1 AT_BANNER([datapath-sanity])
3 AT_SETUP([datapath - ping between two ports])
dnl Baseline datapath check: two namespaces attached to br0 behind a single
dnl "actions=normal" flow must be able to ping each other.
4 OVS_TRAFFIC_VSWITCHD_START()
6 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
8 ADD_NAMESPACES(at_ns0, at_ns1)
10 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
11 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Three runs with the default, 1600- and 3200-byte payloads. The MTU is not
dnl configured here; the larger sizes are presumably meant to exceed a default
dnl 1500-byte MTU so that fragmentation is exercised. FORMAT_PING normalizes
dnl the summary line so the expected output is stable.
13 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
14 3 packets transmitted, 3 received, 0% packet loss, time 0ms
16 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
17 3 packets transmitted, 3 received, 0% packet loss, time 0ms
19 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
20 3 packets transmitted, 3 received, 0% packet loss, time 0ms
23 OVS_TRAFFIC_VSWITCHD_STOP
26 AT_SETUP([datapath - http between two ports])
dnl Same two-namespace topology as the ping test, but carrying TCP: after a
dnl ping sanity check an HTTP server is started in at_ns1 and at_ns0 must be
dnl able to fetch from it.
27 OVS_TRAFFIC_VSWITCHD_START()
29 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
31 ADD_NAMESPACES(at_ns0, at_ns1)
33 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
34 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
36 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
37 3 packets transmitted, 3 received, 0% packet loss, time 0ms
40 OVS_START_L7([at_ns1], [http])
dnl wget retries (-t 3, --retry-connrefused, 1s timeout) so a server that is
dnl still starting does not fail the check; its output is kept in wget0.log.
41 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
43 OVS_TRAFFIC_VSWITCHD_STOP
46 AT_SETUP([datapath - ping between two ports on vlan])
dnl As the plain ping test, but over 802.1Q sub-interfaces: ADD_VLAN puts a
dnl VLAN 100 device with a second subnet (10.2.2.0/24) on top of each veth, so
dnl the pings cross br0 as tagged frames.
47 OVS_TRAFFIC_VSWITCHD_START()
49 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
51 ADD_NAMESPACES(at_ns0, at_ns1)
53 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
54 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
56 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
57 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
dnl Pings target the VLAN addresses, not the untagged 10.1.1.x ones.
59 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
60 3 packets transmitted, 3 received, 0% packet loss, time 0ms
62 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
63 3 packets transmitted, 3 received, 0% packet loss, time 0ms
65 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
66 3 packets transmitted, 3 received, 0% packet loss, time 0ms
69 OVS_TRAFFIC_VSWITCHD_STOP
72 AT_SETUP([datapath - ping between two ports on cvlan])
dnl Double-tagged (QinQ) variant: an outer service VLAN 4094 (ADD_SVLAN) on
dnl each veth carries an inner customer VLAN 100 (ADD_CVLAN on the resulting
dnl p0.4094 / p1.4094 devices). The pings use the inner-VLAN addresses.
73 OVS_TRAFFIC_VSWITCHD_START()
75 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
77 ADD_NAMESPACES(at_ns0, at_ns1)
79 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
80 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
82 ADD_SVLAN(p0, at_ns0, 4094, "10.255.2.1/24")
83 ADD_SVLAN(p1, at_ns1, 4094, "10.255.2.2/24")
85 ADD_CVLAN(p0.4094, at_ns0, 100, "10.2.2.1/24")
86 ADD_CVLAN(p1.4094, at_ns1, 100, "10.2.2.2/24")
dnl Wait for one reply before the timed checks so stacked-device setup latency
dnl does not count against the 2s ping deadline.
88 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])
90 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
91 3 packets transmitted, 3 received, 0% packet loss, time 0ms
93 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
94 3 packets transmitted, 3 received, 0% packet loss, time 0ms
96 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
97 3 packets transmitted, 3 received, 0% packet loss, time 0ms
100 OVS_TRAFFIC_VSWITCHD_STOP
103 AT_SETUP([datapath - ping6 between two ports])
dnl IPv6 counterpart of the basic ping test (fc00::/96 on both veths).
104 OVS_TRAFFIC_VSWITCHD_START()
106 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
108 ADD_NAMESPACES(at_ns0, at_ns1)
110 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
111 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
113 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
114 dnl waiting, we get occasional failures due to the following error:
115 dnl "connect: Cannot assign requested address"
116 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
118 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
119 3 packets transmitted, 3 received, 0% packet loss, time 0ms
121 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
122 3 packets transmitted, 3 received, 0% packet loss, time 0ms
124 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
125 3 packets transmitted, 3 received, 0% packet loss, time 0ms
128 OVS_TRAFFIC_VSWITCHD_STOP
131 AT_SETUP([datapath - ping6 between two ports on vlan])
dnl IPv6 over 802.1Q: VLAN 100 sub-interfaces carry fc00:1::/96; the pings
dnl target those addresses, not the untagged fc00::/96 ones.
132 OVS_TRAFFIC_VSWITCHD_START()
134 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
136 ADD_NAMESPACES(at_ns0, at_ns1)
138 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
139 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
141 ADD_VLAN(p0, at_ns0, 100, "fc00:1::1/96")
142 ADD_VLAN(p1, at_ns1, 100, "fc00:1::2/96")
144 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
145 dnl waiting, we get occasional failures due to the following error:
146 dnl "connect: Cannot assign requested address"
147 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00:1::2])
149 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
150 3 packets transmitted, 3 received, 0% packet loss, time 0ms
152 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
153 3 packets transmitted, 3 received, 0% packet loss, time 0ms
155 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
156 3 packets transmitted, 3 received, 0% packet loss, time 0ms
159 OVS_TRAFFIC_VSWITCHD_STOP
162 AT_SETUP([datapath - ping6 between two ports on cvlan])
dnl IPv6 over QinQ: outer service VLAN 4094 (fc00:ffff::/96) carrying inner
dnl customer VLAN 100 (fc00:1::/96); the pings target the inner-VLAN addresses.
163 OVS_TRAFFIC_VSWITCHD_START()
165 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
167 ADD_NAMESPACES(at_ns0, at_ns1)
169 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
170 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
172 ADD_SVLAN(p0, at_ns0, 4094, "fc00:ffff::1/96")
173 ADD_SVLAN(p1, at_ns1, 4094, "fc00:ffff::2/96")
175 ADD_CVLAN(p0.4094, at_ns0, 100, "fc00:1::1/96")
176 ADD_CVLAN(p1.4094, at_ns1, 100, "fc00:1::2/96")
dnl Wait for the first reply so IPv6 address/stacked-device setup latency does
dnl not count against the 2s deadline of the timed pings below.
178 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00:1::2])
180 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
181 3 packets transmitted, 3 received, 0% packet loss, time 0ms
183 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
184 3 packets transmitted, 3 received, 0% packet loss, time 0ms
186 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
187 3 packets transmitted, 3 received, 0% packet loss, time 0ms
190 OVS_TRAFFIC_VSWITCHD_STOP
193 AT_SETUP([datapath - ping over bond])
dnl at_ns1 is attached through a two-member OVS bond (bond0 over p1 and p2,
dnl lacp=active, bond_mode=balance-tcp) instead of a single veth.
194 OVS_TRAFFIC_VSWITCHD_START()
196 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
198 ADD_NAMESPACES(at_ns0, at_ns1)
200 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
201 ADD_VETH_BOND(p1 p2, at_ns1, br0, bond0, lacp=active bond_mode=balance-tcp, "10.1.1.2/24")
dnl Wait for the first reply before the timed checks; presumably this covers
dnl the time the bond needs to negotiate LACP and come up.
203 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2])
205 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
206 3 packets transmitted, 3 received, 0% packet loss, time 0ms
208 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
209 3 packets transmitted, 3 received, 0% packet loss, time 0ms
211 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
212 3 packets transmitted, 3 received, 0% packet loss, time 0ms
215 OVS_TRAFFIC_VSWITCHD_STOP
218 AT_SETUP([datapath - ping over vxlan tunnel])
dnl Topology: br-underlay carries the outer (172.31.1.0/24) traffic between the
dnl host (172.31.1.100 on the bridge itself) and at_ns0 (172.31.1.1 via p0).
dnl br0 gets an OVS vxlan port whose remote is the namespace; the namespace
dnl gets a native Linux vxlan device whose remote is the host. The overlay is
dnl 10.1.1.0/24 with the OVS side at 10.1.1.100 and the namespace at 10.1.1.1.
221 OVS_TRAFFIC_VSWITCHD_START()
222 ADD_BR([br-underlay])
224 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
225 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
227 ADD_NAMESPACES(at_ns0)
229 dnl Set up underlay link from host into the namespace using veth pair.
230 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
231 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
232 AT_CHECK([ip link set dev br-underlay up])
234 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
235 dnl linux device inside the namespace.
236 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
237 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
240 dnl First, check the underlay
241 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
242 3 packets transmitted, 3 received, 0% packet loss, time 0ms
245 dnl Okay, now check the overlay with different packet sizes
246 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
247 3 packets transmitted, 3 received, 0% packet loss, time 0ms
249 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
250 3 packets transmitted, 3 received, 0% packet loss, time 0ms
252 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
253 3 packets transmitted, 3 received, 0% packet loss, time 0ms
256 OVS_TRAFFIC_VSWITCHD_STOP
259 AT_SETUP([datapath - ping over vxlan6 tunnel])
dnl VXLAN with an IPv6 underlay (fc00::/64): same shape as the IPv4 vxlan test,
dnl but the outer addresses are fc00::1 (namespace) and fc00::100 (host) and
dnl the overlay is still IPv4 10.1.1.0/24.
dnl Precondition: the native tunnel below is configured with zero UDP6
dnl checksums, so this check presumably skips the test where that is unsupported.
260 OVS_CHECK_VXLAN_UDP6ZEROCSUM()
262 OVS_TRAFFIC_VSWITCHD_START()
263 ADD_BR([br-underlay])
265 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
266 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
268 ADD_NAMESPACES(at_ns0)
270 dnl Set up underlay link from host into the namespace using veth pair.
dnl "nodad" skips IPv6 duplicate address detection so the addresses are usable
dnl right away rather than staying tentative.
271 ADD_VETH(p0, at_ns0, br-underlay, "fc00::1/64", [], [], "nodad")
272 AT_CHECK([ip addr add dev br-underlay "fc00::100/64" nodad])
273 AT_CHECK([ip link set dev br-underlay up])
275 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
276 dnl linux device inside the namespace.
277 ADD_OVS_TUNNEL6([vxlan], [br0], [at_vxlan0], [fc00::1], [10.1.1.100/24])
278 ADD_NATIVE_TUNNEL6([vxlan], [at_vxlan1], [at_ns0], [fc00::100], [10.1.1.1/24],
279 [id 0 dstport 4789 udp6zerocsumtx udp6zerocsumrx])
dnl Wait for the IPv6 underlay to answer before the timed checks.
281 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::100])
283 dnl First, check the underlay
284 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::100 | FORMAT_PING], [0], [dnl
285 3 packets transmitted, 3 received, 0% packet loss, time 0ms
288 dnl Okay, now check the overlay with different packet sizes
289 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
290 3 packets transmitted, 3 received, 0% packet loss, time 0ms
292 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
293 3 packets transmitted, 3 received, 0% packet loss, time 0ms
295 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
296 3 packets transmitted, 3 received, 0% packet loss, time 0ms
299 OVS_TRAFFIC_VSWITCHD_STOP
302 AT_SETUP([datapath - ping over gre tunnel])
dnl GRE variant of the tunnel test: OVS "gre" port on br0, native "gretap"
dnl device in at_ns0, same 172.31.1.0/24 underlay and 10.1.1.0/24 overlay.
305 OVS_TRAFFIC_VSWITCHD_START()
306 ADD_BR([br-underlay])
308 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
309 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
311 ADD_NAMESPACES(at_ns0)
313 dnl Set up underlay link from host into the namespace using veth pair.
314 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
315 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
316 AT_CHECK([ip link set dev br-underlay up])
318 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
319 dnl linux device inside the namespace.
320 ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
321 ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24])
323 dnl First, check the underlay
324 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
325 3 packets transmitted, 3 received, 0% packet loss, time 0ms
328 dnl Okay, now check the overlay with different packet sizes
329 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
330 3 packets transmitted, 3 received, 0% packet loss, time 0ms
332 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
333 3 packets transmitted, 3 received, 0% packet loss, time 0ms
335 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
336 3 packets transmitted, 3 received, 0% packet loss, time 0ms
339 OVS_TRAFFIC_VSWITCHD_STOP
342 AT_SETUP([datapath - ping over geneve tunnel])
dnl Geneve variant of the tunnel test: OVS "geneve" port on br0, native geneve
dnl device in at_ns0, same 172.31.1.0/24 underlay and 10.1.1.0/24 overlay.
345 OVS_TRAFFIC_VSWITCHD_START()
346 ADD_BR([br-underlay])
348 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
349 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
351 ADD_NAMESPACES(at_ns0)
353 dnl Set up underlay link from host into the namespace using veth pair.
354 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
355 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
356 AT_CHECK([ip link set dev br-underlay up])
358 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
359 dnl linux device inside the namespace.
360 ADD_OVS_TUNNEL([geneve], [br0], [at_gnv0], [172.31.1.1], [10.1.1.100/24])
361 ADD_NATIVE_TUNNEL([geneve], [ns_gnv0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
364 dnl First, check the underlay
365 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
366 3 packets transmitted, 3 received, 0% packet loss, time 0ms
369 dnl Okay, now check the overlay with different packet sizes
370 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
371 3 packets transmitted, 3 received, 0% packet loss, time 0ms
373 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
374 3 packets transmitted, 3 received, 0% packet loss, time 0ms
376 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
377 3 packets transmitted, 3 received, 0% packet loss, time 0ms
380 OVS_TRAFFIC_VSWITCHD_STOP
383 AT_SETUP([datapath - ping over geneve6 tunnel])
dnl Geneve with an IPv6 underlay (fc00::/64), mirroring the vxlan6 test: the
dnl native device uses zero UDP6 checksums, so this precondition presumably
dnl skips the test where that is unsupported.
384 OVS_CHECK_GENEVE_UDP6ZEROCSUM()
386 OVS_TRAFFIC_VSWITCHD_START()
387 ADD_BR([br-underlay])
389 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
390 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
392 ADD_NAMESPACES(at_ns0)
394 dnl Set up underlay link from host into the namespace using veth pair.
dnl "nodad" skips IPv6 duplicate address detection so the addresses are usable
dnl right away rather than staying tentative.
395 ADD_VETH(p0, at_ns0, br-underlay, "fc00::1/64", [], [], "nodad")
396 AT_CHECK([ip addr add dev br-underlay "fc00::100/64" nodad])
397 AT_CHECK([ip link set dev br-underlay up])
399 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
400 dnl linux device inside the namespace.
401 ADD_OVS_TUNNEL6([geneve], [br0], [at_gnv0], [fc00::1], [10.1.1.100/24])
402 ADD_NATIVE_TUNNEL6([geneve], [ns_gnv0], [at_ns0], [fc00::100], [10.1.1.1/24],
403 [vni 0 udp6zerocsumtx udp6zerocsumrx])
dnl Wait for the IPv6 underlay to answer before the timed checks.
405 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::100])
407 dnl First, check the underlay
408 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::100 | FORMAT_PING], [0], [dnl
409 3 packets transmitted, 3 received, 0% packet loss, time 0ms
412 dnl Okay, now check the overlay with different packet sizes
413 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
414 3 packets transmitted, 3 received, 0% packet loss, time 0ms
416 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
417 3 packets transmitted, 3 received, 0% packet loss, time 0ms
419 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
420 3 packets transmitted, 3 received, 0% packet loss, time 0ms
423 OVS_TRAFFIC_VSWITCHD_STOP
426 AT_SETUP([datapath - clone action])
dnl Checks that header rewrites inside clone(...) do not leak into the original
dnl packet: the ping between the two namespaces must still succeed (so the
dnl forwarded copies are unmodified), while the controller sees the rewritten
dnl MAC/IP of the cloned copy.
427 OVS_TRAFFIC_VSWITCHD_START()
429 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2)
431 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
432 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Pin OpenFlow port numbers so the in_port/output numbers in flows.txt are stable.
434 AT_CHECK([ovs-vsctl -- set interface ovs-p0 ofport_request=1 \
435 -- set interface ovs-p1 ofport_request=2])
dnl Port 1 -> 2: the clone rewrites dl_dst/ip_dst but only output:2 follows, so
dnl nothing observes the rewrite. Port 2 -> 1: the clone rewrites MACs and ip_dst
dnl and sends that copy to the controller; the original goes unchanged to port 1.
437 AT_DATA([flows.txt], [dnl
438 priority=1 actions=NORMAL
439 priority=10 in_port=1,ip,actions=clone(mod_dl_dst(50:54:00:00:00:0a),set_field:192.168.3.3->ip_dst), output:2
440 priority=10 in_port=2,ip,actions=clone(mod_dl_src(ae:c6:7e:54:8d:4d),mod_dl_dst(50:54:00:00:00:0b),set_field:192.168.4.4->ip_dst, controller), output:1
442 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
dnl Capture packet-ins to ofctl_monitor.log; the ping replies from port 2 are
dnl what reaches the controller.
444 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
445 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
446 3 packets transmitted, 3 received, 0% packet loss, time 0ms
449 AT_CHECK([cat ofctl_monitor.log | STRIP_MONITOR_CSUM], [0], [dnl
450 icmp,vlan_tci=0x0000,dl_src=ae:c6:7e:54:8d:4d,dl_dst=50:54:00:00:00:0b,nw_src=10.1.1.2,nw_dst=192.168.4.4,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=0,icmp_code=0 icmp_csum: <skip>
451 icmp,vlan_tci=0x0000,dl_src=ae:c6:7e:54:8d:4d,dl_dst=50:54:00:00:00:0b,nw_src=10.1.1.2,nw_dst=192.168.4.4,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=0,icmp_code=0 icmp_csum: <skip>
452 icmp,vlan_tci=0x0000,dl_src=ae:c6:7e:54:8d:4d,dl_dst=50:54:00:00:00:0b,nw_src=10.1.1.2,nw_dst=192.168.4.4,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=0,icmp_code=0 icmp_csum: <skip>
455 OVS_TRAFFIC_VSWITCHD_STOP
458 AT_SETUP([datapath - mpls actions])
dnl Two bridges (br0, br1) joined by a veth pair (patch0/patch1). Each
dnl namespace hangs off a different bridge; both bridges get the same flows,
dnl which push an MPLS label onto IPv4 and pop it from labelled traffic, so
dnl the inter-bridge link carries MPLS in both directions.
459 OVS_TRAFFIC_VSWITCHD_START([_ADD_BR([br1])])
461 ADD_NAMESPACES(at_ns0, at_ns1)
463 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
464 ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")
466 AT_CHECK([ip link add patch0 type veth peer name patch1])
dnl Deleting one end of the veth pair removes both; registered for test cleanup.
467 on_exit 'ip link del patch0'
469 AT_CHECK([ip link set dev patch0 up])
470 AT_CHECK([ip link set dev patch1 up])
471 AT_CHECK([ovs-vsctl add-port br0 patch0])
472 AT_CHECK([ovs-vsctl add-port br1 patch1])
dnl table 0: IPv4 -> push label 3 and resubmit; MPLS label 3 -> pop to IPv4 and
dnl resubmit; anything else -> resubmit. table 1: normal L2 forwarding.
474 AT_DATA([flows.txt], [dnl
475 table=0,priority=100,dl_type=0x0800 actions=push_mpls:0x8847,set_mpls_label:3,resubmit(,1)
476 table=0,priority=100,dl_type=0x8847,mpls_label=3 actions=pop_mpls:0x0800,resubmit(,1)
477 table=0,priority=10 actions=resubmit(,1)
478 table=1,priority=10 actions=normal
481 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
482 AT_CHECK([ovs-ofctl add-flows br1 flows.txt])
dnl Ping in both directions so push and pop are exercised on each bridge.
484 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
485 3 packets transmitted, 3 received, 0% packet loss, time 0ms
488 NS_CHECK_EXEC([at_ns1], [ping -q -c 3 -i 0.3 -w 2 10.1.1.1 | FORMAT_PING], [0], [dnl
489 3 packets transmitted, 3 received, 0% packet loss, time 0ms
492 OVS_TRAFFIC_VSWITCHD_STOP
494 AT_SETUP([datapath - basic truncate action])
dnl Verifies output(port=N,max_len=M) truncation. A 200-byte UDP datagram is
dnl sent from at_ns0 and output to ovs-p1/ovs-p2; the copies reappear on their
dnl veth peers p1 (ofport 3) and p2 (ofport 5), where drop flows count
dnl n_bytes, so the counters reveal the delivered (truncated or full) size.
dnl The whole sequence is then repeated with datapath truncate support
dnl disabled to cover the userspace SLOW_ACTION path.
495 AT_SKIP_IF([test $HAVE_NC = no])
496 OVS_TRAFFIC_VSWITCHD_START()
497 AT_CHECK([ovs-ofctl del-flows br0])
499 dnl Create p0 and ovs-p0(1)
500 ADD_NAMESPACES(at_ns0)
501 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MACs and a static ARP entry keep the generated frames deterministic
dnl (no ARP exchange) and let the flows below match on dl_dst.
502 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
503 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
505 dnl Create p1(3) and ovs-p1(2), packets received from ovs-p1 will appear in p1
506 AT_CHECK([ip link add p1 type veth peer name ovs-p1])
507 on_exit 'ip link del ovs-p1'
508 AT_CHECK([ip link set dev ovs-p1 up])
509 AT_CHECK([ip link set dev p1 up])
510 AT_CHECK([ovs-vsctl add-port br0 ovs-p1 -- set interface ovs-p1 ofport_request=2])
511 dnl Use p1 to check the truncated packet
512 AT_CHECK([ovs-vsctl add-port br0 p1 -- set interface p1 ofport_request=3])
514 dnl Create p2(5) and ovs-p2(4)
515 AT_CHECK([ip link add p2 type veth peer name ovs-p2])
516 on_exit 'ip link del ovs-p2'
517 AT_CHECK([ip link set dev ovs-p2 up])
518 AT_CHECK([ip link set dev p2 up])
519 AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=4])
520 dnl Use p2 to check the truncated packet
521 AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=5])
dnl Port 2 (-> p1/3) gets a copy truncated to 100 bytes; port 4 (-> p2/5) gets
dnl the full packet. The in_port=3/5 drop flows exist only for their counters.
524 AT_CHECK([ovs-ofctl del-flows br0])
525 AT_DATA([flows.txt], [dnl
526 in_port=3 dl_dst=e6:66:c1:22:22:22 actions=drop
527 in_port=5 dl_dst=e6:66:c1:22:22:22 actions=drop
528 in_port=1 dl_dst=e6:66:c1:22:22:22 actions=output(port=2,max_len=100),output:4
530 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
532 dnl use this file as payload file for ncat
533 AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
534 on_exit 'rm -f payload200.bin'
535 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])
537 dnl packet with truncated size
dnl revalidator/purge pushes datapath flow stats up into the OpenFlow counters
dnl before they are read.
538 AT_CHECK([ovs-appctl revalidator/purge], [0])
539 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
542 dnl packet with original size
543 AT_CHECK([ovs-appctl revalidator/purge], [0])
544 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
548 dnl more complicated output actions
dnl Several outputs to the same port with different max_len values; the
dnl per-port byte totals below sum the individual (truncated) copies.
549 AT_CHECK([ovs-ofctl del-flows br0])
550 AT_DATA([flows.txt], [dnl
551 in_port=3 dl_dst=e6:66:c1:22:22:22 actions=drop
552 in_port=5 dl_dst=e6:66:c1:22:22:22 actions=drop
553 in_port=1 dl_dst=e6:66:c1:22:22:22 actions=output(port=2,max_len=100),output:4,output(port=2,max_len=100),output(port=4,max_len=100),output:2,output(port=4,max_len=200),output(port=2,max_len=65535)
555 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
557 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])
559 dnl 100 + 100 + 242 + min(65535,242) = 684
560 AT_CHECK([ovs-appctl revalidator/purge], [0])
561 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
564 dnl 242 + 100 + min(242,200) = 542
565 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
569 dnl SLOW_ACTION: disable kernel datapath truncate support
570 dnl Repeat the test above, but exercise the SLOW_ACTION code path
571 AT_CHECK([ovs-appctl dpif/set-dp-features br0 trunc false], [0])
573 dnl SLOW_ACTION test1: check datapath actions
574 AT_CHECK([ovs-ofctl del-flows br0])
575 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
dnl With trunc disabled the trace must still list the trunc() actions and
dnl report the flow as slow-pathed because the datapath cannot execute them.
577 AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=1,dl_type=0x800,dl_src=e6:66:c1:11:11:11,dl_dst=e6:66:c1:22:22:22,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,tp_src=8,tp_dst=9"], [0], [stdout])
578 AT_CHECK([tail -3 stdout], [0],
579 [Datapath actions: trunc(100),3,5,trunc(100),3,trunc(100),5,3,trunc(200),5,trunc(65535),3
580 This flow is handled by the userspace slow path because it:
581 - Uses action(s) not supported by datapath.
584 dnl SLOW_ACTION test2: check actual packet truncate
dnl Same byte-count expectations as the fast-path run above.
585 AT_CHECK([ovs-ofctl del-flows br0])
586 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
587 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])
589 dnl 100 + 100 + 242 + min(65535,242) = 684
590 AT_CHECK([ovs-appctl revalidator/purge], [0])
591 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
595 dnl 242 + 100 + min(242,200) = 542
596 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
600 OVS_TRAFFIC_VSWITCHD_STOP
603 dnl Create 2 bridges and 2 namespaces to test truncate over
605 dnl br0: overlay bridge
606 dnl ns1: connect to br0, with IP:10.1.1.2
607 dnl br-underlay: with IP: 172.31.1.100
608 dnl ns0: connect to br-underlay, with IP: 10.1.1.1
dnl
dnl Both directions are checked: truncation before tunnel push (at_ns1 ->
dnl at_ns0, measured on the underlay as the encapsulated size) and truncation
dnl after tunnel pop (at_ns0 -> at_ns1, measured on the p2/ovs-p2 loopback).
dnl The sequence is then repeated with datapath truncate support disabled.
609 AT_SETUP([datapath - truncate and output to gre tunnel])
610 AT_SKIP_IF([test $HAVE_NC = no])
612 OVS_TRAFFIC_VSWITCHD_START()
614 ADD_BR([br-underlay])
615 ADD_NAMESPACES(at_ns0)
616 ADD_NAMESPACES(at_ns1)
617 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
618 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
620 dnl Set up underlay link from host into the namespace using veth pair.
621 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
622 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
623 AT_CHECK([ip link set dev br-underlay up])
625 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
626 dnl linux device inside the namespace.
627 ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
628 ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
629 [], [address e6:66:c1:11:11:11])
dnl Tunnel port is OpenFlow port 1 on br0; fixed MACs and static ARP entries on
dnl both sides keep the frames deterministic and avoid an ARP exchange.
630 AT_CHECK([ovs-vsctl -- set interface at_gre0 ofport_request=1])
631 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
633 dnl Set up (p1 and ovs-p1) at br0
634 ADD_VETH(p1, at_ns1, br0, '10.1.1.2/24')
635 AT_CHECK([ovs-vsctl -- set interface ovs-p1 ofport_request=2])
636 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
637 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
639 dnl Set up (p2 and ovs-p2) as loopback for verifying packet size
640 AT_CHECK([ip link add p2 type veth peer name ovs-p2])
641 on_exit 'ip link del ovs-p2'
642 AT_CHECK([ip link set dev ovs-p2 up])
643 AT_CHECK([ip link set dev p2 up])
644 AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=3])
645 AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=4])
647 dnl use this file as payload file for ncat
648 AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
649 on_exit 'rm -f payload200.bin'
dnl br0: traffic arriving from the tunnel (port 1) is truncated to 100 bytes
dnl towards at_ns1 (port 2) and the loopback (port 3); UDP from at_ns1 (port 2)
dnl is truncated to 100 bytes before going into the tunnel. The in_port=4 drop
dnl flow only counts what came back through the loopback; everything else drops.
651 AT_CHECK([ovs-ofctl del-flows br0])
652 AT_DATA([flows.txt], [dnl
653 priority=99,in_port=1,actions=output(port=2,max_len=100),output(port=3,max_len=100)
654 priority=99,in_port=2,udp,actions=output(port=1,max_len=100)
655 priority=1,in_port=4,ip,actions=drop
656 priority=1,actions=drop
658 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
dnl br-underlay: only GRE (nw_proto=47) is forwarded, between the host-side
dnl LOCAL port and the namespace-side port 1; the LOCAL-side flow's counter is
dnl what measures the encapsulated, truncated size.
660 AT_CHECK([ovs-ofctl del-flows br-underlay])
661 AT_DATA([flows-underlay.txt], [dnl
662 priority=99,dl_type=0x0800,nw_proto=47,in_port=1,actions=LOCAL
663 priority=99,dl_type=0x0800,nw_proto=47,in_port=LOCAL,ip_dst=172.31.1.1/24,actions=1
664 priority=1,actions=drop
667 AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])
669 dnl check tunnel push path, from at_ns1 to at_ns0
670 NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
671 AT_CHECK([ovs-appctl revalidator/purge], [0])
673 dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
674 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
677 dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
678 AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
682 dnl check tunnel pop path, from at_ns0 to at_ns1
683 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 5678 < payload200.bin])
684 dnl After truncation = 100 byte at loopback device p2(4)
685 AT_CHECK([ovs-appctl revalidator/purge], [0])
686 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | ofctl_strip], [0], [dnl
687 n_packets=1, n_bytes=100, priority=1,ip,in_port=4 actions=drop
690 dnl SLOW_ACTION: disable datapath truncate support
691 dnl Repeat the test above, but exercise the SLOW_ACTION code path
692 AT_CHECK([ovs-appctl dpif/set-dp-features br0 trunc false], [0])
694 dnl SLOW_ACTION test1: check datapath actions
695 AT_CHECK([ovs-ofctl del-flows br0])
696 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
698 dnl SLOW_ACTION test2: check actual packet truncate
dnl Re-installing the flows resets their counters so the expectations below
dnl match a single fresh packet per direction.
699 AT_CHECK([ovs-ofctl del-flows br0])
700 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
701 AT_CHECK([ovs-ofctl del-flows br-underlay])
702 AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])
704 dnl check tunnel push path, from at_ns1 to at_ns0
705 NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
706 AT_CHECK([ovs-appctl revalidator/purge], [0])
708 dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
709 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
712 dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
713 AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
717 dnl check tunnel pop path, from at_ns0 to at_ns1
718 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 5678 < payload200.bin])
719 dnl After truncation = 100 byte at loopback device p2(4)
720 AT_CHECK([ovs-appctl revalidator/purge], [0])
721 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | ofctl_strip], [0], [dnl
722 n_packets=1, n_bytes=100, priority=1,ip,in_port=4 actions=drop
725 OVS_TRAFFIC_VSWITCHD_STOP
728 AT_BANNER([conntrack])
730 AT_SETUP([conntrack - controller])
dnl Stateful-filtering check using hand-built UDP packets injected with
dnl packet-out: a "reply" from port 2 with no matching connection must be
dnl dropped, while the same reply after port 1 has committed the connection
dnl must reach the controller carrying est|rpl|trk conntrack state.
732 OVS_TRAFFIC_VSWITCHD_START()
dnl Debug logging for the datapath/upcall layers, useful when the test fails.
733 AT_CHECK([ovs-appctl vlog/set dpif:dbg dpif_netdev:dbg ofproto_dpif_upcall:dbg])
735 ADD_NAMESPACES(at_ns0, at_ns1)
737 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
738 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
740 dnl Allow any UDP from port 1 (ns0->ns1), committing it to conntrack. From
dnl port 2 (ns1->ns0) only allow ARP and UDP that conntrack classifies as an
dnl established connection; untracked UDP is first sent through ct(table=0)
dnl and, lacking an entry, falls through to the priority=1 drop.
741 AT_DATA([flows.txt], [dnl
742 priority=1,action=drop
743 priority=10,arp,action=normal
744 priority=100,in_port=1,udp,action=ct(commit),controller
745 priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
746 priority=100,in_port=2,ct_state=+trk+est,udp,action=controller
749 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
751 AT_CAPTURE_FILE([ofctl_monitor.log])
752 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
754 dnl Send an unsolicited reply from port 2. This should be dropped.
dnl The hex is a UDP datagram 10.1.1.2:2 -> 10.1.1.1:1 (see the decode in the
dnl expected monitor output below).
755 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000'])
757 dnl OK, now start a new connection from port 1.
dnl UDP 10.1.1.1:1 -> 10.1.1.2:2; ct(commit) creates the conntrack entry.
758 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit\),controller '50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000'])
760 dnl Now try a reply from port 2.
761 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000'])
763 dnl Check this output. We only see the latter two packets, not the first.
764 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
765 NXT_PACKET_IN2 (xid=0x0): total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
766 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
767 NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,ct_nw_src=10.1.1.1,ct_nw_dst=10.1.1.2,ct_nw_proto=17,ct_tp_src=1,ct_tp_dst=2,in_port=2 (via action) data_len=42 (unbuffered)
768 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
771 OVS_TRAFFIC_VSWITCHD_STOP
774 AT_SETUP([conntrack - force commit])
dnl Checks ct(force,commit): a forced commit re-creates the connection with the
dnl current packet as the "original" direction even though an entry for the
dnl reverse direction already exists. The dump-conntrack checks at the end
dnl confirm the orig/reply tuples flip each time the other side forces a commit.
776 OVS_TRAFFIC_VSWITCHD_START()
777 AT_CHECK([ovs-appctl vlog/set dpif:dbg dpif_netdev:dbg ofproto_dpif_upcall:dbg])
779 ADD_NAMESPACES(at_ns0, at_ns1)
781 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
782 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Port 1 UDP: force-commit and send to the controller. Port 2 UDP: track
dnl first; if established, force-commit (reversing direction) and continue in
dnl table 1, which sends tracked packets to the controller. Untracked traffic
dnl with no entry falls through to the priority=1 drop.
784 AT_DATA([flows.txt], [dnl
785 priority=1,action=drop
786 priority=10,arp,action=normal
787 priority=100,in_port=1,udp,action=ct(force,commit),controller
788 priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
789 priority=100,in_port=2,ct_state=+trk+est,udp,action=ct(force,commit,table=1)
790 table=1,in_port=2,ct_state=+trk,udp,action=controller
793 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
795 AT_CAPTURE_FILE([ofctl_monitor.log])
796 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
798 dnl Send an unsolicited reply from port 2. This should be dropped.
dnl Packets are injected with packet-out and resubmitted to table 0 so they
dnl traverse the flow table exactly as received traffic would.
799 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000 actions=resubmit(,0)"])
801 dnl OK, now start a new connection from port 1.
802 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 actions=resubmit(,0)"])
804 dnl Now try a reply from port 2.
805 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000 actions=resubmit(,0)"])
807 AT_CHECK([ovs-appctl revalidator/purge], [0])
809 dnl Check this output. We only see the latter two packets, not the first.
dnl Note the second packet-in reports ct_state=new|trk from table 1: after the
dnl forced commit the reply is the start of a new connection, not a reply.
810 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
811 NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
812 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
813 NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=42 ct_state=new|trk,ct_nw_src=10.1.1.2,ct_nw_dst=10.1.1.1,ct_nw_proto=17,ct_tp_src=2,ct_tp_dst=1,in_port=2 (via action) data_len=42 (unbuffered)
814 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
818 dnl Check that the directionality has been changed by force commit.
dnl The entry's orig tuple is now 10.1.1.2 -> 10.1.1.1, i.e. port 2's packet.
820 AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.2,"], [], [dnl
821 udp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1),reply=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2)
824 dnl OK, now send another packet from port 1 and see that it switches again
825 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 actions=resubmit(,0)"])
826 AT_CHECK([ovs-appctl revalidator/purge], [0])
828 AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.1,"], [], [dnl
829 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),reply=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1)
832 OVS_TRAFFIC_VSWITCHD_STOP
835 AT_SETUP([conntrack - IPv4 ping])
dnl Stateful ICMP policy in one direction: echo requests may originate only
dnl from ns0 (port 1); ns1 (port 2) may send only replies that match a
dnl committed request. Verifies the resulting conntrack entry and that the
dnl reverse direction is blocked once the entry is gone.
837 OVS_TRAFFIC_VSWITCHD_START()
839 ADD_NAMESPACES(at_ns0, at_ns1)
dnl p0 is OpenFlow port 1, p1 is port 2 (the flows below depend on this).
841 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
842 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
844 dnl Allow any ICMP from ns0->ns1 and commit it. From ns1->ns0 allow only
dnl return traffic of an established entry; ARP is switched normally and
dnl everything else is dropped.
845 AT_DATA([flows.txt], [dnl
846 priority=1,action=drop
847 priority=10,arp,action=normal
848 priority=100,in_port=1,icmp,action=ct(commit),2
dnl An echo request originating at ns1 is classified as +new after tracking,
dnl not +est, so it matches neither rule below and hits the drop.
849 priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
850 priority=100,in_port=2,icmp,ct_state=+trk+est,action=1
853 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
855 dnl Pings from ns0->ns1 should work fine.
856 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
857 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl The committed entry records the echo request as orig and the reply as its
dnl reply tuple (FORMAT_CT clears the ICMP id).
860 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
861 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0)
dnl Drop the entry so the reverse ping below cannot be classified as a reply
dnl to the forward one.
864 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
866 dnl Pings from ns1->ns0 should fail.
dnl With no replies ping keeps sending until the -w 2 deadline, hence 7 sent;
dnl the expected status 0 is the pipeline's (FORMAT_PING), not ping's own.
867 NS_CHECK_EXEC([at_ns1], [ping -q -c 3 -i 0.3 -w 2 10.1.1.1 | FORMAT_PING], [0], [dnl
868 7 packets transmitted, 0 received, 100% packet loss, time 0ms
871 OVS_TRAFFIC_VSWITCHD_STOP
874 AT_SETUP([conntrack - IPv6 ping])
dnl IPv6 counterpart of the IPv4 ping test: only ICMPv6 echo request/reply is
dnl subject to the stateful policy in table 1; ns0 may originate, ns1 may only
dnl answer an established entry.
876 OVS_TRAFFIC_VSWITCHD_START()
878 ADD_NAMESPACES(at_ns0, at_ns1)
dnl p0 is OpenFlow port 1, p1 is port 2.
880 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
881 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
883 AT_DATA([flows.txt], [dnl
885 dnl ICMPv6 echo request and reply go to table 1. The rest of the traffic goes
886 dnl through normal action.
dnl Note that the table 0 fallback means everything that is not an echo
dnl (including neighbour discovery, which ping6 needs to resolve fc00::2) is
dnl switched freely and never reaches the conntrack policy in table 1.
887 table=0,priority=10,icmp6,icmp_type=128,action=goto_table:1
888 table=0,priority=10,icmp6,icmp_type=129,action=goto_table:1
889 table=0,priority=1,action=normal
891 dnl Allow everything from ns0->ns1. Only allow return traffic from ns1->ns0.
892 table=1,priority=100,in_port=1,icmp6,action=ct(commit),2
893 table=1,priority=100,in_port=2,icmp6,ct_state=-trk,action=ct(table=0)
894 table=1,priority=100,in_port=2,icmp6,ct_state=+trk+est,action=1
895 table=1,priority=1,action=drop
898 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Wait until a first ping succeeds (presumably so that neighbour discovery
dnl and address setup have settled before the counted pings below).
900 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
902 dnl The above ping creates state in the connection tracker. We're not
903 dnl interested in that state.
904 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
906 dnl Pings from ns1->ns0 should fail.
dnl 7 packets: with no replies ping6 keeps sending until the -w 2 deadline.
dnl The expected status 0 is the pipeline's (FORMAT_PING), not ping6's own.
907 NS_CHECK_EXEC([at_ns1], [ping6 -q -c 3 -i 0.3 -w 2 fc00::1 | FORMAT_PING], [0], [dnl
908 7 packets transmitted, 0 received, 100% packet loss, time 0ms
911 dnl Pings from ns0->ns1 should work fine.
912 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
913 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl The committed entry pairs the echo request (type 128) with its reply
dnl (type 129); FORMAT_CT clears the ICMP id.
916 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
917 icmpv6,orig=(src=fc00::1,dst=fc00::2,id=<cleared>,type=128,code=0),reply=(src=fc00::2,dst=fc00::1,id=<cleared>,type=129,code=0)
920 OVS_TRAFFIC_VSWITCHD_STOP
923 AT_SETUP([conntrack - preserve registers])
dnl Checks that a register value loaded before ct(table=0) survives the
dnl recirculation: the p2<->p3 pipeline only forwards once reg0 has been seen
dnl as 0 after the first ct() and then set to 1 before the commit. The p0<->p1
dnl pair is a plain control path without registers.
dnl
dnl Note that these flows are a register test, not a firewall policy: the
dnl return-side rules match any tracked TCP (+trk, including +new) rather than
dnl requiring +est, so they do not enforce reply-only traffic.
925 OVS_TRAFFIC_VSWITCHD_START()
927 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
dnl p0..p3 are OpenFlow ports 1..4 in this order.
929 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
930 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
931 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
932 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
934 dnl Allow any traffic from ns0->ns1, ns2->ns3.
935 AT_DATA([flows.txt], [dnl
936 priority=1,action=drop
937 priority=10,arp,action=normal
938 priority=10,icmp,action=normal
dnl Control pair: commit on the way out, track on the way back.
939 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
940 priority=100,in_port=1,tcp,ct_state=+trk,action=2
941 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
942 priority=100,in_port=2,tcp,ct_state=+trk,action=1
dnl Register pair: reg0 is cleared before the first ct(), must still read 0
dnl after recirculation, is then set to 1 before the commit, and must still
dnl read 1 after the second recirculation for the packet to be output.
943 priority=100,in_port=3,tcp,ct_state=-trk,action=load:0->NXM_NX_REG0[[]],ct(table=0)
944 priority=100,in_port=3,tcp,ct_state=+trk,reg0=0,action=load:1->NXM_NX_REG0[[]],ct(commit,table=0)
945 priority=100,in_port=3,tcp,ct_state=+trk,reg0=1,action=4
946 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
947 priority=100,in_port=4,tcp,ct_state=+trk,action=3
950 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
952 OVS_START_L7([at_ns1], [http])
953 OVS_START_L7([at_ns3], [http])
955 dnl HTTP requests from p0->p1 should work fine.
956 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
958 dnl HTTP requests from p2->p3 should work fine.
dnl This only succeeds if reg0 was preserved across both ct() recirculations.
959 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
961 OVS_TRAFFIC_VSWITCHD_STOP
964 AT_SETUP([conntrack - invalid])
dnl Shows what conntrack does with return traffic for a connection that was
dnl tracked but never committed: the reply is classified +inv, not +new, so a
dnl policy that admits only +new or +est on the return path blocks it, while a
dnl policy that admits +inv lets the connection complete.
966 OVS_TRAFFIC_VSWITCHD_START()
968 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
dnl p0..p3 are OpenFlow ports 1..4 in this order.
970 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
971 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
972 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
973 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
975 dnl Pass traffic from ns0->ns1 without committing, but attempt to track in
976 dnl the opposite direction. This should fail.
977 dnl Pass traffic from ns2->ns3 without committing, and this time match
978 dnl invalid traffic and allow it through.
979 AT_DATA([flows.txt], [dnl
980 priority=1,action=drop
981 priority=10,arp,action=normal
982 priority=10,icmp,action=normal
dnl ct() without commit: the request is inspected but no entry is created.
983 priority=100,in_port=1,tcp,action=ct(),2
984 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
985 priority=100,in_port=2,ct_state=+trk+new,tcp,action=1
986 priority=100,in_port=3,tcp,action=ct(),4
987 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
dnl Security note: admitting +inv forwards packets conntrack could not relate
dnl to any entry, i.e. it bypasses the stateful check. That is the point of
dnl this pair, not a pattern to copy into a real policy.
988 priority=100,in_port=4,ct_state=+trk+inv,tcp,action=3
989 priority=100,in_port=4,ct_state=+trk+new,tcp,action=3
992 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
994 dnl We set up our rules to allow the request without committing. The return
995 dnl traffic can't be identified, because the initial request wasn't committed.
996 dnl For the first pair of ports, this means that the connection fails.
997 OVS_START_L7([at_ns1], [http])
998 OVS_START_L7([at_ns3], [http])
dnl wget exit status 4 is "network failure": the SYN-ACK never reaches ns0.
999 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4])
1001 dnl For the second pair, we allow packets from invalid connections, so it works.
1002 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
1004 OVS_TRAFFIC_VSWITCHD_STOP
1007 AT_SETUP([conntrack - zones])
dnl Conntrack zones isolate state: an entry committed in zone 1 is invisible
dnl to a lookup in zone 2. The p0<->p1 pair is consistent (zone 1 both ways)
dnl and works; the p2<->p3 pair commits in zone 2 but the return rule requires
dnl ct_zone=1, so the reply never matches and the connection fails even though
dnl a zone=2 entry exists.
1009 OVS_TRAFFIC_VSWITCHD_START()
1011 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
dnl p0..p3 are OpenFlow ports 1..4 in this order.
1013 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1014 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1015 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1016 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1018 dnl Allow any traffic from ns0->ns1. Allow return traffic, matching on zone.
1019 dnl For ns2->ns3, use a different zone and see that the match fails.
1020 AT_DATA([flows.txt], [dnl
1021 priority=1,action=drop
1022 priority=10,arp,action=normal
1023 priority=10,icmp,action=normal
1024 priority=100,in_port=1,tcp,action=ct(commit,zone=1),2
1025 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
1026 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
1027 priority=100,in_port=3,tcp,action=ct(commit,zone=2),4
1028 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0,zone=2)
dnl Deliberate mismatch: tracked in zone 2, but the rule asks for ct_zone=1.
1029 priority=100,in_port=4,ct_state=+trk,ct_zone=1,tcp,action=3
1032 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1034 OVS_START_L7([at_ns1], [http])
1035 OVS_START_L7([at_ns3], [http])
1037 dnl HTTP requests from p0->p1 should work fine.
1038 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1040 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1041 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1044 dnl HTTP requests from p2->p3 should fail due to network failure.
1045 dnl Try 3 times, in 1 second intervals.
dnl No --retry-connrefused here: the failure expected is a timeout (wget
dnl status 4), not a refused connection.
1046 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl The commit in zone 2 did happen; only the return-path zone match failed.
1048 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
1049 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
1052 OVS_TRAFFIC_VSWITCHD_STOP
1055 AT_SETUP([conntrack - zones from field])
dnl Same as the "zones" test, but the zone is taken from a register field
dnl (reg0[0..15]) instead of an immediate: 0x1001 (4097) for p0<->p1 and
dnl 0x1002 (4098) for p2<->p3. The p2<->p3 return rule again requires the
dnl wrong zone on purpose, so that connection must fail.
1057 OVS_TRAFFIC_VSWITCHD_START()
1059 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
dnl p0..p3 are OpenFlow ports 1..4 in this order.
1061 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1062 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1063 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1064 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1066 dnl Allow any traffic from ns0->ns1, committing in a zone read from reg0.
dnl Only return traffic tracked in that same zone is allowed from ns1->ns0.
dnl For ns2->ns3 the return rule matches a different zone, so it fails.
1067 AT_DATA([flows.txt], [dnl
1068 priority=1,action=drop
1069 priority=10,arp,action=normal
1070 priority=10,icmp,action=normal
1071 priority=100,in_port=1,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),2
1072 priority=100,in_port=2,ct_state=-trk,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
1073 priority=100,in_port=2,ct_state=+trk,ct_zone=0x1001,tcp,action=1
1074 priority=100,in_port=3,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),4
1075 priority=100,in_port=4,ct_state=-trk,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
dnl Deliberate mismatch: tracked in zone 0x1002, rule requires ct_zone=0x1001.
1076 priority=100,in_port=4,ct_state=+trk,ct_zone=0x1001,tcp,action=3
1079 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1081 OVS_START_L7([at_ns1], [http])
1082 OVS_START_L7([at_ns3], [http])
1084 dnl HTTP requests from p0->p1 should work fine.
1085 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl zone=4097 is 0x1001 in decimal, i.e. the value loaded into reg0.
1087 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1088 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=4097,protoinfo=(state=<cleared>)
1091 dnl HTTP requests from p2->p3 should fail due to network failure.
1092 dnl Try 3 times, in 1 second intervals.
1093 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl The entry was committed in zone 4098 (0x1002); only the return match failed.
1095 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
1096 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=4098,protoinfo=(state=<cleared>)
1099 OVS_TRAFFIC_VSWITCHD_STOP
1102 AT_SETUP([conntrack - multiple bridges])
dnl Two bridges joined by a patch port, each running its own conntrack policy
dnl in its own zone (1 on br0, 2 on br1). The br1 rules treat traffic arriving
dnl from the patch port as untracked, i.e. conntrack state does not carry over
dnl the patch link and each bridge has to run ct() itself.
1104 OVS_TRAFFIC_VSWITCHD_START(
dnl The patch ports are created before the veths, so (presumably) patch+ is
dnl port 1 on br0 and patch- is port 1 on br1; p0/p1 become port 2 on their
dnl bridge. The flow files below are written for that numbering.
1106 add-port br0 patch+ -- set int patch+ type=patch options:peer=patch- --\
1107 add-port br1 patch- -- set int patch- type=patch options:peer=patch+ --])
1109 ADD_NAMESPACES(at_ns0, at_ns1)
1111 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1112 ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")
1114 dnl Allow any traffic from ns0->br1, allow established in reverse.
1115 AT_DATA([flows-br0.txt], [dnl
1116 priority=1,action=drop
1117 priority=10,arp,action=normal
1118 priority=10,icmp,action=normal
dnl in_port=2 is p0 (ns0): commit in zone 1 and send over the patch port.
1119 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(commit,zone=1),1
dnl in_port=1 is the patch port: only established zone-1 traffic goes to ns0.
1120 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
1121 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=1,action=2
1124 dnl Allow any traffic from br0->ns1, allow established in reverse.
1125 AT_DATA([flows-br1.txt], [dnl
1126 priority=1,action=drop
1127 priority=10,arp,action=normal
1128 priority=10,icmp,action=normal
dnl in_port=1 is the patch port: new connections are committed in zone 2 and
dnl established ones passed on, both towards p1 (ns1).
1129 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=2)
1130 priority=100,in_port=1,tcp,ct_state=+trk+new,ct_zone=2,action=ct(commit,zone=2),2
1131 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=2,action=2
dnl in_port=2 is p1 (ns1): only established zone-2 traffic goes back to br0.
1132 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
1133 priority=100,in_port=2,tcp,ct_state=+trk+est,ct_zone=2,action=ct(commit,zone=2),1
1136 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
1137 AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt])
1139 dnl HTTP requests from p0->p1 should work fine.
1140 OVS_START_L7([at_ns1], [http])
1141 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1143 OVS_TRAFFIC_VSWITCHD_STOP
1146 AT_SETUP([conntrack - multiple zones])
dnl One packet committed into two zones by chaining two ct(commit) actions.
dnl The return path tracks only in zone 2; the dump at the end shows that
dnl separate entries exist for the same 5-tuple in zone 1 and zone 2.
1148 OVS_TRAFFIC_VSWITCHD_START()
1150 ADD_NAMESPACES(at_ns0, at_ns1)
dnl p0 is OpenFlow port 1, p1 is port 2.
1152 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1153 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1155 dnl Allow any TCP from ns0->ns1, committing it in zones 1 and 2. Only
dnl traffic tracked in zone 2 is allowed back from ns1->ns0; ARP and ICMP are
dnl switched normally.
1156 AT_DATA([flows.txt], [dnl
1157 priority=1,action=drop
1158 priority=10,arp,action=normal
1159 priority=10,icmp,action=normal
1160 priority=100,in_port=1,tcp,action=ct(commit,zone=1),ct(commit,zone=2),2
1161 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=2)
1162 priority=100,in_port=2,ct_state=+trk,ct_zone=2,tcp,action=1
1165 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1167 OVS_START_L7([at_ns1], [http])
1169 dnl HTTP requests from p0->p1 should work fine.
1170 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1172 dnl (again) HTTP requests from p0->p1 should work fine.
1173 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Both zones hold an entry for the connection.
1175 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1176 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1177 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
1180 OVS_TRAFFIC_VSWITCHD_STOP
1183 AT_SETUP([conntrack - multiple namespaces, internal ports])
dnl Same zone-1 policy as the veth tests, but the endpoints are OVS internal
dnl ports moved into namespaces. The point (see the note above flows.txt) is
dnl that conntrack state attached to a packet inside a namespace must not
dnl leak into the bridge's own ct() lookups.
dnl Skipped where the local stack's conntrack cannot be used (see the macro).
1185 CHECK_CONNTRACK_LOCAL_STACK()
dnl fail-mode secure: with no controller the bridge forwards only per the
dnl installed flows instead of falling back to NORMAL switching, so nothing
dnl passes except what flows.txt allows.
1186 OVS_TRAFFIC_VSWITCHD_START(
1187 [set-fail-mode br0 secure -- ])
1189 ADD_NAMESPACES(at_ns0, at_ns1)
dnl p0 is OpenFlow port 1, p1 is port 2.
1191 ADD_INT(p0, at_ns0, br0, "10.1.1.1/24")
1192 ADD_INT(p1, at_ns1, br0, "10.1.1.2/24")
1194 dnl Allow any TCP from ns0->ns1, committed in zone 1. Only traffic tracked
dnl in zone 1 is allowed back from ns1->ns0; ARP and ICMP are switched
dnl normally.
1196 dnl If skb->nfct is leaking from inside the namespace, this test will fail.
1197 AT_DATA([flows.txt], [dnl
1198 priority=1,action=drop
1199 priority=10,arp,action=normal
1200 priority=10,icmp,action=normal
1201 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=1),2
1202 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
1203 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
1206 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1208 OVS_START_L7([at_ns1], [http])
1210 dnl HTTP requests from p0->p1 should work fine.
1211 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1213 dnl (again) HTTP requests from p0->p1 should work fine.
1214 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1216 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1217 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
dnl The internal ports live inside the namespaces, so teardown (presumably)
dnl cannot find them from the root namespace; those messages are filtered out
dnl of the expected stderr rather than treated as errors.
1220 OVS_TRAFFIC_VSWITCHD_STOP(["dnl
1221 /ioctl(SIOCGIFINDEX) on .* device failed: No such device/d
1222 /removing policing failed: No such device/d"])
1225 AT_SETUP([conntrack - ct_mark])
dnl ct_mark is metadata stored with the conntrack entry and restored to every
dnl later packet of the connection, in both directions. The p0<->p1 pair sets
dnl mark 1 and requires it on the return path; the p2<->p3 pair sets mark 2
dnl but its return rule also requires mark 1, so that connection must fail.
1227 OVS_TRAFFIC_VSWITCHD_START()
1229 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
dnl p0..p3 are OpenFlow ports 1..4 in this order.
1231 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1232 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1233 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1234 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1236 dnl Allow traffic between ns0<->ns1 using the ct_mark.
1237 dnl Check that different marks do not match for traffic between ns2<->ns3.
1238 AT_DATA([flows.txt], [dnl
1239 priority=1,action=drop
1240 priority=10,arp,action=normal
1241 priority=10,icmp,action=normal
dnl The mark is written inside exec() at commit time.
1242 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
1243 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1244 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
1245 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:2->ct_mark)),4
1246 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
dnl Deliberate mismatch: the entry carries mark 2, the rule requires mark 1.
1247 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
1250 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1252 OVS_START_L7([at_ns1], [http])
1253 OVS_START_L7([at_ns3], [http])
1255 dnl HTTP requests from p0->p1 should work fine.
1256 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1257 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1258 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=<cleared>)
1261 dnl HTTP requests from p2->p3 should fail due to network failure.
1262 dnl Try 3 times, in 1 second intervals.
1263 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl The entry exists with mark=2; only the return-path mark match failed.
1264 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
1265 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=<cleared>)
1268 OVS_TRAFFIC_VSWITCHD_STOP
1271 AT_SETUP([conntrack - ct_mark bit-fiddling])
dnl Masked writes to ct_mark. The SYN from port 1 commits with 0x5/0x5 (bits 0
dnl and 2 set -> mark 0x5); the reply from port 2 recommits with 0x2/0x6
dnl (bit 1 set, bit 2 cleared, bit 0 untouched) -> mark 0x3, which is what the
dnl table 1 return rule and the final dump expect.
1273 OVS_TRAFFIC_VSWITCHD_START()
dnl Only at_ns0/at_ns1 are used below; at_ns2/at_ns3 are created but idle.
1275 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
dnl p0 is OpenFlow port 1, p1 is port 2.
1277 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1278 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1280 dnl Allow traffic between ns0<->ns1 using the ct_mark. Return traffic should
1281 dnl cause an additional bit to be set in the connection (and be allowed).
dnl Note: the in_port=2 rule in table 0 commits any untracked TCP from port 2,
dnl including unsolicited connections; those end up with mark 0x2, never
dnl match ct_mark=3 in table 1, and so are not forwarded. Table 1 has no
dnl explicit drop rule and relies on table-miss behaviour for that.
1282 AT_DATA([flows.txt], [dnl
1283 table=0,priority=1,action=drop
1284 table=0,priority=10,arp,action=normal
1285 table=0,priority=10,icmp,action=normal
1286 table=0,priority=100,in_port=1,tcp,action=ct(table=1)
1287 table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x2/0x6->ct_mark))
1288 table=1,in_port=1,ct_state=+new,tcp,action=ct(commit,exec(set_field:0x5/0x5->ct_mark)),2
1289 table=1,in_port=1,ct_state=-new,tcp,action=2
1290 table=1,in_port=2,ct_state=+trk,ct_mark=3,tcp,action=1
1293 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1295 OVS_START_L7([at_ns1], [http])
1297 dnl HTTP requests from p0->p1 should work fine.
1298 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl mark=3: bit 0 from the port-1 commit, bit 1 from the port-2 recommit, bit 2
dnl cleared again by the port-2 mask.
1300 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1301 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=3,protoinfo=(state=<cleared>)
1304 OVS_TRAFFIC_VSWITCHD_STOP
1307 AT_SETUP([conntrack - ct_mark from register])
dnl Same as the ct_mark test, but the mark is copied from reg0 with a move
dnl inside exec() instead of being set from an immediate. p0<->p1 use mark 1;
dnl p2<->p3 commit mark 2 but the return rule requires mark 1, so that
dnl connection must fail.
1309 OVS_TRAFFIC_VSWITCHD_START()
1311 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
dnl p0..p3 are OpenFlow ports 1..4 in this order.
1313 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1314 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1315 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1316 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1318 dnl Allow any TCP from ns0->ns1, marking the entry from reg0. Only return
dnl traffic carrying mark 1 is allowed from ns1->ns0 (and, deliberately
dnl wrongly, from ns3->ns2); ARP and ICMP are switched normally.
1319 AT_DATA([flows.txt], [dnl
1320 priority=1,action=drop
1321 priority=10,arp,action=normal
1322 priority=10,icmp,action=normal
1323 priority=100,in_port=1,tcp,action=load:1->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),2
1324 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1325 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
1326 priority=100,in_port=3,tcp,action=load:2->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),4
1327 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
dnl Deliberate mismatch: the entry carries mark 2, the rule requires mark 1.
1328 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
1331 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1333 OVS_START_L7([at_ns1], [http])
1334 OVS_START_L7([at_ns3], [http])
1336 dnl HTTP requests from p0->p1 should work fine.
1337 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1338 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1339 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=<cleared>)
1342 dnl HTTP requests from p2->p3 should fail due to network failure.
1343 dnl Try 3 times, in 1 second intervals.
1344 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl The entry exists with mark=2; only the return-path mark match failed.
1345 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
1346 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=<cleared>)
1349 OVS_TRAFFIC_VSWITCHD_STOP
1352 AT_SETUP([conntrack - ct_label])
dnl ct_label is the 128-bit counterpart of ct_mark. The p0<->p1 pair sets a
dnl wide label and requires the same value on the return path; the p2<->p3
dnl pair sets label 0x2 but its return rule requires the p0<->p1 label, so
dnl that connection must fail.
1354 OVS_TRAFFIC_VSWITCHD_START()
1356 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
dnl p0..p3 are OpenFlow ports 1..4 in this order.
1358 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1359 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1360 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1361 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1363 dnl Allow traffic between ns0<->ns1 using the ct_label.
1364 dnl Check that different labels do not match for traffic between ns2<->ns3.
1365 AT_DATA([flows.txt], [dnl
1366 priority=1,action=drop
1367 priority=10,arp,action=normal
1368 priority=10,icmp,action=normal
dnl The label is written inside exec() at commit time.
1369 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:0x0a000d000005000001->ct_label)),2
1370 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1371 priority=100,in_port=2,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=1
1372 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:0x2->ct_label)),4
1373 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
dnl Deliberate mismatch: the entry carries label 0x2, the rule requires the
dnl p0<->p1 label.
1374 priority=100,in_port=4,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=3
1377 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1379 OVS_START_L7([at_ns1], [http])
1380 OVS_START_L7([at_ns3], [http])
1382 dnl HTTP requests from p0->p1 should work fine.
1383 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1385 dnl HTTP requests from p2->p3 should fail due to network failure.
1386 dnl Try 3 times, in 1 second intervals.
1387 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
1389 OVS_TRAFFIC_VSWITCHD_STOP
1392 AT_SETUP([conntrack - ct_label bit-fiddling])
dnl Masked writes to ct_label. The SYN from port 1 commits with 0x5/0x5 (bits
dnl 0 and 2 set -> label 0x5); the reply from port 2 recommits with
dnl 0x200000000/0x200000004 (bit 33 set, bit 2 cleared, everything else
dnl untouched) -> label 0x200000001, which the table 1 return rule and the
dnl final dump expect.
1394 OVS_TRAFFIC_VSWITCHD_START()
dnl Only at_ns0/at_ns1 are used below; at_ns2/at_ns3 are created but idle.
1396 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
dnl p0 is OpenFlow port 1, p1 is port 2.
1398 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1399 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1401 dnl Allow traffic between ns0<->ns1 using the ct_labels. Return traffic should
1402 dnl cause an additional bit to be set in the connection labels (and be allowed)
dnl Note: the in_port=2 rule in table 0 commits any untracked TCP from port 2,
dnl including unsolicited connections; those never carry label 0x200000001
dnl and so do not match the table 1 return rule. Table 1 has no explicit drop
dnl rule and relies on table-miss behaviour for that.
1403 AT_DATA([flows.txt], [dnl
1404 table=0,priority=1,action=drop
1405 table=0,priority=10,arp,action=normal
1406 table=0,priority=10,icmp,action=normal
1407 table=0,priority=100,in_port=1,tcp,action=ct(table=1)
1408 table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label))
1409 table=1,in_port=1,tcp,ct_state=+new,action=ct(commit,exec(set_field:0x5/0x5->ct_label)),2
1410 table=1,in_port=1,tcp,ct_state=-new,action=2
1411 table=1,in_port=2,ct_state=+trk,ct_label=0x200000001,tcp,action=1
1414 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1416 OVS_START_L7([at_ns1], [http])
1418 dnl HTTP requests from p0->p1 should work fine.
1419 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl labels=0x200000001: bit 0 from the port-1 commit, bit 33 from the port-2
dnl recommit, bit 2 cleared again by the port-2 mask.
1421 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1422 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),labels=0x200000001,protoinfo=(state=<cleared>)
1425 OVS_TRAFFIC_VSWITCHD_STOP
1428 AT_SETUP([conntrack - ct metadata, multiple zones])
dnl ct_mark/ct_label are per zone: the same connection is committed in zone 1
dnl with masked mark and label writes and in zone 2 without any exec(); the
dnl final dump must show the metadata on the zone 1 entry only.
dnl
dnl Note that this is a metadata-isolation test, not a reply-only policy: the
dnl table 1 in_port=2 rule forwards to port 1 regardless of conntrack state,
dnl and the ct(zone=2) actions in table 1 have no table=, so they do not
dnl recirculate and their result is never matched on.
1430 OVS_TRAFFIC_VSWITCHD_START()
dnl Only at_ns0/at_ns1 are used below; at_ns2/at_ns3 are created but idle.
1432 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
dnl p0 is OpenFlow port 1, p1 is port 2.
1434 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1435 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1437 dnl Allow traffic between ns0<->ns1 using the ct_mark and ct_labels in zone=1,
1438 dnl but do *not* set any of these for the ct() in zone=2. Traffic should pass,
1439 dnl and we should see that the conntrack entries only apply the ct_mark and
1440 dnl ct_labels to the connection in zone=1.
1441 AT_DATA([flows.txt], [dnl
1442 table=0,priority=1,action=drop
1443 table=0,priority=10,arp,action=normal
1444 table=0,priority=10,icmp,action=normal
1445 table=0,priority=100,in_port=1,tcp,action=ct(zone=1,table=1)
dnl Port 2: recommit in zone 1 with masked writes (label bit 33 set / bit 2
dnl cleared, mark bit 1 set / bit 2 cleared).
1446 table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(zone=1,table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label,set_field:0x2/0x6->ct_mark))
dnl Port 1, new connection: commit in zone 1 with mark/label 0x5/0x5, then
dnl commit in zone 2 with no metadata at all.
1447 table=1,in_port=1,tcp,ct_state=+new,action=ct(zone=1,commit,exec(set_field:0x5/0x5->ct_label,set_field:0x5/0x5->ct_mark)),ct(commit,zone=2),2
1448 table=1,in_port=1,tcp,ct_state=-new,action=ct(zone=2),2
1449 table=1,in_port=2,tcp,action=ct(zone=2),1
1452 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1454 OVS_START_L7([at_ns1], [http])
1456 dnl HTTP requests from p0->p1 should work fine.
1457 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Zone 1 ends with mark=3 and labels=0x200000001 (the two masked writes
dnl combined); zone 2 carries no mark or labels.
1459 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1460 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,mark=3,labels=0x200000001,protoinfo=(state=<cleared>)
1461 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
1464 OVS_TRAFFIC_VSWITCHD_STOP
1467 AT_SETUP([conntrack - ICMP related])
dnl An ICMP error that quotes a tracked UDP flow is classified +rel and
dnl inherits the parent entry's ct_mark, so the return rule can gate ICMP
dnl errors on the mark of the connection they refer to. The UDP datagram is
dnl sent to a port nobody listens on in ns1, which solicits the error.
1468 AT_SKIP_IF([test $HAVE_NC = no])
1470 OVS_TRAFFIC_VSWITCHD_START()
1472 ADD_NAMESPACES(at_ns0, at_ns1)
dnl p0 is OpenFlow port 1, p1 is port 2.
1474 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1475 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1477 dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
1478 AT_DATA([flows.txt], [dnl
1479 priority=1,action=drop
1480 priority=10,arp,action=normal
1481 priority=100,in_port=1,udp,action=ct(commit,exec(set_field:1->ct_mark)),2
dnl ICMP from port 2 is tracked and only forwarded if it is related to an
dnl entry carrying mark 1; unrelated ICMP falls through to the drop.
1482 priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
1483 priority=100,in_port=2,icmp,ct_state=+trk+rel,ct_mark=1,action=1
1486 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1488 dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
1489 NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])
dnl Purge so the flow counters below are up to date, then check the hit
dnl counts: one UDP datagram out, one related ICMP tracked and forwarded.
dnl "grep -v drop" hides the catch-all rule, so drops are not asserted here.
1491 AT_CHECK([ovs-appctl revalidator/purge], [0])
1492 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
1493 n_packets=1, n_bytes=44, priority=100,udp,in_port=1 actions=ct(commit,exec(load:0x1->NXM_NX_CT_MARK[[]])),output:2
1494 n_packets=1, n_bytes=72, priority=100,ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2 actions=output:1
1495 n_packets=1, n_bytes=72, priority=100,ct_state=-trk,icmp,in_port=2 actions=ct(table=0)
1496 n_packets=2, n_bytes=84, priority=10,arp actions=NORMAL
1500 OVS_TRAFFIC_VSWITCHD_STOP
1503 AT_SETUP([conntrack - ICMP related to original direction])
dnl An ICMP error is related to a conntrack entry by the header it quotes,
dnl independently of which direction the error itself travels. Here the entry
dnl is created by a port-2 packet (192.100.1.8 -> 192.100.2.5), the quoted
dnl datagram is the port-1 reply, and the error is injected on port 2, i.e. in
dnl the entry's original direction; it must still be classified +rel.
1504 AT_SKIP_IF([test $HAVE_NC = no])
1506 OVS_TRAFFIC_VSWITCHD_START()
1508 ADD_NAMESPACES(at_ns0, at_ns1)
dnl The packet-outs below name ports 1 and 2 explicitly; the veth addresses
dnl are not used by the crafted packets.
1510 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1511 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1513 dnl Allow UDP traffic in both directions, committing in zone 34673. Only
dnl related ICMP is allowed from port 2 to port 1.
1514 AT_DATA([flows.txt], [dnl
1515 priority=1000,arp,action=normal
1516 priority=100,ip,action=ct(table=1)
1517 priority=1,action=drop
1518 table=1,ip,action=ct(zone=34673,table=2)
1519 table=2,in_port=2,udp,action=ct(commit,zone=34673),1
1520 table=2,in_port=1,udp,action=ct(commit,zone=34673),2
1521 table=2,in_port=2,ct_state=+rel,icmp,action=1
1524 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1526 dnl 1. Send a UDP packet to port 53 (src=192.100.1.8,dst=192.100.2.5)
1527 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) '00010200020400232211223308004500001c000100004011f6fac0640108c06402050035003500087b9e'])
1529 dnl 2. Send a UDP packet to port 53 (src=192.100.2.5,dst=192.100.1.8)
dnl This is the reply direction of the entry created by packet 1, so no
dnl second entry is created (see the single-entry dump at the end).
1530 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 resubmit\(,0\) '00232211223300010200020408004500001c000100004011f6fac0640205c06401080035003500087b9e'])
1532 dnl 3. Send an ICMP port unreach reply for port 53, related to the 2nd
1533 dnl packet, but in the original direction of the conntrack entry created
1534 dnl for the 1st packet.
1535 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) '000102000204002322112233080045000038000100003f01f7eec0640108c0640205030a80e5ffffffff4500001c000100003f11f7fac0640205c06401080035003500087b9e'])
1537 AT_CHECK([ovs-appctl revalidator/purge], [0])
dnl The same ICMP error is sent a second time after the purge (presumably so
dnl it is evaluated afresh rather than via a cached datapath flow); the +rel
dnl rule is expected to count both copies.
1540 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) '000102000204002322112233080045000038000100003f01f7eec0640108c0640205030a80e5ffffffff4500001c000100003f11f7fac0640205c06401080035003500087b9e'])
1542 AT_CHECK([ovs-appctl revalidator/purge], [0])
dnl 4 IP packets in total; one UDP per direction; both ICMP copies forwarded
dnl as related. "grep -v drop" hides the catch-all rule.
1544 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
1545 n_packets=4, n_bytes=224, priority=100,ip actions=ct(table=1)
1546 priority=1000,arp actions=NORMAL
1547 table=1, n_packets=4, n_bytes=224, ip actions=ct(table=2,zone=34673)
1548 table=2, n_packets=1, n_bytes=42, udp,in_port=1 actions=ct(commit,zone=34673),output:2
1549 table=2, n_packets=1, n_bytes=42, udp,in_port=2 actions=ct(commit,zone=34673),output:1
1550 table=2, n_packets=2, n_bytes=140, ct_state=+rel,icmp,in_port=2 actions=output:1
dnl A single entry, with the port-2 packet as its original direction.
1554 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(192.100.1.8)], [0], [dnl
1555 udp,orig=(src=192.100.1.8,dst=192.100.2.5,sport=<cleared>,dport=<cleared>),reply=(src=192.100.2.5,dst=192.100.1.8,sport=<cleared>,dport=<cleared>),zone=34673
1558 OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - ICMP related 2])
dnl Purpose: an ICMP "port unreachable" error that quotes a UDP datagram
dnl conntrack has never seen must be classified as invalid and must leave no
dnl connection state behind, whereas an error that quotes a tracked UDP
dnl datagram must be classified as a related reply. The outcome is observed
dnl through packet-in messages and the conntrack table, not through forwarding.
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "172.16.0.1/24")
ADD_VETH(p1, at_ns1, br0, "172.16.0.2/24")

dnl No directional policy in this test: every IP packet is run through
dnl conntrack and committed, then punted to the controller so that its
dnl ct_state appears in the monitor log checked below.
AT_DATA([flows.txt], [dnl
table=0,ip,action=ct(commit,table=1)
table=1,ip,action=controller

AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt])

dnl Record every packet-in; the per-packet ct_state is what is under test.
AT_CAPTURE_FILE([ofctl_monitor.log])
AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])

dnl 1. Send an ICMP port unreach reply for port 8738, without any previous request.
dnl    The quoted inner datagram belongs to no tracked connection, so conntrack
dnl    has nothing to relate it to.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f351ac100004ac1000030303da490000000045000021317040004011b138ac100003ac10000411112222000d20966369616f0a'])

dnl 2. Send a UDP packet to port 5555; this opens a tracked connection.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 resubmit\(,0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])

dnl 3. Send an ICMP port unreach reply for port 5555 that quotes the UDP
dnl    datagram from step 2, i.e. a genuinely related error.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])

dnl Check this output. All three packets reach the controller. The unsolicited
dnl error from step 1 is flagged inv|trk and carries no ct_ tuple fields; the
dnl UDP datagram is new|trk; the error from step 3 is rel|rpl|trk and carries
dnl the tuple of the UDP connection it quotes.
AT_CHECK([cat ofctl_monitor.log], [0], [dnl
NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=75 ct_state=inv|trk,in_port=2 (via action) data_len=75 (unbuffered)
icmp,vlan_tci=0x0000,dl_src=c6:f5:4e:cb:72:db,dl_dst=f6:4c:47:35:28:c9,nw_src=172.16.0.4,nw_dst=172.16.0.3,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:da49
NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=47 ct_state=new|trk,ct_nw_src=172.16.0.1,ct_nw_dst=172.16.0.2,ct_nw_proto=17,ct_tp_src=41614,ct_tp_dst=5555,in_port=1 (via action) data_len=47 (unbuffered)
udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096
NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=75 ct_state=rel|rpl|trk,ct_nw_src=172.16.0.1,ct_nw_dst=172.16.0.2,ct_nw_proto=17,ct_tp_src=41614,ct_tp_dst=5555,in_port=2 (via action) data_len=75 (unbuffered)
icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f

dnl Only the UDP connection opened in step 2 exists in the conntrack table.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(172.16.0.1)], [0], [dnl
udp,orig=(src=172.16.0.1,dst=172.16.0.2,sport=<cleared>,dport=<cleared>),reply=(src=172.16.0.2,dst=172.16.0.1,sport=<cleared>,dport=<cleared>)

dnl The addresses used by the unsolicited error of step 1 left no entry
dnl behind: the expected output of this check is empty.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(172.16.0.3)], [0], [dnl

OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv4 fragmentation])
dnl Purpose: ICMP echo requests whose payload forces IPv4 fragmentation must
dnl still be tracked by conntrack, and the fragmented replies must be admitted
dnl as established traffic.
CHECK_CONNTRACK_FRAG()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Sending ping through conntrack
dnl Policy: default drop, ARP switched normally. Requests from port 1 are
dnl committed to zone 9 and forwarded to port 2. Untracked packets from port 2
dnl are run through conntrack and recirculated; only those classified as
dnl established (+trk+est-new) are forwarded back to port 1. A packet from
dnl port 2 that does not belong to a committed connection matches no
dnl priority=100 rule after recirculation and is dropped by the priority=1 rule.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Ipv4 fragmentation connectivity check.
dnl A 1600-byte payload is carried in several fragments; no loss is tolerated.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms

dnl Ipv4 larger fragmentation connectivity check.
dnl A 3200-byte payload spans more fragments per datagram; again no loss.
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms

OVS_TRAFFIC_VSWITCHD_STOP
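AT_SETUP([conntrack - IPv4 fragmentation expiry])
dnl Purpose: when only unfragmented datagrams and the first fragment of each
dnl datagram are let through, conntrack starts reassemblies that can never
dnl complete. Every ping must fail, and the half-assembled fragment queues must
dnl expire without harming the datapath (compare the IPv6 twin of this test).
CHECK_CONNTRACK_FRAG()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal

dnl Only allow non-fragmented messages and 1st fragments of each message
dnl Later fragments match neither of the two in_port=1 rules below and fall
dnl through to the priority=1 drop, so no reassembly can ever finish.
dnl Note the comma before action= on the ip_frag=first rule: without it the
dnl rule does not parse and the bundle is rejected.
priority=100,in_port=1,icmp,ip_frag=no,action=ct(commit,zone=9),2
priority=100,in_port=1,icmp,ip_frag=first,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Ipv4 fragmentation connectivity check.
dnl This is expected to fail: the requests are presumably held for reassembly
dnl and never delivered, so no reply ever arrives. With a deadline (-w 2) ping
dnl keeps transmitting until it gets the one reply asked for by -c 1, which at
dnl -i 0.3 yields the 7 transmitted packets below.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 1 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
7 packets transmitted, 0 received, 100% packet loss, time 0ms

OVS_TRAFFIC_VSWITCHD_STOP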
AT_SETUP([conntrack - IPv4 fragmentation + vlan])
dnl Purpose: same as the plain IPv4 fragmentation test, but the pings are sent
dnl between VLAN 100 sub-interfaces, so every fragment carries an 802.1Q tag
dnl that conntrack has to look past when reassembling and tracking.
CHECK_CONNTRACK_FRAG()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")

dnl Sending ping through conntrack
dnl Policy: default drop, ARP normal, requests from port 1 committed to zone 9,
dnl only established return traffic from port 2 forwarded back to port 1.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Ipv4 fragmentation connectivity check.
dnl Target is the VLAN address, so the fragments are tagged.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms

dnl Ipv4 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms

OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv4 fragmentation + cvlan])
dnl Purpose: fragmentation through conntrack with stacked VLAN tags. An outer
dnl service VLAN 4094 carries an inner customer VLAN 100; pings are checked on
dnl both the double-tagged inner addresses and the single-tagged outer ones.
CHECK_CONNTRACK_FRAG()
dnl vlan-limit=0 lifts the limit on how many VLAN headers the bridge will
dnl match, which the double-tagged path needs.
OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

ADD_SVLAN(p0, at_ns0, 4094, "10.255.2.1/24")
ADD_SVLAN(p1, at_ns1, 4094, "10.255.2.2/24")

ADD_CVLAN(p0.4094, at_ns0, 100, "10.2.2.1/24")
ADD_CVLAN(p1.4094, at_ns1, 100, "10.2.2.2/24")

dnl Sending ping through conntrack
dnl Policy: default drop, ARP normal, requests from port 1 committed to zone 9,
dnl only established return traffic from port 2 forwarded back to port 1.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Warm up the double-tagged path before the counted checks, presumably so
dnl address resolution on the stacked interfaces does not cost a probe.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])

dnl Ipv4 fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms

dnl Ipv4 fragmentation connectivity check. (outer svlan)
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.255.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms

dnl Ipv4 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms

dnl Ipv4 larger fragmentation connectivity check. (outer svlan)
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.255.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms

OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv6 fragmentation])
dnl Purpose: IPv6 counterpart of the IPv4 fragmentation test. Fragmented echo
dnl requests must be tracked and their fragmented replies admitted as
dnl established traffic.
CHECK_CONNTRACK_FRAG()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl Sending ping through conntrack
dnl Policy: default drop; IPv6 from port 1 committed to zone 9 and sent to
dnl port 2; from port 2 only established traffic goes back to port 1.
dnl Neighbour Discovery (ICMPv6 types 135 and 136) is switched normally at a
dnl higher priority, bypassing conntrack, so the hosts can resolve each other.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])

dnl Ipv6 fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms

dnl Ipv6 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms

OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv6 fragmentation expiry])
dnl Purpose: regression check for the expiry of incomplete IPv6 reassemblies.
dnl Only unfragmented datagrams and first fragments are let through, so every
dnl reassembly conntrack starts is left dangling; the ping must fail and the
dnl datapath must survive the fragment queues timing out.
CHECK_CONNTRACK_FRAG()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

AT_DATA([flows.txt], [dnl
priority=1,action=drop

dnl Only allow non-fragmented messages and 1st fragments of each message
dnl Later fragments match neither in_port=1 rule and hit the priority=1 drop.
priority=10,in_port=1,ipv6,ip_frag=first,action=ct(commit,zone=9),2
priority=10,in_port=1,ipv6,ip_frag=no,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1

dnl Neighbour Discovery
dnl Switched normally at higher priority so it bypasses the conntrack policy.
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])

dnl Send an IPv6 fragment. Some time later, it should expire.
dnl With -w 2 ping keeps transmitting until the single reply asked for by -c 1
dnl arrives, which never happens, hence 7 packets sent and 100% loss.
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 1 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
7 packets transmitted, 0 received, 100% packet loss, time 0ms

dnl At this point, the kernel will either crash or everything is OK.
dnl There is deliberately no further assertion: reaching the STOP is the pass.
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv6 fragmentation + vlan])
dnl Purpose: IPv6 fragmentation through conntrack where the pings travel
dnl between VLAN 100 sub-interfaces, so every fragment carries an 802.1Q tag.
CHECK_CONNTRACK_FRAG()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

ADD_VLAN(p0, at_ns0, 100, "fc00:1::3/96")
ADD_VLAN(p1, at_ns1, 100, "fc00:1::4/96")

dnl Sending ping through conntrack
dnl Policy: default drop; IPv6 from port 1 committed to zone 9; from port 2
dnl only established traffic returns to port 1; Neighbour Discovery bypasses
dnl conntrack at priority 100.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])

dnl IPv6 fragmentation connectivity check (tagged, via the VLAN addresses).
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms

dnl IPv6 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms

OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv6 fragmentation + cvlan])
dnl Purpose: IPv6 fragmentation through conntrack with stacked VLAN tags
dnl (service VLAN 4094 carrying customer VLAN 100), checked on both the
dnl double-tagged inner addresses and the single-tagged outer ones.
CHECK_CONNTRACK_FRAG()
dnl vlan-limit=0 lifts the limit on how many VLAN headers the bridge matches.
OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

ADD_SVLAN(p0, at_ns0, 4094, "fc00:ffff::3/96")
ADD_SVLAN(p1, at_ns1, 4094, "fc00:ffff::4/96")

ADD_CVLAN(p0.4094, at_ns0, 100, "fc00:1::3/96")
ADD_CVLAN(p1.4094, at_ns1, 100, "fc00:1::4/96")

dnl Sending ping through conntrack
dnl Policy: default drop; IPv6 from port 1 committed to zone 9; from port 2
dnl only established traffic returns to port 1; Neighbour Discovery bypasses
dnl conntrack at priority 100.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Warm up the double-tagged path; this also covers the IPv6 stack settling
dnl delay noted in the sibling tests.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00:1::4])

dnl Ipv6 fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms

dnl Ipv6 fragmentation connectivity check. (outer svlan)
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:ffff::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms

dnl Ipv6 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms

dnl Ipv6 larger fragmentation connectivity check. (outer svlan)
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:ffff::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms

OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - Fragmentation over vxlan])
dnl Purpose: fragmented ICMP that arrives through a VXLAN tunnel port must be
dnl tracked by conntrack on br0 and the replies from the local stack admitted
dnl as established traffic. The namespace is the remote tunnel endpoint; the
dnl host stack (LOCAL on br0) is the overlay peer.
CHECK_CONNTRACK_FRAG()

OVS_TRAFFIC_VSWITCHD_START()
dnl A second bridge carries the underlay between host and namespace.
ADD_BR([br-underlay])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Sending ping through conntrack
dnl Policy on br0: default drop, ARP normal. Decapsulated ICMP from the tunnel
dnl port (1) is committed to zone 9 and delivered to LOCAL; ICMP from LOCAL is
dnl looked up in zone 9 and only established packets go back into the tunnel.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),LOCAL
priority=100,in_port=LOCAL,icmp,action=ct(table=1,zone=9)
table=1,in_port=LOCAL,ct_state=+trk+est,icmp,action=1

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
dnl VNI 0 on the standard VXLAN port; the overlay subnet is 10.1.1.0/24.
ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
                  [id 0 dstport 4789])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms

dnl Okay, now check the overlay with different packet sizes
dnl Unfragmented first, then payloads that force fragmentation of the inner
dnl datagram through the tunnel and the conntrack policy.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms

NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms

NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms

OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv6 Fragmentation over vxlan])
dnl Purpose: IPv6 counterpart of the VXLAN fragmentation test. The underlay
dnl stays IPv4; the overlay carried inside the tunnel is IPv6, and fragmented
dnl overlay ICMPv6 must be tracked by conntrack on br0.
CHECK_CONNTRACK_FRAG()

OVS_TRAFFIC_VSWITCHD_START()
dnl A second bridge carries the underlay between host and namespace.
ADD_BR([br-underlay])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])

ADD_NAMESPACES(at_ns0)

dnl Sending ping through conntrack
dnl Policy on br0: default drop. IPv6 from the tunnel port (1) is committed to
dnl zone 9 and delivered to LOCAL; IPv6 from LOCAL is looked up in zone 9 and
dnl only established packets go back into the tunnel.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=100,in_port=1,ipv6,action=ct(commit,zone=9),LOCAL
priority=100,in_port=LOCAL,ipv6,action=ct(table=1,zone=9)
table=1,in_port=LOCAL,ct_state=+trk+est,ipv6,action=1

dnl Neighbour Discovery
dnl Switched normally at the highest priority so it bypasses conntrack.
priority=1000,icmp6,icmp_type=135,action=normal
priority=1000,icmp6,icmp_type=136,action=normal

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])

dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
dnl The overlay addresses are IPv6 while the tunnel endpoints stay IPv4.
ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], ["fc00::2/96"])
ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], ["fc00::1/96"],
                  [id 0 dstport 4789])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])

dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms

dnl Okay, now check the overlay with different packet sizes
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms

NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms

NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms

OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - resubmit to ct multiple times])
dnl Purpose: a single packet resubmitted into two tables that each run a
dnl ct() action must be processed by conntrack twice and counted twice in the
dnl table both paths converge on. Forwarding is not the goal; table 3 drops.

dnl Secure fail mode, presumably so the bridge never falls back to NORMAL
dnl forwarding and every packet is accounted for by the explicit flows.
OVS_TRAFFIC_VSWITCHD_START(
   [set-fail-mode br0 secure -- ])

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl IP from port 1 is resubmitted to table 1 and then to table 2; each of
dnl those runs conntrack and recirculates into table 3, which drops.
AT_DATA([flows.txt], [dnl
table=0,priority=150,arp,action=normal
table=0,priority=100,ip,in_port=1,action=resubmit(,1),resubmit(,2)

table=1,ip,action=ct(table=3)
table=2,ip,action=ct(table=3)

table=3,ip,action=drop

AT_CHECK([ovs-ofctl add-flows br0 flows.txt])

dnl The echo request is dropped in table 3, so the ping gets no reply.
NS_CHECK_EXEC([at_ns0], [ping -q -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
1 packets transmitted, 0 received, 100% packet loss, time 0ms

dnl One packet entered table 0, one hit each of tables 1 and 2, and table 3
dnl saw it twice (n_packets=2, n_bytes=196): both ct() invocations completed.
AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort], [0], [dnl
 n_packets=1, n_bytes=98, priority=100,ip,in_port=1 actions=resubmit(,1),resubmit(,2)
 n_packets=2, n_bytes=84, priority=150,arp actions=NORMAL
 table=1, n_packets=1, n_bytes=98, ip actions=ct(table=3)
 table=2, n_packets=1, n_bytes=98, ip actions=ct(table=3)
 table=3, n_packets=2, n_bytes=196, ip actions=drop

OVS_TRAFFIC_VSWITCHD_STOP
AT_BANNER([conntrack - L7])

AT_SETUP([conntrack - IPv4 HTTP])
dnl Purpose: a stateful, one-directional TCP policy. HTTP from ns0 to ns1 is
dnl committed and must succeed; HTTP initiated from ns1 to ns0 must fail
dnl because only established return traffic is admitted from port 2.
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl Allow any TCP from ns0->ns1 (committed), and from ns1->ns0 only TCP that
dnl belongs to an established connection. ARP and ICMP bypass the policy.
dnl A new connection from port 2 is recirculated, fails the +trk+est rule and
dnl falls to the priority=1 drop.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,action=ct(commit),2
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk+est,tcp,action=1

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

OVS_START_L7([at_ns0], [http])
OVS_START_L7([at_ns1], [http])

dnl HTTP requests from ns0->ns1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl The successful request must have left a tracked TCP entry.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)

dnl HTTP requests from ns1->ns0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
dnl Exit status 4 is wget's code for a network failure, i.e. no connection.
NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 --retry-connrefused -v -o wget1.log], [4])

OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv6 HTTP])
dnl Purpose: IPv6 counterpart of the IPv4 HTTP test. HTTP from ns0 to ns1 is
dnl committed and must succeed; HTTP initiated from ns1 to ns0 must fail.
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")

dnl Allow any TCP from ns0->ns1 (committed), and from ns1->ns0 only TCP that
dnl belongs to an established connection. All ICMPv6, which includes Neighbour
dnl Discovery, bypasses the policy.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,icmp6,action=normal
priority=100,in_port=1,tcp6,action=ct(commit),2
priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])

OVS_START_L7([at_ns0], [http6])
OVS_START_L7([at_ns1], [http6])

dnl HTTP requests from ns0->ns1 should work fine.
dnl The doubled brackets are m4 quoting; wget sees the literal IPv6 URL form.
NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)

dnl HTTP requests from ns1->ns0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
dnl Exit status 4 is wget's code for a network failure.
NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 --retry-connrefused -v -o wget1.log], [4])

OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - commit, recirc])
dnl Purpose: exercise the ct() commit and recirculation mechanics on two
dnl independent port pairs. Only success of the HTTP fetches is checked; the
dnl rules match on +/-trk alone and apply no established/new policy.
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")

dnl Allow any traffic from ns0->ns1, ns2->ns3.
dnl Pair p0/p1: untracked TCP from port 1 is committed and recirculated, then
dnl output to port 2; port 2 is looked up without commit and output to port 1.
dnl Pair p2/p3: untracked TCP from port 3 is first looked up without commit
dnl (metadata=0), recirculated, then committed on a second ct() pass
dnl (metadata=1) and recirculated once more before being output to port 4.
dnl The metadata field distinguishes the two recirculation passes.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=1,tcp,ct_state=+trk,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,tcp,ct_state=+trk,action=1
priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=4,tcp,ct_state=+trk,action=3

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

OVS_START_L7([at_ns1], [http])
OVS_START_L7([at_ns3], [http])

dnl HTTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl HTTP requests from p2->p3 should work fine.
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])

OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - multiple zones, local])
dnl Purpose: a connection originated by the host stack (LOCAL port) is
dnl committed into two conntrack zones at once; return traffic must pass a
dnl lookup in zone 1 and then in zone 2 before reaching the host, and both
dnl zones must show an entry for the ICMP and the TCP connection.
CHECK_CONNTRACK_LOCAL_STACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0)

dnl The bridge itself gets an address so the root namespace is the peer.
AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
AT_CHECK([ip link set dev br0 up])
on_exit 'ip addr del dev br0 "10.1.1.1/24"'
ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")

dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
dnl return traffic from ns0 back to the local stack.
dnl Untracked IP from LOCAL is dropped outright; the LOCAL rules below only
dnl match packets that already carry conntrack state. This relies on the
dnl datapath exposing the state the host stack attached to its own packets,
dnl which is what CHECK_CONNTRACK_LOCAL_STACK gates on (TODO confirm).
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
table=1,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
table=2,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Pings run from the root namespace, i.e. through the LOCAL port.
AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms

OVS_START_L7([at_ns0], [http])

dnl HTTP requests from root namespace to p0 should work fine.
AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl (again) HTTP requests from root namespace to p0 should work fine.
AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl Each connection must appear once per zone.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=1
icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=2
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)

OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - multi-stage pipeline, local])
dnl Purpose: a per-port zoning pipeline. Each packet is tracked first in a
dnl zone named after its input port (ingress) and then in a zone named after
dnl its output port (egress), with the output port carried in REG0. The
dnl expected conntrack dump shows every connection in zone 1 (port 1) and in
dnl zone 65534 (the LOCAL port number).
CHECK_CONNTRACK_LOCAL_STACK()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0)

dnl The bridge itself gets an address so the root namespace is the peer.
AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
AT_CHECK([ip link set dev br0 up])
on_exit 'ip addr del dev br0 "10.1.1.1/24"'
ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")

dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
dnl return traffic from ns0 back to the local stack.
AT_DATA([flows.txt], [dnl

table=0,priority=1,action=drop
table=0,priority=10,arp,action=normal

dnl Load the output port to REG0
dnl Traffic from LOCAL goes out port 1; traffic from port 1 goes to LOCAL.
table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1

dnl Ingress pipeline
dnl - Allow all connections from LOCAL port (commit and proceed to egress)
dnl - All other connections go through conntracker using the input port as
dnl   a connection tracking zone.
table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,table=2,zone=OXM_OF_IN_PORT[[0..15]])
table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
table=1,priority=1,action=drop

dnl Egress pipeline
dnl - Allow all connections from LOCAL port (commit and skip to output)
dnl - Allow other established connections to go through conntracker using
dnl   output port as a connection tracking zone.
dnl Anything that was not established in its ingress zone is dropped here.
table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,table=4,zone=NXM_NX_REG0[[0..15]])
table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
table=2,priority=1,action=drop

dnl Only allow established traffic from egress ct lookup
table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
table=3,priority=1,action=drop

dnl Output to the port held in REG0.
table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]

AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])

dnl Pings run from the root namespace, i.e. through the LOCAL port.
AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms

OVS_START_L7([at_ns0], [http])

dnl HTTP requests from root namespace to p0 should work fine.
AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl (again) HTTP requests from root namespace to p0 should work fine.
AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl Each connection must appear in the port-1 zone and in the LOCAL zone.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=1
icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=65534
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=65534,protoinfo=(state=<cleared>)

OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([FTP - no conntrack])
dnl Purpose: baseline for the conntrack FTP tests. With plain normal
dnl switching and no conntrack, an active-mode FTP retrieval must succeed,
dnl so later failures can be attributed to the conntrack policy alone.
AT_SKIP_IF([test $HAVE_FTP = no])
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")

dnl No policy at all: every packet is switched normally.
AT_DATA([flows.txt], [dnl
table=0,action=normal

AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt])

dnl Start an FTP server in each namespace directly rather than via
dnl OVS_START_L7 as the sibling tests do, then wait until the one in at_ns1
dnl is listening before the client runs.
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])

dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode, i.e. the server opens the data
dnl connection back to the client.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])

dnl Verify that the retrieval actually produced a file.
AT_CHECK([find -name index.html], [0], [dnl

OVS_TRAFFIC_VSWITCHD_STOP
2363 AT_SETUP([conntrack - FTP])
2364 AT_SKIP_IF([test $HAVE_FTP = no])
2366 CHECK_CONNTRACK_ALG()
2367 OVS_TRAFFIC_VSWITCHD_START()
2369 ADD_NAMESPACES(at_ns0, at_ns1)
2371 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2372 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2374 dnl Policy 1: any TCP from ns0 (port 1) to ns1 (port 2) is committed with the
dnl FTP ALG attached.  From ns1 to ns0 only ARP, ICMP and tracked established
dnl or related TCP is allowed; everything else hits the priority=1 drop.
dnl NOTE(review): alg=ftp is attached to every TCP connection from port 1, not
dnl only to tp_dst=21, so any TCP stream from ns0 is parsed by the FTP helper
dnl and can create expectations that the +rel rule below admits.  Deliberate
dnl for this test; a production policy should scope the ALG to the control
dnl port the way the IPv6 FTP tests in this file do.
2375 AT_DATA([flows1.txt], [dnl
2376 table=0,priority=1,action=drop
2377 table=0,priority=10,arp,action=normal
2378 table=0,priority=10,icmp,action=normal
2379 table=0,priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
2380 table=0,priority=100,in_port=2,tcp,action=ct(table=1)
2381 table=1,in_port=2,tcp,ct_state=+trk+est,action=1
2382 table=1,in_port=2,tcp,ct_state=+trk+rel,action=1
2385 dnl Policy 2: same intent, but ns0->ns1 is limited to new connections
dnl (committed with alg=ftp) and established ones instead of all TCP.
2386 AT_DATA([flows2.txt], [dnl
2387 table=0,priority=1,action=drop
2388 table=0,priority=10,arp,action=normal
2389 table=0,priority=10,icmp,action=normal
2391 dnl Allow outgoing TCP connections, and treat them as FTP
2392 table=0,priority=100,in_port=1,tcp,action=ct(table=1)
2393 table=1,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
2394 table=1,in_port=1,tcp,ct_state=+trk+est,action=2
2396 dnl Allow incoming FTP data connections and responses to existing connections
dnl +new+rel from port 2 is the server-initiated (active mode) data
dnl connection; it is committed so that its own replies match +est.
2397 table=0,priority=100,in_port=2,tcp,action=ct(table=1)
2398 table=1,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
2399 table=1,in_port=2,tcp,ct_state=+trk+est,action=1
2400 table=1,in_port=2,tcp,ct_state=+trk-new+rel,action=1
2403 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
2405 OVS_START_L7([at_ns0], [ftp])
2406 OVS_START_L7([at_ns1], [ftp])
2408 dnl FTP requests from p1->p0 should fail due to network failure.
2409 dnl Try 3 times, in 1 second intervals.
dnl wget exit status 4 is "network failure".  The conntrack dump is expected
dnl to be empty: nothing arriving on port 2 is ever committed by policy 1.
2410 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
2411 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
2414 dnl FTP requests from p0->p1 should work fine.
dnl Only the control connection, carrying helper=ftp, is expected here.
2415 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2416 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2417 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
2420 dnl Try the second set of flows.
dnl Flush conntrack so entries created under policy 1 cannot satisfy policy 2.
2421 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
2422 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
2424 dnl FTP requests from p1->p0 should fail due to network failure.
2425 dnl Try 3 times, in 1 second intervals.
2426 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
2427 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
2430 dnl Active FTP requests from p0->p1 should work fine.
dnl Two entries are expected: the control connection (helper=ftp) and the
dnl server-initiated data connection from 10.1.1.2 back to 10.1.1.1, which
dnl was admitted by the +new+rel rule and committed without a helper.
2431 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log])
2432 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2433 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
2434 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2437 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
2439 dnl Passive FTP requests from p0->p1 should work fine.
dnl Passive mode is wget's default (no --no-passive-ftp).  Only the control
dnl connection is expected in the dump at this point.
2440 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log])
2441 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2442 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
2445 OVS_TRAFFIC_VSWITCHD_STOP
2448 AT_SETUP([conntrack - FTP over IPv6])
2449 AT_SKIP_IF([test $HAVE_FTP = no])
2451 CHECK_CONNTRACK_ALG()
2452 OVS_TRAFFIC_VSWITCHD_START()
2454 ADD_NAMESPACES(at_ns0, at_ns1)
2456 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
2457 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
2459 dnl Active-mode FTP over IPv6.  From ns0 (port 1) to ns1 (port 2) only new FTP
2460 dnl control connections (tp_dst=21) and established TCP are allowed; from ns1
dnl to ns0 only ICMPv6 (which carries ND), established TCP and the ALG-expected
dnl (related) data connection.
2461 AT_DATA([flows.txt], [dnl
2462 dnl Track all IPv6 traffic and drop the rest.
2463 dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked.
2464 table=0 priority=100 in_port=1 icmp6, action=2
2465 table=0 priority=100 in_port=2 icmp6, action=1
2466 table=0 priority=10 ip6, action=ct(table=1)
2467 table=0 priority=0 action=drop
2471 dnl Allow new TCPv6 FTP control connections from port 1.
dnl The ALG is attached only to connections to port 21, so only genuine FTP
dnl control streams can create the expectations the +rel rule below admits.
2472 table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
2473 dnl Allow related TCPv6 connections from port 2.
dnl This is the server-initiated active-mode data connection; committing it
dnl lets its replies from port 1 match +est.
2474 table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1
2475 dnl Allow established TCPv6 connections both ways.
2476 table=1 in_port=1 ct_state=+est, tcp6, action=2
2477 table=1 in_port=2 ct_state=+est, tcp6, action=1
2478 dnl Drop everything else.
2479 table=1 priority=0, action=drop
2482 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2484 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
2485 dnl waiting, we get occasional failures due to the following error:
2486 dnl "connect: Cannot assign requested address"
2487 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
2489 OVS_START_L7([at_ns1], [ftp])
2491 dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode, so the server opens the data
dnl connection back to the client.
2492 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
2494 dnl Discards CLOSE_WAIT and CLOSING
dnl Expected: the control connection (helper=ftp) plus the server-initiated
dnl data connection from fc00::2 to fc00::1 (no helper).
2495 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
2496 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
2497 tcp,orig=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2500 OVS_TRAFFIC_VSWITCHD_STOP
2503 AT_SETUP([conntrack - IPv6 FTP Passive])
2504 AT_SKIP_IF([test $HAVE_FTP = no])
2506 CHECK_CONNTRACK_ALG()
2507 OVS_TRAFFIC_VSWITCHD_START()
2509 ADD_NAMESPACES(at_ns0, at_ns1)
dnl Fixed MAC addresses and static neighbor entries on both sides (presumably
dnl so the test does not depend on Neighbor Discovery timing -- confirm).
2511 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
2512 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2513 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
2514 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:99])
2515 NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::2 lladdr 80:88:88:88:88:99 dev p0])
2516 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::1 lladdr 80:88:88:88:88:88 dev p1])
2518 dnl Passive-mode FTP over IPv6.  From ns0 (port 1) to ns1 (port 2) allow new
2519 dnl FTP control connections (tp_dst=21), the ALG-expected (related) data
dnl connection and established TCP; from ns1 to ns0 only ICMPv6 and
dnl established TCP.  There is no +rel rule for port 2, so a server-initiated
dnl (active mode) data connection would be dropped by this policy.
2520 AT_DATA([flows.txt], [dnl
2521 dnl Track all IPv6 traffic and drop the rest.
2522 dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked.
2523 table=0 priority=100 in_port=1 icmp6, action=2
2524 table=0 priority=100 in_port=2 icmp6, action=1
2525 table=0 priority=10 ip6, action=ct(table=1)
2526 table=0 priority=0 action=drop
2530 dnl Allow new TCPv6 FTP control connections from port 1.
dnl The ALG is scoped to port 21, so only real control streams can create
dnl expectations.
2531 table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
2532 dnl Allow related TCPv6 connections from port 1.
dnl In passive mode the client opens the data connection to the port the
dnl server announced, which the FTP ALG turned into an expectation.
2533 table=1 in_port=1 ct_state=+new+rel, tcp6, action=ct(commit),2
2534 dnl Allow established TCPv6 connections both ways.
2535 table=1 in_port=1 ct_state=+est, tcp6, action=2
2536 table=1 in_port=2 ct_state=+est, tcp6, action=1
2537 dnl Drop everything else.
2538 table=1 priority=0, action=drop
2541 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2543 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
2544 dnl waiting, we get occasional failures due to the following error:
2545 dnl "connect: Cannot assign requested address"
2546 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
2548 OVS_START_L7([at_ns1], [ftp])
2550 dnl FTP passive requests from p0->p1 should work fine.
dnl No --no-passive-ftp, so wget uses passive mode.
2551 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
2553 dnl Discards CLOSE_WAIT and CLOSING
dnl Both expected entries originate from fc00::1: the client-initiated data
dnl connection (no helper) and the control connection (helper=ftp).
2554 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
2555 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2556 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
2559 OVS_TRAFFIC_VSWITCHD_STOP
2562 AT_SETUP([conntrack - FTP with multiple expectations])
2563 AT_SKIP_IF([test $HAVE_FTP = no])
2565 CHECK_CONNTRACK_ALG()
2566 OVS_TRAFFIC_VSWITCHD_START()
2568 ADD_NAMESPACES(at_ns0, at_ns1)
2570 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2571 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2573 dnl Dual firewall: every connection is tracked in two zones (zone 1 and zone 2),
dnl as if it crossed two independent firewalls, so the FTP ALG must create an
dnl expectation in each zone.  All TCP from port 1 (at_ns0) to port 2 (at_ns1)
dnl is allowed; from port 2 to port 1 only established and ALG-related TCP.
dnl NOTE(review): as in the IPv4 "conntrack - FTP" test, alg=ftp is attached to
dnl every new TCP connection from port 1 rather than only to the FTP control
dnl port; fine for the test, but not the shape a real policy should use.
2574 AT_DATA([flows.txt], [dnl
2575 table=0,priority=1,action=drop
2576 table=0,priority=10,arp,action=normal
2577 table=0,priority=10,icmp,action=normal
2579 dnl Traffic from port 1 (at_ns0)
dnl A new, non-related connection is committed with alg=ftp in both zones; a
dnl new related one (passive-mode data connection) is committed in both zones
dnl without the ALG.  Established traffic must also be established in zone 2.
2580 table=0,priority=100,in_port=1,tcp,action=ct(table=1,zone=1)
2581 table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new-rel,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
2582 table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new+rel,action=ct(commit,zone=1),ct(commit,zone=2),2
2583 table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=2,zone=2)
2584 table=2,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
2586 dnl Traffic from port 2 (at_ns1)
dnl Related (active-mode data) connections are committed in both zones;
dnl established traffic in zone 2 is re-checked in zone 1 before forwarding.
2587 table=0,priority=100,in_port=2,tcp,action=ct(table=1,zone=2)
2588 table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
2589 table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=2,zone=1)
2590 table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
2591 table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
2594 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2596 OVS_START_L7([at_ns0], [ftp])
2597 OVS_START_L7([at_ns1], [ftp])
2599 dnl FTP requests from p1->p0 should fail due to network failure.
2600 dnl Try 3 times, in 1 second intervals.
dnl wget exit status 4 is "network failure"; the conntrack dump must be empty.
2601 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
2602 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
2605 dnl Active FTP requests from p0->p1 should work fine.
dnl Expect the control connection (helper=ftp) and the server-initiated data
dnl connection from 10.1.1.2, each once per zone.
2606 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2607 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2608 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
2609 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
2610 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2611 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
2614 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
2616 dnl Passive FTP requests from p0->p1 should work fine.
dnl Expect the client-initiated data connection and the control connection
dnl (helper=ftp), each once per zone; all four entries originate from 10.1.1.1.
2617 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2618 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2619 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2620 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
2621 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
2622 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
2625 OVS_TRAFFIC_VSWITCHD_STOP
2628 AT_SETUP([conntrack - TFTP])
2629 AT_SKIP_IF([test $HAVE_TFTP = no])
2631 CHECK_CONNTRACK_ALG()
2632 OVS_TRAFFIC_VSWITCHD_START()
2634 ADD_NAMESPACES(at_ns0, at_ns1)
2636 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2637 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2639 dnl Policy 1: any UDP from ns0 (port 1) to ns1 (port 2) is committed with the
dnl TFTP ALG attached.  From ns1 to ns0 only ARP, ICMP and tracked established
dnl or related UDP is allowed.
dnl NOTE(review): alg=tftp is attached to every UDP flow from port 1, not only
dnl to the TFTP server port, so any UDP stream from ns0 is parsed by the helper
dnl and can create an expectation the +rel rule admits.  Fine for this test;
dnl scope the ALG to the TFTP port in a real policy.
2640 AT_DATA([flows1.txt], [dnl
2641 table=0,priority=1,action=drop
2642 table=0,priority=10,arp,action=normal
2643 table=0,priority=10,icmp,action=normal
2644 table=0,priority=100,in_port=1,udp,action=ct(alg=tftp,commit),2
2645 table=0,priority=100,in_port=2,udp,action=ct(table=1)
2646 table=1,in_port=2,udp,ct_state=+trk+est,action=1
2647 table=1,in_port=2,udp,ct_state=+trk+rel,action=1
2650 dnl Policy 2: same intent, but ns0->ns1 is limited to new (committed) and
dnl established UDP instead of all UDP.
2651 AT_DATA([flows2.txt], [dnl
2652 table=0,priority=1,action=drop
2653 table=0,priority=10,arp,action=normal
2654 table=0,priority=10,icmp,action=normal
2656 dnl Allow outgoing UDP connections, and treat them as TFTP
dnl Only new, non-related flows get the ALG; a new related flow is committed
dnl without it.
2657 table=0,priority=100,in_port=1,udp,action=ct(table=1)
2658 table=1,in_port=1,udp,ct_state=+trk+new-rel,action=ct(commit,alg=tftp),2
2659 table=1,in_port=1,udp,ct_state=+trk+new+rel,action=ct(commit),2
2660 table=1,in_port=1,udp,ct_state=+trk+est,action=2
2662 dnl Allow incoming TFTP data connections and responses to existing connections
dnl The ALG-expected (related) transfer flow from port 2 is forwarded without
dnl being committed.
2663 table=0,priority=100,in_port=2,udp,action=ct(table=1)
2664 table=1,in_port=2,udp,ct_state=+trk+est,action=1
2665 table=1,in_port=2,udp,ct_state=+trk+new+rel,action=1
2668 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
2670 OVS_START_L7([at_ns0], [tftp])
2671 OVS_START_L7([at_ns1], [tftp])
2673 dnl TFTP requests from p1->p0 should fail due to network failure.
dnl curl exits 28 (operation timed out); the conntrack dump must stay empty
dnl because nothing from port 2 is committed.
2674 NS_CHECK_EXEC([at_ns1], [[curl $CURL_OPT tftp://10.1.1.1/flows1.txt -o foo 2>curl0.log]], [28])
2675 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
2678 dnl TFTP requests from p0->p1 should work fine.
dnl Only the request flow, carrying helper=tftp, is expected in the dump.
2679 NS_CHECK_EXEC([at_ns0], [[curl $CURL_OPT tftp://10.1.1.2/flows1.txt -o foo 2>curl1.log]])
2680 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2681 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),helper=tftp
2684 dnl Try the second set of flows.
dnl Flush conntrack so entries created under policy 1 cannot satisfy policy 2.
2685 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
2686 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
2688 dnl TFTP requests from p1->p0 should fail due to network failure.
2689 NS_CHECK_EXEC([at_ns1], [[curl $CURL_OPT tftp://10.1.1.1/flows1.txt -o foo 2>curl2.log]], [28])
2690 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
2693 dnl TFTP requests from p0->p1 should work fine.
2694 NS_CHECK_EXEC([at_ns0], [[curl $CURL_OPT tftp://10.1.1.2/flows1.txt -o foo 2>curl3.log]])
2695 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2696 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),helper=tftp
2699 OVS_TRAFFIC_VSWITCHD_STOP
2702 AT_BANNER([conntrack - NAT])
2704 AT_SETUP([conntrack - simple SNAT])
2706 CHECK_CONNTRACK_NAT()
2707 OVS_TRAFFIC_VSWITCHD_START()
2709 ADD_NAMESPACES(at_ns0, at_ns1)
2711 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl p0 gets a fixed MAC; the ARP responder below answers requests for the
dnl SNAT range with this address.
2712 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2713 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2715 dnl SNAT all IP from ns0 (port 1) to 10.1.1.240-10.1.1.255 in zone 1.
dnl Untracked IP from ns1 (port 2) is run through ct(nat) to reverse the
dnl translation and then re-evaluated in table 0.
dnl NOTE(review): the third rule forwards *any* tracked IP packet from port 2
dnl (ct_state=+trk only, no +est), so new connections initiated from ns1 are
dnl also passed to ns0.  Acceptable for this test, but it is not a
dnl return-traffic-only policy; the "more complex SNAT" test in this file shows
dnl the stricter +trk-new+est shape.
2716 AT_DATA([flows.txt], [dnl
2717 in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
2718 in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)
2719 in_port=2,ct_state=+trk,ct_zone=1,ip,action=1
dnl ARP responder: copy the requested IP (TPA) into reg2, look it up in
dnl table 8, then let table 10 either answer or fall back to normal flooding.
2722 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2723 priority=10 arp action=normal
2724 priority=0,action=drop
2726 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl Only the SNAT range 10.1.1.240/28 (0x0a0101f0/0xfffffff0) resolves, to
dnl p0's MAC; any other address yields 0.
2727 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2728 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2729 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2731 dnl Swaps the fields of the ARP message to turn a query to a response.
dnl The reply goes back out of the ingress port: in_port is saved in reg3 and
dnl zeroed before output (presumably because OpenFlow refuses to output a
dnl packet to its own in_port -- confirm).
2732 table=10 priority=100 arp xreg0=0 action=normal
2733 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2734 table=10 priority=0 action=drop
2737 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2739 dnl HTTP requests from p0->p1 should work fine.
2740 OVS_START_L7([at_ns1], [http])
2741 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The reply tuple must show the translated source (10.1.1.240-255, masked to
dnl 10.1.1.2XX by the sed expression) in zone 1.
2743 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/' | uniq], [0], [dnl
2744 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2747 OVS_TRAFFIC_VSWITCHD_STOP
2750 AT_SETUP([conntrack - SNAT with ct_mark change on reply])
2752 CHECK_CONNTRACK_NAT()
2753 OVS_TRAFFIC_VSWITCHD_START()
2755 ADD_NAMESPACES(at_ns0, at_ns1)
dnl Fixed MACs and static ARP entries on both sides: flows.txt below has no
dnl ARP rule (ARP hits the priority=0 drop), and ns1 must resolve the SNAT
dnl address 10.1.1.240 to ns0's MAC.
2757 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2758 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
2759 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
2761 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2762 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
2763 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.240 e6:66:c1:11:11:11])
2765 dnl SNAT all IP from ns0 (port 1) to the single address 10.1.1.240 in zone 1.
dnl Untracked IP from ns1 (port 2) is reverse-NATted and re-evaluated in table 0.
2766 AT_DATA([flows.txt], [dnl
2767 in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240)),2
2768 in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)
2770 dnl Setting the mark fails if the datapath can't find the existing conntrack
2771 dnl entry after NAT has been reversed and the skb was lost due to an upcall.
dnl NOTE(review): this rule commits every tracked packet from port 2
dnl (ct_state=+trk) before table 1 checks +rpl, so a connection initiated from
dnl ns1 would be committed with mark 1 and only then dropped.  Acceptable for
dnl this regression test; a real policy should check +rpl/+est before commit.
dnl NOTE(review): the trailing output:1 runs on the original (untracked)
dnl instance of the ct(table=1) fork, not on the recirculated copy -- presumably
dnl intended so the reply is delivered even if the copy is lost in an upcall;
dnl confirm this does not deliver the reply twice.
2773 in_port=2,ct_state=+trk,ct_zone=1,ip,action=ct(table=1,commit,zone=1,exec(set_field:1->ct_mark)),1
2774 table=1,in_port=2,ct_mark=1,ct_state=+rpl,ct_zone=1,ip,action=1
2776 priority=0,action=drop
2779 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2781 dnl ICMP requests from p0->p1 should work fine.
2782 NS_CHECK_EXEC([at_ns0], [ping -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
2783 1 packets transmitted, 1 received, 0% packet loss, time 0ms
dnl The entry must carry mark=1 and the SNAT address as reply destination
dnl (masked to 10.1.1.2XX by the sed expression).
2786 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
2787 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.2XX,id=<cleared>,type=0,code=0),zone=1,mark=1
2790 OVS_TRAFFIC_VSWITCHD_STOP
2793 AT_SETUP([conntrack - SNAT with port range])
2795 CHECK_CONNTRACK_NAT()
2796 OVS_TRAFFIC_VSWITCHD_START()
2798 ADD_NAMESPACES(at_ns0, at_ns1)
2800 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl p0 gets a fixed MAC; the ARP responder below answers requests for the
dnl SNAT range with this address.
2801 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2802 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2804 dnl SNAT TCP from ns0 (port 1) to 10.1.1.240-10.1.1.255 using only source
dnl ports 34567-34568, picked randomly.  Untracked TCP from ns1 (port 2) is
dnl only handed to ct(nat) if it targets one of those two ports; any other
dnl untracked TCP from port 2 falls through to the priority=0 drop.
dnl NOTE(review): the +trk rule forwards any tracked TCP from port 2, including
dnl +new, not only established replies; fine here, not a return-only policy.
2805 AT_DATA([flows.txt], [dnl
2806 in_port=1,tcp,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255:34567-34568,random)),2
2807 in_port=2,ct_state=-trk,tcp,tp_dst=34567,action=ct(table=0,zone=1,nat)
2808 in_port=2,ct_state=-trk,tcp,tp_dst=34568,action=ct(table=0,zone=1,nat)
2809 in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
dnl ARP responder: copy the requested IP (TPA) into reg2, look it up in
dnl table 8, then let table 10 either answer or fall back to normal flooding.
2812 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2813 priority=10 arp action=normal
2814 priority=0,action=drop
2816 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl Only the SNAT range 10.1.1.240/28 resolves, to p0's MAC; otherwise 0.
2817 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2818 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2819 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2821 dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is saved in reg3 and zeroed before output so the reply can be
dnl sent back out of the port it arrived on.
2822 table=10 priority=100 arp xreg0=0 action=normal
2823 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2824 table=10 priority=0 action=drop
2827 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2829 dnl HTTP requests from p0->p1 should work fine.
2830 OVS_START_L7([at_ns1], [http])
2831 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The reply tuple must show the translated source (masked to 10.1.1.2XX) in
dnl zone 1; the chosen port is cleared by FORMAT_CT.
2833 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/' | uniq], [0], [dnl
2834 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2837 OVS_TRAFFIC_VSWITCHD_STOP
2841 AT_SETUP([conntrack - more complex SNAT])
2843 CHECK_CONNTRACK_NAT()
2844 OVS_TRAFFIC_VSWITCHD_START()
2846 ADD_NAMESPACES(at_ns0, at_ns1)
2848 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl p0 gets a fixed MAC; the ARP responder below answers requests for the
dnl SNAT range with this address.
2849 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2850 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Unlike the "simple SNAT" test, every IP packet is tracked (and translated
dnl if a mapping exists) before any policy decision, and ns1->ns0 is limited to
dnl +trk-new+est, so new connections from ns1 are dropped.
2852 AT_DATA([flows.txt], [dnl
2853 dnl Track all IP traffic, NAT existing connections.
2854 priority=100 ip action=ct(table=1,zone=1,nat)
2856 dnl Allow ARP, but generate responses for NATed addresses
2857 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2858 priority=10 arp action=normal
2859 priority=0 action=drop
2861 dnl Allow any traffic from ns0->ns1. SNAT ns0 to 10.1.1.240-10.1.1.255
dnl Only new connections are committed (with the SNAT mapping); established
dnl ones were already translated by the ct(nat) in table 0.
2862 table=1 priority=100 in_port=1 ip ct_state=+trk+new-est action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
2863 table=1 priority=100 in_port=1 ip ct_state=+trk-new+est action=2
2864 dnl Only allow established traffic from ns1->ns0.
2865 table=1 priority=100 in_port=2 ip ct_state=+trk-new+est action=1
2866 table=1 priority=0 action=drop
2868 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl Only the SNAT range 10.1.1.240/28 resolves, to p0's MAC.
2869 table=8 priority=100 reg2=0x0a0101f0/0xfffffff0 action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2870 dnl Zero result means not found.
2871 table=8 priority=0 action=load:0->OXM_OF_PKT_REG0[[]]
2872 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2873 dnl ARP TPA IP in reg2.
2874 table=10 priority=100 arp xreg0=0 action=normal
2875 dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is saved in reg3 and zeroed before output so the reply can be
dnl sent back out of the port it arrived on.
2876 table=10 priority=10 arp arp_op=1 action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2877 table=10 priority=0 action=drop
2880 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2882 dnl HTTP requests from p0->p1 should work fine.
2883 OVS_START_L7([at_ns1], [http])
2884 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The reply tuple must show the translated source (masked to 10.1.1.2XX) in
dnl zone 1.
2886 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/' | uniq], [0], [dnl
2887 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2890 OVS_TRAFFIC_VSWITCHD_STOP
2893 AT_SETUP([conntrack - simple DNAT])
2895 CHECK_CONNTRACK_NAT()
2896 OVS_TRAFFIC_VSWITCHD_START()
2898 ADD_NAMESPACES(at_ns0, at_ns1)
2900 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2901 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl p1 gets a fixed MAC; the ARP responder below answers requests for the
dnl DNAT VIP 10.1.1.64 with this address.
2902 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
2904 dnl DNAT: traffic from ns0 (port 1) to the VIP 10.1.1.64 is translated to
dnl 10.1.1.2; all other IP from port 1 is committed in zone 1 without NAT.
dnl Untracked IP from ns1 (port 2) is reverse-NATted and re-evaluated in
dnl table 0; only +trk+est is then forwarded back to port 1.
2905 AT_DATA([flows.txt], [dnl
2906 priority=100 in_port=1,ip,nw_dst=10.1.1.64,action=ct(zone=1,nat(dst=10.1.1.2),commit),2
2907 priority=10 in_port=1,ip,action=ct(commit,zone=1),2
2908 priority=100 in_port=2,ct_state=-trk,ip,action=ct(table=0,nat,zone=1)
2909 priority=100 in_port=2,ct_state=+trk+est,ct_zone=1,ip,action=1
dnl ARP responder: copy the requested IP (TPA) into reg2, look it up in
dnl table 8, then let table 10 either answer or fall back to normal flooding.
2912 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2913 priority=10 arp action=normal
2914 priority=0,action=drop
2916 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl Only the VIP 10.1.1.64 (0x0a010140) resolves, to p1's MAC.
2917 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2918 dnl Zero result means not found.
2919 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2920 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2922 table=10 priority=100 arp xreg0=0 action=normal
2923 dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is saved in reg3 and zeroed before output so the reply can be
dnl sent back out of the port it arrived on.
2924 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2925 table=10 priority=0 action=drop
2928 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2930 dnl Should work with the virtual IP address through NAT
dnl The reply tuple shows the real server 10.1.1.2 while orig keeps the VIP.
2931 OVS_START_L7([at_ns1], [http])
2932 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
2934 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
2935 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2938 dnl Should work with the assigned IP address as well
dnl This connection takes the priority=10 rule: committed in zone 1, no NAT.
2939 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2941 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2942 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2945 OVS_TRAFFIC_VSWITCHD_STOP
2948 AT_SETUP([conntrack - more complex DNAT])
2950 CHECK_CONNTRACK_NAT()
2951 OVS_TRAFFIC_VSWITCHD_START()
2953 ADD_NAMESPACES(at_ns0, at_ns1)
2955 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2956 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl p1 gets a fixed MAC; the ARP responder below answers requests for the
dnl DNAT VIP 10.1.1.64 with this address.
2957 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
2959 dnl Like "simple DNAT", but every IP packet is tracked (and translated if a
dnl mapping exists) in table 0 before any policy decision in table 1.  From
dnl ns0 (port 1) new connections to the VIP 10.1.1.64 are DNATted to 10.1.1.2,
dnl other new connections are committed without NAT; from ns1 (port 2) only
dnl established traffic is allowed back.
2960 AT_DATA([flows.txt], [dnl
2961 dnl Track all IP traffic
2962 table=0 priority=100 ip action=ct(table=1,zone=1,nat)
2964 dnl Allow ARP, but generate responses for NATed addresses
2965 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2966 table=0 priority=10 arp action=normal
2967 table=0 priority=0 action=drop
2969 dnl Allow any IP traffic from ns0->ns1. DNAT ns0 from 10.1.1.64 to 10.1.1.2
2970 table=1 priority=100 in_port=1 ct_state=+new ip nw_dst=10.1.1.64 action=ct(zone=1,nat(dst=10.1.1.2),commit),2
2971 table=1 priority=10 in_port=1 ct_state=+new ip action=ct(commit,zone=1),2
2972 table=1 priority=100 in_port=1 ct_state=+est ct_zone=1 action=2
2973 dnl Only allow established traffic from ns1->ns0.
2974 table=1 priority=100 in_port=2 ct_state=+est ct_zone=1 action=1
2975 table=1 priority=0 action=drop
2977 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl Only the VIP 10.1.1.64 (0x0a010140) resolves, to p1's MAC.
2978 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2979 dnl Zero result means not found.
2980 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2981 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2983 table=10 priority=100 arp xreg0=0 action=normal
2984 dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is saved in reg3 and zeroed before output so the reply can be
dnl sent back out of the port it arrived on.
2985 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2986 table=10 priority=0 action=drop
2989 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2991 dnl Should work with the virtual IP address through NAT
dnl The reply tuple shows the real server 10.1.1.2 while orig keeps the VIP.
2992 OVS_START_L7([at_ns1], [http])
2993 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
2995 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
2996 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2999 dnl Should work with the assigned IP address as well
dnl This connection takes the priority=10 rule: committed in zone 1, no NAT.
3000 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
3002 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
3003 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
3006 OVS_TRAFFIC_VSWITCHD_STOP
3009 AT_SETUP([conntrack - ICMP related with NAT])
3010 AT_SKIP_IF([test $HAVE_NC = no])
3011 AT_SKIP_IF([test $HAVE_TCPDUMP = no])
3013 CHECK_CONNTRACK_NAT()
3014 OVS_TRAFFIC_VSWITCHD_START()
3016 ADD_NAMESPACES(at_ns0, at_ns1)
3018 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl p0 gets a fixed MAC; the ARP responder below answers requests for the
dnl SNAT range with this address.
3019 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
3020 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
3022 dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
3023 dnl Make sure ICMP responses are reverse-NATted.
dnl UDP from port 1 is SNATted and marked (ct_mark=1).  Untracked ICMP from
dnl port 2 is reverse-NATted and re-evaluated in table 0; only ICMP that
dnl conntrack classifies as related to the marked UDP entry and that is now
dnl addressed to the real client 10.1.1.1 is forwarded.  Unrelated ICMP, and
dnl any other traffic, hits the priority=0 drop.
3024 AT_DATA([flows.txt], [dnl
3025 in_port=1,udp,action=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:1->ct_mark)),2
3026 in_port=2,icmp,ct_state=-trk,action=ct(table=0,nat)
3027 in_port=2,icmp,nw_dst=10.1.1.1,ct_state=+trk+rel,ct_mark=1,action=1
dnl ARP responder: copy the requested IP (TPA) into reg2, look it up in
dnl table 8, then let table 10 either answer or fall back to normal flooding.
3030 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
3031 priority=10 arp action=normal
3032 priority=0,action=drop
3034 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl Only the SNAT range 10.1.1.240/28 resolves, to p0's MAC; otherwise 0.
3035 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
3036 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
3037 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
3039 dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is saved in reg3 and zeroed before output so the reply can be
dnl sent back out of the port it arrived on.
3040 table=10 priority=100 arp xreg0=0 action=normal
3041 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
3042 table=10 priority=0 action=drop
3045 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Capture on the switch side of p0 so the reverse-NATted ICMP error can be
dnl checksum-verified at the end of the test.
dnl NOTE(review): the background tcpdump is not visibly terminated in this
dnl test; confirm it is cleaned up (e.g. by the teardown macros) so a stray
dnl capture process does not outlive the test.
3048 tcpdump -U -i ovs-p0 -w p0.pcap &
3051 dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
dnl Presumably nothing listens on UDP 10000 in ns1, so its kernel answers with
dnl an ICMP error that embeds the (NATted) IP/UDP headers of the probe.
3052 NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])
3054 AT_CHECK([ovs-appctl revalidator/purge], [0])
dnl Verify each rule was hit exactly the expected number of times: one UDP
dnl packet SNATted and marked, one ICMP packet un-NATted and then matched by
dnl the +rel, ct_mark=1, nw_dst=10.1.1.1 rule, and two ARP requests of which
dnl one was flooded normally and one answered by the responder.
3055 AT_CHECK([ovs-ofctl -O OpenFlow15 dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
3056 n_packets=1, n_bytes=42, priority=10,arp actions=NORMAL
3057 n_packets=1, n_bytes=44, udp,in_port=1 actions=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:0x1->ct_mark)),output:2
3058 n_packets=1, n_bytes=72, ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2,nw_dst=10.1.1.1 actions=output:1
3059 n_packets=1, n_bytes=72, ct_state=-trk,icmp,in_port=2 actions=ct(table=0,nat)
3060 n_packets=2, n_bytes=84, priority=100,arp,arp_op=1 actions=move:NXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
3061 table=10, n_packets=1, n_bytes=42, priority=10,arp,arp_op=1 actions=set_field:2->arp_op,move:NXM_NX_ARP_SHA[[]]->NXM_NX_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_NX_ARP_SHA[[]],move:NXM_OF_ARP_SPA[[]]->NXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->NXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],set_field:0->in_port,output:NXM_NX_REG3[[0..15]]
3062 table=10, n_packets=1, n_bytes=42, priority=100,arp,reg0=0,reg1=0 actions=NORMAL
3063 table=8, n_packets=1, n_bytes=42, priority=0 actions=set_field:0->xreg0
3064 table=8, n_packets=1, n_bytes=42, reg2=0xa0101f0/0xfffffff0 actions=set_field:0x808888888888->xreg0
3065 OFPST_FLOW reply (OF1.5):
dnl The UDP entry must carry mark=1 and the translated reply destination
dnl (masked to 10.1.1.2XX by the sed expression).
3068 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
3069 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),mark=1
dnl tcpdump -v prints checksum verdicts; egrep must find no "wrong"/"bad"
dnl (exit status 1 = no match), which would indicate an outer ICMP or embedded
dnl IP/UDP checksum that was not fixed up after the reverse NAT.
3072 AT_CHECK([tcpdump -v "icmp" -r p0.pcap 2>/dev/null | egrep 'wrong|bad'], [1], [ignore-nolog])
3074 OVS_TRAFFIC_VSWITCHD_STOP
3077 dnl CHECK_FTP_NAT(TITLE, IP_ADDR, FLOWS, CT_DUMP)
3079 dnl Checks the implementation of conntrack with FTP ALGs in combination with
3080 dnl NAT, using the provided flow table.
3081 m4_define([CHECK_FTP_NAT],
3082 [AT_SETUP([conntrack - FTP NAT $1])
3083 AT_SKIP_IF([test $HAVE_FTP = no])
3085 CHECK_CONNTRACK_NAT()
3086 CHECK_CONNTRACK_ALG()
3088 OVS_TRAFFIC_VSWITCHD_START()
3090 ADD_NAMESPACES(at_ns0, at_ns1)
3092 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Pin p0 to a known MAC: the FLOWS supplied by the callers of this macro
dnl answer ARP for the NAT address with this same MAC (0x808888888888), so
dnl ns1 resolves the NAT address to ns0's interface.
3093 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
3094 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
3096 dnl Allow any traffic from ns0->ns1. Only allow ARP and return traffic from ns1->ns0.
dnl The exact policy is the caller-supplied FLOWS table (argument 3).
3097 AT_DATA([flows.txt], [$3])
3099 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3101 OVS_START_L7([at_ns1], [ftp])
3103 dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode, so the server opens the data
dnl connection back towards the client. That is the case in which the FTP
dnl ALG has to rewrite the PORT command and NAT the resulting related
dnl connection.
3104 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
3106 dnl Discards CLOSE_WAIT and CLOSING
dnl The remaining entries must match CT_DUMP (argument 4) exactly.
3107 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [$4])
3109 OVS_TRAFFIC_VSWITCHD_STOP
3112 dnl CHECK_FTP_NAT_PRE_RECIRC(TITLE, IP_ADDR, IP_ADDR_AS_HEX)
3114 dnl Checks the implementation of conntrack with FTP ALGs in combination with
3115 dnl NAT, with flow tables that implement the NATing as part of handling of
3116 dnl initial incoming packets - ie, the first flow is ct(nat,table=foo).
3118 dnl IP_ADDR must specify the NAT address in standard "10.1.1.x" format,
3119 dnl and IP_ADDR_AS_HEX must specify the same address as hex, eg 0x0a0101xx.
3120 m4_define([CHECK_FTP_NAT_PRE_RECIRC], [dnl
3121 CHECK_FTP_NAT([prerecirc $1], [$2], [dnl
3122 dnl track all IP traffic, de-mangle non-NEW connections
dnl NAT is applied here, before recirculation, so every match in tables 1
dnl and 2 sees post-NAT headers (outgoing source is already IP_ADDR,
dnl incoming destination is already 10.1.1.1).
3123 table=0 in_port=1, ip, action=ct(table=1,nat)
3124 table=0 in_port=2, ip, action=ct(table=2,nat)
dnl ARP responder: stash the target IP in reg2, look its MAC up in table 8,
dnl then let table 10 either forward the query normally or answer it.
3128 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
3129 table=0 priority=10 arp action=normal
3130 table=0 priority=0 action=drop
3132 dnl Table 1: port 1 -> 2
3134 dnl Allow new FTP connections. These need to be committed.
dnl Only the FTP control port, and only from 10.1.1.1, may open a new
dnl connection; the ALG is attached here and the source is SNATed to IP_ADDR.
3135 table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, action=ct(alg=ftp,commit,nat(src=$2)),2
3136 dnl Allow established TCP connections, make sure they are NATted already.
dnl Matching on the translated source means an established packet whose
dnl source is still 10.1.1.1 falls through to the priority 10 drop below
dnl rather than being forwarded with the real address.
3137 table=1 ct_state=+est, tcp, nw_src=$2, action=2
3139 dnl Table 1: droppers
3141 table=1 priority=10, tcp, action=drop
3142 table=1 priority=0,action=drop
3144 dnl Table 2: port 2 -> 1
3146 dnl Allow established TCP connections, make sure they are reverse NATted
3147 table=2 ct_state=+est, tcp, nw_dst=10.1.1.1, action=1
3148 dnl Allow (new) related (data) connections. These need to be committed.
dnl In active mode the server opens the data connection towards the NAT
dnl address; it is accepted only because the ALG marked it related. Any
dnl other new TCP from port 2 falls through to the droppers.
3149 table=2 ct_state=+new+rel, tcp, nw_dst=$2, action=ct(commit,nat),1
3150 dnl Allow related ICMP packets, make sure they are reverse NATted
3151 table=2 ct_state=+rel, icmp, nw_dst=10.1.1.1, action=1
3153 dnl Table 2: droppers
3155 table=2 priority=10, tcp, action=drop
3156 table=2 priority=0, action=drop
3158 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl Only the NAT address (IP_ADDR_AS_HEX, full mask) resolves to ns0's MAC;
dnl every other target yields 0, which table 10 treats as "no responder".
3160 table=8,reg2=$3/0xffffffff,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
3161 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
3162 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
3164 dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is saved in reg3 and zeroed before the output because a plain
dnl output to the ingress port is not forwarded.
3165 table=10 priority=100 arp xreg0=0 action=normal
3166 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
3167 table=10 priority=0 action=drop
dnl Expected conntrack entries: the control connection (helper=ftp) with its
dnl reply direction aimed at IP_ADDR, and the related data connection opened
dnl by the server towards IP_ADDR and reverse-NATed to 10.1.1.1.
3169 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
3170 tcp,orig=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
3174 dnl Check that ct(nat,table=foo) works without TCP sequence adjustment.
3175 CHECK_FTP_NAT_PRE_RECIRC([], [10.1.1.9], [0x0a010109])
3177 dnl Check that ct(nat,table=foo) works with TCP sequence adjustment.
3179 dnl The FTP PORT command includes the ASCII representation of the address,
3180 dnl so when these messages need to be NATed between addresses that have
3181 dnl different lengths when represented in ASCII (such as the original address
3182 dnl of 10.1.1.1 used in the test and 10.1.1.240 here), the FTP NAT ALG must
3183 dnl resize the packet and adjust TCP sequence numbers. This test is kept
3184 dnl separate from the above to more easily identify issues in this code on different
3186 CHECK_FTP_NAT_PRE_RECIRC([seqadj], [10.1.1.240], [0x0a0101f0])
3188 dnl CHECK_FTP_NAT_POST_RECIRC(TITLE, IP_ADDR, IP_ADDR_AS_HEX)
3190 dnl Checks the implementation of conntrack with FTP ALGs in combination with
3191 dnl NAT, with flow tables that implement the NATing after the first round
3192 dnl of recirculation - that is, the first flow ct(table=foo) then a subsequent
3193 dnl flow will implement the NATing with ct(nat..),output:foo.
3195 dnl IP_ADDR must specify the NAT address in standard "10.1.1.x" format,
3196 dnl and IP_ADDR_AS_HEX must specify the same address as hex, eg 0x0a0101xx.
3197 m4_define([CHECK_FTP_NAT_POST_RECIRC], [dnl
3198 CHECK_FTP_NAT([postrecirc $1], [$2], [dnl
3199 dnl track all IP traffic (this includes a helper call to non-NEW packets.)
dnl No NAT here: translation is applied in table 1 after recirculation, so
dnl the table 1 matches below see the untranslated headers and discriminate
dnl only on in_port and conntrack state.
3200 table=0 ip, action=ct(table=1)
dnl ARP responder for the NAT address (tables 8 and 10 below).
3204 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
3205 table=0 priority=10 arp action=normal
3206 table=0 priority=0 action=drop
3210 dnl Allow new FTP connections. These need to be committed.
3211 dnl This does helper for new packets.
3212 table=1 in_port=1 ct_state=+new, tcp, tp_dst=21, action=ct(alg=ftp,commit,nat(src=$2)),2
3213 dnl Allow and NAT established TCP connections
3214 table=1 in_port=1 ct_state=+est, tcp, action=ct(nat),2
3215 table=1 in_port=2 ct_state=+est, tcp, action=ct(nat),1
3216 dnl Allow and NAT (new) related active (data) connections.
3217 dnl These need to be committed.
dnl A bare 'nat' on a related connection is expected to reuse the master's
dnl mapping, so the server-initiated data connection is reverse-NATed to
dnl 10.1.1.1. Unrelated new TCP from port 2 hits the priority 0 drop.
3218 table=1 in_port=2 ct_state=+new+rel, tcp, action=ct(commit,nat),1
3219 dnl Allow related ICMP packets.
3220 table=1 in_port=2 ct_state=+rel, icmp, action=ct(nat),1
3221 dnl Drop everything else.
3222 table=1 priority=0, action=drop
3224 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl Only the NAT address (IP_ADDR_AS_HEX, full mask) resolves to ns0's MAC;
dnl every other target yields 0, which table 10 treats as "no responder".
3226 table=8,reg2=$3/0xffffffff,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
3227 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
3228 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
3230 dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is saved in reg3 and zeroed before the output because a plain
dnl output to the ingress port is not forwarded.
3231 table=10 priority=100 arp xreg0=0 action=normal
3232 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
3233 table=10 priority=0 action=drop
dnl Expected conntrack entries: the control connection (helper=ftp) with its
dnl reply direction aimed at IP_ADDR, and the related data connection opened
dnl by the server towards IP_ADDR and reverse-NATed to 10.1.1.1.
3235 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
3236 tcp,orig=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
3240 dnl Check that ct(nat,table=foo) works without TCP sequence adjustment.
3241 CHECK_FTP_NAT_POST_RECIRC([], [10.1.1.9], [0x0a010109])
3243 dnl Check that ct(nat,table=foo) works with TCP sequence adjustment.
3245 dnl The FTP PORT command includes the ASCII representation of the address,
3246 dnl so when these messages need to be NATed between addresses that have
3247 dnl different lengths when represented in ASCII (such as the original address
3248 dnl of 10.1.1.1 used in the test and 10.1.1.240 here), the FTP NAT ALG must
3249 dnl resize the packet and adjust TCP sequence numbers. This test is kept
3250 dnl separate from the above to more easily identify issues in this code on different
3252 CHECK_FTP_NAT_POST_RECIRC([seqadj], [10.1.1.240], [0x0a0101f0])
3255 dnl CHECK_FTP_NAT_ORIG_TUPLE(TITLE, IP_ADDR, IP_ADDR_AS_HEX)
3257 dnl Checks the implementation of conntrack original direction tuple matching
3258 dnl with FTP ALGs in combination with NAT, with flow tables that implement
3259 dnl the NATing before the first round of recirculation - that is, the first
3260 dnl flow ct(nat, table=foo) then a subsequent flow will implement the
3261 dnl committing of NATed and other connections with ct(nat..),output:foo.
3263 dnl IP_ADDR must specify the NAT address in standard "10.1.1.x" format,
3264 dnl and IP_ADDR_AS_HEX must specify the same address as hex, eg 0x0a0101xx.
3265 m4_define([CHECK_FTP_NAT_ORIG_TUPLE], [dnl
3266 CHECK_FTP_NAT([orig tuple $1], [$2], [dnl
3267 dnl Store zone in reg4 and packet direction in reg3 (IN=1, OUT=2).
3268 dnl NAT is only applied to OUT-direction packets, so that ACL
3269 dnl processing can be done with non-NATted headers.
dnl IN-direction packets therefore reach the ACL with their real addresses,
dnl while OUT-direction packets are un-NATed first; replies and related
dnl packets are judged on the conntrack original tuple instead (table 1).
3271 dnl Track all IP traffic in the IN-direction (IN from Port 1).
3272 table=0 in_port=1, ip, action=set_field:1->reg4,set_field:1->reg3,ct(zone=NXM_NX_REG4[[0..15]],table=1)
3273 dnl Track all IP traffic in the OUT-direction (OUT to the Port 1).
3274 table=0 in_port=2, ip, action=set_field:1->reg4,set_field:2->reg3,ct(zone=NXM_NX_REG4[[0..15]],nat,table=1)
dnl ARP responder for the NAT address (tables 8 and 10 below).
3278 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
3279 table=0 priority=10 arp action=normal
3280 table=0 priority=0 action=drop
3282 dnl Pass tracked traffic through ACL, drop everything else.
3283 dnl Non-REPLY/RELATED packets get the ACL lookup with the packet headers
3284 dnl in the actual packet direction in reg0 (IN=1, OUT=2). REPLY packets
3285 dnl get the ACL lookup using the conntrack tuple and the inverted direction.
3286 dnl RELATED packets get ACL lookup using the conntrack tuple in the direction
3287 dnl of the master connection, as stored in ct_label[0].
dnl resubmit(,3,ct) substitutes the conntrack original-direction tuple for
dnl the packet's own addresses and ports during the table 3 lookup. Invalid
dnl (+inv) packets match none of these rules and are dropped below.
3289 dnl Incoming non-related packet in the original direction (ACL IN)
3290 table=1 reg3=1, ip, ct_state=-rel-rpl+trk-inv action=set_field:1->reg0,resubmit(,3),goto_table:5
3291 dnl Incoming non-related reply packet (CT ACL OUT)
3292 table=1 reg3=1, ip, ct_state=-rel+rpl+trk-inv action=set_field:2->reg0,resubmit(,3,ct),goto_table:4
3293 dnl Outgoing non-related packet (ACL OUT)
3294 table=1 reg3=2, ip, ct_state=-rel-rpl+trk-inv action=set_field:2->reg0,resubmit(,3),goto_table:5
3295 dnl Outgoing non-related reply packet (CT ACL IN)
3296 table=1 reg3=2, ip, ct_state=-rel+rpl+trk-inv action=set_field:1->reg0,resubmit(,3,ct),goto_table:4
3298 dnl Related packet (CT ACL in the direction of the master connection.)
3299 table=1 ip, ct_state=+rel+trk-inv, action=move:NXM_NX_CT_LABEL[[0]]->NXM_NX_REG0[[0]],resubmit(,3,ct),goto_table:4
3300 dnl Drop everything else.
3301 table=1 priority=0, action=drop
3305 dnl Stateful accept (1->reg2) all incoming (reg0=1) IP connections with
3306 dnl IP source address '10.1.1.1'. Store rule ID (1234) in reg1, verdict
3308 table=3 priority=10, reg0=1, ip, nw_src=10.1.1.1 action=set_field:1234->reg1,set_field:1->reg2
3309 dnl Stateless drop (0->reg2) everything else in both directions. (Rule ID: 1235)
3310 table=3 priority=0, action=set_field:1235->reg1,set_field:0->reg2
3312 dnl Re-process stateful traffic that was not accepted by a stateful rule as
3313 dnl normal traffic in the current direction. This should also delete the
3314 dnl now stale conntrack state, so that new state can be created in its place.
3316 dnl Stateful accepts go to next table.
3317 table=4 priority=100 reg2=1, action=goto_table:5
3318 dnl Everything else is reprocessed disregarding the CT state, using the actual
3319 dnl packet direction.
3320 table=4 priority=0 action=move:NXM_NX_REG3[[]]->NXM_NX_REG0[[]],resubmit(,3),goto_table:5
3322 dnl "ACL verdict processing table."
3324 dnl Handle stateful (reg2=1) / stateless (reg2=2) accepts and drops (reg2=0)
dnl (No rule in table 3 of this test sets reg2=2; a stateless accept would
dnl simply fall through to the priority 0 forwarding rule at the end.)
3326 dnl Drop all non-accepted packets.
3327 table=5 reg2=0 priority=1000 action=drop
3329 dnl Commit new incoming FTP control connections with SNAT range. Must match on
3330 dnl 'tcp' when setting 'alg=ftp'. Store the directionality of non-related
3331 dnl connections to ct_label[0]. Store the rule ID to ct_label[96..127].
3332 table=5 priority=100 reg2=1 reg3=1 ct_state=+new-rel, tcp, tp_dst=21, action=ct(zone=NXM_NX_REG4[[0..15]],alg=ftp,commit,nat(src=$2),exec(move:NXM_NX_REG3[[0]]->NXM_NX_CT_LABEL[[0]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
3333 dnl Commit other new incoming non-related IP connections with SNAT range.
3334 table=5 priority=10 reg2=1 reg3=1 ct_state=+new-rel, ip, action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat(src=$2),exec(move:NXM_NX_REG3[[0]]->NXM_NX_CT_LABEL[[0]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
3335 dnl Commit non-related outgoing new IP connections with DNAT range.
3336 dnl (This should not get any packets in this test.)
3337 table=5 priority=10 reg2=1 reg3=2 ct_state=+new-rel, ip, action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat(dst=$2),exec(move:NXM_NX_REG3[[0]]->NXM_NX_CT_LABEL[[0]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
3338 dnl Commit new related connections in either direction, which need 'nat'
3339 dnl and which inherit the label (the direction of the original direction
3340 dnl master tuple) from the master connection.
dnl Only the rule ID is written here; bit 0 is left as inherited.
3341 table=5 priority=10 reg2=1 ct_state=+new+rel, ip, action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat,exec(move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
3343 dnl NAT incoming non-NEW packets. Outgoing packets were NATted in table 0.
3345 table=5 priority=10 ct_state=-new+trk-inv reg3=1 ip, action=ct(zone=NXM_NX_REG4[[0..15]],nat),goto_table:6
3346 dnl Forward everything else, including stateless accepts.
3347 table=5 priority=0 action=goto_table:6
3349 dnl "Forwarding table"
3351 table=6 in_port=1 action=2
3352 table=6 in_port=2 action=1
3354 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl reg2 is matched exactly (no mask); only the NAT address resolves to
dnl ns0's MAC, everything else yields 0 and is handled by the normal action.
3356 table=8,reg2=$3,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
3357 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
3358 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
3360 dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is saved in reg3 and zeroed before the output because a plain
dnl output to the ingress port is not forwarded.
3361 table=10 priority=100 arp xreg0=0 action=normal
3362 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
3363 table=10 priority=0 action=drop
dnl Expected entries, both in zone 1 with labels=0x4d2...1: rule ID 1234
dnl (0x4d2) in bits 96..127 and the IN direction (1) in bit 0. The control
dnl connection carries helper=ftp; the related data connection inherits the
dnl direction bit from it and gets the same rule ID from its ACL lookup.
3365 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),zone=1,labels=0x4d2000000000000000000000001,protoinfo=(state=<cleared>),helper=ftp
3366 tcp,orig=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,labels=0x4d2000000000000000000000001,protoinfo=(state=<cleared>)
3370 dnl Check that ct(nat,table=foo) works without TCP sequence adjustment with
3371 dnl an ACL table based on matching on conntrack original direction tuple only.
3372 CHECK_FTP_NAT_ORIG_TUPLE([], [10.1.1.9], [0x0a010109])
3374 dnl Check that ct(nat,table=foo) works with TCP sequence adjustment with
3375 dnl an ACL table based on matching on conntrack original direction tuple only.
3376 CHECK_FTP_NAT_ORIG_TUPLE([seqadj], [10.1.1.240], [0x0a0101f0])
3378 AT_SETUP([conntrack - IPv4 FTP Passive with NAT])
3379 AT_SKIP_IF([test $HAVE_FTP = no])
3381 CHECK_CONNTRACK_NAT()
3382 CHECK_CONNTRACK_ALG()
3384 OVS_TRAFFIC_VSWITCHD_START()
3386 ADD_NAMESPACES(at_ns0, at_ns1)
dnl Fixed MACs and static ARP entries on both sides: the flow table below
dnl passes only IP, so ARP is dropped and nothing answers for the NAT
dnl address 10.1.1.240. ns1 is told that address lives at ns0's MAC.
3388 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
3389 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
3390 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
3392 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
3393 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
3394 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
3395 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.240 e6:66:c1:11:11:11])
3397 dnl Allow any traffic from ns0->ns1.
3398 AT_DATA([flows.txt], [dnl
3399 dnl track all IPv4 traffic and NAT any established traffic.
dnl NAT happens before recirculation, so table 1 matches post-NAT headers.
3400 table=0 priority=10 ip, action=ct(nat,table=1)
3401 table=0 priority=0 action=drop
3405 dnl Allow new FTP control connections.
3406 table=1 in_port=1 ct_state=+new tcp nw_src=10.1.1.1 tp_dst=21 action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
3407 dnl Allow related TCP connections from port 1.
dnl In passive mode the client opens the data connection towards the port the
dnl server announced in its PASV reply, so the related connection originates
dnl at port 1. A bare 'nat' on a related connection is expected to reuse the
dnl master's mapping, so the data connection is SNATed to 10.1.1.240 too.
3408 table=1 in_port=1 ct_state=+new+rel tcp nw_src=10.1.1.1 action=ct(commit,nat),2
3409 dnl Allow established TCP connections both ways, post-NAT match.
3410 table=1 in_port=1 ct_state=+est tcp nw_src=10.1.1.240 action=2
3411 table=1 in_port=2 ct_state=+est tcp nw_dst=10.1.1.1 action=1
3413 dnl Allow ICMP both ways.
3414 table=1 priority=100 in_port=1 icmp, action=2
3415 table=1 priority=100 in_port=2 icmp, action=1
3416 table=1 priority=0, action=drop
3419 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3421 dnl Check that the network stacks are working, to avoid races.
3422 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2 >/dev/null])
3424 OVS_START_L7([at_ns1], [ftp])
3426 dnl FTP requests from p0->p1 should work fine.
dnl wget runs in its default passive mode here (no --no-passive-ftp).
3427 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
3429 dnl Discards CLOSE_WAIT and CLOSING
dnl Both entries are initiated by 10.1.1.1 and SNATed to 10.1.1.240: the one
dnl with helper=ftp is the control connection, the other the data connection.
3430 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
3431 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
3432 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
3435 OVS_TRAFFIC_VSWITCHD_STOP
3438 AT_SETUP([conntrack - IPv6 HTTP with SNAT])
3440 CHECK_CONNTRACK_NAT()
3441 OVS_TRAFFIC_VSWITCHD_START()
3443 ADD_NAMESPACES(at_ns0, at_ns1)
3445 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
3446 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
3447 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl Static neighbour entries for both addresses of the SNAT pool below, so
dnl ns1 can reach the translated source without neighbour discovery.
3448 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
3449 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::241 lladdr 80:88:88:88:88:88 dev p1])
3451 dnl Allow any traffic from ns0->ns1. Only allow ICMPv6 and return traffic from ns1->ns0.
dnl Note that the priority 10 rule passes every ICMPv6 type in both
dnl directions untracked, not only neighbour discovery.
3452 AT_DATA([flows.txt], [dnl
3453 priority=1,action=drop
3454 priority=10,icmp6,action=normal
dnl Outgoing traffic is committed with a two-address SNAT pool.
3455 priority=100,in_port=1,ip6,action=ct(commit,nat(src=fc00::240-fc00::241)),2
dnl Return traffic is reverse-NATed on the first pass and then only passes
dnl if it belongs to an established connection; new TCP from port 2 ends up
dnl at the priority 1 drop.
3456 priority=100,in_port=2,ct_state=-trk,ip6,action=ct(nat,table=0)
3457 priority=100,in_port=2,ct_state=+trk+est,ip6,action=1
dnl Neighbour Solicitations (type 135) from ns1 for either pool address are
dnl DNATed to fc00::1 so ns0's stack answers them, and committed, presumably
dnl so the advertisement can be translated back. With the static neighbour
dnl entries above these two rules may not be exercised in this run.
3458 priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::240,action=ct(commit,nat(dst=fc00::1)),1
3459 priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::241,action=ct(commit,nat(dst=fc00::1)),1
3462 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3464 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
3465 dnl waiting, we get occasional failures due to the following error:
3466 dnl "connect: Cannot assign requested address"
3467 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
3469 dnl HTTP requests from ns0->ns1 should work fine.
3470 OVS_START_L7([at_ns1], [http6])
3472 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
3474 dnl HTTP requests from ns1->ns0 should fail due to network failure.
3475 dnl Try 3 times, in 1 second intervals.
dnl wget exit status 4 is "network failure": the SYN from port 2 is a new
dnl connection, matches nothing above priority 1 and is dropped.
3476 OVS_START_L7([at_ns0], [http6])
3477 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
3479 OVS_TRAFFIC_VSWITCHD_STOP
3482 AT_SETUP([conntrack - IPv6 HTTP with DNAT])
3484 CHECK_CONNTRACK_NAT()
3485 OVS_TRAFFIC_VSWITCHD_START()
3487 ADD_NAMESPACES(at_ns0, at_ns1)
3489 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
3490 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl Fixed MACs plus static neighbour entries: ns0 resolves the virtual
dnl address fc00::240 to ns1's MAC and ns1 resolves fc00::1, so no ND is
dnl needed (the flow table below has no ICMPv6 rule). The -6 family flag
dnl is not meaningful for 'ip link set' and is ignored there.
3491 NS_CHECK_EXEC([at_ns0], [ip -6 link set dev p0 address 80:88:88:88:88:77])
3492 NS_CHECK_EXEC([at_ns1], [ip -6 link set dev p1 address 80:88:88:88:88:88])
3493 NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p0])
3494 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::1 lladdr 80:88:88:88:88:77 dev p1])
3496 dnl Allow traffic from ns0 to the virtual address fc00::240 only, DNATed to ns1. Only allow return traffic from ns1->ns0.
dnl There is no ICMPv6 rule and no explicit catch-all drop; anything not
dnl matched here relies on the bridge's table-miss behaviour rather than an
dnl explicit drop rule.
3497 AT_DATA([flows.txt], [dnl
3498 priority=100 in_port=1,ip6,ipv6_dst=fc00::240,action=ct(zone=1,nat(dst=fc00::2),commit),2
3499 priority=100 in_port=2,ct_state=-trk,ip6,action=ct(table=0,nat,zone=1)
3500 priority=100 in_port=2,ct_state=+trk+est,ct_zone=1,ip6,action=1
3503 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3505 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
3506 dnl waiting, we get occasional failures due to the following error:
3507 dnl "connect: Cannot assign requested address"
3508 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::240])
3510 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::240 | FORMAT_PING], [0], [dnl
3511 3 packets transmitted, 3 received, 0% packet loss, time 0ms
3514 dnl Should work with the virtual IP address through NAT
3515 OVS_START_L7([at_ns1], [http6])
3516 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::240]] -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The ping6 above is ip6 as well, so it was DNATed and committed like the
dnl TCP connection; both entries show orig dst fc00::240 mapped to reply src
dnl fc00::2 in zone 1.
3518 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::1)], [0], [dnl
3519 icmpv6,orig=(src=fc00::1,dst=fc00::240,id=<cleared>,type=128,code=0),reply=(src=fc00::2,dst=fc00::1,id=<cleared>,type=129,code=0),zone=1
3520 tcp,orig=(src=fc00::1,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
3523 OVS_TRAFFIC_VSWITCHD_STOP
3526 AT_SETUP([conntrack - IPv6 ICMP6 Related with SNAT])
3527 AT_SKIP_IF([test $HAVE_TCPDUMP = no])
3529 CHECK_CONNTRACK_NAT()
3530 OVS_TRAFFIC_VSWITCHD_START()
3532 ADD_NAMESPACES(at_ns0, at_ns1)
3534 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
3535 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
3536 NS_CHECK_EXEC([at_ns0], [ip -6 link set dev p0 address 80:88:88:88:88:77])
3537 NS_CHECK_EXEC([at_ns1], [ip -6 link set dev p1 address 80:88:88:88:88:88])
dnl Static neighbour entries: ns1 must be able to reach the SNAT address
dnl fc00::240 (at ns0's MAC) to deliver the ICMPv6 error back.
3539 NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::2 lladdr 80:88:88:88:88:88 dev p0])
3540 NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::3 lladdr 80:88:88:88:88:88 dev p0])
3541 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:77 dev p1])
3542 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::1 lladdr 80:88:88:88:88:77 dev p1])
3544 NS_CHECK_EXEC([at_ns0], [ip -6 route add default via fc00::2])
3546 dnl Allow any traffic from ns0->ns1. Only allow established and related return traffic from ns1->ns0.
dnl The +rel rule is what lets the ICMPv6 error that ns1 generates for the
dnl SNATed UDP packet reach ns0; it is reverse-NATed by the -trk rule first.
dnl The tcpdump check below verifies the translated error still carries
dnl valid checksums.
3547 AT_DATA([flows.txt], [dnl
3548 priority=100 in_port=1,ip6,action=ct(nat(src=fc00::240),commit),2
3549 priority=100 in_port=2,ct_state=-trk,ip6,action=ct(table=0,nat)
3550 priority=100 in_port=2,ct_state=+trk+est,ip6,action=1
3551 priority=100 in_port=2,ct_state=+trk+rel,ip6,action=1
3554 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3556 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
3557 dnl waiting, we get occasional failures due to the following error:
3558 dnl "connect: Cannot assign requested address"
3559 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
dnl Drop the entry created by the ping6 above so the dump at the end
dnl contains only the UDP connection.
3561 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
3564 tcpdump -U -i ovs-p0 -w p0.pcap &
3567 dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
dnl Presumably nothing listens on UDP port 1 in ns1, so its stack answers with
dnl an ICMPv6 destination unreachable that conntrack classifies as related.
3568 NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc -6 $NC_EOF_OPT -u fc00::2 1"])
dnl tcpdump -v reports checksum problems with "wrong" or "bad"; grep must find
dnl none (exit status 1), i.e. the reverse-NATed error was re-checksummed.
3570 AT_CHECK([tcpdump -v "icmp6" -r p0.pcap 2>/dev/null | egrep 'wrong|bad'], [1], [ignore-nolog])
3572 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
3573 udp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>)
3576 OVS_TRAFFIC_VSWITCHD_STOP
3579 AT_SETUP([conntrack - IPv6 FTP with NAT])
3580 AT_SKIP_IF([test $HAVE_FTP = no])
3582 CHECK_CONNTRACK_NAT()
3583 CHECK_CONNTRACK_ALG()
3585 OVS_TRAFFIC_VSWITCHD_START()
3587 ADD_NAMESPACES(at_ns0, at_ns1)
3589 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
3590 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
3591 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
3592 dnl Would be nice if NAT could translate neighbor discovery messages, too.
dnl Until then ns1 is told statically that the NAT address lives at ns0's MAC.
3593 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
3595 dnl Allow any traffic from ns0->ns1.
3596 dnl Only allow ICMPv6, return and related traffic from ns1->ns0.
3597 AT_DATA([flows.txt], [dnl
3598 dnl track all IPv6 traffic (this includes NAT & help to non-NEW packets.)
dnl NAT happens before recirculation, so table 1 matches post-NAT headers.
3599 table=0 priority=10 ip6, action=ct(nat,table=1)
3600 table=0 priority=0 action=drop
3604 dnl Allow new TCPv6 FTP control connections.
3605 table=1 in_port=1 ct_state=+new tcp6 ipv6_src=fc00::1 tp_dst=21 action=ct(alg=ftp,commit,nat(src=fc00::240)),2
3606 dnl Allow related TCPv6 connections from port 2 to the NATted address.
dnl Active mode: the server opens the data connection towards fc00::240. It
dnl is accepted only because the FTP ALG marked it related, then committed
dnl and reverse-NATed to fc00::1. Unrelated new TCP from port 2 is dropped.
3607 table=1 in_port=2 ct_state=+new+rel tcp6 ipv6_dst=fc00::240 action=ct(commit,nat),1
3608 dnl Allow established TCPv6 connections both ways, enforce NATting
3609 table=1 in_port=1 ct_state=+est tcp6 ipv6_src=fc00::240 action=2
3610 table=1 in_port=2 ct_state=+est tcp6 ipv6_dst=fc00::1 action=1
3611 dnl Allow other ICMPv6 both ways (without commit).
3612 table=1 priority=100 in_port=1 icmp6, action=2
3613 table=1 priority=100 in_port=2 icmp6, action=1
3614 dnl Drop everything else.
3615 table=1 priority=0, action=drop
3618 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3620 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
3621 dnl waiting, we get occasional failures due to the following error:
3622 dnl "connect: Cannot assign requested address"
3623 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
3625 OVS_START_L7([at_ns1], [ftp])
3627 dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode so the ALG has to rewrite the
dnl EPRT/PORT command and NAT the server-initiated data connection.
3628 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
3630 dnl Discards CLOSE_WAIT and CLOSING
dnl Expected: the control connection (helper=ftp) from fc00::1 with its reply
dnl aimed at fc00::240, and the server-initiated data connection to fc00::240
dnl whose reply is reverse-NATed to fc00::1.
3631 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
3632 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
3633 tcp,orig=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
3636 OVS_TRAFFIC_VSWITCHD_STOP
3639 AT_SETUP([conntrack - IPv6 FTP Passive with NAT])
3640 AT_SKIP_IF([test $HAVE_FTP = no])
3642 CHECK_CONNTRACK_NAT()
3643 CHECK_CONNTRACK_ALG()
3645 OVS_TRAFFIC_VSWITCHD_START()
3647 ADD_NAMESPACES(at_ns0, at_ns1)
3649 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
3650 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
3651 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
3652 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:99])
dnl Static neighbour entries both ways; ns1 needs one for the NAT address
dnl fc00::240 because neighbour discovery is not translated.
3653 NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::2 lladdr 80:88:88:88:88:99 dev p0])
3654 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
3656 dnl Allow any traffic from ns0->ns1.
3657 dnl Only allow ICMPv6 and return traffic from ns1->ns0.
3658 AT_DATA([flows.txt], [dnl
3659 dnl track all IPv6 traffic (this includes NAT & help to non-NEW packets.)
dnl NAT happens before recirculation, so table 1 matches post-NAT headers.
3660 table=0 priority=10 ip6, action=ct(nat,table=1)
3661 table=0 priority=0 action=drop
3665 dnl Allow new TCPv6 FTP control connections.
3666 table=1 in_port=1 ct_state=+new tcp6 ipv6_src=fc00::1 tp_dst=21 action=ct(alg=ftp,commit,nat(src=fc00::240)),2
3667 dnl Allow related TCPv6 connections from port 1.
dnl Passive mode: the client opens the data connection towards the port the
dnl server announced, so the related connection originates at port 1. A bare
dnl 'nat' on a related connection is expected to reuse the master's mapping,
dnl so the data connection is SNATed to fc00::240 as well. No new TCP is
dnl accepted from port 2 at all in this test.
3668 table=1 in_port=1 ct_state=+new+rel tcp6 ipv6_dst=fc00::2 action=ct(commit,nat),2
3669 dnl Allow established TCPv6 connections both ways, enforce NATting
3670 table=1 in_port=1 ct_state=+est tcp6 ipv6_src=fc00::240 action=2
3671 table=1 in_port=2 ct_state=+est tcp6 ipv6_dst=fc00::1 action=1
3672 dnl Allow other ICMPv6 both ways (without commit).
3673 table=1 priority=100 in_port=1 icmp6, action=2
3674 table=1 priority=100 in_port=2 icmp6, action=1
3675 dnl Drop everything else.
3676 table=1 priority=0, action=drop
3679 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3681 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
3682 dnl waiting, we get occasional failures due to the following error:
3683 dnl "connect: Cannot assign requested address"
3684 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
3686 OVS_START_L7([at_ns1], [ftp])
3688 dnl FTP requests from p0->p1 should work fine.
dnl wget runs in its default passive mode here (no --no-passive-ftp).
3689 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
3691 dnl Discards CLOSE_WAIT and CLOSING
dnl Both entries are initiated by fc00::1 and SNATed to fc00::240: the one
dnl with helper=ftp is the control connection, the other the data connection.
3692 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
3693 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
3694 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
3697 OVS_TRAFFIC_VSWITCHD_STOP
3700 AT_SETUP([conntrack - IPv6 FTP with NAT - orig tuple])
dnl Same scenario as the preceding IPv6 FTP+NAT test, but every table-1 policy
dnl rule keys on the conntrack original-direction tuple (ct_ipv6_src,
dnl ct_tp_dst, ct_nw_proto) instead of the packet headers. Packet headers
dnl change with NAT and differ between the control and data connections; the
dnl ct_* fields do not, so one set of matches covers both.
3701 AT_SKIP_IF([test $HAVE_FTP = no])
3703 CHECK_CONNTRACK_NAT()
3704 CHECK_CONNTRACK_ALG()
3705 OVS_TRAFFIC_VSWITCHD_START()
3707 ADD_NAMESPACES(at_ns0, at_ns1)
3709 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
dnl Pin p0's MAC so the static neighbor entry below can point at it.
3710 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
3711 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
3712 dnl Would be nice if NAT could translate neighbor discovery messages, too.
dnl NAT only rewrites the IPv6 header, so ns1 never learns a neighbor for the
dnl translated source fc00::240. Map it to p0's MAC by hand so replies sent to
dnl the NATted address actually reach ns0.
3713 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
3715 dnl Allow any traffic from ns0->ns1.
3716 dnl Only allow nd, return traffic from ns1->ns0.
3717 AT_DATA([flows.txt], [dnl
3718 dnl track all IPv6 traffic (this includes NAT & help to non-NEW packets.)
dnl Bare "nat" here only applies a translation already bound to the
dnl connection; it creates no new binding and nothing is committed.
3719 table=0 priority=10 ip6, action=ct(nat,table=1)
3720 table=0 priority=0 action=drop
3724 dnl Allow other ICMPv6 both ways (without commit).
3725 table=1 priority=100 in_port=1 icmp6, action=2
3726 table=1 priority=100 in_port=2 icmp6, action=1
3727 dnl Allow new TCPv6 FTP control connections.
dnl "-inv" keeps packets conntrack flagged as invalid out of this rule; they
dnl fall through to the priority-0 drop at the end of the table.
3728 table=1 priority=10 in_port=1 ct_state=+new+trk-inv tcp6 ct_nw_proto=6 ct_ipv6_src=fc00::1 ct_tp_dst=21 action=ct(alg=ftp,commit,nat(src=fc00::240)),2
3729 dnl Allow related TCPv6 connections from port 2 to the NATted address.
dnl With --no-passive-ftp below the server opens the data connection back
dnl toward the client, so the related flow arrives on port 2. The ct_* matches
dnl are still the control connection's tuple: this test relies on a related
dnl connection reporting its master's original tuple (the data connection's
dnl own tuple, fc00::2 -> fc00::240, is what the dump at the end shows).
dnl Tying the +rel rule to in_port=2 and to the parent tuple keeps an
dnl ALG-created expectation from admitting anything broader than that.
3730 table=1 priority=10 in_port=2 ct_state=+new+rel+trk-inv ipv6 ct_nw_proto=6 ct_ipv6_src=fc00::1 ct_tp_dst=21 action=ct(commit,nat),1
3731 dnl Allow established TCPv6 connections both ways, enforce NATting
dnl Note: unlike the preceding test, these matches key on the original tuple
dnl only and do not themselves check the translated header; the translation
dnl is applied by the table-0 ct(nat) and verified by the dump below.
3732 table=1 priority=10 in_port=1 ct_state=+est+trk-inv ipv6 ct_nw_proto=6 ct_ipv6_src=fc00::1 ct_tp_dst=21 action=2
3733 table=1 priority=10 in_port=2 ct_state=+est+trk-inv ipv6 ct_nw_proto=6 ct_ipv6_src=fc00::1 ct_tp_dst=21 action=1
3734 dnl Drop everything else.
3735 table=1 priority=0, action=drop
3738 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3740 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
3741 dnl waiting, we get occasional failures due to the following error:
3742 dnl "connect: Cannot assign requested address"
3743 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
dnl Unlike the preceding test, the FTP server is started directly and the test
dnl waits until netstat reports a listening ftp socket.
3745 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
3746 OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
3748 dnl FTP requests from p0->p1 should work fine.
dnl Active mode (--no-passive-ftp) forces the server-initiated data connection
dnl that the +rel rule above is written for.
3749 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
3751 dnl Discards CLOSE_WAIT and CLOSING
dnl Expect two entries: the control connection (carrying the ftp helper) and
dnl the related data connection the server opened toward the NATted address.
3752 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
3753 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
3754 tcp,orig=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
3757 OVS_TRAFFIC_VSWITCHD_STOP
3760 AT_SETUP([conntrack - IPv4 TFTP with NAT])
dnl TFTP ALG with source NAT. The client sends to port 69 and the server
dnl answers from a fresh port, so the reply is a new, related UDP flow in the
dnl opposite direction; the test checks that this flow is admitted and that
dnl both flows carry the expected translation.
3761 AT_SKIP_IF([test $HAVE_TFTP = no])
3763 CHECK_CONNTRACK_NAT()
3764 CHECK_CONNTRACK_ALG()
3766 OVS_TRAFFIC_VSWITCHD_START()
3768 ADD_NAMESPACES(at_ns0, at_ns1)
3770 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MACs and static ARP on both sides: NAT does not rewrite ARP, so the
dnl server needs a hand-made entry for the translated source 10.1.1.240 that
dnl points at p0's MAC (the third arp -s below).
3771 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
3772 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
3774 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
3775 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
3776 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
3777 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.240 e6:66:c1:11:11:11])
3779 dnl Allow any traffic from ns0->ns1.
3780 AT_DATA([flows.txt], [dnl
3781 dnl track all IPv4 traffic.
dnl No nat here: table 1 therefore sees the untranslated headers and applies
dnl NAT itself where needed.
3782 table=0 priority=10 ip, action=ct(table=1)
3783 dnl drop everything else.
3784 table=0 priority=0 action=drop
3787 dnl Allow ICMP both ways.
3788 table=1 priority=100 in_port=1 icmp, action=2
3789 table=1 priority=100 in_port=2 icmp, action=1
3791 dnl Allow new TFTP control connections.
dnl Only the client's own address may open a session; the tftp helper is
dnl attached so the server's answer from another port is classified related.
3792 table=1 in_port=1 ct_state=+new udp nw_src=10.1.1.1 tp_dst=69 action=ct(alg=tftp,commit,nat(src=10.1.1.240)),2
3793 dnl Allow related UDP connections from port 2 (the server side).
dnl The packet still carries dst 10.1.1.240 at this point; committing with
dnl bare nat binds the reverse translation so it leaves toward 10.1.1.1.
3794 table=1 in_port=2 ct_state=+new+rel udp nw_src=10.1.1.2 action=ct(commit,nat),1
3795 dnl Allow established and NAT them.
dnl Apply the stored translation and recirculate to table 2, which matches the
dnl post-NAT addresses. That second match is what enforces the translation.
3796 table=1 in_port=1 ct_state=+est udp nw_src=10.1.1.1 action=ct(nat,table=2)
3797 table=1 in_port=2 ct_state=+est udp nw_src=10.1.1.2 action=ct(nat,table=2)
3799 table=1 priority=0, action=drop
dnl Post-NAT checks: client -> server must now carry the NATted source, and
dnl server -> client must have been translated back to the real client.
3801 table=2 in_port=1 ct_state=+est udp nw_src=10.1.1.240 action=2
3802 table=2 in_port=2 ct_state=+est udp nw_dst=10.1.1.1 action=1
3805 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3807 dnl Check that the stacks are working to avoid races.
3808 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2 >/dev/null])
dnl A TFTP server is started in both namespaces; only the one in at_ns1
dnl (10.1.1.2) is exercised by the transfer below.
3810 OVS_START_L7([at_ns0], [tftp])
3811 OVS_START_L7([at_ns1], [tftp])
3813 dnl TFTP requests from p0->p1 should work fine.
3814 NS_CHECK_EXEC([at_ns0], [[curl $CURL_OPT tftp://10.1.1.2/flows.txt -o foo 2>curl0.log]])
dnl Two entries: the request to port 69 with the tftp helper, and the related
dnl transfer flow the server opened toward the NATted client address.
3816 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
3817 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),helper=tftp
3818 udp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>)
3821 OVS_TRAFFIC_VSWITCHD_STOP
3824 AT_SETUP([conntrack - DNAT load balancing])
dnl Layer-4 load balancer built from a select group: connections to the
dnl virtual IP 10.1.1.64 are DNATted to one of three real servers, and an
dnl OpenFlow ARP responder answers for the virtual address.
3826 CHECK_CONNTRACK_NAT()
3827 OVS_TRAFFIC_VSWITCHD_START()
3829 ADD_NAMESPACES(at_ns1, at_ns2, at_ns3, at_ns4)
3831 ADD_VETH(p1, at_ns1, br0, "10.1.1.1/24")
3832 ADD_VETH(p2, at_ns2, br0, "10.1.1.2/24")
3833 ADD_VETH(p3, at_ns3, br0, "10.1.1.3/24")
3834 ADD_VETH(p4, at_ns4, br0, "10.1.1.4/24")
dnl Fixed MACs: table 4 below rewrites the destination MAC per server, so the
dnl addresses have to be known up front.
3835 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:11])
3836 NS_CHECK_EXEC([at_ns2], [ip link set dev p2 address 80:88:88:88:88:22])
3837 NS_CHECK_EXEC([at_ns3], [ip link set dev p3 address 80:88:88:88:88:33])
3838 NS_CHECK_EXEC([at_ns4], [ip link set dev p4 address 80:88:88:88:88:44])
3840 dnl Select group for load balancing. One bucket per server. Each bucket
3841 dnl tracks and NATs the connection and recirculates to table 4 for egress
3842 dnl routing. Packets of existing connections are always NATted based on
3843 dnl connection state, only new connections are NATted according to the
3844 dnl specific NAT parameters in each bucket.
3845 AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn add-group br0 "group_id=234,type=select,bucket=weight=100,ct(nat(dst=10.1.1.2),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.3),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.4),commit,table=4)"])
3847 AT_DATA([flows.txt], [dnl
3848 dnl Track connections to the virtual IP address.
3849 table=0 priority=100 ip nw_dst=10.1.1.64 action=group:234
3850 dnl All other IP traffic is allowed but the connection state is not committed.
dnl Server replies take this path: bare nat reverses the DNAT, so the client
dnl sees the virtual IP as the source again.
3851 table=0 priority=90 ip action=ct(table=4,nat)
3853 dnl Allow ARP, but generate responses for virtual addresses
dnl Requests: stash the target IP in reg2, let table 8 look it up, then let
dnl table 10 decide between answering and ordinary forwarding.
3854 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
3855 table=0 priority=10 arp action=normal
3856 table=0 priority=0 action=drop
dnl Egress routing after NAT. Frames for the virtual IP still carry the
dnl virtual MAC the ARP responder handed out, so rewrite it to the chosen
dnl server's real MAC before output.
3860 table=4,ip,nw_dst=10.1.1.1 action=mod_dl_dst:80:88:88:88:88:11,output:1
3861 table=4,ip,nw_dst=10.1.1.2 action=mod_dl_dst:80:88:88:88:88:22,output:2
3862 table=4,ip,nw_dst=10.1.1.3 action=mod_dl_dst:80:88:88:88:88:33,output:3
3863 table=4,ip,nw_dst=10.1.1.4 action=mod_dl_dst:80:88:88:88:88:44,output:4
3864 table=4 priority=0 action=drop
3866 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64, the virtual IP; 80:88:88:88:88:88 is a virtual
dnl MAC owned by no port. Only this one address is answered for.
3867 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
3868 dnl Zero result means not found.
3869 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
3870 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl xreg0 is the 64-bit register table 8 wrote as OXM_OF_PKT_REG0.
3872 table=10 priority=100 arp xreg0=0 action=normal
3873 dnl Swaps the fields of the ARP message to turn a query to a response.
dnl The reply has to leave through the port it arrived on; OpenFlow does not
dnl output to in_port, hence the copy of in_port into reg3 and the zeroing of
dnl in_port before the output.
3874 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
dnl Fallback only; table 10 is entered solely from the arp_op=1 rule above, so
dnl the two rules above should already cover every packet that gets here.
3875 table=10 priority=0 action=controller
3878 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3880 dnl Start web servers
dnl One backend per group bucket; at_ns1 is the client.
3881 OVS_START_L7([at_ns2], [http])
3882 OVS_START_L7([at_ns3], [http])
3883 OVS_START_L7([at_ns4], [http])
dnl Diagnostics recorded at test exit, presumably so they are in the log even
dnl when an earlier check fails.
3885 on_exit 'ovs-ofctl -O OpenFlow15 dump-flows br0'
3886 on_exit 'ovs-appctl revalidator/purge'
3887 on_exit 'ovs-appctl dpif/dump-flows br0'
3889 dnl Should work with the virtual IP address through NAT
dnl Twelve requests over three equally weighted buckets. The select group
dnl picks a bucket by hashing, so the expectation below (every server hit at
dnl least once) rests on the hash spread, not on a strict round robin.
3890 for i in 1 2 3 4 5 6 7 8 9 10 11 12; do
3892 NS_CHECK_EXEC([at_ns1], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget$i.log])
3895 dnl Each server should have at least one connection.
dnl The client side of every entry is identical; the reply side shows which
dnl server the DNAT chose.
3896 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
3897 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
3898 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.3,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
3899 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
dnl Same dumps as the on_exit hooks, taken while the state is still fresh.
3902 ovs-appctl dpif/dump-flows br0
3903 ovs-appctl revalidator/purge
3904 ovs-ofctl -O OpenFlow15 dump-flows br0
3905 ovs-ofctl -O OpenFlow15 dump-group-stats br0
3907 OVS_TRAFFIC_VSWITCHD_STOP
3911 AT_SETUP([conntrack - DNAT load balancing with NC])
dnl Variant of the DNAT load-balancing test with two clients (at_ns1 and
dnl at_ns5) that deliberately use the same source port toward the same
dnl virtual IP, so the translated connections differ only by source address.
dnl Presumably this checks that the NAT tuples do not collide; no conntrack
dnl assertion is visible in this view, only the diagnostic dumps.
3912 AT_SKIP_IF([test $HAVE_NC = no])
3914 CHECK_CONNTRACK_NAT()
3915 OVS_TRAFFIC_VSWITCHD_START()
3917 ADD_NAMESPACES(at_ns1, at_ns2, at_ns3, at_ns4, at_ns5)
3919 ADD_VETH(p1, at_ns1, br0, "10.1.1.1/24")
3920 ADD_VETH(p2, at_ns2, br0, "10.1.1.2/24")
3921 ADD_VETH(p3, at_ns3, br0, "10.1.1.3/24")
3922 ADD_VETH(p4, at_ns4, br0, "10.1.1.4/24")
3923 ADD_VETH(p5, at_ns5, br0, "10.1.1.5/24")
dnl Fixed MACs: table 4 below rewrites the destination MAC per host.
3924 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:11])
3925 NS_CHECK_EXEC([at_ns2], [ip link set dev p2 address 80:88:88:88:88:22])
3926 NS_CHECK_EXEC([at_ns3], [ip link set dev p3 address 80:88:88:88:88:33])
3927 NS_CHECK_EXEC([at_ns4], [ip link set dev p4 address 80:88:88:88:88:44])
3928 NS_CHECK_EXEC([at_ns5], [ip link set dev p5 address 80:88:88:88:88:55])
3930 dnl Select group for load balancing. One bucket per server. Each bucket
3931 dnl tracks and NATs the connection and recirculates to table 4 for egress
3932 dnl routing. Packets of existing connections are always NATted based on
3933 dnl connection state, only new connections are NATted according to the
3934 dnl specific NAT parameters in each bucket.
3935 AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn add-group br0 "group_id=234,type=select,bucket=weight=100,ct(nat(dst=10.1.1.2),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.3),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.4),commit,table=4)"])
3937 AT_DATA([flows.txt], [dnl
3938 dnl Track connections to the virtual IP address.
3939 table=0 priority=100 ip nw_dst=10.1.1.64 action=group:234
3940 dnl All other IP traffic is allowed but the connection state is not committed.
dnl Server replies take this path: bare nat reverses the DNAT.
3941 table=0 priority=90 ip action=ct(table=4,nat)
3943 dnl Allow ARP, but generate responses for virtual addresses
dnl Requests: target IP into reg2, table 8 resolves it, table 10 answers.
3944 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
3945 table=0 priority=10 arp action=normal
3946 table=0 priority=0 action=drop
dnl Egress routing after NAT: rewrite the virtual MAC to the real host MAC.
dnl The extra 10.1.1.5 entry carries return traffic to the second client.
3950 table=4,ip,nw_dst=10.1.1.1 action=mod_dl_dst:80:88:88:88:88:11,output:1
3951 table=4,ip,nw_dst=10.1.1.2 action=mod_dl_dst:80:88:88:88:88:22,output:2
3952 table=4,ip,nw_dst=10.1.1.3 action=mod_dl_dst:80:88:88:88:88:33,output:3
3953 table=4,ip,nw_dst=10.1.1.4 action=mod_dl_dst:80:88:88:88:88:44,output:4
3954 table=4,ip,nw_dst=10.1.1.5 action=mod_dl_dst:80:88:88:88:88:55,output:5
3955 table=4 priority=0 action=drop
3957 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64, the virtual IP; the MAC belongs to no port.
3958 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
3959 dnl Zero result means not found.
3960 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
3961 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
3963 table=10 priority=100 arp xreg0=0 action=normal
3964 dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is saved in reg3 and zeroed so the reply can be output back on
dnl the port it came from.
3965 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
3966 table=10 priority=0 action=controller
3969 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3971 dnl Start web servers
dnl One backend per group bucket; at_ns1 and at_ns5 are the clients.
3972 OVS_START_L7([at_ns2], [http])
3973 OVS_START_L7([at_ns3], [http])
3974 OVS_START_L7([at_ns4], [http])
dnl Diagnostics recorded at test exit.
3976 on_exit 'ovs-ofctl -O OpenFlow15 dump-flows br0'
3977 on_exit 'ovs-appctl revalidator/purge'
3978 on_exit 'ovs-appctl dpif/dump-flows br0'
3982 dnl Should work with the virtual IP address through NAT
dnl Both clients bind the same source port (4100 followed by the iteration
dnl number), so each pair of connections shares everything but the source IP.
3983 for i in 1 2 3 4 5 6 7 8 9; do
3985 NS_CHECK_EXEC([at_ns1], [echo "TEST1" | nc -p 4100$i 10.1.1.64 80 > nc-1-$i.log])
3986 NS_CHECK_EXEC([at_ns5], [echo "TEST5" | nc -p 4100$i 10.1.1.64 80 > nc-5-$i.log])
dnl Same dumps as the on_exit hooks, taken while the state is still fresh.
3991 ovs-appctl dpif/dump-flows br0
3992 ovs-appctl revalidator/purge
3993 ovs-ofctl -O OpenFlow15 dump-flows br0
3994 ovs-ofctl -O OpenFlow15 dump-group-stats br0
3996 OVS_TRAFFIC_VSWITCHD_STOP
3999 AT_BANNER([802.1ad])
4001 AT_SETUP([802.1ad - vlan_limit])
dnl Shows what other_config:vlan-limit does to double-tagged traffic: with no
dnl limit both tags are parsed and the ping works; once only one tag is
dnl parsed, the inner 802.1Q header is no longer consumed and the frame
dnl classifies as dl_type 0x8100, where a policy rule can match and drop it.
4002 OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])
4005 ADD_NAMESPACES(at_ns0, at_ns1)
4007 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
4008 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl S-VLAN 4094 (802.1ad outer tag) carrying C-VLAN 100 (802.1Q inner tag);
dnl the 10.2.2.x addresses live on the double-tagged interface.
4010 ADD_SVLAN(p0, at_ns0, 4094, "10.255.2.1/24")
4011 ADD_SVLAN(p1, at_ns1, 4094, "10.255.2.2/24")
4013 ADD_CVLAN(p0.4094, at_ns0, 100, "10.2.2.1/24")
4014 ADD_CVLAN(p1.4094, at_ns1, 100, "10.2.2.2/24")
4016 AT_CHECK([ovs-ofctl add-flow br0 "priority=1 action=normal"])
dnl vlan-limit=0 means no limit, so the double-tagged ping must get through.
4018 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])
4020 dnl CVLAN traffic should match the flow and drop
dnl Purge the datapath flows first so nothing cached under the old limit keeps
dnl forwarding; then restrict parsing to one tag and drop what now shows up as
dnl Ethertype 0x8100, i.e. the no-longer-parsed inner tag.
4021 AT_CHECK([ovs-appctl revalidator/purge])
4022 AT_CHECK([ovs-vsctl set Open_vSwitch . other_config:vlan-limit=1])
4023 AT_CHECK([ovs-ofctl add-flow br0 "priority=100 dl_type=0x8100 action=drop"])
4024 NS_CHECK_EXEC([at_ns0], [ping -q -c 1 -w 3 10.2.2.2], [1], [ignore])
4026 OVS_TRAFFIC_VSWITCHD_STOP
4030 AT_SETUP([802.1ad - push/pop outer 802.1ad])
dnl Provider-bridge scenario: br0 is the provider core, br1 and br2 are
dnl customer-edge bridges attached to br0 over veth pairs. br0 pushes an
dnl 802.1ad (0x88a8) outer tag 4094 around the customers' 802.1Q frames and
dnl the edge bridges pop it again before delivering to the customer ports.
dnl br1 and br2 are used below, but their creation is not shown in this view.
dnl vlan-limit=0 so both tags are visible to the classifier.
4031 OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])
4036 ADD_NAMESPACES(at_ns0, at_ns1)
dnl ovs-p0 (br0) <-> ovs-p1 (br1). Deleting one end of a veth removes both.
4038 AT_CHECK([ip link add ovs-p0 type veth peer name ovs-p1])
4039 AT_CHECK([ip link set dev ovs-p0 up])
4040 AT_CHECK([ip link set dev ovs-p1 up])
4041 AT_CHECK([ovs-vsctl add-port br0 ovs-p0])
4042 AT_CHECK([ovs-vsctl add-port br1 ovs-p1])
4043 on_exit 'ip link del ovs-p0'
dnl ovs-p2 (br0) <-> ovs-p3 (br2).
4045 AT_CHECK([ip link add ovs-p2 type veth peer name ovs-p3])
4046 AT_CHECK([ip link set dev ovs-p2 up])
4047 AT_CHECK([ip link set dev ovs-p3 up])
4048 AT_CHECK([ovs-vsctl add-port br0 ovs-p2])
4049 AT_CHECK([ovs-vsctl add-port br2 ovs-p3])
4050 on_exit 'ip link del ovs-p2'
dnl Customer hosts, each with a C-VLAN 100 sub-interface carrying 10.2.2.x.
4052 ADD_VETH(p4, at_ns0, br1, "10.1.1.1/24")
4053 ADD_VETH(p5, at_ns1, br2, "10.1.1.2/24")
4054 ADD_CVLAN(p4, at_ns0, 100, "10.2.2.1/24")
4055 ADD_CVLAN(p5, at_ns1, 100, "10.2.2.2/24")
dnl Provider core: only the two uplinks are forwarded, and each uplink's
dnl traffic gets the outer S-tag before going to the other uplink.
4057 AT_DATA([flows-br0.txt], [dnl
4058 priority=1 action=drop
4059 priority=100 in_port=1 action=push_vlan:0x88a8,mod_vlan_vid=4094,output:2
4060 priority=100 in_port=2 action=push_vlan:0x88a8,mod_vlan_vid=4094,output:1
dnl Customer edge: in_port=1 is presumably the uplink toward br0, since it was
dnl added to the bridge first. vlan_tci=0x1000/0x1000 matches any frame that
dnl carries a VLAN tag, so the outer tag is stripped from frames arriving from
dnl the core; everything else is switched normally.
4063 AT_DATA([flows-customer-br.txt], [dnl
4064 priority=1 action=normal
4065 priority=100 in_port=1 vlan_tci=0x1000/0x1000 action=pop_vlan,normal
4068 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
4069 AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-customer-br.txt])
4070 AT_CHECK([ovs-ofctl --bundle add-flows br2 flows-customer-br.txt])
4072 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])
dnl Small and MTU-exceeding (1600-byte) pings across the double-tagged path;
dnl the latter presumably exercises fragmented packets.
4074 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
4075 3 packets transmitted, 3 received, 0% packet loss, time 0ms
4078 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
4079 3 packets transmitted, 3 received, 0% packet loss, time 0ms
4082 OVS_TRAFFIC_VSWITCHD_STOP
4086 AT_SETUP([802.1ad - push/pop outer 802.1q])
dnl Same provider/customer topology as the 802.1ad push/pop test, but the
dnl outer tag pushed by br0 uses the 802.1Q TPID (0x8100) instead of 0x88a8,
dnl i.e. plain Q-in-Q. The customer-edge flows are identical.
dnl br1 and br2 are used below, but their creation is not shown in this view.
dnl vlan-limit=0 so both tags are visible to the classifier.
4087 OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])
4092 ADD_NAMESPACES(at_ns0, at_ns1)
dnl ovs-p0 (br0) <-> ovs-p1 (br1). Deleting one end of a veth removes both.
4094 AT_CHECK([ip link add ovs-p0 type veth peer name ovs-p1])
4095 AT_CHECK([ip link set dev ovs-p0 up])
4096 AT_CHECK([ip link set dev ovs-p1 up])
4097 AT_CHECK([ovs-vsctl add-port br0 ovs-p0])
4098 AT_CHECK([ovs-vsctl add-port br1 ovs-p1])
4099 on_exit 'ip link del ovs-p0'
dnl ovs-p2 (br0) <-> ovs-p3 (br2).
4101 AT_CHECK([ip link add ovs-p2 type veth peer name ovs-p3])
4102 AT_CHECK([ip link set dev ovs-p2 up])
4103 AT_CHECK([ip link set dev ovs-p3 up])
4104 AT_CHECK([ovs-vsctl add-port br0 ovs-p2])
4105 AT_CHECK([ovs-vsctl add-port br2 ovs-p3])
4106 on_exit 'ip link del ovs-p2'
dnl Customer hosts, each with a C-VLAN 100 sub-interface carrying 10.2.2.x.
4108 ADD_VETH(p4, at_ns0, br1, "10.1.1.1/24")
4109 ADD_VETH(p5, at_ns1, br2, "10.1.1.2/24")
4110 ADD_CVLAN(p4, at_ns0, 100, "10.2.2.1/24")
4111 ADD_CVLAN(p5, at_ns1, 100, "10.2.2.2/24")
dnl Provider core: only the two uplinks are forwarded, and each uplink's
dnl traffic gets an 0x8100 outer tag before going to the other uplink.
4113 AT_DATA([flows-br0.txt], [dnl
4114 priority=1 action=drop
4115 priority=100 in_port=1 action=push_vlan:0x8100,mod_vlan_vid=4094,output:2
4116 priority=100 in_port=2 action=push_vlan:0x8100,mod_vlan_vid=4094,output:1
dnl Customer edge: in_port=1 is presumably the uplink toward br0, since it was
dnl added to the bridge first. vlan_tci=0x1000/0x1000 matches any tagged
dnl frame, so the outer tag is stripped from frames arriving from the core.
4119 AT_DATA([flows-customer-br.txt], [dnl
4120 priority=1 action=normal
4121 priority=100 in_port=1 vlan_tci=0x1000/0x1000 action=pop_vlan,normal
4124 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
4125 AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-customer-br.txt])
4126 AT_CHECK([ovs-ofctl --bundle add-flows br2 flows-customer-br.txt])
4128 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])
dnl Small and MTU-exceeding (1600-byte) pings across the double-tagged path.
4130 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
4131 3 packets transmitted, 3 received, 0% packet loss, time 0ms
4134 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
4135 3 packets transmitted, 3 received, 0% packet loss, time 0ms
4138 OVS_TRAFFIC_VSWITCHD_STOP
4142 AT_SETUP([802.1ad - 802.1q tunnel])
dnl Same provider/customer topology, but instead of explicit push/pop flows
dnl the br0 uplink ports are put in dot1q-tunnel mode with S-tag 4094 and a
dnl C-VLAN allow-list of 100 and 200. C-VLAN 300 is configured on the hosts
dnl but not allowed, so traffic on it must be dropped at the tunnel port.
dnl br1 and br2 are used below, but their creation is not shown in this view.
dnl vlan-limit=0 so both tags are visible to the classifier.
4143 OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])
4148 ADD_NAMESPACES(at_ns0, at_ns1)
dnl ovs-p0 (br0) <-> ovs-p1 (br1). Deleting one end of a veth removes both.
4150 AT_CHECK([ip link add ovs-p0 type veth peer name ovs-p1])
4151 AT_CHECK([ip link set dev ovs-p0 up])
4152 AT_CHECK([ip link set dev ovs-p1 up])
4153 AT_CHECK([ovs-vsctl add-port br0 ovs-p0])
4154 AT_CHECK([ovs-vsctl add-port br1 ovs-p1])
4155 on_exit 'ip link del ovs-p0'
dnl ovs-p2 (br0) <-> ovs-p3 (br2).
4157 AT_CHECK([ip link add ovs-p2 type veth peer name ovs-p3])
4158 AT_CHECK([ip link set dev ovs-p2 up])
4159 AT_CHECK([ip link set dev ovs-p3 up])
4160 AT_CHECK([ovs-vsctl add-port br0 ovs-p2])
4161 AT_CHECK([ovs-vsctl add-port br2 ovs-p3])
4162 on_exit 'ip link del ovs-p2'
dnl Customer hosts with three C-VLANs each: 100 and 200 are permitted by the
dnl tunnel configuration below, 300 is not.
4164 ADD_VETH(p4, at_ns0, br1, "10.1.1.1/24")
4165 ADD_VETH(p5, at_ns1, br2, "10.1.1.2/24")
4166 ADD_CVLAN(p4, at_ns0, 100, "10.2.2.1/24")
4167 ADD_CVLAN(p5, at_ns1, 100, "10.2.2.2/24")
4168 ADD_CVLAN(p4, at_ns0, 200, "10.3.2.1/24")
4169 ADD_CVLAN(p5, at_ns1, 200, "10.3.2.2/24")
4170 ADD_CVLAN(p4, at_ns0, 300, "10.4.2.1/24")
4171 ADD_CVLAN(p5, at_ns1, 300, "10.4.2.2/24")
dnl All three bridges just switch normally; the tagging policy lives entirely
dnl in the port configuration of the two br0 uplinks.
4173 AT_CHECK([ovs-ofctl add-flow br0 action=normal])
4174 AT_CHECK([ovs-ofctl add-flow br1 action=normal])
4175 AT_CHECK([ovs-ofctl add-flow br2 action=normal])
4176 AT_CHECK([ovs-vsctl set port ovs-p0 vlan_mode=dot1q-tunnel tag=4094 cvlans=100,200])
4177 AT_CHECK([ovs-vsctl set port ovs-p2 vlan_mode=dot1q-tunnel tag=4094 cvlans=100,200])
4179 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])
4180 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.3.2.2])
dnl Small and MTU-exceeding pings on both permitted C-VLANs.
4182 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
4183 3 packets transmitted, 3 received, 0% packet loss, time 0ms
4186 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.3.2.2 | FORMAT_PING], [0], [dnl
4187 3 packets transmitted, 3 received, 0% packet loss, time 0ms
4190 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
4191 3 packets transmitted, 3 received, 0% packet loss, time 0ms
4194 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.3.2.2 | FORMAT_PING], [0], [dnl
4195 3 packets transmitted, 3 received, 0% packet loss, time 0ms
4198 dnl CVLAN 300 is not permitted by dot1q-tunnel
dnl The ping must fail; the drop is the allow-list doing its job.
4199 NS_CHECK_EXEC([at_ns0], [ping -q -c 1 -w 3 10.4.2.2], [1], [ignore])
dnl The dropped-VLAN warnings are expected here, so they are filtered out of
dnl the log check. VLAN 0 presumably covers untagged frames from the base
dnl 10.1.1.x interfaces.
4201 OVS_TRAFFIC_VSWITCHD_STOP(["/dropping VLAN \(0\|300\) packet received on dot1q-tunnel port/d"])
4204 AT_SETUP([802.1ad - double vlan match])
dnl Matches both tags in sequence on one bridge: table 0 admits only frames
dnl whose outer tag is 4094 and pops it, table 1 then requires the (now
dnl outermost) inner tag to be 100 and pushes the 0x88a8 outer tag back on
dnl before normal forwarding. Anything else, including untagged frames and
dnl other outer VIDs, hits the table-0 drop.
dnl vlan-limit=0 so both tags are visible to the classifier.
4205 OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])
4208 ADD_NAMESPACES(at_ns0, at_ns1)
4210 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
4211 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl S-VLAN 4094 (802.1ad outer tag) carrying C-VLAN 100 (802.1Q inner tag);
dnl the 10.2.2.x addresses live on the double-tagged interface.
4213 ADD_SVLAN(p0, at_ns0, 4094, "10.255.2.1/24")
4214 ADD_SVLAN(p1, at_ns1, 4094, "10.255.2.2/24")
4216 ADD_CVLAN(p0.4094, at_ns0, 100, "10.2.2.1/24")
4217 ADD_CVLAN(p1.4094, at_ns1, 100, "10.2.2.2/24")
4219 AT_DATA([flows-br0.txt], [dnl
4220 table=0,priority=1 action=drop
4221 table=0,priority=100 dl_vlan=4094 action=pop_vlan,goto_table:1
4222 table=1,priority=100 dl_vlan=100 action=push_vlan:0x88a8,mod_vlan_vid:4094,normal
4224 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
4226 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])
dnl Small and MTU-exceeding (1600-byte) pings across the double-tagged path.
4228 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
4229 3 packets transmitted, 3 received, 0% packet loss, time 0ms
4232 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
4233 3 packets transmitted, 3 received, 0% packet loss, time 0ms
4236 OVS_TRAFFIC_VSWITCHD_STOP