1 AT_BANNER([datapath-sanity])
3 AT_SETUP([datapath - ping between two ports])
dnl Smoke test: two namespaces on br0 with a single "actions=normal" flow
dnl (plain MAC learning) must exchange ICMP echo at the default size and with
dnl 1600- and 3200-byte payloads. The larger sizes exceed a typical 1500-byte
dnl MTU, presumably to cover fragmentation; the veth MTU is not set here, so
dnl confirm before relying on that.
4 OVS_TRAFFIC_VSWITCHD_START()
6 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
8 ADD_NAMESPACES(at_ns0, at_ns1)
10 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
11 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl FORMAT_PING is defined elsewhere; judging by the fixed "time 0ms" below it
dnl normalises the ping summary line so the expected output is stable.
13 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
14 3 packets transmitted, 3 received, 0% packet loss, time 0ms
16 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
17 3 packets transmitted, 3 received, 0% packet loss, time 0ms
19 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
20 3 packets transmitted, 3 received, 0% packet loss, time 0ms
23 OVS_TRAFFIC_VSWITCHD_STOP
26 AT_SETUP([datapath - http between two ports])
dnl TCP sanity check on the same two-port "actions=normal" topology: after a
dnl ping confirms reachability, an HTTP fetch from at_ns0 to at_ns1 must
dnl succeed (wget exit status 0 is the implicit expectation of NS_CHECK_EXEC).
27 OVS_TRAFFIC_VSWITCHD_START()
29 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
31 ADD_NAMESPACES(at_ns0, at_ns1)
33 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
34 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
36 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
37 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl OVS_START_L7 is defined elsewhere; presumably it starts an HTTP listener
dnl inside at_ns1. wget retries 3 times with a 1s timeout and treats a refused
dnl connection as retryable, which tolerates the server's startup delay.
40 OVS_START_L7([at_ns1], [http])
41 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
43 OVS_TRAFFIC_VSWITCHD_STOP
46 AT_SETUP([datapath - ping between two ports on vlan])
dnl Same ping matrix as the untagged test, but over 802.1Q VLAN 100
dnl sub-interfaces (ADD_VLAN) carrying the 10.2.2.0/24 subnet, so the tagged
dnl frames must be forwarded by "actions=normal" with the tag preserved.
47 OVS_TRAFFIC_VSWITCHD_START()
49 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
51 ADD_NAMESPACES(at_ns0, at_ns1)
53 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
54 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
56 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
57 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
dnl The pings target the VLAN addresses, not the untagged 10.1.1.x ones.
59 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
60 3 packets transmitted, 3 received, 0% packet loss, time 0ms
62 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
63 3 packets transmitted, 3 received, 0% packet loss, time 0ms
65 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
66 3 packets transmitted, 3 received, 0% packet loss, time 0ms
69 OVS_TRAFFIC_VSWITCHD_STOP
72 AT_SETUP([datapath - ping between two ports on cvlan])
dnl QinQ variant: an outer service VLAN 4094 (ADD_SVLAN) with an inner
dnl customer VLAN 100 (ADD_CVLAN) stacked on it. The pings run over the inner
dnl VLAN's 10.2.2.0/24 subnet, so double-tagged frames must pass "actions=normal".
73 OVS_TRAFFIC_VSWITCHD_START()
75 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
77 ADD_NAMESPACES(at_ns0, at_ns1)
79 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
80 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
82 ADD_SVLAN(p0, at_ns0, 4094, "10.255.2.1/24")
83 ADD_SVLAN(p1, at_ns1, 4094, "10.255.2.2/24")
dnl The C-VLAN device is created on top of the S-VLAN device (p0.4094), not p0.
85 ADD_CVLAN(p0.4094, at_ns0, 100, "10.2.2.1/24")
86 ADD_CVLAN(p1.4094, at_ns1, 100, "10.2.2.2/24")
dnl Wait for a first successful ping before the counted checks; no reason is
dnl given here, presumably to let the stacked interfaces settle (the IPv6 tests
dnl below document the same pattern).
88 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])
90 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
91 3 packets transmitted, 3 received, 0% packet loss, time 0ms
93 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
94 3 packets transmitted, 3 received, 0% packet loss, time 0ms
96 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
97 3 packets transmitted, 3 received, 0% packet loss, time 0ms
100 OVS_TRAFFIC_VSWITCHD_STOP
103 AT_SETUP([datapath - ping6 between two ports])
dnl IPv6 counterpart of the two-port ping test: fc00::1 and fc00::2 on a /96,
dnl forwarded by "actions=normal", checked at default, 1600 and 3200 byte sizes.
104 OVS_TRAFFIC_VSWITCHD_START()
106 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
108 ADD_NAMESPACES(at_ns0, at_ns1)
110 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
111 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
113 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
114 dnl waiting, we get occasional failures due to the following error:
115 dnl "connect: Cannot assign requested address"
dnl (Likely duplicate address detection on the new addresses; OVS_WAIT_UNTIL
dnl retries the single ping until it succeeds.)
116 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
118 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
119 3 packets transmitted, 3 received, 0% packet loss, time 0ms
121 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
122 3 packets transmitted, 3 received, 0% packet loss, time 0ms
124 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
125 3 packets transmitted, 3 received, 0% packet loss, time 0ms
128 OVS_TRAFFIC_VSWITCHD_STOP
131 AT_SETUP([datapath - ping6 between two ports on vlan])
dnl IPv6 over 802.1Q VLAN 100 sub-interfaces; the pings use the VLAN prefix
dnl fc00:1::/96, not the untagged fc00::/96 addresses.
132 OVS_TRAFFIC_VSWITCHD_START()
134 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
136 ADD_NAMESPACES(at_ns0, at_ns1)
138 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
139 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
141 ADD_VLAN(p0, at_ns0, 100, "fc00:1::1/96")
142 ADD_VLAN(p1, at_ns1, 100, "fc00:1::2/96")
144 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
145 dnl waiting, we get occasional failures due to the following error:
146 dnl "connect: Cannot assign requested address"
147 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00:1::2])
149 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
150 3 packets transmitted, 3 received, 0% packet loss, time 0ms
152 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
153 3 packets transmitted, 3 received, 0% packet loss, time 0ms
155 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
156 3 packets transmitted, 3 received, 0% packet loss, time 0ms
159 OVS_TRAFFIC_VSWITCHD_STOP
162 AT_SETUP([datapath - ping6 between two ports on cvlan])
dnl IPv6 QinQ: outer S-VLAN 4094 (fc00:ffff::/96) with inner C-VLAN 100
dnl (fc00:1::/96) stacked on the S-VLAN device; pings run over the inner VLAN.
163 OVS_TRAFFIC_VSWITCHD_START()
165 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
167 ADD_NAMESPACES(at_ns0, at_ns1)
169 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
170 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
172 ADD_SVLAN(p0, at_ns0, 4094, "fc00:ffff::1/96")
173 ADD_SVLAN(p1, at_ns1, 4094, "fc00:ffff::2/96")
175 ADD_CVLAN(p0.4094, at_ns0, 100, "fc00:1::1/96")
176 ADD_CVLAN(p1.4094, at_ns1, 100, "fc00:1::2/96")
dnl Same settle-wait as the other IPv6 tests (see the comment in the plain
dnl ping6 test about "Cannot assign requested address").
178 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00:1::2])
180 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
181 3 packets transmitted, 3 received, 0% packet loss, time 0ms
183 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
184 3 packets transmitted, 3 received, 0% packet loss, time 0ms
186 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
187 3 packets transmitted, 3 received, 0% packet loss, time 0ms
190 OVS_TRAFFIC_VSWITCHD_STOP
193 AT_SETUP([datapath - ping over bond])
dnl at_ns1 is attached through a two-member OVS bond (p1 p2 -> bond0) running
dnl active LACP in balance-tcp mode; at_ns0 uses a plain veth. The ping matrix
dnl then verifies traffic crosses the bond in both directions.
194 OVS_TRAFFIC_VSWITCHD_START()
196 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
198 ADD_NAMESPACES(at_ns0, at_ns1)
200 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
201 ADD_VETH_BOND(p1 p2, at_ns1, br0, bond0, lacp=active bond_mode=balance-tcp, "10.1.1.2/24")
dnl Retry a single ping until it succeeds; presumably this gives LACP time to
dnl negotiate before the strict 0%-loss checks below.
203 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2])
205 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
206 3 packets transmitted, 3 received, 0% packet loss, time 0ms
208 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
209 3 packets transmitted, 3 received, 0% packet loss, time 0ms
211 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
212 3 packets transmitted, 3 received, 0% packet loss, time 0ms
215 OVS_TRAFFIC_VSWITCHD_STOP
218 AT_SETUP([datapath - ping over vxlan tunnel])
dnl Overlay test. Topology:
dnl   br-underlay (host side, 172.31.1.100) --veth-- at_ns0 (172.31.1.1)
dnl   br0 carries the OVS VXLAN port at_vxlan0 (overlay 10.1.1.100) whose
dnl   remote is at_ns0's native Linux vxlan device (overlay 10.1.1.1).
dnl The underlay is pinged first so an overlay failure can be told apart from
dnl a broken underlay link.
221 OVS_TRAFFIC_VSWITCHD_START()
222 ADD_BR([br-underlay])
224 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
225 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
227 ADD_NAMESPACES(at_ns0)
229 dnl Set up underlay link from host into the namespace using veth pair.
230 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
231 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
232 AT_CHECK([ip link set dev br-underlay up])
234 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
235 dnl linux device inside the namespace.
dnl Note: the ADD_NATIVE_TUNNEL call below ends with a comma; its remaining
dnl arguments are not visible in this rendering of the file.
236 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
237 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
240 dnl First, check the underlay
241 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
242 3 packets transmitted, 3 received, 0% packet loss, time 0ms
245 dnl Okay, now check the overlay with different packet sizes
dnl (the 1600/3200 byte payloads must survive encapsulation, which adds
dnl outer headers on top of the inner frame).
246 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
247 3 packets transmitted, 3 received, 0% packet loss, time 0ms
249 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
250 3 packets transmitted, 3 received, 0% packet loss, time 0ms
252 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
253 3 packets transmitted, 3 received, 0% packet loss, time 0ms
256 OVS_TRAFFIC_VSWITCHD_STOP
259 AT_SETUP([datapath - ping over gre tunnel])
dnl Same underlay/overlay layout as the vxlan test, with an OVS gre port on
dnl br0 paired against a native Linux gretap device in at_ns0.
262 OVS_TRAFFIC_VSWITCHD_START()
263 ADD_BR([br-underlay])
265 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
266 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
268 ADD_NAMESPACES(at_ns0)
270 dnl Set up underlay link from host into the namespace using veth pair.
271 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
272 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
273 AT_CHECK([ip link set dev br-underlay up])
275 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
276 dnl linux device inside the namespace.
dnl gretap (not gre) on the namespace side, because the OVS port bridges
dnl Ethernet frames and needs an L2 peer.
277 ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
278 ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24])
280 dnl First, check the underlay
281 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
282 3 packets transmitted, 3 received, 0% packet loss, time 0ms
285 dnl Okay, now check the overlay with different packet sizes
286 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
287 3 packets transmitted, 3 received, 0% packet loss, time 0ms
289 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
290 3 packets transmitted, 3 received, 0% packet loss, time 0ms
292 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
293 3 packets transmitted, 3 received, 0% packet loss, time 0ms
296 OVS_TRAFFIC_VSWITCHD_STOP
299 AT_SETUP([datapath - ping over geneve tunnel])
dnl Same underlay/overlay layout as the vxlan and gre tests, using Geneve
dnl encapsulation on both ends.
302 OVS_TRAFFIC_VSWITCHD_START()
303 ADD_BR([br-underlay])
305 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
306 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
308 ADD_NAMESPACES(at_ns0)
310 dnl Set up underlay link from host into the namespace using veth pair.
311 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
312 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
313 AT_CHECK([ip link set dev br-underlay up])
315 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
316 dnl linux device inside the namespace.
dnl Note: the ADD_NATIVE_TUNNEL call below ends with a comma; its remaining
dnl arguments are not visible in this rendering of the file.
317 ADD_OVS_TUNNEL([geneve], [br0], [at_gnv0], [172.31.1.1], [10.1.1.100/24])
318 ADD_NATIVE_TUNNEL([geneve], [ns_gnv0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
321 dnl First, check the underlay
322 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
323 3 packets transmitted, 3 received, 0% packet loss, time 0ms
326 dnl Okay, now check the overlay with different packet sizes
327 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
328 3 packets transmitted, 3 received, 0% packet loss, time 0ms
330 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
331 3 packets transmitted, 3 received, 0% packet loss, time 0ms
333 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
334 3 packets transmitted, 3 received, 0% packet loss, time 0ms
337 OVS_TRAFFIC_VSWITCHD_STOP
340 AT_SETUP([datapath - clone action])
dnl Verifies that field modifications inside clone(...) apply only to the
dnl cloned copy: the original packet continues to the output port unchanged
dnl (the ping still succeeds), while the copy from the in_port=2 flow reaches
dnl the controller with the rewritten dl_src/dl_dst/nw_dst seen in the
dnl monitor log below.
341 OVS_TRAFFIC_VSWITCHD_START()
343 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2)
345 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
346 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Pin OpenFlow port numbers so in_port=1/2 in flows.txt are deterministic.
348 AT_CHECK([ovs-vsctl -- set interface ovs-p0 ofport_request=1 \
349 -- set interface ovs-p1 ofport_request=2])
351 AT_DATA([flows.txt], [dnl
352 priority=1 actions=NORMAL
353 priority=10 in_port=1,ip,actions=clone(mod_dl_dst(50:54:00:00:00:0a),set_field:192.168.3.3->ip_dst), output:2
354 priority=10 in_port=2,ip,actions=clone(mod_dl_src(ae:c6:7e:54:8d:4d),mod_dl_dst(50:54:00:00:00:0b),set_field:192.168.4.4->ip_dst, controller), output:1
356 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
dnl Capture packet-ins on stderr before generating traffic; only the in_port=2
dnl clone sends to the controller, so three echo replies -> three entries.
358 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
359 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
360 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl STRIP_MONITOR_CSUM (defined elsewhere) presumably replaces the checksum
dnl with <skip> so the log compares stably.
363 AT_CHECK([cat ofctl_monitor.log | STRIP_MONITOR_CSUM], [0], [dnl
364 icmp,vlan_tci=0x0000,dl_src=ae:c6:7e:54:8d:4d,dl_dst=50:54:00:00:00:0b,nw_src=10.1.1.2,nw_dst=192.168.4.4,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=0,icmp_code=0 icmp_csum: <skip>
365 icmp,vlan_tci=0x0000,dl_src=ae:c6:7e:54:8d:4d,dl_dst=50:54:00:00:00:0b,nw_src=10.1.1.2,nw_dst=192.168.4.4,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=0,icmp_code=0 icmp_csum: <skip>
366 icmp,vlan_tci=0x0000,dl_src=ae:c6:7e:54:8d:4d,dl_dst=50:54:00:00:00:0b,nw_src=10.1.1.2,nw_dst=192.168.4.4,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=0,icmp_code=0 icmp_csum: <skip>
369 OVS_TRAFFIC_VSWITCHD_STOP
372 AT_SETUP([datapath - basic truncate action])
dnl Exercises output(port=N,max_len=L). Two veth pairs (ovs-p1/p1, ovs-p2/p2)
dnl are added to br0 on BOTH ends, so whatever is output to ovs-p1 (port 2)
dnl re-enters br0 from p1 (port 3) and whatever goes to ovs-p2 (port 4)
dnl re-enters from p2 (port 5). Drop flows on ports 3 and 5 act as byte
dnl counters: their n_bytes reveal the size that actually left the switch.
dnl The whole sequence is then repeated with datapath truncation disabled so
dnl the userspace SLOW_ACTION implementation is covered too.
373 AT_SKIP_IF([test $HAVE_NC = no])
374 OVS_TRAFFIC_VSWITCHD_START()
375 AT_CHECK([ovs-ofctl del-flows br0])
377 dnl Create p0 and ovs-p0(1)
dnl The numbers in parentheses are OpenFlow port numbers used in flows.txt.
378 ADD_NAMESPACES(at_ns0)
379 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MACs plus a static ARP entry keep the test free of ARP traffic and
dnl let the flows match on dl_dst exactly.
380 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
381 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
383 dnl Create p1(3) and ovs-p1(2), packets received from ovs-p1 will appear in p1
384 AT_CHECK([ip link add p1 type veth peer name ovs-p1])
dnl Interfaces created outside ADD_VETH must be cleaned up explicitly.
385 on_exit 'ip link del ovs-p1'
386 AT_CHECK([ip link set dev ovs-p1 up])
387 AT_CHECK([ip link set dev p1 up])
388 AT_CHECK([ovs-vsctl add-port br0 ovs-p1 -- set interface ovs-p1 ofport_request=2])
389 dnl Use p1 to check the truncated packet
390 AT_CHECK([ovs-vsctl add-port br0 p1 -- set interface p1 ofport_request=3])
392 dnl Create p2(5) and ovs-p2(4)
393 AT_CHECK([ip link add p2 type veth peer name ovs-p2])
394 on_exit 'ip link del ovs-p2'
395 AT_CHECK([ip link set dev ovs-p2 up])
396 AT_CHECK([ip link set dev p2 up])
397 AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=4])
398 dnl Use p2 to check the truncated packet
399 AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=5])
dnl Case 1: one truncated copy (100 bytes) to port 2, one full copy to port 4.
402 AT_CHECK([ovs-ofctl del-flows br0])
403 AT_DATA([flows.txt], [dnl
404 in_port=3 dl_dst=e6:66:c1:22:22:22 actions=drop
405 in_port=5 dl_dst=e6:66:c1:22:22:22 actions=drop
406 in_port=1 dl_dst=e6:66:c1:22:22:22 actions=output(port=2,max_len=100),output:4
408 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
410 dnl use this file as payload file for ncat
dnl 200 random bytes over UDP: ETH(14) + IP(20) + UDP(8) + 200 = 242 bytes on
dnl the wire, which is the "original size" the counters below are checked against.
411 AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
412 on_exit 'rm -f payload200.bin'
413 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])
415 dnl packet with truncated size
dnl revalidator/purge pushes datapath flow stats into the OpenFlow counters
dnl before they are read; the expected n_bytes lines are not visible in this
dnl rendering of the file.
416 AT_CHECK([ovs-appctl revalidator/purge], [0])
417 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
420 dnl packet with original size
421 AT_CHECK([ovs-appctl revalidator/purge], [0])
422 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
426 dnl more complicated output actions
dnl Case 2: several outputs to the same ports with different max_len values,
dnl including max_len larger than the packet (no truncation expected).
427 AT_CHECK([ovs-ofctl del-flows br0])
428 AT_DATA([flows.txt], [dnl
429 in_port=3 dl_dst=e6:66:c1:22:22:22 actions=drop
430 in_port=5 dl_dst=e6:66:c1:22:22:22 actions=drop
431 in_port=1 dl_dst=e6:66:c1:22:22:22 actions=output(port=2,max_len=100),output:4,output(port=2,max_len=100),output(port=4,max_len=100),output:2,output(port=4,max_len=200),output(port=2,max_len=65535)
433 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
435 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])
437 dnl 100 + 100 + 242 + min(65535,242) = 684
438 AT_CHECK([ovs-appctl revalidator/purge], [0])
439 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
442 dnl 242 + 100 + min(242,200) = 542
443 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
447 dnl SLOW_ACTION: disable kernel datapath truncate support
448 dnl Repeat the test above, but exercise the SLOW_ACTION code path
dnl (The expected reply text below matches the daemon's actual output,
dnl including its spelling; it must stay byte-exact.)
449 AT_CHECK([ovs-appctl dpif/disable-truncate], [0],
450 [Datapath truncate action diabled
453 dnl SLOW_ACTION test1: check datapath actions
dnl Re-install the flows so they are translated again with truncation
dnl disabled, then trace a synthetic TCP flow and confirm the datapath action
dnl list still carries trunc() but is flagged for the userspace slow path.
454 AT_CHECK([ovs-ofctl del-flows br0])
455 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
457 AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=1,dl_type=0x800,dl_src=e6:66:c1:11:11:11,dl_dst=e6:66:c1:22:22:22,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,tp_src=8,tp_dst=9"], [0], [stdout])
458 AT_CHECK([tail -3 stdout], [0],
459 [Datapath actions: trunc(100),3,5,trunc(100),3,trunc(100),5,3,trunc(200),5,trunc(65535),3
460 This flow is handled by the userspace slow path because it:
461 - Uses action(s) not supported by datapath.
464 dnl SLOW_ACTION test2: check actual packet truncate
dnl Same byte-count expectations as case 2 (684 / 542), now produced by the
dnl userspace implementation.
465 AT_CHECK([ovs-ofctl del-flows br0])
466 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
467 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])
469 dnl 100 + 100 + 242 + min(65535,242) = 684
470 AT_CHECK([ovs-appctl revalidator/purge], [0])
471 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
475 dnl 242 + 100 + min(242,200) = 542
476 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
480 OVS_TRAFFIC_VSWITCHD_STOP
483 dnl Create 2 bridges and 2 namespaces to test truncate over a GRE tunnel.
485 dnl br0: overlay bridge
486 dnl ns1: connect to br0, with IP:10.1.1.2
487 dnl br-underlay: with IP: 172.31.1.100
488 dnl ns0: connect to br-underlay, with IP: 10.1.1.1
dnl (ns0's underlay address is 172.31.1.1; 10.1.1.1 is the address of its
dnl gretap overlay device.)
dnl
dnl The test checks truncation in both tunnel directions:
dnl   push: ns1 -> br0 -> at_gre0 (truncated to 100) -> br-underlay -> ns0,
dnl         verified from the n_bytes counter of the underlay LOCAL flow;
dnl   pop:  ns0 -> gretap -> at_gre0 -> br0 -> p2 loopback pair (truncated),
dnl         verified from the drop flow on p2's OpenFlow port 4.
489 AT_SETUP([datapath - truncate and output to gre tunnel])
490 AT_SKIP_IF([test $HAVE_NC = no])
492 OVS_TRAFFIC_VSWITCHD_START()
494 ADD_BR([br-underlay])
495 ADD_NAMESPACES(at_ns0)
496 ADD_NAMESPACES(at_ns1)
497 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
498 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
500 dnl Set up underlay link from host into the namespace using veth pair.
501 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
502 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
503 AT_CHECK([ip link set dev br-underlay up])
505 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
506 dnl linux device inside the namespace.
507 ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
508 ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
509 [], [address e6:66:c1:11:11:11])
dnl at_gre0 is OpenFlow port 1 on br0; static ARP entries on both namespaces
dnl keep ARP out of the byte counters.
510 AT_CHECK([ovs-vsctl -- set interface at_gre0 ofport_request=1])
511 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
513 dnl Set up (p1 and ovs-p1) at br0
514 ADD_VETH(p1, at_ns1, br0, '10.1.1.2/24')
515 AT_CHECK([ovs-vsctl -- set interface ovs-p1 ofport_request=2])
516 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
517 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
519 dnl Set up (p2 and ovs-p2) as loopback for verifying packet size
dnl Both ends of this veth pair are on br0: output to port 3 re-enters on port 4.
520 AT_CHECK([ip link add p2 type veth peer name ovs-p2])
521 on_exit 'ip link del ovs-p2'
522 AT_CHECK([ip link set dev ovs-p2 up])
523 AT_CHECK([ip link set dev p2 up])
524 AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=3])
525 AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=4])
527 dnl use this file as payload file for ncat
528 AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
529 on_exit 'rm -f payload200.bin'
dnl Overlay flows: from the tunnel (1) send truncated copies to ns1 (2) and to
dnl the loopback pair (3); from ns1 (2) send UDP truncated into the tunnel.
dnl Port 4 drops and only counts; everything else is dropped.
531 AT_CHECK([ovs-ofctl del-flows br0])
532 AT_DATA([flows.txt], [dnl
533 priority=99,in_port=1,actions=output(port=2,max_len=100),output(port=3,max_len=100)
534 priority=99,in_port=2,udp,actions=output(port=1,max_len=100)
535 priority=1,in_port=4,ip,actions=drop
536 priority=1,actions=drop
538 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
dnl Underlay flows: only GRE (IP protocol 47) between the veth (1) and the
dnl bridge's LOCAL port is allowed; the LOCAL-side flow doubles as the counter
dnl for encapsulated bytes.
540 AT_CHECK([ovs-ofctl del-flows br-underlay])
541 AT_DATA([flows-underlay.txt], [dnl
542 priority=99,dl_type=0x0800,nw_proto=47,in_port=1,actions=LOCAL
543 priority=99,dl_type=0x0800,nw_proto=47,in_port=LOCAL,ip_dst=172.31.1.1/24,actions=1
544 priority=1,actions=drop
547 AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])
549 dnl check tunnel push path, from at_ns1 to at_ns0
550 NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
551 AT_CHECK([ovs-appctl revalidator/purge], [0])
553 dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
554 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
557 dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
558 AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
562 dnl check tunnel pop path, from at_ns0 to at_ns1
563 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 5678 < payload200.bin])
564 dnl After truncation = 100 byte at loopback device p2(4)
565 AT_CHECK([ovs-appctl revalidator/purge], [0])
566 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | ofctl_strip], [0], [dnl
567 n_packets=1, n_bytes=100, priority=1,ip,in_port=4 actions=drop
570 dnl SLOW_ACTION: disable datapath truncate support
571 dnl Repeat the test above, but exercise the SLOW_ACTION code path
dnl (Expected reply text must match the daemon's output byte-for-byte.)
572 AT_CHECK([ovs-appctl dpif/disable-truncate], [0],
573 [Datapath truncate action diabled
576 dnl SLOW_ACTION test1: check datapath actions
dnl NOTE(review): unlike the basic truncate test, no ofproto/trace check
dnl follows here; test1 only re-installs the flows.
577 AT_CHECK([ovs-ofctl del-flows br0])
578 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
580 dnl SLOW_ACTION test2: check actual packet truncate
dnl Re-installing both flow tables also resets their n_bytes counters, so the
dnl expectations below are the same as for the datapath-truncate run.
581 AT_CHECK([ovs-ofctl del-flows br0])
582 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
583 AT_CHECK([ovs-ofctl del-flows br-underlay])
584 AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])
586 dnl check tunnel push path, from at_ns1 to at_ns0
587 NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
588 AT_CHECK([ovs-appctl revalidator/purge], [0])
590 dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
591 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
594 dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
595 AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
599 dnl check tunnel pop path, from at_ns0 to at_ns1
600 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 5678 < payload200.bin])
601 dnl After truncation = 100 byte at loopback device p2(4)
602 AT_CHECK([ovs-appctl revalidator/purge], [0])
603 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | ofctl_strip], [0], [dnl
604 n_packets=1, n_bytes=100, priority=1,ip,in_port=4 actions=drop
607 OVS_TRAFFIC_VSWITCHD_STOP
610 AT_BANNER([conntrack])
612 AT_SETUP([conntrack - controller])
dnl Drives the connection tracker with ovs-ofctl packet-out instead of real
dnl sockets, so the ct() actions run on synthetic UDP packets and the results
dnl are observed through packet-ins captured by ovs-ofctl monitor. The policy
dnl under test: port 1 may open connections (committed and copied to the
dnl controller); port 2 may only send established replies.
614 OVS_TRAFFIC_VSWITCHD_START()
dnl Debug logging for the dpif/upcall layers aids triage when the expected
dnl packet-ins are missing.
615 AT_CHECK([ovs-appctl vlog/set dpif:dbg dpif_netdev:dbg ofproto_dpif_upcall:dbg])
617 ADD_NAMESPACES(at_ns0, at_ns1)
619 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
620 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
622 dnl Allow any traffic from ns0->ns1. Only allow ARP and established return
dnl traffic from ns1->ns0.
dnl Untracked UDP from port 2 is recirculated through ct(table=0) and then
dnl re-matched on ct_state; anything that is not +trk+est falls to the drop.
623 AT_DATA([flows.txt], [dnl
624 priority=1,action=drop
625 priority=10,arp,action=normal
626 priority=100,in_port=1,udp,action=ct(commit),controller
627 priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
628 priority=100,in_port=2,ct_state=+trk+est,udp,action=controller
631 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
633 AT_CAPTURE_FILE([ofctl_monitor.log])
634 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
636 dnl Send an unsolicited reply from port 2. This should be dropped.
dnl The hex blobs are raw Ethernet/IPv4/UDP frames; the packet-out actions
dnl mirror the flow actions for the corresponding in_port.
637 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000'])
639 dnl OK, now start a new connection from port 1.
640 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit\),controller '50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000'])
642 dnl Now try a reply from port 2.
643 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000'])
645 dnl Check this output. We only see the latter two packets, not the first.
dnl The second packet-in carries ct_state=est|rpl|trk and the ct_* tuple,
dnl showing the reply was matched against the entry committed by port 1.
646 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
647 NXT_PACKET_IN2 (xid=0x0): total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
648 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
649 NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,ct_nw_src=10.1.1.1,ct_nw_dst=10.1.1.2,ct_nw_proto=17,ct_tp_src=1,ct_tp_dst=2,in_port=2 (via action) data_len=42 (unbuffered)
650 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
653 OVS_TRAFFIC_VSWITCHD_STOP
656 AT_SETUP([conntrack - IPv4 ping])
dnl Stateful ICMP policy with real traffic: echo from ns0 is committed and
dnl forwarded, replies from ns1 pass only when they match an established
dnl entry. Positive check first, then, after flushing the table, a negative
dnl check that ns1 cannot initiate.
658 OVS_TRAFFIC_VSWITCHD_START()
660 ADD_NAMESPACES(at_ns0, at_ns1)
662 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
663 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
665 dnl Allow any traffic from ns0->ns1. Only allow ARP and established return
dnl traffic from ns1->ns0.
666 AT_DATA([flows.txt], [dnl
667 priority=1,action=drop
668 priority=10,arp,action=normal
669 priority=100,in_port=1,icmp,action=ct(commit),2
670 priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
671 priority=100,in_port=2,icmp,ct_state=+trk+est,action=1
674 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
676 dnl Pings from ns0->ns1 should work fine.
677 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
678 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl FORMAT_CT (defined elsewhere) presumably filters the dump to the given
dnl address and masks the ICMP id, which changes per run.
681 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
682 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0)
dnl Flush so the entry created above cannot make ns1's echo look established.
685 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
687 dnl Pings from ns1->ns0 should fail.
dnl (7 transmitted rather than 3: with -w 2 and -i 0.3, ping keeps sending
dnl until the deadline when no reply arrives.)
688 NS_CHECK_EXEC([at_ns1], [ping -q -c 3 -i 0.3 -w 2 10.1.1.1 | FORMAT_PING], [0], [dnl
689 7 packets transmitted, 0 received, 100% packet loss, time 0ms
692 OVS_TRAFFIC_VSWITCHD_STOP
695 AT_SETUP([conntrack - IPv6 ping])
dnl IPv6 variant of the stateful ICMP test. Because IPv6 depends on neighbour
dnl discovery, only echo request/reply are subjected to conntrack in table 1;
dnl all other traffic (including ND) takes the normal action in table 0.
697 OVS_TRAFFIC_VSWITCHD_START()
699 ADD_NAMESPACES(at_ns0, at_ns1)
701 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
702 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
704 AT_DATA([flows.txt], [dnl
706 dnl ICMPv6 echo request and reply go to table 1. The rest of the traffic goes
707 dnl through normal action.
708 table=0,priority=10,icmp6,icmp_type=128,action=goto_table:1
709 table=0,priority=10,icmp6,icmp_type=129,action=goto_table:1
710 table=0,priority=1,action=normal
712 dnl Allow everything from ns0->ns1. Only allow return traffic from ns1->ns0.
713 table=1,priority=100,in_port=1,icmp6,action=ct(commit),2
714 table=1,priority=100,in_port=2,icmp6,ct_state=-trk,action=ct(table=0)
715 table=1,priority=100,in_port=2,icmp6,ct_state=+trk+est,action=1
716 table=1,priority=1,action=drop
719 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Settle-wait for the IPv6 stack, as in the datapath ping6 tests.
721 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
723 dnl The above ping creates state in the connection tracker. We're not
724 dnl interested in that state.
725 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
727 dnl Pings from ns1->ns0 should fail.
728 NS_CHECK_EXEC([at_ns1], [ping6 -q -c 3 -i 0.3 -w 2 fc00::1 | FORMAT_PING], [0], [dnl
729 7 packets transmitted, 0 received, 100% packet loss, time 0ms
732 dnl Pings from ns0->ns1 should work fine.
733 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
734 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl The committed entry is an icmpv6 echo (type 128) with a 129 reply.
737 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
738 icmpv6,orig=(src=fc00::1,dst=fc00::2,id=<cleared>,type=128,code=0),reply=(src=fc00::2,dst=fc00::1,id=<cleared>,type=129,code=0)
741 OVS_TRAFFIC_VSWITCHD_STOP
744 AT_SETUP([conntrack - preserve registers])
dnl Checks that register values survive the recirculation performed by
dnl ct(table=0). Ports 1/2 form a plain stateful pair as a control; ports 3/4
dnl carry a handshake through reg0: load 0 before ct(), then after
dnl recirculation match reg0=0, load 1 and commit, and finally forward only
dnl when reg0=1 is seen on the second pass.
746 OVS_TRAFFIC_VSWITCHD_START()
748 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
750 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
751 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
752 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
753 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
755 dnl Allow any traffic from ns0->ns1, ns2->ns3.
dnl ICMP and ARP bypass conntrack so that address resolution does not
dnl interfere with the TCP checks.
756 AT_DATA([flows.txt], [dnl
757 priority=1,action=drop
758 priority=10,arp,action=normal
759 priority=10,icmp,action=normal
760 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
761 priority=100,in_port=1,tcp,ct_state=+trk,action=2
762 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
763 priority=100,in_port=2,tcp,ct_state=+trk,action=1
764 priority=100,in_port=3,tcp,ct_state=-trk,action=load:0->NXM_NX_REG0[[]],ct(table=0)
765 priority=100,in_port=3,tcp,ct_state=+trk,reg0=0,action=load:1->NXM_NX_REG0[[]],ct(commit,table=0)
766 priority=100,in_port=3,tcp,ct_state=+trk,reg0=1,action=4
767 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
768 priority=100,in_port=4,tcp,ct_state=+trk,action=3
771 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
773 OVS_START_L7([at_ns1], [http])
774 OVS_START_L7([at_ns3], [http])
776 dnl HTTP requests from p0->p1 should work fine.
777 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
779 dnl HTTP requests from p2->p3 should work fine.
dnl If reg0 were lost across ct(table=0) the reg0=1 flow would never match
dnl and this fetch would fail.
780 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
782 OVS_TRAFFIC_VSWITCHD_STOP
785 AT_SETUP([conntrack - invalid])
dnl Demonstrates the effect of tracking without committing. Forward-direction
dnl TCP passes through ct() but is never committed, so the server's replies
dnl have no entry to match and are classified invalid rather than new.
dnl Pair 1 (ports 1/2) only accepts +new replies and therefore fails; pair 2
dnl (ports 3/4) additionally accepts +inv and succeeds.
dnl Accepting +inv is what makes pair 2 work here; in a real policy it
dnl forwards packets the tracker could not associate with any connection,
dnl so it should be a deliberate, narrowly scoped choice.
787 OVS_TRAFFIC_VSWITCHD_START()
789 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
791 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
792 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
793 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
794 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
796 dnl Pass traffic from ns0->ns1 without committing, but attempt to track in
797 dnl the opposite direction. This should fail.
798 dnl Pass traffic from ns2->ns3 without committing, and this time match
799 dnl invalid traffic and allow it through.
800 AT_DATA([flows.txt], [dnl
801 priority=1,action=drop
802 priority=10,arp,action=normal
803 priority=10,icmp,action=normal
804 priority=100,in_port=1,tcp,action=ct(),2
805 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
806 priority=100,in_port=2,ct_state=+trk+new,tcp,action=1
807 priority=100,in_port=3,tcp,action=ct(),4
808 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
809 priority=100,in_port=4,ct_state=+trk+inv,tcp,action=3
810 priority=100,in_port=4,ct_state=+trk+new,tcp,action=3
813 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
815 dnl We set up our rules to allow the request without committing. The return
816 dnl traffic can't be identified, because the initial request wasn't committed.
817 dnl For the first pair of ports, this means that the connection fails.
818 OVS_START_L7([at_ns1], [http])
819 OVS_START_L7([at_ns3], [http])
dnl wget exit status 4 is its "network failure" code; NS_CHECK_EXEC is told
dnl to expect it.
820 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4])
822 dnl For the second pair, we allow packets from invalid connections, so it works.
823 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
825 OVS_TRAFFIC_VSWITCHD_STOP
828 AT_SETUP([conntrack - zones])
830 OVS_TRAFFIC_VSWITCHD_START()
832 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
834 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
835 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
836 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
837 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
839 dnl Allow any traffic from ns0->ns1. Allow return traffic, matching on zone.
840 dnl For ns2->ns3, use a different zone and see that the match fails.
841 AT_DATA([flows.txt], [dnl
842 priority=1,action=drop
843 priority=10,arp,action=normal
844 priority=10,icmp,action=normal
845 priority=100,in_port=1,tcp,action=ct(commit,zone=1),2
846 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
847 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
848 priority=100,in_port=3,tcp,action=ct(commit,zone=2),4
849 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0,zone=2)
850 priority=100,in_port=4,ct_state=+trk,ct_zone=1,tcp,action=3
853 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
855 OVS_START_L7([at_ns1], [http])
856 OVS_START_L7([at_ns3], [http])
858 dnl HTTP requests from p0->p1 should work fine.
859 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
861 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
862 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
865 dnl HTTP requests from p2->p3 should fail due to network failure.
866 dnl Try 3 times, in 1 second intervals.
867 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
869 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
870 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
873 OVS_TRAFFIC_VSWITCHD_STOP
876 AT_SETUP([conntrack - zones from field])
878 OVS_TRAFFIC_VSWITCHD_START()
880 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
882 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
883 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
884 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
885 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
887 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
888 AT_DATA([flows.txt], [dnl
889 priority=1,action=drop
890 priority=10,arp,action=normal
891 priority=10,icmp,action=normal
892 priority=100,in_port=1,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),2
893 priority=100,in_port=2,ct_state=-trk,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
894 priority=100,in_port=2,ct_state=+trk,ct_zone=0x1001,tcp,action=1
895 priority=100,in_port=3,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),4
896 priority=100,in_port=4,ct_state=-trk,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
897 priority=100,in_port=4,ct_state=+trk,ct_zone=0x1001,tcp,action=3
900 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
902 OVS_START_L7([at_ns1], [http])
903 OVS_START_L7([at_ns3], [http])
905 dnl HTTP requests from p0->p1 should work fine.
906 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
908 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
909 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=4097,protoinfo=(state=<cleared>)
912 dnl HTTP requests from p2->p3 should fail due to network failure.
913 dnl Try 3 times, in 1 second intervals.
914 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
916 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
917 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=4098,protoinfo=(state=<cleared>)
920 OVS_TRAFFIC_VSWITCHD_STOP
923 AT_SETUP([conntrack - multiple bridges])
925 OVS_TRAFFIC_VSWITCHD_START(
927 add-port br0 patch+ -- set int patch+ type=patch options:peer=patch- --\
928 add-port br1 patch- -- set int patch- type=patch options:peer=patch+ --])
930 ADD_NAMESPACES(at_ns0, at_ns1)
932 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
933 ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")
935 dnl Allow any traffic from ns0->br1, allow established in reverse.
936 AT_DATA([flows-br0.txt], [dnl
937 priority=1,action=drop
938 priority=10,arp,action=normal
939 priority=10,icmp,action=normal
940 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(commit,zone=1),1
941 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
942 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=1,action=2
945 dnl Allow any traffic from br0->ns1, allow established in reverse.
946 AT_DATA([flows-br1.txt], [dnl
947 priority=1,action=drop
948 priority=10,arp,action=normal
949 priority=10,icmp,action=normal
950 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=2)
951 priority=100,in_port=1,tcp,ct_state=+trk+new,ct_zone=2,action=ct(commit,zone=2),2
952 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=2,action=2
953 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
954 priority=100,in_port=2,tcp,ct_state=+trk+est,ct_zone=2,action=ct(commit,zone=2),1
957 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
958 AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt])
960 dnl HTTP requests from p0->p1 should work fine.
961 OVS_START_L7([at_ns1], [http])
962 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
964 OVS_TRAFFIC_VSWITCHD_STOP
967 AT_SETUP([conntrack - multiple zones])
969 OVS_TRAFFIC_VSWITCHD_START()
971 ADD_NAMESPACES(at_ns0, at_ns1)
973 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
974 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
976 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
977 AT_DATA([flows.txt], [dnl
978 priority=1,action=drop
979 priority=10,arp,action=normal
980 priority=10,icmp,action=normal
981 priority=100,in_port=1,tcp,action=ct(commit,zone=1),ct(commit,zone=2),2
982 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=2)
983 priority=100,in_port=2,ct_state=+trk,ct_zone=2,tcp,action=1
986 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
988 OVS_START_L7([at_ns1], [http])
990 dnl HTTP requests from p0->p1 should work fine.
991 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
993 dnl (again) HTTP requests from p0->p1 should work fine.
994 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
996 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
997 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
998 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
1001 OVS_TRAFFIC_VSWITCHD_STOP
1004 AT_SETUP([conntrack - multiple namespaces, internal ports])
1006 CHECK_CONNTRACK_LOCAL_STACK()
1007 OVS_TRAFFIC_VSWITCHD_START(
1008 [set-fail-mode br0 secure -- ])
1010 ADD_NAMESPACES(at_ns0, at_ns1)
1012 ADD_INT(p0, at_ns0, br0, "10.1.1.1/24")
1013 ADD_INT(p1, at_ns1, br0, "10.1.1.2/24")
1015 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
1017 dnl If skb->nfct is leaking from inside the namespace, this test will fail.
1018 AT_DATA([flows.txt], [dnl
1019 priority=1,action=drop
1020 priority=10,arp,action=normal
1021 priority=10,icmp,action=normal
1022 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=1),2
1023 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
1024 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
1027 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1029 OVS_START_L7([at_ns1], [http])
1031 dnl HTTP requests from p0->p1 should work fine.
1032 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1034 dnl (again) HTTP requests from p0->p1 should work fine.
1035 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1037 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1038 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1041 OVS_TRAFFIC_VSWITCHD_STOP(["dnl
1042 /ioctl(SIOCGIFINDEX) on .* device failed: No such device/d
1043 /removing policing failed: No such device/d"])
1046 AT_SETUP([conntrack - ct_mark])
1048 OVS_TRAFFIC_VSWITCHD_START()
1050 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1052 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1053 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1054 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1055 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1057 dnl Allow traffic between ns0<->ns1 using the ct_mark.
1058 dnl Check that different marks do not match for traffic between ns2<->ns3.
1059 AT_DATA([flows.txt], [dnl
1060 priority=1,action=drop
1061 priority=10,arp,action=normal
1062 priority=10,icmp,action=normal
1063 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
1064 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1065 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
1066 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:2->ct_mark)),4
1067 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
1068 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
1071 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1073 OVS_START_L7([at_ns1], [http])
1074 OVS_START_L7([at_ns3], [http])
1076 dnl HTTP requests from p0->p1 should work fine.
1077 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1078 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1079 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=<cleared>)
1082 dnl HTTP requests from p2->p3 should fail due to network failure.
1083 dnl Try 3 times, in 1 second intervals.
1084 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
1085 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
1086 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=<cleared>)
1089 OVS_TRAFFIC_VSWITCHD_STOP
1092 AT_SETUP([conntrack - ct_mark bit-fiddling])
1094 OVS_TRAFFIC_VSWITCHD_START()
1096 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1098 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1099 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1101 dnl Allow traffic between ns0<->ns1 using the ct_mark. Return traffic should
1102 dnl cause an additional bit to be set in the connection (and be allowed).
1103 AT_DATA([flows.txt], [dnl
1104 table=0,priority=1,action=drop
1105 table=0,priority=10,arp,action=normal
1106 table=0,priority=10,icmp,action=normal
1107 table=0,priority=100,in_port=1,tcp,action=ct(table=1)
1108 table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x2/0x6->ct_mark))
1109 table=1,in_port=1,ct_state=+new,tcp,action=ct(commit,exec(set_field:0x5/0x5->ct_mark)),2
1110 table=1,in_port=1,ct_state=-new,tcp,action=2
1111 table=1,in_port=2,ct_state=+trk,ct_mark=3,tcp,action=1
1114 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1116 OVS_START_L7([at_ns1], [http])
1118 dnl HTTP requests from p0->p1 should work fine.
1119 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1121 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1122 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=3,protoinfo=(state=<cleared>)
1125 OVS_TRAFFIC_VSWITCHD_STOP
1128 AT_SETUP([conntrack - ct_mark from register])
1130 OVS_TRAFFIC_VSWITCHD_START()
1132 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1134 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1135 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1136 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1137 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1139 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
1140 AT_DATA([flows.txt], [dnl
1141 priority=1,action=drop
1142 priority=10,arp,action=normal
1143 priority=10,icmp,action=normal
1144 priority=100,in_port=1,tcp,action=load:1->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),2
1145 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1146 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
1147 priority=100,in_port=3,tcp,action=load:2->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),4
1148 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
1149 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
1152 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1154 OVS_START_L7([at_ns1], [http])
1155 OVS_START_L7([at_ns3], [http])
1157 dnl HTTP requests from p0->p1 should work fine.
1158 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1159 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1160 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=<cleared>)
1163 dnl HTTP requests from p2->p3 should fail due to network failure.
1164 dnl Try 3 times, in 1 second intervals.
1165 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
1166 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
1167 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=<cleared>)
1170 OVS_TRAFFIC_VSWITCHD_STOP
1173 AT_SETUP([conntrack - ct_label])
1175 OVS_TRAFFIC_VSWITCHD_START()
1177 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1179 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1180 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1181 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1182 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1184 dnl Allow traffic between ns0<->ns1 using the ct_label.
1185 dnl Check that different labels do not match for traffic between ns2<->ns3.
1186 AT_DATA([flows.txt], [dnl
1187 priority=1,action=drop
1188 priority=10,arp,action=normal
1189 priority=10,icmp,action=normal
1190 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:0x0a000d000005000001->ct_label)),2
1191 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1192 priority=100,in_port=2,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=1
1193 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:0x2->ct_label)),4
1194 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
1195 priority=100,in_port=4,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=3
1198 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1200 OVS_START_L7([at_ns1], [http])
1201 OVS_START_L7([at_ns3], [http])
1203 dnl HTTP requests from p0->p1 should work fine.
1204 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1206 dnl HTTP requests from p2->p3 should fail due to network failure.
1207 dnl Try 3 times, in 1 second intervals.
1208 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
1210 OVS_TRAFFIC_VSWITCHD_STOP
1213 AT_SETUP([conntrack - ct_label bit-fiddling])
1215 OVS_TRAFFIC_VSWITCHD_START()
1217 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1219 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1220 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1222 dnl Allow traffic between ns0<->ns1 using the ct_labels. Return traffic should
1223 dnl cause an additional bit to be set in the connection labels (and be allowed)
1224 AT_DATA([flows.txt], [dnl
1225 table=0,priority=1,action=drop
1226 table=0,priority=10,arp,action=normal
1227 table=0,priority=10,icmp,action=normal
1228 table=0,priority=100,in_port=1,tcp,action=ct(table=1)
1229 table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label))
1230 table=1,in_port=1,tcp,ct_state=+new,action=ct(commit,exec(set_field:0x5/0x5->ct_label)),2
1231 table=1,in_port=1,tcp,ct_state=-new,action=2
1232 table=1,in_port=2,ct_state=+trk,ct_label=0x200000001,tcp,action=1
1235 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1237 OVS_START_L7([at_ns1], [http])
1239 dnl HTTP requests from p0->p1 should work fine.
1240 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1242 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1243 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),labels=0x200000001,protoinfo=(state=<cleared>)
1246 OVS_TRAFFIC_VSWITCHD_STOP
1249 AT_SETUP([conntrack - ct metadata, multiple zones])
1251 OVS_TRAFFIC_VSWITCHD_START()
1253 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1255 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1256 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1258 dnl Allow traffic between ns0<->ns1 using the ct_mark and ct_labels in zone=1,
1259 dnl but do *not* set any of these for the ct() in zone=2. Traffic should pass,
1260 dnl and we should see that the conntrack entries only apply the ct_mark and
1261 dnl ct_labels to the connection in zone=1.
1262 AT_DATA([flows.txt], [dnl
1263 table=0,priority=1,action=drop
1264 table=0,priority=10,arp,action=normal
1265 table=0,priority=10,icmp,action=normal
1266 table=0,priority=100,in_port=1,tcp,action=ct(zone=1,table=1)
1267 table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(zone=1,table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label,set_field:0x2/0x6->ct_mark))
1268 table=1,in_port=1,tcp,ct_state=+new,action=ct(zone=1,commit,exec(set_field:0x5/0x5->ct_label,set_field:0x5/0x5->ct_mark)),ct(commit,zone=2),2
1269 table=1,in_port=1,tcp,ct_state=-new,action=ct(zone=2),2
1270 table=1,in_port=2,tcp,action=ct(zone=2),1
1273 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1275 OVS_START_L7([at_ns1], [http])
1277 dnl HTTP requests from p0->p1 should work fine.
1278 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1280 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1281 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,mark=3,labels=0x200000001,protoinfo=(state=<cleared>)
1282 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
1285 OVS_TRAFFIC_VSWITCHD_STOP
1288 AT_SETUP([conntrack - ICMP related])
1289 AT_SKIP_IF([test $HAVE_NC = no])
1291 OVS_TRAFFIC_VSWITCHD_START()
1293 ADD_NAMESPACES(at_ns0, at_ns1)
1295 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1296 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1298 dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
1299 AT_DATA([flows.txt], [dnl
1300 priority=1,action=drop
1301 priority=10,arp,action=normal
1302 priority=100,in_port=1,udp,action=ct(commit,exec(set_field:1->ct_mark)),2
1303 priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
1304 priority=100,in_port=2,icmp,ct_state=+trk+rel,ct_mark=1,action=1
1307 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1309 dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
1310 NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])
1312 AT_CHECK([ovs-appctl revalidator/purge], [0])
1313 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
1314 n_packets=1, n_bytes=44, priority=100,udp,in_port=1 actions=ct(commit,exec(load:0x1->NXM_NX_CT_MARK[[]])),output:2
1315 n_packets=1, n_bytes=72, priority=100,ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2 actions=output:1
1316 n_packets=1, n_bytes=72, priority=100,ct_state=-trk,icmp,in_port=2 actions=ct(table=0)
1317 n_packets=2, n_bytes=84, priority=10,arp actions=NORMAL
1321 OVS_TRAFFIC_VSWITCHD_STOP
1324 AT_SETUP([conntrack - ICMP related 2])
1326 OVS_TRAFFIC_VSWITCHD_START()
1328 ADD_NAMESPACES(at_ns0, at_ns1)
1330 ADD_VETH(p0, at_ns0, br0, "172.16.0.1/24")
1331 ADD_VETH(p1, at_ns1, br0, "172.16.0.2/24")
1333 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
1334 AT_DATA([flows.txt], [dnl
1335 table=0,ip,action=ct(commit,table=1)
1336 table=1,ip,action=controller
1339 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt])
1341 AT_CAPTURE_FILE([ofctl_monitor.log])
1342 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
1344 dnl 1. Send an ICMP port unreach reply for port 8738, without any previous request
1345 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f351ac100004ac1000030303da490000000045000021317040004011b138ac100003ac10000411112222000d20966369616f0a'])
1347 dnl 2. Send a UDP packet to port 5555
1348 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 resubmit\(,0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
1350 dnl 3. Send an ICMP port unreach reply for port 5555, related to the UDP packet sent in step 2
1351 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
1353 dnl Check this output. All three packets reach the controller: the first is marked invalid (no matching connection), the second new, and the third related to the UDP connection.
1354 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
1355 NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=75 ct_state=inv|trk,in_port=2 (via action) data_len=75 (unbuffered)
1356 icmp,vlan_tci=0x0000,dl_src=c6:f5:4e:cb:72:db,dl_dst=f6:4c:47:35:28:c9,nw_src=172.16.0.4,nw_dst=172.16.0.3,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:da49
1357 NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=47 ct_state=new|trk,ct_nw_src=172.16.0.1,ct_nw_dst=172.16.0.2,ct_nw_proto=17,ct_tp_src=41614,ct_tp_dst=5555,in_port=1 (via action) data_len=47 (unbuffered)
1358 udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096
1359 NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=75 ct_state=rel|rpl|trk,ct_nw_src=172.16.0.1,ct_nw_dst=172.16.0.2,ct_nw_proto=17,ct_tp_src=41614,ct_tp_dst=5555,in_port=2 (via action) data_len=75 (unbuffered)
1360 icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f
1363 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(172.16.0.1)], [0], [dnl
1364 udp,orig=(src=172.16.0.1,dst=172.16.0.2,sport=<cleared>,dport=<cleared>),reply=(src=172.16.0.2,dst=172.16.0.1,sport=<cleared>,dport=<cleared>)
1367 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(172.16.0.3)], [0], [dnl
1370 OVS_TRAFFIC_VSWITCHD_STOP
1373 AT_SETUP([conntrack - IPv4 fragmentation])
1375 CHECK_CONNTRACK_FRAG()
1376 OVS_TRAFFIC_VSWITCHD_START()
1378 ADD_NAMESPACES(at_ns0, at_ns1)
1380 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1381 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1383 dnl Sending ping through conntrack
1384 AT_DATA([flows.txt], [dnl
1385 priority=1,action=drop
1386 priority=10,arp,action=normal
1387 priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
1388 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1389 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1392 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1394 dnl Ipv4 fragmentation connectivity check.
1395 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1396 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1399 dnl Ipv4 larger fragmentation connectivity check.
1400 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1401 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1404 OVS_TRAFFIC_VSWITCHD_STOP
1407 AT_SETUP([conntrack - IPv4 fragmentation expiry])
1409 CHECK_CONNTRACK_FRAG()
1410 OVS_TRAFFIC_VSWITCHD_START()
1412 ADD_NAMESPACES(at_ns0, at_ns1)
1414 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1415 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1417 AT_DATA([flows.txt], [dnl
1418 priority=1,action=drop
1419 priority=10,arp,action=normal
1421 dnl Only allow non-fragmented messages and 1st fragments of each message
1422 priority=100,in_port=1,icmp,ip_frag=no,action=ct(commit,zone=9),2
1423 priority=100,in_port=1,icmp,ip_frag=first,action=ct(commit,zone=9),2
1424 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1425 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1428 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1430 dnl Ipv4 fragmentation connectivity check.
1431 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 1 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1432 7 packets transmitted, 0 received, 100% packet loss, time 0ms
1435 OVS_TRAFFIC_VSWITCHD_STOP
1438 AT_SETUP([conntrack - IPv4 fragmentation + vlan])
1440 CHECK_CONNTRACK_FRAG()
1441 OVS_TRAFFIC_VSWITCHD_START()
1443 ADD_NAMESPACES(at_ns0, at_ns1)
1445 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1446 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1447 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
1448 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
1450 dnl Sending ping through conntrack
1451 AT_DATA([flows.txt], [dnl
1452 priority=1,action=drop
1453 priority=10,arp,action=normal
1454 priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
1455 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1456 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1459 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1461 dnl Ipv4 fragmentation connectivity check.
1462 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1463 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1466 dnl Ipv4 larger fragmentation connectivity check.
1467 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1468 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1471 OVS_TRAFFIC_VSWITCHD_STOP
1474 AT_SETUP([conntrack - IPv6 fragmentation])
1476 CHECK_CONNTRACK_FRAG()
1477 OVS_TRAFFIC_VSWITCHD_START()
1479 ADD_NAMESPACES(at_ns0, at_ns1)
1481 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1482 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1484 dnl Sending ping through conntrack
1485 AT_DATA([flows.txt], [dnl
1486 priority=1,action=drop
1487 priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
1488 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1489 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
1490 priority=100,icmp6,icmp_type=135,action=normal
1491 priority=100,icmp6,icmp_type=136,action=normal
1494 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1496 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1497 dnl waiting, we get occasional failures due to the following error:
1498 dnl "connect: Cannot assign requested address"
1499 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1501 dnl Ipv6 fragmentation connectivity check.
1502 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1503 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1506 dnl Ipv6 larger fragmentation connectivity check.
1507 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1508 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1511 OVS_TRAFFIC_VSWITCHD_STOP
1514 AT_SETUP([conntrack - IPv6 fragmentation expiry])
1516 CHECK_CONNTRACK_FRAG()
1517 OVS_TRAFFIC_VSWITCHD_START()
1519 ADD_NAMESPACES(at_ns0, at_ns1)
1521 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1522 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1524 AT_DATA([flows.txt], [dnl
1525 priority=1,action=drop
1527 dnl Only allow non-fragmented messages and 1st fragments of each message
1528 priority=10,in_port=1,ipv6,ip_frag=first,action=ct(commit,zone=9),2
1529 priority=10,in_port=1,ipv6,ip_frag=no,action=ct(commit,zone=9),2
1530 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1531 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
1533 dnl Neighbour Discovery
1534 priority=100,icmp6,icmp_type=135,action=normal
1535 priority=100,icmp6,icmp_type=136,action=normal
1538 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1540 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1541 dnl waiting, we get occasional failures due to the following error:
1542 dnl "connect: Cannot assign requested address"
1543 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1545 dnl Send an IPv6 fragment. Some time later, it should expire.
1546 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 1 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1547 7 packets transmitted, 0 received, 100% packet loss, time 0ms
1550 dnl At this point, the kernel will either crash or everything is OK.
1552 OVS_TRAFFIC_VSWITCHD_STOP
1555 AT_SETUP([conntrack - IPv6 fragmentation + vlan])
1557 CHECK_CONNTRACK_FRAG()
1558 OVS_TRAFFIC_VSWITCHD_START()
1560 ADD_NAMESPACES(at_ns0, at_ns1)
1562 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1563 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1565 ADD_VLAN(p0, at_ns0, 100, "fc00:1::3/96")
1566 ADD_VLAN(p1, at_ns1, 100, "fc00:1::4/96")
1568 dnl Sending ping through conntrack
1569 AT_DATA([flows.txt], [dnl
1570 priority=1,action=drop
1571 priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
1572 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1573 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
1574 priority=100,icmp6,icmp_type=135,action=normal
1575 priority=100,icmp6,icmp_type=136,action=normal
1578 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1580 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1581 dnl waiting, we get occasional failures due to the following error:
1582 dnl "connect: Cannot assign requested address"
1583 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1585 dnl IPv6 fragmentation connectivity check.
1586 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1587 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1590 dnl IPv6 larger fragmentation connectivity check.
1591 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1592 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1595 OVS_TRAFFIC_VSWITCHD_STOP
1598 AT_SETUP([conntrack - Fragmentation over vxlan])
1601 CHECK_CONNTRACK_FRAG()
1603 OVS_TRAFFIC_VSWITCHD_START()
1604 ADD_BR([br-underlay])
1605 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
1607 ADD_NAMESPACES(at_ns0)
1609 dnl Sending ping through conntrack
1610 AT_DATA([flows.txt], [dnl
1611 priority=1,action=drop
1612 priority=10,arp,action=normal
1613 priority=100,in_port=1,icmp,action=ct(commit,zone=9),LOCAL
1614 priority=100,in_port=LOCAL,icmp,action=ct(table=1,zone=9)
1615 table=1,in_port=LOCAL,ct_state=+trk+est,icmp,action=1
1618 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1620 dnl Set up underlay link from host into the namespace using veth pair.
1621 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
1622 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
1623 AT_CHECK([ip link set dev br-underlay up])
1625 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
1626 dnl linux device inside the namespace.
1627 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
1628 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
1629 [id 0 dstport 4789])
1631 dnl First, check the underlay
1632 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
1633 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1636 dnl Okay, now check the overlay with different packet sizes
1637 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1638 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1640 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1641 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1643 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1644 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1647 OVS_TRAFFIC_VSWITCHD_STOP
1650 AT_SETUP([conntrack - IPv6 Fragmentation over vxlan])
1653 CHECK_CONNTRACK_FRAG()
1655 OVS_TRAFFIC_VSWITCHD_START()
1656 ADD_BR([br-underlay])
1657 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
1659 ADD_NAMESPACES(at_ns0)
1661 dnl Sending ping through conntrack
1662 AT_DATA([flows.txt], [dnl
1663 priority=1,action=drop
1664 priority=100,in_port=1,ipv6,action=ct(commit,zone=9),LOCAL
1665 priority=100,in_port=LOCAL,ipv6,action=ct(table=1,zone=9)
1666 table=1,in_port=LOCAL,ct_state=+trk+est,ipv6,action=1
1668 dnl Neighbour Discovery
1669 priority=1000,icmp6,icmp_type=135,action=normal
1670 priority=1000,icmp6,icmp_type=136,action=normal
1673 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1675 dnl Set up underlay link from host into the namespace using veth pair.
1676 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
1677 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
1678 AT_CHECK([ip link set dev br-underlay up])
1680 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
1681 dnl linux device inside the namespace.
1682 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], ["fc00::2/96"])
1683 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], ["fc00::1/96"],
1684 [id 0 dstport 4789])
1686 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1687 dnl waiting, we get occasional failures due to the following error:
1688 dnl "connect: Cannot assign requested address"
1689 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1691 dnl First, check the underlay
1692 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
1693 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1696 dnl Okay, now check the overlay with different packet sizes
1697 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1698 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1700 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1701 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1703 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1704 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1707 OVS_TRAFFIC_VSWITCHD_STOP
1710 AT_SETUP([conntrack - resubmit to ct multiple times])
1713 OVS_TRAFFIC_VSWITCHD_START(
1714 [set-fail-mode br0 secure -- ])
1716 ADD_NAMESPACES(at_ns0, at_ns1)
1718 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1719 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1721 AT_DATA([flows.txt], [dnl
1722 table=0,priority=150,arp,action=normal
1723 table=0,priority=100,ip,in_port=1,action=resubmit(,1),resubmit(,2)
1725 table=1,ip,action=ct(table=3)
1726 table=2,ip,action=ct(table=3)
1728 table=3,ip,action=drop
1731 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1733 NS_CHECK_EXEC([at_ns0], [ping -q -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
1734 1 packets transmitted, 0 received, 100% packet loss, time 0ms
1737 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort], [0], [dnl
1738 n_packets=1, n_bytes=98, priority=100,ip,in_port=1 actions=resubmit(,1),resubmit(,2)
1739 n_packets=2, n_bytes=84, priority=150,arp actions=NORMAL
1740 table=1, n_packets=1, n_bytes=98, ip actions=ct(table=3)
1741 table=2, n_packets=1, n_bytes=98, ip actions=ct(table=3)
1742 table=3, n_packets=2, n_bytes=196, ip actions=drop
1746 OVS_TRAFFIC_VSWITCHD_STOP
1749 AT_BANNER([conntrack - L7])
1751 AT_SETUP([conntrack - IPv4 HTTP])
1753 OVS_TRAFFIC_VSWITCHD_START()
1755 ADD_NAMESPACES(at_ns0, at_ns1)
1757 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1758 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1760 dnl Allow any TCP traffic from ns0->ns1. Only allow ARP, ICMP and established return traffic from ns1->ns0.
1761 AT_DATA([flows.txt], [dnl
1762 priority=1,action=drop
1763 priority=10,arp,action=normal
1764 priority=10,icmp,action=normal
1765 priority=100,in_port=1,tcp,action=ct(commit),2
1766 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1767 priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
1770 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1772 OVS_START_L7([at_ns0], [http])
1773 OVS_START_L7([at_ns1], [http])
1775 dnl HTTP requests from ns0->ns1 should work fine.
1776 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1777 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1778 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
1781 dnl HTTP requests from ns1->ns0 should fail due to network failure.
1782 dnl Try 3 times, in 1 second intervals.
1783 NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 --retry-connrefused -v -o wget1.log], [4])
1785 OVS_TRAFFIC_VSWITCHD_STOP
1788 AT_SETUP([conntrack - IPv6 HTTP])
1790 OVS_TRAFFIC_VSWITCHD_START()
1792 ADD_NAMESPACES(at_ns0, at_ns1)
1794 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1795 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1797 dnl Allow any TCP traffic from ns0->ns1. Only allow ICMPv6 (neighbour discovery) and established return traffic from ns1->ns0.
1798 AT_DATA([flows.txt], [dnl
1799 priority=1,action=drop
1800 priority=10,icmp6,action=normal
1801 priority=100,in_port=1,tcp6,action=ct(commit),2
1802 priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
1803 priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
1806 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1808 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1809 dnl waiting, we get occasional failures due to the following error:
1810 dnl "connect: Cannot assign requested address"
1811 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1813 OVS_START_L7([at_ns0], [http6])
1814 OVS_START_L7([at_ns1], [http6])
1816 dnl HTTP requests from ns0->ns1 should work fine.
1817 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1818 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
1819 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
1822 dnl HTTP requests from ns1->ns0 should fail due to network failure.
1823 dnl Try 3 times, in 1 second intervals.
1824 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 --retry-connrefused -v -o wget1.log], [4])
1826 OVS_TRAFFIC_VSWITCHD_STOP
1829 AT_SETUP([conntrack - commit, recirc])
1831 OVS_TRAFFIC_VSWITCHD_START()
1833 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1835 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1836 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1837 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1838 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1840 dnl Allow any traffic from ns0->ns1, ns2->ns3.
1841 AT_DATA([flows.txt], [dnl
1842 priority=1,action=drop
1843 priority=10,arp,action=normal
1844 priority=10,icmp,action=normal
1845 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
1846 priority=100,in_port=1,tcp,ct_state=+trk,action=2
1847 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
1848 priority=100,in_port=2,tcp,ct_state=+trk,action=1
1849 priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
1850 priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
1851 priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
1852 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
1853 priority=100,in_port=4,tcp,ct_state=+trk,action=3
1856 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1858 OVS_START_L7([at_ns1], [http])
1859 OVS_START_L7([at_ns3], [http])
1861 dnl HTTP requests from p0->p1 should work fine.
1862 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1864 dnl HTTP requests from p2->p3 should work fine.
1865 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
1867 OVS_TRAFFIC_VSWITCHD_STOP
1870 AT_SETUP([conntrack - multiple zones, local])
1872 CHECK_CONNTRACK_LOCAL_STACK()
1873 OVS_TRAFFIC_VSWITCHD_START()
1875 ADD_NAMESPACES(at_ns0)
1877 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
1878 AT_CHECK([ip link set dev br0 up])
1879 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
1880 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
1882 dnl Allow traffic from local stack to ns0. Only allow ARP and established
1883 dnl return traffic from ns0 back to the local stack.
1884 AT_DATA([flows.txt], [dnl
1885 priority=1,action=drop
1886 priority=10,arp,action=normal
1887 priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
1888 priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
1889 priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
1890 priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
1891 table=1,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
1892 table=2,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
1895 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1897 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1898 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1901 OVS_START_L7([at_ns0], [http])
1903 dnl HTTP requests from root namespace to p0 should work fine.
1904 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1906 dnl (again) HTTP requests from root namespace to p0 should work fine.
1907 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1909 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
1910 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=1
1911 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=2
1912 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1913 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
1916 OVS_TRAFFIC_VSWITCHD_STOP
1919 AT_SETUP([conntrack - multi-stage pipeline, local])
1921 CHECK_CONNTRACK_LOCAL_STACK()
1922 OVS_TRAFFIC_VSWITCHD_START()
1924 ADD_NAMESPACES(at_ns0)
1926 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
1927 AT_CHECK([ip link set dev br0 up])
1928 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
1929 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
1931 dnl Allow traffic from local stack to ns0. Only allow ARP and established
1932 dnl return traffic from ns0 back to the local stack.
1933 AT_DATA([flows.txt], [dnl
1935 table=0,priority=1,action=drop
1936 table=0,priority=10,arp,action=normal
1938 dnl Load the output port to REG0
1939 table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
1940 table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1
1942 dnl Ingress pipeline
1943 dnl - Allow all connections from LOCAL port (commit and proceed to egress)
1944 dnl - All other connections go through conntracker using the input port as
1945 dnl a connection tracking zone.
1946 table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2
1947 table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
1948 table=1,priority=1,action=drop
1951 dnl - Allow all connections from LOCAL port (commit and skip to output)
1952 dnl - Allow other established connections to go through conntracker using
1953 dnl output port as a connection tracking zone.
1954 table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4
1955 table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
1956 table=2,priority=1,action=drop
1958 dnl Only allow established traffic from egress ct lookup
1959 table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
1960 table=3,priority=1,action=drop
1963 table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
1966 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1968 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1969 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1972 OVS_START_L7([at_ns0], [http])
1974 dnl HTTP requests from root namespace to p0 should work fine.
1975 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1977 dnl (again) HTTP requests from root namespace to p0 should work fine.
1978 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1980 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
1981 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=1
1982 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=65534
1983 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1984 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=65534,protoinfo=(state=<cleared>)
1987 OVS_TRAFFIC_VSWITCHD_STOP
1990 AT_SETUP([conntrack - FTP])
1991 AT_SKIP_IF([test $HAVE_FTP = no])
1993 CHECK_CONNTRACK_ALG()
1994 OVS_TRAFFIC_VSWITCHD_START()
1996 ADD_NAMESPACES(at_ns0, at_ns1)
1998 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1999 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2001 dnl Allow any TCP traffic from ns0->ns1 (tracked with the FTP ALG). Only allow ARP, ICMP, and established or related return traffic from ns1->ns0.
2002 AT_DATA([flows1.txt], [dnl
2003 table=0,priority=1,action=drop
2004 table=0,priority=10,arp,action=normal
2005 table=0,priority=10,icmp,action=normal
2006 table=0,priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
2007 table=0,priority=100,in_port=2,tcp,action=ct(table=1)
2008 table=1,in_port=2,tcp,ct_state=+trk+est,action=1
2009 table=1,in_port=2,tcp,ct_state=+trk+rel,action=1
2012 dnl Similar policy but without allowing all traffic from ns0->ns1.
2013 AT_DATA([flows2.txt], [dnl
2014 table=0,priority=1,action=drop
2015 table=0,priority=10,arp,action=normal
2016 table=0,priority=10,icmp,action=normal
2018 dnl Allow outgoing TCP connections, and treat them as FTP
2019 table=0,priority=100,in_port=1,tcp,action=ct(table=1)
2020 table=1,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
2021 table=1,in_port=1,tcp,ct_state=+trk+est,action=2
2023 dnl Allow incoming FTP data connections and responses to existing connections
2024 table=0,priority=100,in_port=2,tcp,action=ct(table=1)
2025 table=1,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
2026 table=1,in_port=2,tcp,ct_state=+trk+est,action=1
2027 table=1,in_port=2,tcp,ct_state=+trk-new+rel,action=1
2030 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
2032 OVS_START_L7([at_ns0], [ftp])
2033 OVS_START_L7([at_ns1], [ftp])
2035 dnl FTP requests from p1->p0 should fail due to network failure.
2036 dnl Try 3 times, in 1 second intervals.
2037 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
2038 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
2041 dnl FTP requests from p0->p1 should work fine.
2042 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2043 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2044 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
2047 dnl Try the second set of flows.
2048 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
2049 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
2051 dnl FTP requests from p1->p0 should fail due to network failure.
2052 dnl Try 3 times, in 1 second intervals.
2053 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
2054 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
2057 dnl Active FTP requests from p0->p1 should work fine.
2058 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log])
2059 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2060 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
2061 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2064 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
2066 dnl Passive FTP requests from p0->p1 should work fine.
2067 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log])
2068 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2069 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
2072 OVS_TRAFFIC_VSWITCHD_STOP
2075 AT_SETUP([conntrack - FTP over IPv6])
2076 AT_SKIP_IF([test $HAVE_FTP = no])
2078 CHECK_CONNTRACK_ALG()
2079 OVS_TRAFFIC_VSWITCHD_START()
2081 ADD_NAMESPACES(at_ns0, at_ns1)
2083 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
2084 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
2086 dnl Allow new FTP control connections and established traffic from ns0->ns1.
2087 dnl Only allow ICMPv6, related and established return traffic from ns1->ns0.
2088 AT_DATA([flows.txt], [dnl
2089 dnl Track all IPv6 traffic and drop the rest.
2090 dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked.
2091 table=0 priority=100 in_port=1 icmp6, action=2
2092 table=0 priority=100 in_port=2 icmp6, action=1
2093 table=0 priority=10 ip6, action=ct(table=1)
2094 table=0 priority=0 action=drop
2098 dnl Allow new TCPv6 FTP control connections from port 1.
2099 table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
2100 dnl Allow related TCPv6 connections from port 2.
2101 table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1
2102 dnl Allow established TCPv6 connections both ways.
2103 table=1 in_port=1 ct_state=+est, tcp6, action=2
2104 table=1 in_port=2 ct_state=+est, tcp6, action=1
2105 dnl Drop everything else.
2106 table=1 priority=0, action=drop
2109 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2111 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
2112 dnl waiting, we get occasional failures due to the following error:
2113 dnl "connect: Cannot assign requested address"
2114 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
2116 OVS_START_L7([at_ns1], [ftp])
2118 dnl FTP requests from p0->p1 should work fine.
2119 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
2121 dnl Discards CLOSE_WAIT and CLOSING
2122 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
2123 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
2124 tcp,orig=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2127 OVS_TRAFFIC_VSWITCHD_STOP
2130 AT_SETUP([conntrack - FTP with multiple expectations])
2131 AT_SKIP_IF([test $HAVE_FTP = no])
2133 CHECK_CONNTRACK_ALG()
2134 OVS_TRAFFIC_VSWITCHD_START()
2136 ADD_NAMESPACES(at_ns0, at_ns1)
2138 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2139 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2141 dnl Dual-firewall (zones 1 and 2): allow all TCP from ns0->ns1, allow established and FTP-related traffic from ns1->ns0.
2142 AT_DATA([flows.txt], [dnl
2143 table=0,priority=1,action=drop
2144 table=0,priority=10,arp,action=normal
2145 table=0,priority=10,icmp,action=normal
2147 dnl Traffic from ns0 (port 1)
2148 table=0,priority=100,in_port=1,tcp,action=ct(table=1,zone=1)
2149 table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new-rel,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
2150 table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new+rel,action=ct(commit,zone=1),ct(commit,zone=2),2
2151 table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=2,zone=2)
2152 table=2,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
2154 dnl Traffic from ns1 (port 2)
2155 table=0,priority=100,in_port=2,tcp,action=ct(table=1,zone=2)
2156 table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
2157 table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=2,zone=1)
2158 table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
2159 table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
2162 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2164 OVS_START_L7([at_ns0], [ftp])
2165 OVS_START_L7([at_ns1], [ftp])
2167 dnl FTP requests from p1->p0 should fail due to network failure.
2168 dnl Try 3 times, in 1 second intervals.
2169 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
2170 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
2173 dnl Active FTP requests from p0->p1 should work fine.
2174 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2175 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2176 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
2177 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
2178 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2179 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
2182 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
2184 dnl Passive FTP requests from p0->p1 should work fine.
2185 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2186 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2187 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2188 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
2189 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
2190 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
2193 OVS_TRAFFIC_VSWITCHD_STOP
2196 AT_SETUP([conntrack - TFTP])
2197 AT_SKIP_IF([test $HAVE_TFTP = no])
2199 CHECK_CONNTRACK_ALG()
2200 OVS_TRAFFIC_VSWITCHD_START()
2202 ADD_NAMESPACES(at_ns0, at_ns1)
2204 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2205 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2207 dnl Allow any UDP traffic from ns0->ns1 (tracked with the TFTP ALG). Only allow ARP, ICMP, and established or related return traffic from ns1->ns0.
2208 AT_DATA([flows1.txt], [dnl
2209 table=0,priority=1,action=drop
2210 table=0,priority=10,arp,action=normal
2211 table=0,priority=10,icmp,action=normal
2212 table=0,priority=100,in_port=1,udp,action=ct(alg=tftp,commit),2
2213 table=0,priority=100,in_port=2,udp,action=ct(table=1)
2214 table=1,in_port=2,udp,ct_state=+trk+est,action=1
2215 table=1,in_port=2,udp,ct_state=+trk+rel,action=1
2218 dnl Similar policy but without allowing all traffic from ns0->ns1.
2219 AT_DATA([flows2.txt], [dnl
2220 table=0,priority=1,action=drop
2221 table=0,priority=10,arp,action=normal
2222 table=0,priority=10,icmp,action=normal
2224 dnl Allow outgoing UDP connections, and treat them as TFTP
2225 table=0,priority=100,in_port=1,udp,action=ct(table=1)
2226 table=1,in_port=1,udp,ct_state=+trk+new-rel,action=ct(commit,alg=tftp),2
2227 table=1,in_port=1,udp,ct_state=+trk+new+rel,action=ct(commit),2
2228 table=1,in_port=1,udp,ct_state=+trk+est,action=2
2230 dnl Allow incoming TFTP data connections and responses to existing connections
2231 table=0,priority=100,in_port=2,udp,action=ct(table=1)
2232 table=1,in_port=2,udp,ct_state=+trk+est,action=1
2233 table=1,in_port=2,udp,ct_state=+trk+new+rel,action=1
2236 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
2238 OVS_START_L7([at_ns0], [tftp])
2239 OVS_START_L7([at_ns1], [tftp])
2241 dnl TFTP requests from p1->p0 should fail due to network failure.
2242 NS_CHECK_EXEC([at_ns1], [[curl $CURL_OPT tftp://10.1.1.1/flows1.txt -o foo 2>curl0.log]], [28])
2243 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
2246 dnl TFTP requests from p0->p1 should work fine.
2247 NS_CHECK_EXEC([at_ns0], [[curl $CURL_OPT tftp://10.1.1.2/flows1.txt -o foo 2>curl1.log]])
2248 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2249 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),helper=tftp
2252 dnl Try the second set of flows.
2253 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
2254 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
2256 dnl TFTP requests from p1->p0 should fail due to network failure.
2257 NS_CHECK_EXEC([at_ns1], [[curl $CURL_OPT tftp://10.1.1.1/flows1.txt -o foo 2>curl2.log]], [28])
2258 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
2261 dnl TFTP requests from p0->p1 should work fine.
2262 NS_CHECK_EXEC([at_ns0], [[curl $CURL_OPT tftp://10.1.1.2/flows1.txt -o foo 2>curl3.log]])
2263 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2264 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),helper=tftp
2267 OVS_TRAFFIC_VSWITCHD_STOP
2270 AT_BANNER([conntrack - NAT])
2272 AT_SETUP([conntrack - simple SNAT])
2274 CHECK_CONNTRACK_NAT()
2275 OVS_TRAFFIC_VSWITCHD_START()
2277 ADD_NAMESPACES(at_ns0, at_ns1)
2279 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2280 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2281 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2283 dnl Allow any IP traffic from ns0->ns1, source-NATed into 10.1.1.240-10.1.1.255 in zone 1; traffic from ns1->ns0 is un-NATed by the zone 1 lookup. ARP for the NAT range is answered by the ARP responder below. Note that the in_port=2 forwarding rule matches ct_state=+trk only (not +est), so this policy does not restrict ns1->ns0 to reply traffic.
2284 AT_DATA([flows.txt], [dnl
2285 in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
2286 in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)
2287 in_port=2,ct_state=+trk,ct_zone=1,ip,action=1
2290 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2291 priority=10 arp action=normal
2292 priority=0,action=drop
2294 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2295 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2296 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2297 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2299 dnl Swaps the fields of the ARP message to turn a query to a response.
2300 table=10 priority=100 arp xreg0=0 action=normal
2301 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2302 table=10 priority=0 action=drop
2305 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2307 dnl HTTP requests from p0->p1 should work fine.
2308 OVS_START_L7([at_ns1], [http])
2309 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
2311 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
2312 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2315 OVS_TRAFFIC_VSWITCHD_STOP
2318 AT_SETUP([conntrack - SNAT with ct_mark change on reply])
2320 CHECK_CONNTRACK_NAT()
2321 OVS_TRAFFIC_VSWITCHD_START()
2323 ADD_NAMESPACES(at_ns0, at_ns1)
2325 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2326 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2327 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2329 dnl Allow any IP traffic from ns0->ns1, source-NATed into 10.1.1.240-10.1.1.255 in zone 1. Only allow ARP and reply traffic (ct_state=+rpl, ct_mark=1) from ns1->ns0.
2330 AT_DATA([flows.txt], [dnl
2331 in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
2332 in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)
2334 dnl Setting the mark fails if the datapath can't find the existing conntrack
2335 dnl entry after NAT has been reversed and the skb was lost due to an upcall.
2337 in_port=2,ct_state=+trk,ct_zone=1,ip,action=ct(table=1,commit,zone=1,exec(set_field:1->ct_mark)),1
2338 table=1,in_port=2,ct_mark=1,ct_state=+rpl,ct_zone=1,ip,action=1
2341 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2342 priority=10 arp action=normal
2343 priority=0,action=drop
2345 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2346 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2347 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2348 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2350 dnl Swaps the fields of the ARP message to turn a query to a response.
2351 table=10 priority=100 arp xreg0=0 action=normal
2352 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2353 table=10 priority=0 action=drop
2356 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2358 dnl HTTP requests from p0->p1 should work fine.
2359 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
2360 NS_CHECK_EXEC([at_ns0], [ping -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
2361 1 packets transmitted, 1 received, 0% packet loss, time 0ms
2364 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
2365 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.2XX,id=<cleared>,type=0,code=0),zone=1,mark=1
2368 OVS_TRAFFIC_VSWITCHD_STOP
2371 AT_SETUP([conntrack - SNAT with port range])
dnl Verifies SNAT with both an address range and a two-port source port range;
dnl the port is picked at random from 34567-34568.
2373 CHECK_CONNTRACK_NAT()
2374 OVS_TRAFFIC_VSWITCHD_START()
2376 ADD_NAMESPACES(at_ns0, at_ns1)
2378 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0; table 8 answers ARP for the SNAT range with this address.
2379 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2380 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2382 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
2383 AT_DATA([flows.txt], [dnl
2384 in_port=1,tcp,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255:34567-34568,random)),2
dnl Only untracked TCP aimed at one of the two NAT ports is reverse-NATted.
dnl Untracked TCP to any other port, and non-TCP IP traffic from port 2,
dnl matches nothing above priority 0 and is dropped.
2385 in_port=2,ct_state=-trk,tcp,tp_dst=34567,action=ct(table=0,zone=1,nat)
2386 in_port=2,ct_state=-trk,tcp,tp_dst=34568,action=ct(table=0,zone=1,nat)
2387 in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
dnl ARP requests for the SNAT range are answered by the switch (tables 8, 10).
2390 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2391 priority=10 arp action=normal
2392 priority=0,action=drop
2394 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2395 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2396 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2397 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2399 dnl Swaps the fields of the ARP message to turn a query to a response.
2400 table=10 priority=100 arp xreg0=0 action=normal
2401 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2402 table=10 priority=0 action=drop
2405 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2407 dnl HTTP requests from p0->p1 should work fine.
2408 OVS_START_L7([at_ns1], [http])
2409 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The sed masks which address of the SNAT range was chosen; the chosen
dnl port is not visible either, ports show as <cleared> in the expected output.
2411 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
2412 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2415 OVS_TRAFFIC_VSWITCHD_STOP
2419 AT_SETUP([conntrack - more complex SNAT])
dnl Same SNAT range as the tests above, but with a two-stage pipeline: table 0
dnl tracks (and reverse-NATs) every IP packet, table 1 decides by ct_state.
2421 CHECK_CONNTRACK_NAT()
2422 OVS_TRAFFIC_VSWITCHD_START()
2424 ADD_NAMESPACES(at_ns0, at_ns1)
2426 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0; table 8 answers ARP for the SNAT range with this address.
2427 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2428 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2430 AT_DATA([flows.txt], [dnl
2431 dnl Track all IP traffic, NAT existing connections.
2432 priority=100 ip action=ct(table=1,zone=1,nat)
2434 dnl Allow ARP, but generate responses for NATed addresses
2435 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2436 priority=10 arp action=normal
2437 priority=0 action=drop
2439 dnl Allow any traffic from ns0->ns1. SNAT ns0 to 10.1.1.240-10.1.1.255
2440 table=1 priority=100 in_port=1 ip ct_state=+trk+new-est action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
2441 table=1 priority=100 in_port=1 ip ct_state=+trk-new+est action=2
2442 dnl Only allow established traffic from ns1->ns0.
2443 table=1 priority=100 in_port=2 ip ct_state=+trk-new+est action=1
dnl New connections from port 2, and anything tracked that is neither new nor
dnl established (related or invalid, for instance), match nothing above and
dnl are dropped here.
2444 table=1 priority=0 action=drop
2446 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2447 table=8 priority=100 reg2=0x0a0101f0/0xfffffff0 action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2448 dnl Zero result means not found.
2449 table=8 priority=0 action=load:0->OXM_OF_PKT_REG0[[]]
2450 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2451 dnl ARP TPA IP in reg2.
2452 table=10 priority=100 arp xreg0=0 action=normal
2453 dnl Swaps the fields of the ARP message to turn a query to a response.
2454 table=10 priority=10 arp arp_op=1 action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2455 table=10 priority=0 action=drop
2458 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2460 dnl HTTP requests from p0->p1 should work fine.
2461 OVS_START_L7([at_ns1], [http])
2462 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The sed masks which address of the SNAT range was chosen.
2464 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
2465 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2468 OVS_TRAFFIC_VSWITCHD_STOP
2471 AT_SETUP([conntrack - simple DNAT])
dnl Verifies DNAT of a virtual address (10.1.1.64) to the real host 10.1.1.2,
dnl while direct traffic to 10.1.1.2 is still tracked without NAT.
2473 CHECK_CONNTRACK_NAT()
2474 OVS_TRAFFIC_VSWITCHD_START()
2476 ADD_NAMESPACES(at_ns0, at_ns1)
2478 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2479 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Fixed MAC for p1; table 8 answers ARP for the virtual address with it.
2480 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
2482 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
2483 AT_DATA([flows.txt], [dnl
dnl Traffic for the virtual address is committed with its destination rewritten.
2484 priority=100 in_port=1,ip,nw_dst=10.1.1.64,action=ct(zone=1,nat(dst=10.1.1.2),commit),2
dnl Other traffic from port 1 is committed as-is, without NAT (exercised by
dnl the second wget below).
2485 priority=10 in_port=1,ip,action=ct(commit,zone=1),2
2486 priority=100 in_port=2,ct_state=-trk,ip,action=ct(table=0,nat,zone=1)
2487 priority=100 in_port=2,ct_state=+trk+est,ct_zone=1,ip,action=1
dnl ARP requests for the virtual address are answered by the switch (tables 8, 10).
2490 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2491 priority=10 arp action=normal
2492 priority=0,action=drop
2494 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl Exact match on 10.1.1.64 (0x0a010140), the virtual address above.
2495 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2496 dnl Zero result means not found.
2497 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2498 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2500 table=10 priority=100 arp xreg0=0 action=normal
2501 dnl Swaps the fields of the ARP message to turn a query to a response.
2502 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2503 table=10 priority=0 action=drop
2506 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2508 dnl Should work with the virtual IP address through NAT
2509 OVS_START_L7([at_ns1], [http])
2510 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The reply tuple shows the real server address, confirming the DNAT mapping.
2512 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
2513 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2516 dnl Should work with the assigned IP address as well
2517 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2519 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2520 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2523 OVS_TRAFFIC_VSWITCHD_STOP
2526 AT_SETUP([conntrack - more complex DNAT])
dnl Same virtual-address DNAT as the simple test, but with a two-stage
dnl pipeline: table 0 tracks (and reverse-NATs) every IP packet, table 1
dnl decides by ct_state.
2528 CHECK_CONNTRACK_NAT()
2529 OVS_TRAFFIC_VSWITCHD_START()
2531 ADD_NAMESPACES(at_ns0, at_ns1)
2533 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2534 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Fixed MAC for p1; table 8 answers ARP for the virtual address with it.
2535 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
2537 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
2538 AT_DATA([flows.txt], [dnl
2539 dnl Track all IP traffic
2540 table=0 priority=100 ip action=ct(table=1,zone=1,nat)
2542 dnl Allow ARP, but generate responses for NATed addresses
2543 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2544 table=0 priority=10 arp action=normal
2545 table=0 priority=0 action=drop
2547 dnl Allow any IP traffic from ns0->ns1. DNAT ns0 from 10.1.1.64 to 10.1.1.2
2548 table=1 priority=100 in_port=1 ct_state=+new ip nw_dst=10.1.1.64 action=ct(zone=1,nat(dst=10.1.1.2),commit),2
dnl New connections to any other destination are committed without NAT.
2549 table=1 priority=10 in_port=1 ct_state=+new ip action=ct(commit,zone=1),2
2550 table=1 priority=100 in_port=1 ct_state=+est ct_zone=1 action=2
2551 dnl Only allow established traffic from ns1->ns0.
2552 table=1 priority=100 in_port=2 ct_state=+est ct_zone=1 action=1
dnl Non-established traffic from port 2, and anything else not matched above,
dnl is dropped here.
2553 table=1 priority=0 action=drop
2555 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl Exact match on 10.1.1.64 (0x0a010140), the virtual address above.
2556 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2557 dnl Zero result means not found.
2558 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2559 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2561 table=10 priority=100 arp xreg0=0 action=normal
2562 dnl Swaps the fields of the ARP message to turn a query to a response.
2563 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2564 table=10 priority=0 action=drop
2567 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2569 dnl Should work with the virtual IP address through NAT
2570 OVS_START_L7([at_ns1], [http])
2571 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The reply tuple shows the real server address, confirming the DNAT mapping.
2573 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
2574 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2577 dnl Should work with the assigned IP address as well
2578 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2580 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2581 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2584 OVS_TRAFFIC_VSWITCHD_STOP
2587 AT_SETUP([conntrack - ICMP related with NAT])
dnl Verifies that an ICMP error triggered by a SNATted UDP datagram is treated
dnl as related to that connection and is reverse-NATted on its way back.
dnl No zone is given in this test, so the entry lands in the default zone
dnl (the dump at the end shows no zone= field).
2588 AT_SKIP_IF([test $HAVE_NC = no])
2590 CHECK_CONNTRACK_NAT()
2591 OVS_TRAFFIC_VSWITCHD_START()
2593 ADD_NAMESPACES(at_ns0, at_ns1)
2595 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0; table 8 answers ARP for the SNAT range with this address.
2596 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2597 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2599 dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
2600 dnl Make sure ICMP responses are reverse-NATted.
2601 AT_DATA([flows.txt], [dnl
2602 in_port=1,udp,action=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:1->ct_mark)),2
2603 in_port=2,icmp,ct_state=-trk,action=ct(table=0,nat)
dnl After reverse NAT the error must be related to the marked UDP entry and
dnl carry the restored original source (10.1.1.1) as its destination.
2604 in_port=2,icmp,nw_dst=10.1.1.1,ct_state=+trk+rel,ct_mark=1,action=1
dnl ARP requests for the SNAT range are answered by the switch (tables 8, 10).
2607 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2608 priority=10 arp action=normal
2609 priority=0,action=drop
2611 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2612 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2613 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2614 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2616 dnl Swaps the fields of the ARP message to turn a query to a response.
2617 table=10 priority=100 arp xreg0=0 action=normal
2618 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2619 table=10 priority=0 action=drop
2622 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2624 dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
dnl One datagram to a port nobody listens on is enough to provoke the error.
2625 NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])
dnl Purge datapath flows so that the n_packets counters checked below are
dnl up to date.
2627 AT_CHECK([ovs-appctl revalidator/purge], [0])
dnl The drop rules are filtered out; every remaining rule must show the
dnl expected packet count, which proves the ICMP error took the +rel path.
2628 AT_CHECK([ovs-ofctl -O OpenFlow15 dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
2629 n_packets=1, n_bytes=42, priority=10,arp actions=NORMAL
2630 n_packets=1, n_bytes=44, udp,in_port=1 actions=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:0x1->ct_mark)),output:2
2631 n_packets=1, n_bytes=72, ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2,nw_dst=10.1.1.1 actions=output:1
2632 n_packets=1, n_bytes=72, ct_state=-trk,icmp,in_port=2 actions=ct(table=0,nat)
2633 n_packets=2, n_bytes=84, priority=100,arp,arp_op=1 actions=move:NXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2634 table=10, n_packets=1, n_bytes=42, priority=10,arp,arp_op=1 actions=set_field:2->arp_op,move:NXM_NX_ARP_SHA[[]]->NXM_NX_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_NX_ARP_SHA[[]],move:NXM_OF_ARP_SPA[[]]->NXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->NXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],set_field:0->in_port,output:NXM_NX_REG3[[0..15]]
2635 table=10, n_packets=1, n_bytes=42, priority=100,arp,reg0=0,reg1=0 actions=NORMAL
2636 table=8, n_packets=1, n_bytes=42, priority=0 actions=set_field:0->xreg0
2637 table=8, n_packets=1, n_bytes=42, reg2=0xa0101f0/0xfffffff0 actions=set_field:0x808888888888->xreg0
2638 OFPST_FLOW reply (OF1.5):
dnl The sed masks which address of the SNAT range was chosen.
2641 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
2642 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),mark=1
2645 OVS_TRAFFIC_VSWITCHD_STOP
2648 dnl CHECK_FTP_NAT(TITLE, IP_ADDR, FLOWS, CT_DUMP)
2650 dnl Checks the implementation of conntrack with FTP ALGs in combination with
2651 dnl NAT, using the provided flow table.
dnl TITLE is appended to the test name, FLOWS is the complete flow table
dnl loaded into br0, and CT_DUMP is the expected set of conntrack entries
dnl involving 10.1.1.2. IP_ADDR is not referenced in the body below; callers
dnl embed the NAT address in FLOWS and CT_DUMP themselves.
2652 m4_define([CHECK_FTP_NAT],
2653 [AT_SETUP([conntrack - FTP NAT $1])
2654 AT_SKIP_IF([test $HAVE_FTP = no])
2656 CHECK_CONNTRACK_NAT()
2658 OVS_TRAFFIC_VSWITCHD_START()
2660 ADD_NAMESPACES(at_ns0, at_ns1)
2662 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0; the flow tables passed in answer ARP for the NAT address
dnl with this address.
2663 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2664 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2666 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
2667 AT_DATA([flows.txt], [$3])
2669 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2671 OVS_START_L7([at_ns1], [ftp])
2673 dnl FTP requests from p0->p1 should work fine.
dnl Active mode (--no-passive-ftp) makes the server open the data connection
dnl towards the client, so the second entry expected by callers is originated
dnl by 10.1.1.2; the callers' flow tables accept it only as a related (+rel)
dnl connection, which is what exercises the ALG.
2674 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
2676 dnl Discards CLOSE_WAIT and CLOSING
2677 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [$4])
2679 OVS_TRAFFIC_VSWITCHD_STOP
2682 dnl CHECK_FTP_NAT_PRE_RECIRC(TITLE, IP_ADDR, IP_ADDR_AS_HEX)
2684 dnl Checks the implementation of conntrack with FTP ALGs in combination with
2685 dnl NAT, with flow tables that implement the NATing as part of handling of
2686 dnl initial incoming packets - ie, the first flow is ct(nat,table=foo).
2688 dnl IP_ADDR must specify the NAT address in standard "10.1.1.x" format,
2689 dnl and IP_ADDR_AS_HEX must specify the same address as hex, eg 0x0a0101xx.
2690 m4_define([CHECK_FTP_NAT_PRE_RECIRC], [dnl
2691 CHECK_FTP_NAT([prerecirc $1], [$2], [dnl
2692 dnl track all IP traffic, de-mangle non-NEW connections
dnl Each direction gets its own table so that the rules below can assume
dnl the port a packet came in on.
2693 table=0 in_port=1, ip, action=ct(table=1,nat)
2694 table=0 in_port=2, ip, action=ct(table=2,nat)
dnl Allow ARP, but generate responses for the NAT address (tables 8 and 10).
2698 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2699 table=0 priority=10 arp action=normal
2700 table=0 priority=0 action=drop
2702 dnl Table 1: port 1 -> 2
2704 dnl Allow new FTP connections. These need to be committed.
dnl alg=ftp attaches the FTP helper (helper=ftp in the expected dump) so the
dnl data connection announced on the control channel can be recognised as
dnl related later. Only the test client, nw_src=10.1.1.1, may open one.
2705 table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, action=ct(alg=ftp,commit,nat(src=$2)),2
2706 dnl Allow established TCP connections, make sure they are NATted already.
2707 table=1 ct_state=+est, tcp, nw_src=$2, action=2
2709 dnl Table 1: droppers
2711 table=1 priority=10, tcp, action=drop
2712 table=1 priority=0,action=drop
2714 dnl Table 2: port 2 -> 1
2716 dnl Allow established TCP connections, make sure they are reverse NATted
2717 table=2 ct_state=+est, tcp, nw_dst=10.1.1.1, action=1
2718 dnl Allow (new) related (data) connections. These need to be committed.
dnl Matching on nw_dst with the NAT address checks that the server really
dnl connects back to the translated address, not to the client directly.
2719 table=2 ct_state=+new+rel, tcp, nw_dst=$2, action=ct(commit,nat),1
2720 dnl Allow related ICMP packets, make sure they are reverse NATted
2721 table=2 ct_state=+rel, icmp, nw_dst=10.1.1.1, action=1
2723 dnl Table 2: droppers
2725 table=2 priority=10, tcp, action=drop
2726 table=2 priority=0, action=drop
2728 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl Exact match on the NAT address given as IP_ADDR_AS_HEX.
2730 table=8,reg2=$3/0xffffffff,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2731 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2732 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2734 dnl Swaps the fields of the ARP message to turn a query to a response.
2735 table=10 priority=100 arp xreg0=0 action=normal
2736 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2737 table=10 priority=0 action=drop
2739 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
2740 tcp,orig=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2744 dnl Check that ct(nat,table=foo) works without TCP sequence adjustment.
dnl 10.1.1.9 has the same ASCII length as the original 10.1.1.1.
2745 CHECK_FTP_NAT_PRE_RECIRC([], [10.1.1.9], [0x0a010109])
2747 dnl Check that ct(nat,table=foo) works with TCP sequence adjustment.
2749 dnl The FTP PORT command includes the ASCII representation of the address,
2750 dnl so when these messages need to be NATed between addresses that have
2751 dnl different lengths when represented in ASCII (such as the original address
2752 dnl of 10.1.1.1 used in the test and 10.1.1.240 here), the FTP NAT ALG must
2753 dnl resize the packet and adjust TCP sequence numbers. This test is kept
2754 dnl separate from the above to more easily identify issues in this code on different
2756 CHECK_FTP_NAT_PRE_RECIRC([seqadj], [10.1.1.240], [0x0a0101f0])
2758 dnl CHECK_FTP_NAT_POST_RECIRC(TITLE, IP_ADDR, IP_ADDR_AS_HEX)
2760 dnl Checks the implementation of conntrack with FTP ALGs in combination with
2761 dnl NAT, with flow tables that implement the NATing after the first round
2762 dnl of recirculation - that is, the first flow ct(table=foo) then a subsequent
2763 dnl flow will implement the NATing with ct(nat..),output:foo.
2765 dnl IP_ADDR must specify the NAT address in standard "10.1.1.x" format,
2766 dnl and IP_ADDR_AS_HEX must specify the same address as hex, eg 0x0a0101xx.
2767 m4_define([CHECK_FTP_NAT_POST_RECIRC], [dnl
2768 CHECK_FTP_NAT([postrecirc $1], [$2], [dnl
2769 dnl track all IP traffic (this includes a helper call to non-NEW packets.)
dnl No nat here: packets reach table 1 with their on-the-wire addresses, and
dnl every forwarding rule there applies ct(nat) itself.
2770 table=0 ip, action=ct(table=1)
dnl Allow ARP, but generate responses for the NAT address (tables 8 and 10).
2774 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2775 table=0 priority=10 arp action=normal
2776 table=0 priority=0 action=drop
2780 dnl Allow new FTP connections. These need to be committed.
2781 dnl This does helper for new packets.
dnl alg=ftp attaches the FTP helper (helper=ftp in the expected dump) so the
dnl data connection announced on the control channel can be recognised as
dnl related later.
2782 table=1 in_port=1 ct_state=+new, tcp, tp_dst=21, action=ct(alg=ftp,commit,nat(src=$2)),2
2783 dnl Allow and NAT established TCP connections
2784 table=1 in_port=1 ct_state=+est, tcp, action=ct(nat),2
2785 table=1 in_port=2 ct_state=+est, tcp, action=ct(nat),1
2786 dnl Allow and NAT (new) related active (data) connections.
2787 dnl These need to be committed.
2788 table=1 in_port=2 ct_state=+new+rel, tcp, action=ct(commit,nat),1
2789 dnl Allow related ICMP packets.
2790 table=1 in_port=2 ct_state=+rel, icmp, action=ct(nat),1
2791 dnl Drop everything else.
dnl This catches new non-FTP connections from port 1 and any new, unrelated
dnl connection from port 2.
2792 table=1 priority=0, action=drop
2794 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl Exact match on the NAT address given as IP_ADDR_AS_HEX.
2796 table=8,reg2=$3/0xffffffff,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2797 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2798 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2800 dnl Swaps the fields of the ARP message to turn a query to a response.
2801 table=10 priority=100 arp xreg0=0 action=normal
2802 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2803 table=10 priority=0 action=drop
2805 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
2806 tcp,orig=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2810 dnl Check that ct(nat,table=foo) works without TCP sequence adjustment.
dnl 10.1.1.9 has the same ASCII length as the original 10.1.1.1.
2811 CHECK_FTP_NAT_POST_RECIRC([], [10.1.1.9], [0x0a010109])
2813 dnl Check that ct(nat,table=foo) works with TCP sequence adjustment.
2815 dnl The FTP PORT command includes the ASCII representation of the address,
2816 dnl so when these messages need to be NATed between addresses that have
2817 dnl different lengths when represented in ASCII (such as the original address
2818 dnl of 10.1.1.1 used in the test and 10.1.1.240 here), the FTP NAT ALG must
2819 dnl resize the packet and adjust TCP sequence numbers. This test is kept
2820 dnl separate from the above to more easily identify issues in this code on different
2822 CHECK_FTP_NAT_POST_RECIRC([seqadj], [10.1.1.240], [0x0a0101f0])
2825 dnl CHECK_FTP_NAT_ORIG_TUPLE(TITLE, IP_ADDR, IP_ADDR_AS_HEX)
2827 dnl Checks the implementation of conntrack original direction tuple matching
2828 dnl with FTP ALGs in combination with NAT, with flow tables that implement
2829 dnl the NATing before the first round of recirculation - that is, the first
2830 dnl flow ct(nat, table=foo) then a subsequent flow will implement the
2831 dnl committing of NATed and other connections with ct(nat..),output:foo.
2833 dnl IP_ADDR must specify the NAT address in standard "10.1.1.x" format,
2834 dnl and IP_ADDR_AS_HEX must specify the same address as hex, eg 0x0a0101xx.
dnl Register usage in this pipeline: reg0 = direction used for the ACL lookup,
dnl reg1 = matched rule ID, reg2 = verdict, reg3 = actual packet direction,
dnl reg4 = conntrack zone.
2835 m4_define([CHECK_FTP_NAT_ORIG_TUPLE], [dnl
2836 CHECK_FTP_NAT([orig tuple $1], [$2], [dnl
2837 dnl Store zone in reg4 and packet direction in reg3 (IN=1, OUT=2).
2838 dnl NAT is only applied to OUT-direction packets, so that ACL
2839 dnl processing can be done with non-NATted headers.
2841 dnl Track all IP traffic in the IN-direction (IN from Port 1).
2842 table=0 in_port=1, ip, action=set_field:1->reg4,set_field:1->reg3,ct(zone=NXM_NX_REG4[[0..15]],table=1)
2843 dnl Track all IP traffic in the OUT-direction (OUT to the Port 1).
2844 table=0 in_port=2, ip, action=set_field:1->reg4,set_field:2->reg3,ct(zone=NXM_NX_REG4[[0..15]],nat,table=1)
dnl Allow ARP, but generate responses for the NAT address (tables 8 and 10).
2848 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2849 table=0 priority=10 arp action=normal
2850 table=0 priority=0 action=drop
2852 dnl Pass tracked traffic through ACL, drop everything else.
2853 dnl Non-REPLY/RELATED packets get the ACL lookup with the packet headers
2854 dnl in the actual packet direction in reg0 (IN=1, OUT=2). REPLY packets
2855 dnl get the ACL lookup using the conntrack tuple and the inverted direction.
2856 dnl RELATED packets get ACL lookup using the conntrack tuple in the direction
2857 dnl of the master connection, as stored in ct_mark.
2859 dnl Incoming non-related packet in the original direction (ACL IN)
2860 table=1 reg3=1, ip, ct_state=-rel-rpl+trk-inv action=set_field:1->reg0,resubmit(,3),goto_table:5
2861 dnl Incoming non-related reply packet (CT ACL OUT)
2862 table=1 reg3=1, ip, ct_state=-rel+rpl+trk-inv action=set_field:2->reg0,resubmit(,3,ct),goto_table:4
2863 dnl Outgoing non-related packet (ACL OUT)
2864 table=1 reg3=2, ip, ct_state=-rel-rpl+trk-inv action=set_field:2->reg0,resubmit(,3),goto_table:5
2865 dnl Outgoing non-related reply packet (CT ACL IN)
2866 table=1 reg3=2, ip, ct_state=-rel+rpl+trk-inv action=set_field:1->reg0,resubmit(,3,ct),goto_table:4
2868 dnl Related packet (CT ACL in the direction of the master connection.)
2869 table=1 ip, ct_state=+rel+trk-inv, action=move:NXM_NX_CT_MARK[[]]->NXM_NX_REG0[[]],resubmit(,3,ct),goto_table:4
2870 dnl Drop everything else.
dnl Every rule above requires -inv, so packets conntrack considers invalid
dnl never reach the ACL and are dropped here.
2871 table=1 priority=0, action=drop
2875 dnl Stateful accept (1->reg2) all incoming (reg0=1) IP connections with
2876 dnl IP source address '10.1.1.1'. Store rule ID (1234) in reg1, verdict
dnl Because IN-direction packets are not NATted in table 0, nw_src here is the
dnl real, untranslated client address.
2878 table=3 priority=10, reg0=1, ip, nw_src=10.1.1.1 action=set_field:1234->reg1,set_field:1->reg2
2879 dnl Stateless drop (0->reg2) everything else in both directions. (Rule ID: 1235)
2880 table=3 priority=0, action=set_field:1235->reg1,set_field:0->reg2
2882 dnl Re-process stateful traffic that was not accepted by a stateful rule as
2883 dnl normal traffic in the current direction. This should also delete the
2884 dnl now stale conntrack state, so that new state can be created in its place.
2886 dnl Stateful accepts go to next table.
2887 table=4 priority=100 reg2=1, action=goto_table:5
2888 dnl Everything else is reprocessed disregarding the CT state, using the actual
2889 dnl packet direction.
2890 table=4 priority=0 action=move:NXM_NX_REG3[[]]->NXM_NX_REG0[[]],resubmit(,3),goto_table:5
2892 dnl "ACL verdict processing table."
2894 dnl Handle stateful (reg2=1) / stateless (reg2=2) accepts and drops (reg2=0)
2896 dnl Drop all non-accepted packets.
dnl Fail closed: table 3 defaults to reg2=0, so anything without an explicit
dnl accept is dropped before it can reach the forwarding table.
2897 table=5 reg2=0 priority=1000 action=drop
2899 dnl Commit new incoming FTP control connections with SNAT range. Must match on
2900 dnl 'tcp' when setting 'alg=ftp'. Store the directionality of non-related
2901 dnl connections to ct_mark. Store the rule ID to labels.
dnl The rule ID from reg1 lands in ct_label bits 96..127, which is why the
dnl expected dump shows labels=0x4d2 followed by 24 hex zeros (1234 = 0x4d2).
2902 table=5 priority=100 reg2=1 reg3=1 ct_state=+new-rel, tcp, tp_dst=21, action=ct(zone=NXM_NX_REG4[[0..15]],alg=ftp,commit,nat(src=$2),exec(move:NXM_NX_REG3[[0..31]]->NXM_NX_CT_MARK[[0..31]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
2903 dnl Commit other new incoming non-related IP connections with SNAT range.
2904 table=5 priority=10 reg2=1 reg3=1 ct_state=+new-rel, ip, action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat(src=$2),exec(move:NXM_NX_REG3[[0..31]]->NXM_NX_CT_MARK[[0..31]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
2905 dnl Commit non-related outgoing new IP connections with DNAT range.
2906 dnl (This should not get any packets in this test.)
2907 table=5 priority=10 reg2=1 reg3=2 ct_state=+new-rel, ip, action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat(dst=$2),exec(move:NXM_NX_REG3[[0..31]]->NXM_NX_CT_MARK[[0..31]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
2908 dnl Commit new related connections in either direction, which need 'nat'
2909 dnl and which inherit the mark (the direction of the original direction
2910 dnl master tuple) from the master connection.
2911 table=5 priority=10 reg2=1 ct_state=+new+rel, ip, action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat,exec(move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
2913 dnl NAT incoming non-NEW packets. Outgoing packets were NATted in table 0.
2915 table=5 priority=10 ct_state=-new+trk-inv reg3=1 ip, action=ct(zone=NXM_NX_REG4[[0..15]],nat),goto_table:6
2916 dnl Forward everything else, including stateless accepts.
2917 table=5 priority=0 action=goto_table:6
2919 dnl "Forwarding table"
dnl Plain port cross-connect; all policy has been decided in tables 3 to 5.
2921 table=6 in_port=1 action=2
2922 table=6 in_port=2 action=1
2924 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl Exact match on the NAT address given as IP_ADDR_AS_HEX.
2926 table=8,reg2=$3,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2927 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2928 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2930 dnl Swaps the fields of the ARP message to turn a query to a response.
2931 table=10 priority=100 arp xreg0=0 action=normal
2932 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2933 table=10 priority=0 action=drop
2935 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),zone=1,mark=1,labels=0x4d2000000000000000000000000,protoinfo=(state=<cleared>),helper=ftp
2936 tcp,orig=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,mark=1,labels=0x4d2000000000000000000000000,protoinfo=(state=<cleared>)
2940 dnl Check that ct(nat,table=foo) works without TCP sequence adjustment with
2941 dnl an ACL table based on matching on conntrack original direction tuple only.
2942 CHECK_FTP_NAT_ORIG_TUPLE([], [10.1.1.9], [0x0a010109])
2944 dnl Check that ct(nat,table=foo) works with TCP sequence adjustment with
2945 dnl an ACL table based on matching on conntrack original direction tuple only.
2946 CHECK_FTP_NAT_ORIG_TUPLE([seqadj], [10.1.1.240], [0x0a0101f0])
2948 AT_SETUP([conntrack - IPv6 HTTP with NAT])
dnl Source-NATs ns0's traffic to fc00::240 on its way to ns1 and checks that
dnl ns1 can reach ns0 only through the established (reply) direction: the
dnl ns0->ns1 request must succeed, the ns1->ns0 request must fail.
2950 CHECK_CONNTRACK_NAT()
2951 OVS_TRAFFIC_VSWITCHD_START()
2953 ADD_NAMESPACES(at_ns0, at_ns1)
2955 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
dnl Pin p0's MAC so that ns1 can be given a static neighbor entry for the
dnl NAT address fc00::240 below.
2956 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2957 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
2958 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
2960 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl NOTE(review): the icmp6 rule below is broader than "nd": it has no in_port
dnl match, so every ICMPv6 packet passes in both directions via normal.
2961 AT_DATA([flows.txt], [dnl
2962 priority=1,action=drop
2963 priority=10,icmp6,action=normal
dnl ns0->ns1: commit the connection with source NAT to fc00::240.
2964 priority=100,in_port=1,ip6,action=ct(commit,nat(src=fc00::240)),2
dnl ns1->ns0: run untracked packets through conntrack (applying NAT) and
dnl recirculate to table 0; only established connections are then forwarded.
2965 priority=100,in_port=2,ct_state=-trk,ip6,action=ct(nat,table=0)
2966 priority=100,in_port=2,ct_state=+trk+est,ip6,action=1
dnl Neighbor solicitations for the NAT address are DNATed to fc00::1,
dnl committed and output to port 1.
2967 priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::240,action=ct(commit,nat(dst=fc00::1)),1
2970 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2972 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
2973 dnl waiting, we get occasional failures due to the following error:
2974 dnl "connect: Cannot assign requested address"
2975 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
2977 dnl HTTP requests from ns0->ns1 should work fine.
2978 OVS_START_L7([at_ns1], [http6])
2980 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2982 dnl HTTP requests from ns1->ns0 should fail due to network failure.
2983 dnl Try 3 times, in 1 second intervals.
2984 OVS_START_L7([at_ns0], [http6])
dnl Expected exit status 4 (wget's network-failure code): the flows pass only
dnl established return traffic from port 2, so a new connection never reaches ns0.
2985 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
2987 OVS_TRAFFIC_VSWITCHD_STOP
2991 AT_SETUP([conntrack - IPv6 FTP with NAT])
dnl Active-mode FTP from ns0 through source NAT (fc00::1 -> fc00::240): the
dnl control connection is committed with the ftp ALG and the server-initiated
dnl data connection is admitted as a related (+rel) connection.
2992 AT_SKIP_IF([test $HAVE_FTP = no])
2994 CHECK_CONNTRACK_NAT()
2995 OVS_TRAFFIC_VSWITCHD_START()
2997 ADD_NAMESPACES(at_ns0, at_ns1)
2999 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
dnl Pin p0's MAC so the static neighbor entry for fc00::240 below resolves to it.
3000 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
3001 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
3002 dnl Would be nice if NAT could translate neighbor discovery messages, too.
3003 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
3005 dnl Allow any traffic from ns0->ns1.
3006 dnl Only allow nd, return traffic from ns1->ns0.
3007 AT_DATA([flows.txt], [dnl
3008 dnl Track all IPv6 traffic (this applies NAT and helper processing to non-NEW packets).
3009 table=0 priority=10 ip6, action=ct(nat,table=1)
3010 table=0 priority=0 action=drop
3014 dnl Allow new TCPv6 FTP control connections.
dnl alg=ftp attaches the FTP helper; nat(src=fc00::240) SNATs the control connection.
3015 table=1 in_port=1 ct_state=+new tcp6 ipv6_src=fc00::1 tp_dst=21 action=ct(alg=ftp,commit,nat(src=fc00::240)),2
3016 dnl Allow related TCPv6 connections from port 2 to the NATted address.
dnl (The data connection announced by the helper. ct(commit,nat) carries no
dnl NAT arguments, so the translation presumably derives from the master connection.)
3017 table=1 in_port=2 ct_state=+new+rel tcp6 ipv6_dst=fc00::240 action=ct(commit,nat),1
3018 dnl Allow established TCPv6 connections both ways, enforce NATting
dnl (table 0 has already applied NAT, so established packets are matched on
dnl their translated addresses; un-NATted traffic falls through to the drop).
3019 table=1 in_port=1 ct_state=+est tcp6 ipv6_src=fc00::240 action=2
3020 table=1 in_port=2 ct_state=+est tcp6 ipv6_dst=fc00::1 action=1
3021 dnl Allow other ICMPv6 both ways (without commit).
3022 table=1 priority=100 in_port=1 icmp6, action=2
3023 table=1 priority=100 in_port=2 icmp6, action=1
3024 dnl Drop everything else.
3025 table=1 priority=0, action=drop
3028 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3030 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
3031 dnl waiting, we get occasional failures due to the following error:
3032 dnl "connect: Cannot assign requested address"
3033 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
3035 OVS_START_L7([at_ns1], [ftp])
3037 dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode, so the server opens the data
dnl connection back towards the client (the +rel rule above).
3038 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
3040 dnl Discards CLOSE_WAIT and CLOSING
dnl Expect two entries: the control connection (helper=ftp) and the
dnl server-initiated data connection towards the NAT address fc00::240.
3041 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
3042 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
3043 tcp,orig=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
3046 OVS_TRAFFIC_VSWITCHD_STOP
3050 AT_SETUP([conntrack - IPv6 FTP with NAT - orig tuple])
dnl Variant of the previous test: every table 1 ACL rule matches the conntrack
dnl original-direction tuple (ct_nw_proto, ct_ipv6_src, ct_tp_dst) instead of
dnl the packet's own addresses, so one tuple (fc00::1 -> port 21) is expected
dnl to admit the control connection, the related data connection and return traffic.
3051 AT_SKIP_IF([test $HAVE_FTP = no])
3053 CHECK_CONNTRACK_NAT()
3054 OVS_TRAFFIC_VSWITCHD_START()
3056 ADD_NAMESPACES(at_ns0, at_ns1)
3058 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
dnl Pin p0's MAC so the static neighbor entry for fc00::240 below resolves to it.
3059 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
3060 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
3061 dnl Would be nice if NAT could translate neighbor discovery messages, too.
3062 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
3064 dnl Allow any traffic from ns0->ns1.
3065 dnl Only allow nd, return traffic from ns1->ns0.
3066 AT_DATA([flows.txt], [dnl
3067 dnl Track all IPv6 traffic (this applies NAT and helper processing to non-NEW packets).
3068 table=0 priority=10 ip6, action=ct(nat,table=1)
3069 table=0 priority=0 action=drop
3073 dnl Allow other ICMPv6 both ways (without commit).
3074 table=1 priority=100 in_port=1 icmp6, action=2
3075 table=1 priority=100 in_port=2 icmp6, action=1
3076 dnl Allow new TCPv6 FTP control connections.
3077 table=1 priority=10 in_port=1 ct_state=+new+trk-inv tcp6 ct_nw_proto=6 ct_ipv6_src=fc00::1 ct_tp_dst=21 action=ct(alg=ftp,commit,nat(src=fc00::240)),2
3078 dnl Allow related TCPv6 connections from port 2 to the NATted address.
dnl NOTE(review): the data connection's own original tuple (src=fc00::2 in
dnl the expected dump below) differs from the tuple matched here and in the
dnl +est rules, so this relies on the ct_* fields of a related connection
dnl resolving to the master connection's tuple -- confirm against the ct docs.
3079 table=1 priority=10 in_port=2 ct_state=+new+rel+trk-inv ipv6 ct_nw_proto=6 ct_ipv6_src=fc00::1 ct_tp_dst=21 action=ct(commit,nat),1
3080 dnl Allow established TCPv6 connections both ways, enforce NATting
3081 table=1 priority=10 in_port=1 ct_state=+est+trk-inv ipv6 ct_nw_proto=6 ct_ipv6_src=fc00::1 ct_tp_dst=21 action=2
3082 table=1 priority=10 in_port=2 ct_state=+est+trk-inv ipv6 ct_nw_proto=6 ct_ipv6_src=fc00::1 ct_tp_dst=21 action=1
3083 dnl Drop everything else.
3084 table=1 priority=0, action=drop
3087 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3089 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
3090 dnl waiting, we get occasional failures due to the following error:
3091 dnl "connect: Cannot assign requested address"
3092 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
dnl Start the FTP server in ns1 and wait until it is listening (inline form
dnl of what the previous test does with OVS_START_L7).
3094 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
3095 OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
3097 dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode, so the server opens the data
dnl connection back towards the client (the +rel rule above).
3098 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
3100 dnl Discards CLOSE_WAIT and CLOSING
dnl Expect two entries: the control connection (helper=ftp) and the
dnl server-initiated data connection towards the NAT address fc00::240.
3101 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
3102 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
3103 tcp,orig=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
3106 OVS_TRAFFIC_VSWITCHD_STOP
3110 AT_SETUP([conntrack - DNAT load balancing])
dnl Virtual IP 10.1.1.64 is load-balanced across ns2..ns4 with an OpenFlow 1.5
dnl select group whose buckets DNAT each new connection to one backend; ns1 is
dnl the client. ARP for the virtual IP is answered by the flow table itself.
3112 CHECK_CONNTRACK_NAT()
3113 OVS_TRAFFIC_VSWITCHD_START()
3115 ADD_NAMESPACES(at_ns1, at_ns2, at_ns3, at_ns4)
3117 ADD_VETH(p1, at_ns1, br0, "10.1.1.1/24")
3118 ADD_VETH(p2, at_ns2, br0, "10.1.1.2/24")
3119 ADD_VETH(p3, at_ns3, br0, "10.1.1.3/24")
3120 ADD_VETH(p4, at_ns4, br0, "10.1.1.4/24")
dnl Fixed MACs so that table 4 below can rewrite the destination MAC statically.
3121 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:11])
3122 NS_CHECK_EXEC([at_ns2], [ip link set dev p2 address 80:88:88:88:88:22])
3123 NS_CHECK_EXEC([at_ns3], [ip link set dev p3 address 80:88:88:88:88:33])
3124 NS_CHECK_EXEC([at_ns4], [ip link set dev p4 address 80:88:88:88:88:44])
3126 dnl Select group for load balancing. One bucket per server. Each bucket
3127 dnl tracks and NATs the connection and recirculates to table 4 for egress
3128 dnl routing. Packets of existing connections are always NATted based on
3129 dnl connection state, only new connections are NATted according to the
3130 dnl specific NAT parameters in each bucket.
3131 AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn add-group br0 "group_id=234,type=select,bucket=weight=100,ct(nat(dst=10.1.1.2),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.3),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.4),commit,table=4)"])
3133 AT_DATA([flows.txt], [dnl
3134 dnl Track connections to the virtual IP address.
3135 table=0 priority=100 ip nw_dst=10.1.1.64 action=group:234
3136 dnl All other IP traffic is allowed but the connection state is not committed.
dnl ct(nat) here reverse-translates the backends' replies for connections
dnl committed by the group, so the client sees them coming from the virtual IP.
3137 table=0 priority=90 ip action=ct(table=4,nat)
3139 dnl Allow ARP, but generate responses for virtual addresses
dnl ARP requests: look up the target IP in table 8 (MAC into packet register 0),
dnl then table 10 either answers for a virtual address or falls back to normal.
3140 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
3141 table=0 priority=10 arp action=normal
3142 table=0 priority=0 action=drop
dnl Egress routing after NAT: rewrite the destination MAC for the (translated)
dnl destination IP and output to that host's port.
3146 table=4,ip,nw_dst=10.1.1.1 action=mod_dl_dst:80:88:88:88:88:11,output:1
3147 table=4,ip,nw_dst=10.1.1.2 action=mod_dl_dst:80:88:88:88:88:22,output:2
3148 table=4,ip,nw_dst=10.1.1.3 action=mod_dl_dst:80:88:88:88:88:33,output:3
3149 table=4,ip,nw_dst=10.1.1.4 action=mod_dl_dst:80:88:88:88:88:44,output:4
3150 table=4 priority=0 action=drop
3152 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is the virtual IP 10.1.1.64; the answering MAC is synthetic.
3153 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
3154 dnl Zero result means not found.
3155 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
3156 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
3158 table=10 priority=100 arp xreg0=0 action=normal
3159 dnl Swaps the fields of the ARP message to turn a query to a response.
3160 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
dnl Remaining ARP (non-requests with a resolved target) is punted to the
dnl controller; the equivalent table earlier in this file drops instead.
3161 table=10 priority=0 action=controller
3164 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3166 dnl Start web servers
3167 OVS_START_L7([at_ns2], [http])
3168 OVS_START_L7([at_ns3], [http])
3169 OVS_START_L7([at_ns4], [http])
dnl Diagnostics dumped when the test exits.
3171 on_exit 'ovs-ofctl -O OpenFlow15 dump-flows br0'
3172 on_exit 'ovs-appctl revalidator/purge'
3173 on_exit 'ovs-appctl dpif/dump-flows br0'
3175 dnl Should work with the virtual IP address through NAT
dnl Twelve separate connections from ns1 to the virtual IP, one log each.
3176 for i in 1 2 3 4 5 6 7 8 9 10 11 12; do
3178 NS_CHECK_EXEC([at_ns1], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget$i.log])
3181 dnl Each server should have at least one connection.
dnl NOTE(review): a select group picks a bucket per flow, so this assumes twelve
dnl connections are enough to reach all three backends -- confirm it is not flaky.
3182 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
3183 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
3184 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.3,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
3185 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
dnl Diagnostic dumps only; their output is not checked.
3188 ovs-appctl dpif/dump-flows br0
3189 ovs-appctl revalidator/purge
3190 ovs-ofctl -O OpenFlow15 dump-flows br0
3191 ovs-ofctl -O OpenFlow15 dump-group-stats br0
3193 OVS_TRAFFIC_VSWITCHD_STOP
3197 AT_SETUP([conntrack - DNAT load balancing with NC])
dnl Same group and flow setup as the previous test, but with two clients (ns1
dnl and ns5) sending with nc from identical fixed source ports (-p 4100$i), so
dnl the backends' connections presumably differ only by client address.
3198 AT_SKIP_IF([test $HAVE_NC = no])
3200 CHECK_CONNTRACK_NAT()
3201 OVS_TRAFFIC_VSWITCHD_START()
3203 ADD_NAMESPACES(at_ns1, at_ns2, at_ns3, at_ns4, at_ns5)
3205 ADD_VETH(p1, at_ns1, br0, "10.1.1.1/24")
3206 ADD_VETH(p2, at_ns2, br0, "10.1.1.2/24")
3207 ADD_VETH(p3, at_ns3, br0, "10.1.1.3/24")
3208 ADD_VETH(p4, at_ns4, br0, "10.1.1.4/24")
3209 ADD_VETH(p5, at_ns5, br0, "10.1.1.5/24")
dnl Fixed MACs so that table 4 below can rewrite the destination MAC statically.
3210 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:11])
3211 NS_CHECK_EXEC([at_ns2], [ip link set dev p2 address 80:88:88:88:88:22])
3212 NS_CHECK_EXEC([at_ns3], [ip link set dev p3 address 80:88:88:88:88:33])
3213 NS_CHECK_EXEC([at_ns4], [ip link set dev p4 address 80:88:88:88:88:44])
3214 NS_CHECK_EXEC([at_ns5], [ip link set dev p5 address 80:88:88:88:88:55])
3216 dnl Select group for load balancing. One bucket per server. Each bucket
3217 dnl tracks and NATs the connection and recirculates to table 4 for egress
3218 dnl routing. Packets of existing connections are always NATted based on
3219 dnl connection state, only new connections are NATted according to the
3220 dnl specific NAT parameters in each bucket.
3221 AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn add-group br0 "group_id=234,type=select,bucket=weight=100,ct(nat(dst=10.1.1.2),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.3),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.4),commit,table=4)"])
3223 AT_DATA([flows.txt], [dnl
3224 dnl Track connections to the virtual IP address.
3225 table=0 priority=100 ip nw_dst=10.1.1.64 action=group:234
3226 dnl All other IP traffic is allowed but the connection state is not committed.
dnl ct(nat) here reverse-translates the backends' replies for connections
dnl committed by the group, so the clients see them coming from the virtual IP.
3227 table=0 priority=90 ip action=ct(table=4,nat)
3229 dnl Allow ARP, but generate responses for virtual addresses
dnl ARP requests: look up the target IP in table 8 (MAC into packet register 0),
dnl then table 10 either answers for a virtual address or falls back to normal.
3230 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
3231 table=0 priority=10 arp action=normal
3232 table=0 priority=0 action=drop
dnl Egress routing after NAT: rewrite the destination MAC for the (translated)
dnl destination IP and output to that host's port; ns5 needs its own entry
dnl so that replies to the second client can be delivered.
3236 table=4,ip,nw_dst=10.1.1.1 action=mod_dl_dst:80:88:88:88:88:11,output:1
3237 table=4,ip,nw_dst=10.1.1.2 action=mod_dl_dst:80:88:88:88:88:22,output:2
3238 table=4,ip,nw_dst=10.1.1.3 action=mod_dl_dst:80:88:88:88:88:33,output:3
3239 table=4,ip,nw_dst=10.1.1.4 action=mod_dl_dst:80:88:88:88:88:44,output:4
3240 table=4,ip,nw_dst=10.1.1.5 action=mod_dl_dst:80:88:88:88:88:55,output:5
3241 table=4 priority=0 action=drop
3243 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is the virtual IP 10.1.1.64; the answering MAC is synthetic.
3244 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
3245 dnl Zero result means not found.
3246 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
3247 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
3249 table=10 priority=100 arp xreg0=0 action=normal
3250 dnl Swaps the fields of the ARP message to turn a query to a response.
3251 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
dnl Remaining ARP (non-requests with a resolved target) is punted to the
dnl controller; the equivalent table earlier in this file drops instead.
3252 table=10 priority=0 action=controller
3255 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3257 dnl Start web servers
3258 OVS_START_L7([at_ns2], [http])
3259 OVS_START_L7([at_ns3], [http])
3260 OVS_START_L7([at_ns4], [http])
dnl Diagnostics dumped when the test exits.
3262 on_exit 'ovs-ofctl -O OpenFlow15 dump-flows br0'
3263 on_exit 'ovs-appctl revalidator/purge'
3264 on_exit 'ovs-appctl dpif/dump-flows br0'
3268 dnl Should work with the virtual IP address through NAT
dnl Nine rounds; in each round both clients use the same source port 4100$i
dnl towards the virtual IP's port 80, and the replies are captured per client.
3269 for i in 1 2 3 4 5 6 7 8 9; do
3271 NS_CHECK_EXEC([at_ns1], [echo "TEST1" | nc -p 4100$i 10.1.1.64 80 > nc-1-$i.log])
3272 NS_CHECK_EXEC([at_ns5], [echo "TEST5" | nc -p 4100$i 10.1.1.64 80 > nc-5-$i.log])
dnl Diagnostic dumps only; their output is not checked.
3277 ovs-appctl dpif/dump-flows br0
3278 ovs-appctl revalidator/purge
3279 ovs-ofctl -O OpenFlow15 dump-flows br0
3280 ovs-ofctl -O OpenFlow15 dump-group-stats br0
3282 OVS_TRAFFIC_VSWITCHD_STOP