priority=100,in_port=3,tcp,action=load:2->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),4 | |
638 | priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0) | |
639 | priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3 | |
640 | ]) | |
641 | ||
642 | AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) | |
643 | ||
644 | dnl HTTP requests from p0->p1 should work fine. | |
645 | NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid]) | |
646 | NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log]) | |
647 | ||
648 | AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl | |
649 | TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=1 use=1 | |
650 | ]) | |
651 | ||
652 | dnl HTTP requests from p2->p3 should fail due to network failure. | |
653 | dnl Try 3 times, in 1 second intervals. | |
654 | NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid]) | |
655 | NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4]) | |
656 | ||
657 | AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl | |
658 | SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=2 use=1 | |
659 | ]) | |
660 | ||
661 | OVS_TRAFFIC_VSWITCHD_STOP | |
662 | AT_CLEANUP | |
663 | ||
664 | AT_SETUP([conntrack - ct_label]) |
665 | CHECK_CONNTRACK() | |
666 | OVS_TRAFFIC_VSWITCHD_START( | |
667 | [set-fail-mode br0 standalone -- ]) | |
668 | ||
669 | ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3) | |
670 | ||
671 | ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") | |
672 | ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") | |
673 | ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24") | |
674 | ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24") | |
675 | ||
676 | dnl Commit TCP from ns0->ns1 with a 128-bit ct_label and admit return traffic | |
676 | dnl from ns1 only when the label matches exactly. TCP from ns2->ns3 is committed | |
677 | dnl with a different label (0x2) while the in_port=4 rule expects the ns0 label, | |
677 | dnl so a label mismatch must cause the ns2<->ns3 return traffic to be dropped. | |
678 | AT_DATA([flows.txt], [dnl | |
679 | priority=1,action=drop | |
680 | priority=10,arp,action=normal | |
681 | priority=10,icmp,action=normal | |
682 | priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:0x0a000d000005000001->ct_label)),2 | |
683 | priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0) | |
684 | priority=100,in_port=2,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=1 | |
685 | priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:0x2->ct_label)),4 | |
686 | priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0) | |
687 | priority=100,in_port=4,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=3 | |
688 | ]) | |
689 | ||
690 | AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) | |
691 | ||
692 | dnl HTTP requests from p0->p1 should work fine. | |
693 | NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid]) | |
694 | NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log]) | |
695 | ||
696 | dnl HTTP requests from p2->p3 should fail: replies from p3 carry ct_label=0x2 and | |
696 | dnl the in_port=4 rule requires the ns0<->ns1 label, so they are dropped. | |
697 | dnl Try 3 times, in 1 second intervals. | |
698 | NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid]) | |
699 | NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4]) | |
700 | ||
701 | OVS_TRAFFIC_VSWITCHD_STOP | |
702 | AT_CLEANUP | |
703 | ||
704 | AT_SETUP([conntrack - ICMP related]) |
705 | CHECK_CONNTRACK() | |
706 | OVS_TRAFFIC_VSWITCHD_START( | |
707 | [set-fail-mode br0 secure -- ]) | |
708 | ||
709 | ADD_NAMESPACES(at_ns0, at_ns1) | |
710 | ||
711 | ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") | |
712 | ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") | |
713 | ||
714 | dnl Allow UDP from ns0->ns1, committing the entry with ct_mark=1. From ns1 only | |
714 | dnl ICMP that conntrack classifies as related (+rel) to an existing entry is | |
714 | dnl admitted, and the rule additionally requires ct_mark=1: the related ICMP is | |
714 | dnl reported with the mark of the UDP entry it refers to (see the expected flow | |
714 | dnl counters below). An ICMP error with no matching entry hits the priority=1 | |
714 | dnl drop, so unsolicited "unreachable" messages cannot be injected from ns1. | |
715 | AT_DATA([flows.txt], [dnl | |
716 | priority=1,action=drop | |
717 | priority=10,arp,action=normal | |
718 | priority=100,in_port=1,udp,action=ct(commit,exec(set_field:1->ct_mark)),2 | |
719 | priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0) | |
720 | priority=100,in_port=2,icmp,ct_state=+trk+rel,ct_mark=1,action=1 | |
721 | ]) | |
722 | ||
723 | AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) | |
724 | ||
725 | dnl UDP packets from ns0->ns1 should solicit a "destination unreachable" response | |
725 | dnl (nothing is listening on 10.1.1.2:10000 in this test, so ns1 answers with | |
725 | dnl ICMP type 3 / code 3). | |
726 | dnl We pass "-q 1" here to handle openbsd-style nc that can't quit immediately. | |
727 | NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc -q 1 -u 10.1.1.2 10000"]) | |
728 | ||
729 | AT_CHECK([ovs-appctl revalidator/purge], [0]) | |
730 | AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl | |
731 | n_packets=1, n_bytes=44, priority=100,udp,in_port=1 actions=ct(commit,exec(load:0x1->NXM_NX_CT_MARK[[]])),output:2 | |
732 | n_packets=1, n_bytes=72, priority=100,ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2 actions=output:1 | |
733 | n_packets=1, n_bytes=72, priority=100,ct_state=-trk,icmp,in_port=2 actions=ct(table=0) | |
734 | n_packets=2, n_bytes=84, priority=10,arp actions=NORMAL | |
735 | NXST_FLOW reply: | |
736 | ]) | |
737 | ||
738 | OVS_TRAFFIC_VSWITCHD_STOP | |
739 | AT_CLEANUP | |
740 | ||
741 | AT_SETUP([conntrack - ICMP related 2]) |
742 | CHECK_CONNTRACK() | |
743 | OVS_TRAFFIC_VSWITCHD_START( | |
744 | [set-fail-mode br0 standalone -- ]) | |
745 | ||
746 | ADD_NAMESPACES(at_ns0, at_ns1) | |
747 | ||
748 | ADD_VETH(p0, at_ns0, br0, "172.16.0.1/24") | |
749 | ADD_VETH(p1, at_ns1, br0, "172.16.0.2/24") | |
750 | ||
751 | dnl Commit untracked UDP from ns0 (in_port=1) and send tracked packets from either | |
751 | dnl side to the controller. From ns1 (in_port=2) only traffic that conntrack marks | |
751 | dnl +rel+rpl - an error related to an existing entry, in the reply direction - | |
751 | dnl reaches the controller; an unsolicited ICMP error with no entry to relate to | |
751 | dnl falls through to the priority=1 drop. | |
752 | AT_DATA([flows.txt], [dnl | |
753 | priority=1,action=drop | |
754 | priority=10,arp,action=normal | |
755 | priority=100,in_port=1,ct_state=-trk,udp,action=ct(commit,table=0) | |
756 | priority=100,in_port=1,ct_state=+trk,actions=controller | |
757 | priority=100,in_port=2,ct_state=-trk,action=ct(table=0) | |
758 | priority=100,in_port=2,ct_state=+trk+rel+rpl,action=controller | |
759 | ]) | |
760 | ||
761 | AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) | |
762 | ||
763 | AT_CAPTURE_FILE([ofctl_monitor.log]) | |
764 | AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log]) | |
765 | ||
766 | dnl 1. Send an ICMP port unreach reply for port 8738, without any previous request | |
767 | AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f355ac100004ac1000030303553f0000000045000021317040004011b138ac100003ac10000411112222000d20966369616f0a']) | |
768 | ||
769 | dnl 2. Send a UDP packet to port 5555 and commit it, creating the parent entry | |
770 | AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit,table=0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a']) | |
771 | ||
772 | dnl 3. Send an ICMP port unreach reply for port 5555, related to the UDP packet from step 2 | |
773 | AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a']) | |
774 | ||
775 | dnl Check the controller output. Only the UDP packet from step 2 (ct_state=new|trk) | |
775 | dnl and the related ICMP error from step 3 (ct_state=rel|rpl|trk) arrive; the | |
775 | dnl unsolicited ICMP error from step 1 has no conntrack entry to relate to and is dropped. | |
776 | AT_CHECK([cat ofctl_monitor.log], [0], [dnl | |
777 | NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=47 ct_state=new|trk,in_port=1 (via action) data_len=47 (unbuffered) | |
778 | udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096 | |
779 | NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=75 ct_state=rel|rpl|trk,in_port=2 (via action) data_len=75 (unbuffered) | |
780 | icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f | |
781 | ]) | |
782 | ||
783 | OVS_TRAFFIC_VSWITCHD_STOP | |
784 | AT_CLEANUP | |
785 | |
786 | AT_SETUP([conntrack - FTP]) | |
787 | AT_SKIP_IF([test $HAVE_PYFTPDLIB = no]) | |
788 | CHECK_CONNTRACK() | |
789 | OVS_TRAFFIC_VSWITCHD_START( | |
790 | [set-fail-mode br0 standalone -- ]) | |
791 | ||
792 | ADD_NAMESPACES(at_ns0, at_ns1) | |
793 | ||
794 | ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") | |
795 | ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") | |
796 | ||
797 | dnl Allow ARP and ICMP. Any TCP from ns0->ns1 is committed with the FTP ALG so | |
797 | dnl that the data connections the helper expects are classified +rel; from | |
797 | dnl ns1->ns0 only established or related TCP is admitted. Note that +rel here | |
797 | dnl trusts whatever the FTP helper derived from the control-channel payload. | |
798 | AT_DATA([flows1.txt], [dnl | |
799 | priority=1,action=drop | |
800 | priority=10,arp,action=normal | |
801 | priority=10,icmp,action=normal | |
802 | priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2 | |
803 | priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0) | |
804 | priority=100,in_port=2,tcp,ct_state=+trk+est,action=1 | |
805 | priority=100,in_port=2,tcp,ct_state=+trk+rel,action=1 | |
806 | ]) | |
807 | ||
808 | dnl Similar policy, but ns0->ns1 is restricted to new TCP (committed with the FTP | |
808 | dnl ALG) or established TCP, and from ns1->ns0 new connections are admitted only | |
808 | dnl when related to a tracked FTP control connection (and are then committed). | |
809 | AT_DATA([flows2.txt], [dnl | |
810 | priority=1,action=drop | |
811 | priority=10,arp,action=normal | |
812 | priority=10,icmp,action=normal | |
813 | priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0) | |
814 | priority=100,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2 | |
815 | priority=100,in_port=1,tcp,ct_state=+trk+est,action=2 | |
816 | priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0) | |
817 | priority=100,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1 | |
818 | priority=100,in_port=2,tcp,ct_state=+trk+est,action=1 | |
819 | priority=100,in_port=2,tcp,ct_state=+trk-new+rel,action=1 | |
820 | ]) | |
821 | ||
822 | AT_CHECK([ovs-ofctl add-flows br0 flows1.txt]) | |
823 | ||
824 | NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid]) | |
825 | NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid]) | |
826 | ||
827 | dnl FTP requests from p1->p0 should fail: TCP originating on in_port=2 is never | |
827 | dnl committed and is neither +est nor +rel, so the control connection cannot be | |
827 | dnl opened and no conntrack entry for 10.1.1.1 must exist afterwards. | |
828 | dnl Try 3 times, in 1 second intervals. | |
829 | NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4]) | |
830 | AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.1)], [0], [dnl | |
831 | ]) | |
832 | ||
833 | dnl FTP requests from p0->p1 should work fine. | |
834 | NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log]) | |
835 | AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl | |
836 | TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=1 | |
837 | ]) | |
838 | ||
839 | dnl Try the second set of flows. | |
840 | conntrack -F | |
841 | AT_CHECK([ovs-ofctl del-flows br0]) | |
842 | AT_CHECK([ovs-ofctl add-flows br0 flows2.txt]) | |
843 | ||
844 | dnl FTP requests from p1->p0 should fail: a new TCP connection from in_port=2 is | |
844 | dnl only admitted when +rel, and no tracked FTP control connection exists yet. | |
845 | dnl Try 3 times, in 1 second intervals. | |
846 | NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4]) | |
847 | AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.1)], [0], [dnl | |
848 | ]) | |
849 | ||
850 | dnl Active FTP requests from p0->p1 should work fine: the server-initiated data | |
850 | dnl connection arrives on in_port=2 as +trk+new+rel and is committed, which is | |
850 | dnl the second entry (10.1.1.2 -> 10.1.1.1, no helper) expected below. | |
851 | NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log]) | |
852 | AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl | |
853 | TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=2 | |
854 | TIME_WAIT src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1 | |
855 | ]) | |
856 | ||
857 | AT_CHECK([conntrack -F 2>/dev/null]) | |
858 | ||
859 | dnl Passive FTP requests from p0->p1 should work fine: the client-initiated data | |
859 | dnl connection is a new TCP flow from in_port=1, visible below as the second | |
859 | dnl 10.1.1.1 -> 10.1.1.2 entry without a helper. | |
860 | NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log]) | |
861 | AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl | |
862 | TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=2 | |
863 | TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1 | |
864 | ]) | |
865 | ||
866 | OVS_TRAFFIC_VSWITCHD_STOP | |
867 | AT_CLEANUP | |
868 | ||
869 | AT_SETUP([conntrack - FTP with multiple expectations]) | |
870 | AT_SKIP_IF([test $HAVE_PYFTPDLIB = no]) | |
871 | CHECK_CONNTRACK() | |
872 | OVS_TRAFFIC_VSWITCHD_START( | |
873 | [set-fail-mode br0 standalone -- ]) | |
874 | ||
875 | ADD_NAMESPACES(at_ns0, at_ns1) | |
876 | ||
877 | ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") | |
878 | ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") | |
879 | ||
880 | dnl Dual firewall (conntrack zones 1 and 2 in series): allow all TCP from | |
880 | dnl ns0->ns1 (in_port=1), committing it in both zones with the FTP ALG; from | |
880 | dnl ns1->ns0 (in_port=2) admit only established traffic or FTP-related | |
880 | dnl connections, which are committed in both zones. | |
881 | AT_DATA([flows.txt], [dnl | |
882 | priority=1,action=drop | |
883 | priority=10,arp,action=normal | |
884 | priority=10,icmp,action=normal | |
885 | priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1) | |
886 | priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2 | |
887 | priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=0,zone=2) | |
888 | priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=2) | |
889 | priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2 | |
890 | priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2) | |
891 | priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1 | |
892 | priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=0,zone=1) | |
893 | priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1 | |
894 | priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1 | |
895 | ]) | |
896 | ||
897 | AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) | |
898 | ||
899 | NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid]) | |
900 | NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid]) | |
901 | ||
902 | dnl FTP requests from p1->p0 should fail: untracked TCP from in_port=2 is only | |
902 | dnl admitted when +est or +rel in zone 2, and no entry exists yet. | |
903 | dnl Try 3 times, in 1 second intervals. | |
904 | NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4]) | |
905 | AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.1)], [0], [dnl | |
906 | ]) | |
907 | ||
908 | dnl Active FTP requests from p0->p1 should work fine: the server-initiated data | |
908 | dnl connection arrives on in_port=2 as +rel in zone 2, is committed in both | |
908 | dnl zones, and appears below as the 10.1.1.2 -> 10.1.1.1 entries without a helper. | |
909 | NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log]) | |
910 | AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl | |
911 | TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 helper=ftp use=2 | |
912 | TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 helper=ftp use=2 | |
913 | TIME_WAIT src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1 | |
914 | TIME_WAIT src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1 | |
915 | ]) | |
916 | ||
917 | AT_CHECK([conntrack -F 2>/dev/null]) | |
918 | ||
919 | dnl Passive FTP requests from p0->p1 should work fine: the client-initiated data | |
919 | dnl connection is a new TCP flow from in_port=1 committed in both zones, visible | |
919 | dnl below as the 10.1.1.1 -> 10.1.1.2 entries without a helper. | |
920 | NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log]) | |
921 | AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl | |
922 | TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 helper=ftp use=2 | |
923 | TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1 | |
924 | TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 helper=ftp use=2 | |
925 | TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1 | |
926 | ]) | |
927 | ||
928 | OVS_TRAFFIC_VSWITCHD_STOP | |
929 | AT_CLEANUP |