tests/system-traffic.at

   1 AT_BANNER([datapath-sanity])
   2
   3 AT_SETUP([datapath - ping between two ports])
   4 OVS_TRAFFIC_VSWITCHD_START()
   5
   6 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
   7
   8 ADD_NAMESPACES(at_ns0, at_ns1)
   9
  10 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
  11 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
  12
  13 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
  14 3 packets transmitted, 3 received, 0% packet loss, time 0ms
  15 ])
  16 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
  17 3 packets transmitted, 3 received, 0% packet loss, time 0ms
  18 ])
  19 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
  20 3 packets transmitted, 3 received, 0% packet loss, time 0ms
  21 ])
  22
  23 OVS_TRAFFIC_VSWITCHD_STOP
  24 AT_CLEANUP
  25
  26 AT_SETUP([datapath - http between two ports])
  27 OVS_TRAFFIC_VSWITCHD_START()
  28
  29 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
  30
  31 ADD_NAMESPACES(at_ns0, at_ns1)
  32
  33 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
  34 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
  35
  36 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
  37 3 packets transmitted, 3 received, 0% packet loss, time 0ms
  38 ])
  39
  40 OVS_START_L7([at_ns1], [http])
  41 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
  42
  43 OVS_TRAFFIC_VSWITCHD_STOP
  44 AT_CLEANUP
  45
  46 AT_SETUP([datapath - ping between two ports on vlan])
  47 OVS_TRAFFIC_VSWITCHD_START()
  48
  49 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
  50
  51 ADD_NAMESPACES(at_ns0, at_ns1)
  52
  53 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
  54 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
  55
  56 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
  57 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
  58
  59 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
  60 3 packets transmitted, 3 received, 0% packet loss, time 0ms
  61 ])
  62 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
  63 3 packets transmitted, 3 received, 0% packet loss, time 0ms
  64 ])
  65 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
  66 3 packets transmitted, 3 received, 0% packet loss, time 0ms
  67 ])
  68
  69 OVS_TRAFFIC_VSWITCHD_STOP
  70 AT_CLEANUP
  71
  72 AT_SETUP([datapath - ping between two ports on cvlan])
  73 OVS_TRAFFIC_VSWITCHD_START()
  74
  75 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
  76
  77 ADD_NAMESPACES(at_ns0, at_ns1)
  78
  79 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
  80 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
  81
  82 ADD_SVLAN(p0, at_ns0, 4094, "10.255.2.1/24")
  83 ADD_SVLAN(p1, at_ns1, 4094, "10.255.2.2/24")
  84
  85 ADD_CVLAN(p0.4094, at_ns0, 100, "10.2.2.1/24")
  86 ADD_CVLAN(p1.4094, at_ns1, 100, "10.2.2.2/24")
  87
  88 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])
  89
  90 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
  91 3 packets transmitted, 3 received, 0% packet loss, time 0ms
  92 ])
  93 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
  94 3 packets transmitted, 3 received, 0% packet loss, time 0ms
  95 ])
  96 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
  97 3 packets transmitted, 3 received, 0% packet loss, time 0ms
  98 ])
  99
 100 OVS_TRAFFIC_VSWITCHD_STOP
 101 AT_CLEANUP
 102
 103 AT_SETUP([datapath - ping6 between two ports])
 104 OVS_TRAFFIC_VSWITCHD_START()
 105
 106 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
 107
 108 ADD_NAMESPACES(at_ns0, at_ns1)
 109
 110 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
 111 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
 112
 113 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
 114 dnl waiting, we get occasional failures due to the following error:
 115 dnl "connect: Cannot assign requested address"
 116 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
 117
 118 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
 119 3 packets transmitted, 3 received, 0% packet loss, time 0ms
 120 ])
 121 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
 122 3 packets transmitted, 3 received, 0% packet loss, time 0ms
 123 ])
 124 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
 125 3 packets transmitted, 3 received, 0% packet loss, time 0ms
 126 ])
 127
 128 OVS_TRAFFIC_VSWITCHD_STOP
 129 AT_CLEANUP
 130
 131 AT_SETUP([datapath - ping6 between two ports on vlan])
 132 OVS_TRAFFIC_VSWITCHD_START()
 133
 134 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
 135
 136 ADD_NAMESPACES(at_ns0, at_ns1)
 137
 138 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
 139 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
 140
 141 ADD_VLAN(p0, at_ns0, 100, "fc00:1::1/96")
 142 ADD_VLAN(p1, at_ns1, 100, "fc00:1::2/96")
 143
 144 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
 145 dnl waiting, we get occasional failures due to the following error:
 146 dnl "connect: Cannot assign requested address"
 147 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00:1::2])
 148
 149 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
 150 3 packets transmitted, 3 received, 0% packet loss, time 0ms
 151 ])
 152 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
 153 3 packets transmitted, 3 received, 0% packet loss, time 0ms
 154 ])
 155 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
 156 3 packets transmitted, 3 received, 0% packet loss, time 0ms
 157 ])
 158
 159 OVS_TRAFFIC_VSWITCHD_STOP
 160 AT_CLEANUP
 161
 162 AT_SETUP([datapath - ping6 between two ports on cvlan])
 163 OVS_TRAFFIC_VSWITCHD_START()
 164
 165 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
 166
 167 ADD_NAMESPACES(at_ns0, at_ns1)
 168
 169 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
 170 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
 171
 172 ADD_SVLAN(p0, at_ns0, 4094, "fc00:ffff::1/96")
 173 ADD_SVLAN(p1, at_ns1, 4094, "fc00:ffff::2/96")
 174
 175 ADD_CVLAN(p0.4094, at_ns0, 100, "fc00:1::1/96")
 176 ADD_CVLAN(p1.4094, at_ns1, 100, "fc00:1::2/96")
 177
 178 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00:1::2])
 179
 180 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
 181 3 packets transmitted, 3 received, 0% packet loss, time 0ms
 182 ])
 183 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
 184 3 packets transmitted, 3 received, 0% packet loss, time 0ms
 185 ])
 186 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
 187 3 packets transmitted, 3 received, 0% packet loss, time 0ms
 188 ])
 189
 190 OVS_TRAFFIC_VSWITCHD_STOP
 191 AT_CLEANUP
 192
 193 AT_SETUP([datapath - ping over bond])
 194 OVS_TRAFFIC_VSWITCHD_START()
 195
 196 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
 197
 198 ADD_NAMESPACES(at_ns0, at_ns1)
 199
 200 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
 201 ADD_VETH_BOND(p1 p2, at_ns1, br0, bond0, lacp=active bond_mode=balance-tcp, "10.1.1.2/24")
 202
 203 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2])
 204
 205 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
 206 3 packets transmitted, 3 received, 0% packet loss, time 0ms
 207 ])
 208 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
 209 3 packets transmitted, 3 received, 0% packet loss, time 0ms
 210 ])
 211 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
 212 3 packets transmitted, 3 received, 0% packet loss, time 0ms
 213 ])
 214
 215 OVS_TRAFFIC_VSWITCHD_STOP
 216 AT_CLEANUP
 217
 218 AT_SETUP([datapath - ping over vxlan tunnel])
 219 OVS_CHECK_VXLAN()
 220
 221 OVS_TRAFFIC_VSWITCHD_START()
 222 ADD_BR([br-underlay])
 223
 224 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
 225 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
 226
 227 ADD_NAMESPACES(at_ns0)
 228
 229 dnl Set up underlay link from host into the namespace using veth pair.
 230 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
 231 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
 232 AT_CHECK([ip link set dev br-underlay up])
 233
 234 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
 235 dnl linux device inside the namespace.
 236 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
 237 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
 238                   [id 0 dstport 4789])
 239
 240 dnl First, check the underlay
 241 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
 242 3 packets transmitted, 3 received, 0% packet loss, time 0ms
 243 ])
 244
 245 dnl Okay, now check the overlay with different packet sizes
 246 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
 247 3 packets transmitted, 3 received, 0% packet loss, time 0ms
 248 ])
 249 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
 250 3 packets transmitted, 3 received, 0% packet loss, time 0ms
 251 ])
 252 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
 253 3 packets transmitted, 3 received, 0% packet loss, time 0ms
 254 ])
 255
 256 OVS_TRAFFIC_VSWITCHD_STOP
 257 AT_CLEANUP
 258
 259 AT_SETUP([datapath - ping over gre tunnel])
 260 OVS_CHECK_GRE()
 261
 262 OVS_TRAFFIC_VSWITCHD_START()
 263 ADD_BR([br-underlay])
 264
 265 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
 266 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
 267
 268 ADD_NAMESPACES(at_ns0)
 269
 270 dnl Set up underlay link from host into the namespace using veth pair.
 271 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
 272 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
 273 AT_CHECK([ip link set dev br-underlay up])
 274
 275 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
 276 dnl linux device inside the namespace.
 277 ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
 278 ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24])
 279
 280 dnl First, check the underlay
 281 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
 282 3 packets transmitted, 3 received, 0% packet loss, time 0ms
 283 ])
 284
 285 dnl Okay, now check the overlay with different packet sizes
 286 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
 287 3 packets transmitted, 3 received, 0% packet loss, time 0ms
 288 ])
 289 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
 290 3 packets transmitted, 3 received, 0% packet loss, time 0ms
 291 ])
 292 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
 293 3 packets transmitted, 3 received, 0% packet loss, time 0ms
 294 ])
 295
 296 OVS_TRAFFIC_VSWITCHD_STOP
 297 AT_CLEANUP
 298
 299 AT_SETUP([datapath - ping over geneve tunnel])
 300 OVS_CHECK_GENEVE()
 301
 302 OVS_TRAFFIC_VSWITCHD_START()
 303 ADD_BR([br-underlay])
 304
 305 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
 306 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
 307
 308 ADD_NAMESPACES(at_ns0)
 309
 310 dnl Set up underlay link from host into the namespace using veth pair.
 311 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
 312 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
 313 AT_CHECK([ip link set dev br-underlay up])
 314
 315 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
 316 dnl linux device inside the namespace.
 317 ADD_OVS_TUNNEL([geneve], [br0], [at_gnv0], [172.31.1.1], [10.1.1.100/24])
 318 ADD_NATIVE_TUNNEL([geneve], [ns_gnv0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
 319                   [vni 0])
 320
 321 dnl First, check the underlay
 322 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
 323 3 packets transmitted, 3 received, 0% packet loss, time 0ms
 324 ])
 325
 326 dnl Okay, now check the overlay with different packet sizes
 327 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
 328 3 packets transmitted, 3 received, 0% packet loss, time 0ms
 329 ])
 330 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
 331 3 packets transmitted, 3 received, 0% packet loss, time 0ms
 332 ])
 333 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
 334 3 packets transmitted, 3 received, 0% packet loss, time 0ms
 335 ])
 336
 337 OVS_TRAFFIC_VSWITCHD_STOP
 338 AT_CLEANUP
 339
 340 AT_SETUP([datapath - clone action])
 341 OVS_TRAFFIC_VSWITCHD_START()
 342
 343 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2)
 344
 345 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
 346 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
 347
 348 AT_CHECK([ovs-vsctl -- set interface ovs-p0 ofport_request=1 \
 349                     -- set interface ovs-p1 ofport_request=2])
 350
 351 AT_DATA([flows.txt], [dnl
 352 priority=1 actions=NORMAL
 353 priority=10 in_port=1,ip,actions=clone(mod_dl_dst(50:54:00:00:00:0a),set_field:192.168.3.3->ip_dst), output:2
 354 priority=10 in_port=2,ip,actions=clone(mod_dl_src(ae:c6:7e:54:8d:4d),mod_dl_dst(50:54:00:00:00:0b),set_field:192.168.4.4->ip_dst, controller), output:1
 355 ])
 356 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
 357
 358 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
 359 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
 360 3 packets transmitted, 3 received, 0% packet loss, time 0ms
 361 ])
 362
 363 AT_CHECK([cat ofctl_monitor.log | STRIP_MONITOR_CSUM], [0], [dnl
 364 icmp,vlan_tci=0x0000,dl_src=ae:c6:7e:54:8d:4d,dl_dst=50:54:00:00:00:0b,nw_src=10.1.1.2,nw_dst=192.168.4.4,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=0,icmp_code=0 icmp_csum: <skip>
 365 icmp,vlan_tci=0x0000,dl_src=ae:c6:7e:54:8d:4d,dl_dst=50:54:00:00:00:0b,nw_src=10.1.1.2,nw_dst=192.168.4.4,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=0,icmp_code=0 icmp_csum: <skip>
 366 icmp,vlan_tci=0x0000,dl_src=ae:c6:7e:54:8d:4d,dl_dst=50:54:00:00:00:0b,nw_src=10.1.1.2,nw_dst=192.168.4.4,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=0,icmp_code=0 icmp_csum: <skip>
 367 ])
 368
 369 OVS_TRAFFIC_VSWITCHD_STOP
 370 AT_CLEANUP
 371
 372 AT_SETUP([datapath - basic truncate action])
 373 AT_SKIP_IF([test $HAVE_NC = no])
 374 OVS_TRAFFIC_VSWITCHD_START()
 375 AT_CHECK([ovs-ofctl del-flows br0])
 376
 377 dnl Create p0 and ovs-p0(1)
 378 ADD_NAMESPACES(at_ns0)
 379 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
 380 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
 381 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
 382
 383 dnl Create p1(3) and ovs-p1(2), packets received from ovs-p1 will appear in p1
 384 AT_CHECK([ip link add p1 type veth peer name ovs-p1])
 385 on_exit 'ip link del ovs-p1'
 386 AT_CHECK([ip link set dev ovs-p1 up])
 387 AT_CHECK([ip link set dev p1 up])
 388 AT_CHECK([ovs-vsctl add-port br0 ovs-p1 -- set interface ovs-p1 ofport_request=2])
 389 dnl Use p1 to check the truncated packet
 390 AT_CHECK([ovs-vsctl add-port br0 p1 -- set interface p1 ofport_request=3])
 391
 392 dnl Create p2(5) and ovs-p2(4)
 393 AT_CHECK([ip link add p2 type veth peer name ovs-p2])
 394 on_exit 'ip link del ovs-p2'
 395 AT_CHECK([ip link set dev ovs-p2 up])
 396 AT_CHECK([ip link set dev p2 up])
 397 AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=4])
 398 dnl Use p2 to check the truncated packet
 399 AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=5])
 400
 401 dnl basic test
 402 AT_CHECK([ovs-ofctl del-flows br0])
 403 AT_DATA([flows.txt], [dnl
 404 in_port=3 dl_dst=e6:66:c1:22:22:22 actions=drop
 405 in_port=5 dl_dst=e6:66:c1:22:22:22 actions=drop
 406 in_port=1 dl_dst=e6:66:c1:22:22:22 actions=output(port=2,max_len=100),output:4
 407 ])
 408 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
 409
 410 dnl use this file as payload file for ncat
 411 AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
 412 on_exit 'rm -f payload200.bin'
 413 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])
 414
 415 dnl packet with truncated size
 416 AT_CHECK([ovs-appctl revalidator/purge], [0])
 417 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" |  sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
 418 n_bytes=100
 419 ])
 420 dnl packet with original size
 421 AT_CHECK([ovs-appctl revalidator/purge], [0])
 422 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
 423 n_bytes=242
 424 ])
 425
 426 dnl more complicated output actions
 427 AT_CHECK([ovs-ofctl del-flows br0])
 428 AT_DATA([flows.txt], [dnl
 429 in_port=3 dl_dst=e6:66:c1:22:22:22 actions=drop
 430 in_port=5 dl_dst=e6:66:c1:22:22:22 actions=drop
 431 in_port=1 dl_dst=e6:66:c1:22:22:22 actions=output(port=2,max_len=100),output:4,output(port=2,max_len=100),output(port=4,max_len=100),output:2,output(port=4,max_len=200),output(port=2,max_len=65535)
 432 ])
 433 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
 434
 435 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])
 436
 437 dnl 100 + 100 + 242 + min(65535,242) = 684
 438 AT_CHECK([ovs-appctl revalidator/purge], [0])
 439 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
 440 n_bytes=684
 441 ])
 442 dnl 242 + 100 + min(242,200) = 542
 443 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
 444 n_bytes=542
 445 ])
 446
 447 dnl SLOW_ACTION: disable kernel datapath truncate support
 448 dnl Repeat the test above, but exercise the SLOW_ACTION code path
 449 AT_CHECK([ovs-appctl dpif/disable-truncate], [0],
 450 [Datapath truncate action diabled
 451 ])
 452
 453 dnl SLOW_ACTION test1: check datapatch actions
 454 AT_CHECK([ovs-ofctl del-flows br0])
 455 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
 456
 457 AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=1,dl_type=0x800,dl_src=e6:66:c1:11:11:11,dl_dst=e6:66:c1:22:22:22,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,tp_src=8,tp_dst=9"], [0], [stdout])
 458 AT_CHECK([tail -3 stdout], [0],
 459 [Datapath actions: trunc(100),3,5,trunc(100),3,trunc(100),5,3,trunc(200),5,trunc(65535),3
 460 This flow is handled by the userspace slow path because it:
 461         - Uses action(s) not supported by datapath.
 462 ])
 463
 464 dnl SLOW_ACTION test2: check actual packet truncate
 465 AT_CHECK([ovs-ofctl del-flows br0])
 466 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
 467 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])
 468
 469 dnl 100 + 100 + 242 + min(65535,242) = 684
 470 AT_CHECK([ovs-appctl revalidator/purge], [0])
 471 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
 472 n_bytes=684
 473 ])
 474
 475 dnl 242 + 100 + min(242,200) = 542
 476 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
 477 n_bytes=542
 478 ])
 479
 480 OVS_TRAFFIC_VSWITCHD_STOP
 481 AT_CLEANUP
 482
 483 dnl Create 2 bridges and 2 namespaces to test truncate over
 484 dnl GRE tunnel:
 485 dnl   br0: overlay bridge
 486 dnl   ns1: connect to br0, with IP:10.1.1.2
 487 dnl   br-underlay: with IP: 172.31.1.100
 488 dnl   ns0: connect to br-underlay, with IP: 10.1.1.1
 489 AT_SETUP([datapath - truncate and output to gre tunnel])
 490 AT_SKIP_IF([test $HAVE_NC = no])
 491 OVS_CHECK_GRE()
 492 OVS_TRAFFIC_VSWITCHD_START()
 493
 494 ADD_BR([br-underlay])
 495 ADD_NAMESPACES(at_ns0)
 496 ADD_NAMESPACES(at_ns1)
 497 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
 498 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
 499
 500 dnl Set up underlay link from host into the namespace using veth pair.
 501 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
 502 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
 503 AT_CHECK([ip link set dev br-underlay up])
 504
 505 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
 506 dnl linux device inside the namespace.
 507 ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
 508 ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
 509                   [], [address e6:66:c1:11:11:11])
 510 AT_CHECK([ovs-vsctl -- set interface at_gre0 ofport_request=1])
 511 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
 512
 513 dnl Set up (p1 and ovs-p1) at br0
 514 ADD_VETH(p1, at_ns1, br0, '10.1.1.2/24')
 515 AT_CHECK([ovs-vsctl -- set interface ovs-p1 ofport_request=2])
 516 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
 517 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
 518
 519 dnl Set up (p2 and ovs-p2) as loopback for verifying packet size
 520 AT_CHECK([ip link add p2 type veth peer name ovs-p2])
 521 on_exit 'ip link del ovs-p2'
 522 AT_CHECK([ip link set dev ovs-p2 up])
 523 AT_CHECK([ip link set dev p2 up])
 524 AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=3])
 525 AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=4])
 526
 527 dnl use this file as payload file for ncat
 528 AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
 529 on_exit 'rm -f payload200.bin'
 530
 531 AT_CHECK([ovs-ofctl del-flows br0])
 532 AT_DATA([flows.txt], [dnl
 533 priority=99,in_port=1,actions=output(port=2,max_len=100),output(port=3,max_len=100)
 534 priority=99,in_port=2,udp,actions=output(port=1,max_len=100)
 535 priority=1,in_port=4,ip,actions=drop
 536 priority=1,actions=drop
 537 ])
 538 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
 539
 540 AT_CHECK([ovs-ofctl del-flows br-underlay])
 541 AT_DATA([flows-underlay.txt], [dnl
 542 priority=99,dl_type=0x0800,nw_proto=47,in_port=1,actions=LOCAL
 543 priority=99,dl_type=0x0800,nw_proto=47,in_port=LOCAL,ip_dst=172.31.1.1/24,actions=1
 544 priority=1,actions=drop
 545 ])
 546
 547 AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])
 548
 549 dnl check tunnel push path, from at_ns1 to at_ns0
 550 NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
 551 AT_CHECK([ovs-appctl revalidator/purge], [0])
 552
 553 dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
 554 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
 555 n_bytes=242
 556 ])
 557 dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
 558 AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
 559 n_bytes=138
 560 ])
 561
 562 dnl check tunnel pop path, from at_ns0 to at_ns1
 563 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 5678 < payload200.bin])
 564 dnl After truncation = 100 byte at loopback device p2(4)
 565 AT_CHECK([ovs-appctl revalidator/purge], [0])
 566 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | ofctl_strip], [0], [dnl
 567  n_packets=1, n_bytes=100, priority=1,ip,in_port=4 actions=drop
 568 ])
 569
 570 dnl SLOW_ACTION: disable datapath truncate support
 571 dnl Repeat the test above, but exercise the SLOW_ACTION code path
 572 AT_CHECK([ovs-appctl dpif/disable-truncate], [0],
 573 [Datapath truncate action diabled
 574 ])
 575
 576 dnl SLOW_ACTION test1: check datapatch actions
 577 AT_CHECK([ovs-ofctl del-flows br0])
 578 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
 579
 580 dnl SLOW_ACTION test2: check actual packet truncate
 581 AT_CHECK([ovs-ofctl del-flows br0])
 582 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
 583 AT_CHECK([ovs-ofctl del-flows br-underlay])
 584 AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])
 585
 586 dnl check tunnel push path, from at_ns1 to at_ns0
 587 NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
 588 AT_CHECK([ovs-appctl revalidator/purge], [0])
 589
 590 dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
 591 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
 592 n_bytes=242
 593 ])
 594 dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
 595 AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
 596 n_bytes=138
 597 ])
 598
 599 dnl check tunnel pop path, from at_ns0 to at_ns1
 600 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 5678 < payload200.bin])
 601 dnl After truncation = 100 byte at loopback device p2(4)
 602 AT_CHECK([ovs-appctl revalidator/purge], [0])
 603 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | ofctl_strip], [0], [dnl
 604  n_packets=1, n_bytes=100, priority=1,ip,in_port=4 actions=drop
 605 ])
 606
 607 OVS_TRAFFIC_VSWITCHD_STOP
 608 AT_CLEANUP
 609
 610 AT_BANNER([conntrack])
 611
 612 AT_SETUP([conntrack - controller])
 613 CHECK_CONNTRACK()
 614 OVS_TRAFFIC_VSWITCHD_START()
 615 AT_CHECK([ovs-appctl vlog/set dpif:dbg dpif_netdev:dbg ofproto_dpif_upcall:dbg])
 616
 617 ADD_NAMESPACES(at_ns0, at_ns1)
 618
 619 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
 620 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
 621
 622 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
 623 AT_DATA([flows.txt], [dnl
 624 priority=1,action=drop
 625 priority=10,arp,action=normal
 626 priority=100,in_port=1,udp,action=ct(commit),controller
 627 priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
 628 priority=100,in_port=2,ct_state=+trk+est,udp,action=controller
 629 ])
 630
 631 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
 632
 633 AT_CAPTURE_FILE([ofctl_monitor.log])
 634 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
 635
 636 dnl Send an unsolicited reply from port 2. This should be dropped.
 637 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000'])
 638
 639 dnl OK, now start a new connection from port 1.
 640 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit\),controller '50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000'])
 641
 642 dnl Now try a reply from port 2.
 643 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000'])
 644
 645 dnl Check this output. We only see the latter two packets, not the first.
 646 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
 647 NXT_PACKET_IN2 (xid=0x0): total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
 648 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
 649 NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,ct_nw_src=10.1.1.1,ct_nw_dst=10.1.1.2,ct_nw_proto=17,ct_tp_src=1,ct_tp_dst=2,in_port=2 (via action) data_len=42 (unbuffered)
 650 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
 651 ])
 652
 653 OVS_TRAFFIC_VSWITCHD_STOP
 654 AT_CLEANUP
 655
 656 AT_SETUP([conntrack - IPv4 ping])
 657 CHECK_CONNTRACK()
 658 OVS_TRAFFIC_VSWITCHD_START()
 659
 660 ADD_NAMESPACES(at_ns0, at_ns1)
 661
 662 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
 663 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
 664
 665 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
 666 AT_DATA([flows.txt], [dnl
 667 priority=1,action=drop
 668 priority=10,arp,action=normal
 669 priority=100,in_port=1,icmp,action=ct(commit),2
 670 priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
 671 priority=100,in_port=2,icmp,ct_state=+trk+est,action=1
 672 ])
 673
 674 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
 675
 676 dnl Pings from ns0->ns1 should work fine.
 677 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
 678 3 packets transmitted, 3 received, 0% packet loss, time 0ms
 679 ])
 680
 681 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
 682 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0)
 683 ])
 684
 685 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
 686
 687 dnl Pings from ns1->ns0 should fail.
 688 NS_CHECK_EXEC([at_ns1], [ping -q -c 3 -i 0.3 -w 2 10.1.1.1 | FORMAT_PING], [0], [dnl
 689 7 packets transmitted, 0 received, 100% packet loss, time 0ms
 690 ])
 691
 692 OVS_TRAFFIC_VSWITCHD_STOP
 693 AT_CLEANUP
 694
 695 AT_SETUP([conntrack - IPv6 ping])
 696 CHECK_CONNTRACK()
 697 OVS_TRAFFIC_VSWITCHD_START()
 698
 699 ADD_NAMESPACES(at_ns0, at_ns1)
 700
 701 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
 702 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
 703
 704 AT_DATA([flows.txt], [dnl
 705
 706 dnl ICMPv6 echo request and reply go to table 1.  The rest of the traffic goes
 707 dnl through normal action.
 708 table=0,priority=10,icmp6,icmp_type=128,action=goto_table:1
 709 table=0,priority=10,icmp6,icmp_type=129,action=goto_table:1
 710 table=0,priority=1,action=normal
 711
 712 dnl Allow everything from ns0->ns1. Only allow return traffic from ns1->ns0.
 713 table=1,priority=100,in_port=1,icmp6,action=ct(commit),2
 714 table=1,priority=100,in_port=2,icmp6,ct_state=-trk,action=ct(table=0)
 715 table=1,priority=100,in_port=2,icmp6,ct_state=+trk+est,action=1
 716 table=1,priority=1,action=drop
 717 ])
 718
 719 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
 720
 721 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
 722
 723 dnl The above ping creates state in the connection tracker.  We're not
 724 dnl interested in that state.
 725 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
 726
 727 dnl Pings from ns1->ns0 should fail.
 728 NS_CHECK_EXEC([at_ns1], [ping6 -q -c 3 -i 0.3 -w 2 fc00::1 | FORMAT_PING], [0], [dnl
 729 7 packets transmitted, 0 received, 100% packet loss, time 0ms
 730 ])
 731
 732 dnl Pings from ns0->ns1 should work fine.
 733 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
 734 3 packets transmitted, 3 received, 0% packet loss, time 0ms
 735 ])
 736
 737 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
 738 icmpv6,orig=(src=fc00::1,dst=fc00::2,id=<cleared>,type=128,code=0),reply=(src=fc00::2,dst=fc00::1,id=<cleared>,type=129,code=0)
 739 ])
 740
 741 OVS_TRAFFIC_VSWITCHD_STOP
 742 AT_CLEANUP
 743
 744 AT_SETUP([conntrack - preserve registers])
 745 CHECK_CONNTRACK()
 746 OVS_TRAFFIC_VSWITCHD_START()
 747
 748 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
 749
 750 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
 751 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
 752 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
 753 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
 754
 755 dnl Allow any traffic from ns0->ns1, ns2->ns3.
 756 AT_DATA([flows.txt], [dnl
 757 priority=1,action=drop
 758 priority=10,arp,action=normal
 759 priority=10,icmp,action=normal
 760 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
 761 priority=100,in_port=1,tcp,ct_state=+trk,action=2
 762 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
 763 priority=100,in_port=2,tcp,ct_state=+trk,action=1
 764 priority=100,in_port=3,tcp,ct_state=-trk,action=load:0->NXM_NX_REG0[[]],ct(table=0)
 765 priority=100,in_port=3,tcp,ct_state=+trk,reg0=0,action=load:1->NXM_NX_REG0[[]],ct(commit,table=0)
 766 priority=100,in_port=3,tcp,ct_state=+trk,reg0=1,action=4
 767 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
 768 priority=100,in_port=4,tcp,ct_state=+trk,action=3
 769 ])
 770
 771 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
 772
 773 OVS_START_L7([at_ns1], [http])
 774 OVS_START_L7([at_ns3], [http])
 775
 776 dnl HTTP requests from p0->p1 should work fine.
 777 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
 778
 779 dnl HTTP requests from p2->p3 should work fine.
 780 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
 781
 782 OVS_TRAFFIC_VSWITCHD_STOP
 783 AT_CLEANUP
 784
 785 AT_SETUP([conntrack - invalid])
 786 CHECK_CONNTRACK()
 787 OVS_TRAFFIC_VSWITCHD_START()
 788
 789 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
 790
 791 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
 792 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
 793 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
 794 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
 795
 796 dnl Pass traffic from ns0->ns1 without committing, but attempt to track in
 797 dnl the opposite direction. This should fail.
 798 dnl Pass traffic from ns3->ns4 without committing, and this time match
 799 dnl invalid traffic and allow it through.
 800 AT_DATA([flows.txt], [dnl
 801 priority=1,action=drop
 802 priority=10,arp,action=normal
 803 priority=10,icmp,action=normal
 804 priority=100,in_port=1,tcp,action=ct(),2
 805 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
 806 priority=100,in_port=2,ct_state=+trk+new,tcp,action=1
 807 priority=100,in_port=3,tcp,action=ct(),4
 808 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
 809 priority=100,in_port=4,ct_state=+trk+inv,tcp,action=3
 810 priority=100,in_port=4,ct_state=+trk+new,tcp,action=3
 811 ])
 812
 813 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
 814
 815 dnl We set up our rules to allow the request without committing. The return
 816 dnl traffic can't be identified, because the initial request wasn't committed.
 817 dnl For the first pair of ports, this means that the connection fails.
 818 OVS_START_L7([at_ns1], [http])
 819 OVS_START_L7([at_ns3], [http])
 820 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4])
 821
 822 dnl For the second pair, we allow packets from invalid connections, so it works.
 823 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
 824
 825 OVS_TRAFFIC_VSWITCHD_STOP
 826 AT_CLEANUP
 827
 828 AT_SETUP([conntrack - zones])
 829 CHECK_CONNTRACK()
 830 OVS_TRAFFIC_VSWITCHD_START()
 831
 832 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
 833
 834 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
 835 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
 836 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
 837 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
 838
 839 dnl Allow any traffic from ns0->ns1. Allow return traffic, matching on zone.
 840 dnl For ns2->ns3, use a different zone and see that the match fails.
 841 AT_DATA([flows.txt], [dnl
 842 priority=1,action=drop
 843 priority=10,arp,action=normal
 844 priority=10,icmp,action=normal
 845 priority=100,in_port=1,tcp,action=ct(commit,zone=1),2
 846 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
 847 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
 848 priority=100,in_port=3,tcp,action=ct(commit,zone=2),4
 849 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0,zone=2)
 850 priority=100,in_port=4,ct_state=+trk,ct_zone=1,tcp,action=3
 851 ])
 852
 853 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
 854
 855 OVS_START_L7([at_ns1], [http])
 856 OVS_START_L7([at_ns3], [http])
 857
 858 dnl HTTP requests from p0->p1 should work fine.
 859 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
 860
 861 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
 862 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
 863 ])
 864
 865 dnl HTTP requests from p2->p3 should fail due to network failure.
 866 dnl Try 3 times, in 1 second intervals.
 867 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
 868
 869 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
 870 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
 871 ])
 872
 873 OVS_TRAFFIC_VSWITCHD_STOP
 874 AT_CLEANUP
 875
 876 AT_SETUP([conntrack - zones from field])
 877 CHECK_CONNTRACK()
 878 OVS_TRAFFIC_VSWITCHD_START()
 879
 880 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
 881
 882 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
 883 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
 884 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
 885 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
 886
 887 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
 888 AT_DATA([flows.txt], [dnl
 889 priority=1,action=drop
 890 priority=10,arp,action=normal
 891 priority=10,icmp,action=normal
 892 priority=100,in_port=1,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),2
 893 priority=100,in_port=2,ct_state=-trk,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
 894 priority=100,in_port=2,ct_state=+trk,ct_zone=0x1001,tcp,action=1
 895 priority=100,in_port=3,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),4
 896 priority=100,in_port=4,ct_state=-trk,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
 897 priority=100,in_port=4,ct_state=+trk,ct_zone=0x1001,tcp,action=3
 898 ])
 899
 900 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
 901
 902 OVS_START_L7([at_ns1], [http])
 903 OVS_START_L7([at_ns3], [http])
 904
 905 dnl HTTP requests from p0->p1 should work fine.
 906 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
 907
 908 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
 909 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=4097,protoinfo=(state=<cleared>)
 910 ])
 911
 912 dnl HTTP requests from p2->p3 should fail due to network failure.
 913 dnl Try 3 times, in 1 second intervals.
 914 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
 915
 916 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
 917 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=4098,protoinfo=(state=<cleared>)
 918 ])
 919
 920 OVS_TRAFFIC_VSWITCHD_STOP
 921 AT_CLEANUP
 922
 923 AT_SETUP([conntrack - multiple bridges])
 924 CHECK_CONNTRACK()
 925 OVS_TRAFFIC_VSWITCHD_START(
 926    [_ADD_BR([br1]) --\
 927     add-port br0 patch+ -- set int patch+ type=patch options:peer=patch- --\
 928     add-port br1 patch- -- set int patch- type=patch options:peer=patch+ --])
 929
 930 ADD_NAMESPACES(at_ns0, at_ns1)
 931
 932 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
 933 ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")
 934
 935 dnl Allow any traffic from ns0->br1, allow established in reverse.
 936 AT_DATA([flows-br0.txt], [dnl
 937 priority=1,action=drop
 938 priority=10,arp,action=normal
 939 priority=10,icmp,action=normal
 940 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(commit,zone=1),1
 941 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
 942 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=1,action=2
 943 ])
 944
 945 dnl Allow any traffic from br0->ns1, allow established in reverse.
 946 AT_DATA([flows-br1.txt], [dnl
 947 priority=1,action=drop
 948 priority=10,arp,action=normal
 949 priority=10,icmp,action=normal
 950 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=2)
 951 priority=100,in_port=1,tcp,ct_state=+trk+new,ct_zone=2,action=ct(commit,zone=2),2
 952 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=2,action=2
 953 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
 954 priority=100,in_port=2,tcp,ct_state=+trk+est,ct_zone=2,action=ct(commit,zone=2),1
 955 ])
 956
 957 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
 958 AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt])
 959
 960 dnl HTTP requests from p0->p1 should work fine.
 961 OVS_START_L7([at_ns1], [http])
 962 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
 963
 964 OVS_TRAFFIC_VSWITCHD_STOP
 965 AT_CLEANUP
 966
 967 AT_SETUP([conntrack - multiple zones])
 968 CHECK_CONNTRACK()
 969 OVS_TRAFFIC_VSWITCHD_START()
 970
 971 ADD_NAMESPACES(at_ns0, at_ns1)
 972
 973 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
 974 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
 975
 976 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
 977 AT_DATA([flows.txt], [dnl
 978 priority=1,action=drop
 979 priority=10,arp,action=normal
 980 priority=10,icmp,action=normal
 981 priority=100,in_port=1,tcp,action=ct(commit,zone=1),ct(commit,zone=2),2
 982 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=2)
 983 priority=100,in_port=2,ct_state=+trk,ct_zone=2,tcp,action=1
 984 ])
 985
 986 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
 987
 988 OVS_START_L7([at_ns1], [http])
 989
 990 dnl HTTP requests from p0->p1 should work fine.
 991 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
 992
 993 dnl (again) HTTP requests from p0->p1 should work fine.
 994 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
 995
 996 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
 997 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
 998 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
 999 ])
1000
1001 OVS_TRAFFIC_VSWITCHD_STOP
1002 AT_CLEANUP
1003
1004 AT_SETUP([conntrack - multiple namespaces, internal ports])
1005 CHECK_CONNTRACK()
1006 CHECK_CONNTRACK_LOCAL_STACK()
1007 OVS_TRAFFIC_VSWITCHD_START(
1008    [set-fail-mode br0 secure -- ])
1009
1010 ADD_NAMESPACES(at_ns0, at_ns1)
1011
1012 ADD_INT(p0, at_ns0, br0, "10.1.1.1/24")
1013 ADD_INT(p1, at_ns1, br0, "10.1.1.2/24")
1014
1015 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
1016 dnl
1017 dnl If skb->nfct is leaking from inside the namespace, this test will fail.
1018 AT_DATA([flows.txt], [dnl
1019 priority=1,action=drop
1020 priority=10,arp,action=normal
1021 priority=10,icmp,action=normal
1022 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=1),2
1023 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
1024 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
1025 ])
1026
1027 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1028
1029 OVS_START_L7([at_ns1], [http])
1030
1031 dnl HTTP requests from p0->p1 should work fine.
1032 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1033
1034 dnl (again) HTTP requests from p0->p1 should work fine.
1035 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1036
1037 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1038 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1039 ])
1040
1041 OVS_TRAFFIC_VSWITCHD_STOP(["dnl
1042 /ioctl(SIOCGIFINDEX) on .* device failed: No such device/d
1043 /removing policing failed: No such device/d"])
1044 AT_CLEANUP
1045
1046 AT_SETUP([conntrack - ct_mark])
1047 CHECK_CONNTRACK()
1048 OVS_TRAFFIC_VSWITCHD_START()
1049
1050 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1051
1052 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1053 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1054 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1055 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1056
1057 dnl Allow traffic between ns0<->ns1 using the ct_mark.
1058 dnl Check that different marks do not match for traffic between ns2<->ns3.
1059 AT_DATA([flows.txt], [dnl
1060 priority=1,action=drop
1061 priority=10,arp,action=normal
1062 priority=10,icmp,action=normal
1063 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
1064 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1065 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
1066 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:2->ct_mark)),4
1067 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
1068 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
1069 ])
1070
1071 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1072
1073 OVS_START_L7([at_ns1], [http])
1074 OVS_START_L7([at_ns3], [http])
1075
1076 dnl HTTP requests from p0->p1 should work fine.
1077 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1078 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1079 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=<cleared>)
1080 ])
1081
1082 dnl HTTP requests from p2->p3 should fail due to network failure.
1083 dnl Try 3 times, in 1 second intervals.
1084 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
1085 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
1086 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=<cleared>)
1087 ])
1088
1089 OVS_TRAFFIC_VSWITCHD_STOP
1090 AT_CLEANUP
1091
1092 AT_SETUP([conntrack - ct_mark bit-fiddling])
1093 CHECK_CONNTRACK()
1094 OVS_TRAFFIC_VSWITCHD_START()
1095
1096 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1097
1098 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1099 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1100
1101 dnl Allow traffic between ns0<->ns1 using the ct_mark. Return traffic should
1102 dnl cause an additional bit to be set in the connection (and be allowed).
1103 AT_DATA([flows.txt], [dnl
1104 table=0,priority=1,action=drop
1105 table=0,priority=10,arp,action=normal
1106 table=0,priority=10,icmp,action=normal
1107 table=0,priority=100,in_port=1,tcp,action=ct(table=1)
1108 table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x2/0x6->ct_mark))
1109 table=1,in_port=1,ct_state=+new,tcp,action=ct(commit,exec(set_field:0x5/0x5->ct_mark)),2
1110 table=1,in_port=1,ct_state=-new,tcp,action=2
1111 table=1,in_port=2,ct_state=+trk,ct_mark=3,tcp,action=1
1112 ])
1113
1114 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1115
1116 OVS_START_L7([at_ns1], [http])
1117
1118 dnl HTTP requests from p0->p1 should work fine.
1119 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1120
1121 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1122 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=3,protoinfo=(state=<cleared>)
1123 ])
1124
1125 OVS_TRAFFIC_VSWITCHD_STOP
1126 AT_CLEANUP
1127
1128 AT_SETUP([conntrack - ct_mark from register])
1129 CHECK_CONNTRACK()
1130 OVS_TRAFFIC_VSWITCHD_START()
1131
1132 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1133
1134 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1135 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1136 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1137 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1138
1139 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
1140 AT_DATA([flows.txt], [dnl
1141 priority=1,action=drop
1142 priority=10,arp,action=normal
1143 priority=10,icmp,action=normal
1144 priority=100,in_port=1,tcp,action=load:1->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),2
1145 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1146 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
1147 priority=100,in_port=3,tcp,action=load:2->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),4
1148 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
1149 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
1150 ])
1151
1152 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1153
1154 OVS_START_L7([at_ns1], [http])
1155 OVS_START_L7([at_ns3], [http])
1156
1157 dnl HTTP requests from p0->p1 should work fine.
1158 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1159 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1160 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=<cleared>)
1161 ])
1162
1163 dnl HTTP requests from p2->p3 should fail due to network failure.
1164 dnl Try 3 times, in 1 second intervals.
1165 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
1166 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
1167 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=<cleared>)
1168 ])
1169
1170 OVS_TRAFFIC_VSWITCHD_STOP
1171 AT_CLEANUP
1172
1173 AT_SETUP([conntrack - ct_label])
1174 CHECK_CONNTRACK()
1175 OVS_TRAFFIC_VSWITCHD_START()
1176
1177 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1178
1179 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1180 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1181 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1182 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1183
1184 dnl Allow traffic between ns0<->ns1 using the ct_label.
1185 dnl Check that different labels do not match for traffic between ns2<->ns3.
1186 AT_DATA([flows.txt], [dnl
1187 priority=1,action=drop
1188 priority=10,arp,action=normal
1189 priority=10,icmp,action=normal
1190 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:0x0a000d000005000001->ct_label)),2
1191 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1192 priority=100,in_port=2,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=1
1193 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:0x2->ct_label)),4
1194 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
1195 priority=100,in_port=4,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=3
1196 ])
1197
1198 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1199
1200 OVS_START_L7([at_ns1], [http])
1201 OVS_START_L7([at_ns3], [http])
1202
1203 dnl HTTP requests from p0->p1 should work fine.
1204 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1205
1206 dnl HTTP requests from p2->p3 should fail due to network failure.
1207 dnl Try 3 times, in 1 second intervals.
1208 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
1209
1210 OVS_TRAFFIC_VSWITCHD_STOP
1211 AT_CLEANUP
1212
1213 AT_SETUP([conntrack - ct_label bit-fiddling])
1214 CHECK_CONNTRACK()
1215 OVS_TRAFFIC_VSWITCHD_START()
1216
1217 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1218
1219 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1220 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1221
1222 dnl Allow traffic between ns0<->ns1 using the ct_labels. Return traffic should
1223 dnl cause an additional bit to be set in the connection labels (and be allowed)
1224 AT_DATA([flows.txt], [dnl
1225 table=0,priority=1,action=drop
1226 table=0,priority=10,arp,action=normal
1227 table=0,priority=10,icmp,action=normal
1228 table=0,priority=100,in_port=1,tcp,action=ct(table=1)
1229 table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label))
1230 table=1,in_port=1,tcp,ct_state=+new,action=ct(commit,exec(set_field:0x5/0x5->ct_label)),2
1231 table=1,in_port=1,tcp,ct_state=-new,action=2
1232 table=1,in_port=2,ct_state=+trk,ct_label=0x200000001,tcp,action=1
1233 ])
1234
1235 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1236
1237 OVS_START_L7([at_ns1], [http])
1238
1239 dnl HTTP requests from p0->p1 should work fine.
1240 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1241
1242 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1243 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),labels=0x200000001,protoinfo=(state=<cleared>)
1244 ])
1245
1246 OVS_TRAFFIC_VSWITCHD_STOP
1247 AT_CLEANUP
1248
1249 AT_SETUP([conntrack - ct metadata, multiple zones])
1250 CHECK_CONNTRACK()
1251 OVS_TRAFFIC_VSWITCHD_START()
1252
1253 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1254
1255 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1256 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1257
1258 dnl Allow traffic between ns0<->ns1 using the ct_mark and ct_labels in zone=1,
1259 dnl but do *not* set any of these for the ct() in zone=2. Traffic should pass,
1260 dnl and we should see that the conntrack entries only apply the ct_mark and
1261 dnl ct_labels to the connection in zone=1.
1262 AT_DATA([flows.txt], [dnl
1263 table=0,priority=1,action=drop
1264 table=0,priority=10,arp,action=normal
1265 table=0,priority=10,icmp,action=normal
1266 table=0,priority=100,in_port=1,tcp,action=ct(zone=1,table=1)
1267 table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(zone=1,table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label,set_field:0x2/0x6->ct_mark))
1268 table=1,in_port=1,tcp,ct_state=+new,action=ct(zone=1,commit,exec(set_field:0x5/0x5->ct_label,set_field:0x5/0x5->ct_mark)),ct(commit,zone=2),2
1269 table=1,in_port=1,tcp,ct_state=-new,action=ct(zone=2),2
1270 table=1,in_port=2,tcp,action=ct(zone=2),1
1271 ])
1272
1273 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1274
1275 OVS_START_L7([at_ns1], [http])
1276
1277 dnl HTTP requests from p0->p1 should work fine.
1278 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1279
1280 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1281 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,mark=3,labels=0x200000001,protoinfo=(state=<cleared>)
1282 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
1283 ])
1284
1285 OVS_TRAFFIC_VSWITCHD_STOP
1286 AT_CLEANUP
1287
1288 AT_SETUP([conntrack - ICMP related])
1289 AT_SKIP_IF([test $HAVE_NC = no])
1290 CHECK_CONNTRACK()
1291 OVS_TRAFFIC_VSWITCHD_START()
1292
1293 ADD_NAMESPACES(at_ns0, at_ns1)
1294
1295 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1296 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1297
1298 dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
1299 AT_DATA([flows.txt], [dnl
1300 priority=1,action=drop
1301 priority=10,arp,action=normal
1302 priority=100,in_port=1,udp,action=ct(commit,exec(set_field:1->ct_mark)),2
1303 priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
1304 priority=100,in_port=2,icmp,ct_state=+trk+rel,ct_mark=1,action=1
1305 ])
1306
1307 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1308
1309 dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
1310 NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])
1311
1312 AT_CHECK([ovs-appctl revalidator/purge], [0])
1313 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
1314  n_packets=1, n_bytes=44, priority=100,udp,in_port=1 actions=ct(commit,exec(load:0x1->NXM_NX_CT_MARK[[]])),output:2
1315  n_packets=1, n_bytes=72, priority=100,ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2 actions=output:1
1316  n_packets=1, n_bytes=72, priority=100,ct_state=-trk,icmp,in_port=2 actions=ct(table=0)
1317  n_packets=2, n_bytes=84, priority=10,arp actions=NORMAL
1318 NXST_FLOW reply:
1319 ])
1320
1321 OVS_TRAFFIC_VSWITCHD_STOP
1322 AT_CLEANUP
1323
1324 AT_SETUP([conntrack - ICMP related 2])
1325 CHECK_CONNTRACK()
1326 OVS_TRAFFIC_VSWITCHD_START()
1327
1328 ADD_NAMESPACES(at_ns0, at_ns1)
1329
1330 ADD_VETH(p0, at_ns0, br0, "172.16.0.1/24")
1331 ADD_VETH(p1, at_ns1, br0, "172.16.0.2/24")
1332
1333 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
1334 AT_DATA([flows.txt], [dnl
1335 table=0,ip,action=ct(commit,table=1)
1336 table=1,ip,action=controller
1337 ])
1338
1339 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt])
1340
1341 AT_CAPTURE_FILE([ofctl_monitor.log])
1342 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
1343
1344 dnl 1. Send an ICMP port unreach reply for port 8738, without any previous request
1345 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f351ac100004ac1000030303da490000000045000021317040004011b138ac100003ac10000411112222000d20966369616f0a'])
1346
1347 dnl 2. Send and UDP packet to port 5555
1348 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 resubmit\(,0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
1349
1350 dnl 3. Send an ICMP port unreach reply for port 5555, related to the first packet
1351 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
1352
1353 dnl Check this output. We only see the latter two packets, not the first.
1354 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
1355 NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=75 ct_state=inv|trk,in_port=2 (via action) data_len=75 (unbuffered)
1356 icmp,vlan_tci=0x0000,dl_src=c6:f5:4e:cb:72:db,dl_dst=f6:4c:47:35:28:c9,nw_src=172.16.0.4,nw_dst=172.16.0.3,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:da49
1357 NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=47 ct_state=new|trk,ct_nw_src=172.16.0.1,ct_nw_dst=172.16.0.2,ct_nw_proto=17,ct_tp_src=41614,ct_tp_dst=5555,in_port=1 (via action) data_len=47 (unbuffered)
1358 udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096
1359 NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=75 ct_state=rel|rpl|trk,ct_nw_src=172.16.0.1,ct_nw_dst=172.16.0.2,ct_nw_proto=17,ct_tp_src=41614,ct_tp_dst=5555,in_port=2 (via action) data_len=75 (unbuffered)
1360 icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f
1361 ])
1362
1363 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(172.16.0.1)], [0], [dnl
1364 udp,orig=(src=172.16.0.1,dst=172.16.0.2,sport=<cleared>,dport=<cleared>),reply=(src=172.16.0.2,dst=172.16.0.1,sport=<cleared>,dport=<cleared>)
1365 ])
1366
1367 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(172.16.0.3)], [0], [dnl
1368 ])
1369
1370 OVS_TRAFFIC_VSWITCHD_STOP
1371 AT_CLEANUP
1372
1373 AT_SETUP([conntrack - IPv4 fragmentation])
1374 CHECK_CONNTRACK()
1375 CHECK_CONNTRACK_FRAG()
1376 OVS_TRAFFIC_VSWITCHD_START()
1377
1378 ADD_NAMESPACES(at_ns0, at_ns1)
1379
1380 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1381 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1382
1383 dnl Sending ping through conntrack
1384 AT_DATA([flows.txt], [dnl
1385 priority=1,action=drop
1386 priority=10,arp,action=normal
1387 priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
1388 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1389 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1390 ])
1391
1392 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1393
1394 dnl Ipv4 fragmentation connectivity check.
1395 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1396 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1397 ])
1398
1399 dnl Ipv4 larger fragmentation connectivity check.
1400 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1401 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1402 ])
1403
1404 OVS_TRAFFIC_VSWITCHD_STOP
1405 AT_CLEANUP
1406
1407 AT_SETUP([conntrack - IPv4 fragmentation expiry])
1408 CHECK_CONNTRACK()
1409 CHECK_CONNTRACK_FRAG()
1410 OVS_TRAFFIC_VSWITCHD_START()
1411
1412 ADD_NAMESPACES(at_ns0, at_ns1)
1413
1414 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1415 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1416
1417 AT_DATA([flows.txt], [dnl
1418 priority=1,action=drop
1419 priority=10,arp,action=normal
1420
1421 dnl Only allow non-fragmented messages and 1st fragments of each message
1422 priority=100,in_port=1,icmp,ip_frag=no,action=ct(commit,zone=9),2
1423 priority=100,in_port=1,icmp,ip_frag=firstaction=ct(commit,zone=9),2
1424 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1425 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1426 ])
1427
1428 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1429
1430 dnl Ipv4 fragmentation connectivity check.
1431 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 1 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1432 7 packets transmitted, 0 received, 100% packet loss, time 0ms
1433 ])
1434
1435 OVS_TRAFFIC_VSWITCHD_STOP
1436 AT_CLEANUP
1437
1438 AT_SETUP([conntrack - IPv4 fragmentation + vlan])
1439 CHECK_CONNTRACK()
1440 CHECK_CONNTRACK_FRAG()
1441 OVS_TRAFFIC_VSWITCHD_START()
1442
1443 ADD_NAMESPACES(at_ns0, at_ns1)
1444
1445 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1446 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1447 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
1448 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
1449
1450 dnl Sending ping through conntrack
1451 AT_DATA([flows.txt], [dnl
1452 priority=1,action=drop
1453 priority=10,arp,action=normal
1454 priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
1455 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1456 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1457 ])
1458
1459 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1460
1461 dnl Ipv4 fragmentation connectivity check.
1462 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1463 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1464 ])
1465
1466 dnl Ipv4 larger fragmentation connectivity check.
1467 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1468 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1469 ])
1470
1471 OVS_TRAFFIC_VSWITCHD_STOP
1472 AT_CLEANUP
1473
1474 AT_SETUP([conntrack - IPv6 fragmentation])
1475 CHECK_CONNTRACK()
1476 CHECK_CONNTRACK_FRAG()
1477 OVS_TRAFFIC_VSWITCHD_START()
1478
1479 ADD_NAMESPACES(at_ns0, at_ns1)
1480
1481 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1482 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1483
1484 dnl Sending ping through conntrack
1485 AT_DATA([flows.txt], [dnl
1486 priority=1,action=drop
1487 priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
1488 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1489 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
1490 priority=100,icmp6,icmp_type=135,action=normal
1491 priority=100,icmp6,icmp_type=136,action=normal
1492 ])
1493
1494 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1495
1496 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1497 dnl waiting, we get occasional failures due to the following error:
1498 dnl "connect: Cannot assign requested address"
1499 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1500
1501 dnl Ipv6 fragmentation connectivity check.
1502 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1503 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1504 ])
1505
1506 dnl Ipv6 larger fragmentation connectivity check.
1507 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1508 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1509 ])
1510
1511 OVS_TRAFFIC_VSWITCHD_STOP
1512 AT_CLEANUP
1513
1514 AT_SETUP([conntrack - IPv6 fragmentation expiry])
1515 CHECK_CONNTRACK()
1516 CHECK_CONNTRACK_FRAG()
1517 OVS_TRAFFIC_VSWITCHD_START()
1518
1519 ADD_NAMESPACES(at_ns0, at_ns1)
1520
1521 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1522 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1523
1524 AT_DATA([flows.txt], [dnl
1525 priority=1,action=drop
1526
1527 dnl Only allow non-fragmented messages and 1st fragments of each message
1528 priority=10,in_port=1,ipv6,ip_frag=first,action=ct(commit,zone=9),2
1529 priority=10,in_port=1,ipv6,ip_frag=no,action=ct(commit,zone=9),2
1530 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1531 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
1532
1533 dnl Neighbour Discovery
1534 priority=100,icmp6,icmp_type=135,action=normal
1535 priority=100,icmp6,icmp_type=136,action=normal
1536 ])
1537
1538 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1539
1540 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1541 dnl waiting, we get occasional failures due to the following error:
1542 dnl "connect: Cannot assign requested address"
1543 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1544
1545 dnl Send an IPv6 fragment. Some time later, it should expire.
1546 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 1 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1547 7 packets transmitted, 0 received, 100% packet loss, time 0ms
1548 ])
1549
1550 dnl At this point, the kernel will either crash or everything is OK.
1551
1552 OVS_TRAFFIC_VSWITCHD_STOP
1553 AT_CLEANUP
1554
1555 AT_SETUP([conntrack - IPv6 fragmentation + vlan])
1556 CHECK_CONNTRACK()
1557 CHECK_CONNTRACK_FRAG()
1558 OVS_TRAFFIC_VSWITCHD_START()
1559
1560 ADD_NAMESPACES(at_ns0, at_ns1)
1561
1562 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1563 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1564
1565 ADD_VLAN(p0, at_ns0, 100, "fc00:1::3/96")
1566 ADD_VLAN(p1, at_ns1, 100, "fc00:1::4/96")
1567
1568 dnl Sending ping through conntrack
1569 AT_DATA([flows.txt], [dnl
1570 priority=1,action=drop
1571 priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
1572 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1573 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
1574 priority=100,icmp6,icmp_type=135,action=normal
1575 priority=100,icmp6,icmp_type=136,action=normal
1576 ])
1577
1578 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1579
1580 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1581 dnl waiting, we get occasional failures due to the following error:
1582 dnl "connect: Cannot assign requested address"
1583 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1584
1585 dnl Ipv4 fragmentation connectivity check.
1586 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1587 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1588 ])
1589
1590 dnl Ipv4 larger fragmentation connectivity check.
1591 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1592 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1593 ])
1594
1595 OVS_TRAFFIC_VSWITCHD_STOP
1596 AT_CLEANUP
1597
1598 AT_SETUP([conntrack - Fragmentation over vxlan])
1599 OVS_CHECK_VXLAN()
1600 CHECK_CONNTRACK()
1601 CHECK_CONNTRACK_FRAG()
1602
1603 OVS_TRAFFIC_VSWITCHD_START()
1604 ADD_BR([br-underlay])
1605 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
1606
1607 ADD_NAMESPACES(at_ns0)
1608
1609 dnl Sending ping through conntrack
1610 AT_DATA([flows.txt], [dnl
1611 priority=1,action=drop
1612 priority=10,arp,action=normal
1613 priority=100,in_port=1,icmp,action=ct(commit,zone=9),LOCAL
1614 priority=100,in_port=LOCAL,icmp,action=ct(table=1,zone=9)
1615 table=1,in_port=LOCAL,ct_state=+trk+est,icmp,action=1
1616 ])
1617
1618 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1619
1620 dnl Set up underlay link from host into the namespace using veth pair.
1621 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
1622 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
1623 AT_CHECK([ip link set dev br-underlay up])
1624
1625 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
1626 dnl linux device inside the namespace.
1627 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
1628 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
1629                   [id 0 dstport 4789])
1630
1631 dnl First, check the underlay
1632 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
1633 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1634 ])
1635
1636 dnl Okay, now check the overlay with different packet sizes
1637 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1638 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1639 ])
1640 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1641 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1642 ])
1643 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1644 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1645 ])
1646
1647 OVS_TRAFFIC_VSWITCHD_STOP
1648 AT_CLEANUP
1649
1650 AT_SETUP([conntrack - IPv6 Fragmentation over vxlan])
1651 OVS_CHECK_VXLAN()
1652 CHECK_CONNTRACK()
1653 CHECK_CONNTRACK_FRAG()
1654
1655 OVS_TRAFFIC_VSWITCHD_START()
1656 ADD_BR([br-underlay])
1657 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
1658
1659 ADD_NAMESPACES(at_ns0)
1660
1661 dnl Sending ping through conntrack
1662 AT_DATA([flows.txt], [dnl
1663 priority=1,action=drop
1664 priority=100,in_port=1,ipv6,action=ct(commit,zone=9),LOCAL
1665 priority=100,in_port=LOCAL,ipv6,action=ct(table=1,zone=9)
1666 table=1,in_port=LOCAL,ct_state=+trk+est,ipv6,action=1
1667
1668 dnl Neighbour Discovery
1669 priority=1000,icmp6,icmp_type=135,action=normal
1670 priority=1000,icmp6,icmp_type=136,action=normal
1671 ])
1672
1673 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1674
1675 dnl Set up underlay link from host into the namespace using veth pair.
1676 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
1677 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
1678 AT_CHECK([ip link set dev br-underlay up])
1679
1680 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
1681 dnl linux device inside the namespace.
1682 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], ["fc00::2/96"])
1683 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], ["fc00::1/96"],
1684                   [id 0 dstport 4789])
1685
1686 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1687 dnl waiting, we get occasional failures due to the following error:
1688 dnl "connect: Cannot assign requested address"
1689 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1690
1691 dnl First, check the underlay
1692 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
1693 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1694 ])
1695
1696 dnl Okay, now check the overlay with different packet sizes
1697 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1698 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1699 ])
1700 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1701 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1702 ])
1703 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1704 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1705 ])
1706
1707 OVS_TRAFFIC_VSWITCHD_STOP
1708 AT_CLEANUP
1709
1710 AT_SETUP([conntrack - resubmit to ct multiple times])
1711 CHECK_CONNTRACK()
1712
1713 OVS_TRAFFIC_VSWITCHD_START(
1714    [set-fail-mode br0 secure -- ])
1715
1716 ADD_NAMESPACES(at_ns0, at_ns1)
1717
1718 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1719 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1720
1721 AT_DATA([flows.txt], [dnl
1722 table=0,priority=150,arp,action=normal
1723 table=0,priority=100,ip,in_port=1,action=resubmit(,1),resubmit(,2)
1724
1725 table=1,ip,action=ct(table=3)
1726 table=2,ip,action=ct(table=3)
1727
1728 table=3,ip,action=drop
1729 ])
1730
1731 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1732
1733 NS_CHECK_EXEC([at_ns0], [ping -q -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
1734 1 packets transmitted, 0 received, 100% packet loss, time 0ms
1735 ])
1736
1737 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort], [0], [dnl
1738  n_packets=1, n_bytes=98, priority=100,ip,in_port=1 actions=resubmit(,1),resubmit(,2)
1739  n_packets=2, n_bytes=84, priority=150,arp actions=NORMAL
1740  table=1, n_packets=1, n_bytes=98, ip actions=ct(table=3)
1741  table=2, n_packets=1, n_bytes=98, ip actions=ct(table=3)
1742  table=3, n_packets=2, n_bytes=196, ip actions=drop
1743 NXST_FLOW reply:
1744 ])
1745
1746 OVS_TRAFFIC_VSWITCHD_STOP
1747 AT_CLEANUP
1748
1749 AT_BANNER([conntrack - L7])
1750
1751 AT_SETUP([conntrack - IPv4 HTTP])
1752 CHECK_CONNTRACK()
1753 OVS_TRAFFIC_VSWITCHD_START()
1754
1755 ADD_NAMESPACES(at_ns0, at_ns1)
1756
1757 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1758 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1759
1760 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
1761 AT_DATA([flows.txt], [dnl
1762 priority=1,action=drop
1763 priority=10,arp,action=normal
1764 priority=10,icmp,action=normal
1765 priority=100,in_port=1,tcp,action=ct(commit),2
1766 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1767 priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
1768 ])
1769
1770 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1771
1772 OVS_START_L7([at_ns0], [http])
1773 OVS_START_L7([at_ns1], [http])
1774
1775 dnl HTTP requests from ns0->ns1 should work fine.
1776 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1777 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1778 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
1779 ])
1780
1781 dnl HTTP requests from ns1->ns0 should fail due to network failure.
1782 dnl Try 3 times, in 1 second intervals.
1783 NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 --retry-connrefused -v -o wget1.log], [4])
1784
1785 OVS_TRAFFIC_VSWITCHD_STOP
1786 AT_CLEANUP
1787
1788 AT_SETUP([conntrack - IPv6 HTTP])
1789 CHECK_CONNTRACK()
1790 OVS_TRAFFIC_VSWITCHD_START()
1791
1792 ADD_NAMESPACES(at_ns0, at_ns1)
1793
1794 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1795 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1796
1797 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
1798 AT_DATA([flows.txt], [dnl
1799 priority=1,action=drop
1800 priority=10,icmp6,action=normal
1801 priority=100,in_port=1,tcp6,action=ct(commit),2
1802 priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
1803 priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
1804 ])
1805
1806 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1807
1808 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1809 dnl waiting, we get occasional failures due to the following error:
1810 dnl "connect: Cannot assign requested address"
1811 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1812
1813 OVS_START_L7([at_ns0], [http6])
1814 OVS_START_L7([at_ns1], [http6])
1815
1816 dnl HTTP requests from ns0->ns1 should work fine.
1817 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1818 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
1819 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
1820 ])
1821
1822 dnl HTTP requests from ns1->ns0 should fail due to network failure.
1823 dnl Try 3 times, in 1 second intervals.
1824 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 --retry-connrefused -v -o wget1.log], [4])
1825
1826 OVS_TRAFFIC_VSWITCHD_STOP
1827 AT_CLEANUP
1828
1829 AT_SETUP([conntrack - commit, recirc])
1830 CHECK_CONNTRACK()
1831 OVS_TRAFFIC_VSWITCHD_START()
1832
1833 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1834
1835 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1836 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1837 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1838 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1839
1840 dnl Allow any traffic from ns0->ns1, ns2->ns3.
1841 AT_DATA([flows.txt], [dnl
1842 priority=1,action=drop
1843 priority=10,arp,action=normal
1844 priority=10,icmp,action=normal
1845 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
1846 priority=100,in_port=1,tcp,ct_state=+trk,action=2
1847 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
1848 priority=100,in_port=2,tcp,ct_state=+trk,action=1
1849 priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
1850 priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
1851 priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
1852 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
1853 priority=100,in_port=4,tcp,ct_state=+trk,action=3
1854 ])
1855
1856 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1857
1858 OVS_START_L7([at_ns1], [http])
1859 OVS_START_L7([at_ns3], [http])
1860
1861 dnl HTTP requests from p0->p1 should work fine.
1862 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1863
1864 dnl HTTP requests from p2->p3 should work fine.
1865 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
1866
1867 OVS_TRAFFIC_VSWITCHD_STOP
1868 AT_CLEANUP
1869
1870 AT_SETUP([conntrack - multiple zones, local])
1871 CHECK_CONNTRACK()
1872 CHECK_CONNTRACK_LOCAL_STACK()
1873 OVS_TRAFFIC_VSWITCHD_START()
1874
1875 ADD_NAMESPACES(at_ns0)
1876
1877 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
1878 AT_CHECK([ip link set dev br0 up])
1879 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
1880 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
1881
1882 dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
1883 dnl return traffic from ns0 back to the local stack.
1884 AT_DATA([flows.txt], [dnl
1885 priority=1,action=drop
1886 priority=10,arp,action=normal
1887 priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
1888 priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
1889 priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
1890 priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
1891 table=1,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
1892 table=2,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
1893 ])
1894
1895 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1896
1897 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1898 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1899 ])
1900
1901 OVS_START_L7([at_ns0], [http])
1902
1903 dnl HTTP requests from root namespace to p0 should work fine.
1904 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1905
1906 dnl (again) HTTP requests from root namespace to  p0 should work fine.
1907 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1908
1909 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
1910 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=1
1911 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=2
1912 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1913 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
1914 ])
1915
1916 OVS_TRAFFIC_VSWITCHD_STOP
1917 AT_CLEANUP
1918
1919 AT_SETUP([conntrack - multi-stage pipeline, local])
1920 CHECK_CONNTRACK()
1921 CHECK_CONNTRACK_LOCAL_STACK()
1922 OVS_TRAFFIC_VSWITCHD_START()
1923
1924 ADD_NAMESPACES(at_ns0)
1925
1926 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
1927 AT_CHECK([ip link set dev br0 up])
1928 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
1929 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
1930
1931 dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
1932 dnl return traffic from ns0 back to the local stack.
1933 AT_DATA([flows.txt], [dnl
1934 dnl default
1935 table=0,priority=1,action=drop
1936 table=0,priority=10,arp,action=normal
1937
1938 dnl Load the output port to REG0
1939 table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
1940 table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1
1941
1942 dnl Ingress pipeline
1943 dnl - Allow all connections from LOCAL port (commit and proceed to egress)
1944 dnl - All other connections go through conntracker using the input port as
1945 dnl   a connection tracking zone.
1946 table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2
1947 table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
1948 table=1,priority=1,action=drop
1949
1950 dnl Egress pipeline
1951 dnl - Allow all connections from LOCAL port (commit and skip to output)
1952 dnl - Allow other established connections to go through conntracker using
1953 dnl   output port as a connection tracking zone.
1954 table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4
1955 table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
1956 table=2,priority=1,action=drop
1957
1958 dnl Only allow established traffic from egress ct lookup
1959 table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
1960 table=3,priority=1,action=drop
1961
1962 dnl output table
1963 table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
1964 ])
1965
1966 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1967
1968 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1969 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1970 ])
1971
1972 OVS_START_L7([at_ns0], [http])
1973
1974 dnl HTTP requests from root namespace to p0 should work fine.
1975 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1976
1977 dnl (again) HTTP requests from root namespace to p0 should work fine.
1978 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1979
1980 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
1981 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=1
1982 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=65534
1983 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1984 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=65534,protoinfo=(state=<cleared>)
1985 ])
1986
1987 OVS_TRAFFIC_VSWITCHD_STOP
1988 AT_CLEANUP
1989
1990 AT_SETUP([conntrack - FTP])
1991 AT_SKIP_IF([test $HAVE_FTP = no])
1992 CHECK_CONNTRACK()
1993 CHECK_CONNTRACK_ALG()
1994 OVS_TRAFFIC_VSWITCHD_START()
1995
1996 ADD_NAMESPACES(at_ns0, at_ns1)
1997
1998 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1999 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2000
2001 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
2002 AT_DATA([flows1.txt], [dnl
2003 table=0,priority=1,action=drop
2004 table=0,priority=10,arp,action=normal
2005 table=0,priority=10,icmp,action=normal
2006 table=0,priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
2007 table=0,priority=100,in_port=2,tcp,action=ct(table=1)
2008 table=1,in_port=2,tcp,ct_state=+trk+est,action=1
2009 table=1,in_port=2,tcp,ct_state=+trk+rel,action=1
2010 ])
2011
2012 dnl Similar policy but without allowing all traffic from ns0->ns1.
2013 AT_DATA([flows2.txt], [dnl
2014 table=0,priority=1,action=drop
2015 table=0,priority=10,arp,action=normal
2016 table=0,priority=10,icmp,action=normal
2017
2018 dnl Allow outgoing TCP connections, and treat them as FTP
2019 table=0,priority=100,in_port=1,tcp,action=ct(table=1)
2020 table=1,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
2021 table=1,in_port=1,tcp,ct_state=+trk+est,action=2
2022
2023 dnl Allow incoming FTP data connections and responses to existing connections
2024 table=0,priority=100,in_port=2,tcp,action=ct(table=1)
2025 table=1,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
2026 table=1,in_port=2,tcp,ct_state=+trk+est,action=1
2027 table=1,in_port=2,tcp,ct_state=+trk-new+rel,action=1
2028 ])
2029
2030 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
2031
2032 OVS_START_L7([at_ns0], [ftp])
2033 OVS_START_L7([at_ns1], [ftp])
2034
2035 dnl FTP requests from p1->p0 should fail due to network failure.
2036 dnl Try 3 times, in 1 second intervals.
2037 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp  -t 3 -T 1 -v -o wget1.log], [4])
2038 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
2039 ])
2040
2041 dnl FTP requests from p0->p1 should work fine.
2042 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2043 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2044 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
2045 ])
2046
2047 dnl Try the second set of flows.
2048 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
2049 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
2050
2051 dnl FTP requests from p1->p0 should fail due to network failure.
2052 dnl Try 3 times, in 1 second intervals.
2053 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp  -t 3 -T 1 -v -o wget1.log], [4])
2054 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
2055 ])
2056
2057 dnl Active FTP requests from p0->p1 should work fine.
2058 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log])
2059 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2060 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
2061 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2062 ])
2063
2064 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
2065
2066 dnl Passive FTP requests from p0->p1 should work fine.
2067 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log])
2068 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2069 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
2070 ])
2071
2072 OVS_TRAFFIC_VSWITCHD_STOP
2073 AT_CLEANUP
2074
2075 AT_SETUP([conntrack - FTP over IPv6])
2076 AT_SKIP_IF([test $HAVE_FTP = no])
2077 CHECK_CONNTRACK()
2078 CHECK_CONNTRACK_ALG()
2079 OVS_TRAFFIC_VSWITCHD_START()
2080
2081 ADD_NAMESPACES(at_ns0, at_ns1)
2082
2083 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
2084 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
2085
2086 dnl Allow any traffic from ns0->ns1.
2087 dnl Only allow nd, return traffic from ns1->ns0.
2088 AT_DATA([flows.txt], [dnl
2089 dnl Track all IPv6 traffic and drop the rest.
2090 dnl Allow ICMPv6 both ways.  No commit, so pings will not be tracked.
2091 table=0 priority=100 in_port=1 icmp6, action=2
2092 table=0 priority=100 in_port=2 icmp6, action=1
2093 table=0 priority=10 ip6, action=ct(table=1)
2094 table=0 priority=0 action=drop
2095 dnl
2096 dnl Table 1
2097 dnl
2098 dnl Allow new TCPv6 FTP control connections from port 1.
2099 table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
2100 dnl Allow related TCPv6 connections from port 2.
2101 table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1
2102 dnl Allow established TCPv6 connections both ways.
2103 table=1 in_port=1 ct_state=+est, tcp6, action=2
2104 table=1 in_port=2 ct_state=+est, tcp6, action=1
2105 dnl Drop everything else.
2106 table=1 priority=0, action=drop
2107 ])
2108
2109 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2110
2111 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
2112 dnl waiting, we get occasional failures due to the following error:
2113 dnl "connect: Cannot assign requested address"
2114 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
2115
2116 OVS_START_L7([at_ns1], [ftp])
2117
2118 dnl FTP requests from p0->p1 should work fine.
2119 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
2120
2121 dnl Discards CLOSE_WAIT and CLOSING
2122 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
2123 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
2124 tcp,orig=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2125 ])
2126
2127 OVS_TRAFFIC_VSWITCHD_STOP
2128 AT_CLEANUP
2129
2130 AT_SETUP([conntrack - FTP with multiple expectations])
2131 AT_SKIP_IF([test $HAVE_FTP = no])
2132 CHECK_CONNTRACK()
2133 CHECK_CONNTRACK_ALG()
2134 OVS_TRAFFIC_VSWITCHD_START()
2135
2136 ADD_NAMESPACES(at_ns0, at_ns1)
2137
2138 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2139 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2140
2141 dnl Dual-firewall, allow all from ns1->ns2, allow established and ftp ns2->ns1.
2142 AT_DATA([flows.txt], [dnl
2143 table=0,priority=1,action=drop
2144 table=0,priority=10,arp,action=normal
2145 table=0,priority=10,icmp,action=normal
2146
2147 dnl Traffic from ns1
2148 table=0,priority=100,in_port=1,tcp,action=ct(table=1,zone=1)
2149 table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new-rel,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
2150 table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new+rel,action=ct(commit,zone=1),ct(commit,zone=2),2
2151 table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=2,zone=2)
2152 table=2,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
2153
2154 dnl Traffic from ns2
2155 table=0,priority=100,in_port=2,tcp,action=ct(table=1,zone=2)
2156 table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
2157 table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=2,zone=1)
2158 table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
2159 table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
2160 ])
2161
2162 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2163
2164 OVS_START_L7([at_ns0], [ftp])
2165 OVS_START_L7([at_ns1], [ftp])
2166
2167 dnl FTP requests from p1->p0 should fail due to network failure.
2168 dnl Try 3 times, in 1 second intervals.
2169 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp  -t 3 -T 1 -v -o wget1.log], [4])
2170 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
2171 ])
2172
2173 dnl Active FTP requests from p0->p1 should work fine.
2174 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2175 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2176 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
2177 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
2178 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2179 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
2180 ])
2181
2182 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
2183
2184 dnl Passive FTP requests from p0->p1 should work fine.
2185 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2186 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2187 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2188 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
2189 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
2190 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
2191 ])
2192
2193 OVS_TRAFFIC_VSWITCHD_STOP
2194 AT_CLEANUP
2195
2196 AT_SETUP([conntrack - TFTP])
2197 AT_SKIP_IF([test $HAVE_TFTP = no])
2198 CHECK_CONNTRACK()
2199 CHECK_CONNTRACK_ALG()
2200 OVS_TRAFFIC_VSWITCHD_START()
2201
2202 ADD_NAMESPACES(at_ns0, at_ns1)
2203
2204 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2205 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2206
2207 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
2208 AT_DATA([flows1.txt], [dnl
2209 table=0,priority=1,action=drop
2210 table=0,priority=10,arp,action=normal
2211 table=0,priority=10,icmp,action=normal
2212 table=0,priority=100,in_port=1,udp,action=ct(alg=tftp,commit),2
2213 table=0,priority=100,in_port=2,udp,action=ct(table=1)
2214 table=1,in_port=2,udp,ct_state=+trk+est,action=1
2215 table=1,in_port=2,udp,ct_state=+trk+rel,action=1
2216 ])
2217
2218 dnl Similar policy but without allowing all traffic from ns0->ns1.
2219 AT_DATA([flows2.txt], [dnl
2220 table=0,priority=1,action=drop
2221 table=0,priority=10,arp,action=normal
2222 table=0,priority=10,icmp,action=normal
2223
2224 dnl Allow outgoing UDP connections, and treat them as TFTP
2225 table=0,priority=100,in_port=1,udp,action=ct(table=1)
2226 table=1,in_port=1,udp,ct_state=+trk+new-rel,action=ct(commit,alg=tftp),2
2227 table=1,in_port=1,udp,ct_state=+trk+new+rel,action=ct(commit),2
2228 table=1,in_port=1,udp,ct_state=+trk+est,action=2
2229
2230 dnl Allow incoming TFTP data connections and responses to existing connections
2231 table=0,priority=100,in_port=2,udp,action=ct(table=1)
2232 table=1,in_port=2,udp,ct_state=+trk+est,action=1
2233 table=1,in_port=2,udp,ct_state=+trk+new+rel,action=1
2234 ])
2235
2236 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
2237
2238 OVS_START_L7([at_ns0], [tftp])
2239 OVS_START_L7([at_ns1], [tftp])
2240
2241 dnl TFTP requests from p1->p0 should fail due to network failure.
2242 NS_CHECK_EXEC([at_ns1], [[curl $CURL_OPT tftp://10.1.1.1/flows1.txt -o foo 2>curl0.log]], [28])
2243 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
2244 ])
2245
2246 dnl TFTP requests from p0->p1 should work fine.
2247 NS_CHECK_EXEC([at_ns0], [[curl $CURL_OPT tftp://10.1.1.2/flows1.txt -o foo 2>curl1.log]])
2248 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2249 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),helper=tftp
2250 ])
2251
2252 dnl Try the second set of flows.
2253 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
2254 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
2255
2256 dnl TFTP requests from p1->p0 should fail due to network failure.
2257 NS_CHECK_EXEC([at_ns1], [[curl $CURL_OPT tftp://10.1.1.1/flows1.txt -o foo 2>curl2.log]], [28])
2258 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
2259 ])
2260
2261 dnl TFTP requests from p0->p1 should work fine.
2262 NS_CHECK_EXEC([at_ns0], [[curl $CURL_OPT tftp://10.1.1.2/flows1.txt -o foo 2>curl3.log]])
2263 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2264 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),helper=tftp
2265 ])
2266
2267 OVS_TRAFFIC_VSWITCHD_STOP
2268 AT_CLEANUP
2269
2270 AT_BANNER([conntrack - NAT])
2271
2272 AT_SETUP([conntrack - simple SNAT])
2273 CHECK_CONNTRACK()
2274 CHECK_CONNTRACK_NAT()
2275 OVS_TRAFFIC_VSWITCHD_START()
2276
2277 ADD_NAMESPACES(at_ns0, at_ns1)
2278
2279 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2280 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2281 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2282
2283 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
2284 AT_DATA([flows.txt], [dnl
2285 in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
2286 in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)
2287 in_port=2,ct_state=+trk,ct_zone=1,ip,action=1
2288 dnl
2289 dnl ARP
2290 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2291 priority=10 arp action=normal
2292 priority=0,action=drop
2293 dnl
2294 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2295 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2296 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2297 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2298 dnl TPA IP in reg2.
2299 dnl Swaps the fields of the ARP message to turn a query to a response.
2300 table=10 priority=100 arp xreg0=0 action=normal
2301 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2302 table=10 priority=0 action=drop
2303 ])
2304
2305 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2306
2307 dnl HTTP requests from p0->p1 should work fine.
2308 OVS_START_L7([at_ns1], [http])
2309 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
2310
2311 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
2312 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2313 ])
2314
2315 OVS_TRAFFIC_VSWITCHD_STOP
2316 AT_CLEANUP
2317
2318 AT_SETUP([conntrack - SNAT with ct_mark change on reply])
2319 CHECK_CONNTRACK()
2320 CHECK_CONNTRACK_NAT()
2321 OVS_TRAFFIC_VSWITCHD_START()
2322
2323 ADD_NAMESPACES(at_ns0, at_ns1)
2324
2325 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2326 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2327 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2328
2329 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
2330 AT_DATA([flows.txt], [dnl
2331 in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
2332 in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)
2333 dnl
2334 dnl Setting the mark fails if the datapath can't find the existing conntrack
2335 dnl entry after NAT has been reversed and the skb was lost due to an upcall.
2336 dnl
2337 in_port=2,ct_state=+trk,ct_zone=1,ip,action=ct(table=1,commit,zone=1,exec(set_field:1->ct_mark)),1
2338 table=1,in_port=2,ct_mark=1,ct_state=+rpl,ct_zone=1,ip,action=1
2339 dnl
2340 dnl ARP
2341 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2342 priority=10 arp action=normal
2343 priority=0,action=drop
2344 dnl
2345 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2346 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2347 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2348 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2349 dnl TPA IP in reg2.
2350 dnl Swaps the fields of the ARP message to turn a query to a response.
2351 table=10 priority=100 arp xreg0=0 action=normal
2352 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2353 table=10 priority=0 action=drop
2354 ])
2355
2356 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2357
2358 dnl HTTP requests from p0->p1 should work fine.
2359 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
2360 NS_CHECK_EXEC([at_ns0], [ping -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
2361 1 packets transmitted, 1 received, 0% packet loss, time 0ms
2362 ])
2363
2364 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
2365 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.2XX,id=<cleared>,type=0,code=0),zone=1,mark=1
2366 ])
2367
2368 OVS_TRAFFIC_VSWITCHD_STOP
2369 AT_CLEANUP
2370
2371 AT_SETUP([conntrack - SNAT with port range])
2372 CHECK_CONNTRACK()
2373 CHECK_CONNTRACK_NAT()
2374 OVS_TRAFFIC_VSWITCHD_START()
2375
2376 ADD_NAMESPACES(at_ns0, at_ns1)
2377
2378 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2379 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2380 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2381
2382 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
2383 AT_DATA([flows.txt], [dnl
2384 in_port=1,tcp,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255:34567-34568,random)),2
2385 in_port=2,ct_state=-trk,tcp,tp_dst=34567,action=ct(table=0,zone=1,nat)
2386 in_port=2,ct_state=-trk,tcp,tp_dst=34568,action=ct(table=0,zone=1,nat)
2387 in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
2388 dnl
2389 dnl ARP
2390 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2391 priority=10 arp action=normal
2392 priority=0,action=drop
2393 dnl
2394 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2395 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2396 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2397 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2398 dnl TPA IP in reg2.
2399 dnl Swaps the fields of the ARP message to turn a query to a response.
2400 table=10 priority=100 arp xreg0=0 action=normal
2401 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2402 table=10 priority=0 action=drop
2403 ])
2404
2405 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2406
2407 dnl HTTP requests from p0->p1 should work fine.
2408 OVS_START_L7([at_ns1], [http])
2409 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
2410
2411 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
2412 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2413 ])
2414
2415 OVS_TRAFFIC_VSWITCHD_STOP
2416 AT_CLEANUP
2417
2418
2419 AT_SETUP([conntrack - more complex SNAT])
2420 CHECK_CONNTRACK()
2421 CHECK_CONNTRACK_NAT()
2422 OVS_TRAFFIC_VSWITCHD_START()
2423
2424 ADD_NAMESPACES(at_ns0, at_ns1)
2425
2426 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2427 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2428 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2429
2430 AT_DATA([flows.txt], [dnl
2431 dnl Track all IP traffic, NAT existing connections.
2432 priority=100 ip action=ct(table=1,zone=1,nat)
2433 dnl
2434 dnl Allow ARP, but generate responses for NATed addresses
2435 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2436 priority=10 arp action=normal
2437 priority=0 action=drop
2438 dnl
2439 dnl Allow any traffic from ns0->ns1. SNAT ns0 to 10.1.1.240-10.1.1.255
2440 table=1 priority=100 in_port=1 ip ct_state=+trk+new-est action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
2441 table=1 priority=100 in_port=1 ip ct_state=+trk-new+est action=2
2442 dnl Only allow established traffic from ns1->ns0.
2443 table=1 priority=100 in_port=2 ip ct_state=+trk-new+est action=1
2444 table=1 priority=0 action=drop
2445 dnl
2446 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2447 table=8 priority=100 reg2=0x0a0101f0/0xfffffff0 action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2448 dnl Zero result means not found.
2449 table=8 priority=0 action=load:0->OXM_OF_PKT_REG0[[]]
2450 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2451 dnl ARP TPA IP in reg2.
2452 table=10 priority=100 arp xreg0=0 action=normal
2453 dnl Swaps the fields of the ARP message to turn a query to a response.
2454 table=10 priority=10 arp arp_op=1 action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2455 table=10 priority=0 action=drop
2456 ])
2457
2458 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2459
2460 dnl HTTP requests from p0->p1 should work fine.
2461 OVS_START_L7([at_ns1], [http])
2462 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
2463
2464 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
2465 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2466 ])
2467
2468 OVS_TRAFFIC_VSWITCHD_STOP
2469 AT_CLEANUP
2470
2471 AT_SETUP([conntrack - simple DNAT])
2472 CHECK_CONNTRACK()
2473 CHECK_CONNTRACK_NAT()
2474 OVS_TRAFFIC_VSWITCHD_START()
2475
2476 ADD_NAMESPACES(at_ns0, at_ns1)
2477
2478 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2479 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2480 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
2481
2482 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
2483 AT_DATA([flows.txt], [dnl
2484 priority=100 in_port=1,ip,nw_dst=10.1.1.64,action=ct(zone=1,nat(dst=10.1.1.2),commit),2
2485 priority=10 in_port=1,ip,action=ct(commit,zone=1),2
2486 priority=100 in_port=2,ct_state=-trk,ip,action=ct(table=0,nat,zone=1)
2487 priority=100 in_port=2,ct_state=+trk+est,ct_zone=1,ip,action=1
2488 dnl
2489 dnl ARP
2490 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2491 priority=10 arp action=normal
2492 priority=0,action=drop
2493 dnl
2494 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2495 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2496 dnl Zero result means not found.
2497 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2498 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2499 dnl TPA IP in reg2.
2500 table=10 priority=100 arp xreg0=0 action=normal
2501 dnl Swaps the fields of the ARP message to turn a query to a response.
2502 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2503 table=10 priority=0 action=drop
2504 ])
2505
2506 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2507
2508 dnl Should work with the virtual IP address through NAT
2509 OVS_START_L7([at_ns1], [http])
2510 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
2511
2512 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
2513 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2514 ])
2515
2516 dnl Should work with the assigned IP address as well
2517 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2518
2519 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2520 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2521 ])
2522
2523 OVS_TRAFFIC_VSWITCHD_STOP
2524 AT_CLEANUP
2525
2526 AT_SETUP([conntrack - more complex DNAT])
2527 CHECK_CONNTRACK()
2528 CHECK_CONNTRACK_NAT()
2529 OVS_TRAFFIC_VSWITCHD_START()
2530
2531 ADD_NAMESPACES(at_ns0, at_ns1)
2532
2533 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2534 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2535 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
2536
2537 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
2538 AT_DATA([flows.txt], [dnl
2539 dnl Track all IP traffic
2540 table=0 priority=100 ip action=ct(table=1,zone=1,nat)
2541 dnl
2542 dnl Allow ARP, but generate responses for NATed addresses
2543 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2544 table=0 priority=10 arp action=normal
2545 table=0 priority=0 action=drop
2546 dnl
2547 dnl Allow any IP traffic from ns0->ns1. DNAT ns0 from 10.1.1.64 to 10.1.1.2
2548 table=1 priority=100 in_port=1 ct_state=+new ip nw_dst=10.1.1.64 action=ct(zone=1,nat(dst=10.1.1.2),commit),2
2549 table=1 priority=10 in_port=1 ct_state=+new ip action=ct(commit,zone=1),2
2550 table=1 priority=100 in_port=1 ct_state=+est ct_zone=1 action=2
2551 dnl Only allow established traffic from ns1->ns0.
2552 table=1 priority=100 in_port=2 ct_state=+est ct_zone=1 action=1
2553 table=1 priority=0 action=drop
2554 dnl
2555 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2556 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2557 dnl Zero result means not found.
2558 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2559 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2560 dnl TPA IP in reg2.
2561 table=10 priority=100 arp xreg0=0 action=normal
2562 dnl Swaps the fields of the ARP message to turn a query to a response.
2563 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2564 table=10 priority=0 action=drop
2565 ])
2566
2567 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2568
2569 dnl Should work with the virtual IP address through NAT
2570 OVS_START_L7([at_ns1], [http])
2571 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
2572
2573 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
2574 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2575 ])
2576
2577 dnl Should work with the assigned IP address as well
2578 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2579
2580 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2581 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2582 ])
2583
2584 OVS_TRAFFIC_VSWITCHD_STOP
2585 AT_CLEANUP
2586
2587 AT_SETUP([conntrack - ICMP related with NAT])
2588 AT_SKIP_IF([test $HAVE_NC = no])
2589 CHECK_CONNTRACK()
2590 CHECK_CONNTRACK_NAT()
2591 OVS_TRAFFIC_VSWITCHD_START()
2592
2593 ADD_NAMESPACES(at_ns0, at_ns1)
2594
2595 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2596 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2597 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2598
2599 dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
2600 dnl Make sure ICMP responses are reverse-NATted.
2601 AT_DATA([flows.txt], [dnl
2602 in_port=1,udp,action=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:1->ct_mark)),2
2603 in_port=2,icmp,ct_state=-trk,action=ct(table=0,nat)
2604 in_port=2,icmp,nw_dst=10.1.1.1,ct_state=+trk+rel,ct_mark=1,action=1
2605 dnl
2606 dnl ARP
2607 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2608 priority=10 arp action=normal
2609 priority=0,action=drop
2610 dnl
2611 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2612 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2613 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2614 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2615 dnl TPA IP in reg2.
2616 dnl Swaps the fields of the ARP message to turn a query to a response.
2617 table=10 priority=100 arp xreg0=0 action=normal
2618 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2619 table=10 priority=0 action=drop
2620 ])
2621
2622 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2623
2624 dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
2625 NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])
2626
2627 AT_CHECK([ovs-appctl revalidator/purge], [0])
2628 AT_CHECK([ovs-ofctl -O OpenFlow15 dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
2629  n_packets=1, n_bytes=42, priority=10,arp actions=NORMAL
2630  n_packets=1, n_bytes=44, udp,in_port=1 actions=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:0x1->ct_mark)),output:2
2631  n_packets=1, n_bytes=72, ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2,nw_dst=10.1.1.1 actions=output:1
2632  n_packets=1, n_bytes=72, ct_state=-trk,icmp,in_port=2 actions=ct(table=0,nat)
2633  n_packets=2, n_bytes=84, priority=100,arp,arp_op=1 actions=move:NXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2634  table=10, n_packets=1, n_bytes=42, priority=10,arp,arp_op=1 actions=set_field:2->arp_op,move:NXM_NX_ARP_SHA[[]]->NXM_NX_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_NX_ARP_SHA[[]],move:NXM_OF_ARP_SPA[[]]->NXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->NXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],set_field:0->in_port,output:NXM_NX_REG3[[0..15]]
2635  table=10, n_packets=1, n_bytes=42, priority=100,arp,reg0=0,reg1=0 actions=NORMAL
2636  table=8, n_packets=1, n_bytes=42, priority=0 actions=set_field:0->xreg0
2637  table=8, n_packets=1, n_bytes=42, reg2=0xa0101f0/0xfffffff0 actions=set_field:0x808888888888->xreg0
2638 OFPST_FLOW reply (OF1.5):
2639 ])
2640
2641 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
2642 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),mark=1
2643 ])
2644
2645 OVS_TRAFFIC_VSWITCHD_STOP
2646 AT_CLEANUP
2647
2648 dnl CHECK_FTP_NAT(TITLE, IP_ADDR, FLOWS, CT_DUMP)
2649 dnl
2650 dnl Checks the implementation of conntrack with FTP ALGs in combination with
2651 dnl NAT, using the provided flow table.
2652 m4_define([CHECK_FTP_NAT],
2653    [AT_SETUP([conntrack - FTP NAT $1])
2654     AT_SKIP_IF([test $HAVE_FTP = no])
2655     CHECK_CONNTRACK()
2656     CHECK_CONNTRACK_NAT()
2657
2658     OVS_TRAFFIC_VSWITCHD_START()
2659
2660     ADD_NAMESPACES(at_ns0, at_ns1)
2661
2662     ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2663     NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2664     ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2665
2666     dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
2667     AT_DATA([flows.txt], [$3])
2668
2669     AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2670
2671     OVS_START_L7([at_ns1], [ftp])
2672
2673     dnl FTP requests from p0->p1 should work fine.
2674     NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
2675
2676     dnl Discards CLOSE_WAIT and CLOSING
2677     AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [$4])
2678
2679     OVS_TRAFFIC_VSWITCHD_STOP
2680     AT_CLEANUP])
2681
2682 dnl CHECK_FTP_NAT_PRE_RECIRC(TITLE, IP_ADDR, IP_ADDR_AS_HEX)
2683 dnl
2684 dnl Checks the implementation of conntrack with FTP ALGs in combination with
2685 dnl NAT, with flow tables that implement the NATing as part of handling of
2686 dnl initial incoming packets - ie, the first flow is ct(nat,table=foo).
2687 dnl
2688 dnl IP_ADDR must specify the NAT address in standard "10.1.1.x" format,
2689 dnl and IP_ADDR_AS_HEX must specify the same address as hex, eg 0x0a0101xx.
2690 m4_define([CHECK_FTP_NAT_PRE_RECIRC], [dnl
2691    CHECK_FTP_NAT([prerecirc $1], [$2], [dnl
2692 dnl track all IP traffic, de-mangle non-NEW connections
2693 table=0 in_port=1, ip, action=ct(table=1,nat)
2694 table=0 in_port=2, ip, action=ct(table=2,nat)
2695 dnl
2696 dnl ARP
2697 dnl
2698 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2699 table=0 priority=10 arp action=normal
2700 table=0 priority=0 action=drop
2701 dnl
2702 dnl Table 1: port 1 -> 2
2703 dnl
2704 dnl Allow new FTP connections. These need to be commited.
2705 table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, action=ct(alg=ftp,commit,nat(src=$2)),2
2706 dnl Allow established TCP connections, make sure they are NATted already.
2707 table=1 ct_state=+est, tcp, nw_src=$2,     action=2
2708 dnl
2709 dnl Table 1: droppers
2710 dnl
2711 table=1 priority=10, tcp, action=drop
2712 table=1 priority=0,action=drop
2713 dnl
2714 dnl Table 2: port 2 -> 1
2715 dnl
2716 dnl Allow established TCP connections, make sure they are reverse NATted
2717 table=2 ct_state=+est, tcp, nw_dst=10.1.1.1, action=1
2718 dnl Allow (new) related (data) connections.  These need to be commited.
2719 table=2 ct_state=+new+rel, tcp, nw_dst=$2, action=ct(commit,nat),1
2720 dnl Allow related ICMP packets, make sure they are reverse NATted
2721 table=2 ct_state=+rel, icmp, nw_dst=10.1.1.1, action=1
2722 dnl
2723 dnl Table 2: droppers
2724 dnl
2725 table=2 priority=10, tcp, action=drop
2726 table=2 priority=0, action=drop
2727 dnl
2728 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2729 dnl
2730 table=8,reg2=$3/0xffffffff,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2731 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2732 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2733 dnl TPA IP in reg2.
2734 dnl Swaps the fields of the ARP message to turn a query to a response.
2735 table=10 priority=100 arp xreg0=0 action=normal
2736 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2737 table=10 priority=0 action=drop
2738 ], [dnl
2739 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
2740 tcp,orig=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2741 ])
2742 ])
2743
2744 dnl Check that ct(nat,table=foo) works without TCP sequence adjustment.
2745 CHECK_FTP_NAT_PRE_RECIRC([], [10.1.1.9], [0x0a010109])
2746
2747 dnl Check that ct(nat,table=foo) works with TCP sequence adjustment.
2748 dnl
2749 dnl The FTP PORT command includes the ASCII representation of the address,
2750 dnl so when these messages need to be NATed between addresses that have
2751 dnl different lengths when represented in ASCII (such as the original address
2752 dnl of 10.1.1.1 used in the test and 10.1.1.240 here), the FTP NAT ALG must
2753 dnl resize the packet and adjust TCP sequence numbers. This test is kept
2754 dnl separate from the above to easier identify issues in this code on different
2755 dnl kernels.
2756 CHECK_FTP_NAT_PRE_RECIRC([seqadj], [10.1.1.240], [0x0a0101f0])
2757
2758 dnl CHECK_FTP_NAT_POST_RECIRC(TITLE, IP_ADDR, IP_ADDR_AS_HEX)
2759 dnl
2760 dnl Checks the implementation of conntrack with FTP ALGs in combination with
2761 dnl NAT, with flow tables that implement the NATing after the first round
2762 dnl of recirculation - that is, the first flow ct(table=foo) then a subsequent
2763 dnl flow will implement the NATing with ct(nat..),output:foo.
2764 dnl
2765 dnl IP_ADDR must specify the NAT address in standard "10.1.1.x" format,
2766 dnl and IP_ADDR_AS_HEX must specify the same address as hex, eg 0x0a0101xx.
2767 m4_define([CHECK_FTP_NAT_POST_RECIRC], [dnl
2768     CHECK_FTP_NAT([postrecirc $1], [$2], [dnl
2769 dnl track all IP traffic (this includes a helper call to non-NEW packets.)
2770 table=0 ip, action=ct(table=1)
2771 dnl
2772 dnl ARP
2773 dnl
2774 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2775 table=0 priority=10 arp action=normal
2776 table=0 priority=0 action=drop
2777 dnl
2778 dnl Table 1
2779 dnl
2780 dnl Allow new FTP connections. These need to be commited.
2781 dnl This does helper for new packets.
2782 table=1 in_port=1 ct_state=+new, tcp, tp_dst=21, action=ct(alg=ftp,commit,nat(src=$2)),2
2783 dnl Allow and NAT established TCP connections
2784 table=1 in_port=1 ct_state=+est, tcp,     action=ct(nat),2
2785 table=1 in_port=2 ct_state=+est, tcp,     action=ct(nat),1
2786 dnl Allow and NAT (new) related active (data) connections.
2787 dnl These need to be commited.
2788 table=1 in_port=2 ct_state=+new+rel, tcp, action=ct(commit,nat),1
2789 dnl Allow related ICMP packets.
2790 table=1 in_port=2 ct_state=+rel, icmp,    action=ct(nat),1
2791 dnl Drop everything else.
2792 table=1 priority=0, action=drop
2793 dnl
2794 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2795 dnl
2796 table=8,reg2=$3/0xffffffff,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2797 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2798 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2799 dnl TPA IP in reg2.
2800 dnl Swaps the fields of the ARP message to turn a query to a response.
2801 table=10 priority=100 arp xreg0=0 action=normal
2802 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2803 table=10 priority=0 action=drop
2804 ], [dnl
2805 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
2806 tcp,orig=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2807 ])
2808 ])
2809
2810 dnl Check that ct(nat,table=foo) works without TCP sequence adjustment.
2811 CHECK_FTP_NAT_POST_RECIRC([], [10.1.1.9], [0x0a010109])
2812
2813 dnl Check that ct(nat,table=foo) works with TCP sequence adjustment.
2814 dnl
2815 dnl The FTP PORT command includes the ASCII representation of the address,
2816 dnl so when these messages need to be NATed between addresses that have
2817 dnl different lengths when represented in ASCII (such as the original address
2818 dnl of 10.1.1.1 used in the test and 10.1.1.240 here), the FTP NAT ALG must
2819 dnl resize the packet and adjust TCP sequence numbers. This test is kept
2820 dnl separate from the above to easier identify issues in this code on different
2821 dnl kernels.
2822 CHECK_FTP_NAT_POST_RECIRC([seqadj], [10.1.1.240], [0x0a0101f0])
2823
2824
2825 dnl CHECK_FTP_NAT_ORIG_TUPLE(TITLE, IP_ADDR, IP_ADDR_AS_HEX)
2826 dnl
2827 dnl Checks the implementation of conntrack original direction tuple matching
2828 dnl with FTP ALGs in combination with NAT, with flow tables that implement
2829 dnl the NATing before the first round of recirculation - that is, the first
2830 dnl flow ct(nat, table=foo) then a subsequent flow will implement the
2831 dnl commiting of NATed and other connections with ct(nat..),output:foo.
2832 dnl
2833 dnl IP_ADDR must specify the NAT address in standard "10.1.1.x" format,
2834 dnl and IP_ADDR_AS_HEX must specify the same address as hex, eg 0x0a0101xx.
2835 m4_define([CHECK_FTP_NAT_ORIG_TUPLE], [dnl
2836     CHECK_FTP_NAT([orig tuple $1], [$2], [dnl
2837 dnl Store zone in reg4 and packet direction in reg3 (IN=1, OUT=2).
2838 dnl NAT is only applied to OUT-direction packets, so that ACL
2839 dnl processing can be done with non-NATted headers.
2840 dnl
2841 dnl Track all IP traffic in the IN-direction (IN from Port 1).
2842 table=0 in_port=1, ip, action=set_field:1->reg4,set_field:1->reg3,ct(zone=NXM_NX_REG4[[0..15]],table=1)
2843 dnl Track all IP traffic in the OUT-direction (OUT to the Port 1).
2844 table=0 in_port=2, ip, action=set_field:1->reg4,set_field:2->reg3,ct(zone=NXM_NX_REG4[[0..15]],nat,table=1)
2845 dnl
2846 dnl ARP
2847 dnl
2848 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2849 table=0 priority=10 arp action=normal
2850 table=0 priority=0 action=drop
2851 dnl
2852 dnl Pass tracked traffic through ACL, drop everything else.
2853 dnl Non-REPLY/RELATED packets get the ACL lookup with the packet headers
2854 dnl in the actual packet direction in reg0 (IN=1, OUT=2).  REPLY packets
2855 dnl get the ACL lookup using the conntrack tuple and the inverted direction.
2856 dnl RELATED packets get ACL lookup using the conntrack tuple in the direction
2857 dnl of the master connection, as storted in ct_mark.
2858 dnl
2859 dnl Incoming non-related packet in the original direction (ACL IN)
2860 table=1 reg3=1, ip, ct_state=-rel-rpl+trk-inv action=set_field:1->reg0,resubmit(,3),goto_table:5
2861 dnl Incoming non-related reply packet (CT ACL OUT)
2862 table=1 reg3=1, ip, ct_state=-rel+rpl+trk-inv action=set_field:2->reg0,resubmit(,3,ct),goto_table:4
2863 dnl Outgoing non-related packet (ACL OUT)
2864 table=1 reg3=2, ip, ct_state=-rel-rpl+trk-inv action=set_field:2->reg0,resubmit(,3),goto_table:5
2865 dnl Outgoing non-related reply packet (CT ACL IN)
2866 table=1 reg3=2, ip, ct_state=-rel+rpl+trk-inv action=set_field:1->reg0,resubmit(,3,ct),goto_table:4
2867 dnl
2868 dnl Related packet (CT ACL in the direction of the master connection.)
2869 table=1 ip, ct_state=+rel+trk-inv, action=move:NXM_NX_CT_MARK[[]]->NXM_NX_REG0[[]],resubmit(,3,ct),goto_table:4
2870 dnl Drop everything else.
2871 table=1 priority=0, action=drop
2872 dnl
2873 dnl "ACL table"
2874 dnl
2875 dnl Stateful accept (1->reg2) all incoming (reg0=1) IP connections with
2876 dnl IP source address '10.1.1.1'.  Store rule ID (1234) in reg1, verdict
2877 dnl in reg2.
2878 table=3 priority=10, reg0=1, ip, nw_src=10.1.1.1 action=set_field:1234->reg1,set_field:1->reg2
2879 dnl Stateless drop (0->reg2) everything else in both directions. (Rule ID: 1235)
2880 table=3 priority=0, action=set_field:1235->reg1,set_field:0->reg2
2881 dnl
2882 dnl Re-process stateful traffic that was not accepted by a stateful rule as
2883 dnl normal traffic in the current direction.  This should also delete the
2884 dnl now stale conntrack state, so that new state can be created in it's place.
2885 dnl
2886 dnl Stateful accepts go to next table.
2887 table=4 priority=100 reg2=1, action=goto_table:5
2888 dnl Everything else is reprocessed disregarding the CT state, using the actual
2889 dnl packet direction.
2890 table=4 priority=0 action=move:NXM_NX_REG3[[]]->NXM_NX_REG0[[]],resubmit(,3),goto_table:5
2891 dnl
2892 dnl "ACL verdict processing table."
2893 dnl
2894 dnl Handle stateful (reg2=1) / stateless (reg2=2) accepts and drops (reg2=0)
2895 dnl
2896 dnl Drop all non-accepted packets.
2897 table=5 reg2=0 priority=1000 action=drop
2898 dnl
2899 dnl Commit new incoming FTP control connections with SNAT range.  Must match on
2900 dnl 'tcp' when setting 'alg=ftp'.  Store the directionality of non-related
2901 dnl connections to ct_mark.  Store the rule ID to labels.
2902 table=5 priority=100 reg2=1 reg3=1 ct_state=+new-rel, tcp, tp_dst=21, action=ct(zone=NXM_NX_REG4[[0..15]],alg=ftp,commit,nat(src=$2),exec(move:NXM_NX_REG3[[0..31]]->NXM_NX_CT_MARK[[0..31]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
2903 dnl Commit other new incoming non-related IP connections with SNAT range.
2904 table=5 priority=10 reg2=1 reg3=1 ct_state=+new-rel, ip, action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat(src=$2),exec(move:NXM_NX_REG3[[0..31]]->NXM_NX_CT_MARK[[0..31]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
2905 dnl Commit non-related outgoing new IP connections with DNAT range.
2906 dnl (This should not get any packets in this test.)
2907 table=5 priority=10 reg2=1 reg3=2 ct_state=+new-rel, ip, action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat(dst=$2),exec(move:NXM_NX_REG3[[0..31]]->NXM_NX_CT_MARK[[0..31]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
2908 dnl Commit new related connections in either direction, which need 'nat'
2909 dnl and which inherit the mark (the direction of the original direction
2910 dnl master tuple) from the master connection.
2911 table=5 priority=10 reg2=1 ct_state=+new+rel, ip, action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat,exec(move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
2912 dnl
2913 dnl NAT incoming non-NEW packets. Outgoing packets were NATted in table 0.
2914 dnl
2915 table=5 priority=10 ct_state=-new+trk-inv reg3=1 ip, action=ct(zone=NXM_NX_REG4[[0..15]],nat),goto_table:6
2916 dnl Forward everything else, including stateless accepts.
2917 table=5 priority=0 action=goto_table:6
2918 dnl
2919 dnl "Forwarding table"
2920 dnl
2921 table=6 in_port=1 action=2
2922 table=6 in_port=2 action=1
2923 dnl
2924 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2925 dnl
2926 table=8,reg2=$3,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2927 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2928 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2929 dnl TPA IP in reg2.
2930 dnl Swaps the fields of the ARP message to turn a query to a response.
2931 table=10 priority=100 arp xreg0=0 action=normal
2932 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2933 table=10 priority=0 action=drop
2934 ], [dnl
2935 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),zone=1,mark=1,labels=0x4d2000000000000000000000000,protoinfo=(state=<cleared>),helper=ftp
2936 tcp,orig=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,mark=1,labels=0x4d2000000000000000000000000,protoinfo=(state=<cleared>)
2937 ])
2938 ])
2939
2940 dnl Check that ct(nat,table=foo) works without TCP sequence adjustment with
2941 dnl an ACL table based on matching on conntrack original direction tuple only.
2942 CHECK_FTP_NAT_ORIG_TUPLE([], [10.1.1.9], [0x0a010109])
2943
2944 dnl Check that ct(nat,table=foo) works with TCP sequence adjustment with
2945 dnl an ACL table based on matching on conntrack original direction tuple only.
2946 CHECK_FTP_NAT_ORIG_TUPLE([seqadj], [10.1.1.240], [0x0a0101f0])
2947
2948 AT_SETUP([conntrack - IPv6 HTTP with NAT])
2949 CHECK_CONNTRACK()
2950 CHECK_CONNTRACK_NAT()
2951 OVS_TRAFFIC_VSWITCHD_START()
2952
2953 ADD_NAMESPACES(at_ns0, at_ns1)
2954
2955 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
2956 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2957 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
2958 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
2959
2960 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
2961 AT_DATA([flows.txt], [dnl
2962 priority=1,action=drop
2963 priority=10,icmp6,action=normal
2964 priority=100,in_port=1,ip6,action=ct(commit,nat(src=fc00::240)),2
2965 priority=100,in_port=2,ct_state=-trk,ip6,action=ct(nat,table=0)
2966 priority=100,in_port=2,ct_state=+trk+est,ip6,action=1
2967 priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::240,action=ct(commit,nat(dst=fc00::1)),1
2968 ])
2969
2970 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2971
2972 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
2973 dnl waiting, we get occasional failures due to the following error:
2974 dnl "connect: Cannot assign requested address"
2975 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
2976
2977 dnl HTTP requests from ns0->ns1 should work fine.
2978 OVS_START_L7([at_ns1], [http6])
2979
2980 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2981
2982 dnl HTTP requests from ns1->ns0 should fail due to network failure.
2983 dnl Try 3 times, in 1 second intervals.
2984 OVS_START_L7([at_ns0], [http6])
2985 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
2986
2987 OVS_TRAFFIC_VSWITCHD_STOP
2988 AT_CLEANUP
2989
2990
2991 AT_SETUP([conntrack - IPv6 FTP with NAT])
2992 AT_SKIP_IF([test $HAVE_FTP = no])
2993 CHECK_CONNTRACK()
2994 CHECK_CONNTRACK_NAT()
2995 OVS_TRAFFIC_VSWITCHD_START()
2996
2997 ADD_NAMESPACES(at_ns0, at_ns1)
2998
2999 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
3000 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
3001 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
3002 dnl Would be nice if NAT could translate neighbor discovery messages, too.
3003 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
3004
3005 dnl Allow any traffic from ns0->ns1.
3006 dnl Only allow nd, return traffic from ns1->ns0.
3007 AT_DATA([flows.txt], [dnl
3008 dnl track all IPv6 traffic (this includes NAT & help to non-NEW packets.)
3009 table=0 priority=10 ip6, action=ct(nat,table=1)
3010 table=0 priority=0 action=drop
3011 dnl
3012 dnl Table 1
3013 dnl
3014 dnl Allow new TCPv6 FTP control connections.
3015 table=1 in_port=1 ct_state=+new tcp6 ipv6_src=fc00::1 tp_dst=21  action=ct(alg=ftp,commit,nat(src=fc00::240)),2
3016 dnl Allow related TCPv6 connections from port 2 to the NATted address.
3017 table=1 in_port=2 ct_state=+new+rel tcp6 ipv6_dst=fc00::240 action=ct(commit,nat),1
3018 dnl Allow established TCPv6 connections both ways, enforce NATting
3019 table=1 in_port=1 ct_state=+est tcp6 ipv6_src=fc00::240   action=2
3020 table=1 in_port=2 ct_state=+est tcp6 ipv6_dst=fc00::1     action=1
3021 dnl Allow other ICMPv6 both ways (without commit).
3022 table=1 priority=100 in_port=1 icmp6, action=2
3023 table=1 priority=100 in_port=2 icmp6, action=1
3024 dnl Drop everything else.
3025 table=1 priority=0, action=drop
3026 ])
3027
3028 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3029
3030 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
3031 dnl waiting, we get occasional failures due to the following error:
3032 dnl "connect: Cannot assign requested address"
3033 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
3034
3035 OVS_START_L7([at_ns1], [ftp])
3036
3037 dnl FTP requests from p0->p1 should work fine.
3038 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
3039
3040 dnl Discards CLOSE_WAIT and CLOSING
3041 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
3042 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
3043 tcp,orig=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
3044 ])
3045
3046 OVS_TRAFFIC_VSWITCHD_STOP
3047 AT_CLEANUP
3048
3049
3050 AT_SETUP([conntrack - IPv6 FTP with NAT - orig tuple])
3051 AT_SKIP_IF([test $HAVE_FTP = no])
3052 CHECK_CONNTRACK()
3053 CHECK_CONNTRACK_NAT()
3054 OVS_TRAFFIC_VSWITCHD_START()
3055
3056 ADD_NAMESPACES(at_ns0, at_ns1)
3057
3058 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
3059 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
3060 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
3061 dnl Would be nice if NAT could translate neighbor discovery messages, too.
3062 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
3063
3064 dnl Allow any traffic from ns0->ns1.
3065 dnl Only allow nd, return traffic from ns1->ns0.
3066 AT_DATA([flows.txt], [dnl
3067 dnl track all IPv6 traffic (this includes NAT & help to non-NEW packets.)
3068 table=0 priority=10 ip6, action=ct(nat,table=1)
3069 table=0 priority=0 action=drop
3070 dnl
3071 dnl Table 1
3072 dnl
3073 dnl Allow other ICMPv6 both ways (without commit).
3074 table=1 priority=100 in_port=1 icmp6, action=2
3075 table=1 priority=100 in_port=2 icmp6, action=1
3076 dnl Allow new TCPv6 FTP control connections.
3077 table=1 priority=10 in_port=1 ct_state=+new+trk-inv tcp6 ct_nw_proto=6 ct_ipv6_src=fc00::1 ct_tp_dst=21  action=ct(alg=ftp,commit,nat(src=fc00::240)),2
3078 dnl Allow related TCPv6 connections from port 2 to the NATted address.
3079 table=1 priority=10 in_port=2 ct_state=+new+rel+trk-inv ipv6 ct_nw_proto=6 ct_ipv6_src=fc00::1 ct_tp_dst=21 action=ct(commit,nat),1
3080 dnl Allow established TCPv6 connections both ways, enforce NATting
3081 table=1 priority=10 in_port=1 ct_state=+est+trk-inv ipv6 ct_nw_proto=6 ct_ipv6_src=fc00::1 ct_tp_dst=21 action=2
3082 table=1 priority=10 in_port=2 ct_state=+est+trk-inv ipv6 ct_nw_proto=6 ct_ipv6_src=fc00::1 ct_tp_dst=21 action=1
3083 dnl Drop everything else.
3084 table=1 priority=0, action=drop
3085 ])
3086
3087 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3088
3089 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
3090 dnl waiting, we get occasional failures due to the following error:
3091 dnl "connect: Cannot assign requested address"
3092 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
3093
3094 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
3095 OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
3096
3097 dnl FTP requests from p0->p1 should work fine.
3098 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
3099
3100 dnl Discards CLOSE_WAIT and CLOSING
3101 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
3102 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
3103 tcp,orig=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
3104 ])
3105
3106 OVS_TRAFFIC_VSWITCHD_STOP
3107 AT_CLEANUP
3108
3109
3110 AT_SETUP([conntrack - DNAT load balancing])
3111 CHECK_CONNTRACK()
3112 CHECK_CONNTRACK_NAT()
3113 OVS_TRAFFIC_VSWITCHD_START()
3114
3115 ADD_NAMESPACES(at_ns1, at_ns2, at_ns3, at_ns4)
3116
3117 ADD_VETH(p1, at_ns1, br0, "10.1.1.1/24")
3118 ADD_VETH(p2, at_ns2, br0, "10.1.1.2/24")
3119 ADD_VETH(p3, at_ns3, br0, "10.1.1.3/24")
3120 ADD_VETH(p4, at_ns4, br0, "10.1.1.4/24")
3121 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:11])
3122 NS_CHECK_EXEC([at_ns2], [ip link set dev p2 address 80:88:88:88:88:22])
3123 NS_CHECK_EXEC([at_ns3], [ip link set dev p3 address 80:88:88:88:88:33])
3124 NS_CHECK_EXEC([at_ns4], [ip link set dev p4 address 80:88:88:88:88:44])
3125
3126 dnl Select group for load balancing.  One bucket per server.  Each bucket
3127 dnl tracks and NATs the connection and recirculates to table 4 for egress
3128 dnl routing.  Packets of existing connections are always NATted based on
3129 dnl connection state, only new connections are NATted according to the
3130 dnl specific NAT parameters in each bucket.
3131 AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn add-group br0 "group_id=234,type=select,bucket=weight=100,ct(nat(dst=10.1.1.2),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.3),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.4),commit,table=4)"])
3132
3133 AT_DATA([flows.txt], [dnl
3134 dnl Track connections to the virtual IP address.
3135 table=0 priority=100 ip nw_dst=10.1.1.64 action=group:234
3136 dnl All other IP traffic is allowed but the connection state is no commited.
3137 table=0 priority=90 ip action=ct(table=4,nat)
3138 dnl
3139 dnl Allow ARP, but generate responses for virtual addresses
3140 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
3141 table=0 priority=10 arp action=normal
3142 table=0 priority=0 action=drop
3143 dnl
3144 dnl Routing table
3145 dnl
3146 table=4,ip,nw_dst=10.1.1.1 action=mod_dl_dst:80:88:88:88:88:11,output:1
3147 table=4,ip,nw_dst=10.1.1.2 action=mod_dl_dst:80:88:88:88:88:22,output:2
3148 table=4,ip,nw_dst=10.1.1.3 action=mod_dl_dst:80:88:88:88:88:33,output:3
3149 table=4,ip,nw_dst=10.1.1.4 action=mod_dl_dst:80:88:88:88:88:44,output:4
3150 table=4 priority=0 action=drop
3151 dnl
3152 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
3153 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
3154 dnl Zero result means not found.
3155 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
3156 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
3157 dnl TPA IP in reg2.
3158 table=10 priority=100 arp xreg0=0 action=normal
3159 dnl Swaps the fields of the ARP message to turn a query to a response.
3160 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
3161 table=10 priority=0 action=controller
3162 ])
3163
3164 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3165
3166 dnl Start web servers
3167 OVS_START_L7([at_ns2], [http])
3168 OVS_START_L7([at_ns3], [http])
3169 OVS_START_L7([at_ns4], [http])
3170
3171 on_exit 'ovs-ofctl -O OpenFlow15 dump-flows br0'
3172 on_exit 'ovs-appctl revalidator/purge'
3173 on_exit 'ovs-appctl dpif/dump-flows br0'
3174
3175 dnl Should work with the virtual IP address through NAT
3176 for i in 1 2 3 4 5 6 7 8 9 10 11 12; do
3177     echo Request $i
3178     NS_CHECK_EXEC([at_ns1], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget$i.log])
3179 done
3180
3181 dnl Each server should have at least one connection.
3182 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
3183 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
3184 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.3,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
3185 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
3186 ])
3187
3188 ovs-appctl dpif/dump-flows br0
3189 ovs-appctl revalidator/purge
3190 ovs-ofctl -O OpenFlow15 dump-flows br0
3191 ovs-ofctl -O OpenFlow15 dump-group-stats br0
3192
3193 OVS_TRAFFIC_VSWITCHD_STOP
3194 AT_CLEANUP
3195
3196
3197 AT_SETUP([conntrack - DNAT load balancing with NC])
3198 AT_SKIP_IF([test $HAVE_NC = no])
3199 CHECK_CONNTRACK()
3200 CHECK_CONNTRACK_NAT()
3201 OVS_TRAFFIC_VSWITCHD_START()
3202
3203 ADD_NAMESPACES(at_ns1, at_ns2, at_ns3, at_ns4, at_ns5)
3204
3205 ADD_VETH(p1, at_ns1, br0, "10.1.1.1/24")
3206 ADD_VETH(p2, at_ns2, br0, "10.1.1.2/24")
3207 ADD_VETH(p3, at_ns3, br0, "10.1.1.3/24")
3208 ADD_VETH(p4, at_ns4, br0, "10.1.1.4/24")
3209 ADD_VETH(p5, at_ns5, br0, "10.1.1.5/24")
3210 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:11])
3211 NS_CHECK_EXEC([at_ns2], [ip link set dev p2 address 80:88:88:88:88:22])
3212 NS_CHECK_EXEC([at_ns3], [ip link set dev p3 address 80:88:88:88:88:33])
3213 NS_CHECK_EXEC([at_ns4], [ip link set dev p4 address 80:88:88:88:88:44])
3214 NS_CHECK_EXEC([at_ns5], [ip link set dev p5 address 80:88:88:88:88:55])
3215
3216 dnl Select group for load balancing.  One bucket per server.  Each bucket
3217 dnl tracks and NATs the connection and recirculates to table 4 for egress
3218 dnl routing.  Packets of existing connections are always NATted based on
3219 dnl connection state, only new connections are NATted according to the
3220 dnl specific NAT parameters in each bucket.
3221 AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn add-group br0 "group_id=234,type=select,bucket=weight=100,ct(nat(dst=10.1.1.2),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.3),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.4),commit,table=4)"])
3222
3223 AT_DATA([flows.txt], [dnl
3224 dnl Track connections to the virtual IP address.
3225 table=0 priority=100 ip nw_dst=10.1.1.64 action=group:234
3226 dnl All other IP traffic is allowed but the connection state is no commited.
3227 table=0 priority=90 ip action=ct(table=4,nat)
3228 dnl
3229 dnl Allow ARP, but generate responses for virtual addresses
3230 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
3231 table=0 priority=10 arp action=normal
3232 table=0 priority=0 action=drop
3233 dnl
3234 dnl Routing table
3235 dnl
3236 table=4,ip,nw_dst=10.1.1.1 action=mod_dl_dst:80:88:88:88:88:11,output:1
3237 table=4,ip,nw_dst=10.1.1.2 action=mod_dl_dst:80:88:88:88:88:22,output:2
3238 table=4,ip,nw_dst=10.1.1.3 action=mod_dl_dst:80:88:88:88:88:33,output:3
3239 table=4,ip,nw_dst=10.1.1.4 action=mod_dl_dst:80:88:88:88:88:44,output:4
3240 table=4,ip,nw_dst=10.1.1.5 action=mod_dl_dst:80:88:88:88:88:55,output:5
3241 table=4 priority=0 action=drop
3242 dnl
3243 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
3244 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
3245 dnl Zero result means not found.
3246 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
3247 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
3248 dnl TPA IP in reg2.
3249 table=10 priority=100 arp xreg0=0 action=normal
3250 dnl Swaps the fields of the ARP message to turn a query to a response.
3251 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
3252 table=10 priority=0 action=controller
3253 ])
3254
3255 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3256
3257 dnl Start web servers
3258 OVS_START_L7([at_ns2], [http])
3259 OVS_START_L7([at_ns3], [http])
3260 OVS_START_L7([at_ns4], [http])
3261
3262 on_exit 'ovs-ofctl -O OpenFlow15 dump-flows br0'
3263 on_exit 'ovs-appctl revalidator/purge'
3264 on_exit 'ovs-appctl dpif/dump-flows br0'
3265
3266 sleep 5
3267
3268 dnl Should work with the virtual IP address through NAT
3269 for i in 1 2 3 4 5 6 7 8 9; do
3270     echo Request $i
3271     NS_CHECK_EXEC([at_ns1], [echo "TEST1" | nc -p 4100$i 10.1.1.64 80 > nc-1-$i.log])
3272     NS_CHECK_EXEC([at_ns5], [echo "TEST5" | nc -p 4100$i 10.1.1.64 80 > nc-5-$i.log])
3273 done
3274
3275 conntrack -L 2>&1
3276
3277 ovs-appctl dpif/dump-flows br0
3278 ovs-appctl revalidator/purge
3279 ovs-ofctl -O OpenFlow15 dump-flows br0
3280 ovs-ofctl -O OpenFlow15 dump-group-stats br0
3281
3282 OVS_TRAFFIC_VSWITCHD_STOP
3283 AT_CLEANUP